[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
GOING DARK:
LAWFUL ELECTRONIC SURVEILLANCE IN THE FACE OF NEW TECHNOLOGIES
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CRIME, TERRORISM,
AND HOMELAND SECURITY
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
FEBRUARY 17, 2011
__________
Serial No. 112-59
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
64-581 PDF WASHINGTON : 2011
COMMITTEE ON THE JUDICIARY
LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr., Wisconsin
HOWARD COBLE, North Carolina
ELTON GALLEGLY, California
BOB GOODLATTE, Virginia
DANIEL E. LUNGREN, California
STEVE CHABOT, Ohio
DARRELL E. ISSA, California
MIKE PENCE, Indiana
J. RANDY FORBES, Virginia
STEVE KING, Iowa
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
JIM JORDAN, Ohio
TED POE, Texas
JASON CHAFFETZ, Utah
TOM REED, New York
TIM GRIFFIN, Arkansas
TOM MARINO, Pennsylvania
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona

JOHN CONYERS, Jr., Michigan
HOWARD L. BERMAN, California
JERROLD NADLER, New York
ROBERT C. ``BOBBY'' SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
STEVE COHEN, Tennessee
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
PEDRO PIERLUISI, Puerto Rico
MIKE QUIGLEY, Illinois
JUDY CHU, California
TED DEUTCH, Florida
LINDA T. SANCHEZ, California
DEBBIE WASSERMAN SCHULTZ, Florida

Sean McLaughlin, Majority Chief of Staff and General Counsel
Perry Apelbaum, Minority Staff Director and Chief Counsel
------
Subcommittee on Crime, Terrorism, and Homeland Security
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
LOUIE GOHMERT, Texas, Vice-Chairman
BOB GOODLATTE, Virginia
DANIEL E. LUNGREN, California
J. RANDY FORBES, Virginia
TED POE, Texas
JASON CHAFFETZ, Utah
TIM GRIFFIN, Arkansas
TOM MARINO, Pennsylvania
TREY GOWDY, South Carolina
SANDY ADAMS, Florida
BEN QUAYLE, Arizona

ROBERT C. ``BOBBY'' SCOTT, Virginia
STEVE COHEN, Tennessee
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
PEDRO PIERLUISI, Puerto Rico
JUDY CHU, California
TED DEUTCH, Florida
DEBBIE WASSERMAN SCHULTZ, Florida
SHEILA JACKSON LEE, Texas
MIKE QUIGLEY, Illinois

Caroline Lynch, Chief Counsel
Bobby Vassar, Minority Counsel
C O N T E N T S
----------
FEBRUARY 17, 2011
OPENING STATEMENTS
The Honorable Tim Griffin, a Representative in Congress from the
State of Arkansas, and Member, Subcommittee on Crime,
Terrorism, and Homeland Security
The Honorable Robert C. ``Bobby'' Scott, a Representative in
Congress from the State of Virginia, and Ranking Member,
Subcommittee on Crime, Terrorism, and Homeland Security
The Honorable John Conyers, Jr., a Representative in Congress
from the State of Michigan, and Ranking Member, Committee on
the Judiciary
WITNESSES
Valerie Caproni, General Counsel, Federal Bureau of Investigation
Oral Testimony
Prepared Statement
Chief Mark Marshall, President, International Association of
Chiefs of Police
Oral Testimony
Prepared Statement
Susan Landau, Ph.D., Radcliffe Institute for Advanced Study,
Harvard University
Oral Testimony
Prepared Statement
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Prepared Statement of the Honorable Henry C. ``Hank'' Johnson,
Jr., a Representative in Congress from the State of Georgia,
and Member, Subcommittee on Crime, Terrorism, and Homeland
Security
Prepared Statement of the American Civil Liberties Union (ACLU)
submitted by the Honorable Robert C. ``Bobby'' Scott, a
Representative in Congress from the State of Virginia, and
Ranking Member, Subcommittee on Crime, Terrorism, and Homeland
Security
APPENDIX
Material Submitted for the Hearing Record
Prepared Statement of Joel M. Margolis, Senior Regulatory
Counsel, Subsentio, Inc.
Responses to Post-Hearing Questions from Valerie Caproni, General
Counsel, Federal Bureau of Investigation
Prepared Statement of the Center for Democracy and Technology
(CDT)
GOING DARK: LAWFUL ELECTRONIC SURVEILLANCE IN THE FACE OF NEW
TECHNOLOGIES
----------
THURSDAY, FEBRUARY 17, 2011
House of Representatives,
Subcommittee on Crime, Terrorism,
and Homeland Security,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 11:23 a.m., in
room 2141, Rayburn House Office Building, the Honorable Tim
Griffin (acting Chairman of the Subcommittee), presiding.
Present: Representatives Griffin, Forbes, Gowdy, Adams,
Quayle, Conyers, Scott, Johnson, Chu, and Quigley.
Staff Present: (Majority) Richard Hertling, Deputy Chief of
Staff; Caroline Lynch, Subcommittee Chief Counsel; Arthur
Radford Baker, Counsel; Lindsay Hamilton, Clerk; (Minority)
Bobby Vassar, Subcommittee Chief Counsel; Joe Graupensberger,
Counsel; and Veronica Eligan, Professional Staff Member.
Mr. Griffin. The Subcommittee will come to order.
Welcome to today's hearing on ``Going Dark: Lawful
Electronic Surveillance in the Face of New Technologies.'' I
would especially like to welcome our witnesses and thank you
for joining us today.
I am joined today by my colleague from Virginia,
distinguished Ranking Member of the Subcommittee, Bobby Scott.
And I don't see the Chairman emeritus Conyers, but he may join
us.
Today's hearing examines the issue of the growing gap
between the legal authority and the technological capability to
intercept electronic communications. This is known in law
enforcement circles as ``going dark.''
Going dark is not about requiring new or expanded legal
authorities. It is about law enforcement's inability to
actually collect the information that a judge has authorized.
Simply stated, the technical capabilities of law enforcement
agencies have not kept pace with the dazzling array of new
communication devices and other technologies that are now
widely available in the marketplace.
Court-ordered electronic surveillance has long been a
valuable tool for effective law enforcement. It is a technique
that is used as a last resort, when other investigative
techniques have failed or would be likely to fail or would even
be too dangerous to try.
The judicial process that must be followed to seek a court
order to authorize this type of surveillance is neither easily
nor quickly obtained. There are many layers of review, many
facts that must be established, and ultimately, a judge decides
if such a technique is warranted.
Once authorized, law enforcement must comply with reporting
requirements to the court that issued the order, and there are
procedures to protect the privacy rights of innocent parties
that may use the communication device at issue. The loss of
this investigative technique would be a huge risk to both our
public safety and our national security.
Congress initially addressed the growing gap between what
law enforcement was legally authorized to intercept and what
they were technically capable of intercepting by passing the
Communications Assistance for Law Enforcement Act. By
clarifying the obligations of the telecommunications industry,
this act attempted to close the gap and enable law enforcement
to address the electronic surveillance challenges presented by
new technologies.
But that was back in 1994. Since then, extraordinary
developments in communication technology have yielded new
communication devices, new services, and new modes of
communication that did not exist or had not fully reached their
maximum potential when we first addressed this problem.
CALEA, as it currently exists, does not address the
contemporary challenge that law enforcement agencies face when
attempting to legally intercept electronic communications.
This issue is not unique to Federal agencies. But many of
our State and local agencies may be at an even greater risk of
going dark because many of them do not have the financial
resources or the expertise to resolve interception problems.
Interception solutions are not cheap, and one size does not
necessarily fit all. The competition in the communication
industry has yielded a shift from standardized to proprietary
technology. This often requires law enforcement agencies to
develop individual interception solutions that may or may not
work in other instances.
The debate on how best to modernize the law and ensure that
our law enforcement agencies do not lose this valuable
investigative tool will not be easily resolved. Balancing
privacy interests, ensuring continued innovation by the
communications industry, and securing networks from
unauthorized interceptions must all be a part of the debate,
and they will all need to be factored into any solution.
I am particularly interested in hearing about collaboration
and information sharing among the various Federal, State, and
local law enforcement agencies as they attempt to efficiently
find solutions to the interception challenges.
I welcome our witnesses and look forward to hearing their
testimony.
I now recognize for his opening statement the Ranking
Member of the Subcommittee, Congressman Bobby Scott of
Virginia.
Mr. Scott. Well, thank you very much, and thank you for
holding this hearing.
I am glad to have the hearing today because over the past
few months, there have been news reports that new
communications technologies are making it more difficult for
law enforcement to engage in court-authorized wiretaps. The
same reports indicate that the Administration may be preparing
legislation to deal with this issue.
All of this has led to conjecture and speculation about
whether or not there is, in fact, a problem, what the scope of
the problem may be, and what Congress may be asked to do about
it. Today's hearing is constructive because we need information
to see what is really going on.
Some communications companies cited in the news reports
tell us that they have not been given any specific complaints
about their cooperation with law enforcement, and they say they
have yet to hear details of any reported problems. So I am
pleased that we have two distinguished law enforcement
witnesses here today to discuss these matters.
