Leahy and Edwards introduce a narrow Digital Telephony bill
with major new privacy protections
============================================================

Today Senator Patrick Leahy (D-VT) and Representative Don Edwards
(D-CA) introduced their version of Digital Telephony legislation.  Since
1992, the Electronic Frontier Foundation has been successful at stopping a
series of FBI Digital Telephony proposals, which would have forced
communications companies to install wiretap capability into every
communications medium.  However, earlier this year, Senator Leahy and Rep.
Edwards, who have helped to quash previous FBI proposals, concluded that
the passage of such a bill was inevitable this year.  To head off passage
of the FBI's bill, Leahy and Edwards stepped in to draft a narrow bill, and
asked for EFF's help in the process.  EFF remains deeply troubled by the
prospect of the federal government forcing communications networks to be
made "wiretap ready," but we believe that the legislation introduced today
is substantially less intrusive that the original FBI proposals.

Jerry Berman, EFF Policy Director said: "We have opposed digital telephony
proposals for the past three years and still do not believe that such
legislation is necessary."

"Thanks to the work of Senator Leahy and Rep. Edwards and Senator Biden,
however, the bill contains a number of significant privacy advances,
including enhanced protection for the detailed transactional information
records generated by online information services, email systems, and the
Internet," Berman said.

Many online communication and information systems create detailed records
of users' communication activities as well as lists of the information that
they have accessed.  The new legal protection is critical in that it
recognizes that this transactional information created by new digital
communications systems is extremely sensitive and deserves a high
degree of protection from casual law enforcement access which is currently
possible without any independent judicial supervision.  Under current law,
the government can gain access to transactional records with a mere
subpoena, which can be obtained without the intervention of a court.  Under
the new privacy protections in this bill, law enforcement would have to
convince a court to issue an order based on a finding that there are
"specific and articulable facts" which prove that the information sought
would be relevant to an ongoing criminal investigation.  

"The fact that law enforcement has to take a case to court in order to get
permission to access records is a major new privacy protection which will
benefit all users of online communication systems," said Daniel Weitzner,
EFF Deputy Policy Director.

Another important privacy protection is that there is a cap on the amount
of money that can be spent on surveillance technology in the first four
years.  The Attorney General is authorized to spend up to $500 million
on reimbursement telecommunications carriers who retrofit their systems so
as to come into compliance with the bill.  So that this cap truly functions
as a privacy protection, we believe that carriers should only be
responsible for complying with the bill if the Attorney General actually
pays for modifications.  Government should get what it pays for, and no
more.

"Although we do not support the concept of digital telephony legislation,
we believe that if Congress is to pass any version of the bill this year,
it should be along the lines of the Leahy/Edwards version," said Berman.

"The version crafted by Senator Leahy and Rep. Edwards," Berman explained,
"is substantially better from a privacy, technology policy, and civil
liberties standpoint than the draconian measures offered in the past
by the Bush Administration."

"As the bill works through the legislative process," Berman continued, "EFF
will work to ensure that privacy and public process provisions are
strengthened, and that the scope remains narrow -- continuing to exclude
the Internet, electronic bulletin board systems, and online communications
services such as America Online, Prodigy and Compuserve.  Also, we note
that the radio communication provisions have not yet been subject to public
discussion, and hope that this will occur before the bill is considered by
the full House and Senate." 


FOR MORE INFORMATION CONTACT:

Jerry Berman       Policy Director           <jberman@eff.org>
Daniel Weitzner    Deputy Policy Director    <djw@eff.org>
+1 202 347 5400


     *     *     *     *     *     *     *     *


EFF Analysis of and comments on major provisions of the bill
============================================================

A.    Key new privacy protections

1.    Expanded protection for transactional records sought by law
      enforcement

Senator Leahy and Rep. Edwards have agreed that law enforcement access to
transactional records in online communication systems (everything from the
Internet to AOL to hobbyist BBSs) threatens privacy rights because the
records are personally identifiable, because they reveal the content of
people's communications, and because the compilation of such records makes
it easy for law enforcement to create a detailed picture of people's lives
online. Based on this recognition, the draft bill contains the following
provisions:

i.    Court order required for access to transactional records
      instead of mere subpoena

In order to gain access to transactional records, such as a list of to whom
a subject sent email, which online discussion group one subscribes to, or
which movies you request on a pay-per view channel, law enforcement will
have to prove to a court, by the showing of "specific and articulable
facts" that the records requested are relevant to an ongoing criminal
investigation. This means that the government may not request volumes of
transactional records merely to see what it can find through traffic
analysis. Rather, law enforcement will have to prove to a court that it has
reason to believe that it will find some specific information that is
relevant to an ongoing criminal investigation in the records that it
requests. 

