[Senate Hearing 106-1057]
[From the U.S. Government Publishing Office]

S. Hrg. 106-1057

THE ``CARNIVORE'' CONTROVERSY: ELECTRONIC SURVEILLANCE AND PRIVACY IN THE DIGITAL AGE

HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION

SEPTEMBER 6, 2000

Serial No. J-106-105

Printed for the use of the Committee on the Judiciary

U.S. GOVERNMENT PRINTING OFFICE
74-729 WASHINGTON : 2001

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON THE JUDICIARY

ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina
PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa
EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania
JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona
HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio
DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri
RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan
ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama
CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire

Manus Cooney, Chief Counsel and Staff Director
Bruce A. Cohen, Minority Chief Counsel

C O N T E N T S

STATEMENTS OF COMMITTEE MEMBERS

Hatch, Hon. Orrin G., a U.S. Senator from the State of Utah
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont

WITNESSES

Cerf, Vinton G., Internet Trustee, Internet Society, Reston, VA
Dempsey, James X., Senior Staff Counsel, Center for Democracy and Technology, Washington, DC
Di Gregory, Kevin V., Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice, Washington, DC; accompanied by Martha Stansell-Gamm, Chief, Computer Crimes and Intellectual Property Section, U.S. Department of Justice, Washington, DC
Kerr, Donald M., Assistant Director, Federal Bureau of Investigation, Washington, DC; accompanied by Larry R. Parkinson, General Counsel, Federal Bureau of Investigation, Washington, DC
O'Neill, Michael, Assistant Professor of Law, George Mason University Law School, Fairfax, VA
Rosen, Jeffrey, Associate Professor of Law, George Washington University Law School, Washington, DC

QUESTIONS AND ANSWERS

Responses of Donald M. Kerr to Questions from:
Senator Hatch
Senator Thurmond
Senator Leahy

THE ``CARNIVORE'' CONTROVERSY: ELECTRONIC SURVEILLANCE AND PRIVACY IN THE DIGITAL AGE

WEDNESDAY, SEPTEMBER 6, 2000

U.S. Senate,
Committee on the Judiciary,
Washington, DC.

The committee met, pursuant to notice, at 10:08 a.m., in room SD-226, Dirksen Senate Office Building, Hon. Orrin G. Hatch, (chairman of the committee) presiding.

Also present: Senators Specter and Leahy.

OPENING STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM THE STATE OF UTAH

The Chairman. We are happy to welcome all of you out to today's hearing. The purpose of our hearing today is to examine the effect that new surveillance technologies, such as the FBI's now too famous Carnivore, is having on the important public policy balance between personal privacy rights and law enforcement in the digital age. That the context of this hearing is important goes without saying.
The Internet is rapidly becoming a dominant means by which Americans transact business, receive news and information, communicate with their families, and even have fun. A recent report states that over 40 million Americans are currently using the Internet, and that the rate of increase is nearly 55,000 new users every day. Over three million Web pages were created every day in 1999. Clearly, the Internet is becoming a pervasive feature of daily life, and the technology on the horizon promises to make it even more so.

Additionally, the Internet's ability to allow anyone, regardless of wealth or status or political clout, to share opinions with the world, makes it the ultimate first amendment-enabling technology.

But as with many great technological developments and achievements, the Internet's greatest strength is also its most vulnerable weakness. The huge amounts of data speeding through the Internet, including phone numbers, addresses, credit card numbers and bank account information, have facilitated an online crime wave. And the same ease of use that has motivated so many people to rely on the Internet has also given rise to a new breed of swindlers, vandals and terrorists who are short-circuiting the Internet's benefits by waging denial of service attacks, or who are turning the Internet into a weapon by spreading computer viruses.

Only last week, a 24-year-old California man was charged with securities fraud after a fake news release posted on a Website claimed that the Emulex Company had lost its CEO and would restate its last quarter's earnings to show a loss instead of a profit. The hoax caused a $2 billion loss in the value of this company. Unfortunately, this is only one of the myriad types of crime committed via the Internet. The use of e-mail has been a boon to criminals engaged in spreading child pornography, coordinating illegal drug rings, stealing intellectual property, and much more.
America's Internet users are legitimately concerned that surfing the Internet is like walking in a big city at night: the enjoyment is tempered by a fear of what is lurking unnoticed in the dark alleys. Even short of illegal activity, Americans are concerned about the ability of businesses and other Web site hosts to collect and share personal information, and to track individuals' interests, purchases, and other data.

On the other side of the debate is an equally important concern that the Government should not intrude unduly into commerce and personal lives. Unlike many other governments in the world, the United States does not permit its law enforcement agencies easy access to phone lines, the mail, and other sources of private information. The computer geniuses who are innovating with new technology and creating e-commerce companies are understandably wary of opening up their hard drives and servers to government data traffic control. And individuals who use the Internet for personal communications, purchases and hobbies are justifiably reluctant to allow an ``Orwellian Big Brother'' to monitor which Web sites they visit or what messages they send through cyberspace.

In short, America's Internet users want a balanced approach to Internet integrity that guarantees protection of personal privacy, but that allows limited and constitutionally-sanctioned access to law enforcement when necessary for the protection of law-abiding citizens. Some believe these goals are in hopeless conflict. I personally do not. I firmly believe that properly calibrated laws can simultaneously protect the Internet from criminals and terrorists, respect the privacy interests of all Americans, and allow the Internet to flourish free from burdensome regulation. In fact, I recently introduced a bill, the Internet Integrity and Critical Infrastructure Protection Act of 2000, that strives to do that in certain circumstances.
Although no law could prevent bad actors from misusing the Internet, my bill will provide much needed resources and investigative tools to law enforcement and will update our computer abuse laws to help deter and prevent such activities. So it is within the context of this debate that we are holding today's hearing to examine the constitutional and policy implications of new surveillance technologies, in general, and the FBI's Carnivore system in particular. I hope we get a better understanding of what Carnivore is and how it operates today. As I understand it, it permits law enforcement agencies to gather specific electronic-mail information, presumably circumscribed by court order, relevant to the commission of a crime. There has been a lot of controversy surrounding this system, perhaps justified, perhaps not. Much of the controversy and confusion is due to differences in opinion on the degree of protection against improper searches by the Government that the fourth amendment of our Constitution provides each citizen, and whether current laws--which were written before the Internet became the revolutionary force in communications that it has become--need updating in this new digital age. It is this constitutional challenge created by technological advancement that we are here to examine today. Now, before we hear from today's witnesses, I want to note that the technical questions about Carnivore are to be addressed by a DOJ-commissioned independent technical review. These technical questions include whether the Carnivore system could interfere with the proper functioning of Internet service providers, whether the system might provide investigators with more information than is authorized by a court order, or whether the system's capabilities could give rise to a risk of misuse, leading to improper invasions of privacy. 
I think this is a very important study which likely will affect some of our policy decisions, and we will examine the report's findings once it is conducted in a future hearing.

With that background, I will introduce our distinguished witnesses as soon as the ranking member makes his comments.

STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM THE STATE OF VERMONT

Senator Leahy. Thank you, Mr. Chairman. We talk about ISP's and URL's and all this new language of the Internet age that Mr. Cerf and others gave us. And I thank you most of the time, Mr. Cerf. There are days when connections are slow when I don't, but that is not your fault.

What we are doing here actually is carrying on a 200-year conversation about how we assure the rights of the American people, the rights of all of you, the rights of me and the chairman and everybody else to be secure in their persons, in their houses, in their papers, and their effects, secure against unreasonable searches and seizures. That obviously goes back to the Constitution's Fourth Amendment.

Back at the time of the Framers, you gained access to a person's private effects by being there. You were going to find out what was in somebody's desk drawer by walking in the house and opening the desk. You were going to find out what papers they had in their inside pocket by searching them and searching their inside pocket. It is a lot different today. You can be a mile away or 10,000 miles away and search information about most families, certainly those who have computers and are on the Net. This is really the concern that I have.
On the one hand, I ask the question, are we dealing with a legitimate surveillance tool in a cyber age when we know that criminals can move billions of dollars electronically; when terrorists can plan damage from a point on another continent to a residence or a warehouse in the United States; when a kidnaper can deal with somebody in a different State, or where a child abuser can seek out a victim hundreds of miles away. But on the other hand, is this surveillance something that goes way beyond what we the American people want? It is legitimate to ask the FBI, which has come up with this unfortunately named device--and I suspect nobody has claimed credit as the author of the name, but we should not allow ourselves to be distracted simply by the name. Call it anything you want. The question we have to ask, and legitimately, is has the FBI given themselves a tool which allows them to go way beyond what the American people would allow, what the stated mandate of the FBI would allow, and certainly what the Congress or anyone else would accept. I think these are the kinds of questions that we have to ask because new communications technologies both have benefits and pose challenges to privacy and law enforcement. The Congress has, I think, worked successfully, in a bipartisan fashion, to mediate this tension with a combination of very stringent procedures for law enforcement access to our communications, but also legal protections to maintain privacy and confidentiality, whether it is in person, over the telephone, fax, computer, or elsewhere. In fact, in 1968 the Congress passed comprehensive legislation authorizing Government interception of voice communications over telephones, and so on. We returned to this in 1986, when we passed the Electronic Communications Privacy Act, which I sponsored. That law established procedures for law enforcement access to electronic mail systems, to remote data processing systems, and had privacy safeguards for computer uses. 
It talked about the way we get pen registers and traps, and so on. These pen register and trap and trace orders, though, were not to be used to identify or record the contents of the communications. Now, we have this new surveillance tool and we have to find out where it fits in the mix. I understand Carnivore is a surveillance tool, a software program developed by the FBI, installed by the FBI at the physical premise of an Internet service provider, to intercept Internet communications following a court order. The order may authorize capture of an entire communication or it may be limited to addressing information, sort of like a pen register. This program, though, is versatile enough that the FBI can use the same program to accommodate variations in court order authorizations. So I want to hear more about how it works, the precise kind of information the program produces to the FBI, and what controls the FBI has in place when Carnivore is used to ensure the program is operated only as authorized by the court order. This is keeping in mind the fact that usually the court orders are going to be designed exactly the way the Government wants them to be. But notwithstanding that--and I am sorry some of the courts may take offense at that, but that is a fact. And notwithstanding that, I want to make sure it still doesn't go beyond it. Carnivore is not ``freeware'' available for download and public scrutiny. So somewhere, somebody has got to be able to scrutinize it. I commend the Attorney General for her efforts to address this concern and hiring an independent contractor to conduct a technical review of the surveillance program. It is a constructive step that moves beyond the hypothetical discussions of Carnivore. Now, there is no dispute that the stringent legal requirements governing wiretaps apply to Carnivore when it is used to capture the content of e-mails or other computer transmissions. I think all of us here on the Judiciary Committee would agree with that. 
There is also no dispute that both the text and the subject line of an e-mail message are content which law enforcement may intercept only under a wiretap order. But we still want to know whether the legal standards for its use are adequate and exactly what it does.

Telephone companies regularly comply with wiretap and other legitimate surveillance orders, as do Internet service providers. But if the Internet service provider doesn't have the capability or willingness to do it, to execute court orders, fine; I will accept the fact that law enforcement can step in. I think Carnivore is for that. But, again, is it limited, and will it limit itself to what a willing ISP would give if they were willing to carry out the order themselves?

Second, Carnivore works by sifting through the Internet traffic of a particular ISP to capture the particular information or communication authorized by a court order. I think privacy advocates are rightly concerned about whether Carnivore accesses too much, not only too much information about Internet users, but also too much information about the communications that are the subject of the court order.

We know that the Internet breaks down communications into separate packets that are reassembled at the destination point. The FBI will say that Carnivore is able to find the different packets that make up a suspected Internet criminal's message only by sifting through all the traffic. Technically, that is correct, but that might not be a great comfort to all the other Internet users who are not subject to the court-ordered surveillance but have their messages being looked at.

It comes down to this: Carnivore is like a car. It can be very useful or it can be abused. You can drive back and forth to take your kids to school or you could have a drunk driver come down the road and wipe out a family.
What counts is the rules of the road, but also what counts is what license we give the driver, and I am interested in the license and hearing from the witnesses today whether surveillance rules we developed for the analog telephone environment and for the pre-Internet computer environment are adequate to protect our current expectations of privacy when we go online.

And I must say in that regard, Mr. Chairman, that we have the CALEA Act, which we all worked on very closely and worked closely with the FBI. And in many ways, the FBI has tried to push the envelope way beyond what I as one of the authors of that bill intended and what many of the others did. Because of that, I take a little more careful view of what they might say and whether the FBI now is going to push beyond the envelope of what they are allowed.

In closing, I am a strong proponent of the Internet. I don't know of anybody in the Senate who is a stronger proponent. But I am a defender of our constitutional right to speak freely, and also I have the typical Vermonter's view of privacy that we should keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can and must be respected when law enforcement agencies use surveillance tools to uncover and hold accountable criminal wrongdoers.

So, Mr. Chairman, I think you have an excellent hearing. I think it is a wise one to have. I would put my whole statement in the record so we can hear from the witnesses.

The Chairman. Well, thank you, Senator, and we will put all statements in the record at this point.

[The prepared statement of Senator Leahy follows:]

Prepared Statement of Senator Patrick J. Leahy

We will talk today about ISPs and URLs and other new language of the Internet age, but fundamentally we are continuing a 20-year-old conversation about how we assure the right of American people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures. This is both the promise and the mandate of our Constitution's Fourth Amendment.

The means by which law enforcement authorities may gain access to a person's private ``effects'' is no longer limited by physical proximity, as it was in the time of the Framers. New communications methods and surveillance devices have dramatically expanded the opportunities for surreptitious law enforcement access to private messages and records from remote locations.

In short, new communications technologies pose both benefits and challenges to privacy and law enforcement. The Congress has worked successfully in the past to mediate this tension with a combination of stringent procedures for law enforcement access to our communications and legal protections to maintain their privacy and confidentiality, whether they occur in person or over the telephone, fax machine or computer.

In 1968, the Congress passed comprehensive legislation authorizing government interception, under carefully defined circumstances, of voice communications over telephones or in person in Title III of the Omnibus Crime Control and Safe Streets Act. We returned to this important area in 1986, when we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, that outlined procedures for law enforcement access to electronic mail systems and remote data processing systems, and that provided important privacy safeguards for computer users.
ECPA also set forth the procedures for use, application and issuance of orders for pen registers and trap and trace devices that were to be used to identify the numbers dialed from a particular telephone line or the originating number of an incoming telephone call, respectively. As the Committee's report on ECPA makes clear, these pen register and trap and trace orders were not to be used ``to identify or record the contents of the communication.'' [Senate Comm. On the Judiciary, ``Electronic Communications Privacy Act of 1986'', S. Rep. No. 99-541, 99th Cong., 2d Sess. at p. 46 (1986).] This hearing will explore where the FBI's use of the new surveillance tool called ``Carnivore'' fits into that mix. As I understand this surveillance tool, Carnivore is a software program developed by the FBI and installed by the FBI at the physical premise of an Internet Service Provider to intercept Internet communications, in accordance with a court order. This court order may authorize capture of an entire communication, or it can be limited only to addressing information, akin to a pen register order for a telephone line. Carnivore is sufficiently versatile that the FBI can use the same program to accommodate variations in court order authorizations. I want to hear more about how the Carnivore program works, the precise kind of information the program produces to the FBI, and what controls the FBI has in place when Carnivore is used to insure the program is operated only as authorized by the applicable court order. Certainly, some of the concern over the FBI's use of Carnivore stems from the fact that the Carnivore program is not ``freeware'' available for download and public scrutiny. I commend the Attorney General for her efforts to address this concern and for moving forward to hire an independent contractor to conduct a technical review of the surveillance program. 
This is a constructive step to move beyond hypothetical discussions of Carnivore's theoretical capabilities to focus on the facts.

At the outset, let us be clear where there is no dispute. There is no dispute that the stringent legal requirements governing wiretaps apply to Carnivore when it is used to capture the content of e-mails or other computer transmissions. There is also no dispute that both the text and the subject line of an e-mail message are ``content'' which law enforcement may intercept only under a wiretap order. But fundamental questions remain about when the FBI chooses to use Carnivore, how the program works, and whether the legal standards that apply to its use are adequate.

First, telephone companies regularly comply with wiretap and other legitimate surveillance orders, as do Internet Service Providers. But if the trail of a criminal investigation leads to evidence in the custody of an Internet Service Provider that lacks the capability or willingness to conduct the interception as required in a court order, most of us agree that law enforcement authorities should not be stymied but should have the authority to pursue the trail. Indeed, it has been a long-standing tenet codified in the wiretap and pen register laws that providers of telephone services must furnish law enforcement officials with ``all information, facilities and technical assistance necessary to accomplish'' the interception or installation of the pen register device unobtrusively and with a minimum of interference with the service being provided to the person whose communications are to be intercepted.'' [18 U.S.C. Sec. 2518(4) and 3124(a).]

Carnivore was apparently created for use in just this circumstance--where the ISP is unable to assist directly in execution of the court-ordered surveillance. We want to hear today about whether use of Carnivore is limited to only that circumstance and what effect, if any, this use has on the integrity and function of the ISP.
As the principal Senate sponsor of the Communications Assistance for Law Enforcement Act (CALEA), I should note that we passed this law in 1994 to require telephone companies to be able to execute court orders for surveillance. That law was passed with the concurrence of the telecommunications industry, which wanted all participants to share the responsibilities and expenses of complying with such court orders. This law exempts ``information services'', however, including most ISPs. Consequently, the FBI has developed its own program to fill the gap if a particular ISP is unable or unwilling to assist in execution of a court order for surveillance. This is preferable, in my view, to legislation requiring ISPs to ramp up to execute court orders. Second, Carnivore apparently works by sifting through the Internet traffic of a particular ISP to capture the particular information or communication authorized by a court order. Privacy advocates are rightly concerned about whether Carnivore accesses too much--not only too much information about Internet users whose communications are not the subject of the court order, but also too much information about the communications that are the subject of the court order. The Internet works by breaking communications down into separate packets that are reassembled at the destination point. The FBI says that, as a technical matter, Carnivore is able to find the different packets that make up a suspected criminal's Internet message only by sifting through all the traffic. This is cold comfort to all the other Internet users, who are not the subject of any court ordered surveillance but nonetheless are having their Internet messages automatically screened by the FBI's Carnivore program. The FBI says that Carnivore can be used as the functional equivalent for the Internet of a pen register or trap and trace devices that provide information about the source or destination of a telephone call. 
Yet the addressing, or header, information on an Internet message may provide far more detail about the interests of the person sending the message than a dialed telephone number does. This prompts the question whether the same legal standard and procedure should apply to capturing Internet addressing information that applies to capturing telephone numbers.

Finally, Carnivore is like a car. It can be useful, or it can be abused. What counts are the rules of the road and the license we give the driver. I am interested in hearing from the witnesses today whether the surveillance rules we developed for the analogue telephone environment and for the pre-Internet computer environment are adequate to protect our current expectations of privacy when we go online.

I, for one, do not believe our current laws are adequate. That is why over a year ago I introduced the E-RIGHTS Act, S. 854, to update our laws and provide additional privacy protections for our online communications and records, including law enforcement access procedures and standards that are more in keeping with our current privacy expectations.

For example, a critical privacy issue confronting us today is the procedure by which law enforcement authorities obtain pen register and trap and trace orders. The controversy over Carnivore puts the shortcomings of that procedure in stark relief. Under current law, federal judges are no more than rubber stamps who are required to issue pen register or trap and trace orders whenever a prosecutor asks for them. Federal judges have no authority to ask ``why'' and to make sure that requested surveillance is necessary and justified. The E-RIGHTS Act proposes a procedure that would permit judges to ask for and get reasons for the surveillance. The Administration has recently transmitted proposed legislation that would modify this procedure in a fashion similar to the one I originally proposed.
I am a strong proponent of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can and must be respected when law enforcement agencies use surveillance tools to uncover and hold accountable criminal wrongdoers. I look forward to hearing from the witnesses today about whether Carnivore oversteps these bounds.

The Chairman. We have a distinguished group of witnesses here today. First, we will hear from Dr. Donald M. Kerr, who is the Assistant Director of the Federal Bureau of Investigation. Mr. Kerr heads the FBI lab that developed Carnivore and will be able to provide us with valuable insight from the Bureau.

Our next witness is Kevin V. Di Gregory, Deputy Assistant Attorney General of the Criminal Division, which includes the Computer Crimes and Intellectual Property Section at the Department of Justice.

After first hearing from these two witnesses, we will then hear from distinguished experts who will help guide us through the complex legal and technical issues involved in balancing the needs of law enforcement with the privacy rights of individuals.

So we will hear, after the first two, from Mr. Vinton G. Cerf of the Internet Society, a non-profit educational and research institution devoted to the continual evolution of the Internet. Mr. Cerf is also a senior vice president at WorldCom, where he is responsible for Internet architecture and technology. In 1997, Mr. Cerf was awarded the National Medal of Technology for his role in the invention and implementation of the Internet. We are very fortunate to have you here today and we look forward to taking your testimony.

Our next witness, Michael O'Neill, is an assistant professor of law at the George Mason University School of Law in Fairfax, VA. Professor O'Neill, who is a former Supreme Court clerk and current Commissioner on the U.S. Sentencing Commission, specializes in criminal law, criminal procedure, and constitutional law. Mr. O'Neill, we are very happy to have you back before the committee.

Next, we welcome James X. Dempsey, Senior Staff Counsel with the Center for Democracy and Technology, located here in Washington, DC. Mr. Dempsey is a respected leader in the privacy community. He has been a friend of the committee and has testified here before, so we are really happy to have you back and we look forward to hearing your testimony.

Our final witness is Professor Jeffrey Rosen, associate professor at the George Washington University Law School, located here in Washington. Professor Rosen teaches constitutional law, criminal procedure, and the law of privacy. He is also the legal affairs editor of the New Republic and has authored a book analyzing privacy issues. I wouldn't mind having one of the books if you could send it, OK?

Mr. Rosen. I will provide it for you Senator.

The Chairman. Good. I hope you autograph it.

Mr. Rosen. Absolutely.

The Chairman. We are fortunate to have each of you here today and we want to welcome you to our hearing on ``The Carnivore Controversy: Electronic Surveillance and Privacy in the Digital Age.'' This is a very, very important hearing and we look forward to hearing from each and every one of you. So we will turn to you, Mr. Kerr, and go from there.

PANEL CONSISTING OF DONALD M. KERR, ASSISTANT DIRECTOR, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON, DC, ACCOMPANIED BY LARRY R. PARKINSON, GENERAL COUNSEL, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON, DC; KEVIN V. DI GREGORY, DEPUTY ASSISTANT ATTORNEY GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC, ACCOMPANIED BY MARTHA STANSELL-GAMM, CHIEF, COMPUTER CRIMES AND INTELLECTUAL PROPERTY SECTION, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC; VINTON G. CERF, INTERNET TRUSTEE, INTERNET SOCIETY, RESTON, VA; MICHAEL O'NEILL, ASSISTANT PROFESSOR OF LAW, GEORGE MASON UNIVERSITY LAW SCHOOL, FAIRFAX, VA; JAMES X. DEMPSEY, SENIOR STAFF COUNSEL, CENTER FOR DEMOCRACY AND TECHNOLOGY, WASHINGTON, DC; AND JEFFREY ROSEN, ASSOCIATE PROFESSOR OF LAW, GEORGE WASHINGTON UNIVERSITY LAW SCHOOL, WASHINGTON, DC

STATEMENT OF DONALD M. KERR

Mr. Kerr. Good morning, Mr. Chairman, members of the committee. I am grateful for the opportunity to discuss the Internet and data interception capabilities developed by the FBI in response to the increased exploitation of computers, networks, and databases by terrorists, spies, and dangerous criminals to commit crimes and to harm the safety, security and privacy of others. I have provided a rather long statement for the record which I will spare you.

The Chairman. We will put all statements in the record as though they were fully delivered. We hope you can summarize.

Mr. Kerr. Thank you, Mr. Chairman, and I will simply briefly try to address some of the major issues covered in that statement.

