[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
                       ELECTRONIC COMMUNICATIONS 
                           PRIVACY ACT REFORM 

=======================================================================

                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON THE CONSTITUTION, 
                   CIVIL RIGHTS, AND CIVIL LIBERTIES

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 5, 2010

                               __________

                           Serial No. 111-98

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

56-271 PDF                       WASHINGTON : 2010 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 




















                       COMMITTEE ON THE JUDICIARY

                 JOHN CONYERS, Jr., Michigan, Chairman
HOWARD L. BERMAN, California         LAMAR SMITH, Texas
RICK BOUCHER, Virginia               F. JAMES SENSENBRENNER, Jr., 
JERROLD NADLER, New York                 Wisconsin
ROBERT C. ``BOBBY'' SCOTT, Virginia  HOWARD COBLE, North Carolina
MELVIN L. WATT, North Carolina       ELTON GALLEGLY, California
ZOE LOFGREN, California              BOB GOODLATTE, Virginia
SHEILA JACKSON LEE, Texas            DANIEL E. LUNGREN, California
MAXINE WATERS, California            DARRELL E. ISSA, California
WILLIAM D. DELAHUNT, Massachusetts   J. RANDY FORBES, Virginia
STEVE COHEN, Tennessee               STEVE KING, Iowa
HENRY C. ``HANK'' JOHNSON, Jr.,      TRENT FRANKS, Arizona
  Georgia                            LOUIE GOHMERT, Texas
PEDRO PIERLUISI, Puerto Rico         JIM JORDAN, Ohio
MIKE QUIGLEY, Illinois               TED POE, Texas
JUDY CHU, California                 JASON CHAFFETZ, Utah
TED DEUTCH, Florida                  TOM ROONEY, Florida
LUIS V. GUTIERREZ, Illinois          GREGG HARPER, Mississippi
TAMMY BALDWIN, Wisconsin
CHARLES A. GONZALEZ, Texas
ANTHONY D. WEINER, New York
ADAM B. SCHIFF, California
LINDA T. SANCHEZ, California
DANIEL MAFFEI, New York
JARED POLIS, Colorado

       Perry Apelbaum, Majority Staff Director and Chief Counsel
      Sean McLaughlin, Minority Chief of Staff and General Counsel
                                 ------                                

  Subcommittee on the Constitution, Civil Rights, and Civil Liberties

                   JERROLD NADLER, New York, Chairman

MELVIN L. WATT, North Carolina       F. JAMES SENSENBRENNER, Jr., 
ROBERT C. ``BOBBY'' SCOTT, Virginia  Wisconsin
WILLIAM D. DELAHUNT, Massachusetts   TOM ROONEY, Florida
HENRY C. ``HANK'' JOHNSON, Jr.,      STEVE KING, Iowa
  Georgia                            TRENT FRANKS, Arizona
TAMMY BALDWIN, Wisconsin             LOUIE GOHMERT, Texas
JOHN CONYERS, Jr., Michigan          JIM JORDAN, Ohio
STEVE COHEN, Tennessee
SHEILA JACKSON LEE, Texas
JUDY CHU, California

                     David Lachmann, Chief of Staff

                    Paul B. Taylor, Minority Counsel
















                            C O N T E N T S

                              ----------                              

                              MAY 5, 2010

                                                                   Page

                           OPENING STATEMENTS

The Honorable Jerrold Nadler, a Representative in Congress from 
  the State of New York, and Chairman, Subcommittee on the 
  Constitution, Civil Rights, and Civil Liberties................     1
The Honorable F. James Sensenbrenner, Jr., a Representative in 
  Congress from the State of Wisconsin, and Ranking Member, 
  Subcommittee on the Constitution, Civil Rights, and Civil 
  Liberties......................................................     2

                               WITNESSES

Mr. James X. Dempsey, Center for Democracy and Technology, Vice 
  President for Public Policy
  Oral Testimony.................................................     4
  Prepared Statement.............................................     7
Mr. Albert Gidari, Perkins Coie LLP
  Oral Testimony.................................................    21
  Prepared Statement.............................................    24
Mr. Orin S. Kerr, Professor, The George Washington University Law 
  School
  Oral Testimony.................................................    34
  Prepared Statement.............................................    36
Ms. Annmarie Levins, Associate General Counsel, Microsoft 
  Corporation
  Oral Testimony.................................................    43
  Prepared Statement.............................................    45

