come more and more interested in electronic mail records."

Certainly electronic mail networks will contain a wealth of data about the communications of their users. Telenet holds in its computers for anywhere from one day to two weeks copies of messages sent through the system. MCI plans to hold copies of the messages for six months, in case questions arise about billing or customers accidentally erase their messages.

Just the fact that MCI's computer capacity will enable it to hold the messages it transmits for six months makes "some customers nervous," said Marilyn M. Mouly, vice president for marketing of MCI Digital Information Services Corp.. the subsidiary that runs MCI's electronic mail system. "When you mail a letter with the Post Office, they don't Xerox it. Generally people see us as carrying messages, not keeping a copy."

There are clear rules on when ordinary mail sent through the Postal Service can be opened. Most correspondence can be opened only after a search warrant is obtained. When law enforcement officials want the Postal Service to tell them from whom a specific individual is receiving mail, they request a mail cover from the chief postal inspector. Under regulation, the inspector is supposed to approve requests only for the investigation of a felony, the location of a fugitive or a national security investigation. In 1983, the Postal Service approved 6.892 mail covers, up 56 per cent from a decade ago. Postal Service officials say these same rules would apply to mail sent through the Postal Service's electronic mail system, known as E-COM.

But the rules for access to privately transmitted electronic mail have not been established. "There is little, if any, legal protection for message information in the hands of private organizations." said Rand Corp. computer security expert Willis H. Ware in recent congressional testimony. In an interview, Ware said he was aware of no law that would prevent a private firm from releasing electronic mail records to police agencies or anyone else-merely upon their request.

Both Telenet and MCI said they would not release the information to law enforcement officials on request alone and would require a search warrant or a subpoena. But those are voluntary decisions subject to change, and some in the industry would like to see clear legal standards. "It certainly is a gray area of what kind of protection a company has from federal government intrusion," said computer consultant Ulrich.

Similarly, there are no laws governing requests by police officials for the records of the traditional courier services, such as Federal Express. Federal Express attor

54 NATIONAL JOURNAL 1/14/84

Ronald L. Plesser, former general counsel of the Privacy Protection Study Commission "Our laws have not kept pace with the [new computer or communications] technology."

ney Elizabeth McKanna said the firm generally would require a subpoena before releasing records, but in some cases, such as the investigation of a bank robbery, might not. "It certainly is not illegal for us to provide them with information," she said.

ELECTRONIC BLINDSPOT?

Also in dispute among experts in the field is whether any law protects an electronic mail transmission or any other communication between two computers. from unauthorized interception while it is in transit.

Two laws govern the interception of telecommunications. Title III of the 1968 Omnibus Crime Control and Safe Streets Act bans the private interception of wire or spoken communications and establishes a process for approval of wiretaps by law enforcement officials. To wiretap a suspect, a federal law enforcement official must obtain the approval of the Attorney General and then a federal judge after demonstrating that there is "probable cause" that the suspect has committed or is about to commit one of a list of specified crimes. Approval is granted only for 30 days or less, and the law allows the judge to require reports on the investigation. These standards are much tougher than the rules governing search warrants or other investigative tools. The second law, the 1934 Communications Act, makes it illegal "to intercept any radio communication and divulge or publish" the contents.

The problem for computer commun cations arises from the definition of intercept in the crime control law Though it bans unauthorized interception the aw defines that as "aural acquisition of the contents of any wire or oral communica tion"- that is, the interception of a voce communication that could be understood by the human ear, as a wiretapper listen ing to an ordinary phone call would do But computers utilize non-aural comme nications that transmit data through series of digitized bits that cannot be understood by the human car For that reason, they are not covered by the law

No one is accusing the Justice Depanment or FBI of abusing this provision of the law Deputy assistant attorney gen eral for the Criminal Division John C Keeney said in an interview that he has not seen any requests to intercept com puter transmissions But computer users and civil libertarians are concerned that the potential for abuse remains uniess computer transmissions are given the same legal protections as telephone con versations.

