The New York Times September 21, 2001
Concern Over Proposed Changes in Internet Surveillance
By Carl S. Kaplan
Significant and perhaps worrisome changes in the government's Internet
surveillance authority have been proposed by legislators in the wake of the
attacks on the World Trade Center and the Pentagon. Indeed, so much is
happening so quickly it's hard to keep track of the legislative process, let
alone follow the ongoing debate between fast-moving law enforcement experts
and more cautious civil libertarians.
To illuminate the huge changes afoot, it might be useful to spotlight one
little corner of some proposed legislation. After all, as lawyers love to
say, the devil is in the details.
The proposed law that is furthest along in the pipeline is the Combating
Terrorism Act of 2001, an amendment to an appropriations bill that was
passed by the Senate on September 13th without hearings and with little
floor debate. That legislation, which may ultimately become part of an
integrated package of laws put forward this week by the Attorney General,
has several provisions. Perhaps the most controversial is section 832, which
seeks to enhance the government's ability to capture information related to
a suspect's activities in cyberspace.
Some background information is in order. With telephone conversations, a law
enforcement official can tap a suspect's conversations only if there is
probable cause to believe the suspect is doing something illegal and if a
magistrate agrees to issue an order. The Fourth Amendment's ban on
unreasonable searches have heightened the legal requirements needed for a
government wiretap.
But suppose an F.B.I. agent doesn't want to listen to the content of a
telephone conversation. Suppose she just wants to get a list of the
telephone numbers that a suspect dials, and the telephone numbers of people
that call the suspect? This information, the Supreme Court has held, is not
that private. Under federal law, all the government has to do in order to
plant gizmos that record a suspect's outgoing and incoming telephone numbers
-- so called pen registers and trap and trace devices -- is to tell a
magistrate that the information is relevant to an ongoing criminal
investigation. There is no probable cause requirement and no hearing. The
pen/trap and trace information is extremely easy to get.
For the past few years, the government has interpreted the existing pen
register and trap and trace laws, which were designed with telephones in
mind, to allow them to swiftly garner certain information from ISP's about a
suspect's e-mails -- for example, the to/from header information.
In one sense, section 832 of the Senate amendment codifies the government's
pro-law enforcement interpretation. Among other things, the amendment
explicitly expands the pen/trap and trace law to include Internet
communications. Specifically, the proposed law allows the government, under
the low-standard pen/trap and trace authority, to record not just telephone
numbers dialed but "routing, addressing, or signalling information" .
According to experts on both sides of the legislative debate, the exact
meaning of routing, addressing and signalling data is ambiguous. But chances
are it includes not just to/from e-mail header information but a record of
the URLs -- Web site addresses -- that a person visits.
The legislation's language is "not very narrow," said Stewart Baker, head of
the technology practice at Steptoe & Johnson, a Washington, D.C. law firm,
and former general counsel of the National Security Agency. Conceivably, he
said, federal agents under the proposed law could very easily -- and without
making a showing of probable cause -- get a list of "everyone you send
e-mail to, when you sent it, who replied to you, how long the messages were,
whether they had attachments, as well as where you went online."
"That's quite a bit of information," added Baker, who this week participated
in a written dialog on national security in wartime on the online magazine
Slate. Moreover, it's more information-rich material than a log of telephone
numbers. "I think if you asked anyone on the street: 'Which would you rather
reveal, the telephone numbers you dialed or a list of all the people you
sent e-mail to and the Web sites you visited?' I think they'd say, "Go with
the phone numbers,'" he said.
Under the proposed amendment, the government's authority to easily monitor a
person's clickstream is particularly troublesome and an unwarranted
enlargement of pen/trap and trace law, say some critics. After all, they
point out, on the Internet the boundary between a mere address and the
content of a communication is fuzzy. For example, by examining a URL, an
agent may gain knowledge of a book that a person sought to purchase on
Amazon.com, or perhaps learn about a person's query on a search engine.
Indeed, a URL for a target's use of Google may reveal travel plans:
"When you look at URLs, you're getting a map of how someone surfs the Net,"
said Daniel Solove, a law professor at Seton Hall University and an expert
on privacy. "That's much more telling about an individual" than a list of
telephone numbers, he said. He said that he wished Congress would take its
time and examine any new Internet surveillance legislation with great care.
That view is echoed by Eugene Volokh, a law professor at UCLA and the other
half of the ongoing national security dialog on Slate. "Keep in mind that
these laws are things we will live with for a long time," he said in an
interview. "These laws can be used by the government in other sorts of
investigations" besides terrorism, he added.
For his part, Baker of Steptoe & Johnson is willing to stomach section 832,
should it become law. "Obviously, we're in a crisis," he said.
Marc Zwillinger, a former Internet crime prosecutor for the Department of
Justice who is currently a partner at the Washington, D.C. office of
Kirkland & Ellis, a large law firm, goes a bit further. He said that
bringing the pen/trap and trace law into the Internet Age is not that big a
deal.
"Knowing that you visited a Web site at a certain time -- how is that
different from knowing that you dialed a certain telephone number at a
particular time of the day?" he asked. It's the same thing, he asserted. The
only difference is that because people use the Web more than telephones,
authorities can learn more. "I'm not troubled by it," he said.
Zwillinger noted that when he worked for the government, he obtained
pen/trap and trace information about suspects' Internet use "hundreds of
times." He said that under the Justice Department's interpretation of the
current federal law, as well as under the proposed law, the government can
lawfully record, for example, which computer terminals downloaded a
particular file from a server; which computers logged into a Hotmail account
to retrieve mail; which URLs a computer user visited. Often, an ISP can
capture this information, he said, or the F.B.I. can deploy over-the-counter
software tools or use sniffer programs such as Carnivore to obtain needed
results.
But Volokh cautioned against the argument that because law enforcement has
been doing something all along without explicit authority, Congress should
pass a bill quickly recognizing the status quo. "Originally, the government
had the right to record phone numbers" without a showing of probable cause,
he said. "Then they looked at e-mail headers. Now they're looking at URLs.
Each step is small. But put a lot of little steps together and you get a big
bit."
http://www.google.com/search?q=Do+You+Know+the+Way+to+San+Jose&btnG=Google+S
earchr
