Richard Clarke is the Washington personality of the week.  Marc Rotenberg testified in early December 2003 before the same Commission on a separate issue re security/privacy issues for going forward in preventing attacks. 

Four key points he made then:

1. long tradition of privacy protection for communications and records stored by governments.  Established during times when US faced nuclear weapons, unrest, assassinations -- but Congress went ahead and set them up.

2.  Sept. 11 provides major challenges, and the people involved in coordinating in govt. efforts completely changes the Terry landscape.  Checks and balances have been changed.

3.  Our understanding of privacy enhancing technologies following 9/11 has changed.  We thought there were tools that could enhance privacy -- TIA bothersome because message was that it would protect privacy, because govt surveillance under it would be less intrusive than other alternatives.

To understand this issue, three dimensions:

1.  What do we mean by privacy enhancing.

2.  What's relationship between federal govt and legal obs to safeguard privacy

3.  How does this all work in practice.

First, definitional problem.  What is a privacy enhancing technology?  Prior to 9/11, we all thought definition was an electronic world where transactions could occur that were verifiable and authenticated, but personally identifiable information wouldn't be necessary.  So these techniques would limit use of this personal information.

In the physical world, we can imagine cash, postage stamps etc. -- forms of value that allow transactions without personally identifiable information.  How translate this to the online world?  This was our core concept prior to 9/11.

No one proposed in Florida in 2000 that there should be an availability to check that vote had gone through.  Why?  Because concept of anonymity at that point, and recognition of need to sever transaction from surveillance is a core part of our democratic society.

This concept of a privacy enhancing technology was derailed by two processes:  first, in the private sector, the view that we wouldn't provide legal obligations to collection and use in the digital world.  it's just notice and choice.  So we saw P3P emerge to translate rights and obligations into a market-based transaction where anything goes. 

Post 9/11, law enforcement said we need to enable surveillance that respect privacy -- but what they meant by privacy was "within the context of a larger scheme that anticipates surveillance."  So, when a vote is cast, it becomes possible to link transaction back to the identified individual.  That's a principle without a boundary.

Rotenberg thought this idea died in the Clipper chip era.  People then said to open the door to this form of storage would create unlimited opportunities for abuse. 

Now our challenge is:  where do we stop?  If you assume all information might be useful in some investigation, where do we draw the line?

Go back to Brandeis dissent in Olmstead v. US.  What would be the appropriate 4A standard to apply to the conduct of telephone surveillance?  Was this warrant-based, or just out there in the ether?  Court said no physical entry has occurred, it's just information out there in the ether; if you are concerned, go to Congress.

Holmes dissented ("a dirty business").  Brandeis said:  look at surveillance in electronic space -- this is far more invasive than what would happen in physical space.  In electronic space, we're unbounded by space and time.  Could be lots of people talking, on many different subjects.  He argues for a higher standard of oversight, because oppty to obtain information is so vast.

When you go to wiretap statute of 1968, it's a "super warrant" when compared to what you get in physical space.  Constitutional response is based on fear that govt will overreach. 

So answer about incorporation of techniques to protect privacy post 9/11 is to keep in mind:  to the extent actors seek to comply with legal obligations and claim that they are "privacy enhancing," then technologies must incorporate auditing, transparency, all other requirements -- because of the enormous risk of government misuse.

Sonia Katyal is up, reminding us that it's important to think about the relationships among public/private law enforcement and surveillance.  Cyberspace allows us to contemplate the limits and possibilities of architecture and law.

Focusing on piracy surveillance:  monitoring users.  Convergence between modes of consumer surveillance and law enforcement -- but quite distinct from both.  An extrajudicial regime of copyright enforcement that poses serious complications for privacy, security, and anonymity.

