Privacy in Electronic Communications

right to have notice before those records are accessed-but in fact the doctor might not even realize when those records are accessed. To conclude, in thinking about electronic communications as we move forward I would ask that Congress, one, reexamine the need for limits on the disclosure and use of personal information by private entities. This is a very important area that is in need of further thought. Reconsider how the lines have been drawn between records that are entitled to the full Fourth Amendment protection, such as my diary in my home, and the records that are considered business records, such as the records that Kenneth Starr subpoenaed from Kramer Books about Monica Lewinsky's First Amendment activities. It is time to heighten the standard for access to transactional data because it does reveal much more than just the phone numbers that we've dialed.

Finally, I would ask that you consider creating a privacy entity to deal with privacy policy as we move forward. It's going to continue to be a perplexing issue. Encryption has focused us on privacy. There will always be needs that people think outweigh Americans' interest in privacy, and we must have a cohesive body of thought and a place to develop institutional policies on this issue. And, finally, I think that the government has

Mr. COBLE. Ms. Mulligan, if you could wrap it up as soon as you can. I don't want to cut you off.

Ms. MULLIGAN. Yes, this is the last one. Technology does play an important role in protecting privacy and as many members of the subcommittee have stated this morning, encryption is one of those core technologies. I think your support for strong encryption in this coming age is of utmost importance. Thank you.

Mr. COBLE. Thank you.

[The prepared statement of Deirdre Mulligan follows:]

PREPARED STATEMENT OF DEIRDRE MULLIGAN, STAFF COUNSEL, CENTER FOR

DEMOCRACY AND TECHNOLOGY

SUMMARY

CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values in new digital media. One of our core goals is to enhance privacy protections for individuals in the development and use of new technologies.

It is critically important to ensure that privacy protections keep pace with changes in technology. This requires a periodic assessment of whether changes in technology pose new threats to privacy that must be addressed through changes in law. Many of our existing laws were constructed to meet dual purposes, such as protecting privacy and meeting legitimate law enforcement needs, or protecting privacy and promoting the cost effective operation of the health care system, the rules continue to set the bounds of permissible government action. We must examine whether they continue to do so in a fashion consistent with privacy protection. In addition, it requires us to evaluate whether technology itself can be used to advance privacy in this new environment. Finally, the globalization of the communications system requires us to consider alternative methods for achieving policy goals, be they selfregulation or international agreements. In other words, examining privacy protections in the changing electronic communications environment requires us to look freshly at old law, consider the creation of new law, consider the role of technology in promoting privacy, and explore new avenues of making policy.

Shifts in Technology

Several trends in technology have ramifications for the existing framework of privacy protections in electronic communications: the explosive growth of the Internet; the increase in transactional data generated; the globalization of communications

technology; the lack of centralized control mechanisms; and, the decrease in computing costs and the focus on client-side controls over network interactions.

Gaps in the legal framework

The current legal framework of Title III and ECPA did not envision the World Wide Web and the pervasive role technology would play in our daily lives. Underly. ing Title III and ECPA were a number of assumptions about both the nature and the use of electronic communications. While these assumptions may have been accurate at one point in history, communications technology and individuals' use of it have both changed dramatically since the initial framework for protecting electronic communications was articulated in 1968. The shift toward distributed networks and the proliferation of digital communications technology in our everyday interactions creates some interesting privacy consequences under the existing framework. Conclusion and Recommendations

As we consider privacy in the changing communications environment we must ask whether policies designed to implement the Fourth Amendment developed in a 20th century world of paper records even as extended to protect transient voice communications—are applicable to 21st century technologies where many of our most important records are not "papers" in our "houses" but "bytes" stored electronically and our communications rather than disappearing into thin air are captured and stored at distant "virtual" locations for indefinite periods of time.

To address privacy in the electronic communications environment the U.S. government should:

• Reexamine the need for limits on the disclosure and use of personal information by private entities.

• Reconsider how the lines have been drawn between records entitled to full Fourth Amendment protection and records under Miller that fall outside the protection of the Fourth Amendment.

• Heighten the standard for access to transactional data.