G. Robert Blakey, a law professor at the University of Notre Dame, who was the principal author of Title 111 and sev eral other major crime bills when he was an aide on the Senate Judiciary Commit tee, said that the exclusion of computer communications was not an oversight "Did we intend to exclude machine-based data? Yes we did." he said in an interview. Congress was worried about wiretaps, whose use had been severely limited by two Supreme Court decisions in the mid-1960s. not about computer privacy Blakey said. "Congress wasn't prepared to step into computer privacy, and that the reason we put that word ('aural, in there." he said. "Aural' is a neat little word It simply confines the bill to the consensus that was there" in Congress at the time

The Justice Department agrees that computers are not covered and that federal officials would not have to go through the extended Title III process to intercept communications between two computers. In a 1978 case. LS Sew litz, the US Court of Appeals for the 4th Circuit also ruled that non-aural commu nications were not protected by Title III

That much seems clear. What is un clear is whether law enforcement officials have to go through any legal process before intercepting computer transma

sions.

One answer comes from the courts rulings on pen registers, devices that record the numbers dialed on a phone. but not the contents of the conversations themselves. In the mid-1970s, American Telephone & Telegraph Co. (AT&T) as serted that the FBI had to receive a True

III authorization before the company would install pen registers. The FBI argued that an ordinary search warrant was sufficient. In December 1977, a sharply divided Supreme Court ruled, 5-4, that because the pen register was intercepting non-aural communications (the tones that indicate the number dialed) and legislative history made clear Congress intended to exclude pen registers, the FBI did not need a Title III warrant. In two subsequent cases, the Supreme Court and a federal appeals court have held that law enforcement officials did not even need a search warrant to install a pen register. Nonetheless, H. W. William Caming, AT&T's senior counsel on privacy issues, said the firm will not cooperate with pen register requests without a

warrant.

But the signals captured by pen registers may be different from other computer transmissions. Because the caller knows that records of the numbers he dials will routinely be held by the phone company for billing purposes, he does not have the same expectation of privacy for that information as he does for the contents of his conversation.

In a transmission of information between two computers, though, the parties would have a reasonable expectation of privacy, several experts said. Legally that expectation puts the communication under the 4th Amendment's protection against unreasonable search and seizure, these experts argue. "In a computer-tocomputer transmission, there is a reasonable expectation of privacy, and any interception would be violative of a person's civil rights if done by law enforcement officials without a search warrant," said Caming.

Moreover, a Senate expert on surveillance maintained that the 1978 Foreign Intelligence Surveillance Act, which covers national security wiretaps on foreign agents, limits the ability of federal law enforcement officials to tap non-aural communications. One section of the foreign intelligence law prohibits any federal wiretapping not specifically authorized by statute, he argued; and Title III, because it does not mention non-aural interception, does not specifically authorize it. The foreign intelligence law provides a defense against that ban if law enforcement officials have obtained a court order or search warrant. Other experts, such as Caming, dispute that interpretation of the foreign intelligence law and maintain that it has no bearing on domestic wiretaps.

Justice Department official Keeney said that "if you are going to make any sort of invasion or intrusion, get a court order." It would be his "guess." he said. that law enforcement officials seeking to

intercept computer transmissions would not necessarily need a search warrantwhich requires probable cause-but a court order, for which they would have to meet a lesser standard of proof.

But Keeney said he could not make a blanket statement that all interceptions of computer transmissions would require even a court order. "I'm not ready to go that far, no," he said. "You're dealing with a question of expectation of privacy. In some of these areas, there is no expectation of privacy. If you're putting something in the airwaves that almost anyone can pick out, there is no expectation of privacy."

PRIVATE WIRETAPPING

The same kind of uncertainties arise over the laws prohibiting the private interception of computer transmissions. Again, it is clear that Title III's ban on private wiretapping does not protect computer communications, since they are non-aural. But does any other law apply? Many experts are concerned that there are no clear federal laws prohibiting the private interception of computer transmissions. Other laws could be stretched to cover that situation, said AT&T's Caming: someone intercepting computer transmissions might be prosecuted under the federal wire fraud laws, or under computer protection statutes in the states that have them, and could even face civil liability for the theft of trade secrets. "But," he said, "that is not as strong a deterrent as a specific federal law."

An attorney for a private data transmission company said that the 1934 Communications Act, which bars the unauthorized interception of radio commu

nications, could protect some of these messages. Before 1968, this law had established the rules for interception of both wire and radio communications, but Congress removed wire communications from its scope with the passage of the crime control act.

