[Senate Hearing 111-601]
[From the U.S. Government Publishing Office]
S. Hrg. 111-601
VIDEO LAPTOP SURVEILLANCE: DOES TITLE III NEED TO BE UPDATED?
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
MARCH 29, 2010
__________
PHILADELPHIA, PENNSYLVANIA
__________
Serial No. J-111-83
__________
Printed for the use of the Committee on the Judiciary
----------
U.S. GOVERNMENT PRINTING OFFICE
58-268 PDF WASHINGTON : 2010
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin JEFF SESSIONS, Alabama
DIANNE FEINSTEIN, California ORRIN G. HATCH, Utah
RUSSELL D. FEINGOLD, Wisconsin CHARLES E. GRASSLEY, Iowa
CHARLES E. SCHUMER, New York JON KYL, Arizona
RICHARD J. DURBIN, Illinois LINDSEY GRAHAM, South Carolina
BENJAMIN L. CARDIN, Maryland JOHN CORNYN, Texas
SHELDON WHITEHOUSE, Rhode Island TOM COBURN, Oklahoma
AMY KLOBUCHAR, Minnesota
EDWARD E. KAUFMAN, Delaware
ARLEN SPECTER, Pennsylvania
AL FRANKEN, Minnesota
Bruce A. Cohen, Chief Counsel and Staff Director
Matt Miner, Republican Chief Counsel
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Specter, Hon. Arlen, a U.S. Senator from the State of
Pennsylvania................................................... 1
WITNESSES
Bankston, Kevin, Senior Staff Attorney, Electronic Frontier
Foundation, San Francisco, California.......................... 7
Cate, Fred H., Professor of Law and Director, Center for Applied
Cybersecurity Research, Indiana University Maurer School and
Law, Bloomington, Indiana...................................... 2
Livingston, John, Chairman and CEO, Absolute Software
Corporation, Vancouver, BC Canada.............................. 11
Richardson, Robert, Director, Computer Security Institute (CSI),
Swarthmore, Pennsylvania....................................... 9
Wegbreit, Robert, Parent, Lower Marion School District........... 22
Zwillinger, Marc, Partner, Zwillinger Genetski, LLP, Washington,
DC............................................................. 4
SUBMISSIONS FOR THE RECORD
Bankston, Kevin, Senior Staff Attorney, Electronic Frontier
Foundation, San Francisco, California, statement............... 28
Cate, Fred H., Professor of Law and Director, Center for Applied
Cybersecurity Research, Indiana University Maurer School and
Law, Bloomington, Indiana, statement........................... 40
Livingston, John, Chairman and CEO, Absolute Software
Corporation, Vancouver, BC Canada, statement................... 47
Richardson, Robert, Director, Computer Security Institute (CSI),
Swarthmore, Pennsylvania, statement............................ 49
Zwillinger, Marc, Partner, Zwillinger Genetski, LLP, Washington,
DC, statement.................................................. 53
VIDEO LAPTOP SURVEILLANCE: DOES TITLE III NEED TO BE UPDATED?
----------
MONDAY, MARCH 29, 2010
United States Senate,
Committee on the Judiciary,
Washington, DC
The Committee met, pursuant to notice, at 10:00 a.m., U.S.
District Court for the Eastern District of Pennsylvania
(Philadelphia), Courtroom 3B, Hon. Arlen Specter presiding.
OPENING STATEMENT OF HON. ARLEN SPECTER, A U.S. SENATOR FROM
THE STATE OF PENNSYLVANIA
Chairman Specter. Good morning ladies and gentlemen. The
hour of 10:00 having arrived, the Judiciary Subcommittee on
Crime & Drugs of the Senate Judiciary Committee will now
proceed with this hearing which has been entitled Video Laptop
Surveillance: Does Title III Need to Be Updated?
There was a recent incident at Lower Marion Township High
School where video laptops were taken from the school into
private residences and on one of these laptops it was activated
so that the surveillance can be conducted secretly or there
could be seen what was going on inside of private homes which
raises an issue of violation of privacy.
Privacy is one of our most prized values in our society
protected by the Fourth Amendment of the Constitution of the
United States and by a variety of federal statutes. The
incident raises a question as to whether the law has kept up
with technology or there to have been an interception of a
telephone communication it would violate federal law or there
have been a secret surveillance with sounds that would have
been a violation of federal law, but there appears to be a gap
where there was no sound but only an opportunity to watch what
people were doing inside a private residence.
Our inquiry here is not directed to this specific incident
or incidents or whether the school district acted properly or
whether there was any civil claim. There is litigation pending
in the federal court on that subject, but the inquiry of the
subcommittee is focused on the public policy question as to
whether federal law ought to be changed.
We have a very distinguished array of expert witnesses who
have traveled here from far and wide to give us their views on
this subject.
Professor Frederick H. Cate from the Indiana University
School of Law in Bloomington and Director of the Indiana
University Center for Applied Cybersecurity will be our lead
witness.
We will have testimony from Mr. Marc Zwillinger, founding
partner of Zwillinger Genetski, a law firm specializing in the
complex laws governing internet practices.
Mr. Kevin Bankston, Staff Attorney specializing in free
speech and privacy law with the Electronic Frontier Foundation.
Mr. Richardson, Mr. Robert Richardson, Director of Computer
Security Institute specializing in security trends and
strategies for protecting information.
Mr. Jack Livingston, Chairman and CEO of Vancouver based
Absolute Software Corporation.
We have a lot which is happening on the Internet and we
have a great deal which is happening in cyberspace, real issues
as to national security and related fields, a real issue to
commercial enterprises being able to protect their trade
secrets.
Looking back at one of the landmark decisions at American
Jurisprudence, Olmstead versus the United States Justice
Brandeis made a comment about a violation of Fourth Amendment
rights of the defendant stating that, ``In the application of a
constitution, our contemplation cannot be only of what has been
but of what may be.''
Justice Brandeis was prescient in so many ways and he was
here looking at a complex issue decades removed. When you talk
about the right of privacy, we live in a complex society. We
have been battling in Washington the issue of warrantless wire
taps, the power of the President under Article II as Commander
in Chief contrasted with the authority of Congress under
Article I on the Foreign Intelligence Surveillance Act in
cyberspace and the Internet, a very prized American valued
privacy is at issue here. We are going to try to find out where
we ought to head.
We turn now to our first witness, Professor Cate whom I
have already introduced in effect. Professor Cate, the floor is
yours.
STATEMENT OF FRED H. CATE, PROFESSOR OF LAW AND DIRECTOR,
CENTER FOR APPLIED CYBERSECURITY RESEARCH, INDIANA UNIVERSITY
MAURER SCHOOL OF LAW, BLOOMINGTON, INDIANA
Mr. Cate. Thank you very much, Mr. Chairman, and let me say
how much I appreciate both your holding this hearing on this
very important subject and your including me in it. It is a
privilege to also be on such a distinguished panel of other
commentators on this issue.
I have just three points which I will make quite briefly.
The first is there is no question but that Title III of the
Omnibus Crime Control and Safe Streets Act, what we refer to as
the Wire Tap Act, needs to be revised. It does not cover video,
unaccompanied surveillance video unaccompanied by sound, and
therefore in situations such as that which has given rise to
this hearing, those situations are not covered by the Wire Tap
Act.
The reality that the Wire Tap Act does not extend to video
or other optical surveillance if the sounds are not captured at
the same time has been highlighted in many prior situations in
which cameras were installed in bedrooms and bathrooms and
changing rooms and elsewhere causing some states to enact video
voyeurism laws.
To avoid this gap in the future, it is going to be
necessary to either amend the Wire Tap Act or to enact some
other standalone piece of legislation. But doing so is not
going to be quite as simple as it may sound because the Wire
Tap Act deals with intercepting communications between parties
and not the mere observation of parties or the observation of a
setting such as a bedroom. Therefore, it will also be critical
not to make any amendment to the Wire Tap Act so broad that it
restricts the use of security cameras in public, which serve a
very important purpose and one that I don't think anyone would
wish to eliminate.
So it is clear that the gap needs to be closed. It is less
clear precisely as to how that will be done, but it is
certainly Congress who will have to do it.
The second point I would like to make is that the alleged
use of the laptop camera to capture images of a student within
his home is only the most recent in a long series of events
that we have seen in which modern digital technologies are
deployed in ways that challenge both existing laws and our
existing understanding of privacy.
