[Senate Hearing 111-601]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 111-601
 
     VIDEO LAPTOP SURVEILLANCE: DOES TITLE III NEED TO BE UPDATED? 

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 29, 2010

                               __________

                       PHILADELPHIA, PENNSYLVANIA

                               __________

                          Serial No. J-111-83

                               __________

         Printed for the use of the Committee on the Judiciary

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

58-268 PDF                       WASHINGTON : 2010 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 

















                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 JEFF SESSIONS, Alabama
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
RUSSELL D. FEINGOLD, Wisconsin       CHARLES E. GRASSLEY, Iowa
CHARLES E. SCHUMER, New York         JON KYL, Arizona
RICHARD J. DURBIN, Illinois          LINDSEY GRAHAM, South Carolina
BENJAMIN L. CARDIN, Maryland         JOHN CORNYN, Texas
SHELDON WHITEHOUSE, Rhode Island     TOM COBURN, Oklahoma
AMY KLOBUCHAR, Minnesota
EDWARD E. KAUFMAN, Delaware
ARLEN SPECTER, Pennsylvania
AL FRANKEN, Minnesota
            Bruce A. Cohen, Chief Counsel and Staff Director
                  Matt Miner, Republican Chief Counsel
















                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Specter, Hon. Arlen, a U.S. Senator from the State of 
  Pennsylvania...................................................     1

                               WITNESSES

Bankston, Kevin, Senior Staff Attorney, Electronic Frontier 
  Foundation, San Francisco, California..........................     7
Cate, Fred H., Professor of Law and Director, Center for Applied 
  Cybersecurity Research, Indiana University Maurer School and 
  Law, Bloomington, Indiana......................................     2
Livingston, John, Chairman and CEO, Absolute Software 
  Corporation, Vancouver, BC Canada..............................    11
Richardson, Robert, Director, Computer Security Institute (CSI), 
  Swarthmore, Pennsylvania.......................................     9
Wegbreit, Robert, Parent, Lower Marion School District...........    22
Zwillinger, Marc, Partner, Zwillinger Genetski, LLP, Washington, 
  DC.............................................................     4

                       SUBMISSIONS FOR THE RECORD

Bankston, Kevin, Senior Staff Attorney, Electronic Frontier 
  Foundation, San Francisco, California, statement...............    28
Cate, Fred H., Professor of Law and Director, Center for Applied 
  Cybersecurity Research, Indiana University Maurer School and 
  Law, Bloomington, Indiana, statement...........................    40
Livingston, John, Chairman and CEO, Absolute Software 
  Corporation, Vancouver, BC Canada, statement...................    47
Richardson, Robert, Director, Computer Security Institute (CSI), 
  Swarthmore, Pennsylvania, statement............................    49
Zwillinger, Marc, Partner, Zwillinger Genetski, LLP, Washington, 
  DC, statement..................................................    53


     VIDEO LAPTOP SURVEILLANCE: DOES TITLE III NEED TO BE UPDATED?

                              ----------                              


                         MONDAY, MARCH 29, 2010

                              United States Senate,
                                Committee on the Judiciary,
                                                     Washington, DC
    The Committee met, pursuant to notice, at 10:00 a.m., U.S. 
District Court for the Eastern District of Pennsylvania 
(Philadelphia), Courtroom 3B, Hon. Arlen Specter presiding.

 OPENING STATEMENT OF HON. ARLEN SPECTER, A U.S. SENATOR FROM 
                   THE STATE OF PENNSYLVANIA

    Chairman Specter. Good morning ladies and gentlemen. The 
hour of 10:00 having arrived, the Judiciary Subcommittee on 
Crime & Drugs of the Senate Judiciary Committee will now 
proceed with this hearing which has been entitled Video Laptop 
Surveillance: Does Title III Need to Be Updated?
    There was a recent incident at Lower Marion Township High 
School where video laptops were taken from the school into 
private residences and on one of these laptops it was activated 
so that the surveillance can be conducted secretly or there 
could be seen what was going on inside of private homes which 
raises an issue of violation of privacy.
    Privacy is one of our most prized values in our society 
protected by the Fourth Amendment of the Constitution of the 
United States and by a variety of federal statutes. The 
incident raises a question as to whether the law has kept up 
with technology or there to have been an interception of a 
telephone communication it would violate federal law or there 
have been a secret surveillance with sounds that would have 
been a violation of federal law, but there appears to be a gap 
where there was no sound but only an opportunity to watch what 
people were doing inside a private residence.
    Our inquiry here is not directed to this specific incident 
or incidents or whether the school district acted properly or 
whether there was any civil claim. There is litigation pending 
in the federal court on that subject, but the inquiry of the 
subcommittee is focused on the public policy question as to 
whether federal law ought to be changed.
    We have a very distinguished array of expert witnesses who 
have traveled here from far and wide to give us their views on 
this subject.
    Professor Frederick H. Cate from the Indiana University 
School of Law in Bloomington and Director of the Indiana 
University Center for Applied Cybersecurity will be our lead 
witness.
    We will have testimony from Mr. Marc Zwillinger, founding 
partner of Zwillinger Genetski, a law firm specializing in the 
complex laws governing internet practices.
    Mr. Kevin Bankston, Staff Attorney specializing in free 
speech and privacy law with the Electronic Frontier Foundation.
    Mr. Richardson, Mr. Robert Richardson, Director of Computer 
Security Institute specializing in security trends and 
strategies for protecting information.
    Mr. Jack Livingston, Chairman and CEO of Vancouver based 
Absolute Software Corporation.
    We have a lot which is happening on the Internet and we 
have a great deal which is happening in cyberspace, real issues 
as to national security and related fields, a real issue to 
commercial enterprises being able to protect their trade 
secrets.
    Looking back at one of the landmark decisions at American 
Jurisprudence, Olmstead versus the United States Justice 
Brandeis made a comment about a violation of Fourth Amendment 
rights of the defendant stating that, ``In the application of a 
constitution, our contemplation cannot be only of what has been 
but of what may be.''
    Justice Brandeis was prescient in so many ways and he was 
here looking at a complex issue decades removed. When you talk 
about the right of privacy, we live in a complex society. We 
have been battling in Washington the issue of warrantless wire 
taps, the power of the President under Article II as Commander 
in Chief contrasted with the authority of Congress under 
Article I on the Foreign Intelligence Surveillance Act in 
cyberspace and the Internet, a very prized American valued 
privacy is at issue here. We are going to try to find out where 
we ought to head.
    We turn now to our first witness, Professor Cate whom I 
have already introduced in effect. Professor Cate, the floor is 
yours.

   STATEMENT OF FRED H. CATE, PROFESSOR OF LAW AND DIRECTOR, 
 CENTER FOR APPLIED CYBERSECURITY RESEARCH, INDIANA UNIVERSITY 
           MAURER SCHOOL OF LAW, BLOOMINGTON, INDIANA