The context for our development and use of the Carnivore e-mail intercept system and other similar tools is the significant increase in terrorist and criminal acts. For example, terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and to communicate relatively securely. An early instance of the use of secured information was the convicted terrorist Ramzi Yousef, who was the mastermind of the World Trade Center bombing, who, in fact, had encrypted files on his laptop for blowing up U.S. airplanes in various parts of the world.
Serious fraud, such as the one mentioned earlier in your opening statement, recently dramatized by a case in New York, in March, where 19 people were charged in an insider trading scheme--the commission of that fraud rested on the ability to enter chat rooms, in effect recruit people to provide information on two major brokerage firms' customers and, of course, share in the profits from the use of that illicitly obtained information. You are well aware of our Innocent Images program dealing with child pornography and sexual exploitation of children where, since 1995, the FBI has investigated nearly 800 cases involving adults traveling interstate to meet minors for the purpose of illegal sexual relationships, and more than 1,800 cases involving persons trading child pornography over the Internet. As mentioned, the FBI only conducts electronic surveillance pursuant to Federal law, and in particular acts pursuant to court order. The Federal electronics surveillance law has carefully balanced the constitutional and privacy rights of individuals, legitimate search and seizure needs of law enforcement, and the obligations placed upon communications and information service providers to cooperate. In enacting the Federal electronic surveillance laws, including title III and the ECPA-based transactional record and pen register trap and trace regimes, Congress specified appropriately strict procedures for law enforcement's interception of communications content, and also its access to communications transactional, addressing, and dialing information. Also, by law, the investigators must specify the steps that will be taken to minimize the acquisition of any non-criminal communications. A title III application must be approved by a Federal district court judge who, after authorizing the order, carefully monitors the progress of the surveillance by reviewing reports brought to the court usually every 7 to 10 days by the U.S. Attorney's Office. The U.S. 
Attorney's Office oversees the surveillance on a daily basis, and at the end of the surveillance the judge directs notice be given to those whose communications were intercepted. Under titles II and III of ECPA, law enforcement acquires transactional addressing and dialing type information pursuant to court orders based upon relevancy to an ongoing criminal investigation. These acquisitions, which include no communications content, can be obtained through approval by a Federal magistrate pursuant to applications from the U.S. Attorney's Office. Acquisitions under the pen register trap and trace regime last for 60 days, since they only pertain to the transactional addressing and dialing information. While the law requires no notice be given to the criminals or others concerning whom service provider communications transactional records are obtained, many service providers advise their subscribers after the investigation is concluded. Those who have raised concerns regarding Carnivore have principally asserted that through the use of Carnivore, the FBI is collecting more information than a given pen register or trap and trace court order permits. I want to speak to the safeguards we have in place, the techniques by which we deploy Carnivore, and in particular I think the great protections we offer for both personal privacy and the business interests of the Internet service providers. First of all, as you have correctly mentioned, Carnivore is both software and hardware. And because it is software in part, it can be configured to specifically comply with each court order. In doing that, we provide an audit trail. And, of course, you are well aware of the sanctions for misuse, both criminal and civil. It is a PC-based system. We maximize the use of commercial software to reduce risk and cost. 
It is installed by a team comprising a senior supervisory FBI special agent, typically an electronics technician, and one or more members of the Internet service provider's staff to be sure that we don't do something that would interfere with their system. But I would point out the case agent is not the one installing the system. People who are specifically trained in its use and the legal constraints on its use are the ones who do that. It is important to understand that it filters the Internet traffic. It is looking for the addressing information, and at the first stage it is looking for the Internet addresses that are covered in the court order and it picks off the packets that meet that test. It then goes through the subsequent filtering stage. If full content is allowed, it, of course, captures all of the packets relating to that message and records them in their digital form. If only the addressing information, the ``to'' and ``from'' lines, subject again to the court order, are captured, those are recorded. Once the recordings are made, there is no other information available to the FBI. We capture and record no other information, and those pieces of data are not available to us at any subsequent time. There is no real-time review of text because, in fact, we are dealing with systems where the information is transiting at rates, for instance, of 40 megabits a second. We have no one who can read 0s and 1s at 40 megabits a second and translate that into content. In fact, we only restore the message when content is authorized after recovering the recorded bits and bringing it back to our laboratory to recover the actual content of the message. We produce a record of all settings, and that becomes part of the evidentiary chain that we create. The system, in fact, is secured within the Internet service provider's spaces to provide physical chain of custody as well. 
In fact, in the newest version that we are intending to bring into use, we will provide the same authentication of the message information that we capture, as well as the settings, so that we will be able to testify later in court as to what the settings were, who set them up, and were any subsequent changes or alterations made. Carnivore does not adversely affect the business interests of the Internet service provider. I mentioned we safeguard their interests in part by collaborating with their technical staff. We always use the smallest segment of traffic through their system because, in fact, what we are after is just the message traffic of the subject of the court order. So if that can be delivered and the ISP can do it with their equipment, we accept that from them and, in fact, we reimburse them for providing that service. When the ISP does not have the equipment or the capability to meet the terms of the court order, we, in fact, use Carnivore, installed under the conditions that I mentioned. But recall there may be 15,000 ISP's in this country. Some of them are well capitalized and well equipped. Others are very small operations and would not have the capital to have in place an infrequently used capability or perhaps a never used capability. The Chairman. How many ISP's did you say are in the country? Mr. Kerr. I think approximately 15,000, but I think there are others at the table who know better. Mr. Cerf. Mr. Chairman, I can respond to that. I think probably that is a global number, as opposed to the number in the United States. So presumably your focus of attention is the number in the United States, but that still could be on the order of 8,000. So you are in the same order of magnitude. The Chairman. OK; sorry to interrupt you. Mr. Kerr. Not a problem. It is very helpful. 
Carnivore is a passive system and, in fact, it is isolated from the Internet service provider's network by a commercial device that allows for information to flow to Carnivore, but for no signals to flow from Carnivore into the system. And, of course, like all communications intercept equipment, it is removed as soon as the court order has expired. Overall, we think that the public should have trust and confidence in the FBI conduct of electronic surveillance under the legal guidance that we have. We first exhaust other means to get timely information. We always try to minimize the intrusiveness of our intercept, whether it be for e-mail or for telephones. We attempt to avoid undesirable consequences for telecommunications providers or Internet service providers. We cannot activate our capabilities without an appropriate order. There are sanctions in place that deter misuse. Broad search and surveillance is prohibited, and we seek specific evidence of criminal behavior, not broad information content. With that, Mr. Chairman, I will conclude my remarks and look forward to your questions. [The prepared statement of Mr. Kerr follows:] Prepared Statement of Donald M. Kerr Good morning, Mr. Chairman and Members of the Committee. I am grateful for this opportunity to discuss with you the FBI's Carnivore system--a system specially designed for effectively enforcing the law while at the same time fully complying with the law. Carnivore is a system which we are counting on to help us in critical ways in combating acts of terrorism, espionage, information warfare, hacking, and other serious and violent crimes occurring over the Internet, acts which threaten the security of our Nation and the safety of our people. 
In my statement, I will touch upon five points: why we need a system like Carnivore; why the public should have confidence that the FBI is lawfully using Carnivore; how Carnivore, as a special purpose electronic surveillance tool, works; why computer network service providers, with whom the FBI always works closely, should not be fearful about Carnivore's use with their networks; and, as an overarching matter, why the public should have trust in the FBI's conduct of electronic surveillance and in its use of the Carnivore system. In addressing these important points, we hope to set the record straight and allay any legal, privacy, network security, and trustworthiness concerns. Why does the FBI need a system like Carnivore? By now, it has become common knowledge that terrorists, spies, hackers, and dangerous criminals are increasingly using computers and computer networks, including the Internet, to carry out their heinous acts. In response to their serious threats to our Nation, to the safety of the American people, to the security of our communications infrastructure, and to the important commercial and private potentialities of a safe, secure, and vibrant Internet, the FBI has responded by concentrating its effort, including its technological efforts, and resources, to fight a broad array of Cyber-crimes. While the FBI has always, as a first instinct, sought to work cooperatively and closely with computer network service providers, software and equipment manufacturers, and many others to fight these crimes, it also became obvious that the FBI needed its own tools to fight this battle, especially where legal, evidentiary, and investigative imperatives required special purpose tools. One such tool is Carnivore, which I will discuss at length today. 
However, before discussing Carnivore, it is important to identify and briefly discuss some of the types of Cyber-crime threats which we in law enforcement have been encountering, and will encounter in the future, and concerning which Carnivore, and tools such as Carnivore, are of critical importance to the FBI. Terrorism Terrorist groups are increasingly using new information technology (IT) and the Internet to formulate plans, raise funds, spread propaganda, and communicate securely. In his statement on the worldwide threat in the year 2000, Director of Central Intelligence George Tenet testified that terrorist groups, ``including Hezbollah, HAMAS, the Abu Nidal organization, and Bin Laden's al Qa'ida organization are using computerized files, E-mail, and encryption to support their operations.'' As one example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners on encrypted files on his laptop computer. Other terrorist groups, such as the Internet Black Tigers (who are reportedly affiliated with the Tamil Tigers), engaged in attacks on foreign government websites and E-mail servers. ``Cyber terrorism''-- the use of Cyber tools to shut down critical national infrastructures (such as energy, telecommunications, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population--is emerging as a very real threat. Recently, the FBI uncovered a plot to break into National Guard armories and to steal the armaments and explosives necessary to simultaneously destroy multiple power transmission facilities in the Southern United States. After introducing a cooperating witness into the inner circle of this domestic terrorist group, it became clear that many of the communications of the group were occurring via E-mail. 
As the investigation closed, computer evidence disclosed that the group was downloading information about Ricin, the third most deadly toxin in the world. Without the fortunate ability to place a person in this group, the need and technological capability to intercept their E-mail communications' content and addressing information would have been imperative, if the FBI were to be able to detect and prevent these acts and successfully prosecute. Espionage Not surprisingly, foreign intelligence services have adapted to using Cyber tools as part of their espionage trade craft. Even as far back as 1986, before the worldwide surge in Internet use, the KGB employed German hackers to access Department of Defense systems in the well-known ``Cuckoo's Egg'' case. It should not surprise anyone to hear that foreign intelligence services increasingly view the Internet and computer intrusions as useful tools for acquiring sensitive U.S. government and private sector information. Information Warfare The prospect of ``information warfare'' by foreign militaries against our Nation's critical infrastructures is perhaps the greatest potential Cyber threat to our national security. We know that several foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. Knowing that they cannot match our military might with conventional weapons, nations see Cyber attacks on our critical infrastructures or military operations as a way to hit what they perceive as America's Achilles heel--our growing dependence on information technology in government and commercial operations. Two Chinese military officers recently published a book that called for the use of unconventional measures, including the propagation of computer viruses, to counterbalance the military power of the United States. 
And a Russian official has also commented that an attack on a national infrastructure could, ``by virtue of its catastrophic consequences, completely overlap with the use of [weapons] of mass destruction.'' Child Pornography and Sexual Exploitation of Children Through the FBI's ``Innocent Images'' case, and others, it has become abundantly clear that certain adults are using computers and the Internet widely to disseminate child pornography and to entice young children into illegal and often violent sexual activity. Such sexual predators find the Internet to be a well-suited medium to trap unwary children. Since 1995, the FBI has investigated nearly 800 cases involving adults traveling interstate to meet minors for the purpose of illegal sexual relationships, and more than 1850 cases involving persons trading child pornography--almost all of these involve the exchange of child pornography over the Internet. Serious Fraud One of the most serious criminal threats facing the Nation is the use of the Internet for fraudulent purposes. For example, securities offered over the Internet have added an entirely new dimension to securities fraud investigations. The North American Securities Administrators Association has estimated that Internet-related stock fraud results in a loss to investors of approximately $10 billion per year (or nearly $1 million per hour). In one case, on March 5, 2000, nineteen people were charged in a multimillion-dollar insider trading scheme. At the core of the scheme, the central ``insider'' figure went online and found others in ISP chat rooms. He soon was passing inside information on clients of several brokerage firms to two other individuals in exchange for a percentage of any profits they earned by acting on it. For 2 1/2 years, this person passed inside information, communicating almost solely through online chats and instant messages, with the insider receiving $170,000 in kickbacks while his partners made $500,000. 
Why should the public have confidence in the FBI's lawful use of Carnivore? There are a number of reasons why the public should have confidence in the FBI's lawful use of Carnivore. First of all, since 1986, with the enactment of the Electronic Communications Privacy Act of 1986 (ECPA), which amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Title III), Congress created statutory legal protection for all types of wire and electronic communications' content, including computer and Internet-based communications' content, consistent with the Constitution. The ECPA also created statutory privacy protection for ``transactional records'' pertaining to an electronic communications provider's provision of services to a customer or subscriber consistent with the Constitution. The term ``transactional records,'' as used here, includes addressing (e.g., in the context of E-mail communications, the ``to'' and ``from'' lines-- but not the ``subject'' or ``re'' lines) routing, billing, or other information maintained or generated by the service provider. ``Transactional records'' do not include the content (substance, purport or meaning) of E-mails or other communications. Correspondingly, in the ECPA, Congress regulated all governmental electronic surveillance interceptions of communications' content and all acquisitions of communications addressing and transactional record information consistent with the Constitution. Under the ECPA, all such electronic surveillance efforts require some form of court order, either a full Title III (probable cause-based) court order for obtaining communications' content or an ECPA-created court order based upon relevancy for communications' addressing and transactional record information. Of course, there are ``emergency'' provisions whereby surveillance is permitted to proceed immediately, when high-level Department of Justice authorization is obtained, so long as a court order is filed within 48 hours. 
Under Title III, applications for electronic surveillance must demonstrate probable cause and state with particularity and specificity: the offenses being committed, the communications facility regarding which the subject's communications are to be intercepted, a description of the types of conversations to be intercepted, and the identities of the persons committing the offenses and anticipated to be intercepted. Clearly, the criminal electronic surveillance laws focus on gathering hard evidence--not intelligence. Under this law, the FBI cannot, and does not, ``snoop.'' In obedience of the law, the FBI obtains judicial authorization, in terms of always obtaining the appropriate court order required when intercepting wire and electronic communications' content or when acquiring addressing information and transactional record information, or lawful consent, regardless of whether they are occurring over a computer or telecommunications network. The FBI's use of the Carnivore system--approximately 25 times in the last two years--has in every case and at all times been pursuant to such a judicially-granted court order or lawful consent. In every case, we only deploy Carnivore after serving a court order on an ISP (or after obtaining lawful consent of a party to the communication) and then only after working closely with the ISP technicians or engineers in installing it. Parenthetically, where the ISP is equipped to fully and properly implement the court order or consensual authorization, the FBI leaves the interception to the ISP and does not rely upon Carnivore. Moreover, if an FBI employee were to attempt to acquire such content or information using Carnivore without obtaining a court order or appropriate consent, it would be a serious violation of the law--a federal felony, thereby subjecting the employee to criminal prosecution, civil liability, and termination. 
Finally, FBI employees fully understand that the unlawful interception of the content of private communications will lead to the suppression of any and all tainted evidence and any evidence of fruits derived therefrom. In short, the penalties for violating the electronic surveillance laws are so severe as to dissuade any such unlawful behavior, even if someone were so inclined. Those who have raised legal concerns regarding Carnivore have principally asserted that (1) through its use of Carnivore, the FBI is collecting more information than a given pen register or trap and trace court order permits, or (2) while using Carnivore, the FBI is acquiring more information under such order than that order should lawfully permit. As to the first assertion (as will be explained in detail below), in many investigative situations (principally those involving pen register or trap and trace court orders), Carnivore--far better than any commercially-available sniffer--is configurable so as to filter with precision certain electronic computer traffic (i.e., the binary computer code, the fast-flowing streams of 0's and 1's) such that, in each case, FBI personnel only receive and see the specified communications addressing information associated with a particular criminal subject's service, concerning which a particular ECPA court order has been authorized. Further, to our knowledge, there are few, if any, electronic surveillance tools that perform like Carnivore, in terms of its being able to be tailored to comply with different court orders, owing to its ability to filter with precision computer code traffic. 
In fact, the genesis for some of the technological functionality of Carnivore was the result of the FBI's decision, made in light of privacy and investigative concerns, that prudent practice, with regard to computer network-based electronic surveillance, dictated that the communications' addressing information gleaned through technical equipment the FBI would be using should, to the fullest extent possible, correspond to that information authorized for acquisition and use under law. In this regard, prior to our development of Carnivore, the FBI, consistent with the Constitution and the legal mandate found in 18 U.S.C. 3121, was using ``technology reasonably available to it'' which permitted the acquisition of communications' addressing information, but which necessitated minimization. However, while the technology then available (principally commercial sniffers) worked as well as could be expected, as discussed in greater detail below, such equipment had never been designed as a law enforcement electronic surveillance tool, and hence had shortcomings. Not knowing if, or when, market forces would lead to the development of a law enforcement electronic surveillance tool, the FBI took the initiative. In this context, we want to make sure that both the Congress and the public understand that, in using Carnivore, there is no broad-brush acquisition by either Carnivore or by FBI personnel of the ``contents of the wire or electronic communications'' of all ISP users--such as to constitute an unauthorized Title III ``intercept.'' Carnivore only intercepts the communications of that particular criminal subject for which a Title III order has been obtained. 
Similarly, we want everyone to understand that, in using Carnivore, there is no broad brush collection, storage, or review, by either Carnivore or by FBI personnel, of the addressing or transactional information regarding any ISP user beyond that pertaining to the criminal subject's service for which an ECPA court order under 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d) has been obtained. As to the second assertion, some have stated that, in their opinion, the FBI is acquiring more information when it uses Carnivore to acquire communications addressing and transactional record information than it should be entitled to under the Constitution or under the ECPA statutory regimes found in Chapters 206 and 121 of Title 18 of the United States Code, and, in particular, under the court order authorities within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d). By way of response, and more to the point, it appears that much, if not most, of this contention regarding governmental access to communications addressing and transactional information emanates from concerns about the use of electronic surveillance generally, as opposed to the FBI's use of Carnivore in particular. However, there is little or nothing in law or Federal jurisprudence to support the contention that has been asserted in this regard. In 1979, the U.S. Supreme Court ruled that, because there was no justifiable or reasonable expectation of privacy in the electronic impulses dialed and transmitted over the telephone lines of a service provider to initiate a telephone call, no Fourth Amendment search or seizure was implicated, and, accordingly, that no legal right or protection regarding governmental acquisition of such information was cognizable or afforded under the Constitution (see, Smith v. Maryland, 442 U.S. 735 (1979)). Similarly, the U.S. 
Supreme Court had earlier found no Constitutional right or protection against the Government's warrantless acquisition of banking information that had been disclosed by a customer to a third party financial institution (see, United States v. Miller, 425 U.S. 435, 442-444 (1976)). Hence, then, at least as a matter of Constitutional law, the Supreme Court has found no Constitutional requirement for a probable cause-based warrant in order to acquire transactional records or information that a customer conveys or transmits to third parties such as banks and telephone service providers. In 1986, in enacting the ECPA's Title II and Title III provisions, the Congress was aware of the foregoing Supreme Court rulings and sought to ``create'' new privacy protection in statute to protect a subscriber's communications addressing and transactional record information. Also, just as it intended to afford statutory privacy protection for such information, Congress also created appropriate and commensurate court order authorities for lawful governmental use in acquiring such information. In doing so, Congress made very reasonable, considered, and balanced determinations as to the level of privacy protection that was appropriate for each type of information at issue. Now, although it is true that there have been great changes in computer technology since 1986, the core statutory privacy principles and fault lines applicable to protecting computer-based communications content, on the one hand, and communications addressing information, on the other, as well as to their lawful interception or acquisition, have remained quite stable. 
Since 1986, and long before the advent and use of Carnivore, the FBI and many other Federal, State, and local governmental authorities have been lawfully acquiring computer network-based addressing and transactional information from both telecommunications carriers and Internet Service Providers (ISPs) under court order as anticipated by Congress within the ECPA, i.e., the court order authorities set forth within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d). Governmental surveillance in this area has proceeded based upon the rightful premise that, with the appropriate ECPA court order(s), each and every type of communications addressing and transactional record information found within telecommunications and computer networks could be lawfully acquired. Since the ECPA was enacted, federal courts throughout the country have consistently authorized ECPA-based court orders applied for by the Department of Justice and the United States Attorneys' Offices, under the authorities set forth within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d), with regard to the types of governmental access to and acquisition of computer network addressing information currently being complained of, without finding Constitutional or statutory impediment. Finally, with specific reference to Carnivore, in the approximately 25 instances wherein its use has occurred, the courts have approved the applications, in terms of what was lawfully obtainable through the federal statutory regime(s) and/or court orders cited above, and in terms of the information which Carnivore, through its filtering, enables FBI personnel to lawfully receive or see under these regimes. In the only case challenging Carnivore's intended use (in a case involving the acquisition of E-mail addressing information under the court order authorities set forth within 18 U.S.C. 2703(c)(d) and 18 U.S.C. 
3123), the court sided with the Government, finding that the addressing information to be acquired through the Government's use of Carnivore was no more intrusive than the information acquired through a conventional pen register under 18 U.S.C. 3123. How does Carnivore work, and why the FBI believes Carnivore is superior from a legal, privacy, investigative, evidentiary and technological perspective to commercial sniffers Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information. For many electronic surveillance purposes, Carnivore is superior to any commercially available ``sniffer'' tool which ISP network administrators typically might use for network oversight, management, and trouble-shooting. In the ISP world such sniffers are the closest thing to what would be considered an electronic surveillance interception device. Such sniffers, however, were never designed or intended to be a special purpose electronic surveillance tool, and therefore they are not best suited to protect the privacy rights afforded by the Constitution or by statute. It's important to describe the context of when and how Carnivore is used and the way Carnivore works. It's most critical to clearly understand what Carnivore discloses and, more importantly, what it does not disclose to the FBI personnel who use it. 
First of all, as emphasized above, Carnivore is only employed when the FBI has a court order (or lawful consent) authorizing a particular type of interception or acquisition regarding a particular criminal subject user, user address, or account number. Second, when an ISP can completely, properly, and securely comply with the court order on its own, the FBI does not need to deploy Carnivore.\1\ Third, if a decision is made to use Carnivore, the FBI never deploys it without the cooperation and technical assistance of the ISP technicians and/or engineers. Fourth, through working with the ISP, Carnivore is positioned and isolated in the network so as to focus exclusively upon just that small segment of the network traffic where the subject's communications can be funneled. This is roughly analogous to using an electronic surveillance device only within a single trunk or cable within a telephone network. Stated differently, and contrary to the statements of some critics, Carnivore is not positioned to filter or access ``in a Big Brother mode, all subscriber traffic throughout an ISP network.''

---------------------------------------------------------------------------

\1\ In many instances, ISPs, particularly the larger ones, maintain certain technical capabilities which allow them to comply, or partially comply, with court orders. For example, certain ISPs have the capability to intercept or ``clone'' the E-mail transmitted to and from a particular criminal subject's account. In many instances, such capabilities are satisfactory and allow full compliance with a court order. However, as noted in the main text, in most cases, ISPs do not have such capabilities or cannot employ them in a secure manner. Also, most ``off the shelf'' sniffers or internal systems designed ad hoc to effect an electronic surveillance effort frequently lack the ability to properly discriminate between messages in a fashion that satisfies the court order. Further, many court orders go beyond E-mail, authorizing the acquisition of other messages or protocols, such as instant messaging. In these cases, obviously, a cloned mailbox would not be sufficient to comply with the order of the court.

---------------------------------------------------------------------------

In illustrating its functionality, it is important to understand that Carnivore's filtering operates in stages. Carnivore's first action is to filter a portion of an ISP's high speed network traffic. Specifically, it filters binary code--streams of 0's and 1's that flow through an ISP network, for example, at 40 mega-bits per second, and often at much higher speeds. Carnivore operates real time with these speeds. To visualize this, imagine a huge screen containing 40 million 0's and 1's flashing by on this screen for one second, and for one second only. Carnivore's first effort--entirely within the Carnivore box--is to identify within those 40 million 0's and 1's whether the particular identifying information of the criminal subject (for which a court order has been authorized) is there. If the subject's identifying information is detected, the packets of the subject's communication associated with the identifying information that was detected, and those alone, are segregated for additional filtering or storage. However, it's critically important to understand that all of those 40 million 0's and 1's associated with other communications are instantaneously vaporized after that one second. They are totally destroyed; they are not collected, saved, or stored. Hence, FBI personnel never see any of these 40 million 0's and 1's, not even for that one second. 
Continuing the illustration, if the subject's identifying information is not in that screen, then the next screen of 40 million 0's and 1's flashes by at the same rate, and the process described above is repeated in identical fashion until the subject's identifying information is detected.\2\

---------------------------------------------------------------------------
\2\ Parenthetically, some might argue that although the FBI does not collect, save, or store all of those 40 million bits per second, that it could if it chose to. In fact, that is simply not the case. The reason is that, even with substantial gigabit level storage, the hard drive storage would fill up in a matter of a few minutes, requiring constant replacement of the hard drives or alternatively the front end acquisition of large amounts of equipment space within an ISP's access space. Neither one of these scenarios is in any way realistic. But, for the sake of argument, even if such massive collection and storage could be marshaled, an equally gigantic effort would be required to process all of the 0's and 1's to produce intelligible English text. Then finally, there would have to be a huge dedication of FBI human resources to sift through the information--and for no discernable reason. The fact of the matter is that the FBI, focused upon the identified criminals/accounts under investigation, is normally ``swamped'' with evidence. The FBI simply has no interest in rummaging (``snooping'') through the immense number of communications of those ISP users that through mere happenstance traverse the same part of the network as the traffic of the criminal subject. As noted above, any such unauthorized rummaging would be a violation of law, subjecting FBI personnel to criminal prosecution, civil liability, and immediate termination of employment.
---------------------------------------------------------------------------

After exclusively segregating the subject's information for further machine processing, then a second stage of filtering is employed. At this point, and again all within the Carnivore box, Carnivore checks its programming to see what it should filter and collect for processing. In other words, it determines, as required by the specific wording of the court order, if it's supposed to comprehensively collect communications content--in a full title III or FISA mode--or, alternatively, whether it's only to collect pen register or trap and trace transactional and addressing information. Only information specified in the court order is being collected by Carnivore. Importantly, this is where some of Carnivore's key legal, evidentiary, and privacy-enhancing features really kick in. To address the particular concerns that have been raised regarding what is filtered and processed, and what FBI personnel see and don't see, it's useful to illustrate how Carnivore operates, for example, in a pen register or trap and trace transactional and addressing information mode, pursuant to authorities set forth within 18 U.S.C. 3123 and 18 U.S.C. 2703(c)(d). Under these circumstances, Carnivore only collects transactional and addressing information. It is programmed to filter out all content, including subject line and ``re'' information. For example, certain pen register or trap and trace orders will authorize collection of simply ``source,'' ``destination,'' date, time, and duration of the message. Others will authorize collection of ``source,'' ``destination,'' ``user account address,'' date, time, and duration. Again, each collection, and the filters being employed, are tailored to a particular court order's authorization.
At this point, an explanation on a more technological and functional level is warranted as to why, with regard to pen register and trap and trace transactional and addressing information usage, Carnivore's use was necessitated by certain privacy, evidentiary, and investigative concerns. Commercially-available sniffers do a very good job in many circumstances of filtering and segregating ISP information, especially in title III interceptions. However, in other cases, where more stringent legal, evidentiary, and law enforcement investigative requirements exist, many sniffers would collect either too much information, such as collecting all of the information regarding a given criminal subject's account, or, alternatively, fail to collect the authorized information at all. For example, because of differences and vagaries in network protocols and header addressing information and their implementations by ISPs, collections with these commercial sniffers often do not cut off the header addressing information at the precise point. This can lead to a small amount of a communications' content being included (such as the ``subject line'') which then must be minimized by human review. Hence, resort to commercial sniffers alone under certain circumstances raises privacy concerns and interferes with the FBI's investigative resources. While such sniffer capabilities might suffice for non-law enforcement administration purposes, it is less than perfect from a law enforcement point of view. Carnivore's development was driven by a need to address such issues. In another area with significant legal, evidentiary, and investigative ramifications, Carnivore is superior to commercial sniffers. Commercial sniffers are typically designed to work only with fixed IP addresses. Unfortunately, dynamic addressing within ISPs occurs probably in 98-99% of the cases. Hence, the use of commercial sniffers, without more, would be ineffective in 98-99% of court authorized collections.
Carnivore was specifically designed to interface with ISP networks so that when dynamic addressing occurs it can immediately respond to it. Finally, while it is true that other efforts with ISPs can address this problem, this problem is effectively and efficiently resolved technically by Carnivore. In still another area with significant legal, evidentiary, and investigative ramifications, Carnivore has the ability to filter and collect Simple Mail Transport Protocol (SMTP) traffic sent to or from a specific user. Most, if not all, commercial sniffers would collect all E-mails and then require a human visual search to find the targeted E-mail. This obviously is wanting from a privacy and operational perspective. Carnivore, on the other hand, has the ability to conduct very surgical acquisitions of only a targeted criminal subject's E-mail. To repeat, during all the filtering/processing noted above, no FBI personnel are seeing information--all of the information filtering/processing, and purely in a machine-readable format, is occurring exclusively ``within the box.'' Now, at the end of all the filtering and processing, there, of course, is information that ultimately is collected and stored for human review. Hence, what finally reaches the hands of FBI personnel in every case is simply and only that particular lawfully authorized by the court order--and no more. Finally, Carnivore includes another piece of important functionality. For evidentiary purposes, and as an audit history, Carnivore was also designed to append to an event file for each collection the filter configuration that was used in that collection. This information tells the FBI personnel--and indeed it tells the world, including a court, defense counsel, and a jury--what mode the device was operating in (what it was programmed to collect), so as to allay any suspicion that more information was being passed along to FBI personnel.
As you know, Rule 901 of the Federal Rules of Evidence requires the authentication of evidence as a precondition for its admissibility. The use of the Carnivore system by the FBI to intercept and store communications establishes, with much less human interaction and without the potential for human error, a trustworthy machine-based memorialization of the evidence. It also establishes a reliable first link in an undisturbed chain of custody, and it facilitates the ease and accuracy of a witness' testimony by permitting the witness to testify as to the retrieval of the evidence and as to the purely technological method by which the evidence was acquired and recorded. Finally, Carnivore is being upgraded by adding an integrity feature which will further demonstrate the authenticity of the information, by imprinting on the evidence the collection mode being used. It thus helps prove authenticity, by demonstrating that no alteration has been made to the filter settings employed or to the information obtained. As an evidentiary matter, such features strengthen showings of ``chain of custody,'' authenticity, and non-alteration.

Why computer network service providers should not be fearful about Carnivore's use with their networks

Notwithstanding assertions to the contrary, the Carnivore system is safe to operate with IP networks. As noted above, Carnivore is only installed in that small segment of the computer network through which the criminal subject's communications traffic will pass. The Carnivore system is connected with the network by a bridging device that physically prevents Carnivore from transmitting into the network. Thus, as a technological certainty, there is absolutely no way it could possibly have any ability to transmit any information or thing into the network. Importantly, Carnivore is only attached to the network after consultation with, and after obtaining the agreement and assistance of, technical personnel from the ISP.
It is worth noting that, to date, the FBI has never installed Carnivore with an ISP's network without first obtaining the assistance of the ISP's technical personnel. The Internet is a highly complex and heterogeneous environment in which to conduct electronic surveillance, and I can assure you that without the technical knowledge of the ISP's personnel, it would be very difficult, and in some instances impossible for law enforcement agencies to act unilaterally and successfully in implementing such a technical effort. Moreover, the FBI particularly depends upon the ISP personnel to understand the protocols and architecture of their particular networks. Some critics have also asserted that the use of the Carnivore system introduces significant new vulnerabilities for hacking access. But such assertions miss the mark. With regard to hacking, and considering the hacking methodologies most commonly employed, there would be absolutely no greater qualitative value in trying to use the Carnivore system as an access point than any other access point or node in the Internet, concerning which there are literally millions. Indeed, recognizing that Carnivore is a law enforcement surveillance tool, a hacker's attempted use of it as an access path would be particularly foolish inasmuch as access to Carnivore, as noted above, would never create an actual transmission path into the network. Lastly, there has been the suggestion, in prior Congressional testimony, that the Carnivore system had caused a network crash or other problems in the network of a particular ISP. Let me emphasize that such a suggestion is simply factually incorrect. In the instance cited, the cause of the network problem (there was no crash)--it was in the nature of a network slowdown--was programming steps undertaken exclusively by the ISP's technicians, and entirely on their own.
Why should the public have trust in the FBI's conduct of electronic surveillance, and, in particular, in its use of the Carnivore system

We believe that the American public should have trust in the FBI's conduct of electronic surveillance, principally because it has an outstanding record of lawfully complying with the Federal electronic surveillance laws which the Congress first enacted over thirty years ago, in 1968. Although the assertion of widespread 'illegal FBI wiretapping' is frequently made, and is an article of faith for some, the facts in no way support it. Any careful review of the dockets of the Federal courts offers no support to the assertion of FBI electronic surveillance abuse during these years. Indeed, all FBI electronic surveillance is authorized and carefully supervised by many different ``outside'' entities. To begin with, in every FBI investigation involving electronic surveillance, all surveillance efforts are approved, monitored, and overseen at each step of the way by both the local United States Attorneys Office and the appropriate U.S. District Court Judge (for Title IIIs) or Magistrate (for ECPA court orders). In surveillance conducted under the Foreign Intelligence Surveillance Act (FISA), FBI surveillance efforts are approved, monitored, and overseen by the Department of Justice's Office of Intelligence Policy and Review, and by the Foreign Intelligence Surveillance Court, respectively. Moreover, before any full-blown Title III or FISA electronic surveillance involving the interception of communications' content is approved, lengthy, multi-layered, and thorough reviews occur both within the FBI and within the Department of Justice, and, as a statutory mandate, high-level Department of Justice approval is required for all such surveillance. For more than three decades now, FBI electronic surveillance has been closely supervised and monitored by the Department of Justice. There has been no indication of FBI abuse.
Indeed, the Department of Justice typically points to the FBI as an agency model with regard to how to carefully and lawfully conduct electronic surveillance. Aside from Executive and Judicial Branch review of FBI electronic surveillance efforts, the Congress itself exercises frequent and ongoing oversight over the FBI's conduct of electronic surveillance in a number of ways. Year in and year out, numerous Congressional Committees (and their staff) involved in authorizations and appropriations scrutinize FBI expenditures, programs, and even equipment. Committees on the Judiciary and Intelligence frequently hold hearings, such as this, and submit written questions to be addressed by the FBI. Further, since Title III's enactment in 1968, the Congress has revisited the Federal electronic surveillance laws on a number of occasions: in 1978 (FISA), in 1986 (ECPA), and in 1994 (CALEA). And, as the Committee is well aware, each time the Federal electronic surveillance laws are updated there is a substantial subtext to the legislative initiative wherein the Congress considers and reconsiders whether such laws are working well and whether there is any significant indication of abuse such as to warrant the laws' curtailment or modification. However, with each of these pieces of legislation, the Congress has never found or suggested that the law enforcement community, in general, or the FBI, as an agency, in particular, was abusing the electronic surveillance authorities. Further, in recent years, it has become somewhat commonplace for members of the Congress to request a visit to the FBI's Engineering Research Facility (ERF) to permit themselves and/or their staff to understand FBI surveillance methodologies, etc., better. Beyond these, every year the Administrative Office of the United States Courts sends to the Congress the yearly "Wiretap Report" which specifies Federal, State, and local law enforcement's Title III electronic surveillance activities. 
Likewise, and also pursuant to Federal statute, every year the Department of Justice submits to the Congress a report regarding the use of pen register and traps and traces conducted by law enforcement agency components within the Department. Further, several years ago, as a part of the Anti-terrorism and Effective Death Penalty Act of 1996, the Congress requested a Report from the Department of Justice which was to specifically include a review of any abuse in law enforcement's conduct of electronic surveillance. In the Report submitted by the Department of Justice, it was pointed out that law enforcement errancy in this area was rare, and did not suggest any significant problem. In particular, there was no citation as to abuse by the FBI. At this point, it may be useful to briefly discuss another vital component in the overall electronic surveillance/Carnivore mix: the FBI personnel who use it. In this regard, the Committee would truly be missing a significant part of the story if we failed to point out the quality of the FBI personnel involved and the ways in which they perform their tasks. To begin with, to become an FBI employee requires a substantial showing of trustworthiness, lawfulness, and personal and professional integrity--all of which must be demonstrated through the conduct of an extensive and very thorough national security-level background investigation. To be sure, the structure of the FBI would quickly collapse if the agency and all of its onboard employees could not trust without reservation its new employees. And the FBI certainly does not recruit honest and law-abiding people only to turn around and employ them in corrupt and dishonest ways.
Indeed, in contrast with the requirements placed upon many of the personnel employed by telecommunications and computer network service providers (who may have some role in implementing electronic surveillance orders), all FBI employees are specifically sworn to uphold the Constitution, obey the law, and to faithfully execute the laws of the land. Of course, and as noted above, it is emphasized to all FBI employees that any type of illegal electronic surveillance would be a serious violation of the law--a federal felony, thereby subjecting the employee to criminal prosecution, civil liability, and termination. Further, FBI employees are made to fully understand that any unlawful surveillance will likely lead to the suppression of any and all tainted evidence and any evidence or fruits derived therefrom. In short, it is made clear that any such unlawful behavior will not be tolerated. All FBI personnel involved in conducting electronic surveillance are thoroughly and specifically trained about the Federal electronic surveillance laws. This is particularly so for the FBI Technically Trained Agents (TTAs) who receive specialized training in the conduct of electronic surveillance, including legal instruction, at the FBI's Engineering Research Facility (ERF) in Quantico, Virginia. This training weds together the black letter law with the ``hands on'' technical level implementations of electronic surveillance. Moreover, FBI personnel involved in electronic surveillance are involved in ongoing consultation with attorneys from the FBI's Office of the General Counsel, the FBI Field Office's Chief Division Counsel, the Department of Justice, and the Offices of United States Attorneys. Access to and the use of FBI electronic surveillance equipment is controlled administratively, and usually requires a trained specialist to operate it.
Hence, the large pool of FBI Special Agents and support employees never have access to, or competency in the use of, such highly-specialized pieces of surveillance equipment. In sum, over the last 32 years, the FBI's record of properly conducting court authorized electronic surveillance is a very good one--one that we believe should command the trust of the public and the Congress. With regard to Carnivore, it is a relatively new electronic surveillance tool, and has only been used within the last two years. Trust in the FBI's use of Carnivore, we believe, should at least in part rest upon the FBI's openness and willingness to discuss this device. Indeed, perhaps the most telling fact about Carnivore, as an electronic surveillance tool, is that in an unprecedented fashion, the FBI has shared with numerous entities in the public Carnivore's (and/or some of its technical counterparts') purpose and basic functionality--long before any concerns were raised and before any Congressional hearings were scheduled. Ironically, the most central fact and aspect of the entire matter has gotten lost: that the FBI has spent a considerable amount of time, money, and energy in developing an electronic surveillance tool with the exclusively laudable purposes of better satisfying the Constitutional standard of particularity, the Title III and ECPA precepts of minimization, as well as the legal, privacy-based, and societal concerns associated with careful, precise, and lawful surveillance efforts. As the Committee may be aware, the FBI has briefed a wide-ranging variety of entities: governmental attorneys, leading ISPs, leading Information Technology (IT) companies, leading telecommunications service providers, academic labs, and software manufacturers as to the functionality of the Carnivore system.
Hence, if, for the sake of argument, the FBI had ever possessed any untoward intentions, in terms of using Carnivore in a stealthy, illegal, or abusive way, it certainly went about pursuing them in the wrong way. In fact, the FBI's openness with regard to Carnivore should, in and of itself, properly and reasonably instill public confidence and trust, notwithstanding that some of its detractors may disagree with some aspect of Carnivore. Of course, with regard to Carnivore, the same strict personnel, legal, training, and security practices apply. Further, given that relatively few of these devices are even available throughout the entire FBI, those in existence are under the custody and control of but a few FBI technically-trained personnel. Finally, the FBI, in concert with the Department, has welcomed a review of the Carnivore system. The FBI believes that when all is said and done the FBI and the Carnivore device will receive a clean bill of health, and thereby hopefully more fully instill public confidence and trust in this important and critically needed investigative tool.

Conclusion

In conclusion, I would like to say that over the last ten years or more, we have witnessed a continuing, steady growth in computer and Internet-related crimes, including extremely serious acts in furtherance of terrorism, espionage, infrastructure attack, as well as the more conventional serious and violent crimes, to include child pornography and exploitation. These activities which have been planned or carried out, in part, using computers and the Internet pose challenges to the U.S. law enforcement community that we dare not fail to meet. In turn, the ability of the law enforcement community to effectively investigate and prevent these serious crimes is, in part, dependent upon our ability to lawfully and effectively intercept and acquire vital evidence of these crimes, and our ability to promptly respond to these harms that so threaten the American public.
As the Internet becomes more complex, so too do the challenges placed upon us to keep pace. Without the continued cooperation of our industry partners and important technological innovations such as the Carnivore system, such a task would be futile. I look forward to working with the Committee staff to provide more information and welcome your suggestions on this important issue. I will be happy to answer any questions that you may have. Thank You.

The Chairman. Thank you so much. Mr. Di Gregory, we will turn to you.