Computer messages, though, like other telecommunications, often go through several steps to completion: along local phone wires, through microwave relays and off satellites. The attorney argued that the 1934 act's ban on intercepting radio communications would make it illegal to intercept computer communications during the microwave or satellite. though not the wire, portions of their journey.

At least two appellate court decisions cast doubt on that interpretation. In a 1973 case, the U.S. Court of Appeals for the 9th Circuit ruled that when any part of a communication is carried by telephone wires, the entire communication is covered not by the Communications Act but by Title III. In a 1975 case, the U.S. Court of Appeals for the 5th Circuit rejected the argument that long-distance calls carried over microwave relays were covered by the Communications Act.

AT&T's view, said Caming, is that both the microwave and satellite portions of a telephone communication fall under Title III's definition of a wire communication.

Blakey, though, argues that it is erroneous to assume that courts would come to these same conclusions about the coverage of the Communications Act if faced with a private interception of computer transmissions. In defining wire and radio communications, the courts have gener

NATIONAL JOURNAL 1/14/84 55

ally been looking for ways to allow evidence obtained by law enforcement officials to be used over the objections of defendants who maintain that it was illegally collected. It is not likely, Blakey maintained, that the courts would allow

Computer

it costs more to send an encrypted message. Citicorp uses a simple encryption for its electronic mail and a much more sophisticated system for its electronic funds transfers, whose security is of far greater concern to the bank. Those trans

private wiretappers to use those definitions to slip through a blind spot in the law and escape punishment. Wiretappers would face liability under either the wire fraud statute or the Communications Act, he said.

Nonetheless, Blakey, like many other experts in this area, said he would "applaud any effort by Congress to take a look at the specific protections" available for computer communications. Several legislators already are. Kastenmeier's staff has been looking at the issue, and Sen. Walter D. Huddleston, D-Ky., a member of the Select Committee on Intelligence, has indicated he would support legislation to protect non-aural com

munications.

Whatever the state of the law, catching private wiretappers is not easy. No one has a good estimate of the amount of private wiretapping that is going on, said computer security expert Ware.

Although it is technically easy to intercept microwave transmissions, most would-be wiretappers are deterred from seeking to tap the phone company's network that way because of the high cost of sifting through the mass of messages flowing through the microwave links to find the ones they want. (That is not a problem if the wiretapper is looking for the messages of a single company, such as Citicorp, that are carried along a private network.) Usually private wiretappers seek to intercept messages by breaking into local phone lines near the subject, say security experts.

The Carter Administration, which was concerned about the Soviet Union's intercepting microwave transmissions with equipment in its offices in New York, San Francisco and Washington, undertook a series of steps to increase the security of government communications and pushed private companies to protect their communications through encryption, or encoding of the information. Only about 100 companies, mainly financial institutions worried about embezzlers sending phony messages to transfer funds. encrypt their data communications, said a government official

Firms have resisted encryption because

56 NATIONAL JOURNAL 1/14/84

fers cost twice as much to send as the electronic mail messages

To some extent, new telecommunications technology itself will offer greater protection against interception. More messages are being sent through packet switching technology, which breaks up a communication into separate pieces and routes each piece along whatever space is free on many different communications paths. The result is that a single message may travel on several different paths, and the bits of information following each other on any single path may be unrelated.

AT&T is changing its current system under which a phone conversation follows on the same communications path as the tones that indicate which phone number has been dialed. That system allows wiretappers to program their computers to look for a specific phone number and then begin recording. Under the new system, which is already in place in half of the interstate network, the tones will travel along a different path from the communication itself. Neither of these offer insurmountable problems to the most sophisticated wiretappers--such as the Soviet Union-but they do make the job harder, communications experts say. COMPUTER MATCHING

Another area where privacy laws are fuzzy is the use of computer matching, a technique used by government investigators to find fraud Matching takes many forms, but generally it entails the computer comparison of two lists to find anomolies that would indicate fraud.

