[House Hearing, 112 Congress] [From the U.S. Government Publishing Office] GOING DARK: LAWFUL ELECTRONIC SURVEILLANCE IN THE FACE OF NEW TECHNOLOGIES ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON CRIME, TERRORISM, AND HOMELAND SECURITY OF THE COMMITTEE ON THE JUDICIARY HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS FIRST SESSION __________ FEBRUARY 17, 2011 __________ Serial No. 112-59 __________ Printed for the use of the Committee on the JudiciaryAvailable via the World Wide Web: http://judiciary.house.gov _____ U.S. GOVERNMENT PRINTING OFFICE 64-581 PDF WASHINGTON : 2011 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON THE JUDICIARY LAMAR SMITH, Texas, Chairman F. JAMES SENSENBRENNER, Jr., JOHN CONYERS, Jr., Michigan Wisconsin HOWARD L. BERMAN, California HOWARD COBLE, North Carolina JERROLD NADLER, New York ELTON GALLEGLY, California ROBERT C. ``BOBBY'' SCOTT, BOB GOODLATTE, Virginia Virginia DANIEL E. LUNGREN, California MELVIN L. WATT, North Carolina STEVE CHABOT, Ohio ZOE LOFGREN, California DARRELL E. ISSA, California SHEILA JACKSON LEE, Texas MIKE PENCE, Indiana MAXINE WATERS, California J. RANDY FORBES, Virginia STEVE COHEN, Tennessee STEVE KING, Iowa HENRY C. ``HANK'' JOHNSON, Jr., TRENT FRANKS, Arizona Georgia LOUIE GOHMERT, Texas PEDRO PIERLUISI, Puerto Rico JIM JORDAN, Ohio MIKE QUIGLEY, Illinois TED POE, Texas JUDY CHU, California JASON CHAFFETZ, Utah TED DEUTCH, Florida TOM REED, New York LINDA T. SANCHEZ, California TIM GRIFFIN, Arkansas DEBBIE WASSERMAN SCHULTZ, Florida TOM MARINO, Pennsylvania TREY GOWDY, South Carolina DENNIS ROSS, Florida SANDY ADAMS, Florida BEN QUAYLE, Arizona Sean McLaughlin, Majority Chief of Staff and General Counsel Perry Apelbaum, Minority Staff Director and Chief Counsel ------ Subcommittee on Crime, Terrorism, and Homeland Security F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman LOUIE GOHMERT, Texas, Vice-Chairman BOB GOODLATTE, Virginia ROBERT C. ``BOBBY'' SCOTT, DANIEL E. LUNGREN, California Virginia J. RANDY FORBES, Virginia STEVE COHEN, Tennessee TED POE, Texas HENRY C. ``HANK'' JOHNSON, Jr., JASON CHAFFETZ, Utah Georgia TIM GRIFFIN, Arkansas PEDRO PIERLUISI, Puerto Rico TOM MARINO, Pennsylvania JUDY CHU, California TREY GOWDY, South Carolina TED DEUTCH, Florida SANDY ADAMS, Florida DEBBIE WASSERMAN SCHULTZ, Florida BEN QUAYLE, Arizona SHEILA JACKSON LEE, Texas MIKE QUIGLEY, Illinois Caroline Lynch, Chief Counsel Bobby Vassar, Minority Counsel C O N T E N T S ---------- FEBRUARY 17, 2011 Page OPENING STATEMENTS The Honorable Tim Griffin, a Representative in Congress from the State of Arkansas, and Member, Subcommittee on Crime, Terrorism, and Homeland Security............................... 1 The Honorable Robert C. ``Bobby'' Scott, a Representative in Congress from the State of Virginia, and Ranking Member, Subcommittee on Crime, Terrorism, and Homeland Security........ 2 The Honorable John Conyers, Jr., a Representative in Congress from the State of Michigan, and Ranking Member, Committee on the Judiciary.................................................. 3 WITNESSES Valerie Caproni, General Counsel, Federal Bureau of Investigation Oral Testimony................................................. 6 Prepared Statement............................................. 9 Chief Mark Marshall, President, International Association of Chiefs of Police Oral Testimony................................................. 16 Prepared Statement............................................. 19 Susan Landau, Ph.D., Radcliffe Institute for Advanced Study, Harvard University Oral Testimony................................................. 23 Prepared Statement............................................. 25 LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING Prepared Statement of the Honorable Henry C. ``Hank'' Johnson, Jr., a Representative in Congress from the State of Georgia, and Member, Subcommittee on Crime, Terrorism, and Homeland Security....................................................... 4 Prepared Statement of the American Civil Liberties Union (ACLU) submitted by the Honorable Robert C. ``Bobby'' Scott, a Representative in Congress from the State of Virginia, and Ranking Member, Subcommittee on Crime, Terrorism, and Homeland Security....................................................... 52 APPENDIX Material Submitted for the Hearing Record Prepared Statement of Joel M. Margolis, Senior Regulatory Counsel, Subsentio, Inc........................................ 59 Responses to Post-Hearing Questions from Valerie Caproni, General Counsel, Federal Bureau of Investigation....................... 73 Prepared Statement of the Center for Democracy and Technology (CDT).......................................................... 78 GOING DARK: LAWFUL ELECTRONIC SURVEILLANCE IN THE FACE OF NEW TECHNOLOGIES ---------- THURSDAY, FEBRUARY 17, 2011 House of Representatives, Subcommittee on Crime, Terrorism, and Homeland Security, Committee on the Judiciary, Washington, DC. The Subcommittee met, pursuant to notice, at 11:23 a.m., in room 2141, Rayburn House Office Building, the Honorable Tim Griffin (acting Chairman of the Subcommittee), presiding. Present: Representatives Griffin, Forbes, Gowdy, Adams, Quayle, Conyers, Scott, Johnson, Chu, and Quigley. Staff Present: (Majority) Richard Hertling, Deputy Chief of Staff; Caroline Lynch, Subcommittee Chief Counsel; Arthur Radford Baker, Counsel; Lindsay Hamilton, Clerk; (Minority) Bobby Vassar, Subcommittee Chief Counsel; Joe Graupensberger, Counsel; and Veronica Eligan, Professional Staff Member. Mr. Griffin. The Subcommittee will come to order. Welcome to today's hearing on ``Going Dark: Lawful Electronic Surveillance in the Face of New Technologies.'' I would especially like to welcome our witnesses and thank you for joining us today. I am joined today by my colleague from Virginia, distinguished Ranking Member of the Subcommittee, Bobby Scott. And I don't see the Chairman emeritus Conyers, but he may join us. Today's hearing examines the issue of the growing gap between the legal authority and the technological capability to intercept electronic communications. This is known in law enforcement circles as ``going dark.'' Going dark is not about requiring new or expanded legal authorities. It is about law enforcement's inability to actually collect the information that a judge has authorized. Simply stated, the technical capabilities of law enforcement agencies have not kept pace with the dazzling array of new communication devices and other technologies that are now widely available in the marketplace. Court-ordered electronic surveillance has long been a valuable tool for effective law enforcement. It is a technique that is used as a last resort, when other investigative techniques have failed or would be likely to fail or would even be too dangerous to try. The judicial process that must be followed to seek a court order to authorize this type of surveillance is neither easily nor quickly obtained. There are many layers of review, many facts that must be established, and ultimately, a judge decides if such a technique is warranted. Once authorized, law enforcement must comply with reporting requirements to the court that issued the order, and there are procedures to protect the privacy rights of innocent parties that may use the communication device at issue. The loss of this investigative technique would be a huge risk to both our public safety and our national security. Congress initially addressed the growing gap between what law enforcement was legally authorized to intercept and what they were technically capable of intercepting by passing the Communications Assistance for Law Enforcement Act. By clarifying the obligations of the telecommunications industry, this act attempted to close the gap and enable law enforcement to address the electronic surveillance challenges presented by new technologies. But that was back in 1994. Since then, extraordinary developments in communication technology have yielded new communication devices, new services, and new modes of communication that did not exist or had not fully reached their maximum potential when we first addressed this problem. CALEA, as it currently exists, does not address the contemporary challenge that law enforcement agencies face when attempting to legally intercept electronic communications. This issue is not unique to Federal agencies. But many of our State and local agencies may be at an even greater risk of going dark because many of them do not have the financial resources or the expertise to resolve interception problems. Interception solutions are not cheap, and one size does not necessarily fit all. The competition in the communication industry has yielded a shift from standardized to proprietary technology. This often requires law enforcement agencies to develop individual interception solutions that may or may not work in other instances. The debate on how best to modernize the law and ensure that our law enforcement agencies do not lose this valuable investigative tool will not be easily resolved. Balancing privacy interests, ensuring continued innovation by the communications industry, and securing networks from unauthorized interceptions must all be a part of the debate, and they will all need to be factored into any solution. I am particularly interested in hearing about collaboration and information sharing among the various Federal, State, and local law enforcement agencies as they attempt to efficiently find solutions to the interception challenges. I welcome our witnesses and look forward to hearing their testimony. I now recognize for his opening statement the Ranking Member of the Subcommittee, Congressman Bobby Scott of Virginia. Mr. Scott. Well, thank you very much, and thank you for holding this hearing. I am glad to have the hearing today because over the past few months, there have been news reports that new communications technologies are making it more difficult for law enforcement to engage in court-authorized wiretaps. The same reports indicate that the Administration may be preparing legislation to deal with this issue. All of this has led to conjecture and speculation about whether or not there is, in fact, a problem, what the scope of the problem may be, and what Congress may be asked to do about it. Today's hearing is constructive because we need information to see what is really going on. Some communications companies cited in the news reports tell us that they have not been given any specific complaints about their cooperation with law enforcement, and they say they have yet to hear details of any reported problems. So I am pleased that we have two distinguished law enforcement witnesses here today to discuss these matters. We also have a witness to testify with us today who is not a law enforcement representative, but an engineer with extensive experience in communications technology and who is an expert in the relationship between security and surveillance. I realize that this is the beginning of a discussion about a range of issues, which are likely to include implementation of the CALEA