Return-Path: <sentto-279987-2232-1001187760-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Sat, 22 Sep 2001 12:44:12 -0700 (PDT)
Received: (qmail 2588 invoked by uid 510); 22 Sep 2001 19:43:25 -0000
Received: from n9.groups.yahoo.com (216.115.96.59) by 204.181.12.215 with SMTP; 22 Sep 2001 19:43:25 -0000
X-eGroups-Return: sentto-279987-2232-1001187760-fc=all.net@returns.onelist.com
Received: from [10.1.1.223] by fl.egroups.com with NNFMP; 22 Sep 2001 19:43:00 -0000
X-Sender: fc@big.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-7_3_2_2); 22 Sep 2001 19:42:40 -0000
Received: (qmail 27989 invoked from network); 22 Sep 2001 19:42:40 -0000
Received: from unknown (10.1.10.27) by 10.1.1.223 with QMQP; 22 Sep 2001 19:42:40 -0000
Received: from unknown (HELO big.all.net) (65.0.156.78) by mta2 with SMTP; 22 Sep 2001 19:42:59 -0000
Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id MAA19785 for iwar@onelist.com; Sat, 22 Sep 2001 12:42:59 -0700
Message-Id: <200109221942.MAA19785@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Sat, 22 Sep 2001 12:42:59 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Concern.Over.Proposed.Changes.in.Internet.Surveillance]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
September 21, 2001
CYBER LAW JOURNAL
Concern Over Proposed Changes in Internet Surveillance
By CARL S. KAPLAN
Significant and perhaps worrisome changes in the government's Internet
surveillance authority have been proposed by legislators in the wake of
the attacks on the World Trade Center and the Pentagon. Indeed, so much
is happening so quickly it's hard to keep track of the legislative
process, let alone follow the ongoing debate between fast-moving law
enforcement experts and more cautious civil libertarians.
To illuminate the huge changes afoot, it might be useful to spotlight
one little corner of some proposed legislation. After all, as lawyers
love to say, the devil is in the details.
The proposed law that is furthest along in the pipeline is the Combating
Terrorism Act of 2001, an amendment to an appropriations bill that was
passed by the Senate on September 13th without hearings and with little
floor debate. That legislation, which may ultimately become part of an
integrated package of laws put forward this week by the Attorney
General, has several provisions. Perhaps the most controversial is
section 832, which seeks to enhance the government's ability to capture
information related to a suspect's activities in cyberspace.
Some background information is in order. With telephone conversations,
a law enforcement official can tap a suspect's conversations only if
there is probable cause to believe the suspect is doing something
illegal and if a magistrate agrees to issue an order. The Fourth
Amendment's ban on unreasonable searches have heightened the legal
requirements needed for a government wiretap.
But suppose an F.B.I. agent doesn't want to listen to the content of a
telephone conversation. Suppose she just wants to get a list of the
telephone numbers that a suspect dials, and the telephone numbers of
people that call the suspect? This information, the Supreme Court has
held, is not that private. Under federal law, all the government has to
do in order to plant gizmos that record a suspect's outgoing and
incoming telephone numbers -- so called pen registers and trap and trace
devices -- is to tell a magistrate that the information is relevant to
an ongoing criminal investigation. There is no probable cause
requirement and no hearing. The pen/trap and trace information is
extremely easy to get.
For the past few years, the government has interpreted the existing pen
register and trap and trace laws, which were designed with telephones in
mind, to allow them to swiftly garner certain information from ISP's
about a suspect's e-mails -- for example, the to/from header
information.
In one sense, section 832 of the Senate amendment codifies the
government's pro-law enforcement interpretation. Among other things,
the amendment explicitly expands the pen/trap and trace law to include
Internet communications. Specifically, the proposed law allows the
government, under the low-standard pen/trap and trace authority, to
record not just telephone numbers dialed but "routing, addressing, or
signalling information" .
According to experts on both sides of the legislative debate, the exact
meaning of routing, addressing and signalling data is ambiguous. But
chances are it includes not just to/from e-mail header information but a
record of the URLs -- Web site addresses -- that a person visits.