                                APPENDIX

Material Submitted for the Hearing Record........................    89


                       ELECTRONIC COMMUNICATIONS 
                           PRIVACY ACT REFORM

                              ----------                              


                         WEDNESDAY, MAY 5, 2010

              House of Representatives,    
              Subcommittee on the Constitution,    
                 Civil Rights, and Civil Liberties,
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 2:53 p.m., in 
room 2141, Rayburn House Office Building, the Honorable Jerrold 
Nadler (Chairman of the Subcommittee) presiding.
    Present: Representatives Nadler, Watt, Scott, Johnson, 
Cohen, Chu, and Sensenbrenner.
    Staff present: (Majority) David Lachman, Subcommittee Chief 
of Staff; Stephanie Pell, Counsel; (Minority) Caroline Lynch, 
Counsel; and Art Baker, Counsel.
    Mr. Nadler. This hearing of the Subcommittee on the 
Constitution, Civil Rights, and Civil Liberties will come to 
order. We apologize for coming to order late, but the votes on 
the floor necessitated that. We will begin by recognizing 
myself for a 5-minute opening statement.
    Today's hearing is the beginning of a process through which 
the Subcommittee will revisit the statutory framework Congress 
established in the 1986 Electronic Communication Privacy Act, 
ECPA, in spite of the enormous technological advances which 
have taken place in electronic communications over the last 24 
years.
    Because of the complexity of the subject, both legal and 
technological, this hearing will probably be the first of 
several we will hold as we consider what, if any, reforms 
should be made to the Act so that it might function more 
effectively in the future.
    ECPA was passed in 1986, well before we commonly used the 
Internet for e-mail, much less for cloud computing and remote 
storage, at a time when cell phones were rare, often the size 
of small kitchen appliances, and included no tracking 
technologies capable of mapping our every movement. 
Communications technology now evolves at an exponential pace.
    So in 1986 ECPA fixed the statutory standards law 
enforcement would have to meet to access private communications 
data in a technological environment as far removed from our own 
as that of 1986 was from the day Alexander Graham Bell said, 
``Mr. Watson, come here. I need you.'' in the first telephone 
call 110 years earlier.
    The lightning pace of innovation in communications 
technology brings with it enormous improvements in the quality 
of life for our citizens that in many ways marked the age we 
live in as a new epoch, which might be called the Internet Age. 
But it must be said, particularly by the Committee on the 
Judiciary, that these events also provide criminals with new 
platforms for unlawful activity.
    Moreover, it must also be said here on the Subcommittee on 
the Constitution that these robust new communications 
technologies bring with them new opportunities for law 
enforcement agencies, charged to protect us from such 
criminals, to intervene in our private lives. Thus, we must 
consider whether ECPA still strikes the right balance between 
the interests and needs of law enforcement and privacy 
interests of the American people.
    This is only the beginning of a dialogue that must go on to 
include the input of, among others, law enforcement at the 
Federal, state and local level, private industry stakeholders 
across the complex network of networks that is modern 
communications, and academic experts on technology, privacy and 
Fourth Amendment issues.
    But today all of the Members of the Subcommittee can begin 
this inquiry through a dialogue that raises these issues with 
this distinguished panel of witnesses. Today we can begin the 
work of making ECPA work for our time and for all concerned. 
This is an enormous responsibility, and this Subcommittee needs 
everyone's help to get it right. As such, all of us sit on this 
panel at least in part as students today.
    I thank you in advance for what you will teach us.
    As for myself, some of the questions I propose to the class 
are how have changes in the Internet made it difficult for 
private industry to determine its obligations under Title II of 
ECPA, the Stored Communications Act? How do current advances in 
location technology test traditional standards of the ECPA of 
1986?
    More generally, in what ways have these and other 
technologies potentially subverted one of the original and 
central goals of ECPA, which was to preserve ``a fair balance 
between the privacy expectations of citizens and the legitimate 
needs of law enforcement?'' If we are out of balance, what 
concepts should guide reform? I know my distinguished 
colleagues will have other questions.
    Finally, I would like to observe that we are aware that 
privacy advocates and members of industry have worked together 
in an impressive common effort to derive and propose some 
common principles that should guide our inquiry on ECPA reform. 
I look forward to hearing them articulated by our witnesses 
here in person.
    It is my hope that we on this Subcommittee can emulate your 
example and come together in a bipartisan spirit as we forge 
ECPA reform legislation that will put needed reforms in place, 
hopefully this year. I welcome our witnesses, and I look 
forward to your testimony.
    With that, I yield back. And I will now recognize for an 
opening statement the distinguished Ranking Member of the 
Subcommittee.
    Mr. Sensenbrenner. Thank you very much, Mr. Chairman.
    The purpose of today's hearing is to examine the need to 
update the Electronic Communications Privacy Act of 1986. 
Today's hearing is a result of calls by a coalition called the 
Digital Due Process to examine how far apart technology and the 
law may have become and to see if reforms are necessary to keep 
the law current with constantly evolving technology.
    The genesis of ECPA in 1986 was a needed response to the 
emergence and rapid development of wireless communications 
services and electronic communications of the digital era. At 
that time e-mail, cordless phones and pagers were by today's 
standards in their infancy, and as these devices have become 
smaller, cheaper and more sophisticated, we have embraced them 
more and more in our everyday lives.
    The evolution of the digital age has given us devices and 
capabilities that have created conveniences for society and 
efficiencies for commerce. But they have also created 
conveniences and efficiency for criminals, as well as 
innovative new ways to commit crimes. Fortunately, new ways to 
detect and investigate crimes and criminals have also evolved.
    At the intersection of all these developments and 
capabilities are the privacy rights of the public, the economic 
interest in expanding commerce, the public policy of 
encouraging development of even better technologies, and the 
legitimate investigative needs of law enforcement 
professionals.
    While some of the issues we will hear about today have been 
heard before, this new initiative by the Digital Due Process 
coalition was officially launched on March 30th this year. 
There has been neither sufficient time to examine the concepts 
that are being advanced in any meaningful way, nor has there 
been time to hear from other stakeholders, including relevant 
members of the law enforcement community.
    While the Digital Due Process coalition makes note that 
some of the principles have been previously embraced by the 
House Judiciary Committee in 2000, it should be noted that just 
last year the full Committee voted down advancing the 
requirements for obtaining authority to utilize the pen 
register and for obtaining authority to utilize the trap and 
trace device.
    In fact, enhancing the standard for a pen register and trap 
and trace device drew strong opposition from the National 
District Attorneys Association, the National Sheriffs 
Association, the Fraternal Order of Police, and the 
International Association of Chiefs of Police, all of whom 
agree that the proposed changes to criminal pen register and 
trap and trace devices would unduly burden state and local law 
enforcement agencies, who regularly use these tools in state 
criminal investigations.
    There will no doubt be considerable debate on what may or 
may not need to be changed, but there will also be debate on 
how any needed change should be effected. I look forward to the 
witnesses today, and I look forward to having you start the 
debate. Let me say it won't be the end of the debate.
    Mr. Nadler. In the interests of getting to our witnesses 
and mindful of our busy schedules, I ask that other Members 
submit their statements for the record. Without objection, all 
Members will have 5 legislative days to submit opening 
statements for inclusion in the record. Without objection, the 
Chair will be authorized to declare a recess of the hearing.
    We will now turn to our first panel of witnesses--in fact, 
our only panel of witnesses.
    Jim Dempsey is vice president for public policy at the 
Center for Democracy and Technology, where he concentrates on 
privacy and government surveillance issues. Mr. Dempsey 
coordinates the Digital Privacy and Security Working Group, a 
forum for companies, trade associations, think tanks and public 
interest advocates interested in cyber security, government 
surveillance and related issues. He received his J.D. from 
Harvard Law School. Additionally, Mr. Dempsey was counsel to 
this Subcommittee under Chairman Don Edwards. He continues to 
carry on that work at CDT, and I am pleased to welcome him 
back.
    Albert Gidari is a partner at Perkins Coie--or Perkins 
Coie, I think, LLP, where he represents a broad range of 
companies on privacy, security, Internet, electronic 
surveillance and communications law. His practice also includes 
both civil and criminal litigation, investigations and 
regulatory compliance counseling. He is a graduate of the 
George Mason University School of Law.
    Orin Kerr is a law professor at George Washington 
University, who has written extensively on the Electronic 
Communications Privacy Act. From 1998 to 2001, Mr. Kerr was a 
trial attorney at the computer crime and intellectual property 
section of the U.S. Department of Justice. He earned his JD 
magna cum laude from Harvard Law School.
    Annmarie Levins is an associate general counsel at 
Microsoft Corporation. She manages the legal support for 
Microsoft's U.S. and Canadian subsidiaries, directing the legal 
teams responsible for licensing and service transactions, anti-
piracy investigations and enforcement, Internet safety work and 
other areas. Ms. Levins formerly served in the U.S. Attorney's 
Office in Seattle and in the Southern District of New York. She 
graduated summa cum laude from the University of Maine School 
of Law.
    I am pleased to welcome all of you. Your written statements 
in their entirety will be made part of the record. I would ask 
each of you to summarize your testimony in 5 minutes or less. 
There is a light in front of you. When it turns yellow, that 
means you have a minute left. And I would advise you that the 
Chair is somewhat lax in--or latitude in that area maybe in 
interpreting the time limit.
    Before we begin, it is customary for the Committee to swear 
in its witnesses.
    Let the record reflect that the witnesses answered in the 
affirmative.
    You may be seated.
    And we will first--I now recognize Mr. Dempsey for 5 
minutes.

