[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
ELECTRONIC COMMUNICATIONS
PRIVACY ACT REFORM
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON THE CONSTITUTION,
CIVIL RIGHTS, AND CIVIL LIBERTIES
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
MAY 5, 2010
__________
Serial No. 111-98
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
56-271 PDF WASHINGTON : 2010
COMMITTEE ON THE JUDICIARY
JOHN CONYERS, Jr., Michigan, Chairman
HOWARD L. BERMAN, California               LAMAR SMITH, Texas
RICK BOUCHER, Virginia                     F. JAMES SENSENBRENNER, Jr., Wisconsin
JERROLD NADLER, New York                   HOWARD COBLE, North Carolina
ROBERT C. ``BOBBY'' SCOTT, Virginia        ELTON GALLEGLY, California
MELVIN L. WATT, North Carolina             BOB GOODLATTE, Virginia
ZOE LOFGREN, California                    DANIEL E. LUNGREN, California
SHEILA JACKSON LEE, Texas                  DARRELL E. ISSA, California
MAXINE WATERS, California                  J. RANDY FORBES, Virginia
WILLIAM D. DELAHUNT, Massachusetts         STEVE KING, Iowa
STEVE COHEN, Tennessee                     TRENT FRANKS, Arizona
HENRY C. ``HANK'' JOHNSON, Jr., Georgia    LOUIE GOHMERT, Texas
PEDRO PIERLUISI, Puerto Rico               JIM JORDAN, Ohio
MIKE QUIGLEY, Illinois                     TED POE, Texas
JUDY CHU, California                       JASON CHAFFETZ, Utah
TED DEUTCH, Florida                        TOM ROONEY, Florida
LUIS V. GUTIERREZ, Illinois                GREGG HARPER, Mississippi
TAMMY BALDWIN, Wisconsin
CHARLES A. GONZALEZ, Texas
ANTHONY D. WEINER, New York
ADAM B. SCHIFF, California
LINDA T. SANCHEZ, California
DANIEL MAFFEI, New York
JARED POLIS, Colorado
Perry Apelbaum, Majority Staff Director and Chief Counsel
Sean McLaughlin, Minority Chief of Staff and General Counsel
------
Subcommittee on the Constitution, Civil Rights, and Civil Liberties
JERROLD NADLER, New York, Chairman
MELVIN L. WATT, North Carolina             F. JAMES SENSENBRENNER, Jr., Wisconsin
ROBERT C. ``BOBBY'' SCOTT, Virginia        TOM ROONEY, Florida
WILLIAM D. DELAHUNT, Massachusetts         STEVE KING, Iowa
HENRY C. ``HANK'' JOHNSON, Jr., Georgia    TRENT FRANKS, Arizona
TAMMY BALDWIN, Wisconsin                   LOUIE GOHMERT, Texas
JOHN CONYERS, Jr., Michigan                JIM JORDAN, Ohio
STEVE COHEN, Tennessee
SHEILA JACKSON LEE, Texas
JUDY CHU, California
David Lachmann, Chief of Staff
Paul B. Taylor, Minority Counsel
C O N T E N T S
----------
MAY 5, 2010
OPENING STATEMENTS
The Honorable Jerrold Nadler, a Representative in Congress from
the State of New York, and Chairman, Subcommittee on the
Constitution, Civil Rights, and Civil Liberties
The Honorable F. James Sensenbrenner, Jr., a Representative in
Congress from the State of Wisconsin, and Ranking Member,
Subcommittee on the Constitution, Civil Rights, and Civil
Liberties
WITNESSES
Mr. James X. Dempsey, Center for Democracy and Technology, Vice
President for Public Policy
  Oral Testimony
  Prepared Statement
Mr. Albert Gidari, Perkins Coie LLP
  Oral Testimony
  Prepared Statement
Mr. Orin S. Kerr, Professor, The George Washington University Law
School
  Oral Testimony
  Prepared Statement
Ms. Annmarie Levins, Associate General Counsel, Microsoft
Corporation
  Oral Testimony
  Prepared Statement
APPENDIX
Material Submitted for the Hearing Record
ELECTRONIC COMMUNICATIONS
PRIVACY ACT REFORM
----------
WEDNESDAY, MAY 5, 2010
House of Representatives,
Subcommittee on the Constitution,
Civil Rights, and Civil Liberties,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:53 p.m., in
room 2141, Rayburn House Office Building, the Honorable Jerrold
Nadler (Chairman of the Subcommittee) presiding.
Present: Representatives Nadler, Watt, Scott, Johnson,
Cohen, Chu, and Sensenbrenner.
Staff present: (Majority) David Lachmann, Subcommittee Chief
of Staff; Stephanie Pell, Counsel; (Minority) Caroline Lynch,
Counsel; and Art Baker, Counsel.
Mr. Nadler. This hearing of the Subcommittee on the
Constitution, Civil Rights, and Civil Liberties will come to
order. We apologize for coming to order late, but the votes on
the floor necessitated that. We will begin by recognizing
myself for a 5-minute opening statement.
Today's hearing is the beginning of a process through which
the Subcommittee will revisit the statutory framework Congress
established in the 1986 Electronic Communications Privacy Act,
ECPA, in spite of the enormous technological advances which
have taken place in electronic communications over the last 24
years.
Because of the complexity of the subject, both legal and
technological, this hearing will probably be the first of
several we will hold as we consider what, if any, reforms
should be made to the Act so that it might function more
effectively in the future.
ECPA was passed in 1986, well before we commonly used the
Internet for e-mail, much less for cloud computing and remote
storage, at a time when cell phones were rare, often the size
of small kitchen appliances, and included no tracking
technologies capable of mapping our every movement.
Communications technology now evolves at an exponential pace.
So in 1986 ECPA fixed the statutory standards law
enforcement would have to meet to access private communications
data in a technological environment as far removed from our own
as that of 1986 was from the day Alexander Graham Bell said,
``Mr. Watson, come here. I need you.'' in the first telephone
call 110 years earlier.
The lightning pace of innovation in communications
technology brings with it enormous improvements in the quality
of life for our citizens that in many ways marked the age we
live in as a new epoch, which might be called the Internet Age.
But it must be said, particularly by the Committee on the
Judiciary, that these events also provide criminals with new
platforms for unlawful activity.
Moreover, it must also be said here on the Subcommittee on
the Constitution that these robust new communications
technologies bring with them new opportunities for law
enforcement agencies, charged to protect us from such
criminals, to intervene in our private lives. Thus, we must
consider whether ECPA still strikes the right balance between
the interests and needs of law enforcement and privacy
interests of the American people.
This is only the beginning of a dialogue that must go on to
include the input of, among others, law enforcement at the
Federal, state and local level, private industry stakeholders
across the complex network of networks that is modern
communications, and academic experts on technology, privacy and
Fourth Amendment issues.
But today all of the Members of the Subcommittee can begin
this inquiry through a dialogue that raises these issues with
this distinguished panel of witnesses. Today we can begin the
work of making ECPA work for our time and for all concerned.
This is an enormous responsibility, and this Subcommittee needs
everyone's help to get it right. As such, all of us sit on this
panel at least in part as students today.
I thank you in advance for what you will teach us.