statute, as you have indicated, as well as what law enforcement is currently experiencing. But I believe at the onset of this discussion, eyes need to be open to all of the considerations involved. There is no way around the fact that any calls for increased surveillance capabilities will have significant implications for technological and economic development, as well as basic privacy concerns. I am glad to hear that we will have a variety of perspectives on these issues from our witnesses today. I want to make one last comment before concluding my statement, and that is that last week I attended a classified briefing given by the FBI including one of our witnesses today. And I appreciate the opportunity to hear the information that was presented. But while I think that sometimes it is appropriate for Government officials to discuss classified material in closed sessions, particularly discussions of specific cases, it is critical that we discuss this issue in as public a manner as possible. I do not think that congressional consideration of these issues should rest on arguments made in secret. It would be ironic to tell the American people that their privacy rights may be jeopardized because of discussions held in secret. So, Mr. Chairman, I look forward to our witnesses today, and thank you for Chairing the hearing. Mr. Griffin. Thank you. I now recognize the most recent Chairman emeritus of the Committee, John Conyers of Michigan, for his opening remarks. Mr. Conyers. Thank you, Mr. Acting Chairman. I am happy to be here today to welcome all of the witnesses. And to me, this is a question of building back doors into systems hearing, if we had to give it a nickname. And I believe that legislatively forcing telecommunications providers to build back doors into systems will actually make us less safe and less secure. I believe further that requiring back doors in all communication systems by law runs counter to how the Internet works and may make it impossible for some companies to offer their services. And finally, it is my belief that our communication companies must be allowed to innovate without technological constraints if they are to continue to develop products and services that successfully compete with foreign companies. Now that I have given you my views, I would be eager to hear yours, and I thank you very much, Mr. Chairman. Mr. Griffin. Thank you. Without objection, other Members' opening statements will be made a part of the record. [The prepared statement of Mr. Johnson follows:] Prepared Statement of the Honorable Henry C. ``Hank'' Johnson, Jr., a Representative in Congress from the State of Georgia, and Member, Subcommittee on Crime, Terrorism, and Homeland Security Good morning. I would like to thank the witnesses for being here. I want to begin by applauding the Chairman's efforts in seeking to arm law enforcement with the tools they need. This hearing will largely focus on the Communications Assistance for Law Enforcement Act, CALEA. CALEA's purpose is to enhance the ability of law enforcement and intelligence agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor communications. In the wake of new technologies, law enforcement, particularly the FBI, has concerns about its inability to conduct court ordered surveillance and refers to this inability as ``Going Dark.'' Law enforcement would like to extend the CALEA requirement to more communications like Skype, encrypted BlackBerry devices, and social networking sites like Facebook and Twitter. While it is important to arm law enforcement with the tools they need, we must be mindful of what such an expansion would cost the American people? Not simply in terms of dollars and cents, but in privacy rights, civil liberties, our national security, innovation and global competitiveness? In addition to sitting on the Judiciary Committee, I sit on the Armed Services Committee and am very concerned about how expanding CALEA could jeopardize national security, especially cyber security. As Susan Landau states in her written testimony, we must be careful that the difficulties faced by law enforcement are not solved in a manner that puts U.S. communications at serious risk of being hacked by criminals, non-state actors, or other nations. It is important that we move with caution when it comes to expanding CALEA. Legislatively forcing telecommunications providers to build back doors into their systems to allow for surveillance by law enforcement may also provide opportunities for hackers and foreign adversaries to gain access to these systems. Legislatively expanding CALEA could create vulnerabilities in our communications systems that would allow cyber criminals and terrorists to attack us. Expanding CALEA could also hurt America's competitiveness. Our economic growth depends in large part on the continued expansion of ways we use the Internet. Imposing technological constraints on communications companies may make it more difficult for American companies to develop products and services that successfully compete with other countries. Expanding CALEA could certainly have some unintended consequences that would be detrimental to our country. We must keep this in mind as we examine this issue. I look forward to hearing from our witnesses about how we can balance the rights of law enforcement without compromising our national security interests or trampling over the privacy rights of millions of Americans. Thank you, Mr. Chairman, and I yield back the balance of my time. __________ Mr. Forbes. Mr. Chairman? Mr. Griffin. Yes, sir? Mr. Forbes. Mr. Chairman, could I just take 2 minutes for the Committee? I just want to recognize a good friend of mine who is here today. We are proud of Chief Marshall. He is the president of the International Association of Chiefs of Police. But near and dear to me, he is the chief of police in Smithfield, Virginia, in Congressman Scott and my home State. And we are proud of all of our witnesses, but particularly glad to see him. And I just wanted him to know that I have got some amendments on the floor. So I will be slipping in and out, but we are so glad to have you here today. Thank you, Mr. Chairman. I yield back. Mr. Griffin. Did he bring any hams with him? [Laughter.] Mr. Forbes. Mr. Chairman, if he did, they would be the best hams in the world, I will tell you. [Laughter.] Mr. Marshall. If it would help you with your deliberations. [Laughter.] Mr. Griffin. It might make me go to sleep. Thank you for that. It is now my pleasure to introduce today's witnesses. Valerie Caproni--is that correct? Ms. Caproni. That is correct. Mr. Griffin. Oh, great. Ms. Caproni has been a general counsel in the FBI's Office of the General Counsel since 2003. Prior to her work with the FBI, she was regional director of the Pacific Regional Office of the Securities and Exchange Commission. She then became a counsel at the law firm of Simpson, Thacher, and Bartlett, specializing in white-collar criminal defense and SEC enforcement actions. Ms. Caproni has also previously worked in the U.S. Attorney's Office as an assistant U.S. attorney, chief of special prosecutions, and chief of the Organized Crime and Racketeering Section, and as chief of the Criminal Division. Ms. Caproni received her bachelor of arts in psychology from Newcomb College of Tulane University--I am a Tulane grad as well--in 1976 and her law degree from the University of Georgia in 1979. Chief Marshall is president of the International Association for Chiefs of Police. He has held the position of chief of police in Smithfield for over 18 years and has been in State and local law enforcement for 25 years. Chief Marshall serves as Chairman for the Law Enforcement Date Exchange and sits on the Advisory Policy Board for the FBI's CJIS Division. Chief Marshall is the past president of the Hampton Roads Chiefs Association and is on the executive board of the Virginia Association of Chiefs of Police. Chief Marshall received his bachelor of arts in criminology from St. Leo University and his master's in public administration from Old Dominion University. He is a graduate of the FBI National Academy and the Police Executive Leadership Program through the University of Virginia and the Virginia Police Chiefs Foundation. Susan Landau, Dr. Landau, studies the interplay between privacy, cybersecurity, and public policy for Radcliffe Institute at Harvard University. Prior to her work at the Radcliffe Institute, Dr. Landau was a distinguished engineer at Sun Microsystems for 12 years. Before her work at Sun Microsystems, she taught computer science at the University of Massachusetts and Wesleyan University. Dr. Landau is the co-author with Whitfield Diffie of ``Privacy on the Line: The Politics of Wiretapping and Encryption.'' And her book ``Surveillance or Security: The Risks Posed by New Wiretapping Technologies'' will be published this spring. Dr. Landau received her bachelor of arts from Princeton University, her master's of science from Cornell University, and her Ph.D. from MIT. Without objection, the witnesses' statements will appear in the record, put in their entirety. Each witness will be recognized for 5 minutes to summarize their written statement. The Chair now recognizes Ms. Caproni. TESTIMONY OF VALERIE CAPRONI, GENERAL COUNSEL, FEDERAL BUREAU OF INVESTIGATION Ms. Caproni. Thank you. Good morning, Chairman Griffin, Ranking Member Scott, and Members of the Subcommittee. Thank you for the opportunity to testify before you today regarding the problem that we refer to as ``going dark.'' Most of us are old enough to remember when the world of communications involved a home telephone and an office telephone. In that world, when a court authorized law enforcement to conduct a wiretap, we knew exactly where and how to conduct it. We placed a device called a ``loop extender'' on the target's telephone line. That device intercepted the target's telephone conversations, which were then routed to our monitoring plant so we could hear everything said on the telephone and learn the telephone numbers of all incoming and outgoing calls. Then the world of communications got a little more complicated. The telephone companies started to shift their technology from analog to digital signals, and cell phones became ubiquitous. The phone companies were adding services like call forwarding, call waiting, and three-way calling. All of that had a negative impact on our ability to conduct authorized wiretaps, and Congress stepped into the breach. In 1994, it passed the Communications Assistance for Law Enforcement, or CALEA. To ensure that advances in technology would not outstrip law enforcement's ability to conduct court-approved wiretaps, CALEA required telecommunication carriers to develop and deploy intercept solutions in their networks so that when the Government gets a wiretap order, it can actually conduct the authorized surveillance. Since then, the number of ways in which we communicate has exploded. We still have home office and cell telephones that can be forwarded, put on hold, and make three-way calls. But we also now have home and office email accounts, Twitter accounts, Facebook