    Mr. Cate. Thank you very much, Mr. Chairman, and let me say 
how much I appreciate both your holding this hearing on this 
very important subject and your including me in it. It is a 
privilege to also be on such a distinguished panel of other 
commentators on this issue.
    I have just three points which I will make quite briefly. 
The first is there is no question but that Title III of the 
Omnibus Crime Control and Safe Streets Act, what we refer to as 
the Wire Tap Act, needs to be revised. It does not cover video, 
unaccompanied surveillance video unaccompanied by sound, and 
therefore in situations such as that which has given rise to 
this hearing, those situations are not covered by the Wire Tap 
Act.
    The reality that the Wire Tap Act does not extend to video 
or other optical surveillance if the sounds are not captured at 
the same time has been highlighted in many prior situations in 
which cameras were installed in bedrooms and bathrooms and 
changing rooms and elsewhere causing some states to enact video 
voyeurism laws.
    To avoid this gap in the future, it is going to be 
necessary to either amend the Wire Tap Act or to enact some 
other standalone piece of legislation. But doing so is not 
going to be quite as simple as it may sound because the Wire 
Tap Act deals with intercepting communications between parties 
and not the mere observation of parties or the observation of a 
setting such as a bedroom. Therefore, it will also be critical 
not to make any amendment to the Wire Tap Act so broad that it 
restricts the use of security cameras in public, which serve a 
very important purpose and one that I don't think anyone would 
wish to eliminate.
    So it is clear that the gap needs to be closed. It is less 
clear precisely as to how that will be done, but it is 
certainly Congress who will have to do it.
    The second point I would like to make is that the alleged 
use of the laptop camera to capture images of a student within 
his home is only the most recent in a long series of events 
that we have seen in which modern digital technologies are 
deployed in ways that challenge both existing laws and our 
existing understanding of privacy.
    So RFID tags, GPS devices, cell phones and cell phone 
cameras, OnStar and other vehicle assistance services, digital 
audio and video surveillance technologies that have exploded in 
cities largely thanks to federal funding and other technologies 
are constantly challenging our understanding of what is and 
what should be private.
    So individual courts are grappling with these issues and 
states are grappling with these issues, but increasingly it is 
clear that it is the thoughtful intervention of Congress that 
is necessary to resolve this conundrum.
    In 2004, the Technology and Privacy Advisory Committee 
which was appointed as an independent committee to oversee the 
situation created by the Terrorism Information Awareness 
Program and the Department of Defense concluded in its final 
report current laws are often inadequate to address the new and 
difficult challenges presented by dramatic developments and 
information technologies and that inadequacy will only become 
more acute as the storage of digital data and the ability to 
search it continue to expand dramatically in the future.
    That panel recommended, and I quote, ``It is time to update 
the law to respond to new challenges.'' Now, that was 2004. I 
think later this week we will be hearing from a large coalition 
led by the Center for Democracy and Technology that has been 
working for almost two years to develop specific principles 
around which revision of these laws might be based.
    I know that the members of that coalition are eager to work 
with you and with members of this Subcommittee and the 
Judiciary Committee to develop an appropriate and balanced 
update to the law.
    The final point that I would like to make is that there are 
important steps that institutional providers, users of these 
digital technologies can and should already be taking 
irrespective of their specific legal obligations to diminish 
the impact of those technologies on privacy and other protected 
civil liberties.
    For example, having in place written policies on the use 
and the retention of the material, having in place oversight 
mechanisms, audit tools, designated chief privacy officer or 
chief compliance officer to ensure that those rules are being 
followed, and in many ways perhaps most importantly, a level of 
transparency so that any users of those technologies know what 
they should reasonably expect when using them.
    Now, I don't want to belabor those in this testimony, but I 
think those are important not only for individual users to be 
concerned with, but may also play an important role in whatever 
form of legislative recommendation you and your colleagues 
craft so that we see not merely a binary black and white on or 
off--either it is private or it's not private--but rather we 
see in place tools to help maximize privacy even while engaging 
in surveillance that may be necessary or serve very important 
values.
    So my time is up. Let me say again how much I appreciate 
your having launched this very important dialogue. Thank you, 
sir.
    Chairman Specter. Thank you very much, Professor Cate. Our 
next witness is Mr. Mark Zwillinger, founding partner of 
Zwillinger Genetski, a law firm specializing in the increasing 
complex issues governing internet practices including wire 
taps, Communication Act, privacy and spyware.
    Thank you for coming, Mr. Zwillinger and we look forward to 
your testimony.

  STATEMENT OF MARC ZWILLINGER, PARTNER, ZWILLINGER GENETSKI, 
                     L.L.P., WASHINGTON, DC

    Mr. Zwillinger. Thank you, Chairman Specter. I'm pleased to 
appear today to discuss the topic of amending Title III to 
include video surveillance. My views on this issue come from my 
prior experience as a federal prosecutor, my current work in 
private practice in privacy and security issues and my role as 
an adjunct law professor at Georgetown University Law Center.
    Every so often we become aware of an incident like what 
happened in Lower Marion that makes us question whether our 
privacy laws are adequate. This past fall, similar concerns 
came up when a man tracked ESPN reporter Erin Andrews around 
the country, installing secret cameras in her hotel rooms and 
capturing and uploading videos of her to the internet.
    A review of recent cases demonstrates other abuses of 
surveillance technology to film people in places where they 
should expect privacy, including landlords who have secretly 
videotaped tenants, hotel managers who have spied on guests, 
and schools who have videotaped students in changing rooms.
    Title III does not address these problems because silent 
video surveillance is not covered by the statute. But while 
it's tempting to conclude that Title III should prohibit this 
behavior, amending it to do so would likely be a mistake.
    Just as we are troubled that our remote video surveillance 
of children can be possible in private places, we rely on 
secret video surveillance to keep us safe--from the cameras 
that protect our children at places like Hershey Park or Sesame 
Place to the closed circuit TV cameras outside our apartments. 
Silent video has become our extra set of eyes.
    Companies regularly use technology such as silent video to 
protect their employees and their property. Therefore, when we 
consider how to prevent abuses of our surveillance, we must not 
ban the uses of technology that does strike the right balance 
between privacy and security.
    Now, as written, Title III serves three distinct purposes. 
It places limits on law enforcement, it defines what is a 
federal crime and it creates a civil cause of action. But it 
only does so with respect to wire communications like phone 
calls, electronic communications like emails and oral 
communications, like the things we say to each other in person.
    Now, wire and electronic communications are covered in all 
circumstances, but oral communications are only covered where 
the speaker has a reasonable expectation that their 
communication will be private.
    Clearly we cannot equate videos and photos to wire and 
electronic communications under Title III. This would make 
thousands of security cameras in public places illegal and it 
would turn parents and journalists and security professionals 
into criminals. Therefore, video surveillance like oral 
surveillance and oral communications would have to be 
prohibited only where the person has a reasonable expectation 
of privacy.
    Even then, adding video to the Title III framework may 
create more problems than it would solve. As to the government, 
the Courts of Appeal have already held that video surveillance 
in a private area must comport with the Fourth Amendment and 
that search warrants for video surveillance must meet existing 
Title III standards.
    So when it's the government that's peering into citizen's 
homes, the constitution may already provide an effective 
remedy. But adding video to Title III would create tremendous 
problems for the private sector.
    Under Title III, the standard for when oral communications 
may be recorded without consent is the same fact-based 
reasonable expectation of privacy test under the Fourth 
Amendment. So predicting in advance when it is acceptable to 
record audio under this standard is difficult. That judicial 
opinions teach us that the answer is frequently ``it depends''. 
It depends on the location, it depends who is captured, what 
they were doing, whether third parties would be anticipated to 
be present, whether you needed technology to do the oral 
surveillance, and more.
    If you apply this body of existing case law to video 
surveillance, it would raise very hard questions, especially in 
those semi-secluded places where we do want video cameras, like 
in elevators with no other passengers or in the locked 
entrances of banks where ATMs may be located.
    If Title III included video, every wrongdoer who was caught 
on a security camera in these areas would challenge the 
lawfulness of the surveillance. Evidence of crime in private 
secluded spaces could be suppressed, companies could be held 
liable and none would want to be on the hook for installing 
cameras due to the risk of civil liability or criminal 
punishment. This is one of the reasons why video surveillance 
is silent today. The risk of capturing audio is too great.
    Instead of Title III, there are more targeted alternatives 
that could address the privacy concerns raised by the Lower 
Marion and Erin Andrews examples without diminishing our 
security.
    Generally video seems to concern us most when it intrudes 
in the home or an area where someone may be naked, when 
legitimate surveillance tools are redirected for voyeurism and 
when it involves children.
    Legislation to prevent these first types of intrusions on 
federal land was already enacted in the Video Voyeurism 
Prevention Act of 2004 which prohibits voyeurism in areas where 
people could reasonably be expected to change clothes without 
prohibiting the legitimate use of surveillance in quasi-public 
places.
    This approach is not perfect. It doesn't cover all of the 
examples where we wouldn't want video surveillance, but it 
provides a better starting point than Title III for a 
comprehensive federal statute that protects private spaces from 
video intrusion.
    Several other states have also tried to take on this 
problem. Some examples are cited in my written testimony. 
Delaware, for example, focuses on the place where the 
surveillance is installed and whether people have a reasonable 
expectation of privacy in that place.
    These state laws, like the Video Voyeurism Prevention Act 
could serve as a model for future federal legislation. Such 
legislation could also have a safe harbor from liability for 
organizations that use security cameras if they have adequate 
controls to prevent against rogue uses of the technology.
    In conclusion, the idea that our children can be subject to 
video surveillance in private areas is troubling. But what 
really bothers us about video surveillance is the fact that the 
camera may catch us unaware or even undressed.
    In the hierarchy of privacy protection, we should be more 
focused on ensuring that our private thoughts, our 
conversations, our phone calls, our emails and our instant 
messages remain private and that neither the government nor 
private individuals can get access to them without adequate 
notice or probable cause to believe that we are committing a 
crime.
    There is no question that our privacy statutes are in need 
of reform, especially to bring the privacy protections for 
electronic communications into the modern age of computing. But 
when we are addressing video surveillance, we need to carefully 
craft legislation to target the specific harms we're going 
after without eliminating the ability to use silent video for 
security purposes.
    Thank you for the opportunity to testify. I look forward to 
answering your questions and working with the subcommittee.
    Chairman Specter. Thank you, Mr. Zwillinger. Our next 
witness is Mr. Kevin Bankston, Senior Staff Attorney 
specializing in free speech and privacy laws with the 
Electronic Frontier Foundation.
    He has worked, he has focused on the impact of post 9/11 
antiterrorism laws and surveillance initiatives on online 
privacy and free expression.
    We appreciate your coming in, Mr. Bankston and appreciate 
your testimony.