As for myself, some of the questions I propose to the class
are how have changes in the Internet made it difficult for
private industry to determine its obligations under Title II of
ECPA, the Stored Communications Act? How do current advances in
location technology test traditional standards of the ECPA of
1986?
More generally, in what ways have these and other
technologies potentially subverted one of the original and
central goals of ECPA, which was to preserve ``a fair balance
between the privacy expectations of citizens and the legitimate
needs of law enforcement?'' If we are out of balance, what
concepts should guide reform? I know my distinguished
colleagues will have other questions.
Finally, I would like to observe that we are aware that
privacy advocates and members of industry have worked together
in an impressive common effort to derive and propose some
common principles that should guide our inquiry on ECPA reform.
I look forward to hearing them articulated by our witnesses
here in person.
It is my hope that we on this Subcommittee can emulate your
example and come together in a bipartisan spirit as we forge
ECPA reform legislation that will put needed reforms in place,
hopefully this year. I welcome our witnesses, and I look
forward to your testimony.
With that, I yield back. And I will now recognize for an
opening statement the distinguished Ranking Member of the
Subcommittee.
Mr. Sensenbrenner. Thank you very much, Mr. Chairman.
The purpose of today's hearing is to examine the need to
update the Electronic Communications Privacy Act of 1986.
Today's hearing is a result of calls by a coalition called the
Digital Due Process to examine how far apart technology and the
law may have become and to see if reforms are necessary to keep
the law current with constantly evolving technology.
The genesis of ECPA in 1986 was a needed response to the
emergence and rapid development of wireless communications
services and electronic communications of the digital era. At
that time e-mail, cordless phones and pagers were by today's
standards in their infancy, and as these devices have become
smaller, cheaper and more sophisticated, we have embraced them
more and more in our everyday lives.
The evolution of the digital age has given us devices and
capabilities that have created conveniences for society and
efficiencies for commerce. But they have also created
conveniences and efficiency for criminals, as well as
innovative new ways to commit crimes. Fortunately, new ways to
detect and investigate crimes and criminals have also evolved.
At the intersection of all these developments and
capabilities are the privacy rights of the public, the economic
interest in expanding commerce, the public policy of
encouraging development of even better technologies, and the
legitimate investigative needs of law enforcement
professionals.
While some of the issues we will hear about today have been
heard before, this new initiative by the Digital Due Process
coalition was officially launched on March 30th this year.
There has been neither sufficient time to examine the concepts
that are being advanced in any meaningful way, nor has there
been time to hear from other stakeholders, including relevant
members of the law enforcement community.
While the Digital Due Process coalition makes note that
some of the principles have been previously embraced by the
House Judiciary Committee in 2000, it should be noted that just
last year the full Committee voted down advancing the
requirements for obtaining authority to utilize the pen
register and for obtaining authority to utilize the trap and
trace device.
In fact, enhancing the standard for a pen register and trap
and trace device drew strong opposition from the National
District Attorneys Association, the National Sheriffs
Association, the Fraternal Order of Police, and the
International Association of Chiefs of Police, all of whom
agree that the proposed changes to criminal pen register and
trap and trace devices would unduly burden state and local law
enforcement agencies, who regularly use these tools in state
criminal investigations.
There will no doubt be considerable debate on what may or
may not need to be changed, but there will also be debate on
how any needed change should be effected. I look forward to the
witnesses today, and I look forward to having you start the
debate. Let me say it won't be the end of the debate.
Mr. Nadler. In the interests of getting to our witnesses
and mindful of our busy schedules, I ask that other Members
submit their statements for the record. Without objection, all
Members will have 5 legislative days to submit opening
statements for inclusion in the record. Without objection, the
Chair will be authorized to declare a recess of the hearing.
We will now turn to our first panel of witnesses--in fact,
our only panel of witnesses.
Jim Dempsey is vice president for public policy at the
Center for Democracy and Technology, where he concentrates on
privacy and government surveillance issues. Mr. Dempsey
coordinates the Digital Privacy and Security Working Group, a
forum for companies, trade associations, think tanks and public
interest advocates interested in cyber security, government
surveillance and related issues. He received his J.D. from
Harvard Law School. Additionally, Mr. Dempsey was counsel to
this Subcommittee under Chairman Don Edwards. He continues to
carry on that work at CDT, and I am pleased to welcome him
back.
Albert Gidari is a partner at Perkins Coie--or Perkins
Coie, I think, LLP, where he represents a broad range of
companies on privacy, security, Internet, electronic
surveillance and communications law. His practice also includes
both civil and criminal litigation, investigations and
regulatory compliance counseling. He is a graduate of the
George Mason University School of Law.
Orin Kerr is a law professor at George Washington
University, who has written extensively on the Electronic
Communications Privacy Act. From 1998 to 2001, Mr. Kerr was a
trial attorney at the computer crime and intellectual property
section of the U.S. Department of Justice. He earned his JD
magna cum laude from Harvard Law School.
Annmarie Levins is an associate general counsel at
Microsoft Corporation. She manages the legal support for
Microsoft's U.S. and Canadian subsidiaries, directing the legal
teams responsible for licensing and service transactions, anti-piracy
investigations and enforcement, Internet safety work and
other areas. Ms. Levins formerly served in the U.S. Attorney's
Office in Seattle and in the Southern District of New York. She
graduated summa cum laude from the University of Maine School
of Law.
I am pleased to welcome all of you. Your written statements
in their entirety will be made part of the record. I would ask
each of you to summarize your testimony in 5 minutes or less.
There is a light in front of you. When it turns yellow, that
means you have a minute left. And I would advise you that the
Chair is somewhat lax in--or latitude in that area maybe in
interpreting the time limit.
Before we begin, it is customary for the Committee to swear
in its witnesses.
Let the record reflect that the witnesses answered in the
affirmative.
You may be seated.
And we will first--I now recognize Mr. Dempsey for 5
minutes.
TESTIMONY OF JAMES X. DEMPSEY, CENTER FOR DEMOCRACY AND
TECHNOLOGY, VICE PRESIDENT FOR PUBLIC POLICY
Mr. Dempsey. Chairman Nadler, Members of the Subcommittee,
good afternoon. Thank you for holding this hearing.
In setting rules for electronic surveillance, the courts
and Congress have long sought to balance three critical
interests--the individual's right to privacy, the government's
need to obtain evidence to prevent and investigate crimes and
respond to emergencies, and the corporate interest in clear
rules that provide confidence to consumers and that afford the
companies the certainty they need to invest in the development
of innovative new services.
Today it is clear that the balance among those three
interests has been lost. Powerful new technologies create and
store more and more information about our daily lives. The
protections provided by judicial precedent and statute have
failed to keep pace.
The major Federal statute setting standards for
governmental access to communications, the Electronic
Communications Privacy Act, or ECPA, was written in 1986, light
years ago in Internet time. Among other key points, private
information directly analogous to a telephone call or letter
now falls outside of the traditional warrant standard when
stored online. As a result, a major section of ECPA is probably
unconstitutional in many applications.
Every witness at this table today agrees that ECPA is
outdated and needs to be reformed to provide strong privacy
protections while also preserving the tools that law
enforcement agencies need to act quickly to investigate crimes
and respond to emergencies.
