EPIC logo

Prepared Testimony and Statement for the Record of

Marc Rotenberg, Executive Director
Electronic Privacy Information Center
Washington, DC

on

HR 5018, "Electronic Communications Privacy Act of 2000,"
HR 4987, "Digital Privacy Act of 2000," and
HR 4908, "Notice of Electronic Monitoring Act"

before the

House Judiciary Committee,
Subcommittee on the Constitution

Washington, DC
September 6, 2000

 

Summary

EPIC is a public interest research organization in Washington, DC that favors the development of strong legal and technical measures to safeguard the right of privacy. We have a particular interest in the operation of Title 18 and the conduct of electronic surveillance by the federal government. We have followed closely the developments with wiretap authority, and we were the lead civil liberties plaintiff in the recent case challenging the implementation of the Communications Assistance for Law Enforcement Act (CALEA). EPIC is also currently seeking the documents describing the Carnivore surveillance system in a widely reported Freedom of Information Act case

EPIC favors provisions contained in HR 4987 and HR 5018 to strengthen the standards and oversight for wiretapping. Specifically, we support the provisions that would extend current reporting requirements, clarify the scope of the exclusionary rule, establish a high standard for the issuance of warrants for pen register and trap and trace devices as well as access to locational information.

We have mixed views about HR 4908, the Notice of Electronic Monitoring Act. A bill that offers only notice and lacks any of the substantive provisions otherwise found in privacy law may reduce the amount of covert surveillance, but it could also promote more widespread overt surveillance. When Congress confronted privacy issues in the use of polygraphs in the workplace, it established more comprehensive safeguards. While we do not oppose HR 4908, we believe that other US privacy laws and the recognized standards of the International Labor Organization provide a better framework for workplace privacy protection.

Introduction

My name is Marc Rotenberg. I am the Executive Director of the Electronic Privacy Information Center (EPIC) and an adjunct professor at Georgetown where I teach the law of information privacy. I appreciate the opportunity to appear before the Subcommittee to discuss privacy legislation.

EPIC's Interest

EPIC has a long-standing interest in the protection of privacy and a particular interest in the scope of electronic surveillance by the federal government and the application of the wiretap statute. We opposed adoption of the Communications Assistance for Law Enforcement Act of 1994 (CALEA). We argued that it was a costly and unnecessary extension of federal wiretap authority. We believe that history has demonstrated that we were correct.

EPIC was also the lead civil liberties plaintiff in the recent litigation concerning the implementation of the CALEA, and we are currently seeking the documents describing the Carnivore surveillance systems in a widely reported Freedom of Information Act case.

We have reviewed closely the annual reports produced by the Administrative Office of the US Courts on the electronic surveillance. We were the first to note the significant increase of federal wiretapping by the Clinton Administration, and also the first to argue that new reporting requirements would be necessary for the new types of electronic surveillance undertaken by the government.

We have also worked closely with labor organizations on emerging technology issues and recently published a report that discusses developments in the area of workplace privacy.

Recent Developments

We believe there is a clear need to strengthen the federal wiretap statute and to clarify the scope of existing law, particularly in light of recent law enforcement practices. surrounding the FBI's Carnivore system and law enforcement access to locational information. We share the views expressed in the editorial pages of the nation's newspapers that these proposals require a response from Congress.

We also note the recent decision Appeals Court in CTIA v. FCC (implementation of CALEA) in which the court indicated that the highest standard should apply to new forms of electronic surveillance. At the same time, a recent opinion from the Tenth Circuit in US West v. FCC has suggested that Congress should be very clear when it uses the term "consent" to make sure that the courts understand that consent has to be meaningful.

Assessment of Proposed Wiretap Legislation

Clarification of Exclusionary Rule

Central to the operation of the federal wiretap statute is the need to ensure that information that is unlawfully obtained not be used in a court proceeding. This principle goes back to the dissent of Justice Oliver Wendell Holmes in Olmstead v. United States in which he referred to the use of evidence obtained in violation of state law as a "dirty business." This principle is just as important today, but the technology has changed and the current law fails to make clear that the exclusionary rule applies to "electronic communication," the term introduced in 1986, as it does to "wire and oral communication," the original phrase from the 1968 Act.

We support the proposed changes, contained in HR 5018 [Sect. 2] and HR 4987 [Sect. 3], to section. 2515 that would clarify that the exclusionary rule covers "electronic communication" as well as "wire and oral communication", and also the proposed change in HR 5018 [Sect. 2], that would extend the statutory exclusionary rule to "any stored electronic communication" in HR 5018 [Sect. 2].

