[Senate Hearing 106-1027]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 106-1027

                     INTERNET SECURITY AND PRIVACY

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 25, 2000

                               __________

                          Serial No. J-106-86

                               __________

         Printed for the use of the Committee on the Judiciary

                    U.S. GOVERNMENT PRINTING OFFICE
73-464                      WASHINGTON : 2001

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone (202) 512ï¿½091800  Fax: (202) 512ï¿½092250
              Mail: Stop SSOP, Washington, DC 20402ï¿½090001




                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina       PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa            EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania          JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona                     HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio                    DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri              RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan            ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama               CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire
             Manus Cooney, Chief Counsel and Staff Director
                 Bruce A. Cohen, Minority Chief Counsel




                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

Feinstein, Hon. Dianne, a U.S. Senator from the State of 
  California.....................................................    72
Grassley, Hon. Charles E., a U.S. Senator from the State of Iowa, 
  prepared statement.............................................    78
Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah......     1
Kyl, Hon. Jon, a U.S. Senator from the State of Arizona, prepared 
  statement......................................................    79
Leahy, Patrick J., a U.S. Senator from the State of Vermont, 
  prepared statement and attachments.............................    12
Schumer, Hon. Charles E., a U.S. Senator from the State of New 
  York...........................................................    10
Thurmond, Hon. Strom., a U.S. Senator from the State of South 
  Carolina, prepared statement...................................    78

                               WITNESSES

Dempsey, James X., Senior Staff Counsel, Center for Democracy and 
  Technology, prepared statement.................................    62
Heinman, Bruce J., Executive Director, Americans for Computer 
  Privacy, prepared statement....................................    30
Pethia, Richard, Director, Cert Centers, Software Engineering 
  Institute, Carnegie Mellon University, prepared statement......    37
Richards, Jeff B., Executive Director, Internet Alliance, 
  prepared statement and attachment..............................    43
Robinson, James K., Assistant Attorney General, Criminal 
  Division, U.S. Department of Justice, prepared statement.......    17
Vatis, Michael A., Director, National Infrastructure Protection 
  Center, Federal Bureau of Investigation, U.S. Department of 
  Justice, prepared statement....................................     3

                                APPENDIX
                         Questions and Answers

Responses of Bruce Herman to Questions from Senator Hatch........    81
Responses of Bruce Herman to Questions from Senator Leahy........    83
Responses of Richard Pethia to Questions from Senator Hatch......    84
Responses of Jeff B. Richards to Questions from Senator Leahy....    86
Responses of James X. Dempsey to Questions from Senator Hatch....    89
Responses of James X. Dempsey to Questions from Senator Leahy....    92

                 Additional Submissions for the Record

Center for Democracy and Technology, letter and attachments......    93
Washington Post, May 25, 2000, article...........................    27

 
                     INTERNET SECURITY AND PRIVACY

                              ----------                             

                         THURSDAY, MAY 25, 2000

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:16 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Orrin G. 
Hatch, (chairman of the committee) presiding.
    Also present: Senators Leahy, Feinstein, and Schumer.

 OPENING STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM 
                       THE STATE OF UTAH

    Chairman Hatch. I apologize for being late. I had just a 
variety of things come up at the last minute. It is just one of 
those days where you just have to do it, you know.
    Let me just say at the outset that the Internet is 
dramatically changing the way we work, live, play, and learn. 
According to recent studies, there are over 40 million Internet 
users today. More than 5 million Americans joined the online 
world in the first quarter of this year, and roughly 55,000 
more Americans join that world each new day.
    What is more, more than 3 million Web pages were created 
every day in 1999, and Web pages in the United States have 
averaged as high as 1 billion hits per day. Clearly, the 
Internet is fast becoming the means of choice for Americans to 
carry out their routine commercial and communication 
activities.
    The Internet's explosive growth promises to impact every 
aspect of our daily life, as it provides the public with useful 
and often vital information and literary content immediately at 
the mere click of a mouse. Internet technology has and will 
continue to reshape our democracy through its promise to 
continue to play an important role in educating the population 
through distance learning and through the general delivery of 
commerce and information. Additionally, the Internet's ability 
to allow anyone, regardless of wealth or market power or 
viewpoint, to deliver his or her perspective for the world to 
see and hear makes it the ultimate First Amendment enabling 
technology.
    Unfortunately, as recent denial of service and computer 
virus attacks, as well as the online theft of consumers' credit 
card information, have made all too clear, the Internet is also 
becoming an increasingly popular means by which criminals, 
including terrorists, commit crimes and attack our Nation's 
critical infrastructure.
    Americans are concerned that the Internet not become a 
haven for anonymous criminals who can remain beyond the reach 
of law enforcement. At the same time, however, as Americans 
spend more of their time on the Internet, they are also 
legitimately concerned about the ability of Web sites, both 
government and commercial, to track their digital steps. 
Consumers must be assured that personally identifiable 
information that is collected online is afforded adequate 
levels of protection. How do we do so without chilling the 
development of new technologies or the expansion of the 
marketplace?
    When we talk about ``privacy on the Internet,'' we mean the 
level of protection that Web sites operators accord Internet 
users' personal information. The basic issue revolves around 
giving Internet users notice about what personal information 
will be collected by government and commercial Web sites when 
they visit the site and how it will be used. Most Web sites 
collect and sell personal information through online 
registrations, mailing lists, surveys, user profiles, and order 
fulfillment requirements.
    Internet security refers to the extent to which Web sites 
are vulnerable to unauthorized intrusions or attacks by ill-
motivated persons. So far, many of the attacks have been 
carried out by pranksters trying to make a point or achieve a 
measure of notoriety. There have been, however, several 
instances where a Web site has been broken into and the 
intruder has stolen sensitive credit card information from the 
site. Internet security is, of course, a natural complement to 
the privacy issue. Both are essential to ensuring the integrity 
of the Internet.
    The task confronting us is how to develop and implement 
public policies that advance each of these interests. While 
some believe these goals are in hopeless conflict, I firmly 
believe that properly calibrated laws can simultaneously 
protect the Internet from criminals and terrorists, respect the 
legitimate privacy interests of Americans, and allow the 
Internet to flourish free from burdensome regulation.
    The Internet Integrity and Critical Infrastructure 
Protection Act of 2000, which I recently introduced together 
with Senator Schumer, strikes the appropriate balance. It will 
not prevent bad actors from misusing the Internet, but it will 
provide much needed resources and investigative tools to 
government agencies charged with protecting us against Internet 
crime and update our computer abuse laws to help deter and 
prevent such activities. The bill accomplishes these ends 
without undermining the growth of the Internet or lessening 
legitimate privacy interests.
    The bill also will assure consumers with respect to their 
personally identifiable information that is collected by 
Internet companies. The bill requires that a Web site provide 
customers with a notice of its practice and allow customers the 
opportunity to prevent their information from being sold to 
third parties. This approach provides for privacy protection 
without imposing a burdensome regulatory framework and without 
a Federal bureaucracy overseeing the various business practices 
of Internet companies. The bill puts in place general statutory 
rules, but leaves industry free to determine how best to comply 
with them.
    It is imperative that steps are taken, preferably by 
industry, but by government where necessary, to protect the 
integrity, security, and privacy of the Internet. By 
introducing this legislation, however, I am not suggesting that 
government must play a role in ensuring Internet integrity and 
privacy. Indeed, I would prefer to encourage private sector 
solutions within the industry, and I hope to hear your thoughts 
on what is being done to develop these non-governmental 
solutions.
    Now is the time for the various interests--private 
industry, law enforcement, other government agencies, and 
privacy and consumer groups--to come together and formulate 
policies that will help us to realize the promise of the 
Internet.
    Well, we are grateful to have a variety of witnesses here 
today. Let me introduce our first panel of witnesses. First, we 
have Michael Vatis of the Federal Bureau of Investigation. Mr. 
Vatis is the Director of the National Infrastructure Protection 
Center here in Washington, DC.
    Our next witness is James K. Robinson, the Assistant 
Attorney General for the Criminal Division at the Department of 
Justice. Mr. Robinson is accompanied by Ms. Martha Stansell-
Gamm, who is the Chief of the Computer Crime and Intellectual 
Property Section at the Department of Justice.
    So we are happy to have both of you here today, and we look 
forward to taking your testimony at this time. Mr. Vatis, we 
will turn to you first.

   PANEL CONSISTING OF MICHAEL A. VATIS, DIRECTOR, NATIONAL 
      INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF 
INVESTIGATION, U. S. DEPARTMENT OF JUSTICE, WASHINGTON, DC; AND 
    JAMES K. ROBINSON, ASSISTANT ATTORNEY GENERAL, CRIMINAL 
    DIVISION, U. S. DEPARTMENT OF JUSTICE, WASHINGTON, DC, 
ACCOMPANIED BY MARTHA STANSELL-GAMM, CHIEF, COMPUTER CRIME AND 
  INTELLECTUAL PROPERTY SECTION, U. S. DEPARTMENT OF JUSTICE, 
                         WASHINGTON, DC

                 STATEMENT OF MICHAEL A. VATIS

    Mr. Vatis. Mr. Chairman, thank you very much for inviting 
me this morning to discuss cyber crime in general, and S. 2448, 
the Hatch-Schumer bill in particular.
    As you noted in your opening remarks, cyber crime is 
clearly on the rise. That fact is borne out in not only 
anecdotal accounts in the news media, but also in the recent 
Computer Security Institute and FBI survey of private companies 
which showed that most companies have had some sort of computer 
intrusion or denial of service in the last year. It is also 
borne out by the marked increase in the FBI's caseload 
involving computer intrusions and other sorts of cyber crime. 
So this is clearly a growing problem that we need to address.
    The I Love You or Love Bug virus that hit companies and 
individuals around the world earlier this month is really only 
the latest instance of destructive viruses that coarse through 
the Internet. Last year, we saw the Melissa virus wreak similar 
havoc around the world, and the Explorer Zip virus as well.
    Earlier this year, in February, we also saw distributed 
denial of service attacks on critical e-commerce sites, and 
also Government agencies, that had the effect of knocking those 
sites off line for at least several hours. Now, that may not be 
a big deal for somebody who is merely posting a personal Web 
site with personal information on the Internet. But for a 
company that is engaged in online commerce or e-commerce, that 
could be a critical thing and cause significant economic 
damage.
    But viruses and distributed denial of service attacks are 
only one part of the pie that we are dealing with. We are also 
seeing, as you mentioned, numerous intrusions that go beyond 
pranksters or people just merely trying to show their hacking 
skills, but involve organized criminal activity to steal 
private information, proprietary data from companies about 
high-tech developments, credit card information, et cetera.
    In addition, we need to keep in mind that this is not just 
a crime problem. It is also very much a national security 
problem because of the potential for foreign intelligence 
services, foreign terrorist groups, and foreign military 
organizations to use these same sorts of tools to steal 
sensitive information from government agencies or to disrupt or 
deny service to critical infrastructure systems, which would 
have a broad-scale debilitating impact on our economy and our 
national security.
    So we are attempting in our efforts to deal with this 
problem to look at the whole spectrum of threats, ranging from 
the insider at a company who engages in hacking as a means of 
getting revenge against his employer or an individual teenage 
hacker, all the way to information warfare at the opposite end 
of the spectrum, and a whole myriad of challenges in between 
those things.
    The National Infrastructure Protection Center is an 
interagency organization located at the FBI that is attempting 
to do several things. On the one hand, we are attempting to 
gather information from all potential sources about the threat. 
That includes intelligence sources, law enforcement sources, 
and information provided to us voluntarily by private 
companies, so we can understand the full panoply of threats and 
have a picture of what is going on out there in the world in 
real time so that we can issue alerts and warnings and analyses 
to the people who are potential victims of these sorts of 
attacks.
    On the other hand, we are also trying to improve our 
capability to respond effectively to attacks that do occur, 
whether they be criminal attacks or national security attacks. 
And because of that broad spectrum of threats that we deal 
with, we work very closely with agencies from the intelligence 
community, from the Defense Department, from other law 
enforcement agencies, and most importantly from the private 
sector to ensure that we have as much information as possible.
    You mentioned how critical outreach to the private sector 
is. We fully agree with that, and as a result we have several 
outreach ventures, including our InfraGard and our Key Asset 
initiatives which are described in my formal written testimony 
in full. But they basically involve our efforts to develop 
liaison relationships with private companies so that we can 
give them information that we have that is relevant to their 
ability to protect themselves, and they can give us information 
that they have which might be relevant to our ability to 
investigate crimes and possibly deter them before they occur.
    With regard to the Hatch-Schumer bill, I will defer to Mr. 
Robinson for the bulk of the FBI and the Department's remarks 
on that, but I will say a couple of things in particular. We 
think the bill is an extremely useful advance in our ability to 
deal with this problem, particularly in the area of resources.
    It is my view that the number one thing we need right now 
is additional resources to deal with this fast-growing problem. 
Therefore, section 402 and section 109 are particularly welcome 
to us, in that they would give us additional resources both to 
do investigations and the forensic examination of computers.
    We are also very much in favor of the increased penalties 
that are in the statute, and the elimination of the $5,000 
threshold for Federal jurisdiction, because both of these 
things would provide additional deterrence to would-be 
criminals.
    I should mention there is one item in the bill that does 
cause us some concern, and that is the expansion of Secret 
Service jurisdiction for various areas of computer crime. When 
Congress first passed the Computer Fraud and Abuse Act in 1986, 
it set out careful delineation of the relative jurisdiction of 
investigative agencies which we think has worked well and has 
prevented confusion.
    The item in the bill that would do away with that 
delineation causes us concern because we think it creates the 
potential for confusion particularly in the area of electronic 
espionage, which we think should properly remain within the 
jurisdiction of the FBI, which has really the sole jurisdiction 
to investigate espionage in general right now.
    Then I would point out one thing that we think is missing 
that we would like to see added to the bill, which is the 
creation of a nationwide pen or trap and trace order so that 
one Federal court would have the ability to issue one order 
that would follow a communication regardless of how many 
jurisdictions it went through. Right now, we are in the 
position of having to get numerous court orders to follow a 
single communication because an electronic or wire 
communication can pass through numerous jurisdictions at once. 
We know that provision is in S. 2092, but we would like to see 
that also added to S. 2448 because we think that is critical to 
our ability to quickly pursue an investigation.
    So we look forward to working with your staff on these and 
other suggestions that we have with regard to the bill, and I 
thank you again for inviting me here today.
    [The prepared statement of Mr. Vatis follows:]

                 Prepared Statement of Michael A. Vatis

    Good morning, Mr. Chairman, Senator Leahy, and Members of the 
Committee. I am grateful for this opportunity to discuss cybercrime in 
general and S. 2448, the Hatch-Schumer bill, in particular.
    Last month the Computer Security Institute released its fifth 
annual ``Computer Crime and Security Survey,'' The results only confirm 
what we had already suspected given our burgeoning case load: that more 
companies surveyed are reporting illegal intrusions, that dollar losses 
are increasing, that insiders remain a serious threat, and that more 
companies are doing more business on the Internet than ever before--and 
are thus vulnerable to the rising tide of cyber crime.
    The statistics tell the story. Ninety percent of respondents 
detected security breaches over the last 12 months. At least 74 percent 
of respondents reported security breaches including theft of 
proprietary information, financial fraud, system penetration by 
outsiders, data or network sabotage, or denial of service attacks. Many 
companies experienced multiple attacks; 19% of respondents reported 10 
or more incidents. Information theft and financial fraud caused the 
most severe financial losses, estimated by the respondents at $68 
million and $56 million respectively. The losses from 273 respondents 
totaled just over $265 million. Notably, this survey does not include 
harm caused by recent destructive episodes such as the Distributed 
Denial of Service attacks on e-commerce sites in February, and the 
``ILOVEYOU'' or ``Love Bug'' virus earlier this month. Unfortunately, 
we should expect that the results of next year's survey will show a 
continuing upward trend in the damage caused by cyber crime.
    Over the past several years we have seen a broad spectrum of 
computer crimes ranging from defacement of websites by juveniles to 
sophisticated intrusions that we suspect may be sponsored by foreign 
powers, and everything in between. Some of these are obviously more 
significant than others. The theft of national security information 
from a government agency or the interruption of electrical power to a 
major metropolitan area has greater consequences for national security, 
public safety, and the economy than the defacement of a web-site. But 
even the less serious categories have real consequences and, 
ultimately, can undermine confidence in e-commerce and violate privacy 
or property rights. A website hack that shuts down an e-commerce site 
can have disastrous consequences for a business. An intrusion that 
results in the theft of credit card numbers from an online vendor can 
result in significant financial loss and, more broadly, reduce 
consumers' willingness to engage in e-commerce. And a destructive virus 
that disables a company's email server or forces it to disconnect from 
the Internet can significantly disrupt business operations. The harm 
caused by the Distributed Denial of Service attacks in February and the 
``ILOVEYOU'' virus this month are only the most recent examples of the 
magnitude of this problem. The fact is that far more cyber crime occurs 
that the public never hears about. Accordingly, it is imperative that 
Congress and the Executive Branch work together to ensure that we have 
the legal authorities, the programs, and the resources we need to 
investigate, and, ultimately, deter these sorts of crimes.
                           ``iloveyou'' virus
    Let me take a minute to update the committee on the ILOVEYOU virus 
(or worm) matter. The NIPC first learned of the virus on May 4, 2000 at 
5:45 a.m., when an industry contact called the NIPC Watch to inform it 
of the virus. The Watch's standard procedure when informed of a virus 
is to verify the report and determine its potential significance by 
checking various law enforcement, intelligence, private sector, and 
``open'' (e.g., media) sources. There are on average over 30 new 
viruses disseminated every day, with over 50,000 known viruses in 
existence overall, and most do not warrant a public warning because 
they are not terribly damaging, do not propagate easily, and/or are 
detected by existing anti-virus software. Accordingly, it is important 
for us, as well as for private sector computer response entities, to 
assess virus reports to ensure that the reports are credible and that a 
virus is significant enough, in terms of its destructive impact and the 
speed and breadth of propagation, to warrant a public warning. Creating 
an unnecessary panic or perpetuating a virus hoax could be just as 
damaging as a real virus if it causes people to unnecessarily 
disconnect from the Internet or shut down email.
    Unfortunately, there was not a great deal of information available 
on the new virus early on May 4. Nevertheless, by 7:40 a.m.--less than 
two hours after we had received the initial report--the NIPC had 
obtained sufficient information to verify the initial report and assess 
the virus. We then immediately notified the Federal Computer Incident 
Response Capability (FedCIRC), which is responsible for assisting 
government systems administrators in addressing computer network 
vulnerabilities. This notification was made by telephone because of the 
urgency of the situation and the need to make immediate contact. 
FedCIRC then began notifying other government agencies, completing the 
process by approximately 9 a.m. The NIPC also telephonically notified 
the Computer Emergency Response Team-Coordination Center at Carnegie 
Mellon University, which assists private sector systems administrators. 
This process was the most expeditious means available for reaching a 
broad audience, while we continued to seek out and assess additional 
information. Subsequently, the Watch loaded the alert into our website, 
so that it was accessible to the general public, and sent the alert our 
directly to thousands of private companies and state and local law 
enforcement agencies. The Watch then continually provided updates on 
the virus and its many variants.
    To date, the NIPC has published 18 alerts on variants of the 
ILOVEYOU virus as they are identified. We have also issued an alert on 
a new, more destructive virus, dubbed the ``New Love.vbs'' virus. The 
``New Love'' virus deletes a much broader range of files than did the 
variants of the ILOVEYOU virus. In addition, this virus is 
``polymorphic,'' in that each new dissemination of it comes in a new 
guise and with slightly different code, which makes it harder both for 
human recipients and anti-virus software to detect. The NewLove.VBS 
variant uses the filename of a file that a user has recently been 
working on, and places that filename in the subject line of the email 
transmission. The recipient may thus think that he has been forwarded a 
file from a known associate. When the attachment is opened, this worm 
can damage or delete most or all files not currently in use. It can 
also transmit itself to a new group of victims taken from the current 
victim's email address book. Each wave to emails will have a different 
subject line taken from a filename that the current victim has recently 
been working on. In addition, each wave will contain slightly altered 
code in the attachment, in order to try to evade anti-virus software 
updated to address earlier iterations of the virus.
    The NIPC began issuing alerts on the New Love virus at 
approximately 2 a.m. on May 19. Fortunately, although this virus is 
more destructive than the ILOVEYOU virus, it has not propagated nearly 
as quickly, in part because of early warnings and the heightened 
awareness by users after the ILOVEYOU episode of the need to take 
caution in opening email.
    In addition to issuing alerts, the NIPC has been coordinating and 
supporting the FBI investigations into the ILOVEYOU virus and some of 
the variants. Notably, the FBI's New York office was able to obtain 
leads on the ILOVEYOU virus very quickly, and contacted authorities in 
the Philippines within a day of the virus' spread. FBI agents from the 
United States as well as the FBI Legal Attache in Manilla are working 
closely with the Philippine National Bureau of Investigation. Some of 
the officers assigned to the case there are ones we have trained as 
part of our international outreach program.
Initiatives to fight cyber crime
    Since its creation two years ago, the NIPC has moved aggressively 
to address the growing threat of cyber crime through several 
coordinated efforts. The NIPC serves as a focal point for the Federal 
Government's efforts to detect, assess, warn of, and respond to cyber 
attacks. To accomplish its goals, the NIPC is organize into three 
sections:
    The Computer Investigations and Operations Section (CIOS) is the 
operational response arm of the Center. It supports and, where 
necessary, coordinates computer investigations conducted by FBI field 
offices throughout the country, provides expert technical assistance to 
network investigations, and provides a cyber emergency response 
capability to coordinate the response to a national-level cyber 
incident.
    The Analysis and Warning Section (AWS) serves as the ``indications 
and warning'' arm of the NIPC. It provides tactical analytical support 
during a cyber incident, and also develops strategic analyses of 
threats for dissemination to both government and private sector 
entities so that they can take appropriate steps to protect themselves. 
Through its 24/7 watch and warning operation, it maintains a real-time 
situational awareness by reviewing numerous governmental and ``open'' 
sources of information and by maintaining communications with partner 
entities in the government and private sector. Through its efforts, the 
AWS strives to acquire indications of a possible attack, assess the 
information, and issue appropriate warnings to government and private 
sector partners as quickly as possible.
    The Training, Outreach and Strategy Section (TOSS) coordinates the 
vital training of cyber investigators in the FBI field offices, other 
federal agencies, and state and local law enforcement. It also 
coordinates outreach to private industry and government agencies to 
build the partnerships that are key to both our investigative and our 
warning missions. In addition, this section manages our efforts to 
catalogue information about individual ``key assets'' across the 
country which, if successfully attacked, could have significant 
repercussions on our economy or national security. Finally, the TOSS 
handles the development of strategy and policy in conjunction with 
other agencies and the Congress.
    The broad spectrum of cyber threats, ranging from hacking to 
foreign espionage and information warfare, requires not just new 
technologies and skills on the part of investigators, but new 
organizational constructs as well. In most cyber attacks, the identity, 
location, and objective of the perpetrator are not immediately 
apparent. Nor is the scope of his attack--i.e., whether an intrusion is 
isolated or part of a broader pattern affecting numerous targets. This 
means it is often impossible to determine at the outset if an intrusion 
is an act of cyber vandalism, organized crime, domestic or foreign 
terrorism, economic or traditional espionage, or some form of strategic 
military attack. The only way to determine the source, nature, and 
scope of the incident is to gather information from the victim sites 
and intermediate sites such as ISPs and telecommunications carriers. 
Under our constitutional system, such information typically can be 
gathered only pursuant to criminal investigative authorities. This is 
why the NIPC is part of the FBI, allowing us to utilize the FBI's legal 
authorities to gather and retain information and to act on it, 
consistent with constitutional and statutory requirements.
    But the dimension and varied nature of the threats also means that 
this is an issue that concerns not just the FBI and law enforcement 
agencies, but also the Department of Defense, the Intelligence 
Community, and civilian agencies with infrastructure-focused 
responsibility such as the Departments of Energy and Transportation. It 
also is a matter that greatly affects state and local law enforcement. 
This is why the NIPC is an interagency center, with representatives 
detailed to the FBI from numerous federal agencies and representation 
from state and local law enforcement as well. These representatives 
operate under the direction and authority of the FBI, but bring with 
them expertise and skills from their respective home agencies that 
enable better coordination and cooperation among all relevant agencies, 
consistent with applicable laws.
    In addition to the activities at NIPC headquarters, the NIPC has 
established a National Infrastructure Protection and Computer Intrusion 
(NIPCI) Program in the FBI field offices across the nation. Currently 
16 field offices have computer intrusion squads, while other offices 
have at least one agent working computer intrusion and infrastructure 
protection.
    Much has been said over the last few years about the importance of 
information sharing. Since our founding, the NIPC has been actively 
engaged in building concrete mechanisms and initiatives to make this 
sharing a reality, and we have built up a track record of actually 
sharing useful information. These efforts belie the notions that 
private industry won't share with law enforcement in this area, or that 
the government won't provide meaningful threat data to industry. As 
companies continue to gain experience in dealing with the NIPC and FBI 
field offices, as we continue to provide them with important and useful 
threat information, and as companies recognize that cyber crime 
requires a joint effort by industry and government together, we will 
continue to make real progress in this area.
    The effort to protect the nation's critical infrastructures and 
deter computer intrusions, however, requires close cooperation with the 
private sector and with state and local law enforcement. The NIPC is 
pursuing several significant outreach efforts to the private sector. 
Our Key Asset Initiative (KAI) is focused specifically on the owners 
and operators of critical components of each of the infrastructure 
sectors. It facilitates the response to threats and incidents by 
building liaison and communication links with the owners and operators 
of individual companies and enabling contingency planning. The KAI 
began in the 1980s and focused on physical vulnerabilities to 
terrorism. Under the NIPC, the KAI has been reinvigorated and expanded 
to focus on cyber threats and vulnerabilities as well. The KAI 
currently involves determining which assets are key within the 
jurisdiction of each FBI Field Office and obtaining 24-points of 
contact at each asset in cases of emergency. Eventually, if future 
resources permit, the initiative will include the development of 
contingency plans to respond to attacks on each asset, exercises to 
test response plans, and modelings to determine the effects of an 
attack on particular assets. FBI field offices are responsible for 
developing a list of the assets within their respective jurisdictions, 
while the NIPC maintains the national database. The KAI is being 
developed in coordination with DOD and other agencies. Currently the 
database has about 2400 entries.
    A second outreach initiative is InfraGard. This is actually an 
initiative that was created by private companies and academic 
institutions that wanted to get together and share information about 
threats and vulnerabilities with each other, and with the FBI. A vital 
component of InfraGard is the ability of industry to provide 
information on intrusions to the local FBI field office and to the NIPC 
using secure e-mail communications in both a ``sanitized'' and detailed 
format. The local FBI field offices can, if appropriate, use the 
detailed version to initiate an investigation; while NIPC Headquarters 
can analyze that information in conjunction with other information we 
obtain to determine if the intrusion is part of a broader attack on 
numerous sites. The NIPC can simultaneously use the sanitized version 
to inform other members of the intrusion without compromising the 
confidentiality of the reporting company. The key to this system is 
that whether, and what, to report is entirely up to the reporting 
company. A secure web site also contains a variety of analytic and 
warning products that we made available to the InfraGard community. 
Alerts can also be sent directly by the NIPC Watch to InfraGard 
members.
    Another initiative is a pilot program we have begun with the North 
American Electrical Reliability Council (NERC) to develop an 
``Indications and Warning'' System for cyber attacks. Under the pilot 
program, electric utility companies and other power entities transmit 
cyber incident reports to the NIPC. These reports are analyzed and 
assessed to determine whether an NIPC warning, alert, or advisory is 
warranted to the electric utility community. Electric power 
participants in the pilot program have stated that the information and 
analysis provided by the NIPC back to the power companies make this 
program especially worthwhile. It is our expectation that the 
Electrical Power Indications and Warning System will provide a mode for 
the other critical infrastructures. We are currently working with 
industry on a Indications and Warning model for the telecommunications 
sector.
    With regard to state and local law enforcement the NIPC has 
sponsored computer investigations training for state and local 
investigators, in addition to FBI and other federal investigators. In 
the last two years we have trained hundreds of FBI and other-
government-agency students in NIPC sponsored training classes on 
network investigations and infrastructure protection. The emphasis for 
2000 is on continuing to train federal personnel while expanding 
training opportunities for state and local law enforcement personnel. 
During FY 2000, we plan to train approximately 740 personnel from the 
FBI, other federal agencies, and state and local law enforcement. As of 
April, 2000 we had already trained 540 students in FY 2000. The NIPC 
also has held international computer crime conferences and offered 
cyber crime training classes to foreign law enforcement officials to 
develop liaison contacts and bring these officials up to speed on cyber 
crime issues.
    In addition, in its role under Presidential Decision Directive 
(PDD) 63 as the lead agency for the ``emergency law enforcement 
sector,'' the NIPC has been working with state and local law 
enforcement to develop a plan to protect that sector from cyber attack 
and reduce its vulnerabilities. As part of that effort, the NIPC's 
alerts and warnings are regularly sent to state and local law 
enforcement agencies via the National Law Enforcement 
Telecommunications System (NLETS).
    All of these efforts are critical to our ability to build a 
partnership across government agencies at all levels, and between the 
government and private sector. They have already borne fruit in that we 
have seen an unprecedented level of cooperation and information sharing 
to address cyber threats. But much work remains for us to expand our 
base of contacts and build a system that allows for speedy reports by 
private companies and government agencies, so that we get the earliest 
possible warning of developing threats, and that permits expeditious 
alerts and warnings by the NIPC to government agencies, private 
companies, and the public, as appropriate.
            The Hatch-Schumer bill
    With regard to S. 2448, the Hatch-Schumer bill, I will generally 
defer to Assistant Attorney General Robinson, and confine my comments 
to only a few items. Let me say at the outset, however, that we are 
very pleased that in a year that has seen some of the most destructive 
attacks ever on the Internet, Congress, and in particular the Senate 
Judiciary Committee, is acting to strengthen the computer intrusion 
laws and enhance our ability to fight computer crime, while protecting 
privacy rights.
    While some of the legislative changes effected by the bill (and 
others not in the bill, which I will mention below) are important, it 
is our view that the most pressing need right now to enhance our 
ability to fight cyber crime is additional investigative capabilities. 
Unless we have a sufficient number of trained cyber investigators and 
analysts, and state of the art equipment to help analyze and process 
data, we simply will not be able to do our job, and fulfill our mission 
under PDD 63, adequately. For this reason, we welcome section 402 of S. 
2448, which authorizes the appropriation of additional resources.
    Similarly, we welcome the effort in Section 109a of S. 2448, to 
develop a greater capability at the federal, state, and local level for 
law enforcement to address the burgeoning load of computer forensics. 
This forensic work is critical not only in what we commonly refer to as 
``computer crime'' (meaning crimes in which criminals use computers as 
tools to attack other computers to steal money or information, 
undermine the integrity or data, or deny or disrupt service) but also 
in more traditional investigations involving organized crime, narcotics 
trafficking, espionage, terrorism, child pornography, white collar 
crime, etc. Further, as the frequency of encounters with encryption 
increases, it is essential that the FBI be capable of utilizing 
techniques to deal with encryption products. For as the world continues 
to do more and more business on-line, more and more evidence of crime 
is being found on computers, necessitating the work of specially 
trained forensic examiners to produce critical evidence.
    The FBI believes that there is and necessarily will be a logical 
synergy between the missions and functions of this enhanced national 
capability and the Regional Computer Forensics Labs as part of a 
successful, multi-layered, pyramidic cybercrime strategy. In order to 
realistically achieve the maximum allocation of precious technical and 
personnel resources, as well as achieve economies of scale, we support 
this enhanced technical support capability.
    In addition to these provisions that would increase our 
investigative capabilities, S. 2448 would effect changes in the 
Computer Fraud and Abuse Act that would enhance our ability to 
investigate computer intrusions, denial of service attacks, and 
propagation of computer viruses and, ultimately, provide a greater 
deterrence to those who might engage in computer crime in the future. 
In particular, we support provisions that make the penalties match the 
seriousness of the damage caused by large scale computer crime. The 
current penalties provide inadequate deterrence, and send the 
inappropriate signal that a computer crime that could cause millions or 
even billions of dollars of damage is not treated seriously by the 
Federal Government. We also support revision of the $5,000 proof of 
damage provision; S. 2448 would make federal jurisdiction attach to the 
nature of the computer intrusion rather than the dollar value of 
damage. We have seen many instances where the damage is difficult to 
determine in dollars, but where the crime is extremely serious based on 
the nature of the systems that were affected or the potential damage 
that the criminal could have caused with a mere tap on the keyboard.
Additional legislative changes
    There are additional legislative changes not in S. 2448 that would 
assist law enforcement in the investigation of computer crimes. Many of 
the present statutes that are used in the investigation of computer 
crime were written prior to the widespread use of personal computers, 
desktop publishing, and the Internet. These drafters of these laws 
surely did not intend that criminals simply using new technology could 
hide their activities from law enforcement and escape prosecution. The 
Pen Register/Trap and Trace Statute is one significant example.
    As the Director testified on March 28, 2000 on S. 2092, the FBI 
supports provisions of S. 2092 that renders the language regarding pen 
traps and traces technology neutral. This is especially critical in 
light of changing technology. Even the terms ``pen register'' and 
``trap and trace'' are of limited significance today and harken back to 
a time when telephone companies would actually attach a physical device 
to a telephone line to implement these court orders. Today, few phone 
companies attach a physical device to an individual telephone line. 
It's critical that our investigative laws keep pace with the evolving 
technology utilized by criminals.
Conclusion
    The last couple of years have witnessed a series of increasingly 
destructive attacks on our government and commercial computer networks. 
In 1998, young hackers from California and Israel were able to 
penetrate numerous Department of Defense computers and gain ``root'' 
access, meaning they had the capability to shut the systems down or 
steal or alter important information. In 1999, the Melissa Macro Virus 
caused at least $80 million in damage and affected networks and systems 
all over the world. In 2000, Distributed Denial of Service attacks took 
some of the most popular e-commerce sites off-line for several hours, 
causing enormous losses in terms of lost business opportunities and 
repair costs. Most recently, the ILOVEYOU virus impaired government and 
commercial systems across the globe by jamming e-mail servers and 
erasing computer files. All of these events, and the many more that 
don't make the front pages of newspapers but may be at least as 
significant in terms of their impact on our economy or our national 
security, all demonstrate the urgent need for greater resources for law 
enforcement to address these problems and for changes to the applicable 
laws to enhance our investigative capabilities and provide added 
deterrence. S. 2448 is a welcome step in our battle against cybercrime. 
We look forward to working with the committee staff to provide more 
detailed suggestions on this important legislation. Thank you.

    The Chairman. Thank you, Mr. Vatis.
    Let me turn to Senator Schumer, who has a short statement 
he would like to make as a prime cosponsor of this bill.

 STATEMENT OF HON. CHARLES E. SCHUMER, A U.S. SENATOR FROM THE 
                       STATE OF NEW YORK

    Senator Schumer. Well, thank you, Mr. Chairman. I want to 
thank you for your leadership on this, as on so many other 
issues, and for being such a fine person for a new Senator to 
work with, which I appreciate very, very much.
    The Chairman. Thank you very much.
    Senator Schumer. Mr. Chairman, I appreciate the opportunity 
to make a statement. I am in the Banking Committee and here on 
two issues I care about, so I will be shuttling back and forth 
the whole morning.
    Mr. Chairman, let's face it, we are in a brave new world. 
In 1993, there were 13 non-government sites on the World Wide 
Web. Today, there are 14 million. And as the Web has 
mushroomed, Internet crime has quickly and quietly become a 
clear and present danger to our national security, our economy, 
and all our lives.
    In 1996, the cost of Internet crime was about $100 million. 
In 1998, the number tripled, and now a single computer virus, 
the I Love You virus, can cause on its own financial losses in 
the billions. The denial of service attacks a few months ago 
and the I Love You virus show how easy it is to cripple the 
most prized computer networks around the globe, and how 
helpless law enforcement can be in catching those responsible. 
Up to now, it seems those who have caused damage are doing it 
almost for sport. What is going to happen when someone with far 
more nefarious purposes starts to do this?
    Mr. Chairman, there are multiple causes of this problem. 
First, most computer systems are not sufficiently secure, and 
security was usually a relatively low priority in the 
development of computer software and Internet systems. Second, 
hacking is still considered more of a prank than a crime, even 
though hacking could cost lives or billions of dollars to the 
economy.
    Third, our laws, even our computer laws, are set up for a 
world that travels at sub-sonic speed, while hacking crimes and 
computer viruses move at the speed of light. We have fallible 
systems vulnerable to hackers who are viewed with bemusement, 
and laws that make it difficult to apprehend them.
    And we are constantly learning. For instance, one major 
problem we face with computer crime is the failure of many 
companies to report hacking incidents. Until recently, I 
assumed this was because companies thought their businesses 
would be hurt and their vulnerabilities exposed. But I have 
recently learned an additional reason. Apparently, it is part 
of the hacker ethic that if a company reports its incident, 
then it is open season in the hacker community against that 
company.
    I have also learned recently of a growing number of Net 
denizens who are helping law enforcement by serving as private 
Net detectives. Maybe it is time we started thinking about how 
to harness this excellent resources that could be the next wave 
of community policing.
    Mr. Chairman, clearly this new world of computer crime 
requires new study and new solutions. And as the Net goes 
wireless, we may need even new, new solutions. At the very 
least, I am convinced that taking on computer crime will be 
tricky, requiring far-reaching and complex solutions that, 
among other things, require significant cooperation from 
foreign governments. International borders are not even speed 
bumps on the information superhighway.
    And we shouldn't fool ourselves into thinking Congress can 
alone solve this problem or do so right away. With that said, I 
think there are some common-sense changes we can make. They are 
embodied in the bill that Senator Hatch and I have introduced, 
and I won't go over them, but the comprehensive bill 
facilitates the apprehension, prosecution, and punishment of 
computer criminals. In addition, Senator Kyl and I have 
introduced S. 2092 that for the first time provides law 
enforcement with nationwide trap and trace authority.
    The bottom line is that the creation of a more secure 
environment in cyberspace is good for everyone except 
criminals. The question is whether we can come up with 
appropriate solutions that will deter and punish crime without 
impinging on the rights of individuals and slowing down the 
booming growth in the Net.
    Mr. Chairman, I think the bill we have introduced is a good 
start, and I appreciate your holding hearings on it. I also 
thank my ranking member, Senator Leahy, who is just walking in, 
although I was mentioning him before I saw that, for all this 
good work on this issue.
    Thank you.
    The Chairman. Thank you.
    Senator Leahy, do you have a statement you would care to 
make?

  STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE 
                        STATE OF VERMONT

    Senator Leahy. I do, Mr. Chairman, and I will keep it 
brief.
    I think that computer-related crime really is a major 
challenge for law enforcement. I think of what happened with 
the Love Bug. We ended up worried all last year about the Y2K 
problem, which turned out to be a big yawn because of work done 
here, but also in countries that even did very little or any 
work it was not much of a problem.
    Now, with the Love Bug, we are talking about billions of 
dollars of damage. I know how many problems it caused my own 
office, and efforts to clean and purge files to make sure 
things could be done. It made it impossible to work between our 
various offices for a couple of days.
    But we have done a number of things to help law 
enforcement. As Jim Robinson knows, in 1984 we passed the 
Computer Fraud and Abuse Act to criminalize conduct when 
carried out by means of unauthorized access to a computer. In 
1986, we passed the Electronic Communications Privacy Act, 
ECPA, which I sponsored, that criminalized tampering with 
electronic mail systems.
    In 1994, the Violent Crime Control and Law Enforcement Act 
included the computer abuse amendments which I authored to make 
illegal the intentional transmission of computer viruses. In 
the 104th Congress, Senators Kyl, Grassley and I worked 
together to enact the National Information Infrastructure 
Protection Act.
    We have introduced a bill in this Congress with Senator 
DeWine, the Computer Crime Enforcement Act, to set up a $25 
million grant program within the Department of Justice for 
States to use. All 50 States have tough computer control laws, 
but they need the training, and this would help greatly. We 
have seen even in a little State like mine the number of 
problems we have.
    Our computer crime laws need to be kept up to date. We 
introduced S. 2430 on April 13, the Internet Security Act, that 
would do that. The Hatch-Schumer Internet Integrity and 
Critical Infrastructure Protection Act is scheduled for markup 
at the committee's next business meeting, and I am very pleased 
that both Senator Hatch and Senator Schumer are here having 
this hearing.
    I support a number of the provisions in it. In fact, some 
are virtually identical to sections in my Internet Security Act 
and my e-rights bill, so I obviously support those. I would 
raise only the question of some parts of it which would 
criminalize a variety of minor computer abuses, regardless of 
whether any significant harm results.
    I think we want to look at this. I don't want to be 
criminalizing an over-curious college sophomore who might check 
a professor's unattended computer to see what grade he is going 
to get and accidentally delete a message. I don't think Federal 
law should go after that. One could argue that under S. 2448, 
that could constitute a three-year felony. So I think we have 
to make sure that we do the things we all agree we want to do, 
not criminalize other aspects. I have mentioned this to the 
chairman before and to Senator Schumer, and we will continue to 
work on that.
    I don't want to hold up the hearing. I will put the whole 
statement in the record, Orrin, but I did want to mention those 
points. There are some parts, as I said, I strongly agree with 
because they are the same as my bill, but there are other parts 
that we want to just make sure that we don't overreach on some 
of these areas of criminalization.
    [The prepared statement of Senator Leahy follows:]

             Prepared Statement of Senator Patrick J. Leahy

    As we head into the twenty-first century, computer-related crime is 
one of the greatest challenges facing law enforcement. Many of our 
critical infrastructures, our government and each of us depend upon the 
reliability and security of complex computer systems. We need to make 
sure that both essential government systems and our personal computers 
are protected from attack. Just recently we were reminded of how 
vulnerable--and how inter-connected--all of our computer systems are 
when the ``I love you'' virus disabled computers all over the world.
    Cybercrime is not a new problem. We have been aware of the 
vulnerabilities to terrorist attacks of our computer networks for more 
than a decade. It became clear to me, when I chaired a series of 
hearings in 1988 and 1989 by the Subcommittee on Technology and the Law 
in the Senate Judiciary Committee on the subject of high-tech terrorism 
and the threat of computer viruses, that merely ``hardening'' our 
physical space from potential attack would only prompt committed 
criminals and terrorists to switch tactics and use new technologies to 
reach vulnerable softer targets, such as our computer systems and other 
critical infrastructures. The government has a responsibility to work 
with those in the private sector to assess those vulnerabilities and 
defend them. That means making sure our law enforcement agencies have 
the tools they need, but also that the government does not stand in the 
way of smart technical solutions to defend our computer systems.
    Encryption helps prevent cybercrime. That is why, for years, I have 
advocated and sponsored legislation to relax export controls on 
encryption technology and encourage the widespread use of strong 
encryption. The Administration made enormous progress earlier this year 
when it issued new export regulations on encryption. Of course, 
encryption technology cannot be the sole source of protection for our 
critical computer networks and computer-based infrastructure, but we 
need to make sure the government is encouraging--and not restraining--
the use of strong encryption and other technical solutions to 
protecting our computer systems.
    The private sector must assume primary responsibility for 
protecting its computer systems. Targeting cybercrime with up-to-date 
criminal laws and tougher law enforcement is only part of the solution. 
While criminal penalties may deter some computer criminals, these laws 
usually come into play too late, after the crime has been committed and 
the injury inflicted. We should keep in mind the adage that the best 
defense is a good offense. Americans and American firms must be 
encouraged to take preventive measures to protect their computer 
information and systems. Just recently, Internet providers and 
companies such as Yahoo! and Amazon.com Inc., and computer hardware 
companies such as Cisco Systems Inc., proved successful at stemming 
denial-of-service attacks within hours thereby limiting losses.
    Prior legislative efforts were designed to deter cybercrime. 
Congress has responded again and again to help our law enforcement 
agencies keep up with the challenges of new crimes being executed over 
computer networks. In 1984, we passed the Computer Fraud and Abuse Act, 
and its amendments, to criminalize conduct when carried out by means of 
unauthorized access to a computer. In 1986, we passed the Electronic 
Communications Privacy Act (ECPA), which I was proud to sponsor, to 
criminalize tampering with electronic mail systems and remote data 
processing systems and to protect the privacy of computer users. In 
1994, the Violent Crime Control and Law Enforcement Act included the 
Computer Abuse Amendments which I authored to make illegal the 
intentional transmission of computer viruses.
    In the 104th Congress, Senators Kyl, Grassley and I worked together 
to enact the National Information Infrastructure Protection Act to 
increase protection under federal criminal law for both government and 
private computers, and to address an emerging problem of computer-age 
blackmail in which a criminal threatens to harm or shut down a computer 
system unless their extortion demands are met.
    In this Congress, I have introduced a bill with Senator DeWine, the 
Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant 
program within the U.S. Department of Justice for states to tap for 
improved education, training, enforcement and prosecution of computer 
crimes. All 50 states have now enacted tough computer crime control 
laws. These state laws establish a firm groundwork for electronic 
commerce and Internet security. Unfortunately, too many state and local 
law enforcement agencies are struggling to afford the high cost of 
training and equipment necessary for effective enforcement of their 
state computer crime statutes. Our legislation, the Computer Crime 
Enforcement Act, would help state and local law enforcement join the 
fight to combat the worsening threats we face from computer crime.
    Computer crime is a problem in Vermont. I recently released a 
survey on computer crime in Vermont, my home state. My office surveyed 
54 law enforcement agencies in Vermont--43 police departments and 11 
State's attorney offices--on their experience investigating and 
prosecuting computer crimes. The survey found that more than half of 
these Vermont law enforcement agencies encounter crime, with many 
police departments and state's attorney offices handling 2 to 5 
computer crimes per month.
    Despite this documented need, far too many law enforcement agencies 
in Vermont cannot afford the cost of policing against computer crimes. 
Indeed, my survey found that 98% of the responding Vermont law 
enforcement agencies do not have funds dedicated for use in computer 
crime enforcement.
    My survey also found that few law enforcement officers in Vermont 
are properly trained in investigating computer crimes and analyzing 
cyber-evidence. According to my survey, 83% of responding law 
enforcement agencies in Vermont do not employ officers properly trained 
in computer crime investigative techniques. Moreover, my survey found 
that 52% of the law enforcement agencies that handle one or more 
computer crimes per month cited their lack of training as a problem 
encountered during investigations. Proper training is critical to 
ensuring success in the fight against computer crime, and the Leahy-
DeWine Computer Crime Enforcement Act would help.
    Our computer crime laws need to be kept up-to-date as an important 
backstop and deterrent. That is why, on April 13, 2000, I introduced 
legislation, S. 2430, The Internet Security Act, to help law 
enforcement investigate and prosecute those who jeopardize the 
integrity of our computer systems and the Internet, while enhancing 
protection of online privacy. The Internet Security Act would make it 
more efficient for law enforcement to use tools that are already 
available--such as pen registers and trap and trace devices--to track 
down computer criminals expeditiously. It would ensure that law 
enforcement can investigate and prosecute hacker attacks even when 
perpetrators use foreign-based computers to facilitate their crimes. It 
would allow criminal forfeiture of replicator devices used in the 
counterfeiting of computer software. It would close a current loophole 
in our wiretap laws that prevents a law enforcement officer from 
monitoring an innocent-host computer with the consent of the computer's 
owner and without a wiretap order to track down the source of denial-
of-service attacks. Finally, this legislation will assist state and 
local police departments in their parallel efforts to combat 
cybercrime, in recognition of the fact that this fight is not just at 
the federal level.
    The key provisions of the Internet Security Act are:
     Jurisdictional and Definitional Changes to the Computer 
Fraud and Abuse Act: The Computer Fraud and Abuse Act, 18 U.S.C. 
Sec. 1030, is the primary federal criminal statute prohibiting computer 
frauds and hacking. This bill would amend the statute to clarify the 
appropriate scope of federal jurisdiction.
    First, the bill adds a broad definition of ``loss'' to the 
definitions section. Calculation of loss is important both in 
determining whether the $5,000 jurisdictional hurdle in the statute is 
met, and, at sentencing, in calculating the appropriate guideline range 
and restitution amount.
    Second, the bill amends the definition of ``protected computer,'' 
to expressly include qualified computers even when they are physically 
located outside of the United States. This clarification will preserve 
the ability of the United States to assist in international hacking 
cases. A ``Sense of Congress'' provision specifies that federal 
jurisdiction is justified by the ``interconnected and interdependent 
nature of computers used in interstate or foreign commerce.''
    Finally, the bill expands the jurisdiction of the United States 
Secret Service to encompass investigations of all violations of 18 
U.S.C. Sec. 1030. Prior to the 1996 amendments to the Computer Fraud 
and Abuse Act, the Secret Service was authorized to investigate any and 
all violations of section 1030, pursuant to an agreement between the 
Secretary of Treasury and the Attorney General. The 1996 amendments, 
however, concentrated Secret Service jurisdiction on certain specified 
subsections of section 1030. The current amendment would return full 
jurisdiction to the Secret Service and would allow the Justice and 
Treasury Departments to decide on the appropriate work-sharing balance 
between the two.
     Elimination of Mandatory Minimum Sentence for Certain 
Violations of Computer Fraud and Abuse Act: Currently, a directive to 
the Sentencing Commission requires that all violations, including 
misdemeanor violations, of certain provisions of the Computer Fraud and 
Abuse Act be punished with a term of imprisonment of at least six 
months. The bill would change this directive to the Sentencing 
Commission so that no such mandatory minimum would be required.
     Additional Criminal Forfeiture Provisions: The bill adds a 
criminal forfeiture provision to the Computer Fraud and Abuse Act, 
requiring forfeiture of physical property used in or to facilitate the 
offense as well as property derived from proceeds of the offense. It 
also supplements the current forfeiture provision in 18 U.S.C. 
Sec. 2318, which prohibits trafficking in, among other things, 
counterfeit computer program documentation and packaging, to require 
the forfeiture of replicators and other devices used in the production 
of such counterfeit items.
     Pen Registers and Trap and Trace Devices: The bill makes 
it easier for law enforcement to use these investigative techniques in 
the area of cybercrime, and institutes corresponding privacy 
protections. On the law enforcement side, the bill gives nationwide 
effect to pen register and trap and trace orders obtained by Government 
attorneys, thus obviating the need to obtain identical orders in 
multiple federal jurisdictions. It also clarifies that such devices can 
be used on all electronic communication lines, not just telephone 
lines. On the privacy side, the bill provides for greater judicial 
review of applications for pen registers and trap and trace devices and 
institutes a minimization requirement for the use of such devices. The 
bill also amends the reporting requirements for applications for such 
devices by specifying the information to be reported.
     Denial of Service Investigations: Currently, a person 
whose computer is accessed by a hacker as a means for the hacker to 
reach a third computer cannot simply consent to law enforcement 
monitoring of his computer. Instead, because this person is not 
technically a party to the communication, law enforcement needs wiretap 
authorization under Title III to conduct such monitoring. The bill will 
close this loophole by explicitly permitting such monitoring without a 
wiretap if prior consent is obtained from the person whose computer is 
being hacked through and used to send ``harmful interference to a 
lawfully operating computer system.''
     State and Local Computer Crime Enforcement: The bill 
directs the Office of Federal Programs to make grants to assist State 
and local law enforcement in the investigation and prosecution of 
computer crime.
    S. 2448, the Hatch-Schumer ``Internet Integrity and Critical 
Infrastructure Protection Act'', is scheduled for mark-up at the 
Committee's next business meeting. This bill addresses a number of 
important and complex issues, and I am glad the Chairman decided to 
hold a hearing before the Committee is asked to vote on it. While I 
support some of the provisions in the legislation offered by Senators 
Hatch and Schumer--Indeed, some are virtually identical to sections in 
my Internet Security Act and in my E-Rights bill--others should give us 
pause.
    For example, section 109 of the Hatch-Schumer bill incorporates 
provisions from the Leahy-DeWine Computer Crime Enforcement Act, S. 
1314, and I certainly support that. I also support sections 301(a) and 
303, since they reflect pen register and wiretap reporting requirements 
that were in the Leahy-Hatch wiretap reporting bill, S. 1769, which was 
enacted on May 2, 2000 (P.L. 106-197). I support other sections as 
well, such as sections 103 (regarding the authority of the U.S. Secret 
Service) and 107 (regarding forfeiture of replication devices used to 
counterfeit computer software), which are also part of my Internet 
Security Act. Finally, I support section 302 of S. 2448, which 
generally mirrors provisions to provide privacy protection to 
subscribers of satellite TV services that I proposed over a year ago in 
my E-RIGHTS bill, S. 854. Despite my support for those provisions, let 
me explain my concerns with other parts of S. 2448.
    S. 2448 Would Over-Federalize Minor Computer Abuses: Currently, 
federal jurisdiction exists for a variety of computer crimes if, and 
only if, such criminal offenses result in at least $5,000 of aggregate 
damage or cause another specified injury, such as the impairment of 
medical treatment, physical injury to a person or a threat to public 
safety. The Hatch/Schumer bill would criminalize a variety of minor 
computer abuses, regardless of whether any significant harm results. In 
addition, for certain computer offenses, the maximum punishment has 
been doubled.
    Specifically, the bill would amend 1030(a)(5)(A) (sending 
transmissions intending to cause damage), and 1030(a)(5)(B) 
(intentionally accessing computer and recklessly causing damage) 
provisions to eliminate the now-existing jurisdictional triggers and to 
criminalize as 3-year federal felonies all such offenses, whether or 
not they cause $5,000 loss or other specified injury. In addition, the 
bill would amend 1030(a)(5)(C) (intentionally accessing computer and 
causing damage) to eliminate now-existing jurisdictional triggers to 
criminalize as misdemeanors all such offenses, whether or not they 
cause $5,000 loss or other specified injury. These minor incidents were 
not previously punishable under federal law.
    These provisions are overkill. Our federal laws do not need to 
reach each and every minor, inadvertent and harmless hacking offense--
after all, each of the 50 states has its own computer crime laws. 
Rather, our federal laws need to reach those offenses for which federal 
jurisdiction is appropriate. This can be accomplished, as I have done 
in the Internet Security Act by simply adding an appropriate definition 
of ``loss'' to the statute.
    Prior Congresses have declined to over-federalize computer offenses 
and sensibly determined that all computer abuses warrant federal 
criminal sanctions. When the computer crime law was first enacted in 
1984, the House Judiciary Committee reporting the bill stated: ``the 
Federal jurisdictional threshold is that there must be $5,000 worth of 
benefit to the defendant or loss to another in order to concentrate 
Federal resources on the more substantial computer offenses that affect 
interstate or foreign commerce.'' (H. Rep., 98-894, at p. 22, July 24, 
1984).
    Similarly, the Senate Judiciary Committee under the chairmanship of 
Senator Thurmond, rejected suggestions in 1986 that ``the Congress 
should enact as sweeping a Federal statute as possible so that no 
computer crime is potentially uncovered.'' (S. Rep. 99-432, at p. 4, 
September 3, 1986).
    For example, if an overly-curious college sophomore checks a 
professor's unattended computer to see what grade he is going to get 
and accidentally deletes a file or a message, current Federal law does 
not make that conduct a crime. That conduct may be cause for discipline 
at the college, but not for the FBI to swoop in and investigate. Yet, 
under S. 2448, this unauthorized access to the professor's computer 
would constitute a felony violation of 1030(a)(5)(B), punishable by up 
to 3 year's imprisonment, with mandatory minimum of at least 6 months 
in jail under U.S.S.G. Sec. 2B1.3, or a misdemeanor violation of 
1030(a)(5)(C).
    Let us look at another example of a teenage hacker, who plays a 
trick on a friend by modifying the friend's vanity Web page. Under 
current law, no federal crime has occurred. Yet, under S. 2448, this 
conduct could constitute a felony violation of 1030(a)(5)(B), 
punishable by up to 3 years' imprisonment, with mandatory 6-month jail 
term under U.S.S.G. Sec. 2B1.3, or a misdemeanor violation of 
1030(a)(5)(C). If the damage to the Web page resulted in more than 
$5,000 in damage, then the conduct would be punishable by up to 10 
years' imprisonment.
    Another part of S. 2448 would authorize the Attorney General to 
provide computer crime evidence to foreign law enforcement authorities 
under the provisions of a computer crime Mutual Legal Assistant Treaty 
(``MLAT'') and ``without regard to whether the conduct investigated 
violates any Federal computer crime law.'' This title appears to expand 
the Justice Department's investigate authority broadly to investigate 
lawful conduct in the U.S. at the request of foreign governments. 
Moreover, this title may be construed to force the Justice Department 
to negotiate MLATs narrowly limited to computer crimes, rather than 
addressing criminal activity generally, and consequently may require 
more, not less, work for the Department to obtain constructive 
assistance from foreign governments in computer crime cases.
    I expressed these and other concerns before the Chairman introduced 
this bill, and would be happy to discuss ways in which we can work 
together on these important issues.
    Legislation must be balanced to protect our privacy and other 
constitutional rights. This hearing has two subjects--both Internet 
security and privacy. This is appropriate since secure systems that 
keep out unauthorized snoops are integral to maintaining the privacy of 
our electronic mail messages and the information we store on our PC's 
hard drive or on a remote server. I am a strong proponent of the 
Internet and a defender of our constitutional rights to speak freely 
and to keep private our confidential affairs from either private sector 
snoops or unreasonable government searchers. We must make sure that our 
legislative efforts are precisely targeted on stopping destructive acts 
and that we avoid scatter shot proposals that would threaten, rather 
than foster, electronic commerce and sacrifice, rather than promote, 
our constitutional rights.
    Process is important. Technology has ushered in a new age filled 
with unlimited potential for commerce and communications. But the 
Internet age has also ushered in a new challenges for federal, state, 
and local law enforcement officials. Congress, the Administration and 
the private sector need to work together to meet these new challenges 
while preserving the benefits of our new era. We should not be rushing 
forward with legislation without engaging in discussions with the 
Administration and industry to ensure the legislation addresses 
problems constructively without inadvertently creating other problems.

    The Chairman. Well, thank you, Senator Leahy. We look 
forward to working very closely with you. You and I have worked 
on almost every intellectual property bill that has come 
through the Congress. And we can't do it without you, so we 
just appreciate any suggestions you have.
    We have already heard from Mr. Vatis. We are going to turn 
to Mr. Robinson. We are certainly happy to have you with us 
here today, and also you, Ms. Stansell-Gamm.

                 STATEMENT OF JAMES K. ROBINSON

    Mr. Robinson. Thank you, Mr. Chairman, Senator Leahy, 
Senator Schumer. I want to thank you for this opportunity to 
testify on the topic of cyber crime and S. 2448, the Internet 
Integrity and Critical Infrastructure Act, sponsored by the 
chairman and Senator Schumer.
    The issue, as you have all indicated in your statements, 
before the committee today is one of singular importance in our 
technologically advancing world. I want to thank you 
personally, Mr. Chairman, and Senator Leahy, for your 
leadership and your help to law enforcement not only on this 
issue, but on many matters dealing with public safety over the 
years.
    Chairman Hatch, we have been pleased to work with you on a 
number of initiatives to help law enforcement, and we sincerely 
appreciate your efforts to address the current challenges we 
face in cyberspace by introducing S. 2448, along with Senator 
Schumer, and for holding this hearing today.
    Senator Leahy has also been a pivotal person, as we know, 
in the development of many of the most prominent statutes 
utilized today against online criminals, such as the Electronic 
Communications Privacy Act and the Computer Fraud and Abuse 
Act. And your efforts, Senator Leahy, to protect the online 
public have continued recently, as you have indicated, with the 
introduction of S. 2430, the Internet Security Act of 2000.
    The Department appreciates the continued dedication of this 
committee and the leadership of this committee on these very 
important issues, and it is our sincere hope that we will be 
able to work together in the remaining days of this Congress to 
help ensure the safety of all Americans who use the Internet.
    As was noted by the chairman, over the past decade the use 
of computers and the Internet has grown exponentially, and 
individuals have increasingly come to depend on the use of this 
very important technological tool in their daily lives. The 
Internet has resulted in new and exciting ways for people to 
communicate, to transfer information, engage in commerce, and 
expand their educational opportunities.
    Yet, as has been noted, as people have increasingly used 
computers for lawful purposes, so too have criminals 
increasingly exploited computers to commit crimes and to harm 
the safety, security, and privacy of all American citizens in 
many instances.
    Just in the past few months, for example, legitimate e-
commerce has been the target of malicious computer hackers in 
the form of denial of service attacks that have been mentioned. 
These unlawful attacks involve the intrusion into an unknown 
number of computers which are used to use launch attacks on 
target computers. In these cases, the number of victims can be 
substantial, as can the collective costs and loss and the cost 
to respond to these attacks.
    These fast-moving viruses that we have seen recently are 
also a matter of major concern. As Mr. Vatis indicates, while 
these denial of service attacks and the recent viruses have 
received a great deal of attention and are certainly a cause of 
concern by all of us, they are but one facet of the criminal 
activity that occurs online today.
    Criminals use computers to send child pornography to each 
other using anonymous encrypted communications. Hackers 
illegally break into financial computers and steal sensitive 
personal information of private consumers, such as names, 
addresses, Social Security numbers, and credit card 
information. Criminals use the Internet's inexpensive and easy 
means of communication to commit large-scale frauds on victims 
all over the globe.
    Simply put, criminals are exploiting the Internet and 
victimizing people worldwide every day.
    The growing threat of illicit conduct online was made clear 
in the findings and conclusions recently released in the report 
of the President's Working Group on Unlawful Conduct on the 
Internet which I have a copy of here, entitled ``The Electronic 
Frontier: The Challenge of Unlawful Conduct Involving the Use 
of the Internet.'' The report highlights in detail the 
significant challenges facing law enforcement in cyberspace. I 
would encourage any interested persons to consult the Computer 
Crime and Intellectual Property Section's Web site for this 
information, as well as other information. It is 
www.cybercrime.gov.
    The migration of criminal activity to cyberspace has 
accelerated and continues to accelerate with each passing day, 
and the threat to public safety is becoming increasingly 
significant. As a consequence, the work of this committee in 
this important area is essential to the protection of all 
Americans.
    It is fair to say, as this committee has recognized, that 
the laws defining computer offenses and the legal tools needed 
to investigate criminals using the Internet have lagged behind 
the technological and social changes which have occurred so 
rapidly, leaving many of these tools and law out of date and in 
some instances ineffective. In short, law enforcement today 
does not have the tools needed to fully protect the Internet-
using public from online criminal activity. It is not a 
coincidence that this is the fourth time since February of this 
year that the Department of Justice has provided testimony on 
this issue to Congress.
    The safety of the Internet-using public is and will remain 
a priority for the Justice Department. I would note, for 
example, that earlier this year the Attorney General and the 
FBI Director participated in the creation of the Internet Fraud 
Complaint Center, which gives consumers the ability to go 
online and file complaints with the Center. This is but one 
aspect of the approach taken by the FBI and the Department to 
making cyberspace a safe place for everyone.
    Because of the gravity of this issue and the need to 
respond quickly, I am pleased to offer our preliminary views in 
my testimony that has been filed with the committee on S. 2448, 
and I want to say at the outset that the proposed legislation, 
I think, appropriately focuses on several very important public 
safety goals. I will just mention this briefly, in the interest 
of time.
    First, I think the legislation improves the ability of 
Federal investigators and prosecutors to bring online criminals 
to justice by removing the $5,000 damage threshold for Federal 
jurisdiction. The Department has encountered difficulties in 
this area of getting over this threshold, and we think it is 
particularly important to address that and we commend the 
committee and the sponsors for doing that.
    Second, I think the bill greatly enhances the deterrent 
effect of the Computer Fraud and Abuse Act, the primary statute 
used to prosecute computer hackers, by raising the maximum 
penalties for various categories of violations, such as those 
that occurred in the recent denial of service attacks which 
have been discussed earlier. Given the scope and severity of 
the damage to protected computers that have occurred recently, 
the current five-year maximum, we think, does not adequately 
take into account the seriousness of these crimes.
    The statute also provides for increased punishment for 
computer criminals that use minors to help in the commission of 
crime. And the Department shares your concern about adults 
exploiting children to aid in the furtherance of their own 
criminal activities, and this deserves special condemnation. We 
are concerned, however, that the provision may be only 
applicable to adults who use juveniles and not to--we are 
concerned about having that provision apply to juvenile co-
conspirators, something I am sure the committee will look at 
carefully.
    We think that the efforts to address greater deterrence to 
would-be juvenile hackers is an appropriate consideration, 
something that we think is fully worthy of being addressed. And 
to address this important problem, the bill provides that 
juvenile adjudications for the Computer Fraud and Abuse Act 
count as prior convictions as other similar provisions. We 
support your efforts to address these issues and to assist law 
enforcement in combatting crime effectively and promoting 
public safety online.
    In the interest of time, I would just mention two other 
quick matters of interest to us. I think one is that the 
Department believes it is critical to modernize the outdated 
trap and trace and pen register statutes to eliminate 
unworkable and technologically specific terminology, and to 
provide courts with the ability to issue orders that under the 
statute have a nationwide effect. It is a major deterrent in 
this fast-moving area where you have to track these 
communications to have go to through so many chains, and I 
think that is a very important development. Indeed, S. 2092, 
introduced by Senators Schumer and Kyl, addresses these issues 
and we think that is an important development.
    Another thing I want to mention briefly is the Department 
continues to be concerned about technology-specific legislation 
and statutes. Things are moving so quickly in this world that 
our concern is that the proposed section 302 of S. 2448 
regarding satellite television services would, as introduced, 
create many of the same problems we have seen in other 
instances when technology-specific legislation is adopted.
    At present, existing statutes that are written in 
technology-specific terms have resulted, we think, in 
unintended conflict with other Federal laws, such as ECPA. This 
has led to litigation that has slowed down unnecessarily, we 
think, criminal investigations. We believe that ECPA does apply 
to all communication providers without regard to specific 
technology used to provide the services. And for these reasons, 
we would recommend that section 302 be removed.
    Obviously, we have focused on some of the more significant 
matters in our filed testimony, not intended to be all-
inclusive. The Department has provided our full written 
statement. We look forward to working with the committee in 
these and other efforts to address this very important problem, 
and we are happy to answer your questions.
    I am particularly happy to be here with Marty Stansell-
Gamm, the Chief of our Computer Crimes and Intellectual 
Property Section in the Criminal Division. This is an 
outstanding group of prosecutors who are working at the cutting 
edge, with your help and providing them the tools to do so. And 
I think the country can be proud of the efforts of these very 
able prosecutors and the people we have in all the U.S. 
Attorneys' offices around the country working to assist all of 
us in dealing with this important problem.
    So I thank you very much for your interest and look forward 
to trying to provide answers to your questions.
    [The prepared statement of Mr. Robinson follows:]

                Prepared Statement of James K. Robinson

    Mr. Chairman, Senator Leahy and Members of the Committee, I thank 
you for this opportunity to testify on the topic of cybercrime and 
S.2248, The Internet Integrity and Critical Infrastructure Act 
sponsored by Chairman Hatch and Senator Schumer. The issue before this 
Committee today is one of singular importance and I commend the 
Committee for holding this hearing today. I also want to thank you 
personally Mr. Chairman and Senator Leahy for your leadership, not just 
on this issue, but on many matters dealing with public safety over the 
years.
    Chairman Hatch we have been pleased to work with you on a number of 
initiatives to help law enforcement and we sincerely appreciate your 
efforts to address the current challenges facing us in cyberspace by 
introducing S. 2448, along with Senator Schumer, and for holding this 
hearing today. Senator Leahy, you have been a pivotal person in the 
development of many of the most prominent statutes utilized today 
against online criminals, such as the Electronic Communications Privacy 
Act, and the Computer Fraud and Abuse Act. Your efforts to protect the 
online public have continued recently with the introduction of S. 2430, 
The Internet Security Act of 2000. The Department of Justice 
appreciates the continued dedication and leadership of you both to 
these important issues. It is my sincere hope that we will all be able 
to work together in the remaining days of this Congress to help ensure 
the safety of all Americans who use the Internet.
                     the internet and public safety
    Over the last decade, use of computers and the Internet has grown 
exponentially, and individuals have increasingly come to depend on this 
use in their daily lives. The Internet has resulted in new and exciting 
ways for people to communicate, transfer information, engage in 
commerce, and expand their educational opportunities. These are but a 
few of the wonderful benefits of this rapidly changing technology. 
There is no question that the Internet has changed the way we live 
today. Yet, as people have increasingly used computers for lawful 
purposes, so too have criminals increasingly exploited computers to 
commit crimes and to harm the safety, security, and privacy of others.
    In just the past few months for example, legitimate e-commerce has 
been the target of malicious computer hackers in the form of ``denial 
of service attacks.'' These unlawful attacks involve the intrusion into 
an unknown number of computers, which are in turn used to launch 
attacks on several, target computers, such as Yahoo, eBay, CNN and 
ZDNET. In these cases, the number of victims can be substantial, as can 
the collective loss and cost to respond to these attacks. We have also 
seen the emergence of fast-moving viruses that have caused damages to 
computer systems around the world and have disrupted the computer 
systems of consumers, businesses, and governments.
    In April 1999, the Melissa virus was released. Through the 
cooperative efforts of state and federal law enforcement, as well as 
the contributions of antiviral companies and Internet service 
providers, the perpetrator of the virus was found within a few days of 
the virus' dissemination. He pled guilty in December, admitting that 
his actions caused over $80 million in damages.
    A few weeks ago, the ``I Love You'' virus began infecting systems 
around the world. While there is not yet any official assessment of the 
damages caused by this virus, antiviral companies have estimated that 
the damages are in the billions. As with the Melissa virus, law 
enforcement agencies on all levels have been cooperating with the 
private sector to determine who released this virus. The FBI is now 
working closely with the National Bureau of Investigation of the 
Philippines to pursue leads in that country. While I cannot comment 
directly on that investigation, I will say that the FBI and the 
Department of Justice will continue to provide whatever technical, 
investigative, or prosecutorial assistance is needed by the Philippine 
government.
    Frighteningly, the ``I Love You'' virus was followed almost 
immediately by copycat variants. At last count, there were almost 30 of 
these variants that had been identified. They were followed last 
Thursday by the New Love virus, a virus that self-replicated, mutated 
in name and size, and destroyed the computer systems affected by it. 
The FBI, again working with the private sector, is investigating.
    The new crop of viruses are becoming more sophisticated and 
difficult to detect. If we are going to control this epidemic of 
viruses and denial of service attacks, U.S. law enforcement must 
continue to work with the private sector and with law enforcement in 
other countries. As all these cases demonstrate, computer crime is a 
global problem. In this regard, we are making important progress. Last 
week, I returned from a meeting in Paris at which the government and 
industry of the G8 nations, along with representatives of other nations 
and groups, sat down to discuss how we can work together to identify 
the source of criminal behavior on the Internet, as well as tracing 
those responsible for committing crime over the Internet. We are also 
involved in similar efforts with the Council of Europe. Efforts are 
underway, which are nearing completion, to develop a cybercrime 
convention that will create minimum standards for defining crimes 
committed over the computer networks. The convention will also 
establish minimum standards for international cooperation and domestic 
law enforcement powers. The draft convention also would further expand 
the 24/7 point of contact network that was begun by the G8. This 
network of experienced law enforcement officials capable of dealing 
with computer crime has been steadily expanding beyond its original 
eight members, and we are working to further develop the network so 
that we are better prepared to address crimes committed using computer 
networks wherever and whenever they occur.
    Fostering better international understanding and response to 
computer crimes has been a priority for over a decade and we are making 
significant progress. We will continue to build on the successes of the 
past and capitalize on world-wide attention brought about by the ``I 
Love You'' virus to continue working with nations across the globe on 
this vital issue.
    While the denial of service attacks and the recent viruses have 
received a great deal of attention and are cause for concern, they are 
but one facet of the criminal activity that occurs online today. 
Criminals use computers to send child pornography to each other using 
anonymous, encrypted communications; hackers illegally break into 
financial computers and steal sensitive, personal information of 
private consumers, such as name, address, social security number and 
credit card information; criminals use the Internet's inexpensive and 
easy means of communication to commit large-scale fraud on victims all 
over the globe. Simply put, criminals are exploiting the Internet and 
victimizing people, worldwide, everyday.
    It is important to note, Mr. Chairman, that when law enforcement 
successfully investigates, apprehends, and prosecutes a criminal who 
has stolen a citizen's personal information from a computer system, law 
enforcement is undeniably working, not just to apprehend the offender, 
but to protect privacy and deter further privacy violations at the 
hands of criminals. The same is true when law enforcement apprehends a 
hacker who compromised the financial records of a bank customer.
    responding to the challenge of unlawful conduct on the internet
    The growing threat of illicit conduct online was made clear in the 
findings and conclusions reached in the recently released report of the 
President's Working Group on Unlawful Conduct on the Internet, entitled 
``The Electronic Frontier: The Challenge of Unlawful Conduct Involving 
the Use of the Internet.'' This extensive report highlights in detail 
the significant challenges facing law enforcement in cyberspace. As the 
report states, the needs and challenges confronting law enforcement, 
``are neither trivial nor theoretical.'' The Report outlines a three-
pronged approach for responding to unlawful activity on the Internet:
    1. Conduct on the Internet should be treated in the same manner as 
similar conduct offline, in a technology neutral manner.
    2. The needs and challenges of law enforcement posed by the 
Internet--including the need for resources, up-to-date investigative 
tools and enhanced multijurisdictional cooperaton--are significant.
    3. Finally, continued support for private sector leadership in 
developing tools and methods to help Internet users to prevent and 
minimize the risks of unlawful conduct online.
    I would encourage anyone with an interest in this important topic 
to review carefully the report of the Working Group. The report an be 
found on the Internet by visiting the website of the Department of 
Justice's Computer Crime and Intellectual Property Section, located at 
www.cybercrime.gov. That website also contains a great deal of other 
information relating to cybercrime and to the laws protecting 
intellectual property.
    The migration of criminality to cyberspace accelerates with each 
passing day and the threat to public safety is becoming increasingly 
significant. As Deputy Attorney General Eric Holder told a joint 
hearing of House and Senate Judiciary Subcommittees in February, this 
nation's vulnerability to computer crime is astonishingly high and 
threatens not only our financial well-being and our privacy, but also 
this nation's critical infrastructure.
    However, Mr. Chairman, the laws defining computer offenses--and the 
legal tools needed to investigate criminals using the Internet--have 
lagged behind technological and social changes, leaving them out of 
date and, in some instances, ineffective. In short, law enforcement 
today does not have the tools we need to fully protect the Internet-
using public from criminal activity online.
    We must confront this problem on two fronts simultaneously. First, 
we must make certain that the substantive laws defining which conduct 
is criminal, such as the Computer Fraud and Abuse Act (Title 18 section 
1030), are adequately refined and updated. Second, we must look 
critically at the tools law enforcement uses to investigate and 
prosecute computer crimes--such as the Electronic Communications 
Privacy Act and the pen register and trap and trace statutes--to ensure 
that they are cast in terms that fully account for the rapid advances 
in technology. Failure to do both will render our efforts meaningless. 
If we have the appropriate substantive laws, but no means to effectuate 
them, we will be stymied in our pursuit of online criminals. 
Conversely, if the conduct in question is not covered by the criminal 
law, the ability to gather evidence is of no value in protecting the 
safety and privacy of people who use the Internet. It is not a 
coincidence, Mr. Chairman, that today marks the fourth time, since 
February of this year, that the Department of Justice has provided 
testimony on this issue to Congress. This issue--the safety of the 
Internet-using public--is and will remain a priority of the Justice 
Department. I would note, for example, that earlier this month the 
Attorney General and the Director of the FBI participated in the 
creation of the Internet Fraud Complaint Center, which gives consumers 
the ability to go online and file complaints with the Center. This is 
but one aspect of the approach we are taking to make cyberspace safe 
for everyone.
                 department of justice views on s. 2448
    At this point, I am pleased to offer the preliminary views of the 
Department of Justice on S. 2448, ``The Internet Integrity and Critical 
Infrastructure Protection Act,'' that is the subject of today's 
hearing.
    At the outset, let me say that the proposed legislation 
appropriately focuses on several very important public safety goals. As 
I mentioned earlier, the ability to fully protect public safety online 
requires that the substantive laws utilized to define criminal activity 
be fine-turned. The proposed legislation, S. 2448, offers a number of 
provisions that address the substantive laws.
A. Refining the substantive law for the Information Age
    First, the legislation addresses the ability of federal 
investigators and prosecutors to bring online criminals to justice by 
removing the $5,000 ``damage'' threshold for federal jurisdiction. The 
Department has encountered numerous instances in which computer 
intruders have gained unauthorized access to computers used in the 
provisions of ``critical infrastructure'' systems and services, which 
include, for example, computers that run 9-1-1 emergency services.
    Yet, in several investigations, proof of damage in excess of 
$5,000--the amount presently required to allow federal investigation 
and prosecution--has not been readily available. Given the risks posed 
by the initial act of gaining unauthorized access to these vital 
computers, federal jurisdiction should not be restricted to those 
instances in which damage of $5,000 or more can be readily 
demonstrated, under the current definition of ``damage''. S. 2448 
acknowledges and solves this problem by making federal jurisdiction 
clearly attach at the outset of an unauthorized intrusion into 
interstate systems, rather than requiring investigators to wait for 
estimates of damage to confer jurisdiction. While the Justice 
Department has some concern about treating the newly covered crimes as 
felonies in every instance, we strongly support this idea, and would 
like to work with Congress to best determine the appropriate 
classification of offenses below the $5,000 damage amount. It is, 
however, vital to our ability to respond to criminal activity that the 
jurisdictional threshold be removed.
    Second, the bill enhances the deterrent effect of the Computer 
Fraud and Abuse Act--the primary statute used to prosecute computer 
hackers--by raising the maximum penalties for various categories of 
violations, such as those that occurred in the recent denial of service 
attacks discussed earlier. At present, the statutory maximum penalty 
for these violations is five years. Given the scope and severity of the 
damage to protected computers that hackers have been doing recently, 
the current five year maximum does not adequately take into account the 
seriousness of their crimes.
    For example, as I mentioned earlier, David Smith recently pled 
guilty to violating Title 18, subsection 1030(a)(5)(A), for releasing 
the ``Melissa'' virus that caused massive damage to thousands of 
computers across the Internet. Although Smith agreed, as part of his 
plea, that his conduct caused over $80,000,000 worth of damage (the 
maximum dollar figure contained in the Sentencing Guidelines), experts 
estimate that the actual amount of damage may have been as much as ten 
times that amount. Depending on the circumstances of the offense, the 
amount of loss and the criminal history of the offender, the Sentencing 
Guidelines may call for a sentence of greater than five years. However, 
such a sentence cannot be imposed at this time. We support the goal of 
raising penalties for violations of the Computer Fraud and Abuse Act 
and will work with the Committee to determine the appropriate increase.
    S. 2448 also provides for increased punishment for computer 
criminals that ``use'' minors to help in the commission of the crime. 
The Department shares your concern that adults that exploit children to 
aid in the furtherance of their own criminal activity deserve special 
condemnation. We might explore whether this provision be applied to all 
of 18 U.S.C. 1030 and not just subsection (a)(5). The Department points 
out, however, that the provision only be applicable to adults who use 
juveniles and not to juvenile co-conspirators, and we look forward to 
working with you to ensure the provision is tailored appropriately.
    Third, S. 2448 takes important steps to provide greater deterrence 
to would-be juvenile hackers. We are increasingly encountering 
juveniles committing crimes and creating risks to the public via the 
Internet. For example, a juvenile was recently charged with the recent 
``denial of service'' attack on CNN. This juvenile, known as 
``Mafiaboy,'' is currently being prosecuted in Canada. We have also 
seen juvenile hackers penetrate numerous sensitive computers, including 
computers run by the Defense Department, even as military operations 
were being planned. In addition, in March of 1998, a juvenile hacker 
interfered with a computer that provided telecommunications of a town 
in central Massachusetts, including the regional airport. This action 
cut off telephone service to the airport's control tower, fire 
department, and security services.
    To address this important problem, the bill provides that juvenile 
adjudications for violations of the Computer Fraud and Abuse Act count 
as prior convictions if such juveniles continue to violate section 1030 
as adults. Thus, any juvenile who is arrested and adjudicated 
delinquent for such a crime would face a stiffer penalty if he or she 
does not reform. The bill also modifies federal law to allow the 
federal government to investigate and prosecute juveniles who commit 
certain serious computer offenses. As S. 2448 recognizes, when an 
individual attacks a federal computer, or when a hacker uses interstate 
communications or the Internet to compromise the health, safety, or 
security of the public, it clearly raises substantial federal interest 
and warrants federal jurisdiction.
    Mr. Chairman, we support your efforts to address these issues and 
assist law enforcement to combat crime effectively and promote public 
safety online. As mentioned earlier, however, revision of the 
substantive law is but one needed part of the response to cybercrime. 
The balance of my testimony, and the views of the Department of Justice 
on S. 2448, will focus on the second prong--making certain that law 
enforcement has the tools necessary to investigate and build cases 
against online criminals.
B. Updating the tools needed to protect public safety online
    Section 301 of the proposed legislation attempts to solve several 
important problems relating to the use of pen registers and trap and 
trace devices in the investigation of computer crime. The Justice 
Department is concerned, however, that as introduced, this section of 
the bill does not address several problems in the existing statute that 
have been caused by changes in telecommunications technology and the 
telecommunications industry. First, the language of the existing law is 
obsolete. The definition of ``pen register,'' for example, refers to a 
``device'' that is ``attached'' to a telephone ``line.'' Telephone 
companies, however, no longer accomplish these functions using physical 
hardware attached to an actual telephone line. Moreover, the existing 
statute refers specifically to telephone ``numbers,'' a concept made 
out of date by the need to trace communications over the Internet that 
use other means to identify users' accounts. The Department strongly 
recommends that these provisions be amended to clarify that pen/trap 
orders apply equally to the tracing of communications in the computer 
network context. Indeed, S.2092, introduced by Senators Schumer and 
Kyl, would amend the statute in these important ways.
    In addition to amending the language of the statute to reflect the 
technological changes that have and will continue to occur, the Justice 
Department also recommends that the statute be amended to ensure that 
federal courts have the authority to order all telecommunications 
carriers providing service in the United States--whether within a 
particular judicial jurisdiction or not--to provide law enforcement 
authorities the information needed to trace both voice and electronic 
communications to their source. The deregulation of the 
telecommunications industry has created unprecedented hurdles in 
tracing multi-provider communications to their ultimate source and 
destination. Many different companies, located in a variety of judicial 
districts, may handle a single communication as it crosses the country. 
Under the existing statute, however, a court can only order the 
installation of a pen/trap device within the jurisdiction of that 
court. As a result, investigators often have to apply for multiple 
court orders in multiple jurisdictions in order to trace a single 
communication, causing a needless waste of resources and delaying and 
impeding important investigations. Given that time is of the essence in 
the vast majority of computer hacking cases, this delay may be fatal to 
the investigation. S. 2092 address this problem as well.
    Section 302 of the proposed legislation regulates the release of 
personally identifiable information by providers of satellite 
television services. Although the protection of the privacy of 
satellite subscribers' information is a laudable goal, the manner in 
which this provision seeks to address this issue creates serious 
concerns. This provision is drafted in ``technology specific'' terms. 
The Justice Department has consistently argued, and does so today, that 
in order to be effective, statutes must remain technology neutral. By 
creating a standard exclusively for one form of technology--in this 
case, satellite television service--the provision restricts the 
activities of certain companies and individuals based on an arbitrary 
criterion. If a company chooses to provide its television programming 
over cable lines or over the Internet, it would not be bound by these 
restrictions.
    The law should not treat companies differently based on the various 
ways in which they provide the identical service. further, the Justice 
Department is concerned about he scope of services--beyond simply 
providing television service--that would be covered by this provision, 
thus compounding the disparate treatment noted above. Given the fact 
that the old distinctions between communications providers and their 
respective services are rapidly falling away--with each industry 
crossing over into other areas and offering multiple communications 
services--technology specific statutes simply become unworkable. We 
believe that ECPA governs all communication providers without regard to 
specific technology used to provide the services.
    Another portion of S. 2448 which raises significant concerns for 
the Department of Justice is Title V, regarding International Computer 
Crime Enforcement. International cooperation in computer crime cases--
as highlighted in recent weeks--is extremely important, and 
strengthening international cooperation mechanisms is a high priority 
for the Department. As I noted earlier, we are making significant 
progress in this area and any new proposals have to be fashioned 
extremely carefully so as not to undermine the valuable avenues of 
cooperation already in place. The Department is concerned that Title V 
would not significantly promote international cooperation on computer 
crime investigations, and it has the potential to damage existing 
agreements and legal authorities. The Department, therefore, opposes 
inclusion of this provision in the bill.
    Before concluding my testimony, let me make some brief remarks on 
two issues that have principally been handled by parts of the 
Administration other than the Department of Justice. Concerning the 
anti-slamming provision in S. 2448, the Administration agrees that the 
use of deceptive identification information in connection with 
unsolicited commercial email raises serious concerns. While the 
Administration has not endorsed any currently proposed approach to this 
problem, we support continued examination of this issue and note that 
comprehensive anti-spamming legislation has been proposed in and is 
being considered by both the House and the Senate at this time.
    Concerning the online collection and dissemination of personally 
identifiable information on Internet, I draw your attention to a 
statement on that subject earlier this week by Secretary of Commerce 
Daley. Secretary Daley expressed the hope that we will continue to see 
improvement in the quantity and quality of online privacy policies. He 
stated that, ``if we do not see such progress, then we may eventually 
need to consider whether legislation would provide companies with the 
right incentives to have good policies and participate in an effective 
self-regulatory program.'' Secretary Daley added that any such 
legislation, if it becomes necessary ``should recognize and provide 
incentives for self-regulation, such as by granting participants in 
effective self-regulatory programs a ``safe harbor'' from regulation. 
Such incentives are not currently included in S. 2448.
                               conclusion
    Mr. Chairman, my testimony today is necessarily focused upon the 
more significant portions of the proposed legislation and is not 
intended to be all inclusive. It is my sincere hope that through this 
and other hearings that have been held, those of us who are concerned 
about public safety and want to see the Internet continue to flourish 
and thrive, can come together and forge responses to the problems that 
I have outlined here today. I again want to commend this Committee for 
its continued leadership on the issues of technology and public safety 
and pledge to you today that the Department of Justice stands ready to 
work with all concerned to make the Internet safe for all Americans.
    If we fail in our responsibility to respond to criminal conduct 
online, we will, in effect render cyberspace a safe haven for 
criminals. If we do not make the Internet safe, people's confidence in 
using the Internet and e-commerce will decline, parents will no longer 
let their children use the Internet for the wonderful learning tool 
that it is, and people worlds apart will no longer use the Internet to 
communicate and the flow of information will slow. By failing to ensure 
the public's safety online, we are effectively endangering the very 
benefits born of the Information Age. The Internet Integrity and 
Critical Infrastructure Protection Act is a positive step in avoiding 
that unfortunate and unnecessary result and we look forward to working 
with the Committee and the Congress on this matter in the weeks ahead.
    Mr. Chairman, that concludes my prepared statement. I would be 
pleased to answer any questions that you may have at this time.