For the past several years the Center for Democracy and
Technology, my organization, has been chairing a dialogue among
leading Internet companies, communications companies, privacy
advocates, law professors and attorneys in private practice to
discuss how ECPA was working and how it needed to be updated.
We had as part of our group several former prosecutors and
several alumni of the Computer Crime and Intellectual Property
Section of the Department of Justice.
In our discussions we were acutely aware of the needs of
law enforcement. We started with a list of over a dozen issues.
Some of the privacy advocates and scholars wanted to go farther
in strengthening the rules, but the former prosecutors
emphasized the importance of preserving a sliding scale of
authorities. We met monthly and then even weekly.
Ultimately, we reached consensus on four principles--
consistent application of the warrant standard to private
communications and documents, consistent application of the
warrant standard for location tracking of cell phones and other
mobile devices, true judicial review of pen registers and trap
and trace devices--and we can go into more detail about what
pen register/trap and trace devices are and how they work--and
no blanket use of subpoenas.
Now, in some ways--many ways, actually--these proposals are
modest. The proposals would preserve all current exceptions,
including the emergency exception that permits disclosure of
e-mail and other content without a warrant, even without a
subpoena, in times of emergency. We do not propose any changes
to FISA or to the national security letter provision in ECPA.
Our proposals on e-mail and stored documents focus solely
on compelled production from a service provider providing
service to third parties. We do not propose any change to the
rules governing how you get information directly from the
subject of an investigation. A company could not hide behind
ECPA if the government is investigating that company. The rules
permitting subpoenas served directly on targets of an
investigation will remain unchanged.
As Chairman Nadler indicated, the companies and
organizations endorsing this principle call themselves the
Digital Due Process coalition. The coalition now includes major
Internet and communications companies, major think tanks, and
advocacy organizations ranging from the ACLU to Americans for
Tax Reform and FreedomWorks. We are continuing to add new
members each week.
We see our principles as the first step--and I emphasize
this--just an opening framework in a process that will require
public discussion, the engagement of other stakeholders, and
most importantly, dialogue with law enforcement agencies. We
have already begun the process of discussing these principles
with the Department of Justice, the FBI, and the National
Association of Attorneys General.
We intend to get very specific in follow-up discussions,
addressing concrete hypotheticals about how updates to the law
would affect ongoing practices.
Mr. Chairman, the coalition is not urging the introduction
of legislation. Many details remain to be discussed before we
get to the legislative phase. Other issues might be brought
forward in addition to the four that we have put on the table.
We urge this Committee and we are urging the Senate Judiciary
Committee to move cautiously, to hold further hearings, as you
already indicated you would, to listen to the views of law
enforcement, of the telephone companies and other carriers.
Professor Kerr in his testimony has proposed some excellent
questions that need to be and can be addressed and resolved.
Some of them, speaking for CDT, I have answers to. Others of
them I don't have answers to yet. But we agree they need to be
addressed. Our coalition foresees a long-term process of
hearings, dialogue and consensus building. Together, though, we
can re-establish the balance among those interests that were
critical in 1986--law enforcement, privacy and business.
I look forward to your questions, Mr. Chairman and Members
of the Subcommittee. Thank you.
[The prepared statement of Mr. Dempsey follows:]
Prepared Statement of James X. Dempsey
__________
Mr. Nadler. Thank you.
Mr. Gidari is recognized for 5 minutes.
TESTIMONY OF ALBERT GIDARI, PERKINS COIE LLP
Mr. Gidari. Thank you, Mr. Chairman, Committee Members. It
is a pleasure to be here.
Today I appear as an individual not representing any
particular service providers or clients, but over 15 years I
have had the pleasure of working with many in industry in their
implementation and compliance with ECPA and with the
Communications Assistance for Law Enforcement Act.
These service providers are caught in the middle every day.
The best way to determine whether ECPA is out of balance is to
take a look at what service providers do every day, and that is
essentially guess.
They try to understand what the law requires and implement
it on a daily basis, but because the law relies so much on
definitions, like an electronic communication service provider
to the public or a remote computing service provider to the
public, service providers have to understand how the law
applies to them and the legal process they need to disclose
user communications and information. If they don't understand
the bright line rule, then mistakes can be made, and those
mistakes carry real consequences.
We have cases, one heard just recently in the U.S. Supreme
Court, where the service provider guessed wrong, thinking it
was one thing when it was another, in disclosing communications
on a lower standard than it should have and therefore being
liable for that privacy breach.
That is an untenable position for the men and women of
service provider security offices, who every day deal with
these requests from law enforcement and understand that those
requests are valid, important, and sometimes life-threatening,
but yet they also have user privacy concerns, and they must
meet that imperative to protect user information.
So it is an untenable position for them. They have a real
identity crisis about what they are today when in a social
networking environment, you could be just as easy an electric
communications service provider as a remote computing service
provider, and who knows under the definition what you are? It
is a very difficult position.
So we know it is out of balance, and we know clarity is
important. As much as the academic debate about what the right
standard is interesting, it isn't as interesting to service
providers as having a clear rule. So if there is anything that
can come out of this hearing and future hearings, clarity first
and foremost.
I would like to observe also with location-based services,
for 15 years I have worked with wireless carriers and their
response to law enforcement requests to use what is a
remarkably robust and important tool for law enforcement,
tracking capabilities, the ability to find a bad person or a
kidnap victim in real time as quickly and as efficiently as
possible. It is a great, great capability, but right now it is
a muddle.
Service providers haven't got a clue what the right legal
standard is, and within the same judicial district, you might
have two magistrates who disagree and issue contrary orders for
the standard upon which to disclose that information. And what
information should be disclosed? How often? How frequently? It
is not uncommon for law enforcement to ask for a phone to be
pinged every 15 minutes.
In a lot of ways service providers' security offices and
their personnel feel like they are the customer service of some
computer organization, having to respond to incessant and
continuous requests. Now, they are important requests, but the
fact is the law does not state how often, how frequently, how
rich, how detailed and to whom that information should be
provided. The service providers simply need the clarity to
understand what to do.
Lastly, I would like to just observe that in ECPA there are
some areas for improvement on transparency. It is difficult to
make policy if one doesn't know how much information is
collected. And from a personal perspective dealing with the
volume of requests every day, this Committee and the public
would do well to have clear numbers before them.
The number of user records requested on a daily basis is
astronomical. We can commend Google, who recently published
through their transparency project, a list of statistics that
show the number of requests that they receive on a regular
basis. Those numbers are dwarfed by the number of requests that
service providers like wireless carriers receive every day.
Just yesterday the administrator of the courts received the
wiretap report, and that annual report tells you the number of
wiretaps conducted each year. For the past year, 2009, the
numbers went up 26 percent. There is some good in those
numbers. The U.S. stacks up pretty well compared to the rest of
the world. If all we had was 2,600 total Federal and state
wiretaps last year, somebody is doing something right and
reviewing them carefully and not overusing them.
Unfortunately, we don't know how many pen registers have
been implemented. We don't know how many location orders are
implemented. And we certainly don't know how many user records
have been asked for, used, and how long those are retained. If
we could do anything to improve ECPA and its transparency, the
collection and publication of that data would go a long way to
helping the Committee make decisions on good, solid policy.
Thank you, and I hope to answer any questions you have.