We also have a witness to testify with us today who is not
a law enforcement representative, but an engineer with
extensive experience in communications technology and who is an
expert in the relationship between security and surveillance. I
realize that this is the beginning of a discussion about a
range of issues, which are likely to include implementation of
the CALEA statute, as you have indicated, as well as what law
enforcement is currently experiencing.
But I believe at the onset of this discussion, eyes need to
be open to all of the considerations involved. There is no way
around the fact that any calls for increased surveillance
capabilities will have significant implications for
technological and economic development, as well as basic
privacy concerns. I am glad to hear that we will have a variety
of perspectives on these issues from our witnesses today.
I want to make one last comment before concluding my
statement, and that is that last week I attended a classified
briefing given by the FBI including one of our witnesses today.
And I appreciate the opportunity to hear the information that
was presented.
But while I think that sometimes it is appropriate for
Government officials to discuss classified material in closed
sessions, particularly discussions of specific cases, it is
critical that we discuss this issue in as public a manner as
possible. I do not think that congressional consideration of
these issues should rest on arguments made in secret. It would
be ironic to tell the American people that their privacy rights
may be jeopardized because of discussions held in secret.
So, Mr. Chairman, I look forward to our witnesses today,
and thank you for Chairing the hearing.
Mr. Griffin. Thank you.
I now recognize the most recent Chairman emeritus of the
Committee, John Conyers of Michigan, for his opening remarks.
Mr. Conyers. Thank you, Mr. Acting Chairman.
I am happy to be here today to welcome all of the
witnesses. And to me, this is a question of building back doors
into systems hearing, if we had to give it a nickname. And I
believe that legislatively forcing telecommunications providers
to build back doors into systems will actually make us less
safe and less secure.
I believe further that requiring back doors in all
communication systems by law runs counter to how the Internet
works and may make it impossible for some companies to offer
their services.
And finally, it is my belief that our communication
companies must be allowed to innovate without technological
constraints if they are to continue to develop products and
services that successfully compete with foreign companies.
Now that I have given you my views, I would be eager to
hear yours, and I thank you very much, Mr. Chairman.
Mr. Griffin. Thank you.
Without objection, other Members' opening statements will
be made a part of the record.
[The prepared statement of Mr. Johnson follows:]
Prepared Statement of the Honorable Henry C. ``Hank'' Johnson, Jr., a
Representative in Congress from the State of Georgia, and Member,
Subcommittee on Crime, Terrorism, and Homeland Security
Good morning. I would like to thank the witnesses for being here. I
want to begin by applauding the Chairman's efforts in seeking to arm
law enforcement with the tools they need.
This hearing will largely focus on the Communications Assistance
for Law Enforcement Act, CALEA.
CALEA's purpose is to enhance the ability of law enforcement and
intelligence agencies to conduct electronic surveillance by requiring
that telecommunications carriers and manufacturers of
telecommunications equipment modify and design their equipment to
ensure that they have built-in surveillance capabilities, allowing
federal agencies to monitor communications.
In the wake of new technologies, law enforcement, particularly the
FBI, has concerns about its inability to conduct court ordered
surveillance and refers to this inability as ``Going Dark.''
Law enforcement would like to extend the CALEA requirement to more
communications like Skype, encrypted BlackBerry devices, and social
networking sites like Facebook and Twitter.
While it is important to arm law enforcement with the tools they
need, we must be mindful of what such an expansion would cost the
American people.
Not simply in terms of dollars and cents, but in privacy rights,
civil liberties, our national security, innovation and global
competitiveness.
In addition to sitting on the Judiciary Committee, I sit on the
Armed Services Committee and am very concerned about how expanding
CALEA could jeopardize national security, especially cyber security.
As Susan Landau states in her written testimony, we must be careful
that the difficulties faced by law enforcement are not solved in a
manner that puts U.S. communications at serious risk of being hacked by
criminals, non-state actors, or other nations.
It is important that we move with caution when it comes to
expanding CALEA. Legislatively forcing telecommunications providers to
build back doors into their systems to allow for surveillance by law
enforcement may also provide opportunities for hackers and foreign
adversaries to gain access to these systems.
Legislatively expanding CALEA could create vulnerabilities in our
communications systems that would allow cyber criminals and terrorists
to attack us.
Expanding CALEA could also hurt America's competitiveness. Our
economic growth depends in large part on the continued expansion of
ways we use the Internet. Imposing technological constraints on
communications companies may make it more difficult for American
companies to develop products and services that successfully compete
with other countries.
Expanding CALEA could certainly have some unintended consequences
that would be detrimental to our country. We must keep this in mind as
we examine this issue.
I look forward to hearing from our witnesses about how we can
balance the rights of law enforcement without compromising our national
security interests or trampling over the privacy rights of millions of
Americans.
Thank you, Mr. Chairman, and I yield back the balance of my time.
__________
Mr. Forbes. Mr. Chairman?
Mr. Griffin. Yes, sir?
Mr. Forbes. Mr. Chairman, could I just take 2 minutes for
the Committee?
I just want to recognize a good friend of mine who is here
today. We are proud of Chief Marshall. He is the president of
the International Association of Chiefs of Police. But near and
dear to me, he is the chief of police in Smithfield, Virginia,
in Congressman Scott and my home State.
And we are proud of all of our witnesses, but particularly
glad to see him. And I just wanted him to know that I have got
some amendments on the floor. So I will be slipping in and out,
but we are so glad to have you here today.
Thank you, Mr. Chairman. I yield back.
Mr. Griffin. Did he bring any hams with him? [Laughter.]
Mr. Forbes. Mr. Chairman, if he did, they would be the best
hams in the world, I will tell you. [Laughter.]
Mr. Marshall. If it would help you with your deliberations.
[Laughter.]
Mr. Griffin. It might make me go to sleep. Thank you for
that.
It is now my pleasure to introduce today's witnesses.
Valerie Caproni--is that correct?
Ms. Caproni. That is correct.
Mr. Griffin. Oh, great. Ms. Caproni has been a general
counsel in the FBI's Office of the General Counsel since 2003.
Prior to her work with the FBI, she was regional director of
the Pacific Regional Office of the Securities and Exchange
Commission. She then became a counsel at the law firm of
Simpson, Thacher, and Bartlett, specializing in white-collar
criminal defense and SEC enforcement actions.
Ms. Caproni has also previously worked in the U.S.
Attorney's Office as an assistant U.S. attorney, chief of
special prosecutions, and chief of the Organized Crime and
Racketeering Section, and as chief of the Criminal Division.
Ms. Caproni received her bachelor of arts in psychology
from Newcomb College of Tulane University--I am a Tulane grad
as well--in 1976 and her law degree from the University of
Georgia in 1979.
Chief Marshall is president of the International
Association for Chiefs of Police. He has held the position of
chief of police in Smithfield for over 18 years and has been in
State and local law enforcement for 25 years. Chief Marshall
serves as Chairman for the Law Enforcement Data Exchange and
sits on the Advisory Policy Board for the FBI's CJIS Division.
Chief Marshall is the past president of the Hampton Roads
Chiefs Association and is on the executive board of the
Virginia Association of Chiefs of Police.
Chief Marshall received his bachelor of arts in criminology
from St. Leo University and his master's in public
administration from Old Dominion University. He is a graduate
of the FBI National Academy and the Police Executive Leadership
Program through the University of Virginia and the Virginia
Police Chiefs Foundation.
Susan Landau, Dr. Landau, studies the interplay between
privacy, cybersecurity, and public policy for Radcliffe
Institute at Harvard University. Prior to her work at the
Radcliffe Institute, Dr. Landau was a distinguished engineer at
Sun Microsystems for 12 years.
Before her work at Sun Microsystems, she taught computer
science at the University of Massachusetts and Wesleyan
University. Dr. Landau is the co-author with Whitfield Diffie
of ``Privacy on the Line: The Politics of Wiretapping and
Encryption.'' And her book ``Surveillance or Security: The
Risks Posed by New Wiretapping Technologies'' will be published
this spring.
Dr. Landau received her bachelor of arts from Princeton
University, her master's of science from Cornell University,
and her Ph.D. from MIT.
Without objection, the witnesses' statements will appear in
the record, put in their entirety. Each witness will be
recognized for 5 minutes to summarize their written statement.
The Chair now recognizes Ms. Caproni.
TESTIMONY OF VALERIE CAPRONI, GENERAL COUNSEL, FEDERAL BUREAU
OF INVESTIGATION
Ms. Caproni. Thank you.
Good morning, Chairman Griffin, Ranking Member Scott, and
Members of the Subcommittee. Thank you for the opportunity to
testify before you today regarding the problem that we refer to
as ``going dark.''
Most of us are old enough to remember when the world of
communications involved a home telephone and an office
telephone. In that world, when a court authorized law
enforcement to conduct a wiretap, we knew exactly where and how
to conduct it.
We placed a device called a ``loop extender'' on the
target's telephone line. That device intercepted the target's
telephone conversations, which were then routed to our
monitoring plant so we could hear everything said on the
telephone and learn the telephone numbers of all incoming and
outgoing calls.
Then the world of communications got a little more
complicated. The telephone companies started to shift their
technology from analog to digital signals, and cell phones
became ubiquitous. The phone companies were adding services
like call forwarding, call waiting, and three-way calling.
