=========================================================================
EFFector Online Volume 07 No. 05       Mar. 11, 1994       editors@eff.org
A Publication of the Electronic Frontier Foundation        ISSN 1062-9424

In This Issue:

DPSWG Coalition's Digital Telephony Letter to White House
Letter of DPSWG to FBI Dir. Freeh on Wiretap Bill's Privacy Threat
EFF Files Email "Interception" Brief in Steve Jackson Games Appeal
Executive Director Position Opening Soon as EFF Expands
New EFF SysOp Membership Option
What YOU Can Do

------------------------------

The two letters below deserve your immediate attention, and further redistribution. The FBI has released a draft of the new version of its Digital Telephony legislation, aimed at crippling all future communications technology to enhance their ability to wiretap and gain the ability to perform communications traffic analysis without a warrant. To add insult to injury, tacked on to the end of the bill draft are some sections that would hope to apply the privacy protections of the ECPA to certain wireless communications, allowing the FBI to name their would-be bill, "Digital Telephony and Communications Privacy Improvement Act of 1994: A legislative proposal to protect the American public from criminal activity and ensure privacy in telecommunications".

Do not be fooled. The FBI scheme would turn the data superhighway into a national surveillance network of staggering proportions.
The letters that follow show an unprecedented consensus of civil liberties and industry organizations on the need to protect privacy, and on the adverse consequences to security and privacy threatened by the Digital Telephony bill.

"Only in a police state is the job of a policeman easy."
 - Orson Welles

"In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich Partners, two-thirds said it was more important to protect the privacy of phone calls than to preserve the ability of police to conduct wiretaps."
 - Philip Elmer-Dewitt, "Who Should Keep the Keys", _TIME_, Mar. 14 1994

----------------------------------------------------------------------

Subject: DPSWG Coalition's Digital Telephony Letter to White House
------------------------------------------------------------------

On March 9, the Digital Privacy and Security Working Group sent the following letter to the Administration calling into question the procedures by which the FBI's Digital Telephony "Wiretap Bill" draft is being examined, and expressing harsh criticism of the would-be legislation.

The DPSWG is a coalition of privacy and civil liberties organizations, trade associations, and industry leaders, coordinated by the Electronic Frontier Foundation.

March 9, 1994

The President William J. Clinton
The White House
Washington, D.C. 20500

The Vice President of the United States
United States Senate
Washington, D.C. 20510

Dear Mr. President and Mr. Vice President:

Telecommunications carriers and other members of the Digital Privacy and Security Working Group are keenly aware of the concerns raised by the Administration regarding the ability to intercept communications transmitted over advanced communications networks. We are concerned, however, about the nature of the process upon which the Administration has embarked to address these issues. Seeking immediate industry reaction to the FBI's draft legislation and congressional passage of such legislation shortly thereafter is troubling.
It suggests curtailment of public debate and of congressional deliberation. Given the interest of the public in these matters and their complexity, it is essential that there be a full public debate on these issues.

Industry is currently cooperating with appropriate authorities to avoid future problems and to expand existing capacities. This is not to say that there have not been some transitional concerns particularly upon the introduction of new technologies that have grown greatly in popularity. But, whenever transitional problems have arisen, industry representatives have worked with law enforcement officials to resolve them.

The FBI's actions are especially troubling in light of our view that legislation is not needed to accomplish the agency's goals. We still see no evidence that current law enforcement efforts are being jeopardized by new technologies. Nor are we convinced that future law enforcement activities will be jeopardized given industry cooperation.

We still believe that continued cooperation by government and industry within the working relationship that has emerged from the 1992 Quantico Joint Government Industry Group will resolve "the digital telephony problem" and preserve the government's current authorities. The discussions have succeeded in identifying specific problems and have begun the process of generating concrete, cost-effective solutions. This process has facilitated a more robust exchange of technical information and an identification of possible new equipment and police tactics needed to achieve law enforcement goals.

Nevertheless, we are prepared to work with the Congress and the Administration to attempt to resolve the legitimate concerns of law enforcement.

The signatories to this letter cannot overemphasize how critical it is that any new initiatives in this area preserve the public's confidence in the privacy of information carried over the public switched network.
Less than a decade after enactment of the Electronic Communications Privacy Act of 1986, the nation can ill afford to undercut customer privacy expectations. Indeed, on the eve of the National Information Infrastructure's deployment, preserving customer confidence is all the more important.