STATEMENT OF KEVIN V. DI GREGORY

Mr. Di Gregory. Thank you, Mr. Chairman. Thank you for allowing me the opportunity to testify about electronic surveillance and privacy in the digital age. We have seen, as you have already noted, the Internet flourish over the last 10 years. In that relatively short period of time, it has created vast benefits for citizens, businesses and governments, and appears to hold boundless promise. The Internet has spurred a new economy, and many businesses have been built and people employed through Internet sales of products and services. Others have assisted in building, maintaining and improving the Internet itself. The Internet has given people jobs, supported families and communities, and created new opportunities for commerce for America and the world. The Internet has touched our working lives, our social lives, and our family lives. As we have seen throughout history, however, there are those who would use powerful tools like the Internet to inflict harm on others. The Internet has not escaped this historical truth. Even in the Internet's relatively short existence, we have seen a wide range of criminal use of this technology. It has been used to commit traditional crimes against an ever widening number of victims. There are also those criminals intent on attacking and disrupting computers, computer networks, and the Internet itself.
In short, although the Internet provides an unparalleled opportunity for Americans to freely express ideas and conduct business and government, it also provides a very effective means for ill-motivated persons to breach the privacy and security of others. Many of the crimes that we confront everyday in the physical world are beginning to appear in the online world. Crimes like death threats, extortion, fraud, and child pornography are migrating to the Internet at a startling pace. The fourth amendment and laws addressing privacy and public safety serve as a framework for law enforcement to respond to this new forum for criminal activity. If law enforcement fails properly to respect individual privacy in its investigative techniques, the public's confidence in government will be eroded, evidence will be suppressed, and criminals will elude successful prosecution. If law enforcement is too timid in responding to cyber crime, however, we will, in effect, render cyberspace a safe haven for criminals and terrorists to communicate and carry out crime without fear of authorized government surveillance. If we fail to make the Internet safe, people's confidence in using the Internet and in e-commerce will decline, endangering those very benefits brought about by the information age. Proper balance is the key. Despite the fervor over the unfortunately named Carnivore, the truth of the matter is that Carnivore was created to provide us with a tool to help us enforce the laws and preserve the privacy of our citizens. To satisfy our obligations to the public to enforce the laws and preserve public safety, we use the same sorts of investigatory techniques and methods online as we do in the physical world, with the same careful attention to the strict constitutional and legal limits which apply. 
We must have an investigatory tool that helps us to investigate online in the same way as in the physical world, and enables us to obtain only the information we are authorized to obtain through a court order. For example, if a man is suspected of luring children for sex, law enforcement must determine with whom the suspect is communicating. In the recent past, such communications would have been carried out exclusively by telephone. To find out who the suspect is communicating with, law enforcement would obtain an order from a court authorizing the installation of a trap and trace and a pen register device, and either the telephone company or law enforcement would have installed the device to comply with the court's order. Thereafter, the source and destination of the calls would have been recorded. This is information that the Supreme Court has held in Smith v. Maryland is not subject to any reasonable expectation of privacy. Given the personal nature of the information, however, Congress required the Government to obtain an order under these circumstances. In this way, privacy is protected and law enforcement is able to conduct its investigation in its efforts to protect the public. Nowadays, that same suspect is more likely to operate through e-mail or other kinds of online communications. In attempting to investigate the criminal activity, law enforcement can apply to a court for an order to obtain in real time the e-mail addresses of those persons with whom the suspect is communicating through or by e-mail. Law enforcement needs to be able to quickly identify the source and destination of such e-mails to fulfill its obligations to the victims, in particular, and to the public generally. 
In the event that the investigation requires viewing the content of the e-mail, even just the subject line, then law enforcement must comply with the strict internal FBI and Department guidelines and the provisions of Title III of the Omnibus Crime Control and Safe Streets Act of 1968. When law enforcement uses a trap and trace, pen register, or a title III order in the online context, however, we have found that at times the Internet service provider has been able or even unwilling to supply the information we need. It is for that narrow set of circumstances that the FBI needs effective online investigative tools. Law enforcement cannot abdicate its responsibility to protect public safety simply because technology has changed. Rather, we believe the public rightfully expects that law enforcement will continue to be effective as criminal activity migrates to the Internet. Where the service provider cannot or will not comply with a court order to reveal addressing information or content of electronic communications, law enforcement must have some mechanism to obtain that information. It must have a tool that can obtain the information authorized by the court order, and I say again only that information authorized by the court order. The tool should be configurable so that, for example, it can be set to gather only the e-mail addresses of those persons with whom the suspect is communicating without any human being either from law enforcement or the service provider viewing the private information that is outside of the scope of the court order. Such a tool automatically reduces the data collected to only that permitted by the court, thus allowing law enforcement strictly to comply with the order and safeguarding the privacy of information outside the order. The FBI created Carnivore to be such a tool. We have numerous mechanisms in place to prevent possible misuse of electronic surveillance tools.
The fourth amendment, of course, restricts what law enforcement can do with the software, as do the statutory requirements of title III and the Electronic Communications Privacy Act. And, further, implementing orders of the courts will restrict us and will prevent possible misuse of electronic surveillance tools. For Federal title III applications, as you know, the Justice Department imposes its own guidelines on top of the privacy protections provided by the Constitution, statutes, and the courts. For example, before Carnivore can be used to intercept wire or electronic communications, with the limited exception of digital display pagers, the requesting investigative agency must obtain approval for the title III application from the Department of Justice. Specifically, the Office of Enforcement Operations in the Criminal Division of the Department reviews each proposed title III application to ensure that the interception satisfies fourth amendment requirements and is in compliance with applicable statutes and regulations. If the proposal clears the Office of Enforcement Operations, approval must generally be given then by a Deputy Assistant Attorney General in the Criminal Division. Typically, investigative agencies such as the FBI have similar but separate internal approval requirements. If the investigative agency and the Department of Justice approve a Federal title III request, it still must, of course, be approved by the proper court using familiar but exacting standards. By statute and internal departmental regulation, the interception may last no longer than 30 days without an extension by the court. Courts, as I alluded to earlier, often impose their own additional requirements. In addition, the remedies for violating title III or ECPA by improperly intercepting electronic communications include criminal sanctions and civil suits. For violations of the fourth amendment, of course, the remedy of suppression is also available. 
We recognize that notwithstanding the limited use of the software and the many protections in place, concerns remain about the computer program Carnivore. To address those concerns, the Attorney General has asked, as you have noted, Mr. Chairman, for an independent technical review of Carnivore to evaluate whether it performs the functions it was designed to perform, and does so without any greater threat to privacy or to the smooth operation of private service providers than would be posed by any other system that allows compliance with the law related to court-ordered interceptions. The technical reviewers will have whatever access they need to discharge their responsibilities, and their report will be made public to the maximum extent that is consistent with otherwise applicable law or contractual obligations and with preserving the continued effectiveness of the software. The report will also be reviewed by a high-level Department panel, chaired by the Assistant Attorney General for the Justice Management Division, Mr. Stephen Colgate, and including the Attorney General's chief science and technology officer; the Department's chief privacy officer; the Assistant Director of the FBI in charge of the Bureau's laboratory Division, Dr. Kerr; and a representative of the Department's Criminal Division. That panel will consider the positions of interested parties, such as industry and privacy groups, concerning the technical review and will report to the Attorney General. Mr. Chairman, thank you again for allowing me this opportunity to address our efforts to fight crime on the Internet and preserve the privacy rights conferred by the fourth amendment and statutes. The need to protect the privacy of our citizens from criminals, as well as the Government, is the paramount consideration in all our activities. The public is undoubtedly concerned about their online privacy and the potential for criminals, private industry and the Government to infringe upon it. 
The public is also deeply concerned, we believe, about their safety and security when exploring and using the ever-expanding reaches of the Internet. By deterring and punishing those criminals who violate individual privacy, ensuring the ability of law enforcement to fight cyber crime both promotes safety and security of Internet users and enhances user privacy. The Department of Justice stands ready to work with the members of this committee and others to achieve these important goals. Mr. Chairman, that concludes my prepared statement. We have provided the committee with my full written statement, and thank you very much. Hopefully, later, we will be able to answer any questions you or Senator Leahy may have. [The prepared statement of Mr. Di Gregory follows:] Prepared Statement of Kevin V. Di Gregory Mr. Chairman and Members of the Committee, I appreciate your providing me with this opportunity to testify about the computer program ``Carnivore.'' This Committee has previously heard from Deputy Attorney General Eric Holder and Assistant Attorney General for the Criminal Division James K. Robinson and concerning cybercrime issues. We are pleased to continue to participate in this very important dialogue today, and to address the imperative of protecting individual privacy on the Internet from unwarranted governmental intrusion, and the critical role the Department plays to ensure that the Internet is a safe and secure place for our citizens. Privacy and the Obligation to Provide Public Safety Our obligation to the public to enforce the laws is not limited to activities in the physical world; our responsibilities to the citizens to preserve their safety continues where illegal conduct is committed on-line or facilitated by the Internet. The public rightfully expects, for example, that law enforcement will investigate and prosecute child molesters who prey on children using electronic mail or other Internet communications tools. 
Similarly, of course, the duty of law enforcement to preserve privacy does not end where the Internet begins. The Fourth Amendment protects the rights of our citizens as we go on-line to work, learn and explore the Internet, just as the Fourth Amendment protects rights in the physical world. The goal of the Department is long-honored and noble: we must preserve the privacy of our citizens while protecting their safety. History has taught us, and our founding fathers recognized, that our citizens' liberty cannot thrive unless we can investigate, apprehend and prosecute those who engage in criminal conduct. At the same time, however, our founding fathers abhorred the disregard and abuse of privacy by the government in England. Privacy and public safety can be at odds in certain circumstances. The founders of this nation adopted the Fourth Amendment to address those situations. Under the Fourth Amendment, the government must demonstrate probable cause to a neutral magistrate before obtaining a warrant for a search, arrest, or other significant intrusion on privacy. Congress and the courts have also recognized that less intrusive investigative steps should be permitted under a less exacting threshold. The Electronic Communications Privacy Act establishes a three-tier system by which the government can obtain stored information from electronic communication service providers. In general, the government needs a search warrant to obtain the content of unretrieved communications (like e-mail), a court order to obtain transactional records, and a subpoena to obtain information identifying the subscriber. See Sec. Sec. 18 U.S.C. 2701-11. In addition, to obtain information identifying who is sending or receiving communications to or from a particular suspect, the government must obtain a ``trap and trace'' or ``pen register'' court order authorizing the recording of such information. See 18 U.S. 3121 et seq. 
Because of the privacy values it protects, the wiretap statute, 18 U.S.C. Sec. Sec. 2510-22, commonly known as Title III, places a higher burden on the real-time interception of oral, wire and electronic communications than even the Fourth Amendment requires. To listen to or record communications as they are happening, law enforcement must obtain a court order unless one of the specified statutory exceptions applies. To obtain such an order, the government must show that normal investigative techniques for obtaining the information have or are likely to fail are too dangerous, and that any interception will be conducted so as to ensure that the intrusion is minimized. The Fourth Amendment and statutory restrictions on government access to information do not prevent effective law enforcement. Rather, they provide boundaries for law enforcement, clarifying what is acceptable evidence gathering and what is not. Often, our obligations to enforce the law and our goal to preserve privacy are in complete harmony, such as when we apprehend and prosecute a criminal who has hacked into a computer containing the confidential records of others. In those instances where there is tension, we must find a proper balance. Law enforcement has a critical role to play in preserving privacy against intrusions by others. Although the primary mission of the Department of Justice is law enforcement, Attorney General Reno and the entire Department understand and share the legitimate concerns of all Americans with regard to personal privacy. If the Internet is to thrive and citizens' confidence in the Internet is to remain high, we can abandon neither the goal of on-line privacy nor the goal of public safety. The Department has been and will remain committed to protecting the privacy rights of individuals. We look forward to working with Congress and other concerned individuals to address these important matters in the months ahead. 
Keeping the Peace in Cyberspace Although the Fourth Amendment is over two centuries old, the Internet as we know it is still in its infancy. The huge advances in communications technology over the past decade have forever altered the landscape of society worldwide. The Internet provides a new forum in which citizens can communicate, transfer information, engage in commerce, play and expand their educational opportunities. These are but a few of the wonderful benefits of this rapidly evolving technology. As has happened to every major technological advance, however, we are seeing individuals and groups use the Internet to commit crimes. As the Department has noted in the past, this nation's vulnerability to computer crime is astonishingly high and threatens not only economic prosperity, but the privacy of our citizens and our country's critical infrastructure. Many of the crimes that we confront everyday in the physical world are migrating to the on-line world. Crimes like death threats, extortion, fraud and child pornography have migrated with startling speed to the Internet. The Fourth Amendment and laws addressing privacy and public safety serve as the framework for law enforcement to respond to this new forum for criminal activity. If law enforcement fails properly to respect individual privacy in its investigative techniques, the public's confidence in government will be eroded, evidence will be suppressed, and criminals will elude successful prosecution. If law enforcement is too timid in responding to cybercrime, however, we will, in effect, render cyberspace a safe haven for criminals and terrorists to communicate and carry out crime, without fear of authorized government surveillance. If we fail to make the Internet safe, people's confidence in using the Internet and e-commerce will decline, endangering the very benefits brought by the Information Age. Proper balance is the key. 
To meet our responsibilities to the public to enforce the laws and preserve the safety, we use the same sorts of investigative techniques and methods on-line as we do in the physical world, with the same careful attention to the strict constitutional, statutory, internal and court-ordered boundaries. For example, if a man is suspected of luring children for sex, law enforcement must determine with whom the suspect is communicating. In the recent past, such communications would have been carried out exclusively by telephone. To find out who the suspect is communicating with, law enforcement would obtain an order from a court authorizing the installation of a ``trap and trace'' and a ``pen register'' device, and either the telephone company or law enforcement would have installed these devices to comply with the court's order. Thereafter, the source and destination of calls would have been recorded. This is information that the Supreme Court has held is not subject to any reasonable expectation of privacy. Given the personal nature of this information, however, the law requires government to obtain an order under these circumstances. In this way, privacy is protected and law enforcement is able to investigate to protect the public. Now, that same suspect is more likely to operate through e-mail or other kinds of online communications. In attempting to investigate the criminal activity, law enforcement can apply to a court for an order to obtain in real time the e-mail addresses of those persons with whom the suspect is communicating through or by e-mail. Law enforcement needs to be able to quickly identify the source and destination of such e-mails to fulfill its obligations to the victims in particular and the public generally. 
In the event that the investigation requires viewing the content of the e-mail--even just the subject line--then law enforcement must comply with strict internal FBI and Department guidelines, and the provisions of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. Sec. Sec. 2510-2521. At times, Internet service providers may be unable to use their own technology to comply with court orders directing them to supply source and destination information or the content of communications. Law enforcement cannot abdicate its responsibility to protect public safety simply because technology has changed. Rather, the public rightfully expects that law enforcement will continue to be effective as criminal activity migrates to the Internet. It is for such narrow set of circumstances that the FBI designed ``Carnivore.'' When a criminal uses e-mail to send a kidnaping demand, to buy and sell illegal drugs or to distribute child pornography, law enforcement needs to know to whom he is sending messages and from whom he receives them. To get this information, we obtain a court order, which we serve on the appropriate service provider. Because of the nature of Internet communications, the addressing information (as opposed to the content of the communication itself) is often mixed in with other non-content data that we have no desire to gather. If the service provider can comply with the order and provide us with only the addressing information required by court order, it will do so and we will not employ any investigative tool. Where the service provider cannot or will not comply with a court order to reveal addressing information or content of electronic communications, law enforcement must have some mechanism to obtain the information. It must have a tool that can obtain the information authorized by court order, and only that information. 
The tool should be configurable such that, for example, it can be set to gather only the e-mail addresses of those persons with whom the kidnapper is communicating, without allowing any human being, either from law enforcement or the service provider, to view private information outside of the scope of the court's order. Such a tool automatically reduces the data collected to only that permitted by the court, thus allowing law enforcement strictly to comply with the order, and safeguarding the privacy of information outside the order. The FBI created Carnivore to be such a tool. We have numerous mechanisms in place to prevent possible misuse of electronic surveillance tools. The Fourth Amendment, of course, restricts what law enforcement can do with the software, as do the statutory requirements of Title III and the Electronic Communications Privacy Act, and the implementing orders of the courts. For federal Title III applications, the Department of Justice imposes its own guidelines on top of the privacy protections provided by the Constitution, statutes and the courts. For example, before Carnivore may be used to intercept the content of communications, the requesting investigative agency must obtain approval from the Department of Justice asking a court for a Title III order. The Office of Enforcement Operations in the Criminal Division of the Department reviews each proposed Title III application to ensure that the interception satisfies the protections of the Fourth Amendment and complies with applicable statutes and regulations. Even if the proposal clears the OEO, the application cannot go to a court without approval by a Deputy Assistant Attorney General or higher-level official in the Department. 
Although this requirement of high-level review is required by Title III only with regard to proposed intercepts of wire and oral communications, the Department voluntarily imposes the same level of review for proposed interceptions of electronic communications (except digital-display pagers). Typically, investigative agencies such as the Federal Bureau of Investigation have similar internal requirements, separate and apart from Constitutional, statutory or Department of Justice requirements. If the investigative agency and the Department of Justice approve a federal Title III request, it still must, of course, be submitted to and approved by a court of proper jurisdiction. The court will evaluate the application under the Fourth Amendment and using the familiar standards of Title III. By statute, for example, the application to the court must show, through sworn affidavit, why the intercept is necessary as opposed to other less-intrusive investigative techniques. The application must also provide additional detail, including whether there have been previous interceptions of communications of the target, the identity of the target (if known), the nature and location of the communications facilities, and a description of the type of communications sought and the offenses to which the communications relate. By statute and internal Department regulation, the interception may last no longer than 30 days without an extension by the court. Courts also often impose their own requirements. For example, many federal courts require that the investigators provide periodic reports setting forth information such as the number of communications intercepted, steps taken to minimize irrelevant traffic, and whether the interceptions have been fruitful. The court may, of course terminate the interception at any time. 
The remedies for violating Title II or ECPA by improperly intercepting electronic communications can include criminal sanctions, civil suit, and for law enforcement agents, adverse employment action. For violations of the Fourth Amendment, of course, the remedy of suppression is also available. The Justice Department and law enforcement across this nation are committed to continuing to work together and with their counterparts in other countries to develop and implement investigative strategies to successfully track, apprehend, and prosecute individuals who conduct criminal activity on the Internet. In so doing, the same privacy standards that apply in the physical world remain effective online. As the Committee is aware, the Administration recently transmitted to Congress a legislative proposal addressing various issues relating to cyber-security. Two portions of the bill relate directly to today's discussion. First, the Administration supports raising the statutory standards for intercepting the content of electronic communications so they are the same as those for intercepting telephone calls: high-level approval, use only in cases involving certain predicate offenses that are specified by statute, and statutory suppression of evidence derived from improper intercepts. Second, the Administration bill requires federal judges to confirm that the appropriate statutory predicates have been satisfied before issuing a pen register or trap-and-trace order. Those changes would apply to the use of Carnivore, and in important respects would simply confirm by statute the policies and procedures already followed by the Department of Justice. The Administration supports a balanced updating of laws to enhance protection of both privacy and public safety, and the bill contains important provisions that would be most helpful in the ongoing fight against cyber-crime. 
We recognize that, notwithstanding the limited use of the software and the many protections in place, concerns remain about the computer program. To address those concerns, the Attorney General has asked for an independent technical review of Carnivore to evaluate whether it performs the functions it was designed to perform, and does so without any greater threat to privacy or to the smooth operation of private service providers than would be posed by any other system that allows compliance with the law relating to court-ordered interceptions. The technical reviewers will have whatever access they need to discharge their responsibilities, and their report will be made public to the maximum extent that is consistent with otherwise applicable law or contractual obligations and with preserving the continued effectiveness of the software as a law-enforcement tool. The report will also be reviewed by a high-level Departmental panel, chaired by the Assistant Attorney General for the Justice Management Division and including the Attorney General's Chief Science & Technology Advisor, the Department's Chief Privacy Officer, the Assistant Director of the FBI in charge of the Bureau's Laboratory Division, and me. That panel will consider the positions of interested parties, such as industry and privacy groups, concerning the technical review, and will report to the Attorney General. Mr. Chairman, the Department of Justice takes privacy concerns seriously and takes a proactive leadership role in making cyberspace safer for all Americans. The cornerstone of our cybercrime prosecutor program is the Criminal Division's Computer Crime and Intellectual Property Section, known as CCIPS. Founded in 1991 as the Computer Crime Unit, CCIPS became a Section in 1996. CCIPS has grown from five attorneys in 1996 to nineteen today, and we need more to keep pace with the demand for their expertise. 
The attorneys in CCIPS work closely on computer crime cases with Assistant United States Attorneys known as ``Computer and Telecommunications Coordinators,'' or CTC's, in U.S. Attorney's Offices around the nation. Each CTC receives special training and equipment and serves as the district's expert on computer crime cases. CCIPS and the CTC's work together in prosecuting cases, spearheading training for local, state and federal law enforcement, working with international counterparts to address difficult international challenges, and providing legal and technical instruction to assist in the protection of this nation's critical infrastructures. CCIPS also provides its expertise to the public through its Internet website, www.cybercrime.gov. We are very proud of the work these people do and we will continue to work diligently to help stop criminals from victimizing people online. I also note that public education is an important component of the Attorney General's strategy on combating computer crime. As she often notes, the same children who recognize that it is wrong to steal a neighbor's mail or shoplift do not seem to understand that it is equally wrong to steal a neighbor's e-mail or copy a proprietary software or music file without paying for it. To remedy this problem, the Department of Justice, together with the Information Technology Association of America (ITAA), has embarked upon a national campaign to educate and raise awareness of computer responsibility and to provide resources to empower concerned citizens. The ``Cybercitizen Awareness Program'' seeks to engage children, young adults, and others on the basics of critical information protection and security and on the limits of acceptable online behavior. 
The objectives of the program are to give children an understanding of cyberspace benefits and responsibilities, an awareness of consequences resulting from the misuse of the medium and an understanding of the personal dangers that exist on the Internet and techniques to avoid being harmed. Conclusion Mr. Chairman, thank you again for allowing me this opportunity to address our efforts to fight crime on the Internet and preserve the privacy rights conferred by the Fourth Amendment and statute. The need to protect the privacy of our citizens from criminals as well as the government, is a paramount consideration in all our activities. The public is undoubtedly concerned about their on-line privacy, and the potential for criminals, private industry, and the government to infringe upon it. The public is also deeply concerned about their safety and security when exploring and using the ever-expanding reaches of the Internet. By deterring and punishing those criminals who violate individual privacy, ensuring the ability of law enforcement to fight cyber-crime both promotes the safety and security of Internet users and enhances user privacy. The Department of Justice stands ready to work with the Members of this Committee and others to achieve these important goals. Mr. Chairman, that concludes my prepared statement. I would be pleased to answer your questions. The Chairman. Thank you so much. Mr. Cerf, we will take your testimony at this time. STATEMENT OF VINTON G. CERF Mr. Cerf. Thank you very much, Mr. Chairman. It is a pleasure to be here. Good morning, Senator Leahy. It is a pleasure to see you again as well. I am here representing the Internet Society, although for purposes of identification, the chairman is quite correct, I also serve as senior vice president at WorldCom for Internet Architecture and Technology. For many, many years I worked on the Internet, and for a long time many of you know that getting the Internet protocol out there was an important goal. 
So I even had a T-shirt made to commemorative. It reads ``IP on everything,'' and that is what I have been doing for a long time. However, the FBI is now confronted with a serious problem because now that the Internet protocol is going everywhere, everyone wants to put all new applications on top of it. So, as a result, we have Internet telephony and television and radio and e-mail and World Wide Web. So now I have another T-shirt that says ``Everything on IP,'' although one could read this ``IP Under Everything,'' which is another way of thinking about it. That is the problem confronting the FBI today, is that these communications---- Senator Leahy. You have made sure this will be the one thing that we will remember from this hearing. [Laughter.] The Chairman. If you had any guts, you would have worn those T-shirts. Senator Leahy. Don't encourage him, Mr. Chairman. [Laughter.] Mr. Cerf. I don't know if I want to go there any further. Thank you, Mr. Chairman. The Chairman. But I have met a lot of your associates in this business and they wear T-shirts. Mr. Cerf. My purpose today is entirely technical. I am not prepared to, and I don't even consider myself competent to speak to the policy side of these questions. But I do want to make some attempt to explain how difficult it is to achieve what the Carnivore system tries to do, so let me remind you a little bit about the Internet. First of all, think of the packets that flow through it as if they are postcards. Postcards don't necessarily stay in order as they go through the Postal Service. This is true on the Internet as well. They get lost. In fact, in the Internet world sometimes we have to duplicate them in order to get reliable delivery to the far end. The other thing which is characteristic of the Internet is that it works with computers with a lot of software in them and the software is structured in layers. 
So the lowest layer is the Internet protocol layer, but there are layers on top of that, each one depending on the ones below it for performing the functions that achieve reliability or implement things like electronic mail. So as an example of what happens when someone is sending e-mail from place to place on the Net, let me start with an example. This is a simple little e-mail from Tom Bell to Vinton Cerf, and we will pretend like this is the original message that--for people back there, there you are. That is the original message that is prepared by the sender. But by the time the FBI gets a chance to look at it through the Carnivore System, what they will see is, in fact, not this message, but rather a series of envelopes which I have numbered 1, 2, 3 and 4. They may not see them in this order. They may see them in the order 1, 3, 2 and 4, depending on where the Carnivore system is actually located in the network. If it is close to the source of the messages, then it may actually see them in order. But because of retransmissions and other things, you may still see them out of order. What is more interesting is that when you open up one of these Internet packets to see what is in inside, what you discover is only a piece of the e-mail that started out as one whole message. And, in fact, you may not be able to tell from looking inside who it is from or where it is going because not all of the message is there. All of the header information that says ``to Vint Cerf'' and ``from Tom Bell'' may not be visible in the particular packet that you happen to have detected. So it is a big challenge for the Carnivore system to have its parameters set to filter out only those packets that have information in them that is useful to the surveillance. In fact, because of the way this system has been implemented, it is looking at each packet one at a time. It doesn't assemble them together and then look at them. It sees each one as if it were through a keyhole. 
As a result, if you don't see enough information in here, you will have to discard it because you won't, in fact, be able to identify it as useful to the surveillance. So they actually lose quite a bit of information. They don't see as much as they would if they were trying to assemble everything. The result is that they will see, for example, a subset of all the messages I may send and receive to someone as e-mail. If, on the other hand, they are permitted to record all of the information because the court order says they can see everything, then after they have captured these packets, you can put them back together and examine the complete messages and extract from them the part of the information that you are permitted to extract. Now, in order to do that properly, you are going to actually see everything in the message and you will have to filter out the part that says ``to'' and ``from'' because the physical way in which you pull these things together allows you to see the entire thing if you are permitted to see all of the traffic. If you are only permitted to see the packets, then you will just see those messages that happen to have in them enough information to identify this as an e-mail from Vint Cerf to a particular target. So I would argue that, technically speaking, the Carnivore system sees less than would be absolutely allowed in the case that they are only permitted to see the ``to'' and ``from'' addresses. If, however, they are permitted to see everything, they can, in fact, see everything and then have to filter that out and discard the portion of the traffic which is not relevant. Then the other thing that I want to point out, then, is that the placement of the Carnivore system is pretty crucial to all of this. I would like to make an analogy, if I could. Let's imagine for the sake of argument that our postal services are done with post office boxes, that we have no home addresses, we have no home delivery of postal mail. 
We all have to go to our post office boxes in order to retrieve our messages. The Internet behaves a lot like that because the mail systems are like post offices that contain post office boxes. The FBI's problem is that if they were trying to observe the traffic going from one party to another, from one post box to another, the only thing that they can see is traffic going between post offices, not post office boxes. All they get to see in the Internet packet is something that says this is the Annandale post office and this is the Springfield post office, and that is all the traffic they can see. You have to open it up and look deeper to figure out from which post office box it is going. That is why there is such concern that you may be seeing more than you are allowed to see. But my understanding of the way the Carnivore configuration is set up is it is very limited in its ability to capture packets with respect to the ``to'' and ``from'' addresses or the equivalent post office box addresses. So the last thing I would like to point out in this discussion is that the technology that allows people to protect privacy makes life even harder for the FBI in the course of doing this surveillance because if you use what is called end-to-end cryptography--and there is plenty of that now available both domestically and internationally--the object that they had to look at that was inside this packet to figure out the ``to'' and ``from'' addresses of the mail could be encrypted. As a result, the target may not be visible. So this makes the job of the FBI even more difficult in the event that end-to-end cryptography is used. I see that I have overstayed my welcome, but let me stop there and say that the FBI's implementation of Carnivore attempts, in my estimation, to limit the amount of information that is being captured, but it is very, very hard to do that successfully, and the cryptography makes their job even more difficult. 
I would be happy to answer any questions that may come about as a consequence of further discussion at this point. Thank you very much.

[The prepared statement of Mr. Cerf follows:]

Prepared Statement of Dr. Vinton G. Cerf

Mr. Chairman, my name is Vinton Cerf. I am present on behalf of the Internet Society, a non-profit educational and research institution devoted to the continued evolution and spread of the Internet on a global basis. For purposes of identification only, I am also senior vice president at WorldCom where I am responsible for Internet Architecture and Technology, but my testimony today is on behalf of the Internet Society where I serve as a trustee. I served as the founding president of the Society from 1992 to 1995 and have served on its board of trustees since 1992. In 1997, President Clinton awarded the National Medal of Technology to me and to Dr. Robert E. Kahn for our roles in the invention and implementation of the Internet. The purpose of my testimony today is technical. I hope to provide you, Mr. Chairman and the other members of the committee with a sense for how the Internet works and how the FBI Carnivore system operates within the architectural framework of the Internet. I thank you for this opportunity to share these technical ideas with you and I hope that they will prove to be useful as the committee considers the policy implications of the Carnivore technology. Let me begin by offering a simple analogy that has proven to be helpful in the past to explain some basic principles by which the Internet functions. To begin with, the Internet is not a single network but, rather a network of networks interlinked on a global scale. The precise figure is not known but there are probably on the order of 300,000 networks, worldwide, interconnected to form the Internet. There are an estimated 100 million service computers on the Internet and approximately 330 million users. 
These figures do not include laptops, desktops, mobile telephones and Internet-enabled appliances that are on the Internet on a sporadic basis. The technology used by the Internet to switch data among the computers on the network is called ``packet switching'' and is quite different from the technology used to support conventional voice telephony services. In the traditional voice telephone network, the end devices (telephones and fax machines, typically) ``dial'' each other up and the network forms end-to-end electronic circuits between the pair of communicating devices. The connection remains in place until one or the other device ``hangs up'' or, as occasionally happens, the telephone system accidentally disconnects the parties. As far back as 1961, it was recognized by a few individuals that a very different mode of operation would be appropriate to link networks of communicating computers. That technology eventually became known as ``packet switching.'' In principle, computers communicate with each other in a ``bursty'' fashion. That is, they compute for a while and then emit a burst of information, then go back to computing. This is particularly true in time-shared machines that serve many users concurrently. Each user feels as if he or she has the computer resource all to himself or herself, but in fact the computer is so much faster than the user, it is possible to appear to be a dedicated resource when, in fact, the machine serves each user in turn. The service rate is fast enough that, most of the time, the sharing is not noticed by users. Of course, if the resources of the serving computer are over-subscribed, users may in fact find themselves waiting for service. A ``packet'' is a brief computer message of perhaps a few thousand bits (up to a thousand or so characters) containing some indication of the source of the message and the destination in addition to the content. 
The best analogy that I have been able to come up with so far is to compare packets to ordinary post cards. Each postcard has a ``from:'' address and a ``to:'' address. So does each Internet packet, but the packet addresses are Internet addresses that are something like telephone numbers. A postcard has a finite amount of content, and so does an Internet packet. When you put a postcard into the postal system, it is picked up from the postbox and transported to the destination, passing through one or more post offices and carried by truck, plane, train, boat or even on foot on its way to the destination. Similarly, an Internet packet may be carried over optical fiber, telephone twisted pair copper lines, coaxial television cables, point to point radio or satellite. When you put a postcard into the postal system, there is no guarantee that it will come out! The same is true of an Internet packet! When you put two postcards into the postal system there is no guarantee that they will come out in the same order they went in, even if addressed to the same destination. The same is true of Internet packets. The Internet does one other thing that the Post Office does not do. Occasionally it will deliver duplicate packets to the destination--that's not a feature of the U.S. Postal Service, as far as I am aware. As postcards are routed through the postal service, they are forwarded from one post office to another until they reach the destination post office after which they are delivered to the target address. Devices called ``routers'' serve the same function in the Internet as post offices in the sense that they take in packets and forward them from router to router until the destination is reached. The Internet uses what is called the Internet Protocol to forward packets between computers in what is, effectively, a kind of computer post card service. A ``protocol'' is simply a set of conventions and formats used to achieve communications. 
The postal service dictates that addresses take a certain format and occupy certain places in a postcard--Internet packets have their own format and procedures for being injected into and taken out of the Internet. The standards and procedures used by the Internet are essentially developed by a body called the Internet Engineering Task Force and the architecture of the Internet is looked after by the Internet Architecture Board. These two groups operate under the auspices of the Internet Society. There is more, however, to Internet than the basic Internet Protocol (the electronic postcard system). The Internet architecture is called a ``layered'' system because there are actually several layers of procedures. Each higher level procedure or protocol relies on the lower level protocol(s) to perform basic functions. One sometimes hears or reads the expression ``TCP/IP'' in association with the Internet. TCP stands for Transmission Control Protocol and IP stands for Internet Protocol. These are the two basic protocols that Bob Kahn and I began working on in 1973 and they form the basis of the Internet as we know it today. The Internet Protocol was designed to operate on top of virtually any digital transmission and switching system and, in fact, I have had a T-shirt made to emphasize this notion. The T-shirt reads ``IP on Everything''! The Internet Protocol, as you should now realize, does not guarantee the reliability of the packets it transports, nor does it assure ordering, or the path over which the packets are transported. But there are a great many applications that require these features, and more, to function successfully. The Transmission Control Protocol (TCP) was designed to make up for the deficiencies of the Internet Protocol by keeping things in sequence, recovering from loss and filtering out duplicates. To see how TCP does this, another analogy is useful. 
Let us suppose that Senator Hatch wants to send a book to Senator Leahy by means of a postal service that can only carry postcards. How would he set about accomplishing this task? He would first have to remove pages of the book and cut them up to fit on post cards. Then he would notice that not every postcard had a page number so Senator Leahy might have difficulty piecing the post cards back in the right order, so he would decide to number each page. Then he would remember that not all the postcards would necessarily reach Senator Leahy, so he would keep copies of them in case duplicates had to be sent. Then he would wonder how he would know when to send duplicates. Senator Leahy might then think of a good idea: he would occasionally send a postcard back to Senator Hatch to say that he'd gotten every postcard up to, say, number 402. But then Senator Leahy would remember that his postcard might not reach Senator Hatch. At this point, both Senators would conclude that Senator Hatch will have to have some kind of time-out, after which he would begin sending copies of postcards that had not been acknowledged, until he receives confirming postcards from Senator Leahy. Finally, Senator Leahy would remind Senator Hatch that his mailbox can hold only a finite number of postcards. If the book Senator Hatch wants to send turns into 1000 postcards but Senator Leahy's mailbox can only hold 200 at a time, both Senators might conclude that if by a miracle, the US Post Office actually delivered all 1000 postcards at the same time, some of them might get lost if they didn't fit into Senator Leahy's mailbox. This would lead them to conclude that they should agree that Senator Hatch won't send more than 200 postcards at a time and would not have more than that ``outstanding'' until Senator Leahy has confirmed their receipt. Well, in principle, that is the way the TCP protocol turns the simpler Internet Protocol into a reliable, sequenced and flow-controlled service. 
This isn't quite the way in which Bob Kahn and I developed the TCP but it isn't very far away from the basic reasoning! At this point, it is possible to explain how the FBI's Carnivore observation system makes use of the Internet and to outline the limitations of its operation. In this brief exposition, I will assume that the Senate Judiciary Committee members are well-acquainted with the legal basis on which the FBI occasionally is granted permission to intercept domestic communications in the course of enforcing the laws of the United States. As I understand the law, such surveillance is carried out only after the conduct of judicial proceedings intended to assure that any such surveillance is documented and justified. In the past, such surveillance has been associated with the interception of telephone-based communications but just like the rest of the citizens of the United States, law-breakers are making increasing use of electronic mail and other kinds of Internet-based communication, including such things as chat rooms, in the conduct of their activities. The FBI, in recognition of this trend, has developed new methods of observing computer-based communications and one such system has been named ``Carnivore.'' To understand what Carnivore is and how it works, we need to take one more foray into the world of analogies. I mentioned earlier that the Internet architecture is ``layered''--that is, it consists of a number of different protocols each one layered on top of the other and each layer relying on the one below it for certain functions. For example, the Internet Protocol layer that performs the forwarding of packets relies on the lower levels to actually transport the bits of information that make up each packet. The TCP layer relies on the Internet Protocol to deliver packets, and TCP makes sure they are put back in order and retransmitted if any are lost. 
The electronic mail service has its own protocol (called Simple Mail Transport Protocol or SMTP) and that service makes use of TCP. It turns email messages into TCP streams of data that are broken up into Internet packets and sent by varying paths toward the destination where the packets are reassembled first into a sequenced stream of information by TCP and parsed into messages again by the SMTP. The layered architecture is mirrored in the implementation of the software that uses the protocols. The email client software that is used to compose email produces the text of messages that look something like:

    Date: Tue, 05 Sep 2000 19:27:05 +0100
    From:
    Subject: Thank you
    To:

    Dear Sir,

    I would like to thank you for the very useful information that you included in reply to my request.