[The prepared statement of Mr. Gidari follows:]
Prepared Statement of Albert Gidari
__________
Mr. Nadler. Thank you.
And I now recognize Mr. Kerr for 5 minutes.
TESTIMONY OF ORIN S. KERR, PROFESSOR, THE GEORGE WASHINGTON
UNIVERSITY LAW SCHOOL
Mr. Kerr. Chairman Nadler and Members of the Subcommittee,
thank you very much for the invitation to be here today.
I think it might help to start with understanding why we
are here. In traditional criminal investigations, the police do
the work on their own. They walk the beat. They conduct their
own searches. If they see evidence of a crime that they think
they need, they take it. They don't work with providers. They
don't work with anybody else. They make all the decisions on
their own, sometimes pursuant to judicial review by a judge,
but not with the work of any private party.
The opposite is true with new online crimes, crimes
committed using networks, whether it is the Internet, crimes
committed using telephones, or simply a case where there
happens to be evidence that is stored or available over some
sort of a network, whether the Internet or the cell network.
In all those cases, the government is working through the
intermediary of the provider. There is a company, a company
that runs a network that has data, and the real question, and
the question that the Electronic Communications Privacy Act is
designed to address, is what should the rules be when the
government wants data that the network has, or when the network
company, the third-party provider, wants to disclose
information to the government?
Now, that means that in order to understand the issues
raised by ECPA, we need to think about what the data is and
when does the government obtain it. So it may be helpful to
think about two different kinds of data that the communications
providers may have.
One category is content of communication. That is the
actual message that somebody may be sending or receiving over
the network. It might be an e-mail. It might be a text message.
In the case of a phone call, it would be the actual
conversation that two people are having.
And then there is lots of non-content information. The
non-content information is information that the network is
generating and using in order to deliver the communication.
Now, we can understand what kind of content the network might
have, because we as users of the network are aware of that. If
somebody sends you an e-mail, for example, you know that the
e-mail is there.
Non-content information is quite different. The amount of
information that may exist depends on the technology, depends
on the network. It may depend on the company, depends on
business decisions that each company is making as to whether to
keep records, whether to generate certain records. And that
means there are lots of records available, and those records
may vary dramatically, based on the company and based on the
technology. So that is the issue of what the records are that
are out there.
The next thing you need to think about is when is the
government collecting the information. So again, we can think
of two basic categories. The one category would be when the
government comes to the provider and says, ``We are going to
compel you to disclose certain information. We want you to act
on our behalf as our agent, essentially, and provide certain
information.''
Maybe it will be stored content that the government wants.
Maybe it will be stored non-content information that the
government wants, these records. And other times the government
will want a real-time surveillance to occur, sometimes of
content in the case of wiretapping, sometimes in the case of
non-content information, for example, where somebody's cell
phone is located or who somebody is e-mailing. So that is the
case when the government is compelling information.
And then the flipside of that is what if the provider comes
across evidence and wants to disclose it to the government?
Maybe the provider has uncovered child pornography. Maybe the
provider has discovered some evidence of some other crime and
wants to provide that information either to the government or
even to a non-government group. What should those rules be?
That is the question that the Electronic Communications Privacy
Act was designed to address in 1986.
Now, of course, in 2010, technology has changed
dramatically. And I am very glad to hear that the Committee has
planned more hearings, because I think what really we need to
hear from is we need to hear from these providers. We need to
find out what information do they have.
What are their practices? What is the technology? How does
it work? What kind of cell phone location information do
different providers have? How close can they get to finding out
the location of the user of the phone? How long do they keep
their records?
So we need to find out from the providers what are their
practices. And then we also need to find out from the
government how do their investigations work? Those of us that
watch a lot of television know we have seen a lot of Law and
Order, and we know how those investigations work, or at least
how they work on TV.
But mostly we don't know how these new online
investigations work. We haven't seen those investigations. Very
few people have. So we need hearings to talk about not only the
technology, but what are the kinds of cases that the government
is working? How do these cases actually unfold?
And I think it is only after getting that informed sense of
what the technology is and how the investigations actually work
that the Committee can think about what do these rules need to
be like. How do these rules need to change? It has been a
quarter century since ECPA was passed, and it is time to think
about how the technology has changed and how to balance the
security interests and privacy interests, given the technology
of today, not the technology of 1986.
So I am very glad that the Committee is interested in these
issues. Obviously, today's hearing is just the tip of the
iceberg. There is a lot that we can talk about. But I think
starting off by recognizing that this problem exists, both in
terms of the new technologies and these new types of
investigations, is a very important first start, and I am happy
to be here. Thank you.
[The prepared statement of Mr. Kerr follows:]
Prepared Statement of Orin S. Kerr
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Nadler. Well, thank you.
And we will now recognize Ms. Levins for an opening
statement.
TESTIMONY OF ANNMARIE LEVINS, ASSOCIATE GENERAL COUNSEL,
MICROSOFT CORPORATION
Ms. Levins. Thank you, Mr. Chairman.
Mr. Chairman, Members of the Subcommittee, my name is
Annmarie Levins. I am an associate general counsel at
Microsoft. I manage the legal support for Microsoft's U.S. and
Canadian subsidiaries. My team is responsible for contracts
with our customers and partners for anti-piracy and digital
crimes investigations, for Internet safety work and other
areas.
Before joining Microsoft in 1998, I had the privilege of
serving as an Assistant United States Attorney in Seattle for 3
years and before that in the Southern District of New York for
seven. During my 10 years as an AUSA, I worked with many
smart, dedicated law enforcement officers investigating
organized crime, racketeering, narcotics and financial fraud
cases.
Thank you for this opportunity to share Microsoft's views
on the reform of ECPA. Microsoft is in a unique position to
comment on the need for ECPA reform. We have offered Internet-
based services for almost 15 years, dating back to MSN dial-up
Internet service. We have offered Hotmail, our free Web-based
mail service, since 1997.
Today we offer a full array of cloud computing services,
including our hosted suite of Enterprise class e-mail,
relationship management and collaboration tools, and our cloud-
based storage and computing resources called Microsoft Azure.
Our customers range from individuals to small and medium-sized
businesses to some of the largest multi-national corporations
in the world.
From our vantage point, we have seen how the technologies
governed by ECPA have evolved over the years since its
enactment and the tremendous potential these technologies
represent for all of our customers. Today users can store
documents, data and communications to central locations and
access them anywhere in the world on a wide variety of devices,
including laptops, phones and other forms of personal devices.
Increasingly, Web-based accounts are used interchangeably
with local storage devices. As these Internet-based resources
become part of our everyday computing experiences, users may
not even realize that the legal protections afforded their data
and documents are not necessarily the same when they use third-
party storage and processing capabilities in place of their own
computers or networks.
While there has been a fundamental shift in the amount of
sensitive information that we now trust to third parties, the
law has not shifted in parallel to preserve reasonable privacy
interests. Quite simply, the basic technological assumptions
upon which ECPA was based are outdated. The nature of the
protection afforded to stored electronic communications has not
kept pace with the many innovations in online computing over
the last 24 years.