All of that had a negative impact on our ability to conduct
authorized wiretaps, and Congress stepped into the breach. In
1994, it passed the Communications Assistance for Law
Enforcement, or CALEA.
To ensure that advances in technology would not outstrip
law enforcement's ability to conduct court-approved wiretaps,
CALEA required telecommunication carriers to develop and deploy
intercept solutions in their networks so that when the
Government gets a wiretap order, it can actually conduct the
authorized surveillance.
Since then, the number of ways in which we communicate has
exploded. We still have home, office, and cell telephones that
can be forwarded, put on hold, and make three-way calls. But we
also now have home and office email accounts, Twitter accounts,
Facebook and MySpace pages, BlackBerrys and Androids, iPhones
and iPads.
We can chat, text, and send instant messages. We can video
chat. We can upload videos with comments, and we can
communicate using an avatar in Second Life.
If all of that is not complicated enough, we can access our
accounts from our home desktop computer via cable connection to
the Internet or from a laptop that has a wireless connection.
We can access our accounts from our office computer, from a
computer in the business center of a hotel, and even from an
iPad via a Wi-Fi hotspot while drinking no-fat latte at the
closest Starbucks.
The advances in our ability to communicate have many
advantages, but they also have made it exponentially more
difficult for law enforcement to execute court-authorized
wiretaps. Over the past several years, the FBI and other law
enforcement agencies have increasingly found themselves serving
wiretap orders on providers that are not covered by CALEA and,
therefore, under no pre-existing legal obligation to design
into their systems a wiretap capability.
Such providers may or may not have intercept capabilities
in place for all of their services. If they have no capability
or only limited capability, it takes time to engineer a
solution--sometimes days, sometimes months, and sometimes
longer.
Potentially critical evidence and intelligence can be lost
while the provider designs a solution so that it can isolate to
the exclusion of all others the communications of the
particular person whose account we are authorized to wiretap
and then deliver those communications and only those
communications to law enforcement with the relevant metadata.
Our inability to immediately and completely execute court
wiretap orders is not limited to new and exotic ways of
communicating. Providers that are covered by CALEA and,
therefore, required to maintain a solution in their systems are
sometimes unable to immediately execute wiretaps.
Sometimes that happens because the company has made changes
to its network but did not adjust its intercept solution so
that it would still work. Sometimes the problem is that the
approved industry standard does not provide the Government all
the information it is lawfully authorized to collect.
Whatever the reason, this is a problem that creates
national security and public safety risks. The challenge facing
us and our State and local counterparts is exacerbated by the
fact that there is currently no systematic way to make
electronic intercept solutions widely available across the law
enforcement community.
Federal, State, and local law enforcement agencies have
varying degrees of technical expertise regarding electronic
surveillance and lack an effective mechanism for sharing
information about existing intercept capabilities. This leads
to the inefficient use of scarce technical resources and missed
opportunities to leverage existing solutions.
The absence of institutionalized ways to coordinate and
share information in this area impedes the deployment of
timely, cost-effective intercept capabilities that are broadly
available to the law enforcement community. Today's technical
advances inure to the great benefit of society, but they create
significant challenges to the Government's ability to conduct
lawful wiretaps.
We see going dark as a problem with many facets, but they
all boil down to this. The combination of carrots and sticks
that the Government has are not working to incentivize
industries to develop and maintain adequate intercept solutions
for their services.
As a consequence, when a court issues an order authorizing
a wiretap, we are not consistently able to execute that order
and promptly begin to collect evidence and intelligence. If we
continue to be unable to accomplish that which even the most
ardent privacy advocates will agree we ought to be able to
accomplish--namely, to execute a wiretap order when authorized
to do so by a court--then we will be significantly hobbled in
achieving our mission of protecting the public safety and
national security.
Thank you for the opportunity to address this Subcommittee,
and I look forward to answering your questions.
[The prepared statement of Ms. Caproni follows:]
__________
Mr. Gowdy [presiding]. Thank you, Ms. Caproni.
Chief Marshall?
TESTIMONY OF CHIEF MARK MARSHALL, PRESIDENT,
INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE
Mr. Marshall. Good morning, Mr. Chairman and Members of the
Subcommittee.
My name is Mark Marshall, and I serve as the chief of
police in Smithfield, Virginia. I also serve as the president
of the International Association of Chiefs of Police.
I am here today representing over 20,000 of IACP's members
who are law enforcement executives in over 100 countries
throughout the world. The majority of our membership, however,
is here in the United States.
As my good friend Congressman Forbes indicated, I am from
Hampton Roads, Virginia, a smaller jurisdiction there. I have
the big-city problems without the big-city resources. And I
have got 2 million people sitting on my doorstep.
I am pleased to be here to represent and to discuss the
challenges currently confronting the U.S. law enforcement
community on electronic surveillance issues.
In the United States, there are more than 18,000 law
enforcement agencies and well over 800,000 officers who patrol
our State highways and the streets of our communities each and
every day. Very simply, in this day and age with budgets, we
are tasked to do more with less.
A great number of those officers also use electronic
surveillance as they investigate crimes. Each day, local,
State, tribal, and Federal law enforcement agencies use lawful
electronic surveillance as a critical tool for enforcing the
Nation's laws and protecting the citizens we have the honor to
serve. Moreover, electronic evidence is now a routine issue in
all crimes and at most crime scenes.
The IACP believes that the lawful interception of voice and
data communications is one of the most valuable techniques
available to law enforcement in identifying and crippling
criminal and terrorist organizations. Understandably, there is
an increased volume and complexity of today's communication
services and technologies. And the evolution and development of
communication devices has had a significant impact on law
enforcement's ability to be able to conduct that surveillance,
as well as to recover valuable evidence from communication
devices.
Additionally, legal mandates and authorities have not kept
pace with the changing technology. CALEA, or the Communications
Assistance for Law Enforcement Act, for example, does not cover
many types of services that are, unfortunately, used routinely
by criminals.
The advanced features of today's phones can process more
information about where people have been, who they know, who
they are calling, what they are texting, pictures they have
sent and/or are sending, as well as larger amounts of data than
ever before. Information recovered can also produce connections
to other media like Facebook and Twitter, contact lists, call
histories, calendars, waypoints, and email.
If properly recovered, this sort of stored data on
communication devices has great investigative and intelligence
value to assist law enforcement with investigations. The
proposed center, however, does not attempt to thwart or inhibit
social discourse, which is a fundamental piece to democratic
societies, not attempting to water down Title III or judicial
orders for these electronic intercepts.
Unfortunately, many of the agencies that need to be able to
conduct electronic surveillance of real-time communications are
on the verge of going dark because they are increasingly unable
to access, intercept, collect, and process wire or electronic
communications information when they are lawfully authorized to
do so.
This serious intercept capability gap often undercuts
State, local, and tribal law enforcement agencies' efforts to
investigate criminal activity such as organized crime,
drug-related offenses, child abduction, child exploitation, prison
escape, and other threats to public safety. This must change.
Law enforcement must be able to effectively use lawful
electronic surveillance to combat terrorism and fight crime.
Law enforcement needs the Federal Government to generate a
uniform set of standards and guidelines to assist in this
exploration.
In order for law enforcement to maintain its ability to
conduct electronic surveillance, laws must be updated to
require companies that provide individuals with the ability to
communicate.
In September, the Law Enforcement Executive Forum,
comprised of law enforcement executives, including the IACP,
released a plan to address the spectrum of issues related to
electronic surveillance. This plan was the National Domestic
Communications Assistance Center, otherwise known as NDCAC. In
the Federal Government, we have to have lots of acronyms.
The proposal calls for a strategy to be created to address
issues related to maintaining law enforcement's ability to
conduct court-authorized electronic surveillance. The proposal
calls on Congress and the Administration to make funding
available to establish the center.
The center would leverage the research and development
efforts of the law enforcement community with respect to lawful
electronic surveillance capabilities. The center would also
facilitate the sharing of technology between law enforcement
agencies.
I see that my time is up. So let me just wrap this up.
State, local, tribal, and Federal law enforcement are doing
all that we can to protect our communities from increasing
crime rates and the specter of terrorism, both in our streets
and in the many communications devices available today. But we
cannot do it alone. We need the full support, we need the
assistance of the Federal Government.
We need clear guidance and regulations on our use of lawful
interception of voice and data communications to aid us in
successfully investigating and prosecuting the most dangerous
of criminals. It is important for the safety of our hometowns,
and that will equate to the safety of our homeland.
Thank you.
[The prepared statement of Mr. Marshall follows:]
__________
Mr. Gowdy. Thank you, Chief.
Dr. Landau?
TESTIMONY OF SUSAN LANDAU, Ph.D., RADCLIFFE INSTITUTE FOR
ADVANCED STUDY, HARVARD UNIVERSITY
Dr. Landau. Mr. Griffin and Members of the Committee, thank
you very much for inviting me to testify.
I am Susan Landau, a fellow at the Radcliffe Institute for
Advanced Study at Harvard University. I am here representing my
own opinions and not that of Harvard or any of the other
institutions with which I am affiliated.