    Sharon Bell

This text is to be sent to the electronic mail box of user Vinton.G.Cerf on the computer on the Internet that has the ``domain name'' wcom.com (``To: [email protected]''). However, the email composition program knows that the TCP service does not know where computer ``wcom.com'' is on the Internet. So it ``looks up'' the name of this computer in a distributed directory called the Domain Name System, and discovers that the Internet address of this computer is: 204.176.69.71. You can think of this as a kind of Internet telephone number for purposes of this exercise. The email composition program creates a kind of envelope that it addresses to 204.176.69.71, puts a return address of the Internet address of the computer that is sending the email, say 170.127.34.16, and places the email message in the envelope. In spirit, the envelope looks something like:

    From: 170.127.34.16
    To: 204.176.69.71
    (Attention: For the SMTP service via the TCP program)

The TCP program takes this envelope and cuts it into pieces (including the contents!!) 
and sends the pieces in smaller envelopes that are addressed, again by analogy:

    From: 170.127.34.16
    To: 204.176.69.71
    (Attention: for the TCP Program via the Internet Protocol)

These smaller envelopes function like the Internet Postcards that were introduced in the earlier part of this testimony. They are sent through the series of computers we call ``routers'' that serve in the same fashion as post offices, to forward the traffic by potentially different paths to the destination. At the destination computer (``wcom.com''), the process is reversed and the small Internet Protocol envelopes are opened, the contents reassembled by the TCP program into a message and the result is handed to the SMTP receiving program. That program puts the received message away in the mailbox associated with Vinton.G.Cerf on the wcom.com computer. Later, when user Vinton.G.Cerf runs the email reading and composition program he will be able to see the message and to respond to it. The important concepts to take away from these preliminary remarks are:

1. The concept of packets (``postcards'');

2. The idea that packets do not always stay in order, may be lost, and may even travel on distinct paths through the Internet;

3. The understanding that there are tens of thousands of Internet Service Providers around the world operating hundreds of thousands of networks that make up the Internet and that traffic may flow through a number of such networks as it flows from source to destination; and

4. The concept of layering and the notion that each layer ``envelopes'' the information generated by the layer above and that anyone observing traffic on a particular circuit that carries Internet packets will actually be observing pieces of messages (or files or bits of digitized sound) carried in the small Internet Protocol envelopes.

The Carnivore system is a computer that tries to observe the traffic (Internet packets) flowing on a circuit within the Internet. 
Its objective is to try to find only those packets that may be relevant to an ongoing investigation and to ignore others (both for legal reasons and simply to deal with the potentially enormous flow of traffic that may require filtering). It's a bit like trying to find a particular shrimp in the intake of a baleen whale! The physical location of the Carnivore computer is important. If it is observing traffic somewhere in the middle of the Internet, it may not even see all the packets that correspond to a particular exchange between computers or even a complete transmission from one computer to another. One could try to place Carnivore computers at different locations in the Internet, hoping to catch all the requisite traffic but in fact, the only way to achieve reasonable success is to locate the Carnivore computer so it can observe all the traffic going to and from the computer under observation. That may mean locating the Carnivore computer where it can see everything going into and out of the location of the subject of surveillance, watching all traffic going to and from the subject's laptop or desktop, or locating the Carnivore computer at the Internet Service Provider who serves that subject and placing it in such a way that the traffic going to and from the subject's email server computer can be observed. Furthermore, since the Carnivore looks at each individual Internet packet and does not perform reassembly of the packets in real time, there are some limits to what the software can do to recognize relevant traffic. It can plainly see the ``to:'' and ``from'' Internet address of the Internet packets (e.g., 170.127.34.16). It may not be able to see the ``To: [email protected]'' in every packet because this is NOT contained in every Internet packet. One has to reassemble the message at the SMTP level of protocol (two layers above the Internet Protocol) to be assured of seeing this. 
But this may require that all the packets or most of the Internet packets carrying the email be intercepted and this may or may not be assured, depending on the rate at which these Internet packets must be examined by Carnivore and whether most of the packets are actually present on the circuit being monitored. The Carnivore operators have the ability to be very precise about which Internet addresses are of interest and can ignore all other traffic. They can tell which protocols are being carried in these Internet packets (TCP, among others, including streaming protocols based on the so-called User Datagram Protocol). If the contents of the IP packets are NOT encrypted they will be able to see for what layer of protocol above TCP or UDP the traffic is intended so they could distinguish email (SMTP) from file transfer (FTP) from World Wide Web traffic (HTTP). If the contents of the TCP traffic is encrypted, as it often is with the World Wide Web for financial transactions, it is not possible in real time for the Carnivore system to see any deeper into the traffic than to know that it is World Wide Web traffic. The encryption is often quite robust, using up to 128 bit keys and strong cryptographic codes. Some of the more recent standards for security for the Internet even introduce cryptography at the level of the Internet Packet so that its contents are encrypted end to end. Both the current version 4 IP protocol and the more recent version 6 IP protocol have provisions for such encryption using the so-called IPSEC standard. The Carnivore system has been configured so that it is possible to limit the amount of information retrieved from any particular packet so that, for example, the only information that might be collected is the source or destination address of the Internet packet and none of the content. 
It is my understanding that the Carnivore implementers have gone to considerable length to build in mechanisms to restrict traffic capture to conform to the limitations that any particular court-approved surveillance may impose. In summary, the Carnivore system is a fairly basic system that must do its work by observing single packets of traffic at a time and attempt to determine based on a limited set of parameters whether this packet is relevant to the desired surveillance. It is not a system that is capable of observing all the traffic flowing through the Internet at once nor even all the traffic flowing through any one reasonably-sized Internet Service Provider's system. It is also important to note that this system is not unlike commercially available tools that help network operators debug problems in the network by analyzing the protocols that are in use and observing the states that these protocols go through in the course of an interaction. These protocol analyzers generally do not capture packet contents but rather work their way up through the ``envelopes'' to understand the sequences of events that may be causing a problem for the users or operators of a particular ISP or a collection of them. Readers of this testimony should remember that reasoning by analogy can sometimes lead to incorrect conclusions. I hope the use of analogy has been educational and not misleading, but precision answers about Carnivore should be sought from the engineers who have designed it, and not drawn solely on the basis of the analogies I have tried to use to explain the concepts behind its operation. Thank you.

The Chairman. Thank you, Mr. Cerf. Professor O'Neill, we will turn to you.

STATEMENT OF MICHAEL O'NEILL

Mr. O'Neill. 
Chairman Hatch, Senator Leahy, I welcome this opportunity to testify regarding a topic that should obviously be of great interest to us all, and that is, namely, the appropriate way in which law enforcement interests should be balanced against what Justice Douglas once called our fundamental right to be left alone. I think I would also like to just take a second and just thank Mr. Cerf, as well, for helping to design something that has helped break the grip that TV formerly held on my life. I do not wish to belabor points that have already been made, nor am I here to make claims that Carnivore is going to eat the Constitution or that if we fail to deploy it that crime will somehow run rampant. I think it is safe to say that none of us in this room likely wishes to live in a police state, nor do we particularly wish to live in a state of anarchy either. We live now in a time of profound technological change, and the communications revolution has been a part of that change. Change, however, is not without its costs. Privacy, one of the fundamental rights underpinning our society, is presently under assault as perhaps never before, and not only by the government, but also by business interests. On the other side of the equation, however, criminal enterprises have been increasingly willing to utilize technological innovations to achieve their own ends and thereby threaten our personal security. While we may stand at the brink of a new world in terms of information, however, we still have old rules, rules that have served to guide us well for over 200 years and that will continue to serve as a guide for us for our understanding and ultimately controlling the many technological transformations surrounding us. With that in mind, I would like to address two fundamental issues. One, is Carnivore, at least as I understand the software to operate, compatible with the requirements of the Fourth Amendment? 
And, two, what role should Congress play in ensuring that both significant privacy and security interests are addressed? Our Constitution presupposes that, as citizens, we enjoy a sphere of action free from governmental interference. To this end, the Drafters of the Bill of Rights had the foresight to include as a fundamental guarantee to protect the right of the people in their persons, houses, papers and effects against unreasonable searches and seizures. The term ``unreasonable'' is really key here. We are protected, at least from the government, only against those searches that are per se unreasonable. The fourth amendment's reasonableness requirement has an important application to today's debate; namely, after all, what is deemed unreasonable is entirely and ultimately a social construct. It is, at the end of the day, for the people to decide what is and is not a reasonable intrusion into their private affairs. The difficulty I have in coming before you today is that I am not at all confident that I know what is reasonable in this particular context. If polled, most individuals, I suspect, would assume and likely prefer that their e-mails be every bit as secure, if not more so, than standard snail mail. The evolution of the privacy/security struggle has been well defined in the development of fourth amendment law. In Olmstead v. United States, a 1928 case that was sort of the harbinger of the wiretap and ultimately the electronic surveillance revolution, the Supreme Court considered whether warrantless wiretapping violated the fourth amendment. The Court found ultimately no constitutional violation because surveillance was accomplished without intruding upon the defendant's physical property. Justice Brandeis, however, penned a thoughtful dissent in which he observed that constitutional principles were undermined to the extent that the Court focused exclusively on the means of communication. 
He reasoned that the Constitution must be interpreted with technological advancements in mind to preserve fundamental rights and liberties. Foreshadowing those advancements, he warned that, quote, ``Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered at in the closet.'' Now, the Court ultimately adopted Justice Brandeis' view toward wiretapping. In Katz v. United States, it declared that the Fourth Amendment protects people, not places, and held wiretapping permissible only after the issuance of a valid warrant. This decision expressly overruled Olmstead, replacing the previous focus on the means of the communication with an appreciation for the fact that the communication itself was the source of the constitutional right. The Court subsequently revisited this area in Maryland v. Smith, a 1979 case that you have heard the executive branch relied upon to justify its claim that there is no expectation of privacy in an Internet address. In Smith, however, the Court reasoned that there is no legitimate expectation of privacy in a number being dialed on a telephone. It is important to understand, however, that the Court found that individuals do not have this expectation of privacy because pen registers themselves do not acquire the contents of communications. The technology in question was limited to this single function. This neat categorization, however, may not apply to technologies such as Carnivore which may have far greater information-gathering abilities. A URL, for example, can disclose specific pages visited, sites visited, or even items that have been purchased or browsed on the Internet. And as people move more of their lives online, a list of e-mails sent or Web sites visited can provide a very detailed dossier of activities, all available without the heightened standards of a wiretap or even a regular fourth amendment warrant. 
This is far more akin to walking into somebody's office and snooping around in their file cabinet than it is to standing on the street corner and writing down their physical address. Given the wealth of information obtainable by means of an Internet address, perhaps it is time to rethink our privacy expectations online. Indeed, I think it is increasingly difficult to say that you don't have an expectation of privacy in information that is in the hands of a third party. If the vision of an open, PC-less Internet world is to come to pass, it will be the case that much of our lives will be in the hands of third parties. Indeed, currently I do all of my banking and manage my meager stock portfolio all on the Internet. All of this information is contained online. To simply treat the ``to'' and ``from'' lines in e-mails as though they were the phone numbers that you dial out on just doesn't make sense anymore. Moreover, the physical ease with which information is obtained becomes important. Ordinarily, a search is limited by a number of physical properties. You have to be on site, you have certain time limitations. Internet searches, however, make the retrieval of vital data, even otherwise public data, far more routine. For example, while property tax assessment records are public, people generally had to take the time and hassle to schlep on down to the court house to retrieve them. In a matter of minutes, however, just the other night I was able to retrieve fairly easily Chairman Hatch's property tax records. And basically now I know what the value of his current assessed land is. I know how many bedrooms he has in his house. The Chairman. I wouldn't mind knowing that myself. [Laughter.] Mr. O'Neill. Well, sir, I would be happy afterwards--I won't submit this for the record, but I will be happy to give it to you after we have finished. Now, again, that is public information, information that is always obtainable at the court house. 
But the mere fact that late last night, in a process of about, I don't know, maybe half a dozen keystrokes and a matter of about five minutes or so I could obtain all this information, should give us at least some cause for pause about what we are getting ourselves into. Mr. Cerf. You are not making a threat, are you? Mr. O'Neill. Oh, not at all. Mr. Cerf. OK; I am just checking. Mr. O'Neill. I used to work for him, so I felt it was okay. Mr. Cerf. OK. Mr. O'Neill. But I did the same thing for Senator Leahy as well. Senator Leahy. I was thinking. I mentioned to the chairman that he must have paid you too much if you have got a stock portfolio. Mr. O'Neill. Senator, I was smart; I married a doctor. The Chairman. That is a typical Democrat comment--failing to recognize the importance of the Internet and all of these other great programs that we have. Senator Leahy. We Democrats try to keep down the cost of Government. That is why. The Chairman. We hadn't noticed that. [Laughter.] Mr. O'Neill. I will try to remain silent on that issue. Similarly, I think another problem that we have to address is we don't even know how certain Fourth Amendment doctrines will apply in this field and to a device like Carnivore which, although it may have physical limitations and may, in fact, be limited in its application, may be configured or updated in ways that we are not necessarily aware of. It may have the potential of reading e-mail or looking at other addresses that people visit. The plain view doctrine, for example, permits, among other things, law enforcement officers to seize items in their plain view when they are executing a warrant. Well, if we allow law enforcement to filter nonspecific pieces of mail, does that mean that they can seize anything else that they may happen to find of a criminal nature which is not necessarily contained within the plain language of the warrant? 
These are among the fundamental issues that we will ultimately need to address as the law struggles to cope with technological advancements. Now, I don't want to go too far over the red light here, but I have ten fairly specific recommendations that I would consider that perhaps Congress ought to consider in terms of deciding and securing our privacy online. I will actually submit those for the record and I won't belabor those points now. But I think that this hearing is an important first step in looking at these important privacy issues as they come before us, and one simple suggestion that I might make is that government, specifically the Congress of the United States, should set itself up as the primary protector of people's liberty and security interests. And it is not a bad idea at all, I think, either to place within the Intelligence Committee or perhaps one of the other committees of jurisdiction careful congressional oversight of precisely the types of information and the sources of information that the Department of Justice is seeking to obtain when it does things such as Carnivore to search out people's private information. But, again, I will submit those and the remainder of my remarks for the record. I again thank you for this opportunity to testify and look forward to answering any questions you may have later.

The Chairman. Well, thank you, professor. I think the FBI and Justice are going to want to look at your ten suggestions those fairly carefully because there are some very interesting suggestions there.

[The prepared statement of Mr. O'Neill follows:]

Prepared Statement of Michael O'Neill

Chairman Hatch, Senator Leahy, and members of the Committee, I welcome this opportunity to testify regarding a topic that should be of great interest to us all, namely the appropriate way in which law enforcement interests should be balanced against what Justice Douglas once called our fundamental right ``to be left alone.'' [U.S. v. Davis, 328 U.S. 582 (1946).] 
I do not wish to belabor points that have already been made. Nor am I here to make claims that Carnivore will eat the Constitution, or that if we fail to deploy it, crime will run rampant. I think it is safe to say that none of us in this room likely wishes to live in a police state, nor, however, do we desire to live in a state of anarchy.

We live in a time of profound technological change, and the communications revolution has been a vital part of that change. Change, however, is not without its costs. Privacy, one of the fundamental rights underpinning our society, is presently under assault as perhaps never before. On the other side of the equation, however, criminal enterprises have been increasingly willing to utilize technological innovations to achieve their own ends and thereby threaten our personal security. While we may stand at the brink of a new world in terms of information, however, we still have old rules, rules that have served us well for over 200 years, and that continue to serve as a guide to understanding, and controlling, the transformations surrounding us.

With that in mind, I would like to address two fundamental issues: (1) is Carnivore, at least as I understand the software to operate, compatible with the Fourth Amendment? And (2) What role should Congress play in ensuring that both significant privacy and security concerns are addressed?

Our constitution presupposes that as citizens, we enjoy a sphere of action free from governmental interference. To this end, the drafters of the Bill of Rights had the foresight to include as a fundamental guarantee to protect ``the right of the people * * * in their persons, houses, papers, and effects, against unreasonable searches and seizures.'' The term ``unreasonable'' is the key here * * * we are only protected against those searches that are unreasonable. The Fourth Amendment's reasonableness requirement has an important application to today's debate.
After all, what is deemed ``unreasonable'' is ultimately a social construct * * * it is at the end of the day for the people to decide what is and is not a reasonable intrusion into their private affairs. The difficulty I have in coming before you today is that I am not at all confident that I know what is ``reasonable'' in this particular context. If polled, most individuals, I suspect, would assume, and likely prefer, that their e-mails be every bit as secure, if not more so, than their snail mail.

The evolution of the privacy/security struggle has been well-defined in the development of Fourth Amendment law. In Olmstead v. United States (1928), the Supreme Court considered whether warrantless wiretapping violated the Fourth Amendment. The Court found no constitutional violation because the surveillance was accomplished without intruding on the defendant's physical property. Justice Brandeis, however, penned a thoughtful dissent in which he observed that constitutional principles were undermined to the extent the Court focused exclusively on the means of communication. He reasoned that the Constitution must be interpreted with technological advancements in mind to preserve fundamental rights. Foreshadowing those advancements, he warned that: ``Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet.''

The Court ultimately adopted Justice Brandeis' view toward wiretapping. In Katz v. United States, it declared that the Fourth Amendment ``protects people, not places'' and held wiretapping permissible only after the issuance of a valid warrant. This decision expressly overruled Olmstead, replacing the previous focus on the means of communication with an appreciation of the fact of communication as the source of the constitutional right. The Court subsequently revisited this area in Maryland v.
Smith (1979), a case the executive branch has often relied upon to justify its claim that there is no expectation of privacy in an internet address. In Smith, the Court reasoned that there is no legitimate expectation of privacy in a number being dialed on the phone. It is important to understand, however, that the Court found that individuals do not have a reasonable expectation of privacy in such information because ``pen registers do not acquire the contents of communications.'' Smith v. Maryland, 442 U.S. 735, 742 (1979). The technology in question was limited to this single function.

This neat categorization may not apply to technologies such as Carnivore, however, which may have far greater information gathering abilities. A URL, for example, can disclose specific pages visited, sites visited, or even items purchased or browsed. And as people move more of their lives online, a list of e-mails sent or web sites visited can provide a very detailed dossier of activities--all available without the heightened protections of a wiretap or even a standard Fourth Amendment warrant. This is much more akin to walking into someone's office and snooping around in their file cabinet than it is to standing on the street corner and writing down their address.

Given the wealth of information obtainable by means of an internet address, perhaps it is time to re-think our privacy expectations on-line. Indeed, I think it is increasingly difficult to say that you don't have an expectation of privacy in information that is in the hands of a third party. If the vision of an open, pc-less internet world is to come to pass, it will be the case that our entire lives will be in the hands of third parties. To treat the ``To'' and ``From'' lines in e-mails as though they were just the same as the phone numbers that you dial makes little sense.

Moreover, the physical ease with which information is obtained becomes more important.
Ordinarily, a search is limited by a number of physical properties. Internet ``searches,'' however, make the retrieval of vital data, even otherwise public data, far more routine. For example, while property tax assessment records are public, people generally had to take the time, and hassle, to go to a court house to retrieve them. In a matter of minutes, however, I was able to easily retrieve [hold up records] Chairman Hatch's property tax data. Don't worry, I won't disclose it * * * but I do know how many bedrooms, bathrooms, and fireplaces you have in your home * * *!

Similarly, we don't know exactly how certain Fourth Amendment doctrines will apply to a device, such as Carnivore, that has the potential of reading personal e-mail, as well as, via the internet address, entering the individual's hard drive and scoping it out. The plain view doctrine, for example, permits (among other things) law enforcement officers to seize items in their ``plain view'' when they are executing a warrant. Well, if we allow law enforcement to filter non-specific pieces of mail, does that mean they can seize anything they happen to find? These are among the fundamental issues that will need to be addressed as the law struggles to cope with technological advancements.

What Questions Ought Congress Be Asking?

Law enforcement has pointed out that the law must be changed to preserve its mission to prevent and punish crime, while the civil liberties community has warned of grave dangers to personal privacy and the Fourth Amendment. Although each group may emphasize different aspects of the problem, each agrees that the law must be updated to keep pace with technological change. Remarkably, the 1986 Electronic Communications Privacy Act was the last significant update to the privacy standards of the electronic surveillance laws.
Significant changes have occurred since then, including--the development of the Internet; data convergence; the creation of wireless systems; and the movement of information out of people's homes and offices onto networks controlled by third parties. As a result of these developments, more information is being held and communicated in configurations where it is in the hands of third parties and not afforded the full protections of the Fourth Amendment. The following steps might therefore be in order.

(1) With respect to Carnivore itself, Congress ought to obtain briefings, classified, if necessary, to get a better understanding of what Carnivore is designed to do and how it does it, and whether there exists potential for abuse.

(2) Congress ought to determine what the statutory authorization for Carnivore is and whether law enforcement has the authority to insist that a service provider install Carnivore.

(3) If implemented in some fashion, Congress should require that statistics be maintained by the Justice Department, and that these so-called ``audit trails'' be routinely provided for legislative oversight.

(4) Congress should seek to learn whether Carnivore can easily be defeated by encryption software or E.A. Poe type purloined letter schemes.
More broadly,

(5) Hearings ought to be conducted to determine whether all internet trap and trace orders should be issued only on the basis of a judicial finding that reasonable cause exists to believe that a target has or is about to commit a crime;

(6) The executive branch ought to be required to provide consumers with notice whenever the government obtains information about their Internet transactions;

(7) Specific statistical reports for Internet trap orders similar to the reports required under Title III ought to be required;

(8) Congress should explicitly provide that Internet queries, e-mail subject lines, URL's of sites visited and other information which provides more than the equivalent of a dialed number cannot be disclosed without a probable cause order.

(9) Congress should consider requiring notice and an opportunity for defendants to object when civil subpoenas seek personal information about Internet usage.

(10) Finally, Congress ought to provide enhanced protection for information on networks: including the establishment of probable cause for seizure without prior notice, and providing a meaningful opportunity to object to subpoena access.

At bottom, I would urge a cautious, thoughtful approach when it comes to expanding surveillance capabilities. The conflict between increased security and enhanced privacy protection is not easily resolvable, nor will it likely ever be. But Congress ought to seize the moment to ensure that robust debate occurs before law enforcement's powers are enhanced, and regardless of how the balance is struck.

The Chairman. Mr. Dempsey, we will turn to you.

STATEMENT OF JAMES X. DEMPSEY

Mr. Dempsey. Mr. Chairman, Senator Leahy, good morning. Thank you again for holding this hearing and for giving me the opportunity to testify. I am at a certain point, I think, going to use just one overhead, if I could, but in order not to delay things I will talk while they are setting up the projector.
I think I wanted to start out by responding to one of the points that the FBI and the Justice Department make which they regularly make and I think which needs to be regularly rebutted or balanced, and that is the point about the use of the Internet by criminals. Undoubtedly, criminals do use the Internet, but I think if you look at the facts over the past two or three years, it is clear that the Justice Department and the FBI have been extremely successful in using the new technology to track criminals online and to make cases, including some cases that they probably couldn't have made in the offline environment. Online surveillance and tracking led to the arrest of the Phonemasters, who were stealing and selling credit card numbers worldwide; Solar Sunrise culprits, one of whom was tracked down to Israel; an intruder on NASA computers who was arrested and prosecuted in Canada; the thieves who broke into the Citibank computers and who were tracked and arrested in Russia; Ardita, who was tracked down electronically to Argentina; the creator of the Melissa virus. All of these people were tracked online using this very technology. Innocent Images is another example of where FBI agents are able to pretend online to be young girls or to be pedophiles and to legally entrap people. In the Emulex case that you referred to, Mr. Chairman, investigators said that they learned within hours of the stock's plunge where the computer was located that the perpetrator had used, and they obviously have arrested that person. Back in August, two Kazakhs were arrested in a cyber extortion case. Their communications went from Kazakhstan to London and to the target in New York, which was Bloomberg. Yet, they were traced back using this very technology, and in response to that Bloomberg pointed out these arrests show that our law enforcement agencies can find, catch, and bring criminals to justice online. Criminals believe that they have a totally anonymous presence on the Internet.
They believe that they can intimidate companies. This operation shows that they do not have that kind of anonymity. So I think we need to recognize--and Professor O'Neill in his online search showed us how easy it is to find so much information. And I think, if anything, what we need to do is to not abandon the traditional rules that we have had to protect privacy but, in fact, to strengthen those rules in the face of the surveillance and investigative power of this new technology. Now, turning specifically to Carnivore, the first problem that we have with Carnivore is that we don't know really what it is and how it works. It is something that is now totally controlled by the FBI. It is a black box. They have refused to share publicly the details of that, and they have put out a request for proposal to conduct an independent review, which is a good idea even if it were conducted outside of the public light. But the FBI and the Justice Department have set out for this independent review so many restrictions and they have put such burdens on anybody who would sign up to do that, such secrecy burdens, that a lot of the good people are backing out of that, are backing out, it seems, from competing for that. And it does call into question, with the kinds of restrictions the FBI has set, whether they will be able to get the best people to do that review. Today, in USA Today Online, there is a story by Will Roger in which he states that MIT, Purdue University, Dartmouth, the University of Michigan, and the Super Computer Center at the University of California at San Diego have all indicated their reluctance to participate in that review, given the constraints that the FBI has posed in terms of pre-review, and so on. The second issue I would like to emphasize is that Carnivore is fundamentally inconsistent with the way that wiretaps have been done in the past, and fundamentally inconsistent with the understandings of this committee repeatedly over the years. 
Traditionally, we have not allowed the FBI into the networks, into the switching systems and into the property of ISP's. A major, major problem with Carnivore, and I think a lot of the source for the concern about it, is that it is a black box that the FBI imposes on the ISP. Now, this committee in 1986, when it was adopting ECPA--and Senator Leahy was the prime author of that legislation in the Senate--this committee in its report on ECPA emphasized telephone company customers have a reasonable expectation, traditionally enhanced by telephone company practice and policies, that their company will not become, in effect, a branch of government law enforcement. The committee went on to say that they understand that the practice has been that the telephone company premises are not used for wiretap activity. And the committee actually directed--I don't know if it happened--the Justice Department in its wiretap manual to state that there would be a statement there in the manual that U.S. attorneys should not attempt to compel any company to make its premises available for wiretap activity. And the committee in 1986 asked for notification if there was a change in that policy and if the Justice Department did decide to try to compel carriers to make their premises available and what is Carnivore to basically latch this software and hardware into the network. Again, in CALEA, in 1994, this committee reemphasized that, and there is section 105 in CALEA which specifically says that telephone companies--CALEA does not apply to the ISP's, but it is the principle here that the committee cared about quite strongly. CALEA says that a telecommunications service provider shall design its system so that a wiretap is activated within the switching premises and controlled by telephone company personnel, not by law enforcement personnel, precisely because this committee was concerned about the problem of remote FBI access to the actual guts of the network of a service provider. 
I think a lot of the concerns that people have with Carnivore would be mitigated if the software and the ability to control the software were placed in the hands of the service providers rather than held and controlled by the FBI. Now, I wanted to talk a little bit about the way----

The Chairman. How can you trust the service providers any more than you trust the FBI?

Mr. Dempsey. Well, I think what we have to do is we have to have a system of checks and balances; that is, we have to have some buffer or barrier between the customer and the Government.

The Chairman. It is one thing for the telephone companies to have control over how the transmission is made. It is another thing to have the ISP's--who have tremendous software capabilities themselves in control of the transmissions.

Mr. Dempsey. Well, many of the ISP's already perform and comply with court orders, as Dr. Kerr made clear. Many ISP's do not need Carnivore, do not accept Carnivore, and do comply on their own with the court orders.

Mr. Cerf. May I? I have just two comments to make. One observation is that the Carnivore equipment is a passive device. In other words, it doesn't actively enter into the control stream or anything like that. It simply taps information. In fact, as was pointed out by the FBI, it is prohibited technically from transmitting anything into the Net. So in that sense, that is helpful because it is passive. I would certainly debate the advisability of having the ISP personnel setting the parameters and managing the capture of e-mail-related information. In fact, I would be more concerned about----

The Chairman. I think it is a different situation than phone companies.

Mr. Cerf. Sir?

The Chairman. I think it is a different situation than phone companies--much broader.

Mr. Cerf. Well, even going and setting parameters, let alone inventing software, the side effect of having the ISP personnel do that is that you may not get protection of the evidence in the evidentiary chain.
You may get exposures of information that are not legal. The FBI operators are well aware of those restrictions, but the ISP operators are probably not. So I am not sure that I would be as comfortable as you sound like.

Mr. Dempsey. We have headed pretty far down the road in allowing ISP's who can perform to do so. Of course, the FBI can go back and say you didn't give us everything that we wanted, and that process can go forward. In the telephone realm, the way we are heading in CALEA is that it will be an intercept function that is activated by carrier, pursuant to an order----

The Chairman. Yes, but collected by the FBI.

Mr. Dempsey [continuing]. To isolate and identify what is the stream of communications. In the Internet, it is harder because we do not have a circuit-switched system.

Mr. Cerf. You actually have to work your way up in those layers of protocol in order to see what is going on. In fact, the simple analogy here, these little letters, is that if you watch a stream going from a customer's personal computer going into or coming from the Internet, it could contain a variety of information all at the same time. There could be some voice communication, there could be video, there could be e-mail, there could be a World Wide Web exchange, all of this happening at once. And the stream of packets going by in these little envelopes have to be opened up and examined in order to figure out which one is it.

The Chairman. One of the questions I am going to have is how does the FBI protect this information from the ISP collecting it? That is a question that I think----

Senator Leahy. But the ISP could look at it any time they wanted anyway.

The Chairman. Yes, but they may not know what they are looking for, where the FBI knows what they are looking for.

Mr. Cerf.
In order for the ISP to perform the same function that the Carnivore system does, they would have to essentially build the same kind of software that the FBI is using and configure it to capture the portion of the stream that is of interest. In a sense, they would have to reproduce all of the technology that goes into Carnivore. There are systems like that. They are called sniffers, but they are not as sophisticated, in fact, at restricting the information that is captured. Moreover, there are none of the safeguards that the Carnivore system has for keeping track of who did what.