Privacy protection is not a secondary interest here. Survey after survey performed by Professor Alan Westin and others have demonstrated the public's concern with privacy and the security of their communications. We all must seek to maximize those interests and assure the public that their communications are protected.

Sincerely yours,

Apple Computer, Inc.
AT&T
American Civil Liberties Union
Business Software Alliance
Cellular Telecommunications Industry Association
Computer Business Equipment & Manufacturers Assn
Digital Equipment Corporation
Electronic Frontier Foundation
Electronic Messaging Association
GTE Corporation
Information Industry Association
Information Technology Association of America
Iris Associates, Inc
McCaw Cellular
MCI Communications Corporation
People for the American Way
Software Publishers Association
Sun Microsystems Federal, Inc.
Trusted Information Systems
United States Telephone Association

cc: Louis Freeh, Director, Federal Bureau of Investigation
    John Podesta, Office of the President
    Michael Nelson, Office of the Vice President
    Senator Patrick Leahy
    Senator Ernest Hollings
    Representative Don Edwards
    Representative Edward Markey

------------------------------

Subject: Letter of DPSWG to FBI Dir. Freeh on Wiretap Bill's Privacy Threat
---------------------------------------------------------------------------

On March 11, the Digital Privacy and Security Working Group sent the letter below to FBI Dir. Louis Freeh as a followup to the March 9 letter to the Administration, detailing the DPSWG's criticisms of the FBI's proposed Digital Telephony bill, and raising serious privacy questions.
EFF and the DPSWG feel that the Digital Telephony scheme, coupled with the Administration's Clipper Chip plan, could turn the future National Information Infrastructure into a nationwide surveillance network. It is clear that law enforcement needs and wants do not require such overly-broad legislative action, and the possible gain to law enforcement is vastly outweighed by the massive threat to citizen privacy.

The DPSWG is a coalition of privacy and civil liberties organizations, trade associations, and industry leaders, coordinated by the Electronic Frontier Foundation.

March 11, 1994

By Hand Delivery

Mr. Louis Freeh
Director
Federal Bureau of Investigation
Washington, D.C.

Dear Director Freeh:

This letter is a follow-up to our letter of March 9, 1994 to President Clinton and Vice President Gore (a copy is attached). While we do not believe that new legislation is needed to accomplish the FBI's goals, we take this opportunity to more specifically raise some of the questions that should be answered in pursuing any digital telephony legislation. The draft that the White House has given us for comment is overly broad, and it is our hope that this letter will assist in narrowing the scope of any legislation. While we have additional, important questions and concerns, this letter sets forth our primary concerns.

(1) Should digital telephony legislation reach "call setup information" independently of a "Title III" search warrant?

The New York Times of February 28, 1994 quotes you as stating, "My real objective is to get access to the content of telephone calls." The bill should therefore be limited to content of communications and incidental call setup or transactional data. Legislation should apply to "call setup information" only when that information is incident to a warrant issued for wire, oral, or electronic communications as set forth in 18 U.S.C. § 2518.
Extending the legislation's scope beyond the acquisition of content (pursuant to a warrant under section 2518) to the independent acquisition of call setup information raises many issues that require examination. For example, currently the legal standard for obtaining transactional data is a certification (via subpoena or statement to a judge) that the sought-after data is relevant to an ongoing criminal investigation. In the era of personal communications services ("PCS") and of the information highway, transactional data will reveal far more about individuals than it has in the past. In fact, in some cases it may be equivalent to content information. This transactional data certainly could make it possible to build a detailed model of an individual's behavior and movements.

The net result could be government dictating to industry that it create a surveillance-based system that will allow federal, state, and local government to use a service provider's electronic communication facilities to conduct minute-by-minute surveillance of individuals. As long as they have an IRS or other administrative subpoena or a law enforcement agent willing to certify that the sought-after data is relevant to an ongoing criminal investigation, law enforcement officials could demand that they be notified at some remote location every time certain individuals communicate by telephone, and their location at the time, as well as every database they connect to and when they log on and off. In short, law enforcement officials could insist on instantaneously knowing the existence of every single electronic communication (but not its content).