In Massachusetts, for example, state welfare officials have compared recipient roles for welfare, medicaid, food stamps and other benefit programs against account records in the state's banks to find beneficiaries with more than the legal limit in assets. The Health and Human Services Department (HHS) has matched welfare rolls against lists of federal employees and compared the employee lists with the list of those who have defaulted on student loans. The department's Project Spectre compares medicaid and medicare death files to social

security payment records to uncover payments to people who have died

In one case, during the final months of the Carter Administration, a regional HHS office in Sacramento analyzed its enforcement records to compile a portrait of what it called a "welfare queer" and then ran that profile against a list of county welfare recipients. Those who met the characteristics were singled out for further investigation, though because of staff limits. the office actually invest gated only a few of those identified

Over all, an HHS official estimated. the federal government has undertaker 2.000-3,000 matches, many of which are repeated regularly.

Supporters say that matching is a costeffective and efficient way to uncover possible fraud in federal programs without creating an undue invasion of privacy "Of course we have to match,” said for mer privacy commission chairman Linowes "You have a need for law enforcement, for proper administration in government You just can't say one thing is completely wrong in most cases

Critics say that even if each individua use can be justified, the cumulative uses of computer matching can constitute a serious invasion of privacy Public opposation quickly grounded plans discussed by the Johnson Administration to create a national data bank that would have centralized all the data held on individuals by the government. Matching, said John H. Shattuck. national legislative director of the American Civil Liberties Un (ACLU), accomplishes the same end "through the back door."

Some critics say that matching undermines 4th Amendment protections, since the records of all individuals in a program are searched, not only those for wh program administrators have reason to suspect of a crime. Others, such as Sen William S Cohen, R-Maine, worry that in the rush to find waste and fraud the privacy implications of the growing use of matching are being overlooked

"As you look at each case, you car make a reasonable case for an exempor from our privacy law." Cohen said par interview "I'm trying to say we need t stand back and take a broader view

There is another pressure (besides looking for fraud), more constitutional. more indigenous to our society, which s not being felt at this time: the need to protect privacy in our technologica¡ society

The Massachusetts case demonstrates both the advantages and hazards of matching. In one instance, the state te minated the medicaid benefits of an e derly woman in a nursing home because she possessed assets over the limit. But i was later revealed that her major holding

But eventually, the commission backed down And Shattuck said that whatever the intent of the Privacy Act's drafen the language of the statute makes tra ally impossible to challenge a match in court. "I think any match that uses information that is not clearly in the public domain is a violation of the Privacy Act he said "Unfortunately, the act is written in such a way as to make that extremely difficult to prove in a court of a

Christopher C. DeMuth, administrator of the Office of Management and Budget's (OMB) office of information and regulatory affairs, which is charged with ensuring federal compliance with the Privacy Act, agreed that the law does not offer clear guidance on what matches might be inappropriate Congress. he said. "had to settle for a formulation that is sometimes attacked as too nebulous But he said the fears about matching have proven unfounded. "The fears that these matches would be used as fishing expeditions have not come to pass," he said in an interview "The matches have been quite narrow and related to highly plausible concerns about fraud and abuse."

With budget cuts forcing welfare program administrators to trim benefit rolls. few legislators have expressed much con

collection a su cams Recen C Nationa Senver Crom Center

wor a case 1 de Done Car he Osnc di Coma song y posed Soca Securt ApT TROP program that would have euret e ents of supplemeta cart Tcume benents to sciose der 21 S But over a sad Coner there is "not a whole lot of merest"

among his colleagues The poema for abuse is there he said. Tarbout - does not seem to most noc

That assessment does not surprise Rook ert E.s Smuth who has been watch "g these issues for almost a decade as pubsher of the Privacy Juana legislation often gets enacted by anecdote he said. "And the anecdotes are often more compelling on the side of access"

CONTROLLING RECORDS

For records held by the federal government, the Privacy Act estabushes minimum standards that allow individuals to

SACT & PONCH ROLE TOT require my be at an aquer and comme TILLS Chung owes and other Case Du would estabust princ2 of 2 The technology makes

CEVET DOLT is colect and disseminate persona, formation thout the person's 674842 said Richard M. Neustad who worked on privacssues as an 2580crate director of the domestic policy staf -the Camer Administration and is now the senior vice president of Private Sater re Network Inc But that's nothing new We've had persona records existing infie cabinets for a long, long time. All the computer does is put more records in and make it easier to get at

"What we're seeing is old problems made more complicated, more real. But they are solvable I think you can have your cake and eat it too, if we write some good rules about this stuff Unfortunately, there doesn't seem to be much interest in doing that in Washington

now

NATIONAL JOURNAL 1 14 84 57