So RFID tags, GPS devices, cell phones and cell phone
cameras, OnStar and other vehicle assistance services, digital
audio and video surveillance technologies that have exploded in
cities largely thanks to federal funding and other technologies
are constantly challenging our understanding of what is and
what should be private.
So individual courts are grappling with these issues and
states are grappling with these issues, but increasingly it is
clear that it is the thoughtful intervention of Congress that
is necessary to resolve this conundrum.
In 2004, the Technology and Privacy Advisory Committee
which was appointed as an independent committee to oversee the
situation created by the Terrorism Information Awareness
Program and the Department of Defense concluded in its final
report current laws are often inadequate to address the new and
difficult challenges presented by dramatic developments and
information technologies and that inadequacy will only become
more acute as the storage of digital data and the ability to
search it continue to expand dramatically in the future.
That panel recommended, and I quote, ``It is time to update
the law to respond to new challenges.'' Now, that was 2004. I
think later this week we will be hearing from a large coalition
led by the Center for Democracy and Technology that has been
working for almost two years to develop specific principles
around which revision of these laws might be based.
I know that the members of that coalition are eager to work
with you and with members of this Subcommittee and the
Judiciary Committee to develop an appropriate and balanced
update to the law.
The final point that I would like to make is that there are
important steps that institutional providers, users of these
digital technologies can and should already be taking
irrespective of their specific legal obligations to diminish
the impact of those technologies on privacy and other protected
civil liberties.
For example, having in place written policies on the use
and the retention of the material, having in place oversight
mechanisms, audit tools, designated chief privacy officer or
chief compliance officer to ensure that those rules are being
followed, and in many ways perhaps most importantly, a level of
transparency so that any users of those technologies know what
they should reasonably expect when using them.
Now, I don't want to belabor those in this testimony, but I
think those are important not only for individual users to be
concerned with, but may also play an important role in whatever
form of legislative recommendation you and your colleagues
craft so that we see not merely a binary black and white on or
off--either it is private or it's not private--but rather we
see in place tools to help maximize privacy even while engaging
in surveillance that may be necessary or serve very important
values.
So my time is up. Let me say again how much I appreciate
your having launched this very important dialogue. Thank you,
sir.
Chairman Specter. Thank you very much, Professor Cate. Our
next witness is Mr. Mark Zwillinger, founding partner of
Zwillinger Genetski, a law firm specializing in the increasing
complex issues governing internet practices including wire
taps, Communication Act, privacy and spyware.
Thank you for coming, Mr. Zwillinger and we look forward to
your testimony.
STATEMENT OF MARC ZWILLINGER, PARTNER, ZWILLINGER GENETSKI,
L.L.P., WASHINGTON, DC
Mr. Zwillinger. Thank you, Chairman Specter. I'm pleased to
appear today to discuss the topic of amending Title III to
include video surveillance. My views on this issue come from my
prior experience as a federal prosecutor, my current work in
private practice in privacy and security issues and my role as
an adjunct law professor at Georgetown University Law Center.
Every so often we become aware of an incident like what
happened in Lower Marion that makes us question whether our
privacy laws are adequate. This past fall, similar concerns
came up when a man tracked ESPN reporter Erin Andrews around
the country, installing secret cameras in her hotel rooms and
capturing and uploading videos of her to the internet.
A review of recent cases demonstrates other abuses of
surveillance technology to film people in places where they
should expect privacy, including landlords who have secretly
videotaped tenants, hotel managers who have spied on guests,
and schools who have videotaped students in changing rooms.
Title III does not address these problems because silent
video surveillance is not covered by the statute. But while
it's tempting to conclude that Title III should prohibit this
behavior, amending it to do so would likely be a mistake.
Just as we are troubled that our remote video surveillance
of children can be possible in private places, we rely on
secret video surveillance to keep us safe--from the cameras
that protect our children at places like Hershey Park or Sesame
Place to the closed circuit TV cameras outside our apartments.
Silent video has become our extra set of eyes.
Companies regularly use technology such as silent video to
protect their employees and their property. Therefore, when we
consider how to prevent abuses of our surveillance, we must not
ban the uses of technology that does strike the right balance
between privacy and security.
Now, as written, Title III serves three distinct purposes.
It places limits on law enforcement, it defines what is a
federal crime and it creates a civil cause of action. But it
only does so with respect to wire communications like phone
calls, electronic communications like emails and oral
communications, like the things we say to each other in person.
Now, wire and electronic communications are covered in all
circumstances, but oral communications are only covered where
the speaker has a reasonable expectation that their
communication will be private.
Clearly we cannot equate videos and photos to wire and
electronic communications under Title III. This would make
thousands of security cameras in public places illegal and it
would turn parents and journalists and security professionals
into criminals. Therefore, video surveillance like oral
surveillance and oral communications would have to be
prohibited only where the person has a reasonable expectation
of privacy.
Even then, adding video to the Title III framework may
create more problems than it would solve. As to the government,
the Courts of Appeal have already held that video surveillance
in a private area must comport with the Fourth Amendment and
that search warrants for video surveillance must meet existing
Title III standards.
So when it's the government that's peering into citizen's
homes, the constitution may already provide an effective
remedy. But adding video to Title III would create tremendous
problems for the private sector.
Under Title III, the standard for when oral communications
may be recorded without consent is the same fact-based
reasonable expectation of privacy test under the Fourth
Amendment. So predicting in advance when it is acceptable to
record audio under this standard is difficult. That judicial
opinions teach us that the answer is frequently ``it depends''.
It depends on the location, it depends who is captured, what
they were doing, whether third parties would be anticipated to
be present, whether you needed technology to do the oral
surveillance, and more.
If you apply this body of existing case law to video
surveillance, it would raise very hard questions, especially in
those semi-secluded places where we do want video cameras, like
in elevators with no other passengers or in the locked
entrances of banks where ATMs may be located.
If Title III included video, every wrongdoer who was caught
on a security camera in these areas would challenge the
lawfulness of the surveillance. Evidence of crime in private
secluded spaces could be suppressed, companies could be held
liable and none would want to be on the hook for installing
cameras due to the risk of civil liability or criminal
punishment. This is one of the reasons why video surveillance
is silent today. The risk of capturing audio is too great.
Instead of Title III, there are more targeted alternatives
that could address the privacy concerns raised by the Lower
Marion and Erin Andrews examples without diminishing our
security.
Generally video seems to concern us most when it intrudes
in the home or an area where someone may be naked, when
legitimate surveillance tools are redirected for voyeurism and
when it involves children.
Legislation to prevent these first types of intrusions on
federal land was already enacted in the Video Voyeurism
Prevention Act of 2004 which prohibits voyeurism in areas where
people could reasonably be expected to change clothes without
prohibiting the legitimate use of surveillance in quasi-public
places.
This approach is not perfect. It doesn't cover all of the
examples where we wouldn't want video surveillance, but it
provides a better starting point than Title III for a
comprehensive federal statute that protects private spaces from
video intrusion.
Several other states have also tried to take on this
problem. Some examples are cited in my written testimony.
Delaware, for example, focuses on the place where the
surveillance is installed and whether people have a reasonable
expectation of privacy in that place.
These state laws, like the Video Voyeurism Prevention Act
could serve as a model for future federal legislation. Such
legislation could also have a safe harbor from liability for
organizations that use security cameras if they have adequate
controls to prevent against rogue uses of the technology.
In conclusion, the idea that our children can be subject to
video surveillance in private areas is troubling. But what
really bothers us about video surveillance is the fact that the
camera may catch us unaware or even undressed.
In the hierarchy of privacy protection, we should be more
focused on ensuring that our private thoughts, our
conversations, our phone calls, our emails and our instant
messages remain private and that neither the government nor
private individuals can get access to them without adequate
notice or probable cause to believe that we are committing a
crime.
There is no question that our privacy statutes are in need
of reform, especially to bring the privacy protections for
electronic communications into the modern age of computing. But
when we are addressing video surveillance, we need to carefully
craft legislation to target the specific harms we're going
after without eliminating the ability to use silent video for
security purposes.
Thank you for the opportunity to testify. I look forward to
answering your questions and working with the subcommittee.
Chairman Specter. Thank you, Mr. Zwillinger. Our next
witness is Mr. Kevin Bankston, Senior Staff Attorney
specializing in free speech and privacy laws with the
Electronic Frontier Foundation.