The enormous potential for abuse and threat to personal privacy suggests that, if transactional data were to be covered by digital telephony legislation, it should be incidental to a "Title III" wiretap warrant.
This would not limit in any way law enforcement's access to trap and trace, pen register, or call billing information under current law or practice. This is particularly true given that there has been no case made that demonstrates any current or potential difficulty in getting this non-content information under current practices. The technology in fact has made these types of services much easier for law enforcement to use and access. Additional legislation is simply not necessary to obtain this data.

(2) What is covered?

The obligation to isolate the content of communications must be reasonably related to the service provider's telecommunications services. It would be unreasonable for the FBI to demand any person involved with the communication to furnish it with access to that communication. For example, most providers, including local telephone companies, usually need to isolate communications for purposes of billing and maintenance. It is appropriate for the FBI to seek their assistance in intercepting communications on their networks only when the requests are reasonably related to the telecommunications services they provide.

Therefore, the question is not necessarily who is covered, but what telecommunications services are covered. For example, the legislation should reflect the fact that, in reselling services, even local telephone companies sometimes are unable in those instances to furnish call setup information regardless of whether it is incident to the acquisition of a communication's content.

(3) What will be the requirements placed upon service providers and what will be the standard of compliance that will be applied?

Legislation should carefully define the obligations of service providers. This is not the case with the FBI's current draft of proposed legislation. These obligations are vague and subject to considerable interpretation.
Service providers and manufacturers must have flexibility to adopt procedures that reasonably comply with the specific functional performance requirements of law enforcement. This is particularly true where, as here, compliance requires an assessment of future needs and interoperability requirements. There is a difference between compliance and a guarantee, and legislation must reflect that difference. Carriers should be required to provide reasonable cooperation and that cooperation should be measured by a standard of reasonable compliance.

In installing new software or equipment under this statute, a service provider must be able to reasonably assess future demands by law enforcement. Other industries subject to regulation at least know, for example, the temperature at which they must maintain the specimens, the emission standard they must satisfy, or the type of safety restraint equipment they must install and the date by which they must have it installed in vehicles. Service providers cannot be held to an absolute standard of compliance where they are using and delivering new technologies to the public and the demands of law enforcement are not clearly specified. This applies to both capability and capacity. Law enforcement must be specific in its requirements for capacity and capability from each service provider.

(4) What is expected of commercial mobile service providers?

It is not a foregone conclusion that mobility in a digitized telecommunications environment will degrade or otherwise impede the law enforcement community's ability to effectively execute court-approved wiretap orders. Wireless carriers are committed to assisting law enforcement agencies to successfully wiretap and intercept voice communications. To accomplish this goal, the wireless industry understands that available excess port capacity is needed in all switches throughout the nation.
While it may be reasonable for federal and state law enforcement agencies to acquire the contents of wireless communications pursuant to "Title III" warrants through additional port capacity, it would be prohibitively expensive to require that every one of the nation's switches be connected to the FBI to enable it to acquire such information on a "real time" basis at remote locations. Connecting every one of the nation's switches to the FBI, moreover, would increase exponentially the risk of unauthorized access to wireless communications.

Further, the proliferation of fraudulent use of wireless telephones through such techniques as "cloning" and "tumbling" ESNs (electronic serial numbers) poses additional questions with respect to privacy and the ability of law enforcement to properly execute court-approved wiretap orders.

(5) What are the responsibilities of manufacturers and suppliers, if any?

The FBI wishes manufacturers of telecommunications equipment and providers of support services to fall within the scope of the legislation. But, would service providers be held liable for software or hardware that is not available from vendors? Why? How would the obligations be enforced against foreign manufacturers? What would be the liability of a domestic carrier that relies upon foreign manufacturers? What are the trade implications of having domestic manufacturers export equipment designed for governmental surveillance?

(6) How, and during what period, are costs to be recovered to ensure that there is a direct relationship between the costs reasonably incurred by covered entities and the government's requirements?

Government should pay for what it needs, which will help focus attention upon the facilities that truly need upgrading. If the government does not pay for upgrades or facilities, then the service providers should not be held responsible.
The FBI appears to have accepted the concept that government should pay for the costs of compliance but has so far underestimated these costs and proposed an arbitrary three-year limit on cost reimbursement. Government compensation should be ongoing with industry's compliance.