I have spent, for the last half dozen years and more, time
looking at the risks involved when you build wiretapping
capabilities into communications infrastructures. And while
there are issues in CALEA about security versus privacy and
security versus innovation, I am here to talk about security
risks in building the surveillance technology in.
A major national security problem facing the United States
is cyber exploitation. We have nation states and criminals
penetrating systems, finding the files of interest, and
downloading them quickly and shipping them out of the country.
This began happening in the early 2000's and has occurred
at U.S. military sites, at Government labs, and private
industry. Google, Lockheed Martin, NASA, Northrop Grumman, Oak
Ridge National Labs, the list goes on.
How serious is the threat? According to Deputy Secretary
William Lynn, it may be the most significant cyber threat that
the U.S. will face over the long term. In 2003, the FBI
reported that industrial espionage cost the U.S. $200 billion.
It is many times higher now.
Can wiretapping capabilities built into communications
infrastructures be exploited? The answer is, unfortunately,
``yes'' because wiretapping is an architected security breach.
Let me tell you a story about Vodafone Greece. A CALEA-type
switch was built into Vodafone Greece's network, built in by
Ericsson. Vodafone Greece didn't want this switch. So it had
been turned off. Because they didn't pay for that piece of the
switch, they also didn't have auditing capabilities.
The result? A hundred senior members of the Greek
government--including the prime minister, the head of the
ministry of defense, the ministry of interior--were wiretapped
for a period of 10 months until a text message went awry and
they discovered the problem with the system.
At Telecom Italia over a period of 10 years, presumably
from an insider attack, people using the system--celebrities,
politicians, judges, sports figures--were wiretapped for a
period of 10 years. Six thousand Italians. That is 1 in 10,000
Italians was wiretapped. Presumably, no large business deal or
political arrangement was ever really private.
A Cisco switch made to comply with law enforcement
wiretapping standards in Europe was discovered to have
mechanisms in it that were designed in such a way that it was
easy to spoof the system and evade auditing. When you think
about a wiretapping system that can evade auditing, I want to
remind you of people like Robert Hanssen, who evaded the
auditing systems of the FBI for many years.
If you think about it, when a Lockheed Martin or a Northrop
Grumman fails to adequately secure its networks, the cost can
be thousands of proprietary files stolen. But if a
communications provider, an applications provider, or a switch
provider fails to have an adequately secured communications
system, that cost occurs over the millions of communications
that utilize that switch or application.
It is unlikely that surveillance can be built in securely.
In the U.S., there are hundreds of communications providers,
many of them very small, with fewer than 100 employees.
Many startups producing new communications applications are
similarly small. Putting wiretapping into the mix risks the
communications of all their customers.
I want to step back for a moment and talk about
cryptography, a fight we had in the 1990's in which the NSA and
the FBI opposed the deployment of cryptography through the
communications infrastructure. In 1999, the U.S. Government
changed its policy.
The NSA has been firmly behind the change of policy, and
endorsed a full set of unclassified algorithms to be used for
securing the communications network. The NSA obviously believes
that in the conflict between communications surveillance and
communications security, we need to have communications
security.
What needs to happen? I agree that law enforcement has a
problem. Law enforcement needs to be more entrepreneurial.
Instead of the one-size-fits-all of CALEA, it needs more
tailored solutions.
It is already using transactional information. Chief
Marshall described all of the information currently available
on the PDAs and so on. That was not information available at
the time that the wiretap laws were passed.
Transactional information is what enabled us to capture
Khalid Sheikh Mohammed, the designer behind September 11th. It
enabled us to capture the July 21st bomber who fled from London
to Rome. It is what enables U.S. Marshals Service to have cut
the time to catch fugitives from an average of 42 days to 2.
I think we should augment the FBI going dark effort. I know
that is expensive in a time of financial austerity, but we are
going to have to pay for this, and we don't want to pay for it
by increasing security risks or threatening innovation.
I agree that with new communications technologies there is
a need for law enforcement access to legally authorized
surveillance. But let us not do it in a way that makes things
more dangerous and unsecures the U.S.
Thanks very much. I would be happy to take questions.
[The prepared statement of Ms. Landau follows:]
__________
Mr. Gowdy. Thank you.
Because I am merely keeping the seat warm for my
distinguished colleague from the great State of Arkansas, Mr.
Griffin, I would call on my equally distinguished colleague
from the great State of Virginia, Mr. Scott.
Mr. Scott. Thank you.
Ms. Caproni, are you asking for any surveillance authority
over and above what you have now--requirement for warrant,
probable cause, and all of that?
Ms. Caproni. No, we are not. We believe that the authority
that we have to conduct court-authorized wiretaps, which
appears in Title III as well as in FISA, is more than adequate.
Mr. Scott. And when you have a wiretap and the technology
doesn't let you listen in, that is the problem we are dealing
with, right?
Ms. Caproni. Correct. We are dealing with the problem of we
have a wiretap order. So a court has authorized us to conduct
the surveillance. But when we serve it on the provider, the
provider tells us they don't have the ability to isolate our
target's communication to the exclusion of all others and
deliver them to us in a secure manner.
Mr. Scott. And Chief Marshall, good to see you. As
indicated, their recommendation that a technological way to get
into the conversation be required to be part of cell phones or
whatever else. Is that right, Chief Marshall?
Mr. Marshall. Yes, sir. I mean, there is so much--there is
valuable data that is contained in every--most criminals are
using their cell phone in one way, shape, fashion, or form.
Mr. Scott. Now, Ms. Landau, if law enforcement can get into
a conversation, what would prevent anyone else who is a skilled
hacker, what would be the problem for them getting in?
Dr. Landau. You want a tailored solution for the problem.
So the problem with the case in Vodafone Greece is that the
wiretapping capability was built into the switch, and it was
easy to go in and turn the switch on instead of off. Not
completely trivial, but easy.
And what you want to do, what I am proposing is that it not
be built in in a way that decreases the security of all
communications.
Mr. Scott. Well, how can the law enforcement get into a
conversation and a skilled hacker not be able to? Can you
construct it in such a way that only law enforcement can listen
in and not others?
Dr. Landau. That is right. It used to be that you had to
go----
Mr. Scott. That is right you can, or you can't?
Dr. Landau. You can. You can. But you can't have it done in
a method that makes it possible to just automatically turn it
on remotely, deliver it. You have to make it more specially
tailored.
Mr. Scott. Is this hard? I mean, Chief Marshall, as he
indicated, is from a small city. They don't have a lot of high-
tech people sitting around. Is that something that is easy to
put together?
Dr. Landau. No, it is not easy to put together, which is
why I applaud the FBI effort to do much better information
sharing with State and local law enforcement. I think that the
FBI should be the one taking the lead in developing those
capabilities, and doing that information sharing is absolutely
crucial.
Mr. Scott. Now this back door would be required in
domestically produced cell phones, for example. Could we
require imported phones to have this same capability?
Dr. Landau. I don't want to see a back door. I want to see
specially tailored capability, and those are different
requirements. We can require what we want about systems sold
here. The question is how they can operate here and----
Mr. Scott. Well, can a phone, imported phone be hacked into
by law enforcement and not hacked into by others?
Dr. Landau. It depends on how you do the hacking. And that
is really the question. If you build the system in a way that
simplifies the hacking and makes it very easy for somebody to
get in, and that is the problem with applying CALEA to IP-based
communications. It is simply too easy to do that. Then you run
into trouble.
Mr. Scott. Well----
Dr. Landau. So I am arguing for something that is more
expensive. But you are measuring the cost of a more expensive
tailored solution against the national security cost of risking
communications of everybody going through that switch or that
application being accessible.
Mr. Scott. If we could require this technology be placed in
phones that are imported, we could have no ability to require
that for phones that are manufactured outside of the United
States and reportedly sold outside of the United States?
Dr. Landau. That is right. But the question is where you do
the tapping. You could do it at the phone. You could do it at
the switch. You can do it at many places along the pathway.
In the case of a cell phone, you can do it at a switch.
That is how we do it now.
Mr. Scott. So if you had an out of the country phone and
brought it into the United States, the capability would be in
the system, not in the phone itself?
Dr. Landau. That is correct.
Mr. Scott. And American manufacturers would, therefore, not
be at a disadvantage?
Dr. Landau. That is correct.
Mr. Scott. Mr. Chairman, I yield back.
Dr. Landau. But there is currently not a problem typically
with wiretapping cell phones. The problem is with IP-based
communications.
Mr. Griffin [presiding]. I recognize Mrs. Adams for 5
minutes.
Mrs. Adams. Thank you, Mr. Chair.
Ms. Caproni, you have listened to Dr. Landau, and are you
concerned at all about her concerns?
Ms. Caproni. We share some of the same concerns, and I am a
little concerned that some of the answers to the questions to
Representative Scott may have left a misunderstanding of how we
conduct intercepts.
There is no--the attacking of the device or hacking into a
device, if we had a court order, is sometimes permitted. That
is sometimes the best way to do it. It is not the normal way to
conduct a wiretap.
We want the wiretap and the device that conducts the
wiretap to be under the control of the provider. So, to that
extent, I think Dr. Landau and I may actually agree that we
don't want the intercept solution to be somewhere where it can
be gotten to by third-party actors.