    TESTIMONY OF JAMES X. DEMPSEY, CENTER FOR DEMOCRACY AND 
          TECHNOLOGY, VICE PRESIDENT FOR PUBLIC POLICY

    Mr. Dempsey. Chairman Nadler, Members of the Subcommittee, 
good afternoon. Thank you for holding this hearing.
    In setting rules for electronic surveillance, the courts 
and Congress have long sought to balance three critical 
interests--the individual's right to privacy, the government's 
need to obtain evidence to prevent and investigate crimes and 
respond to emergencies, and the corporate interest in clear 
rules that provide confidence to consumers and that afford the 
companies the certainty they need to invest in the development 
of innovative new services.
    Today it is clear that the balance among those three 
interests has been lost. Powerful new technologies create and 
store more and more information about our daily lives. The 
protections provided by judicial precedent and statute have 
failed to keep pace.
    The major Federal statute setting standards for 
governmental access to communications, the Electronic 
Communications Privacy Act, or ECPA, was written in 1986, light 
years ago in Internet time. Among other key points, private 
information directly analogous to a telephone call or letter 
now falls outside of the traditional warrant standard when 
stored online. As a result, a major section of ECPA is probably 
unconstitutional in many applications.
    Every witness at this table today agrees that ECPA is 
outdated and needs to be reformed to provide strong privacy 
protections while also preserving the tools that law 
enforcement agencies need to act quickly to investigate crimes 
and respond to emergencies.
    For the past several years the Center for Democracy and 
Technology, my organization, has been chairing a dialogue among 
leading Internet companies, communications companies, privacy 
advocates, law professors and attorneys in private practice to 
discuss how ECPA was working and how it needed to be updated. 
We had as part of our group several former prosecutors and 
several alumni of the Computer Crime and Intellectual Property 
Section of the Department of Justice.
    In our discussions we were acutely aware of the needs of 
law enforcement. We started with a list of over a dozen issues. 
Some of the privacy advocates and scholars wanted to go farther 
in strengthening the rules, but the former prosecutors 
emphasized the importance of preserving a sliding scale of 
authorities. We met monthly and then even weekly.
    Ultimately, we reached consensus on four principles--
consistent application of the warrant standard to private 
communications and documents, consistent application of the 
warrant standard for location tracking of cell phones and other 
mobile devices, true judicial review of pen registers and trap 
and trace devices--and we can go into more detail about what 
pen register/trap and trace devices are and how they work--and 
no blanket use of subpoenas.
    Now, in some ways--many ways, actually--these proposals are 
modest. The proposals would preserve all current exceptions, 
including the emergency exception that permits disclosure of e-
mail and other content without a warrant, even without a 
subpoena, in times of emergency. We do not propose any changes 
to FISA or to the national security letter provision in ECPA.
    Our proposals on e-mail and stored documents focus solely 
on compelled production from a service provider providing 
service to third parties. We do not propose any change to the 
rules governing how you get information directly from the 
subject of an investigation. A company could not hide behind 
ECPA if the government is investigating that company. The rules 
permitting subpoenas served directly on targets of an 
investigation will remain unchanged.
    As Chairman Nadler indicated, the companies and 
organizations endorsing this principle call themselves the 
Digital Due Process coalition. The coalition now includes major 
Internet and communications companies, major think tanks, and 
advocacy organizations ranging from the ACLU to Americans for 
Tax Reform and FreedomWorks. We are continuing to add new 
members each week.
    We see our principles as the first step--and I emphasize 
this--just an opening framework in a process that will require 
public discussion, the engagement of other stakeholders, and 
most importantly, dialogue with law enforcement agencies. We 
have already begun the process of discussing these principles 
with the Department of Justice, the FBI, and the National 
Association of Attorneys General.
    We intend to get very specific in follow-up discussions, 
addressing concrete hypotheticals about how updates to the law 
would affect ongoing practices.
    Mr. Chairman, the coalition is not urging the introduction 
of legislation. Many details remain to be discussed before we 
get to the legislative phase. Other issues might be brought 
forward in addition to the four that we have put on the table. 
We urge this Committee and we are urging the Senate Judiciary 
Committee to move cautiously, to hold further hearings, as you 
already indicated you would, to listen to the views of law 
enforcement, of the telephone companies and other carriers.
    Professor Kerr in his testimony has proposed some excellent 
questions that need to be and can be addressed and resolved. 
Some of them, speaking for CDT, I have answers to. Others of 
them I don't have answers to yet. But we agree they need to be 
addressed. Our coalition foresees a long-term process of 
hearings, dialogue and consensus building. Together, though, we 
can re-establish the balance among those interests that were 
critical in 1986--law enforcement, privacy and business.
    I look forward to your questions, Mr. Chairman and Members 
of the Subcommittee. Thank you.
    [The prepared statement of Mr. Dempsey follows:]
                 Prepared Statement of James X. Dempsey

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                               __________

    Mr. Nadler. Thank you.
    Mr. Gidari is recognized for 5 minutes.

          TESTIMONY OF ALBERT GIDARI, PERKINS COIE LLP

    Mr. Gidari. Thank you, Mr. Chairman, Committee Members. It 
is a pleasure to be here.
    Today I appear as an individual not representing any 
particular service providers or clients, but over 15 years I 
have had the pleasure of working with many in industry in their 
implementation and compliance with ECPA and with the 
Communications Assistance for Law Enforcement Act.
    These service providers are caught in the middle every day. 
The best way to determine whether ECPA is out of balance is to 
take a look at what service providers do every day, and that is 
essentially guess.
    They try to understand what the law requires and implement 
it on a daily basis, but because the law relies so much on 
definitions, like an electronic communication service provider 
to the public or a remote computing service provider to the 
public, service providers have to understand how the law 
applies to them and the legal process they need to disclose 
user communications and information. If they don't understand 
the bright line rule, then mistakes can be made, and those 
mistakes carry real consequences.
    We have cases, one heard just recently in the U.S. Supreme 
Court, where the service provider guessed wrong, thinking it 
was one thing when it was another, in disclosing communications 
on a lower standard than it should have and therefore being 
liable for that privacy breach.
    That is an untenable position for the men and women of 
service provider security offices, who every day deal with 
these requests from law enforcement and understand that those 
requests are valid, important, and sometimes life-threatening, 
but yet they also have user privacy concerns, and they must 
meet that imperative to protect user information.
    So it is an untenable position for them. They have a real 
identity crisis about what they are today when in a social 
networking environment, you could be just as easy an electric 
communications service provider as a remote computing service 
provider, and who knows under the definition what you are? It 
is a very difficult position.
    So we know it is out of balance, and we know clarity is 
important. As much as the academic debate about what the right 
standard is interesting, it isn't as interesting to service 
providers as having a clear rule. So if there is anything that 
can come out of this hearing and future hearings, clarity first 
and foremost.
    I would like to observe also with location-based services, 
for 15 years I have worked with wireless carriers and their 
response to law enforcement requests to use what is a 
remarkably robust and important tool for law enforcement, 
tracking capabilities, the ability to find a bad person or a 
kidnap victim in real time as quickly and as efficiently as 
possible. It is a great, great capability, but right now it is 
a muddle.
    Service providers haven't got a clue what the right legal 
standard is, and within the same judicial district, you might 
have two magistrates who disagree and issue contrary orders for 
the standard upon which to disclose that information. And what 
information should be disclosed? How often? How frequently? It 
is not uncommon for law enforcement to ask for a phone to be 
pinged every 15 minutes.
    In a lot of ways service providers' security offices and 
their personnel feel like they are the customer service of some 
computer organization, having to respond to incessant and 
continuous requests. Now, they are important requests, but the 
fact is the law does not state how often, how frequently, how 
rich, how detailed and to whom that information should be 
provided. The service providers simply need the clarity to 
understand what to do.
    Lastly, I would like to just observe that in ECPA there are 
some areas for improvement on transparency. It is difficult to 
make policy if one doesn't know how much information is 
collected. And from a personal perspective dealing with the 
volume of requests every day, this Committee and the public 
would do well to have clear numbers before them.
    The number of user records requested on a daily basis is 
astronomical. We can commend Google, who recently published 
through their transparency project, a list of statistics that 
show the number of requests that they receive on a regular 
basis. Those numbers are dwarfed by the number of requests that 
service providers like wireless carriers receive every day.
    Just yesterday the administrator of the courts received the 
wiretap report, and that annual report tells you the number of 
wiretaps conducted each year. For the past year, 2009, the 
numbers went up 26 percent. There is some good in those 
numbers. The U.S. stacks up pretty well compared to the rest of 
the world. If all we had was 2,600 total Federal and state 
wiretaps last year, somebody is doing something right and 
reviewing them carefully and not over using them.
    Unfortunately, we don't know how many pen registers have 
been implemented. We don't know how many location orders are 
implemented. And we certainly don't know how many user records 
have been asked for, used, and how long those are retained. If 
we could do anything to improve ECPA and its transparency, the 
collection and publication of that data would go a long way to 
helping the Committee make decisions on good, solid policy.
    Thank you, and I hope to answer any questions you have.
    [The prepared statement of Mr. Gidari follows:]
                  Prepared Statement of Albert Gidari

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                               __________

    Mr. Nadler. Thank you.
    And I now recognize Mr. Kerr for 5 minutes.