    The Chairman. Well, thank you, Mr. Robinson.
    We have two back-to-back votes. I would like to finish this 
panel, so I am willing to submit my questions.
    The Chairman. Let me turn to the ranking member. Do you 
have anything you want to----
    Senator Leahy. I will submit mine, also, Mr. Chairman.
    [The questions of Senators Hatch and Leahy can be found in 
the appendix.]
    Senator Leahy. I also want to submit for the record an 
article from the Washington Post today about security lapses at 
airports, the Pentagon, and the FBI. It is not just cyberspace 
that is the problem. We saw it happen at the FBI where people 
saying that they were law enforcement and had briefcases with 
weapons in them just got waved through. Of course, they were 
not law enforcement. It was just a test of security.
    I would put that in the record.
    [The article referred to follows:]
    [GRAPHIC] [TIFF OMITTED] T3464A.001
    
    [GRAPHIC] [TIFF OMITTED] T3464A.002
    
    Mr. Robinson. I might just say that I was surprised to see 
that, since I have so much difficulty getting into the FBI 
building to meet with senior FBI officials, as anybody who has 
tried to do that has.
    Senator Leahy. I find the same thing. I find that sometimes 
both at the State Department and elsewhere on matters when I am 
handling oversight on major issues for them and their requests 
come down and I just can't get anywhere. I should just tell 
them I am carrying my .44 magnum and I am the deputy sheriff of 
Chittenden County, VT, and I will get waved right in. If I say 
I am a U.S. Senator, it is a lot more difficult.
    The Chairman. We have a lot of questions that range from 
what is the Department doing to ensure the privacy rights of 
online users so that they are not compromised during the effort 
to patrol and investigate online criminal activity, to the 
viruses that we have, and isn't our greater threat hostile 
foreign nations or international or domestic terrorists. How do 
we combat all of that? We were going to go into PDD-63 and all 
the issues involved there. So we will submit these because I 
don't want to have to hold you.
    I apologize to the next panel because you are just going to 
have to wait until we can get back. But if you could answer 
these questions in as much detail as you can and also give us 
as succinctly as you can what you think he changes ought to be 
in this bill--naturally, we file these bills and then we want 
criticism; we want to know how we can perfect them and make 
them better.
    This is a real important bill and it should give you the 
tools that law enforcement needs to make sure that we don't 
have processes that really will hurt our people, our country, 
and our allies as we continue through this next century.
    So with that, I think we will just release you and let you 
go, and then we will be back as soon as we can get through that 
second vote and have the second panel. Thanks so much.
    [The committee stood in recess from 10:55 a.m. to 11:35 
a.m.]
    The Chairman. Well, I apologize. I get grabbed six ways 
from Friday every time I get near the floor, so there is 
nothing I can do about that.
    Let me call our second panel of witnesses. Our first 
witness is Bruce Heiman, who is the Executive Director of 
Americans for Computer Privacy, a coalition of companies, 
associations, interest groups, and individuals that focuses on 
issues at the intersection of electronic information, privacy, 
law enforcement, and national security.
    The next witness is Richard Pethia, who is the Director of 
the CERT Centers, which are a part of the Software Engineering 
Institute at Carnegie Mellon University, in Pittsburgh, 
Pennsylvania.
    Our third witness is Jeff Richards, Executive Director of 
the Internet Alliance, located here in Washington D.C.
    Our final witness is James X. Dempsey, Senior Staff Counsel 
with the Center for Democracy and Technology, also located here 
in Washington, DC.
    So I would like to welcome each of you here this morning. 
We look forward to taking your testimony. We will turn to you 
first, Mr. Heiman.
    And we are happy to have Senator Feinstein here as well.

   PANEL CONSISTING OF BRUCE J. HEIMAN, EXECUTIVE DIRECTOR, 
AMERICANS FOR COMPUTER PRIVACY, WASHINGTON, DC; RICHARD PETHIA, 
    DIRECTOR, CERT CENTERS, SOFTWARE ENGINEERING INSTITUTE, 
 CARNEGIE MELLON UNIVERSITY, PITTSBURGH, PA; JEFF B. RICHARDS, 
  EXECUTIVE DIRECTOR, INTERNET ALLIANCE, WASHINGTON, DC; AND 
 JAMES X. DEMPSEY, SENIOR STAFF COUNSEL, CENTER FOR DEMOCRACY 
                 AND TECHNOLOGY, WASHINGTON, DC

                 STATEMENT OF BRUCE J. HEINMAN

    Mr. Heiman. Thank you, Mr. Chairman, Senator Feinstein. 
During the last 2 years, Americans for Computer Privacy, ACP, 
led the private sector effort to encourage the widespread use 
of American encryption products. With strong congressional 
support, including many on this committee, we succeeded in 
persuading the administration to change its policy and relax 
export controls. That is important because greater use of 
encryption will help prevent cyber crime and help protect our 
national security.
    But we all know that more needs to be done to protect our 
critical information infrastructure. ACP takes extremely 
seriously the need for increased cyber security throughout 
those sectors of our economy that are so reliant on information 
systems. We really think there is only one way to get this 
right. ACP strongly believes that a voluntary, cooperative 
partnership between government and industry is the only 
approach that can succeed in protecting critical information 
infrastructure.
    So what should the private sector do? First, companies need 
to keep improving information security, just as they have been 
doing for years. It is the private sector that owns and 
operates the networks, systems, products, and services that 
make up the information infrastructure. It also is the private 
sector that possesses the knowledge and expertise necessary to 
protect it. Unfortunately, there is no single silver bullet for 
the problem of information security. Rather, it is a process of 
continual improvement.
    Second, we all have to practice good security hygiene and 
teach others to do so. We have made some progress. According to 
a recent Pew poll reported in the Washington Post, only about a 
quarter of those who received the Love Bug e-mail and 
attachment actually opened it. That is real improvement. You 
wouldn't let anybody into your house and you shouldn't let just 
anybody into your computer.
    Third, industry does need to share information among itself 
and with the Government about threats and vulnerabilities, as 
well as best practices. In this regard, ACP has met with 
representatives of the National Security Council, the FBI, and 
the Department of Commerce. Furthermore, several of ACP's 
members will be serving on the President's National 
Infrastructure Assurance Council, a CEO-level group that is 
being formed to advise the President and Cabinet. Many of ACP's 
members are also active participants in the Partnership for 
Critical Infrastructure Security, a cross-sector, cross-
industry effort led out of the Department of Commerce.
    Of course, the Government also has an essential role to 
play. There are five things the Government should do. First, it 
is important for the Government to share information quickly 
with the private sector. This includes alerts of particular 
threats.
    Second, the Government must lead by example. The Government 
needs to do a better job of protecting its own computer 
systems.
    Third, the Government needs to increase training of law 
enforcement personnel, including those at the State and local 
levels. ACP strongly supports funding for this purpose.
    Fourth, the Government needs to strengthen its 
technological capabilities. ACP supports funding so that law 
enforcement has the same state-of-the-art hardware and software 
possessed by criminal hackers.
    Fifth, we support the idea of new cyber security 
scholarships and the creation of a new cyber corps of those 
with specialized education in cyber security.
    I want to conclude with an important point. ACP strongly 
believes that the Government must proceed cautiously and should 
not rush to pass new legislation. There is little doubt that 
true cyber crime today is already illegal under our existing 
laws and can be prosecuted. Moreover, the private sector will 
continue to cooperate with and assist law enforcement in 
investigating and prosecuting cyber criminals, just as it has 
done in the past.
    We are concerned about the possibility of overreaction to 
recent denial of service attacks and Internet viruses. It is 
essential that the Government not use legitimate threats to 
computer security as a justification for assuming new powers of 
regulation or imposing new burdens on industry. New Government 
controls, technology mandates, or federally imposed standards 
will not lead to better cyber security. Instead, they would 
stifle innovation and harm the very infrastructure that needs 
protection.
    The Government also should not use legitimate threats to 
computer security as a justification for threatening privacy 
rights. The Government must not increase widespread monitoring 
of Americans, as we proposed in the original FIDNET plan. We 
fully support giving law enforcement the requisite resources 
and training to investigate and prosecute cyber crime. But just 
because we know someone will commit cyber crime, it is not 
appropriate to closely watch what everyone is doing.
    Chairman Hatch, you and other members of the committee have 
introduced legislation addressing different aspects of cyber 
crime and critical information infrastructure protection. As we 
explained, there are some positive steps that could be taken, 
but there is no need to rush forward with legislation. Hearings 
such as these are essential to examine these complex issues. 
Indeed, ACP has questions and concerns about several aspects of 
this bill.
    For example, we support the funding, as Mr. Vatis asked 
for, in terms of the FBI and Justice and training personnel 
with technological capabilities. But we have serious concerns 
about some of the bill's direction and the duties that are 
given to the FBI. They are quite expansive and include setting 
standards as well, which we do not think is appropriate.
    I would be pleased to answer any further detailed 
questions.
    [The prepared statement of Mr. Heiman follows:]

                 Prepared Statement of Bruce J. Heiman

                      i. introduction and summary
    My name is Bruce Heiman, and I am Executive Director of Americans 
for Computer Privacy (ACP). ACP is a broad-based coalition that brings 
together more than 100 companies and 40 associations representing high-
tech, telecommunications, manufacturing, financial services and 
transportation, as well as law enforcement, civil-liberties, pro-
family, taxpayer groups, and over 6000 individuals. Our members created 
ACP to focus on issues at the intersection of electronic information 
and communications, privacy rights, law enforcement, and national 
security. A list of our membership is attached to my testimony.
    Encryption is an essential component of information security. ACP 
supports policies that advance the rights of American citizens to 
encode information without fear of government intrusion, and advocates 
the lifting of export restrictions on U.S.-made encryption products. 
The Administration's January 14th policy announcement represents a 
substantive improvement over the prior encryption export policy and a 
significant movement toward leveling the playing field between U.S. and 
foreign manufacturers of encryption products. ACP wishes to express its 
gratitude to the Congress and the Administration for its far-sighted 
support for liberalization of U.S. encryption export policy.
    But more needs to be done. Protecting the critical information 
infrastructure is essential for U.S. national security, American 
economic welfare, and our fundamental freedoms.
    ACP strongly believes that a voluntary cooperative partnership 
between government and industry is the only approach that can succeed 
in protecting critical information infrastructure. ACP supports 
policies that promote industry-led, market driven solutions to Critical 
Information Infrastructure Protection and opposes government efforts to 
impose mandates or design standards. ACP supports giving government the 
resources necessary to protect its own computer systems, to recruit and 
train computer security and law enforcement personnel, and to 
strengthen the government's technological capabilities to investigate 
and prosecute cyber crime. But ACP opposes government proposals to 
increase widespread monitoring or surveillance.
    Importantly, ACP believes that the government must proceed 
cautiously and should not rush to pass new legislation. We are 
concerned about the possibility of overreaction to recent denial of 
service attacks and Internet viruses. Such an overreaction could 
generate new laws or regulations which would stifle innovation, harm 
the very infrastructure that needs protection, and threaten the privacy 
rights of Americans at work and at home. (ACP has formulated five 
principles that should structure the current debate concerning Critical 
Information Infrastructure Protection, which are also attached to my 
testimony.)
    ii. encryption is an essential component of information security
    Encryption is the essential technological ingredient that can 
ensure the confidentiality, privacy, and authenticity of information. 
Encryption helps prevent cyber crime and promotes our national 
security. During the last two years, ACP led the private-sector's 
effort to permit the widespread use of strong American encryption 
products in order to protect privacy, promote national security, and 
prevent crime. With strong Congressional support, we succeeded in 
persuading the Administration to relax export controls on encryption 
products.
    We commend the Administration on its change in encryption export 
policy. However, the Administration still requires both licensing and a 
classification and technical review process for encryption exports. 
Furthermore, the Administration lacks sufficient resources to meet the 
nearly 200% increase in classification requests for encryption exports. 
Despite the new regulations, a lack of government resources results in 
delayed processing of applications and creates a de facto competitive 
disadvantage for U.S. companies vis-a-vis their foreign competitors.
    Companies of the European Union (EU) will enjoy a further advantage 
over American companies in world markets due to the EU's recently 
announced liberalization of its encryption export control policy. The 
EU essentially created a license-free zone for EU members and another 
ten countries. In contrast, the United States still requires U.S. 
companies to apply for licenses to export encryption to foreign 
countries, except Canada.
    On May 15th ACP filed comments urging the Administration to respond 
to the recent EU encryption export policy. ACP urged the Administration 
to extend Canada-type treatment to encryption exports to the EU 
countries and the other countries covered by the EU's new rules. We 
look forward to working with the Administration to prevent U.S. 
encryption exporters from being disadvantaged by the EU's new policy.
    ACP also continues to oppose any efforts by foreign governments to 
erect import barriers to American products or to impose domestic 
controls on the use of encryption. We appreciate the Administration's 
actions, again with strong Congressional support, in opposition to 
proposed controls in China and France. Overall, we anticipate the 
widespread use of encryption in the years ahead.
 iii. but more needs to be done to protect our critical infrastructure
    Technology has made many of our Nation's essential services 
enormously more robust and reliable. Our information infrastructure has 
sparked the dramatic increases in productivity underlying the 
phenomenal economic success story of the 1990's yet the same 
``interconnectedness'' that allows us to increase efficiency and 
productivity and opens new frontiers of commerce also gives rise to 
increased vulnerability. All members of ACP are affected by this new 
vulnerability.
    As a result, ACP takes extremely seriously the need for increased 
cyber-security throughout those sectors of our economy--such as 
utilities, banking, communications, transportation, healthcare, and e-
commerce--that today are so reliant on information systems. The U.S. 
government, including our national defense establishment, also relies 
heavily on private-sector networks, products, and services.
    The denial of service attacks earlier this year, and most recently 
the Melissa and Love Bug viruses and their progeny, remind us of the 
need to secure the information systems on which so many sectors of our 
economy rely.
    ACP's members are working hard to improve computer security and to 
make the Internet a safe and reliable environment for business and 
personal use, while preserving the dynamic growth and rapid pace 
innovation that have made the Internet such an amazing phenomenon.
iv. a voluntary cooperative partnership between government and industry 
                 is the only approach that can succeed
    In the United States, it is the private sector that develops, owns, 
operates and maintains the networks, systems, products, and services 
that make up the information infrastructure. It also is the private 
sector that possesses the knowledge and expertise necessary to protect 
it.
    So far, the Administration--in Presidential Decision Directive 63, 
the National Plan for Information Systems Protection, Version 1.0, and 
various other activities--has recognized that it should work 
cooperatively with industry on a voluntary basis to deter, identify, 
and respond to cyber threats and attacks.
    Both the private sector and the government play key roles in 
Critical Information Infrastructure Protection.
What should the private sector be doing?
    First, what information technology companies already have been 
doing for some time: constantly improving protection in their product 
lines and networks. Information and communication sector companies 
accept that improved network and information systems security is 
imperative, and they are willing to do their part.
    Private companies are in the best position to know how to protect 
infrastructures they have developed, owned and operated. But it is 
important to understand that there is no one single ``silver bullet'' 
for the problem of information security--rather, it is a process of 
continual improvement.
    Second, it is incumbent upon all of us to practice good ``security 
hygiene'' and to educate others to do so. For example, many people 
choose a password that is related to something about them and thus make 
it easier to figure out. Also, many people do not change their 
passwords at regular intevals. Others simply choose an English language 
word rather than a random sequence of letters, symbols, and numbers, 
which is far more difficult to crack.
    Perhaps the recent Internet virus attacks have had a positive 
effect: all of the attention on Internet viruses has made computer 
users more wary and less trusting. According to a recent Pew Internet 
and American Life Project poll reported in the Washington Post, only 
about 25% of users who received the Love Bug email attachment actually 
opened it. This is a real improvement. The private sector needs to 
continue to spread the message that, just as you wouldn't let anybody 
into your house, so you shouldn't let just anybody into your computer.
    Third, industry does need to share information among itself and 
with the government about threats and vulnerabilities as well as best 
practices. In this regard, ACP has met with representatives of the 
National Security Council staff, the FBI's National Infrastructure 
Protection Office (NIPC), and the Dept. of Commerce's Critical 
Infrastructure Assurance Office (CIAO), and ACP has been encouraged to 
continue the dialogue. Furthermore, several of ACP's members will be 
serving on the President's National Infrastructure Assurance Council, a 
CEO-level group that is being formed to advise the President and 
Cabinet members. Many of ACP's members are also active participants in 
the Partnership for Critical Infrastructure Security, a cross-sector, 
cross-industry effort supported by Commerce Secretary Daly and John 
Tritak, Director of the Critical Infrastructure Assurance Office 
(CIAO). The Partnership has already met a number of times and 
established several working groups.
    There is an ongoing, serious discussion within industry itself and 
between industry and government about the possible need for legislation 
to facilitate the sharing of information among the private sector and 
between the private sector and government. Such legislation could 
provide enhanced protection for shared information by removing 
disincentives for this dialogue imposed by antitrust laws and FOIA 
requirements and resulting from the apparent ability of third-parties 
to use such disclosed information against those who provide it.
Of course, the government also has an essential role to play as well
    First, it is important for the government to share information with 
the private sector. This includes alert warnings of particular threats. 
We are encouraged in this regard by the approach taken and attitudes 
shown by the FBI's National Infrastructure Protection Center. However, 
we think the government needs to keep improving the time it takes from 
receiving information to issuing an alert.
    Second, it is important the government leads by example and gets 
its own house in order. In this regard, it does appear that the 
government needs to continue improving as well. The Love Bug virus 
affected government computers, and the GAO recently criticized the 
vulnerability of the Executive Branch to the recent virus attacks.
    Third, we strongly support law enforcement's efforts to increase 
training of officers, including at the state and local levels, in the 
detection and prosecution of cyber crime. ACP supports funding to hire 
and train additional government computer security personnel. We also 
will continue to work with law enforcement to educate their people.
    Fourth, we support strengthening the government's technological 
capabilities to investigate and prosecute cyber crime. Law enforcement 
needs to have the same state-of-the-art hardware and software possessed 
by criminal hackers. ACP supports additional appropriations so that law 
enforcement has the tools to counter the threat posed by these hackers. 
We also will continue to work with law enforcement so that government 
can better understand the technology.
    Fifth, we support the idea of new cyber security scholarships and 
the creation of a new ``cyber corps'' of those with specialized 
educations in the prevention, detection, investigation, and prosecution 
of cyber crimes and in the protection of our critical infrastructure. 
Today, there are not enough academic centers offering curricula in 
cyber security. Government and the private sector should join together 
to incubate such schools in order to develop tomorrow's leaders in 
cyber security.
                 v. government must proceed cautiously
    While Critical Information Infrastructure Protection is very 
important to both the private-sector and the government, ACP also 
believes it is important that government not overreact to the recent 
denial-of-service attacks and Internet viruses. Indeed, precipitous 
action can do far more harm than good.
    First, it is important to remember that Internet viruses such as 
the Love Bug are not a new problem and in fact represent a complex, 
variegated problem. To be more specific, according to the Washington 
Post, information technology companies have identified roughly 40,000 
different viruses, including 29 separate versions of the Love Bug. 
Information technology companies constantly upgrade their products and 
support services to provide protection against similar attacks. Indeed, 
only private companies--as opposed to the government--have the 
quickness and agility to stay abreast of the rapidly developing 
technology of cybersecurity.
    Second, information technology companies are responding with 
greater rapidity to such attacks. It is usually only a matter of hours 
before a virus has been detected and analyzed and a software patch 
fixing the problem is posted on the Internet for free download. Thus, 
according to many calculations, the response to the Love Bug virus was 
much quicker than the response to the Melissa virus.
    Third, the public is becoming better educated about ``security 
hygiene.'' The recent Pew Poll reported in the Washington Post is 
encouraging: only one in four recipients of the Love Bug virus actually 
opened the attachments in the face of widespread dissemination about 
the dangers of the virus. We believe that individuals at home and at 
work are beginning to evaluate critically the messages and information 
they receive and to take seriously their security responsibilities--
whether it be changing their passwords, using better encryption, or 
updating their anti-virus software.
    Fourth, there is little doubt that true cyber crime is illegal 
under our existing laws and that such crimes could be prosecuted. 
Moreover, private sector individuals with particular expertise have, 
and will continue to, cooperate with and assist law enforcement in 
investigating and prosecuting cyber criminals. I should note that ACP 
does not think it appropriate or desirable to use the possible absence 
of sufficient laws in other countries to enact new legislation in the 
United States that might infringe on privacy rights.
    Fifth, we strongly believe that new government controls, 
technological mandates, or federally imposed standards will not lead to 
better Critical Information Infrastructure Protection. It is essential 
that the government not use legitimate threats to computer security as 
a justification for assuming new powers of regulation, imposing new 
burdens upon industry, or mandating that the private sector use 
particular technologies or processes. Such commands would backfire by 
stifling innovation, artificially channeling R&D, and harming the very 
infrastructure that needs protection.
    Sixth, government must not violate personal and corporate privacy 
in the quest for Critical Information Infrastructure Protection. Once 
again, the government should not use legitimate threats to computer 
security as a justification for threatening fundamental rights of 
privacy. Indeed, as more of our lives are conducted electronically, it 
is essential that we ensure the security and privacy of information, 
communications, and transactions that dominate our daily lives from 
unjustified and unwarranted government examination. The government must 
not increase widespread surveillance or monitoring of Americans at home 
and work. While we fully support giving law enforcement the requisite 
resources and training to investigate and prosecute cyber crime, it is 
quite another thing to say that, just because some will commit cyber 
crime, it is necessary to watch closely what everyone is doing.
    One example of this danger is the government's original plan for 
FIDNET--the Federal Intrusion and Detection Network. As originally 
conceived, the Administration proposed that the FBI monitor Internet 
traffic generally within this country. We are pleased that, in response 
to widespread Congressional and private sector criticism, the 
Administration has changed FIDNET's mission to be, more appropriately, 
one of monitoring the federal government's own computer networks. This 
is much more in line with what companies do in terms of monitoring 
their own information systems and it is something quite concrete, which 
can improve information security. However, troubling proposals keep 
bubbling up. The Washington Post recently reported on the FBI's plan to 
build a ``casa de web'' data mining computer system for recording and 
analyzing Internet activity.
    Chairman Hatch, you and Senator Leahy and other members of the 
committee have introduced legislation addressing different aspects of 
cyber crime and critical infrastructure protection. As we have 
explained, there are some positive steps that could be taken. But there 
is no need to rush forward with legislation. Indeed, ACP has questions 
and concerns about several aspects of these bills (e.g., the proper 
role of the FBI's NIPC, international cooperation standards, and the 
extension of trap and trace devices and pen registers to electronic 
communications). This area is both legally and technologically complex. 
Hearings such as these are essential. ACP believes that at this point 
much legislation concerning Critical Information Infrastructure 
Protection is in fact premature.
                             vi. conclusion
    Thank you again for this opportunity to testify. ACP believes there 
is much for the private sector and the government to do together, and 
ACP looks forward to working with the government to protect our 
critical infrastructure and thus our economy, national security, and 
fundamental freedoms.
                                 ______
                                 

             Americans for Computer Privacy Membership List

                              associations
    60 Plus Association, American Conservative Union, American 
Electronics Association, American Financial Services Association, 
American Petroleum Institute, American Privacy Protection Association, 
American Small Business Alliance, Americans for Tax Reform, Business 
Software Alliance, Cellular Telecommunications Industry Association, 
Center for Democracy and Technology, Citizens for a Sound Economy, 
Commercial Internet eXchange Association, Computer and Communications 
Industry Association, Computing Technology Industry Association, 
Consumer Electronics Manufacturers Association, Eagle Forum, Electronic 
Commerce Forum, Electronic Industries Association, and FTD Association.
    Information Technology Association of America, Information 
Technology Business Center, Information Technology Industry Council, 
Interactive Services Association, IEEE-USA, Law Enforcement Alliance of 
America, Louisiana Sheriffs' Association, NASDAQ, National Association 
of Manufacturers, National Retail Federation, National Rifle 
Association, National Venture Capital Association, Online Banking 
Association, Securities Industry Association, Small Business Survival 
Committee, Software Publishers Association, Telecommunications Industry 
Association, U.S. Chamber of Commerce, and U.S. Telephone Association.
                               companies
    3Com Corporation, 3K Associates, Incorporated, ACL Datacom, 
Incorporated, Acordia Northwest, Incorporated, Adobe Systems, 
Incorporated, Altopia Corporation, America Online, Incorporated, Asia 
Pacific Marketing, Incorporated, Autodesk, AXENT Technologies, 
Incorporated, BEA Systems, Inc., Bell South, Bokler Software 
Corporation, Bowles Farming Company, Brooks Internet Software, 
Incorporated, Central Predicting Corporation, Centurion Soft, Cipher 
Logics Corp., Circuit City, and Cisco Systems, Incorporated.
    Citrix Systems, Incorporated, Claris Corporation, CommerceNet, 
Compaq Computer Corporation, Computer Associates International 
Incorporated, Consensus Development Corporation, Corel Corporation, 
Countrywide Home Loans, Inc., DAK, DBA Springfield CyberLink, 
deregulation.net, EDS Corporation, Envision, Incorporated, Furukawa 
Information Technologies, Inc., General Instrument Corporation, Genio 
USA, GeoData Solutions, Incorporated, Geoworks, GFI Consulting, and 
Goodyear Tire & Rubber Company.
    Honeywell, Incorporated, I.S. Grupe Incorporated, I/O Software, 
Incorporated, Intel Corporation, Intellectual Protocols, LLC, 
Intellimedia Commerce, Incorporated, Intershop Communications, 
Incorporated, Intersolv, Incorporated, Intuit, Incorporated, Invincible 
Data Systems, Incorporated, Kapenda Corp., Kellogg Technologies, 
Kinesix Corporation, Lehrer Financial and Economic Advisory Svcs., 
Litigation Support Systems, Lotus Development Corporation, Lucent 
Technologies, Mac Sourcery, Mastercard International, Incorporated, and 
McLellan Software Center, Incorporated.
    MeterNet Corporation, Microsoft Corporation, Microtest, 
Incorporated, Mindscape, Incorporated, Napersoft, Incorporated, 
NeoMedia Technologies, Incorporated, Netscape Communications 
Corporation, Network Associates, Network Risk Management Services, 
Nokia, Novell, Incorporated, Now Software, Incorporated, Oracle 
Corporation, Piranha Interactive Publishing, Incorporated, Platinum 
Technology, Incorporated, Portland Software, Incorporated, ProSys, 
Incorporated, Rail Safety Engineering, Incorporated, Raptor Systems, 
Inc., and Raycom Data Technologies, Incorporated.
    ReCor Corporation, Red Creek, Rockwell International, RSA Data 
Security, Incorporated, Santa Cruz Operation, Incorporated, SAS 
Institute, Inc., SBC Telecommunications, Inc., Secure Computing 
Corporation, Shadow Technologies, Silenus Group, Silicon Valley 
Software Industry Coalition, SISCO, Inc., SkillsBank Corporation, Soft 
Machines, Soundcode, Inc., Southern Company, Storage Technology 
Corporation, Sun Microsystems, Incorporated, and Sybase, Incorporated.
    Symantec Corporation, SynData Technologies, SynData Technologies, 
Target Printing & Graphics, Ultimate Privacy Corporation, UUNet 
Technologies, Visa International, Vortex Solutions, Watchguard 
Technologies, Inc., and Wyatt River Software, Incorporated.
                                 ______
                                 

      Americans for Computer Privacy 2000 Statement of Principles

    ACP strongly believes that protecting the global information 
infrastructure (``critical information infrastructure protection'' or 
``CIIP'') is essential for U.S. national security, American economic 
welfare, and our fundamental freedoms. ACP has adopted the following 
five principles:
    1. CIIP is best accomplished through private sector solutions that 
are market driven and industry led. The private sector owns, operates, 
and has developed the networks and services that constitute the 
information infrastructure.
    2. Governments and industry must work cooperatively on a voluntary 
basis towards achieving CIIP. This should include an institutionalized 
and thoughtful dialogue between key government officials and industry.
    3. Government must not mandate the private sector use of particular 
technologies or processes, dictate standards, or increase widespread 
surveillance or monitoring of citizens at home and work under the 
banner of CIIP.
    4. Governments must not violate personal and corporate privacy in 
the quest for CIIP. Such privacy protection is best preserved by 
scrutiny of new governmental CIIP authority.
    5. Barriers to strong CIIP should be removed, including barriers to 
the widespread use of strong encryption. Encryption promotes national 
security, prevents crime, and protects privacy. The U.S. Government 
must fully implement the recent relaxation in U.S. encryption export 
controls and make additional changes as necessary to ensure the ability 
of American companies to lead globally. Governments must not impose 
foreign import barriers or domestic controls.

    The Chairman. Thank you very much.
    Mr. Pethia, we will turn to you.

                  STATEMENT OF RICHARD PETHIA

    Mr. Pethia. Mr. Chairman, Senator Feinstein, thank you for 
the opportunity to testify on security issues. My perspective 
comes from the work that we do at the CERT coordination center, 
established in 1988 by the Defense Advanced Research Projects 
Agency to respond to Internet security emergencies and to help 
prevent future incidents. Since then, we have handled over 
28,000 separate security incidents and analyzed more than 1,500 
vulnerabilities in network-related products. Over 80 incident 
response teams around the world have adopted our incident 
handling practices.
    When a security breach occurs, our staff members help the 
administrators of the affected sites to identify and correct 
the vulnerabilities that allowed the incident to occur. We 
issue advisories to the Internet community warning of serious 
security threats. We are responsible for the day-to-day 
operations of the Federal computer incident response 
capability, an organization operated by the General Services 
Administration that provides direct support for the Federal 
civil agencies. We also handle reports of vulnerabilities in 
commercial products, and work with technology producers to fix 
them.
    The vulnerabilities that we see on the Internet put 
government, business, and individual users at risk. The current 
state of security is the result of many factors. Rapid growth 
of the Internet brings new users who are not aware of security 
issues. As the technology is being distributed, so is the 
management of that technology. System administration and 
management often fall upon people who do not have the training, 
skills, resources, or interest needed to operate their systems 
securely.
    The Internet is becoming increasingly complex, and with 
that complexity comes increased vulnerability. When vendors 
release upgrades to solve security problems, organizations 
often do not upgrade their systems. The job may be too time-
consuming, too complex, or just too low a priority for the 
system administration staff to handle. There is little evidence 
of security improvement in most new products. Developers are 
not devoting sufficient effort to apply lessons learned about 
the sources of vulnerability.
    Finally, engineering for ease of use is not being matched 
by engineering for ease of security and administration. 
Products are very easy to use, but they are very difficult to 
secure. This is a dynamic problem. The Internet and other forms 
of communications systems will continue grow and interconnect. 
More and more people will conduct business and become otherwise 
dependent on these networks. More and more people will lack the 
detailed technical knowledge and skill that is required to 
effectively protect systems. More and more attackers will look 
for ways to take advantage of the assets of others or to cause 
disruption and damage for personal or political gain.
    The network technology will evolve, and the attack 
technology will evolve right along with it. Many of the 
solutions that work today won't work tomorrow. To move forward, 
we need to make improvements to existing capabilities, but also 
make fundamental changes to the way technology is developed, 
packaged, and used.
    We need, and your bill supports, enhanced response 
capabilities to keep up with the new forms of attack. New forms 
of communications must be developed that provide system 
operators with near realtime access to information about 
security events. The mechanisms that we have today work in 
units of hours and days, but the kinds of attacks that we will 
see in the future won't give us that luxury. We will need to 
move much more quickly.
    In the long term, it is unrealistic to expect that response 
organizations and system administrators, even with highly 
automated procedures, will be able to stay ahead of the kinds 
of automated attacks we can expect to see in the future. At the 
same time, the average level of technical understanding of 
system users is declining, and that trend will continue. In 
this environment, a security approach based on ``user beware'' 
is unacceptable.
    The long-term solution requires a combination of virus-
proof software. Viruses propagate and infect systems because of 
design choices that have been made by computer and software 
designers. Vendors must provide systems and software that are 
virus-resistant.
    Widespread use of encryption and strong authentication. 
Many forms of attack are successful partly because attackers 
are able to masquerade as being someone that the attack target 
knows. Widespread deployment of strong authentication 
technology will help us deal with that problem.
    High-security default configurations. Properly configuring 
systems and networks to use the strongest security built into 
products is difficult. Vendors can help reduce the impact of 
security problems by shipping products with configurations that 
enable security options rather than requiring the user to 
enable them.
    In the end, response techniques can go just so far in 
limiting damage, and we are approaching the limits. It is 
critical that system operators and product developers recognize 
that their systems and products are now operating in hostile 
environments. Operators must demand and developers must produce 
products that are fit for use in this environment.
    With respect to the new legislation, we very much support 
the increased resources for the NIPC and their role of incident 
response, but would encourage you to consider looking at 
allocating at least some of those funds toward increased roles 
in prevention for the Justice Department and for others in the 
Federal Government. Until we begin to build stronger 
foundations in our technology base, we are going to have a 
problem that will be very difficult to deal with. We won't have 
enough resources to deal with the reactive side of the problem, 
and we need more focus on preventing the problem to begin with.
    Thank you.
    [The prepared statement of Mr. Pethia follows:]