Mrs. Adams. Manipulated.
Ms. Caproni. Correct. The lawful intercept solution should
be under the control of the provider, and the provider is
responsible for security. There is always risk from insiders.
That is a risk that companies manage all the time, particularly
big communication providers. So they need to manage that risk.
And we will look, obviously, very hard at the issue of the
security associated with anything that we propose to deal with
this problem. So security is a legitimate concern. I think we
may disagree that having a lawful intercept solution under the
control of a provider increases that risk in any kind of a
material way.
Mrs. Adams. Chief, you have heard the concerns, and I
preface this by I will tell you I am a past law enforcement
officer. And it did send some red flags up to me when I start
reading the breaches and everything else and on the security
level of it. I would like to hear your opinion.
Mr. Marshall. Yes, ma'am. Thank you.
We certainly don't want to circumvent the stringent legal
process involved in, one, obtaining those intercepts, whether
it is voice and/or data. Again, I think we are, particularly at
the local and State level--you know, I represent all of law
enforcement. The bulk of our membership is really at the local
and State level, and it is where law enforcement actually takes
place on a day-to-day basis in this country.
We need a place, particularly for the smaller and mid-sized
agencies that don't have the capabilities to be able to go out,
to be able to get those tools, to be able to retrieve that
data. We need that place that we can make that call, that we
would have that one-stop shop, if you would. That would at
least, it may not have the information but would at least be
able to direct us to be able to get that information.
In terms of, at the same time, I agree with Ms. Caproni's
statement that it is--that I think that this is the industry or
the provider would have that, and they would only be providing
that when you had that lawful intercept order, that judicial
order. For us, it is about going dark. It is most of the
criminal element are using and exploiting the ability of the
communication tools that are out there. They change every day.
It is amazing to me.
I waited 2 years to get a Verizon phone. I finally ordered
one. Came into the D.C. area last night, turned on the TV, and
I found out that they have got the new generation. Generation
5G is now going to be out in June. That is the problem. I have
already done my order. So it is too late.
But that is the problem, and that is what we are seeing,
that this is just--this changes so quickly.
Mrs. Adams. Technology is changing rapidly.
Ms. Caproni, leaving it at the provider, are you at least
the least bit concerned that a possibility could arise, and is
there a way to check the auditing system, if it is at the
provider, so that we don't have a Greece or an Italy?
Ms. Caproni. I think the answer to that is yes, and the
providers who provide lawful intercept to us also have
responsibilities for the general security of their system. The
providers are responsible for making sure that their systems
are not being hacked into overall.
Mrs. Adams. Correct.
Ms. Caproni. As well----
Mrs. Adams. But are you aware if any of the systems
currently have that switch that they just haven't turned on?
Ms. Caproni. I am not sure about the specific switch that
Dr. Landau was talking about. She references two instances
where that switch has been compromised. I would say that switch
has been deployed to literally hundreds of thousands of
telephone companies throughout the world.
So two out of hundreds of thousands, that is a balance. We
will obviously be looking, though, at security issues.
Mrs. Adams. Okay.
Ms. Caproni. We are concerned--we would not propose
anything to solve this problem that would appreciably change
the security situation that exists in our telecommunication or
the Internet system.
Mrs. Adams. That is what I wanted to hear. Thank you.
Mr. Griffin. Chairman emeritus Conyers is recognized for 5
minutes.
Mr. Conyers. Thank you, Mr. Chairman.
To our distinguished chief of police and the president of
the International Association of Police, you don't have much
personal contact with these kinds of issues of cryptography
going on, do you?
Mr. Marshall. No, sir. We don't have it in terms of the
cryptography. We do, however, have the issue surrounding cell
phones and being able to extrapolate that data because, as we
have found, they are using--anymore it is not even about voice,
it is also about texting. It is IM messages. It is all of those
things.
Mr. Conyers. Yes.
Mr. Marshall. Those are pieces that we need that would
help, would significantly help our crime-fighting capabilities.
The unfortunate----
Mr. Conyers. Okay. Let me get to the point that I am
working at. Have you had much contact or experienced problems
with Federal or State law enforcement officials seeking to
conduct electronic surveillance and you were stymied because
you wanted access to encrypted information that was unavailable
from the communications service that you were using?
Mr. Marshall. Yes, sir. We have, and it happens every day
throughout the law enforcement community, an inability for us
to be able to retrieve that data. In other words, if I seize a
cell phone, I don't have the capabilities--as you well
understand, I don't have the capabilities to be able to do it
except with some off-the-shelf products that are, frankly,
obsolete.
I send it to the State lab. They then have to go do the
search to try to find the newest, the latest and greatest tool
to be able to get that. Quite often, they come back that they
are unable to do it. And that, unfortunately, is something that
is happening with my law enforcement colleagues in agencies
across this country.
Mr. Conyers. Dr. Landau, we have all agreed there is a
problem here, and it is complicated. It is expensive and could
also be very dangerous to our national security. What would
your recommendations as first steps be in terms of dealing with
this?
Dr. Landau. So I think that Ms. Caproni and I will find
that we agree more than we disagree. I think it is imperative
that the FBI, which is in a position to develop solutions to
emerging communications technologies, have a very good
information-sharing system with State and local law enforcement
because they clearly are overwhelmed and cannot manage that on
their own.
I think transactional information, which has become much
more valuable as emerging technologies come out, should be used
even to greater extent than it is at present. And I think the
research arm of the going dark program has to be expanded so
that the FBI does the same kind of thing that the NSA does,
finds out the emerging communications technologies and figures
out solutions to the wiretapping before there is a case. So
that when the case comes, they are ready with the solution.
And so, I think that we would find we agree quite a bit.
Mr. Conyers. Well, Ms. Caproni, you are here under I think
you have come out from under the cloud that the whole Federal
Bureau of Investigation was under the last time you were here,
namely, that the IG had found out that you had been abusing the
national security letters and that you promised to clean it up.
And my general counsel says that he feels satisfied about
it. I don't sound like I am too satisfied about it. But you are
here now telling us that and it is being recommended by our own
witness that you need more resources to effect this more
satisfactory communication with Federal and State law
enforcement officials. Is that correct?
Ms. Caproni. Congressman, the FBI is always eager to have
additional resources. Resources will help, but resources to the
FBI standing alone is not going to solve this problem.
The reality is that we have ways and we know how certain
intercepts can be done. Our technicians know how to do that.
But these systems need to be deployed within the provider's
system.
And I think from both the privacy perspective and in kind
of real life what you want, you don't really want the FBI
crawling around in providers' systems to install the wiretap
solution. We want them to develop and deploy the wiretap
solution. We think----
Mr. Conyers. I ask unanimous consent for one additional
minute, Mr. Chairman.
Mr. Griffin. Go right ahead.
Mr. Conyers. Thank you very much.
Well, then that gets us to my back door comments when I
started off. Do you recall that I was saying the back door way
won't work?
Ms. Caproni. Congressman, I actually wrote that down, that
you were concerned about building back doors into systems. And
let me make one thing clear. The FBI's view is that this is not
about back doors into systems.
In fact, quite the contrary. We don't want a back door.
What we want is for the provider to isolate the transactions
and isolate the communications that the court has authorized us
to get and to hand those communications and no others to us
through the front door.
Mr. Conyers. All right. Great.
Ms. Caproni. We do not want a back door----
Mr. Conyers. That sounds good.
Dr. Landau, do you agree or disagree?
Dr. Landau. I disagree. It is a bit of word play here. Ms.
Caproni said, look, the Telecom Italia and the Vodafone Greece
case were only two cases out of thousands of deployed switches.
If it were the President of the United States or the
Speaker of the House instead of the prime minister of Greece,
would we still be saying only two switches out of thousands
deployed? Surely not.
When you build wiretapping capability into an application,
when you build it into a switch, you are creating a serious
security risk. I would say in light of the cyber exploitations
we have been seeing nationally the last half dozen years, that
is not a risk we can afford.
Mr. Conyers. Thank you very much, Mr. Chairman.
Mr. Griffin. Thank you.
The Chair recognizes Mr. Gowdy for 5 minutes.
Mr. Gowdy. Thank you, Mr. Chairman.
Ms. Caproni, to those who may misapprehend and fear that
you are seeking an expansion of the Bureau's legal authority in
this realm, alleviate those fears for them.
Ms. Caproni. I will do the best I can. We are not looking
for any new authority. We believe that the authority that we
have to conduct wiretaps that appears in Title III on the
criminal side and in FISA on the national security side are
adequate to our needs.
But what we are concerned is that we are losing ground to
actually be able to gather the information that we are
authorized to gather. For example, Dr. Landau is focusing on
and suggests that we should rely more on transactional data.
Transactional data is valuable. It is useful to us. It is not
the same as the actual conversation, the content of the
conversation, which is critically important, again, from both
the national security and public safety perspective.
But I would also point out that even gathering
transactional data, like pen register data, which is the most
basic information. Who is the telephone calling? Who are the
two sides of the communication? Under the J standards that has
been adopted by industry, under CALEA, we can't get basic pen
register data.
So while we may know that a telephone is texting, we don't
know what the telephone number of each side of the transaction
is. Without that very basic information, our investigations are
stymied. We need that information in order to keep the public
safe.
