The most significant challenges for law enforcement officials in catching cybercriminals are legal rather than technical, according to Department of Justice officials testifying at a Congressional hearing on the Fourth Amendment and the Internet held Thursday afternoon.
Hosted by the Judiciary Committee's Constitution Subcommittee, the hearing explored whether existing statutes protect citizens from unreasonable searches and seizures in an era when more personal information is communicated over the Internet.
Subcomittee Chairman Charles Canady (R-Fla.) says Congress must consider whether "additional legislation or oversight is necessary to ensure that legal protections of personally sensitive information keep pace with rapidly advancing technology related to electronic communication and information storage."
Kevin DiGregory, deputy associate attorney general, asked Congress to update statutes written for tracing telephone calls to allow for end-to-end tracing of Internet communications. The current statutes outline the standards for getting a court order to place a pen register, a device that records telephone numbers dialed from a telephone, or a trap-and-trace device, which records the phone number of incoming calls. Pen register and trap-and-trace orders are used more frequently than wiretaps in law enforcement investigations.
Both of these statutes require law enforcement officials to obtain court orders in multiple jurisdictions to trace a single online communication that includes hops along many carrier routes. The Justice Department wants judges to issue trace orders nationwide to speed their investigations of crimes such as the recent denial-of-service attacks.
"Often hackers are weaving from one system to another, and it's hard for us to tell where the communication is coming from," explains David Green, deputy chief of the Justice Department's Computer Crime and Intellectual Property Section. "We want to see the trap-and-trace law updated so we can trace a communication to the source, so we can serve the court order on the next carrier down the line."
Green says the Justice Department also wants ISPs to keep their message and traffic logs for longer periods of time so that law enforcement officials can track past online activities of suspected criminals. However, Green says the agency is not looking for a legal remedy in this case and understands that archiving data is a costly issue for ISPs. "We want to work with the ISP industry on this," he says.
Privacy groups are urging Congress to reject nationwide Internet trace orders. Gregory Nojeim, legislative counsel of the American Civil Liberties Union, says the standard for obtaining a court order authorizing placement of a pen register or trap-and-trace device is extremely low and that it is unclear what information the government is obtaining under the current statutes.
"We urge you to reject this request because the standard for issuing a pen register or trap-and-trace order must first be strengthened substantially," Nojeim says.
Nojeim also argues that the existing statutes would not allow law enforcement officials to ascertain a suspect's e-mail address or the e-mail addresses of incoming and outgoing messages for that suspect. "It is not clear whether law enforcement agents use or should use authority under the pen register statute to access a variety of data, including IP addresses, dial-up numbers and e-mail logs," he says.
James Dempsey, senior staff counsel at the Center for Democracy and Technology, also recommends that Congress establish a tougher standard for law enforcement officials to get court orders for pen registers. He says that the personal information disclosed under a pen register or trap-and-trace order served on an ISP should be defined and limited.
The debate over nationwide tracing of online communications comes a few weeks after the Internet Engineering Task Force rejected a proposal to develop protocols that would make it easier for law enforcement agencies to intercept communications over the 'Net. The Internet Engineering Task Force cited concerns that a built-in wiretapping capability would lessen the security and increase the complexity of its protocols.
IETF Chair Fred Baker testified at the hearing that the international standards development group is the wrong forum for designing protocols to meet the wiretapping laws of specific countries.
"For the IETF to try to develop one comprehensive specification that supports the wiretap laws of every country would be an impossibly complex undertaking," he says. "The IETF concluded that these are national matters that are best left to national bodies."
RELATED LINKS
