come more and more interested in electronic mail records."

Certainly electronic mail networks will contain a wealth of data about the communications of their users. Telenet holds in its computers for anywhere from one day to two weeks copies of messages sent through the system. MCI plans to hold copies of the messages for six months, in case questions arise about billing or customers accidentally erase their messages.

Just the fact that MCI's computer capacity will enable it to hold the messages it transmits for six months makes "some customers nervous," said Marilyn M. Mouly, vice president for marketing of MCI Digital Information Services Corp.. the subsidiary that runs MCI's electronic mail system. "When you mail a letter with the Post Office, they don't Xerox it. Generally people see us as carrying messages, not keeping a copy."

There are clear rules on when ordinary mail sent through the Postal Service can be opened. Most correspondence can be opened only after a search warrant is obtained. When law enforcement officials want the Postal Service to tell them from whom a specific individual is receiving mail, they request a mail cover from the chief postal inspector. Under regulation, the inspector is supposed to approve requests only for the investigation of a felony, the location of a fugitive or a national security investigation. In 1983, the Postal Service approved 6.892 mail covers, up 56 per cent from a decade ago. Postal Service officials say these same rules would apply to mail sent through the Postal Service's electronic mail system, known as E-COM.

But the rules for access to privately transmitted electronic mail have not been established. "There is little, if any, legal protection for message information in the hands of private organizations," said Rand Corp. computer security expert Willis H. Ware in recent congressional testimony. In an interview, Ware said he was aware of no law that would prevent a private firm from releasing electronic mail records to police agencies or anyone else-merely upon their request.

Both Telenet and MCI said they would not release the information to law enforcement officials on request alone and would require a search warrant or a subpoena. But those are voluntary decisions subject to change, and some in the industry would like to see clear legal standards. "It certainly is a gray area of what kind of protection a company has from federal government intrusion," said computer consultant Ulrich.

Similarly, there are no laws governing requests by police officials for the records of the traditional courier services, such as Federal Express. Federal Express attor

54 NATIONAL JOURNAL 1/14/84

Ronald L. Plesser, former general counsel of the Privacy Protection Study Commission. "Our laws have not kept pace with the [new computer or communications technology."

ney Elizabeth McKania said the firm generally would require a subpoena before releasing records, but in some cases, such as the investigation of a bank robbery, might not. "It certainly is not illegal for us to provide them with information," she said.

ELECTRONIC BLINDSPOT?

Also in dispute among experts in the field is whether any law protects an electronic mail transmission or any other communication between two computers. from unauthorized interception while it is

in transit.

Two laws govern the interception of telecommunications. Title III of the 1968 Omnibus Crime Control and Safe Streets Act bans the private interception of wire or spoken communications and establishes a process for approval of wiretaps by law enforcement officials. To wiretap a suspect, a federal law enforcement official must obtain the approval of the Attorney General and then a federal judge after demonstrating that there is "probable cause" that the suspect has committed or is about to commit one of a list of specified crimes. Approval is granted only for 30 days or less, and the law allows the judge to require reports on the investigation. These standards are much tougher than the rules governing search warrants or other investigative tools. The second law, the 1934 Communications Act. makes it illegal "to intercept any radio communication and divulge or publish" the contents.

The problem for computer commun cations arises from the definition of intercept in the crime control law Though it bans unauthorized interception, the law defines that as "aural acquisition of the contents of any wire or oral communica tion"- that is, the interception of a voce communication that could be understood by the human ear, as a wiretapper listen ing to an ordinary phone call would de But computers utilize non-aural comme nications that transmit data through a series of digitized bits that cannot be understood by the human car For that reason, they are not covered by the law

No one is accusing the Justice Depart ment or FBI of abusing this provision of the law Deputy assistant attorney gen eral for the Criminal Division John C Keeney said in an interview that he has not seen any requests to intercept com puter transmissions But computer users and civil libertarians are concerned that the potential for abuse remains uniess computer transmissions are given the same legal protections as telephone con

versations

G Robert Blakey, a law professor at the University of Notre Dame who was the principal author of Title 111 and sev eral other major crime bills when he was an aide on the Senate Judiciary Commit tee, said that the exclusion of computer communications was not an oversight "Did we intend to exclude machine-based data? Yes we did." he said in an interview. Congress was worried about wiretaps, whose use had been severely limited by two Supreme Court decisions in the mid-1960s. not about computer privacy Blakey said. "Congress wasn't prepared to step into computer privacy, and that the reason we put that word ["aural there." he said "Aural' is a neat little word It simply confines the bill to the consensus that was there" in Congress at the time

The Justice Department agrees that computers are not covered and that federal officials would not have to g through the extended Title III process to intercept communications between two) computers. In a 1978 case. US Sendlitz, the US Court of Appeals for the 4th Circuit also ruled that non-aural commenications were not protected by Title III

That much seems clear What is an clear is whether law enforcement officials have to go through any legal process before intercepting computer transmis sions.