  TESTIMONY OF ORIN S. KERR, PROFESSOR, THE GEORGE WASHINGTON 
                     UNIVERSITY LAW SCHOOL

    Mr. Kerr. Chairman Nadler and Members of the Subcommittee, 
thank you very much for the invitation to be here today.
    I think it might help to start with understanding why we 
are here. In traditional criminal investigations, the police do 
the work on their own. They walk the beat. They conduct their 
own searches. If they see evidence of a crime that they think 
they need, they take it. They don't work with providers. They 
don't work with anybody else. They make all the decisions on 
their own, sometimes pursuant to judicial review by a judge, 
but not with the work of any private party.
    The opposite is true with new online crimes, crimes 
committed using networks, whether it is the Internet, crimes 
committed using telephones, or simply a case where there 
happens to be evidence that is stored or available over some 
sort of a network, whether the Internet or the cell network.
    In all those cases, the government is working through the 
intermediary of the provider. There is a company, a company 
that runs a network that has data, and the real question, and 
the question that the Electronic Communications Privacy Act is 
designed to address, is what should the rules be when the 
government wants data that the network has, or when the network 
company, the third-party provider, wants to disclose 
information to the government?
    Now, that means that in order to understand the issues 
raised by ECPA, we need to think about what the data is and 
when does the government obtain it. So it may be helpful to 
think about two different kinds of data that the communications 
providers may have.
    One category is content of communication. That is the 
actual message that somebody may be sending or receiving over 
the network. It might be an e-mail. It might be a text message. 
In the case of a phone call, it would be the actual 
conversation that two people are having.
    And then there is lots of non-content information. The non-
content information is information that the network is 
generating and using in order to deliver the communication. 
Now, we can understand what kind of content the network might 
have, because we as users of the network are aware of that. If 
somebody sends you an e-mail, for example, you know that the e-
mail is there.
    Non-content information is quite different. The amount of 
information that may exist depends on the technology, depends 
on the network. It may depend on the company, depends on 
business decisions that each company is making as to whether to 
keep records, whether to generate certain records. And that 
means there are lots of records available, and those records 
may vary dramatically, based on the company and based on the 
technology. So that is the issue of what the records are that 
are out there.
    The next thing you need to think about is when is the 
government collecting the information. So again, we can think 
of two basic categories. The one category would be when the 
government comes to the provider and says, ``We are going to 
compel you to disclose certain information. We want you to act 
on our behalf as our agent, essentially, and provide certain 
information.''
    Maybe it will be stored content that the government wants. 
Maybe it will be stored non-content information that the 
government wants, these records. And other times the government 
will want a real-time surveillance to occur, sometimes of 
content in the case of wiretapping, sometimes in the case of 
non-content information, for example, where somebody's cell 
phone is located or who somebody is e-mailing. So that is the 
case when the government is compelling information.
    And then the flipside of that is what if the provider comes 
across evidence and wants to disclose it to the government? 
Maybe the provider has uncovered child pornography. Maybe the 
provider has discovered some evidence of some other crime and 
wants to provide that information either to the government or 
even to a non-government group. What should those rules be? 
That is the question that the Electronic Communications Privacy 
Act was designed to address in 1986.
    Now, of course, in 2010, technology has changed 
dramatically. And I am very glad to hear that the Committee has 
planned more hearings, because I think what really we need to 
hear from is we need to hear from these providers. We need to 
find out what information do they have.
    What are their practices? What is the technology? How does 
it work? What kind of cell phone location information do 
different providers have? How close can they get to finding out 
the location of the user of the phone? How long do they keep 
their records?
    So we need to find out from the providers what are their 
practices. And then we also need to find out from the 
government how do their investigations work? Those of us that 
watch a lot of television know we have seen a lot of Law and 
Order, and we know how those investigations work, or at least 
how they work on TV.
    But mostly we don't know how these new online 
investigations work. We haven't seen those investigations. Very 
few people have. So we need hearings to talk about not only the 
technology, but what are the kinds of cases that the government 
is working? How do these cases actually unfold?
    And I think it is only after getting that informed sense of 
what the technology is and how the investigations actually work 
that the Committee can think about what do these rules need to 
be like. How do these rules need to change? It has been a 
quarter century since ECPA was passed, and it is time to think 
about how the technology has changed and how to balance the 
security interests and privacy interests, given the technology 
of today, not the technology of 1986.
    So I am very glad that the Committee is interested in these 
issues. Obviously, today's hearing is just the tip of the 
iceberg. There is a lot that we can talk about. But I think 
starting off by recognizing that this problem exists, both in 
terms of the new technologies and these new types of 
investigations, is a very important first start, and I am happy 
to be here. Thank you.
    [The prepared statement of Mr. Kerr follows:]
                   Prepared Statement of Orin S. Kerr

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                               __________

    Mr. Nadler. Well, thank you.
    And we will now recognize Ms. Levins for an opening 
statement.

   TESTIMONY OF ANNMARIE LEVINS, ASSOCIATE GENERAL COUNSEL, 
                     MICROSOFT CORPORATION

    Ms. Levins. Thank you, Mr. Chairman.
    Mr. Chairman, Members of the Subcommittee, my name is 
Annmarie Levins. I am an associate general counsel at 
Microsoft. I manage the legal support for Microsoft U.S. and 
Canadian subsidiaries. My team is responsible for contracts 
with our customers and partners for anti-piracy and digital 
crimes investigations, for Internet safety work and other 
areas.
    Before joining Microsoft in 1998, I had the privilege of 
serving as an Assistant United States Attorney in Seattle for 3 
years and before that in the Southern District of New York for 
seven. During my 10 years as an A-USA, I worked with many 
smart, dedicated law enforcement officers investigating 
organized crime, racketeering, narcotics and financial fraud 
cases.
    Thank you for this opportunity to share Microsoft's views 
on the reform of ECPA. Microsoft is in a unique position to 
comment on the need for ECPA reform. We have offered Internet-
based services for almost 15 years, dating back to MSN dial-up 
Internet service. We have offered Hotmail, our free Web-based 
mail service, since 1997.
    Today we offer a full array of cloud computing services, 
including our hosted suite of Enterprise class e-mail, 
relationship management and collaboration tools, and our cloud-
based storage and computing resources called Microsoft Azure. 
Our customers range from individuals to small and medium-sized 
businesses to some of the largest multi-national corporations 
in the world.
    From our vantage point, we have seen how the technologies 
governed by ECPA have evolved over the years since its 
enactment and the tremendous potential these technologies 
represent for all of our customers. Today users can store 
documents, data and communications to central locations and 
access them anywhere in the world on a wide variety of devices, 
including laptops, phones and other forms of personal devices.
    Increasingly, Web-based accounts are used interchangeably 
with local storage devices. As these Internet-based resources 
become part of our everyday computing experiences, users may 
not even realize that the legal protection afforded their data 
and documents are not necessarily the same when they use third-
party storage and processing capabilities in place of their own 
computers or networks.
    While there has been a fundamental shift in the amount of 
sensitive information that we now trust to third parties, the 
law has not shifted in parallel to preserve reasonable privacy 
interests. Quite simply, the basic technological assumptions 
upon which ECPA was based are outdated. The nature of the 
protection afforded to stored electronic communications has not 
kept pace with the many innovations in online computing over 
the last 24 years.
    For example, ECPA extends greater privacy protections to e-
mail storage for less than 180 days than e-mail stored for more 
than 180 days. This distinction might have made sense in 1986 
when e-mail services did not automatically retain messages for 
long periods of time, but the distinctions no longer bear any 
relationship to reality. Hosted e-mail and other online 
services regularly store e-mails and other content for years, 
and users today reasonably expect these communications to 
remain just as private on day 181 as they were on day 179.
    Microsoft believes that now is the time to address these 
issues. We are on the verge of a transformative age in Internet 
cloud-based computing. Cloud computing services can increase 
efficiencies for business and government, lower IT costs, 
create energy savings, and spur innovative job-creating 
enterprises. They will enable small and medium-size businesses, 
individual entrepreneurs and other innovators to tap into 
computing resources that previously had only been available to 
the largest companies, and at a fraction of the cost.
    These capabilities can drive innovation, make America's 
businesses more competitive, and ultimately contribute to 
economic growth. But unless we are able to preserve and protect 
users' privacy interests to meet their reasonable expectations, 
adoption of cloud computing services may be limited, and the 
full potential of cloud computing may not be realized.
    Indeed, in a recent poll conducted for Microsoft, more than 
90 percent of the general population and senior business 
leaders said they were concerned about security and privacy 
when they contemplated storing their own data in the cloud. 
This is among the reasons why Microsoft joined the Digital Due 
Process coalition in the launch of a new initiative to update 
ECPA.
    We understand the importance of supporting lawful 
investigations and spend significant resources every year to 
help make the online environment safer for all users. The 
Microsoft Digital Crimes Unit that I oversee was created 
specifically to assist law enforcement in pursuing digital 
crimes and to provide training to prosecutors and investigators 
around the world.
    In conclusion, Microsoft believes that the decisions about 
the right balance between users' reasonable expectations of 
privacy and law enforcement's legitimate interests should be 
made by Congress, with input from all key stakeholders, rather 
than as a result of unanticipated shifts in technology.
    We view the Digital Due Process coalition proposal as a 
good starting point for Congress' inquiry. Ultimately, smart, 
targeted reforms of ECPA are essential to restore proper 
balance between privacy and law enforcement in the digital age 
and will help cloud computing fully deliver on its promise.
    Thank you for the opportunity to testify today. On behalf 
of Microsoft, we appreciate this Committee's leadership in 
addressing these important issues, and we look forward to 
working with you.
    [The prepared statement of Ms. Levins follows:]
                 Prepared Statement of Annmarie Levins