He has worked, he has focused on the impact of post 9/11
antiterrorism laws and surveillance initiatives on online
privacy and free expression.
We appreciate your coming in, Mr. Bankston and appreciate
your testimony.
STATEMENT OF KEVIN BANKSTON, SENIOR STAFF ATTORNEY, ELECTRONIC
FRONTIER FOUNDATION, SAN FRANCISCO, CALIFORNIA
Mr. Bankston. Thank you. Senator. Thank you. Good morning,
Chairman Specter, and thank you for inviting me to testify here
on behalf of the Electronic Frontier Foundation on this very
important subject.
Laptop cameras or webcams represent an awesomely useful new
technology. However, this new technology also carries with it
an awesome new privacy risk with millions upon millions of
laptops being carried with webcams routinely being carried into
the home and other private spaces.
Surreptitious video surveillance has become a newly
pervasive threat. Put simply, any camera controlled by software
on a computer that is connected to the internet carries the
risk that the camera will be remotely activated without the
knowledge of the user, whether by stalkers, computer criminals
or even foreign governments using malware or malicious software
to break into the computer and take control of the camera or by
schools or employers with the ability to install their own
software on their computer or by U.S. state or local government
law enforcement investigators attempting to monitor a suspect.
Recent allegations that school administrators of the Lower
Merion school district have secretly photographed students
inside their homes using the webcams on student's school-issued
laptops have put a spotlight on how this new technology puts
American's privacy at risk and should be a wake up call to
Congress to address a troubling gap in privacy law.
As the other commentators have noted, Title III, otherwise
known simply as the Wire Tap Act currently only regulates
electronic eavesdropping on private conversations and the wire
tapping of voice and electronic communications or in terms of
the statute, it only regulates the interception of oral, wire
or electronic communications.
It does not regulate the unconsented video surveillance of
private spaces as the legislative history makes clear and as
all seven federal circuit courts to consider the question have
held.
So, for example, secret monitoring of your email
transmissions, wiretapping of your telephone calls or secret
eavesdropping using a microphone hidden in your home, all of
these would violate Title III. However, the secret use of the
webcam or a radio controlled camera to photograph you inside
your home would not violate Title III because in such a case
there would be no oral, wire or electronic communication of
yours to be intercepted.
Even though such secret surveillance can be as invasive if
not more invasive than listening in on your conversations or
monitoring your internet communications, Title III simply
doesn't apply.
Judge Posner of the 7th Circuit who in 1984 in the Case of
U.S. v. Perez wrote the first Circuit Court opinion applying
this logic holding that Title III does not regulate video
observed in that opinion of course it is anomalous to have
detailed statutory regulation of bugging and wiretapping but
not of television surveillance in Title III.
We would think it a very good thing if Congress responded
to the issues discussed in this opinion by amending Title III
to bring television surveillance within its scope.
Over 25 years have passed since Judge Posner first
recommended such a change, but Congress has not yet acted even
though the threat of surreptitious video surveillance has
increased exponentially along with the number of internet
connected cameras.
We at EFF are therefore thankful to this subcommittee for
taking up the issue and reexamining the question of whether
Title III should be updated to regulate video surveillance
because, to put it bluntly, the current inapplicability to
Title III doesn't make sense.
It makes no sense that if the school administrators had
eavesdropped on student conversations at home using the
laptop's microphone or it intercepted a student's private video
chats they would have clearly violated Title III, but equally
invasive video spying is not regulated by the statute at all.
It also makes no sense that a public school or any other
governmental entity that wanted to legally spy on a student in
this matter would have to get a prosecutor to obtain a probable
cause warrant that satisfies Title III's core requirements in
order to comply with the Fourth Amendment, yet a private school
could do so without any regard to Title III at all.
Finally it makes no sense that Congress while strictly
regulating electronic eavesdropping would leave the regulation
of equally invasive video surveillance up to the states. As in
2003 when the Reporters Committee for Freedom of the Press last
surveyed the state of the law, only 13 states had passed
statutes expressly prohibiting the unauthorized installation or
use of cameras in private places, and several of those statutes
regulate cameras only in certain limited circumstances such as
in locker rooms or restrooms or where the purpose is to view
someone who is partially or fully nude.
One federal law mentioned by Mr. Zwillinger, the Video
Voyeurism Prevention Act of 2004, similarly restricts only
secret videotaping persons in a state of undress and only
applies in the special maritime and territorial jurisdiction of
the U.S. rather than applying generally.
It is EFF's opinion that in the face of the 21st Century
landscape literally littered with cameras that are vulnerable
to abuse, this kind of patchwork response to a growing
nationwide problem is increasingly unacceptable.
In conclusion, Mr. Chairman, the Committee asked us whether
Title III needs to be updated in light of video laptop spying
and EFF's answer is plainly yes. Title III should cover video
surveillance in private spaces where there is a reasonable
expectation that you won't be photographed.
We look forward to the possibility of working with the
subcommittee to update the law to regulate video surveillance
in a manner that appropriately balances the interest of privacy
and free expression and public safety, but would also echo the
comments of Professor Cate and Mr. Zwillinger that this is only
one area where our electronic privacy statutes need to be
updated. We look forward to an announcement hopefully this week
of this coalition's work which we are also a part of.
In the meantime, thank you again for having us and I look
forward to your questions.
Chairman Specter. Thank you, Mr. Bankston. Our next witness
is Mr. Robert Richardson, Director of Computer Security
Institute, a professional membership organization for
information security professionals.
That institute seeks to follow security trends and
recommend strategies for organizations seeking to protect their
information and technology.
Mr. Richardson, we appreciate your coming in. The floor is
yours.
STATEMENT OF ROBERT RICHARDSON, DIRECTOR, COMPUTER SECURITY
INSTITUTE (CSI), SWARTHMORE, PENNSYLVANIA
Mr. Richardson. Chairman Specter, thank you for inviting my
written statement and for this opportunity to speak to the
issue of video surveillance, particularly as it relates to
surveillance using common consumer mobile computing devices
such as notebooks, cell phones and personal digital assistants.
These devices, because of their ubiquity, clearly present
opportunities for enhanced communication, but they also
challenge our notion of security practices as they relate to
privacy and surveillance.
As Director of the Computer Security Institute, I am
engaged daily with these issues as they relate to organizations
that maintain large computer and network infrastructures.
The instigation for our discussion today was the desire of
one such organization to protect its computer assets, and as
one would probably expect, concern that mobile assets may be
lost or stolen is completely well-founded.
One project undertaken by the Computer Security Institute
over the past 14 years is an annual survey of our information
security professional community specifically within the United
States. In the most recent survey, 42 percent of 443
respondents said that their organizations had suffered the
theft of laptops or mobile devices in the previous year. Only
infection by malicious software or malware reported by 64
percent of the respondents was more prevalent.
Perhaps ironically the modus operandi of today's
sophisticated malware is not at all unlike that of the software
deployed by some organizations to monitor their notebook
computer assets. Both with tracking software and malware, this
fundamental level of direct control of the device is
transferred to a third party at a distance.
This transfer is achieved in both cases because malware and
tracking software have gained or been granted access to the
most extensive level of control of the computer, so called root
control.
Most issues of privacy and access within the confines of a
computer have at their root the issue of root access.
When the owner and primary user of a device are one in the
same, control and responsibility is easily understood and it is
the user who has control of the root account. But in the
instance of say an employer that loans a notebook to an
employee, the employer may well withhold root privileges from
the employee. This gives the employer more control over the
device than the user and indeed more control than the user may
be aware of such as the ability to remotely operate a built in
camera.
Root control may be abused in many ways, including by
surreptitious spying. But this notion of root control is a
necessary one and extended only slightly gives us an opening to
separate and protect different categories of use within a
device. There can be a category of work place use, for example,
that is entirely walled off from personal use.
There are multiple ways to achieve this that would be too
lengthy and technical a discussion to delve into here, but in
fact most Americans are already familiar with one such division
of control. Ninety five percent of cell phones sold each year
within the U.S. are locked phones meaning that their use is
controlled and restricted by the carrier that originally sold
the phone and that is providing service to it.
Using the phone for conversation or texting is understood
to be a context where the user is in control. That same user,
however, cannot update the core software that runs the phone.
The service provider can and does because the service provider
has what is in effect root control over the phone.