STATEMENT OF KEVIN BANKSTON, SENIOR STAFF ATTORNEY, ELECTRONIC 
         FRONTIER FOUNDATION, SAN FRANCISCO, CALIFORNIA

    Mr. Bankston. Thank you. Senator. Thank you. Good morning, 
Chairman Specter, and thank you for inviting me to testify here 
on behalf of the Electronic Frontier Foundation on this very 
important subject.
    Laptop cameras or webcams represent an awesomely useful new 
technology. However, this new technology also carries with it 
an awesome new privacy risk with millions upon millions of 
laptops being carried with webcams routinely being carried into 
the home and other private spaces.
    Surreptitious video surveillance has become a newly 
pervasive threat. Put simply, any camera controlled by software 
on a computer that is connected to the internet carries the 
risk that the camera will be remotely activated without the 
knowledge of the user, whether by stalkers, computer criminals 
or even foreign governments using malware or malicious software 
to break into the computer and take control of the camera or by 
schools or employers with the ability to install their own 
software on their computer or by U.S. state or local government 
law enforcement investigators attempting to monitor a suspect.
    Recent allegations that school administrators of the Lower 
Merion school district have secretly photographed students 
inside their homes using the webcams on student's school-issued 
laptops have put a spotlight on how this new technology puts 
American's privacy at risk and should be a wake up call to 
Congress to address a troubling gap in privacy law.
    As the other commentators have noted, Title III, otherwise 
known simply as the Wire Tap Act currently only regulates 
electronic eavesdropping on private conversations and the wire 
tapping of voice and electronic communications or in terms of 
the statute, it only regulates the interception of oral, wire 
or electronic communications.
    It does not regulate the unconsented video surveillance of 
private spaces as the legislative history makes clear and as 
all seven federal circuit courts to consider the question have 
held.
    So, for example, secret monitoring of your email 
transmissions, wiretapping of your telephone calls or secret 
eavesdropping using a microphone hidden in your home, all of 
these would violate Title III. However, the secret use of the 
webcam or a radio controlled camera to photograph you inside 
your home would not violate Title III because in such a case 
there would be no oral, wire or electronic communication of 
yours to be intercepted.
    Even though such secret surveillance can be as invasive if 
not more invasive than listening in on your conversations or 
monitoring your internet communications, Title III simply 
doesn't apply.
    Judge Posner of the 7th Circuit who in 1984 in the Case of 
U.S. v. Perez wrote the first Circuit Court opinion applying 
this logic holding that Title III does not regulate video 
observed in that opinion of course it is anomalous to have 
detailed statutory regulation of bugging and wiretapping but 
not of television surveillance in Title III.
    We would think it a very good thing if Congress responded 
to the issues discussed in this opinion by amending Title III 
to bring television surveillance within its scope.
    Over 25 years have passed since Judge Posner first 
recommended such a change, but Congress has not yet acted even 
though the threat of surreptitious video surveillance has 
increased exponentially along with the number of internet 
connected cameras.
    We at EFF are therefore thankful to this subcommittee for 
taking up the issue and reexamining the question of whether 
Title III should be updated to regulate video surveillance 
because, to put it bluntly, the current inapplicability to 
Title III doesn't make sense.
    It makes no sense that if the school administrators had 
eavesdropped on student conversations at home using the 
laptop's microphone or it intercepted a student's private video 
chats they would have clearly violated Title III, but equally 
invasive video spying is not regulated by the statute at all.
    It also makes no sense that a public school or any other 
governmental entity that wanted to legally spy on a student in 
this matter would have to get a prosecutor to obtain a probable 
cause warrant that satisfies Title III's core requirements in 
order to comply with the Fourth Amendment, yet a private school 
could do so without any regard to Title III at all.
    Finally it makes no sense that Congress while strictly 
regulating electronic eavesdropping would leave the regulation 
of equally invasive video surveillance up to the states. As in 
2003 when the Reporters Committee for Freedom of the Press last 
surveyed the state of the law, only 13 states had passed 
statutes expressly prohibiting the unauthorized installation or 
use of cameras in private places, and several of those statutes 
regulate cameras only in certain limited circumstances such as 
in locker rooms or restrooms or where the purpose is to view 
someone who is partially or fully nude.
    One federal law mentioned by Mr. Zwillinger, the Video 
Voyeurism Prevention Act of 2004, similarly restricts only 
secret videotaping persons in a state of undress and only 
applies in the special maritime and territorial jurisdiction of 
the U.S. rather than applying generally.
    It is EFF's opinion that in the face of the 21st Century 
landscape literally littered with cameras that are vulnerable 
to abuse, this kind of patchwork response to a growing 
nationwide problem is increasingly unacceptable.
    In conclusion, Mr. Chairman, the Committee asked us whether 
Title III needs to be updated in light of video laptop spying 
and EFF's answer is plainly yes. Title III should cover video 
surveillance in private spaces where there is a reasonable 
expectation that you won't be photographed.
    We look forward to the possibility of working with the 
subcommittee to update the law to regulate video surveillance 
in a manner that appropriately balances the interest of privacy 
and free expression and public safety, but would also echo the 
comments of Professor Cate and Mr. Zwillinger that this is only 
one area where our electronic privacy statutes need to be 
updated. We look forward to an announcement hopefully this week 
of this coalition's work which we are also a part of.
    In the meantime, thank you again for having us and I look 
forward to your questions.
    Chairman Specter. Thank you, Mr. Bankston. Our next witness 
is Mr. Robert Richardson, Director of Computer Security 
Institute, a professional membership organization for 
information security professionals.
    That institute seeks to follow security trends and 
recommend strategies for organizations seeking to protect their 
information and technology.
    Mr. Richardson, we appreciate your coming in. The floor is 
yours.

  STATEMENT OF ROBERT RICHARDSON, DIRECTOR, COMPUTER SECURITY 
           INSTITUTE (CSI), SWARTHMORE, PENNSYLVANIA

    Mr. Richardson. Chairman Specter, thank you for inviting my 
written statement and for this opportunity to speak to the 
issue of video surveillance, particularly as it relates to 
surveillance using common consumer mobile computing devices 
such as notebooks, cell phones and personal digital assistants.
    These devices, because of their ubiquity, clearly present 
opportunities for enhanced communication, but they also 
challenge our notion of security practices as they relate to 
privacy and surveillance.
    As Director of the Computer Security Institute, I am 
engaged daily with these issues as they relate to organizations 
that maintain large computer and network infrastructures.
    The instigation for our discussion today was the desire of 
one such organization to protect its computer assets, and as 
one would probably expect, concern that mobile assets may be 
lost or stolen is completely well-founded.
    One project undertaken by the Computer Security Institute 
over the past 14 years is an annual survey of our information 
security professional community specifically within the United 
States. In the most recent survey, 42 percent of 443 
respondents said that their organizations had suffered the 
theft of laptops or mobile devices in the previous year. Only 
infection by malicious software or malware reported by 64 
percent of the respondents was more prevalent.
    Perhaps ironically the modus operandi of today's 
sophisticated malware is not at all unlike that of the software 
deployed by some organizations to monitor their notebook 
computer assets. Both with tracking software and malware, this 
fundamental level of direct control of the device is 
transferred to a third party at a distance.
    This transfer is achieved in both cases because malware and 
tracking software have gained or been granted access to the 
most extensive level of control of the computer, so called root 
control.
    Most issues of privacy and access within the confines of a 
computer have at their root the issue of root access.
    When the owner and primary user of a device are one in the 
same, control and responsibility is easily understood and it is 
the user who has control of the root account. But in the 
instance of say an employer that loans a notebook to an 
employee, the employer may well withhold root privileges from 
the employee. This gives the employer more control over the 
device than the user and indeed more control than the user may 
be aware of such as the ability to remotely operate a built in 
camera.
    Root control may be abused in many ways, including by 
surreptitious spying. But this notion of root control is a 
necessary one and extended only slightly gives us an opening to 
separate and protect different categories of use within a 
device. There can be a category of work place use, for example, 
that is entirely walled off from personal use.
    There are multiple ways to achieve this that would be too 
lengthy and technical a discussion to delve into here, but in 
fact most Americans are already familiar with one such division 
of control. Ninety five percent of cell phones sold each year 
within the U.S. are locked phones meaning that their use is 
controlled and restricted by the carrier that originally sold 
the phone and that is providing service to it.
    Using the phone for conversation or texting is understood 
to be a context where the user is in control. That same user, 
however, cannot update the core software that runs the phone. 
The service provider can and does because the service provider 
has what is in effect root control over the phone.
    It is possible in short to lock down part of a system so 
that the locked down element's function has a complete computer 
system under themselves with separate software applications and 
separate storage for files. That this lock down environment is 
truly separate from the rest of the computer can be rigorously 
demonstrated using well understood techniques based on advanced 
forms of encryption as well as a computing framework known as 
trusted computing.
    Almost all notebook computers sold since 2004 include a 
trusted platform module housed in a sealed, tamper proof 
component within the computer. This provides a reliable 
foundation for protected, high control partition of the 
computer.
    In the vast majority of cases, however, this TPM 
functionality is not enabled and it would be disingenuous not 
to note that trusted computer systems have raised a great deal 
of controversy within the information security community.
    This controversy, however, stems precisely from a fear that 
third parties, parties such as Microsoft, will have 
overreaching control over consumer owned PCs. This is not a 
concern when we are speaking of an organizational owner 
extending control over its own PCs. Within this lock down 
system of third parties such as a school or employer, they have 
an oasis of control. If they don't want to allow chat programs, 
chat programs can be barred. If they don't want pornography 
stored, they can scan for it and monitor employee use at will. 
The user of that system will know that whenever they are using 
the system in this workplace context, they may well be 
monitored.
    On the same system, however, it is possible to use what is 
effectively a second computer that is not locked down or that 
is locked down in a less restrictive way.
    That we can create clear technical boundaries means that we 
can by extension create clear legal boundaries. We have the 
option to legislate in a way that recognizes the possibility of 
such boundaries. By doing so, we can establish that the context 
in which any kind of surveillance occurs is either clearly 
within or outside legal bounds.
    Once again, I appreciate the opportunity to discuss this 
important issue and I will be happy to answer any questions.
    Chairman Specter. Thank you, Mr. Richardson. Our final 
witness is Mr. John Livingston, Chairman and CEO of Vancouver 
based Absolute Software Corporation, a publicly traded global 
company specializing in tracking, managing and protecting 
computers and mobile devices and providing theft recovery. We 
welcome you, Mr. Livingston, and look forward to your 
testimony.

