Copyright 2000 Federal News Service, Inc.
Federal News Service
September 6, 2000, Wednesday
SECTION: PREPARED TESTIMONY
LENGTH: 3004 words
HEADLINE:
PREPARED TESTIMONY OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER
BEFORE THE HOUSE JUDICIARY COMMITTEE, CONSTITUTION SUBCOMMITTEE
SUBJECT - H.R. 5018, ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 2000; H.R. 4987, DIGITAL PRIVACY ACT OF 2000; AND H.R. 4908, NOTICE OF ELECTRONIC MONITORING ACT.
BODY:
Summary
EPIC is a public
interest research organization in Washington, DC that favors the development of
strong legal and technical measures to safeguard the right of privacy. We have a
particular interest in the operation of Title 18 and the conduct of electronic
surveillance by the federal government. We have followed closely the
developments with wiretap authority, and we were the lead civil liberties
plaintiff in the recent case challenging the implementation of the
Communications Assistance for Law Enforcement Act (CALEA). EPIC is also
currently seeking the documents describing the Carnivore surveillance system in
a widely reported Freedom of Information Act case. EPIC favors provisions
contained in HR 4987 and HR 5018 to strengthen the standards and oversight for
wiretapping. Specifically, we support the provisions that would extend current
reporting requirements, clarify the scope of the exclusionary rule, establish a
high standard for the issuance of warrants for pen register and trap and trace
devices as well as access to locational information. We have mixed views about
HR 4908, the Notice of Electronic Monitoring Act. A bill that offers only notice
and lacks any of the substantive provisions otherwise found in privacy law may
reduce the amount of covert surveillance, but it could also promote more
widespread overt surveillance. When Congress confronted privacy issues in the
use of polygraphs in the workplace, it established more comprehensive
safeguards. While we do not oppose HR 4908, we believe that other US privacy
laws and the recognized standards of the International Labor Organization
provide a better framework for workplace privacy protection.
Introduction
My name is Marc Rotenberg. I am the Executive
Director of the Electronic Privacy Information Center (EPIC) and an adjunct
professor at Georgetown where I teach the law of information privacy. I
appreciate the opportunity to appear before the Subcommittee to discuss privacy
legislation.
EPIC's Interest
EPIC has a long-standing interest
in the protection of privacy and a particular interest in the scope of
electronic surveillance by the federal government and the application of the
wiretap statute. We opposed adoption of the Communications Assistance for Law
Enforcement Act of 1994 (CALEA). We argued that it was a costly and unnecessary
extension of federal wiretap authority. We believe that history has demonstrated
that we were correct.
EPIC was also the lead civil liberties plaintiff
in the recent litigation concerning the implementation of the CALEA, and we are
currently seeking the documents describing the Carnivore surveillance systems in
a widely reported Freedom of Information Act case.1
We have reviewed
closely the annual reports produced by the Administrative Office of the US
Courts on electronic surveillance.2 We were the first to note the
significant increase of federal wiretapping by the Clinton Administration, and
also the first to argue that new reporting requirements would be necessary for
the new types of electronic surveillance undertaken by the government.
We have also worked closely with labor organizations on emerging
technology issues and recently published a report that discusses developments in
the area of workplace privacy.
Recent Developments
We believe
there is a clear need to strengthen the federal wiretap statute and to clarify
the scope of existing law, particularly in light of recent law enforcement
practices surrounding the FBI's Carnivore system and law enforcement access to
locational information. We share the views expressed in the editorial pages of
the nation's newspapers that these proposals require a response from Congress.3
We also note the recent Appeals Court decision in CTIA v. FCC
(implementation of CALEA) in which the court indicated that the highest standard
should apply to new forms of electronic surveillance. At the same time, a recent
opinion from the Tenth Circuit in US West v. FCC has suggested that Congress
should be very clear when it uses the term "consent" to make sure that the
courts understand that consent has to be meaningful.
Assessment of Proposed Wiretap Legislation
Clarification of Exclusionary Rule
Central to the operation of the federal wiretap statute is the need to
ensure that information that is unlawfully obtained not be used in a court
proceeding. This principle goes back to the dissent of Justice Oliver Wendell
Holmes in Olmstead v. United States in which he referred to the use of evidence
obtained in violation of state law as a "dirty business."4 This principle is
just as important today, but the technology has changed and the current law
fails to make clear that the exclusionary rule applies to "electronic
communication," the term introduced in 1986, as it does to "wire and oral
communication," the original phrase from the 1968 Act.
We support the
proposed changes, contained in HR 5018 (Sect. 2) and HR 4987 (Sect. 3), to
section 2515 that would clarify that the exclusionary rule covers "electronic
communication" as well as "wire and oral communication," and also the proposed
change in HR 5018 (Sect. 2) that would extend the statutory exclusionary rule
to "any stored electronic communication."