It is possible in short to lock down part of a system so
that the locked down element's function has a complete computer
system under themselves with separate software applications and
separate storage for files. That this lock down environment is
truly separate from the rest of the computer can be rigorously
demonstrated using well understood techniques based on advanced
forms of encryption as well as a computing framework known as
trusted computing.
Almost all notebook computers sold since 2004 include a
trusted platform module housed in a sealed, tamper proof
component within the computer. This provides a reliable
foundation for protected, high control partition of the
computer.
In the vast majority of cases, however, this TPM
functionality is not enabled and it would be disingenuous not
to note that trusted computer systems have raised a great deal
of controversy within the information security community.
This controversy, however, stems precisely from a fear that
third parties, parties such as Microsoft, will have
overreaching control over consumer owned PCs. This is not a
concern when we are speaking of an organizational owner
extending control over its own PCs. Within this lock down
system of third parties such as a school or employer, they have
an oasis of control. If they don't want to allow chat programs,
chat programs can be barred. If they don't want pornography
stored, they can scan for it and monitor employee use at will.
The user of that system will know that whenever they are using
the system in this workplace context, they may well be
monitored.
On the same system, however, it is possible to use what is
effectively a second computer that is not locked down or that
is locked down in a less restrictive way.
That we can create clear technical boundaries means that we
can by extension create clear legal boundaries. We have the
option to legislate in a way that recognizes the possibility of
such boundaries. By doing so, we can establish that the context
in which any kind of surveillance occurs is either clearly
within or outside legal bounds.
Once again, I appreciate the opportunity to discuss this
important issue and I will be happy to answer any questions.
Chairman Specter. Thank you, Mr. Richardson. Our final
witness is Mr. John Livingston, Chairman and CEO of Vancouver
based Absolute Software Corporation, a publicly traded global
company specializing in tracking, managing and protecting
computers and mobile devices and providing theft recovery. We
welcome you, Mr. Livingston, and look forward to your
testimony.
STATEMENT OF JOHN LIVINGSTON, CHAIRMAN AND CEO ABSOLUTE
SOFTWARE CORPORATION, VANCOUVER, BC, CANADA
Mr. Livingston. Chairman Specter, members of the
subcommittee, Absolute Software is pleased to have this
opportunity to discuss Absolute's products and services as well
as our protocols and policies as they relate to property
protection and privacy issues which is something that Absolute
values and cares deeply about.
I co-founded Absolute Software in 1994 with the notion that
individuals and businesses should be able to manage, secure and
recover the mobile devices, regardless of their physical
location.
Since that time, Absolute has developed one of the premiere
managed theft recovery services in the world. Our security as a
service solutions protect more than 5 million computers
worldwide for subscribers who range from individuals to large
public and private sector organizations.
To date, we have recovered over 13,500 stolen computers in
50 different countries with our flagship service, Computrace.
We average approximately 100 stolen computer recoveries each
week.
Absolute believes very strongly in protecting Computer
theft victims and mitigating the multiple downstream
consequences of computer theft. For an organization with a
stolen computer, the cost of hardware is really just the
beginning. In addition to the lost productivity and competitive
threats an organization experiences, an organization that
experiences a data breech may be subject to fines, media
scrutiny and a damaged reputation.
Computer theft has other costs and consequences, including
the potential theft of personal identifying information that
may later be sold or otherwise misused by identity thieves.
In fact, we have assisted the Philadelphia police on many
occasions. We have an inspector and detective with us today,
including cases where recovering laptop led to apprehending a
child pornographer or recovering illegal drugs, weapons and
stolen cash. This is not atypical.
Our case experience indicates that laptop thieves are often
involved with other very serious crimes, including child
pornography, identity theft, drug trafficking, home invasions,
and of course large scale burglaries that may involve public
school districts.
I will share a few brief examples. In San Diego, Computrace
assisted a school district in recovering 13 laptops that had
been stolen during a burglary. The thieves were also charged
with possession of methamphetamines and various parole
violations. In Chicago, Computrace uncovered an airline's
luggage handler theft ring at O'Hare Airport after which law
enforcement arrested five workers and recovered eight laptops,
four cameras, two GPS units and cash.
In Florida, Computrace helped to capture a career criminal
who had been burglarizing offices nationwide and taking up to
12 to 15 laptops at a time. He was sentenced to 10 years in
prison for his various crimes.
We believe our numerous successes are possible because our
post-theft recovery services are carried out by Absolute
trained theft recovery personnel. The theft recovery process
only begins when the customer reports their computer as stolen
to local law enforcement. Then the customer must report the
theft to Absolute, provide the police theft report file number
which is required before any theft recovery process begins, and
give their authorization to have Absolute's theft recovery team
start the investigation.
Our trained Computrace investigative team of law
enforcement veterans coordinate the computer theft recovery
process and cooperates with local law enforcement to recover
the stolen property and return it to its rightful owner.
We are ISO 27001 certified and have policies, procedures
and controls in place to protect customer data which I would be
happy to describe if that has interest to your committee.
Thus, our Computrace solution is premised upon a managed
theft recovery model that relies upon a filed police theft
report to open a case investigation which is then handled by
our staff of highly trained formal law enforcement personnel.
Some of our competitors instead offer end user solutions
which operate in a manner similar to the Lan Rev Theft Track
tool set where a purchaser such as an IT administrator at a
school district could choose to enable taking still images from
a laptop's Web cam.
Absolute did not itself offer Web cam functionality in its
Computrace product line because we did not see a need for such
a tool set in our very different and in our view, superior
managed theft recovery model.
We acquired Lan Rev's assets late last year for their
computer, inventory power management and asset management
functionality. Through a software patch offered to the theft
track customers we acquired, we removed the Web cam feature
earlier this year.
With that, I conclude my comments. Thank you, Senator, for
inviting me. I appreciate it very much and welcome your
questions.
Chairman Specter. Thank you, Mr. Livingston. Well, it is a
very intriguing, complex subject matter. I note the invitation
from Judge Posner of the Seventh Circuit, a very distinguished
federal judge in 1984 as the testimony has noted in inviting
Congress to deal with this gap in federal law, and I note
Professor Cate's comment that there is room for a ``thoughtful
intervention of Congress.''
That may limit Congress' role. It is not so funny
considering the legislation we passed last week and the public
disagreement with it, although our job is to call them as we
see them. In a representative democracy we have to make the
judgments, to consider our constituents, but ultimately to make
the judgments ourselves, we don't run by polling or public
opinion polls.
That raises a threshold question which I ask of each of
you. Does the passage of 25 years since Judge Posner's
invitation for Congress to fill the gap suggest that perhaps
Congress ought not to act? What do you think, Mr. Livingston?
Mr. Livingston. We believe the current legislation that is
in place, Senator, really does cover this well.
Chairman Specter. Which legislation in place do you think
covers it well?
Mr. Livingston. Well, the different federal legislation and
state legislation that's in place regarding how evidence might
be gathered.
Chairman Specter. But there is no federal legislation which
covers pure visual surveillance, is there?
Mr. Livingston. Senator, in our managed theft recovery
model where we are representing the owner of the device, it is
not a common carrier type situation.
We are actually able to locate a device with the owner's
permission in cooperation with law enforcement. We feel that
the existing law and the legal framework that's in place allows
owners of computers and private property to be able to get
their stolen computers back.
Chairman Specter. Well, that is where the issue is one of
ownership and retrieval. But suppose that is not an issue.
Suppose it is only a gap. The wire tap law says you can't have
the interception of a telephone call, you can't have
surreptitious surveillance, a secret surveillance if there is
an oral communication but it leaves open if it is just visual.
So if you don't have retrieval of property, isn't the gap
present?
Mr. Livingston. Sir, my only experience is representing the
owner, the legitimate owner of the device in the context of it
being lost or stolen. In that context, we have our internal
processes and procedures in place to be able to effect a stolen
computer recovery with the help of law enforcement. We work in
that framework and that's all I can really comment on.
Chairman Specter. All right. That's fair enough within the
purview of your experience, but there is a vast issue beyond
your own particular purview.
While we are, well, let me move to Mr. Richardson. Do you
think that the unanswered invitation, Judge Posner's unanswered
invitation for 25 years suggests that Congress ought to stay
out of it?
Mr. Richardson. No, Senator, I don't. I think that two
relevant changes that have occurred in the past 25 years that I
would point to are the vast increase in Internet connectivity
and specifically in high bandwidth Internet connectivity which
makes the transmission of video images easily accomplished
across the Internet in a way that was not possible when Judge
Posner made those remarks.