• Create a privacy protection entity to provide expertise and institutional memory, a forum for privacy research, exploration, and guidance, and a source of policy recommendations on privacy issues.

Encourage the development and implementation of technologies that support privacy on global information networks.

I. Introduction and Summary

STATEMENT

The Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify on the issue of privacy protection in the online environment.

CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values on the Internet. One of our core goals is to enhance privacy protections for individuals in the development and use of new communications technologies.

To focus my testimony this morning, I will begin by outlining five trends in technology with ramifications for the existing framework of privacy protections in electronic communications. The current mix of legal and self-regulatory protections for privacy has not kept pace with technology and its growing role in society. The core of my testimony is a series of policy recommendations:

• identifying areas in which Congress should enhance existing privacy protections;

• recommending the creation of an institutional structure for addressing privacy concerns in a proactive and ongoing manner; and,

• urging the US government (and others) to engage in several non-traditional methods of developing and implementing privacy policy that are of particular relevance to the global, decentralized networks that comprise our communications infrastructure.

tor action in a fashion consistent with privacy protection. In addition, we should evaluate whether technology itself can be used to advance privacy in this new environment. Finally, the globalization of the communications system requires us to consider alternative methods for achieving policy goals, be they self-regulation or international agreements.

II. Technology trends with ramifications for individual privacy in electronic communications

A. The explosive growth of the Internet is transforming our methods of communicating and methods of gathering, processing and sharing information and knowledge. In 1986, when Congress updated the communications privacy laws,1 the Internet was comprised of approximately 50,000 computers. Today the Internet is comprised of upwards of 20 million Internet host computers globally and estimates on individual users hover around 100 million people worldwide. Unlike traditional media, the Internet supports interactions ranging from banking to dating, from one to one communications, town hall meetings, political events, to commercial trans

actions.

B. The transactional data generated through the use of new technologies is a rich source of information about individuals' habits of association, speech, and commercial activities. This vast new data is essential to the operation of the packet-switching medium and provides the raw material for many of the unique functions the Internet offers, yet it poses significant privacy concerns. Interactive media generate, capture and store a tremendous amount of information. At the same time the flexibility of new media is blurring the distinction between the content of a communication and the transactional data used to route the message to its destination. Transactional data in this new media is more detailed, descriptive, and identifying than ever before. Aggregated, it is capable of revealing as much about the individual as the content of a message.

C. The globalization of communications technology is eroding national borders. Governments are finding it increasingly difficult to enforce laws-be they laws to protect or repress their citizens. The fluidity of borders on the Internet promises to promote pluralism, the free flow of information and ideas, diverse associations, and, we hope, democracy. On the other hand, enforceable, workable privacy protections for the global information infrastructure have yet to emerge leaving individuals' communications and personal data vulnerable.

D. The lack of centralized control mechanisms. The distributed nature of the Internet's infrastructure distinguishes it, at least in degree, from existing communications systems. Its decentralized nature allows it to cope with problems and failures in any given computer network by simply routing information along alternate paths. This makes the Internet quite robust. However, the lack of centralized control mechanisms may frustrate those seeking to regulate activities on the network.2 Decentralized systems are inherently less secure. They pose new challenges to protecting data during storage and transmission.

E. Decrease in computing costs and the focus on client-side controls over network interactions present new opportunities to empower individuals. The Internet continues to shift control over interactions away from the government and large private sector companies. The ability to build privacy protections into the users interface with the network offers the opportunity to craft privacy protections that shield individuals regardless of the jurisdictional law and policy. Providing individuals with technical means to control and secure their communications and personal information may pave the way for privacy protections that are as decentralized and ubiquitous as the networks themselves.

III. Policies from the pre-network world

Current policies protecting individual privacy in electronic communications are built upon Fourth Amendment principles designed to protect citizens from government intrusion. While premised on Fourth Amendment concepts, the contours of existing statutory protections are also a product of the technical and social "givens" of specific moments in history. Some of these historical givens have changed dramatically, with implications for the effectiveness and relevance of existing statutory protections for privacy.

1 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified in sections of 18 U.S.C. including §§ 2510-21, 2701-10, 3121-26.