and MySpace pages, BlackBerrys and Androids, iPhones and iPads. We can chat, text, and send instant messages. We can video chat. We can upload videos with comments, and we can communicate using an avatar in Second Life. If all of that is not complicated enough, we can access our accounts from our home desktop computer via cable connection to the Internet or from a laptop that has a wireless connection. We can access our accounts from our office computer, from a computer in the business center of a hotel, and even from an iPad via a Wi-Fi hotspot while drinking no-fat latte at the closest Starbucks. The advances in our ability to communicate have many advantages, but they also have made it exponentially more difficult for law enforcement to execute court-authorized wiretaps. Over the past several years, the FBI and other law enforcement agencies have increasingly found themselves serving wiretap orders on providers that are not covered by CALEA and, therefore, under no pre-existing legal obligation to design into their systems a wiretap capability. Such providers may or may not have intercept capabilities in place for all of their services. If they have no capability or only limited capability, it takes time to engineer a solution--sometimes days, sometimes months, and sometimes longer. Potentially critical evidence in intelligence can be lost while the provider designs a solution so that it can isolate to the exclusion of all others the communications of the particular person whose account we are authorized to wiretap and then deliver those communications and only those communications to law enforcement with the relevant metadata. Our inability to immediately and completely execute court wiretap orders is not limited to new and exotic ways of communicating. Providers that are covered by CALEA and, therefore, required to maintain a solution in their systems are sometimes unable to immediately execute wiretaps. Sometimes that happens because the company has made changes to its network but did not adjust its intercept solution so that it would still work. Sometimes the problem is that the approved industry standard does not provide the Government all the information it is lawfully authorized to collect. Whatever the reason, this is a problem that creates national security and public safety risks. The challenge facing us and our State and local counterparts is exacerbated by the fact that there is currently no systematic way to make electronic intercept solutions widely available across the law enforcement community. Federal, State, and local law enforcement agencies have varying degrees of technical expertise regarding electronic surveillance and lack an effective mechanism for sharing information about existing intercept capabilities. This leads to the inefficient use of scarce technical resources and missed opportunities to leverage existing solutions. The absence of institutionalized ways to coordinate and share information in this area impedes the deployment of timely, cost-effective intercept capabilities that are broadly available to the law enforcement community. Today's technical advances inure to the great benefit of society, but they create significant challenges to the Government's ability to conduct lawful wiretaps. We see going dark as a problem with many facets, but they all boil down to this. The combination of carrots and sticks that the Government has are not working to incentivize industries to develop and maintain adequate intercept solutions for their services. As a consequence, when a court issues an order authorizing a wiretap, we are not consistently able to execute that order and promptly begin to collect evidence and intelligence. If we continue to be unable to accomplish that which even the most ardent privacy advocates will agree we ought to be able to accomplish--namely, to execute a wiretap order when authorized to do so by a court--then we will be significantly hobbled in achieving our mission of protecting the public safety and national security. Thank you for the opportunity to address this Subcommittee, and I look forward to answering your questions. [The prepared statement of Ms. Caproni follows:]
__________ Mr. Gowdy [presiding]. Thank you, Ms. Caproni. Chief Marshall? TESTIMONY OF CHIEF MARK MARSHALL, PRESIDENT, INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE Mr. Marshall. Good morning, Mr. Chairman and Members of the Subcommittee. My name is Mark Marshall, and I serve as the chief of police in Smithfield, Virginia. I also serve as the president of the International Association of Chiefs of Police. I am here today representing over 20,000 of IACP's members who are law enforcement executives in over 100 countries throughout the world. The majority of our membership, however, is here in the United States. As my good friend Congressman Forbes indicated, I am from Hampton Roads, Virginia, a smaller jurisdiction there. I have the big-city problems without the big-city resources. And I have got 2 million people sitting on my doorstep. I am pleased to be here to represent and to discuss the challenges currently confronting the U.S. law enforcement community on electronic surveillance issues. In the United States, there are more than 18,000 law enforcement agencies and well over 800,000 officers who patrol our State highways and the streets of our communities each and every day. Very simply, in this day and age with budgets, we are tasked to do more with less. A great number of those officers also use electronic surveillance as they investigate crimes. Each day, local, State, tribal, and Federal law enforcement agencies use lawful electronic surveillance as a critical tool for enforcing the Nation's laws and protecting the citizens we have the honor to serve. Moreover, electronic evidence is now a routine issue in all crimes and at most crime scenes. The IACP believes that the lawful interception of voice and data communications is one of the most valuable techniques available to law enforcement in identifying and crippling criminal and terrorist organizations. Understandably, there is an increased volume and complexity of today's communication services and technologies. And the evolution and development of communication devices has had a significant impact on law enforcement's ability to be able to conduct that surveillance, as well as to recover valuable evidence from communication devices. Additionally, legal mandates and authorities have not kept pace with the changing technology. CALEA or, the Communications Assistance for Law Enforcement Act, for example, does not cover many types of services that are, unfortunately, used routinely by criminals. The advanced features of today's phones can process more information about where people have been, who they know, who they are calling, what they are texting, pictures they have sent and/or are sending, as well as larger amounts of data than ever before. Information recovered can also produce connections to other media like Facebook and Twitter, contact lists, call histories, calendars, waypoints, and email. If properly recovered, this sort of stored data on communication devices has great investigative and intelligence value to assist law enforcement with investigations. The proposed center, however, does not attempt to thwart or inhibit social discourse, which is a fundamental piece to democratic societies, not attempting to water down Title III or judicial orders for these electronic intercepts. Unfortunately, many of the agencies that need to be able to conduct electronic surveillance of real-time communications are on the verge of going dark because they are increasingly unable to access, intercept, collect, and process wire or electronic communications information when they are lawfully authorized to do so. This serious intercept capability gap often undercuts State, local, and tribal law enforcement agencies' efforts to investigate criminal activity such as organized crime, drug- related offenses, child abduction, child exploitation, prison escape, and other threats to public safety. This must change. Law enforcement must be able to effectively use lawful electronic surveillance to combat terrorism and fight crime. Law enforcement needs the Federal Government to generate a uniform set of standards and guidelines to assist in this exploration. In order for law enforcement to maintain its ability to conduct electronic surveillance, laws must be updated to require companies that provide individuals with the ability to communicate. In September, the Law Enforcement Executive Forum, comprised of law enforcement executives, including the IACP, released a plan to address the spectrum of issues related to electronic surveillance. This plan was the National Domestic Communications Assistance Center, otherwise known as NDCAC. In the Federal Government, we have to have lots of acronyms. The proposal calls for a strategy to be created to address issues related to maintaining law enforcement's ability to conduct court-authorized electronic surveillance. The proposal calls on Congress and the Administration to make funding available to establish the center. The center would leverage the research and development efforts of the law enforcement community with respect to lawful electronic surveillance capabilities. The center would also facilitate the sharing of technology between law enforcement agencies. I see that my time is up. So let me just wrap this up. State, local, tribal, and Federal law enforcement are doing all that we can to protect our communities from increasing crime rates and the specter of terrorism, both in our streets and in the many communications devices available today. But we cannot do it alone. We need the full support, we need the assistance of the Federal Government. We need clear guidance and regulations on our use of lawful interception of voice and data communications to aid us in successfully investigating and prosecuting the most dangerous of criminals. It is important for the safety of our hometowns, and that will equate to the safety of our homeland. Thank you. [The prepared statement of Mr. Marshall follows:]
__________ Mr. Gowdy. Thank you, Chief. Dr. Landau? TESTIMONY OF SUSAN LANDAU, Ph.D., RADCLIFFE INSTITUTE FOR ADVANCED STUDY, HARVARD UNIVERSITY Dr. Landau. Mr. Griffin and Members of the Committee, thank you very much for inviting me to testify. I am Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University. I am here representing my own opinions and not that of Harvard or any of the other institutions with which I am affiliated. I have spent, for the last half dozen years and more, time looking at the risks involved when you build wiretapping capabilities into communications infrastructures. And while there are issues in CALEA about security versus privacy and security versus innovation, I am here to talk about security risks in building the surveillance technology in. A major national security problem facing the United States is cyber exploitation. We have nation states and criminals penetrating systems, finding the files of interest, and downloading them quickly and shipping