For example, ECPA extends greater privacy protections to e-
mail stored for less than 180 days than e-mail stored for more
than 180 days. This distinction might have made sense in 1986
when e-mail services did not automatically retain messages for
long periods of time, but the distinctions no longer bear any
relationship to reality. Hosted e-mail and other online
services regularly store e-mails and other content for years,
and users today reasonably expect these communications to
remain just as private on day 181 as they were on day 179.
Microsoft believes that now is the time to address these
issues. We are on the verge of a transformative age in Internet
cloud-based computing. Cloud computing services can increase
efficiencies for business and government, lower IT costs,
create energy savings, and spur innovative job-creating
enterprises. They will enable small and medium-size businesses,
individual entrepreneurs and other innovators to tap into
computing resources that previously had only been available to
the largest companies, and at a fraction of the cost.
These capabilities can drive innovation, make America's
businesses more competitive, and ultimately contribute to
economic growth. But unless we are able to preserve and protect
users' privacy interests to meet their reasonable expectations,
adoption of cloud computing services may be limited, and the
full potential of cloud computing may not be realized.
Indeed, in a recent poll conducted for Microsoft, more than
90 percent of the general population and senior business
leaders said they were concerned about security and privacy
when they contemplated storing their own data in the cloud.
This is among the reasons why Microsoft joined the Digital Due
Process coalition in the launch of a new initiative to update
ECPA.
We understand the importance of supporting lawful
investigations and spend significant resources every year to
help make the online environment safer for all users. The
Microsoft Digital Crimes Unit that I oversee was created
specifically to assist law enforcement in pursuing digital
crimes and to provide training to prosecutors and investigators
around the world.
In conclusion, Microsoft believes that the decisions about
the right balance between users' reasonable expectations of
privacy and law enforcement's legitimate interests should be
made by Congress, with input from all key stakeholders, rather
than as a result of unanticipated shifts in technology.
We view the Digital Due Process coalition proposal as a
good starting point for Congress' inquiry. Ultimately, smart,
targeted reforms of ECPA are essential to restore proper
balance between privacy and law enforcement in the digital age
and will help cloud computing fully deliver on its promise.
Thank you for the opportunity to testify today. On behalf
of Microsoft, we appreciate this Committee's leadership in
addressing these important issues, and we look forward to
working with you.
[The prepared statement of Ms. Levins follows:]
Prepared Statement of Annmarie Levins
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Nadler. Thank you.
The witnesses having completed their initial statements, we
will turn to questions. And I will begin by recognizing myself
for 5 minutes.
Mr. Dempsey, are any of the Digital Due Process principles
intended to change a service provider's ability to share
information with law enforcement in an emergency?
Mr. Dempsey. Absolutely not. We make it clear that there
are emergency exceptions in the law right now, which permit
disclosure of information without a warrant, without a
subpoena, in emergency circumstances, and we would leave those
untouched.
Mr. Nadler. Thank you.
Ms. Levins, you indicated in your testimony that ECPA
relies on outdated notions of how individuals and businesses
interact with information technology. I assume among other
things you are talking about--well, we know you are talking
about cloud computing, because you mentioned it specifically.
Can you tell us more about cloud computing and why this
technology is ``transformative?'' And what benefits does it
offer to society? And how do we support such technological
progress as we attempt to balance the interests of privacy and
law enforcement? All in about 5 minutes.
Ms. Levins. Thank you, Mr. Chairman. I would be happy to
address that.
Cloud computing is important, because it opens the door for
everyone to use the most powerful computer capabilities there
are. It used to be that you couldn't afford to buy that kind of
computing capability and storage unless you were a big company,
but now you can use your desktop, your laptop, and use storage
facilities that are maintained by a third party to do that kind
of computing and storage that was previously unavailable on
your home network.
Mr. Nadler. Storage or storage and computing capacity?
Ms. Levins. Both.
Mr. Nadler. Both.
Ms. Levins. Both.
So that is the first part. I mean, and I think that that
opens doors to all kinds of businesses to expand the way they
do business in ways that weren't even thinkable when ECPA was
passed in 1986.
Mr. Nadler. And what do you think the implications for the
development of cloud computing are if government access to e-
mail content stored in the cloud continues to be subject to a
legal standard different from that applied to other forms of
data storage?
Ms. Levins. And I think that is a critical question,
because what we found and what our poll showed is that people
are very concerned that by putting data in the cloud, are they
going to have the same level of privacy and security that they
would have if they maintained it within their own four walls of
their company or home. I think that they will be reluctant to
move to the cloud and take advantage of this opportunity, if
they aren't assured of what the standard of that privacy is and
it doesn't meet their reasonable expectations.
Mr. Nadler. So we have to make sure that there is a
standard of privacy equal to what they would be on your own
personal hard drive, or just a certainty of letting people know
at some other level?
Ms. Levins. Well, certainty is important, but I think in
fact if you are talking about content, people expect that what
they would have on their hard drive, in their personal hard
drive, should be protected in the same way. Put the other way,
the information in the cloud should be protected in the same
way that their----
Mr. Nadler. And to the same legal standard.
Ms. Levins [continuing]. Hard drive would. And that is
particularly true, I think, of corporations, I would guess.
Mr. Nadler. Now, but the importance of maintaining privacy
in the cloud is what you just said, but we have to maintain
security in the cloud, too. How do you balance them?
Ms. Levins. Well, I don't think they are inconsistent. And
Microsoft, for example, has taken lots of steps to make sure
that we have the best security that we can, and we are
constantly working toward meeting the highest standards that
are recognized in the industry.
We think one of the most important things that could happen
in this area is to have greater transparency about the security
practices that companies offering cloud services are adopting
and using. So it goes hand-in-hand with privacy. Users want to
know that their information is safe, and they want to know that
it is being secured and their privacy is being secured.
Mr. Nadler. Thank you.
Professor Gidari--Mr. Gidari--you indicated in your
testimony with respect to location-based information that there
has been a magistrate's revolt for several years. Can you
describe what you mean by this phrase and in what ways, if any,
it has been fomented by the government's interpretation of
ECPA?
Mr. Gidari. Yes, Mr. Chairman.
Over the last 3 or 4 years, a number of magistrates have
objected to automatically approving, as part of pen register
orders, requests to disclose the location of a cell phone in
real time prospectively on an ongoing basis. They objected to
using the pen register standard alone or in combination with
what is known as a specific and articulable facts order, or as
the government calls it, a hybrid order, to authorize that
disclosure.
Other magistrates disagree and believe that the standard is
acceptable. But about three to one ratio, these magistrates
have believed that a probable cause standard is necessary to
track and follow an individual.
And that mini revolt, if you will, has resulted in very
inconsistent standards within judicial districts, as a
magistrate sitting next to another magistrate could completely
disagree, and have disagreed, issuing orders that have
different standards. So one person might be tracked according
to one standard, another one to a higher standard. And then
within the states themselves, the ECPA, of course, that is the
floor.
Mr. Nadler. But you would get that in any event. Even if we
wrote a standard in law, a more specific standard, you would
get judges disagreeing with that, and until it went up to the
circuit or Supreme Court, you would have judges sitting next to
each other issuing different decisions, no?
Mr. Gidari. You certainly would, from a service provider's
perspective. Which rule applies? Which order should pertain?
What responsibilities do they have to their users to object to
that order? The rules for location information today just
simply don't state under----
Mr. Nadler. They should state it more specifically.