The legislation's language is "not very narrow," said Stewart Baker,
head of the technology practice at Steptoe & Johnson, a Washington,
D.C. law firm, and former general counsel of the National Security
Agency. Conceivably, he said, federal agents under the proposed law
could very easily -- and without making a showing of probable cause --
get a list of "everyone you send e-mail to, when you sent it, who
replied to you, how long the messages were, whether they had
attachments, as well as where you went online."
"That's quite a bit of information," added Baker, who this week
participated in a written dialog on national security in wartime on the
online magazine Slate. Moreover, it's more information-rich material
than a log of telephone numbers. "I think if you asked anyone on the
street: 'Which would you rather reveal, the telephone numbers you dialed
or a list of all the people you sent e-mail to and the Web sites you
visited?' I think they'd say, "Go with the phone numbers,'" he said.
Under the proposed amendment, the government's authority to easily
monitor a person's clickstream is particularly troublesome and an
unwarranted enlargement of pen/trap and trace law, say some critics.
After all, they point out, on the Internet the boundary between a mere
address and the content of a communication is fuzzy. For example, by
examining a URL, an agent may gain knowledge of a book that a person
sought to purchase on Amazon.com, or perhaps learn about a person's
query on a search engine. Indeed, a URL for a target's use of Google
may reveal travel plans: <a
href="http://www.google.com/search?q=Do+You+Know+the+Way+to+San+Jose&btnG=Google+S">http://www.google.com/search?q=Do+You+Know+the+Way+to+San+Jose&btnG=Google+S>
earchr
"When you look at URLs, you're getting a map of how someone surfs the
Net," said Daniel Solove, a law professor at Seton Hall University and
an expert on privacy. "That's much more telling about an individual"
than a list of telephone numbers, he said. He said that he wished
Congress would take its time and examine any new Internet surveillance
legislation with great care.
That view is echoed by Eugene Volokh, a law professor at UCLA and the
other half of the ongoing national security dialog on Slate. "Keep in
mind that these laws are things we will live with for a long time," he
said in an interview. "These laws can be used by the government in
other sorts of investigations" besides terrorism, he added.
For his part, Baker of Steptoe & Johnson is willing to stomach
section 832, should it become law. "Obviously, we're in a crisis," he
said.
Marc Zwillinger, a former Internet crime prosecutor for the Department
of Justice who is currently a partner at the Washington, D.C. office of
Kirkland & Ellis, a large law firm, goes a bit further. He said
that bringing the pen/trap and trace law into the Internet Age is not
that big a deal.
"Knowing that you visited a Web site at a certain time -- how is that
different from knowing that you dialed a certain telephone number at a
particular time of the day?" he asked. It's the same thing, he
asserted. The only difference is that because people use the Web more
than telephones, authorities can learn more. "I'm not troubled by it,"
he said.
Zwillinger noted that when he worked for the government, he obtained
pen/trap and trace information about suspects' Internet use "hundreds of
times." He said that under the Justice Department's interpretation of
the current federal law, as well as under the proposed law, the
government can lawfully record, for example, which computer terminals
downloaded a particular file from a server; which computers logged into
a Hotmail account to retrieve mail; which URLs a computer user visited.
Often, an ISP can capture this information, he said, or the F.B.I. can
deploy over-the-counter software tools or use sniffer programs such as
Carnivore to obtain needed results.
But Volokh cautioned against the argument that because law enforcement
has been doing something all along without explicit authority, Congress
should pass a bill quickly recognizing the status quo. "Originally, the
government had the right to record phone numbers" without a showing of
probable cause, he said. "Then they looked at e-mail headers. Now
they're looking at URLs. Each step is small. But put a lot of little
steps together and you get a big bit."
------------------------ Yahoo! Groups Sponsor ---------------------~-->
Get your FREE VeriSign guide to security solutions for your web site: encrypting transactions, securing intranets, and more!
http://us.click.yahoo.com/XrFcOC/m5_CAA/yigFAA/kgFolB/TM
---------------------------------------------------------------------~->
------------------
http://all.net/
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:48 PDT