Tech Law Journal

News, records, and analysis of legislation, litigation, and regulation affecting the computer, internet, communications and information technology sectors



Speech by White House Chief of Staff John Podesta.
Re: U.S. policy regarding export of encryption products, and regarding electronic privacy.
Date: July 17, 2000.

Editor's Notes:
  John Podesta read a prepared text.
  Tech Law Journal scanned a paper copy, and converted it into HTML.
  Copyright Tech Law Journal 2000. All rights reserved.


CHIEF OF STAFF JOHN PODESTA
REMARKS TO NATIONAL PRESS CLUB ON ELECTRONIC PRIVACY

WASHINGTON, DC
July 17, 2000

As prepared for delivery

White House aides have been known to write kiss and tell books. I'm slightly embarrassed to say that the only book I've ever written was Protecting Electronic Messaging -- not exactly up there with All Too Human.

But today I want to return to some of the topics from that not-quite best-selling book -- particularly the issue of how to protect privacy and civil liberties, while also protecting public safety in an electronic age.

To understand what these themes mean today, I need to give you a little bit of history. More than a hundred and fifty years ago, not too far from here, Samuel Morse sent the first telegraph message. With the touch of a finger, he shattered barriers of time and space, opening up a world of possibility that wasn't even imagined just a few years before. Morse's invention set in motion a technological revolution that would forever change the way man would communicate.

In the 21st Century, this great revolution in communication technology continues. From small towns to big cities, the Internet is bringing millions of people closer together, giving them new ways to find information and to stay in touch. When it was invented thirty years ago, there were just two computers exchanging very simple messages. Now there are almost 50 million households online, all with the same access to a remarkable reservoir of information - from Shakespeare's first sonnet ... to medical research ... to the photos just taken of Mars.

The Internet, like Morse's telegraph, brings with it new possibilities. It also brings new challenges to our most fundamental values - and the need for new laws and new protections to maintain them. Because we are so interconnected, more people now have easier access to our most personal information - from bank statements to our medical history. International narcotics traffickers can communicate with each other via computer messages. Hackers can destroy cyberproperty by defacing homepages and maliciously manipulating private information. That's why we have to make sure the Internet is used to the benefit of people - not to their detriment.

Over the last seven and a half years, our Administration has worked to build a framework for trust and security in this new world of electronic networks. We've taken action to ensure that what should be private, stays private, including the medical and financial records of our citizens.

And to combat cyber-terrorism, we've introduced new legislation, increased law enforcement efforts, and coordinated public-private partnerships to build security and trust in online activities.

This February, in his Cyber Security Summit, the President emphasized the primary role and responsibility of the private sector in ensuring computer and network security. As you know, most computers and networks that we rely on every day are owned and operated by the private sector. It's only right that they -- not the government -- take a leading role in making security a standard part of the Internet.

The private sector is also taking a leading role in electronic messages and commerce.

Our Administration has already moved to liberalize export controls on encryption, allowing more companies to export the technology to more end users. And we've done so while maintaining a framework necessary to protect our national security.

Today we are announcing significant new updates to our export controls. Under our new policy, American companies can export any encryption product to any end user in the European Union and eight other trading partners. We're also speeding up the time-to-market, by eliminating the thirty-day waiting period when exporting encryption goods to these countries.

While the private sector has a key role -- the government also needs to protect its own systems from security risks, such as hacker attacks and computer viruses. Our Administration has already taken action to ensure that cyber security measures are included as part of all government computer systems. But good security needs to be updated constantly - and it costs money. We've proposed $90 million to help detect computer attacks, to conduct research on security technology, to hire and train more security experts, and to create an internal expert review team for non-defense agencies. Unfortunately, the Congress still refuses to appropriate one dime to put these initiatives in place. It's time they picked up the pace and provided the protections that are essential to America's cyber security.

Implementing strong encryption is only one step in building a framework of cybersecurity and trust. We also need to keep our laws consistent with the latest advances by updating our existing communications privacy laws for the Internet age. At the heart of the issue is the Fourth Amendment, which protects, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures."

In 1787, a person's most important "papers and effects" -- like diaries and letters -- were almost undoubtedly in their home or place of business. These papers were protected by the requirement of a warrant before the state could enter and search. But over time, with advances in technology, people no longer relied solely on paper and pen to communicate with one another.

By the turn of the 20th Century, people started using the telephone for personal calls and business transactions.

By the 1980s, Americans began using e-mail. Looking ahead, even more of our "papers and effects," like word processing software and files, will be kept outside of the home. These advances in technology have forced an ongoing debate in Congress and in the Courts over the application of the Fourth Amendment.

This debate is not a new one. In the 1928 Olmstead case, the Supreme Court found that warrantless wiretaps were not protected by the Fourth Amendment. Louis Brandeis in his fiery dissent in defense of privacy rights argued that, "There is, in essence, no difference between the sealed letter and private telephone message." Wiretaps of phones, Brandeis argued, invaded the privacy of people on both ends of the line - the same privacy the framers intended to protect with the Fourth Amendment.

Forty years later the Court embraced Brandeis and ruled in Katz vs. the United States that an individual's phone conversation was protected by the Fourth Amendment. Later that year, Congress responded to the Court's decision by passing new legislation with strict standards for all wiretaps.

Title III of the 1968 Crime Control and Safe Streets Act required a court order and high level Justice Department approval for all phone wiretaps. It only allowed wiretaps in the most serious crimes, such as espionage, treason, and crimes of violence.

Title III remained relatively untouched until the 1980s, when cellular telephone service, e-mail, and other computer-to-computer communication began to put new demands on the 1968 law.