    STATEMENT OF JOHN LIVINGSTON, CHAIRMAN AND CEO ABSOLUTE 
          SOFTWARE CORPORATION, VANCOUVER, BC, CANADA

    Mr. Livingston. Chairman Specter, members of the 
subcommittee, Absolute Software is pleased to have this 
opportunity to discuss Absolute's products and services as well 
as our protocols and policies as they relate to property 
protection and privacy issues which is something that Absolute 
values and cares deeply about.
    I co-founded Absolute Software in 1994 with the notion that 
individuals and businesses should be able to manage, secure and 
recover the mobile devices, regardless of their physical 
location.
    Since that time, Absolute has developed one of the premiere 
managed theft recovery services in the world. Our security as a 
service solutions protect more than 5 million computers 
worldwide for subscribers who range from individuals to large 
public and private sector organizations.
    To date, we have recovered over 13,500 stolen computers in 
50 different countries with our flagship service, Computrace. 
We average approximately 100 stolen computer recoveries each 
week.
    Absolute believes very strongly in protecting Computer 
theft victims and mitigating the multiple downstream 
consequences of computer theft. For an organization with a 
stolen computer, the cost of hardware is really just the 
beginning. In addition to the lost productivity and competitive 
threats an organization experiences, an organization that 
experiences a data breech may be subject to fines, media 
scrutiny and a damaged reputation.
    Computer theft has other costs and consequences, including 
the potential theft of personal identifying information that 
may later be sold or otherwise misused by identity thieves.
    In fact, we have assisted the Philadelphia police on many 
occasions. We have an inspector and detective with us today, 
including cases where recovering laptop led to apprehending a 
child pornographer or recovering illegal drugs, weapons and 
stolen cash. This is not atypical.
    Our case experience indicates that laptop thieves are often 
involved with other very serious crimes, including child 
pornography, identity theft, drug trafficking, home invasions, 
and of course large scale burglaries that may involve public 
school districts.
    I will share a few brief examples. In San Diego, Computrace 
assisted a school district in recovering 13 laptops that had 
been stolen during a burglary. The thieves were also charged 
with possession of methamphetamines and various parole 
violations. In Chicago, Computrace uncovered an airline's 
luggage handler theft ring at O'Hare Airport after which law 
enforcement arrested five workers and recovered eight laptops, 
four cameras, two GPS units and cash.
    In Florida, Computrace helped to capture a career criminal 
who had been burglarizing offices nationwide and taking up to 
12 to 15 laptops at a time. He was sentenced to 10 years in 
prison for his various crimes.
    We believe our numerous successes are possible because our 
post-theft recovery services are carried out by Absolute 
trained theft recovery personnel. The theft recovery process 
only begins when the customer reports their computer as stolen 
to local law enforcement. Then the customer must report the 
theft to Absolute, provide the police theft report file number 
which is required before any theft recovery process begins, and 
give their authorization to have Absolute's theft recovery team 
start the investigation.
    Our trained Computrace investigative team of law 
enforcement veterans coordinate the computer theft recovery 
process and cooperates with local law enforcement to recover 
the stolen property and return it to its rightful owner.
    We are ISO 27001 certified and have policies, procedures 
and controls in place to protect customer data which I would be 
happy to describe if that has interest to your committee.
    Thus, our Computrace solution is premised upon a managed 
theft recovery model that relies upon a filed police theft 
report to open a case investigation which is then handled by 
our staff of highly trained formal law enforcement personnel.
    Some of our competitors instead offer end user solutions 
which operate in a manner similar to the Lan Rev Theft Track 
tool set where a purchaser such as an IT administrator at a 
school district could choose to enable taking still images from 
a laptop's Web cam.
    Absolute did not itself offer Web cam functionality in its 
Computrace product line because we did not see a need for such 
a tool set in our very different and in our view, superior 
managed theft recovery model.
    We acquired Lan Rev's assets late last year for their 
computer, inventory power management and asset management 
functionality. Through a software patch offered to the theft 
track customers we acquired, we removed the Web cam feature 
earlier this year.
    With that, I conclude my comments. Thank you, Senator, for 
inviting me. I appreciate it very much and welcome your 
questions.
    Chairman Specter. Thank you, Mr. Livingston. Well, it is a 
very intriguing, complex subject matter. I note the invitation 
from Judge Posner of the Seventh Circuit, a very distinguished 
federal judge in 1984 as the testimony has noted in inviting 
Congress to deal with this gap in federal law, and I note 
Professor Cate's comment that there is room for a ``thoughtful 
intervention of Congress.''
    That may limit Congress' role. It is not so funny 
considering the legislation we passed last week and the public 
disagreement with it, although our job is to call them as we 
see them. In a representative democracy we have to make the 
judgments, to consider our constituents, but ultimately to make 
the judgments ourselves, we don't run by polling or public 
opinion polls.
    That raises a threshold question which I ask of each of 
you. Does the passage of 25 years since Judge Posner's 
invitation for Congress to fill the gap suggest that perhaps 
Congress ought not to act? What do you think, Mr. Livingston?
    Mr. Livingston. We believe the current legislation that is 
in place, Senator, really does cover this well.
    Chairman Specter. Which legislation in place do you think 
covers it well?
    Mr. Livingston. Well, the different federal legislation and 
state legislation that's in place regarding how evidence might 
be gathered.
    Chairman Specter. But there is no federal legislation which 
covers pure visual surveillance, is there?
    Mr. Livingston. Senator, in our managed theft recovery 
model where we are representing the owner of the device, it is 
not a common carrier type situation.
    We are actually able to locate a device with the owner's 
permission in cooperation with law enforcement. We feel that 
the existing law and the legal framework that's in place allows 
owners of computers and private property to be able to get 
their stolen computers back.
    Chairman Specter. Well, that is where the issue is one of 
ownership and retrieval. But suppose that is not an issue. 
Suppose it is only a gap. The wire tap law says you can't have 
the interception of a telephone call, you can't have 
surreptitious surveillance, a secret surveillance if there is 
an oral communication but it leaves open if it is just visual.
    So if you don't have retrieval of property, isn't the gap 
present?
    Mr. Livingston. Sir, my only experience is representing the 
owner, the legitimate owner of the device in the context of it 
being lost or stolen. In that context, we have our internal 
processes and procedures in place to be able to effect a stolen 
computer recovery with the help of law enforcement. We work in 
that framework and that's all I can really comment on.
    Chairman Specter. All right. That's fair enough within the 
purview of your experience, but there is a vast issue beyond 
your own particular purview.
    While we are, well, let me move to Mr. Richardson. Do you 
think that the unanswered invitation, Judge Posner's unanswered 
invitation for 25 years suggests that Congress ought to stay 
out of it?
    Mr. Richardson. No, Senator, I don't. I think that two 
relevant changes that have occurred in the past 25 years that I 
would point to are the vast increase in Internet connectivity 
and specifically in high bandwidth Internet connectivity which 
makes the transmission of video images easily accomplished 
across the Internet in a way that was not possible when Judge 
Posner made those remarks.
    Additionally, I think the ubiquity of camera devices 
embedded in mobile consumer goods is something that while it 
may be a difference in degree, it is an extraordinarily large 
degree of difference. I think basically there were no cell 
phones 25 years ago with cameras and my suspicion is that every 
cell phone in the room today has a camera, although I might be 
wrong.
    But I think those two differences are, they really create 
an atmosphere that is ripe for abuse.
    Chairman Specter. Mr. Bankston, what do you think? Should 
the federal government stay out?
    Mr. Bankston. No, Senator. First I agree with Mr. 
Richardson that even if there were a good reason for Congress 
not to intervene in this issue in the past, the changed 
technological landscape really requires action here.
    But I don't think that Congress made a reasoned decision to 
stay out of this in that it had an opportunity in 1986 with the 
Electronic Communications Privacy Act to make these updates. It 
clearly did not based on the legislative history which 
explicitly says this doesn't cover video surveillance.
    Even though they noted Judge Posner's decision and other 
decisions applying Title III's requirements to video 
surveillance by law enforcement if only to satisfy the Fourth 
Amendment.
    I have not been able to find any explanation for why 
Congress refrained from regulating video surveillance in 1986.
    Chairman Specter. You have not found any explanation for 
why Congress refrained from doing something?
    Mr. Bankston. No.
    Chairman Specter. Have you on any other occasion? I have 
been there awhile and I haven't figured that one out myself.
    Mr. Bankston. But I have my suspicions, Senator, and I 
think it was simply a drafting difficulty. As in particular Mr. 
Zwillinger pointed out----
    Chairman Specter. Drafting difficulty?
    Mr. Bankston. Well, a structural difficulty.
    Chairman Specter. Weren't you available to help?
    Mr. Bankston. I guess I was in high school back then.
    Chairman Specter. Weren't you available to help?
    Mr. Bankston. I am now available to help, Senator, if you'd 
like. But I think the basic difficulty is that Title III in its 
current structure protects the privacy of communications.
    Here we are talking about trying to regulate something that 
is not necessarily a communication. When you have 
communications, you have parties and therefore you know whose 
consent you need or whose expectation of privacy the question 
should hinge on. So there is a structural difference between 
them.
    Chairman Specter. Not withstanding the structural 
difference, you think Congress ought to be in it?
    Mr. Bankston. Absolutely.
    Chairman Specter. How about you, Mr. Zwillinger?
    Mr. Zwillinger. Well, with due respect to Judge Posner and 
Mr. Bankston, I do think it makes sense to treat video 
differently.
    If you think of one example, if the student's remote laptop 
could be turned on to intercept emails, we would want that to 
be illegal wherever the student is because they have a right to 
send a private email, even in a public place.
    But with regard to video, we don't have a problem with the 
video being activated while the student is in the classroom or 