Additionally, I think the ubiquity of camera devices
embedded in mobile consumer goods is something that while it
may be a difference in degree, it is an extraordinarily large
degree of difference. I think basically there were no cell
phones 25 years ago with cameras and my suspicion is that every
cell phone in the room today has a camera, although I might be
wrong.
But I think those two differences are, they really create
an atmosphere that is ripe for abuse.
Chairman Specter. Mr. Bankston, what do you think? Should
the federal government stay out?
Mr. Bankston. No, Senator. First I agree with Mr.
Richardson that even if there were a good reason for Congress
not to intervene in this issue in the past, the changed
technological landscape really requires action here.
But I don't think that Congress made a reasoned decision to
stay out of this in that it had an opportunity in 1986 with the
Electronic Communications Privacy Act to make these updates. It
clearly did not based on the legislative history which
explicitly says this doesn't cover video surveillance.
Even though they noted Judge Posner's decision and other
decisions applying Title III's requirements to video
surveillance by law enforcement if only to satisfy the Fourth
Amendment.
I have not been able to find any explanation for why
Congress refrained from regulating video surveillance in 1986.
Chairman Specter. You have not found any explanation for
why Congress refrained from doing something?
Mr. Bankston. No.
Chairman Specter. Have you on any other occasion? I have
been there awhile and I haven't figured that one out myself.
Mr. Bankston. But I have my suspicions, Senator, and I
think it was simply a drafting difficulty. As in particular Mr.
Zwillinger pointed out----
Chairman Specter. Drafting difficulty?
Mr. Bankston. Well, a structural difficulty.
Chairman Specter. Weren't you available to help?
Mr. Bankston. I guess I was in high school back then.
Chairman Specter. Weren't you available to help?
Mr. Bankston. I am now available to help, Senator, if you'd
like. But I think the basic difficulty is that Title III in its
current structure protects the privacy of communications.
Here we are talking about trying to regulate something that
is not necessarily a communication. When you have
communications, you have parties and therefore you know whose
consent you need or whose expectation of privacy the question
should hinge on. So there is a structural difference between
them.
Chairman Specter. Not withstanding the structural
difference, you think Congress ought to be in it?
Mr. Bankston. Absolutely.
Chairman Specter. How about you, Mr. Zwillinger?
Mr. Zwillinger. Well, with due respect to Judge Posner and
Mr. Bankston, I do think it makes sense to treat video
differently.
If you think of one example, if the student's remote laptop
could be turned on to intercept emails, we would want that to
be illegal wherever the student is because they have a right to
send a private email, even in a public place.
But with regard to video, we don't have a problem with the
video being activated while the student is in the classroom or
at the mall. We have problems when it is activated in the home
or in the bathroom or in any other private place.
So I don't think Congress should stay out. I don't want you
to misinterpret. I think Congress should stay out of putting
video in Title III and Congress should focus on a narrow
targeted statute like the states have done to prevent video in
private spheres without interfering with the ability to have a
camera in an ATM or a camera in an elevator or even to turn on
a webcam remotely in the office so employers can monitor in the
office, just not at the home.
Chairman Specter. Professor Cate, would you keep the
federal government out? Or should the federal government be
legislating here?
Mr. Cate. Mr. Chairman, there is no question I believe the
federal government should be legislating in this area. I would
go far beyond what my colleague Mr. Zwillinger said because
this is not just a question of location.
Location matters. We certainly feel special about bedrooms
and bathrooms and changing rooms. But in the years in which,
between when Judge Posner wrote and today, we have seen a
proliferation of video cameras in every aspect of our lives.
We have the largest censored network in the world in the
video cameras contained in cell phones. We have major
investments by federal, local and state governments in video
cameras on street corners, video cameras with extraordinary
capabilities.
So, for example, facial recognition. So they say I know
that that is Senator Specter walking down that street. We have
linked video cameras so they can follow you from one street
corner to the next.
When you go into your doctor's office, they can follow you
in. They can link that together. We see major cities now,
Chicago, for example, where private industry has linked its
video cameras with government controlled cameras so that a
government agent sitting in a bunker can access a business's
cameras for the purpose of following people as they move.
In the workplace, the presence of cameras there while I
certainly agree there may be a different expectation of privacy
in the workplace, even the Supreme Court, no great friend of
privacy, has found there is an expectation of privacy in the
workplace.
So before an employer could turn on a camera that would
surreptitiously record me in the workplace, presumably there
should be some process there and that is process that I think
Congress is in the best position to create.
Chairman Specter. Well, Professor Cate, as you described a
hypothetical camera following a person through all the person's
activities and to the doctor's office, to wherever he or she
may go, that's a pretty ominous big brother scenario.
Mr. Cate. Yes, sir, Senator. I think it is quite ominous. I
want to be clear.
Chairman Specter. Quite ominous.
Mr. Cate. Well, it is not, frankly, nearly as onerous as it
is ominous because today the digital technology makes it much
simpler now that we are beginning to link these cameras.
Moreover, many of these cameras, in fact the majority----
Chairman Specter. We are onerous and ominous. Would you
amplify that?
Mr. Cate. Well, I think it is both a, it is a tremendous
burden on civil liberties that individuals may effectively have
no expectation of privacy. They may be identified, they may be
linked to who they are talking to, they may be linked to where
they are going. Even though many of those activities occur in
public.
Chairman Specter. So you think it ought not to turn on an
expectation?
Mr. Cate. I think it ought not to turn on a location. I
think an expectation might be entirely appropriate. So that,
for example, and as I suggested in my written statement, just
as we define oral communications under Title III based in part
on a reasonable expectation that a conversation will not be
overheard, we could define video surveillance as occurring in
an area where there is a reasonable expectation that one would
not be the subject of video surveillance.
Chairman Specter. Well, if you say when you are walking
down the street there is no expectation of privacy, if you say
when you are in the elevator there is no expectation of
privacy, certainly if you go into your doctor's office there is
an expectation of privacy, but perhaps even in the
circumstances where there is no expectation of privacy, if you
aggregate them and put them all together and have a whole
profile on a person, does that change the, is that a game
changer?
Mr. Cate. Yes, sir. I believe it can be. I don't believe in
every instance it must be, but I think that is the type of
place where the protection of privacy would benefit enormously
for some process around that so that we would say before an
agent could do those things, we would like to know is there
individualized suspicion, for example.
Let me just give you a very practical example. The Province
of Ontario in Canada uses video surveillance extensively
including on its public transportation, but they have a rule
that they use a technology that obfuscates the face when the
video is recorded and you can only get the technological screen
removed from the face if you meet certain legal conditions.
So they have it, they are capturing it. It is all there.
But they have protected it with a small technological
protection which offers great privacy protection.
Chairman Specter. The comment was made about how many cell
phones there are available. What is realistic to have some
limitation, an enforceable limitation on cell phones?
There is a big sign in my health club, no cell phone
cameras inside the premises. I had not thought of the cell
phone camera beforehand, but there are so many. How do you deal
with that? Mr. Richardson, do you care to venture?
Mr. Richardson. Yes, Senator. In my own view, I think it's
important, we have talked about the importance of place. I also
think there is an opportunity to think about the context of the
use of the device.
So while I don't think there is any effective way to
legislate what people do with a cell phone that has a camera in
it, I do think there are ways to legislate what they do with
any video that they happen to take with those cameras and that
the use of it either by the owner or by a third party could be
determined in part by context. By that I mean if someone is
using a work issued device whether it's a cell phone with a
camera or a notebook, they could be clearly told that when they
were using that in a workplace context that they might be
monitored or the camera might be turned on.
I'm not saying that that would be good policy for a
company, but it might be legal. In a sort of private workplace,
not workplace, but personal environment, the use of that video
captured capability without the consent of parties who appear
in the video I think would be something that could be made
unlawful.
Chairman Specter. Are there sufficient laws now to deal
with the issue of pornography and videotaping?
Mr. Richardson. Are you asking me, Senator?
Chairman Specter. Yes.
Mr. Richardson. I would venture to say this. That with
particular emphasis on child pornography, that is one area in
the realm of computer security where there have been laudable
results and a reduction in overall crime detection that the
sort of single mindedness of purpose and the broad deployment
of crime fighting capabilities worldwide really did see some
results there.