them out of the country. This began happening in the early 2000's and has occurred at U.S. military sites, at Government labs, and private industry. Google, Lockheed Martin, NASA, Northrop Grumman, Oak Ridge National Labs, the list goes on. How serious is the threat? According to Deputy Secretary William Lynn, it may be the most significant cyber threat that the U.S. will face over the long term. In 2003, the FBI reported that industrial espionage cost the U.S. $200 billion. It is many times higher now. Can wiretapping capabilities built into communications infrastructures be exploited? The answer is, unfortunately, ``yes'' because wiretapping is an architected security breach. Let me tell you a story about Vodafone Greece. A CALEA-type switch was built into Vodafone Greece's network, built in by Ericsson. Vodafone Greece didn't want this switch. So it had been turned off. Because they didn't pay for that piece of the switch, they also didn't have auditing capabilities. The result? A hundred senior members of the Greek government--including the prime minister, the head of the ministry of defense, the ministry of interior--were wiretapped for a period of 10 months until a text message went awry and they discovered the problem with the system. At Telecom Italia over a period of 10 years, presumably from an insider attack, people using the system--celebrities, politicians, judges, sports figures--were wiretapped for a period of 10 years. Six thousand Italians. That is 1 in 10,000 Italians was wiretapped. Presumably, no large business deal or political arrangement was ever really private. A Cisco switch made to comply with law enforcement wiretapping standards in Europe was discovered to have mechanisms in it that were designed in such a way that it was easy to spoof the system and evade auditing. When you think about a wiretapping system that can evade auditing, I want to remind you of people like Robert Hanssen, who evaded the auditing systems of the FBI for many years. If you think about it, when a Lockheed Martin or a Northrop Grumman fails to adequately secure its networks, the cost can be thousands of proprietary files stolen. But if a communications provider, an applications provider, or a switch provider fails to have an adequately secured communications system, that cost occurs over the millions of communications that utilize that switch or application. It is unlikely that surveillance can be built in securely. In the U.S., there are hundreds of communications providers, many of them very small, with fewer than 100 employees. Many startups producing new communications applications are similarly small. Putting wiretapping into the mix risks the communications of all their customers. I want to step back for a moment and talk about cryptography, a fight we had in the 1990's in which the NSA and the FBI opposed the deployment of cryptography through the communications infrastructure. In 1999, the U.S. Government changed its policy. The NSA has been firmly behind the change of policy, and endorsed a full set of unclassified algorithms to be used for securing the communications network. The NSA obviously believes that in the conflict between communications surveillance and communications security, we need to have communications security. What needs to happen? I agree that law enforcement has a problem. Law enforcement needs to be more entrepreneurial. Instead of the one-size-fits-all of CALEA, it needs more tailored solutions. It is already using transactional information. Chief Marshall described all of the information currently available on the PDAs and so on. That was not information available at the time that the wiretap laws were passed. Transactional information is what enabled us to capture Khalid Sheikh Mohammed, the designer behind September 11th. It enabled us to capture the July 21st bomber who fled from London to Rome. It is what enables U.S. Marshals Service to have cut the time to catch fugitives from an average of 42 days to 2. I think we should augment the FBI going dark effort. I know that is expensive in a time of financial austerity, but we are going to have to pay for this, and we don't want to pay for it by increasing security risks or threatening innovation. I agree that with new communications technologies there is a need for law enforcement access to legally authorized surveillance. But let us not do it in a way that makes things more dangerous and unsecures the U.S. Thanks very much. I would be happy to take questions. [The prepared statement of Ms.. Landau follows:]
__________ Mr. Gowdy. Thank you. Because I am merely keeping the seat warm for my distinguished colleague from the great State of Arkansas, Mr. Griffin, I would call on my equally distinguished colleague from the great State of Virginia, Mr. Scott. Mr. Scott. Thank you. Ms. Caproni, are you asking for any surveillance authority over and above what you have now--requirement for warrant, probable cause, and all of that? Ms. Caproni. No, we are not. We believe that the authority that we have to conduct court-authorized wiretaps, which appears in Title III as well as in FISA, is more than adequate. Mr. Scott. And when you have a wiretap and the technology doesn't let you listen in, that is the problem we are dealing with, right? Ms. Caproni. Correct. We are dealing with the problem of we have a wiretap order. So a court has authorized us to conduct the surveillance. But when we serve it on the provider, the provider tells us they don't have the ability to isolate our target's communication to the exclusion of all others and deliver them to us in a secure manner. Mr. Scott. And Chief Marshall, good to see you. As indicated, their recommendation that a technological way to get into the conversation be required to be part of cell phones or whatever else. Is that right, Chief Marshall? Mr. Marshall. Yes, sir. I mean, there is so much--there is valuable data that is contained in every--most criminals are using their cell phone in one way, shape, fashion, or form. Mr. Scott. Now, Ms. Landau, if law enforcement can get into a conversation, what would prevent anyone else who is a skilled hacker, what would be the problem for them getting in? Dr. Landau. You want a tailored solution for the problem. So the problem with the case in Vodafone Greece is that the wiretapping capability was built into the switch, and it was easy to go in and turn the switch on instead of off. Not completely trivial, but easy. And what you want to do, what I am proposing is that it not be built in in a way that decreases the security of all communications. Mr. Scott. Well, how can the law enforcement get into a conversation and a skilled hacker not be able to? Can you construct it in such a way that only law enforcement can listen in and not others? Dr. Landau. That is right. It used to be that you had to go---- Mr. Scott. That is right you can, or you can't? Dr. Landau. You can. You can. But you can't have it done in a method that makes it possible to just automatically turn it on remotely, deliver it. You have to make it more specially tailored. Mr. Scott. Is this hard? I mean, Chief Marshall, as he indicated, is from a small city. They don't have a lot of high- tech people sitting around. Is that something that is easy to put together? Dr. Landau. No, it is not easy to put together, which is why I applaud the FBI effort to do much better information sharing with State and local law enforcement. I think that the FBI should be the one taking the lead in developing those capabilities, and doing that information sharing is absolutely crucial. Mr. Scott. Now this back door would be required in domestically produced cell phones, for example. Could we require imported phones to have this same capability? Dr. Landau. I don't want to see a back door. I want to see specially tailored capability, and those are different requirements. We can require what we want about systems sold here. The question is how they can operate here and---- Mr. Scott. Well, can a phone, imported phone be hacked into by law enforcement and not hacked into by others? Dr. Landau. It depends on how you do the hacking. And that is really the question. If you build the system in a way that simplifies the hacking and makes it very easy for somebody to get in, and that is the problem with applying CALEA to IP-based communications. It is simply too easy to do that. Then you run into trouble. Mr. Scott. Well---- Dr. Landau. So I am arguing for something that is more expensive. But you are measuring the cost of a more expensive tailored solution against the national security cost of risking communications of everybody going through that switch or that application being accessible. Mr. Scott. If we could require this technology be placed in phones that are imported, we could have no ability to require that for phones that are manufactured outside of the United States and reportedly sold outside of the United States? Dr. Landau. That is right. But the question is where you do the tapping. You could do it at the phone. You could do it at the switch. You can do it at many places along the pathway. In the case of a cell phone, you can do it at a switch. That is how we do it now. Mr. Scott. So if you had an out of the country phone and brought it into the United States, the capability would be in the system, not in the phone itself? Dr. Landau. That is correct. Mr. Scott. And American manufacturers would, therefore, not be at a disadvantage? Dr. Landau. That is correct. Mr. Scott. Mr. Chairman, I yield back. Dr. Landau. But there is currently not a problem typically with wiretapping cell phones. The problem is with IP-based communications. Mr. Griffin [presiding]. I recognize Mrs. Adams for 5 minutes. Mrs. Adams. Thank you, Mr. Chair. Ms. Caproni, you have listened to Dr. Landau, and are you concerned at all about her concerns? Ms. Caproni. We share some of the same concerns, and I am little concerned that some of the answers to the questions to Representative Scott may have left a misunderstanding of how we conduct intercepts. There is no--the attacking of the device or hacking into a device, if we had a court order, is sometimes permitted. That is sometimes the best way to do it. It is not the normal way to conduct a wiretap. We want the wiretap and the device that conducts the wiretap to be under the control of the provider. So, to that extent, I think Dr. Landau and I may actually agree that we don't want the intercept solution to be somewhere where it can be gotten to by third-party actors. Mrs. Adams. Manipulated. Ms. Caproni. Correct. The lawful intercept solution should be under the control of the provider, and the provider is responsible for security. There is always risk from insiders. That is a risk that companies manage all the time, particularly big communication providers. So they need to manage that risk. And we will look, obviously, very hard at the issue of the security associated with anything that we propose to deal with this problem. So security is a legitimate concern. I think we may disagree that having a lawful intercept solution under the control of a provider increases