Information Security News
mailing list archives
RE: Smith Bill Raises Police Power Concerns
From: InfoSec News <isn () c4i org>
Date: Wed, 15 May 2002 02:56:01 -0500 (CDT)
Forwarded from: Marjorie Simmons <lawyer () carpereslegalis com>
Alan Davidson's helpful testimony regarding H.R. 3482 follows
my remark, and is reported by the CDT at:
http://www.cdt.org/testimony/020212davidson.shtml
the GPO bill is at
http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3482:
My experience with responses to requests for information and
subpoenas I and others have drafted in civil matters seeking
information from ISPs in the last several years has been interesting.
ISP responses have been all over the map, varying from the alarming
(too much data handed over) to the absurdly secretive (contempt
charged). ISPs so often founder in a quagmire with this stuff --
hopefully Mr. Davidson's comments will have the desired impact
and (whatever the outcome of H.R. 3482, the "Cyber Security
Enhancement Act of 2001"), will prompt the codification of a useful
comfort zone that will cascade to civil litigants. I won't, however,
hold my breath in any case, as it often seems possible that the
tortoise called Osmosis may finish the race before the hare called
Post-911-Statute-Making.
Marjorie Simmons
lawyer () carpereslegalis com
________________________________
Testimony of Alan Davidson (Associate Director CDT)
before the Subcommittee on Crime of the Committee on
Judiciary U.S. House of Representatives 2-12-02
[snip preamble] . . .
Our nation is at a point where revolutionary changes in
communications and computer technology have created new concerns
about public safety, security, and privacy online. In the aftermath of
September 11, cybersecurity is a serious problem that demands a real
response from government. At the same time, such responses must be
respectful of the protections for personal privacy and from overly
broad governmental authority, enshrined in our Constitution and
electronic surveillance laws.
If we are forced to give up essential liberties fundamental to our
American way of life then our country will truly have lost something
important.
With this need to protect both security and Constitutional privacy
principles, CDT offers the following comments on H.R. 4382:
First, CDT commends this committee for holding this hearing, and
for the relatively measured approach taken in HR 3482. We agree
that computer crime and security is a serious problem that requires
serious government response. In the USA PATRIOT Act, passed this
fall, substantial changes were made to the computer crime and
government surveillance statutes that raised serious privacy concerns
and are to this date still not fully understood. In contrast and with
one notable exception - the emergency disclosures provision of
Section 102 - H.R. 4382 takes a more modest approach to these
laws that does not raise the same types of privacy concerns.
Second, the emergency disclosure provision of Section 102, as
drafted, is overly broad and would eviscerate important privacy
protections in current law.
Current law protects the privacy of electronic communications by
prohibiting service providers from revealing those communications
to anyone without proper lawful orders. Emergency disclosure
provisions exist in the current law based on a reasonable idea - ISPs
who reasonably believe there is an imminent threat of death or
serious injury should be able to reveal communications to law
enforcement agencies on an emergency basis even without judicial
oversight.
Sec. 102 would substantially expand this ability to reveal private
communications without any judicial authority or oversight.
In practice, however, we have heard reports from large and small
providers, universities, and libraries, that the emergency disclosure
is being used in a different way. Providers are often approached by
government agents and asked to voluntarily disclose
communications or other subscriber information for investigations that the
government claims involve a danger to life and limb. Providers are
then faced with a Hobbesian choice - either turn over sensitive
private communications of subscribers without any court order, or
say no to a government request. Of course many comply with the
requests. Small providers have few legal resources to evaluate such
requests. Others receive requests from the same agents they may
seek help from the next day regarding hacking attacks or other
problems. Without proper restrictions, such "voluntary disclosure"
provisions risk becoming a major loophole.
Current law, passed just four months ago, confines these extraordinary
disclosures to law enforcement agents in limited circumstances. As
drafted, Sec. 102 would threaten the privacy of communication by
substantially broadening these disclosures:
It allows these disclosures to any governmental entity, not just law
enforcement agents. That could include literally thousands of federal,
state, and local employees - perhaps even foreign government
officials.
It no longer requires imminent danger for disclosure. It would allow
these extraordinary disclosures when there is some danger, which
might be far in the future and far more hypothetical.
It no longer requires a reasonable belief that there is a danger on
the part of the ISP. Section 102 would allow these sensitive
disclosures if there is any good faith belief - even if unreasonable - of
danger.
Thus as drafted, Sec. 102 would allow many more disclosures of
sensitive communications without any court oversight or notice to
subscribers. It would allow these disclosures to (and based on
requests from) potentially hundreds of thousands of government
employees, ranging from local canine control officials to
schoolteachers to Agriculture Department cotton inspectors to foreign
government officials.
We urge the committee to carefully rethink this expansion. We
understand the argument that in some narrow circumstances
disclosures to some entities - such as the Center for Disease
Control - might be warranted. As supported in current law, in cases
of imminent threats of death or serious injury, law enforcement
agencies - trained to deal with such situations and cognizant of
legal strictures - should be the first contact point for concerned
citizens. We also urge the committee to maintain the requirements
of a reasonable belief in imminent danger.
