[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
                   ECPA REFORM AND THE REVOLUTION IN 
                            CLOUD COMPUTING

=======================================================================

                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON THE CONSTITUTION, 
                   CIVIL RIGHTS, AND CIVIL LIBERTIES

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 23, 2010

                               __________

                           Serial No. 111-149

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
58-409                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  

                       COMMITTEE ON THE JUDICIARY

                 JOHN CONYERS, Jr., Michigan, Chairman
HOWARD L. BERMAN, California         LAMAR SMITH, Texas
RICK BOUCHER, Virginia               F. JAMES SENSENBRENNER, Jr., 
JERROLD NADLER, New York                 Wisconsin
ROBERT C. ``BOBBY'' SCOTT, Virginia  HOWARD COBLE, North Carolina
MELVIN L. WATT, North Carolina       ELTON GALLEGLY, California
ZOE LOFGREN, California              BOB GOODLATTE, Virginia
SHEILA JACKSON LEE, Texas            DANIEL E. LUNGREN, California
MAXINE WATERS, California            DARRELL E. ISSA, California
WILLIAM D. DELAHUNT, Massachusetts   J. RANDY FORBES, Virginia
STEVE COHEN, Tennessee               STEVE KING, Iowa
HENRY C. ``HANK'' JOHNSON, Jr.,      TRENT FRANKS, Arizona
  Georgia                            LOUIE GOHMERT, Texas
PEDRO PIERLUISI, Puerto Rico         JIM JORDAN, Ohio
MIKE QUIGLEY, Illinois               TED POE, Texas
JUDY CHU, California                 JASON CHAFFETZ, Utah
TED DEUTCH, Florida                  TOM ROONEY, Florida
LUIS V. GUTIERREZ, Illinois          GREGG HARPER, Mississippi
TAMMY BALDWIN, Wisconsin
CHARLES A. GONZALEZ, Texas
ANTHONY D. WEINER, New York
ADAM B. SCHIFF, California
LINDA T. SANCHEZ, California
DANIEL MAFFEI, New York
JARED POLIS, Colorado

       Perry Apelbaum, Majority Staff Director and Chief Counsel
      Sean McLaughlin, Minority Chief of Staff and General Counsel
                                 ------                                

  Subcommittee on the Constitution, Civil Rights, and Civil Liberties

                   JERROLD NADLER, New York, Chairman

MELVIN L. WATT, North Carolina       F. JAMES SENSENBRENNER, Jr., 
ROBERT C. ``BOBBY'' SCOTT, Virginia  Wisconsin
WILLIAM D. DELAHUNT, Massachusetts   TOM ROONEY, Florida
HENRY C. ``HANK'' JOHNSON, Jr.,      STEVE KING, Iowa
  Georgia                            TRENT FRANKS, Arizona
TAMMY BALDWIN, Wisconsin             LOUIE GOHMERT, Texas
JOHN CONYERS, Jr., Michigan          JIM JORDAN, Ohio
STEVE COHEN, Tennessee
SHEILA JACKSON LEE, Texas
JUDY CHU, California

                     David Lachmann, Chief of Staff

                    Paul B. Taylor, Minority Counsel


                            C O N T E N T S

                              ----------                              

                           SEPTEMBER 23, 2010

                                                                   Page

                           OPENING STATEMENTS

The Honorable Jerrold Nadler, a Representative in Congress from 
  the State of New York, and Chairman, Subcommittee on the 
  Constitution, Civil Rights, and Civil Liberties................     1
The Honorable Trent Franks, a Representative in Congress from the 
  State of Arizona, and Member, Subcommittee on the Constitution, 
  Civil Rights, and Civil Liberties..............................     3
The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, Chairman, Committee on the 
  Judiciary, and Member, Subcommittee on the Constitution, Civil 
  Rights, and Civil Liberties....................................     4

