One of the key components of the Administration's counter-terrorism legislative package is to enhance the government's authority to obtain and place so-called "pen register" and "trap and trace" orders ("pen/trap orders"). On October 1, 2001, the House Judiciary Committee adopted much of what the Administration proposed, but toned down some of the other provisions of the larger proposal. At this writing, the Senate Judiciary Committee is considering the Administration proposal together with an alternative package put forward by Senator Leahy.
This essay provides some basic background information on pen/trap orders and how changing technology indeed supports further legislative actions in this area, including proposals dealing with: emergency trap and trace actions without a court order; nationwide scope for trap and trace orders; updating outdated telephone language to apply to the Internet; and providing a more effective way for law enforcement to help system owners who are under computer attack.
Based on my experience working on these issues in the last Administration, I believe that while additional legislation is warranted, the current proposals need further work in the Congress before they are enacted. Ideally, the Congress should hold hearings and study the complex legislative language. If Congress decides that time is of the essence, then at a minimum any legislation rushed through now should have a two year sunset. That way, the proposals could be studied more carefully before they become a permanent part of our surveillance law.
Background on Pen/trap Orders
The term "pen register" comes from the old style for tracking all of the calls originating from a single telephone. At one point, the surveillance technology for wiretapped phones was based on the fact that rotary clicks would trigger movements of a pen on a piece of paper. Police could then read off the numbers dialed on the phone. Although technology has changed, we still call the list of phone numbers dialed a "pen register." The term "trap and trace" covers all of the calls to a particular phone. Surveillance technology "traps" a particular call as one that is going to the target phone. It then "traces" the call back to its point of origin.
There has been a longstanding consensus that this sort of to/from information about phone calls is less sensitive than the content of phone calls. In the 1960's, the U.S. Supreme Court held in Katz v. United States that there is a "reasonable expectation of privacy" in the content of a phone call made from a phone booth when the caller had closed the door. The Fourth Amendment thus required a warrant before the police could wiretap the call. Congress followed this case by passing a strict wiretap law for the contents of phone calls. Court orders under this statute are called "Title III" orders because the wiretap rules were in Title III of an omnibus crime control law passed in 1968.
The Supreme Court in 1979 made clear that to/from information was not as sensitive as the contents of a phone call. In Smith v. Maryland the Court held that there was no "reasonable expectation of privacy" in to/from information. The Justice Department often cites Smith as the legal basis for there being no constitutional protection for to/from information. Those who support greater protections against surveillance point out that Smith assumed that pen/trap information was very limited. For instance, the Court noted that law enforcement could not determine whether the phone call was completed, the identity of the callers, or the "purport" of any communication.
In 1984 Congress responded to Smith and to the early use of e-mail by passing the Electronic Communications Privacy Act (ECPA). ECPA created some procedural rules for pen/trap orders. As discussed below, these rules are much less strict than for wiretaps of the content of communications. ECPA also created somewhat complex rules for police access to e-mails. For interception of the content of e-mails, for instance, ECPA states that e-mail and phone call wiretaps must meet the strict Title III standards. E-mails are different from phone calls, however, in that they sit around on a service provider's computers. Police can get recent e-mails out of computer storage with a subpoena. They can get the contents of e-mails that are older than 180 days under the same low standards that apply to pen/trap orders.
ECPA has not aged gracefully. Much of its language reflects the telephone technology of the 1980s rather than the Internet realities of today. For instance, the term "pen register" is defined as "a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached." Read literally, this definition might prevent police from learning pen/trap information about who has been sent a communication. "Device" sounds like a physical term, so that a software wiretap might not qualify. "Transmitted on a telephone line" may not fit wireless and other new ways of sending messages. And "identify the numbers dialed" sounds like it applies to phone numbers rather than the full panoply of ways people might communicate over the Internet.
These sorts of outdated terms in ECPA create a serious risk for law enforcement that a court will hold that ECPA does not authorize modern pen/trap orders. Although no court has yet read the statute so narrowly, some judges have orally questioned whether the statute applies to some Internet communications. Some new technical challenges, discussed below, have also made it harder in some cases for law enforcement to get investigatory information.