Mr. Gidari. Absolutely.
Mr. Nadler. Mr. Dempsey, you look like you wanted to
comment on that.
Mr. Dempsey. I am just saying that right now you sort of
have an open field, a green field--sort of no guidance at all.
Mr. Nadler. So we need statutory guidance.
Mr. Dempsey. The statute would--we would try to make it as
specific as possible and precise as possible, but at least it
would provide some context within which the courts would
operate.
Mr. Nadler. Okay. Thank you.
My final question is to Professor Kerr. In some of your
recent scholarship in applying the Fourth Amendment to the
Internet, you talk about replacing the inside-outside
distinction common to Fourth Amendment jurisprudence with the
content-noncontent distinction.
Can you tell us what this means and how you believe it
extends consistent application of the Fourth Amendment
principle to cyberspace? And is the analogy perfect, or does it
give rise to any notable exceptions we should be aware of?
Mr. Kerr. The basic idea here is when courts are
considering how to apply the Fourth Amendment, which was
created for a physical space, to a network environment, they
should think about how to create a set of rules that tries to
replicate how the Fourth Amendment applies in the physical
world to this network space. And the basic idea is that the
contents of some of these communications, these actual
messages, are the online equivalent of stuff that would happen
inside and would be protected by the Fourth Amendment in the
physical world.
On the other hand, the non-content information that a
network creates is essentially the online equivalent to
transactional information that would have occurred outside in
the physical world. Now, if you follow that idea, the basic
idea is that networks are doing for us what we used to do in
the physical world. Basically, the network is coming to us
instead of us having to go out into the world. And the idea is
it creates a rough parallel between how the Fourth Amendment
should apply in the physical world and how the Fourth Amendment
should apply in the Internet.
Now, of course, it is just a Law Review article. We don't
know whether courts are ever going to follow this. And in fact,
there is a Supreme Court case right now, Quon versus City of
Ontario, in which the Supreme Court is trying to figure out for
the first time how does the Fourth Amendment apply to text
messages. I went to the oral argument, and the justices were as
puzzled about this question as anyone could be.
So we are just trying to figure out these issues, and the
idea that content-noncontent distinction is just an initial
first start to try to figure out how the Fourth Amendment
should apply, and by analogy, how the statute could be drafted
to recognize the stronger protection for content and for
noncontent.
Mr. Nadler. Thank you very much.
My time has expired. I will now recognize the distinguished
gentleman from North Carolina.
Mr. Watt. Thank you, Mr. Chairman.
I think I will acknowledge at the outset how ill prepared
technologically I feel to engage in this discussion, and ill
prepared, yes. I feel like a Neanderthal in this area. So let
me--I want to ask a couple of questions that--and then I just
want somebody to give me some examples of the kinds of things
that are going out there that we should be worried about, given
the failure to update the statute. But let me talk about
process first.
Mr. Dempsey, you talked in your testimony about a long
period of dialogue and consensus building being needed.
Mr. Gidari, you seemed to suggest, although not explicitly,
that clarity was more important than substance of where you get
to, so I am trying to figure out how long we should be working
on this before we get to some kind of legislative solution. Is
clarity of a rule more important than getting the rule right,
the new standard right?
What kind of time are you talking about for dialogue and
consensus building, Mr. Dempsey, and does that fit with your
urgency for clarity, even if the clear standard is the wrong
standard?
Mr. Dempsey. Well, honestly, I think, you know, my own
timeframe is if a year from now we could be here with that
piece of legislation that would be, you know, a markup or
something a year from now would be a good target. But I think
it is going to take a while. We are not pushing, as I said, for
introduction of legislation immediately.
I think we do have, and as we go through this process here,
we do have some touchstones, and we can think about some of the
analogies. They only take you so far, but they help. Take what
we are talking about in terms of cloud computing. If you have a
document on your computer in your office, or if you have that
document printed out, that is protected by the Fourth
Amendment--a person's house, his papers and effects. I think
nobody has any doubt that ``papers'' includes your laptop.
If, however, as now--and by the way, if you----
Mr. Watt. Wait a minute, now. You are going to take my
whole 5 minutes talking about something that I am trying to
find--you say a year from now, and I--let me give----
Mr. Dempsey. Okay, but I do want to come back to the
question here of what are the guideposts we have that get us
both the clarity and the substance.
Mr. Watt. I am just talking about the timeframe now. I am
not even talking about what the content is. Is a year from now
too long from a clarity perspective, Mr. Gidari?
Mr. Gidari. I think lawyers will find ambiguity in a No
Smoking sign for the rest of our lives, but if that is the
case, fix it, fix it right. If it takes a little longer to do
that, we would rather have it right than wrong. But that
doesn't mean they are inconsistent.
Mr. Watt. So the real question I am trying to get to is
what risk do we run in this interim? And that is where I get to
the second part of the question. I mean, what are the horror
stories that are going on out there? I mean, give me a couple
of concrete horror stories that are going on in this interim
while we are trying to either build consensus or get the
standard right.
Mr. Dempsey. Well, here is one example. Every one of us
probably has 5, 6, maybe 10 years worth of e-mail stored,
either stored on our local computer or often stored with a
service provider like MSN or Gmail or another provider.
Mr. Watt. That is somewhere in a cloud stored.
Mr. Dempsey. That data is stored on a remote----
Mr. Watt. Which I had never heard of until today, but that
is all right.
Mr. Dempsey. We are talking here just about, you know, when
people used to draw a picture with a computer over here and a
computer over here and then a cloud in the middle, that
Internet server is in the cloud.
Mr. Watt. I get the concept.
Mr. Dempsey. And that is where a lot of our data is going.
The way ECPA now works, it says that that e-mail 180 days
old or less is protected by the Fourth Amendment warrant
standard. The minute it turns 180 days old, it is available
with a mere subpoena issued without judicial approval.
The Justice Department takes the position that the minute
that e-mail is opened at all--in fact, from the sender's
perspective, the minute it is sent, it loses its warrant
protection. Fully protected passing over the wire, the minute
it reaches--you finish sending it or the minute the user, the
intended recipient, opens it and looks at it, it falls outside
of the protection of the warrant.
Same document, if you print it out, leave it on your desk,
protected. Same document, you put it in a box and you lock it
in one of those storage lockers out in the suburbs, protected
by the Fourth Amendment. But locked up in the cloud, not
protected by that requirement.
In the Ninth Circuit, the Ninth Circuit has rejected the
Justice Department view and has said that a warrant is
required. So what happens now is if the warrant is subject to
the jurisdiction or the subpoena is subject to the jurisdiction
of the Ninth Circuit, it is rejected, and a warrant is
required. If it is outside of that, it is a little unclear.
In Colorado a month ago the Justice Department sought e-
mail without a warrant. Yahoo said, ``No, go get a warrant,
even though we are outside of the Ninth Circuit.'' The Justice
Department backed down, said okay, withdrew the request.
That is the kind of uncertainty you are getting. And there
is overarching it all the possibility that these cases will
percolate up through the courts and that the statute will be
held unconstitutional, if the Justice Department pushes its
position.
Mr. Watt. Because it is too vague?
Mr. Dempsey. No, because the warrant is not. Where the
statute currently permits access without a warrant, if
Professor Kerr is right that a warrant is required, that
content is like a letter, it is like a phone call, it should be
protected, so you do run that constitutional risk.