                  Prepared Statement of Richard Pethia

                              introduction
    My name is Richard Pethia. I manage the Survivable Systems 
Initiative and the CERT Coordination Center (CERT/CC) at Carnegie 
Mellon University's Software Engineering Institute (SEI) in Pittsburgh, 
Pennsylvania.
    Thank you for the opportunity to testify on the role of the CERT/CC 
in dealing with Internet security issues. Today I will give some 
background on the CERT/CC, describe our experience with Internet 
security incidents, and outline some of the steps that I believe must 
be taken to reduce the impact of future security incidents.
                               background
    The CERT Coordination Center (CERT/CC) is located at the Software 
Engineering Institute (SEI), a federally funded research and 
development center at Carnegie Mellon University in Pittsburgh, 
Pennsylvania. Following the Internet Worm incident, which brought 10 
percent of Internet systems to a halt in November 1988, the Defense 
Advanced Research Projects Agency (DARPA) charged the SEI with setting 
up a center to coordinate communication among experts during security 
emergencies and to help prevent future incidents. Since then, the CERT/
CC has handled over 28,000 computer network security incidents and 
analyzed more than 1,500 vulnerabilities in network-related products. 
Over 80 incident response teams around the world have adopted the 
incident handling practices of the CERT/CC.
    Today, the Defense Information Systems Agency, the General Services 
Administration, and the Federal Bureau of Investigation sponsor the 
CERT/CC's work. The CERT/CC provides assistance to computer system 
administrators in the Internet community who report security problems. 
When a security breach occurs, CERT/CC staff members help the 
administrators of the affected sites to identify and correct the 
vulnerabilities that allow the incident to occur. The CERT/CC staff 
also coordinates the response with other sites affected by the same 
incident. When a site specifically requests, CERT/CC staff members 
facilitate communication with law enforcement agencies.
    The scale of emerging networks and the diversity of user 
communities make it impractical for a single organization to provide 
universal support for addressing computer security issues. Therefore, 
the CERT/CC staff regularly works with sites to help them form incident 
response teams and provides guidance to newly formed teams. The CERT/CC 
is also responsible for the day-to-day operations of the FedCIRC 
(Federal Computer Incident Response Capability) Operations Center, an 
organization that provides incident response and other security-related 
services to Federal civilian agencies. The General Services 
Administration (GSA) manages FedCIRC.
    The CERT/CC also handles reports of vulnerabilities in commercial 
products. When we receive a vulnerability report, our vulnerability 
experts analyze the potential vulnerability and work with technology 
producers to inform them of security deficiencies in their products and 
to facilitate and track their response to these problems. Another 
source of vulnerability information comes from incident analysis. 
Repeated incidents of the same type often point to the existence of a 
vulnerability and, often, the existence of public information or 
automated tolls for exploiting the vulnerability. To achieve long-term 
benefit from vulnerability analysis, we have begun to identify the 
underlying software engineering and system administration practices 
that lead to vulnerabilities and, conversely, practices that prevent 
vulnerabilities.
    Our ongoing computer security incident response activities help the 
Internet community to deal with its immediate problems while allowing 
us to understand the scope and nature of the problems and of the 
community's needs. Our understanding of current security problems and 
potential solutions comes from first-hand experience with compromised 
sites on the Internet and subsequent analysis of security incidents, 
intrusion techniques, configuration problems, and software 
vulnerabilities.
    As a result of our incident and vulnerability analysis work, we 
have a broad view of incident and vulnerability trends and 
characteristics. We communicate this information back to the community 
through online reports, presentations at conferences and workshops, and 
training courses. In addition critical information about specific 
threats goes out to the Internet community through security alerts such 
as CERT advisories, incident notes, vulnerability notes, and vendor-
initiated bulletins. The government receives early warnings through 
``special communications'' to the Department of Defense (through their 
incident response teams), Federal civil agencies (through FedCIRC), and 
the FBI. This work is possible because the CERT/CC has become a major 
reporting center for incidents and vulnerabilities because staff 
members have an established reputation for discretion and objectivity. 
As a result of the community's trust, and receive thousands of reports 
every year.
    In addition to incident response and vulnerability handling, we 
also work on security improvement and network survivability.
    In the area of security improvement we are defining security 
improvement practices to provide concrete, practical guidance that will 
help organizations improve the security of their networked computer 
systems. These practices are being published as security improvement 
modules and focus on best practices that address important problems in 
network security. We also transition these practices through courses 
offered by the SEI and by the SEI's transition patterns.
    Our staff members are also developing a comprehensive, repeatable 
technique for identifying vulnerabilities in networked systems through 
self-evaluation. The information security self-evaluation takes into 
consideration policy, management, administration, and other 
organizational issues, as well as technology, to provide a 
comprehensive view of the information security state of an 
organization. We see this evaluation method as a key component of an 
overarching security improvement framework that allows an organization 
to maintain an acceptable level of security by quickly adapting to 
changes in the internal and external environments.
    In the area of network survivability, we are concentrating on the 
technical basis for identifying and preventing security flaws and for 
preserving essential services in the event of intrusions, accidents, or 
failures. This work draws on the incident data collected by the CERT/
CC. We are developing a survivable network analysis method, which uses 
a structured architectural specification of an existing or proposed 
network application to determine the most likely points in the 
architecture where accidents and/or intrusions could cause the mission 
of the application to fail. This method leverages SEI expertise in risk 
and architectural analysis, network intrusion expertise, and 
vulnerability analysis. It is applied to a selected system by a SEI 
assessment team working with system architects and stakeholders. 
survivable network analysis identifies essential services and assets of 
the application that must survive intrusion, evaluates its ability to 
withstand attack, and recommends architecture strategies to mitigate 
vulnerabilities that are uncovered. The method is designed to scale to 
highly distributed systems in unbounded domains such as the Internet, 
for which traditional security techniques are inadequate. Along with 
the analysis method, our staff is building a simulator to explore 
survivability characteristics of large networked applications in an 
environment of limited administrative control. This will enhance the 
analysis of national infrastructures dependent on information systems 
that are interconnected and interdependent. This simulator will be used 
as part of a more advanced analysis technique for networked 
applications and network protocols. The simulator will help us 
understand how cascade effects and other complex failures arise from 
large networked domains where administrative control is localized but 
there is a dependence on network elements beyond this administrative 
control.
            vulnerability of the internet and world wide web
    Vulnerabilities associated with the Internet put government, 
business and individual users at risk. Security measures that were 
appropriate for mainframe computers and small, well-defined networks 
inside an organization are not effective for the Internet, a complex, 
dynamic world of interconnected networks with no clear boundaries and 
no central control. Because the Internet was not originally designed 
with security in mind, it is difficult to ensure the integrity, 
availability, and privacy of information. The Internet was designed to 
be ``open,'' with distributed control and mutual trust among users. As 
a result, control is in the hands of users, not in the hands of the 
provider; and a central authority cannot administer use. Furthermore, 
security issues are not well understood and are rarely given high 
priority by software developers, vendors, network managers, or 
consumers.
    In addition, because the Internet is digital, not physical, it has 
no geographic location and no well-defined boundaries. Traditional 
physical ``rules'' are difficult or impossible to apply. Instead, new 
knowledge and a new point of view are required to understand the 
workings and the vulnerabilities of the Internet.
    Another factor is the approach typically taken by the intruder 
community. There is (loosely) organized development in the intruder 
community, with only a few months elapsing between ``beta'' software 
and active use in attacks. Moreover, intruders take an open-source 
approach to development. One can draw parallels with open system 
development: there are many developers and a large, reusable code base.
    Intruder tools are becoming increasingly sophisticated and also 
becoming increasingly user friendly and widely available. For the first 
time, intruders are developing techniques to harness the power of 
hundreds of thousands of vulnerable systems on the internet. Using what 
are called distributed-system attack tools, intruders can involve a 
large number of sites simultaneously, focusing all of them to attack 
one or more victim hosts or networks. The sophisticated developers of 
intruder programs package their tools into user-friendly forms and make 
them widely available. As a result, even unsophisticated intruders can 
use them.
    The current state of Internet security is the result of many 
additional factors, such as the ones listed below. A change in any one 
of these can change the level of Internet security and survivability.
     Because of the dramatically lower cost of communication on 
the Internet, use of the Internet is replacing other forms of 
electronic communication. The Internet itself is growing at an amazing 
rate, as noted in an earlier section.
     There is a continuing movement to distributed, client-
server, and heterogeneous configurations. As the technology is being 
distributed, so is the management of that technology. In these cases, 
system administration and management often fall upon people who do not 
have the training, skill, resources, or interest needed to operate 
their systems securely. The number of directly connected homes, 
schools, libraries and other venues without trained system 
administration and security staff is rapidly increasing. These 
``always-on, rarely-protected'' systems allow attackers to continue to 
add new systems to their arsenal of captured weapons.
     Internet sites have become so interconnected and intruder 
tools so effective that the security of any site depends, in part, on 
the security of all other sites on the Internet.
     The difficulty of criminal investigation of cybercrime 
coupled with the complexity of international law mean that successful 
apprehension and prosecution of computer criminals is unlikely, and 
thus little deterrent value is realized.
     The Internet is becoming increasingly complex and dynamic, 
but among those connected to the Internet there is a lack of adequate 
knowledge about the network and about security. The rush to the 
Internet, coupled with a lack of understanding, is leading to the 
exposure of sensitive data and risk to safety-critical systems. 
Misconfigured or outdated operating systems, mail programs, and Web 
sites result in vulnerabilities that intruders can exploit. Just one 
naive user with an easy-to-guess passwork increases an organization's 
risk.
     When vendors release patches or upgrades to solve security 
problems, organizations' systems often are not upgraded. The job may be 
too time-consuming, too complex, or just at too low a priority for the 
system administration staff to handle. With increased complexity comes 
the introduction of more vulnerabilities, so solutions do not solve 
problems for the long term--system maintenance is never-ending. Because 
managers do not fully understand the risks, they neither give security 
a high enough priority nor assign adequate resources. Exacerbating the 
problem is the fact that the demand for skilled system administrators 
far exceeds the supply.
     As we face the complex and rapidly changing world of the 
Internet, comprehensive solutions are lacking. Among security-conscious 
organizations, there is increased reliance on ``silver bullet'' 
solutions, such as firewalls and encryption. The organizations that 
have applied a ``silver bullet'' are lulled into a false sense of 
security and become less vigilant, but single solutions applied once 
are neither foolproof nor adequate. Solutions must be combined, and the 
security situation must be constantly monitored as technology changes 
and new exploitation techniques are discovered.
     There is little evidence of improvement in the security 
features of most products; developers are not devoting sufficient 
effort to apply lessons learned about the sources of vulnerabilities. 
The CERT Coordination Center routinely receives reports of new 
vulnerabilities. We continue to see the same types of vulnerabilities 
in newer versions of products that we saw in earlier versions. 
Technology evolves so rapidly that vendors concentrate on time to 
market, often minimizing that time by placing a low priority on 
security features. Until their customers demand products that are more 
secure, the situation is unlikely to change.
     Engineering for ease of use is not being matched by 
engineering for ease of secure administration. Today's software 
products, workstations, and personal computers bring the power of the 
computer to increasing numbers of people who use that power to perform 
their work more efficiently and effectively. Products are so easy to 
use that people with little technical knowledge or skill can install 
and operate them on their desktop computers. Unfortunately, it is 
difficult to configure and operate many of these products securely. 
This gap leads to increasing numbers of vulnerable systems.
                               solutions
    While it is important to react to crisis situations when they 
occur, it is just as important to recognize that information assurance 
is a long-term problem. The Internet and other forms of communications 
systems will continue to grow and interconnect. More and more people 
and organizations will conduct business and become otherwise dependent 
on these networks. More and more of these organizations and individuals 
will lack the detailed technical knowledge and skill that is required 
to effectively protect systems today. More and more attackers will look 
for ways to take advantage of the assets of others or to cause 
disruption and damage for personal or political gain. The network and 
computer technology will evolve and the attack technology will evolve 
along with it. Many information assurance solutions that work today 
will not work tomorrow.
    Managing the risks that come from this expanded use and dependence 
on information technology requires an evolving strategy that stays 
abreast of changes in technology, changes in the ways we use the 
technology, and changes in the way people attack us through our systems 
and networks. To move forward, we will need to make improvements to 
existing capabilities as well as fundamental changes to the way 
technology is developed, packaged, and used.
     Enhanced incident response capabilities--The incident 
response community has handled most incidents well, but is now being 
strained beyond its capacity. In the future, we can expect to see 
multiple broad-based attacks launched at the Internet at the same time. 
With its limited resources, the response community will fragment, 
dividing its attention across the problems thereby slowing progress on 
each. In addition, system operators will be confused as they try to 
understand if they are dealing with one problem with multiple symptoms 
or with multiple, simultaneous problems. New forms of communications 
must be developed that provide system operators with near real-time 
status on network security events with less person-to-person 
interaction than is required today. Incident response organizations 
must develop more effective ways to analyze security events and 
vulnerability data and to disseminate the results of the analysis to 
their constituents quickly. The mechanisms we have today work in units 
of hours and days, more time than we will have when faced with 
widespread, rapidly moving problems.
     Changes in technology development, packaging and use--In 
the long-term, it is unrealistic to expect that response organizations 
and system administrators, even with highly automated procedures, will 
be able to stay ahead of problems that move at Internet speed. While 
response teams will always be needed to handle new threats and 
unprecedented situations, technology producers must recognize that 
their products are being used in hostile environments and take steps to 
insure that their products are fit for use in those environments. 
Computers and software are becoming more powerful and more 
interconnected. At the same time, the average level of technical 
understanding of system users is declining. Powerful computers and 
software that anyone and everyone can use, without having a deep 
understanding of the technology, are now available. In this 
environment, a security approach based on ``user-beware'' is 
unacceptable. The systems are too complex for this approach to work. 
The long-term solutions required are a combination of the following.
     Virus-resistant/proof software--There is nothing intrinsic 
about digital computers or software that makes them vulnerable to virus 
attack or infestation. Viruses propagate and infect systems because of 
design choices that have been made by computer and software designers. 
Designs that allow the import of executable code, in one form or 
another, and allow the unconstrained execution of that code on the 
machine that received it, are the designs that are susceptible to 
viruses and their effects. Unconstrained execution allows code 
developers (e.g. macro-code developers) to take full advantage of a 
system's capabilities, but does so with the side effect of making the 
system vulnerable to virus attack. To effectively control viruses in 
the long term, vendors must provide systems and software that constrain 
the execution of imported code, especially code that comes from unknown 
or not-trusted sources. Some techniques to do this have been known for 
decades. Others, such as ``sandbox'' techniques, have been more 
recently developed.
     Widespread use of strong authentication--Many forms of 
attack are successful partly because attackers are able to masquerade 
(in either direct attacks or indirect attacks launched through viruses) 
as being someone that the attack target knows. Carefully implemented 
authentication technology, such as digital signatures, that is in 
widespread use would allow people to reject messages, documents and 
code from unknown sources. This would have an immediate impact of 
inhibiting the spread of email carried viruses. Strong cryptographic 
technology exists today to provide integrity and authentication, but it 
is not in widespread use. Widespread deployment will require secure, 
manageable key distribution infrastructures and research and 
development to produce these infrastructures should be accelerated.
     High-security default configurations--With the complexity 
of today's products, properly configuring systems and networks to use 
the strongest security built into the products is difficult, even for 
people with strong technical skills training. Small mistakes can leave 
systems vulnerable and put users at risk when connected to the 
Internet. Vendors can help reduce the impact of security problems by 
shipping products with configurations that enable security options 
rather than require the user to enable them. The user can lower these 
``default'' configurations if desired, but should provide the best 
security possible unless the user takes explicit steps to reduce it.
                               conclusion
    The recent rash of attacks on the Internet demonstrates how quickly 
automated attacks can spread across the network and hints at the kind 
of damage that can be done. Incident response organizations are able to 
limit damage by working effectively together to analyze the problem, 
synthesize solutions, and alert the community to the need to take 
corrective action. With the attacks we can expect to see in the future, 
response organizations will need expanded resources and new techniques 
to act quickly and effectively. Response organizations will always have 
a role to play in identifying new threats and dealing with 
unprecedented problems, but response methods will not be able to react 
at Internet Speeds with complicated viruses or with multiple 
simultaneous attacks of different types.
    The long-term solutions to the problems represented by new forms of 
automated attack will require fundamental changes to the way technology 
is developed, packaged and used. It is critical that system operators 
and product developers recognize that their systems and products are 
now operating in hostile environments. Operators must demand, and 
developers must produce, products that are fit for use in this 
environment. As new forms of attack are identified and understood, 
developers must change their designs to protect systems and networks 
from these kinds of attack.

    The Chairman. Thank you, Mr. Pethia.
    Mr. Richards, we will turn to you.

                 STATEMENT OF JEFF B. RICHARDS

    Mr. Richards. Mr. Chairman, Senator Feinstein, I am Jeff 
Richards, Executive Director of the Internet Alliance. We were 
founded in 1982. Sometimes people think that is a typo. 
Actually, we were the Videotech Industries Association, the 
only trade association to address online and Internet issues 
from a consumer Internet online perspective. In fact, we were 
that group of 50 people who said in 1982-1983 there will be a 
consumer online marketplace one day, and when there is, it will 
change everything. That is what we are talking about today.
    Our mission is to increase consumer trust and confidence in 
the Internet by promoting good business practice, public 
education initiatives, enforcement of existing laws protecting 
consumers, and development of a legal framework governing the 
Internet that will provide, at the same time, predictability, 
efficiency, security, and freedom to innovate.
    In particular, I will focus on security matters, coming as 
I did from last week's G-8 meeting in Paris, during which we 
released the Internet Alliance's white paper which is entitled 
``An International Policy Framework for Internet Law 
Enforcement and Security.'' Mr. Chairman, I would like to have 
the white paper, if possible, appended to my remarks for the 
record.
    The Chairman. Without objection, we will do that.
    [The white paper follows:]

  An International Policy Framework for Internet Law Enforcement and 
          Security: An Internet Alliance White Paper, May 2000

                           executive summary
    In its short life, the Internet has helped us realize the great 
potential of the information age. We are just now beginning to reap the 
economic and social benefits from cyberspace. However, as a value-
neutral technological tool, the Internet has also brought new forms of 
crime and new ways to commit traditional crime. Thus, today, as the 
Internet enters its adolescence, it is a very sensitive time in which 
it is essential for its users to have a sense of confidence and trust 
in this new medium.
    Recent events including ``distributed denial of service attacks'' 
on major Web sites and outbreaks of Internet-spread computer viruses 
have raised international concern and highlighted the need for a policy 
framework to address the issue of Internet crime. As the leading 
consumer Internet industry association, the Internet Alliance, through 
public policy, advocacy, consumer outreach and strategic alliances is 
seeking to build this confidence and trust necessary for the Internet 
to become a leading global market medium of the 21st Century.
    In combating cybercrime, we apply a levelheaded, first-things-first 
approach and encourage the application of existing laws before rushing 
to create new ones. Of course, there are many obstacles to effectively 
enforcing these laws. The Internet knows no borders, thus coordination 
within nation-states and internationally is problematic. While some 
such efforts to address this are underway, many more are needed.
    At the same time, the Internet is an intensely local and intensely 
global experience. While it provides for communication over vast 
distances in cyberspace, its effects can have very real implications 
upon local communities and individual users. Thus, while there is an 
immediate need to coordinate international efforts in combating 
Internet crime, such initiatives should also incorporate national and 
local law enforcement authorities. Without effective law enforcement at 
all levels of government, gaps in coverage could lead to overall 
ineffectiveness.
    Thus far, law enforcement has not been able to keep up with 
technology moving at ``Internet time.'' Lacking the resources and 
experience, especially at the local level police agencies are 
struggling to keep up with the increasing level of cybercrime. While 
the Internet industry is well positioned to help, industry cooperation 
in assisting law enforcement in investigations should be voluntary and 
in strict compliance with existing law.
    With the help of groups such as the Internet Alliance, industry can 
assist in the training and education of law enforcement officials and 
help them to train themselves. Industry should also come together in 
forums such as the IA's Law Enforcement and Security Council to share 
best business practices, form flexible standards, and offer new 
initiatives in the global effort to fight cybercrime. Recognizing that 
education is the best form of prevention, industry should also work to 
promote educational initiatives not only for law enforcement personnel, 
but for consumers as well. The cooperation and proactive work of 
industry should provide good support for law enforcement. This should 
come voluntarily, motivated by concern for the marketplace. At the same 
time, the enforcement of law should remain under the domain of 
government.
    Working together in their respective roles, industry, government 
and empowered consumers will be able to better assess, address and 
prevent Internet crime. It is our hope that this white paper offers a 
place from which to start such cooperation and communication. These 
efforts can only work to further establish the trust and confidence 
necessary for the Internet's success.
                              introduction
    As the word itself implies, the Internet is a global network of 
networks, connecting people and relaying information. From e-commerce 
to chat rooms, the Internet acts as an extension and facilitator of 
traditional offline economic and social activities that people have 
conducted for years before the information age. These activities also 
include traditional unlawful acts such as fraud and identity theft. 
Like any technology, the Internet is an inherently value-neutral tool 
and can also be used by criminals as well as consumers. While some 
criminal acts such as the recent distributed denial of service (DDoS) 
attacks are unique to the Internet and its technology, most online 
crime is an ``Internet version'' of offenses with long histories in the 
real (not virtual) world. Guided by this principle, the Internet 
Alliance, in the second of a series of white papers, provides a 
framework for assessing, addressing, and ultimately preventing Internet 
crime.
    Today, we are just beginning to realize the far-reaching economic 
and social benefits that the Internet can offer. The Internet Alliance 
is committed to help our industry build the confidence and trust 
necessary for the Internet to become the global mass market medium of 
the 21st century through public policy, industry advocacy, consumer 
education and media relations. In 1998, the Internet received a 
permanent place on the agendas of policymakers around the world. On 
countless fronts, and in a host of ever-expanding issue areas, the 
Internet is being addressed through hundreds of different policy 
decisions that will profoundly affect the Internet, consumers and e-
commerce. Businesses providing access, content, software and hardware 
are now seen as a seamless ``Internet industry'' by policymakers, media 
and consumers. Yet until a few months ago, representation acknowledging 
this new, holistic nature of the Internet industry was non-existent. 
The IA is dedicated to advocating the Internet industry perspective on 
issues deeply important to both consumers and to business. Drawing upon 
the knowledge, experience and expertise of the industry members who 
comprise our Law Enforcement and Security Council (LESC), we address 
the issue of Internet crime in this greater context and, in doing so, 
have several guiding themes:
     Policymakers must carefully weigh the complete range of 
available information before acting on Internet issues, in order to 
avoid harmful unintended consequences;
     Consumer Internet policy should avoid creating an 
unpredictable marketplace environment, one where consumers face a 
``hit-or-miss'' electronic shopping experience;
     Policies adopted for the Internet should reflect the 
importance of consumer choice in the marketplace;
     Policies addressing the consumer Internet must reflect the 
need to help educate consumers about use of the new medium;
     Technological tools can be and frequently are more 
effective than government regulations at dealing with social issues 
related to the Internet;
     Consumer Internet policy must not be rooted in alarmist 
depictions of the Internet, and policymakers should strive not to let 
the abusive actions of a few Web sites obscure the unquestioned utility 
and benefits of the new medium.\1\
    It is also important to recognize the efforts of the other national 
and international bodies who, along with the Internet Alliance, are 
taking the first steps in defining the issue and working to combat 
cybercrime. These groups include the G-8, the Council of Europe, 
INTERPOL, the United Nations, the European Council, the Organization of 
American States, the US Departments of Justice, Treasury and State, the 
National White Collar Crime Center, the National Cybercrime Training 
Partnership, and the National Center for Missing and Exploited 
Children.
    To begin, we will evaluate the nature and scope of law enforcement 
and security on the Internet. There are various types of crimes being 
committed online. We identify some of these, not for the purpose of 
offering specific solutions, but rather for the purpose of determining 
the context for more general recommendations. In order to address the 
issue, we must first know what it encompasses.
    Most online crime is traditional ``offline'' crime committed in a 
new way. Therefore, the primary guiding principle we support in 
addressing this issue is the application of existing law to offenses 
committed on the Internet. At the same time, the Net's global coverage 
presents unique jurisdictional problems. In evaluating these, this 
paper emphasizes the importance of local level law enforcement and 
security. While the need for intentional cooperation and coordination 
in dealing with crimes committed in cyberspace may seem obvious, the 
local element is less so. With the click of a mouse, Internet users can 
communicate and send information instantly across the world. Yet, they 
also exist as citizens in their local communities. And in times of 
crisis, after a crime has been committed, most turn to their local 
authorities first. Accordingly, we then explore the best methods for 
bridging the gaps that exist among international, national, and local 
law enforcement officials who combat Internet crime.
    Not surprisingly, private industry has taken the lead in addressing 
issues of law enforcement on the Internet. These efforts are being 
facilitated by groups such as the Internet Alliance that bring together 
the various members of industry and create a shared collective of 
experience. There is much that industry can and should teach law 
enforcement officials about Internet technology, the types of crimes 
being committed, and the recommended ways in which they might be 
addressed. However, as we discuss, industry should not, nor does it 
want to be forced to become the police itself. Here, we try to 
distinguish the proper roles for government and industry. We propose 
that industry be cooperative and proactive in assisting law 
enforcement. It should also define standards, and offer new initiatives 
in its effort to fight cybercrime, while law enforcement remains under 
the domain of government. Industry cooperation with law enforcement 
should be both voluntary and within the limits of current law. Also in 
this section, we examine how non-governmental and international 
organizations may also take active roles in Internet law enforcement 
and security.
    In evaluating the need for cooperation and coordination between and 
within industry and government, we turn to some specific criminal cases 
the demonstrate both its successful and unsuccessful applications. We 
also make some recommendations including the establishment of forums 
and the sharing of best practices and training methods that may serve 
to enhance this cooperation and coordination.
    As it is with any crime, education is the key to prevention. This 
requires educating consumers as well as those in government and 
industry. We assess what is being done and make recommendations for 
what should be done in utilizing the tools, both technological and 
human, to teach and train these groups.
    Recognizing the international breadth of the Internet as it cuts 
across borders, cultures and different forms of government, the goal of 
this paper is to lay the necessary foundation for future discussion. In 
defining key concepts such as the cooperation between industry and 
government, we seek to establish a context from which future Internet 
law enforcement and security initiatives can begin. It is our hope that 
this paper will achieve its goal in helping to ensure the Internet's 
success in meeting the many promises of the information age, as we all 
can use this new medium with confidence and trust.
                  the nature and scope of the problem
    Computers can play three roles in criminal activity. First, 
computers can be targets of an offense. Common examples of this include 
hacking to steal information or attack Web sites as occurs in denial of 
service attacks as well as the propagation of computer viruses. Second, 
computers can simply be the medium in which an offense is committed. 
This includes the transmission of child pornography, software piracy, 
Internet identity theft and fraud. Finally, computers can be incidental 
to a crime. In this case, they may be used to store information or 
provide other evidence of a crime that has been committed. Of course, 
these uses for computers (and the Internet) are not mutually exclusive 
and can all be exploited in the process of committing one crime.\2\
    The Internet crime rate is increasing in pace with Internet's 
explosive growth. Internet users in the US alone are expected to 
increase from over 100 million in 1999 to 177 million by the end of 
2003. Worldwide, the number of users is estimated to reach 502 million 
by 2003.\3\ The economic stakes are also increasing, as e-commerce now 
accounts for $20 billion of the retail market and is expected to reach 
$185 billion by 2004. Even more dramatically, business-to-business e-
commerce which totaled over $100 billion in 1999 is projected to reach 
over $2.7 trillion by that time.\4\ Without effective law enforcement 
and security, Internet crime threatens to derail this economic train by 
creating a loss of consumer and industry confidence in what remains a 
relatively new medium. Moreover, untold social benefits from Internet-
based applications in fields such as medicine, and education may go 
unrealized without the establishment of trust in online communications.
    With such high stakes and high profile events like the recent 
distributed denial of service attacks on some of the Internet's most 
heavily trafficked Web sites, some are pushing for a legislative 
solution. Following the DDoS attacks, a US Senate Hearing on Cybercrime 
was held to discuss possible actions. The Internet Alliance was called 
to testify. Some legislators had proposed an immediate increase of 
penalties for hacking and giving judges more power in authorizing law 
enforcement's use of tracking technology. In addition, the Federal 
Bureau of Investigations has been promoting its Cyberspace Security Act 
(CESA), which would expand the Bureau's powers in fighting cybercrime. 
Others such as the National Infrastructure Protection Center in the US 
are also calling for the drafting of new laws to enhance investigative 
and prosecutorial powers.\5\ Not surprisingly, these responses have 
drawn the ire of civil liberty groups who feel that such action would 
be an encroachment upon the future of electronic privacy and free 
speech. We return to this debate later in the paper. However, as we 
stated before the US Senate, it is our contention that Internet crime 
is largely an extension of traditional crime and, therefore, can best 
be addressed through better application of existing law.
  from local police to international organizations: the importance of 
                     coorporation and coordination
    The international nature of the Internet is obvious. It does not 
respect geographical boundaries or jurisdictions from country to 
country. At first glance, it would seem a haven for criminals. Whether 
it be from home, office, or even on the road from a portable computer, 
access to the Internet and its global reach is readily available. 
Moreover, unlike the Internet, law enforcement agencies must contend 
with very definite borders and jurisdictional limits. In addition to 
issues of sovereignty, these agencies must deal with differences among 
legal systems and a great disparity in technical expertise among their 
international counterparts. Finally, the nature of the Internet 
technology helps ensure that most people can use the Internet 
anonymously. For example, a single transmission may be carried through 
various Internet Service Providers (ISPs), and from country to country 
over different media by means of cable, satellite, or wireless 
technologies. While most Internet users may prefer not to be identified 
online, this technology makes international traces to identify and 
locate a computer criminal quite difficult to accomplish.\6\
    Given these conditions, the need for international cooperation and 
coordination among law enforcement agencies is strong. Below, we will 
address the international efforts that are currently being conducted 
not only by governments, but by non-governmental organizations (NGOs) 
and by other international organizations as well.
                         international efforts
    In spite of the wide range of legal and technological differences 
that separate the many nations connected to the Internet, various 
international efforts are underway to create a more global approach to 
fighting cybercrime.
    As early as 1994, G-7 leaders were emphasizing the need for 
international cooperation in the developing global information society. 
Since then, the G-7 and G-8 have identified a select number of pilot 
projects with key objectives including the support of an international 
consensus on common principles governing access to computer networks 
and applications and their interoperability. Another key objective has 
been the creation of opportunities for information exchange among 
nations. At the same time, these projects were not supposed to require 
the formation of new bureaucracies or institutions, and were to be 
financed by existing programs.\7\ Though not specific to fighting crime 
on the Internet, the G-8's Information Society Pilot Projects have been 
a useful step in achieving greater global coordination and cooperation, 
without which it would be impossible to do successfully.
    At the end of April of this year, the 41-nation Council of Europe 
released a draft version of its ``Convention on Cyber-Crime.'' This 
will be the first international treaty to address criminal law and the 
procedural aspects of Internet crime.\8\ Its purpose is to help 
harmonize national legislation in this field and facilitate 
investigations at all efficient levels of cooperation between 
authorities of different nations. Among the draft's provisions are 
calls for coordinated criminalization of computer hacking and hacking 
devices, illegal interception of data and interference with computer 
systems, computer-related fraud and forgery. In addition, it prohibits 
online child pornography, including the possession of such material 
after downloading, as well as the reproduction and distribution of 
copyrighted material. The draft will also define online criminal acts 
and attempt to determine the liability of individual and corporate 
offenders and set minimum standards for applicable penalties.\9\
    While these steps to further improve international cooperation and 
coordination are welcomed, the legal binding nature of the Treaty is 
somewhat troubling. Future signatory nations will be obliged to give 
national authorities the ability to perform searches and seizures of 
computer data and require subjects to produce data under their control 
and preserve vulnerable data. They will also be obligated to provide 
assistance to their foreign counterparts, for example by preserving 
evidence and locating online subjects. This is likely to wreak havoc on 
existing legal systems that vary widely on issues such as the right to 
privacy. Civil libertarians have already responded to the plan, saying 
that it would violate longstanding privacy rights and grant the 
government far too much power.\10\ Industry participation, including 
the interception of data transmissions by telecom operators and ISPs 
may also be required when the final draft of this Treaty is released in 
December 2000. As we discuss below, such demands on industry run 
contrary to legal protections and would result in the stifling of 
Internet growth. Similarly, while legal remedies may, in fact, be 
required to update outdated laws that cannot be applied to new forms of 
Internet crime, excessive international requirements for new 
legislation in member countries should be avoided. What is preferred is 
a voluntary solution by which sovereignty is respected, national and 
legal values are preserved and mutual assistance is supported.
    In January 1999, based on a proposal of the EC, the European 
Parliament and the Council of the European Union adopted a Multiannual 
Action Plan on promoting safer use of the Internet by combating illegal 
and harmful content on global networks. This plan was designed to 
provide a financial framework for the various EU initiatives on how to 
deal with undesirable content on the Internet. Its main objectives are 
to promote industry cooperation and to ensure that this approach is 
coordinated across Europe and with the rest of the world. In 
particular, the Action Plan supports four main activities:
     The creation of a safe environment, specifically by 
setting up a European network of hotlines and encouraging self-
regulation and codes of conduct;
     The development of filtering and rating systems, by 
demonstrating their benefits and facilitating international agreements 
on rating systems;
     The encouragement of full-scale awareness actions;
     The support of actions, such as assessing legal 
implications, coordination with similar international activities and 
evaluating the impact of Community measures.
    With a budget of 1 million Euros, contracts for the first three 
activities have already begun.\11\
    Among the various forms of Internet crime, the production and 
distribution of online child pornography has received especially strong 
attention from international law enforcement authorities. In 1998, in 
what was the largest ever Internet raid, over one hundred arrests were 
made worldwide and nearly one million pornographic images of children 
were seized. Under the codename ``Operation Cathedral,'' 
internationally coordinated investigations culminated in simultaneous 
raids in twelve countries.
    The pedophile group targeted in the investigation, the Wonderland 
Club, was the most sophisticated known to date and operated in secrecy 
through chat rooms running on discrete servers whose locations were 
changed on a regular basis. Access was always password protected and 
supervised. Though the Wonderland Club originated in the US, a 
breakthrough in the case came when UK police raided a house and seized 
a computer that contained information about the group. With the help of 
international bodies like INTERPOL, an agreement was reached by the 
countries participating in the operation to share key evidence, 
intelligence and relevant computer data. This was formalized in a 
Letter of Request and the National Crime Squad in the UK agreed to 
compile a definitive list of victim images for on-going identification.
    The expertise gained from this operation has benefited law 
enforcement agencies worldwide both operationally and strategically. It 
has helped in establishing guidelines for computer investigations and 
in coordinating operational activities. New computer research methods 
were developed to support established covert policing policies. 
Combined with the assistance of ISPs, more conventional policing was 
adopted in order to identify suspects, many of whom used false names, 
and to gain access to their computer systems and the children who were 
being abused. Without the application of new technology and 
international cooperation and coordination, the investigation could not 
have been successful.\12\
    Operation Cathedral's successful methods and procedures should 
inspire similar efforts in international initiatives to fight other 
forms of cybercrime. The investigation also highlighted some of the 
challenges that such endeavors face. The formal Letter of Request 
system, for example, as a bureaucratic tool, did not provide for fast 
time exchange of relevant evidence. This demonstrated the more general 
problem in preparation of cross border evidence. Also, future cross 
border cooperation may be difficult to achieve when legislative and 
operational differences between countries can only be overcome through 
individual determination as opposed to structural and system 
support.\13\
    INTERPOL, in dealing with issues of cybercrime has organized not 
only a central program at the General Secretariat with an experts 
working group, but has also promoted and supported regional groups to 
study issues and solutions particular to their own areas of the world. 
There may also be value in using the models developed in the 
hemispheric trade and commerce organizations including NAFTA, APEC, 
MERCOSUR and CARICOM to study new ways and means for promoting securing 
security, safety and integrity on the Internet.
                        including the local level
    International efforts alone, however, cannot solve the problem of 
Internet crime. Although Internet users can transcend geography in the 
virtual world of cyberspace, their bodies remain in the very real world 
of their respective local communities. Accordingly, in the case of a 
burglary or assault, a citizen would likely turn to their local 
authorities, as the most accessible source for help. In the same way, 
local authorities should be prepared to assist in the investigation and 
policing of Internet crime. However, without tying these local efforts 
to national and international ones, the gaps between could result in 
overall ineffectiveness. Or worse, this disjointedness could lead to 
ill-conceived solutions that cause more harm than good.
    The importance of inter-jurisdictional cooperation has not gone 
unnoticed in the United States, for example. In April of this year, the 
Washington State Attorney General announced a new initiative that would 
integrate local, state, and federal efforts in combating cybercrime. 
The Computer Law Enforcement of Washington (CLEW) cooperative agreement 
was signed by the US Attorney's Offices in the state of Washington, the 
FBI, the Washington State Patrol, the Washington Association of 
Prosecuting Attorneys and Police Chiefs, the State's Association of 
Sheriffs and the Attorney General's Office. CLEW's focus of bringing 
together law enforcement from national and local levels to combat 
Internet crime is one that should be emulated worldwide. Specifically, 
CLEW is designed to:
     Provide a law enforcement response to high tech crime 
complaints 24 hours a day, seven days a week;
     Share expertise, resources, and training to help local law 
enforcement investigate and prosecute Internet crimes;
     Seek funding for a computer forensics lab which is 
essential for investigating and prosecuting Internet crimes, and;
     Suggest legislation to help prosecute online crime.\14\
    The Washington Attorney General's Office also formed a strike team 
of attorneys and investigators to prosecute consumer protection and 
criminal cases and to provide expertise to local authorities on 
Internet crime issues. Another key component of the agreement 
established the Consumer and Criminal Justice Clearinghouse. With the 
help of the University of Washington, this Web-based center is designed 
to educate consumers, parents, teachers, and law enforcement officials 
about cybercrime issues. In addition, the site will allow for consumers 
to remove their names from marketing lists and file online 
complaints.\15\
    Other groups in the US have also been created to help inform and 
educate local law enforcement authorities about Internet and high tech 
crime. The National Cybercrime Training Partnership's (NCTP) is a 
training consortium comprised of federal, state, local and 
international law enforcement agencies and training associations. This 
group designs, develops and conducts programs to assist investigators 
and prosecutors of high tech crimes, including those committed on the 
Internet. With the support of the US Department of Justice and the 
National White Collar Crime Center, the NCTP has helped local 
authorities especially to receive training in the latest technologies 
and methods to address computer-related crime. One example of their 
efforts is a video that serves as an introduction to the online world 
and the types of crimes that are committed there. The video also helps 
local police officers take the appropriate steps in tracking down 
online criminals and provides information on how to best seize and 
preserve electronic evidence.\16\ The Internet Alliance is also working 
on a similar video to assist law enforcement officers.
    These types of initiatives are particularly useful, as they allow 
local law enforcement to draw upon the expertise and resources of 
national and international authorities. While items such as the video 
may not necessarily give local police all of the specific information 
they need in helping with an online crime, they can refer them to 
relevant laws such as the Electronic Communications Privacy Act or to 
appropriate federal authorities such as the FBI's Computer Analysis 
Response Team, the US Secret Service and US Customs. These are all 
useful resources for local police to tap in determining a course of 
action in investigating or prosecuting an Internet crime.
    Other efforts are underway to create interagency alliances within 
the US federal government. In addition to working with the various 
consumer and international organizations, the Federal Trade Commission 
has been active in targeting Internet fraud while working with other 
agencies from the Securities and Exchange Commission to the Postal 
Service and the Justice Department.\17\
                         avoiding co-regulation
    It is no surprise that companies in the Internet industry have 
taken the early lead in confronting cybercrime. For online merchants 
and other content providers, ISPs, hardware and software companies, it 
is their very business at stake. These companies are also the 
technology innovators and have the best understanding of the technical 
issues with which they work daily. In spite of recent initiatives, 
governments cannot move at the speed of industry and have been somewhat 
late in addressing this issue. The Internet Alliance recognizes that 
law enforcement is trying to catch up with crime in cyberspace and that 
it needs more resources to do so, or it will seriously fall behind and 
may never catch up as technology races ahead. At the same time, as a 
result of their lack of experience and expertise in dealing with the 
Internet crime, some law enforcement agencies may be tempted to rely 
upon industry to identify crime, apprehend criminals, and assist in 
their prosecution.
    As in the offline world, this blurring of the line between 
government and private industry is unacceptable and could have 
extremely detrimental effects. Members of the Internet industry should 
cooperate on a voluntary basis with the proper law enforcement 
authorities in accordance with existing law. Any new legislation that, 
in effect, forced industry into being a ``co-regulator'' with 
government would stifle innovation and entrepreneurial spirit in this, 
one of the world's fastest growing sectors. In the end, this could lead 
to the international flight of companies to countries with more 
favorable regulatory environments.
    Determining the proper role for industry in fighting cybercrime is 
an international concern. This issue was a key topic at the November 
1999 European Commission's Information Society Technologies Conference 
in Helsinki. In this case, the importance of balanced cooperation 
between the ISPs and law enforcement was stressed with particular 
emphasis on having transparent procedures. It was agreed that industry 
should cooperate only according to the law. There was also consensus 
that a relationship of mutual respect and trust should be developed 
between industry and law enforcement authorities.\18\
    In explaining the need for the EU's Multiannual Action Plan 
mentioned above, the European Commission reiterated the need for self-
regulation in the Internet industry: ``A good cooperation between 
industry and government might, however, not be sufficient. [The] 
Internet's technical features, worldwide extension and unlimited 
accessibility make the application and enforcement of existing rules 
difficult . . . Existing or new legislation may therefore not be the 
only or the best tool to fight harmful or illegal content. We therefore 
need to explore new methods and approaches . . . In developing these 
approaches, the self-regulatory approach should be the preferred 
option.\19\
    The EC also commented that the July 1999 EC proposal for a 
Directive on legal aspects of electronic commerce was proposed as an 
initiative to help eliminate member states' legal differences and 
divergent approaches to the issue. In particular, it highlighted the 
proposal's call to establish an exemption from liability for 
intermediaries where they play a passive role as a ``conduit'' of 
information from third parties and limit service providers' liability 
for other ``intermediary'' activities such as the storage of 
information. ``A careful balance between the different interests 
involved is needed, in order to stimulate cooperation between different 
parties and so reduce the risk of illegal activity online. Once again, 
industry has a key role to play here by providing for self-regulation, 
by developing technical solutions and by cooperating with law 
enforcement agencies.'' \20\
    Such ``self-regulation'' is desirable as long as it is interpreted 
as the voluntary cooperation of industry and is not equated with 
``self-policing.'' This concept has also been supported by INTERPOL, in 
its presentation at last year's International Conference on Combating 
Child Pornography on the Internet. In regards to the responsibilities 
of ISPs, INTERPOL acknowledged the commitment of ISPs to assist in the 
detection and elimination of child pornography on the Internet and 
expressed an understanding of the difficulties ISPs face in controlling 
what customers distribute through their services. The presentation also 
included discussion of an initiative that utilized software to 
centralize, track, and identify cases of child abuse on the Internet. 
As INTERPOL noted, this project would allow ISPs to support law 
enforcement in their daily work without having to ``police'' the Net 
themselves.\21\ Initiatives such as this one that utilize existing 
technology instead of new regulation or legislation hold promise for 
easier and faster implementation and, therefore, success. Industry can 
no doubt accomplish more when motivated by an interest in a marketplace 
in which consumers have a predictable, positive experience than when it 
is threatened with civil and criminal sanctions for failing to prevent 
third-party crimes.
    Beginning last year, and spurred by the recent denial-of-service 
attacks on eight of the Internet's most popular Web sites, the US 
government has been pushing to make Internet security a top national 
priority. The initiatives coming from the White House, including an 
Internet security summit held this February, the Working Group on 
Unlawful Conduct on the Internet, and a ``National Plan for Information 
Systems Protection,'' have all called on private industry for help. In 
response to Clinton's National Plan, subtitled ``An Invitation to a 
Dialogue,'' which calls for a public-private partnership to assure 
critical infrastructures, an industry group, the Partnership for 
Critical Infrastructure Protection, was formed.
    Such efforts are useful and productive to the extent that they 
offer a forum in which information and experience can be shared. 
However, in the process, the government should avoid overreaction and 
the ``deputizing'' of private industry. While it would be fair to say 
that the Internet industry like all industries has been wary of 
increased government regulation, this does not mean that private 
companies wish to assume the roles of law enforcement and prosecutor. 
Again, the emphasis should be placed on industry's voluntary 
cooperation and assistance.
                       industry's supporting role
    While the distinction of the proper roles between law enforcement 
and the Internet industry must be maintained in combating cybercrime, 
there are a number of steps that can be taken to make the efforts of 
both more effective. As the technology leader, industry can offer the 
government assistance in developing more sophisticated methods to 
assess Internet crime. Industry should and is contributing to the 
development of training programs for government agencies. In addition, 
a directory of appropriate industry and government contacts should be 
devised to ensure that law enforcement agencies seek assistance from 
the best resources. In conjunction with the U.S. Department of 
Justice's recently announced ``24/7'' computer crime personnel network, 
the Internet Alliance's Law Enforcement and Security Council is 
currently developing an online prototype of such a guide. As we discuss 
below, the LESC is also taking the lead in establishing other 
initiatives to ensure industry's active support of law enforcement.
    Within the Internet industry, a voluntary set of standards or best 
practices, whether technological, policy-oriented, or other, would aid 
in the prevention, investigation and prosecution of cybercrime. These 
standards should respect current business models, allowing flexibility 
based upon resources that may vary from company to company. For 
example, while a larger company may be able to establish and support a 
24 hour hotline for security and law enforcement contacts, a smaller 
one may not.
    Industry's assistance should also extend to educational efforts 
including the development and promotion of tools such as parental 
control software and informative campaigns that help consumers to 
protect themselves from illegal online activities. Here, the LESC is 
taking action, not only by promoting the sharing of best practices 
among its member companies, but also by assisting in the production of 
these educational materials.
    In supporting the government, industry can also work to set up 
reliable and efficient procedures and channels of communication and 
cooperation for processing law enforcement requests and passing along 
investigative material. These efforts can best be achieved through open 
dialogue within industry and the law enforcement community, facilitated 
by groups such as the Internet Alliance's Law Enforcement and Security 
Council. The LESC acts as the primary forum for industry to gather, to 
assess and to define security problems. This information is also shared 
among law enforcement agencies, policymakers, and consumers.
    In coordination with several agencies, including the Department of 
Justice and the FBI, the LESC is also preparing updated Internet law 
enforcement training and resource materials. While many members of the 
LESC already provide briefings, materials and consultations for the law 
enforcement community as requested, needs may soon outstrip individual 
companies' capabilities. By combining an entire industry's experience, 
efforts such as this one can provide both basic, introductory, and 
updated, advanced materials to increase law enforcement's expertise and 
success.\22\
    Government can also play a constructive role in enabling and 
facilitating cooperative industry initiatives, such as statements of 
good business practices. It can properly use its influence to praise, 
to critique and to alert consumers to the difference between those 
companies that are proactive in their efforts and those that are not. 
However, if such initiatives are to remain viable options for industry, 
they should not be codified by subsequent legislation. Indeed, for the 
legislature to take a reasonable, good-faith system of self-regulation 
and codify it with the imposition of strict duties, inflexible 
regulations, and the threat of civil and criminal penalties, is a 
breach of trust that will undermine the willingness of any company to 
step forward voluntarily in the future.
    Initiatives taken by private industry should only complement 
government efforts and should not replace them. For example, government 
should first take the time to train its own law enforcement officers in 
computer and Internet skills irrespective of their jurisdictions. 
Though many agencies and local authorities may lack experience in 
dealing with Internet crime, there are some centers of excellence 
within the Department of Justice, FBI, Attorneys General offices and a 
few metropolitan police forces. These sources of expertise should be 
exploited in inter-jurisdictional efforts such as Washington's CLEW 
program. The LESC also encourages agencies with experience in fighting 
Internet crime to assist those without it. Within the government, there 
are also numerous legal authorities to advise on issues of 
constitutional and statutory civil liberties in the context of the 
Internet. If given the budgetary resources, law enforcement agencies 
can also help themselves by hiring additional personnel and supplying 
them with the proper equipment and materials to investigate and 
prosecute online crime.
           other cases of internet crime: what can be learned
    In October 1998, as part of a worldwide investigation of suspected 
pornographers, New York State Police seized the computer equipment that 
local Buffalo, New York ISP, BuffNET, used to provide its subscribers 
with access to Internet newsgroups. The New York Attorney General said 
organizers of a virtual college had used the Internet newsgroups to 
post and trade pornographic images of pre-teens. Thirteen people from 
four nations were charged in connection with the investigation, but 
there were no local arrests.
    In an issued response, BuffNET stated that it did not create the 
content under investigation. Nor was it possible for BuffNET, or any 
ISP, to completely control the postings to its newsgroups. The company 
did not know about this group or their activity and none of the people 
charged had BuffNET accounts or uploaded to BuffNET servers. BuffNET 
received feeds for the newsgroups from other providers including 
Sprint, Prodigy and a few major educational institutions. In its 
defense, BuffNET also noted that ISPs are not bound by any state or 
federal law to moderate their newsgroups. BuffNET even had a history of 
cooperation with US Customs, the Secret Service, local Sheriffs' 
offices and the Canadian-American Law Enforcement Organization in 
tracing the identities of persons involved in illegal Internet 
activities. The company also has a web page that offers parents 
information about protecting their children while using the 
Internet.\23\
    Better communication between law enforcement and industry would 
have helped in this case. Without identifying himself, an undercover 
investigator from the Attorney General's office e-mailed the company a 
notification of possible illegal content. BuffNET's attorney reviewed 
the newsgroup in question and did not find any illegal materials. The 
Federal Telecommunications Act of 1996 protects service providers from 
prosecution for materials that are transmitted through their computers, 
but also obligates them to remove illegal content when they are aware 
of it.\24\ When BuffNET did not remove the site, their equipment was 
impounded. In this case, which has been likened to the shooting of the 
messenger, law enforcement authorities could have better coordinated 
their efforts with members of the ISP industry who were willing to 
cooperate and provide support in apprehending the true criminals--those 
who produced and distributed the child pornography.
    Law enforcement took a different approach in the case of the 
Melissa virus. The e-mail spread virus that wreaked havoc on computers 
worldwide last year was suspected to have been unleashed through on 
America Online account in the US. AOL was then served with a court 
order requiring it to turn over information regarding the virus. In 
addition, the FBI seized a computer of a local Florida ISP which hosted 
space for the individual suspected of authoring the virus. The FBI also 
investigated a small ISP in Tennessee through which the virus may have 
spread. Less than a week after the virus had begun to spread, a third 
suspect, who later admitted creating it, was arrested in New Jersey.
    Indeed, without the help of AOL, the arrest could not have taken 
place so quickly. According to the New Jersey Attorney General's 
office, after being served with the court order, the company gave them 
a tip to the virus' originator, tracking the dissemination source 
through a listserver.\25\
    In this case, industry's best business practices combined with 
strict compliance with appropriate legal procedures and adherence to 
principles of due process yielded positive results. Court orders were 
used when required, privacy was protected and the case was brought to a 
successful completion. Such protocol will help governments in 
establishing a good cooperative environment in which industry can 
assist law enforcement and consumers. Of course, industry also has a 
vested interest in creating a safer marketplace for its customers. As 
the owner of the investigated ISP in Tennessee said, ``We shut down the 
Web site . . . We don't like viruses any more than anybody.'' \26\
    In the Melissa case, there was also voluntary assistance from 
industry, as a software company in Massachusetts proved instrumental in 
tracing the virus to its authors. In addition, this case revealed the 
benefits that can come from educational institutions assisting in 
combating cybercrime, as the Defense Department-sponsored Computer 
Emergency Response Team at Carnegie Mellon University found digital 
tracks leading the site where the virus was originally posted. In 
contrast to the BuffNET case, this investigation proved to be a more 
positive interaction between government and industry and contributed 
more toward the cooperative engagement of industry in the future.
    As in the Melissa case, the more recent DDoS attacks mentioned 
above created international concern and sometimes overreaction to an 
Internet crime. It is important to note that following the report of 
these attacks on February 7 of this year, Internet services were 
interrupted for a period of hours, not days. When the assault was 
detected, teams of experts deployed additional user capacity and 
screening tools, quickly bringing the situation under control. This was 
an impressive demonstration of industry's responsiveness and effective 
application of technological solutions.
    At the same time, the cooperation of industry and law enforcement 
agencies in this case has already led to the arrest of a Canadian 
juvenile. Aided by a Canadian Internet Service Provider, the Royal 
Canadian Mounted Police led a wide-ranging investigation that received 
input from the FBI, the US Department of Justice and the National 
Infrastructure Protection Center.
    As this paper goes to press, yet another high profile, 
international virus case is under investigation. In the effort to 
apprehend the creator of what is being called the ``Love Bug'' virus, 
law enforcement agencies from different countries are once again 
working together and in cooperation with ISPs to solve an Internet 
crime. In this case, the Love Bug is expected to cause economic damage 
across the world in excess of $10 billion before its done.\27\ As is 
the Melissa case, industry has been quick to react with technological 
solutions, as parts of the virus were removed from ISPs' networks and 
software disinfectants were developed within twenty-four hours of the 
outbreak.
                  protecting privacy with existing law
    Virus cases such as Melissa and the Love Bug have also led to more 
self-regulatory action by ISP and anti-virus firms. In looking for 
alternative technological solutions, some ISPs are developing ways to 
clean their networks so that e-mail is disinfected before it reaches 
its destination. With technical staff and experience to guide them, 
some ISPs feel that they can better stay up-to-date with the latest 
anti-virus software and apply it effectively at the network level. 
Similarly, many ISPs already provide junk mail filters for their 
customers. While this may prove a good example of a proactive 
initiative, not all ISPs are convinced it will work. Scanning incoming 
e-mail traffic and connecting to billing and directory systems will 
require significant technical work and expense, they say. Moreover, it 
may provide a false sense of security and some people might consider it 
an invasion of privacy.\28\ In this way, working within existing laws, 
the marketplace is determining new ways to fight cybercrime.
    Privacy, of course, is a major concern of the Internet industry in 
its assisting in law enforcement investigations. ISPs and other 
companies have the utmost concern for maintaining their customers' 
privacy. At the same, they desire to make their marketplace a safe and 
secure one and also must comply with the letter of the law.
    The first law of its kind, the Electronic Communications Privacy 
Act was enacted by the US Congress to establish rules and procedures by 
which law enforcement could have access to an individual's electronic 
communications and records. These limits on government parallel the 
approaches traditionally taken in the ``bricks and mortar'' world. 
Before information or objects are handed over to law enforcement for 
investigation, the appropriate warrant, judicial order, or subpoenas 
must be acquired.
    Members of the Internet industry have also developed and 
implemented policies and internal mechanisms that limit the sharing of 
personal user information with law enforcement in accordance with the 
ECPA. This model of industry cooperation and compliance with privacy 
protection laws could be effectively applied worldwide. However, there 
are still occasions when law enforcement personnel make investigative 
requests of companies that fall outside the limits of the law. These 
requests may also be directed to the wrong persons such as consumer 
service representatives, rather than others within the ISP structure 
responsible for handling them. Again, these types of problems can be 
alleviated through better law enforcement training and communication 
across the public and private sector lines. In the end, the challenge 
remains for governments and industry to work together to reach a 
balance between privacy and law enforcement on the Internet, while 
taking into account the different laws, structures and norms from 
society to society.
           education: helping internet users help themselves
    Thus far, this paper has focused on law enforcement and industry 
initiatives to fight Internet crime. However, this solution is 
incomplete without mention of the role that the Internet's users in the 
form of consumers, educators, parents and children, should play in 
helping to help themselves.
    Both technological and non-technological tools can help empower the 
public to minimize risks associated with the Internet and to use the 
Internet responsibly. Of special importance is how these tools along 
with relevant knowledge and other resources can be used to guide 
children's online experience and, in turn, teach them responsible use 
of the Internet.
    Of course, one of the most effective ways of protecting children 
online is through parents taking a direct role in teaching their 
children responsible Internet use. Some suggestions include:
     Never give out personal information, such as home address, 
school name, or telephone number, in a public message such as a chat 
room or bulletin board;
     Never allow a child to arrange a face-to-face meeting with 
another computer user without parental permission;
     Get to know your children's online friends just as you get 
to know all their other friends.29
    In addition, there are a number of Web sites that give parents 
guidelines to promote safe and rewarding Internet experiences for 
children.
    Libraries, schools and other public institutions are also 
developing local solutions to help make cyberspace a safer place for 
children. Both technological and non-technological, these efforts 
should be supported by the federal government. Industry should also 
continue its involvement, as it has through participation in roundtable 
discussions with government on this issue.30
    Child protection on the Internet has also gained the attention of 
non-governmental international organizations. In January 1999, Director 
General of UNESCO, Federico Mayor hosted a meeting at UNESCO 
headquarters in Paris to consider ways of combating the exploitation of 
children on the Net. 300 specialists in childcare and child protection, 
Internet specialists and service providers, members of the media, law 
enforcement agencies and other government representatives were in 
attendance. To implement the resulting action plan and the World 
Movement of Citizens to Protect Innocence in Danger was created. This 
group has a small international committee, but the main work is done by 
National Action Groups and NGOs that enlist the participation of 
lawyers, Internet specialists, child protection organizations, jurists, 
political leader and personalities for public relations.31 
Among the Innocence in Danger's achievements thus far, it has helped 
support regional and international conferences on child pornography on 
the Internet. It has also produced handbooks for children, parents and 
teachers, and has created a web-based ``electronic watchtower'' to 
provide news and information on the subject. While this program focuses 
on issues of child pornography it proves a good model for other 
citizen-based efforts to educate about, and combat, cybercrime.
    In assisting law enforcement, some parents are not only teaching 
their children about online safety, they are also actively seeking out 
and reporting Internet predators. Thousands of these volunteers are 
rising up worldwide and their cooperation is welcomed by police, as 
long as citizens know where to draw the line.32 Citizens can 
also contribute directly to law enforcement on the Internet by 
accessing sites such as the National Center for Missing and Exploited 
Children's Cyber Tipline www.missingkids.com. The NCMEC has been a key 
strategic partner for the Internet Alliance since 1996.
    Just as they can help in making the Internet safer for children, 
technological and non-technological tools can be applied in the 
education of consumers. In the US, the Federal Trade Commission has 
begun a number of initiatives to educate consumers and give them more 
confidence in making online transactions. The FTC is also working 
directly with online marketers and other online entrepreneurs on how to 
ensure that consumer protection principles apply to their businesses 
and receives health feedback from these companies that often raises new 
issues in applying traditional consumer protection to Internet 
business.
    Like the FTC, other US agencies are also working to ensure consumer 
confidence in the Internet by enforcing legal protections and 
encouraging private sector leadership. These include initiatives from 
the Department of Commerce, which has been working with the private 
sector to develop codes of conduct for business-to-consumer e-commerce 
and consumer-friendly alternative dispute resolution measures. These 
measures may prove especially useful in cases hampered by differences 
in international law. At the request of the FBI, we at the Internet 
Alliance are working to develop reporting mechanisms for a new Internet 
Fraud Reporting Center. The Better Business Bureau has also gone 
online. BBBOnLine is working with industry to help establish guidelines 
to implement consumer protection. Industry leading ISPs, computer 
companies, and credit card companies have also formed the Electronic 
Commerce and Consumer Protection Group. This group works with consumer 
leaders to develop concrete approaches to address issues of e-commerce 
confidence.\33\
    As with online child pornography, some citizens are doing their own 
investigative work to combat Internet fraud. Often the victims of 
fraudulent online auctions, ``e-posses'' have formed and, in some 
cases, been able to contribute to the arrest of those committing the 
offenses. More of these cases will likely wind up on the doorstep of 
local law enforcement authorities, as one recently did at Suffolk 
County Police Department in New York.\34\ This reemphasizes the need 
for law enforcement at all levels to have sufficient education, 
training, and equipment to be able to deal with them effectively.
    It is not only police and consumers who can use advice on creating 
a more secure Internet environment. According to some in the security 
business, many companies have not taken adequate steps to deal with 
online attacks. Most companies already have the solution, according to 
one consultant. ``They simply need to do things like avoid shared 
accounts and blank passwords. Organizations need to understand the 
risks and prioritize their security [efforts] . . . remembering that 
most breaches are internal.'' \35\ Others contend that companies alone 
do not have the resources to effectively prevent network attacks and 
require managed security monitoring services to provide adequate 
vigilance.\36\ Such debate is healthy and, if pursued in a forum such 
as the LESC, can lead to the sharing of best practices within industry 
and greater overall Internet security.
                               conclusion
    The Internet is still a relatively new medium. Though its sudden 
and exponential growth over the past ten years has helped to revitalize 
our economy, its success in the future will require constant dedication 
and the maintenance of confidence and trust. For this technology to 
continue to live up to its potential as a positive economic and social 
force, it must gain the confidence and trust of those who would use it. 
Internet crime poses an immediate danger to this confidence and trust 
and therefore, should be a top priority issue for policymakers to 
address.
    There are, as we have seen, many obstacles to effective law 
enforcement and security on the Internet. In addressing the legal 
issues associated with this complex technology, we recommend a simple 
approach. Begin by focusing on the effective enforcement of existing 
criminal laws. Next, as the Internet Alliance is actively doing, 
encourage law enforcement to utilize all available resources at all 
levels of government both domestically and internationally. It is 
important to realize that the Internet is a simultaneously global and 
local experience. Accordingly, police efforts must be effective at 
those levels and all in-between. Otherwise, gaps in law enforcement 
coverage at one level could lead to overall ineffectiveness.
    Government should also learn from industry and vice-versa. This 
includes training and the sharing of information. It is equally 
important, however, that the roles of government and industry remain 
distinct. Industry should be tasked with developing its own leadership 
and taking a cooperative and proactive role, including the sharing of 
best practices, the development of technology tools, as well as 
``cyberethics'' curricula and other media to help combat cybercrime. 
The Internet Alliance and its Law Enforcement and Security Council are 
working to meet these ends. However, it is also important to remember 
that actual law enforcement duties should remain the responsibility of 
appropriate government authorities.
    Finally, with the belief that education is the best prevention, 
both the government and industry should take the time to educate 
consumers as well as listen to their concerns. Once again, the Internet 
Alliance is working with industry to promote such educational 
initiatives. At the same time, consumers should become empowered 
themselves and seek to do all that they can in the fight against 
Internet crime.
    The Internet has revolutionized modern communication and its 
greatest chance to live up to its promise will come from the 
communication and the mutual efforts of government, industry, and 
consumers. These efforts will be needed to establish confidence and 
trust in what is still largely a new frontier. It is our intention with 
this white paper to create a common foundation from which to address 
the subject of Internet crime and set stage for future discussion.
                                endnotes
    \1\ Andrew Mathews, Building Consumer Trust and Confidence in the 
Internet Age: An Internet Alliance White Paper, 1999 (Washington, D.C.: 
Internet Alliance), p. 2
    \2\ Robert S. Litt, Statement before The Subcommittee on Social 
Security Senate Ways and Means Committee, United States Senate, May 6, 
1997.
    \3\ United States Dept. of Justice, The Electronic Frontier: The 
Challenge of Unlawful Conduct Involving the Use of the Internet. March 
2000, p. 43. http://www.usdoj.gov/criminal/cybercrime/unlawful.html.
    \4\ Robert Lemos, ``The Problem: How Big is this Threat?'' 2000. 
ZDNet. 31 March 2000. http://www.zdnet.com/special/stories/defense/
0,10459,2473565,00.html
    \5\ Robert Lemos and Lisa M. Bowman, ``Overview: Do we Need a 
`National Plan?'' 2000. ZDNet. 1 May 2000 http://www.zdnet.com/special/
stories/defense/0,10459,2475331,00.html
    \6\ United States. Dept. of Justice. Remarks of Deputy Attorney 
General Eric H. Holder, Jr. at High-Tech Crime Summit in Washington, 
DC. January 12, 2000. http://www.cybercrime.gov/dag0112.html.
    \7\ National Coordinators: G-8 Global Information Society Pilot 
Projects, ``G-8 Global Information Society Pilot Projects: Interim 
Report.'' 1998. Information Society Web Site. 20 April 2000 http://
www.ispo.cec.be/g7/g8interim.html.
    \8\ For updates on the treaty, please see the Internet Alliance Web 
Site. http://www.internetalliance.org.
    \9\ Council of Europe, Draft of Convention on Crime in Cyberspace, 
April 27, 2000. http://www.coe.fr/cp/2000/300a(20000).html
    \10\ Declan McCullagh, ``Cybercrime Solution Has Bugs.'' 2000. 
Wired.com. 3 May 2000. http://www.wired.com/news/print/
0,1294,36047.html.
    \11\ G.M. Borchardt, Taking Stock: Activities of the European 
Commission on the Fight Against Child Pornography, 1999 (Austria: 
European Commission in the Fight Against Child Pornography), p. 2.
    \12\ Alexander Wood, National Crime Squad: United Kingdom Briefing 
Note, 1998. (United Kingdom, National Crime Squad).
    \13\ Wood, National Crime Squad: United Kingdom Briefing Note, 
1998. (United Kingdom, National Crime Squad).
    \14\ Attorney General of Washington, ``Law Enforcement Announces 
Plan to Fight Internet Crime.'' 2000. http://www.wa.gov/ago/releases/
rel__
internet__042700.html.
    \15\ Manny Frishberg, ``Northwest's Plans vs. Cybercrime.'' 2000. 
Wired. 28 April 2000. http://www.wired.com/news/print/
0,1294,35970,00.html.
    \16\ The National Cybercrime Training Partnership, Cybercrime 
Fighting: The Law Enforcement Officer's Guide to Online Crime. Video. 
United States Dept. of Justice. 1998.
    \17\ Jeri Clausing, ``Interagency Alliances Aim to Fight 
Cybercrime.'' 2000. New York Times on the Web. 25 April 2000. http://
www.nytimes.com/library/tech/00/04/cyber/capital/25capital.html.
    \18\ Kiveli Ringou, Information Society Technologies Conference 
1999: Final Report, 1999 (Helsinki, Finland) p. 22.
    \19\ Borchardt, Taking Stock: Activities of the European Commission 
on the Fight Against Child Pornography, 1999 (Austria: European 
Commission in the Fight Against Child Pornography), p. 2.
    \20\ Borchardt, Taking Stock: Activities of the European Commission 
on the Fight Against Child Pornography, 1999 (Austria: European 
Commission in the Fight Against Child Pornography), p. 2.
    \21\ ICPO-Interpol General Assembly, Statement to Vienna Interpol 
Minister. 2000. Vienna, Austria.
    \22\ Jeff B. Richards, Testimony before the United States Senate 
Committee on Appropriations, Subcommittee on Commerce, Justice, State, 
and Judicary. 2000. (Washington, D.C.: Internet Alliance) p. 4-5.
    \23\ BuffNET, BuffNET's Statement with Respect to Attorney 
General's Seizure of Internet Equipment. Buffalo News: Nov. 30, 1998.
    \24\ Editorial, BuffNET Bust: A question of Accountability. Buffalo 
News: Nov. 9, 1998.
    \25\ Erich Luening, ``Court Papers: Smith admits to creating 
Melissa Virus.'' 1999. CNET.com. 3 May 2000. http://news.cnet.com/
category/0-1005-200-346448.html.
    \26\ Stephen Shankland, ``Melissa Suspect Arrested in New Jersey.'' 
1999. CNET.com. 3 May 2000. http://news.cnet.com/category/0-1005-200-
340689.html
    \27\ Morton Overbye, Maria Ressa and Pierre Thomas, ``Authorities 
may be Zeroing in on ILOVEYOU Suspect.'' 2000. CNN.com. 8 May 2000. 
http://www.cnn.com/200/tech/computing/05/05/iloveyou.02.html
    \28\ John Borland, ``ISP's Look to Kill Viruses Before they 
Strike'' 1999 CNET.Com. December 23, 2000. http://news.cnet.com/
category/0-1004-200-1505088.html
    \29\ United States Dept. of Justice, The Electronic Frontier: The 
Challenge of Unlawful Conduct Involving the Use of the Internet. March 
2000 http://www.usdoj.gov/criminal/cybercrime/unlawful.html
    \30\ IBID, p. 43.
    \31\ Homayra Sellier, Innocence in Danger, 1999 (Washington D.C.: 
World Citizens' Movement to Protect).
    \32\ Maria Glod, ``Mom Hunts Pedophiles on Internet.'' 2000. 
Washington Post Online. 13 April 2000 http://www.newslibrary.com/
payoptions/payoption.asp?DBLIST= wp00&DOCNUM=18197&DOCPRICE=
2.95&DOCCURRSYM=$&DOCCURRCODE=usd&ERC=0.
    \33\ United States Dept. of Justice, The Electronic Frontier: The 
Challenge of Unlawful Conduct Involving the Use of the Internet. March 
2000, p. 43-49. http://www.usdoj.gov/criminal/cybercrime/unlawful.html.
    \34\ Julia Angwin, ``How an E-posse Led to Arrests in Fraud on 
Online Auction Site'' 2000. MSNBC. 4 May 2000 http://www.msnbc.com/
news/403265.asp.
    \35\ Robert Lemos and Lisa M. Bowman, ``Overview: Do we Need a 
`National Plan?'' 2000. ZDNet. 1 May 2000 http://www.zdnet.com/special/ 
stories/defense/0,10459,2475331,00.html
    \36\ Bruce Schneier, ``Opinion: The Importance of Vigilance.'' 
2000. ZDNet. 5 April 2000. http://www.zdnet.com/zdnn/ stories/news/
0,4586,2510681,00.html