Senator Leahy. Well, are you saying by that then that no ISP system today, whether they have sniffers or not, can match Carnivore? And if so, does that mean the FBI are going to have to say, well, we have always got to use our own system because you are not good enough?

Mr. Cerf. What I am saying is that the devices that are available that are used to help debug problems on the network that will allow you to crawl up and down in the so-called layers can capture everything. The problem is that that is not what the FBI wants to do. What it wants to do is to capture only that part that is----

Senator Leahy. But that goes, then, to my particular point. Are you saying that nobody today can duplicate what the FBI is doing? Thus, the FBI whenever they have one of these court orders is going to have to use their own? I see Ms. Stansell-Gamm shaking her head no, but I just----

Mr. Cerf. What I am trying to say is that the technology exists to capture information off the Net. An ISP has that capability because these are off-the-shelf devices. The implementation of Carnivore is intended to constrain the way that capture is done and the ISP doesn't have the particular motivation to go and do that, to invest in all that.

The Chairman. They don't have the same interests as the FBI. They are not going to be doing that.

Mr. Cerf. That is correct.

The Chairman. Well, let me finish with Mr.
Dempsey and then go to Professor Rosen.

Mr. Cerf. I am sorry I interrupted you.

Mr. Dempsey. If I could, to round out this dialog, I think that there is an answer to the dilemma here, and that is to take the Carnivore software and make it available to the ISP's so that they know what it is, know how it works. They can configure it, they can set the parameters as ordered by the court order. And then you do have that protection in the middle that you don't have the FBI, in essence, taking control of a part of a network or inserting itself into the network. I think that a lot of the concerns about Carnivore would be mitigated if this software technology were disclosed and made available to ISPs.

The Chairman. Well, let's go to Professor Rosen, but I have a lot of problems with that because then you have a nonlaw enforcement agency--a private company--being able to do whatever they want to do with people's knowledge and people's information. You have made some interesting suggestions. I want to really look at those because I don't know what the answer is here. All I can say is that I don't want to have 1984 in 2004, but we are already there. With nanotechnology coming up now--if you read Kurzweil's book--it is enough to scare the living daylights out of every one of us. And if you read Bill Joy's article, I mean, my gosh, it is mind-boggling.

Senator Leahy. But, Orrin, they can do this now.

The Chairman. Yes, I know.

Senator Leahy. The ISP's can do this now anyway.

The Chairman. They can do it now anyway.

Senator Leahy. They can step through and get most of this now. They might have a different reason, a different purpose, but they can do it.

The Chairman. But they don't need to have the assistance of the FBI to do it.

Mr. Dempsey. If I could, Mr.
Chairman, just before you go to Professor Rosen--and we can go back to this later in the questions--I just wanted to lay out two other areas that I think merit discussion here, one of which is the question of whether Carnivore constitutes a search for fourth amendment purposes and an interception for title III purposes. I believe that, at least as the FBI has explained it on their Website, Carnivore does constitute a search and seizure for constitutional purposes and an interception for title III purposes. Finally, I would just like to say that once again we are back to the question of how do you translate the wiretap laws to the Internet. And Professor O'Neill, I think, referred to this quite well, but by developing Carnivore and by controlling and programming Carnivore and putting it out there, the FBI has basically decided that question technologically by saying that Carnivore can collect, under a pen register order, e-mail ``to'' and ``from'' addresses and other Internet addressing and routing information without ever finishing a debate which we started back here, I think, in May before this committee, which is the question of what should be the legal standards for application of pen registers to this very different medium of the Internet. So with that, I will conclude. Thank you, Mr. Chairman.

[The prepared statement and attachments of Mr. Dempsey follow:]

Prepared Statement of James X. Dempsey

Mr. Chairman, and members of the Committee, thank you for calling this hearing and giving CDT* the opportunity to testify on the FBI's ``Carnivore'' initiative and its implications for Fourth Amendment privacy protections in the digital age.
---------------------------------------------------------------------------
* The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet.
Our core goals include ensuring that the Constitution's protections extend to the Internet and other new media. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG) a forum for more than 50 computer, communications, and public interest organizations, companies, and associations working on information privacy and security issues.
---------------------------------------------------------------------------

Summary

We can all appreciate that new communications technologies pose challenges to law enforcement agencies carrying out important duties. But as a black box controlled by the FBI and inserted into the network of an Internet service provider to search through thousands or millions of messages, including those of innocent people, Carnivore is not the right solution. It is not consistent with the way that electronic surveillance was conducted in the past. It is not consistent with the Fourth Amendment nor with the Supreme Court's image in the Katz and Berger decisions of how electronic surveillance could permissibly be conducted. It is not consistent with the federal wiretap statute, Title III. And it is not consistent with CALEA. The FBI has to find a better way to conduct surveillance of Internet communications, one that does not entail taking control of a portion of the network of a service provider and that does not entail a general search through the communications of innocent persons.

In order to moot the serious questions about Carnivore's legality, the FBI should immediately cease insisting that it be installed outside the control of Internet service providers (ISPs). Instead, the FBI should immediately begin making the technology of Carnivore available--including the source code and the right to modify it--to any ISP that needs it to comply with a surveillance order. (Most ISPs don't need it.)
If any ISP needs to adopt Carnivore or something like it, the ISP should control its own network, isolating and delivering to the government only what the government is entitled to intercept, and thus serving as a buffer between the government and the communications of their innocent customers. This would reinstitute the kind of checks and balances we depend on to preserve our rights.

Looking more broadly, Carnivore is the latest in a series of wake-up calls about the perils facing personal privacy in the digital age. Carnivore illustrates the extent to which the FBI claims the authority to actually control the design or functioning of communications networks.\1\ Yet the deployment of Carnivore and other design or functional mandates for surveillance creates new and largely unappreciated threats to the security of communications. Moreover, even apart from FBI efforts to control the technology, it is clear that, despite the ways in which the newer digital technologies are harder to tap, on balance the government is acquiring far more surveillance powers as a result of the digital revolution: Market-driven changes in the technology and the ways we use it mean that we are generating more electronic information than ever before about our lives and making it available on networks and computers where it can be readily obtained by the government. Law enforcement agencies are not losing ground--they are gaining surveillance and tracking capabilities by leaps and bounds. For all of these reasons, Carnivore highlights the need for Congress to enact greater privacy protections in the outdated statutory framework.
---------------------------------------------------------------------------
\1\ For other examples, see Neil King Jr. and David S. Cloud, Hang-Ups: Global Phone Deals Face Scrutiny from New Source: the FBI, Wall Street Journal, August 24, 2000, at A1.
The implementation of CALEA has been one long struggle over the FBI's insistence on dictating very precise surveillance features to the telephone industry. See United States Telecomm Assoc. v. FCC, No. 99-1442 (D.C. Cir. Aug. 15, 2000).
---------------------------------------------------------------------------

Among the specific points we would like to make about Carnivore:

The first problem with Carnivore is that we do not know how it works. There is little understanding of how Carnivore searches are limited, and little chance for judicial or public oversight. Such a situation is ripe for mistake or misuse. The government should embrace an open source model allowing public scrutiny of Carnivore's design. Unfortunately, the ``independent review'' promised by the Justice Department at this point is so circumscribed and under such control of the FBI and the Department that it holds little promise of giving Congress, industry or the public reliable answers.

So long as Carnivore is a black box owned and controlled by the government, its forced installation in the network of an ISP means that, in essence, the government takes control of part of the ISP's network. ISPs should control their own networks. Installing a closed Carnivore system outside of ISP control introduces new risks to the security of these networks. ISPs are in the best position to respond to court orders in a fashion that protects user privacy.