that risk in any kind of a material way. Mrs. Adams. Chief, you have heard the concerns, and I preface this by I will tell you I am a past law enforcement officer. And it did send some red flags up to me when I start reading the breaches and everything else and on the security level of it. I would like to hear your opinion. Mr. Marshall. Yes, ma'am. Thank you. We certainly don't want to circumvent the stringent legal process involved in, one, obtaining those intercepts, whether it is voice and/or data. Again, I think we are, particularly at the local and State level--you know, I represent all of law enforcement. The bulk of our membership is really at the local and State level, and it is where law enforcement actually takes place on a day-to-day basis in this country. We need a place, particularly for the smaller and mid-sized agencies that don't have the capabilities to be able to go out, to be able to get those tools, to be able to retrieve that data. We need that place that we can make that call, that we would have that one-stop shop, if you would. That would at least, it may not have the information but would at least be able to direct us to be able to get that information. In terms of, at the same time, I agree with Ms. Caproni's statement that it is--that I think that this is the industry or the provider would have that, and they would only be providing that when you had that lawful intercept order, that judicial order. For us, it is about going dark. It is most of the criminal element are using and exploiting the ability of the communication tools that are out there. They change every day. It is amazing to me. I waited 2 years to get a Verizon phone. I finally ordered one. Came into the D.C. area last night, turned on the TV, and I found out that they have got the new generation. Generation 5G is now going to be out in June. That is the problem. I have already done my order. So it is too late. But that is the problem, and that is what we are seeing, that this is just--this changes so quickly. Mrs. Adams. Technology is changing rapidly. Ms. Caproni, leaving it at the provider, are you at least the least bit concerned that a possibility could arise, and is there a way to check the auditing system, if it is at the provider, so that we don't have a Greece or an Italy? Ms. Caproni. I think the answer to that is yes, and the providers who provide lawful intercept to us also have responsibilities for the general security of their system. The providers are responsible for making sure that their systems are not being hacked into overall. Mrs. Adams. Correct. Ms. Caproni. As well---- Mrs. Adams. But are you aware if any of the systems currently have that switch that they just haven't turned on? Ms. Caproni. I am not sure about the specific switch that Dr. Landau was talking about. She references two instances where that switch has been compromised. I would say that switch has been deployed to literally hundreds of thousands of telephone companies throughout the world. So two out of hundreds of thousands, that is a balance. We will obviously be looking, though, at security issues. Mrs. Adams. Okay. Ms. Caproni. We are concerned--we would not propose anything to solve this problem that would appreciably change the security situation that exists in our telecommunication or the Internet system. Mrs. Adams. That is what I wanted to hear. Thank you. Mr. Griffin. Chairman emeritus Conyers is recognized for 5 minutes. Mr. Conyers. Thank you, Mr. Chairman. To our distinguished chief of police and the president of the International Association of Police, you don't have much personal contact with these kinds of issues of cryptography going on, do you? Mr. Marshall. No, sir. We don't have it in terms of the cryptography. We do, however, have the issue surrounding cell phones and being able to extrapolate that data because, as we have found, they are using--anymore it is not even about voice, it is also about texting. It is IM messages. It is all of those things. Mr. Conyers. Yes. Mr. Marshall. Those are pieces that we need that would help, would significantly help our crime-fighting capabilities. The unfortunate---- Mr. Conyers. Okay. Let me get to the point that I am working at. Have you had much contact or experienced problems with Federal or State law enforcement officials seeking to conduct electronic surveillance and you were stymied because you wanted access to encrypted information that was unavailable from the communications service that you were using? Mr. Marshall. Yes, sir. We have, and it happens every day throughout the law enforcement community, an inability for us to be able to retrieve that data. In other words, if I seize a cell phone, I don't have the capabilities--as you well understand, I don't have the capabilities to be able to do it except with some off-the-shelf products that are, frankly, obsolete. I send it to the State lab. They then have to go do the search to try to find the newest, the latest and greatest tool to be able to get that. Quite often, they come back that they are unable to do it. And that, unfortunately, is something that is happening with my law enforcement colleagues in agencies across this country. Mr. Conyers. Dr. Landau, we have all agreed there is a problem here, and it is complicated. It is expensive and could also be very dangerous to our national security. What would your recommendations as first steps be in terms of dealing with this? Dr. Landau. So I think that Ms. Caproni and I will find that we agree more than we disagree. I think it is imperative that the FBI, which is in a positive to develop solutions to emerging communications technologies, have a very good information-sharing system with State and local law enforcement because they clearly are overwhelmed and cannot manage that on their own. I think transactional information, which has become much more valuable as emerging technologies come out, should be used even to greater extent than it is at present. And I think the research arm of the going dark program has to be expanded so that the FBI does the same kind of thing that the NSA does, finds out the emerging communications technologies and figures out solutions to the wiretapping before there is a case. So that when the case comes, they are ready with the solution. And so, I think that we would find we agree quite a bit. Mr. Conyers. Well, Ms. Caproni, you are here under I think you have come out from under the cloud that the whole Federal Bureau of Investigation was under the last time you were here, namely, that the IG had found out that you had been abusing the national security letters and that you promised to clean it up. And my general counsel says that he feels satisfied about it. I don't sound like I am too satisfied about it. But you are here now telling us that and it is being recommended by our own witness that you need more resources to effect this more satisfactory communication with Federal and State law enforcement officials. Is that correct? Ms. Caproni. Congressman, the FBI is always eager to have additional resources. Resources will help, but resources to the FBI standing alone is not going to solve this problem. The reality is that we have ways and we know how certain intercepts can be done. Our technicians know how to do that. But these systems need to be deployed within the provider's system. And I think from both the privacy perspective and in kind of real life what you want, you don't really want the FBI crawling around in providers' systems to install the wiretap solution. We want them to develop and deploy the wiretap solution. We think---- Mr. Conyers. I ask unanimous consent for one additional minute, Mr. Chairman. Mr. Griffin. Go right ahead. Mr. Conyers. Thank you very much. Well, then that gets us to my back door comments when I started off. Do you recall that I was saying the back door way won't work? Mr. Caproni. Congressman, I actually wrote that down, that you were concerned about building back doors into systems. And let me make one thing clear. The FBI's view is that this is not about back doors into systems. In fact, quite the contrary. We don't want a back door. What we want is for the provider to isolate the transactions and isolate the communications that the court has authorized us to get and to hand those communications and no others to us through the front door. Mr. Conyers. All right. Great. Ms. Caproni. We do not want a back door---- Mr. Conyers. That sounds good. Dr. Landau, do you agree or disagree? Dr. Landau. I disagree. It is a bit of word play here. Ms. Caproni said, look, the Telecom Italia and the Vodafone Greece case were only two cases out of thousands of deployed switches. If it were the President of the United States or the Speaker of the House instead of the prime minister of Greece, would we still be saying only two switches out of thousands deployed? Surely not. When you build wiretapping capability into an application, when you build it into a switch, you are creating a serious security risk. I would say in light of the cyber exploitations we have been seeing nationally the last half dozen years, that is not a risk we can afford. Mr. Conyers. Thank you very much, Mr. Chairman. Mr. Griffin. Thank you. The Chair recognizes Mr. Gowdy for 5 minutes. Mr. Gowdy. Thank you, Mr. Chairman. Ms. Caproni, to those who may misapprehend and fear that you are seeking an expansion of the Bureau's legal authority in this realm, alleviate those fears for them. Ms. Caproni. I will do the best I can. We are not looking for any new authority. We believe that the authority that we have to conduct wiretaps that appears in Title III on the criminal side and in FISA on the national security side are adequate to our needs. But what we are concerned is that we are losing ground to actually be able to gather the information that we are authorized to gather. For example, Dr. Landau is focusing on and suggests that we should rely more on transactional data. Transactional data is valuable. It is useful to us. It is not the same as the actual conversation, the content of the conversation, which is critically important, again, from both the national security and public safety perspective. But I would also point out that even gathering transactional data, like PIN register data, which is the most basic information. Who is the telephone calling? Who are the two sides of the communication? Under the J standards that has been adopted by industry, under CALEA, we can't get basic PIN register data. So while we may know that a telephone is texting, we don't know what the telephone number of each side of the transaction is. Without that very basic information, our investigations are stymied. We need that information in order to keep the public safe. Mr. Gowdy. Cite for me the specific remedies you are seeking and Congress's authority to grant them to you. Ms. Caproni. Congressman, the Administration is still working on what the solution would be, and we hope to have something that we can work with Congress on in the near future. Mr. Gowdy. I take it by your title, counsel, that you are legally trained? Ms. Caproni. I am. Mr. Gowdy. No