Basic premise of the paper is an architecture of p2p transmissions.  Rise of piracy surveillance in cyberspace is attributable to this type of architecture.  In property, we have bricks for architecture; in cyberspace, architecture is permeable, allows facilitation of surveillance.  As consumer surveillance rises, we see rise of piracy surveillance.  (By piracy surveillance, she means monitoring that encompasses private notions of infringement; done privately; extralegal -- outside of ongoing litigation). 

Interesting from an IP perspective, because this kind of surveillance alters understanding of IP rights in cyberspace, by giving copyright a predatory and invasive and panoptic dimension.  Speech-based judgments as well.  Enables a copyright owner to determine whether or not an individual is engaging in fair use (and raises substantial due process concerns).

Three major forms of surveillance:  raise similar issues.  Eg, monitoring, using smart agents or bots that search for files.  Key problem raised by that is seen in Verizon case (challenge to 512(h)).  Disclosure of identity with very little real judicial oversight.

Also, problem that similar (but noninfringing) files will be caught up in this.

And how do we protect anonymous speech.

Two other forms of surveillance:  DRM collecting consumer information.  And interference (self-help).

Normative conclusions:  This modes raise complicated questions about the intersection of privacy and identity.  We shouldn't avoid enforcement, but should do it to fit freedom of speech and informational privacy.  Don't force tradeoff between privacy and protection of property.

Orin Kerr is up.  His suggestion is that computer-related crimes will end up with a different set of procedural rules -- "network" criminal procedures.  Even if crimes remain the same, they're committed in different ways.  New facts will trigger needs for new laws.

Start with physical world crime -- bank robbery.  Fred will walk in, go to teller, hands note, teller gives money, goes to car, runs away. 

Cop will show up -- what does he do? He looks for eyewitness testimony.  He also observes what the bank is like and whether there are trace materials of the crime.  He will collect physical evidence tying the crime to Fred.  Eg, the threatening note.

Fred gets out of prison, says he'll be an online bank robber.  He'll hack into the bank.  Logs onto ISP and passes through intermediaries to hide his tracks.   Sets up account, fills with money, sends money offshore.

Now you're the police officer called to investigate this crime.  You'll notice a really different crime scene.  No physical evidence, no eyewitnesses.  Just zeros and ones.  Have to trace evidence back to attacker, but can't do it in traditional ways. 

So you start from bank victim, track back through intermediaries. Hope that system admin has these records.  Trace back to Fred's ISP, and hope that ISP will help you.  But you don't have proof beyond a reasonable doubt -- you only have electronic evidence from third parties.  You have to get a search warrant and go to the target's home -- then forensically analyze Fred's computer.  Fred might keep notes ("I'm looking forward to hacking into the bank tonight.")  You seize the drive and image it, then run a string searcdh for that account number.  Takes weeks.

Different set of processes.  What does this mean for law?  Means that we need new rules to regulate these processes.  4th Amendment and 5th Amendment are tailored to the physical world.  Eg, search rules are about "the entry of the place."  Also, collecting physical evidence is about 4th Amendment seizure rules.  So how do those rules map on to facts of investigations of online crimes?

They don't map well.  You either get extraordinarily expansive rules or rules that are too narrow (where there are no real threats).  We need a relatively balanced set of rules.

Eg, if you want to get records from a third party, you have to get a subpoena.  No privacy protection there.  Traditional 4A doesn't apply to third-party stored information.  This just isn't a problem in the offline world.  So we have new facts where the information is collected and stored in a different way.  Old rule doesn't help.

Last stage -- forensics.  Bunch of interesting problems.  If you map what has to happen to 4A rules, you have big issues.  For a warrant, you have to describe things and only take that.  But in online crime, might be lots of other evidence involved.  Can't get a pinpointed warrant -- have to seize more than you have probable cause to seize.  What about making a bitstream copy?  Is that a seizure of a person's computer?  Traditionally, no -- not a seizure, just making a copy.  So govt could run off a copy and search that!  But intuitively that seems like a problem.