    Mr. Richards. I saw again that at least among the G-8 
members there was a clear belief that law enforcement and 
security issues are, in fact, shaping the consumer Internet 
marketplace more than any other factor.
    My message today is that, with this committee, the Internet 
Alliance agrees that law enforcement and security issues are 
central to achieving consumer confidence and trust. At the same 
time, we are not enthusiastic about and don't today support 
proposals to legislate privacy. If time allows, I will touch on 
why privacy legislation could have unintended consequences, 
increase tensions over jurisdiction, and most of all distract 
us from the critical point of agreement here, effective 
enforcement of current law.
    I make these points about best practices and the success 
that industry has had and government has encouraged us to 
develop because in the areas of security and privacy we offer 
the committee an outstanding example of voluntary private 
sector action and an unusual record of achievement.
    Mr. Chairman, in S. 2448 you have proposed ambitious 
security and privacy legislation, and we express today our 
appreciation for your sensitivity to a number of industry needs 
and concerns in its drafting. Among its provisions on the 
security side are additional powers and resources for law 
enforcement in the Internet space, increased penalties for 
existing crimes and the addition of new conduct to the criminal 
code, and provisions for expanded law enforcement cooperation 
with computer crime investigations by foreign jurisdictions.
    While we approach any legislation governing the Internet 
with extreme caution, we feel that some of these provisions are 
of positive interest to industry. By way of background, we have 
become vigorously involved in building bridges between industry 
and law enforcement. We last fall launched our Law Enforcement 
and Security Council as a global initiative, again focused on 
effective enforcement of current law. And we are today 
partnering with law enforcement globally, especially with 
INTERPOL and others, to improve training and coordination. So 
we are putting our money where our mouth is on these issues.
    Now, I have also testified in support of additional 
budgetary and personnel resources for law enforcement before 
Senator Gregg's appropriations subcommittee earlier this year. 
At the same time, we recognize there are times when current law 
needs to be amended by narrowly tailored legislation, and so we 
advocate the criminal provisions outlawing false e-mail and 
message identification information as a key step empowering 
consumers to reduce the amount of unsolicited e-mail, and to 
assist ISPs, Internet service providers, to block outgoing 
messages which may be part of, let's say, a denial of service 
attack. We are convinced it is a necessary foundation for other 
consumer empowerment and law enforcement initiatives.
    With respect to other security-related provisions, we favor 
giving law enforcement adequate tools to investigate and 
prosecute criminal acts online. However, we do also share the 
misgivings of some civil liberties groups and others over law 
enforcement requests to expand wholesale the trap and trace or 
pen register laws to the Internet context.
    While useful to law enforcement, we feel these steps can 
threaten to undermine consumer confidence and trust, and 
subject the actions and communications of innocent users to an 
unparalleled level of Government monitoring and intrusion. At 
the same time, it could implicate ISPs and Web site hosts to an 
unprecedented level of participation in criminal investigations 
and lead to mandatory, impractical data retention requirements. 
We commend you for having resisted these proposals in the 
drafting of S. 2448.
    In our society, we have never subscribed to the idea that 
safety and security is worth the sacrifice of all freedoms. We 
accept some measure of risk, some inefficiency in our criminal 
law system, because we also attach a high value to individual 
freedom and privacy from government intrusion. So we feel 
strongly that the Fourth Amendment and statutory protections 
such as ECPA must be safeguarded and made applicable to the 
online context.
    As our final security side point, we have long urged 
greater domestic law enforcement cooperation with foreign law 
authorities. However, the international character and ease of 
use of the Internet, as we have seen with recent virus attacks, 
makes it clear that cross-border crimes will become frankly 
more common. So we clearly support increased budgetary, 
personnel, and training resources for those purposes. We think 
the international dialogue will protect consumers.
    In conclusion, getting it right, we believe, is essential. 
And there is one other specific point from my written statement 
that I really must note. A key factor from an industry 
standpoint is preemption of State and local laws. This comes as 
no surprise. The Internet provides the most compelling scenario 
in recent memory for uniformity of legal treatment across State 
and national borders.
    Thus, we support your proposal. We think that there are 
issues about preemption, about the constitutional sense of 
occupying the field with respect to duties and risks of e-
businesses. I want to finally move on and commend you and thank 
you for the public education aspect of S. 2448. We think it is 
absolutely crucial.
    I stand ready to answer any of your questions, and thank 
you.
    [The prepared statement of Mr. Richards follows:]

                 Prepared Statement of Jeff B. Richards

    Good morning, I am Jeff Richards, Executive Director of the 
Internet Alliance. Since our founding in 1982 as the Videotex Industry 
Association, the Internet Alliance (IA) has been the only trade 
association to address online Internet issues from a consumer Internet 
online company perspective. Through public policy, advocacy, consumer 
outreach and strategic alliances, the IA is building the trust and 
confidence necessary for the Internet to become the global mass-market 
medium of this century. The Internet Alliance's members represent more 
than ninety percent of consumer access to the Internet in the United 
States. Since May of 1999, the Internet Alliance has been a separate 
subsidiary of the Direct Marketing Association, bringing the resources 
of a 4,500-member organization to bear on consumer Internet issues and 
their resolution.
    Our mission is to increase consumer trust and confidence in the 
Internet by promoting good business practices, public education 
initiatives, enforcement of existing laws protecting consumers, and the 
development of a legal framework governing the Internet that will 
provide at the same time predictability and efficiency, security and 
freedom to innovate.
    I am pleased to be able to offer the Alliance's views on Internet 
security and privacy, and particularly on S. 2448. IA's consumer e-
business focus gives its views particular relevance. Among the key 
issues affecting the willingness of consumers to use the Internet is 
security, law enforcement, and privacy. For example, while privacy is 
among the most cherished American values, ironically it is not an 
absolute proposition, but a flexible and evolving set of expectations. 
Indeed those expectations change according to individual circumstances, 
such as where we are, what we are doing, and what stage of life we're 
in, as well as changing along with our culture and technology. Clearly, 
analyzing privacy in simplistic terms, while appealing, is unlikely to 
lead us to an optimal level of consumer satisfaction.
    In particular, then, I will focus on security matters. Coming as I 
did from last week's G8 meeting during which we released the Internet 
Alliance White Paper entitled ``An International Policy Framework for 
Internet Law Enforcement and Security,'' I saw again that--at least 
among the G8 members--there was a clear belief that law enforcement and 
security issues are in fact shaping the consumer Internet marketplace 
more than any other. My message today is that, with this Committee, the 
Internet Alliance agrees that law enforcement and security issues are 
central to achieving consumer confidence and trust. At the same time, 
we are not enthusiastic about and do not today support proposals to 
legislate privacy. For reasons that we will touch on later, privacy 
legislation invites unintended consequences, increases tensions over 
jurisdiction, and distracts us all from the critical point of 
agreement--effective enforcement of current law.
    IA members recognized several years ago, in the infancy of e-
commerce, the importance of consumer confidence and trust in the 
protection of their data, and they were instrumental in designing the 
first privacy ``best practices'' guidelines. Beginning with our 
creation of the first industry privacy principles in 1996, and 
continuing through initiatives like TRUSTe, BBBOnline, and the Online 
Privacy Alliance's privacy guidelines, as the Internet was 
commercialized the private sector has changed the e-commerce landscape 
in favor of the consumer. At the same time government has monitored 
these efforts but has expressly endorsed industry leadership and 
encouraged corporate participation in these voluntary efforts, while 
forbearing to legislate. This approach to Internet regulation has 
proven very constructive.
    I make these points because the areas of security and privacy of 
personally identifiable information offer the Committee an outstanding 
example of voluntary private sector action resulting in an unusual 
record of achievement. As noted in recent studies, over 90 percent of 
recently surveyed commercial web sites post privacy policies, a huge 
advance over the last two years; and the quality of the disclosures and 
other features is also rapidly increasing. It is doubtful that either 
government or non-profit sites come close to this level of performance. 
Most importantly, there is no question that industry has brought these 
benefits to consumers more rapidly than could have been the case under 
the compulsion of formal federal regulations. Likewise, the inherent 
flexibility of business-led efforts has allowed for a more prompt and 
tailored response to subsequent challenges, such as those posed 
recently by the evolution of ad server practices, that government has 
helped highlight.
    This provides evidence that the optimal approach to consumer 
Internet issues is almost always found in a combination of efforts, a 
three-way partnership among industry committed to better serving 
customers, government committed to effectively enforcing current law, 
and an empowered public knowledgeable of its choices and competent to 
decide for itself among a range of options. I stress that as it 
addresses the rapidly changing Internet, government has a useful, even 
essential role. However, that role should rarely lead it to impose new 
legislative mandates and constraints, and then only by the least 
restrictive means available.
    These ideas form the framework for the rest of my comments. We 
commend the Committee for its leadership role in oversight of the 
Internet and the many issues raised as the new medium alters our 
economy and our society in significant ways. The context for this 
hearing is compelling: just over the last few months, public attention 
has been focused on large-scale distributed-denial-of-service attacks, 
hacking of sensitive databases, a new set of viruses, and this week, 
the release of the Federal Trade Commission's annual e-commerce site 
privacy survey and recommendations. These are the kinds of events that 
normally generate widespread support for responsive legislation. We 
must keep in mind, however, that in each case the response of industry 
and, where laws were broken, law enforcement, has been quick and 
effective. This was without new laws or expanded enforcement 
authorities.
    Mr. Chairman, Mr. Schumer, in S. 2448 you have proposed ambitious 
security and privacy legislation; and we express our appreciation for 
your sensitivity to a number of industry needs and concerns in its 
drafting. It covers several general areas: on the security side, 1) 
additional powers and resources for law enforcement in the Internet 
space; 2) increased penalties for existing crimes and the addition of 
new conduct to the criminal code; and 3) provisions for expanded law 
enforcement cooperation with computer crime investigations by foreign 
jurisdictions. On the privacy side: requirements that e-businesses give 
consumers notice before collection of personally identifiable 
information, and choice over how that information, if collected, can be 
disclosed to others. You have asked for our reaction to these 
initiatives.
    While we approach any legislation governing the Internet with 
extreme caution, we feel that S. 2448 does contain security-related 
provisions of positive interest to industry. By way of background we 
have become vigorously involved in building bridges between industry 
and the law enforcement community. Last fall the Internet Alliance 
launched the Law Enforcement and Security Council as a global 
initiative focused on the effective enforcement of current laws. The 
LESC is partnering with several law enforcement agencies to improve 
training and coordination in the enforcement of existing laws. We feel 
additional budgetary and personnel resources for these agencies, and 
more widespread training of and coordination among investigative and 
prosecutorial officers, to be the steps that would provide maximum 
benefit to all who use the Internet. I myself testified in support of 
these resources before Sen. Gregg's Appropriations Subcommittee earlier 
this year. Again, we feel increased enforcement of current laws is 
almost always sufficient to protect the public.
    At the same time, the Internet Alliance also recognizes there are 
times when current law needs to be amended by narrowly tailored 
legislation in order to enhance effective enforcement. Thus, we 
advocate criminal provisions outlawing false email and message 
identification information, as a key step in empowering consumers to 
reduce the amount of unsolicited email, and in assisting ISP's to block 
outgoing messages which may be part of a distributed denial of service 
attack. We appreciate your inclusion in S. 2448 of a provision directed 
to these concerns. While it is not a complete solution in itself, we 
are convinced it is a necessary foundation for other consumer 
empowerment and law enforcement initiatives, some of which have been 
proposed in other bills.
    With respect to the other security related provisions, the IA 
favors giving law enforcement adequate tools to investigate and 
prosecute criminal acts online. Our enforcement agencies are 
instrumental in contributing to the high quality of life we enjoy in 
America. As the Internet has emerged, they have been called on to meet 
extraordinary new challenges. In general, they are doing a fine job, as 
demonstrated by their successes in responding to the recently 
publicized DDoS, hacking and virus attacks, but there are modest 
changes in law which would further improve their ability to protect the 
public. We support S. 2448's proposals to satisfy the $5,000 threshold 
on computer crimes by expanding the definition of and allowing the 
aggregation of damages, and to give nationwide effect to certain 
evidentiary court orders. Experience has shown that current rules in 
these areas fall short in real world application.
    However, we share the misgivings of civil liberties groups and 
others over law enforcement requests to expand wholesale the scope of 
trap and trace or pen register laws in the Internet context. While 
useful to law enforcement, we feel these steps threaten to undermine 
consumer confidence in the Internet and subject the actions and 
communications of innocent users to an unparalleled level of government 
monitoring and intrusion. At the same time, they could implicate ISP's 
and web site hosts in an unprecedented level of participation in 
criminal investigations and lead to mandatory, and impractical, data 
retention requirements. We commend you for having resisted these 
proposals in drafting S. 2448.
    In our society, we have never subscribed to the idea that safety 
and security is worth the sacrifice of all freedoms. We accept some 
measure of risk, some inefficiency in our criminal law system, because 
we attach such a high value to individual freedom and privacy from 
government intrusion. Thus, the Internet Alliance feels strongly that 
Fourth Amendment and statutory protections such as ECPA must be 
safeguarded and made applicable in all online contexts. It is not 
reasonable to believe Internet users are greatly concerned about 
corporate use of personally identifiable information, but that they 
have little interest in government access to the same data. Survey 
results consistently have shown the opposite.
    We also would like to raise concerns about the impact of broadening 
the scope of criminal conduct for computer crimes, and about the effect 
of the new hacking provisions. We concur with the addition of computer 
crimes to the list of offenses for which wiretaps may be sought. On the 
other hand, I believe you would agree that the federal role in law 
enforcement is a special one, and as we think about expanding our 
ability to combat hacking by broadening proscribed conduct, we should 
avoid spreading the net so far as to encompass relatively harmless 
nuisances and pranks. In addition, our members feel strongly that any 
hacking provisions must not compromise their ability to hack into their 
own systems, or to hire others to do so. This is a technique essential 
to the ongoing process of discovering system weaknesses and correcting 
them. We have not concluded that the language of S. 2448 poses these 
problems, but we would like to work with you to make sure the right 
balance is clearly struck.
    On our final security-side point, we have long urged greater 
domestic law enforcement cooperation with foreign criminal law 
authorities. Positive examples can be found, such as the assistance 
both the consumer Internet industry and U.S. law enforcement officials 
gave in the Philippine investigation of the ``Love Bug'' virus. 
However, the international character and ease of use of the Internet 
makes it inevitable that cross-border crimes will become more and more 
common. Again, we support increased budgetary, personnel and training 
resources for this purpose. And we have no substantive concerns with 
many of the international cooperation provisions of S. 2448. We offer 
the following examples as starting points for effective international 
dialog:
     The law as finally amended should not require businesses 
to change their business practices to accommodate the needs of foreign, 
or domestic, criminal investigations.
     The law should not impose significant, uncompensated 
expenses on ISP's or other e-businesses in responding to requests by 
law enforcement at the behest of foreign authorities.
     It should not require business involvement in the 
investigation of conduct which is constitutionally protected in the 
United States or which is consistent with our underlying values. We 
believe S. 2448 contains language designed to produce this result, 
though we would like to review the specific wording with you to make 
sure it's effective.
     Immunity from suit should be extended to those who in good 
faith comply with investigative requests under the law, which are valid 
on their face.
    Turning now to privacy, I would like to make a few general 
comments. It is clear that privacy is growing as a federal legislative 
issue. Some policymakers and the media, in particular, are coming to 
believe that they grasp the complexity of the issue and the options 
available, and that the time has come for a decision on what federal 
privacy legislation should look like. As I noted at the beginning of my 
testimony, industry has always been at the forefront of thought, 
discussion and action in improving privacy protections available to 
Internet users. Yet, we in the business community are acutely aware 
that because of the complexity of cause-and-effect in the Internet 
space, even well intentioned legislation developed after several years 
of experience poses both to business and to consumers significant risks 
of unintended consequences. Hence, we must be involved in providing you 
the best of our knowledge and expertise.
    From our standpoint, ``getting it right'' is essential:
     Technology and business models are changing quickly, and 
require policymakers to acquire current factual knowledge and develop 
insight into future trends, so as not to rob consumers of new Internet 
functions or capabilities--and prevent new privacy innovations and 
solutions.
     Policy models to date have rested on assumption about what 
consumers want. There is a growing body of data indicating that they 
vary widely in their desires and expectations. We would all benefit 
from increased knowledge in this area.
     Industry's voluntary response to the privacy challenge has 
been remarkably successful in delivering real benefits to consumers, 
and it is increasingly effective. We must be careful not to sap this 
momentum.
     Quite significantly, it is becoming clear that we will not 
legislate in a vacuum. Other nations have taken up the privacy issue 
and still others may do so. As an example, it has taken the U.S. and 
the European union two strenuous years to negotiate ``safe harbor'' 
rules, which have yet to be tested in practice. In the United States, 
for example, we have looked at issues in a sector-by-sector approach, 
such as children, or the financial sector. In Europe, by contrast, 
there has been a more general approach.
     These are complicated issues. We must take the time to 
integrate an international view into our thinking and assure ourselves 
that whatever we do will serve us both domestically and 
internationally.
    A key factor from an industry standpoint is pre-emption of state 
and local laws. This comes as no surprise: the Internet provides the 
most compelling scenario in recent memory for uniformity of legal 
treatment across state, and indeed, national, borders. It is clear that 
S. 2448 does not contain the kind of language which in a constitutional 
sense ``occupies the field'' with respect to duties and risks of e-
businesses in collecting and disseminating personally identifiable 
information.
    In short, the privacy issue has been joined on many levels. I can 
assure you that we are every bit as committed as you are to giving 
consumers a secure and satisfying online experience. We hope to work 
with you to increase your knowledge of the complex dynamics at work 
here, dynamics just as subtle and involved as those in the areas of 
financial and medical privacy.
    Finally, let me commend you on the public education campaign called 
for in S. 2448. We have consistently said that consumer empowerment is 
the essential ingredient in a successful national privacy policy, and 
education is a vital component of empowerment. Thus, we support your 
proposal, but we'd like to help improve it.
    To a significant degree, the current debate on privacy is distorted 
by the perception that the sharing of personal information benefits 
only the corporate recipient. This of course is incorrect. While the 
public, and many of us, have come to see the Internet as ``free,'' even 
on the Internet, free lunches are few and far between. It costs website 
hosts, merchants, ISP's and other significant resources to create and 
handle the traffic for useful, attractive, entertaining experiences for 
consumers. Even for large sales-oriented sites, these are not small 
components of the cost of doing business. But for most, access to 
information from consumers who make purchases, or who just visit, is 
critical to support revenue from web site advertisers.
    The Internet offers new opportunities for data sharing and for 
consumer benefit. Moreover, its ability to save consumers time on 
purchases and to more perfectly match their expectations on variety, 
price, performance and other factors is unrivaled in the bricks and 
mortar world. Yet, because the Internet is an interactive medium, its 
advantages of speed and satisfaction are directly dependent on the 
sharing of information. These benefits will only increase in the future 
as the technology matures.
    Thus, we recommend that the public education campaign communicate a 
balanced view of the risks and benefits to sharing information. We'd be 
glad to consult with you on this task.
    Again, Mr. Chairman, Sen. Schumer, members of the committee, we 
appreciate the opportunity to comment on these important issues, and we 
look forward to an ongoing and constructive dialogue. I'd be glad to 
answer any questions.