                              * * *

We trust you find our comments helpful. We remain prepared to work with you, Congress, and others to attempt to resolve the legitimate concerns of law enforcement.

Sincerely yours,

[signed]
Jerry Berman
(202) 347-5400

[signed]
Ronald Plesser
(202) 861-3969

Enclosure

cc: John Podesta, Office of the President
    Michael Nelson, Office of Science & Technology Policy
    Senator Joseph Biden
    Senator Ernest Hollings
    Senator Patrick Leahy
    Representative Jack Brooks
    Representative John Dingell
    Representative Don Edwards
    Representative Edward Markey

------------------------------

Subject: EFF Files Email "Interception" Brief in Steve Jackson Games Appeal
---------------------------------------------------------------------------

In a move that could have significant ramifications for the proposed "information superhighway," Steve Jackson of Austin, Texas, and his company, Steve Jackson Games Incorporated -- together with three users of the company's electronic bulletin board system (BBS) -- are asking a federal appeals court to rule on how federal wiretap laws apply to electronic mail.

In an appeal filed in the United States Court of Appeals for the Fifth Circuit in New Orleans, the plaintiffs seek a ruling that a seizure of electronic mail (e-mail) before the addressee receives it qualifies as an "interception" under the Electronic Communications Privacy Act (ECPA).

The appeal follows a court victory last year for Steve Jackson Games, a small roleplaying-games book publisher in Austin, Texas. On March 1, 1990, United States Secret Service Agents seized the company's BBS and three computers containing the company's business records and all copies of an upcoming publication.
On March 12, 1993, Judge Sam Sparks of the U.S. District Court for the Western District of Texas found that Secret Service agents involved with the raid had violated the Privacy Protection Act of 1980, which is designed to protect publishers. Steve Jackson Games was awarded $51,040 in damages under that claim. In addition, the trial judge held that the seizure of electronic mail on the company's electronic bulletin board system was a violation of the stored communications provisions of the ECPA and awarded each of the plaintiffs $1,000 in statutory damages.

On a third, independent claim, however, the trial judge ruled against the plaintiffs, holding that electronic mail that had not yet been accessed by its intended recipient is not "intercepted" under the ECPA. Judge Sparks held that an interception can occur only when a communication is acquired at the same time it is occurring -- in other words, in real time as the message is actually travelling over the wires.

Plaintiffs base their appeal on Congress' intention in creating separate statutory provisions for "intercepted" communications and on the plain meaning of the term "interception." "As any defensive back knows," states the plaintiffs' brief, "this is the classic definition of an 'interception,' and one comfortably within the statute's definition."

Three organizations interested in electronic communications, the Electronic Frontier Foundation, The Society for Electronic Access and InterCon Systems Corporation, filed a friends of the court brief to support Plaintiffs' definition of "interception" under ECPA. "For purposes of intercepting the contents of an electronic mail message, the time the message actually travels through the wire between computers is a technical detail of the delivery process that should not be relevant to the law."

The Justice Department has 30 days to reply.

------------------------------

Subject: Executive Director Position Opening Soon as EFF Expands
----------------------------------------------------------------

For Immediate Release 03/03/94

The Board of Directors of the Electronic Frontier Foundation announced today that it has begun the search for a new Executive Director. An increase in EFF's activities with the rapid development of the national information infrastructure requires an addition to the management team.

The new Executive Director will work collaboratively with EFF's current Executive Director, Jerry Berman. Mr. Berman will continue as the Foundation's Director of Policy in order to devote full time leadership to EFF's critical and expanding public policy activities.

EFF identifies significant issues related to information and communication technologies, and creates activities that seek to understand how they will affect society, and change the way that people think, work and interact. Current EFF activities focus on public policy, civil liberties, and public education.

The new Executive Director will build organizational capacity by implementing management, fundraising and membership programs, and will expand the scope of the Foundation's activities by developing diverse projects that encompass:

 - information infrastructure;
 - the development and application of law;
 - evolution of new technology;
 - protection of civil liberties;
 - changes in social fabric and the meaning of community;
 - opportunities and effects on commerce/economics; and
 - international issues.