Chairman Specter. So as to child pornography, you think we
are, we have sufficient laws? Does anybody disagree with that?
Professor Cate?
Mr. Cate. No, sir. I don't disagree with that.
Chairman Specter. Mr. Zwillinger.
Mr. Zwillinger. No, sir, I do not disagree.
Chairman Specter. Mr. Bankston.
Mr. Bankston. No disagreement.
Chairman Specter. Mr. Livingston.
Mr. Livingston. No.
Chairman Specter. There has been a bit of conversation on
focusing on the right of privacy in the state of undress. Is
that suggestive of a category of privacy where legislation
might be directed to specific categories, undress being one and
others like that specific situation which would limit the scope
of legislation? Mr. Zwillinger, you are nodding in the
affirmative?
Mr. Zwillinger. I am, Mr. Chairman. I do think that's a
useful limiting principle because we think about what bothers
us about video, we think about private spaces. When we think
about truly private spaces, they are spaces in which we feel
comfortable doing things like changing clothes.
It's not because the statute should only be geared towards
voyeurism, it's because that defines a category of location
where we are truly worried about privacy because we don't
generally do that in public places. Change our clothes, that
is.
Chairman Specter. Any other category come to mind, Mr.
Zwillinger, like undress which would be one for specific
inclusion?
Mr. Zwillinger. The other is the home certainly. Maybe you
won't undress in your kitchen, but as the homeowner you
certainly have a reasonable expectation that your home is
sacrosanct, vis-a-vis third parties.
Chairman Specter. And how about your office?
Mr. Zwillinger. I think less so, Mr. Chairman.
Chairman Specter. Why?
Mr. Zwillinger. One of the problems with the case law about
offices is employers also have an interest in protecting the
security of their work space, protecting their employees,
protecting their property.
So work spaces vary dramatically from federal government
spaces with signs that say ``everything may be monitored'' to
private companies with thousands of employees where they are
monitoring product to small businesses like mine where we have
ten employees.
So the circumstances are so different that trying to
determine when somebody has a reasonable expectation of privacy
in a hallway in front of an office, in a break area, in a
kitchen, in an entranceway, it becomes very difficult to answer
the questions that my clients ask in advance, which is ``can I
put up a camera here to prevent theft? ''
So I think offices are different than homes and locker
rooms and bathrooms.
Chairman Specter. Anybody disagree with the office?
Mr. Bankston. Yes, sir. I mean, I respectfully disagree to
the extent that certainly the question of an expectation of
privacy is often a case by case, very fact dependent inquiry.
But it is the same type of inquiry that courts have been
engaged in for over 40 years when considering electronic
eavesdropping. It's not an insurmountable problem or something
that people cannot prepare for.
I am less worried that people will be chilled from engaging
in what would have been legitimate security video surveillance.
Rather, I expect that a prohibition on video surveillance where
there is an expectation of privacy would instead incentivize
people to better notify those who are being put under
surveillance.
Another point is I am wary of limiting our privacy
protections based on whether we are in a state of undress or
otherwise in a state of undress in that we don't distinguish in
Title III when it comes to eavesdropping or wire tapping
whether or not our conversations are particularly sensitive or
what content they contain.
The question is whether these are private communications or
not. Here the question is whether someone has an expectation of
privacy that they are going to be photographed or not. I don't
see why our privacy protection should turn on what amount of
clothing we are wearing.
Mr. Zwillinger. Mr. Chairman, may I respond briefly?
Chairman Specter. Sure.
Mr. Zwillinger. You asked the question before about cell
phones and the cameras that are ubiquitous in cell phone
technology. When you did that, there are three things about
that that relate to this debate.
The first was if I turn on someone else's cell phone,
that's hacking, right? I'm hacking into their computer, hacking
into their device so there may be adequate federal laws to
cover that in the Computer Fraud and Abuse Act.
When I use my own cell phone, we have to be very wary of
getting into First Amendment territory where we say it's
illegal to take a video or picture without the consent of those
who are photographed, because the First Amendment will also
speak to that.
So when we are answering the question of why are we
concerned in private spaces and not public spaces, our concern
in public spaces is outweighed by other things. It is
outweighed by the right to take film of what happens in public
places for news reporting and it is outweighed by our notion
that while we're concerned that a camera might follow us to the
doctor's office, we are much more concerned that the
conversation with the doctor is private and the hierarchy of
protection, the fact that I went to my doctor is somewhat below
what I said to my doctor. That's true about priests and that's
true about attorneys and that's true about everyone where we
have a privileged relationship.
I'm sensitive to this and I'm suggesting that Congress
target it, but in a more limited fashion than we treat some of
these other things because there are unique differences in
public spaces that don't exist in private spaces.
Mr. Bankston. To be clear, I'm not suggesting that we
regulate the taking of photographs in public. We are, like Mr.
Zwillinger, very sensitive to First Amendment concerns in this
area and do not in any way want to hinder legitimate news
gathering activity that takes place in public.
Mr. Cate. But Mr. Chairman, if I may, we currently apply
Title III to prohibit the recording of conversations that take
place in public if they take place with a manifestation of a
reasonable expectation of privacy.
So in fact this would be cutting back on the existing
protection we already have in Title III. So there are settings
in public where we regard something that takes place there as
being nevertheless private.
Of course the problem is categorizing. So even the state of
undress, but if you have been to a beach recently, there is a
great deal of state of undress going on there. So we would have
to use these categories as a way of demonstrating I think a
broader principle, namely the one already reflected in the law,
a reasonable expectation of privacy so that a person undressing
in a dressing room with a door around it would have an arguably
reasonable expectation of privacy. A person undressing on a
beach would presumably not have a reasonable expectation of
privacy.
It would not be determinative by whether they were
undressing or by where they were located. It would be all of
the circumstances that answer the reasonable expectation of
privacy question.
Chairman Specter. Professor Cate, the Supreme Court will
soon hear argument in City of Ontario v. Quon, the case in
which the Ontario California police department read text
messages on papers given to its SWAT officers without a
warrant.
Will the Supreme Court's ruling in that case, which
concerns employee privacy rights in the workplace, have any
applicability on the issues which we have discussed today?
Mr. Cate. I don't think so, Mr. Chairman. Again, because
what we have been talking about today is primarily a vacuum in
current law, and what the Supreme Court will be talking about
is the application but of a clearly defined area of law.
I would add, our conversation is largely focused on this as
if it is a binary issue. You either can or you can't. But
practical experience has demonstrated rarely does Title III
result in a binary result, either yes or no.
So, for example, the audio monitoring, the oral
conversation monitoring provisions have led businesses that do
audio monitoring to put warnings in their windows to say we do
audio monitoring, thereby defeating the reasonable expectation
of privacy so that it's legal for them to do it.
It's not that they are prohibited from doing it, it is that
they have to comply with some reasonable standard in order to
do it.
Mr. Richardson. Mr. Chairman, if I might.
Chairman Specter. Go ahead, Mr. Richardson.
Mr. Richardson. I would say with due respect that the
Ontario California case may have some bearing here precisely
because it relates to a case, the expectation of someone using
an institutionally owned device in their private lives. I think
that that is one area of expectation and I agree with my
colleagues that expectation in terms of privacy is an important
element.
But I think as a practical matter increasingly people use,
they don't want to carry two cell phones and so they tend, I
mean, some of you may have to right now, but they do tend to
intermingle regular life so to speak and their work lives.
I don't think there is any way in today's world to
disentangle those. So the context I think determines to some
degree the expectation of privacy. The thorny part for
institutional owners of these devices is how they can protect
their own interests while still allowing and not getting
involved in personal business that may be conducted on those
devices.
Chairman Specter. Mr. Cate, you have to depart shortly for
a plane and we want to respect that.
I want to get an idea from each of you experts as to at
least the four of you who have said that the federal government
should get into the picture, what would you propose that the
federal legislation provide?
Mr. Cate. Well, thank you very much and I apologize again
for having to leave this very interesting discussion early.
I would have to say that I am agnostic over the question of
whether the legislation should address video surveillance
within Title III or whether it does it in a separate piece of
legislation.
Chairman Specter. How does being agnostic affect that?
Mr. Cate. Well, I certainly understand the argument why it
would be better addressed in a separate piece of legislation.
Chairman Specter. Which way would you go? We have plenty of
paper.