Mr. Gowdy. Cite for me the specific remedies you are
seeking and Congress's authority to grant them to you.
Ms. Caproni. Congressman, the Administration is still
working on what the solution would be, and we hope to have
something that we can work with Congress on in the near future.
Mr. Gowdy. I take it by your title, counsel, that you are
legally trained?
Ms. Caproni. I am.
Mr. Gowdy. No doubt better than me. So help me with the
authority that Congress would have to, as I understand it,
dictate to telecommunications companies changes that they have
to make.
Ms. Caproni. Well, CALEA, which was enacted in 1994,
already requires telecommunications companies to have a wiretap
solution built into their system. There are some issues with
CALEA and some ways that I think with the experience of 16
years with it, it could be improved, and I think that would be
part of--conceivably, that would be part of what we would
recommend is how to make the CALEA process for those companies
that it covers more productive, and it would better accomplish
the goal that Congress created in '94.
As to providers that aren't covered by CALEA, I think that
is the bigger challenge. And that is where, through the
interagency process, there is a lot of discussion about what is
the right way to walk the line, which is an important line,
between having providers have the ability to execute a wiretap
order when it is delivered to them and not squashing innovation
and not hurting the competitiveness of U.S. companies.
We have a very active discussion in the interagency about
how to walk that line. I think it is going to be something that
Congress is going to be incredibly interested in. Is there a
way to accomplish these two goals?
I am optimistic that there are ways to incentivize
companies to have intercept solutions engineered into their
systems that are safe and secure and not make their system more
vulnerable to outside attacks while still encouraging the sort
of innovation that we have seen in the American market.
Mr. Gowdy. Chief, let me thank you for your service and ask
you are there specific instances that you can cite within the
confines of an open hearing where you or members of your
membership have had investigations thwarted because of
inadequacies in our information-capturing systems?
Mr. Marshall. Thank you, Congressman.
I don't have specific instances. I have talked to a number
of my colleagues around the country who indicate that this
happens on almost a daily basis.
I know that we are just inundated with our case logs. We
are also--because of the budgets, we have been forced to make
reductions. And because of some of those case reductions, when
we are trying to do some of these investigations, particularly
in terms of retrieval of data that is being stored on phones or
other electronic devices, they simply can't do it.
When we send it, for example, in my agency, we send it, we
send it to the Virginia State lab, who then contacts the
Federal partners, typically the FBI. The problem is, is they
also have their own case log. And because of the number of
small industry agencies or small providers that are continuing
to pop up with the new electronic, what ends up happening is we
get the report back that it simply can't be found.
And that happens every day.
Mr. Gowdy. Thank you, Chief.
Thank you, Mr. Chairman.
Mr. Griffin. Mr. Johnson is recognized for 5 minutes.
Mr. Johnson. Thank you, Mr. Chairman.
Law enforcement wants us to extend the CALEA requirement to
more communications like Skype, encrypted BlackBerry devices,
and social networking sites like Facebook and Twitter. It is
important, I believe, that we move with caution when it comes
to expanding CALEA, which may also provide opportunities for
hackers and foreign adversaries to gain access to these
systems.
I have a couple of questions. Number one, how big is the
problem, Ms. Caproni, that you are trying to solve? In rough
numbers, how many times in the last year did Federal and State
law enforcement officials seek to conduct electronic
surveillance and were stymied because the communications it
wanted to access were encrypted or were unavailable from the
communications service that carried them?
And secondly, as you know, governments around the world
have recently shown a strong interest in accessing the
communications of BlackBerry business users whose emails are
currently encrypted with a key not known to BlackBerry's parent
company or the wireless carrier or anyone other than the
company employing the individual user.
Several countries have threatened to ban the use and sale
of BlackBerry devices unless BlackBerry's parent company
provides them with intercept capabilities. The ability of
American business people to communicate securely, particularly
when they travel abroad, is obviously of great importance to
our own economic well-being.
If the emails of a U.S. businessman or woman can be
monitored by the Saudi, Indian, or Indonesian governments when
they travel abroad, we risk losing the intellectual property
advantage that is at the very core of our economy. However, if
we force BlackBerry's parent company to give U.S. law
enforcement agencies intercept capabilities over these business
users, it will likely be quite difficult for the company to
keep saying no to those other governments.
Is providing U.S. law enforcement agencies with this access
worth it if it means that foreign governments will then be able
to get the same intercept capabilities in their own countries?
Ms. Caproni. So there are several questions in that
question. Let me try to take them one at a time.
First, let me start with law enforcement or at least FBI
has not suggested that CALEA should be expanded to cover all of
the Internet. In fact, the subject of how you would achieve the
goal that we are talking about is very actively being discussed
in the interagency. That might be a solution. That might not be
a solution. So we are not really suggesting that.
But let us turn directly to encryption. Encryption is a
problem, and it is a problem that we see for certain providers.
It is not the only problem. And if I don't communicate anything
else today, I want to make sure that everyone understands that
this is a multifaceted problem. And encryption is one element
of it, but it is not the entire element.
There are services that are not encrypted that do not have
an intercept solution. So it is not a problem of it being
encrypted. It is a problem of the provider being able to
isolate the communications and deliver them to us in a
reasonable way so that they are usable in response to a court
order.
Mr. Johnson. Well, that is not to minimize, however, the
encryption problem.
Ms. Caproni. Absolutely not. But what I do want to say is,
as we said in the written statement, that we are not looking,
and we think this problem--there are individual encryption
problems that have to be dealt with on an individual basis.
The solution to encryption that is part of CALEA, which
says if the provider isn't encrypting the communications, and
so they have the ability to decrypt and give them in the clear,
then they are obligated to do that. That basic premise that
provider-imposed encryption, that the provider can give us
communications in the clear, they should do that.
We think that is the right model. No one is suggesting that
Congress should reenter the encryption battles that were fought
in the late '90's and talk about sequestered keys or escrowed
keys or the like. That is not what this is all about.
For individuals who put encryption on their traffic, we
understand that there would need to be some individualized
solutions if we get a wiretap order for such persons.
The other thing I would note, and I thought at one point
you were referencing the public reports that we do relative to
how often encryption is encountered in Title III collection.
What we find is that our agents know, for instance, that
BlackBerrys are encrypted. So if their target is using a
BlackBerry, they are not going to get a Title III order for
that.
Title III orders, for those of you who were never AUSAs,
Title IIIs are a lot of work to obtain. It requires an awful
lot of work from the agent's part, a lot of work on the AUSA's
part. They are not going to do that to get a Title III order on
a BlackBerry that they know has encrypted traffic, and
therefore, they would not be able to get any usable proceeds
from that Title III.
So you see very low numbers in terms of the report of the
number of times that we encounter encryption. But I think it is
because agents, and I think Chief Marshall sort of referenced
this, they will see a problem. And agents, rather than just
sort of--and police officers, rather than throwing up their
hands and saying, ``Well, I can't do it,'' they will figure out
another way to get to where they need to go.
And it may not be a Title III. It may be that they will
then approach the problem from a different direction because
they know that a Title III is simply not going to be productive
use of their time.
Mr. Johnson. Thank you.
Mr. Griffin. Thank you.
Mr. Quayle is recognized for 5 minutes.
Mr. Quayle. Thank you, Mr. Chairman.
Ms. Caproni, I want to go back to the back door issue that
we were talking about earlier so that we can just clear up any
misconceptions. But as you know, a lot of the public reports
say that solving the problem that we have would create the back
door to the Internet, where law enforcement would have the key
to all communication systems in the U.S.
Is that accurate? Would the Government have direct access
to these communication systems?
Ms. Caproni. No, that is not accurate. In fact, the way
that we execute wiretaps is we go to the provider who is
providing the communication service. We serve the order on
them. We ask them to isolate the communications and deliver
them to us.
To some extent, actually, what Dr. Landau I think is
proposing, although it is not entirely clear, that is for the
FBI to individually have solutions, that we then deploy the
intercept solution throughout the Internet. That is actually a
much less privacy protective way of doing an interception.
It is also not as accurate. With packet-switched
communications, you have to collect all of the packets or you
can't put the message back together. So there would always be
the question of where would you deploy the device if we were
simply deploying it in the Internet?
It is for that reason that we want to do the collection
with the provider. We want to be able to serve our order on the
provider, which then puts a third party in the mix. We serve
our order on the provider. The provider figures out what
account it is, isolates that account and delivers those
communications to us and only those communications to us.
So there is no wiretapping of the Internet. It is really
just our ability to serve a targeted order on a targeted
account on a particular provider.
Mr. Quayle. Okay. And with those communications that the
Government would be seeking, has a court reviewed and
authorized you to obtain those communications? And also could
you briefly go through that process so everybody knows how that
is done?
Ms. Caproni. Absolutely. So looking at a Title III, because
that is the authority in a criminal case, the agent and the
AUSA have to put together an affidavit that establishes
probable cause to believe that the target is engaged in
particular criminal activity. They are committing felonies.
They are using the targeted facility to commit the felony, that
evidence will be--of the felony will be obtained if we
intercept their communications.
They also have to show that other investigative techniques
have been tried and failed or are too dangerous to use or would
likely fail. So this is really a last-resort type of technique.