at the mall. We have problems when it is activated in the home 
or in the bathroom or in any other private place.
    So I don't think Congress should stay out. I don't want you 
to misinterpret. I think Congress should stay out of putting 
video in Title III and Congress should focus on a narrow 
targeted statute like the states have done to prevent video in 
private spheres without interfering with the ability to have a 
camera in an ATM or a camera in an elevator or even to turn on 
a webcam remotely in the office so employers can monitor in the 
office, just not at the home.
    Chairman Specter. Professor Cate, would you keep the 
federal government out? Or should the federal government be 
legislating here?
    Mr. Cate. Mr. Chairman, there is no question I believe the 
federal government should be legislating in this area. I would 
go far beyond what my colleague Mr. Zwillinger said because 
this is not just a question of location.
    Location matters. We certainly feel special about bedrooms 
and bathrooms and changing rooms. But in the years in which, 
between when Judge Posner wrote and today, we have seen a 
proliferation of video cameras in every aspect of our lives.
    We have the largest censored network in the world in the 
video cameras contained in cell phones. We have major 
investments by federal, local and state governments in video 
cameras on street corners, video cameras with extraordinary 
capabilities.
    So, for example, facial recognition. So they say I know 
that that is Senator Specter walking down that street. We have 
linked video cameras so they can follow you from one street 
corner to the next.
    When you go into your doctor's office, they can follow you 
in. They can link that together. We see major cities now, 
Chicago, for example, where private industry has linked its 
video cameras with government controlled cameras so that a 
government agent sitting in a bunker can access a business's 
cameras for the purpose of following people as they move.
    In the workplace, the presence of cameras there while I 
certainly agree there may be a different expectation of privacy 
in the workplace, even the Supreme Court, no great friend of 
privacy, has found there is an expectation of privacy in the 
workplace.
    So before an employer could turn on a camera that would 
surreptitiously record me in the workplace, presumably there 
should be some process there and that is process that I think 
Congress is in the best position to create.
    Chairman Specter. Well, Professor Cate, as you described a 
hypothetical camera following a person through all the person's 
activities and to the doctor's office, to wherever he or she 
may go, that's a pretty ominous big brother scenario.
    Mr. Cate. Yes, sir, Senator. I think it is quite ominous. I 
want to be clear.
    Chairman Specter. Quite ominous.
    Mr. Cate. Well, it is not, frankly, nearly as onerous as it 
is ominous because today the digital technology makes it much 
simpler now that we are beginning to link these cameras.
    Moreover, many of these cameras, in fact the majority----
    Chairman Specter. We are onerous and ominous. Would you 
amplify that?
    Mr. Cate. Well, I think it is both a, it is a tremendous 
burden on civil liberties that individuals may effectively have 
no expectation of privacy. They may be identified, they may be 
linked to who they are talking to, they may be linked to where 
they are going. Even though many of those activities occur in 
public.
    Chairman Specter. So you think it ought not to turn on an 
expectation?
    Mr. Cate. I think it ought not to turn on a location. I 
think an expectation might be entirely appropriate. So that, 
for example, and as I suggested in my written statement, just 
as we define oral communications under Title III based in part 
on a reasonable expectation that a conversation will not be 
overheard, we could define video surveillance as occurring in 
an area where there is a reasonable expectation that one would 
not be the subject of video surveillance.
    Chairman Specter. Well, if you say when you are walking 
down the street there is no expectation of privacy, if you say 
when you are in the elevator there is no expectation of 
privacy, certainly if you go into your doctor's office there is 
an expectation of privacy, but perhaps even in the 
circumstances where there is no expectation of privacy, if you 
aggregate them and put them all together and have a whole 
profile on a person, does that change the, is that a game 
changer?
    Mr. Cate. Yes, sir. I believe it can be. I don't believe in 
every instance it must be, but I think that is the type of 
place where the protection of privacy would benefit enormously 
for some process around that so that we would say before an 
agent could do those things, we would like to know is there 
individualized suspicion, for example.
    Let me just give you a very practical example. The Province 
of Ontario in Canada uses video surveillance extensively 
including on its public transportation, but they have a rule 
that they use a technology that obfuscates the face when the 
video is recorded and you can only get the technological screen 
removed from the face if you meet certain legal conditions.
    So they have it, they are capturing it. It is all there. 
But they have protected it with a small technological 
protection which offers great privacy protection.
    Chairman Specter. The comment was made about how many cell 
phones there are available. What is realistic to have some 
limitation, an enforceable limitation on cell phones?
    There is a big sign in my health club, no cell phone 
cameras inside the premises. I had not thought of the cell 
phone camera beforehand, but there are so many. How do you deal 
with that? Mr. Richardson, do you care to venture?
    Mr. Richardson. Yes, Senator. In my own view, I think it's 
important, we have talked about the importance of place. I also 
think there is an opportunity to think about the context of the 
use of the device.
    So while I don't think there is any effective way to 
legislate what people do with a cell phone that has a camera in 
it, I do think there are ways to legislate what they do with 
any video that they happen to take with those cameras and that 
the use of it either by the owner or by a third party could be 
determined in part by context. By that I mean if someone is 
using a work issued device whether it's a cell phone with a 
camera or a notebook, they could be clearly told that when they 
were using that in a workplace context that they might be 
monitored or the camera might be turned on.
    I'm not saying that that would be good policy for a 
company, but it might be legal. In a sort of private workplace, 
not workplace, but personal environment, the use of that video 
captured capability without the consent of parties who appear 
in the video I think would be something that could be made 
unlawful.
    Chairman Specter. Are there sufficient laws now to deal 
with the issue of pornography and videotaping?
    Mr. Richardson. Are you asking me, Senator?
    Chairman Specter. Yes.
    Mr. Richardson. I would venture to say this. That with 
particular emphasis on child pornography, that is one area in 
the realm of computer security where there have been laudable 
results and a reduction in overall crime detection that the 
sort of single mindedness of purpose and the broad deployment 
of crime fighting capabilities worldwide really did see some 
results there.
    Chairman Specter. So as to child pornography, you think we 
are, we have sufficient laws? Does anybody disagree with that? 
Professor Cate?
    Mr. Cate. No, sir. I don't disagree with that.
    Chairman Specter. Mr. Zwillinger.
    Mr. Zwillinger. No, sir, I do not disagree.
    Chairman Specter. Mr. Bankston.
    Mr. Bankston. No disagreement.
    Chairman Specter. Mr. Livingston.
    Mr. Livingston. No.
    Chairman Specter. There has been a bit of conversation on 
focusing on the right of privacy in the state of undress. Is 
that suggestive of a category of privacy where legislation 
might be directed to specific categories, undress being one and 
others like that specific situation which would limit the scope 
of legislation? Mr. Zwillinger, you are nodding in the 
affirmative?
    Mr. Zwillinger. I am, Mr. Chairman. I do think that's a 
useful limiting principle because we think about what bothers 
us about video, we think about private spaces. When we think 
about truly private spaces, they are spaces in which we feel 
comfortable doing things like changing clothes.
    It's not because the statute should only be geared towards 
voyeurism, it's because that defines a category of location 
where we are truly worried about privacy because we don't 
generally do that in public places. Change our clothes, that 
is.
    Chairman Specter. Any other category come to mind, Mr. 
Zwillinger, like undress which would be one for specific 
inclusion?
    Mr. Zwillinger. The other is the home certainly. Maybe you 
won't undress in your kitchen, but as the homeowner you 
certainly have a reasonable expectation that your home is 
sacrosanct, vis-a-vis third parties.
    Chairman Specter. And how about your office?
    Mr. Zwillinger. I think less so, Mr. Chairman.
    Chairman Specter. Why?
    Mr. Zwillinger. One of the problems with the case law about 
offices is employers also have an interest in protecting the 
security of their work space, protecting their employees, 
protecting their property.
    So work spaces vary dramatically from federal government 
spaces with signs that say ``everything may be monitored'' to 
private companies with thousands of employees where they are 
monitoring product to small businesses like mine where we have 
ten employees.
    So the circumstances are so different that trying to 
determine when somebody has a reasonable expectation of privacy 
in a hallway in front of an office, in a break area, in a 
kitchen, in an entranceway, it becomes very difficult to answer 
the questions that my clients ask in advance, which is ``can I 
put up a camera here to prevent theft? ''
    So I think offices are different than homes and locker 
rooms and bathrooms.
    Chairman Specter. Anybody disagree with the office?
    Mr. Bankston. Yes, sir. I mean, I respectfully disagree to 
the extent that certainly the question of an expectation of 
privacy is often a case by case, very fact dependent inquiry. 
But it is the same type of inquiry that courts have been 
engaged in for over 40 years when considering electronic 
eavesdropping. It's not an insurmountable problem or something 
that people cannot prepare for.
    I am less worried that people will be chilled from engaging 
in what would have been legitimate security video surveillance. 
Rather, I expect that a prohibition on video surveillance where 
there is an expectation of privacy would instead incentivize 
people to better notify those who are being put under 
surveillance.
    Another point is I am wary of limiting our privacy 
protections based on whether we are in a state of undress or 
otherwise in a state of undress in that we don't distinguish in 
Title III when it comes to eavesdropping or wire tapping 
whether or not our conversations are particularly sensitive or 
what content they contain.
    The question is whether these are private communications or 
not. Here the question is whether someone has an expectation of 
privacy that they are going to be photographed or not. I don't 
see why our privacy protection should turn on what amount of 
clothing we are wearing.
    Mr. Zwillinger. Mr. Chairman, may I respond briefly?