EFF was started in 1990 by Mitchell Kapor, founder of Lotus Development Corporation, and John Perry Barlow, an author and lecturer interested in digital technology and society. Both founders will continue to remain active on the Board of Directors of the organization.

For more information contact:

Electronic Frontier Foundation
Attn: Executive Director Search Committee
1001 G St.
NW, Suite 950 E, Washington DC 20001
202-347-5400
search@eff.org

------------------------------

Subject: New EFF SysOp Membership Option
----------------------------------------

EFF is now offering a special membership for BBS sysops. For a *$10* tax-deductible membership contribution, sysop members will receive a subscription to EFF's biweekly electronic newsletter (EFFector Online), a subscription to our quarterly hardcopy newsletter (Networks & Policy) and access to our online bulletin board system. In addition, sysop members will receive a special version of our Frontier Files diskette containing some of EFF's most popular resources which can be posted for distribution, ASCII and ANSI screens announcing your system's membership in EFF, and the opportunity to be listed in a directory of boards supporting EFF and its work.

Sysop members are eligible to renew at the special discounted rate of $10 if in the course of their 1 year membership they recruit 10 new EFF members.

As soon as EFF's BBS (Outpost) is fully functional, sysop members will be among the first invited to join our new FTN- and QWK-format network. Information will be forwarded about Outpost and the network as soon as it is available.

SysOp membership may be open to operators/admins of other online services as well, not just the prototypical BBS.

Any questions regarding EFF or the sysop membership can be directed to EFF's Membership coordinator at membership@eff.org. For general information about EFF and its mission, send mail to info@eff.org.

------------------------------

Subject: What YOU Can Do
------------------------

"In order to keep up with the criminals and to protect our national security, the solution is clear: we need legislation to ensure that telephone companies and other carriers provide law enforcement with access to this new technology."
 - FBI Dir. Louis Freeh, 12/8/93, on hampering new telecom technology to make it easily wiretappable. [Full text of this Dec.
1993 DC Press Club speech available for anonymous ftp as wiretap.speech from ftp.eff.org in Pub/EFF/Policy/Digital_Telephony/digtel93_freeh.speech]

That's right - it's the Digital Telephony proposal. Again. The FBI wants guaranteed access to *your* communications. If you want to fight government invasions of your privacy, join EFF!

You've been following the newspapers and reading EFFector Online. You know that today there are several battles being fought over the future of personal privacy. The Clipper Chip, export restrictions, the Digital Telephony Proposal - the arguments are numerous and complex, but the principles are clear. Who will decide how much privacy is "enough"?

The Electronic Frontier Foundation believes that individuals should be able to ensure the privacy of their personal communications through any technological means they choose. However, the government's current restrictions on the export of encryption software have stifled the development and commercial availability of strong encryption in the U.S. Rep. Maria Cantwell has introduced a bill (H.R. 3627) in the House that would liberalize export controls on software that contains encryption, but needs vocal support if the bill is to make it out of the committee stage.

The decisions that are made today will affect our futures indefinitely. EFF is a respected voice for the rights of users of online technologies and EFF members receive regular online updates on the issues that affect our online communications and participate in shaping the future.

Now, more than ever, EFF is working to make sure that you are the one that makes these decisions for yourself. Our members are making themselves heard on the whole range of issues. To date, EFF has collected over 4800 letters of support for Rep. Cantwell's bill to liberalize restrictions on cryptography. We also have over 1400 letters supporting Sen.
Leahy's open hearings on the proposed Clipper encryption scheme.

If you'd like to add your voice in support of the Cantwell bill and the Leahy hearings, you can send your letters to:

cantwell@eff.org, Subject: I support HR 3627
leahy@eff.org, Subject: I support hearings on Clipper

Your letters will be printed out and hand delivered to Rep. Cantwell and Sen. Leahy by EFF.

You KNOW privacy is important. You have probably participated in our online campaigns. Have you become a member of EFF yet? We feel that the best way to protect your online rights is to be fully informed and to make your opinions heard. EFF members are informed, and are making a difference. Join EFF today!