As far as we can tell, Carnivore searches more information than the government is legally entitled to search. Indeed, based on current description, Carnivore, when controlled by the FBI, has to be characterized as an unconstitutional governmental search and an interception in violation of Title III. If Carnivore is used as a pen register under the pen register statute as currently interpreted by the DOJ, it is likely that it searches (and intercepts, in Title III terms) content of the target.
Even worse, whether used under the pen register order or a Title III probable cause order, it searches and intercepts the communications of innocent persons outside the scope of any properly issued Title III order. Carnivore's use as a pen register has pre-judged--in fact has surrendered to Executive Branch discretion and ex parte legal proceedings--the important public policy question of what data should the government collect about Internet transactions under the weak privacy standard of the pen register statute. Without explicit statutory language, the Justice Department is asserting that it can use the rubber-stamp pen register authority to collect information from the Internet that is much more revealing than the information collected by pen registers from telephone lines. There seems to be a growing consensus that the low legal standard authorizing their use should be raised for plain old telephones. But if the government is to collect on the Internet transactional information more personally revealing than that collected on telephone lines, then it would seem that an intermediate standard must be developed for Internet transactional data. Context: Privacy and Surveillance in the Internet Age The Internet has already demonstrated its potential to promote democracy, spur economic growth, and enhance human development. Individuals, civil society, businesses and governments are all rushing to use the Internet for work, activism, education, social services, human contact, artistic expression and consumerism. The Internet has become a necessity in most workplaces and a fixture in most schools and libraries. Soon, it may converge with the television and wireless phones, and thereby become nearly ubiquitous. Every day, Americans use the Internet to access and transfer vast amounts of private data. Financial statements, medical records, and information about our children--once kept on paper and secure in a home or office--now travel through the network. 
Electronic mail, online reading and shopping habits, business transactions and Web surfing can reveal detailed profiles of people's lives. And as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to government investigators. While the Justice Department frequently emphasizes the ways in which digital technologies pose new challenges to law enforcement, the fact is that the digital revolution has been a boon to government surveillance and information collection. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 percent. Computer files are a rich source of evidence: In a single case last year, the FBI seized enough computer evidence to nearly fill the Library of Congress twice. As most people sense with growing unease, everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 sought additional funds to ``data mine'' these public and private sources of digital information for their intelligence value. Wiretapping the Internet Our legal framework for electronic surveillance was developed in an era of circuit-switched telephone networks, where it was relatively easy to isolate the communications of a particular target to the exclusion of the communications of innocent persons, and where it was relatively easy to distinguish between transactional data, which was limited and not very revealing, and Constitutionally-protected content. 
Even at the time CALEA (the Communications Assistance for Law Enforcement Act) was adopted in 1994, the telephone system, while going digital, was still largely based on a circuit-switched architecture, and CALEA assumed that central telephone company switches, if loaded with special software, would provide ready access to the communications and call-identifying information of surveillance subjects. This Committee, in drafting CALEA, wisely excluded the Internet from CALEA specifically because those technical assumptions did not apply to the packetized, decentralized Internet. By design, the Internet's architecture is not like that of the phone system. It is not centralized. It does not dedicate a channel or circuit to one conversation. It does not have permanent addresses. But surely these technological differences do not mean that we can abandon the principles of the Fourth Amendment. As the D.C. Circuit recently made clear in the CALEA appeal, the mere fact that government agencies are encountering a new technology does not give them the authority to redefine the rules of interception, even where the government promises it will not record or use the information it is not entitled to. Instead, we must find ways to ensure that the fundamental distinctions of the law are maintained, and where they cannot be, the government must meet the higher, not the lower, legal standard. ``Wiretapping'' the Internet may require greater oversight and protection. If pen registers on the Internet reveal more than the ``numbers dialed'' they once provided for telephones, then the standard must be higher than the standard for telephone pen registers. And we must recognize that the government's desire to translate every current telephone surveillance capability into the Internet world (with a kind of 100% guaranteed success rate never really available with traditional telephone surveillance) would require a new technical architecture for the Internet with huge security risks. 
It is in this context that the FBI's Carnivore initiative must be viewed. Questions about Carnivore Carnivore reportedly serves at least two functions. Installed at an ISP, it monitors communications on the ISP network and records messages sent or received by a targeted user. This is presumably designed to effectuate an electronic ``wiretap'' order served on an ISP. Carnivore can reportedly also isolate the origin and destination of all communications to and from a particular ISP customer. This is presumably designed to satisfy what law enforcement claims is the Internet equivalent of ``pen register'' and ``trap and trace'' orders, which in the telephone context provide digits dialed and incoming phone numbers. (Note that there are fundamental questions about what information pen register and trap and trace orders should collect in the Internet context.) There are many unanswered questions about Carnivore: How does Carnivore isolate and record only the information that the government is legally entitled to collect under a particular wiretap or pen register order? Carnivore has the potential to capture the content of communications even when a pen register order would limit collection to addressing information. Indeed, as we explain below, getting the addressing information the government claims it is entitled to often requires capturing and analyzing content. Does Carnivore avoid that? Moreover, since Carnivore operates on a network link, it has the potential to capture the traffic of customers who are not the subjects of an order. For example, Internet Protocol (IP) addresses may be used to identify the communications of a target. But in many systems such addresses are dynamically allocated (meaning that the same address will be assigned to many users sequentially, and a given user will not have the same address from day to day or hour to hour), making it quite easy to monitor the wrong user. Is Carnivore itself a secure system? Can it be compromised? 
Does it provide secure audit trails, and is it tamper resistant? Is it true that Carnivore installed on an ISP's system can be remotely accessed and reprogrammed by the FBI? If Carnivore, an eavesdropping device with access to a vast stream of traffic independent of any ISP control, were itself somehow compromised, the damage to privacy and security could be tremendous. The technical community has developed a method to improve trust in complex systems: Open source review. Review of the source code and design specifications by a community of experts might reveal mistakes, bugs, or security holes unknown to the FBI. Such mistakes are quite common in the design of complex technical systems. Open source review of Carnivore's hardware, software, and technical design is essential to ensuring that Carnivore does not exceed its legal authority. It would also seem necessary for defense lawyers and judges to test in the adversarial process the reliability of evidence it generates. Undoubtedly, the FBI will initially argue that revealing source code will compromise the effectiveness of Carnivore. If true, one must question the general security and usefulness of a system that can be so easily circumvented by anyone with knowledge of its operation. The Department of Justice has promised to contract for an ``independent review'' of Carnivore. Unfortunately, the review has been wrapped in conditions and controls that undermine its credibility and seem to be discouraging the best experts from participating. Two in particular are especially troubling: (1) The contract documents for the review specify that the government will retain control over what portions of the reviewers' comments are released to the public. The government says that it will release as much as possible, consistent with contractual obligations and ``preserving the effectiveness of Carnivore.'' This would seem to preclude release of conclusions about the vulnerability or effectiveness of Carnivore. 
Since the FBI has claimed that its contractual obligations preclude it from disclosing even the name of the company that built Carnivore, that could be another huge justification for censoring the contractor's report. (2) The implications of this are compounded by the blanket non-disclosure agreement that contractor personnel would be required to sign, in which they would promise not to disclose to anyone anything they learned in the course of their review without FBI permission. Under the agreement, sensitive information is defined as ``any and all information received from the FBI'' and ``any and all other information associated with the Carnivore device and system.'' This gag order would mean that persons who now can talk about Carnivore based on their general understanding of it would be permanently silenced if they participated in the review. In a Departure from Tradition and Best Practice, Carnivore Is Not Controlled by ISPs Even were there open review of Carnivore's system, installation of a ``black box'' out of an ISP's control creates new privacy and security risks. The parameters for how Carnivore is used once installed are likely to be extremely important. Such parameters could control who the targets are, how they are identified, and what information is collected about them. Yet with Carnivore, ISPs appear to have no control over how the system operates. Such a system provides no checks on its use, and is an invitation for misuse or mistake. Indeed, we understand that the FBI retains the sole right to alter how Carnivore operates when it is in place, and that the FBI can do so remotely, without the knowledge or cooperation of the service provider. Carnivore is a radical departure from the way interceptions have traditionally been performed. In the world of telephone wiretaps, phone companies are extremely reluctant to allow law enforcement officials into their switching facilities. 
In the past, and up through the present time, telephone companies have been adamant that they would activate any interception from within their central offices. (Companies would allow law enforcement agents to activate intercepts from access points on their outside plant, like neighborhood or apartment building junction boxes, but that type of access is disappearing.) The reasons were both privacy and security. In 1994, Congress confirmed that this principle was an important additional check on abuse. So section 105 of CALEA expressly provides that wiretaps shall be activated and controlled by telephone company personnel: A telecommunications service provider shall ensure that any interception of communications or access to call-identifying information effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of an individual officer or employee of the carrier * * * 47 U.S.C. 1004, Pub. L. 103-414, section 105. CALEA does not apply to ISPs (and should not be extended to ISPs), but Carnivore is a radical departure from the principle that service providers must keep government agents out of their systems. ISPs themselves are in the best position to comply with lawful orders for electronic surveillance. ISPs have a dual duty, to both produce information for law enforcement and to protect the privacy of their customers by only revealing such information where required by lawful order. Moreover, ISPs are in the best position to understand their own networks and the most effective ways of complying with lawful orders. They are also in the best position to understand potential implications or threats from installation of a Carnivore device. Carnivore Performs an Unconstitutional General Search and an Illegal Intercept Under Title III Carnivore operates very differently from an ordinary wiretap or pen register. 
In the telephone world, it has always been possible to isolate a pair of wires or a channel or circuit that is dedicated to a targeted individual's communication. The Supreme Court's approval of wiretapping under the Fourth Amendment was based on the understanding that the government would be accessing only the communications on a particularly identified line (the ``facility,'' in Title III terms). All of the Court's concern about ensuring that on that particularly identified line the government only intercepted communications that involved specified criminal conduct would be rendered absurd if the government could search the lines of many subscribers. See Berger v. New York, 388 U.S. 41, 58-60 (1967); Katz v. United States, 389 U.S. 347, 355-56 (1967). According to published accounts, including information on the FBI's Web site, http://www.fbi.gov/programs/carnivore/carnlrgmap.htm, Carnivore operates by monitoring (according to the FBI's description, redirecting and copying) all traffic on the network link where it is installed. Carnivore searches through all this traffic. (A copy of the FBI's description is attached to this testimony.) In theory, Carnivore then only records data appropriate to the order under which it operates--i.e., data relating to the target of an order, or even narrower information pertaining to pen register or trap and trace orders. Nevertheless, in Fourth Amendment terms, Carnivore, as it has been described, is conducting a ``search'' of all the communications on the network segment to which it is attached, including the traffic of innocent persons. That is, even if Carnivore functions as promised and only records the traffic of the target, it is searching through the email of many innocent persons--it is conducting an unconstitutional general search. The ISP redirects to Carnivore a stream of packets from many different customers. Carnivore filters those packets. That is a search. 
The fact that Carnivore is automated and that no human ever reads innocent messages does not make it any less of a search. The use of machines to carry out searches does not make them any less a search for Constitutional purposes. In Title III terms, it also seems clear that what Carnivore does is an ``intercept.'' As the Second Circuit states, ``It seems clear that when the contents of a wire communication are captured or redirected in any way, an interception occurs at that time. * * * Redirection presupposes interception.'' United States v. Rodriguez, 968 F.2d 130 (2nd Cir. 1992), cert. denied, 113 S.Ct 139, 140, 663 (1992). See also United States v. Denman, 100 F.3d 399, 403 (5th Cir. 1996), cert denied, 117 S. Ct 1256 (1997); United States v. Tavarez, 40 F.3d 1136 (10th Cir. 1994); United States v. Nelson, 837 F.2d 1519, 1527 (11th Cir. 1988), reh'g denied en banc, 845 F.2d 1032 (1988), cert denied, 488 U.S. (1988). Thus, use of Carnivore under control of the FBI is an illegal interception of the redirected communications of innocent subscribers. Pen Registers Do Not Translate Neatly Onto the Internet A pen register collects the ``electronic or other impulses'' that identify ``the numbers dialed'' for outgoing calls and a trap and trace device collects ``the originating number'' for incoming calls. 18 U.S.C. Sec. 3121 et seq. The Supreme Court has held that the numbers collected by a pen register on a telephone line reveal so little about a person's communication that they are not constitutionally protected. Smith v. Maryland, 442 U.S. 735 (1979). The Court has stated, ``Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.'' United States v. New York Tel. Co., 434 U.S. 159, 167 (1977). 
(While the information is not constitutionally protected, it is sensitive, and as CDT and others have noted, the standard for pen registers in the telephone world is now too low, since even phone numbers dialed can draw a profile of a person's life.) Carnivore's apparent attempt to extend ``pen registers'' and ``trap and trace'' orders to the Internet is not a simple matter. Access to Internet transactional data is not clearly supported by the pen register statute, which refers to the collection only of ``numbers dialed'' on the ``telephone line'' to which the device is attached. Moreover, Internet origin and destination addresses can be far more revealing than the Supreme Court contemplated in Smith v. Maryland and New York Tel. Co. Extending the use of pen registers to new telephone devices and services--such as pagers, or numbers dialed after a call is completed--has been the subject of debate \2\ and was one of the issues in the CALEA lawsuit where the Court of Appeals reversed the FCC. \3\ But Carnivore is indicative of a whole new and problematic expansion of the pen register to the Internet. See CDT memo dated April 4, 2000, ``Amending the Pen Register and Trap and Trace Statute in response to Recent Internet Denial of Service Attacks, and to Establish Meaningful Privacy Protections,'' http://www.cdt.org/security/000404amending.shtml. --------------------------------------------------------------------------- \2\ See, e.g., Brown v. Waddell, 50 F.3d 285, 290-91 (4th Cir. 1995) (refusing to classify a digital display pager clone as a pen register). \3\ See United States Telecomm Assoc. v. FCC, No. 99-1442 (D.C. Cir Aug. 15, 2000). --------------------------------------------------------------------------- The first question is what Internet transactional data may be collected and under what standard. 
It is one thing if the FBI were using the pen register authority only to collect IP addresses (provided, of course, that the isolation were done by the service provider rather than by an FBI-controlled Carnivore). In the packet-switched Internet, the literal ``destination'' of an intercepted message is often the Internet Protocol (IP) address of the link on which it is observed. This information is found in the header of a packet. So is the Ethernet address it is being sent to on a local network. If the government is seeking just IP or Ethernet address information, it can find it in the header of a packet, which is easily separated from the content. But if by destination the government means the ``To:'' line of an e-mail message, that is often within the packet's content payload, and as the DC Circuit recently made clear, intercepting addressing information that is commingled with content requires authority to intercept content. United States Telecomm Assoc. v. FCC (Aug. 12, 2000). In an effort to illustrate this point, I have attached some packets we ``sniffed'' off our own CDT network. Example 1 shows a packet for a visit to Chairman Hatch's web page. The header of the packet includes the source and the destination IP addresses. In this case, the source IP address 207.2263.15 is a computer at CDT and the destination 199.95.76.12 is the U.S. Senate web server. (If you type 199.95.76.12 into your browser after http://, it takes you to the Senate home page just as if you had typed www.senate.gov.) So the header, which can be easily separated from the content payload, would provide information that might be similar to the information that a pen register would provide on a person at CDT who called 224-3121, the Senate switchboard. However, if the FBI wanted to know what precise page I was viewing, they would need to reach into the content (TCP data) portion of the packet. There they would find that I had asked for (``Get'') a copy of /-hatch/greeting.ram. 
Anybody typing that into a browser would find that I had downloaded the video greeting on the Chairman's web page. Thus, they would know the precise content of my Web viewing. In other cases, where law enforcement is apparently seeking origin and destination addresses that are more than link IP addresses, they will be forced to analyze the contents of packets. For example, attached in Example 2 are three sample IP packets ``sniffed'' as they went from CDT's network to our ISP. The packets are part of an e-mail message from me to Makan Delrahim, a member of the Committee staff. The header of each packet shows the IP addresses of the packet's origin (a computer at CDT) and destination (our ISP's mail server, which will next send the packet to the Senate mail server). To find out to whom the e-mail is addressed, one would need to read and analyze the contents of specific packets. Is Carnivore able to pick out only the one packet that contains only the ``To:'' information and the one packet that contains only the ``From:'' information? It would be nice to have some assurance other than the FBI's say-so. The e-mail addresses in the To and From lines are much more revealing than ``numbers dialed'' in that they are associated with specific persons. In the case of a Web site, the URL can disclose specific pages visited, books browsed, or items purchased. And as people move more of their lives online, a list of e-mail recipients by name or web sites visited can provide a very detailed dossier of activities--all available without the heightened protections of a wiretap or even a standard Fourth Amendment warrant. For example, attached in Example 3 is a sample IP packet showing a search for a book on the Barnes and Noble web site. Again, the IP address information is available in the header; the URL in the body of the message reveals information about what books the user is looking at--here, books on prostate cancer. 
(A subsequent URL might indicate that the person actually bought the book.) Taken together, a collection of such ``destination'' information could generate a revealing list of a person's interests and activities. In this way, Internet transactional information is more revealing than telephone transactional data. CDT has long urged, and there seems to be a consensus, that Congress should raise the standards for use of pen registers across the board. Under the current standards, a judge ``shall'' approve any request signed by a prosecutor certifying that ``the information likely to be obtained is relevant to an ongoing criminal investigation.'' 18 U.S.C. Sec. Sec. 3122-23. This is a low standard of proof, similar to that for a subpoena, and judges are given no discretion in the granting of orders. Pen registers are executed with neither public nor judicial oversight: in contrast to wiretap orders, there is no requirement that the government ever report back to the authorizing judge on the results of a pen register and no requirement of notice to the targets of pen registers. Unlike wiretaps, there are no national reporting requirements on the use of pen registers. The Justice Department reports on its own use, but this does not include numerous federal, state and local use. The Carnivore debate raises Fourth Amendment questions for pen registers online. Courts have found that consumers have no ``expectation of privacy'' in the digits they dial on a telephone.\4\ Given the revealing nature of Internet transactional information, it would seem that users do have a reasonable expectation of privacy in the URLs of Web sites they visit and the email addresses of those with whom they communicate, such that an intermediate standard is necessary for collecting certain Internet transactional data. See 18 U.S.C. 2703(d) and H.R. 5018, the ``Electronic Communications Privacy Act of 2000,'' introduced by Reps. Canady and Hutchinson. 
--------------------------------------------------------------------------- \4\ See Smith v. Maryland, 442 U.S. 735 (1979). The Court's reasoning relied in part on its understanding that ``pen registers do not acquire the contents of communications.'' --------------------------------------------------------------------------- Reinvigorating the Fourth Amendment in Cyberspace On May 25, 2000, I testified before this Committee about the ways in which the statutory and constitutional framework governing electronic surveillance has been outpaced by technological change. http://www.senate.gov/-judiciary/52520jxd.htm. To update the privacy laws, and respond specifically to Carnivore, Congress could start with the following issues: Increase the standard for pen registers across the board. Define and limit what Internet transactional information can be disclosed to the government and under what standard. Add electronic communications to the Title III exclusionary rule in 18 USC Sec. 2515 and add a similar rule to the section 2703 authority. This would prohibit the government from using improperly obtained information about electronic communications. Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage. Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions. Require statistical reports for Sec. 2703 disclosures, similar to those required by Title III. Make it clear that Internet queries are content, which cannot be disclosed without consent or a probable cause order. Provide enhanced protection for information on networks: probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access. The recent White House announcement \5\ on privacy and surveillance adopts some of these proposals. 
Extension of the wiretapping exclusionary protections to electronic interceptions is a particularly welcome step. Increasing the standard for pen registers is an improvement, but will not be sufficient if such orders are applied broadly (i.e., include URLs) to the Internet. On the other hand, the proposed expansion of the Computer Fraud and Abuse Act criminalizes an unnecessarily broad range of activities online. The proposal fails to address the need for heightened protections for private data held in the hands of third parties. And there are other changes buried in the proposal that we are still analyzing. CDT is prepared to work with Congress and the Justice Department to continue to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for discussion and consensus building on these issues. --------------------------------------------------------------------------- \5\ See Ted Bridis, Updating of Wiretap Law for E-Mail Age is Urged by the Clinton Administration, Wall Street Journal, July 18, 2000, at A3. --------------------------------------------------------------------------- Conclusion The Carnivore system requires greater public scrutiny. It should be controlled by the ISPs. More broadly, it speaks to the need for modernization of our surveillance laws and greater privacy protections to counteract the real threats to privacy online. Protecting national security and public safety in this new digital age is a major challenge and priority for our country. On balance, however, the new sources of data and new tools available are proving to be a boon to government surveillance and law enforcement. We do not need to ignore traditional standards in order to respond to the new technologies. 
The attempt to literally translate all current surveillance capabilities directly onto the Internet may not be possible or desirable in all cases, or may require new privacy protections. [Attached graphics omitted: T4729A.001 through T4729A.007] The Chairman. Professor Rosen, we will conclude with you. We would like to have some questions here before we finish. STATEMENT OF JEFFREY ROSEN Mr. Rosen. Thank you so much, Senator. It is an honor to be here. I just want to talk very briefly at the end of this hearing about uncertainty, and in particular about the cost of the uncertainty that results from covert monitoring on the Internet, and this is the uncertainty of innocent citizens who can't be sure whether or not their intimate communications are being intercepted by State officials or by ISP's. It strikes me that even at the end of this fascinating and informative hearing, there is a great deal of uncertainty that continues to be associated with Carnivore. I was interested and encouraged to hear Dr. Kerr testify that Carnivore is only made available to ISP's if they are unwilling or unable to conduct the search themselves, and that it is removed as soon as the court order expires. Surely, this procedural regulation should be codified to reduce the uncertainty of innocent citizens who may fear that their Government has technical access to their messages without their knowledge or consent. There are, as you began by saying, Senator Hatch, other uncertainties associated with Carnivore. 
The FBI is legally forbidden from monitoring the communications of citizens who are not targets, but the mere knowledge that Government agents have the technical capacity to read e-mail messages will greatly increase the uncertainty of innocent citizens at a time of widespread concern over privacy over the Internet. It is also true that one of the safeguards of the system, the audit trail records that record precisely which communications are intercepted, is made available to targets only if a prosecution actually results. So innocent citizens who are not targets have no notice when they are being monitored and no confidence that they are not being monitored. Senator Hatch, I would be delighted to give you a copy of my book. It is called ``The Unwanted Gaze: The Destruction of Privacy in America,'' available everywhere from Random House. And I will take this opportunity to note that the title, ``The Unwanted Gaze,'' actually describes the consequences when people are not certain about whether or not they are being observed. It comes from a beautiful passage actually in Jewish law that describes the anxiety and inhibition that results when citizens are being watched without their knowledge. There is a body of doctrine called hezzek re'iyyah, which means the injury caused by seeing or the injury caused by being seen. So when your neighbor puts up a window, observing you in a common courtyard, you are entitled not only to prohibit the neighbor from observing you, but also actually to require that the window be taken down because medieval authorities recognized that it was not only the surveillance itself, but uncertainty about whether or not surveillance is taking place, that forces us to lead more constricted lives and inhibits us from speaking and acting freely in private places. 
So, understandably, the consensus among these medieval jurists was that the window had to come down even if the individual whose privacy was violated failed to protest because there was this uncertainty that made everyone act in a more inhibited way in spaces that should be considered private. I am concerned particularly at this moment of uncertainty about the Internet that the Carnivore System, even if it were administered scrupulously, would increase the anxiety about monitoring on the Internet at precisely the moment when many citizens are afraid to use e-mail because of concerns about privacy. There are several surveys of the health effects of monitoring in the workplace that suggest that electronically-monitored workers express higher levels of depression, tension and anxiety, and lower levels of productivity than those who are not monitored. Now, let me briefly address the constitutional issue which has been touched on, but seems to me a very hard one, and this is the question does Carnivore violate the fourth amendment. It seems to me that one could make a strong argument on either side. Is this the quintessential example of an unreasonable search or is it the precisely tailored example of the perfectly reasonable search? Carnivore operates very much like an ingenious and hypothetical search that was discussed in a fascinating article in the Yale Law Journal recently, and this is a program called the worm. So the worm is a form of computer software that the Government can dispatch to enter your computer without notice. It scans your hard drive for illegal software or specified words or images, pornographic pictures or any other evidence that the Government is looking for. If the worm finds what it is looking for, it can alert the FBI. And if not, it destroys itself, leaving no trace of its presence. 
So in some respects, the worm seems very much like Carnivore, and it looks precisely like the general warrants that the Framers of the fourth amendment meant to prohibit. Both Carnivore and the worm can monitor millions of computer users without probable cause to believe that a crime has been committed, and they search broadly without particularized suspicion of people or places. But in other respects, the worm, like Carnivore, avoids all of the spillover effects that led the Framers of the fourth amendment to condemn general warrants in the first place. Rather than exposing innocent as well as illegal material, it focuses on the illegal material with greater precision. So, Senator Leahy, you began by noting that in the 18th century if you wanted to read someone's diary, you had to break into their house and rifle through their desk drawer, and then you would see a lot of innocent information in the course of searching for guilty information. Carnivore, if properly administered, might be said to avoid all of those effects and only reveal the guilty information. So I don't think we should be alarmist or hyperbolic about this difficult question of constitutional translation. Senator Leahy. Are there people who are being alarmist or hyperbolic here? Mr. Rosen. Are people being hyperbolic? I should say that I have a hyperbolic instinct when I hear about Carnivore because my fourth amendment knee jerks. But when we think about this responsibly, it seems to me a hard constitutional question. Senator, let's remind ourselves, too, how far we have moved from the world of searches of private diaries in desk drawers. In the 18th century, the search of a private diary was considered the quintessential example of an unreasonable search. We have the story of John Wilkes, the famous English patriot whose diary was searched by King George, sued in trespass and won ruinous damages. 
It is only recently that private diaries have lost their constitutional protection, we learned from the case of Senator Packwood. It is also true that in the famous article about the right to privacy written by the future Justice Brandeis, he noted that if a man wrote in a letter to his wife that he hadn't dined with his son that day, not only the content of the letter but also a general list of its subject matter would be protected from public exposure because it wasn't the information itself, but the domestic occurrence. We have fallen very far from there to a world where the list of the subject matters of e-mails are available on a general standard of relevancy. And one of the things you might consider, Senator, because I know both of you have been so important in thinking about pen registers, is whether a higher standard for the subject matter of e-mails, some more like reasonable cause, might be appropriate. I will conclude by echoing Michael O'Neill's notion that the search of this subject matter information seems far more invasive than a pen register because they reveal so much more identity, both the names of the recipient and the sender, and in the case of URL's the bookstores that you have searched and the actual search terms themselves. So this is why a reasonable cause standard might be appropriate. It seems to me that none of the FBI's testimony at previous hearings suggests compelling reasons why e-mail interception should depart from traditional statutory models for regulating wiretaps. I agree with James Dempsey that Internet service providers rather than the FBI should at least have the first opportunity of producing relevant communications specified by a court order, and Carnivore should not be imposed but made available to those who can't afford to undertake this search. 
You might also think about other possibilities, keeping audit logs for all communications monitored by Carnivore, not simply those that result in prosecution, and increasing procedural protections for innocent communications to reduce the uncertainty of citizens who have no notice about whether or not monitoring has occurred. But my big point is just the costs of uncertainty are great. This is an anxious time for the Internet. At the very least, innocent citizens need to be reassured that their Government is not observing their intimate messages without their knowledge or consent. Thank you. The Chairman. Mr. Cerf, let me just turn to you first, and perhaps I should express the gratitude of the Vice President for your assistance in helping him to invent the Internet. [Laughter.] I just couldn't resist. I notice you had some differences, or at least you looked like you had some differences with Professor Rosen. I will give you a chance to respond. Mr. Cerf. Senator, I am sorry. I am having trouble hearing you. I am hearing-impaired and my hearing aids are not picking you up. The Chairman. That is fine. I do have a soft voice, too soft--my wife says. I noticed you had some difficulties with what Professor Rosen was saying. Mr. Cerf. I had some reactions. The Chairman. I would like to see what you have to say. Mr. Cerf. I would like to suggest two things to our panelists. One suggestion about putting the Carnivore software, or the equivalent thereof, in the hands of the ISPs for purposes of having them perform these searches strikes me as alarming, frankly. If I were a member of the public wondering who is managing that software and doing things with it, I would be more concerned if it were available to and generally in use by ISP personnel, who need not necessarily understand or follow all the restrictions and constraints that the FBI would follow. 
So it seems to proliferate that strikes me as being excessive compared to what the FBI proposes, as I understand it, which is to place the equipment there only during the period of time that surveillance is required and then remove it again. Have I misunderstood that? Mr. Kerr. No. That is correct. Mr. Cerf. So in some sense, the proposition puts the facility at broader spread than it would otherwise. That is one point. You wanted to respond to that? Mr. Dempsey. Well, I was just going to say that this use of Carnivore or unauthorized access to electronic communications is equally a crime. The sanctions are the same and the definition of the offense is the same---- Mr. Cerf. No debate there. Mr. Dempsey [continuing]. Whether it is done by Government officials or by ISP's. Mr. Cerf. But I have the feeling that the ISP geeks may be less familiar with the penalties and with the restraints than the gentlemen from the FBI. So I would propose that that is not the best idea in the whole world. The other reaction that I had, Mr. Chairman, was any comparison of the Carnivore system with the worm is technically ill considered. The worm is a very different kind of beast. It is a mobile piece of software. That is not the way the Carnivore system functions. I did have the opportunity to go down to Quantico and have a pretty thorough briefing and to see the Carnivore system in operation. I regret that other members of the technical community appear to have felt unable to do that or are reluctant to do so. It was a helpful briefing, and I feel as though I have a much more firm understanding of what it can and cannot do. I still have concerns about it, as you could tell, I hope, from my comments on how much you have to look at in order to filter appropriate content. But I think the comparison with the worm is not well considered and I think should be rethought, Mr. Rosen. Mr. Rosen. 
I should suggest I was not making a technical comparison between Carnivore and the worm, but simply in the nature of the focused search. Limited to that particular aspect, it seems to me they are exactly analogous in the sense that it only reveals the information it is looking for and doesn't reveal to any human agent information it is not looking for. That was the limit of the comparison. Mr. Cerf. OK, then you are not proposing that the Carnivore is a mobile piece of software that moves around and jumps into millions of machines, which it does not do? Mr. Rosen. I am a lawyer, not a technician, sir. I will defer to you on---- Mr. Cerf. I will forgive you for that. Mr. O'Neill. If I could just make a point, sort of a means of follow-up, I think one of the difficulties and what perhaps concerns people is the idea that there is software and also hardware, because Carnivore apparently is both, and it is unclear precisely what it does or what its capabilities either currently are or can be. I mean, we all know--and I am not a technician particularly either, but we all know that software is not only dependent upon what it is, but how it is updatable, how it is modifiable, and how in any individual case it can be configured. Now, I happen to be not in the camp of those who would like to see the Carnivore source code released to the public. I think that would, in part, defeat its purpose. But I do think that it is important for this body to have oversight to make sure that at least someone is watching the watchers. And it seems to me that that is the important role that Congress can play in this whole decisionmaking process. The Chairman. Go ahead. Mr. Cerf. Well, I am thinking that the existing surveillance mechanisms are in place now and we must have someone watching the watchers, I hope. I mean, I would assume that that is true. So wouldn't the same watchers who currently oversee this---- Senator Leahy. Don't always assume that, Mr. Cerf. The Chairman. 
No, you can't always assume that. Mr. Cerf. I am sorry? Senator Leahy. I said don't always assume that. Mr. Cerf. Well, all right. If I am incorrect, then we have a bigger problem than just Carnivore. The Chairman. It is a big problem. We want you to know it is a big problem. Professor O'Neill, you gave us 10 reasons that you didn't define, but let me just go through those. No. 1, you say with respect to Carnivore itself, Congress ought to obtain briefings, classified if necessary, to get a better understanding of what Carnivore is designed to do, how it does it, and whether there exists potential for abuse. No. 2, Congress ought to determine what the statutory authorization for Carnivore is and whether law enforcement has the authority to insist that a service provider install Carnivore. No. 3, if implemented in some fashion, Congress should require that statistics be maintained by the Justice Department and that these so-called, ``audit trails,'' be routinely provided for legislative oversight. No. 4, Congress should seek to learn whether Carnivore can easily be defeated by encryption software or E.A. Poe-type purloined letter schemes. More broadly, No. 5, hearings ought to be conducted to determine whether all Internet trap and trace orders should be issued only on the basis of the judicial finding that reasonable cause exists to believe that a target has or is about to commit a crime. No. 6, the executive branch ought to be required to provide consumers with notice whenever the Government obtains information about their Internet transactions. No. 7, specific statistical reports for pen register or trap orders for Internet communications similar to the reports required under title III ought to be required. No. 8, Congress should explicitly provide that Internet queries, e-mail subject lines, URL's of sites visited, and other information which provides more than the equivalent of a dialed number cannot be disclosed without a probable cause order. No. 
9, Congress should consider requiring notice and opportunity for defendants to object when civil subpoenas seek personal information about Internet usage. And, No. 10, provide enhanced protection for information on networks, probable cause for seizure without prior notice, and a meaningful opportunity to object for subpoena access. Then you say, ``At bottom, I would urge a cautious, thoughtful approach when it comes to expanding surveillance capabilities. The conflict between increased security and enhanced privacy protection is not easily resolvable, nor will it likely ever be. But Congress ought to seize the moment to ensure that robust debate occurs before law enforcement's powers are enhanced and regardless of how the balance is struck.'' I thought those were pretty good suggestions, to be honest with you. I don't know how the FBI feels, but having heard them, what do you think, Mr. Kerr? Mr. Kerr. Well, I must say that I have just heard them for the first time, as you have read them off. But if you would permit me, Mr. Chairman, there were some questions and suggestions raised about our interactions with the Internet service providers and I think I can help you on that. The Chairman. Well, let me add to that because it was raised here in this article in USA Today, which I have read--it appears to cast doubt on whether any university is willing to take the study of Carnivore under the restrictions that have been placed on such a study by the FBI, or at least the restrictions they think are placed by the FBI. In fact, Mr. Dempsey has pointed that out, I think, fairly strongly, and I would just like you to comment about that in your overall comments. Mr. Kerr. All right. The first point I should make absolutely clear is that the FBI is not soliciting this review. It is being done by the Department of Justice, and in particular under the auspices of Steve Colgate, the Assistant Attorney General, head of the Justice Management Division. 
While I will be part of reviewing the report once it is prepared, I will have nothing to do with determining the scope of that study or the acceptability of the outcome. We did it precisely to avoid having the FBI funding a look at its own equipment and capabilities. Senator Leahy. Does the FBI support the study, though? Mr. Kerr. Yes, absolutely. Senator Leahy. Thank you. The Chairman. Have you set the restrictions on the study, though, or has the Justice Department set the restrictions? Mr. Kerr. The Justice Department. The Chairman. Mr. Di Gregory, is that right? Mr. Di Gregory. That is correct, Senator. The Chairman. Why have restrictions? Mr. Di Gregory. Well, there are certain restrictions that we believe are necessary. The one restriction, for example, is the restriction on the release of the source code. We don't believe that the source code should be released publicly because that could hamper law enforcement efforts. The Chairman. I can understand that. Mr. Di Gregory. And a general restriction with respect to the scope and the nature of the review is that the review is a technical review. The review was never intended to be a legal review, but a technical review to determine whether or not Carnivore does the things it claims it does. The Chairman. Then why are these universities having such a difficult time taking on that review? Mr. Di Gregory. I don't know. That is probably a question you would have to ask the particular universities involved, and I can't comment any further on the procurement process. The Chairman. But am I correct in inferring that all the universities approached thus far have refused to take on the review? Mr. Di Gregory. First of all, I don't know the answer to that, and even if I did know, I wouldn't comment on it because there are restrictions with respect to commenting on the procurement process that I am not completely familiar with, but am familiar enough with to know that I don't want to get in trouble. 
So if you wouldn't mind my---- The Chairman. Well, you don't want to get in trouble with us either, do you? Mr. Di Gregory. I don't, Senator. [Laughter.] The Chairman. I understand. Mr. O'Neill. One thing I would add to that, Senator, is it is interesting, though, that--and I think the Department of Justice ought to be commended for taking these steps, but I think it is interesting that it seems to be--if you sort of follow the time line, at least, it is in large part because Congress chose to take oversight of this because this information was leaked to the press that the Department of Justice then sought this outside independent review, which is entirely the appropriate and proper thing to do, and it is, of course, the role that Congress ought to be playing here. The Chairman. Well, your ten suggestions are very broadly written. I would like you and Mr. Rosen and others, and especially you, Mr. Cerf and Mr. Dempsey, to look at these and see if you can improve upon them and make suggestions for us and for the Justice Department and for the FBI as to how we might do this. Look, this is something that is really terrifying a lot of people around the country. Are we going to have an Orwellian type of investigative Government now that we are in this Orwellian type of a world which is doubling now in capacities in revolutionary ways? This is scary stuff. We have people who don't want anything to be done in this area. And, of course, we have people that are terrified that if we keep allowing the Internet to be used as a source for crime and criminal activity, this society is going to be very badly damaged. So I would like you all to spend some time on that. Mr. Cerf, go ahead, and then I will go to Mr. Kerr. Mr. Cerf. There is a book that was published recently by a gentleman named Amitai Etzioni. The title, if I remember correctly, is something like ``The Limits to Privacy.'' The Chairman. Right. Mr. Cerf. 
In that book is what I thought was a fairly reasoned and balanced discourse about the protection of personal privacy. The Chairman. And you think Etzioni's discourse would apply in this case, in this digital world? Mr. Cerf. You say it would not apply? The Chairman. No. Do you think it would apply? Mr. Cerf. I believe that it would because his premise is that there is a balance to be reached, as I think several panelists have said, between the protection of personal privacy and personal information, and the need to protect the general public's well-being from people who don't mean it well, criminal elements. And what Etzioni argues in this book is that it is possible that we have gone too far in one direction or another. It is a worthwhile book to read, if only to be provoked into thinking about what the balance could be or should be. The Chairman. Mr. Kerr. Mr. Kerr. Two points that I would like to make very briefly, Mr. Chairman. First, the suggestion that in any way information about Carnivore was leaked to the press and has led to hearings and press coverage is absolutely wrong. We have been briefing on Carnivore for about 18 months. It has been reviewed substantially within the Department of Justice. It has been briefed to many companies, many trade associations. We have offered two ISP's complete access for them to review the product and its performance, and in no way have we attempted to conceal its existence or its intended purpose. And so I find it rather surprising at this juncture that that is still the view. We have briefed many members of the congressional staff as well. With respect to the concern about ISP's and their access, the thing we safeguard is the integrity of the evidence. The box where we record the information is locked and accessible only to an FBI agent. Also, the PC on which the system is based has its keyboard and monitor removed so that, in fact, a passer-by can't make a change either maliciously or inadvertently. 
And we don't allow them to use the remote dial-up access which we employ and log, but that is what tells us when the memory is full and an agent needs to go and remove the disk. So we have tried to design it not only with great specificity to respond to the court orders, but, in fact, with a view toward maintaining the integrity and authenticity of the evidence we collect, and to be able to testify after the fact in court that we did so, who had access, when they had access, and what the settings of the device were. I hope that clarifies the point. The Chairman. Well, it helps, except for one thing. As I understand your testimony, you indicated that Carnivore has been used in some 25 cases so far. Is that correct? Mr. Kerr. Yes, sir. It is now between 25 and 30. That is correct. The Chairman. There are reports that the Attorney General was not aware of it--according to press reports, was not aware of Carnivore. And I hear from constituents that their concern with Government surveillance is not their objection to authorized uses of it, but the potential uses without the proper checks and balances on Government search and seizure that our country and Constitution are based on. What concerns most citizens and concerns me deeply are reports that the FBI developed and deployed the Carnivore system without even the knowledge of the Attorney General herself. That may be par for the course for this Justice Department, but you cannot take this lightly, given the fundamental civil liberties that are implicated here. Now, my sense is that much of the controversy surrounding Carnivore is due to the apparent perception, rightly or wrongly--and I would like you to clarify this--that there is no check on its use by the FBI. Now, I would like, Mr. Kerr, you and Mr. Di Gregory to explain to us to what extent the development and deployment of new surveillance technologies by Federal law enforcement have to be authorized by Congress. 
In other words, under what delegated authorities are new technologies, in general--and Carnivore in particular--developed, and was there specific authorization by Congress or the Attorney General to develop and use Carnivore or other similar systems? Are these press reports right that the Attorney General didn't even know about it until recently? And answer the question as far as what rights do you have to go ahead with it. Mr. Kerr. Mr. Di Gregory is going to give the first part of the answer and I will give the second. The Chairman. Okay, that will be great. Mr. Di Gregory. From what I understand, Senator, without knowing of the name ``Carnivore'' or without knowing of the specific program--this is my understanding--the Attorney General was aware of the FBI's capacity to do this kind of surveillance. I think Ms. Stansell-Gamm may have some more detail about that. The Chairman. But the Attorney General was unaware of the actual software that was being developed or has been developed? Ms. Stansell-Gamm. I simply don't know at what point the Attorney General became aware of this specific tool or the name of the tool. The Chairman. Then answer the second question. What authority do you have to do this and to have used it in 25 cases? Has Congress given you any authority? Mr. Kerr. Well, in fact, Congress appropriated the money, pursuant to our budget request, within which there is a specific line related to electronic surveillance, and particularly the development of tools for access to data networks, the Internet, and the like. It has been in our budget for a number of years. It is part of our continuing response to be able to carry out our mission to lawfully intercept communications as technology evolves. The Chairman. We are happy to have Mr. Parkinson and Ms. Stansell-Gamm here with us today. Ms. Stansell-Gamm. I would like to answer your question another way, if I could. 
It has been at least 3 years ago since the Attorney General made a press announcement about the case called Ardita, which Mr. Dempsey referred to, kindly, as one of our law enforcement success stories. And she briefed that case in great detail to the press, and the core of that story was what we were able to do and how we were able to do it. It involved an electronic wiretap at a network at Harvard University that this hacker, who turned out to be in Argentina, was using as a platform for attacking DOD systems all over the world. The investigative problem that we had was how to find the needle in the haystack, how to find Mr. Ardita's communications in the haystack of legitimate traffic. The Attorney General understood how we were able to do that, which was supervised very closely by a court in Boston. I think there were two separate title III orders. And because the tool that we were using to do that was a tool that was not as sophisticated as Carnivore but, as Mr. Cerf has pointed out, captured a great deal more hay than the needle, the minimizing process was far more exacting, required several steps and, in fact, required an agent to look at some text strings. The irony of all of this is that while---- Senator Leahy. Instead of carnivore, was that omnivore? Ms. Stansell-Gamm. No, that was not omnivore. In fact, it was a tool developed by the Navy called NIDS, Network Intrusion Defense System. The Air Force has one that they call Sniffy. You know, they all have their different names, but these tools have been used by law enforcement in a variety of agencies for some time, under the strict supervision of courts. As I say, the irony of all of this is that the tool Carnivore is the most selective, the most discreet, the most controllable, the one that is most likely to be able to reach in and pull out only the needle, although, as you say, it is a very hard problem. The Chairman. Maybe bits of needles. Ms. Stansell-Gamm. 
Bits of needles, exactly, while the haystack is moving by. The Chairman. Right. Ms. Stansell-Gamm. It is a very difficult technological challenge. So this represents, in my view, quite a good-faith attempt on the part of the FBI engineers to respond to the challenge of collecting information on the Internet in ways that comply strictly with our legal authorities, and to do it in very discreet, controlled ways that create records. That is what this tool does. The Chairman. Let me turn to Senator Leahy. I have taken long enough. Senator Leahy. You know, it is interesting as we examine these issues to look back at lost opportunities. A few years ago, I suggested some better procedures for applying for warrants on pen registers, and so forth, and the FBI has always been reluctant to talk about that. Now, I find, since Carnivore came out, some of my colleagues in the House have proposed that we change not just the procedures, but also the standard for pen registers and traps and traces to an extent that I think that probably Justice and the FBI would wish that they had paid more attention to the suggestions that I made. But I assume from the fact that they haven't expressed any change of heart about my prior proposal that, they reject that and would prefer that I support the legislation, for example, of Representatives Canady and Hutchinson, H.R. 5018, which proposes a more stringent standard for pen registers, trap and trace, and similar devices that would identify e-mail addresses, like Carnivore. That legislation would require specific and articulable facts reasonably indicating that a crime has been or is being or will be committed, plus a showing of relevance of the information sought to the investigation of that crime. Another bill introduced by Representatives Barr and Emerson, H.R. 4987, would apply that same greater standard to all pen registers and traps and traces, whether or not they would identify e-mail addresses. 
Since the source and destination information about e-mail may have content in a way that a dialed telephone does not, should we change the standard for pen registers and traps and traces, or do my earlier suggestions now suddenly sound better to you? Mr. Di Gregory. As you may know, Senator, the administration has put forth a proposal which would elevate the standard required for trap and trace or pen register information, though not quite the same standard that is put forth by Barr and Canady. Our standard would require the prosecutor--the one that is proposed would require the prosecutor to submit a factual statement rather than merely a certification, and that that factual statement would be viewed by a court and a court would determine whether or not the factual statement was sufficient to establish that the information to be obtained from pen register or trap and trace was information relevant to an ongoing criminal investigation. Senator Leahy. Does that mean you don't like their legislation? Mr. Di Gregory. There are problems with their legislation. The one that comes to mind initially is that the legislation submitted by specifically Representative Canady is e-mail-specific. It is not even Internet-specific, but it is e-mail-specific, and that creates a problem. As we have said in other contexts and have said before Chairman Canady's subcommittee, we believe that any legislation that is developed with respect to the substantive criminal law, or even the procedural criminal law as it relates to the Internet should be as much as possible technology-neutral. We don't think that there should be a different standard for the interception of e-mails versus the interception of telephones--excuse me; I used the word ``interception''--for a pen register or a trap and trace for e-mails as opposed to a pen register or trap and trace for telephones. Senator Leahy. Dr. Kerr, do you feel the same way? Mr. Kerr. I will take the easy-out, sir. 
As you know, I am a physicist and I don't normally opine on matters of the law. Senator Leahy. Thank you. There is nothing wrong with that answer. We got a letter from the FBI last month that described the operation of Carnivore. It said, ``It does not snoop through e-mail traveling through an ISP network by searching for key words or reading the subject line or any other content.'' But the nature of how the Internet works, as I see it anyway, is that the specific communications or addressing information of a suspected criminal, one who has been targeted under a court order, are mixed all up like a stew with all the other packets of different Internet users carried by the ISP. Somehow, Carnivore has to snoop through all these other different packets to find the right one, the needle in the haystack. Is that correct? Mr. Kerr. Let me start to answer and certainly welcome any assistance Mr. Cerf would like to give, but go back to his envelopes for a minute. What we are looking at in the first instance is the address on the outside of the envelope. With the address matching the one we are authorized to capture, we collect the envelope and we subsequently go and we only take from that envelope the information we are authorized to take. But we use the addressing properties of the Internet itself, the Internet protocols, to select out just those packets. We don't read them at that point. The machine is doing it. There is no content being viewed by any human. And, in fact, those packets that contain information we are not authorized to obtain disappear at that point. We don't control them. Senator Leahy. But to use the envelope thing, it is like getting a big bag of envelopes and you are looking just for the one addressed to Dr. Kerr, but there is also an envelope in there to Mr. Parkinson, Mr. Di Gregory, and on and on. I mean, you have got to go down through all those envelopes at some point. Mr. Kerr. 
Well, think of it better perhaps, you are standing at the post office and all the envelopes are going by you on a conveyor belt. And we are just picking off those envelopes that have the right address on them. The others go away; they are not in our life anymore. Senator Leahy. Mr. Cerf. Mr. Cerf. If I could interject, the problem here is a language and terminology problem. The term ``address'' unfortunately is overused for a variety of different purposes even in the Internet. And so we speak, for example, of Internet addresses, by which we sometimes mean 170.127.34.16, which is a numeric indicator of where a computer is in the Internet. It is sort of like a telephone number. On the other hand, we also say what is your Internet address, and by this we often mean what is your e-mail address, which in my case would be [email protected]. Those are different, and so the way the Carnivore works is it starts with the lowest-level physical numeric addresses of the source and destinations that are under observation. And it only selects out--the conveyer belt model is a good one--it only selects out those ones that happen to contain those physical addresses. Now, we can argue separately about whether you have got the right addresses. I mean, there are some issues about the stability of IP address assignment and whether or not a particular computer has the same IP address forever and ever or whether it changes from time to time. I am sure that the members of this committee don't want to know all the details right here on the spot, though I am prepared to provide them if needed. But after you have selected the set of envelopes that may contain information of interest, only then do you then look inside. 
And if I have any concerns at all--and I want the FBI folks here to know I do have concerns--you do have to see quite a bit; you have to suck into the Carnivore machine quite a bit before you can find that part which you are interested in after you have determined that this envelope might contain something of interest. The point that the Carnivore programmers make is that the software is intended to look at the collection of material that makes up an e-mail message like this one, that amount of which happens to be in one packet, and only if it finds, for example, a ``to'' and ``from'' e-mail does it capture that packet. If it can't find that, if it can't parse the contents, it throws it away. That is the design, that is the intent, and that is the way it is used. So it is true that the machine pulls in more than is needed, but it then is programmed to throw away that part which doesn't match their search criteria. Senator Leahy. And what you are saying, Dr. Kerr, is you can't go back to the machine and find out what was thrown away? Mr. Kerr. That is correct. Mr. Cerf. Except in the case, of course, where you have been authorized to obtain and capture content as well. I don't know whether you are ever allowed to do that. Mr. Kerr. The answer I was giving was that packets that we have discarded aren't available to us at all. Mr. Cerf. They are not. They have disappeared on the conveyor belt and have gone away. So it is a multilevel filter that is being applied, and at each stage in the filtering process less and less information is retained. Senator Leahy. Mr. Dempsey, you wanted to add something to that. Mr. Dempsey. Yes, Senator. I have two comments, one of which addresses the question which is, is it good enough that Vint Cerf has looked at Carnivore and has come away relatively satisfied with it. And I have to say that---- Mr. Cerf. I won't take any offense if you say that it isn't because I would agree with you. Mr. Dempsey. That it isn't good enough? Mr. Cerf. 
That is right. Mr. Dempsey. And so we have to somehow get beyond the fact that one person has been in, or that several people have been in. I really don't think we have had the kind of review of Carnivore that would really satisfy this committee and satisfy the public, and I do agree with the chairman that somehow the FBI needs to work and the Justice Department needs to work on that independent review. I would note in response to Dr. Kerr's comments it is a Justice Department review, but this nondisclosure agreement which Vint Cerf signed but which other people are rather reluctant to sign--the nondisclosure agreement is between the contract personnel and the FBI. You are signing an agreement with the FBI and you are responsible to the FBI as to what you can say and not say. I also think that I am a little bit reminded of the---- Senator Leahy. Responsible to the FBI, even though the review is that of the Justice Department, or did I miss the point? Mr. Dempsey. Well, the question was who is controlling the---- Senator Leahy. You are talking about when it goes in. Mr. Dempsey. Controlling the review. Senator Leahy. Yes, OK. Mr. Dempsey. Who is controlling the review, and Dr. Kerr made the point, well, people needn't worry; it is a Justice Department-controlled review. And I am making the point that the nondisclosure--people are going to be bound to the FBI. Mr. Cerf. May I just interject that I agreed to sign the nondisclosure on the principle that when you are dealing with surveillance, just as you would with other intelligence situations, sources and methods are always a sensitive issue. Mr. Dempsey. But the concern on the part of people, as I understand it, is that this agreement is so broadly drafted that it will prohibit people from talking more broadly or more generally. 
Now, you feel comfortable coming here today and speaking, but other people are worried, particularly if they would be critical as opposed to moderately supportive, that they would then be accused that they had--particularly if they talk about ways in which Carnivore may be vulnerable, may be subject to abuse, may be avoidable or evadable, that they would--the point is we need to get beyond one person knowing. Mr. Cerf. Absolutely, and I believe that the FBI has, in fact, introduced this system to more than one person. But I just want to emphasize two things. First of all, I am conscious of the concern over methods of collection and I recognize the need to keep those reasonably under control. However, I do agree with Mr. Dempsey that one person is not enough and that you need a broader substantiation that this system does what it, in fact, claims to do. So I would certainly agree with what I think Mr. Dempsey is suggesting, is that there be a broader review of this system and some confirmation coming back to this committee that it does as it is advertised. Senator Leahy. I would like that. And let me ask you--I think this would probably be for the FBI or DOJ--the D.C. Circuit Court of Appeals had a recent decision on the FCC's implementation of CALEA and it raised some interesting questions both about the legality of Carnivore, but also I think the liability of ISP's. The court agreed with the FCC that a standard adopted by telecommunications carriers could provide both packet headers and the content or payload to law enforcement. The carriers argued, though, that they couldn't technically separate the two, while the FBI said, that is OK, we have got equipment that could, ``distinguish between a packet's header and its communications payload, and make only the relevant header information available for recording or decoding.'' Now, I assume the FBI was referring to its Carnivore equipment when it made that representation to the court. 
It actually made the same representation to the FCC. The reason I say this is the representation was critical, since both the FCC and the court noted that, ``privacy concerns could be implicated if carriers were to give to law enforcement packets containing both the addressing information and the content, when only the former''--that is, the addressing information--``was authorized.'' Now, both the FCC and the court noted that CALEA imposes an affirmative duty on carriers to protect the privacy and security of communications not authorized to be intercepted. It also requires that they do not give law enforcement access to any communications or addressing information not covered by a court order. I put all that as a basis to this question: do you believe that the way in which Carnivore operates gives law enforcement access to more than just the communications or addressing information covered in a court order? And if so, could it put the ISP in jeopardy of violating its duty under CALEA of protecting the privacy and security of communications not authorized to be intercepted? Mr. Kerr. The very simple answer to your question is that CALEA covers telecommunications carriers. The Internet service providers are not covered under CALEA. We have only used Carnivore in conjunction with the networks of Internet service providers. We did, in fact, brief the standards committee for the companies and others involved in CALEA on the technology used in Carnivore in order that they would be aware of it as they develop a CALEA-based standard for telecommunications carriers using packet-switched networks. But there is no carryover between CALEA and what we have been talking about with Carnivore. Senator Leahy. 
Then what did the FBI mean, after the carriers had argued they couldn't separate packet headers and content--I am talking about telecommunications carriers when they argued that before the court, and the FBI said, well, that is OK, we have got equipment that could distinguish between packet headers and communications payload. Were they referring to Carnivore? Mr. Kerr. I think they were likely referring to Carnivore, but as a demonstration of a technical approach. To repeat, we have not used and don't expect to use Carnivore in a CALEA-covered intercept. Senator Leahy. Mr. Di Gregory, is that your understanding, too? Mr. Di Gregory. My understanding of what the FBI intends to use? Senator Leahy. Yes. Mr. Di Gregory. As I understand it, the FBI only intends to use Carnivore when the ISP is unable to provide the information or not willing to do so. Senator Leahy. Mr. Dempsey. Mr. Dempsey. Well, Senator, Dr. Kerr is 100-percent correct when he says that CALEA does not apply to ISP's. And I have to say that was one of the smartest decisions that was made in the course of CALEA because implementing CALEA for the telephone companies has been a nightmare. It would be even worse trying to apply CALEA to the Internet and to ISP's. But I think what the court and---- Senator Leahy. It is a matter that we thought of at the time, as you recall. You were involved in some of that debate at that time. Mr. Dempsey. Yes, I was, Senator. I take responsibility for all the mistakes we made there. Senator Leahy. No, no, no. Mr. Dempsey. But keeping the Internet out was your and Congressman Edwards' decision, and it was a wise one, it turns out. I think what the FBI was referring to was not Carnivore, per se, but this notion that we will let the technology make this distinction, this constitutionally-based distinction between content and something other than content. We have a huge issue on the Internet about what about this transactional information? 
It is not just numbers dialed, and what should be the standard? Professor O'Neill referred to that. But assuming that you can distinguish between content and noncontent, the FBI said in the CALEA debate if the carriers can't separate it, give it all to us. Even under a pen register order, give us the whole packets and we, the FBI, will sort it out, and we will only keep what we are authorized to keep. We won't look at or keep what we are not authorized to keep. And if it is a pen register, content, we are not authorized to keep content. We have a machine, we have a capability to disregard that. And what the court of appeals said, I think, is that is not good enough. The technology, the FBI, the Commission, the industry cannot modify the constitutionally-based rules for interception of content, and that in order to obtain and grab and look at and analyze and redirect content, you need a full probable cause-based order. And the FBI is using Carnivore under the pen register authority on the ``trust us'' standard that our technology will solve the problem of what is the distinction. Now, Mr. Cerf has said it is very hard to distinguish between what is content and what is, ``addressing information.'' Mr. Cerf. No, I didn't say it was hard to distinguish between the two. What I said is that you have to capture a lot before you can filter out the part which is considered header. Yes, you must capture it. Because of the structuring of the protocols, you have to capture essentially a lot of this piece of text before you can then find the part that you want to capture. Mr. Dempsey. That poses huge constitutional problems. Mr. Cerf. Hang on, folks. Senator Leahy. Just a minute. To make sure I understand it, part of the problem is the ``just trust us'' standard, but it actually even goes beyond that, the fact that it is even being collected to begin with. Is that what you are saying, Mr. Dempsey? Mr. Dempsey. Yes. Mr. O'Neill. 
If I may interject, this is part of the difficulty, I think, that Congress has to deal with. The fact that the Department of Justice--and I was very proud to have worked for the Department of Justice, and frankly in a lot of circumstances I much prefer the Department of Justice having any personal or private information about me than I do some industry groups or whether the ISP does. I mean, that is sort of my general default. Part of the difficulty, though, is that the Department of Justice perceives its mission, and rightly so, as making sure that we are secure in our homes, preventing and stopping crime. In an effort to do that, what the Department has done, and rightly so, is to make sure that it stays technically relevant. The Internet is a big change over the way people communicated in the past. In order for the FBI to be able to fight and deal with the perceived threat and the actual threat, whether it is crime or international terrorism or what have you, it then develops software and it develops new and innovative approaches to collect information to continue doing what it has done in the past. The difficulty and I think the challenge for Congress is to make sure that all of this technological innovation, all of these changes in the way that the FBI or Federal law enforcement assembles information--that someone is watching it. Judges frankly are in a very poor position to monitor this because judges frankly don't have the information available. They are only trained as lawyers. They are not in a situation like the U.S. Congress is to have people who are expert in these very complicated, and as we have seen from the discussion here today, very esoteric parts of technology. 
Congress frankly is in the best position to be able to do that, and I think it is in Congress where the American people's trust has to reside to make sure that this just doesn't happen with nobody watching it, to make sure the Department of Justice isn't too good in fulfilling its mission, and that there is a public watchdog, namely the Congress, making sure that the appropriate balance between personal security and personal privacy is maintained. Senator Leahy. Well, I would agree there. I am happy we are having this hearing. Whether Congress is going to be adequate in this kind of oversight--I mean, we can be if we want to be. It is whether we set that as a priority, and you have worked up here and you know that there are a million things coming through at any given time, some substantive and some symbolic, and we tend to spend a lot of time on one or the other depending on what we are doing. But the Sunday afternoon emergency court order is not going to be--the oversight is not going to be in the Congress, but it is going to be at the Department of Justice. Mr. O'Neill. But Congress should be setting the baselines. Senator Leahy. I agree. Mr. O'Neill. And once the baselines are set, then judges and the FBI and law enforcement can properly administer those baselines when they are out there in the field. Mr. Rosen. Can I just make a point on that? Senator Leahy. Well, Mr. Cerf had been trying to respond. Mr. Cerf. Only to support Mr. O'Neill's argument. It seems to me that it is inescapable that this technology will proliferate, not the Carnivore technology, the Internet technology, and that it will become the basis for most of our communications. Even if the other systems survive and persist, the Internet will carry television and telephony and radio, and so on. So we need to learn how to deal with that. 
We need to deal with it in the context of the problems that the Justice Department and the FBI have, and other law enforcement people do, at the same time trying to protect individual rights to privacy. That balance has to be struck, and the terms and conditions for it surely lie squarely with our Congress. Senator Leahy. Mr. Rosen. Mr. Rosen. I wonder if I could make a concrete suggestion about striking that balance, to pick up on the suggestion. We have been focusing on the different standards for different forms of technology, for pen registers, for content, for header information. There is another approach that Congress took in the title III area which is really a model for protecting privacy and striking the balance that we are thinking about here, and that is limiting the most intrusive searches to the most serious crimes. A search of a diary, for example, might be reasonable in the context of the Unabomber, but not for a relatively trivial civil suit. Now, there is a tendency, as you know, for the list of these crimes to expand exponentially. So originally the title III list was limited to really serious and violent crimes, and now it includes all felonies. But for searches of e-mail and for any content-based searches, you have the ability and the opportunity right now to really create a very limited number of crimes that can justify these searches. And I think that citizens would just feel much more comfortable about having intimate information revealed when they know that there are violent and serious criminals involved than when they think that any of them may be caught up in a relatively trivial offense. Senator Leahy. What you are saying is the constitutional threshold remains the same, no matter what the crime is, but we will just simply say that constitutional threshold or not, you can only do these searches for certain types of crimes. Mr. Rosen. 
I guess the notion is the constitutional threshold is reasonableness, and a search is more likely to be reasonable if a serious crime is involved than if it is not. So in trying to substantiate that constitutional standard, just make sure that the list is limited when the searches are intrusive. Senator Leahy. Mr. Cerf, there is something I have always meant to ask you. Are you relation to the late Vincent Cerf? Mr. Cerf. To whom? Senator Leahy. The late Vincent Cerf. Mr. Cerf. Are you thinking of the late Bennett Cerf, perhaps? Senator Leahy. Well, there is also a Vincent Cerf. Mr. Cerf. There is a Vincent? Senator Leahy. Yes. Mr. Cerf. Gee, no, not that I am aware of. I am related to Bennett Cerf, both of them. One of them is my son and the other one, of course, is the former publisher at Random House. But I do not know Vincent Cerf. Senator Leahy. Bennett Cerf has the ability to come up with some of the wildest puns, as you probably know. Mr. Cerf. It is a genetic defect and it runs in the family. Senator Leahy. I have been accused of using some from years back. Obviously, you are an acknowledged pioneer of the Internet, and you were kind enough to help out the Internet Caucus, and so on. You worked on ARPANet, which is the precursor to the Internet. You were there when the Internet was first discussed and began being developed into what it is today. I suspect that neither you nor anybody else could have envisioned just how quickly it has gone so far. You may have known that it would go like this, but the fact that it has moved so quickly. But Congress also played an essential role. We funded not only ARPANet, but also the NSPNet and the backbone that led to the Internet. The reason I ask this is that some--I wouldn't suggest anybody on this committee, but some have poked fun at Al Gore on this issue. 
But I think they fail to acknowledge his role in Congress when he pushed for development and saw the potential of the Internet years ago when a lot of others didn't. I remember back in the 1980's--and I remember this because his office was down the hall from mine--that then Senator Gore chaired a hearing that had the first ever live computer demonstration exhibiting the possibilities of a high-speed computer network. I know of nobody else who had done it up to that point. So would you at least agree with me that the Vice President played a significant role in pushing for funding and development of what became the Internet, and may deserve some praise for his vision in that regard? Mr. Cerf. I would have to agree with that, Senator. The Vice President while he was Senator, in fact, was one of the first in this august body to realize that there might be something important about super computers and optical fiber and computer networking. He held a number of hearings, some of which had a direct impact and influence on legislation that supported the research that has led to the continued evolution of the Internet. He has been a strong supporter, as I am sure you are aware, both in his senatorial role and as Vice President. And so I think it is quite proper for him to receive some credit for that interest and that support. I regret, as I suspect he does, the slip of the tongue that led him to characterize his role more broadly than I think it deserves. Senator Leahy. More broadly than he intended, too, I think. Mr. Cerf. I believe that is correct. On the other hand, I feel very strongly that he does deserve considerable credit for his consistent support for the Internet and related technologies. Senator Leahy. One of the national news media gave me what I thought was too flattering, but I am not going to ask for a retraction, profile referring to me as the Cyber Senator. I have got to admit that a lot of that interest came from then Senator Gore. 
When we were coming back from votes, he would start pounding my ear and then would grab me into office and keep on going until I agree that, yes, I would learn more about it, and then he would turn me loose. Thank you. Thank you, Mr. Chairman. The Chairman. Well, I want to thank all of you for being here today. This has been an excellent hearing. We have raised a lot of issues that are important. Naturally, all of us want to support law enforcement, it seems to me, in legitimate pursuit of those who are breaking the laws. I certainly do. On the other hand, we certainly want to be concerned about the privacy aspects of individual citizens in our society. There are no easy answers to all of these very significant questions, but we are hopeful that you can continue to help us to understand this. So we will keep the record open for a week for any additional comments or statements anybody cares to make and any additional materials you would want to submit to us. Senator Leahy. Mr. Chairman, could I emphasize regarding submitting anything further, if you have further thoughts on that court of appeals case, I think it would be very helpful to both the chairman and myself if any of you would like to add to it. I mean, that is not a trick question in any way whatsoever, as you know. I am trying to figure out where it goes. So if you want to add something, if you want to ask your own question and answer it, please feel free to do so. The Chairman. We will keep the record open for that. We want to thank each and every one of you. You have been great here today, and this has helped us to understand this much better. So with that, we will recess until further notice. [Whereupon, at 12:31 p.m., the committee was adjourned.] ---------- Questions and Answers Responses of Donald M. Kerr to Questions From Senator Hatch Question 1. Is Carnivore set up to intercept all of the communications of all of the ISP Subscribers Within an ISP's Computer Network? Answer 1. No. 
First of all, the FBI intentionally works closely with the computer network Administrator to decide on the best and most appropriate interception access point. This access point is determined with the specific purpose of finding the smallest segment within that ISP's computer network into which the criminal subject's communications traffic can be funneled, so as to minimize the amount of network traffic involved. Technically speaking, most ISPs can and do identify such a limited segment within the overall ISP network which contains the criminal subject's communications traffic. Second, the FBI uses a commercial device to attach Carnivore to, yet isolate it from, the network. More to the point, the FBI has absolutely no intention of being put into a situation where Carnivore would have to interface with an entire ISP network. If someone had the erroneous idea that the FBI might desire to ``capture'' all such ISP network traffic--which it certainly does not want to and will not do--the Carnivore system could very quickly be overwhelmed with traffic. That is, Carnivore software is deployed on a standard PC and the largest hard drive that has been deployed is 18Gb. With the total traffic of many ISPs running at thousands of Mbps, even if this hard drive was storing only 100Mbps of network traffic, the Carnivore system would fill up in about three minutes. The only exception to the aforementioned rule would be with regard to very small ISPs where all subscribers' communications traffic was traversing the same segment of the network as the criminal subject's traffic. Of course, under these unusual circumstances, Carnivore would, as it always does, filter out all of the traffic other than that of the criminal subject. Question 2. Does the use of the Carnivore System legitimately raise the concern of Carnivore broadly conducting illegal searches as to other innocent, non-criminal subject subscribers' communications addressing information or communications content? Answer 2. 
No. It is important to understand that Carnivore's filtering operates in stages--and that all filtering occurs exclusively within the ``Carnivore box.'' Carnivore's first operation is exclusively to detect the criminal subject's identifying information. The first stage of filtering in the Carnivore system is to match (in purely binary computer code) the ``pattern'' of ``1's'' and ``0's'' in the computer bit stream that matches the subject's ``pattern,'' based upon the criminal subject's identifying information, as set forth in the court order. So, in a very simplified example, with the filter exclusively set to detect the criminal subject's computer bit pattern ``1100,'' if the first bit in the computer bit stream was an ``0,'' Carnivore would automatically conclude that since ``0'' and ``1'' are not a match, that this circumstance does not meet the filter pattern criteria, and it would quickly move on to conduct the next pattern match effort. If the first digit is a match, Carnivore would then go to the next digit in the computer bit stream, and repeat the process, until an exact, complete match is arrived at. Importantly, nothing happens at all, by way of any interception of communications content or acquisition of communications addressing information, unless and until the criminal subject's unique identifying information has been matched. Then, and only then, does Carnivore move on to the second stage of filtering, in terms of applying the appropriate filters required to filter either for communications addressing information acquisition or for full communications content interception, depending upon the particular authorization found within the court's order. Finally, FBI personnel only receive and ``see'' the communications addressing information or communications content of the criminal subject, as appropriate--based upon the court's order--after all of the Carnivore filtering has been completed exclusively within the Carnivore box. 
In short, Carnivore never conducts a search of the communications addressing information or communications content of any innocent, non-criminal subject at all. Indeed, even with the criminal subject's communications traffic, Carnivore filters the criminal subject's ``machine readable only'' binary code exclusively within the box; and FBI personnel only obtain, in a humanly intelligible format--and ``outside of the box''--the criminal evidence sought after Carnivore has completely concluded its programmed filtering efforts within the box. Question 3. Does the FBI ``view'' computer network traffic as it passes through the Carnivore System? Answer 3. No. First of all, Carnivore's filtering program renders Carnivore effectively blind to any network traffic other than that of the criminal subject, concerning whom a court has issued an order authorizing the acquisition of communications addressing and transactional information or the interception of communications content, all based upon identifying information unique to the criminal subject. Only such information about or communications content of the criminal subject is collected by Carnivore. Second, the computer network traffic passes through the Carnivore system at a speed far beyond human comprehension. The network traffic consists solely of a series of ``machine readable only'' 0's and 1's, flashing through Carnivore at a rate of 40 million ``0''s/``1''s per second (and often at much higher speeds). Whenever any network traffic is stored on the Carnivore system, it remains in the same format of 0's and 1's; and, importantly, it is not turned into a format intelligible to humans until after it is transferred from the Carnivore system. 
Again, it bears repeating that Carnivore is a configurable system that will provide FBI personnel only that information that it has been programmed to deliver through its filtering--information that equates with the information authorized for interception/acquisition in the court's order. Question 4. If the FBI were to conduct a pen register type investigation, wherein Carnivore would be programmed to only acquire the criminal subject's addressing information, and if the subject visited different web sites, would the Carnivore system acquire information such as URL subdirectories? For example, if the subject went to Amazon.com to buy a book, would the FBI be able to tell what book he/she bought? Answer 4. No. URL subdirectories are not acquired. The IP address and port number for Amazon.com alone would be acquired. Hence, the FBI would only know that the subject went to Amazon.com, and whether or not the subject established a ``secure'' connection (i.e., secure socket layer (SSL)). Question 5. Can the FBI use Carnivore to intercept computer network communications other than e-mail? Answer 5. Yes. Carnivore can be configured to intercept various types of computer network communications which match its filters. It has been used to intercept several protocols in the TCP/IP protocol suite (e.g., Telnet, FTP, IRC, and HTTP). Of course, in all instances, the appropriate legal process under Title III, FISA, or the ECPA would first have been obtained. If the electronic surveillance is for communications ``content,'' a full Title III court order (probable cause showings and more) would be required. Question 6. Does Carnivore interfere with the service or operations of an ISP computer network? Answer 6. No. By design, Carnivore does not interfere with an ISP network. First, the FBI works closely with the ISP computer network Administrator to decide on the appropriate interception access point. 
This access point is determined with the specific purpose of finding the smallest segment within that ISP's computer network into which the criminal subject's communications traffic can be funneled, so as to minimize the amount of network traffic involved. Then, importantly, a commercial device is used to attach Carnivore to, yet isolate it from, the network, such that, as a technological matter, it physically cannot and will not transmit anything whatsoever into the network or otherwise intrude into the network. Second, by design, Carnivore's attachment to a network will not crash or interrupt network service. Recent comments reported in the media suggesting that Carnivore had interrupted or ``crashed'' the service or operations of a major ISP are completely false. In reality, a small loss of bandwidth did occur with the ISP in question, within only one segment of that ISP's network, when technicians from the ISP chose on their own to alter their software code to facilitate interception access. In fact, Carnivore was not even attached to the ISP network at the time when this ISP network problem arose. Question 7. Does the Carnivore System use trojan horses or viruses to collect a criminal subject's communications content or addressing information? Answer 7. No. The Carnivore system is totally passive. No software is added to a subject's computer. Question 8. Once Carnivore has been deployed, can the filters be accessed and changed remotely? Answer 8. Yes. Carnivore can be accessed remotely and the filters may be changed--but, (1) only a select few technical persons specially dedicated to the Carnivore program, (2) only when those few persons are privy to the specific dial-up access number, (3) only when those persons possess a hardware security device that is specifically required for remote access, and (4) only when such persons have the necessary two-tiered password access authority required. 
Currently, within the FBI there are only a limited number of technically-trained personnel who implement the Carnivore program. As noted, the dial-up access is secured by both hardware and software protections, and any access, or attempted access, automatically generates a series of recorded logs which disclose precisely who, if anyone, has ever accessed Carnivore remotely and/or changed the filters in any given case. Importantly, any filter changes would be based upon some significant reason, such as a change in the legal process (e.g., moving from a pen register or trap and trace investigation to a full Title III, pursuant to obtaining a Title III court order), the termination of the surveillance period and Carnivore's attendant ``shutdown,'' or for technical ``trouble-shooting,'' if some technical problem or glitch arose. Although investigative personnel have limited remote access capabilities for investigative purposes only--that is, to access the raw data that subsequently, through later processing, will constitute the evidence in the investigation--they are never given the second tier password required to access or change the Carnivore filter sets.