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                               __________

    Mr. Nadler. Thank you.
    The witnesses having completed their initial statements, we 
will turn to questions. And I will begin by recognizing myself 
for 5 minutes.
    Mr. Dempsey, are any of the Digital Due Process principles 
intended to change a service provider's ability to share 
information with law enforcement in an emergency?
    Mr. Dempsey. Absolutely not. We make it clear that there 
are emergency exceptions in the law right now, which permit 
disclosure of information without a warrant, without a 
subpoena, in emergency circumstances, and we would leave those 
untouched.
    Mr. Nadler. Thank you.
    Ms. Levins, you indicated in your testimony that ECPA 
relies on outdated notions of how individuals and businesses 
interact with information technology. I assume among other 
things you are talking about--well, we know you are talking 
about cloud computing, because you mentioned it specifically.
    Can you tell us more about cloud computing and why this 
technology is ``transformative?'' And what benefits does it 
offer to society? And how do we support such technological 
progress as we attempt to balance the interests of privacy and 
law enforcement? All in about 5 minutes.
    Ms. Levins. Thank you, Mr. Chairman. I would be happy to 
address that.
    Cloud computing is important, because it opens the door for 
everyone to use the most powerful computer capabilities there 
are. It used to be that you couldn't afford to buy that kind of 
computing capability and storage unless you were a big company, 
but now you can use your desktop, your laptop, and use storage 
facilities that are maintained by a third party to do that kind 
of computing and storage that was previously unavailable on 
your home network.
    Mr. Nadler. Storage or storage and computing capacity?
    Ms. Levins. Both.
    Mr. Nadler. Both.
    Ms. Levins. Both.
    So that is the first part. I mean, and I think that that 
opens doors to all kinds of businesses to expand the way they 
do business in ways that weren't even thinkable when ECPA was 
passed in 1986.
    Mr. Nadler. And what do you think the implications for the 
development of cloud computing are if government access to e-
mail content stored in the cloud continues to be subject to a 
legal standard different from that applied to other forms of 
data storage?
    Ms. Levins. And I think that is a critical question, 
because what we found and what our poll showed is that people 
are very concerned that by putting data in the cloud, are they 
going to have the same level of privacy and security that they 
would have if they maintained it within their own four walls of 
their company or home. I think that they will be reluctant to 
move to the cloud and take advantage of this opportunity, if 
they aren't assured of what the standard of that privacy is and 
it doesn't meet their reasonable expectations.
    Mr. Nadler. So we have to make sure that there is a 
standard of privacy equal to what they would be on your own 
personal hard drive, or just a certainty of letting people know 
at some other level?
    Ms. Levins. Well, certainty is important, but I think in 
fact if you are talking about content, people expect that what 
they would have on their hard drive, in their personal hard 
drive, should be protected in the same way. Put the other way, 
the information in the cloud should be protected in the same 
way that their----
    Mr. Nadler. And to the same legal standard.
    Ms. Levins [continuing]. Hard drive would. And that is 
particularly true, I think, of corporations, I would guess.
    Mr. Nadler. Now, but the importance of maintaining privacy 
in the cloud is what you just said, but we have to maintain 
security in the cloud, too. How do you balance them?
    Ms. Levins. Well, I don't think they are inconsistent. And 
Microsoft, for example, has taken lots of steps to make sure 
that we have the best security that we can, and we are 
constantly working toward meeting the highest standards that 
are recognized in the industry.
    We think one of the most important things that could happen 
in this area is to have greater transparency about the security 
practices that companies offering cloud services are adopting 
and using. So it goes hand-in-hand with privacy. Users want to 
know that their information is safe, and they want to know that 
it is being secured and their privacy is being secured.
    Mr. Nadler. Thank you.
    Professor Gidari--Mr. Gidari--you indicated in your 
testimony with respect to location-based information that there 
has been a magistrate's revolt for several years. Can you 
describe what you mean by this phrase and in what ways, if any, 
it has been fomented by the government's interpretation of 
ECPA?
    Mr. Gidari. Yes, Mr. Chairman.
    Over the last 3 or 4 years, a number of magistrates have 
objected to automatically approving, as part of pen register 
orders, requests to disclose the location of a cell phone in 
real time prospectively on an ongoing basis. They objected to 
using the pen register standard alone or in combination with 
what is known as a specific and articulable facts order, or as 
the government calls it, a hybrid order, to authorize that 
disclosure.
    Other magistrates disagree and believe that the standard is 
acceptable. But about three to one ratio, these magistrates 
have believed that a probable cause standard is necessary to 
track and follow an individual.
    And that mini revolt, if you will, has resulted in very 
inconsistent standards within judicial districts, as a 
magistrate sitting next to another magistrate could completely 
disagree, and have disagreed, issuing orders that have 
different standards. So one person might be tracked according 
to one standard, another one to a higher standard. And then 
within the states themselves, the ECPA, of course, that is the 
floor.
    Mr. Nadler. But you would get that in any event. Even if we 
wrote a standard in law, a more specific standard, you would 
get judges disagreeing with that, and until it went up to the 
circuit or Supreme Court, you would have judges sitting next to 
each other issuing different decisions, no?
    Mr. Gidari. You certainly would, from a service providers' 
perspective. Which rule applies? Which order should pertain? 
What responsibilities do they have to their users to object to 
that order? The rules for location information today just 
simply don't state under----
    Mr. Nadler. They should state it more specifically.
    Mr. Gidari. Absolutely.
    Mr. Nadler. Mr. Dempsey, you look like you wanted to 
comment on that.
    Mr. Dempsey. I am just saying that right now you sort of 
have an open field, a green field--sort of no guidance at all.
    Mr. Nadler. So we need statutory guidance.
    Mr. Dempsey. The statute would--we would try to make it as 
specific as possible and precise as possible, but at least it 
would provide some context within which the courts would 
operate.
    Mr. Nadler. Okay. Thank you.
    My final question is to Professor Kerr. In some of your 
recent scholarship in applying the Fourth Amendment to the 
Internet, you talk about replacing the inside-outside 
distinction common to Fourth Amendment jurisprudence with the 
content-noncontent distinction.
    Can you tell us what this means and how you believe it 
extends consistent application of the Fourth Amendment 
principle to cyberspace? And is the analogy perfect, or does it 
give rise to any notable exceptions we should be aware of?
    Mr. Kerr. The basic idea here is when courts are 
considering how to apply the Fourth Amendment, which was 
created for a physical space, to a network environment, they 
should think about how to create a set of rules that tries to 
replicate how the Fourth Amendment applies in the physical 
world to this network space. And the basic idea is that the 
contents of some of these communications, these actual 
messages, are the online equivalent of stuff that would happen 
inside and would be protected by the Fourth Amendment in the 
physical world.
    On the other hand, the non-content information that a 
network creates is essentially the online equivalent to 
transactional information that would have occurred outside in 