I still agree with Mr. Gidari and my initial statement
that, you know, we have lived with that ambiguity now for 5, 10
years. I just don't see how we are going to push this forward.
Given the law of unintended consequences, we want to make sure
we don't screw things up worse.
Mr. Watt. Thank you.
I am way over my time, so I will yield back.
Mr. Nadler. In that case, we will recognize the gentleman
from Virginia for 5 minutes.
Mr. Scott. Thank you, Mr. Chairman.
Mr. Dempsey, it seems to me that a person doesn't think any
different about an e-mail as saved in the cloud as on the
computer. Why would the e-mail in the cloud be any different
than the e-mail stored in that storage bin in the suburbs that
you talked about?
Mr. Dempsey. I don't think it should, and the conclusion
that we came to in our preliminary dialogue is that it
shouldn't.
If you go back to 1986, I think what you end up with is
this was a distinction based upon the way the technology worked
in 1986. Storage was expensive, and service providers did not
store e-mail. If you go back to the early days of AOL, you read
that, you downloaded it, it was deleted from the computer of
the service provider.
Congress thought 180 days would be the absolute conceivable
outside limit, and after that it was sort of like abandoned
property or a----
Mr. Scott. Well, once it gets into the cloud, can anybody
get access to it?
Mr. Dempsey. The----
Mr. Scott. I mean, beside--I mean, could I look into
Representative Watt's cloud?
Mr. Dempsey. No, no, no, no. It really is--the cloud
actually is potentially more secure in some ways than local
storage. You have the service providers of cloud storage
capabilities making a lot of effort to secure that information.
Mr. Scott. So this is being kept in a place that is secure
from anybody else, and it is just I am the only one that can
access my part of this cloud.
Mr. Dempsey. You or the person to whom you give consent.
Mr. Scott. And so I have an expectation that this is
private information.
Mr. Dempsey. That is certainly the way the average person
looks at it. That is one of these changes that has occurred,
the technology changes that have occurred in the past 10 years
that we are talking about.
Mr. Scott. Ms. Levins, when Microsoft has to respond to a
lot of warrants and subpoenas, it costs money. Does the
government incur any of the expense, or they just let you worry
about it?
Ms. Levins. Congressman Scott, that is not my area of
expertise. I would have to get back to you with that
information. I know my colleagues do know that. I don't have
that with me.
Mr. Scott. Does anybody know who--what----
Mr. Gidari. The statute authorizes reimbursement for non-
toll records, so phone companies give them away for free in
large amounts, but electronic communication service providers
are entitled to charge for them. Not all of them do. Many
provide that service to law enforcement for free. Others charge
a reasonable cost.
Mr. Scott. But some information can be obtained fairly
easily. Some takes a little complication where you have to
program the computer and pay expenses to get the information,
and some of it, I imagine, gets kind of expensive after a
while.
Mr. Gidari. That is right.
Mr. Scott. And you can charge for that expense?
Mr. Gidari. That is correct.
Mr. Scott. Does anybody have any concern, if we keep
talking about how government does all this surveillance, that
we might publicize their techniques and compromise
investigations?
Mr. Dempsey. I have always thought that we could have the
discussion without compromising techniques. I think we can talk
at the level of specificity necessary to draft a clear statute,
incorporate the Fourth Amendment principles, and do that in a
way that doesn't get into the technology at all. In fact,
technology neutrality, I think, is one of the principles that
we are trying to achieve here.
Mr. Scott. Okay.
And with the pinging the cell phone, can anybody ping
somebody else's cell phone, or is that just something the
company can do?
Mr. Gidari. Something only the company can do.
Mr. Scott. And I think there is an expectation that you are
not being followed, because the company isn't supposed to be
following you around, and the only way the government can do it
is--what does the government need to order the company to find
out where you are?
Mr. Gidari. Depends on which magistrate you visit, but at
least a pen register order and a specific and articulable facts
order combined, but in many jurisdictions, a probable cause
order--a probable cause warrant issued under Rule 41.
Mr. Scott. But for a government request, I should have an
expectation that I am not being pinged and shown up on
somebody's computer screen. Is that a reasonable expectation,
or, you know, should----
Mr. Gidari. It is more than a reasonable expectation.
Mr. Dempsey. And that is the way I think that carriers have
designed their services. A number of carriers offer services
whereby parents, for example, can--who are the subscribers to
the service--can find out, for example, where their children
are. But that is the case of the subscriber controlling their
account.
There are a variety of services now being offered where I
can share my location with my friends. The companies who have
designed those services have been very, very careful to design
them in a way so that the user has control. To override that
user control, the company has to be involved. The company has
to be compelled to do something.
And some of those services offer very, very precise
location capability, in a sense almost pinpointing a person on
a map. A number of those companies have said that they will
insist upon a warrant for disclosure of that information, and I
think they have strong constitutional argument for that. But
the statute, as we have said, it is completely unclear.
Mr. Nadler. Thank you.
I now recognize the gentleman from Georgia.
Mr. Johnson. Thank you, Mr. Chairman.
If I were someone's wife, and I was out on the town running
around with all kinds of males and females and engaged in doing
my own thing pretty much, and I am wanting to keep all of that
secret, I am certain that no one on the panel would want the
husband of--or they would not want my husband to be able to go
to the phone company and say, ``Look, I need to find out where
my wife is, because I am going to kill her when I find her.''
None of you all would want that to happen, would you?
And so no one is saying anything, so I assume----
Mr. Dempsey. No.
Mr. Johnson. Okay. All right.
And now, what if I were a law enforcement officer--the
husband. Or what if my husband was a law enforcement officer?
Is there any--and only thing this law enforcement officer did
was to go get a subpoena, which he carries around blank
subpoenas, and comes to a cell phone provider and says, ``Look,
I am conducting an investigation, and you must provide this
information to me.'' Should that law enforcement officer, or
any other law enforcement officer, be able to obtain that
information, the whereabouts of his wife?
Mr. Gidari. They would be shown the door with that request,
the door to the courthouse, where they would have to ask a
judge to approve an order to get it.
Mr. Johnson. But that may be true at your cell phone
company, but it is not necessarily compelled by law that the
cell phone company refrain from producing those documents. Is
that correct?
Mr. Dempsey. Congressman, there is actually an interesting
case that has emerged in the 11th Circuit recently, which dealt
not with the location information, but instead with some e-
mails.
And the case clearly involved a certain amount of
favoritism on the part of the prosecutor and the sheriff in
that area, who at least allegedly were doing a favor for a
friend in defending that friend against some civil litigation
or some civil controversy, issued a subpoena, like you say,
served the subpoena on the service provider, and the service
provider did turn over that e-mail.
The case has gone up to the 11th Circuit, and
unfortunately, this is one of the cases that I think went in
the wrong direction. Professor Kerr has also written about it,
criticizing the decision in this case, but the 11th Circuit
held that there was zero constitutional privacy interest in
that e-mail and that the sheriff and the prosecutor, in essence
acting off on their own, had not violated anybody's rights.
Mr. Johnson. So, and the reason why it was not private is
because it was in the cloud somewhere?