By 1984, Title III simply did not protect the conversations of the 7,000 Americans who were using cellular phones, and the 400,000 who were logging onto electronic mail.

In response, under the leadership of Senator Leahy and Representative Kastenmeier, Congress once again updated its laws to keep pace with changing technology. ECPA, the Electronic Communications Privacy Act, put in place many of the protections the courts had given to phone conversations two decades earlier.

Today, ECPA -- like its predecessors -- has, in many ways, become outdated by new advances in computer technology and electronic communication. Since its passage in 1986, we've seen a communications revolution with the explosion of the cell phone and the development and use of the World Wide Web. Today there are more than 95 million cell phone users, and more than 50 million households online in the United States. More than 1.4 billion e-mails change hands each and every day. Computer users today send e-mail from their home phone lines through Internet Service Providers, and they download files and e-mails onto shared servers at work. A growing number of Americans -- 2.2 million today -- log on to the Internet and send email through cable modems -- a means of connection that wasn't even considered when ECPA was written.

ECPA was not devised to address many of the issues related to these newer, faster means of electronic communication. It doesn't extend the stringent Title III protections to the capture of e-mail that you send to your friends or business partners.

It doesn't include other important protections for electronic communications -- like the scope of the crimes covered ... the need for Justice Department approval, ... and a statutory suppression rule for government violations.

What does all this mean? It means that data transmitted over networks is not afforded the full privacy protection we give to traditional phone calls.

Basically, the same communication, if sent different ways - through a phone call, or a dial-up modem -- is subject to different and inconsistent privacy standards. Considering the extent to which our electronic correspondence contains our most sensitive thoughts and information -- shouldn't they count, as Louis Brandeis foreshadowed more than seventy years ago, as the "papers and effects" mentioned in the Fourth Amendment?

It's time to adopt legislative protections that map these important privacy principles onto the latest technology. It's time to update and harmonize our existing laws to give all forms of technology the same legislative protections as our telephone conversations. I would like to discuss several legislative proposals that the Administration is forwarding to the Hill today that would make this happen. Congress is already considering proposals in this area, and I believe together we can work to get them done this year.

First, current statutes set standards that only apply to wiretaps -- traditional hardware "devices" -- not to software programs that can conduct the same surveillance. Such telephone-era laws should be clearly updated to apply to the Internet era where hardware and software can be interchangeable. Our proposed legislation does that: It would amend statutes using outmoded language and that are hardware-specific, so that they are technologically neutral. In other words, the legislation would apply equal standards to both hardware and software surveillance.

Second, we need to achieve parity in the way the laws apply to different forms of communication. The current law sets stricter standards for law enforcement access to "wire" communications such as telephone calls, than for "electronic" communications such as e-mail. The market should play the central role in picking technological winners and losers, not Congress or the regulators.

Our proposed legislation would harmonize the legal standards that apply to law enforcement's access to e-mails, telephone calls, and cable services. For more than 30 years, federal law under Title III has set a tough, but workable standard for when law enforcement officers can listen to the contents of phone calls. Today, the same legal protections should apply equally to electronic communication.

At the same time, we propose to change the standards that apply to cable services. Under the current Cable Act, even where there is clear proof of serious crimes, law enforcement cannot gain access to subscriber records, unless the customer can first contest the issue in court. With our proposal, we would retain the underlying purpose of the Cable Act to keep confidential the list of shows that a customer has watched.

But, when cable systems are used to access the Internet, we believe the rules should be the tough, but sensible standard we also support for e-mails and telephone calls.

Third, we need to seek a better balance amongst the sometimes competing goals of the protection of public safety ... the achievement of economic growth and digital opportunity ... and the preservation of privacy and civil liberties. That's a challenge that our forefathers grappled with when they wrote the Constitution, and one that our government and courts have struggled with ever since. Our aim should be to enhance law enforcement's ability to address unlawful conduct, but also to enhance privacy and civil liberties on the Internet.

For example, we need to update the current law that governs when law enforcement can track the identity of those with whom we communicate. Our "trap and trace" rules come from the era of the traditional telephone network, when one company offered nationwide phone service.

Today, we are proposing ways to make these "trap and trace" rules more effective for law enforcement, while also assuring privacy and civil liberties. We believe that a state or federal court should be able to issue an order to trace a communication to its source - irrespective of whether that communication has been channeled through various telephone or Internet providers. We also believe that there should be greater judicial oversight of trap and trace authorities.

Federal law should make clear that such orders should only be issued after a judicial officer has determined that the proper factual showing has been made. These are steps that will protect our public safety while preserving our civil liberties.

Fourth, and finally, in response to what we have learned about hacking attacks, we must update the Computer Fraud and Abuse Act. The Act should be strengthened to take account of the full range of damages caused by computer attacks. Small attacks -- with under $5,000 damage -- should be treated as a misdemeanor and not as a felony as proposed by some in Congress. However, multiple small attacks should be treated as one large attack and punished accordingly. And we should match punishments to the crime, by eliminating mandatory jail time for less serious attacks.

Let me conclude by quoting Thomas Jefferson, who said, "America's institutions must move forward hand-in-hand with the progress of the human mind." Today, the progress of the human mind is racing forward at an extraordinary pace. Technological discoveries are opening up new worlds of possibility -- but they are also challenging our privacy in ways we never imagined. As in any era of great progress, we must work to ensure that our democracy and our laws keep pace with our advances -- and that we protect our privacy and civil liberties, and not just the law enforcement mechanisms that we've instituted to preserve them.

Thank you.

 

Copyright 1998-2008 David Carney, dba Tech Law Journal. All rights reserved.
Phone: 202-364-8882. P.O. Box 4851, Washington DC, 20008.