                               WITNESSES

Mr. Edward W. Felten, Director, Center for Information Technology 
  Policy, Princeton University
  Oral Testimony.................................................    10
  Prepared Statement.............................................    12
Mr. Richard Salgado, Senior Counsel, Law Enforcement and 
  Information Security, Google, Inc.
  Oral Testimony.................................................    17
  Prepared Statement.............................................    19
Mr. Mike Hintze, Associate General Counsel, Microsoft Corporation
  Oral Testimony.................................................    24
  Prepared Statement.............................................    26
Mr. David Schellhase, Executive Vice President and General 
  Counsel, Salesforce.Com
  Oral Testimony.................................................    39
  Prepared Statement.............................................    41
Mr. Perry Robinson, Associate General Counsel, Rackspace Hosting
  Oral Testimony.................................................    55
  Prepared Statement.............................................    57
Mr. Paul Misener, Vice President for Global Public Policy, 
  Amazon.Com
  Oral Testimony.................................................    64
  Prepared Statement.............................................    66
Mr. Kevin Werbach, Professor, The Wharton School, University of 
  Pennsylvania
  Oral Testimony.................................................    78
  Prepared Statement.............................................    80
Mr. Fred H. Cate, Professor, Director, Center for Applied 
  Cybersecurity Research, Indiana University
  Oral Testimony.................................................    91
  Prepared Statement.............................................    93
Mr. Thomas B. Hurbanek, Senior Investigator, Computer Crime Unit, 
  New YorK State Police
  Oral Testimony.................................................   101
  Prepared Statement.............................................   104
Mr. Kurt F. Schmid, Executive Director, Chicago High Intensity 
  Drug Trafficking Area Program
  Oral Testimony.................................................   109
  Prepared Statement.............................................   112
Mr. Marc J. Zwillinger, Zwillinger Genetski, LLP
  Oral Testimony.................................................   118
  Prepared Statement.............................................   121

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Prepared Statement of the Honorable John Conyers, Jr., a 
  Representative in Congress from the State of Michigan, 
  Chairman, Committee on the Judiciary, and Member, Subcommittee 
  on the Constitution, Civil Rights, and Civil Liberties.........     6

                                APPENDIX
               Material Submitted for the Hearing Record

Prepared Statement of the Honorable Henry C. ``Hank'' Johnson, 
  Jr., a Representative in Congress from the State of Georgia, 
  and Member, Subcommittee on the Constitution, Civil Rights, and 
  Civil Liberties................................................   137
Response to Post-Hearing Questions from Richard Salgado, Senior 
  Counsel, Law Enforcement and Information Security, Google, Inc.   139
Response to Post-Hearing Questions from Mike Hintze, Associate 
  General Counsel, Microsoft Corporation.........................   143
Letter from the Federal Law Enforcement Officers Association.....   147
Prepared Statement of the Competitive Enterprise Institute (CEI), 
  The Progress & Freedom Foundation, Citizens Against Government 
  Waste, Americans for Tax Reform, and the Center for Financial 
  Privacy and Human Rights.......................................   150