So what will happen in response to this problem?  We've begun to see a new field of network criminal procedure evolving.  Eg, ECPA, and 18 USC 2703, regulates process of going to third-party provider and asking for information.  So it's more than a mere a subpoena.  Statute recreates warrant requirement from the physical world.

Similarly, for forensics, courts are creating new rules to cover these last-stage searches.  So, eg., in a home, the police can't look for physical information that hasn't been described.  But electronically there's no restriction.  So courts have changed rule that governs whether intent matters when you're searching a computer.  Outside scope of warrant/inside distinction doesn't matter.  Subjective intent, though, does matter.  We'll ask agent "what were you thinking when you accessed this file."  Courts are responding to changed set of facts by looking at intent. 

We'll see more and more computer-specific set of rules.  A new body of law to study.

Great presentation.  Good work, Orin!

Beryl Howell, formerly counsel to the Senate Judiciary Committee, is up talking about real-world problems caused by crimes on digital networks.  Moral for all three stories:  specific laws directed to specific problems are very important.  So we need to keep updating these laws to fix mistakes and keep up with changes in technology.

First -- leak of many staffers' memos.  Two Republican staffers had taken thousands of documents and zipped them up with passwords.  Taken from common server.  No staffers were supposed to look at other staffers' memos, but permissions were set incorrectly and the files were wide open.  Appalling breach of custom.  Was a crime committed under the CFAA?  Or just an immoral action?  What does "authorized access" mean?

"Authorized access" was intended to be a case-by-case inquiry.  [note that civil liability requires damage as well, so a higher standard than the criminal part.]  Seems to be "you know it when you see it."

Second case:  FBI agents arrive at a suburban house, say computer being used to distribute child porn.  Teenager there had downloaded Kazaa, downloaded files that contained child porn, then had become a supernode, being used as a pointer.  Teenager had enough files for a felony.  Had he been emailing images to his friends? going to specific sites and downloading them beyond Kazaa?  Son said he wasn't aware of anything.  Child porn is strict liability; hard to do forensic exams because examiners don't want to be in possession of it either.  Happy ending:  prosecutor declined to prosecute.  But signals that technology can take you over a line.  Is the user at fault, or the technology?

Third case:  Company target of embarrassing emails with sexually explicit attachments (sexually explicit patents) sent on their behalf; clients took business elsewhere.  Company seemed incapable of stopping it.  Insecure wifi points and student internet accounts used to send these messages; couldn't track spoofer down.  Howell's company did an investigation.  Complaining emails about these attachments were also spoofed (from "wounded grizzly").  Started talking to wounded grizzly; got an extortion demand for 17million.  Suspect surveilled; able to pinpoint him as spoofer.  Arrested him two weeks ago; found ricin and guns in his house.  Threats you think you're aware of are just the tip of the iceberg.

So we have a problem: limits of CFAA.  Couldn't go after "wounded grizzly" because act unclear; stymied legitimate self-help efforts.

Alan Davidson from CDT is up.  Why does criminal law only seem to expand?  Does it ever go the other direction?  "how many laws have you broken today?"  There's a disconnect between social norms and the laws we have on the books.  Why can't we allow rulesets to evolve -- and why can't we have different views about what's wrong online v. what's wrong offline?  A lot of policy FUD here.  Will rote application of offline law lead to unintended consequences.

Three quick examples:  the case of the nation of felons.  How do we think about criminal copyright?  Has changed dramatically in the last ten years?  We've have criminal copyright for a long time on the books.  Was a misdemeanor for a long time.  With 1997 NET act, we got rid of "commercial profit" requirement; instead said if you distribute works of greater than X value over Y days, you're guilty.

And in 1998, DMCA creates new crimes for circumvention and removal of information.