the physical world. Now, if you follow that idea, the basic 
idea is that networks are doing for us what we used to do in 
the physical world. Basically, the network is coming to us 
instead of us having to go out into the world. And the idea is 
it creates a rough parallel between how the Fourth Amendment 
should apply in the physical world and how the Fourth Amendment 
should apply in the Internet.
    Now, of course, it is just a Law Review article. We don't 
know whether courts are ever going to follow this. And in fact, 
there is a Supreme Court case right now, Quon versus City of 
Ontario, in which the Supreme Court is trying to figure out for 
the first time how does the Fourth Amendment apply to text 
messages. I went to the oral argument, and the justices were as 
puzzled about this question as anyone could be.
    So we are just trying to figure out these issues, and the 
idea that content-noncontent distinction is just an initial 
first start to try to figure out how the Fourth Amendment 
should apply, and by analogy, how the statute could be drafted 
to recognize the stronger protection for content and for 
noncontent.
    Mr. Nadler. Thank you very much.
    My time has expired. I will now recognize the distinguished 
gentleman from North Carolina.
    Mr. Watt. Thank you, Mr. Chairman.
    I think I will acknowledge at the outset how ill prepared 
technologically I feel to engage in this discussion, and ill 
prepared, yes. I feel like a Neanderthal in this area. So let 
me--I want to ask a couple of questions that--and then I just 
want somebody to give me some examples of the kinds of things 
that are going out there that we should be worried about, given 
the failure to update the statute. But let me talk about 
process first.
    Mr. Dempsey, you talked in your testimony about a long 
period of dialogue and consensus building being needed.
    Mr. Gidari, you seemed to suggest, although not explicitly, 
that clarity was more important than substance of where you get 
to, so I am trying to figure out how long we should be working 
on this before we get to some kind of legislative solution. Is 
clarity of a rule more important than getting the rule right, 
the new standard right?
    What kind of time are you talking about for dialogue and 
consensus building, Mr. Dempsey, and does that fit with your 
urgency for clarity, even if the clear standard is the wrong 
standard?
    Mr. Dempsey. Well, honestly, I think, you know, my own 
timeframe is if a year from now we could be here with that 
piece of legislation that would be, you know, a markup or 
something a year from now would be a good target. But I think 
it is going to take a while. We are not pushing, as I said, for 
introduction of legislation immediately.
    I think we do have, and as we go through this process here, 
we do have some touchstones, and we can think about some of the 
analogies. They only take you so far, but they help. Take what 
we are talking about in terms of cloud computing. If you have a 
document on your computer in your office, or if you have that 
document printed out, that is protected by the Fourth 
Amendment--a person's house, his papers and effects. I think 
nobody has any doubt that ``papers'' includes your laptop.
    If, however, as now--and by the way, if you----
    Mr. Watt. Wait a minute, now. You are going to take my 
whole 5 minutes talking about something that I am trying to 
find--you say a year from now, and I--let me give----
    Mr. Dempsey. Okay, but I do want to come back to the 
question here of what are the guideposts we have that get us 
both the clarity and the substance.
    Mr. Watt. I am just talking about the timeframe now. I am 
not even talking about what the content is. Is a year from now 
too long from a clarity perspective, Mr. Gidari?
    Mr. Gidari. I think lawyers will find ambiguity in a No 
Smoking sign for the rest of our lives, but if that is the 
case, fix it, fix it right. If it takes a little longer to do 
that, we would rather have it right than wrong. But that 
doesn't mean they are inconsistent.
    Mr. Watt. So the real question I am trying to get to is 
what risk do we run in this interim? And that is where I get to 
the second part of the question. I mean, what are the horror 
stories that are going on out there? I mean, give me a couple 
of concrete horror stories that is going on in this interim 
while we are trying to either build consensus or get the 
standard right.
    Mr. Dempsey. Well, here is one example. Every one of us 
probably has 5, 6, maybe 10 years worth of e-mail stored, 
either stored on our local computer or often stored with a 
service provider like MSN or Gmail or another provider.
    Mr. Watt. That is somewhere in a cloud stored.
    Mr. Dempsey. That data is stored on a remote----
    Mr. Watt. Which I had never heard of until today, but that 
is all right.
    Mr. Dempsey. We are talking here just about, you know, when 
people used to draw a picture with a computer over here and a 
computer over here and then a cloud in the middle, that 
Internet server is in the cloud.
    Mr. Watt. I get the concept.
    Mr. Dempsey. And that is where a lot of our data is going.
    The way ECPA now works, it says that that e-mail 180 days 
old or less is protected by the Fourth Amendment warrant 
standard. The minute it turns 180 days old, it is available 
with a mere subpoena issued without judicial approval.
    The Justice Department takes the position that the minute 
that e-mail is opened at all--in fact, from the sender's 
perspective, the minute it is sent, it loses its warrant 
protection. Fully protected passing over the wire, the minute 
it reaches--you finish sending it or the minute the user, the 
intended recipient, opens it and looks at it, it falls outside 
of the protection of the warrant.
    Same document, if you print it out, leave it on your desk, 
protected. Same document, you put it in a box and you lock it 
in one of those storage lockers out in the suburbs, protected 
by the Fourth Amendment. But locked up in the cloud, not 
protected by that requirement.
    In the Ninth Circuit, the Ninth Circuit has rejected the 
Justice Department view and has said that a warrant is 
required. So what happens now is if the warrant is subject to 
the jurisdiction or the subpoena is subject to the jurisdiction 
of the Ninth Circuit, it is rejected, and a warrant is 
required. If it is outside of that, it is a little unclear.
    In Colorado a month ago the Justice Department sought e-
mail without a warrant. Yahoo said, ``No, go get a warrant, 
even though we are outside of the Ninth Circuit.'' The Justice 
Department backed down, said okay, withdrew the request.
    That is the kind of uncertainty you are getting. And there 
is overarching it all the possibility that these cases will 
percolate up through the courts and that the statute will be 
held unconstitutional, if the Justice Department pushes its 
position.
    Mr. Watt. Because it is too vague?
    Mr. Dempsey. No, because the warrant is not. Where the 
statute currently permits access without a warrant, if 
Professor Kerr is right that a warrant is required, that 
content is like a letter, it is like a phone call, it should be 
protected, so you do run that constitutional risk.
    I still agree with Mr. Gidari and my initial statement 
that, you know, we have lived with that ambiguity now for 5, 10 
years. I just don't see how we are going to push this forward. 
Given the law of unintended consequences, we want to make sure 
we don't screw things up worse.
    Mr. Watt. Thank you.
    I am way over my time, so I will yield back.
    Mr. Nadler. In that case, we will recognize the gentleman 
from Virginia for 5 minutes.
    Mr. Scott. Thank you, Mr. Chairman.
    Mr. Dempsey, it seems to me that a person doesn't think any 
different about an e-mail as saved in the cloud as on the 
computer. Why would the e-mail in the cloud be any different 
than the e-mail stored in that storage bin in the suburbs that 
you talked about?
    Mr. Dempsey. I don't think it should, and the conclusion 
that we came to in our preliminary dialogue is that it 
shouldn't.
    If you go back to 1986, I think what you end up with is 
this was a distinction based upon the way the technology worked 
in 1986. Storage was expensive, and service providers did not 