Extension of Reporting Requirements

Over the last several years EPIC has made frequent use of the annual report of the Administrative Office of the US Courts to evaluate trends in electronic surveillance practices and to assess policy proposals by law enforcement agencies. During the debate over adoption of the Communications Assistance for Law Enforcement Act (CALEA), for example, we noted that contrary to the claims of the FBI and the Department of Justice, the federal wiretap statute was hardly ever used for investigations of kidnapping or bombing. Then as today, title III warrants are issued primarily for narcotics investigations.

We have also noted the significant increase in the use of pen registers and trap and trace orders in the last few years as well as the very large percentage of non-incriminating communications that are routinely intercepted by government agents. We believe that the reporting requirements are central to operation of the wiretap statute and that these reports provide critical information for lawmakers and citizen organizations.

We favor proposals to amend current reporting requirements and to provide information about stored electronic communications similar to those requirements that currently exist in section 2519 for intercepted communications. These proposals will improve accountability and provide a means to assess the scope and effectiveness of wiretapping conducted by government pursuant to title 18. We further support the provision contained in HR 4987 on "Reports Concerning Other Disclosures" that would extend reporting requirement to other warrants and subpoenas. We believe this will ensure a higher level of accountability and greater accuracy in reporting.

Strengthening Pen Register Standards

We support proposed changes to sect. 3123 that would strengthen the standard for the issuance of an order for a pen register or a trap and trace device. If it is the purpose to apply this standard only to the instance where an e-mail address should be obtained, then the language should be clarified so that it is clear the address is necessary for the investigation that is being pursued.

We further support the extension from one hundred and eighty days to one year for the period of times warrant under the Federal Rules of Criminal procedure or equivalent state warrant must be obtained for government access to the contents of electronic communications in electronic storage.

Access to Locational Information

Finally, we support the proposal to require a court order before location information is disclosed to the government by the provider of mobile electronic information service. We recognize that law enforcement is currently gaining access to locational information and also that the court in USTA v. FCC implicitly recognized that such activity . For these reasons, it is important to establish a legal standard for access to this information

We are concerned, however, that an authorization to permit access to locational information coupled with a technical requirement in CALEA to mandate the availability of locational information will go further than the purpose of the wiretap law or the spirit Fourth Amendment should permit. It is generally not the case that the law both provides law enforcement the right to conduct a search and also requires technical steps be taken prior to the issuance of a warrant to ensure that success in the search be assured. We believe this is an area that the Subcommittee on the Constitution should consider carefully as similar issues arise in the future regarding the scope of the federal wiretap statute.

We further recommend that the consent provision in the proposed provision (i)(2) be modified such that "meaningful consent" or "explicit consent" or "affirmative consent" be obtained. Particularly in light of the Tenth Circuit's recent holding in US West v. FCC regarding a similar provisions in the Telecommunications Act of 1996, we believe that Congress has to make clear that consent cannot be indirect, assumed, or implied.

Leaving the Cable Act Privacy Safeguards Unchanged

We appreciate the fact that none of the bills before the Subcommittee modify the privacy provisions in the Cable Act of 1984 to address the problems with electronic surveillance. We believe it would be a mistake to alter that very good provision or to harmonize downward current privacy safeguards, as the White House has proposed. We urge the Subcommittee to be very wary about reducing the level of privacy protection currently established in US law.

Comments on HR 4908

We share the Subcommittee's interest in the need to address the growing problem of workplace surveillance. According to a report released earlier this year by the American Management Association (AMA), nearly three-quarters of major US firms monitor their employees' communications and activities on the job, including their phone calls, e-mail, Internet connections and computer files. This figure has doubled since 1997, driven by a dramatic increase in employers' interest in what employees are doing on their computers. The share of major U.S. firms that checks employee e-mail messages has jumped to 27 percent from 15 percent in 1997, and overall electronic monitoring of communications and performance has increased to 45 percent from 35 percent two years ago.

Workplace surveillance is also growing problem around the world. As we note in our recent report on Privacy and Human Rights:

Traditionally this monitoring and information gathering involved some form of human intervention and either the consent, or at least the knowledge, of employees. The changing structure and nature of the workplace has led to more invasive and often covert monitoring practices with call into question employees' most basic right to privacy and dignity within the workplace . . . .

Advances in science have also pushed the boundaries of what personal details and information an employer can acquire from an employee. Psychological test, general intelligence test, performance tests, personality test, honesty and background checks, drug test, and medical tests are a routine requirement in workplace recruitment and evaluation methods.