2 Attempts to regulate the availability of encryption on the Internet highlight the frustrations that regulators may experience. As many scholars and advocates have pointed out, national attempts to restrict the availability of encryption are likely to be ineffective. For if even one jurisdiction (or one network in one jurisdiction) fails to restrict it, individuals world-wide will be able to access it over the Internet and use it.

Crafting proper privacy protections in the electronic realm has always been a complex endeavor. It requires a keen awareness of not only changes in technology, but also changes in how the technology is used by citizens, and how those changes are pushing at the edges of existing laws. From time to time these changes require us to reexamine our fabric of privacy protections. The issues raised below indicate that it is time for such a review.

A. From phones to email: The existing framework

In response to Supreme Court decisions finding that electronic surveillance was a search and seizure covered by the 4th Amendment 3 and law enforcement's arguments that it was a needed weapon against organized crime,4 Congress passed Title III of the Omnibus Crime Control and Safe Streets Act of 1968.5 The wiretap provisions of Title III authorized law enforcement wiretapping of telephones within a framework designed to protect privacy and compensate for the uniquely intrusive aspects of electronic surveillance 6

În brief, the legislation Congress enacted in 1968 had the following components: the content of wire communications could be seized by the government in criminal cases pursuant to a court order issued upon a finding of probable cause;7 wiretapping would be otherwise outlawed;8 wiretapping would be permitted only for specified crimes;9 it would be authorized only as a last resort, when other investigative techniques would not work;10 surveillance would be carried out in such a way as to "minimize" the interception of innocent conversations;11 notice would be provided after the investigation had been concluded; 12 and there would be an opportunity prior to introduction of the evidence at any trial for an adversarial challenge to both the adequacy of the probable cause and the conduct of the wiretap.13 “Minimization" was deemed essential to satisfy the Fourth Amendment's particularity requirement, compensating for the fact that law enforcement was receiving all of the target's communications, including those that were not evidence of a crime. The showing of a special need, in the form of a lack of other reasonable means to obtain the information, was viewed as justification for the failure to provide advance or contemporaneous notice of the search. 14

Due to privacy considerations arising from changes in technology, primarily the advent of wireless services and the growing use of email, in 1986 Congress adopted the Electronic Communications Privacy Act (ECPA).15 Congress' action was in part spurred by the recognition that individuals would be reluctant to use new technologies unless privacy protections were in place. 16

ECPA did recognize the importance of transactional data. ECPA set forth rules for the use of pen registers and trap and trace devices, which capture out-going and incoming phone numbers respectively.17 It also established rules for law enforcement access to information identifying subscribers of electronic communication services.18 For transactional information relating to e-mail ECPA requires a warrant, for other transactional data it requires a court order, a mere subpoena, or consent. To a large degree ECPA extended the Title III protections to the interception of wireless voice communications and to non-voice electronic communications such as

3 See Berger v. New York, 388 U.S. 41, 56 (1967); Katz v. United States, 389 U.S. 347 (1967). 4 See Controlling Crime Through More Effective Law Enforcement: Hearings on S. 300, S. 552, S. 580, S. 674, S. 675, S. 678, S. 798, S. 824, S. 916, S. 917, S. 992, S. 1007, S. 1094, S. 1194, S. 1333, and S. 2050 Before the Subcomm. on Criminal Laws and Procedures of the Senate Comm. on the Judiciary, 90th Cong. (1967), passim.

518 U.S.C. §§ 2510-22 (1996).

6 In 1978, Congress enacted the Foreign Intelligence Surveillance Act (FISA) to regulate wiretapping in national security cases. It provides more limited protections than those afforded under Title III, and was meant to be used primarily in foreign intelligence and counter-intelligence cases. Of importance, FISA does not require that the subject of the surveillance ever be given notice, and for individuals who are not U.S. citizens or permanent residents it does not require the government to show probable cause that the target is engaged in criminal conduct. Pub. L. No. 95-511, tit. I, § 101, 92 Stat. 1783 (1983) (codified at 50 U.S.C. § 1801-11 (1996). 718 U.S.C. § 2518 (3) (1996).

8 18 U.S.C. § 2511 (1996).