ECPA also seems outdated to others for a different reason: because it treats the content of e-mails less protectively than the content of phone calls. Unlike for phone calls, wiretaps of e-mail content do not need to be approved by a senior Department of Justice official, and they can be used for any crime rather than a limited list of serious crimes. Perhaps most importantly, Title III suppresses the use of illegally wiretapped phone calls in court, but does not apply to illegal e-mail taps.
The Clinton Administration created a process last year to address the ways that ECPA was outdated. I chaired a 15-agency White House working group to prepare a bill. Chief of Staff John Podesta announced the proposal in June of 2000, and it was introduced as S. 3083. The House Judiciary Committee considered some of the issues last fall, and almost unanimously approved a bill, H.R. 5018, that was stricter on privacy protections than the Administration proposal.
Nationwide Trap and Trace
In 1984, when ECPA was passed, the local telephone company could generally fulfill a trap and trace order - the call came from a readily-identified phone number in a unified phone network. By 2001, the network has become far more complicated. To trace the source of an e-mail, law enforcement first must serve a trap and trace order on the local Internet service provider. That provider then might tell police that the e-mail came from a backbone provider, who got it from another backbone provider, who got it from another service provider elsewhere, who might finally be able to identify the sender of the e-mail.
Under current law, law enforcement must get one court order from a judge at the first stage, and a separate court order from another judge at each stage later on. This is time-consuming, expensive, and can seem redundant because the first federal judge has already approved the order. The Clinton proposal last year and the Bush proposal this year both proposed to allow one trap and trace order to be effective nationwide, back to the source of the particular communication.
Although the nationwide trap and trace order largely can be seen as updating ECPA to take account of the current network, critics have voiced some concerns. For instance, prosecutors might shop around for a judge who will approve an order based on slender evidence. In addition, telecommunications companies today are used to cooperating with the local judges and police, and know how to check to ensure that a court order is valid. But how, in the middle of the night during an investigation, should a company in Ohio react to an order from a judge in Oregon if there are doubts about the order's validity? Perhaps there should be additional legislative work to clarify how the company can and should react in such cases.
Emergency Trap and Trace Orders
Today, there are very limited emergency circumstances where law enforcement can receive trap and trace information from a company even without a court order. (In general, it is a violation of ECPA for a company to turn over to/from information to the government unless there is a court order.) Today, the focus of the emergency power is where there is imminent risk to the safety of a person. The information is provided to law enforcement immediately, and a court order is supposed to be issued shortly afterwards.
In a bill that passed the Senate a few days after the September 11 attacks (the Justice Department appropriations bill), there was a major expansion of the emergency powers. An emergency request could now be made for any "immediate threat to the national security interests of the United States." These "national security interests" may be very broad, and the threat does not need to be "substantial" but only "immediate." Perhaps even more broadly, the emergency powers would be triggered by "an attack on the integrity or availability" of essentially any computer hooked up to the Internet.
There is an important logic to these two emergency situations. First, if there is truly "an immediate threat" to the national security, then who wants to stand in the way of getting that information to the appropriate authorities? Second, if an attack on a computer is underway, the only way to track the attack to its source may be while the attack is continuing. Once the attacker has logged off, there may be no way to learn afterwards where the communication originated. If we don't provide law enforcement with an emergency exception, then it may often be too late once the court order is issued.
That said, there are deep historical concerns to allowing law enforcement to conduct searches without having to go to a magistrate first. As a technical matter, the Justice Department points out that a trap and trace order is not a "search" because Smith v. Maryland said there was no reasonable expectation of privacy in to/from information. Nonetheless, expanding emergencies to include any threat to national security and any attack on a computer gives some people pause, especially when considered together with the other proposed changes.
What Is A Telephone Number On The Internet?
The next issue is how to draw the line between to/from information (less strict) and content (more strict) for the Internet. Current law says that a pen register means a "device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached." In Smith v. Maryland the Supreme Court emphasized the narrow amount of information in "the numbers dialed" when holding that there was no reasonable expectation of privacy.