So we're responding to a felt need to protect material, but what's wrong with this picture?  Millions of people regularly violate this law.  And this is likely to get worse.  Expectations offline (first sale, fair use) drive us to use works online.  Technology that precludes these kinds of uses will be counter-intuitive for a lot of people.  Seems odd from morality perspective -- "criminal" activities may not be felt as wrong.  And from deterrence/utilitarian perspective; these laws aren't having a large effect.  What does it mean for the rule of law if millions of people routinely ignore it?

Two approaches:  House Judiciary committee; maybe problem is that it's too hard to bring these cases (so eliminate wilfulness, make a single copy made a available on a P2P network trigger wilfulness).  Second, give govt civil enforcement powers here.  This seems to resonate with online social norm.  A speeding ticket and not a felony.  We may be overreaching in our expansion of criminal law.

Second:  case of culpable carrier.  Creating criminal liability for ISPs.  Challenge in Pappert case:  DA can get ex parte order from judge based on showing that child porn is there; gets order saying "you must block material from this source."  Make sure they can't see this web site.  Couple things wrong with that.  ISPs block bluntly -- by blocking IP address.  This blocks all other things hosted there.  We discovered over a million blocked based on 500 blocking orders coming out of PA.  Well-intentioned law leads to incredible overbreadth.  Trend is to look to ISPs to hold liable.  Begins to jeopardize end-to-end model.

Third case:  case of the aborted Koogle family vacation to France.  Tim Koogle subject of criminal action in France based on larger Yahoo! case.  So he can't go there.  This was ultimately resolved just last year when charge dismissed [is that true?], but leaves open question about how to deal with criminal laws.  US govt will certainly do this (eg, Elcomsoft).  Calls into question relationship between individuals and govt. 

In DC, legislators only expand laws -- don't contract them. 

Five modest suggestions:

1. go slow re cybercrimes

2. revise defs of crimes and access

3. prefer civil enforcement (things less harmful in the online context)

4. issues of international prosecution

5.  tie to social norms more carefully

this was the best presentation on this panel.  Very substantive and thoughtful -- great job, Alan.

I'm delighted to say that I've been added to the roster of Fellows of The Information Society Project at Yale Law School. This means more trips to New Haven ("The Hub"), and, with luck, some engaging meetings in New York. Thanks.

I'm here in Room 127 of the Yale Law School for a cybercrime conference.  So far, we had an excellent keynote from Dan Geer, and Tony Rutkowski (VP of Regulatory Affairs at VeriSign) is getting up to talk now.

But I'm distracted by a conversation I had with someone before the meeting began.  He said that this whole game of ICANN and VOIP and lots of other worries is essentially over -- FCC plans to assert jurisdiction over the DNS as an IP-enabled service (and assert jurisdiction over email and any other application that uses IP).  He pointed to an FCC NPRM (MC 04-36) in support of this assertion.  He also said that the EC has issued a similar notice.  These notices point to a limited set of obligations for providers.  Game over, in this individual's view.

Back to Tony.  He's pointing to the fact that there are very few content intercepts in the real world.  Most requests are made for subscriber information.  Law enforcement access is essential, and all we're talking about is what costs will be paid by whom.  Anonymity is over.  Key developments are happening in the private sector.  In the public sector, we're talking about the cybercrime treaty (probably will come into effect this year), the UK data retention code, and the FCC CALEA proceeding.  Europe cares only about data retention; they're way past CALEA.

He says re CALEA proceeding: 

Coverage:  Nothing really new here (real time access to data is a fact of life under state and federal law); we're just shifting costs to providers.  And need capabilities in place in order to do this stuff.  Law enforcement has a critical need for access in today's nomadic architecture environment.  He says this is innovative.

Compliance:  Creative, more flexible, adopts 15 month benchmark approach to enforcement.

Costs:  Pass on implementation costs to subscribers; transparency is good; service bureaus make the costs minor; parity with other regulatory mandates (E911, Universal Service); costs are trivial compared to stored data production via subpoenas. (that's an interesting point, if true, and Tony seems to know what he's talking about.)

More when the next panel comes up.