The court considers that. They issue an order. It lasts
only for 30 days. During the period of that 30 days, law
enforcement has to report back to the judge to tell the judge
how the wiretap is going, what sort of evidence is being
collected.
The wiretap itself has to be minimized. So they will do
real-time review of the traffic that is coming in. If it is not
evidence of a crime so that they are not authorized to keep it,
it gets minimized. So they don't keep that information. So they
only keep the information that is actually relevant to their
investigation, and it is evidence of criminality.
Mr. Quayle. Okay. And just so we are brief, so there is no
warrantless wiretap?
Ms. Caproni. Absolutely not.
Mr. Quayle. Okay. And a final question for Chief Marshall.
What role does State and local law enforcement play in the
research and development of interception solutions? Do you feel
that State and locals have had adequate voice in this process
to address this issue?
Mr. Marshall. Thank you for the question.
Yes, we are putting together and we actually met about a
year and a half ago with the FBI and other Federal justice
agencies and a significant portion represented at the State and
local level to discuss this problem. Because at the State and
local level, we don't have the same level of resources,
particularly the smaller and mid-sized agencies don't have the
same resources to be able to do these.
So we rely on our Federal partners to be able to do it. At
the same time, we also know that we are increasingly seeing the
difficulty in being able to achieve that. That was why a year
and a half ago, when we started meeting, we ended up meeting,
looking at the problems, particularly at the State and local
level, and coming up with this proposal for the NDCAC.
And the NDCAC actually, its proposed governance--and we are
still continuing to work some of that out--but it would have a
significant proportion would be relegated at the State and
local so that we have that representation, that we have that
voice, that we have that ability to be able to share some of
the solutions that have been developed by some of--and for the
most part, they are usually some of the major metropolitan
areas.
But we have that place that we can all put in that we would
be able to share those best practices and strategies and also
be able to have a voice in this problem. This is a problem for
all of law enforcement, not just for the FBI. It is not just
for the DEA. This is a problem whether it is a 5-member
department or 5,000.
Mr. Quayle. All right. Thank you.
Mr. Griffin. Chairman emeritus Conyers is recognized for
another question.
Mr. Conyers. Thank you very much, Mr. Chairman.
Dr. Landau, I would like to feel a little bit more
comfortable with you commenting on the question of our
colleague Mr. Quayle in terms of the back door question that he
initially asked. Do you remember what that was?
Dr. Landau. If he could restate it, that would be great.
Mr. Griffin. We are playing musical chairs.
Mr. Quayle. Oh, great. What was that?
Dr. Landau. Restate your back door question.
Mr. Quayle. Okay. Basically, would the solutions to the
problem that we are talking about actually provide a back door
to the Internet where law enforcement could have a key to all
communications systems in the U.S.?
Dr. Landau. So Ms. Caproni said that I talked about
building the wiretapping into the fabric of the Internet, and
certainly not. Earlier, I said that I couldn't speak for
Harvard, and that is absolutely true. Let me point out that I
also can't speak for the NSA.
The NSA has been pushing hard for communications security
within the United States. It pushed out in 2005 a set of
recommendations on how to secure a communications network using
publicly available cryptography developed through the National
Institute for Standards and Technology.
It is pushing that land mobile radio be available. Secure,
interoperable land mobile radio can be purchased over the
counter in a place like Radio Shack, and we know that it is not
just local law enforcement and first responders who will be
using those systems.
So if the NSA can function in that environment, I would
certainly hope that the FBI can learn to function in that
environment. I am saying that building wiretapping into a
communications infrastructure, whether a switch or an
application, building interception into that communications
infrastructure is a dangerous model, whether you are Vodafone
Greece, Telecom Italia, or the United States.
Thank you.
Mr. Conyers. Could I give, Mr. Chairman, the representative
from the FBI the last word on this in this discussion?
Ms. Caproni. I am sorry. On the discussion of whether it is
a back door?
Mr. Conyers. Yes. Just what Dr. Landau just commented on.
Ms. Caproni. I think what she is suggesting is that there
should be security for information, and we agree with that. I
mean, that is not--we are not suggesting that communications
should be insecure. We are suggesting that if the provider has
the communications in the clear and we have a wiretap order,
that the provider should give us those communications in the
clear.
But, for example, Google, for the last 9 months, has been
encrypting all Gmail. So as it travels on the Internet, it is
encrypted. We think that is great. But we also know that Google
has those communications in the clear, and in response to a
wiretap order, they should give them to us in the clear.
Dr. Landau. No problem there.
Mr. Conyers. Thank you very much, Mr. Chairman.
Mr. Quayle [presiding]. Thank you.
The gentle lady from California, Ms. Chu, is recognized for
5 minutes.
Ms. Chu. Thank you, Mr. Chair.
For Ms. Caproni and Mr. Marshall, today you have described
difficulties in gaining assistance from companies in complying
with lawful wiretap orders under 18 U.S.C. 2518. Title III
orders include a requirement that all providers furnish the
applicant forthwith all information, facilities, and technical
assistance necessary to accomplish this interception.
Have you pursued contempt motions against any providers who
have failed to comply with these lawful orders?
Ms. Caproni. Our approach with industry is one of
cooperation. So we try to work with the companies to get them
to develop a solution that will work.
Our sense has been that it is very difficult on the one
hand to be cooperative and to work with a company who tells you
we are trying, we are trying to figure out how to do this so
that it will work and not interfere with our solution--with our
general system, to at the same time be hauling those people
into court. It seems to interfere with the cooperative
relationship.
So, no, we have not hauled any of these providers into
court on an order to show cause why they should not be held in
contempt.
Ms. Chu. Mr. Marshall?
Mr. Marshall. Yes, ma'am. My answer is a little bit more
basic. No, we have not pursued that because we typically do not
have any direct involvement. We don't have the involvement
directly with industry.
In other words, we are working through our lab or we are
working, if it would be a Title III, it would be worked through
our Federal partners, whether it is a task force application or
something of that nature.
I will say, and I certainly would stress this, I think
that this has to be a partnership with industry. Industry, we
want industry to be involved in a collaborative effort to come
up with a solution. We understand that certainly there are
costs involved, but a piece of this is it also has to be about
what is good for public safety and being able to have that
ability to be able to keep our crime-fighting capabilities at
least up to the level that we have.
Ms. Chu. Ms. Landau, how do you respond to that?
Dr. Landau. So I am mystified in some sense by the
discussion because while I certainly understand the going dark
issue, and I hear the FBI and local law enforcement saying we
are having problems, what I am not hearing are specific types
of solutions. Ideas were floated last fall about getting rid of
peer-to-peer and Skype, getting rid of encryption or making
keys required to be stored.
And as we saw in Ms. Caproni's testimony, the written
testimony, the FBI is no longer asking for any re-architecting
the Internet, no longer asking at least for certain changes on
encryption. So I am a little confused.
I understand that there are serious problems, and I agree
that the new technologies sometimes do cause those problems.
But there aren't concrete suggestions on the table. The only
one being better research at the FBI, and I think that is
important.
I want to tell a little story, which is a couple of weeks
ago when the situation was developing in Egypt and all the
communications were cut off with the rest of the world, all the
Internet communications, Google sat down with Twitter over a
weekend and developed Speak to Tweet.
That was a handful of engineers. You could speak into a
call. It could be translated into a Tweet message, and that was
a way for the Egyptians to communicate with one another. That
is terrific.
I was delighted to see that innovation was happening here.
It was happening with a handful of engineers. And that is the
way many systems are developed in the U.S., whether you are
talking about Google, which started with two engineers at
Stanford, or Facebook, with a handful of people at Harvard.
So I don't quite understand what the FBI is pushing for,
other than saying we are having a problem. We would like to
augment our research arm, which I think is good. We would like
industry to deliver things when they have it in the clear.
Industry, when they are capable of delivering it in the
clear, should be delivering it in the clear. So, thank you.
Ms. Chu. Okay. Last question. If we do grant the FBI the
authority it seeks, will this stop sophisticated criminals and
terrorists from encrypting their communication, or will they
simply start using communication tools provided by companies or
programmers outside the U.S.?
And what do we do when criminals start using secure
communication tools provided by developers associated with the
WikiLeaks organization, who will ignore requests by U.S. law
enforcement agencies?
Ms. Caproni. Thank you for that question.
There will always be criminals, terrorists, and spies who
use very sophisticated means of communications that are going
to create very specific problems for law enforcement. We
understand that there are times when you need to design an
individual solution for an individual target, and that is what
those targets present.
We are looking for a better solution for most of our
targets, and the reality is, I think, sometimes we want to
think that criminals are a lot smarter than they really are.
Criminals tend to be somewhat lazy, and a lot of times, they
will resort to what is easy.
And so long as we have a solution that will get us the
bulk of our targets, the bulk of criminals, the bulk of
terrorists, the bulk of spies, we will be ahead of the game. We
can't have individual--have to design individualized solutions
as though they were a very sophisticated target who was self-
encrypting and putting a very difficult encryption algorithm on
for every target we confront because not every target is using
such sophisticated communications.
Ms. Chu. And Dr. Landau, any response?