However, we do not think that the bill as currently drafted provides sufficient protection to address the problem. The bill is very narrow in two respects. First, it covers only communications monitoring and leaves many current practices untouched. Second, it provides only the single requirement of notice, which standing by itself, could operate more as a disclaimer than any actual safeguard.

Privacy laws are typically based on the concept of Fair Information Practices. The principles establish basic rights for individuals who give up personal information and basic responsibilities for organizations that obtain personal information. Virtually all privacy law, from the Fair Credit Reporting Act of 1970 through the Privacy Act of 1974 and the many bills under consideration in the current session follow this approach.

A notice-only privacy law, absent any of the substantive rights associated with Fair Information Practices, such as access, correction, or use limitation, is problematic. It could in practice reduce the amount of covert surveillance, but it will not limit overt surveillance. It may in fact increase the amount of overt surveillance, as companies under directions from their attorneys, write very broad policies outlining a wide range of possible surveillance activities that may not have previously occurred.

The impact is twofold: First, an employee's reasonable expectation of privacy, a critical legal standard for privacy protection, could be significantly diminished. Second, an employee's claims under state common law tort theories could be undermined because employees would be effectively on notice of the monitoring practices.

There is the additional problem that the bill could limit workplace communication for organizing purposes that might be otherwise protected by law. This question arose in a recent workplace privacy case where a company that imposed a blanket policy prohibiting communications in the workplace attempted to dismiss a worker for communicating with others about workplace issues. An NLRB judge sided with the employee and concluded that the employer simply could not prevent employees from communicating with one another by means of notice.

We think better approaches can be found both in other US privacy laws and in international standards. The Employee Polygraph Protection Act of 1988, for example, establishes substantive limitations on the use of lie detectors in the workplace. A particularly good framework for workplace privacy protection is provided by the International Labor Organization's "Code of Practices on the Protection of Worker's Data." The ILO issued these guidelines in 1997, following three comprehensive studies on international workplace privacy laws. The general principles of the Code suggest the range of interests that a workplace privacy bill could address:

- Personal data should be used lawfully and fairly; only for reasons directly relevant to the employment of the worker and only for the purposes for which they were originally collected;

- Employers should not collect sensitive personal data (e.g., concerning a worker's sex life, political, religious, or other beliefs, trade union membership or criminal convictions) unless that information is directly relevant to an employment decision and in conformity with national legislation;

- Polygraphs, truth-verification equipment or any other similar testing procedures should not be used;

- Medical data should only be collected in conformity with national legislation and principles of medical confidentiality; genetic screening should be prohibited or limited to cases explicitly authorized by national legislation; and drug testing should only be undertaken in conformity with national law and practices or international standards;

- Workers should be informed in advance of any monitoring and any data collected by such monitoring should not be the only factors in evaluating performance;

- Employers should ensure the security of personal data against loss, unauthorized access, use, alteration or disclosure; and

- Employees should be informed regularly of any data held about them and be given access to that data

Beyond these two fundamental problems -- covering only communications and requiring only notice of monitoring -- the bill is otherwise reasonably crafted. The exceptions to the notice requirement are reasonable, though it may also be appropriate to inform employees at some point after such monitoring has occurred and also to require the employer to formally note when such authority is exercised. The proposed civil action provision is also reasonable. A liquidated damage provision is particularly important in privacy statues because of the difficulty of otherwise assessing damages.

If the bill remains a notice-only measure, we would strongly urge the Committee to add a provision that would require the notice to be available by means of the World Wide Web. That would prevent intimidation of employees seen reading the notice (a common problem with paper notices) and would also help the labor market function by enabling prospective employees to evaluate the privacy policies of prospective employers.

Conclusions

Even though it is late in the session, it is not too late to strengthen the federal wiretap statute, particularly in light of the current concerns with Carnivore and the ongoing question of how government is to conduct electronic surveillance in the years ahead consistent with the principles in the Fourth Amendment and the spirit of the federal wiretap statute. We hope that the full Committee will act quickly on these two bills. Regarding the surveillance notice measure, we believe that a stronger measure is appropriate and necessary to safeguard privacy in the workplace.

References

David Banisar, Privacy and Human Rights: An International Survey of Privacy Law and Developments (EPIC and Privacy International 2000)

Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press 1998)

Bruce Schneir and David Banisar, The Electronic Privacy Papers (Addison Wesley 1997)

Marc Rotenberg, editor, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments (EPIC 2000)

USTA v. FCC. No. 99-1442 (DC Cir. 2000)

EPIC Carnivore FOIA Litigation Page
http://www.epic.org/privacy/carnivore/default.html

EPIC Wiretap Page
http://www.epic.org/privacy/wiretap/