Extension of Reporting Requirements
Over the last several years EPIC has made
frequent use of the annual report of the Administrative Office of the US Courts
to evaluate trends in electronic surveillance practices and to assess policy
proposals by law enforcement agencies. During the debate over adoption of the
Communications Assistance for Law Enforcement Act (CALEA), for example, we noted
that contrary to the claims of the FBI and the Department of Justice, the
federal wiretap statute was hardly ever used for investigations of kidnapping or
bombing.5 Then as today, Title III warrants are issued primarily for narcotics
investigations.
We have also noted the significant increase in the use
of pen registers and trap and trace orders in the last few years as well as the
very large percentage of non-incriminating communications that are routinely
intercepted by government agents. We believe that the reporting requirements are
central to the operation of the wiretap statute and that these reports provide
critical information for lawmakers and citizen organizations.
We favor
proposals to amend current reporting requirements and to provide information
about stored electronic communications similar to those requirements that
currently exist in section 2519 for intercepted communications. These proposals
will improve accountability and provide a means to assess the scope and
effectiveness of wiretapping conducted by government pursuant to title 18. We
further support the provision contained in HR 4987 on "Reports Concerning Other
Disclosures" that would extend the reporting requirement to other warrants and
subpoenas. We believe this will ensure a higher level of accountability and
greater accuracy in reporting.
Strengthening Pen Register Standards
We support proposed changes to sect. 3123 that would strengthen the
standard for the issuance of an order for a pen register or a trap and trace
device. If it is the purpose to apply this standard only to the instance where
an e-mail address should be obtained, then the language should be clarified so
that it is clear the address is necessary for the investigation that is being
pursued.
We further support the extension from one hundred and eighty
days to one year for the period of time a warrant under the Federal Rules of
Criminal Procedure or equivalent state warrant must be obtained for government
access to the contents of electronic communications in electronic storage.
Access to Locational Information
Finally, we support the
proposal to require a court order before location information is disclosed to
the government by the provider of mobile electronic information service. We
recognize that law enforcement is currently gaining access to locational
information and also that the court in USTA v. FCC implicitly recognized that
such activity . For these reasons, it is important to establish a legal standard
for access to this information.
We are concerned, however, that an
authorization to permit access to locational information coupled with a
technical requirement in CALEA to mandate the availability of locational
information will go further than the purpose of the wiretap law or the spirit
of the Fourth Amendment should permit. It is generally not the case that the law both
provides law enforcement the right to conduct a search and also requires
technical steps be taken prior to the issuance of a warrant to ensure that
success in the search be assured. We believe this is an area that the
Subcommittee on the Constitution should consider carefully as similar issues
arise in the future regarding the scope of the federal wiretap statute.
We further recommend that the consent provision in the proposed
provision (i)(2) be modified such that "meaningful consent" or "explicit
consent" or "affirmative consent" be obtained. Particularly in light of the
Tenth Circuit's recent holding in US West v. FCC regarding a similar provision
in the Telecommunications Act of 1996, we believe that Congress has to make
clear that consent cannot be indirect, assumed, or implied.
Leaving the Cable Act Privacy Safeguards Unchanged
We appreciate the fact that none
of the bills before the Subcommittee modify the privacy provisions in the Cable
Act of 1984 to address the problems with electronic surveillance. We believe it
would be a mistake to alter that very good provision or to harmonize downward
current privacy safeguards, as the White House has proposed. We urge the
Subcommittee to be very wary about reducing the level of privacy protection
currently established in US law.
Comments on HR 4908
We share
the Subcommittee's interest in the need to address the growing problem of
workplace surveillance. According to a report released earlier this year by the
American Management Association (AMA), nearly three-quarters of major US firms
monitor their employees' communications and activities on the job, including
their phone calls, e-mail, Internet connections and computer files. This figure
has doubled since 1997, driven by a dramatic increase in employers' interest in
what employees are doing on their computers. The share of major U.S. firms that
checks employee e-mail messages has jumped to 27 percent from 15 percent in
1997, and overall electronic monitoring of communications and performance has
increased to 45 percent from 35 percent two years ago.
Workplace
surveillance is also a growing problem around the world. As we note in our recent
report on Privacy and Human Rights:
Traditionally this monitoring and
information gathering involved some form of human intervention and either the
consent, or at least the knowledge, of employees. The changing structure and
nature of the workplace has led to more invasive and often covert monitoring
practices which call into question employees' most basic right to privacy and
dignity within the workplace.
Advances in science have also pushed the
boundaries of what personal details and information an employer can acquire from
an employee.
Psychological tests, general intelligence tests, performance
tests, personality tests, honesty and background checks, drug tests, and medical
tests are a routine requirement in workplace recruitment and evaluation methods.