           ECPA REFORM AND THE REVOLUTION IN CLOUD COMPUTING

                              ----------                              


                      THURSDAY, SEPTEMBER 23, 2010

              House of Representatives,    
              Subcommittee on the Constitution,    
                 Civil Rights, and Civil Liberties,
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 11:08 a.m., in 
room 2141, Rayburn House Office Building, the Honorable Jerrold 
Nadler (Chairman of the Subcommittee) presiding.
    Present: Representatives Nadler, Conyers, Watt, Johnson, 
and Franks.
    Staff present: (Majority) David Lachmann, Subcommittee 
Chief of Staff; Stephanie Pell, Counsel; and Art Radford Baker, 
Minority Counsel.
    Mr. Nadler. This hearing of the Subcommittee on the 
Constitution, Civil Rights, and Civil Liberties will come to 
order. To begin with I will recognize myself for an opening 
statement.
    Today's hearing is the third in which this Subcommittee 
will consider the statutory framework Congress established in 
the 1986 Electronic Communications Privacy Act, ECPA, in light 
of the enormous technological advances in electronic 
communications in the 24 years since ECPA's passage. At the 
last hearing we learned about advancements in cellular 
location-based technologies and related services and how such 
technologies, while enriching our lives, could provide law 
enforcement with more precise, and to many of us more 
sensitive, information about where we may be located at any 
given time.
    Today we will continue our examination of whether ECPA 
still strikes the right balance among the interests and needs 
of law enforcement, industry, and the privacy interests of the 
American people by discussing a new technology commonly 
referred to as cloud computing. It is important that the law 
sustain the public's confidence in the security and privacy of 
their communications and information. That confidence is 
absolutely essential to fostering the emerging market for cloud 
computing services and the rapid innovation that is fundamental 
to that market's health.
    This Subcommittee's exploration of where the appropriate 
balance may lie with respect to the content and associated 
transactional information of electronic communications and data 
stored by certain third party providers must begin with a 
lesson about cloud computing technologies and capabilities. 
When ECPA was passed back in 1986 few of us used e-mail or 
imagined a world where we could securely share information and 
edit electronic documents online with our colleagues or where, 
again online, a business could input, store, process, and 
access all data necessary for the management of its business 
processes, from sales to customer service.
    That world is here and it promises tremendous efficiencies 
for government, private industry, and individuals. It is an 
exciting technological advance and we must ensure that the law 
keeps pace in a manner that protects this market, protects the 
rights of consumers and the government's law enforcement 
responsibilities.
    We are fortunate to have two distinguished panels of 
witnesses who bring a great deal of expertise to both the legal 
and technological issues before us, including witnesses who 
represent five major U.S. cloud computing companies.
    I should mention at this point that--and if I am wrong 
someone will correct me, I am sure, at some point today--cloud 
computing simply means--or the cloud simply means where the 
data is stored on a third party's server--not in your home, but 
on somebody else's server, so it is not given as much privacy 
protection under current law as if it were on your own computer 
at home.
    Along with other experts our witnesses today will educate 
us about what is happening in the cloud today and discuss the 
type of laws and rules that industry needs to promote the 
continuing innovation and growing efficiency that cloud 
computing affords to individuals and businesses of all types 
and sizes. This initial educational effort is, in my view, not 
only warranted but essential before we undertake any effort at 
amending or otherwise reforming ECPA.
    In many respects, at least for the moment, the testimony we 
hear and discussions we have today may raise more questions 
than they answer. Since we are to hear about technologies, both 
existing and perhaps yet to come, that are revolutionary--
certainly by 1986 standards--I want to acknowledge that our 
task will be a challenge to find the appropriate balance 
between privacy and law enforcement interests, to protect the 
public while preserving consumer privacy and confidence, to 
support rapid technological innovation and growth yet discern 
standards for law enforcement access that will not become 
outdated with each new generation of technology, which is to 
say every 6 months or so.
    Just as it would not have been possible for Congress to 
anticipate the exciting technologies we will be discussing 
today it is more than likely that in the years to come new 
technologies will present us with equally vexing legal 
questions. We must learn to take advantage of these emerging 
technologies without ushering in a new privacy-free 
civilization, to boldly go toward the creation of a new 
productive balance among the interests of law enforcement, 
personal privacy, and industry that no legislation has quite 
stricken before.
    This Subcommittee needs the assistance and input of all 
stakeholders--law enforcement, private industry, and civil 
liberties groups alike--to get this balance right, hopefully 
for at least another generation. I look forward to the 
testimony of our witnesses today and to working with all 
stakeholders on this very timely mission.
    I yield back the balance of my time and I now represent the 
distinguished--I now recognize, rather, the distinguished 
gentleman from Arizona.
    Mr. Franks. Well, thank you, Mr. Chairman.
    Thank all of you for being here.
    And we are grateful that you are holding this hearing 
examining the need to update the Electronic Communications 
Privacy Act of 1986, or ECPA, as it relates to cloud computing. 
This is the third in a series of hearings to examine ECPA and 
possible ECPA reforms. I can say, if there is one thing I hope 
or believe we can all agree upon it is that we don't have a 