______

Responses of Donald M. Kerr to Questions From Senator Thurmond

Question 1. Dr. Kerr, please explain the obstacles that law enforcement faces in getting information on electronic communications, especially with less encryption controls and with the increased use of digital messages.

Answer. As your question correctly suggests, technological obstacles to electronic surveillance are arising in the environment of electronic communications. These obstacles are varied and pose significant challenges to the law enforcement community's lawful conduct of court-ordered electronic surveillance. In working with the vast array of large, medium, and small size Internet Service Providers (ISPs), we have encountered some unusual network-based obstacles.
For example, even though the FBI always works very closely with such ISPs (both by desire and necessity) before we ever undertake an electronic surveillance effort, we have nonetheless encountered some unusual, non-standardized, and proprietary network protocols and other network controls within such ISP networks; and these complicate electronic surveillance efforts. Indeed, somewhat remarkably, we have found, in some instances, that a given ISP's most expert technical personnel themselves may not always be fully aware of, or conversant with, the protocols being utilized within their network and/or how they have been implemented. Such a situation can adversely impact upon the smooth effectuation of certain electronic surveillance orders. In another vein, certain very high-speed electronic communications can likewise challenge, or threaten to undermine, the ability of law enforcement to fully and properly execute electronic surveillance court orders. Finally, the use of encryption by criminal subjects (absent some lawful and efficacious law enforcement decryption capability), can threaten to undermine Federal District court electronic surveillance orders and the ability of law enforcement agencies to investigate and prevent serious acts of terrorism, espionage, and violent criminality. As to the foregoing challenges and many others, the FBI historically has worked (and continues to work) closely with various business and technological components within the electronic communications industry. And, by necessity, the FBI also steps in and develops its own tools, as necessary, when commercial tools are not available which fully meet legal, evidentiary, investigative, and operational requirements placed upon law enforcement's lawful conduct of electronic surveillance.

Question 2. Dr. Kerr, there has been considerable concern about the F.B.I.
possibly using Carnivore to search randomly through all e-mails or other electronic communications that contain specific words or phrases like ``bombs'' or ``drugs''. Does the F.B.I. have the authority to gather intelligence on non-specific targets in this manner?

Answer 2. First of all, the FBI's Carnivore system simply does not work, as suggested by some, in a fashion of randomly searching through all E-mails or other communications that contain specific words or phrases like ``bombs'' or ``drugs,'' etc. To the contrary, Carnivore is a ``filtering'' tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications regarding a specific criminal subject--based upon that criminal subject's identifying information (e.g., his/her IP address)--occurring over a particular computer network, in compliance with the Constitution and the Federal electronic surveillance laws. Whenever Carnivore is used, the FBI never deploys it without the cooperation and technical assistance of the ISP network technicians and/or engineers. Further, through working with the ISP, Carnivore is positioned and isolated in the network so as to focus exclusively upon just that small segment of the network traffic where the criminal subject's communications can be funneled. This is roughly analogous to using an electronic surveillance device only within a single trunk or cable within a telephone network. Stated differently, and contrary to the assertions of some critics, Carnivore does not access `in a Big Brother mode, all subscriber communications throughout an ISP network.'

Carnivore's filtering operates in stages. Carnivore's first action is to filter only within a small portion of an ISP's network. Specifically, Carnivore filters binary code--streams of 0's and 1's that flow through an ISP network, for example, at 40 mega-bits per second, and often at much higher speeds.
To visualize this, imagine a huge screen containing 40 million 0's and 1's flashing by on this screen for one second, and for one second only. Carnivore's first effort--entirely within the Carnivore box--is to identify within those 40 million 0's and 1's whether the particular identifying information of the criminal subject, such as his/her IP address, (for which a court order has been authorized) is there. If the subject's identifying information is detected, the packets of that criminal subject's communication associated with the identifying information that was detected, and those alone, are segregated for additional filtering or storage. However, it's very important to understand that all of those 40 million 0's and 1's associated with other communications are instantaneously vaporized after that one second. They are totally destroyed; they are not collected, saved, or stored. Hence, FBI personnel never see any of these 40 million 0's and 1's, not even for that one second.

After exclusively segregating the criminal subject's information for further machine processing, then a second stage of filtering is employed. At this point, and again all within the Carnivore box, Carnivore checks its programming to see what it should filter and collect for processing. In other words, it determines, as required by the specific wording of the court order, if it's supposed to comprehensively collect communications content--in a full Title III or FISA mode--or, alternatively, whether it's only to collect pen register or trap and trace transactional and addressing information. Only that information specified in the court order is being collected and passed on to FBI personnel by Carnivore.

As to the second part of the question, the FBI does not have the authority to--and certainly does not--gather intelligence on non-criminal targets in some broad brush manner.
FBI electronic surveillance under title III and the ECPA focuses on gathering hard evidence about particular criminal subjects with regard to particular facilities being used by such criminal subjects and with reference to particular crimes and criminal communications, and with reference to identified co-conspirators.

Question 3. Dr. Kerr, what controls exist on the F.B.I. to insure that Carnivore is not misused for a fishing expedition or to obtain electronic communications that lie outside of the scope of a court order?

Answer 3. There are numerous legal, technological, and administrative controls that prevent the misuse of Carnivore for a fishing expedition or for intercepting communications outside the scope of the court order.

Legal Controls: First of all, the law itself is a powerful control to ensure that only properly authorized, lawful electronic surveillance occurs. The FBI certainly is of this opinion. As such, the FBI only conducts electronic surveillance--whether conducted through the use of Carnivore or otherwise--pursuant to a lawful court order or lawful voluntary consent of a party to the communication. This has been the case since 1968, when the first Federal electronic surveillance laws were enacted in the Title III legislation. Importantly, the FBI has an outstanding record of compliance with the electronic surveillance laws since their enactment over 30 years ago. In addition, it is very noteworthy that the electronic surveillance laws contain stringent deterrents to unauthorized (illegal) electronic surveillance, including criminal (felony) and civil sanctions for any individual who violates the law. Further, under the Constitution, suppression of illegally obtained evidence (and fruits thereof) may be applied by Federal courts if electronic communications content is unlawfully intercepted.

Technological Controls: The Carnivore system, by design and functionality, is set up to establish an ``audit record'' for evidentiary purposes.
Of course, a secondary aspect and value of this design and functionality would be to aid in the prevention of any potential infringement of privacy rights. Moreover, as you may be aware, Carnivore, by design, is a device which only functions to filter out. In its first filtering action, Carnivore filters out anything not associated with the unique and specific identifier associated with a particular criminal subject's service, as identified in a given court order. Stated differently, Carnivore ``ignores'' and is ``blind to'' anything not associated with a criminal subject's unique identifier that relates to the specific authorization set forth in the court's order. In its second filtering action, Carnivore filters out content when the order is only for communications addressing and transactional information. Thus, as a special purpose electronic surveillance tool, Carnivore fundamentally and purposely works as a ``filter.'' By contrast, Carnivore fundamentally and purposely does not work, descriptively speaking, as a ``vacuum cleaner'' which, by design, would purposely acquire electronic communications broadly and indiscriminately from all network users, including those of innocent subscribers. Hence, Carnivore's design does serve as an effective check against any potentiality of infringing upon privacy rights.

Administrative Controls: There are numerous administrative and criminal justice system-based controls which preclude the errant use of Carnivore, both in terms of internal and external oversight to control how Carnivore is being used at any point in time. To begin with, it should be emphasized that the FBI does not deploy or use Carnivore or any other non-consensual electronic surveillance tool in a vacuum. With regard to applications for pen registers or trap and trace devices, section 3121 of Title 18 of the United States Code prohibits Carnivore's use, as such a device, without a court order.
In order to acquire a court order, the FBI may not act alone, but must seek the approval of an appropriate official within the Department of Justice. Section 3122 mandates that an ``attorney for the government'' be the applicant for a pen register or trap and trace device. Typically, this requires the approval of the Office of United States Attorney for the district in which the device is to be used. Of course, more stringent requirements, mandating high-level Department of Justice approval, are found in Title III/FISA provisions and practices controlling the interception of electronic communications.

Within the FBI itself, there are also a number of administrative, technological, and physical access controls which prevent the unauthorized use of any electronic surveillance tool, including Carnivore. First, as a general matter, all covert electronic surveillance equipment is carefully controlled and overseen within the FBI by FBI Headquarters program managers and by each field officer's Technical Advisor (TA). Second, with regard to Carnivore specifically, there are only a few Carnivore devices and only a limited number of FBI personnel who are trained to operate this special purpose tool, under FBI Headquarters' oversight. Third, to use Carnivore in any given case, such personnel must be privy to the specific access number for a targeted account number. Fourth, such personnel can use Carnivore only when they possess a hardware security device that is specifically required for access. And fifth, such personnel can use Carnivore only when they have the necessary two-tiered password access authority required.

Finally, if any FBI employee ever were to conduct such unlawful activity, he/she would be terminated from employment with the FBI. There is ``zero tolerance'' for any such illegal conduct within the FBI.

In sum, Carnivore has many legal, technological, and administrative controls.
Such controls effectively act to prevent any ``fishing expedition'' or infringement of privacy rights when using Carnivore.

Question 4. Dr. Kerr, is Carnivore used in routine criminal investigations or is it limited to rare cases when the information cannot be obtained through the Internet Service Provider or another manner?

Answer 4. Carnivore has been used in important ECPA-based criminal investigations and in important FISA-based national security investigations. As noted in our testimony, we have used Carnivore when the interception of electronic communications content or the acquisition of electronic communications addressing information could not be fully or properly effectuated by the Internet Service Provider (ISP) (with reference to legal, evidentiary, investigative, and operational requirements which need to be met) or when the ISP has indicated that it is ill-equipped to effect the interception or that it would be more efficient for the FBI to effectuate the order using Carnivore.

Question 5. Dr. Kerr, some have called upon the F.B.I. to release the source code for Carnivore. What impact would this have on the ability of Carnivore to operate?

Answer 5. To begin with, in enacting the first comprehensive U.S. electronic surveillance laws, Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Title III), 18 U.S.C. 2510-2522, as amended, the Congress instituted a balanced regime which both affords clear statutory authority and Constitutionally-compliant procedures to enable law enforcement to lawfully conduct electronic surveillance pursuant to court order and which criminalizes the unauthorized conduct of electronic surveillance in order to underscore the Congress' intention of preventing unlawful searches and seizures and of preserving communications privacy. To advance both of these principles, the Congress also crafted Title III provisions to prevent the proliferation of surreptitious electronic surveillance interception devices.
See 18 U.S.C. 2512 (Manufacture, distribution, possession, and advertising of wire, oral, and electronic communication intercepting devices prohibited). The only two categories of users exempted under Section 2512 are providers of wire or electronic communication service, with regard to equipment utilized by them in the normal course of providing their service, and governmental officials, with regard to equipment utilized by them in the normal course of carrying out governmental activities. Similarly, there are statutory and regulatory U.S. export control regimes which govern the export of electronic surveillance-related equipment (e.g., the Arms Export Control Act, as implemented by the International Traffic in Arms Regulations, and the Export Control Act, as implemented by the Export Administration Regulations). Depending upon the type of electronic surveillance equipment involved, one or both of these regimes will likely govern the export of electronic surveillance equipment. In short, electronic surveillance equipment generally, and that used by the FBI in particular (at least that electronic surveillance equipment used in covert, non-consensual efforts--i.e. surreptitious electronic surveillance devices) is treated as sensitive, at a minimum. In many cases, such equipment may also be classified. Hence, in light of the above, and as a starting point, the FBI is concerned about the legal and policy constraints associated with the disclosure of such electronic surveillance equipment, including its software. With regard to Carnivore, and again in light of the above laws, controls, and constraints, we believe that it would be improper to disclose to the public generally the source code of Carnivore. The source code, after all, is for a special purpose surreptitious electronic surveillance system which should be treated with circumspection. 
Public disclosure of the source code could lead to the unintended and harmful effect of facilitating unauthorized, and hence unlawful, electronic surveillance. Further, it may be that disclosure could inform the criminal community about aspects of Carnivore that might suggest some potential for circumvention. However, as you may be aware, the FBI will disclose the Carnivore source code to the independent, outside review team which the Attorney General has called for (the Illinois Institute of Technology and Research Institute (IITRI)) in a controlled environment and under controlled circumstances, in order to give assurance to the public that Carnivore operates properly and lawfully, as the FBI claims it does.

Question 6. Dr. Kerr, do you think the name Carnivore has contributed to public perceptions about the program being extremely intrusive?

Answer 6. It's probably fair to say that the name ``Carnivore'' has unintendedly and unhappily lent itself to some negative comments by those who have not understood Carnivore's actual use, functionality, and core purpose in making electronic surveillance efforts more--not less--surgical and precise. As noted in our testimony, in a number of regards, Carnivore is superior, as an electronic surveillance tool, to the ``sniffers'' that are sold commercially and often used by ISPs for network trouble-shooting and management (such sniffers were never intended for use as a law enforcement electronic surveillance tool). Indeed, in the furor, the public appears to have lost sight of the core fact that the FBI has spent considerable time, money, and energy in trying to develop an electronic surveillance tool which better meets the dictates of the Constitution and the Federal electronic surveillance laws.

Responses of Donald M. Kerr to Questions From Senator Leahy

Question 1.
By letter dated August 16, 2000, the FBI informed me that ``Carnivore is only used in those small number of instances when an ISP cannot on its own deliver what the court order instructs,'' suggesting that Carnivore is an investigative tool of last resort. Others have expressed the view that Carnivore should be a tool of first resort because the responsibility for executing court orders for electronic surveillance and protecting privacy rights is best discharged by the Department of Justice, not private ISPs. What is your view?

Answer 1. In the past, the FBI's decision to use Carnivore or to permit an ISP to implement a court-authorized electronic surveillance order for either the full interception of electronic communications content or for the acquisition of electronic communications addressing and transactional information within an ISP's network has been decided on a case-by-case basis. Given the complexities and the great number of variables related to any given court-authorized electronic surveillance technical effort within an ISP network, the FBI has always viewed such electronic surveillance efforts from a tactical and effectiveness perspective. Central factors considered by the FBI in making determinations have been the ISP's ability to implement a particular order fully, properly, securely and in a timely manner. If the ISP can meet these requirements, we would normally let the ISP implement the order. Further, it is important to remember that both as a technological and practical matter, the FBI's conduct of electronic surveillance within such ISP's computer network always requires a cooperative and collaborative effort between the ISP and the FBI.
This is so because an ISP's network administrators and engineers are really the only ones possessing the knowledge required as to their network to identify within it the transmission pathway(s) of a particular criminal subject, the best access vantage point(s), the protocols being used, etc.--all of which are required to effectively execute a surveillance order. Hence, the FBI believes the best approach will continue to be a case-by-case approach, based upon considerations such as those outlined above.

Question 2. The FBI has testified that Carnivore has been used, as of September 6, 2000, in approximately 25 instances and that ``in many instances, ISPs, particularly the larger ones, maintain certain technical capabilities which allow them to comply, or partially comply, with court order.''

A. Is it fair to say the majority of court orders for electronic surveillance of Internet communications or source and destination information of Internet communications are executed by ISPs without the use of Carnivore?

B. Since the FBI employs Carnivore only on rare occasions when its use is necessary, should the FBI retain the right to use Carnivore in all cases?

C. Should the government be required to make a showing that use of Carnivore is necessary and obtain court permission before using this tool?

D. Would concern about abuse of Carnivore be allayed if its use were limited to circumstances when a court has granted explicit permission for the electronic surveillance order to be executed by law enforcement on the ISP's premises?

Answer 2 A and B. Again, owing to a number of factors and variables, as outlined above in Answer #1, and their interrelationship, we cannot give an unqualified answer. Generally speaking, certain very large ISPs do tend to have greater electronic surveillance capabilities than the small ISPs.
For example, if the electronic surveillance order were for the interception of E-mail content, certain ISPs could ``clone'' the E-mail and accomplish, or very substantially accomplish, such an interception effort. When the ISP can meet electronic surveillance requirements, we have permitted the ISP to effect the surveillance effort. However, since most ISPs have developed with little emphasis being placed on conducting electronic surveillance for law enforcement, and since the ``tools'' that they might typically resort to in order to effect such efforts (e.g., ``commercial sniffers'') were never designed for such a law enforcement electronic surveillance purpose, surveillance shortfalls can occur. By comparison, the FBI's Carnivore system was specially designed to effect such surveillances. In this regard, it bears noting that, when an ISP does lack the capability to implement a court order fully, properly, securely, and in a timely manner, the ISP usually is the first to recognize that it is more effective for the FBI to use its electronic surveillance tools.

Given the different and sometimes unique factors and variables that arise from case to case, as noted above, we believe that the FBI must retain the right to use its electronic surveillance equipment in order to ensure that electronic surveillance orders can be implemented fully, properly, securely and in a timely manner. However, in the rare instances where a dispute may arise between the government and the ISP, as with any matter in contention, resolution of such matter is through the courts, with a judge or magistrate resolving it. Resolution is never dictated unilaterally by the government, much less by the FBI.

Answer 2 C and D.
We believe, based upon different factors and variables, as outlined above, as well as our past experience in this area, that the best course is one where the ISP and the FBI work closely together in a consultative, cooperative, and collaborative fashion to implement a particular electronic surveillance order in the best way possible, so that the court's order is properly implemented and not frustrated. The technical and administrative staff of an ISP is best positioned, in concert with law enforcement, to make complex technological judgments, which often arise only after the court issues its order. Relatedly, the FBI does not have the resources that would be required to initiate in-depth discussions with all the ISPs (some in industry estimate the number of ISPs to be in the thousands) that conceivably could be involved in a potential future court-ordered electronic surveillance interception (with an eye to pre-determining what technological approach might be best) prior to the time when an actual and specific order may in fact be issued by a particular court. Further, and as indicated above, such pre-determination could, at best, only be general and tentative in nature since, as noted, many different technological variables and factors come into play, and, importantly, they change over time as the ISPs' networks change over time. Thus, especially in fast-paced investigations where time is of the essence, such as in computer hacker cases, to require in advance a specialized demonstration of need to a court in order to utilize Carnivore, as suggested, would impose very problematic procedural delays. Neither FBI nor ISP engineers would be in a position to make a final determination until after a particular order authorizing interception or acquisition of particular information had been issued at a particular juncture in time with reference to the then technological state of the given ISP's network.
As to the issue of concern about abuse, as noted in our hearing testimony, Carnivore has a built-in audit record. This audit record feature was designed into Carnivore for the purpose of making a permanent record as to the particular filter settings that have been used in each case with Carnivore--and hence what information has been acquired by Carnivore--at any point in time. Thus, this Carnivore feature creates a record to afford assurance to any interested party (FBI managers, Offices of the United States Attorney, U.S. District Courts, juries, criminal defendants, and defense counsel) as to precisely what Carnivore is or is not acquiring at any point of time in each investigation. Also, as with any type of electronic surveillance within any service provider network (wire or electronic), the criminal and civil penalties within our electronic surveillance laws, along with close DOJ and FBI administrative oversight, prevent misuse of electronic surveillance. Indeed, the FBI has an outstanding record of compliance with the electronic surveillance laws since their enactment over 30 years ago.