doubt better than me. So help me with the authority that Congress would have to, as I understand it, dictate to telecommunications companies changes that they have to make. Ms. Caproni. Well, CALEA, which was enacted in 1994, already requires telecommunications companies to have a wiretap solution built into their system. There are some issues with CALEA and some ways that I think with the experience of 16 years with it, it could be improved, and I think that would be part of--conceivably, that would be part of what we would recommend is how to make the CALEA process for those companies that it covers more productive, and it would better accomplish the goal that Congress created in '94. As to providers that aren't covered by CALEA, I think that is the bigger challenge. And that is where, through the interagency process, there is a lot of discussion about what is the right way to walk the line, which is an important line, between having providers have the ability to execute a wiretap order when it is delivered to them and not squashing innovation and not hurting the competitiveness of U.S. companies. We have a very active discussion in the interagency about how to walk that line. I think it is going to be something that Congress is going to be incredibly interested in. Is there a way to accomplish these two goals? I am optimistic that there are ways to incentivize companies to have intercept solutions engineered into their systems that are safe and secure and not make their system more vulnerable to outside attacks while still encouraging the sort of innovation that we have seen in the American market. Mr. Gowdy. Chief, let me thank you for your service and ask you are there specific instances that you can cite within the confines of an open hearing where you or members of your membership have had investigations thwarted because of inadequacies in our information-capturing systems? Mr. Marshall. Thank you, Congressman. I don't have specific instances. I have talked to a number of my colleagues around the country who indicate that this happens on almost a daily basis. I know that we are just inundated with our case logs. We are also--because of the budgets, we have been forced to make reductions. And because of some of those case reductions, when we are trying to do some of these investigations, particularly in terms of retrieval of data that is being stored on phones or other electronic devices, they simply can't do it. When we send it, for example, in my agency, we send it, we send it to the Virginia State lab, who then contacts the Federal partners, typically the FBI. The problem is, is they also have their own case log. And because of the number of small industry agencies or small providers that are continuing to pop up with the new electronic, what ends up happening is we get the report back that it simply can't be found. And that happens every day. Mr. Gowdy. Thank you, Chief. Thank you, Mr. Chairman. Mr. Griffin. Mr. Johnson is recognized for 5 minutes. Mr. Johnson. Thank you, Mr. Chairman. Law enforcement wants us to extend the CALEA requirement to more communications like Skype, encrypted BlackBerry devices, and social networking sites like Facebook and Twitter. It is important, I believe, that we move with caution when it comes to expanding CALEA, which may also provide opportunities for hackers and foreign adversaries to gain access to these systems. I have a couple of questions. Number one, how big is the problem, Ms. Caproni, that you are trying to solve? In rough numbers, how many times in the last year did Federal and State law enforcement officials seek to conduct electronic surveillance and were stymied because the communications it wanted to access were encrypted or were unavailable from the communications service that carried them? And secondly, as you know, governments around the world have recently shown a strong interest in accessing the communications of BlackBerry business users whose emails are currently encrypted with a key not known to BlackBerry's parent company or the wireless carrier or anyone other than the company employing the individual user. Several countries have threatened to ban the use and sale of BlackBerry devices unless BlackBerry's parent company provides them with intercept capabilities. The ability of American business people to communicate securely, particularly when they travel abroad, is obviously of great importance to our own economic well-being. If the emails of a U.S. businessman or woman can be monitored by the Saudi, Indian, or Indonesian governments when they travel abroad, we risk losing the intellectual property advantage that is at the very core of our economy. However, if we force BlackBerry's parent company to give U.S. law enforcement agencies intercept capabilities over these business users, it will likely be quite difficult for the company to keep saying no to those other governments. Is providing U.S. law enforcement agencies with this access worth it if it means that foreign governments will then be able to get the same intercept capabilities in their own countries? Ms. Caproni. So there are several questions in that question. Let me try to take them one at a time. First, let me start with law enforcement or at least FBI has not suggested that CALEA should be expanded to cover all of the Internet. In fact, the subject of how you would achieve the goal that we are talking about is very actively being discussed in the interagency. That might be a solution. That might not be a solution. So we are not really suggesting that. But let us turn directly to encryption. Encryption is a problem, and it is a problem that we see for certain providers. It is not the only problem. And if I don't communicate anything else today, I want to make sure that everyone understands that this is a multifaceted problem. And encryption is one element of it, but it is not the entire element. There are services that are not encrypted that do not have an intercept solution. So it is not a problem of it being encrypted. It is a problem of the provider being able to isolate the communications and deliver them to us in a reasonable way so that they are usable in response to a court order. Mr. Johnson. Well, that is not to minimize, however, the encryption problem. Ms. Caproni. Absolutely not. But what I do want to say is, as we said in the written statement, that we are not looking, and we think this problem--there are individual encryption problems that have to be dealt with on an individual basis. The solution to encryption that is part of CALEA, which says if the provider isn't encrypting the communications, and so they have the ability to decrypt and give them in the clear, then they are obligated to do that. That basic premise that provider-imposed encryption, that the provider can give us communications in the clear, they should do that. We think that is the right model. No one is suggesting that Congress should reenter the encryption battles that were fought in the late '90's and talk about sequestered keys or escrowed keys or the like. That is not what this is all about. For individuals who put encryption on their traffic, we understand that there would need to be some individualized solutions if we get a wiretap order for such persons. The other thing I would note, and I thought at one point you were referencing the public reports that we do relative to how often encryption is encountered in Title III collection. What we find is that our agents know, for instance, that BlackBerrys are encrypted. So if their target is using a BlackBerry, they are not going to get a Title III order for that. Title III orders, for those of you who were never AUSAs, Title IIIs are a lot of work to obtain. It requires an awful lot of work from the agent's part, a lot of work on the AUSA's part. They are not going to do that to get a Title III order on a BlackBerry that they know has encrypted traffic, and therefore, they would not be able to get any usable proceeds from that Title III. So you see very low numbers in terms of the report of the number of times that we encounter encryption. But I think it is because agents, and I think Chief Marshall sort of referenced this, they will see a problem. And agents, rather than just sort of--and police officers, rather than throwing up their hands and saying, ``Well, I can't do it,'' they will figure out another way to get to where they need to go. And it may not be a Title III. It may be that they will then approach the problem from a different direction because they know that a Title III is simply not going to be productive use of their time. Mr. Johnson. Thank you. Mr. Griffin. Thank you. Mr. Quayle is recognized for 5 minutes. Mr. Quayle. Thank you, Mr. Chairman. Ms. Caproni, I want to go back to the back door issue that we were talking about earlier so that we can just clear up any misconceptions. But as you know, a lot of the public reports say that solving the problem that we have would create the back door to the Internet, where law enforcement would have the key to all communication systems in the U.S. Is that accurate? Would the Government have direct access to these communication systems? Ms. Caproni. No, that is not accurate. In fact, the way that we execute wiretaps is we go to the provider who is providing the communication service. We serve the order on them. We ask them to isolate the communications and deliver them to us. To some extent, actually, what Dr. Landau I think is proposing, although it is not entirely clear, that is for the FBI to individually have solutions, that we then deploy the intercept solution throughout the Internet. That is actually a much less privacy protective way of doing an inception. It is also not as accurate. With packet-switched communications, you have to collect all of the packets or you can't put the message back together. So there would always be the question of where would you deploy the device if we were simply deploying it in the Internet? It is for that reason that we want to do the collection with the provider. We want to be able to serve our order on the provider, which then puts a third party in the mix. We serve our order on the provider. The provider figures out what account it is, isolates that account and delivers those communications to us and only those communications to us. So there is no wiretapping of the Internet. It is really just our ability to serve a targeted order on a targeted account on a particular provider. Mr. Quayle. Okay. And with those communications that the Government would be seeking, has a court reviewed and authorized you to obtain those communications? And also could you briefly go through that process so everybody knows how that is done? Ms. Caproni. Absolutely. So looking at a Title III, because that is the authority in a criminal case, the agent and the AUSA have to put together an affidavit that establishes probable cause to believe that the target is engaged in particular criminal activity. They are committing felonies. They are using the targeted facility to commit the felony, that evidence will be--of the felony will be obtained if we