One answer comes from the courts rulings on pen registers, devices that record the numbers dialed on a phone. but not the contents of the conversations themselves. In the mid-1970s, American Telephone & Telegraph Co. (AT&T) asserted that the FBI had to receive a Tiue

III authorization before the company would install pen registers. The FBI argued that an ordinary search warrant was sufficient. In December 1977, a sharply divided Supreme Court ruled, 5-4, that because the pen register was intercepting non-aural communications (the tones that indicate the number dialed) and legislative history made clear Congress intended to exclude pen registers, the FBI did not need a Title III warrant. In two subsequent cases, the Supreme Court and a federal appeals court have held that law enforcement officials did not even need a search warrant to install a pen register. Nonetheless, H. W. William Caming, AT&T's senior counsel on privacy issues, said the firm will not cooperate with pen register requests without a warrant.

But the signals captured by pen registers may be different from other computer transmissions. Because the caller knows that records of the numbers he dials will routinely be held by the phone company for billing purposes, he does not have the same expectation of privacy for that information as he does for the contents of his conversation.

In a transmission of information between two computers, though, the parties would have a reasonable expectation of privacy, several experts said. Legally that expectation puts the communication under the 4th Amendment's protection against unreasonable search and seizure, these experts argue. "In a computer-tocomputer transmission, there is a reasonable expectation of privacy, and any interception would be violative of a person's civil rights if done by law enforcement officials without a search warrant," said Caming.

Moreover, a Senate expert on surveillance maintained that the 1978 Foreign Intelligence Surveillance Act, which covers national security wiretaps on foreign agents, limits the ability of federal law enforcement officials to tap non-aural communications. One section of the foreign intelligence law prohibits any federal wiretapping not specifically authorized by statute, he argued; and Title III, because it does not mention non-aural interception, does not specifically authorize it. The foreign intelligence law provides a defense against that ban if law enforcement officials have obtained a court order or search warrant. Other experts, such as Caming, dispute that interpretation of the foreign intelligence law and maintain that it has no bearing on domestic wiretaps.

Justice Department official Keeney said that "if you are going to make any sort of invasion or intrusion, get a court order." It would be his "guess," he said. that law enforcement officials seeking to

intercept computer transmissions would not necessarily need a search warrantwhich requires probable cause-but a court order, for which they would have to meet a lesser standard of proof.

But Keeney said he could not make a blanket statement that all interceptions of computer transmissions would require even a court order. "I'm not ready to go that far, no," he said. "You're dealing with a question of expectation of privacy. In some of these areas, there is no expectation of privacy. If you're putting something in the airwaves that almost anyone can pick out, there is no expectation of privacy."

PRIVATE WIRETAPPING

The same kind of uncertainties arise over the laws prohibiting the private interception of computer transmissions. Again, it is clear that Title III's ban on private wiretapping does not protect computer communications, since they are non-aural. But does any other law apply?

Many experts are concerned that there are no clear federal laws prohibiting the private interception of computer transmissions. Other laws could be stretched to cover that situation, said AT&T's Caming: someone intercepting computer transmissions might be prosecuted under the federal wire fraud laws, or under computer protection statutes in the states that have them, and could even face civil liability for the theft of trade secrets. "But," he said, "that is not as strong a deterrent as a specific federal law."

An attorney for a private data transmission company said that the 1934 Communications Act, which bars the unauthorized interception of radio commu

nications, could protect some of these messages. Before 1968, this law had established the rules for interception of both wire and radio communications, but Congress removed wire communications from its scope with the passage of the crime control act.

Computer messages, though, like other telecommunications, often go through several steps to completion: along local phone wires, through microwave relays and off satellites. The attorney argued that the 1934 act's ban on intercepting radio communications would make it illegal to intercept computer communications during the microwave or satellite. though not the wire, portions of their journey.

At least two appellate court decisions cast doubt on that interpretation. In a 1973 case, the U.S. Court of Appeals for the 9th Circuit ruled that when any part of a communication is carried by telephone wires, the entire communication is covered not by the Communications Act but by Title III. In a 1975 case, the U.S. Court of Appeals for the 5th Circuit rejected the argument that long-distance calls carried over microwave relays were covered by the Communications Act.

AT&T's view, said Caming, is that both the microwave and satellite portions of a telephone communication fall under Title III's definition of a wire communication.