918 U.S.C. § 2516 (2) (1996).

10 18 U.S.C. § 2518 (3)(c) (1996).

11 18 U.S.C. § 2518 (5) (1996).

12 18 U.S.C. § 2518 (8)(d) (1996).

13 18 U.S.C. §2518 (9), (10) (1996).

14 S. Rep. No. 90-1097, at 66 (1968).

15 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified in sections of 18 U.S.C. including §§ 2510-21, 2701-10, 3121–26.

16 See generally S. Rep No 99-541, at 5 (1986); and, H.R. Rep. No. 99-647, at 19 (1986).

17 18 U.S.C. §3121-27 (1996).

18 18 U.S.C. 2703 (c).

fax and email while in transit. However, ECPA did not extend all of Title III's protections to electronic communications. Unlike Title III, which limits the use of wiretaps to a limited list of crimes, court orders authorizing interceptions of electronic communications can be based upon the violation of any federal felony. While constitutional challenges to the introduction of information obtained in violation of ECPA may succeed, ECPA contains no statutory exclusionary rule as Title III does. 19

Moreover, Congress et very different rules for access to electronic communications while they are in storage incident to transmission.20 When the government goes to AOL or another service provider and asks it to provide a copy of a person's email messages from the AOL server where they sit waiting to be read, an ordinary search warrant is enough without the special protections of minimization, judicial supervision and notice to the individual found in Title III.

B. Assumptions of the existing framework

In drafting ECPA Congress began the process of dealing with fundamental changes in technology. They recognized that transactional data needed privacy protections. However, the framework of Title III and the advances of ECPA did not envision the World Wide Web and the pervasive role technology would come to play in our daily lives. Underlying Title III and ECPA were a number of assumptions about both the nature and the use of electronic communications:

• The transmission of private communications and records stored with third parties, including records of such communications, raise different privacy considerations.

• The majority of electronic communications are by nature ephemeral.

• The private sphere of personal communications and interactions would be located at the end-points, not in the medium itself.

• The government's collection and use of information about individuals' activities and communications is the greatest threat to individual privacy.

• Transactional data is not rich in intimate, personal detail. Congress has only begun to wrestle with the fact that some of these assumptions, while perhaps accurate at one point in history, have changed dramatically since the initial framework for protecting electronic communications was articulated in 1986. Congress took a first small step towards recognizing the changing nature of transactional data in the networked environment with amendments to ECPA enacted as part of the Communications Assistance for Law Enforcement Act of 1994 (CALEA).21 The 1994 Amendments recognized that transactional data was emerging as a hybrid form of data, somewhere between addressing information and content, and was becoming increasingly revealing of personal patterns of association. For example, addressing information was no longer just a number and name, but contained the subject under discussion and information about the individual's location. Therefore, Congress raised the legal bar for government access to transactional data by eliminating subpoena access and requiring a court order, albeit one issued on a lower relevance standard.22 Some issues were left unanswered, and new ones continue to arise as communications technology advance.

IV. Four examples reveal the current weaknesses of existing statutory protections for privacy in light of the shifts in electronic communications technology and its use in society.

A. Personal papers in cyberspace

Individual's traditionally kept their diaries under their mattress, in the bottom drawer of their dresser or at their writing table. Situated within the four walls of the home these private papers are protected by the Fourth Amendment. With the advent of home computers individual diaries moved to the desktop and the harddrive. Writers, poets, and average citizens quickly took advantage of computers to manage and transcribe their important records and thoughts. Similarly, pictures moved from the photo album to the CD-ROM.

Today, network computing allows individuals to rent space outside their home to store personal files and personal World Wide Web pages. The information has re

19 See 18 U.S.C. § 2515 (1966) (exclusionary rule refers to wire or oral communications, not electronic communications).

20 18 U.S.C. 2703.

21 Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, 108 Stat. 4279 (1994) (codified at 47 U.S.C. § 1001 and scattered sections of 18 U.S.C. and 47 U.S.C.)

22 18 U.S.C. § 2703 (b) (A)–(B), (c) (1)(B), (d).

« Forrige Fortsett »

Bøker

Privacy in Electronic Communications: Hearing Before the Subcommittee on ...