intercept their communications. They also have to show that other investigative techniques have been tried and failed or are too dangerous to use or would likely fail. So this is really a last-resort type of technique. The court considers that. They issue an order. It lasts only for 30 days. During the period of that 30 days, law enforcement has to report back to the judge to tell the judge how the wiretap is going, what sort of evidence is being collected. The wiretap itself has to be minimized. So they will do real-time review of the traffic that is coming in. If it is not evidence of a crime so that they are not authorized to keep it, it gets minimized. So they don't keep that information. So they only keep the information that is actually relevant to their investigation, and it is evidence of criminality. Mr. Quayle. Okay. And just so we are brief, so there is no warrantless wiretap? Ms. Caproni. Absolutely not. Mr. Quayle. Okay. And a final question for Chief Marshall. What role does State and local law enforcement play in the research and development of interception solutions? Do you feel that State and locals have had adequate voice in this process to address this issue? Mr. Marshall. Thank you for the question. Yes, we are putting together and we actually met about a year and a half ago with the FBI and other Federal justice agencies and a significant portion represented at the State and local level to discuss this problem. Because at the State and local level, we don't have the same level of resources, particularly the smaller and mid-sized agencies don't have the same resources to be able to do these. So we rely on our Federal partners to be able to do it. At the same time, we also know that we are increasingly seeing the difficulty in being able to achieve that. That was why a year and a half ago, when we started meeting, we ended up meeting, looking at the problems, particularly at the State and local level, and coming up with this proposal for the NDCAC. And the NDCAC actually, its proposed governance--and we are still continuing to work some of that out--but it would have a significant proportion would be relegated at the State and local so that we have that representation, that we have that voice, that we have that ability to be able to share some of the solutions that have been developed by some of--and for the most part, they are usually some of the major metropolitan areas. But we have that place that we can all put in that we would be able to share those best practices and strategies and also be able to have a voice in this problem. This is a problem for all of law enforcement, not just for the FBI. It is not just for the DEA. This is a problem whether it is a 5-member department or 5,000. Mr. Quayle. All right. Thank you. Mr. Griffin. Chairman emeritus Conyers is recognized for another question. Mr. Conyers. Thank you very much, Mr. Chairman. Dr. Landau, I would like to feel a little bit more comfortable with you commenting on the question of our colleague Mr. Quayle in terms of the back door question that he initially asked. Do you remember what that was? Dr. Landau. If he could restate it, that would be great. Mr. Griffin. We are playing musical chairs. Mr. Quayle. Oh, great. What was that? Dr. Landau. Restate your back door question. Mr. Quayle. Okay. Basically, would the solutions to the problem that we are talking about actually provide a back door to the Internet where law enforcement could have a key to all communications systems in the U.S.? Dr. Landau. So Ms. Caproni said that I talked about building the wiretapping into the fabric of the Internet, and certainly not. Earlier, I said that I couldn't speak for Harvard, and that is absolutely true. Let me point out that I also can't speak for the NSA. The NSA has been pushing hard for communications security within the United States. It pushed out in 2005 a set of recommendations on how to secure a communications network using publicly available cryptography developed through the National Institute for Standards and Technology. It is pushing that land mobile radio be available. Secure, interoperable land mobile radio can be purchased over the counter in a place like Radio Shack, and we know that it is not just local law enforcement and first responders who will be using those systems. So if the NSA can function in that environment, I would certainly hope that the FBI can learn to function in that environment. I am saying that building wiretapping into a communications infrastructure, whether a switch or an application, building interception into that communications infrastructure is a dangerous model, whether you are Vodafone Greece, Telecom Italia, or the United States. Thank you. Mr. Conyers. Could I give, Mr. Chairman, the representative from the FBI the last word on this in this discussion? Ms. Caproni. I am sorry. On the discussion of whether it is a back door? Mr. Conyers. Yes. Just what Dr. Landau just commented on. Ms. Caproni. I think what she is suggesting is that there should be security for information, and we agree with that. I mean, that is not--we are not suggesting that communications should be insecure. We are suggesting that if the provider has the communications in the clear and we have a wiretap order, that the provider should give us those communications in the clear. But, for example, Google, for the last 9 months, has been encrypting all gmail. So as it travels on the Internet, it is encrypted. We think that is great. But we also know that Google has those communications in the clear, and in response to a wiretap order, they should give them to us in the clear. Dr. Landau. No problem there. Mr. Conyers. Thank you very much, Mr. Chairman. Mr. Quayle [presiding]. Thank you. The gentle lady from California, Ms. Chu, is recognized for 5 minutes. Ms. Chu. Thank you, Mr. Chair. For Ms. Caproni and Mr. Marshall, today you have described difficulties in gaining assistance from companies in complying with lawful wiretap orders under 18 U.S.C. 2518. Title III orders include a requirement that all providers furnish the applicant forthwith all information, facilities, and technical assistance necessary to accomplish this interception. Have you pursued contempt motions against any providers who have failed to comply with these lawful orders? Ms. Caproni. Our approach with industry is one of cooperation. So we try to work with the companies to get them to develop a solution that will work. Our sense has been that it is very difficult on the one hand to be cooperative and to work with a company who tells you we are trying, we are trying to figure out how to do this so that it will work and not interfere with our solution--with our general system, to at the same time be hauling those people into court. It seems to interfere with the cooperative relationship. So, no, we have not hauled any of these providers into court on an order to show cause why they should not be held in contempt. Ms. Chu. Mr. Marshall? Mr. Marshall. Yes, ma'am. My answer is a little bit more basic. No, we have not pursued that because we typically do not have any direct involvement. We don't have the involvement directly with industry. In other words, we are working through our lab or we are working, if it would be a Title III, it would be worked through our Federal partners, whether it is a task force application or something of that nature. I will say, and I certainly I would stress this, I think that this has to be a partnership with industry. Industry, we want industry to be involved in a collaborative effort to come up with a solution. We understand that certainly there are costs involved, but a piece of this is it also has to be about what is good for public safety and being able to have that ability to be able to keep our crime-fighting capabilities at least up to the level that we have. Ms. Chu. Ms. Landau, how do you respond to that? Dr. Landau. So I am mystified in some sense by the discussion because while I certainly understand the going dark issue, and I hear the FBI and local law enforcement saying we are having problems, what I am not hearing are specific types of solutions. Ideas were floated last fall about getting rid of peer-to-peer and Skype, getting rid of encryption or making keys required to be stored. And as we saw in Ms. Caproni's testimony, the written testimony, the FBI is no longer asking for any re-architecting the Internet, no longer asking at least for certain changes on encryption. So I am a little confused. I understand that there are serious problems, and I agree that the new technologies sometimes do cause those problems. But there aren't concrete suggestions on the table. The only one being better research at the FBI, and I think that is important. I want to tell a little story, which is a couple of weeks ago when the situation was developing in Egypt and all the communications were cut off with the rest of the world, all the Internet communications, Google sat down with Twitter over a weekend and developed Speak to Tweet. That was a handful of engineers. You could speak into a call. It could be translated into a Tweet message, and that was a way for the Egyptians to communicate with one another. That is terrific. I was delighted to see that innovation was happening here. It was happening with a handful of engineers. And that is the way many systems are developed in the U.S., whether you are talking about Google, which started with two engineers at Stanford, or Facebook, with a handful of people at Harvard. So I don't quite understand what the FBI is pushing for, other than saying we are having a problem. We would like to augment our research arm, which I think is good. We would like industry to deliver things when they have it in the clear. Industry, when they are capable of delivering it in the clear, should be delivering it in the clear. So, thank you. Ms. Chu. Okay. Last question. If we do grant the FBI the authority it seeks, will this stop sophisticated criminals and terrorists from encrypting their communication, or will they simply start using communication tools provided by companies or programmers outside the U.S.? And what do we do when criminals start using secure communication tools provided by developers associated with the WikiLeaks organization, who will ignore requests by U.S. law enforcement agencies? Ms. Caproni. Thank you for that question. There will always be criminals, terrorists, and spies who use very sophisticated means of communications that are going to create very specific problems for law enforcement. We understand that there are times when you need to design an individual solution for an individual target, and that is what those targets present. We are looking for a better solution for most of our targets, and the reality is, I think, sometimes we want to think that criminals are a lot smarter than they really are. Criminals tend to be somewhat lazy, and a lot of times, they will resort to what is easy. And so, long as we have a solution that will get us the bulk of our targets, the bulk of criminals, the bulk of terrorists, the bulk of spies, we will be ahead of the game. We can't