    The Chairman. Thank you, Mr. Richards.
    Mr. Dempsey, we will take your testimony now.

                 STATEMENT OF JAMES X. DEMPSEY

    Mr. Dempsey. Good morning, Mr. Chairman. Senator Feinstein, 
good morning. Thank you, Mr. Chairman, for inviting us to 
testify at this important hearing on the issue of Internet 
security and privacy. We congratulate you on your leadership 
and foresight in beginning to grapple with these difficult 
issues both from the law enforcement perspective and from the 
consumer perspective.
    The Center for Democracy and Technology is an Internet 
privacy and civil liberties organization, and we come here 
today with three main points. Law enforcement obviously must 
have sufficient authority to fight crime online. In your bill, 
2448, section 109 and section 402 of that bill, you have some 
important provisions increasing the resources for law 
enforcement. They obviously need to build up their expertise to 
be able to deal with this new kind of crime.
    But at the same time, we must recognize that it is the 
Internet industry, the designers and builders of this 
technology, of this amazing new network, this amazing new 
communications medium--it is the people who run it and operate 
it and run the critical infrastructures who are really in the 
best position to prevent hacking crimes and to protect the 
critical infrastructure by building more secure products and 
networks.
    And it is clear that industry, after probably not giving 
security the priority that it deserves, is now focusing on this 
issue a tremendous amount of resources cooperatively, and that 
is far more likely to solve this problem than government 
intervention.
    Second, given the tremendous increase in surveillance 
powers brought about by the new technology, we must avoid any 
expansions of government surveillance authority, and instead 
focus on the privacy standards and strengthen the privacy 
controls governing government monitoring of communications and 
access to stored records. I will discuss in a minute some of 
the ways in which the current privacy standards for government 
surveillance and government data collection have not kept pace 
with the change of this technology.
    Third, for consumer privacy, we must seek a solution that 
is suited to the rapidly changing nature of the Internet, and 
the ultimate solution will combine both the privacy-enhancing 
potential of the technology itself--we need to actually use 
this technology to improve privacy, not to merely erode 
privacy--and, secondly, self-regulation driven by consumer 
demand. Consumers want privacy, and industry is hearing that 
and beginning to address those consumer concerns. And 
ultimately, as your legislation recognizes, we will need 
Federal baseline standards that are enforceable against the bad 
actors and the outliers to protect consumers and their privacy 
online.
    I wanted to focus primarily on some of the Fourth Amendment 
issues, where this committee, along with the rest of society, 
is confronted with what might seem like a dilemma: how do we 
address crime online without intruding on privacy.
    I think that there are two observations here. One is that 
the Internet is a unique, decentralized, user-controlled 
medium. And far more than with any other type of crime, the 
solutions to hacking, the solutions to Internet crime and 
attacks lie in the hands of industry and the people who use 
this technology. Obviously, as you said in your opening 
statement, that is where our first emphasis has to be.
    And the role of the Government is always going to be, of 
necessity, I think, limited, and the ability of the Government 
is going to be limited to bring about improvements in the 
private sector. The Government has enough to do to get its own 
house in order.
    Second, it is clear if you look at the broad sweep of 
technology that the powers of law enforcement to collect 
information, the access to information, has dramatically 
increased. Yet, the last time we updated our privacy laws 
governing criminal investigations was in 1986 with ECPA, the 
Electronic Communications Privacy Act, which came out of this 
committee.
    Think of all the changes that have occurred since 1986 and 
the vast amount of information that is now available online. We 
need to develop privacy standards that address that. The 
Justice Department is pushing for an expansion in authority, 
particularly in terms of the pen register. And there is some 
merit, I think, to their claim of need for a nationwide pen 
register order.
    But by the same token, if you look at that underlying 
statute, the standard in that statute is the rubber stamp 
standard. There is no authority of the judge to review that 
Government application. So before we extend that authority to 
the Internet, before we make it nationwide in effect and give 
this sort of roving authority, we need to go back, look at the 
basic standards in the Title 18 investigatory provisions, and 
increase those standards to put some real teeth in it, to give 
the public the kind of Fourth Amendment privacy protections 
that they expect in the offline world to begin extending those 
more fully to the online world.
    We are prepared to work with you, Mr. Chairman. We 
coordinate the Digital Privacy and Security Working Group, 
which is a group of industry and public interest organizations, 
and we will make that forum available to you and your staff and 
to the other members of the committee to begin to try to build 
some consensus and develop a narrowly focused bill. We can't 
allow this, I think, to become a Christmas tree.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Dempsey follows:]

                 Prepared Statement of James X. Dempsey

    Chairman Hatch, we thank you and Senator Leahy for the opportunity 
to testify today on the important issue of internet security and 
privacy. We congratulate both of you, and Senator Schumer, for your 
leadership and foresight in beginning to grapple with these difficult 
issues, both from the law enforcement perspective and from the consumer 
privacy perspective. S. 2448 and the other introduced bills have served 
to launch an important dialogue. Consensus has not been achieved yet, 
and we share with you today some of our concerns about various 
proposals that are being put forth, but CDT is committed to working 
with you, Mr. Chairman, and other members of this Committee, to develop 
narrowly focused and properly balanced legislation.
    The Center for Democracy and Technology is a non-profit, public 
interest organization dedicated to promoting civil liberties and 
democratic values on the Internet. Our core goals include ensuring that 
the Constitution's protections extend to the Internet and other digital 
information technologies, and that public policies and technical 
solutions provide individuals with control over their personal 
information online. CDT also coordinates the Digital Privacy and 
Security Working Group (DPSWG), a forum for more than 50 computer, 
communications, and public interest organizations, companies and 
associations working on information privacy and security issues.
    Our main points today are three-fold:
     While law enforcement must have sufficient authority to 
fight crime in cyberspace, we must recognize that the Internet industry 
is in the best position to prevent hacking crimes and protect critical 
infrastructures by building more secure products and networks.
     Given the tremendous increase in surveillance power 
brought about by the new technology, we must avoid expansions of 
government surveillance authority and instead must strengthen the weak 
and outdated privacy standards controlling government monitoring of 
communications and access to stored records.
     For consumer privacy, we must seek a solution suited to 
the rapidly changing Internet, combining the privacy-enhancing 
potential of the technology itself, self-regulation driven by consumer 
demands for privacy, and federal legislation that sets baseline 
standards and provides remedies against the bad actors and outliners.
    We focus in this testimony primarily on the Fourth amendment 
issues, where this Committee, along with the rest of society, is 
confronted with what might seem to be a dilemma: how to fight crime on 
the Internet without intruding on privacy.
    A starting point in resolving this apparent dilemma is to recognize 
that the Internet is a uniquely decentralized, user-controlled medium. 
Hacking, unauthorized access to computers, denial of service attacks, 
and the theft, alteration or destruction of data are all already 
federal crimes, and appropriately so. But Internet security is not a 
problem primarily within the control of the federal government. 
Particularly, it is not a problem to be solved through the criminal 
justice system. Internet security is primarily a matter most 
effectively addressed by the private sector, which has built this 
amazing medium in such a short time without government interference. It 
is clear that the private sector is stepping up its security efforts, 
with an effectiveness that the government could never match, given the 
rapid pace of technology change and the decentralized nature of the 
medium. The tools for warning, diagnosing, preventing and even 
investigating infrastructure attacks through computer networks are 
uniquely in the hands of the private sector. In these ways, Internet 
crime is quite different from other forms of crime. While the potential 
for the government to help is limited, the risk of government doing 
harm through design mandates or further intrusions on privacy is very 
high.
    Second, while the Justice Department frequently complains that 
digital technologies pose new challenges to law enforcement, it is 
clear, if you look at the Justice Department's record, that the digital 
revolution has been a boon to government surveillance and collection of 
information. In testimony on February 16, 2000 before the Senate 
appropriations subcommittee, FBI Director Freeh outlined the Bureau's 
success in many computer crime cases. Online surveillance and tracking 
led to the arrest of the Phonemasters who stole calling card numbers; 
the Solar Sunrise culprits, several of whom were located in Israel; an 
intruder on NASA computers, who was arrested and convicted in Canada; 
the thieves who manipulated Citibank's computers and who were arrested 
with cooperation of Russian authorities; Julio Cesar Ardita, who was 
tracked electronically to Argentina; and the creator of the Melissa 
virus, among others. Computer files are a rich source of stored 
evidence: in a single investigation last year, the FBI seized enough 
computer data to nearly fill the Library of Congress twice. Electronic 
surveillance is going up, not down, in the face of new technologies. 
The FBI estimates that over the next decade, given planned improvements 
in the digital collection and analysis of communications, the number of 
wiretaps will increase 300 per cent. Last year, the largest rate of 
increase in government intercepts under Title III involved newer 
electronic technologies, such as email, fax and wireless devices. 
Online service providers, Internet portals and Web sites are facing a 
deluge of government subpoenas for records about online activities of 
their customers. Everywhere we go on the Internet we leave digital 
fingerprints, which can be tracked by marketers and government agencies 
alike. The FBI in its budget request for FY 2001 seeks additional funds 
to ``data mine'' these public and private sources of digital 
information for their intelligence value.
    Considering the broad sweep of the digital revolution, it is 
apparent that the major problem now is not that technology is outpacing 
government's ability to investigate crime, but, to the contrary, that 
changes in communications and computer technology have outpaced the 
privacy protections in our laws. Technology is making ever-increasing 
amounts of information available to government under minimal standards 
falling far short of Fourth Amendment protections.
    Nonetheless, the Justice Department is seeking further expansions 
in its surveillance authorities. But surely, before enacting any 
enhancements to government power, we should ensure that current laws 
adequately protect privacy. For example, the government wants to extend 
the pen register statute to the Internet and create a ``roving'' pen 
register authority. Yet, the current standard for pen registers imposes 
no effective control on the government, reducing judges to mere rubber-
stamps. And pen register as applied to Internet communications are even 
more revealing. In this and other cases, we must tighten the standards 
for government surveillance and access to information, thus restoring a 
balance between government surveillance and personal privacy and 
building user trust and confidence in these economically vital new 
media. CDT is prepared to work with the Committee and the Justice 
Department to flesh out the needed privacy enhancements and to convene 
our DPSWG working group as a forum for building consensus.
            background: fourth amendment privacy principles
    To understand how far current privacy protections diverge from the 
principles of the Constitution, we should start with the protections 
accorded by the Fourth Amendment. If the government wants access to 
your papers or effects in your home or office, it has to meet a high 
standard:
     The government must obtain a warrant from a judge based on 
a showing of probable cause to believe that a crime has been, is being 
or is about to be committed and that the search will uncover evidence 
of the crime. The warrant must ``particularly'' describe the place to 
be searched and the things to be seized.
     The government must provide you with contemporaneous 
notice of the search and an inventory of items taken. See Richards v. 
Wisconsin, 520 U.S. 385 (1997); Wilson v. Arkansas, 514 U.S. 927 
(1995).

These rules apply in the computer age, so long as you keep information 
stored on your hard drive or disks in your home or office.
    The Supreme Court held in 1967 that wiretapping is a search and 
seizure and that telephone conversations are entitled to protection 
under the Fourth Amendment. Katz v. United States, 389 U.S. 347 (1967), 
Berger v. New York, 388 U.S. 41 (1967). Congress responded by adopting 
Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 
requiring a court order based on a finding of probable cause to 
intercept wire or oral (i.e., face-to-face) communications. 18 U.S.C. 
Sec. 2510 et seq. However, Congress did not require the contemporaneous 
notice normally accorded at the time of a search and seizure. This was 
a fateful decision, but, the government argued, to give contemporaneous 
notice would defeat the effectiveness of the surveillance technique. In 
part to make up for the absence of notice, and recognizing the other 
uniquely intrusive aspects of wiretapping, Congress added to Title III 
requirements that go beyond the protections of the Fourth Amendment. 
These additional protections included: permitting the use of wiretaps 
only for investigations of a short list of very serious crimes; 
requiring high-level Justice Department approval before court 
authorization can be sought; requiring law enforcement agencies to 
exhaust other, less intrusive techniques before turning to 
eavesdropping; directing them to minimize the interception of innocent 
conversations; providing for periodic judicial oversight of the 
progress of a wiretap; establishing a statutory suppression rule; and 
requiring detailed annual reports to be published on the number and 
nature of wiretaps.1
---------------------------------------------------------------------------
    \1\ Over time, though, many of these additional protections have 
been substantially watered down. The list of crimes has been expanded, 
from the initial 26 to nearly 100 today and more are added every 
Congress. Minimization is rarely enforced by the courts. The exhaustion 
requirement has been weakened. Evidence is rarely excluded for 
violations of the statute. Almost every year the number of wiretaps 
goes up--12% in 1998 alone. Judicial denials are rare--only 3 in the 
last 10 years. The average duration of wiretaps has doubled since 1988. 
So even in the world of plain old telephone service we have seen an 
erosion of privacy protections. The fragility of these standards is 
even more disconcerting when paired with the FBI's ``Digital Storm'' 
plans for digital collection, voice recognition and key word searching, 
which will reduce if not eliminate the practical constraints that have 
up to now limited the volume of information that the government can 
intercept.
---------------------------------------------------------------------------
    After it ruled that there was an expectation of privacy in 
communications, the Supreme Court took a step that had serious adverse 
consequences for privacy: It held that personal information given to a 
third party loses its Fourth Amendment protection. This rule was stated 
first in a case involving bank records, United States v. Miller, 425 
U.S. 435 (1976), but it is wide-ranging and now serves as the basis for 
government access to all of the records that together constitute a 
profile of our lives, both online and offline: credit, medical, 
purchasing, travel, car rental, etc. In the absence of a specific 
statute, these records are available to law enforcement for the asking 
and can be compelled with a mere subpoena issued without meaningful 
judicial control.
    In 1979, a third piece of the privacy scheme was put in place when 
the Supreme Court held that there is no constitutionally-protected 
privacy interest in the numbers one dials to initiate a telephone 
call--data collected under a device known as a ``pen register.'' Smith 
v. Maryland, 442 U.S. 735, 742 (1979). While the Court was careful to 
limit the scope of its decision, and emphasized subsequently that pen 
registers collect only a very narrow range of information, the view has 
grown up that transactional data concerning communications is not 
constitutionally protected. Yet, in an increasingly connected world, a 
recording of every telephone number dialed and the source of every call 
received can provide a very complete picture--a profile--of a person's 
associations, habits, contacts, interests and activities. (Extending 
this to email and other electronic communications can, as we explain, 
below, be even more revealing.)
    In 1986, as cellular telephones service became available and email 
and other computer-to-computer communications were developing, this 
Committee recognized that the privacy law was woefully out of date. 
Title III anachronistically protected only wire and voice 
communications: it did not clearly cover wireless phone conservations 
or email. In response, under the leadership of Senator Leahy, Congress 
adopted the Electronic Communications Privacy Act of 1986 (ECPA). ECPA 
did several things: it made it clear that wireless voice communications 
were covered to the same degree as wireline voice communications. It 
extended some, but not all, of Title III's privacy protections to 
electronic communications intercepted in real-time.
    ECPA also set standards for access to stored email and other 
electronic communications and transactional records (subscriber 
identifying information, logs, toll records). 18 USC Sec. 2701 et seq. 
And it adopted the pen register and trap and trace statute, 18 USC 
Sec. 3121 et seq., governing real-time interception of ``the numbers 
dialed or otherwise transmitted on a telephone line.'' (A pen register 
collects the ``electronic or other impulses'' that identify ``the 
numbers dialed'' for outgoing calls and a trap and trace device 
collects ``the originating number'' for incoming calls.) To obtain such 
an order, the government need merely certify that ``the information 
likely to be obtained is relevant to an ongoing criminal 
investigation.'' 18 USC Sec. Sec. 3122-23. (There is no constitutional 
or statutory threshold for opening a criminal investigation.) The law 
states that the judge ``shall'' approve any request signed by a 
prosecutor.
    ECPA did not, however, extend full Title III protections to email 
sitting on the server of an ISP. Instead, it set up a two-tiered rule: 
email in ``electronic storage'' with a service provider for 180 days or 
less may be obtained only pursuant to a search warrant, which requires 
a finding of probable cause, but the additional protections of Title 
III--limited number of crimes, high level approval, judicial 
supervision--do not apply. Email in storage for more than 180 days and 
data stored on a ``remote computing service'' may be obtained with a 
warrant or a mere subpoena. In no case is the user entitled to 
contemporaneous notice. The email portions of ECPA also do not include 
a statutory suppression rule for government violations and do not 
require annual reports of how often and under what government access, 
which are critical for public or congressional oversight.
              mapping the fourth amendment onto cyberspace
    Remarkably, ECPA was the last significant update to the privacy 
standards of the electronic surveillance laws. Astonishing and 
unanticipated changes have occurred since 1986:
     the development of the Internet and the World Wide Web as 
mass media;
     the convergence of voice, data, video, and fax over wire, 
cable and wireless systems;
     the proliferation of service providers in a decentralized, 
competitive communications market;
     the movement of information out of people's homes or 
offices and onto networks controlled by third parties;
     the increasing power of hand-held computers and other 
mobile devices that access the Internet and data stored on networks.
    As a result of these changes, personal data is moving out of the 
desk drawer and off of the desktop computer and out onto the Internet. 
Unless Congress responds, the Fourth Amendment protections would remain 
available only in the home when increasingly information is not stored 
there anymore. It is time to adopt legislative protections that map 
Fourth Amendment principles onto the new technology.
    It is clear that the surveillance laws' privacy protections are too 
weak:
     Data stored on networks is not afforded full privacy 
protection. Once something is stored on a server, it can be accessed by 
the government without notice to the user, and without probable cause.
     The standard for pen registers is minimal--judges must 
rubber stamp any application presented to them.
     Many of the protections in the wiretap law, including the 
special approval requirements and the statutory rule against use of 
illegally obtained evidence, do not apply to email and other Internet 
communications.
     ISP customers are not entitled to notice when personal 
information is subpoenaed in civil lawsuits; notice of government 
requests can be delayed until it is too late to object.
     Inconsistent standards apply to government access to 
information about one's activities depending on the type of technology 
used. For example, watching the same movie via satellite, cable TV, 
Internet cable modem, and video rental is subject to four different 
privacy standards.
    In addition, there are many ambiguities, some of which have existed 
since ECPA was enacted, others caused by technology's continuing 
evolution since 1986. For example, does the pen register statute apply 
to email or Web communications? If so, what are ``the numbers dialed or 
otherwise transmitted?'' To get email addresses and Web addresses 
(URLs), can the government serve a pen register order on the ISP or 
must it use an order under ECPA? What information is collected under a 
pen register order and from whom in the case of a person who is using 
the Internet for voice communications? What standard applies if the 
person has a cable modem? Is an Internet portal an electronic 
communications service under ECPA? Are search terms covered by ECPA? 
Does ECPA cover government access to information about one's activity 
at an e-commerce site? Do people have a constitutionally protected 
privacy interest in their calendars stored on Internet Web sites? At 
best, the answers are unclear.
    The importance of these questions is heightened by the fact that 
transactional or addressing data for electronic communications like 
email and Web browsing can be much more revealing than telephone 
numbers dialed. First, email addresses are more personally revealing 
than phone numbers because email addresses are unique to individual 
users. Furthermore, if the pen register authority applies to URLs or 
the names of files transmitted under a file transfer protocol, then the 
addressing information can actually convey the substance or purport of 
a communication. For example, a search for ``heart disease'' 
information through a search engine creates a URL that indicates 
exactly what content a Web surfer is exploring.
              outlining the necessary privacy enhancements
        To update the privacy laws, Congress should start with the 
        following issues:
     Increase the standard for pen registers. Under current 
law, a court order is required but the judge is a mere rubber stamp--
the statute presently says that the judge ``shall'' approve any 
application signed by a prosecutor saying that the information sought 
is relevant to an investigation. Instead, the government should be 
required to justify its request and the order should issue only if the 
judge affirmatively finds that the government has shown that the 
information sought is relevant and material.
     Assuming that the pen register authority applies to 
Internet service providers, define and limit what personal information 
is disclosed to the government under a pen register or trap and trace 
order.
     Add electronic communications to the Title III 
exclusionary rule in 18 USC Sec. 2515 and add a similar rule to the 
section 2703 authority. This would prohibit the government from using 
improperly obtained information about electronic communications.
     Require notice and an opportunity to object when civil 
subpoenas seek personal information about Internet usage.
     Improve the notice requirement under ECPA to ensure that 
consumers receive notice whenever the government obtains information 
about their Internet transactions.
     Require statistical reports for Sec. 2703 disclosures, 
similar to the reports required under Title III.
     Make it clear that Internet queries are content, which 
cannot be disclosed without consent or a probable cause order.
     Provide enhanced protection for information on networks: 
probable cause for seizure without prior notice, opportunity to object 
for subpoena access.
                          comments on s. 2448
    S. 2448 represents an effort to address a range of Internet privacy 
and security concerns without creating an unwieldy bill. We appreciate 
the Chairman's decision to stay away from some contentious issues, 
particularly the Justice Department's request for ``roving'' pen 
registers for the Internet, and we hope you will work to keep the bill 
from being weighted down with other proposals that would expand 
government surveillance power without adequate privacy standards.
    In many ways, we have a robust computer crime law. The Computer 
Fraud and Abuse Act was originally passed in 1984 and was amended in 
1986, 1994 and 1996. It protects a broad range of computers and is 
quite comprehensive. By its terms, it clearly covers the recent ``love 
bug'' virus, the Melissa virus, and the denial of service attacks in 
February, even those that were created and launched from overseas.
    The main effect of S. 2448's criminal provisions would be to extend 
federal jurisdiction over minor computer abuses not previously thought 
serious enough to merit federal resources. Currently, federal 
jurisdiction exists for some computer crimes only if they result in at 
least $5,000 of aggregate damage or cause especially significant 
damage, such as any impairment of medical records, or pose a threat to 
public safety. Any virus affecting more than a few computers easily 
meets the $5,000 threshold. S. 2448 would eliminate even this low 
threshold.
    Specifically, the bill would make it a felony to send any 
transmission intending to cause damage or to intentionally access a 
computer and recklessly cause damage, punishable for up to 3 years in 
prison, even if the damage caused is negligible. In addition, the bill 
would make it a misdemeanor to intentionally access any computer and 
cause damage, even unintentional damage, again regardless of the extent 
of such damage.
    Perhaps unintentionally, these changes would federalize a range of 
de minimis intrusions on another's computer:
     Somebody borrows a friends computer without permission and 
changes some files as a joke.
     A student, noticing that someone at the school library's 
public terminal failed to completely log out of their account, gains 
access to that student's account and accidentally erases some files.
     A computer science graduate student, in the process of 
testing a new computer security tool, gains access to another computer 
on campus without permission and then changes some files to show they 
were there.
    It is highly unlikely that the FBI and the Justice Department could 
ever have the resources to prosecute such minor computer offenses. The 
provisions will have to be applied selectively, and the risk becomes 
high, therefore, that the provisions will be applied in unfair ways.
    The elimination of any thresholds is particularly questionable in 
light of sections of S. 2448 that would amend the forfeiture law in 
ways that could result in seizure by the government of the house in 
which sat a computer used in hacking and expand wiretap authority by 
making all computer crimes a predicate for wiretaps.
    Another part of S. 2448 permits the US Attorney General to provide 
computer crime evidence to foreign law enforcement authorities 
``without regard to whether the conduct investigated violates any 
Federal computer crime law.'' It is unclear whether this expands the 
Justice Department's investigative authority to investigate lawful 
conduct in the US at the request of foreign governments.
    On the consumer privacy side, S. 2448 has other provisions that 
would bring about some improvements in privacy, although there are some 
problems with the bill.
     Sec. 302 would prohibit satellite TV service providers 
from disclosing information about their customers and their viewing 
habits unless the customers have affirmatively agreed (``opted-in'') to 
such sharing. This is a step toward addressing one of the many areas of 
inconsistency in our privacy laws. Currently, federal law protects the 
subscriber information and viewing habits of a cable TV subscriber but 
not a satellite TV viewer. Sec. 302 would create privacy protections 
for viewers of satellite TV. However, we are distressed to see that an 
exception in Sec. 203 allows disclosure to the government without 
notice and an opportunity to object, thereby giving satellite TV 
viewers less protection than existing law affords to cable TVA 
subscribers.
     Sec. 304 would require commercial Web sites to give 
visitors notice of data collection and sharing practices and ``the 
opportunity, before the time that such information is initially 
disclosed, to direct that such information not be disclosed to such 
person.'' Again, enforceable requirements of notice and opt-out would 
be a step forward over current law. However, the bill does not address 
two other key elements of online privacy--access and security. Further, 
we believe that it is possible to avoid the current dichotomy between 
opt-out and opt-in. On the Internet, a better way to think of privacy 
is in terms of meaningful choice, since the technology can eliminate 
the transaction costs and other burdens on industry associated with 
opt-in rules in the offline world. Indeed, some online service 
providers have adopted in opt-in policy as part of their business mode. 
given the rapid change that is occurring as businesses respond to 
persistent high levels of consumer concern about privacy, we would not 
want federal legislation to freeze opt-out into place.
     Sec. 306 would make fraudulent access to personally 
identifiable information a crime The provision covers anyone who 
``knowingly and with an intent to defraud . . . causes to be disclosed 
to any person, personally identifiable information . . . by making a 
false . . . statement . . . to a customer of an interactive computer 
service.'' The Committee should make it clear whether the ``with intent 
to defraud'' language is enough to exclude from the crime a Web site's 
collection of information under a privacy statement that is not longer 
being adhered to.
                      justice department proposals
    Our greatest concern, however, is with Justice Department and other 
proposals for expansions in government surveillance or data access 
authority. One area of serious concern is Sen. Schumer's bill S. 2092, 
which, in its current form, extends pen register authority over the 
Internet in broad and ill-defined ways. S. 2092 also would give every 
federal pen register and trap and trace order nationwide effect, 
without limit and without requiring the government to make a showing of 
need, creating a sort of ``roving pen register.'' We have shared our 
privacy concerns with Sen. Schumer, along withy our specific 
recommendations for improvements, and we hope that a more balanced bill 
could be agreed upon. We have prepared for Sen. Schumer and interested 
parties a detailed memo, which I would request be made a part of the 
record of this hearing.
    S. 2092 focuses on pen registers, which collect the numbers dialed 
on outgoing calls, and trap and trace devices, which collect the phone 
numbers identifying incoming calls. These surveillance devices have 
long been used by law enforcement in the plain old telephone world. 
Because they are not supposed to identify the parties to a 
communication nor whether the communication was even completed, the 
standard for approval of a pen register is very low: the law provides 
that a judge ``shall'' approve any request by the government that 
claims the information sought is ``relevant'' to a investigation. This 
really says that the court must rubber stamp any government request.
    The pen register and trap and trace statute only applies to the 
numbers dialed or otherwise transmitted on the telephone line to which 
the device is attached. S. 2092 would extend the pen register and trap 
and trace authority to all Internet traffic. It does so with very broad 
terminology, stating that the pen register can collect ``dialing, 
routing, addressing or signaling information,'' without further 
definition. It needs to be made clear that pen registers do not sweep 
in search queries or URLs that identify specific documents viewed 
online or include personal information.
    It is time to give the pen register statute real privacy teeth, 
requiring the government to actually justify its requests to a judge's 
satisfaction. Also, if nationwide service is to be available, it should 
be on the basis of a specific showing of need, and should be limited 
both by time and other parameters.
                               conclusion
    We do not need a new Fourth Amendment for cyberspace. The one we 
have is good enough. But we need to recognize that people are 
conducting more and more of their lives online. They are storing 
increasing amounts of sensitive data on networks. They are using 
technology that can paint a full profile of their personal lives. The 
pricetage for this technology should not include loss of privacy. It 
should not be the end of the privacy debate to say that technological 
change takes information outside the protection of the Fourth Amendment 
as interpreted by the courts 25 years ago. Nor is it adequate to say 
that individuals are voluntarily surrendering their privacy by using 
new computer and communications technologies. What we need is to 
translate the Fourth Amendment's vision of limited government power and 
strong protections for personal privacy to the global, decentralized, 
networked environment of the Internet. This should be the Committee's 
first task.

    The Chairman. Well, thank you, Mr. Dempsey. Let me start 
with you, but I would like the rest of you to take a crack at 
this if you care to. In your testimony, you applaud the 
enhanced privacy provided by the Internet, but doesn't that cut 
both ways? In other words, does the increased privacy and 
anonymity afforded by the Internet create greater worries for 
Americans concerned about Internet crime, such as child 
pornography or terrorism, or fraud for that matter? Wouldn't 
you agree that we in Government have some role, perhaps even an 
obligation, in addressing these concerns?
    Mr. Dempsey. The Government has a role, obviously. Crime, 
fraud, child pornography, other criminal activity that is 
criminal offline is, and should be, criminal online. I think 
that, again, if you look at the successes of law enforcement, 
you see that they have been extremely successful in identifying 
and tracking criminals online, including criminals overseas.
    The Citibank computer break-in--the FBI traced the 
perpetrators of that to Russia and, with the cooperation of 
Russian authorities, arrested them. Ardita, the Argentine 
hacker, was traced back to Argentina using online techniques. 
The Phonemasters, the creator of the Melissa virus--in all of 
these cases, the Government, using the current authorities that 
it has and using the current information that is generated, 
these digital fingerprints that we leave behind, has been 
successful. Child pornography--obviously, the anonymity there 
works both ways because you can have an FBI agent go online and 
pretend to be a 13-year-old girl, and they are making cases in 
the Innocent Images program.
    I think to then try to squeeze that relative anonymity--I 
don't think there is perfect anonymity on the Internet, never 
has been and never will be. There are certain forms of relative 
anonymity online that are not that dissimilar to some of the 
forms of relative anonymity that we have offline as we walk 
down the street.
    To try to squeeze out legislatively that remaining bit of 
anonymity, I think, would have some negative impacts on freedom 
of expression and privacy. It could have some unintended 
security implications. Far better to let industry develop the 
authentication that is required in certain online 
communications. Other kinds of activity online can proceed 
anonymously, and I think that is the balance that we need to 
maintain.
    The Chairman. Thanks.
    Mr. Richards.
    Mr. Richards. Mr. Chairman, at the Internet Alliance we 
think consumers and citizens want to know that the cyber cop is 
on the cyber beat. We think that effective enforcement of 
current law is absolutely the foundation of what we need today.
    The number of law enforcement officials who need to be 
trained just in the basics of computer forensics are in the 
single digits, and worldwide it is much worse. So we believe 
that training, and especially training at the local level, to 
be frank--the call to 911 should not be met with an 
unresponsive ear or a blank stare. So this is building for the 
future for problems we know we will always have, and it begins 
with the foundations. But we believe that current law is the 
correct starting place.
    The Chairman. Mr. Heiman.
    Mr. Heiman. I would echo that. I would say that I think you 
are hearing agreement here that the sections of your bill which 
provide funding to beef up the technological capabilities at 
the FBI, to provide grants to States and locals, to authorize 
funding for the FBI's NIPC, the National Infrastructure 
Protection Center, are all a good idea. We really need to do 
more under the existing laws and authorities and train people 
how to do that than we do in terms of expanding those 
authorities right now.
    The Chairman. All right. What would you say is the 
appropriate role for industry in assuring the security and 
privacy of Internet users? Should industry take the lead?
    Mr. Richards.
    Mr. Richards. Mr. Chairman, I think that industry should 
take the lead, and I think those innovations are already well 
underway and we are beginning to see them at Internet speed; 
for example, authentication, easy-to-use means of securing our 
identity. I might add that, again, going back to current 
enforcement, we should turn our attention to identity theft, 
which is not entirely an online issue. In fact, it blends 
online and offline. These are some of the immediate issues.
    But to sum up, we have, I believe, the technologies and the 
ability to reach users effectively. We are working very hard to 
do that. If we don't, we ourselves will fail.
    Mr. Pethia. One of the things I think would help industry 
take its leadership role is additional information from the 
Government, from the NIPC and others in the FBI, about the 
kinds of threats that are really there. Industry currently is 
not moving, I think, quite as quickly as it could, and I think 
part of the reason is they are not yet convinced that there is 
a real problem, that there are real criminals, that there is a 
real smoking gun.
    So one of the things that I would encourage in enabling 
industry to take its leadership role is more information from 
the Government about the kinds of damages that are being done, 
the kinds of cases that are being investigated, to the extent 
that that is possible, and the kinds of threats that are there 
at the local, the State, and the national level.
    Mr. Heiman. I would agree with part of that. I certainly 
think great information from the Government about the threats 
would really help address this problem. I would say that 
industry does take the need to improve information security 
extremely seriously, but it is a tricky problem. I can sort of 
give you a physical analogy.
    We could probably save 20,000 lives a year in the United 
States by halving our speed limits on the roads, but we don't, 
and the reason we don't is because the fabric of our lives are 
such that we need to get from point A to point B in a certain 
amount of time and we have built up our physical infrastructure 
in that way.
    Well, so too, we depend on the Internet and Internet 
traffic, and we are not going to stop that traffic. Instead, we 
are going to do the equivalent of what we do in the physical 
world. We are going to build safer cars, we are going to 
improve road conditions, we are going to improve signaling. And 
so we are going to continue to improve security products, but 
there is a balance there because you need to maintain the 
dynamic growth, the vitality, the productivity, and the 
efficiency of the Internet that is really underlying, for 
example, much of the economic growth in the 1990's.
    The Chairman. Thank you.
    Senator Feinstein.

  STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE 
                      STATE OF CALIFORNIA

    Senator Feinstein. Thanks, Mr. Chairman. I would like to 
make a couple of comments, if I might, because I hear a real 
disconnect in what we are being told by these gentlemen and my 
experience, and I know some of these individuals and I respect 
them.
    The industry is saying, yes, we need law enforcement; yes, 
we want privacy; yes, we want all these things, but don't do 
anything to get us there; we will take care of it. Well, I have 
been waiting for industry to take care of it for the 8 years 
since I have been in the Senate and it has not. And, frankly, I 
was very amazed by the latest report of the FTC because up to 
1998, the FTC had been a supporter of that philosophy. And then 
when they did a survey and they took a look at websites--they 
looked at 335 commercial web sites, including 91 of the 100 
most heavily trafficked websites--what they found is that the 
number of websites that meet basic standards of privacy 
protection is far too low.
    The FTC said that only 20 percent of the websites of the 
busiest commercial companies had implemented 4 major 
information principles: one, notice; two, choice; three, 
access; and, four, security. Only 20 percent. Moreover, only 8 
percent display a privacy seal, a linchpin of any self-
regulatory effort. And only 41 percent of the randomly surveyed 
websites collecting personal information provided consumers 
information about the site's notice and choice policies.
    The Social Security Administration tells us that they have 
had 30,000 complaints dealing with identity theft involving 
Social Security numbers, which can be purchased for $49 on 
commercial Web sites. Personal financial information about an 
individual that people in this room wouldn't even suspect is 
available for purchase. Personal health information can also be 
purchased. And the consumer has no right to know that that is 
happening.
    Mr. Richards, you spoke about your Social Security number 
being stolen. A staffer came in my office and punched up my 
Social Security number on a computer; it is up there for sale 
for anyone that wants to go out and strip my identity. This 
kind of theft and fraud is on a dramatic increase.
    I feel very strongly, Mr. Chairman, that if we are going to 
move a bill, whatever bill that is, it has to deal with the 
consumer aspects of privacy. Social Security numbers should not 
be sold. Now, when you sit down with companies and argue 
whether it is opt in or opt out, meaning whether a company has 
the responsibility before they sell a card to notice 
individuals and ask their permission, the company doesn't want 
to do this. So they say it is up to the individual to be on 
guard. Well, I say to them this is my identification number; 
this is a widely used Federal number. You can't strip me of my 
number without even telling me you are doing that.
    The longer I am around, the longer I watch this dance, and 
the longer we go around in circles, the more I am concerned by 
what is happening. Hacking and viruses are one thing, but the 
public has a basic right to know. The Democratic Caucus a 
couple of weeks ago had a wonderfully informative lunch--the 
CEO of eBay came to us, and I marveled at her. She was quite 
wonderful because she has such high ethical standards. eBay 
will not allow the information of anyone trading on eBay to be 
sold or used in any other way. But that is a rare instance.
    Most of the time, all of this material is up for sale. So 
the sophisticated person can actually use it, buy it, develop 
full profiles about people that they want to go out and 
defraud, steal their identity, use their credit cards, pretend 
they are them. And you even have complaints to the Social 
Security Administration going from 11,000 complaints in 1998 to 
30,000 complaints in 1999. That number is going to double again 
and again and again.
    So what I heard all you gentlemen saying is the laws are 
adequate. But this isn't petty larceny with a prior, this isn't 
grand theft, this isn't robbery, this isn't burglary. Our laws 
aren't adequate to deal with this.
    Mr. Dempsey. Senator, could I respond?
    Senator Feinstein. Absolutely.
    Mr. Dempsey. At the Center for Democracy and Technology, we 
have come to the point that you have come to, and we do believe 
that Federal legislation is necessary to address the privacy 
concerns of consumers, for all of the reasons that you state, 
including that recent FTC report, and for a further reason, 
which is there are now 700 bills pending at the State 
legislatures to address consumer privacy online and offline.
    That says to us that it would be chaos to have 50 different 
State rules for privacy online, on a borderless medium. So we 
are going to have to get to the point, and the chairman's bill 
has a provision in it addressing two of the four items that the 
FTC report calls fundamental principles of privacy. The 
chairman's bill addresses notice and choice. It does not 
address the other two that you mentioned, access and security, 
which are very hard issues. All these issues actually are hard, 
but the last two are the hardest.
    If I could just for one second, on the question of choice--
and you mentioned the opt-out versus opt-in debate. This is the 
classic case where this technology and its interactive nature 
can eliminate much of that debate, can eliminate much of that 
concern. It is so easy to present online meaningful choice to 
consumers. Whether you call it opt-in or opt-out, right there 
the consumer can be told this is our policy, this is what we 
want from you, these are your choices, do you agree, don't you 
agree.
    Senator Feinstein. Let me interrupt you. My Social Security 
number is my number. How can somebody sell that number to those 
who may abuse it, or sell it? Why does anyone want to protect 
that?
    Mr. Dempsey. I don't think it should be protected, Senator. 
We used to have a law in this country that said that the Social 
Security number is to be used only for the purposes of 
administering the Social Security system. You give it to your 
employer for purposes of taxes and it goes to the Social 
Security Administration so they can match up who you are and 
what your benefits are. That was the purpose of that number 
when that system was first created.
    Senator Feinstein. That is correct.
    Mr. Dempsey. Over time, we created exception after 
exception after exception. Thirty States now use that number on 
their driver's license. Multiple instances----
    Senator Feinstein. But nobody sells it. Until recently, no 
one has sold it.
    Mr. Dempsey. Well, actually, Senator, Congress actually had 
to pass a bill. The States were selling that information. The 
States were selling the driver's license information. In 1994, 
this committee passed the Driver's Privacy Protection Act to 
begin to try to clamp down on that.
    Last year, this Congress strengthened that Act because then 
the States started selling the pictures off of the--or planning 
to sell the digital pictures off the driver's license. That has 
now been shut down, but it took an effort to basically put that 
cat back in the bag. But now your Social Security number, 
because we have gotten blase about it, is out there on multiple 
different forms. Possibly, some filing you made as a Senator 
included your Social Security number and someone took that off 
of there.
    Senator Feinstein. Well, let me ask you a question. Would 
your Center support legislation that would make it illegal to 
sell a Social Security number without the individual's 
permission?
    Mr. Dempsey. I think that is something that we have to move 
toward, and I am not going to right now say what it is.
    Senator Feinstein. There you go.
    Mr. Dempsey. No. What I am saying is to make it illegal to 
sell the number----
    Senator Feinstein. Wherever you sell it, period, making it 
illegal to sell somebody's number offline or online.
    Mr. Dempsey. I think I want to work with you on that and I 
want to come up with a bill with you.
    Senator Feinstein. It is pretty simple.
    Mr. Dempsey. With all respect, Senator, drafting a criminal 
law on the sale of information is not that easy. If it is 
already out there in the public domain, I think we need to 
think it through.
    Senator Feinstein. OK, all right.
    Mr. Dempsey. I am a hundred percent with you that this is 
an issue. We have lost control over the Social Security number. 
It is terrible the way these numbers are now being sold and 
then used as the basis for identity theft. We need to get 
control over that. What actually that mechanism is I am not 
prepared to write that bill right this second. I will write it 
this afternoon if you want, but not right here.
    Senator Feinstein. Well, I appreciate that because I will 
be introducing such a bill. Senator Grassley and I are working 
together on the issue. Senator Kyl and I are also working on a 
bill on cyber crime, Mr. Chairman. If S. 2448 is the bill you 
intend to move, I hope you would take a look at some of the 
concepts I have mentioned.
    I think if we are going to pass a privacy bill, the 
consumer has to be protected. A privacy bill has to be good for 
people. We have got to achieve some protection for people's 
privacy, their financial data, their health data, Social 
Security numbers, whether drivers' license pictures or 
information should be sold.
    I think too much identity theft is happening, and there is 
now evidence that some of these thefts are actually being used 
to carry out crimes of murder. Now, murder can be currently 
prosecuted. The law provides for that, but everything involved 
in indentity theft can't be prosecuted as clearly as murder.
    I don't want to belabor the point, Mr. Chairman, but if you 
would be so good, as you always are, to take a look at our 
bills and see if they might meet muster, I would appreciate it.
    The Chairman. I will be glad to do it.
    Senator Feinstein. I also have a statement I would like to 
put in the record, Mr. Chairman.
    The Chairman. It will be included in the record.
    [The prepared statement of Senator Feinstein follows:]

             Prepared Statement of Senator Dianne Feinstein

    I am grateful to the Chairman for this hearing because he correctly 
links the security of our nation's electronic infrastructure with 
personal privacy. In both cases, we are trying to stop unlawful and 
inappropriate disruption and invasion. Just as our nation's websites 
are subject to attacks from viruses like the ``I love you'' virus, our 
privacy can also be subject to attack on the Internet.
    Few would contest that the protection of personal privacy is a key 
concern of many Americans as they consider the growth of the Internet.
    That is because, for the first time, the Internet permits a company 
to browse a shopper, while a shopper is browsing in the store. 
Information brokers can compile dossiers on people. These dossiers are 
growing ever larger and more precise. To safeguard the future of the 
Internet, we must safeguard the privacy concerns of people who use it.
    I am encouraged by the Federal Trade Commission's announcement this 
week that privacy legislation is needed. The devil, of course, is in 
the details.
    When considering Internet privacy or privacy in the ``off-line'' 
world, I think, as a basic principle, people should have more control 
over the information they consider personally sensitive.
    As on small step in this direction, I am pleased to announce that I 
am working with Vice President Al Gore, who has a keen personal 
interest in this matter, on an Administration bill that would prohibit 
the sale of Social Security numbers, whether they are sold on the 
Internet or off the Internet.
History of interest in privacy of SSNs
    My reservations about the trafficking in SSNs have deep roots. In 
1997, I introduced S. 600, the Personal Privacy Information Act, after 
watching in dismay as one of my staff downloaded my SSN off the 
Internet in less than a minute.
    Not much has changed. For a mere $49, one can go on-line and 
purchase a person's SSN from a whole host of web businesses--no 
questions asked.
Threat posed by sale of SSNs
    Why is it so important to stop this sale of SSNs? Once a criminal 
has a potential victim's SSN, that person is extremely vulnerable, 
subject to having her whereabouts tracked and her identity stolen. 
Though never intended to be anything more than a tool for the Social 
Security Administration to track personal earnings, the Social Security 
number has become a de facto national identifier. It is the key to 
one's public identity.
    The Federal government uses the SSN as the taxpayer identification 
number, the Medicare number, and as a soldier's serial number. Many 
states use the SSN as the identification number on drivers' licenses, 
fishing licenses, and other official records. Banks use it to establish 
personal identification for credit. The number is requested by 
telephone companies, gas companies, and stock brokerages when consumers 
set-up personal accounts. Supermarkets ask for the number when an 
applicant wishes to get a check-cashing card.
    If you believe that these number are kept confidential by 
government and commercial providers, think again. Without any 
restrictions, third parties can buy SSNs off the Internet. In those 
states where SSNs are on driver's license, if your wallet is stolen, so 
is your SSN. Credit bureaus sell SSNs by the thousands. One's SSN is 
anything but private or confidential.
    Thus, SSNs have the dubious distinction of being easy for criminals 
to obtain and, at the same time, the most common tool used for 
identifying people.
Identity theft
    Partly due to this unrestricted traffic in SSNs, our country is 
facing an explosion in identity theft crimes. The Social Security 
Administration recently reported that it had received more than 30,000 
complaints about the misuse of Social Security numbers last year, most 
of which had to do with identity theft.
    This figure is up from 11,000 complaints in 1998 and just 7,868 in 
1997. In total, Treasury Department officials estimate that identity 
theft causes between $2 and $3 billion in losses each year--just from 
credit cards alone.
    Sometimes, this unrestricted sale of personal information can have 
tragic results. Amy Boyer, a twenty-year old dental assistant in New 
Hampshire, was killed by a man who tracked her down through the online 
personal-data service Docusearch.com
Administration bill's impact
    The legislation I am working on with the Administration will stop 
the unrestricted sale of Social Security numbers. It will prevent 
people like Amy Boyer's killer from logging onto an Internet site and 
purchasing her Social Security number. It will make it harder for 
criminals to use your SSN as a stepping stone to assuming your 
identity.
Future legislation
    In addition to this joint effort with the Clinton Administration, I 
also am working with Senator Grassley on a broader initiative to cut 
down on the misuse of SSNs.
    This expanded proposal will prevent companies from denying service 
to those individuals who refuse to give a company their SSNs. The bill 
will prohibit government agencies from disclosing SSNs on mailing 
labels or other public documents. The legislation also will enhance the 
Social Security Administration's ability to prosecute criminals who 
misuse SSNs by adding civil penalties to existing criminal penalties.

    The Chairman. I appreciated your testimony. I am going to 
submit questions to you.
    [The questions of Senator Hatch can be found in the 
appendix.]
    The Chairman. I am not advocating that Government is or 
should be the solution to the Internet security and privacy 
concerns concerning the Internet. I think the Government should 
do what it can within what I consider its traditional limited 
role to help industry protect the infrastructure and to help 
deter malicious attacks on the Internet and a network that we 
rely on.
    I am skeptical of, and in fact oppose at this point, 
efforts to regulate privacy on the Internet. I have devoted my 
whole career to end unneeded regulations that we have on the 
books that raise the cost of doing business and that distort 
the marketplace and end up limiting choices for consumers.
    I agree with Senator Feinstein that an effective security 
and privacy regime should protect consumers, to the extent the 
consumer expects it. And in doing so, it strives to restore the 
consumer's confidence in the integrity of the Internet. I think 
it should also be flexible enough to allow for variances in 
consumer expectations and marketplace solutions as well.
    To date, the discussions surrounding Internet privacy have 
revolved around two mutually exclusive models as possible 
solutions to this issue. The first, advocated by certain 
consumer rights groups and now by the FTC, would give 
government regulatory bodies the authority to regulate conduct 
on the Internet. And the second, advocated by most members of 
the industry, would entrust the industry to regulate itself 
without any role for the government.
    As I suggested last year, one solution worth considering is 
the possibility of establishing a private sector board with 
limited government oversight to address the security and 
privacy concerns, while taking into consideration the special 
characteristics of the Internet. The board might set some basic 
rules and let the marketplace determine how those rules will be 
complied with. That is at least a thought that I have.
    Frankly, this is a very intriguing area to me, as I am sure 
it is to all of you. And I would like to have your best 
suggestions and advice as to what this final legislation should 
be. We have filed it. We want your comments. We want to change 
things that aren't quite accurate or right. Of course, that is 
the reason for hearings and that is the reason for this whole 
legislative process. But I intend to have a privacy bill 
through by the end of this year, and we would like your help in 
doing so and we would like to do it in a way that would really 
help everybody concerned.
    With that, we will keep the record open until 6:00 today 
for anybody to submit any questions that they would like, and I 
would hope that you would get your answers back as quickly as 
you can because this is important and I am going to move 
forward with this bill. I will, in the process, also take 
Senator Feinstein's advice to look at these other legislative 
measures and see if we can dovetail those with this bill as 
well.
    Thank you. Your testimony has been very important to us, 
and we appreciate your making the effort and taking the time to 
do this. Thanks so much.
    We will include in the record all statements submitted by 
the members of the committee.
    [The prepared statement of Senator Thurmond follows:]

  Prepared Statement of Hon. Strom Thurmond, a U.S. Senator From the 
                        State of South Carolina

    Mr. Chairman: I am pleased that we are holding this hearing today 
regarding the threat of serious criminal misconduct involving the 
Internet.
    A few months ago, hackers essentially shut down some popular and 
important Internet sites temporarily by overwhelming them with data. My 
Subcommittee on Criminal Justice Oversight, in conjunction with the 
House Judiciary Crime Subcommittee, held a hearing on these denial of 
service attacks and discussed the need to tighten our laws regarding 
computer crime. Very recently, serious damage was caused to computers 
around the world by the ``I Love You'' virus, which apparently was 
unleashed in the Philippines. The technology used in these attacks was 
not very complex, which raises the question of what hostile adversaries 
could accomplish through a sophisticated, concerted effort.
    Internet crime is a serious, growing threat. Law enforcement must 
have the tools and resources it needs to address this problem. Also, 
our criminal laws must be updated as needed so that they remain 
technology neutral. Punishment must be as swift and severe in the 
computer world as it is in the real world. There can be no double 
standard regarding crime on the Internet.
    The private sector, which controls 90 percent of the 
infrastructure, should take the lead in protecting computer systems 
from attacks, just as citizens must protect themselves from crimes by 
locking their doors. Also, industry should cooperate with law 
enforcement and share information regarding intrusions with the 
authorities and among themselves. It is critical for industry to view 
the government as a partner in their joint efforts to stop malicious 
hackers and other Internet crime.
    I welcome our witnesses to discuss this important, timely issue.

    [The prepared statement of Senator Grassley follows:]

Prepared Statement of Hon. Charles E. Grassley, a U.S. Senator From the 
                             State of Iowa

    Mr. Chairman, I'd like to raise a serious concern I have about 
NIPC. The General Accounting Office recently did a review of NIPC's 
performance. It looked in particular at the ILOVEYOU virus, and NIPC's 
response to that.
    The White House issued a ``white paper'' on the Presidential 
Decision Directive that governs the NIPC. According to that paper, the 
mission of the NIPC includes ``timely warnings of intentional threats, 
comprehensive analyses and law enforcement investigation and 
response.''
    The GAO review was critical of the NIPC. It noted that NIPC did not 
issue an alert on its Web site until 11 am on May 4. This was hours 
after the rest of the world already knew. My own office was notified 
before 9 am, two hours before NIPC issued its alert. And, it wasn't 
until 10 o'clock at night that advice on how to deal with the virus was 
posted by NIPC.
    Here's what the GAO said about NIPC's performance:
    ``The lack of more effective early warning clearly affected most 
federal agencies. . . . Clearly, more needs to be done to enhance the 
government's ability to collect, analyze and distribute timely 
information that can be used by agencies to protect their critical 
information systems from possible attack. In the ILOVEYOU incident, 
NIPC and FedCIRC, despite their efforts, had only a limited impact on 
agencies being able to mitigate the attack.''
    Now, this program to protect the nation's critical infrastructure 
has a $40 million budget. And the bill before this committee would 
increase and extend that budget for another five years. That's section 
402. And I'm a little concerned about that.
    The program was supposed to be a clearing house for information 
from all sources, and a focal point to coordinate the investigations of 
various federal law enforcement agencies. The private sector 
participation is intended to be voluntary.
    But the private sector has not participated. That's because they 
can't get information or cooperation from the FBI. And many of the 
agencies have pulled out. Most notably Treasury and Commerce. That's 
because all the incoming cases have been taken by the FBI. The PDD 
calls upon them to distribute cases according to expertise. That's not 
being done.
    Getting information out of the NIPC is also pretty tough. GAO 
briefed me last week that NIPC hadn't responded formally to its request 
for information about the ILOVEYOU incident. That was after nearly 
three weeks of asking. Other agencies responded within 24 hours.
    Two months ago at a hearing before this committee, I submitted 
follow-up questions for NIPC. I have yet to hear back.
    And now, some Senators on this committee, myself included, have 
asked for an audit by GAO, and an investigation into whether NIPC is 
fulfilling its charter. This will be a major undertaking by GAO. And I 
think members of the committee will want to see the results. So I would 
urge caution about funding the program without making some much-needed 
changes.
    Most important, I think, in fueling the problems we've encountered 
with this program is how the FBI handles a case. The FBI doesn't share 
information when it's working on a case. And rightfully so. But the 
point of responding to critical incidents like the ILOVEYOU case is to 
share information rapidly. The two methodologies are incompatible. 
That's why the PDD intended the program to operate as a cooperative 
effort. But that's not the way it's being carried out.
    So, I just wanted to take this time, Mr. Chairman, and raise these 
concerns. I have no questions of Mr. Vatis at this time. But I do look 
forward to getting answers to my questions from March. And I hope that 
happens very soon.

    [The prepared statement of Senator Kyl follows:]

 Prepared Statement of Hon. Jon Kyl, a U.S. Senator From the State of 
                                Arizona

    As we all know, the Information Age continues to change the way we 
live. Millions of American's log on to the Internet every day to shop, 
to communicate with friends, to buy and sell stocks, and so on. 
Computer networks and the Internet also form the backbone of critical 
services Americans depend on every day, like the electricity grid, 
telecommunications, air-traffic control, and military early warning 
systems.
    Several events in recent weeks have highlighted the fact that the 
benefits of the Information Age have been accompanied by new 
challenges. The denial of service attacks earlier this year on popular 
e-commerce web sites and the recent spread of the ``I Love You'' virus 
have awakened most Americans to the need for improved cyber security--
something that many experts have been warning about for some time.
    Over the past three years, I've chaired seven hearings on cyber 
security issues in my Subcommittee. It's clear to me that there are 
responsible things we can and should do in the Congress to improve 
cyber security. In many cases, this merely entails updating our laws to 
reflect the current state of technology development.
    For example, Senator Schumer and I have introduced a bill to 
improve the ability of law enforcement agencies to investigate cyber 
crimes. The key provision of this bill would remove the requirement for 
law enforcement to obtain a court order in every jurisdiction in order 
to trace hacking attacks that, in many cases, are purposefully routed 
through several Internet service providers in different states to make 
it difficult to trace. In dealing with the Internet, which knows no 
boundaries, the requirement for a separate court order in every 
jurisdiction simply no longer makes sense. One court order authorizing 
nationwide trap and trace authority will improve investigation of 
computer crimes while maintaining the ability of our judicial system to 
protect the civil liberties of Americans.
    Mr. Chairman, I look forward to continuing to work with you and the 
other Members of the Committee to address these important issues and I 
thank you for the opportunity to make this brief opening statement.

    The Chairman. With that, we will recess until further 
notice.
    [Whereupon, at 12:22 p.m., the committee was adjourned.]
                            A P P E N D I X

                              ----------                              


                         Questions and Answers

                                ------                                


       Responses of Bruce Herman to Questions From Senator Hatch

Industry role
    Question 1. What is the appropriate role of industry in assuring 
the security and privacy of Internet users? Should they take the lead?
    Answer 1. Yes, industry should continue to lead the effort to make 
the Internet more secure Industry-led, market-driven solutions to 
Critical Information Infrastructure Protection have the best prospects 
of success. Moreover, a voluntary cooperative partnership between 
industry and government is the only approach that can work.
    Specifically, the private sector can do three things. First, 
industry can constantly improve protection of its product lines and 
networks. Private companies are in the best position to know how to 
protect infrastructures they have developed, owned and operated. But it 
is important to understand that there is no one single ``silver 
bullet'' for the problem of information security--rather, it is a 
process of continual improvement.
    Second, the private sector must continue to educate the public on 
the need to practice good ``security hygiene'' and to educate others to 
do so. The private sector needs to continue to spread the message that, 
just as you wouldn't let anybody into your house, so you shouldn't let 
just anybody into your computer.
    Third, industry does need to share information among itself and 
with the government about threats and vulnerabilities as well as best 
practices. In this regard, ACP has met with representatives of the 
National Security Council staff, the FBI's National Infrastructure 
Protection Office (NIPC), and the Dept. of Commerce's Critical 
Infrastructure Assurance Office (CIAO), and ACP has been encouraged to 
continue the dialogue.

    Question 2. To what extent is it necessary for industry to involve 
law enforcement in taking steps to ensure the security and integrity of 
the Internet? Could the use of encryption devices, for example, in fact 
frustrate the ability of law enforcement to provide assistance when 
such assistance is requested by industry or required under law?
    Answer 2. Industry should involve law enforcement to help prevent, 
investigate, and prosecute computer crime that threatens the security 
of the Internet. Toward this end, industry should share information 
with law enforcement about threats and vulnerabilities. ACP also 
supports giving law enforcement the requisite resources and training to 
investigate and prosecute cyber crime.
    But, of course, it is up to the private sector in the first 
instance to protect itself by adopting good security measures. 
Encryption is an essential component of information security. That is 
why ACP was pleased by the widespread Congressional support for 
liberalizing export controls on American encryption products that 
helped lead to the Administration's new regulations in January. The 
widespread use of encryption helps prevent crime, as well as protect 
national security and promote the privacy of Americans at work and at 
home.
Government regulation
    Question 1. A primary criticism of government regulation of privacy 
on the Internet is that it would stymie technologic innovation of this 
industry. Do you agree with this criticism? If you do agree, please 
describe how this might occur.
    Answer 1. Yes. ACP strongly opposes government efforts to mandate 
the use of particular technologies or to insist on certain design 
standards in order to allegedly protect our nation's critical 
information infrastructure. It is the private sector that owns and 
operates the networks, systems, products and services that constitute 
the information infrastructure and it is the private sector that has 
the experience and expertise to protect it. New laws or regulations 
would stifle innovation, artificially channel R&D, and harm the very 
infrastructure that needs protection.
    ACP also strongly believes government must not violate personal and 
corporate privacy in the quest for Critical Information Infrastructure 
Protection. Indeed, as more of our lives are conducted electronically, 
it is essential that we ensure the security and privacy of information, 
communications and transactions from unjustified and unwarranted 
government examination. The government must not increase widespread 
surveillance or monitoring of Americans at home and work.

    Question 2. In addition, it is your opinion that any government 
action would hurt technologic innovation? What actions can the 
government take to both encourage technoligic innovation and address 
the issue of consumer privacy on the Internet?
    Answer 2. See answers to other questions.
Use of consumer information
    Question 1. Given what an important resource the Internet is for 
companies to target potential consumer groups, are there ways a 
consumer's personal information could be made available to third 
parties for business purposes while still maintaining a consumer's 
anonymity and privacy?
    Can the government take any actions that might help industry do 
this? If so, what?
    Answer 1. ACP focuses on the interaction of the private sector with 
the government. ACP led the private sector to liberalize export 
controls on American encryption products and is now focused on the 
right way to protect America's critical information infrastructure. ACP 
has not addressed the topic raised by this question.
Privacy concerns
    Question 1. National polls indicate that personal privacy is an 
increasing concern amongst consumers as the Internet is being used more 
and more each day to conduct personal business such as purchasing 
consumer goods, banking, and trading.
    In your view, are such privacy concerns justified?
    Will commerce on the Internet reach its full potential if such 
concerns are not adequately addressed?
    Answer 1. ACP has focused on privacy rights of Americans vis a vis 
their government. We are concerned about the potential for governmental 
abuse of the increasing amount of electronic personal information. Thus 
ACP supports giving law enforcement the requisite resources and 
training to investigate and prosecute cyber crime. But we oppose the 
initiation or increase of widespread government monitoring or 
surveillance of Americans by the government. Just because we know that 
some will commit cyber crime, it would be wrong to watch closely what 
everyone is doing.
    ACP as an organization does not have a position on commercial 
privacy issues. They are not within the organization's mission (see 
attached mission statement). However, we recognize that these issues 
are complex and controversial--and are concerned about a single bill 
that addresses both commercial privacy and cyber security/
infrastructure protection (as does S. 2448). Moreover, we know that 
many members of ACP individually and through other organizations have 
implemented privacy policies and are adopting privacy enhancing 
technologies and have concerns about the commercial privacy provisions 
of S. 2448.
Privacy protections--individuals vs. business
    Question 1. In the analog world there are different expectations of 
privacy in different concerns. For example, there is a substantial 
difference in privacy expectations between the shopkeeper and the 
shopper. Certainly a consumer would expect to be able to shop for a 
computer without surrendering significant personal information. But one 
does expect to have access to sufficient information about the seller 
to verify that it is a reputable dealer. Such information may be even 
more important in the virtual world where certain unscrupulous 
shopkeepers can hide behind technologically-rich facades that give then 
an aura of credibility.
    Does this not suggest we protect privacy of online shoppers and web 
surfers, and require disclosure from web site proprietors, especially 
those engaged in e-commerce, or at least that we should treat 
differently the privacy claims of people surfing the net and those 
holding themselves out on the net by opening web sites?
    Answer 1. ACP as an organization does not have a position on 
commercial privacy issues. They are not within the organization's 
mission (see attached mission statement).
                               __________

       Responses of Bruce Heiman to Questions From Senator Leahy

    Question 1. Do you support or endorse S. 2448? Are you aware of any 
companies or organizations that support or endorse S. 2448?
    Answer 1. ACP does not support S. 2448 as introduced. We are not 
aware of any companies organizations that endorse the bill.

    Question 2. Please comment on your views of S. 2448 and explain any 
specific concerns you may have about this legislation.
    Answer 2. As a first principle, ACP does not believe Congress 
should rush to pass legislation in the area of critical infrastructure 
protection. Indeed, we believe premature legislation could prove 
counter-productive. We outlined our specific concerns about S. 2448 in 
a letter to Chairman Hatch (see attached). Essentially, ACP supports 
giving law enforcement the requisite resources and training to 
investigate and prosecute cyber crime. We believe this can be 
accomplished through the appropriations process. We do not believe 
there is a need for new authorizing legislation, particularly a bill 
that would give broad new authorities to the government or expand 
existing authority (such as trap and trace) to new areas (such as the 
Internet) without much more detailed examination of all the potential 
ramifications.

    Question 3. In my opening statement, I gave the example of the 
college student who without authorization accesses his professor's 
computer to see what grade he is going to get and accidentally deletes 
a file or a message. That conduct may be cause for discipline at the 
college but would not be a federal crime under current law, unless the 
conduct caused over $5,000 in damage. (A) Do you think that sort of 
unethical conduct warrants federal law enforcement attention and should 
be a federal crime?
    Answer 3A. Cyber crime is a serious problem--whether hacking, 
unleashing a virus, or pirating copyrighted material. I cannot be 
treated casually. At the same time, prosecutors are already stretched 
thin. The question is one of balance. Without commenting on the $5,000 
threshold, this particular conduct does not seem worthy of federal law 
enforcement attention. It involves neither conduct that is interstate 
in nature nor any other serious federal interest.

    Question 3B. Under S. 2448, this unauthorized access to the 
professor's computer would constitute a felony violation of 
1030(a)(5)(B), punishable by up to 3 years' imprisonment, with a 
mandatory minimum of at least 6 months in jail, or a misdemeanor 
violation of 1030(a)(5)(C). Rather than trust federal prosecutors to 
exercise their discretion to decline such a case, would it be 
preferable for Congress to define clearly what should and should not be 
a federal crime?
    Answer 3B. ACP does not have a position on this issue.

    Question 4. Some have suggested that some change to the Freedom of 
Information Act (FOIA) would be useful to encourage private sector 
cooperation with the government in protecting critical infrastructures. 
I have long supported the FOIA as a critical tool for all Americans to 
find out what their government is doing. This is healthy and necessary 
for our democracy. Consequently. I am concerned about proposals that 
allow agencies to keep ``secret'' broad categories of records in their 
possession that may be related to the ``critical infrastructure'' and 
to block FOIA requests, with no other justification and no judicial 
review. This would certainly reduce the FOIA workload of Federal 
agencies, but labeling information as related to ``critical 
infrastructure'' as a means of exempting entire categories of 
information from the FOIA would, in my view, undercut and pose a threat 
to the effectiveness of the FOIA.
    Answer 4. There is an on-going, serious discussion within industry 
itself and between industry and government about the possible need for 
legislation to facilitate the sharing of information among the private 
sector and between the private sector and government. Such legislation 
could provide enhanced protection of shared information by removing 
disincentives for this dialogue. An FOIA exemption is only one such 
measure. The possible application of the antitrust laws is another. 
Finally, there is the disincentive resulting from the apparent ability 
of third-parties to use disclosed information against those who provide 
it. ACP is carefully reviewing legislation introduced in the House by 
Reps. Davis and Moran.
    Question 4A. Would you agree with me that any change to the FOIA 
must avoid undercutting the usefulness of the FOIA and ensure the 
effectiveness of judicial review?
    Answer 4A. No response.
    Question 4B. What suggestions, if any, do you have for refining the 
FOIA in ways that would narrowly address the legitimate concerns of the 
private sector about sharing information to protect our critical 
infrastructures while at the same time maintaining the presumption in 
FOIA that federal agency records are subject to the disclosure and that 
agency action is subject to judicial review?
    Answer 4B. No response.
                               __________

      Responses of Richard Pethia to Questions From Senator Hatch

    Question 1. What is the appropriate role of industry in assuring 
the security and privacy of Internet users? Should they take the lead?
    Answer 1. Technology vendors and Internet service providers of all 
forms have a responsibility to insure that the products and services 
they produce and offer in the Internet community are fit for use in 
that environment. That means they have a responsibility to fully 
understand the risk and threats in that environment and to take steps 
to insure their products and services effectively mitigate those risks 
when used appropriately by their customers. To date, it is not clear to 
me that the industry is taking its responsibility seriously. Security 
incidents are increasing, the damage from those incidents is 
increasing, and the vunlerabilities discovered in internet technology 
products are also on the increase. In this area, I believe the 
appropriate step for government to take is to insure it takes no steps 
to limit the liability of Internet product and service providers with 
respect to damages caused by their offering of products and services 
that are not fit for use in the Internet environment. Allowing the 
marketplace and the civil courts to freely handle the issues of fitness 
for use, damage and liability is the best way to send a strong message 
to industry that they will be held accountable for the consequences of 
reasonable use of their products.

    Question 2. To what extent is it necessary for industry to involve 
law enforcement in taking steps to ensure the security and integrity of 
the Internet? Could the use of encryption devices, for example, in fact 
frustrate the ability of law enforcement to provide assistance when 
such assistance is requested by industry or required by law?
    Answer 2. As the Internet grows and becomes increasingly accessible 
to the entire global community, we are sure to see many of the criminal 
problems we see in other aspects of our lives. In fact, because the 
Internet is such a powerful tool, we are likely to see new forms of 
crime where criminals take advantage of the power of the net to achieve 
their purposes. Just as industry does not have the ability to deal with 
all forms of crime today, it will not have the ability to do so on the 
Internet. Law enforcement will play a necessary and important role. At 
the same time, it is important to understand that the Internet is 
changing the rules of the game in many aspects of our societies. It 
will change the rules in law enforcement as well. Using your example of 
encryption, it has historically been the case that only governments 
have had access of strong encryption. The Internet, along with the 
global spread of technical capability, has changed this. Today, strong 
encryption products are available from a variety of global sources. The 
Internet assures that these products are accessible globally and 
inexpensively. In this case, and I'm sure we will see others as well, 
the technology genie is out of the bottle and will not go back in. Law 
enforcement, along with the rests of us, will need to recognize that 
the Internet (as an example of all new forms of information technology) 
will obsolete old ways of doing business (whatever that business is) 
and push us to find new ways to meet our responsibilities.

    Question 3. A primary criticism of government regulation of privacy 
on the Internet is that it would stymie technologic innovation of this 
industry. Do you agree with this criticism? If you do agree, please 
describe how this might occur. In addition, is it your opinion that any 
government action would hurt technologic innovation? What actions can 
the government take to both encourage technologic innovation and 
address the issue of consumer privacy on the Internet.
    Answer 3. I agree that there is some risk the government regulation 
of privacy on the Internet could stymie innovation, but believe that 
risk is limited if the government regulations focus on outcomes rather 
than specific technical mechanisms. For example, many organizations, 
both inside and outside the Internet community, collect information 
about their customers and about their customer's use of their products. 
The issue of privacy focuses on how they protect, use, and further 
disseminate that information. Government regulations could require 
organizations to control access to the information, disclose how it is 
to be used, and further disseminate it only in an aggregated form where 
it is no longer possible attribute data elements to individuals. This 
type of regulation is silent on the technology, but still brings 
protection for individual's privacy. It is then up to industry to 
become even more innovative and develop cost effective ways to support 
the regulations. In general, I believe regulations focused on 
technology will stymie innovation. Regulations focused on outcomes 
should not have that effect.

    Question 4. Given what an important resource the Internet is for 
companies to target potential consumer groups, are there ways a 
consumer's personal information could be made available to third 
parties for business purposes while still maintaining a consumer's 
anonymity and privacy? Can government take any actions that might help 
industry do this? If so, what?
    Answer 4. I have no good ideas on this one. It seems to me that 
information about individuals can either be distributed (and their 
privacy affected) or not.

    Question 5. National polls indicate that privacy is an increasing 
concern among consumers as the Internet is being used more and more 
each day to conduct personal business such as purchasing consumer 
goods, banking, and trading. In your view are such privacy concerns 
justified? Will commerce on the Internet reach its full potential if 
such concerns are not adequately addressed?
    Answer 5. In my view, the concerns are justified, but the focus on 
the Internet is off-base. I believe that what we are seeing in an 
entire new industry focus on collecting and disseminating information 
about individuals. For example, my supermarket offers a card that I can 
use for discounts when I use it at the check-out line. What this card 
does is remove my anonymity with respect to the purchases I make. It 
allows my supermarket (and anyone they give/sell the information to) to 
develop a profile of my purchasing patterns and my individual product 
preferences. On the positive side, they can use this information to 
better inform me of products that have the characteristics I prefer. On 
the negative side, they can use this information to describe products 
to me in a way that makes it appear they have the characteristics I 
prefer even if they do not really have these characteristics. At the 
base, this is not an Internet issue. It is an issue of collecting and 
disseminating information about individuals. If there are to be any 
regulations, they should focus on this, and issues such as truth in 
advertising, rather than the more narrow focus on the Internet. In 
these cases, the Internet simply facilitates good and bad practice. 
There is nothing inherent in the Internet that favors either one.

    Question 6. In the analog world there are different expectations of 
privacy in different contexts. For example, there is a substantial 
difference in privacy expectations between the shopkeeper and the 
shopper. Certainly a consumer would expect to be able to shop for a 
computer without surrendering personal information. But one does expect 
to have access to sufficient information about the seller to verify 
that it is a reputable dealer. Such information may be even more 
important in the virtual world where certain unscrupulous shopkeepers 
can hide behind technologically-rich facades that give them an aura of 
credibility. Does this not suggest we protect the privacy of on-line 
shoppers and web surfers, and require disclosure from web site 
proprietors, especially those engaged in e-commerce; or at least that 
we should treat differently the privacy claims of people surfing the 
net and those holding themselves out on the net by opening web sites.
    Answer 6. The problems we face in the virtual world are basically 
the same as those we face in the analog world with the exception that 
state and national boundaries no longer have meaning. In the analog 
world, we all face the problem of unscrupulous merchants (e.g. home 
improvement charlatans, financial scams of one form or another, rip-off 
at the auto shop, etc). We face the same problems in cyber-space 
compounded by the lack on national boundaries and the fact (as you 
suggest) that it takes very little capital to establish what looks like 
a credible store-front. In these cases, ``buyer beware'' becomes even 
more important. Here I think the best thing the government can do is 
develop awareness campaigns that inform consumers of the risks in the 
virtual world. It can also foster the development of things such as 
``better business bureaus of cyberspace'' and ``cyberspace consumer 
reports'' to help consumers separate the credible from the corrupt. 
This ongoing ``registry'' of information on the quality of Internet 
product and service providers will be a massive on-going effort that 
requires industry participation and support. I think this, rather than 
requiring disclosure (which itself could be false and how are you ever 
going to police it all internationally) from web site operators, is 
more likely to give consumers the information they need and build 
consumer confidence.
                               __________

     Responses of Jeff B. Richards to Questions From Senator Leahy

    Question 1. Do you support or endorse S. 2448? Are you aware of any 
companies or organizations that support or endorse S. 2448?
    Answer 1. As we have stated in prior comments to the Committee, we 
do not support or endorse passage of this legislation at this time. In 
particular, with respect to privacy legislation, we believe that the 
combination of voluntary, industry-led privacy programs coupled with 
emerging technology, will deliver more flexible, more meaningful, and 
ultimately more satisfying privacy protection to the public than the 
application of one-size-fits-all legislative approaches. We cannot 
speak for other associations or companies.

    Question 2. Please comment on your views of S. 2448 and explain any 
specific concerns you may have about this legislation.
    Answer 2. These views and concerns were expressed in our testimony 
before the Committee on S. 2448, and in our letter to the Committee of 
June 23, 2000. We refer you to these documents.

    Question 3. In my opening statement, I gave the example of the 
college student who without authorization accesses his professor's 
computer to see what grade he is going to get and accidentally deletes 
a file or message. That conduct may be cause for discipline at the 
college but would not be a federal crime under current law, unless the 
conduct caused over $5000 in damage. a. Do you think that sort of 
unethical conduct warrants federal law enforcement attention and should 
be a federal crime?
    Answer 3a. As stated in our letter and testimony, we feel the 
current $5000 damage requirement, if augmented by the law enforcement's 
ability to aggregate damages to multiple computers or networks, would 
serve the public interest better than elimination of the $5000 
requirement.
    Question 3b. Under S. 2448, this unauthorized access to the 
professor's computer would constitute a felony violation of 
1030(a)(5)(B), punishable by up to 3 years' imprisonment, with a 
mandatory minimum of at least 6 months in jail, or a misdemeanor 
violation of 1030 (a)(5)(C). Rather than trust federal prosecutors to 
exercise their discretion to decline such a case, would it be 
preferable for Congress to define clearly what should and should not be 
a federal crime?
    Answer 3b. Yes, generally we feel it preferable for Congress to 
define clearly what should and should not be a federal crime. For 
further insight on our section 1030 comments, see our letter of June 
23.

    Question 4. Some have suggested that some change to the Freedom of 
Information Act (FOIA) would be useful to encourage private sector 
cooperation with the government in protecting critical infrastructures. 
I have long supported the FOIA as a critical tool for all Americans to 
find out what their government is doing. This is healthy and necessary 
for our democracy. Consequently, I am concerned about proposals that 
allow agencies to keep ``secret'' broad categories of records in their 
possession that may be related to the ``critical infrastructure'' and 
to block FOIA requests, with no other justification and no judicial 
review. This would certainly reduce the FOIA workload of Federal 
agencies, but labeling information as related to ``critical 
infrastructure'' as a means of exempting entire categories of 
information from the FOIA would, in my view, undercut and pose a threat 
to the effectiveness of the FOIA. a. Would you agree with me that any 
change to the FOIA must avoid undercutting the usefulness of the FOIA 
and ensure the effectiveness of judicial review?
    Answer 4a. To date we have not taken a position on any specific 
proposal to amend FOIA. We are aware that the Partnership on Critical 
Infrastructure and the Digital Private Sector Working Group, among 
others, are studying this question and will be reporting 
recommendations. We urge Congress to defer any legislation along these 
lines until the reports of these groups are available.
    Question 4b.What suggestions, if any, do you have for refining the 
FOIA in ways that would narrowly address the legitimate concerns of the 
private sector about sharing information to protect our critical 
infrastructures while at the same time maintaining the presumption in 
FOIA that federal agency records are subject to the disclosure and that 
agency action is subject to judicial review?
    Answer 4b. As noted in the answer to the preceding question, we are 
not prepared to respond at this time.
  questions relating to industry's role in promoting internet security
    Question 1. What is the appropriate role of industry in assuring 
the security and privacy of Internet users? Should they take the lead?
    Answer 1. We believe the role of industry must be one of 
partnership with users and the government. As in most other areas of 
commerce, users need to protect themselves to the extent knowledge and 
tools are available to them. At the same time, industry's part of the 
equation is also crucial--Internet businesses and sites must provide 
secure storage mechanisms for user data, and should affirmatively 
disclose their privacy practices and policies, whether in the 
commercial or non-commercial sectors. Industry has also been active in 
creating and bringing to market new technological privacy solutions.
    With respect to data security, we believe the market should take 
the lead in setting standards that provide strong protection from 
unauthorized use, through an industry-led process that maintains the 
flexibility and speed to respond to new market conditions and security 
threats. Government's role should be to encourage such marketplace 
developments, while making sure the criminal laws are vigorously 
enforced.
    With respect to privacy, we believe industry should take the lead 
vis-a-vis government. The history of business' response to the privacy 
issue is a remarkably good one, and the mechanisms currently in place 
are much more adaptable, flexible, and economical than any federal 
regulatory scheme would be.

    Question 2. To what extent is it necessary for industry to involve 
law enforcement in taking steps to ensure the security and integrity of 
the Internet? Could the use of encryption devices, for example, in fact 
frustrate the ability of law enforcement to provide assistance when 
such assistance is requested by industry or required by law?
    Answer 2. As noted in the answer to the preceding question, we 
believe government enforcement of current laws is essential to the 
security and integrity of the Internet. Its performance in responding 
to recent hacking and distributed-denial-of-service attacks has been 
admirable. However, we caution the Committee in considering any 
restriction on the use of encryption. While e-businesses would welcome 
a world in which no cybercriminal could hide his trail through 
encryption, we would reject a world in which there could be no real 
anonymity online, a world in which the initiator of a signal, or author 
of a message, could be revealed to the government at the push of a 
button regardless of the circumstances. In short, we as a society must 
be prepared to strike careful balances in our dual aims to protect the 
privacy of law abiding users and to enforce the law effectively.
  questions on whether government regulation would stymie technologic 
                               innovation
    Question 1. A primary criticism of government regulation of privacy 
on the Internet is that it would stymie technologic innovation of this 
industry. Do you agree with this criticism? If you do agree, please 
describe how this might occur.
    Answer 1. Clearly any regulation of business practices changes the 
future development of the affected economic sector. The impact is most 
significant, and unpredictable, where, as with the Internet, a true 
paradigm shift is underway that is changing the way individuals 
interact with each other and with every kind of institution in our 
society. In such an environment, it is impossible to prevent even well-
meaning government regulation from generating unintended consequences, 
and many of them may be unproductive or harmful.
    Turning specifically to privacy, we believe government's role to 
date--publicly and privately encouraging and facilitating voluntary, 
industry-led, privacy programs--has been helpful. Perhaps more 
importantly, privacy has spurred industry innovation to the public's 
benefit: business models and technological systems (eg., P3P, the 
Platform for Privacy Preferences, which will allow privacy preferences 
to be built into users' browsers) have been crafted to offer the public 
and businesses different ways of ordering their relationships. These 
may well be undercut by ill-considered legislation, with the result 
that the public will have fewer choices rather than more.
    Looking backward can illustrate the hazard even of general 
regulation: can we say with any confidence that the P3P initiative 
would have reached its current level of development if online privacy 
had been forced into a simple on-off model five years ago? How then can 
we have confidence that similar steps today will not undercut the 
beneficial advances of tomorrow? Though the analogy is not perfect, if 
everyone is required to wear a gray tunic, tailors go out of business, 
along with designers, retailers, clothmakers and dyemakers.