With these provisions, we have achieved for all online systems, a
significantly greater level of protection than currently exists for
telephone toll records. The lists of telephone calls that are kept by local
and long distance phone companies are available to law enforcement without
any judicial intervention at all.  Law enforcement gains access to hundreds
of thousands of such telephone records each year, without a warrant and
without even notice to the citizens involved.  Court order protection will
make it much more difficult for law enforcement to go on "fishing
expeditions" through online transactional records, hoping to find evidence
of a crime by accident.

ii.   Standard of proof much greater than for telephone toll records,
      but below that for content

The most important change that these new provisions offer, is that law
enforcement will (a) have to convince a judge that there is reason to
look at a particular set of records, and (b) have to expend the time and
energy necessary to have a US Attorney or DA actually present a case before
a court. However, the burden or proof to be met by the government in such a
proceeding is lower than required for access to the content of a
communication. 

2.    New protection for location-specific information available
      in cellular, PCS and other advanced networks

Much of the electronic surveillance conducted by law enforcement today
involves gathering telephone dialing information through a device
known as a pen register. Authority to attach pen registers is obtained
merely by asserting that the information would be relevant to a criminal
investigation. Courts have no authority to deny pen register requests. 
This legislation offers significant new limits on the use of pen register
data.

Under this bill, when law enforcement seeks pen register information from
a carrier, the carrier is forbidden to deliver to law enforcement any
information which would disclose the location or movement of the calling or
called party. Cellular phone networks, PCS systems, and so-called
"follow-me" services all store location information in their networks. 
This new limitation is a major safeguard which will prevent law enforcement
from casually using mobile and intelligent communications services as
nation-wide tracking systems.

i.    New limitations on "pen register" authority

Law enforcement must use "technology reasonably available" to limit pen
registers to the collection of calling number information only.
Currently, law enforcement is able to capture not only the telephone number
dialed, but also any other touch-tone digits dialed which reflect the
user's interaction with an automated information service on the other end
of the line, such as an automatic banking system or a voice-mail password. 

3.    Bill does not preclude use of encryption

Unlike previous Digital Telephony proposals, this bill places no
obligation on telecommunication carriers to decipher encrypted messages,
unless the carrier actually holds the key.

4.    Automated remote monitoring precluded

Law enforcement is specifically precluded from having automated, remote
surveillance capability.  Any electronic surveillance must be initiated by
an employee of the telecommunications carrier.

5.    Privacy considerations essential to development of new technology

One of the requirements that telecommunications carriers must meet to
be in compliance with the Act, is that the wiretap access methods adopted
must protect the privacy and security of each user's communication.  If
this requirement is not met, anyone may petition the FCC to have the
wiretap access service be modified so that network security is maintained. 
So, the technology used to conduct wiretaps cannot also jeopardize the
security of the network as a whole.  If network-wide security problems
arise because of wiretapping standards, then the standards can be
overturned.

B.    Draconian provisions softened

In addition, the surveillance requirements imposed by the bill are not 
as far-reaching as the original FBI version.  A number of procedural
safeguards are added which seek to minimize the threatens to privacy,
security, and innovation.  Though the underlying premise of the Act is
still cause for concern, these new limitations deserve attention:

1.    Narrow Scope

The bill explicitly excludes Internet providers, email systems, BBSs,
and other online services.  Unlike the bills previously proposed by the
FBI, this bill is limited to local and long distance telephone companies,
cellular and PCS providers, and other common carriers.  

2.    Open process with public right of intervention

The public will have access to information about the implementation of
the Act, including open access to all standards adopted in compliance
with the Act, the details of how much wiretap capacity the government
demands, and a detailed accounting of all federal money paid to carriers
for modifications to their networks.  Privacy groups, industry interests,
and anyone else has a statutory right under this bill to challenge
implementation steps taken by law enforcement if they threaten privacy or
impede technology advancement.