    Chairman Specter. Sure.
    Mr. Zwillinger. You asked the question before about cell 
phones and the cameras that are ubiquitous in cell phone 
technology. When you did that, there are three things about 
that that relate to this debate.
    The first was if I turn on someone else's cell phone, 
that's hacking, right? I'm hacking into their computer, hacking 
into their device so there may be adequate federal laws to 
cover that in the Computer Fraud and Abuse Act.
    When I use my own cell phone, we have to be very wary of 
getting into First Amendment territory where we say it's 
illegal to take a video or picture without the consent of those 
who are photographed, because the First Amendment will also 
speak to that.
    So when we are answering the question of why are we 
concerned in private spaces and not public spaces, our concern 
in public spaces is outweighed by other things. It is 
outweighed by the right to take film of what happens in public 
places for news reporting and it is outweighed by our notion 
that while we're concerned that a camera might follow us to the 
doctor's office, we are much more concerned that the 
conversation with the doctor is private and the hierarchy of 
protection, the fact that I went to my doctor is somewhat below 
what I said to my doctor. That's true about priests and that's 
true about attorneys and that's true about everyone where we 
have a privileged relationship.
    I'm sensitive to this and I'm suggesting that Congress 
target it, but in a more limited fashion than we treat some of 
these other things because there are unique differences in 
public spaces that don't exist in private spaces.
    Mr. Bankston. To be clear, I'm not suggesting that we 
regulate the taking of photographs in public. We are, like Mr. 
Zwillinger, very sensitive to First Amendment concerns in this 
area and do not in any way want to hinder legitimate news 
gathering activity that takes place in public.
    Mr. Cate. But Mr. Chairman, if I may, we currently apply 
Title III to prohibit the recording of conversations that take 
place in public if they take place with a manifestation of a 
reasonable expectation of privacy.
    So in fact this would be cutting back on the existing 
protection we already have in Title III. So there are settings 
in public where we regard something that takes place there as 
being nevertheless private.
    Of course the problem is categorizing. So even the state of 
undress, but if you have been to a beach recently, there is a 
great deal of state of undress going on there. So we would have 
to use these categories as a way of demonstrating I think a 
broader principle, namely the one already reflected in the law, 
a reasonable expectation of privacy so that a person undressing 
in a dressing room with a door around it would have an arguably 
reasonable expectation of privacy. A person undressing on a 
beach would presumably not have a reasonable expectation of 
privacy.
    It would not be determinative by whether they were 
undressing or by where they were located. It would be all of 
the circumstances that answer the reasonable expectation of 
privacy question.
    Chairman Specter. Professor Cate, the Supreme Court will 
soon hear argument in City of Ontario v. Quon, the case in 
which the Ontario California police department read text 
messages on papers given to its SWAT officers without a 
warrant.
    Will the Supreme Court's ruling in that case, which 
concerns employee privacy rights in the workplace, have any 
applicability on the issues which we have discussed today?
    Mr. Cate. I don't think so, Mr. Chairman. Again, because 
what we have been talking about today is primarily a vacuum in 
current law, and what the Supreme Court will be talking about 
is the application but of a clearly defined area of law.
    I would add, our conversation is largely focused on this as 
if it is a binary issue. You either can or you can't. But 
practical experience has demonstrated rarely does Title III 
result in a binary result, either yes or no.
    So, for example, the audio monitoring, the oral 
conversation monitoring provisions have led businesses that do 
audio monitoring to put warnings in their windows to say we do 
audio monitoring, thereby defeating the reasonable expectation 
of privacy so that it's legal for them to do it.
    It's not that they are prohibited from doing it, it is that 
they have to comply with some reasonable standard in order to 
do it.
    Mr. Richardson. Mr. Chairman, if I might.
    Chairman Specter. Go ahead, Mr. Richardson.
    Mr. Richardson. I would say with due respect that the 
Ontario California case may have some bearing here precisely 
because it relates to a case, the expectation of someone using 
an institutionally owned device in their private lives. I think 
that that is one area of expectation and I agree with my 
colleagues that expectation in terms of privacy is an important 
element.
    But I think as a practical matter increasingly people use, 
they don't want to carry two cell phones and so they tend, I 
mean, some of you may have to right now, but they do tend to 
intermingle regular life so to speak and their work lives.
    I don't think there is any way in today's world to 
disentangle those. So the context I think determines to some 
degree the expectation of privacy. The thorny part for 
institutional owners of these devices is how they can protect 
their own interests while still allowing and not getting 
involved in personal business that may be conducted on those 
devices.
    Chairman Specter. Mr. Cate, you have to depart shortly for 
a plane and we want to respect that.
    I want to get an idea from each of you experts as to at 
least the four of you who have said that the federal government 
should get into the picture, what would you propose that the 
federal legislation provide?
    Mr. Cate. Well, thank you very much and I apologize again 
for having to leave this very interesting discussion early.
    I would have to say that I am agnostic over the question of 
whether the legislation should address video surveillance 
within Title III or whether it does it in a separate piece of 
legislation.
    Chairman Specter. How does being agnostic affect that?
    Mr. Cate. Well, I certainly understand the argument why it 
would be better addressed in a separate piece of legislation.
    Chairman Specter. Which way would you go? We have plenty of 
paper.
    Mr. Cate. On the other hand, I think it is very difficult 
to get anything new passed through Congress. So amending an 
existing law strikes me as more likely to succeed and given 
that we've been at this for 25 years, it is time we need this 
change in the law. So I would be happy to see an amendment to 
Title III.
    I suggested one possibility in my written testimony to 
mirror the definition of oral communications but instead use it 
for video surveillance. I think there are other excellent 
approaches, but I think it can be done and I think it's time to 
do it.
    Chairman Specter. Mr. Zwillinger, how would you approach 
legislation?
    Mr. Zwillinger. I think I would commend the Delaware 
statute as a potential model. The Delaware state statute, one 
of the states that has taken on this issue, has passed a 
statute that does two things.
    It makes it a crime to capture without the consent of the 
person, the image of a person who is getting dressed or 
undressed in specific locations where persons normally disrobe 
and they have a reasonable expectation of privacy and it makes 
it a crime to install video surveillance in a private place 
without the consent of the people entitled to an expectation of 
privacy there.
    So it's limited by place in one aspect and the other aspect 
is limited by intent, the voyeuristic intent. I think that is 
the type of narrow targeted approach that if there is a federal 
hook for interstate commerce nexus that the federal government 
should consider.
    Chairman Specter. Mr. Bankston.
    Mr. Bankston. Unlike Mr. Cate, I'm not agnostic in terms of 
which statute would be the best home for something covering 
video surveillance. I do think Title III is the appropriate 
home if only because the courts have already been applying 
Title III's requirements in terms of law enforcement video 
surveillance.
    Like Mr. Cate, I think that the appropriate approach would 
be analogous to the way the statute currently handles oral 
communications hinging on one's expectation of privacy as to 
whether one will be photographed as opposed to recorded in 
terms of oral communications.
    Yes, so that's basically it. I think Title III should be 
amended to cover this conduct. I think that oral communications 
are the best analogy here. There will be some difficulties in 
mapping the video surveillance onto Title III because these are 
not communications and they do not have parties. But difficulty 
in drafting should not be a reason to not do this because it 
has been a quarter of a century and it is time to get the job 
done.
    Chairman Specter. And Mr. Richardson, what would your 
thinking be as to how to approach the statute.
    Mr. Richardson. Well, I think it may be somewhat to my 
credit that I'm not a legal expert, but to my way of thinking, 
the distinction made between oral and video interception of 
communications is a bit of a red herring, particularly when it 
comes to surveillance on devices like mobile computers.
    In the Lower Merion case, so far as we know, no audio was 
recorded, but as a practical matter generally when you turn on 
the webcam in a notebook, the audio does turn on. There may 
have been a choice on the receiving end and the storage end 
only to store one still frame, but almost certainly what was 
sent upstream across the Internet was video with audio.
    So trying to draw a distinction about whether that, what 
form that data took I think is probably misguided and I would 
agree with my colleagues that expectation and context are the 
relevant factors.
    Chairman Specter. Mr. Livingston, your work as you have 
noted is on recovery for property. Without getting unduly into 
the Lower Merion situation, there has been the thought that 
there is justification in the context of stolen laptops taken 
off premises with the intent not to return, whether that would 
be sufficient justification for turning them on to identify 
what has happened to them for purposes of recovering the 
property.
    Do you think that is a sufficient basis as a generalization 
for activating them and having whatever happens with respect to 
privacy happen?
    Mr. Livingston. In our framework we work with law 
enforcement. We do require the owner of the device that has 
been stolen to register that theft report with law enforcement 
and that begins the recovery process.
    Fundamentally we are most always working with stolen 
devices reported to Law Enforcement so we don't believe the 
unauthorized user of the device has any expectation of privacy 
at that point.
    Chairman Specter. I am advised that Mr. Robert Wegbreit is 
in the audience, a parent of a student from the Lower Merion 
school district. Is Mr. Wegbreit present? Would you care to 
step forward?
    Since you are here on this subject, have a chair. Would you 
care to make a statement?
    Mr. Wegbreit. Sure. My name is Bob Wegbreit.
    Chairman Specter. You are not compelled to make a 
statement.
    Mr. Wegbreit. That's fine.
    Chairman Specter. It is if you are interested and willing 
to make a statement.
    Mr. Wegbreit. I am willing to make a statement.
    Chairman Specter. I just didn't want to have you in the 
room without having the opportunity to say something if you 
wanted to do so.