Law enforcement faces some tough challenges in using the current language on the Internet. For instance, many people today use web-based e-mail, such as Hotmail or Yahoo! When a suspect sends e-mail, law enforcement might learn only that it went to www.hotmail.com but not learn the e-mail address of the person who received the message. To learn the actual address, law enforcement would have to dig deeper into the e-mail, into the part traditionally understood to be "content" requiring the strict Title III search warrant. More generally, law enforcement does not want the language in the statute to be technology-specific; as new technologies develop, it is important for law enforcement to still be able to track a communication to its destination or back to its source.
The preferred language of the Justice Department is thus that a pen register should mean "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which" a communication is transmitted. This DRAS information (dialing, routing, addressing, and signaling) would presumably be broad enough to cover e-mail today and new technologies as they emerge.
This section of the law clearly needs to be updated so that it is no longer telephone-specific. The definition of DRAS information, however, seems to give law enforcement substantially more content on the Internet than it could have received in the telephone world. James Dempsey of the Center for Democracy and Technology has suggested that better language would be DRAS information "that identifies the destination" of a communication. "Identifying the destination" matches the historic use of to/from information in telephone numbers.
Dempsey further suggests that there should be statutory language or legislative history making it clear that pen registers do not authorize interception of search terms, URLs identifying certain documents, files or web pages, or other transactional information. Thus far, my understanding is that Justice Department officials have rejected the "identifying the destination" approach, suggesting that they indeed wish to get a broader range of information under the new statutory language.
There are constitutional as well as policy reasons to support the Dempsey approach. The entire use of pen/trap orders is based on the Smith v. Maryland finding that there is no reasonable expectation of privacy in to/from information. Under the Justice Department's proposed language, law enforcement would appear to get significantly more content about a person's web surfing, e-mail, and other activities. This broad language would be significantly more subject to constitutional challenge than the Dempsey alternative.
Computer Trespasser Exception
There is an important "computer trespasser" proposal in the Bush bill that has never been the subject of a Congressional hearing or significant public attention. My view is that some version of this proposal may be good public policy, but it needs more debate before being accepted as a permanent change in the law.
The problem arises today because of limits on how law enforcement can work with the owners of computer systems that are under attack. ECPA generally allows a system owner to monitor the system to prevent and respond to attacks. ECPA also allows a system owner to turn over to police evidence of criminal attacks that have already occurred. What ECPA does not allow, however, is for law enforcement to "look over the shoulder" or "surf behind" the owner of a computer system. The concern has been that law enforcement and system owners would agree to have law enforcement officials permanently stationed in communications companies, monitoring anything suspicious that occurred. One worry is that system owners might feel pressured to allow law enforcement officials on the premises, leading to virtually unlimited wiretapping.
The current rules can be very frustrating for system owners who want to ask the police for help with computer attacks. If an intruder is coming into the system every night, the owner might want the police to lie in wait for the attack and then use a trap and trace order to follow the intruder back to the source. The police, however, cannot take up residence and wait for a future attack. This problem has been especially acute for the Defense Department, which is subject to an enormous number of hacking attacks and cannot coordinate easily with law enforcement. It is also a problem for smaller enterprises, which often lack the technical expertise to defend their own systems against attack and wish to have police help.
Last year, this issue was discussed extensively within the Administration but a decision was made not to include the provision in the Administration's legislative proposal. The trick is how to help law enforcement appropriately without creating a recipe for permanent wiretapping. Language from last year's discussions has now surfaced in the Bush Administration's proposed bill.
The new proposal allows law enforcement to assist system owners in tracking a "computer trespasser," defined as "a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through, or from the protected computer." Interceptions would now be allowed by law enforcement if: (1) the owner or operator of the system authorizes the interception; (2) there is a lawful investigation; (3) the official "has reasonable grounds to believe that the contents of the computer trespasser's communications will be relevant to the investigation"; and (4) "such interception does not acquire communications other than those transmitted to or from the computer trespasser."
This computer trespasser proposal has just begun to receive attention from experts outside of the government. It is a significant change to current law, because it creates conditions under which law enforcement officials can station themselves in communications companies to watch phone calls, e-mail, and web surfing as it occurs. Some non-government experts are beginning to point out how open-ended the computer trespasser exception may turn out to be in practice.