precise definition of cloud computing, and as someone said, 
there is an old quote that said, ``The secret to the universe 
is in the true naming of things.'' It often means different 
things to different people.
    Today we will hopefully learn exactly what the cloud is and 
have a better understanding of how, if at all, ECPA falls short 
of addressing this new technology. Some proponents of ECPA 
reform propose requiring a search warrant for communications in 
the cloud, regardless of the age of those communications, how 
they are stored, or how they are accessed. This would be a 
fairly significant departure from current law.
    The information possessed by law enforcement in the very 
early stages of an investigation does not always have to lend 
itself to establishing probable cause for the purposes of 
obtaining a search warrant. A blanket warrant requirement for 
communications in the cloud, regardless of how or where they 
are stored, could potentially deprive law enforcement officials 
of essential building blocks for criminal investigations and 
may actually deprive them of their ability to establish 
probable cause for wire taps, physical searches, or arrests.
    I am always mindful of the potential encroachment on 
individual liberty and privacy by new technologies and I have 
tried to be one of the first to defend those rights. However, I 
will also be one of the first to protect the legitimate needs 
of law enforcement, including their ability to keep pace with 
rapidly changing technologies.
    Now, I am not aware of any of the practices by law 
enforcement that have inhibited the use of the development of 
these services. I am also not aware of any practices by the law 
enforcement authorities that have discouraged the willingness 
of individuals or businesses to store data in the cloud.
    There may very well be a need to clear up statutory 
ambiguities so that the police know what they have to do to 
obtain certain information and service providers know what they 
have to do, in terms of the law, to provide that information. 
But I am concerned that the increasing--I am concerned that 
increasing the evidentiary standard to such a degree as some 
have proposed would create a hurdle that is simply too high to 
clear.
    Cloud technology is a significant advancement in how we 
send, store, and process a very large array of data. Companies 
that provide these services have a vested interest in assuring 
a certain level of privacy to their customers, and obviously 
this has to be weighed against the government's legitimate need 
to access this data.
    And while we consider these issues I believe we must also 
be cognizant of other privacy-related issues. We should not 
simply focus on revising or restricting law enforcement access 
to the cloud; we must also be aware of who owns the cloud, who 
has access to the cloud, and whether there are sufficient 
safeguards to protect the cloud against criminal and foreign 
adversaries.
    Creating barriers to law enforcement in the name of privacy 
may have the unintended consequence of inhibiting law 
enforcement investigations into data breaches and other privacy 
intrusions by hackers and spies and the like. ECPA reform is 
simply not about Federal investigations--or I should say it is 
not simply about those things. These laws govern every criminal 
investigation in the country.
    For this reason this Committee must be thoroughly balanced 
and informed in any ECPA reform it undertakes, and I hope all 
of you can help us understand the best way to move forward. I 
am grateful that you are here. I thank every one of you, look 
forward to your testimony, and yield back.
    Mr. Nadler. I thank the gentleman.
    I will now recognize for an opening statement the 
distinguished Chairman of the full Committee, the gentleman 
from Michigan, Mr. Conyers.
    Mr. Conyers. Thank you, Chairman Nadler, and Trent Franks. 
I am always glad to be here with us three and the staff.
    As if this is not an important issue, I think it is being 
very undervalued by many on our Committee, certainly not those 
of you that have taken time to join us here in the hearing room 
today.
    It just so happens that I was the only one here in 1986, 
and that is not to date myself, but the one thing I can't 
remember right now is whether the Chairman of the Committee was 
Jack Brooks or Peter Rodino. I am inclined to think it was Jack 
Brooks, of Texas, but we are researching it right now.
    Now, so far when we start talking about the reform and 
how--what we ought to consider it turns on whether or not we 
are going to restrict privacy or, in the name of law 
enforcement, we are going to be able to be more invasive. And 
sure enough, Trent Franks runs right into the conservative 
position of wanting to let the law enforcement people have 
their way more. And I am just predicting this; he didn't really 
come out and say it, but we have been listening to each other 
now for a growing period of years.
    But is there something else involved here? And I am so glad 
we have got the witnesses here today.
    Of course we are going to have to balance it, but, you 
know, I am listening to questions of whether or not we are 
going to be able to work out agreements over cyberspace 
differences that are now becoming more discussed in our world. 
We now find out that not only do we have arms race control and 
nuclear control, we now have the whole question of how we can 
create severe damage to civilian populations through 
dismantling and disabling their cyber connections in terms of 
conflict.
    And so we move into this, I hope, not just worrying about 
how much law enforcement leeway are we going to get? Of course 
we want to protect our people's privacy as much as possible, 
but at the same time there seem to me to be other issues that I 
am hoping that you will bring up that are related to who is 
going to control and what happens--is this an infinite growth 
situation that we are in? Are there limits? Are we going to run 
out of what we need to work with or not? Or are there other 
considerations?
    And it is in that spirit that I join you today, and also 
ask unanimous consent to put my written statement in the 
record.
    Mr. Nadler. Without objection.
    Mr. Conyers. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Conyers follows:]