have individual--have to design individualized solutions as though they were a very sophisticated target who was self- encrypting and putting a very difficult encryption algorithm on for every target we confront because not every target is using such sophisticated communications. Ms. Chu. And Dr. Landau, any response? Dr. Landau. Thank you. So I am glad to hear, actually, the specific issue now of individualized solutions versus better solutions for bulk. And certainly, in some cases, and the one that Ms. Caproni mentioned about getting the unencrypted gmail that gmail obviously has at the other end or you couldn't read your gmail when you logged on, in that case, in that particular architecture, I suspect it is very easy for Google to deliver that mail, and I suspect it does it forthwith. But we are arguing about the issue of developing individualized solutions for wiretapping versus creating bulk solutions, what the FBI calls better solutions for bulk when we have a national security threat of downloading and exploiting U.S. industry, U.S. military, U.S. national labs, U.S. civilian agencies. And I don't think we can possibly build into the various communications infrastructures wiretapping solutions that will allow that type of bulk when it is so easy to subvert software and so easy to subvert IP-based solutions. Thank you. Mr. Quayle. The Chair recognizes the gentleman from Virginia, Mr. Scott, for one additional question. Mr. Scott. Thank you. I am a little confused. Ms. Caproni, you indicated that you don't want the access through the phone itself, but through the system, which would require--are you looking for real-time access or a copy of conversations? Ms. Caproni. We are looking for--I am sorry. Primarily, what we are talking about here today is real-time interception. Part of what Chief Marshall has talked about is actually information that would not be collected in real time, information that is stored on your cell phone or your smart device, whatever. But the bulk of what I have been talking about today is electronic surveillance. So capturing the communications in real time. Mr. Scott. And having somebody in the industry go around trying to find this would take obviously someone on company payroll and expense. Who is paying for this expense, and how much is it? Ms. Caproni. So we are responsible, and we are typically billed for the cost of electronic surveillance. So we will reimburse. But they have to have a solution. So they have to have the ability to find---- Mr. Scott. But law enforcement will pay the costs of the finding and making access to the communication? Ms. Caproni. Let me just double check, but I am pretty sure that is right. Yes. Mr. Scott. And so, that would come out of Chief Marshall's budget? Ms. Caproni. Yes, I am sorry, Chief. Mr. Scott. And does Chief Marshall have to have somebody on staff technologically sophisticated to figure out what to ask for and how to do all this? Ms. Caproni. Well, that actually is an issue is different providers want orders to be worded slightly differently, and that actually is one of the things that we think the NDCAC, or I can't remember what, the DCAC, this center that we are talking about would provide. It would provide the ability to be a single point of contact. So law enforcement, if they are doing a wiretap, let us say, of an RCN account that they have never done before, we would probably have a relationship with RCN. We would know how the order should be worded. We would know who in the company it should be served on. So we would provide that intermediary so that every law enforcement agency in the country doesn't have to have that level of expertise. So it could be much more tailored, and they would have one-stop shopping, and we would serve as an intermediary or the center would serve as a useful intermediary between industry and law enforcement. Mr. Quayle. The Chair recognizes the gentleman from Georgia, Mr. Johnson, for one additional question. Mr. Johnson. Thank you, Mr. Chairman. CALEA's purpose is to require that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment to ensure that they have built-in surveillance capabilities, thus allowing Federal agencies to surveille in real time electronically. And that calls for individualized solutions to communications like Skype or encrypted BlackBerry devices and social networking sites. Am I correct about that? Am I on track? Ms. Caproni. CALEA doesn't cover social networking sites. Mr. Johnson. Okay. All right. But as far as Skype and BlackBerry devices, it is applicable to? Ms. Caproni. So Skype is not a U.S. company. So it is not covered by CALEA, or it may not be covered by CALEA because it is not a U.S. company. The same with REM. Mr. Johnson. Okay. So non-U.S. companies would not be subject to any extension of CALEA. You are seeking--what are you seeking here today? That is really, I think, Ms. Landau's point, and that is my point also. What is it exactly that you would want Congress to do, or are you asking Congress for anything? Ms. Caproni. Not yet. Mr. Johnson. Or did we just simply invite you here to tell us about this? Ms. Caproni. You invited me, and we came. But we don't have a specific request yet. We are still--the Administration is considering--I am really here today to talk about the problem. And I think if everyone understands that we have a problem, that is the first step, and then figuring out how we fix it is the second step. The Administration does not yet have a proposal. It is something that is actively being discussed within the Administration, and I am optimistic that we will have a proposal in the near future. Mr. Johnson. So you mean I have been worried for the last 24 hours about some legislation or some issue that I could have worried about later, I guess? I am still worried about it. Ms. Caproni. I am sorry to have put you through a sleepless night. I am sure we will have many others once we get a proposal on the table to consider. Mr. Johnson. Well, I will tell you, life becomes so complicated that it is almost impossible to keep from worrying. Thank you. Ms. Caproni. I agree. Mr. Quayle. I am going to recognize myself for one additional question. Ms. Caproni, I was just curious. Do you know if the number of court-ordered electronic surveillance have actually gone down or up than the previous years? You don't have to be specific. But do you know if they have gone down or up? Ms. Caproni. I think they are going up a little bit, and the raw numbers may not be as revealing as the sort of services that are being asked for now. So we are seeing more sophisticated and difficult services, like VOIP is coming up more and more in wiretaps. I think the absolute number of wiretaps may be about the same or going up slightly. Dr. Landau. I actually know the answer, which is that I believe, according to the wiretap report, it has been steadily increasing with perhaps a little bump down in 2009. But a quite steady increase. What is also increasing quite substantially is the number of PIN register requirements, PIN registers being asked for. Mr. Quayle. Thank you. Well, I would like to thank our witnesses. Mr. Conyers. Mr. Chairman? Mr. Quayle. Yes? Mr. Conyers. Before we---- Mr. Quayle. Another one? Mr. Conyers. Yes, one final question. Is the ACLU correct in worrying about once we start trying to get into this question it is going to spin out of control, and all the things that may have kept Hank Johnson up last night is going to keep all of us up? I ask Dr. Landau that because there are some up here that say, well, let us help the FBI out, and we will give them the legislation that we think they need. And there are others that say, well, if you do that, you are going to get something much worse back. And there we get into this legislative turmoil. Dr. Landau. Thank you very much for the question. So I really said I was going to talk about security, but I will take that privacy question. When you make it easy to wiretap, when all you have to do is flip a switch, it becomes much easier for privacy to be violated. So what we saw, and I know this is not the issue being discussed now. But what we saw during 2001 was a single opinion by a single relatively low member of the Department of Justice about warrantless wiretapping. It was not reviewed by other members of the Department of Justice, and it instituted the warrantless wiretapping. So the point is that when you make it simple to wiretap, when you make it technologically simple to wiretap, it can be abused. Mr. Conyers. Thank you, Mr. Chairman, for your generosity. Ms. Caproni. I am sorry. May I respond to that question? Mr. Quayle. Yes. Ms. Caproni, could you please respond to that? Ms. Caproni. Representative Conyers, there are a lot of things that keep me up at night. One thing is the privacy of people who are communicating on the Internet. One is the security of the Internet. FBI is responsible for cyber attacks. We investigate them all the time. The security of the Internet is extremely important to the FBI. But I also get kept up by worrying that we have got criminals running around that we can't arrest and can't prosecute because we can't actually execute a wiretap order. And that criminal may be a massive drug dealer. They may be an arms trafficker. They may be a child pornographer or a child molester. Those are things, real-life things that keep us up at night because we need the authority--I am sorry. We have the authority, but we need the actual ability to conduct the wiretap so that we can keep the streets safe. I worry about things like a Mumbai-style attack where, God forbid, the attackers are using communications modalities that we don't have an intercept solution for. Mr. Conyers. So what is a little privacy invasion compared to all those big things that you could or are worrying about, right? Ms. Caproni. Remember, what we are talking about is court- authorized wiretaps. So the privacy of people that are being invaded is only being invaded if an Article III judge has said that probable cause has been established and that the Government has the right to intercept these communications. Mr. Quayle. Well, I would like to thank all of our witnesses--since we are kind of diverging off topic. I want to thank all of the witnesses for their testimony today. And without objection, all Members will have 5 legislative days to submit to the Chair additional written questions for the witnesses, which we will forward and ask the witnesses to respond as promptly as they can so that their answers may be made part of the record. Without objection, all Members will have 5 legislative days to submit any additional materials for inclusion in the record. Mr. Scott. Mr. Chairman? Mr. Chairman? I would ask unanimous consent that a statement from the ACLU, the Center for Democracy and Technology, and other industry and privacy advocates be included in the record. Mr. Quayle. Without objection. [The information referred to follows:]
__________ Mr. Quayle. This hearing is adjourned. [Whereupon, at 12:50 p.m., the Subcommittee was adjourned.] A P P E N D I X ---------- Material Submitted for the Hearing Record
![]()