------------------------------

MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION
================================================

Print out in monospaced (non-proportional) font and mail to:

  Membership Coordinator
  Electronic Frontier Foundation
  1001 G Street, NW, Suite 950 East, Washington, DC 20001

SIGN ME UP!
-----------

I wish to become a member of the Electronic Frontier Foundation. I enclose:

___ Regular membership -- $40
___ Student membership -- $20
___ SysOp membership -- $10*

* SysOp members are required to bring in 10 new members to renew at the SysOp membership rate (otherwise normal rates apply). Send queries to membership@eff.org for more info.

Special Contribution

I wish to make an additional tax-deductible donation in the amount of $__________ to further support the activities of EFF and to broaden participation in the organization.

PAYMENT METHOD:
---------------

___ Enclosed is a check or money order payable to the Electronic Frontier Foundation.

___ Please charge my:

    ___ MasterCard   ___ Visa   ___ American Express

    Card Number: _____________________________________________
    Expiration Date: _________________________________________
    Signature: _______________________________________________

NOTE: We do not recommend sending credit card information via email!

YOUR CONTACT INFORMATION:
-------------------------

Name: __________________________________________________________
Organization: __________________________________________________
Address: _______________________________________________________
         _______________________________________________________
         _______________________________________________________
E-mail addresses: ______________________________________________
                  ______________________________________________
Phone: _____________________   FAX: ___________________________
BBS:   _____________________   Modem Type: ____________________
       _____________________   ________________________________
       _____________________   ________________________________

BBS Info:

  BBS Name: ___________________________________________
  SysOps:______________________________________________
  Voice/Support Phone: ________________________________
  Network Addresses: __________________________________
                     __________________________________
  BBS Notes (OS, modem types/speeds, Internet connectivity, access requirements, hours, fees, software, focus or special interests, unique features, etc.)
  _____________________________________________________
  _____________________________________________________
  _____________________________________________________

EFF will maintain a publicly available list of BBSs and similar services that support the efforts of the Electronic Frontier Foundation. Members with BBSs who do not opt for the SysOp Membership plan are welcome to be listed as well.

Include my BBS in the EFF Member BBS Directory _______

PREFERRED CONTACT

___ Electronic: Please contact me via the Internet address listed above. I would like to receive the following at that address:

    ___ EFFector Online - EFF's biweekly electronic newsletter (back issues available from ftp.eff.org, pub/EFF/Newsletters/EFFector).

    ___ Online Bulletins - bulletins on key developments affecting online communications.

    NOTE: Traffic may be high.
    You may wish to browse these publications in the Usenet newsgroup comp.org.eff.news (also available in FidoNet, as EFF-NEWS).

___ Paper: Please contact me through the US Mail at the street address listed above.

    NOTE: Paper documents available upon request. "Networks & Policy" Newsletter automatically sent via US Mail.

PRIVACY POLICY
--------------

EFF occasionally shares our mailing list with other organizations promoting similar goals. However, we respect an individual's right to privacy and will not distribute your name without explicit permission.

___ I grant permission for the EFF to distribute my name and contact information to organizations sharing similar goals.

[This form came from eff.org - please leave this line on the form! If you found it elsewhere, please tell us where so we see how far it goes.]

The Electronic Frontier Foundation is a nonprofit, 501(c)(3) organization supported by contributions from individual members, corporations and private foundations. Donations are tax-deductible.

------------------------------

Administrivia
=============

EFFector Online is published biweekly by:

  Electronic Frontier Foundation
  1001 G Street, N.W., Suite 950 East
  Washington, DC 20001, USA
  Phone: +1 202 347 5400, FAX: +1 202 393 5509
  Internet Address: eff@eff.org or ask@eff.org

Coordination, production and shipping by:
Stanton McCandlish, Online Activist

Reproduction of this publication in electronic media is encouraged. Signed articles do not necessarily represent the views of EFF. To reproduce signed articles individually, please contact the authors for their express permission.

To subscribe to EFFector via email, ask brown@eff.org for a subscription to the EFFector mailing list.

------------------------------

Internet Contact Addresses
--------------------------

Membership & donations: membership@eff.org
Legal services: ssteele@eff.org
Hardcopy publications: pubs@eff.org
Technical questions/problems, access to mailing lists: eff@eff.org
General EFF, legal, policy or online resources queries: ask@eff.org

End of EFFector Online v07 #05
******************************