Question 3. The FBI and Department of Justice have asserted that Carnivore is the functional equivalent of pen register and trap-and-trace devices used on telephone lines. The Supreme Court held in Smith v. Maryland, 442 U.S. 735 (1979), that telephone callers do not have an expectation of privacy in dialed numbers used in placing a call since such numbers are necessarily divulged to a telephone company, which makes a permanent record for purposes of billing operations and maintenance of the service. The Court specifically distinguished such dialed numbers from ``content,'' which are protected by the Fourth Amendment.

A.
An Internet user may go to a particular URL that specifies not only the computer on the Internet on which a particular document can be found, but also the directory in which the document is located, the file name of the document and the page within the document that the user seeks and retrieves. Does such a URL or ``Internet address'' contain more or less information about the subject of a communication than a dialed telephone number?

B. Is Carnivore capable of intercepting information about a specific URL searched by an Internet user who is the subject of a pen register order? If so, at what point in the searching, or addressing, information would the Justice Department believe that the line has been crossed into ``content''?

C. Is Carnivore capable of intercepting information about all the URLs visited by an Internet user who is the subject of a pen register order during a particular session?

Answer 3 A, B, and C. To clarify, a Uniform Resource Locator (URL) is simply an electronic Internet Protocol (IP) domain name address (e.g., xyzcorp.com). Further, also riding underneath the alphabetic URL address is a numeric address associated with the server that is supporting the contacted URL. Accordingly, when, pursuant to a pen register court order, the FBI uses Carnivore and acquires URL address information that is all that is being acquired--i.e., the fact that a criminal subject has electronically connected to a given URL address. As such, the URL address information does not include any subdirectory or any other information about the site. In such a case, the FBI would only know that the criminal subject had contacted the xyzcorp.com site and whether or not his/her computer had established a ``secure'' connection (i.e., secure socket layer (SSL))--no more. Hence, in light of the foregoing, we believe that such URL information is essentially identical to a telephone number within a telephone network that a criminal subject may dial.
Thus, it is worth noting that a Carnivore-based pen register would provide the FBI with virtually the same information as a telephone pen register would, i.e., the telephone number dialed by the criminal subject reflecting that a communication to XYZ Corp. had occurred. No ``content'' information (substance, purport or meaning) is gleaned from either type of pen register as to the nature of the call.

Question 4. Under current law, a judge must issue a pen register order upon a prosecutor's certification that the information likely to be obtained is relevant to an ongoing investigation. I have proposed in the E-RIGHTS Act, S. 854, that the law be changed to authorize a judge to issue such an order upon finding that the prosecutor has shown that the information is likely to be relevant. The Administration has proposed a similar change in current law. By contrast, Professor O'Neill suggested at the hearing that Congress should consider whether all Internet trap and trace orders should issue only on the basis of a judicial finding that probable cause exists to believe that a target has or is about to commit a crime. Representatives Canady and Hutchinson have proposed a bill that would require a prosecutor seeking e-mail source/destination information to show specific and articulable facts reasonably indicating that a crime has been, is being or will be committed, plus a showing of relevance of the information sought to investigation of that crime. A bill sponsored by Representatives Barr and Emerson would apply that standard to all pen registers and traps-and-traces whether or not they would identify e-mail addresses. What modifications, if any, to the existing standard for pen registers and traps-and-traces do you favor?

Answer 4.
We believe now, as we did in 1986 when agreement was reached in the Congress (and amongst all of the interested parties) in enacting the Electronic Communications Privacy Act of 1986 (ECPA), that the current (ECPA) standard with regard to the use of pen registers and traps and traces is appropriate for the acquisition of non-content-based pen register-related addressing and transactional information. On March 28, 2000, Director Freeh testified in support of S. 2092, a bi-partisan bill co-sponsored by Senator Schumer and Senator Kyl. The FBI believes S. 2092 maintains the appropriate 1986 ECPA standard with regard to the acquisition of non-content-based ``addressing and routing'' information while rendering the pen register statute technologically neutral.

Question 5. According to the FBI, Carnivore operates by sifting through network traffic where a subject's communications are expected to be found ``roughly analogous to using an electronic surveillance device . . . on a single trunk or cable within a telephone network.'' In your view, does the manner in which Carnivore operates give law enforcement access to more than just the communications or addressing information covered in a court order and, if so, would a telecommunications carrier that is also serving as an ISP be put in jeopardy of violating its duty under CALEA of protecting ``the privacy and security of communications . . . not authorized to be intercepted''? (47 U.S.C. 1002).

Answer 5. As to the first part of your question, the way Carnivore operates, as described at some length in Answer #9(B), below, does not give the FBI more than the communications or addressing information covered by a particular court order.
As to the second part of your question, no, we believe that the CALEA directive concerning protecting ``the privacy and security of communications not authorized to be intercepted'' applies only to those technological approaches and technical requirements that are developed to provide solutions covered by CALEA.

Question 6. Professor O'Neill has suggested a number of steps to be taken by Congress to address questions raised by Carnivore, including obtaining answers to the following questions:

A. Please explain the legal authority for law enforcement to insist that an ISP install Carnivore?

B. Can Carnivore be easily defeated by encryption software or does this tool capture IP addresses that are more difficult to encrypt than the contents of messages?

Answer 6A. The primary legal authority for the FBI and the United States Attorney's Office requiring that an ISP cooperate in installing Carnivore would be to avoid the ``frustration'' of a particular court order. The prospect of frustration, in the first instance, would stem from an ISP's inability to implement a given order fully, properly, securely, and in a timely manner. Both the Title III and the pen register/trap and trace statutes have specific ``assistance'' provisions addressed to, among others, ``providers of wire or electronic communications service'' for the purpose of avoiding frustration of court orders. The statutes state that such providers ``shall furnish . . . [the] investigative or law enforcement officer forthwith all information, facilities, and technical assistance necessary to accomplish [the Title III interception or the installation of the pen register].'' Accomplish necessarily means fully accomplish, such that valuable evidence is not lost and such that its accuracy/integrity is not challengeable. Second, it is to be done securely. And third, as indicated by the statutory language (``forthwith''), a service provider must be able to assist very promptly. 18 U.S.C. 2518(4), 18 U.S.C.
3124, respectively. The language in the ``assistance order'' issued by the judge or magistrate usually mirrors the statutory language exactly. As emphasized in the FBI's testimony, anytime the FBI has a surveillance order where an ISP can (1) fully and properly accomplish the surveillance, (2) do it securely, (3) do it very promptly, the FBI has been content to permit the ISP to implement the order. However, noting the foregoing statutory and court order language, the FBI and the United States Attorney's Office legitimately and properly could insist upon an ISP's cooperation with regard to the use of FBI electronic surveillance equipment (whether it be Carnivore or other equipment) that would work to execute an order fully, properly, securely, and in a timely manner, whenever the ISP does not have the capability to satisfy such requirements. Of course, if there were to be a dispute in this regard between the FBI and the ISP, as with any matter in contention, the resolution of the matter would be through the court, with a judge or magistrate resolving the issue. Resolution would not be dictated unilaterally by the government, much less by the FBI.

Answer 6B. Carnivore was not designed to address encryption. Any encryption that was encountered would require decryption through other means or devices.

Question 7. At the hearing, Dr. Kerr testified that Carnivore had recently been updated and improved. Presumably, the FBI will continue to update and improve Carnivore even after the independent technical review for which the Attorney General is now arranging. According to the FBI, one way to monitor Carnivore's use and modifications after conclusion of the technical review is by a so-called ``audit trail'' which allows a defendant to see how the FBI conducted a Carnivore search keystroke-by-keystroke. If the search was improperly conducted, the defendant might have grounds for suppression.
Even if the audit trail operates as advertised, however, it will only be available to criminal defendants against whom prosecutors seek to introduce evidence obtained by Carnivore. How do we assure the law-abiding public after the anticipated technical review that Carnivore will not infringe on privacy rights? Should Congress consider an independent monitor for that purpose?

Answer 7. There are numerous legal, technological, and administrative controls in place that prevent the misuse of Carnivore and any infringement upon privacy rights.

Legal Controls: First of all, the law itself is a powerful control to ensure that only properly authorized, lawful electronic surveillance occurs. The FBI certainly is of this opinion. As such, the FBI only conducts electronic surveillance--whether conducted through the use of Carnivore or otherwise--pursuant to a lawful court order or lawful voluntary consent of a party to the communication. This has been the case since 1968, when the first Federal electronic surveillance laws were enacted in the Title III legislation. Importantly, the FBI has an outstanding record of compliance with the electronic surveillance laws since their enactment over 30 years ago. In addition, it is very noteworthy that the electronic surveillance laws contain stringent deterrents to unauthorized (illegal) electronic surveillance, including criminal (felony) and civil sanctions for any individual who violates the law. Further, under the Constitution, suppression of illegally obtained evidence (and fruits thereof) may be applied by Federal courts if electronic communications content is unlawfully intercepted.

Technological Controls: As you note in your question, the Carnivore system, by design and functionality, is set up to establish an ``audit record'' for evidentiary purposes. Of course, a secondary aspect and value of this design and functionality would be to aid in the prevention of any potential infringement of privacy rights.
Moreover, as you may be aware, Carnivore, by design, is a device which only functions to filter out. In its first filtering action, Carnivore filters out anything not associated with the unique and specific identifier associated with a particular criminal subject's service, as identified in a given court order. Stated differently, Carnivore ``ignores'' and is ``blind to'' anything not associated with a criminal subject's unique identifier that relates to the specific authorization set forth in the court's order. In its second filtering action, Carnivore filters out content when the order is only for communications addressing and transactional information. Thus, as a special purpose electronic surveillance tool, Carnivore fundamentally and purposely works as a ``filter.'' By contrast, Carnivore fundamentally and purposely does not work, descriptively speaking, as a ``vacuum cleaner'' which, by design, would purposely acquire electronic communications broadly and indiscriminately from all network users, including those of innocent subscribers. Hence, Carnivore's design does serve as an effective check against any potentiality of infringing upon privacy rights.

Administrative Controls: There are numerous administrative and criminal justice system-based controls which preclude the errant use of Carnivore, both in terms of internal and external oversight to control how Carnivore is being used at any point in time. To begin with, it should be emphasized that the FBI does not deploy or use Carnivore or any other non-consensual electronic surveillance tool in a vacuum. With regard to applications for pen registers or trap and trace devices, section 3121 of Title 18 of the United States Code prohibits Carnivore's use, as such a device, without a court order. In order to acquire a court order, the FBI may not act alone, but must seek the approval of an appropriate official within the Department of Justice.
Section 3122 mandates that an ``attorney for the government'' be the applicant for a pen register or trap and trace device. Typically, this requires the approval of the Office of the United States Attorney for the district in which the device is to be used. Of course, more stringent requirements mandating high-level Department of Justice approval, are found in Title III/FISA provisions and practices controlling the interception of electronic communications.

Within the FBI itself, there are also a number of administrative, technological, and physical access controls which prevent the authorized use of any electronic surveillance tool, including Carnivore. First, as a general matter, all covert electronic surveillance equipment is carefully controlled and overseen within the FBI by FBI Headquarters program managers and by each field office's Technical Advisor (TA). Second, with regard to Carnivore specifically, there are only a few Carnivore devices and only a limited number of FBI personnel who are trained to operate this special purpose tool, under FBI Headquarters' oversight. Third, to use Carnivore in any given case, such personnel must be privy to the specific access number for a targeted account number. Fourth, such personnel can use Carnivore only when they possess a hardware security device that is specifically required for access. And fifth, such personnel can use Carnivore only when they have the necessary two-tiered password access authority required. Finally, if any FBI employee ever were to conduct such unlawful activity, he/she would be terminated from employment with the FBI. There is ``zero tolerance'' for any such illegal conduct within the FBI.

In sum, Carnivore has many legal, technological, and administrative controls. Such controls effectively act to prevent any infringement of privacy rights when using Carnivore.
As to the second part of your question, we believe that it would be imprudent for the Congress to contemplate as a course of action, in the context of the concerns expressed with regard to Carnivore, the establishment of an outside ``independent monitor.'' There are a number of reasons why resort to such an independent monitor would be problematic, including, but not necessarily limited to, the following. First, there is a likely separation of powers issue with regard to the Executive Branch's Constitutionally-reserved right to fashion and utilize proper sources and methods in order to lawfully and fully execute warrants and court orders (including electronic surveillance orders). Second, as a general proposition, such an approach, if adopted, could give rise to the unintended result of casting the independent monitor in the awkward role of being a sort of ``electronic surveillance technology police,'' a role particularly ill-suited to a complex environment of fast-moving technology and the associated need for nimble electronic surveillance response. Third, it would appear to us that for this approach to really work the independent monitor may also have to assume an unprecedented and ongoing supervisory role throughout the duration of an execution of a given court-ordered surveillance. As can be seen, significant philosophical and legal (including Constitutional) problems arise with the prospect of having the government itself ``surveilled'' by an ``independent monitor'' as the FBI proceeds to lawfully execute a warrant or court order. If assuring the propriety of FBI surveillance is the core issue, as noted immediately above, other effective checks and balances are in place.
Also, although the focus of the instant suggestion pertains to Carnivore, as a matter of precedent, the notion associated with using an independent electronic surveillance monitor could in principle be applied to every piece of electronic surveillance equipment that might be designed and used by the FBI, by other Federal law enforcement and/or security agencies, and by State and local law enforcement agencies. We would strongly recommend against pursuing such an approach.

Question 8. Some universities interested in responding to DOJ's solicitation of bids to conduct the independent technical review of Carnivore have reportedly criticized certain terms of a non-disclosure agreement which the chosen contractor would be required to sign. One witness at the hearing said that the FBI would be a party to the required agreement. Please provide a copy of the non-disclosure agreement, identify the terms that have been criticized and explain why they are necessary.

Answer 8. Attached at the end of this document is a copy of the ``Sensitive Information Nondisclosure Agreement'' (NDA) executed by the Carnivore review team contractor. In the recent Senate hearing on Carnivore, Mr. James Dempsey cited a USA Today On Line story where certain universities reportedly had indicated a reluctance to participate. One point noted in the story was that ``Universities and any other contractors must agree not to publish anything the government deems sensitive.'' Hence, it appears, based upon the USA Today's characterization, that the university community's objection is more global as to the general proposition of not disclosing ``sensitive'' information as opposed to any particular ``term'' or provision in the NDA. To begin with, the attached NDA is derived from a standard FBI NDA form (FD 857) which the FBI uses when sharing sensitive information with outside entities such as contractors and other persons. Such NDAs are also typically included in FBI/DOJ federal contracting.
In the instant case, the FBI worked with the Carnivore review team contractor, the Illinois Institute of Technology Research Institute (IITRI), in formulating final NDA language which satisfied the contractor and which did not stifle the full review of Carnivore by the contractor. As to the second part of the question, electronic surveillance equipment, including software, is sensitive and, under law, information about it is strictly controlled and constrained. As you are aware, in enacting the first comprehensive U.S. electronic surveillance laws, Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Title III), 18 U.S.C. 2510-2522, as amended, the Congress instituted a balanced regime which both affords clear statutory authority and Constitutionally-compliant procedures to enable law enforcement to lawfully conduct electronic surveillance pursuant to court order and which also criminalizes the unauthorized conduct of electronic surveillance in order to underscore the Congress' intention of preventing unlawful searches and seizures and of preserving communications privacy. To advance both of these principles, the Congress also crafted a particular Title III provision to prevent the proliferation of surreptitious electronic surveillance interception devices. See 18 U.S.C. 2512 (Manufacture, distribution, possession, and advertising of wire, oral, and electronic communication intercepting devices prohibited). The only two categories of users exempted under Section 2512 from using such devices are providers of wire or electronic communication service, with regard to equipment utilized by them in the normal course of providing their service, and governmental officials, with regard to equipment utilized by them in the normal course of carrying out governmental activities. Similarly, there are statutory and regulatory U.S. 
export control regimes which govern the export of electronic surveillance equipment (e.g., the Arms Export Control Act, as implemented by the International Traffic in Arms Regulations, and the Export Control Act, as implemented by the Export Administration Regulations). Depending on the type of electronic surveillance device involved, one or both of these regimes govern the export of electronic surveillance equipment. In short, electronic surveillance equipment generally, and that used by the FBI in particular (at least that electronic surveillance equipment used in covert, non-consensual efforts--i.e. surreptitious electronic surveillance devices) is treated as sensitive, at a minimum. In many cases, such equipment may also be classified. Hence, in light of the above, the FBI is concerned about the legal and policy constraints and controls that would conflict with the open-ended public disclosure of such electronic surveillance equipment, including its software. With regard to Carnivore, and again in light of the above laws, controls, and constraints, we believe that it would be improper to disclose to the public generally the source code of Carnivore. The source code, after all, is for a special purpose surreptitious electronic surveillance system which should be treated with circumspection. Public disclosure of the source code could lead to the unintended and harmful effect of facilitating unauthorized, and hence unlawful electronic surveillance. Also, it may well be that disclosure could inform the criminal community about aspects of Carnivore that might suggest some potential for circumvention. However, as you are aware, the FBI will disclose the Carnivore source code to the IITRI review team under controlled circumstances in order to give assurance to the public that Carnivore operates properly and lawfully, as the FBI claims it does. In so sharing such sensitive information, it is altogether appropriate that an NDA be utilized to protect the information. 
It is important to note, however, that nothing in the NDA can reasonably be read to prohibit or stifle the disclosure of information of findings, potentially critical of Carnivore or the FBI, to the Attorney General and the Department of Justice. In conclusion, the testimony of the respected Internet expert, Mr. Vint Cerf (who previously was briefed as to Carnivore and who signed an NDA), is worth noting in this regard. At the hearing, Mr. Cerf testified, ``May I just interject that I agreed to sign the nondisclosure on the principle that when you're dealing with surveillance just as you would with other intelligence situations, sources and methods are always a sensitive issue.''

Question 9. In the D.C. Circuit Court of Appeals' recent decision on the FCC's implementation of CALEA (the ``Communications Assistance for Law Enforcement Act''), the Court agreed with the FCC that under a standard adopted by telecommunications carriers for packet-switched networks, the carriers could provide both packet headers and the content, or ``payload,'' to law enforcement. Carriers argued that technically they could not separate the two, while the FBI contended that it had equipment which could ``distinguish between a packet's header and its communications payload and make[] only the relevant header information available for recording or decoding.''

A. Was the FBI referring to its ``Carnivore'' equipment when it made this representation to both the FCC and the Court?

B. The FBI's representation was critical, since both the FCC and the Court noted that ``privacy concerns could be implicated if carriers were to give to [law enforcement] packets containing both [the addressing information and the content] when only the former was authorized.'' When Carnivore is installed, is the ISP essentially giving law enforcement the entire traffic flow over that particular part of the network, including both addressing information and content of packets?

C.
The FBI testified at the hearing that CALEA does not apply to ISPs. In fact, CALEA, by its terms, applies only to telecommunications carriers. Are there telecommunications carriers that are also ISPs? If so, please provide examples.

D. Should the privacy concerns expressed by the Court for packet-switched networks apply only to telecommunications carriers, as defined in CALEA, or do those concerns apply more broadly to ISPs?

Answer 9A. The reference in question was not to Carnivore. The representation was generic as to what the FBI believes can be designed to separate communications from call-identifying information.

Answer 9B. First, we would like to clarify a couple of points included in the opening paragraph of this CALEA-related question. One point is that the FBI has asserted in its FCC filings regarding CALEA that, as a matter of technology, it believes that devices can be designed that would be capable of separating the communications content from the communications call-identifying information. A second point is that, assuming the availability of such devices, any entity, including a ``telecommunications carrier'' under CALEA, presumably could avail itself of them and use any such device itself. As to your specific question, ``[w]hen Carnivore is installed, is the ISP essentially giving law enforcement the entire traffic flow over that particular part of the network, including both addressing information and content of packets?'' (emphasis added), some clarification is in order. First, what an ISP ``gives'' to law enforcement, when it identifies a ``particular part of [its] . . . network'' is a vantage point through which ``access'' can be achieved as to the specific communications traffic of a particular criminal subject, based exclusively upon that particular criminal subject's unique identifying information. Further, to better respond to your question, it is useful to explain more particularly how Carnivore actually works.
As we set forth in our statement for the record, Carnivore is a special purpose electronic surveillance system which, pursuant to an appropriate court order or lawful consent, is used to acquire or intercept a criminal subject's communications addressing and transactional information or communications content, respectively, based exclusively upon filtering that segregates a criminal subject's communications traffic based upon his/her unique identifying information (e.g., his/her E-mail address, IP address). Carnivore does not acquire or intercept any innocent, non-criminal subject's communications addressing or transactional information or communications content.

Moreover, it is important to understand that Carnivore's filtering operates in stages--and that all filtering occurs exclusively within the ``Carnivore box.'' As noted, Carnivore's first operation is exclusively to detect the criminal subject's identifying information. The first stage of filtering in the Carnivore system is to match (in purely binary computer code) the ``pattern'' of ``1's'' and ``0's'' in the computer bit stream that matches the criminal subject's identifying information ``pattern''--which identifying information is set forth in the court's order. So, in a very simplified example, with the filter exclusively set to detect the criminal subject's computer bit pattern ``1100,'' if the first bit in the computer bit stream was a ``0,'' Carnivore would automatically conclude that since ``0'' and ``1'' are not a match, that this circumstance does not meet the filter pattern criteria, and it would quickly move on to conduct the next pattern match effort. If the first digit is a match, Carnivore would then go to the next digit in the computer bit stream, and repeat the process, until an exact, complete match is arrived at.
Importantly, nothing happens at all, by way of any interception of communications content or acquisition of communications addressing information, unless and until the criminal subject's unique identifying information has been matched. Then, and only then, does Carnivore move on to the second stage of filtering, in terms of applying the appropriate filters required to filter either for communications addressing information acquisition or for full communications content interception, depending upon the particular authorization found within the court's order. Finally, FBI personnel only receive and ``see'' the communications addressing information or communications content of the criminal subject, as appropriate--based upon the court's order--after all of the Carnivore filtering has been completed exclusively within the Carnivore box. Indeed, whenever any network traffic is stored on the Carnivore system, it remains in the same format of 0's and 1's; and, importantly, it is not turned into a format intelligible to humans until after it is transferred from the Carnivore system.

In sum, Carnivore never conducts a search of the communications addressing or transactional information or communications content of any innocent, non-criminal subject at all. Indeed, even with the criminal subject's communications traffic, Carnivore filters the criminal subject's ``machine readable only'' binary code exclusively within the box; and FBI personnel only obtain, in a humanly intelligible format--and ``outside of the box''--the appropriate criminal evidence sought after Carnivore has completely concluded its programmed filtering efforts within the box.

Answer 9C. As implied in your question, and as anticipated in CALEA, a communications service provider's business could offer both telecommunications services and information services. Examples of such companies are AT&T and MCI WorldCom.
CALEA's coverage with reference to the definition of ``telecommunications carrier'' ``does not include (i) persons or entities insofar as they are engaged in providing information services'' (emphasis added). See 47 U.S.C. 1001(8)(C).

Answer 9D. The D.C. Court of Appeals decision pertained to the actions taken by the Federal Communications Commission in light of its CALEA-implementing Third Report and Order, and with reference to actions taken by the Telecommunications Industry Association in its CALEA-implementing J-Standard. The court's decision, hence, was CALEA-centric. The FBI and the Department of Justice (DOJ) have articulated their perspectives with regard to packet mode communications at some length in their comments before the FCC (see FBI and Department of Justice ``Comments Regarding Further Notice of Proposed Rulemaking,'' CC Docket No. 97-213 at 77-81) and in their brief before the D.C. Circuit Court of Appeals (see Final Brief for the United States at 15-18). With reference to the aforementioned FBI/DOJ Comments before the FCC, we note, as did the FBI/DOJ Comments at pages 79-80, that there is nothing in CALEA or its legislative history to indicate that Congress meant to prohibit the use of law enforcement electronic surveillance equipment which has the capability of separating signals of communications content from communications transactional information. For example, all ``local loop'' electronic surveillance efforts necessitate such tools and approaches. And no one, to our knowledge, is suggesting, for example, that ``local loop'' interceptions are in any way affected or curtailed by CALEA or otherwise. Further, to quote from the Comments: ``It is worth noting that Section 103(a)(4) does not state that carriers ``shall not deliver'' communications and call-identifying information that law enforcement is not authorized to intercept, but only that carriers shall ``protect the privacy and security'' of such information.
A carrier is entitled to rely on enforcement's discharge of its legal obligation under 18 U.S.C. Sec. 3121(c) as a means of ``protecting the privacy and security'' of information that law enforcement is not authorized to intercept. Accordingly, the J-Standard is not deficient in this regard.'' Comments at 80. Moreover, with reference to the aforementioned FBI/DOJ Brief, we quote the following: ``* * * because the use of minimizing technology under Section 3121(c) can prevent law enforcement agencies from hearing or seeing the content portion of a packet stream, the J-Standard does not offend Title III or the Fourth Amendment. Cf. United States v. Miller, 116 F.3d 641, 659-60 (2d Cir. 1997) (use of pen register device that is capable of recording call content as well as dialing information does not violate Title III), Sanders v. Robert Bosch Corp., 38 F.3d 736, 742 (4th Cir. 1994) (no Title III interception occurred when oral conversations were monitored and transmitted by hidden microphone but contents of conversations were neither heard nor recorded).'' Brief at 17.

Thus, in light of the above, and notwithstanding any concerns which may have been expressed by the court with regard to packet-switched communications generally, we believe, both with regard to networks of telecommunications carriers and the networks of computer-based ``information services,'' that privacy and security protection can be satisfied in privacy-enhancing electronic surveillance tools such as Carnivore. Since we believe that privacy and security protection can be, and is being, maintained, we do not necessarily share the rendition of ``privacy concerns'' as alluded to in the dicta of the D.C. Court of Appeals' CALEA-based decision.

Question 10. The public concern about use of Carnivore and government surveillance of the Internet has prompted at least one witness at the hearing to call for more Congressional oversight.
In this connection, I introduced last year as part of the E-RIGHTS Act, S. 854, a proposal to require the Attorney General to provide the Congress annual reports on the number of warrants, court orders and subpoenas for government interceptions of e-mail and other electronic communications under 18 U.S.C. section 2703. What is your view of whether this proposal would assist Congress in providing appropriate oversight and necessary information about government practices under the law?

Answer 10. The FBI is certainly on record as being amenable to Congressional oversight, including in the area of electronic surveillance. As noted in the last section of our Hearing statement for the record, a great deal of Congressional oversight already exists, particularly in the area of electronic surveillance. With regard to whether it is a good idea to require the Attorney General to provide to the Congress detailed annual reports regarding all of the Department of Justice agency components' warrants, court orders, and subpoenas pertaining to governmental acquisitions of stored E-mail and other electronic communications obtained under 18 U.S.C. Sec. 2703, we would defer to the Department of Justice.

Sensitive Information Nondisclosure Agreement

An Agreement between __________ and the Federal Bureau of Investigation (FBI) regarding the nondisclosure of sensitive FBI information, to wit: any and all information received, observed, or otherwise required from the FBI or the U.S.
Department of Justice (DOJ) arising from a review requested by the Attorney General of the United States (the Review) of the FBI's Carnivore device and system, including, but not limited to, any and all information pertaining to the Carnivore software and associated software and hardware devices and systems; any and all information pertaining to investigations, investigative uses, operations, procedures, policies, practices, guidelines, contracts, sensitive (including proprietary) governmental information, nongovernmental proprietary information, training, training documents, manuals, technical descriptions, source code, object code, executable software, designs and design information, documentation, descriptions, tests, test results, test scenarios, deficiencies, and vulnerabilities associated with the Carnivore device and system (``Sensitive Information'').

1. Intending to be legally bound, I hereby accept the obligations contained in this Agreement in consideration of my being granted access to Sensitive Information from the FBI or the DOJ arising from the Review as required to perform my duties. I also understand and accept that by being granted access to this Sensitive Information, special confidence and trust shall be placed in me by the FBI.

2. I hereby acknowledge that I have been briefed concerning the nature and protection of Sensitive Information, including the procedures to be followed in ascertaining whether other persons to whom I contemplate disclosing this information have been approved for access to it, and that I understand these procedures.
Further, I understand that unauthorized use or disclosure of Sensitive Information, marked or unmarked, including, but not limited to, oral communications or information observed or gleaned arising from the Review, may compromise, jeopardize or subvert current, past, or future law enforcement activities, investigations, or investigative techniques and may compromise, jeopardize or subvert existing or future FBI contracts, contractual relationships between the FBI and vendors, or the ability of the FBI to effectively contract with vendors now or in the future.

3. I agree to manage all Sensitive Information in a manner consistent with procedures recommended by the FBI or DOJ, and I will not now or in the future use, disclose, or retain Sensitive Information unless such disclosure is necessary in the performance of the Review, and I have either officially verified that the recipient of such information has been properly authorized by the FBI or DOJ to receive it, or been given prior written notice of authorization from the FBI or the DOJ that such use, disclosure or retention is permitted. I understand that if I am uncertain as to the sensitive nature or status of information as Sensitive Information, I am required to confirm from an authorized FBI or DOJ official that such information may be used, disclosed or retained prior to its use, disclosure or retention. The obligations imposed upon me herein shall not apply to Sensitive Information which is disclosed pursuant to a valid order of a court or governmental body or any political subdivision thereof; provided, however, that I shall first have given notice to the FBI or DOJ in order to permit them to seek a protective order and in such case I shall assist the FBI or DOJ in filing a protective order in accordance with applicable rules; and if such order issues, disclosure under this provision shall be made only in accordance with the terms of the protective order.
Notwithstanding this provision, IITRI shall be able to retain one (1) copy of the draft and final reports provided to the FBI or DOJ as a result of the Review for a period of one year after completion of the Review, after which time such copies shall be returned to the FBI or DOJ.

4. I have been advised that except as necessary for the Review, any effort to reverse engineer the Carnivore software or other software, including software code, to which I may be given access during the Review may cause irreparable damage to (a) FBI investigations and investigative techniques; (b) FBI contracts, contracting capabilities, contractual relationships between the FBI and vendors, or the ability of the FBI to effectively contract with vendors now and in the future; or (c) the rights of third parties to protect their proprietary information; and I will not undertake any such action, use, or effort to reverse engineer Carnivore or other software, including software code, or undertake any other action, use, or effort that is inconsistent with the sensitive and protected nature of this software, unless I have been given prior and explicit written authorization from the FBI or DOJ that such action, use, or effort is permitted. I will also not duplicate or copy Sensitive Information arising from the Review in a manner inconsistent with the procedures recommended by the FBI or DOJ. I acknowledge that unauthorized duplication or copying of Sensitive Information arising from the Review may cause irreparable damage to FBI investigations, investigative techniques, or contracting capabilities.

5. I have been advised that any breach of this Agreement may result in the termination of my relationship with the FBI and the DOJ and my removal from the Review.
In addition, I have been advised that any unauthorized disclosure, use, or retention of Sensitive Information by me may constitute a violation or violations of United States criminal laws, including those codified in title 18, United States code, or may lead to criminal prosecution for obstruction of lawful government functions. I realize that nothing in this Agreement constitutes a waiver by the United States of the right to prosecute me for any statutory violation.

6. I understand that all Sensitive Information to which I have access or may obtain access by signing this Agreement is now and will remain the property of, or in the control of the FBI or DOJ unless otherwise determined by an authorized FBI or DOJ official or final ruling in a court of law. I agree that I shall return all Sensitive Information provided to me by the FBI or DOJ in written or any other tangible form which has come or may come into my possession, or for which I am responsible because of such access: (a) upon demand by an authorized representative of the FBI or the DOJ, or (b) upon the conclusion of my relationship with the FBI or the DOJ incidental to this Review, whichever occurs first.

7. Unless and until I am released in writing by an authorized representative of the FBI or the DOJ, I understand that all conditions and obligations imposed upon me by this Agreement apply during the time I am granted access to the Sensitive Information and at all times thereafter.

8. Each provision of this Agreement is severable. If a court should find any provision of this Agreement to be unenforceable, all other provisions of this Agreement shall remain in full force and effect.

9. I understand that the United States Government may seek any remedy available to it to enforce this Agreement including, but not limited to, application for a court order prohibiting disclosure or use of Sensitive Information in breach of this Agreement.
I hereby assign to the United States Government all royalties, remunerations, and emoluments that have resulted, will result, or may result from any disclosure, use, or retention of Sensitive Information not consistent with the terms of this Agreement.

10. I have read this Agreement carefully and my questions, if any, have been answered.

Signature____________ Date____________

Organization (if contractor, provide name and address):

The briefing and execution of this Agreement was witnessed by (type or print name)

Signature____________ Date ____________

______

Security Debriefing Acknowledgment

I reaffirm that the provisions of the Federal criminal laws applicable to the safeguarding of Sensitive Information have been made available to me by the FBI or DOJ; that I have returned all Sensitive Information in my custody; that I will not use, disclose or retain myself Sensitive Information to any unauthorized person or organization; that I will promptly report to the FBI any attempt by an unauthorized person to solicit Sensitive Information; and that I have received a debriefing regarding the security of Sensitive Information.

Signature____________ Date ____________

Name of Witness (type or print)____________

Signature of Witness____________ Date ____________