store e-mail. If you go back to the early days of AOL, you read 
that, you downloaded it, it was deleted from the computer of 
the service provider.
    Congress thought 180 days would be the absolute conceivable 
outside limit, and after that it was sort of like abandoned 
property or a----
    Mr. Scott. Well, once it gets into the cloud, can anybody 
get access to it?
    Mr. Dempsey. The----
    Mr. Scott. I mean, beside--I mean, could I look into 
Representative Watts' cloud?
    Mr. Dempsey. No, no, no, no. It really is--the cloud 
actually is potentially more secure in some ways than local 
storage. You have the service providers of cloud storage 
capabilities making a lot of effort to secure that information.
    Mr. Scott. So this is being kept in a place that is secure 
from anybody else, and it is just I am the only one that can 
access my part of this cloud.
    Mr. Dempsey. You or the person to whom you give consent.
    Mr. Scott. And so I have an expectation that this is 
private information.
    Mr. Dempsey. That is certainly the way the average person 
looks at it. That is one of these changes that has occurred, 
the technology changes that have occurred in the past 10 years 
that we are talking about.
    Mr. Scott. Ms. Levins, when Microsoft has to respond to a 
lot of warrants and subpoenas, it costs money. Does the 
government incur any of the expense, or they just let you worry 
about it?
    Ms. Levins. Congressman Scott, that is not my area of 
expertise. I would have to get back to you with that 
information. I know my colleagues do know that. I don't have 
that with me.
    Mr. Scott. Does anybody know who--what----
    Mr. Gidari. The statute authorizes reimbursement for non-
toll records, so phone companies give them away for free in 
large amounts, but electronic communication service providers 
are entitled to charge for them. Not all of them do. Many 
provide that service to law enforcement for free. Others charge 
a reasonable cost.
    Mr. Scott. But some information can be obtained fairly 
easily. Some takes a little complication where you have to 
program the computer and pay expenses to get the information, 
and some of it, I imagine, gets kind of expensive after a 
while.
    Mr. Gidari. That is right.
    Mr. Scott. And you can charge for that expense?
    Mr. Gidari. That is correct.
    Mr. Scott. Does anybody have any concern, if we keep 
talking about how government does all this surveillance, that 
we might publicize their techniques and compromise 
investigations?
    Mr. Dempsey. I have always thought that we could have the 
discussion without compromising techniques. I think we can talk 
at the level of specificity necessary to draft a clear statute, 
incorporate the Fourth Amendment principles, and do that in a 
way that doesn't get into the technology at all. In fact, 
technology neutrality, I think, is one of the principles that 
we are trying to achieve here.
    Mr. Scott. Okay.
    And with the pinging the cell phone, can anybody ping 
somebody else's cell phone, or is that just something the 
company can do?
    Mr. Gidari. Something only the company can do.
    Mr. Scott. And I think there is an expectation that you are 
not being followed, because the company isn't supposed to be 
following you around, and the only way the government can do it 
is--what does the government need to order the company to find 
out where you are?
    Mr. Gidari. Depends on which magistrate you visit, but at 
least a pen register order and a specific and articulable facts 
order combined, but in many jurisdictions, a probable cause 
order--a probable cause warrant issued under Rule 41.
    Mr. Scott. But for a government request, I should have an 
expectation that I am not being pinged and shown up on 
somebody's computer screen. Is that a reasonable expectation, 
or, you know, should----
    Mr. Gidari. It is more than a reasonable expectation.
    Mr. Dempsey. And that is the way I think that carriers have 
designed their services. A number of carriers offer services 
whereby parents, for example, can--who are the subscribers to 
the service--can find out, for example, where their children 
are. But that is the case of the subscriber controlling their 
account.
    There are a variety of services now being offered where I 
can share my location with my friends. The companies who have 
designed those services have been very, very careful to design 
them in a way so that the user has control. To override that 
user control, the company has to be involved. The company has 
to be compelled to do something.
    And some of those services offer very, very precise 
location capability, in a sense almost pinpointing a person on 
a map. A number of those companies have said that they will 
insist upon a warrant for disclosure of that information, and I 
think they have strong constitutional argument for that. But 
the statute, as we have said, it is completely unclear.
    Mr. Nadler. Thank you.
    I now recognize the gentleman from Georgia.
    Mr. Johnson. Thank you, Mr. Chairman.
    If I were someone's wife, and I was out on the town running 
around with all kinds of males and females and engaged in doing 
my own thing pretty much, and I am wanting to keep all of that 
secret, I am certain that no one on the panel would want the 
husband of--or they would not want my husband to be able to go 
to the phone company and say, ``Look, I need to find out where 
my wife is, because I am going to kill her when I find her.'' 
None of you all would want that to happen, would you?
    And so no one is saying anything, so I assume----
    Mr. Dempsey. No.
    Mr. Johnson. Okay. All right.
    And now, what if I were a law enforcement officer--the 
husband. Or what if my husband was a law enforcement officer? 
Is there any--and only thing this law enforcement officer did 
was to go get a subpoena, which he carries around blank 
subpoenas, and comes to a cell phone provider and says, ``Look, 
I am conducting an investigation, and you must provide this 
information to me.'' Should that law enforcement officer, or 
any other law enforcement officer, be able to obtain that 
information, the whereabouts of his wife?
    Mr. Gidari. They would be shown the door with that request, 
the door to the courthouse, where they would have to ask a 
judge to approve an order to get it.
    Mr. Johnson. But that may be true at your cell phone 
company, but it is not necessarily compelled by law that the 
cell phone company refrain from producing those documents. Is 
that correct?
    Mr. Dempsey. Congressman, there is actually an interesting 
case that has emerged in the 11th Circuit recently, which dealt 
not with the location information, but instead with some e-
mails.
    And the case clearly involved a certain amount of 
favoritism on the part of the prosecutor and the sheriff in 
that area, who at least allegedly were doing a favor for a 
friend in defending that friend against some civil litigation 
or some civil controversy, issued a subpoena, like you say, 
served the subpoena on the service provider, and the service 
provider did turn over that e-mail.
    The case has gone up to the 11th Circuit, and 
unfortunately, this is one of the cases that I think went in 
the wrong direction. Professor Kerr has also written about it, 
criticizing the decision in this case, but the 11th Circuit 
held that there was zero constitutional privacy interest in 
that e-mail and that the sheriff and the prosecutor, in essence 
acting off on their own, had not violated anybody's rights.
    Mr. Johnson. So, and the reason why it was not private is 
because it was in the cloud somewhere?
    Mr. Dempsey. Yes, there was this notion that they had, 
which we think is wrong, that privacy was lost because of the 
use of that technology.
    Mr. Johnson. Yes.
    Is there anybody who would agree with the 11th Circuit 
decision in that case that is sitting on this panel?
    Yes, okay. All right. Well, you know, I have been sitting 
here all day trying to find something that someone on the panel 
would say that would incite me to issue forth with tough 
questions, but you all have deprived me of that option, and I 
am pretty much, I guess, singing to the choir when I say that I 
would hate to see either with content or with noncontent 
information requested by law enforcement, to use your analogy, 