    
    
    
    
    
    
                               __________

    Mr. Nadler. Thank you.
    Without objection, all Members will have 5 legislative days 
to submit opening statements for inclusion in the record. 
Without objection, the Chair will be authorized to declare a 
recess of the hearing at any point. We will now turn to our 
first panel of witnesses, and instead of reading the usual 
boilerplate about our procedures we will follow the Committee's 
usual procedures of questioning witnesses.
    Our first witness will be Edward Felten, who is a professor 
of computer science and public affairs at Princeton University 
and is the founding director of Princeton's Center for 
Information Technology Policy. His research interests include 
computer security and privacy, especially relating to the 
Internet and computer product--and consumer products, and 
technology law and policy.
    He received his Ph.D. in computer science and engineering 
from the University of Washington, an M.S. in computer science 
and engineering from the University of Washington, and then his 
B.S. in physics with honors from the California Institute of 
Technology.
    Richard Salgado, our next witness, is a senior counsel with 
Google for information, security, and law enforcement matters. 
Prior to joining Google Mr. Salgado worked at Yahoo, focusing 
on international security and compliance.
    He also served as senior counsel in the computer crime and 
intellectual property section of the United States Department 
of Justice. Mr. Salgado received his law degree from Yale Law 
School.
    Michael Hintze is an associate general counsel in Microsoft 
Corporation's legal and corporate affairs group. He joined 
Microsoft in 1998 and his practice currently includes a number 
of regulatory and public policy issues, including privacy, 
security, telecom, online safety, and free expression matters 
worldwide. Mr. Hintze is a graduate of Columbia University 
School of Law.
    David Schellhase is--I hope I got that right--thank you--
David Schellhase is executive vice president and general 
counsel of Salesforce.com, Inc., where he leads the legal, 
internal audit, and public policy teams. Mr. Schellhase joined 
Salesforce.com in 2002 and has practiced law in the technology 
industry for 20 years. Mr. Schellhase is a graduate of Cornell 
Law School.
    Perry Robinson is associate general counsel at Rackspace 
Hosting. Mr. Robinson oversees Rackspace's program for 
compliance with state and Federal law enforcement agency 
requests and leads their legal team on contractual matters 
relating to the provision of services to Rackspace's customers. 
Mr. Robinson earned his J.D. from Baylor Law School.
    Paul Misener is Amazon.com's vice president for global 
public policy and has served in this position for a decade. He 
is responsible for formulating and representing the company's 
public policy positions worldwide as well as for managing 
policy specialists in Asia, Europe, and North America. Mr. 
Misener received his J.D. from George Mason University.
    I am pleased to welcome all of you. Your written statements 
in their entirety will be made part of the record. I would ask 
each of you to summarize your testimony in 5 minutes or less.
    To help you stay within that time limit there is a timing 
light at your table. When 1 minute remains the light will 
switch from green to yellow, and then red when 5 minutes are 
up.
    Before we begin it is customary--well, let me just say 
before we do this, the Chair reserves for himself the right to 
recess the hearing, which I anticipate doing only if there are 
votes on the floor. Before we begin it is customary for the 
Committee to swear in its witnesses.
    If you would please stand and raise your right hands to 
take the oath?
    Let the record reflect that the witnesses answered in the 
affirmative, and you may, of course, be seated.
    I will now recognize for 5 minutes our first witness, 
Professor Felten, and use your mic please.