We are confident that if other disclosures are needed they can be
carefully crafted, and we look forward to working with the
Committee as well as experts in industry and other interested
parties to find a more balanced approach.
In addition, we strongly encourage this Committee to add
accountability mechanisms for this extraordinary power. Congress
should consider requiring notice to the subscriber, after the fact
(and deferrable based on a judicial order), as a means of providing
subscribers with some way of knowing that their communications
have been disclosed. And at a bare minimum Congress should
mandate a reporting requirement for these emergency disclosures
to federal law enforcement, to give Congress some method of
evaluating their use.
Third, we urge the Committee to continue its work to balance
powerful surveillance authorities with appropriate privacy
protections.
An essential element of security in cyberspace is trust. If Internet
users cannot trust that their most sensitive personal and business
communications will be private, then we cannot realize the
promise of the Internet as a communications medium.
Powerful new surveillance authorities require powerful oversight
and accountability. In addition, the digital age is making more
personal information available than ever before, also increasing
the need for a legislative framework that protects personal
information from inappropriate surveillance.
The USA Patriot Act passed this fall provides substantial new
government capabilities to conduct surveillance on Americans
and to combat terrorism and cyber crime. H.R. 4382 also provides
additional and powerful new resources and tools. But in both cases
there are virtually no new measures for oversight and accountability,
or any protections for all the sensitive personal information
increasingly available in the digital and wireless age. (We note that
this committee's own admirable efforts to strike a greater balance in
the PATRIOT Act were largely ignored.)
We urge this committee to adopt a more comprehensive approach
to cybersecurity that recognizes the urgent need for additional
privacy protections. The Congress could start by taking up the
helpful changes to surveillance law developed and passed by the
House Judiciary Committee in the last Congress, under H.R. 5018,
including:
Heightened protections for access to wireless location information,
requiring a judge to find probable cause to believe that a crime has
been or is being committed. Today tens of millions of Americans
are carrying (or driving) mobile devices that could be used to create
a detailed dossier of their movements over time - with little clarity
over how that information could be accessed and without an
appropriate legal standard for doing so.
An increased standard for use of expanded pen registers and trap
and trace capabilities, requiring a judge to at least find that specific
and particularly facts reasonably indicate criminal activity and that
the information to be collected is relevant to the investigation of
such conduct.
Addition of electronic communications to the Title III exclusionary
rule in 18 USC §2515 and add a similar rule to the section 2703
authority. This would prohibit the use in any court or administrative
proceeding of email or other Internet communications intercepted
or seized in violation of the privacy standards in the law.
Require statistical reports for §2703 disclosures, similar to those
required by Title III.
Require high-level Justice Department approval for applications to
intercept electronic communications, as is currently required for
interceptions of wire and oral communications.
In addition, other issues - some of broader scope - need to be
addressed:
Improve the notice requirement under ECPA to ensure that
consumers receive notice whenever the government obtains
information about their Internet transactions.
Provide enhanced protection for personal information on networks:
probable cause for seizure without prior notice, and a meaningful
opportunity to object for subpoena access.
Require notice and an opportunity to object when civil subpoenas
seek personal information about Internet usage.
The bills put before this Committee last Congress were efforts
towards a modest improvement in privacy protections without in
any way denying the government any investigative tools. They
should serve as a starting point, and we hope that you will
consider including them to address the privacy concerns of many
Americans and the imbalance that exists in today's electronic
surveillance laws.
In conclusion, we urge the Subcommittee to
Substantially narrow the new emergency disclosure provisions
of Section 102. If retained, they should greatly limit the scope
of governmental entities that can receive such disclosure, could
provide deferred notice to the subscribers whose communications
were revealed, and should absolutely require reporting to
Congress on their use.
Take a more balanced approach by including some of the privacy
protections passed by this committee last Congress. Among the
most urgent of these: a need for clearer protection of wireless
location information, clearer definitions of what constitutes
content for pen/trap orders online, and additional statistical
reporting requirements.
Protecting national security and public safety in this digital age
is a major challenge and priority for our country. On balance,
however, we believe that new sources of data and new tools
available will prove to be of great benefit to government
surveillance and law enforcement. It is essential that we offer a
measured response to these concerns, and urgently take up the
need for additional privacy protections in the electronic
surveillance laws.
Powerful new government surveillance and law enforcement
capabilities demand powerful oversight, accountability, and
privacy protection mechanisms. We look forward to working
with the Subcommittee and other interested parties to craft
an approach that protects both security and privacy online.
___________________________________________
On Sunday, May 12, 2002 11:41 pm, InfoSec News
[SMTP:isn () c4i org] wrote:
| Forwarded from: Bob <bob () globaldevelopment org>
|
| http://dc.internet.com/news/print/0,,2101_1107691,00.html
|
. . .
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.