Mr. Cate. On the other hand, I think it is very difficult
to get anything new passed through Congress. So amending an
existing law strikes me as more likely to succeed and given
that we've been at this for 25 years, it is time we need this
change in the law. So I would be happy to see an amendment to
Title III.
I suggested one possibility in my written testimony to
mirror the definition of oral communications but instead use it
for video surveillance. I think there are other excellent
approaches, but I think it can be done and I think it's time to
do it.
Chairman Specter. Mr. Zwillinger, how would you approach
legislation?
Mr. Zwillinger. I think I would commend the Delaware
statute as a potential model. The Delaware state statute, one
of the states that has taken on this issue, has passed a
statute that does two things.
It makes it a crime to capture without the consent of the
person, the image of a person who is getting dressed or
undressed in specific locations where persons normally disrobe
and they have a reasonable expectation of privacy and it makes
it a crime to install video surveillance in a private place
without the consent of the people entitled to an expectation of
privacy there.
So it's limited by place in one aspect and the other aspect
is limited by intent, the voyeuristic intent. I think that is
the type of narrow targeted approach that if there is a federal
hook for interstate commerce nexus that the federal government
should consider.
Chairman Specter. Mr. Bankston.
Mr. Bankston. Unlike Mr. Cate, I'm not agnostic in terms of
which statute would be the best home for something covering
video surveillance. I do think Title III is the appropriate
home if only because the courts have already been applying
Title III's requirements in terms of law enforcement video
surveillance.
Like Mr. Cate, I think that the appropriate approach would
be analogous to the way the statute currently handles oral
communications hinging on one's expectation of privacy as to
whether one will be photographed as opposed to recorded in
terms of oral communications.
Yes, so that's basically it. I think Title III should be
amended to cover this conduct. I think that oral communications
are the best analogy here. There will be some difficulties in
mapping the video surveillance onto Title III because these are
not communications and they do not have parties. But difficulty
in drafting should not be a reason to not do this because it
has been a quarter of a century and it is time to get the job
done.
Chairman Specter. And Mr. Richardson, what would your
thinking be as to how to approach the statute.
Mr. Richardson. Well, I think it may be somewhat to my
credit that I'm not a legal expert, but to my way of thinking,
the distinction made between oral and video interception of
communications is a bit of a red herring, particularly when it
comes to surveillance on devices like mobile computers.
In the Lower Merion case, so far as we know, no audio was
recorded, but as a practical matter generally when you turn on
the webcam in a notebook, the audio does turn on. There may
have been a choice on the receiving end and the storage end
only to store one still frame, but almost certainly what was
sent upstream across the Internet was video with audio.
So trying to draw a distinction about whether that, what
form that data took I think is probably misguided and I would
agree with my colleagues that expectation and context are the
relevant factors.
Chairman Specter. Mr. Livingston, your work as you have
noted is on recovery for property. Without getting unduly into
the Lower Merion situation, there has been the thought that
there is justification in the context of stolen laptops taken
off premises with the intent not to return, whether that would
be sufficient justification for turning them on to identify
what has happened to them for purposes of recovering the
property.
Do you think that is a sufficient basis as a generalization
for activating them and having whatever happens with respect to
privacy happen?
Mr. Livingston. In our framework we work with law
enforcement. We do require the owner of the device that has
been stolen to register that theft report with law enforcement
and that begins the recovery process.
Fundamentally we are most always working with stolen
devices reported to Law Enforcement so we don't believe the
unauthorized user of the device has any expectation of privacy
at that point.
Chairman Specter. I am advised that Mr. Robert Wegbreit is
in the audience, a parent of a student from the Lower Merion
school district. Is Mr. Wegbreit present? Would you care to
step forward?
Since you are here on this subject, have a chair. Would you
care to make a statement?
Mr. Wegbreit. Sure. My name is Bob Wegbreit.
Chairman Specter. You are not compelled to make a
statement.
Mr. Wegbreit. That's fine.
Chairman Specter. It is if you are interested and willing
to make a statement.
Mr. Wegbreit. I am willing to make a statement.
Chairman Specter. I just didn't want to have you in the
room without having the opportunity to say something if you
wanted to do so.
STATEMENT OF ROBERT WEGBREIT, PARENT, LOWER MERION SCHOOL
DISTRICT
Mr. Wegbreit. My name is Bob Wegbreit. My daughter, Anna
Wegbreit, is a student at Harriton High School, one of Lower
Merion school district high schools.
Chairman Specter. When Strom Thurman used to preside over
hearings like this, he would say pull the machine a little
closer.
Mr. Wegbreit. Thank you. First of all, Senator, thank you
very much for holding this. It is a very important issue for
our community.
When this occurred, myself and three other parents formed a
group, LMSDparents.org to see what the other parents felt about
this. Since then, we have communicated with over 500 of the
probably 1,800 or 1,900 families who have students at Lower
Merion high schools.
Overwhelmingly, the conversation was that we have excellent
schools, that we want our children and other students
throughout the country to have access to excellent technology
and cutting edge technology.
We also trust our educators, our administrators, our school
board to the point that they have the best interest of our
students' education and our students' welfare at heart. You
would be surprised that unlike the headlines, if something
truly damaging did occur to our students, however, the concern
of what privacy breaches did occur were common throughout the
comments that we have gotten from many of these parents.
How do we protect and prevent this from happening with
these type of privacy laws to our children?
This morning I asked my daughter, if you knew that the
webcams could be activated, what would we, what would she have
done different? I'm very fortunate that she said daddy, I don't
do anything inappropriate. However, that's not the answer that
we need to look to as a community.
I think the parents of the families that were affected
learned that perhaps the webcam was activated in their
household, they want it almost like cigarettes with a warning
so that we can respond properly. But at the same time, like
cigarettes we must recognize the second hand smoke concept that
surveillance that occurs beyond the intended surveillance and
is not anticipated by others in the room, in the property who
have expected privacy, that must be addressed also.
So those are the concerns of the community as we look at
why was there a camera potentially on in our household but we
didn't know that would have happened? At the same time we don't
believe that our school district is anything but an excellent
place to have our children educated. Thank you.
Chairman Specter. Would you like to see federal legislation
on this subject?
Mr. Wegbreit. I would, because then we would all know where
everything stands. What that legislation says, if the school
district mandates my child have a laptop with a webcam and that
they can turn that on at anytime, I don't agree with that, but
at least we know and recognize it, we would maintain that
laptop in a very specific area of the house which might be
better than my daughter being in her bedroom on the laptop all
evening.
But we would know that and I think that's what the
consistent tone of the parents that I've spoken to, I've been
very fortunate to hear from so many of them both in personal
communication and emails and signing a petition. They trust
that the district knows what is in the best interest of our
children, but we want to know what that interest is.
Chairman Specter. Thank you very much, Mr. Wegbreit.
Mr. Wegbreit. Thank you.
Chairman Specter. We appreciate you being here. Let me go
back to some broader questions with this group of experts here
on, so much is swirling around in the news on cyberspace. What
should we be doing to protect cyberspace? We see comments by
the Secretary of Defense, Robert Gates, about the United States
being at risk on invasions of cyberspace.
Are any of the issues which we have discussed here today
relevant on that subject? Mr. Zwillinger?
Mr. Zwillinger. Well, in many ways it is a much broader
topic than the question for the hearing. There are lots of
things that we need to be doing to protect cyberspace and one
of those things, one of those easy things is making cyberspace
security a real focus of research and development and career
technology in developing and putting America's smarts to work
in a field that has for too long not been the number one
priority in the country.
So cybersecurity is a topic that is near and dear to my
heart and there has been some federal legislation that has been
proposed over time that makes some sense.
The question that you've asked is a difficult one as to
what extent this relates to that. I think that goes back to
some of my opening remarks that we have an issue with trying to
strike the right balance between privacy and security and
despite Mr. Bankston's and my disagreement about the mechanism
about Title III, we generally agree that for too long in many
places that balance has been towards security.
In cyberspace, we have a deficiency in both areas. That is
our statutes aren't updated to protect privacy the way we would
like in the cloud computing sphere when our data is stored with
remote providers and our security posture is not where we would
like it as well.
I don't think that turning on or turning off remote video
monitoring has anything to do with the need to secure our cyber
infrastructure.
One might think the more security you can have the better,
but I don't know that remote video would help recover the
laptop, I don't know that remote video helps us determine who
the foreigners who may be attacking U.S. computer systems are.