3.    Technical requirements standards developed by industry instead of
      the Attorney General

All surveillance requirements are to be implemented according to
standards developed by industry groups.  The government is specifically
precluded from forcing any particular technical standard, and all
requirements are qualified by notions of economic and technical
reasonableness.

4.    Right to deploy untappable services

Unlike the original FBI proposal, this bill recognizes that there may
be services which are untappable, even with Herculean effort to accommodate
surveillance needs.  In provisions that still require some strengthening,
the bill allows untappable services to be deployed if redesign is not
economically or technically feasible.


C.    Provisions that must be changed

EFF plans to work on the following issues in the bill as the
legislative process continues:

1.    Strengthened public process

In the first four years of the bill's implementation, most of the requests
that law enforcement makes to carriers are required to be recorded in 
the public record.  However, additional demands for compliance after
that time are only required to be made by written notice to the carrier. 
All compliance requirements, whether initial requests or subsequent
modification, must be recorded in the Federal Register after public
hearings, to allow for public scrutiny.

2.    Linkage of cost to compliance requirements -- the FBI gets what it
      pays for and no more

The bill authorizes, but does not appropriate, $500 million to be spent by
the government in reimbursing telecommunications carriers for bringing 
their networks into compliance with the bill.  The FBI maintains that this
is enough money to cover all reasonable expenses.  The industry, however, 
has consistently maintained that the costs are five to ten times higher. 
Given the FBI's confidence in their cost estimate, we believe that
telecommunications carriers should only be required to comply to the extent
that they have been reimbursed.  This spending cap is both a safeguard
against requiring unnecessary surveillance technology, and a way to
guarantee that carriers' expenses for electronic surveillance are truly
paid for by the government, not by the customers.

3.    Ensure right to deploy untappable services

The enforcement provisions of the bill suggest, but do not state
explicitly, that services which are untappable may be deployed.  The bill
should be state directly that if it is technically and economically
unreasonable to make a service tappable, then it may be deployed, without
interference by a court.

4.    Clarify definition of call identifying information

The definition of call identifying information in the bill is too broad. 
Whether intentionally or not, the term now covers network signaling
information of networks which are beyond the scope of the bill.  To
maintain the narrow scope of the bill, this definition should be clarified.

5.    Review of minimization requirements in view of commingled
      communications

The bill implicitly contemplates that law enforcement, in some cases,
will intercept large bundles of communications, some of which are from
subscribers who are not subject of wiretap orders.  For example, when
tapping a single individual whose calls are handled by a PBX, law
enforcement may sweep in calls of other individuals as well.  Currently the
Supreme Court requires "minimization" procedures in all wiretaps, to
minimize the intrusion on the privacy of conversations not covered by a
court's wiretap order.  We believe that the bill should reinforce the
current minimization requirements by recognizing that stronger minimization
procedures may be required.

                                   
                                    * * *


Locating Relevant Documents
===========================

** Original 1992 Bush-era draft **

ftp.eff.org, /pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft
gopher.eff.org, 1/EFF/Policy/FBI/Old, digtel92_old_bill.draft
http://www.eff.org/pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital
     Telephony; file: digtel92.old


** 1993/1994 Clinton-era draft **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_bill.draft
gopher.eff.org, 1/EFF/Policy/FBI, digtel94_bill.draft
http://www.eff.org/pub/EFF/Policy/FBI/digtel94_bill.draft
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital
     Telephony; file: digtel94.dft


** 1994 final draft, as sponsored **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94.bill
gopher.eff.org, 1/EFF/Policy/FBI, digtel94.bill
http://www.eff.org/pub/EFF/Policy/FBI/digtel94.bill
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital
     Telephony; file: digtel94.bil


** EFF Analysis of sponsored version **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_analysis.eff
gopher.eff.org, 1/EFF/Policy/FBI, digtel94_analysis.eff
http://www.eff.org/pub/EFF/Policy/FBI/digtel94_analysis.eff
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital
     Telephony; file: digtel94.ana