Blakey, though, argues that it is erroneous to assume that courts would come to these same conclusions about the coverage of the Communications Act if faced with a private interception of computer transmissions. In defining wire and radio communications, the courts have gener

NATIONAL JOURNAL 1/14/84 55

Nonetheless, Blakey, like many other experts in this area, said he would "applaud any effort by Congress to take a look at the specific protections" available for computer communications. Several legislators already are. Kastenmeier's staff has been looking at the issue, and Sen. Walter D Huddleston, D-Ky., a member of the Select Committee on Intelligence, has indicated he would support legislation to protect non-aural communications.

Whatever the state of the law, catching private wiretappers is not easy. No one has a good estimate of the amount of private wiretapping that is going on, said computer security expert Ware.

Although it is technically easy to intercept microwave transmissions, most would-be wiretappers are deterred from seeking to tap the phone company's network that way because of the high cost of sifting through the mass of messages flowing through the microwave links to find the ones they want. (That is not a problem if the wiretapper is looking for the messages of a single company, such as Citicorp, that are carried along a private network) Usually private wiretappers seek to intercept messages by breaking into local phone lines near the subject, say security experts.

The Carter Administration, which was concerned about the Soviet Union's intercepting microwave transmissions with equipment in its offices in New York, San Francisco and Washington. undertook a series of steps to increase the security of government communications and pushed private companies to protect their communications through encryption, or encoding of the information. Only about 100 companies, mainly financial institutions worried about embezzlers sending phony messages to transfer funds. encrypt their data communications, said a government official

Firms have resisted encryption because

56 NATIONAL JOURNAL 1/14/84

fers cost twice as much to send as the electronic mail messages.

To some extent, new telecommunications technology itself will offer greater protection against interception. More messages are being sent through packet switching technology, which breaks up a communication into separate pieces and routes each piece along whatever space is free on many different communications paths. The result is that a single message may travel on several different paths, and the bits of information following each other on any single path may be unrelated.

AT&T is changing its current system under which a phone conversation follows on the same communications path as the tones that indicate which phone number has been dialed. That system allows wiretappers to program their computers to look for a specific phone number and then begin recording. Under the new system, which is already in place in half of the interstate network, the tones will travel along a different path from the communication itself. Neither of these offer insurmountable problems to the most sophisticated wiretappers-such as the Soviet Union-but they do make the job harder, communications experts say.

COMPUTER MATCHING

Another area where privacy laws are fuzzy is the use of computer matching, a technique used by government investigators to find fraud. Matching takes many forms, but generally it entails the computer comparison of two lists to find anomolies that would indicate fraud.

security payment records to uncover pay ments to people who have died.

In one case, during the final months of the Carter Administration, a regional HHS office in Sacramento analyzed its enforcement records to compile a portrait of what it called a "welfare queen" and then ran that profile against a list of county welfare recipients. Those who met the characteristics were singled out for further investigation, though because of staff limits, the office actually invest)gated only a few of those identified

Over all, an HHS official estimated. the federal government has undertaken 2.000-3,000 matches, many of which are repeated regularly

Supporters say that matching is a costeffective and efficient way to uncover possible fraud in federal programs without creating an undue invasion of privacy "Of course we have to match," said for mer privacy commission chairman Linowes "You have a need for law en forcement. for proper administration in government You just can't say one thing is completely wrong in most cases"

Critics say that even if each individua use can be justified, the cumulative uses of computer matching can constitute a serious invasion of privacy. Public opposi tion quickly grounded plans discussed by the Johnson Administration to create a national data bank that would have centralized all the data held on individuals by the government. Matching, said John H. Shattuck, national legislative director of the American Civil Liberties Union (ACLU), accomplishes the same end "through the back door"

Some critics say that matching undermines 4th Amendment protections, since the records of all individuals in a program are searched, not only those for whom program administrators have reason to suspect of a crime. Others, such as Sen William S. Cohen, R-Maine, worry that in the rush to find waste and fraud. the privacy implications of the growing use of matching are being overlooked

"As you look at each case, you can make a reasonable case for an exemption from our privacy law." Cohen said in an interview "I'm trying to say we need to stand back and take a broader view

In Massachusetts, for example, state welfare officials have compared recipient roles for welfare, medicaid, food stamps and other benefit programs against account records in the state's banks to find beneficiaries with more than the legal limit in assets. The Health and Human Services Department (HHS) has matched welfare rolls against lists of federal employees and compared the employee lists with the list of those who have defaulted on student loans. The depart ment's Project Spectre compares medicaid and medicare death files to social

was a funeral bond, which is permitted under the rules. Since then, the state has made procedural changes in the match program that have alleviated many of the concerns of advocates for benefit recipients. And the state estimates it has saved at least $5 million by finding 2,000 benefit recipients with assets over the legal limit.