However, we do not think that the bill as currently drafted provides
sufficient protection to address the problem. The bill is very narrow in two
respects. First, it covers only communications monitoring and leaves many
current practices untouched. Second, it provides only the single requirement of
notice, which standing by itself, could operate more as a disclaimer than any
actual safeguard.
Privacy laws are typically based on the concept of
Fair Information Practices. The principles establish basic rights for
individuals who give up personal information and basic responsibilities for
organizations that obtain personal information. Virtually all
privacy law, from the Fair Credit Reporting Act of 1970 through
the Privacy Act of 1974 and the many bills under consideration in the current
session follow this approach.
A notice-only privacy law, absent any of
the substantive rights associated with Fair Information Practices, such as
access, correction, or use limitation, is problematic. It could in practice
reduce the amount of covert surveillance, but it will not limit overt
surveillance. It may in fact increase the amount of overt surveillance, as
companies, under directions from their attorneys, write very broad policies
outlining a wide range of possible surveillance activities that may not have
previously occurred.
The impact is twofold: First, an employee's
reasonable expectation of privacy, a critical legal standard for privacy
protection, could be significantly diminished. Second, an employee's claims
under state common law tort theories could be undermined because employees would
be effectively on notice of the monitoring practices.
There is the
additional problem that the bill could limit workplace communication for
organizing purposes that might be otherwise protected by law. This question
arose in a recent workplace privacy case where a company that imposed a blanket
policy prohibiting communications in the workplace attempted to dismiss a worker
for communicating with others about workplace issues. An NLRB judge sided with
the employee and concluded that the employer simply could not prevent employees
from communicating with one another by means of notice.
We think better
approaches can be found both in other US privacy laws and in international
standards. The Employee Polygraph Protection Act of 1988, for example,
establishes substantive limitations on the use of lie detectors in the
workplace.
A particularly good framework for workplace privacy
protection is provided by the International Labor Organization's "Code of
Practices on the Protection of Worker's Data." The ILO issued these guidelines
in 1997, following three comprehensive studies on international workplace
privacy laws. The general principles of the Code suggest the range of interests
that a workplace privacy bill could address:
Personal data should be
used lawfully and fairly; only for reasons directly relevant to the employment
of the worker and only for the purposes for which they were originally
collected;
Employers should not collect sensitive personal data (e.g.,
concerning a worker's sex life, political, religious, or other beliefs, trade
union membership or criminal convictions) unless that information is directly
relevant to an employment decision and in conformity with national legislation;
Polygraphs, truth-verification equipment or any other similar testing
procedures should not be used;
Medical data should only be collected in
conformity with national legislation and principles of medical confidentiality;
genetic screening should be prohibited or limited to cases explicitly authorized
by national legislation; and drug testing should only be undertaken in
conformity with national law and practices or international standards;
Workers should be informed in advance of any monitoring and any data
collected by such monitoring should not be the only factors in evaluating
performance;
Employers should ensure the security of personal data
against loss, unauthorized access, use, alteration or disclosure; and
Employees should be informed regularly of any data held about them and
be given access to that data.
Beyond these two fundamental problems --
covering only communications and requiring only notice of monitoring -- the bill
is otherwise reasonably crafted. The exceptions to the notice requirement are
reasonable, though it may also be appropriate to inform employees at some point
after such monitoring has occurred and also to require the employer to formally
note when such authority is exercised. The proposed civil action provision is
also reasonable. A liquidated damage provision is particularly important in
privacy statutes because of the difficulty of otherwise assessing damages.
If the bill remains a notice-only measure, we would strongly urge the
Committee to add a provision that would require the notice to be available by
means of the World Wide Web. That would prevent intimidation of employees seen
reading the notice (a common problem with paper notices) and would also help the
labor market function by enabling prospective employees to evaluate the privacy
policies of prospective employers.
Conclusions
Even though it is
late in the session, it is not too late to strengthen the federal wiretap
statute, particularly in light of the current concerns with Carnivore and the
ongoing question of how government is to conduct electronic surveillance in the
years ahead consistent with the principles in the Fourth Amendment and the
spirit of the federal wiretap statute. We hope that the full Committee will act
quickly on these two bills. Regarding the surveillance notice measure, we
believe that a stronger measure is appropriate and necessary to safeguard
privacy in the workplace.
References
David Banisar, Privacy and Human Rights: An International Survey of Privacy Law and Developments (EPIC and Privacy International 2000)
Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press 1998)
Bruce Schneier and David Banisar, The Electronic Privacy Papers (Addison Wesley 1997)
Marc Rotenberg, editor, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments (EPIC 2000)
USTA v. FCC, No. 99-1442 (DC Cir. 2000)
EPIC Carnivore FOIA Litigation Page: http://www.epic.org/privacy/carnivore/default.html
EPIC Wiretap Page: http://www.epic.org/privacy/wiretap/
END
LOAD-DATE: September 7, 2000