Dr. Landau. Thank you.
So I am glad to hear, actually, the specific issue now of
individualized solutions versus better solutions for bulk. And
certainly, in some cases, and the one that Ms. Caproni
mentioned about getting the unencrypted Gmail that Gmail
obviously has at the other end or you couldn't read your Gmail
when you logged on, in that case, in that particular
architecture, I suspect it is very easy for Google to deliver
that mail, and I suspect it does it forthwith.
But we are arguing about the issue of developing
individualized solutions for wiretapping versus creating bulk
solutions, what the FBI calls better solutions for bulk when we
have a national security threat of downloading and exploiting
U.S. industry, U.S. military, U.S. national labs, U.S. civilian
agencies.
And I don't think we can possibly build into the various
communications infrastructures wiretapping solutions that will
allow that type of bulk when it is so easy to subvert software
and so easy to subvert IP-based solutions.
Thank you.
Mr. Quayle. The Chair recognizes the gentleman from
Virginia, Mr. Scott, for one additional question.
Mr. Scott. Thank you.
I am a little confused. Ms. Caproni, you indicated that you
don't want the access through the phone itself, but through the
system, which would require--are you looking for real-time
access or a copy of conversations?
Ms. Caproni. We are looking for--I am sorry. Primarily,
what we are talking about here today is real-time interception.
Part of what Chief Marshall has talked about is actually
information that would not be collected in real time,
information that is stored on your cell phone or your smart
device, whatever.
But the bulk of what I have been talking about today is
electronic surveillance. So capturing the communications in
real time.
Mr. Scott. And having somebody in the industry go around
trying to find this would take obviously someone on company
payroll and expense. Who is paying for this expense, and how
much is it?
Ms. Caproni. So we are responsible, and we are typically
billed for the cost of electronic surveillance. So we will
reimburse. But they have to have a solution.
So they have to have the ability to find----
Mr. Scott. But law enforcement will pay the costs of the
finding and making access to the communication?
Ms. Caproni. Let me just double check, but I am pretty sure
that is right.
Yes.
Mr. Scott. And so, that would come out of Chief Marshall's
budget?
Ms. Caproni. Yes, I am sorry, Chief.
Mr. Scott. And does Chief Marshall have to have somebody on
staff technologically sophisticated to figure out what to ask
for and how to do all this?
Ms. Caproni. Well, that actually is an issue is different
providers want orders to be worded slightly differently, and
that actually is one of the things that we think the NDCAC, or
I can't remember what, the DCAC, this center that we are
talking about would provide. It would provide the ability to be
a single point of contact.
So law enforcement, if they are doing a wiretap, let us
say, of an RCN account that they have never done before, we
would probably have a relationship with RCN. We would know how
the order should be worded. We would know who in the company it
should be served on.
So we would provide that intermediary so that every law
enforcement agency in the country doesn't have to have that
level of expertise. So it could be much more tailored, and they
would have one-stop shopping, and we would serve as an
intermediary or the center would serve as a useful intermediary
between industry and law enforcement.
Mr. Quayle. The Chair recognizes the gentleman from
Georgia, Mr. Johnson, for one additional question.
Mr. Johnson. Thank you, Mr. Chairman.
CALEA's purpose is to require that telecommunications
carriers and manufacturers of telecommunications equipment
modify and design their equipment to ensure that they have
built-in surveillance capabilities, thus allowing Federal
agencies to surveil in real time electronically.
And that calls for individualized solutions to
communications like Skype or encrypted BlackBerry devices and
social networking sites. Am I correct about that? Am I on
track?
Ms. Caproni. CALEA doesn't cover social networking sites.
Mr. Johnson. Okay. All right. But as far as Skype and
BlackBerry devices, it is applicable to?
Ms. Caproni. So Skype is not a U.S. company. So it is not
covered by CALEA, or it may not be covered by CALEA because it
is not a U.S. company. The same with RIM.
Mr. Johnson. Okay. So non-U.S. companies would not be
subject to any extension of CALEA. You are seeking--what are
you seeking here today? That is really, I think, Ms. Landau's
point, and that is my point also. What is it exactly that you
would want Congress to do, or are you asking Congress for
anything?
Ms. Caproni. Not yet.
Mr. Johnson. Or did we just simply invite you here to tell
us about this?
Ms. Caproni. You invited me, and we came. But we don't have
a specific request yet. We are still--the Administration is
considering--I am really here today to talk about the problem.
And I think if everyone understands that we have a problem,
that is the first step, and then figuring out how we fix it is
the second step.
The Administration does not yet have a proposal. It is
something that is actively being discussed within the
Administration, and I am optimistic that we will have a
proposal in the near future.
Mr. Johnson. So you mean I have been worried for the last
24 hours about some legislation or some issue that I could have
worried about later, I guess? I am still worried about it.
Ms. Caproni. I am sorry to have put you through a sleepless
night. I am sure we will have many others once we get a
proposal on the table to consider.
Mr. Johnson. Well, I will tell you, life becomes so
complicated that it is almost impossible to keep from worrying.
Thank you.
Ms. Caproni. I agree.
Mr. Quayle. I am going to recognize myself for one
additional question.
Ms. Caproni, I was just curious. Do you know if the number
of court-ordered electronic surveillance have actually gone
down or up than the previous years? You don't have to be
specific. But do you know if they have gone down or up?
Ms. Caproni. I think they are going up a little bit, and
the raw numbers may not be as revealing as the sort of services
that are being asked for now. So we are seeing more
sophisticated and difficult services, like VOIP is coming up
more and more in wiretaps.
I think the absolute number of wiretaps may be about the
same or going up slightly.
Dr. Landau. I actually know the answer, which is that I
believe, according to the wiretap report, it has been steadily
increasing with perhaps a little bump down in 2009. But a quite
steady increase.
What is also increasing quite substantially is the number
of pen register requirements, pen registers being asked for.
Mr. Quayle. Thank you.
Well, I would like to thank our witnesses.
Mr. Conyers. Mr. Chairman?
Mr. Quayle. Yes?
Mr. Conyers. Before we----
Mr. Quayle. Another one?
Mr. Conyers. Yes, one final question. Is the ACLU correct
in worrying about once we start trying to get into this
question it is going to spin out of control, and all the things
that may have kept Hank Johnson up last night is going to keep
all of us up?
I ask Dr. Landau that because there are some up here that
say, well, let us help the FBI out, and we will give them the
legislation that we think they need. And there are others that
say, well, if you do that, you are going to get something much
worse back. And there we get into this legislative turmoil.
Dr. Landau. Thank you very much for the question.
So I really said I was going to talk about security, but I
will take that privacy question. When you make it easy to
wiretap, when all you have to do is flip a switch, it becomes
much easier for privacy to be violated. So what we saw, and I
know this is not the issue being discussed now. But what we saw
during 2001 was a single opinion by a single relatively low
member of the Department of Justice about warrantless
wiretapping.
It was not reviewed by other members of the Department of
Justice, and it instituted the warrantless wiretapping. So the
point is that when you make it simple to wiretap, when you make
it technologically simple to wiretap, it can be abused.
Mr. Conyers. Thank you, Mr. Chairman, for your generosity.
Ms. Caproni. I am sorry. May I respond to that question?
Mr. Quayle. Yes. Ms. Caproni, could you please respond to
that?
Ms. Caproni. Representative Conyers, there are a lot of
things that keep me up at night. One thing is the privacy of
people who are communicating on the Internet. One is the
security of the Internet. FBI is responsible for cyber attacks.
We investigate them all the time. The security of the Internet
is extremely important to the FBI.
But I also get kept up by worrying that we have got
criminals running around that we can't arrest and can't
prosecute because we can't actually execute a wiretap order.
And that criminal may be a massive drug dealer. They may be an
arms trafficker. They may be a child pornographer or a child
molester.
Those are things, real-life things that keep us up at night
because we need the authority--I am sorry. We have the
authority, but we need the actual ability to conduct the
wiretap so that we can keep the streets safe.
I worry about things like a Mumbai-style attack where, God
forbid, the attackers are using communications modalities that
we don't have an intercept solution for.
Mr. Conyers. So what is a little privacy invasion compared
to all those big things that you could or are worrying about,
right?
Ms. Caproni. Remember, what we are talking about is court-
authorized wiretaps. So the privacy of people that are being
invaded is only being invaded if an Article III judge has said
that probable cause has been established and that the
Government has the right to intercept these communications.
Mr. Quayle. Well, I would like to thank all of our
witnesses--since we are kind of diverging off topic. I want to
thank all of the witnesses for their testimony today.
And without objection, all Members will have 5 legislative
days to submit to the Chair additional written questions for
the witnesses, which we will forward and ask the witnesses to
respond as promptly as they can so that their answers may be
made part of the record.
Without objection, all Members will have 5 legislative days
to submit any additional materials for inclusion in the record.
Mr. Scott. Mr. Chairman? Mr. Chairman? I would ask
unanimous consent that a statement from the ACLU, the Center
for Democracy and Technology, and other industry and privacy
advocates be included in the record.
Mr. Quayle. Without objection.
[The information referred to follows:]
__________
Mr. Quayle. This hearing is adjourned.
[Whereupon, at 12:50 p.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record