We can't turn on their videos, and if we could, I don't
know what we'd learn from that. So it's a very difficult
question, but I think cybersecurity and privacy in cyberspace
are two priorities that we need to work towards together.
Chairman Specter. Well, when we pick up the privacy issue,
of course it is a totally different dimension on privacy, but
that is what comes to mind. Any thinking on this, Mr. Bankston?
Mr. Bankston. A couple of points. In one factual way, this
is relevant to cybersecurity to the extent that laptop cameras
and microphones pose another vulnerability. There was a story
that was cited in my written testimony describing how a
particular U.S. government website when visited would exploit
vulnerabilities in Microsoft's web browser to install software
that could among other things be used to activate a camera.
But the broader and I think more important light that this
sheds on the cybersecurity debate is that where there is
surveillance capability, it can be abused. So I think it is
very important in the cybersecurity bill that was just marked
up in the Commerce Committee, there were clear delineations of
what the President's power was, in particular making sure that
the President in his authority to create and execute a
cybersecurity emergency plan was not given any kind of express
or implied exception to or authorization beyond the wire
tapping and stored communications statutes.
So the broader point, surveillance power can be abused and
in dealing with cybersecurity, we need to be clear in our
protections in terms of surveillance such that in securing our
national infrastructure we do not also violate the privacy of
American citizens.
Chairman Specter. Mr. Richardson, care to venture into this
field?
Mr. Richardson. With pleasure. I think that cybersecurity
is an area where we have in several instances better technology
than we have deployed and part of the reason for that lack of
deployment is lack of incentive. There isn't sufficient fear of
liability or inadequate security as one example. So there may
be opportunities to apply some legislative pressure to improve
that situation.
Additionally, I have long been an advocate of a better
framework for identity management on the internet than simply
the knowledge of who is engaging in any activity on the
internet and I think that that helps create deterrents.
The problem with it of course is that it also raises
serious privacy concerns. There are I think ways to deal with
that, but these are areas that are very murky in current
legislation. So as it relates specifically to the issue of
surveillance and video surveillance, it is clear that in the
current environment that there will be and surely already is
abuse.
Solving some of the broader problems of cybersecurity may
help curb that abuse as well.
Chairman Specter. Mr. Livingston, would you care to comment
on this subject?
Mr. Livingston. No, Senator. I will leave it to the other
experts. Thank you.
Chairman Specter. Okay. One other subject which is in the
stratosphere. All this battle between China and Google, while
we are talking about the subject, there is a lot of wonderment
by non-experts in the field.
Mr. Zwillinger, dealing with China is a big, vast subject
all by itself of which I'm doing a lot of work on with the
International Trade Commission on unfair trade practices where
China violates the international trade laws, takes our jobs,
takes our money, loans it back to us. It's a big part of the
United States now.
You have this battle royal between Google and China. Maybe
Google is the right entity to fight China as opposed to anybody
else.
What in this whole field of the internet and cyberspace
would be applicable to maybe some evaluation as to what's
happening with China or Google? Mr. Zwillinger, any thoughts?
Mr. Zwillinger. One of the difficulties which is not China
specific but deals with any U.S. company that goes abroad to
offer its communication services is how it reconciles the need
to follow the rules of the local government and the local space
with the American principles about when data should be turned
over and when it should be exposed.
When you do business with China and Vietnam and other
places, there comes a question of when companies like Google
should turn over data. If you don't obey the local law
enforcement and the local processes, you subject people there
to problems, and if you do, you do things that maybe you
wouldn't do in the United States.
So it seems to be very difficult to take a topic that we
struggle with which is privacy and security and try to export
them to other countries without significant consequences and
difficulty.
I think what Google is struggling with is a combination of
all those things. It's a combination of when do they listen to
the Chinese government and when do they not and when do they
turn off their entire system to people from China as a step to
tell the Chinese government that we don't approve of your
behavior.
I recognize the difficulty of the question. I'm not sure I
can give you any help in answering it.
Chairman Specter. Any thinking on that, Mr. Bankston.
Mr. Bankston. I mean, I guess certainly the China situation
highlights the difficult role of communications intermediaries
both in terms of maintaining their user's privacy and
protecting their user's ability to express themselves in the
face of a government that may not always be friendly to either
of those ideas.
I think it should reflect also on the fact that the
companies are in the same situation here in the United States.
Not to analogize the United States government to the Chinese
government, but certainly even companies here are often placed
in an awkward and difficult situation trying to balance the
needs of their users and the privacy rights of their users with
the requests of the government.
So I think that one thing we need to look to here which we
can't expect from China but we should expect from ourselves is
greater transparency in terms of how the government accesses
communications data from companies here in the United States.
Looking at Title III for example, it is the one of the
major electronic privacy statutes that requires any meaningful
reporting about when the government is engaged in this kind of
conduct.
So we know when the government is wire tapping. We don't
know, for example, when the government is acquiring search
queries from Google or acquiring stored email or doing any
other kind of surveillance that isn't wire tapping itself.
So I think we should look for transparency here in the
United States which we certainly won't be seeing from
governments like China.
Chairman Specter. Thank you. Mr. Richardson.
Mr. Richardson. Mr. Chairman, I think that if you will
recall the Google incident first came to light because Google
felt that they had been attacked by some entity in China. They
were unwilling to go so far as to venture to say that it was
the Chinese government that was responsible. I don't think any
of us here is in a position to say one way or the other.
What is clear is that Google reacted as if that were the
case. Their response was made to the Chinese government, or how
they would conduct business in China. As such, what struck me
was that these were attacks that were carried out against
internet resources and infrastructure in the U.S. and in that
U.S., largely the infrastructure that we are discussing today
is privately owned.
Therefore, the role of the government in dealing with these
kinds of attacks is at this point somewhat unclear. I think in
this instance it certainly appeared to me that the Department
of State, for example, was caught somewhat flat footed. I
didn't get the impression that they had been briefed that
Google was going to come out in force before it happened.
That kind of coordination I think is going to be
increasingly important where the federal government makes clear
its role, and of course the new legislation that has just been
marked up I think does go some ways to addressing that.
But when it comes to cyber relations as it were between
government entities, there is I think a great deal of work to
be done in defining what our federal posture is.
Chairman Specter. Thank you, Mr. Richardson. Any comment on
that, Mr. Livingston? Or final comment?
Mr. Livingston. Senator, we have recovered computers in
about 50 countries around the world. We haven't had a lot of
experience with China, but we'd be happy to report back at some
future date if and when we do.
I'd just like to say that if there was a Title III new
legislation that was considered, I would hope that there would
be an exception for devices that were stolen. Again, we don't
believe that somebody in possession of stolen property
necessarily has an expectation of privacy.
Chairman Specter. Without objection, I will place in the
record a statement by Mr. Blake J. Robbins concerning the, as
he puts it, the laptop embedded internet camera capable of
activation while in students' homes and it is pressing the view
``as technology continues to improve at light speed, the need
to protect the sanctity of our home from invasion grows even
more urgent. Consequently, we earnestly support legislation
that will govern against and punish the misuse of any
technology that would prevent any such electronic invasion.''
From Mr. Blake Robbins. His mother, Holly Robbins, his dad,
Richard Robbins, and his sister, Paige Robbins. That is a
statement for the record from plaintiffs in the litigation.
The testimony in my opinion has been very forceful on the
point of a need for legislation. There is no doubt that there
is a gap in existing federal law. The language of the
constitution itself of the Fourth Amendment is in my judgment
not sufficient. It was not sufficient for oral or wire tap
information which led Congress to legislate under Title III.
This Senator will accept the invitation of Judge Posner to
legislate. I will be drafting legislation to introduce into the
Senate to try to carry the gap which now exists. I think the
testimony has been very forceful and we have tried to steer
away from the Lower Merion situation, but when the gentleman is
present in the courtroom, in the hearing room, I thought it
appropriate to have him testify briefly and to put into the
record the statement of one of the students of the family
expressing the concern and looking for protection for privacy.
Without any doubt, privacy is a very highly valued American
value. It is a value of the utmost importance. My sense is that
my colleagues will be responsive and have been alerted by this
specific incident. But beyond that as the testimony of this
very distinguished panel has demonstrated, there is a gap and
it ought to be closed. After 25 years, it is time.
That concludes our hearing. I appreciate your coming in.
Thank you.
[Whereupon, the hearing was adjourned.]
[Submissions for the record follow.]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