   STATEMENT OF ROBERT WEGBREIT, PARENT, LOWER MERION SCHOOL 
                            DISTRICT

    Mr. Wegbreit. My name is Bob Wegbreit. My daughter, Anna 
Wegbreit, is a student at Harriton High School, one of Lower 
Merion school district high schools.
    Chairman Specter. When Strom Thurman used to preside over 
hearings like this, he would say pull the machine a little 
closer.
    Mr. Wegbreit. Thank you. First of all, Senator, thank you 
very much for holding this. It is a very important issue for 
our community.
    When this occurred, myself and three other parents formed a 
group, LMSDparents.org to see what the other parents felt about 
this. Since then, we have communicated with over 500 of the 
probably 1,800 or 1,900 families who have students at Lower 
Merion high schools.
    Overwhelmingly, the conversation was that we have excellent 
schools, that we want our children and other students 
throughout the country to have access to excellent technology 
and cutting edge technology.
    We also trust our educators, our administrators, our school 
board to the point that they have the best interest of our 
students' education and our students' welfare at heart. You 
would be surprised that unlike the headlines, if something 
truly damaging did occur to our students, however, the concern 
of what privacy breaches did occur were common throughout the 
comments that we have gotten from many of these parents.
    How do we protect and prevent this from happening with 
these type of privacy laws to our children?
    This morning I asked my daughter, if you knew that the 
webcams could be activated, what would we, what would she have 
done different? I'm very fortunate that she said daddy, I don't 
do anything inappropriate. However, that's not the answer that 
we need to look to as a community.
    I think the parents of the families that were affected 
learned that perhaps the webcam was activated in their 
household, they want it almost like cigarettes with a warning 
so that we can respond properly. But at the same time, like 
cigarettes we must recognize the second hand smoke concept that 
surveillance that occurs beyond the intended surveillance and 
is not anticipated by others in the room, in the property who 
have expected privacy, that must be addressed also.
    So those are the concerns of the community as we look at 
why was there a camera potentially on in our household but we 
didn't know that would have happened? At the same time we don't 
believe that our school district is anything but an excellent 
place to have our children educated. Thank you.
    Chairman Specter. Would you like to see federal legislation 
on this subject?
    Mr. Wegbreit. I would, because then we would all know where 
everything stands. What that legislation says, if the school 
district mandates my child have a laptop with a webcam and that 
they can turn that on at anytime, I don't agree with that, but 
at least we know and recognize it, we would maintain that 
laptop in a very specific area of the house which might be 
better than my daughter being in her bedroom on the laptop all 
evening.
    But we would know that and I think that's what the 
consistent tone of the parents that I've spoken to, I've been 
very fortunate to hear from so many of them both in personal 
communication and emails and signing a petition. They trust 
that the district knows what is in the best interest of our 
children, but we want to know what that interest is.
    Chairman Specter. Thank you very much, Mr. Wegbreit.
    Mr. Wegbreit. Thank you.
    Chairman Specter. We appreciate you being here. Let me go 
back to some broader questions with this group of experts here 
on, so much is swirling around in the news on cyberspace. What 
should we be doing to protect cyberspace? We see comments by 
the Secretary of Defense, Robert Gates, about the United States 
being at risk on invasions of cyberspace.
    Are any of the issues which we have discussed here today 
relevant on that subject? Mr. Zwillinger?
    Mr. Zwillinger. Well, in many ways it is a much broader 
topic than the question for the hearing. There are lots of 
things that we need to be doing to protect cyberspace and one 
of those things, one of those easy things is making cyberspace 
security a real focus of research and development and career 
technology in developing and putting America's smarts to work 
in a field that has for too long not been the number one 
priority in the country.
    So cybersecurity is a topic that is near and dear to my 
heart and there has been some federal legislation that has been 
proposed over time that makes some sense.
    The question that you've asked is a difficult one as to 
what extent this relates to that. I think that goes back to 
some of my opening remarks that we have an issue with trying to 
strike the right balance between privacy and security and 
despite Mr. Bankston's and my disagreement about the mechanism 
about Title III, we generally agree that for too long in many 
places that balance has been towards security.
    In cyberspace, we have a deficiency in both areas. That is 
our statutes aren't updated to protect privacy the way we would 
like in the cloud computing sphere when our data is stored with 
remote providers and our security posture is not where we would 
like it as well.
    I don't think that turning on or turning off remote video 
monitoring has anything to do with the need to secure our cyber 
infrastructure.
    One might think the more security you can have the better, 
but I don't know that remote video would help recover the 
laptop, I don't know that remote video helps us determine who 
the foreigners who may be attacking U.S. computer systems are.
    We can't turn on their videos, and if we could, I don't 
know what we'd learn from that. So it's a very difficult 
question, but I think cybersecurity and privacy in cyberspace 
are two priorities that we need to work towards together.
    Chairman Specter. Well, when we pick up the privacy issue, 
of course it is a totally different dimension on privacy, but 
that is what comes to mind. Any thinking on this, Mr. Bankston?
    Mr. Bankston. A couple of points. In one factual way, this 
is relevant to cybersecurity to the extent that laptop cameras 
and microphones pose another vulnerability. There was a story 
that was cited in my written testimony describing how a 
particular U.S. government website when visited would exploit 
vulnerabilities in Microsoft's web browser to install software 
that could among other things be used to activate a camera.
    But the broader and I think more important light that this 
sheds on the cybersecurity debate is that where there is 
surveillance capability, it can be abused. So I think it is 
very important in the cybersecurity bill that was just marked 
up in the Commerce Committee, there were clear delineations of 
what the President's power was, in particular making sure that 
the President in his authority to create and execute a 
cybersecurity emergency plan was not given any kind of express 
or implied exception to or authorization beyond the wire 
tapping and stored communications statutes.
    So the broader point, surveillance power can be abused and 
in dealing with cybersecurity, we need to be clear in our 
protections in terms of surveillance such that in securing our 
national infrastructure we do not also violate the privacy of 
American citizens.
    Chairman Specter. Mr. Richardson, care to venture into this 
field?
    Mr. Richardson. With pleasure. I think that cybersecurity 
is an area where we have in several instances better technology 
than we have deployed and part of the reason for that lack of 
deployment is lack of incentive. There isn't sufficient fear of 
liability or inadequate security as one example. So there may 
be opportunities to apply some legislative pressure to improve 
that situation.
    Additionally, I have long been an advocate of a better 
framework for identity management on the internet than simply 
the knowledge of who is engaging in any activity on the 
internet and I think that that helps create deterrents.
    The problem with it of course is that it also raises 
serious privacy concerns. There are I think ways to deal with 
that, but these are areas that are very murky in current 
legislation. So as it relates specifically to the issue of 
surveillance and video surveillance, it is clear that in the 
current environment that there will be and surely already is 