The law governing the use of federal records is the 1974 Privacy Act. The act generally prohibits the dissemination of government records outside of the agency that collected them. But because of a concession made to get the bill through, the law allows agencies to exchange records for "routine use." That is defined as a purpose "compatible" with the one for which the records were originally collected.

The routine use exemption has become the legal basis for matching. Matching critics say that the intent of the privacy law was to prevent records from being passed between government agencies on a regular basis. "I don't think there was anything more clearly thought about than that," said James H. Davidson, a former Senate aide who helped draft the law. "That is what the Privacy Act is about." When the Carter Administration proposed its first match of federal employees against welfare rolls, the Civil Service Commission initially resisted on the ground that such use of employment records would violate the act.

But eventually, the commission backed down. And Shattuck said that whatever the intent of the Privacy Act's drafters. the language of the statute makes it virtually impossible to challenge a match in court. "I think any match that uses information that is not clearly in the public domain is a violation of the Privacy Act," he said. "Unfortunately, the act is written in such a way as to make that extremely difficult to prove in a court of law."

Christopher C. DeMuth, administrator of the Office of Management and Budget's (OMB) office of information and regulatory affairs, which is charged with ensuring federal compliance with the Privacy Act, agreed that the law does not offer clear guidance on what matches might be inappropriate. Congress. he said, "had to settle for a formulation that is sometimes attacked as too nebulous." But he said the fears about matching have proven unfounded. "The fears that these matches would be used as fishing expeditions have not come to pass," he said in an interview. "The matches have been quite narrow and related to highly plausible concerns about fraud and abuse."

With budget cuts forcing welfare program administrators to trim benefit rolls, few legislators have expressed much con

cern about the privacy implications of matching. The House Government Operations Committee recently criticized OMB for not monitoring agency compliance with the Privacy Act. Cohen held hearings in December 1982 on matching and is planning hearings on matches conducted by the Internal Revenue Service, including the use of mailing lists purchased from private firms to look for tax evaders and the growing use of IRS data for nontax purposes such as aiding in the collection of student loans. Recently, the National Senior Citizens Law Center won a case in the U.S. District Court for the District of Columbia stopping a proposed Social Security Administration program that would have required recipients of supplemental security income benefits to disclose their tax returns.

But over all, said Cohen, there is "not a whole lot of interest" in the subject among his colleagues. "The potential for abuse is there," he said, "although it does not seem imminent to most individuals

That assessment does not surprise Robert Ellis Smith, who has been watching these issues for almost a decade as publisher of the Privacy Journal. "I think legislation often gets enacted by anecdote," he said. "And the anecdotes are often more compelling on the side of access."

CONTROLLING RECORDS

For records held by the federal government, the Privacy Act establishes minimum standards that allow individuals to

see and correct their own records. But for the vast majority of records held by private firms, there are no laws. Congress has passed legislation placing some limits on the use of records held by banks, credit bureaus and educational institutions. And last year, as part of cable television legislation, the Senate voted to limit the use of information about subscribers without their consent. Similar provisions are contained in the House version of the bill, which has passed the House Energy and Commerce Subcommittee on Telecommunications, Consumer Protection and Finance. In full committee, it is likely that efforts will be made to revise those standards to reflect objections from the cable industry and advertisers who sell products on cable.

But generally, Congress has paid little attention to the central thrust of the privacy commission's study in the mid1970s. The commission argued that basic principles were needed to govern data collection and use of information about individuals held by institutions and to ensure that individuals could see and correct information about themselves. Since that report, only the legislation governing bank records, which is considered weak by many privacy experts, was enacted. Another major proposal dealing with medical records failed.

Like the issues of electronic mail and protection of computer transmissions, the use of privately held records has not yet attracted sustained political attention. "Our concepts involving information privacy haven't even begun to be addressed," said former privacy commission chairman Linowes. "We don't have a public policy on information protection and privacy."

Such a policy would not require limiting the advance of computer and communications technology, Linowes and other experts argue, but would establish principles of law "The technology makes it easier both to collect and disseminate personal information without the person's knowledge," said Richard M. Neustadt. who worked on privacy issues as an associate director of the domestic policy staff in the Carter Administration and is now the senior vice president of Private Satellite Network Inc. "But that's nothing new. We've had personal records existing in file cabinets for a long, long time. All the computer does is put more records in and make it easier to get at.

"What we're seeing is old problems made more complicated, more real. But they are solvable. I think you can have your cake and eat it too, if we write some good rules about this stuff. Unfortunately, there doesn't seem to be much interest in doing that in Washington

now

NATIONAL JOURNAL 1/14/84 57