Mr. Kerr--or not your analogy, but your terminology, I would 
hate to see a company turned into a agent for law enforcement 
at the expense of their customer.
    To me the issues that we confront are easily dealt with by 
legislatively extending the Fourth Amendment. And I do believe 
that there is an inherent right to privacy, which is implied in 
really the first nine amendments, but certainly the Fourth 
Amendment. All we have to do is just extend it to these new 
areas that have come to the fore since we have been embarked on 
this pursuit of intellectual supremacy, if you will.
    This is just human nature, but if we stick with the ideals 
of the founding fathers, particularly with respect to the 
Fourth Amendment, I think that our job should be easy.
    And I guess there could be an argument that we just leave 
each case up to the the courts to flesh out and ultimately to 
the U.S. Supreme Court, but I am afraid that we would--I am 
afraid to leave it up to the U.S. Supreme Court when we can put 
those things into legislation, which clears up the ambiguities 
that may arise.
    So I think this is a very important hearing. It bears upon 
the individual rights that we in this country oftentimes take 
for granted, but they are what made America what it is. So 
thank you very much.
    And I notice that the Chairman is now thinking about--
thinking pensively as we proceed.
    Mr. Nadler. And you yield back?
    Mr. Johnson. At this time, yes.
    Mr. Nadler. Then I will recognize the gentlelady from 
California.
    Ms. Chu. So, Mr. Dempsey, I would like to ask a question 
about the fate of an e-mail that I would send out, but under 
different circumstances with regard to privacy and the Fourth 
Amendment.
    Let us just say I e-mail a friend, Sarah, and what would 
happen to the fate of that e-mail if she has read it versus 
hasn't read it or with regard to if 8 months have passed versus 
tomorrow, whether it is on a Gmail account or whether it is on 
her hard drive? Or what if I took the content of that 
information and put it in a letter and just mailed it?
    Mr. Dempsey. In the Appendix A to my testimony, I talk 
about this example, and if I was better at graphics, I would 
have tried to it do a chart that showed this, because it really 
does almost take a matrix to explain this.
    While the e-mail is in transit, moving over the wires, so 
to speak, or moving through the network, it can be intercepted 
only with a warrant, a wiretap order issued under the Wiretap 
Act.
    Once it reaches the inbox, so to speak, the computer of the 
service provider of Sarah, the intended recipient, it comes 
under the Stored Communications Act and at least until she 
opens it, that e-mail sitting in her e-mail box is protected 
again by the warrant requirement.
    After she reads it, under my reading of ECPA, for 180 days 
it remains protected by the warrant requirement. After 180 
days, on day 181, it loses the warrant protection. So you go 
from warrant to non-warrant.
    An interesting example is if you are using Gmail, by the 
way, and you--or any other remote Web-based e-mail service--and 
you draft your e-mail and don't send it, because you haven't 
finished it, you are going to come back the next and finish it 
and send it, while that e-mail is sitting on the server of 
Google, it is available regardless of age.
    It is available with a mere subpoena. It is not protected 
by the warrant at all, because Google is at that time acting as 
a provider of remote computing services, not as a provider of 
electronic communication services. They are storing the e-mail.
    Once 180 days passes, then Google again reverts to its 
status as a remote computing service. It is available with the 
subpoena. The Justice Department argues that the copy of the e-
mail that you might store, since you store all your outgoing e-
mail, if it is stored in the cloud, loses its protection as 
soon as you send it, because it is no longer in transit in 
temporary storage incident to transmission. It is sort of your 
copy.
    Now if you had printed out a copy and kept a copy in your 
office, that is protected by the Fourth Amendment. If you have 
a copy on your desktop or laptop, that is protected by the 
Fourth Amendment. But the copy that is stored in your account, 
according to the Justice Department, from the minute you push 
``send,'' that is not protected by the warrant.
    Mr. Nadler. Will the gentlelady yield for a moment?
    Ms. Chu. Yes.
    Mr. Nadler. And the Justice Department in effect is saying 
that because you pressed the ``send'' button, the Fourth 
Amendment doesn't apply, because it is no longer your papers?
    Mr. Dempsey. It applies only--I think everybody would admit 
that it applies to the e-mail in transit.
    Mr. Nadler. But why doesn't it apply continuing?
    Mr. Dempsey. They argue, I think, that it is--it is hard to 
articulate their theory. It is a stored record, in their 
opinion, that has been entrusted to a third-party in such a way 
that you have surrendered your privacy interest in it.
    Now, I think the correct analogy is the storage locker 
analogy, in which a warrant is required to go into the storage 
locker. There are cases having--they analogize it to something 
like a check, a cancelled check which goes to the bank.
    Mr. Nadler. That is even more strange, when they say that 
it is not protected by the Fourth Amendment before you finished 
it.
    Mr. Dempsey. If you store it with some--if you leave it on 
some remote server.
    Mr. Nadler. I thank the gentlelady for yielding.
    Ms. Chu. And so if you have it on the hard drive, it is 
protected, but if it is in the cloud, it is not protected. And 
if it is a letter, I am presuming you are saying it is 
protected.
    Mr. Dempsey. The letter is interesting, because the letter 
is protected, of course, in the hands of the post office. This 
goes back to 1877, when the Supreme Court ruled that the Fourth 
Amendment does protect the letter moving through the mail 
system. The copy of the letter that I retained is protected. 
The copy of the letter that the recipient has is protected vis-
a-vis the recipient. They can always voluntarily turn it over, 
but to force them to disclose it would require a warrant or 
subpoena served directly on them.
    So you have got this crazy quilt that the average 
individual has absolutely no idea about. And increasingly, the 
services are being designed in a way to make all this 
completely seamless and completely non-apparent to the user.
    So we have these increasingly powerful Black Berries and 
handheld mobile Internet devices. We are constantly accessing 
information remotely. Sometimes it is on the device. Sometimes 
it isn't. Increasingly, it becomes even less clear where it is. 
And it is time to dispense with these technology-based, 
platform-based rules by which people do not lead their lives, 
people do not base their lives on these distinctions from 1986.
    Ms. Chu. Thank you.
    I yield back.
    Mr. Nadler. I thank the members of the panel, unless any 
member of the panel wants to say anything else.
    In which case without objection, all Members will have 5 
legislative days to submit to the Chair additional written 
questions for the witnesses, which we will forward and ask the 
witnesses to respond as promptly as they can so that their 
answers may be made part of the record. Without objection, all 
Members will have 5 legislative days to submit any additional 
materials for inclusion in the record.
    Mr. Dempsey, you wanted to make a statement.
    Mr. Dempsey. Yes, Mr. Chairman. Sorry, I did have one 
thing. I have a very good memo that was prepared by Becky Burr 
at the WilmerHale law firm, talking about some of these issues, 
and I would like to, with your permission, enter this into the 
record of the hearing as well.
    Mr. Nadler. Well, if you will give it to us, without 
objection, it will certainly be entered into the record, and I 
thank you.
    [The information referred to follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                   __________

    Mr. Nadler. With that, I thank the witnesses. And the 
hearing is adjourned.
    [Whereupon, at 4:06 p.m., the Subcommittee was adjourned.]
















                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 