    Question 2. In addition, is it your opinion that any government 
action would hurt technologic innovation? What actions can the 
government take to both encourage technologic innovation and address 
the issue of consumer privacy on the Internet?
    Answer 2. In general, government facilitates innovation by 
providing a stable legal and physical infrastructure, educational 
opportunity, general conditions for prosperity, etc., while leaving 
unfettered the imagination and drives of individuals and companies. 
This implies a balance--some restriction on individual action is 
necessary to an orderly society. As history tells us, the degree of any 
regulation obviously must be carefully crafted according to the 
particular area of activity and the interests affected. In the area of 
online privacy, we reiterate our position that industry should take the 
lead, and that any governmental approach must intrude as little as 
possible into a largely successful industry response.
     questions on whether consumer information can be used without 
                   compromising anonymity and privacy
    Question 1a. Given what an important resource the Internet is for 
companies to target potential consumer groups, are there ways a 
consumer's personal information could be made available to third 
parties for business purposes while still maintaining a consumer's 
anonymity and privacy?
    Answer 1a. Yes. Though this field is new, a few approaches have 
already been developed. An example is the use of agent-intermediaries: 
businesses in possession of personally identifiable information can 
agree to route targeted marketing to individual email addresses based 
on criteria specified by the marketer without revealing the addresses 
to the marketer. Similarly, consumers can contract with third party 
agents for a new online identity through which they can share 
demographic and other data with marketers while at the same time 
maintaining the privacy of their email address or other key 
identifiers. In the same way, it is becoming possible for consumers to 
make purchases and transfer funds through an intermediary, without 
revealing their identity to the seller.
    Question 1b. Can the government take any actions that might help 
industry do this? If so, what?
    Answer 1b. We will be glad to give this some thought. In general we 
have not been able to adequately address it in the context of the 
abbreviated time for answering these questions.
          questions on whether privacy concerns are justified
    Question 1. National polls indicate that personal privacy is an 
increasing concern amongst consumers as the Internet is being used more 
and more each day to conduct personal business such as purchasing 
consumer goods, banking, and trading.
    a. In your view are such privacy concerns justified?
    Answer 1a. Certainly both the increasing use of the Internet for 
sensitive transactions, as well as the growing knowledge and 
sophistication of Internet users, is causing more and more of us to pay 
attention to privacy issues. This is a positive development, since it 
inevitably leads to more prudent behavior.
    Industry recognizes online privacy as a key issue and voluntarily 
is taking unprecedented and ongoing steps to improve privacy policies 
and practices online. In terms of justification, however, we do feel 
there has been something of an overreaction. There is no evidence that 
consumers in their daily online transactions are being routinely 
victimized by sharing personal information. Indeed, the data indicates 
consumers should feel more concerned about punching their calling card 
numbers into a pay phone in an airport, or giving their credit card 
numbers to a restaurant waiter, or engaging in other offline 
transactions with which we have come to feel comfortable as a society.
    Question 1b. Will commerce on the Internet reach its full potential 
if such concerns are not adequately addressed?
    Answer 1b. No, we concur with Committee members and many thoughtful 
observers that consumers must feel confident about the security of 
their personal data online, and about the collection and use of 
personally identifiable information, if the public trust and confidence 
is to be built which will maximize the Internet's potential benefits to 
society. The choice, of course, is among various approaches to building 
that trust and confidence while preserving the unique, and in many 
cases, as yet undetermined, benefits the new medium can offer.
    questions on whether privacy protections differ between on-line 
                    consumers and on-line businesses
    Question 1. In the analog world there are different expectations of 
privacy in different contexts. For example, there is a substantial 
difference in privacy expectations between the shopkeeper and the 
shopper. Certainly a consumer would expect to be able to shop for a 
computer without surrendering significant personal information. But one 
does expect to have access to sufficient information about the seller 
to verify that it is a reputable dealer. Such information may be even 
more important in the virtual world where certain unscrupulous 
shopkeepers can hide behind technologically-rich facades that give them 
an aura of credibility.
    Does this not suggest we protect the privacy of online shoppers and 
web surfers, and require disclosure from web site proprietors, 
especially those engaged in e-commerce; or at least that we should 
treat differently the privacy claims of people surfing the net and 
those holding themselves out on the net by opening web sites?
    Answer 1. Given the context of the opening paragraph of this 
question, we are uncertain whether it asks about disclosure of 
identity, contact information, or other basic information by web site 
proprietors, or whether it focuses on privacy disclosures. The former 
concerns a set of issues we have not yet joined with the Committee. We 
would be glad to respond if the question could be clarified.
                               __________
                       Center for Democracy and Technology,
                                     Washington, DC, June 27, 2000.
Re May 25, 2000 hearing--responses to written questions.

Hon. Orrin G. Hatch,
Chairman, Senate Judiciary Committee,
Washington, DC.
    Dear Chairman Hatch: We are pleased to submit the following 
responses to follow-up questions stemming from the May 25 hearing on 
Internet security and privacy.

     Responses of James X. Dempsey to Questions From Senator Hatch

  questions relating to industry's role in promoting internet security
    Question 1. What is the appropriate role of industry in assuring 
the security and privacy of Internet users? Should they take the lead?
    Answer 1. Industry should take the lead on security. The problem of 
Internet security is not one primarily within the control of the 
federal government. Particularly, it is not a problem to be solved 
through the criminal justice system. Internet security is primarily a 
matter for the private sector, which has built this amazing system in 
such a short time without government interference. It is clear that the 
private sector is stepping up its security efforts, with an 
effectiveness that the government could never match, given the rapid 
pace of technology change and the decentralized nature of the medium. 
Indeed, government intervention to protect security through standards 
or design mandates would be counterproductive and would undermine, not 
bolster, user confidence.
    In contrast, in terms of ensuring consumer data privacy, the 
Internet requires a multifaceted approach that draws upon the strengths 
of technology, self-regulation, and legislation to deliver to the 
American public the ability to exercise control over their personal 
information. Consistency is critical to consumers, businesses, and the 
character of the Internet. It is impossible to develop a consistent 
standard for privacy without legislation. While self-regulatory 
efforts, auditing, and self-enforcement schemes work for some 
businesses, on its own these will result in an inconsistent framework 
of privacy protection. Bad actors will not self regulate: the clueless 
or new on the scene may not have the resources or where-with-all to 
participate in regulating their own behavior. Law is critical to 
spreading the word and ensuring widespread compliance with fair, 
privacy protective standards. By building a system of self-regulation 
and legislation, we can create a framework of privacy and instill 
consumer trust.
    Internet privacy legislation can and should support self-regulation 
and technical developments. The tired debate over self-regulation 
versus legislation does not serve our mutual interest in privacy 
protection. It is our collective task to develop a legislative privacy 
proposal that fosters that best industry has to offer through self-
enforcement and privacy enhancing tools. Realizing privacy on the 
Internet demands that we develop a cohesive framework that builds upon 
the best all three of these important tools offer.
    Finally, to protect against government intrusions on privacy, there 
is a role for industry and for legislation. Industry should consciously 
design systems to minimize the collection and retention of personally 
identifiable information in formats that allow it to be retrieved by 
the government without the knowledge or cooperation of the record 
subject. Secondly, legislation is needed to establish strong 
protections limiting government access to information that is 
collected.

    Question 2. To what extent is it necessary for industry to involve 
law enforcement in taking steps to ensure the security and integrity of 
the Internet? Could the use of encryption devices, for example, in fact 
frustrate the ability of law enforcement to provide assistance when 
such assistance is requested by industry or required under law?
    Answer 2. There is a very limited role for government in ensuring 
the security and integrity of the Internet. Obviously, attacks on 
computer systems are crimes and should be investigated and prosecuted 
by well-trained law enforcement personnel. The Internet industry has 
demonstrated its willingness to cooperate in properly-focused 
investigations. In fact, in many computer crime cases, key leads and 
evidence were voluntarily provided to the government by the private 
sector.
    The Congress need not be concerned that private sector security 
measures will impede law enforcement investigations, for, on balance, 
sound computer security measures will prevent far more crime than they 
will shield or facilitate. Encryption is a perfect example. While the 
widespread availability and use of strong encryption means that some 
criminal communications previously accessible to the government will no 
longer be available, the use of encryption on credit card numbers, 
proprietary data and other valuable information in transit and storage 
will prevent far more crime. Similarly, anonymity online, while it 
shields some criminal conduct, also allows honest individuals to 
conduct certain activities in unidentifiable ways, reducing the risk of 
cyber-stalking and identity theft. Government efforts to reduce or 
eliminate the degree of relative anonymity currently available online 
could well backfire, just as other government efforts to dictate the 
design of systems to facilitate government surveillance or access to 
information are likely to introduce security vulnerabilities that will 
be exploited by criminals.
  questions on whether government regulation would stymie technologic 
                               innovation
    Question 1. A primary criticism of government regulation of privacy 
on the Internet is that it would stymie technologic innovation of this 
industry. Do you agree with this criticism? If you do agree, please 
describe how this might occur.
    Answer 1. We do not agree with this criticism as a general matter. 
Government regulation of privacy need not stymie technologic 
innovation. To the contrary, government regulation, if done properly, 
could increase consumer confidence and boost the demand for new online 
services and computer/telecommunications products.

    Question 2. In addition, is it your opinion that any government 
action would hurt technologic innovation? What actions can the 
government take to both encourage technologic innovation and address 
the issue of consumer privacy on the Internet?
    Answer 2. It would certainly hurt technologic innovation if the 
government were to mandate design requirements for security, and 
especially if the government were to require features intended to 
facilitate government surveillance. The experience under the 
Communications Assistance for Law Enforcement Act (CALEA) has been very 
negative. The federal government's decades' long effort to control the 
availability of strong encryption is another example of the harm that 
government regulation can do to privacy, security and technologic 
innovation.
     questions on whether consumer information can be used without 
                   compromising anonymity and privacy
    Question 1. Given what an important resource the Internet is for 
companies to target potential consumer groups, are there ways a 
consumer's personal information could be made available to third 
parties for business purposes while still maintaining a consumer's 
anonymity and privacy?
    Can the government take any actions that might help industry do 
this? If so, what?
    Answer 1. Yes, there are ways a consumer's personal information 
could be made available to third parties while still maintaining a 
consumer's anonymity and privacy, but there is little that the 
government could do to promote these developments short of enacting 
baseline legislation embodying enforceable fair information practices, 
as discussed above.
    The private sector (corporations, public interest organizations, 
and standards bodies) must take the lead in developing specifications, 
standards and products that protect privacy. A privacy-enhancing 
architecture must incorporate, in its design and function, individuals' 
expectations of privacy. For example, a privacy-protective architecture 
would provide individuals the ability to ``walk'' through the digital 
world, browse, and even purchase without disclosing information about 
their identity, thereby preserving their autonomy and ensuring the 
expectations of privacy.
    For example, the Internet Engineering Task Force (IETF) is working 
on two standards that would create new guidelines for the appropriate 
use of cookies. While cookies are helpful for Web sites looking to 
maintain relationships with visitors, they have been implemented in 
ways that give users very little control and have been used by some to 
subvert consumers' privacy. On most browsers, users are given only the 
option to either accept or reject all cookies or to be repeatedly 
bombarded with messages asking if it is OK to place a cookie. The IETF 
is considering two complementary ``Internet drafts'' that would 
encourage software makers to design cookies in ways that give users 
more control. These drafts lay out guidelines for the use of cookies, 
suggesting that programmers should make sure that:
    --the user is aware that a cookies is being maintained and consents 
to it;
    --the user has the ability to delete cookies associated with a Web 
visit at any time;
    --the information obtained through the cookie about the user is not 
disclosed to other parties without the user's explicit consent; and
    --cookie information itself cannot contain sensitive information 
and cannot be used to obtain sensitive information that is not 
otherwise available to an eavesdropper.
    The drafts say that cookies should not be used to leak information 
to third parties nor as a means of authentication. Both are common 
practices today.
          questions on whether privacy concerns are justified
    Question 1. National polls indicate that personal privacy is an 
increasing concern amongst consumers as the Internet is being used more 
and more each day to conduct personal business such as purchasing 
consumer goods, banking, and trading.
    In your view, are such privacy concerns justified?
    Will commerce on the Internet reach its full potential if such 
concerns are not adequately addressed?
    Answer 1. In CDT's view, consumer privacy concerns are indeed 
justified. We have long stated that the Internet will never reach its 
potential if such concerns are not adequately addressed. Over the past 
twelve months privacy concerns surrounding the use of technology to 
track and profile individuals' has taken center stage. From the joint 
FTC and Department of Commerce workshop on Online Profiling, to the 
massive online consumer protest of Doubleclick's withdrawn proposal to 
tie online profiles to individuals' offline identities, to the private 
law suits against Realnetworks, to state Attorneys' General actions 
against Doubleclick--it is clear that policy-makers and the public are 
concerned with the use of technology to undermine privacy expectations.
    There is reason for concern. Third-party cookies, as the FTC Web 
sweep reports, are routinely found at commercial Web sites. In fact, 
consumers visiting 78% of the 100 most popular Web sites will be 
confronted with cookies from entities other than the Web site. While 
the growth of third-party cookies continues, less than 51% of the top 
100 sites that set third-party cookies tell consumers about this 
practice.
    Similarly, the use of ``web bugs'' or clear gifts--invisble tags 
that Internet marketing companies use to track the travels of Internet 
users--has grown exponentially over the past year. Richard Smith, a 
well-known computer security expert, in his presentation to the 
Congressional Privacy Caucus stated that in January 2000 approximately 
2000 ``web bugs'' were in use on the Web (according to a search using 
Alta Vista), but in just 5 months that number multiplied ten-fold to 
27,000.
    questions on whether privacy protections differ between on-line 
                     consumers and on-line business
    Question 1. In the analog world there are different expectations of 
privacy in different contexts. For example, there is a substantial 
difference in privacy expectations between the shopkeeper and the 
shopper. Certainly a consumer would expect to be able to shop for a 
computer without surrendering significant personal information. But one 
does expect to have access to sufficient information about the seller 
to verify that it is a reputable dealer. Such information may be even 
more important in the virtual world where certain unscrupulous 
shopkeepers can hide behind technologically-rich facades that given 
them an aura of credibility.
    Does this not suggest we protect privacy of online shoppers and web 
surfers, and require disclosure from web site proprietors, especially 
those engaged in e-commerce, or at least that we should treat 
differently the privacy claims of people surfing the net and those 
holding themselves out on the net by opening web sites?
    Answer 1. We hesitate to support any requirements of disclosure 
from Web site operators. The principle of caveat emptor (buyer beware) 
applies on the Internet with even more force than it does off-line. 
While the government should prosecute fraud online just as it does 
fraud offline (we note that the Justice Department has recently created 
an online complaint system for consumers who suspect they have been the 
victims of online fraud), we believe that disclosure requirements would 
be unworkable and ineffective. There is already a tremendous amount of 
information available online. Users need to take advantage of the 
information that is there, not depend on some regulatory mechanism to 
certify what is reliable and what isn't.
                                 ______
                                 

     Responses of James X. Dempsey to Questions From Senator Leahy

    Question 1. Do you support or endorse S. 2448? Are you aware of any 
companies or organizations that support or endorse S. 2448?
    Answer 1. CDT does not support S. 2448 as introduced. We are not 
aware of any companies or organizations that endorse the bill.

    Question 2. Please comment on your views of S. 2448 and explain any 
specific concerns you may have about this legislation.
    Answer 2. Our views on S. 2448 are set forth in detail in our 
testimony and in the attached letter to Chairman Hatch identifying 
specific areas of concern and making specific suggestions for changes 
in the bill.

    Question 3. In my opening statement, I gave the example of the 
college student who without authorization accesses his professor's 
computer to see what grade he is going to get and accidentally deletes 
a file or a message. That conduct may be cause for discipline at the 
college but would not be a federal crime under current law, unless the 
conduct caused over $5,000 in damage.
    A. Do you think that sort of unethical conduct warrants federal law 
enforcement attention and should be a federal crime?
    Answer 3A. No.

    Question 3. B. Under S. 2448, this unauthorized access to the 
professor's computer would constitute a felony violation of 
1030(a)(5)(B), punishable by up to 3 years' imprisonment, with a 
mandatory minimum of at least 6 months in jail, or a misdemeanor 
violation of 1030(a)(5)(C). Rather than trust federal prosecutors to 
exercise their discretion to decline such a case, would it be 
preferable for Congress to define clearly what would and should not be 
a federal crime?
    Answer 3B. CDT does not take a position on mandatory minimum 
sentences.

    Question 4. Some have suggested that some change to the Freedom of 
Information Act (FOIA) would be useful to encourage private sector 
cooperation with the government in protecting critical infrastructures. 
I have long supported the FOIA as a critical tool for all Americans to 
find out what their government is doing. This is healthy and necessary 
for our democracy. Consequently, I am concerned about proposals that 
allow agencies to keep ``secret'' broad categories of records in their 
possession that may be related to the ``critical infrastructure'' and 
to block FOIA requests, with no other justification and no judicial 
review. This would certainly reduce the FOIA workload of Federal 
agencies, but labeling information as related to ``critical 
infrastructure'' as a means of exempting entire categories of 
information from the FOIA would, in my view, undercut and pose a threat 
to the effectiveness of the FOIA.
    A. Would you agree with me that any change to the FOIA must avoid 
undercutting the usefulness of the FOIA and ensure the effectiveness of 
judicial review?
    Answer 4A. Absolutely. CDT supports and applauds the position of 
Senator Leahy, who has long been a champion for the FOIA and its vital 
role in our democratic system of open and accountable government. We 
share Sen. Leahy's concerns about the dangers posed by further FOIA 
exemptions, particularly if they are drawn in broad terms. If cyber-
security is to become a government priority, then information about 
cyber-security issues in the hands of the government should be subject 
to public access, to ensure that the government is doing its job, 
subject only to the narrow national security, law enforcement and 
proprietary information exceptions of FOIA.

    Question 4B. What suggestions, if any, do you have for refining the 
FOIA in ways that would narrowly address the legitimate concerns of the 
private sector about sharing information to protect our critical 
infrastructures while at the same time maintaining the presumption in 
FOIA that federal agency records are subject to the disclosure and that 
agency actions is subject to judicial review?
    Answer 4B. We believe that, if any change is adopted, it would be 
best to work within the existing framework of the (b)(4) proprietary 
information exemption to FOIA. The Y2K Information and Readiness 
Disclosure Act, Pub. L. 105-271, exempted certain Y2K-related 
information within the context of (b)(4). In other respects, however, 
the Y2K legislation is not an appropriate model for legislation 
regarding cyber-security information. CDT has prepared a detailed 
analysis of one such proposal, H.R. 4246, introduced by Reps. Davis and 
Moran. A copy of our analysis is enclosed.
          * * * * * * *
    Mr. Chairman, CDT looks forward to continuing to work with you, 
with the ranking Senator and with all the members of the Senate 
Judiciary Committee to craft a focused bill improving privacy and 
cyber-security. We would be happy to provide to you any further 
information or assistance we can.
            Respectfully,
                            James X. Dempsey, senior staff counsel.
                                 ______
                                 
                       Center for Democracy and Technology,
                                      Washington, DC, June 7, 2000.
Re S. 2448, Internet Integrity and Critical Infrastructure Protection 
        Act of 2000.

Hon. Orrin G. Hatch,
Chairman, Senate Judiciary Committee,
 Washington, DC.
    Dear Chairman Hatch: We are pleased to share with you some further 
specific comments on your bill, S. 2448. We have been grateful, for the 
attention that you and your staff have shown to privacy concerns. In 
particular, your staff has spent many hours with us going over the bill 
both before and after introduction.
Title I
    We are concerned that Section 101(b)(3) of S. 2448 would amend the 
federal Computer Fraud and Abuse Act, 18 USC 1030, to make the most 
trival forms of unauthorized computer access a potential federal crime, 
by eliminating the $5,000 threshold that currently defines ``damage'' 
in the absence of other specific harms.
    The $5,000 threshold is important to the purport of Sec. 1030 
because otherwise the scope of the statute is exceedingly broad. It was 
hard for drafters of Sec. 1030 to specify what kinds of conduct should 
constitute a computer crime. Consequently, subsection (a)(5)(A) is very 
general: it makes it a crime to knowingly cause the transmission of 
``information'' and as a result intentionally cause damage without 
authorization to any computer connected to the Internet. Under 
subsection (e)(8), damage is defined as ``any impairment to the . . . 
availability of . . . a system.'' Sending a single email to someone who 
didn't want it impairs the availability of that person's system for the 
tiny amount of time it takes to download the message, and every user 
who sends a message to someone who didn't want it intentionally 
``impairs'' the availability of that person's computer for that very 
short period of time. On the other hand, sending many thousands and 
thousands of unwanted messages to a system also impairs the 
availability of that system, but in a way that should be treated as a 
criminal attack. To make it clear that the latter was a crime but the 
former was not, Sec. 1030(a)(5) has a damage requirement and damage was 
defined in terms of a $5,000 Threshold. (In contract, subsections 
(a)(1)-(4) and (6)(7) of Sec. 1030 do not have damage requirements, 
because the crimes there are more precisely defined.)
    We oppose the elimination of the $5,000 threshold. It will open up 
a wide range of common conduct to the threat of criminal prosecution. 
We are especially concerned that the authority would be used 
selectively and could be used to intimidate those who use the Internet 
for political advocacy. The concerns are compounded by the other 
sections of S. 2448 that would require forefeiture to the government of 
the real and personal property of any person convicted of any violation 
of Sec. 1030 as expanded by section 101 an expand wiretap authority by 
making all subsections of Sec. 1030 crimes a predicate for wiretaps.
    Indepndently, we are concerned about the implications of forfeiture 
of real property ``used . . . to facilitate'' the commission of an 
offense under Sec. 1030.
    Suggested changes: On page 7, we would urge you to strike lines 1 
through 5.
    On page 9, lines 15 and 16, strike ``in any property, whether real 
or personal,'' and insert ``in any computer equipment.''
    On page 10, line 11, strike ``Any property, whether real or 
personal,'' and insert ``Any computer equipment''.
Section 302--Satellite TV subscriber privacy
    We commend you for including Sec. 302, which would prohibit 
satellite TV service providers from disclosing information about their 
customers and their viewing habits unless the customers have 
affirmatively agreed (``opted-in'') to such sharing. This provision 
extends to satellite TV viewers some of the privacy protections 
accorded to cable TV viewers under 47 USC 551. However, S. 2448 is not 
as strong as the Cable Act: S. 2448 allows disclosure to the government 
without notice to the subscriber and an opportunity to object, and sets 
a lower relevance standard for government access, thereby giving 
satellite TV viewers less protection than existing federal law affords 
to cable TV subscribers. We recommend extending all of the privacy 
protections of the Cable Act to satellite.
    Suggested change: On page 31, strike lines 6 through 14 and 
insert'' (I) if the law enforcement agency shows that there is clear 
and convincing evidence that the subject of the information is 
reasonably suspected of engaging in criminal activity and that the 
information sought would be material evidence in the case, and (II) if 
the subject of the information is afforded the opportunity to appear 
and contest such entity's claim.''
Title IV--FBI/DOJ authority
    CDT endorses the comments of Americans for Computer Privacy, of 
which we are a member. For the sake of completeness, we restate their 
comments here.
    We are concerned that language in Section 402, specifically 
402(a)(4), could be interpreted as giving the FBI the ability (if not 
the express authority) to set standards for the computer and 
telecommunications industry. We think subsection (a)(4) unintentionally 
yet mistakenly gives such authority. Subsection (a)(5) gives NIPC the 
authority to pursue any mission it wishes.
    Suggested change: We strongly urges you to eliminate (a)(4)-(5) 
altogether and list only the first three purposes, all of which help 
delineate an appropriate role for law enforcement.
    We share ACP's concerns with a couple of the duties listed for the 
new DAAG created in Section 401. In particular, please note those 
sections that would become Sec. 507a(c)(2) and Sec 507a(c)(6). The 
first provision grants the DAAG the power to ``coordinate national and 
international activities relating to combatting computer crime.'' This 
grant of authority is too broad. For example, dictating design 
standards or compelling hacker information from companies both 
represent ``activities relating to combatting computer crime,'' but the 
DAAG should not be given authority--implied or otherwise--to carry out 
these activities.
    Suggested change: To address this problem, we suggest that, after 
``international,'' the words ``law enforcement'' be inserted.
International assistance
    Section 502 permits the Attorney General to disclose information 
regarding the activities of U.S. citizens or companies to foreign law 
enforcement authorities, even where the activities are legal under U.S. 
law. Section 503(b)(2) of S. 2448 permits the US Attorney General to 
provide computer crime evidence to foreign law enforcement authorities 
``without regard to whether the conduct investigated violates any 
Federal computer crime law.''
    Suggested change: To make it clear that this Title does not expand 
the Justice Department's investigative authority to investigate lawful 
conduct in the US at the request of foreign governments, strike section 
503(b)(2), lines 17 through 23 on page 54.
Possible amendments
    We congratulate you on keeping S. 2448 narrow, while at the same 
time addressing a range of cyber-crime and e-commerce issues. We remain 
concerned about potential amendments that would introduce new issues, 
for which CDT and other interested parties would not have had an 
opportunity to review language and strive for consensus. We stress, as 
we did in our testimony, that it is important to proceed cautiously, as 
you have, and keep the bill from becoming laden with other issues that 
have not been adequately reviewed and refined.
Pen registers for the Internet
    Primary among the issues we have feared might be offered as 
amendments to S. 2448 is S. 2092, which the Justice Department is 
urging be added to S. 2448.
    S. 2092 would extend government surveillance authority over the 
Internet in broad and ill-defined ways. It does so with very broad 
terminology, stating that the pen register can collect ``dialing, 
routing, addressing or signaling information,'' without further 
definition. S. 2092 also would give every federal pen register and trap 
and trace order nationwide effect, without limit and without requiring 
the government to make a showing of need, creating a sort of ``roving 
pen register.''
    We have shared our concerns with Senator Schumer and are committed 
to working with him to improve his bill. At this point, we understand 
that Sen. Schumer does not intend to offer his bill as an amendment to 
S. 2448. A copy of our comments and suggestions on S. 2092 is enclosed.
    Again, we thank you for the care with which you have approached 
these difficult issues and for your willingness to make changes to your 
bill to accommodate the privacy and civil liberties concerns. We look 
forward to continuing to work with you to develop a consensus bill that 
can enjoy widespread support.
    Sincerely,
                            James X. Dempsey, senior staff counsel.
Enclosure.

                  Center for Democracy and Technology

  amending the pen register and trap and trace statute in response to 
recent internet denial of service attacks--and to establish meaningful 
                          privacy protections
    Pen registers are surveillance devices that capture the phone 
numbers dialed on outgoing telephone calls; trap and trace devices 
capture the numbers identifying incoming calls. They are not supposed 
to reveal the content of communications. They are not even supposed to 
identify the parties to a communication or whether a call was 
connected, only that one phone dialed another phone. Nonetheless, in an 
increasingly connected world, a recording of every telephone number 
dialed and the source of every call received can provide a very 
complete picture--a profile--of a person's associations, habits, 
contacts, interests and activities. For that reason, pen registers and 
trap and trace devices are very helpful to law enforcement and pose 
significant privacy concerns. Much of the current debate over 
surveillance standards relates to the collection of transactional data 
by these devices and by other means.
    A 1986 federal law requires a court order for use of such devices, 
but the standard for approval is so low as to be nearly worthless--a 
prosecutor does not have to justify the request and judges are required 
to approve every request.
    These orders apply to email and other Internet activity, but it is 
not clear what is the Internet equivalent of the dialing information 
that must be disclosed. In crucial respects, Internet addressing 
information can be far more revealing than telephone dialing 
information--not only doesit reveal the precise parties who are 
communicating, but it can even reveal the meaning or content of 
communications.
    Federal law enforcement agencies conduct roughly 10 times as many 
pen register and trap and trace surveillances as they do wiretaps. In 
1996, the Justice Department components alone obtained 4,569 pen 
register and trap and trace orders. Most orders covered more than one 
line: in 1996, 10,520 lines were surveilled by pen registers or trap 
and trace devices. So much information is collected that Justice 
Department agencies have developed several generations of computer 
tools to enhance the analysis and linking of transactional data from 
pen registers and trap and trace devices.
    In response to a Justice Department proposal, legislation has been 
introduced to authorize judges in one jurisdiction to issue pen 
register and trap and trace orders to service providers anywhere in the 
country. S. 2092. Other provisions in the bill could have the effect of 
greatly expanding the scope of these supposedly limited surveillance 
devices, allowing the collection of more personally revealing 
information and imposing expensive burdens on ISPs, portals, and other 
service providers.
    Before the geographic reach of pen register and trap and trace 
orders is expanded, the privacy standards in the current law should be 
updated: some real substance should be put into the standard for 
issuing those orders and the scope of information they collect should 
be carefully limited.
The framework of the electronic surveillance laws
    There are three major laws setting privacy standards for government 
interception of communications and access to subscriber information:
     The federal wiretap statute (``Title III''), 18 USC 2510 
et seq., which requires a probable cause order from a judge for real-
time interception of the content of voice and data communications. This 
legal standard is high.
     The Electronic Communications Privacy Act of 1986 
(``ECPA''), 18 USC 2701 et seq., setting standards for access to stored 
email and other electronic communications and to transactional records 
(subscriber identifying information, logs, toll records). The standard 
for access to the contents of email is relatively high; the standards 
for access to transactional data are low.
     The pen register and trap and trace statute, enacted as 
part of ECPA, 18 USC 3121 et seq., governing real-time interception of 
``the numbers dialed or otherwise transmitted on the telephone line to 
which such device is attached.'' The standard is that of a rubber 
stamp.
    Title III governs the interception of the ``contents'' of 
communications, which the statute defines as ``any information 
concerning the substance, purport, or meaning of that communication.'' 
18 USC Sec. 2510(8). Since the Supreme Court has held that the content 
of communications is fully protected by the Fourth Amendment's 
limitations on searches and seizures, Title III imposes strict 
limitations on the ability of law enforcement to obtain call content-
limitations that embody, and in some respects go beyond, the 
protections guaranteed by the Fourth Amendment. A law enforcement 
agency may intercept content only pursuant to a court order issued upon 
findings of probable cause to believe that an individual is committing 
one of a list of specifically enumerated crimes, that communications 
concerning the specified offense will be intercepted, and that the 
pertinent facilities are commonly used by the alleged offender or are 
being used in connection with the offense. 18 USC Sec. 2518(3).
    On the other hand, the Supreme Court has held that there is no 
constitutionally-protected privacy interest in the numbers one dials to 
initiate a telephone call. Smith v. Maryland, 442 U.S. 735, 742 (1979). 
Accordingly, the pen register and trap and trace provisions in 18 USC 
Sec. 3121 et seq. establish minimum standards for court-approved law 
enforcement access to the ``electronic or other impulses'' that 
identify ``the numbers dialed'' for outgoing calls and ``the 
originating number'' for incoming calls. 18 U.S.C. Sec. Sec.  3127(3)-
(4). To obtain such an order, the government need merely certify that 
``the information likely to be obtained is relevant to an ongoing 
criminal investigation'' 18 USC Sec. Sec. 3122-23. (There is no 
constitutional or statutory threshold for opening a criminal 
investigation.)
    The Supreme Court has stressed how limited is the information 
collected by pen registers. ``Neither the purport of any communication 
between the caller and the recipient of the call, their identities, nor 
whether the call was even completed is disclosed by pen register.'' 
United States v. New York Tel, Co., 434 U.S. 159, 167 (1977) (emphasis 
added). Recent court decisions have reemphasized that such devices' 
``only capability is ti intercept'' the telephone numbers a person 
calls. Brown v. Waddell, 50 F.3d 285, 292 (4th Cir. 1995) (emphasis 
added).
    The pen register/trap and trace statute lacks many of the privacy 
protections found in the wiretap law. Not only is the standard for 
judicial approval so low as to be meaningless, the government can use 
pen register evidence even if it is intercepted without complying with 
the law's minimal provisions: Unlike the wiretap statute, which has a 
statutory exclusion rule, the pen register/trap and trace law has no 
such provision, and the Fourth Amendment's exclusionary rule does not 
apply. There is little chance of after-the-fact oversight, since 
innocent citizens are unlikely to find out about abuses of the statute: 
Unlike the wiretap law, the pen register/trap and trace statute has no 
provision requiring notice to persons whose communications activities 
have been surveilled. Nor, in contrast to the wiretap law is there any 
provision for judicial supervision of the conduct of pen registers: 
Judges are never informed of the progress or success of a pen register 
or trap and trace. There is also no minimization rule: Section 3121(c) 
requires the government to use technology reasonably available to it 
that restricts the recording or decoding of electronic or other 
impulses to the dialing and signaling information used in call 
processing, the FBI has recently admitted that no such technology 
exists.
Applying pen registers to the Internet
    The pen register and trap and trace statute was adopted before the 
Internet was widely available to ordinary citizens. The definition of 
pen register says that such devices capture only the ``numbers dialed 
or otherwise transmitted'' on the telephone line to which the device is 
attached. 18 USC 3127(3). The definition of trap and trace device 
refers to ``the originating number of an instrument or device from 
which a wire or electronic communication was transmitted.'' 18 USC 
3127(4).
    There are many questions posed by application of the pen register/
trap and trace statute to the Internet. The statue almost certainly 
applies to email and the Web, for it refers to electronic 
communications. But what are ``the numbers dialed or otherwise 
transmitted''? Can the government serve a pen register order on the ISP 
or other service provider like Hotmail, to obtain the addresses of all 
incoming and outgoing emails for a certain account? Does the pen 
register/trap and trace authority encompass only numbers (Internet 
protocol addresses) or does it include email addresses or both? Can a 
pen register or trap and trace order be served on a portal or search 
engine? What does the statute mean when applied to URLs? Can the 
government serve a pen register or trap and trace order on CNN and get 
the address of everybody who has downloaded or viewed a certain 
article? What information is collected under a pen register order and 
from whom in the case of a person who is using the Internet for voice 
communications? What standard applies if the person has DSL or a cable 
modem?
    The importance of these questions is heightened by the fact that 
transactional or addressing data of electronic communications like 
email and Web browsing can be much more revealing than telephone 
numbers dialed.
    First, email addresses are more personally revealing than phone 
numbers because email addresses are unique to individual users. In many 
offices, while there is only one phone number normally called from the 
outside, each person has an individual email address. So while a pen 
register on a phone line only shows the general number called, a pen 
register served on an ISP will likely identify the specific recipient 
of each message. Even in a household, each person online may have a 
separate email, and may have different email addresses for different 
purposes, making it more likely that the government can determine 
precisely who is contacting whom.
    Furthermore, if the pen register authority applies to URLs or the 
names of files transmitted under a file transfer protocol, then the 
addressing information can actually convey the substance or purport of 
a communication. If you call (202) 637-9800 on the phone and asks for a 
copy of our statement on cybercrime and Internet survelliance, a pen 
register shows only that you called the general CDT number. If you 
``visit'' our website and read the statement, your computer transmits 
the URL http://www.cdt.org/security/000229judiciary.shtml, which 
precisely identifies the content of the communication. Does a pen 
register served on our ISP or our web hosting service require 
disclosure of that URL? If so, the government has no trouble knowing 
what you read, for typing in the same URL reveals the whole document.
    Such revealing information appears in other addresses:
    If you search Yahoo for information about ``FBI investigations of 
computer hacking,'' the addressing information you send to Yahoo 
includes your search terms. The URL looks like this: http://
search.yahoo.com/bin/search?p=FBI+and+hacking+
investigations.
    If you search AltaVista for ``hacker tools,'' the ``addressing'' 
data looks like this: http://www.altavista.com/cgo-bin/
query?pg=q≻=on&hl=on&q=hacker+ tools&kl=XX&stype=stext&search.x= 
25&search.y=11.
    If you send a message to Amazon.com to buy a book, this is what the 
URL looks like: http://www.amazon.com/exec/obidos/handle-buy-
box=0962770523/book-glance/002-9953098-4097847, where 0962770523 is the 
standardized international catalogue (ISBN) number of the book you are 
buying.
    Computer security expert Richard Smith has identified numerous ways 
in which the URLs sent to DoubleClick include personal information 
about travel plans, health, and other matters. See attached memo and 
http://www.tiac.net/users/ smiths/privacy/banads.htm. Can a pen 
register order be served on DoubleClick? Would it cover the detailed 
information found in URLs delivered to DoubleClick?
    These questions did not exist in 1986, when the pen register 
statute was enacted. They illustrate how outdated is the rubber-stamp 
standard of the current law. All of these questions should be addressed 
before the scope of the pen register statute is further extended.
Jurisdictional expansion of the pen register/trap and trace statute
    18 USC 3123(a) currently states that a judge shall authorize the 
installation and use of a pen register or trap and trace device 
``within the jurisdiction of the court.'' The Justice Department argues 
that this jurisdictional limitation (no different than the 
jurisdictional limitation that applies to search warrants or subpoenas 
in the ``real'' world) poses a burden to law enforcement conducting 
investigations in cyberspace, since a communication may jump from one 
computer to another.
    While there is some apparent logic to the government's argument for 
tracing computer data across jurisdictional lines, the proposed change 
would not be limited to computer communications--it would also apply to 
plain old telephones. Nor would it be limited to situations where it 
appeared that communications were passing through multiple service 
providers: it would allow a Miami judge to authorize the use of a pen 
register in New York on communications starting and ending in New York.
    Furthermore, orders issued under the proposed change as introduced 
would have no limits. A normal subpoena, even one with nationwide 
effect, is addressed to a specific custodian of the desired 
information. Fed. R. Crim. Proc. 17(c). This requirement does not 
appear in S. 209; instead, the government would receive a blank order, 
which it could presumably serve on multiple, unnamed service providers, 
with no limit as to time or how often the subpoena could be used.
    If the pen register and trap and trace provisions are given 
nationwide effect, it should not automatically apply to every such 
order. There should at least be some requirement that the applicant 
explain to the judge's satisfaction why authority is sought to conduct 
the investigation across jurisdictional lines: Section 3122(b) should 
be amended to require in the application, if an order with nationwide 
effect is sought, a full and complete statement as to the grounds for 
believing that some of the communications to be identified originate or 
will terminate outside the jurisdiction of the issuing court or are 
passing through multiple service providers and that the cooperation of 
multiple service providers or service providers in other jurisdictions 
will be necessary to identify their origin or destination. And 3123 
should be amended to require the judge to specify to whom the subpoena 
is directed by name, as well as the geographic extent of the order and 
the time within which it is effective. (Limiting language or geographic 
extent already appears in the statute. 3123(b)(1)(C).)
Establishing meaning privacy standards for pen registers
    Any territorial extension of the reach of trap and trace or pen 
register orders should also be coupled with a heightened standard for 
approval of such devices. Under current law, a court order is required 
but the judge is a mere rubber stamp--the statute presently says that 
the judge ``shall'' approve any application signed by a prosecutor 
saying that the information sought is relevant to an investigation. 
Currently, the judge cannot question the claim of relevance, and isn't 
even provided with an explanation of the reason for the application. 
Given the obvious importance of this ``profiling'' information, section 
3122(b)(2) should be amended to require the government's application to 
include a specific description of the ongoing investigation and how the 
information sought would be relevant and material to such 
investigation, and section 3123(a) should be amended to state that an 
order may issue only if the court finds, based on a showing by the 
government of specific and articulable facts, that the information 
likely to be obtained by such installation and use is relevant and 
material to an ongoing criminal investigation.
    The second change needed is to define and limit what information is 
disclosed to the government under a pen register or trap and trace 
order, especially those served on an Internet service provider or in 
other packet networks. Unfortunately, S. 2092 goes in the opposite 
direction. It would amend the definition of pen register devices to 
include ``dialing, routing, addressing, or signaling information 
transmitted by an instrument or facility from which a wire or 
electronic communication is transmitted.'' This completely looses the 
current sense of the statute, which is limited to information 
identifying the destination of a communication. The phrase ``dialing, 
routing, addressing or signalling information'' is very broad. It 
increases the amount of information that can be ordered disclosed/
collected, in ways that are unclear but that are likely to increase the 
intrusiveness of these devices, which are not supposed to identify the 
parties to a communication and not even supposed to disclose whether 
the communication was completed. It goes will beyond merely eliminating 
the archaic reference to telephone lines.
    A much better way to phrase the pen register definition would be: 
``dialing, routing, addressing or signalling information that 
identifies the destination of a wire or electronic communication 
transmitted by the telephone line or other subscriber facility to which 
such device or process is attached or applied,''.
    Similarly, the trap and trace definition could be amended to read: 
``a device or process that captures the dialing, routing, addressing or 
signalling information that identifies the originating instrument or 
device from which a wire or electronic communication was transmitted.'' 
These amendments should be coupled with statutory language or 
legislative history making it clear that pen registers do not authorize 
interception of search terms, URLs identifying certain documents, files 
or web pages, or other transactional information.
    As an oversight matter, it would be useful to include reporting 
requirements in the pen register statute that are closer to those 
applicable to wiretaps. Currently, the statute requires only reports 
for pen registers and trap and trace devices applied for by the Justice 
Department, so there is no way of knowing what is done by other federal 
law enforcement agencies or state and local authorities.
    Finally, it should be made clear that any changes to the statute do 
not expand the obligations on carriers under the Communications 
Assistance of Law Enforcement Act. Currently, a debate is underway over 
the meaning of CALEA. The government would almost certainly cite S. 
2092's amendments to the definitions of pen register and trap and trace 
device as justification for requiring carriers to install additional 
surveillance features. It must be made clear, for example, that the pen 
register/trap and trace statute's reference to identifying the origin 
of communications does not imply a design mandate for identification or 
traceability.
    For more information, contact: Jim Dempsey (202) 637-9800
    [GRAPHIC] [TIFF OMITTED] T3464A.003
    
    [GRAPHIC] [TIFF OMITTED] T3464A.004
    
    [GRAPHIC] [TIFF OMITTED] T3464A.005
    
    [GRAPHIC] [TIFF OMITTED] T3464A.006
    
    [GRAPHIC] [TIFF OMITTED] T3464A.007
    
    [GRAPHIC] [TIFF OMITTED] T3464A.008