My view is that there is a real problem that needs to be addressed: how law enforcement can appropriately cooperate with companies to confront ongoing hacking attacks. But Congress should be reluctant to support the current language until there have been extensive hearings and debate about this change to the law.
Should New Privacy Protections Accompany the New Wiretap Powers?
Last year, the Clinton Administration took the position that wiretap laws should be updated both to provide law enforcement appropriate tools for the Internet and to enhance the protection of privacy for e-mail, in order to reflect the importance of the content of e-mail communications.
For pen/trap orders, one important change was that the Administration said that a federal judge should make an independent determination of whether the order should issue. Under current law, "the court shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device if the court finds that the attorney for the Government has certified to the court that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation." (emphasis added)
The Clinton proposal was that the judge should not be required to issue an order based on the certification by the Government's attorney. Instead, the order should issue only where the judge "finds, based on the facts contained in the application" that the standard has been met. In debate in Congress, many members agreed with this change but also wished to raise the legal standard for issuing the order. Instead of the information being "relevant to an ongoing criminal investigation," the House Judiciary Committee in H.R. 5018 approved a stricter standard: "specific and articulable facts reasonably indicate that a crime has been, is being, or will be committed, and information likely to be obtained by such installation and use is relevant to the investigation."
Last year, the Clinton Administration also proposed that the contents of e-mail should be given the same protection as the contents of phone calls. Signature by a senior Justice Department official should be required for a Title III order. E-mail wiretaps should apply only to listed serious crimes. Most importantly, if law enforcement officials break the rules when gathering e-mails, then they should not be able to use the illegally gathered information in later proceedings.
The current Administration proposals do not contain these provisions or any others that update ECPA on the privacy side.
Putting The Package Together
Now that we have examined the pen/trap proposals supported by the current Administration, and the privacy-enhancing proposals that were proposed last year, we can try to assess the overall effect of the current proposals. As indicated above, there are indeed good reasons to consider updating the statute in each of the areas targeted by the Administration's proposals.
My view, however, is that the cumulative effect of the proposals is substantial. Broad emergency provisions mean that trap and trace orders can be instituted very often without first going to a judge. The nationwide provision means that one judge, perhaps chosen by prosecutors to be especially favorable, can institute a general order without even knowing who will be subjected to it. The expanded definition of all "dialing, routing, addressing, and signaling information" means that law enforcement will quite possibly get web surfing and a good deal of other information that goes beyond identifying the destination of a communication. The creation of the computer trespasser exception would allow ongoing monitoring of private-sector systems by law enforcement.
The cumulative effect of these proposals is more worrisome because the legislation does not contain the counter-balancing provisions that were discussed last year. Judges do not gain the power to make an independent assessment of whether the facts support issuance of a pen/trap order. The standard for issuing a pen/trap order has not been increased. If law enforcement in the future does exceed lawful limits, there is essentially no remedy. The suppression remedy that has long applied to illegal telephone wiretaps would not apply to illegal e-mail wiretaps.
The proposed pen/trap changes thus contemplate broad emergency powers, instituted nationwide, for a wider range of information, and with the possibility of ongoing on-site monitoring. My view is that a package of this sort should be made a permanent part of our law only after careful consideration and informed debate.
The Administration has asked for immediate action on its proposals. If the Congress decides to act immediately, then I think it is important to have a sunset provision, such as the two-year sunset being considered in the House. In this way, we can learn from our experience in the intervening two years. We may find after further experience and study that some of the provisions are too loose, or too strict, or otherwise not properly defined.
If proponents are not willing to accept a sunset, then I believe that good policy demands careful study of the pen/trap provisions. The computer trespasser exception, for instance, is a brand new proposal that has never been the subject of a Congressional hearing. New technology and new terrorist threats may indeed counsel for us to change our surveillance and wiretap laws. But permanent and significant changes in those laws should occur only after we better understand what we are doing.
Peter P. Swire is Professor of Law at the Ohio State University and currently a Visiting Professor at George Washington University. From 1999 to early 2001 he served as Chief Counselor for Privacy in the Office of Management and Budget. With Robert E. Litan, he is author of None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive, published by Brookings in 1998.