Mr. Dempsey. Yes, there was this notion that they had,
which we think is wrong, that privacy was lost because of the
use of that technology.
Mr. Johnson. Yes.
Is there anybody who would agree with the 11th Circuit
decision in that case that is sitting on this panel?
Yes, okay. All right. Well, you know, I have been sitting
here all day trying to find something that someone on the panel
would say that would incite me to issue forth with tough
questions, but you all have deprived me of that option, and I
am pretty much, I guess, singing to the choir when I say that I
would hate to see either with content or with noncontent
information requested by law enforcement, to use your analogy,
Mr. Kerr--or not your analogy, but your terminology, I would
hate to see a company turned into an agent for law enforcement
at the expense of their customer.
To me the issues that we confront are easily dealt with by
legislatively extending the Fourth Amendment. And I do believe
that there is an inherent right to privacy, which is implied in
really the first nine amendments, but certainly the Fourth
Amendment. All we have to do is just extend it to these new
areas that have come to the fore since we have been embarked on
this pursuit of intellectual supremacy, if you will.
This is just human nature, but if we stick with the ideals
of the founding fathers, particularly with respect to the
Fourth Amendment, I think that our job should be easy.
And I guess there could be an argument that we just leave
each case up to the courts to flesh out and ultimately to
the U.S. Supreme Court, but I am afraid that we would--I am
afraid to leave it up to the U.S. Supreme Court when we can put
those things into legislation, which clears up the ambiguities
that may arise.
So I think this is a very important hearing. It bears upon
the individual rights that we in this country oftentimes take
for granted, but they are what made America what it is. So
thank you very much.
And I notice that the Chairman is now thinking about--
thinking pensively as we proceed.
Mr. Nadler. And you yield back?
Mr. Johnson. At this time, yes.
Mr. Nadler. Then I will recognize the gentlelady from
California.
Ms. Chu. So, Mr. Dempsey, I would like to ask a question
about the fate of an e-mail that I would send out, but under
different circumstances with regard to privacy and the Fourth
Amendment.
Let us just say I e-mail a friend, Sarah, and what would
happen to the fate of that e-mail if she has read it versus
hasn't read it or with regard to if 8 months have passed versus
tomorrow, whether it is on a Gmail account or whether it is on
her hard drive? Or what if I took the content of that
information and put it in a letter and just mailed it?
Mr. Dempsey. In the Appendix A to my testimony, I talk
about this example, and if I was better at graphics, I would
have tried to do a chart that showed this, because it really
does almost take a matrix to explain this.
While the e-mail is in transit, moving over the wires, so
to speak, or moving through the network, it can be intercepted
only with a warrant, a wiretap order issued under the Wiretap
Act.
Once it reaches the inbox, so to speak, the computer of the
service provider of Sarah, the intended recipient, it comes
under the Stored Communications Act and at least until she
opens it, that e-mail sitting in her e-mail box is protected
again by the warrant requirement.
After she reads it, under my reading of ECPA, for 180 days
it remains protected by the warrant requirement. After 180
days, on day 181, it loses the warrant protection. So you go
from warrant to non-warrant.
An interesting example is if you are using Gmail, by the
way, and you--or any other remote Web-based e-mail service--and
you draft your e-mail and don't send it, because you haven't
finished it, you are going to come back the next and finish it
and send it, while that e-mail is sitting on the server of
Google, it is available regardless of age.
It is available with a mere subpoena. It is not protected
by the warrant at all, because Google is at that time acting as
a provider of remote computing services, not as a provider of
electronic communication services. They are storing the e-mail.
Once 180 days passes, then Google again reverts to its
status as a remote computing service. It is available with the
subpoena. The Justice Department argues that the copy of the e-
mail that you might store, since you store all your outgoing e-
mail, if it is stored in the cloud, loses its protection as
soon as you send it, because it is no longer in transit in
temporary storage incident to transmission. It is sort of your
copy.
Now if you had printed out a copy and kept a copy in your
office, that is protected by the Fourth Amendment. If you have
a copy on your desktop or laptop, that is protected by the
Fourth Amendment. But the copy that is stored in your account,
according to the Justice Department, from the minute you push
``send,'' that is not protected by the warrant.
Mr. Nadler. Will the gentlelady yield for a moment?
Ms. Chu. Yes.
Mr. Nadler. And the Justice Department in effect is saying
that because you pressed the ``send'' button, the Fourth
Amendment doesn't apply, because it is no longer your papers?
Mr. Dempsey. It applies only--I think everybody would admit
that it applies to the e-mail in transit.
Mr. Nadler. But why doesn't it apply continuing?
Mr. Dempsey. They argue, I think, that it is--it is hard to
articulate their theory. It is a stored record, in their
opinion, that has been entrusted to a third-party in such a way
that you have surrendered your privacy interest in it.
Now, I think the correct analogy is the storage locker
analogy, in which a warrant is required to go into the storage
locker. There are cases having--they analogize it to something
like a check, a cancelled check which goes to the bank.
Mr. Nadler. That is even more strange, when they say that
it is not protected by the Fourth Amendment before you finished
it.
Mr. Dempsey. If you store it with some--if you leave it on
some remote server.
Mr. Nadler. I thank the gentlelady for yielding.
Ms. Chu. And so if you have it on the hard drive, it is
protected, but if it is in the cloud, it is not protected. And
if it is a letter, I am presuming you are saying it is
protected.
Mr. Dempsey. The letter is interesting, because the letter
is protected, of course, in the hands of the post office. This
goes back to 1877, when the Supreme Court ruled that the Fourth
Amendment does protect the letter moving through the mail
system. The copy of the letter that I retained is protected.
The copy of the letter that the recipient has is protected vis-
a-vis the recipient. They can always voluntarily turn it over,
but to force them to disclose it would require a warrant or
subpoena served directly on them.
So you have got this crazy quilt that the average
individual has absolutely no idea about. And increasingly, the
services are being designed in a way to make all this
completely seamless and completely non-apparent to the user.
So we have these increasingly powerful BlackBerrys and
handheld mobile Internet devices. We are constantly accessing
information remotely. Sometimes it is on the device. Sometimes
it isn't. Increasingly, it becomes even less clear where it is.
And it is time to dispense with these technology-based,
platform-based rules by which people do not lead their lives,
people do not base their lives on these distinctions from 1986.
Ms. Chu. Thank you.
I yield back.
Mr. Nadler. I thank the members of the panel, unless any
member of the panel wants to say anything else.
In which case without objection, all Members will have 5
legislative days to submit to the Chair additional written
questions for the witnesses, which we will forward and ask the
witnesses to respond as promptly as they can so that their
answers may be made part of the record. Without objection, all
Members will have 5 legislative days to submit any additional
materials for inclusion in the record.
Mr. Dempsey, you wanted to make a statement.
Mr. Dempsey. Yes, Mr. Chairman. Sorry, I did have one
thing. I have a very good memo that was prepared by Becky Burr
at the WilmerHale law firm, talking about some of these issues,
and I would like to, with your permission, enter this into the
record of the hearing as well.
Mr. Nadler. Well, if you will give it to us, without
objection, it will certainly be entered into the record, and I
thank you.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Nadler. With that, I thank the witnesses. And the
hearing is adjourned.
[Whereupon, at 4:06 p.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]