abuse.
    Solving some of the broader problems of cybersecurity may 
help curb that abuse as well.
    Chairman Specter. Mr. Livingston, would you care to comment 
on this subject?
    Mr. Livingston. No, Senator. I will leave it to the other 
experts. Thank you.
    Chairman Specter. Okay. One other subject which is in the 
stratosphere. All this battle between China and Google, while 
we are talking about the subject, there is a lot of wonderment 
by non-experts in the field.
    Mr. Zwillinger, dealing with China is a big, vast subject 
all by itself of which I'm doing a lot of work on with the 
International Trade Commission on unfair trade practices where 
China violates the international trade laws, takes our jobs, 
takes our money, loans it back to us. It's a big part of the 
United States now.
    You have this battle royal between Google and China. Maybe 
Google is the right entity to fight China as opposed to anybody 
else.
    What in this whole field of the internet and cyberspace 
would be applicable to maybe some evaluation as to what's 
happening with China or Google? Mr. Zwillinger, any thoughts?
    Mr. Zwillinger. One of the difficulties which is not China 
specific but deals with any U.S. company that goes abroad to 
offer its communication services is how it reconciles the need 
to follow the rules of the local government and the local space 
with the American principles about when data should be turned 
over and when it should be exposed.
    When you do business with China and Vietnam and other 
places, there comes a question of when companies like Google 
should turn over data. If you don't obey the local law 
enforcement and the local processes, you subject people there 
to problems, and if you do, you do things that maybe you 
wouldn't do in the United States.
    So it seems to be very difficult to take a topic that we 
struggle with which is privacy and security and try to export 
them to other countries without significant consequences and 
difficulty.
    I think what Google is struggling with is a combination of 
all those things. It's a combination of when do they listen to 
the Chinese government and when do they not and when do they 
turn off their entire system to people from China as a step to 
tell the Chinese government that we don't approve of your 
behavior.
    I recognize the difficulty of the question. I'm not sure I 
can give you any help in answering it.
    Chairman Specter. Any thinking on that, Mr. Bankston.
    Mr. Bankston. I mean, I guess certainly the China situation 
highlights the difficult role of communications intermediaries 
both in terms of maintaining their user's privacy and 
protecting their user's ability to express themselves in the 
face of a government that may not always be friendly to either 
of those ideas.
    I think it should reflect also on the fact that the 
companies are in the same situation here in the United States. 
Not to analogize the United States government to the Chinese 
government, but certainly even companies here are often placed 
in an awkward and difficult situation trying to balance the 
needs of their users and the privacy rights of their users with 
the requests of the government.
    So I think that one thing we need to look to here which we 
can't expect from China but we should expect from ourselves is 
greater transparency in terms of how the government accesses 
communications data from companies here in the United States.
    Looking at Title III for example, it is the one of the 
major electronic privacy statutes that requires any meaningful 
reporting about when the government is engaged in this kind of 
conduct.
    So we know when the government is wire tapping. We don't 
know, for example, when the government is acquiring search 
queries from Google or acquiring stored email or doing any 
other kind of surveillance that isn't wire tapping itself.
    So I think we should look for transparency here in the 
United States which we certainly won't be seeing from 
governments like China.
    Chairman Specter. Thank you. Mr. Richardson.
    Mr. Richardson. Mr. Chairman, I think that if you will 
recall the Google incident first came to light because Google 
felt that they had been attacked by some entity in China. They 
were unwilling to go so far as to venture to say that it was 
the Chinese government that was responsible. I don't think any 
of us here is in a position to say one way or the other.
    What is clear is that Google reacted as if that were the 
case. Their response was made to the Chinese government, or how 
they would conduct business in China. As such, what struck me 
was that these were attacks that were carried out against 
internet resources and infrastructure in the U.S. and in that 
U.S., largely the infrastructure that we are discussing today 
is privately owned.
    Therefore, the role of the government in dealing with these 
kinds of attacks is at this point somewhat unclear. I think in 
this instance it certainly appeared to me that the Department 
of State, for example, was caught somewhat flat footed. I 
didn't get the impression that they had been briefed that 
Google was going to come out in force before it happened.
    That kind of coordination I think is going to be 
increasingly important where the federal government makes clear 
its role, and of course the new legislation that has just been 
marked up I think does go some ways to addressing that.
    But when it comes to cyber relations as it were between 
government entities, there is I think a great deal of work to 
be done in defining what our federal posture is.
    Chairman Specter. Thank you, Mr. Richardson. Any comment on 
that, Mr. Livingston? Or final comment?
    Mr. Livingston. Senator, we have recovered computers in 
about 50 countries around the world. We haven't had a lot of 
experience with China, but we'd be happy to report back at some 
future date if and when we do.
    I'd just like to say that if there was a Title III new 
legislation that was considered, I would hope that there would 
be an exception for devices that were stolen. Again, we don't 
believe that somebody in possession of stolen property 
necessarily has an expectation of privacy.
    Chairman Specter. Without objection, I will place in the 
record a statement by Mr. Blake J. Robbins concerning the, as 
he puts it, the laptop embedded internet camera capable of 
activation while in students' homes and it is pressing the view 
``as technology continues to improve at light speed, the need 
to protect the sanctity of our home from invasion grows even 
more urgent. Consequently, we earnestly support legislation 
that will govern against and punish the misuse of any 
technology that would prevent any such electronic invasion.''
    From Mr. Blake Robbins. His mother, Holly Robbins, his dad, 
Richard Robbins, and his sister, Paige Robbins. That is a 
statement for the record from plaintiffs in the litigation.
    The testimony in my opinion has been very forceful on the 
point of a need for legislation. There is no doubt that there 
is a gap in existing federal law. The language of the 
constitution itself of the Fourth Amendment is in my judgment 
not sufficient. It was not sufficient for oral or wire tap 
information which led Congress to legislate under Title III.
    This Senator will accept the invitation of Judge Posner to 
legislate. I will be drafting legislation to introduce into the 
Senate to try to carry the gap which now exists. I think the 
testimony has been very forceful and we have tried to steer 
away from the Lower Merion situation, but when the gentleman is 
present in the courtroom, in the hearing room, I thought it 
appropriate to have him testify briefly and to put into the 
record the statement of one of the students of the family 
expressing the concern and looking for protection for privacy.
    Without any doubt, privacy is a very highly valued American 
value. It is a value of the utmost importance. My sense is that 
my colleagues will be responsive and have been alerted by this 
specific incident. But beyond that as the testimony of this 
very distinguished panel has demonstrated, there is a gap and 
it ought to be closed. After 25 years, it is time.
    That concludes our hearing. I appreciate your coming in. 
Thank you.
    [Whereupon, the hearing was adjourned.]
    [Submissions for the record follow.]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
                                 
