Concern Over Proposed Changes in Internet Surveillance
By Carl S. Kaplan
Significant and perhaps worrisome changes in the government's Internet surveillance authority have been proposed by legislators in the wake of the attacks on the World Trade Center and the Pentagon. Indeed, so much is happening so quickly it's hard to keep track of the legislative process, let alone follow the ongoing debate between fast-moving law enforcement experts and more cautious civil libertarians.
To illuminate the huge changes afoot, it might be useful to spotlight one little corner of some proposed legislation. After all, as lawyers love to say, the devil is in the details.
The proposed law that is furthest along in the pipeline is the Combating Terrorism Act of 2001, an amendment to an appropriations bill that was passed by the Senate on September 13th without hearings and with little floor debate. That legislation, which may ultimately become part of an integrated package of laws put forward this week by the Attorney General, has several provisions. Perhaps the most controversial is section 832, which seeks to enhance the government's ability to capture information related to a suspect's activities in cyberspace.
Some background information is in order. With telephone conversations, a law enforcement official can tap a suspect's conversations only if there is probable cause to believe the suspect is doing something illegal and if a magistrate agrees to issue an order. The Fourth Amendment's ban on unreasonable searches have heightened the legal requirements needed for a government wiretap.
But suppose an F.B.I. agent doesn't want to listen to the content of a telephone conversation. Suppose she just wants to get a list of the telephone numbers that a suspect dials, and the telephone numbers of people that call the suspect? This information, the Supreme Court has held, is not that private. Under federal law, all the government has to do in order to plant gizmos that record a suspect's outgoing and incoming telephone numbers -- so called pen registers and trap and trace devices -- is to tell a magistrate that the information is relevant to an ongoing criminal investigation. There is no probable cause requirement and no hearing. The pen/trap and trace information is extremely easy to get.
For the past few years, the government has interpreted the existing pen register and trap and trace laws, which were designed with telephones in mind, to allow them to swiftly garner certain information from ISP's about a suspect's e-mails -- for example, the to/from header information.
In one sense, section 832 of the Senate amendment codifies the government's pro-law enforcement interpretation. Among other things, the amendment explicitly expands the pen/trap and trace law to include Internet communications. Specifically, the proposed law allows the government, under the low-standard pen/trap and trace authority, to record not just telephone numbers dialed but "routing, addressing, or signalling information" .
According to experts on both sides of the legislative debate, the exact meaning of routing, addressing and signalling data is ambiguous. But chances are it includes not just to/from e-mail header information but a record of the URLs -- Web site addresses -- that a person visits.
The legislation's language is "not very narrow," said Stewart Baker, head of the technology practice at Steptoe & Johnson, a Washington, D.C. law firm, and former general counsel of the National Security Agency. Conceivably, he said, federal agents under the proposed law could very easily -- and without making a showing of probable cause -- get a list of "everyone you send e-mail to, when you sent it, who replied to you, how long the messages were, whether they had attachments, as well as where you went online."
"That's quite a bit of information," added Baker, who this week participated in a written dialog on national security in wartime on the online magazine Slate. Moreover, it's more information-rich material than a log of telephone numbers. "I think if you asked anyone on the street: 'Which would you rather reveal, the telephone numbers you dialed or a list of all the people you sent e-mail to and the Web sites you visited?' I think they'd say, "Go with the phone numbers,'" he said.
Under the proposed amendment, the government's authority to easily monitor a person's clickstream is particularly troublesome and an unwarranted enlargement of pen/trap and trace law, say some critics. After all, they point out, on the Internet the boundary between a mere address and the content of a communication is fuzzy. For example, by examining a URL, an agent may gain knowledge of a book that a person sought to purchase on Amazon.com, or perhaps learn about a person's query on a search engine. Indeed, a URL for a target's use of Google may reveal travel plans:
"When you look at URLs, you're getting a map of how someone surfs the Net," said Daniel Solove, a law professor at Seton Hall University and an expert on privacy. "That's much more telling about an individual" than a list of telephone numbers, he said. He said that he wished Congress would take its time and examine any new Internet surveillance legislation with great care.
That view is echoed by Eugene Volokh, a law professor at UCLA and the other half of the ongoing national security dialog on Slate. "Keep in mind that these laws are things we will live with for a long time," he said in an interview. "These laws can be used by the government in other sorts of investigations" besides terrorism, he added.
For his part, Baker of Steptoe & Johnson is willing to stomach section 832, should it become law. "Obviously, we're in a crisis," he said.
Marc Zwillinger, a former Internet crime prosecutor for the Department of Justice who is currently a partner at the Washington, D.C. office of Kirkland & Ellis, a large law firm, goes a bit further. He said that bringing the pen/trap and trace law into the Internet Age is not that big a deal.
"Knowing that you visited a Web site at a certain time -- how is that different from knowing that you dialed a certain telephone number at a particular time of the day?" he asked. It's the same thing, he asserted. The only difference is that because people use the Web more than telephones, authorities can learn more. "I'm not troubled by it," he said.
Zwillinger noted that when he worked for the government, he obtained pen/trap and trace information about suspects' Internet use "hundreds of times." He said that under the Justice Department's interpretation of the current federal law, as well as under the proposed law, the government can lawfully record, for example, which computer terminals downloaded a particular file from a server; which computers logged into a Hotmail account to retrieve mail; which URLs a computer user visited. Often, an ISP can capture this information, he said, or the F.B.I. can deploy over-the-counter software tools or use sniffer programs such as Carnivore to obtain needed results.
But Volokh cautioned against the argument that because law enforcement has been doing something all along without explicit authority, Congress should pass a bill quickly recognizing the status quo. "Originally, the government had the right to record phone numbers" without a showing of probable cause, he said. "Then they looked at e-mail headers. Now they're looking at URLs. Each step is small. But put a lot of little steps together and you get a big bit." http://www.google.com/search?q=Do+You+Know+the+Way+to+San+Jose&btnG=Google+S earchr