TESTIMONY OF EDWARD W. FELTEN, DIRECTOR, CENTER FOR INFORMATION 
            TECHNOLOGY POLICY, PRINCETON UNIVERSITY

    Mr. Felten. A lot has changed on the Internet since ECPA 
was passed in 1986. Back then there were only a couple thousand 
computers online. Commercial activity was strictly forbidden; 
the Net was only for research and education purposes. And 
several of the companies represented on this panel did not even 
exist. The eventual founder of Facebook was 2 years old.
    The computers at that time would not even be recognizable 
to today's teenagers; the equipment is vastly different. 
Today's cell phones are vastly better than the super-computers 
of 1986. But more important than these changes in equipment and 
sheer numbers of computers has been the change in the way 
people use the Internet, and one of the big changes there has 
been the move to cloud computing.
    As you said before, Mr. Chairman, the defining 
characteristic of cloud computing is that a person is--a person 
or company is taking their data and moving it onto someone 
else's computer, and along with that taking the computation and 
other management functions and putting those as well onto 
someone else's computer, typically a service provider's 
computer. Cloud computing is used both by individuals and by 
businesses large and small.
    To give an example of the use of cloud computing by an 
individual let me talk about my own use of my personal 
calendar. I keep my calendar in the cloud. I have a deal with 
the service provider in which they support that.
    And that provides a number of advantages to me. First, it 
means that the data and the systems are professionally managed.
    The computers that store the master copy of my calendar are 
run by the service provider and not by me; the service 
provider's employees take care of backing up the data, 
maintaining security, keeping everything up-to-date, and 
keeping everything running. I don't have to worry about that at 
all.
    The second advantage is that my calendar is accessible to 
me anywhere--on my desktop computer, on my laptop computer, on 
my mobile phone. The service provider gives me software that 
runs on all of those devices and that software always gets an 
up-to-date copy of my calendar. If I change something in one of 
those places it is immediately reflected in the master copy and 
then in the other copies so that there is a single view of my 
calendar which I always see regardless of where I am.
    And the third main advantage is that it is easily 
shareable. I can give my wife, and my colleagues, and my 
students access to my calendar and they can see what I see in 
real time. Some of them, with my permission, can modify the 
calendar; others can just see.
    Any kind of service which would benefit from these 
advantages of professional management, accessibility anywhere, 
and sharing can be put in the cloud and typically is, and there 
are many examples of different kinds of services that happen in 
the cloud--e-mail, document management, investment tracking, 
photo sharing, project management, hard drive backup, and many 
more.
    Cloud computing is also valuable for businesses. A business 
can take some of their back office computing operations--things 
like payroll, sales, and inventory--and move those into the 
cloud.
    They can also move their consumer facing technology 
infrastructure into the cloud. For example, an ecommerce 
company might take these servers that provide their image to 
customers and that customers interact with and put those in the 
cloud by hiring out that function to someone else.
    Even companies that are technically sophisticated often do 
this because they find it cheaper, due to the economies of 
scale, in having things centrally managed. As another example, 
I wrote my written testimony that was submitted earlier in a 
cloud document-editing system, and I did that because it was 
easy for me to use across devices, and because when I wanted 
someone to review the document and give me feedback they could 
easily do that by using the same cloud service, and we could 
interact and edit in real time.
    Now, in an ideal world people would be making the decision 
to use the cloud or not use the cloud based on considerations 
of technical efficiency and cost. They would be balancing those 
factors and deciding to do whatever was best in their 
individual case. But to the extent that a law like ECPA puts 
its thumb on the scale and pushes people toward putting their 
data and functions in the cloud or moving them out of the cloud 
you end up with solutions that are less technically efficient, 
more expensive, and harder to use, and you end up ultimately 
with less innovation in technology and in business processes.
    Thank you.
    [The prepared statement of Mr. Felten follows:]

                 Prepared Statement of Edward W. Felten











                               __________

    Mr. Nadler. I thank the gentleman.
    I now recognize Mr. Salgado?

 TESTIMONY OF RICHARD SALGADO, SENIOR COUNSEL, LAW ENFORCEMENT 
             AND INFORMATION SECURITY, GOOGLE, INC.

    Mr. Salgado. Thank you, Chairman Nadler, Ranking Member 
Sensenbrenner, and Members of the Subcommittee. As Google's 
senior counsel for law enforcement and information security I 
oversee Google's response to government requests for user 
information under many authorities, including the Electronic 
Communications Privacy Act of 1986. I have also worked with 
ECPA extensively from a law enforcement perspective as a senior 
counsel in the criminal division in the Department of Justice.
    ECPA was a forward-looking statute for 1986, and much of it 
remains relevant today. But over my many years of experience in 
implementing, in trying to interpret, and frankly often 
wrestling with the statute I have seen large gaps grow between 
the technological assumptions of that earlier era and the 
reality of how electronic communication works today.
    As a result of those gaps, providers, users, law 
enforcement agents, investigators, and prosecutors, as well as 
judges often face complex and baffling rules that are difficult 
to explain and challenging to apply. Even more significant, 
however, in important respects ECPA now fails to provide the 
privacy protection that people reasonable expect, and that is 
why Google helped found and strongly supports the Digital Due 
Process coalition.
    The coalition, which many of you may have heard of, is a 
broad coalition. It includes telecommunications companies like 
AT&T we have Internet companies, many of whom are represented 
on the panel today; and other organizations, including 
Americans for Tax Reform and the ACLU, among many other members 
that I haven't mentioned.
    The coalition has proposed a set of common sense principles 
for updating ECPA. The reforms seek to preserve the structure 
of the statute and certainly the tools needed by law 
enforcement to perform their important functions, but are 
intended to ensure that the protections afforded to data stored 
in the cloud are no less than those extended to data stored in 
the home or in the office.
    Cloud computing is a new term, as has been noted, but most 
of us use cloud services every day even if the label isn't 
particularly familiar to us. When you use the Web to send an e-
mail, to edit a document, or to manipulate a calendar, as 
Professor Felten has reflected to us, you are actually using 
cloud computing services.
    The services now are very robust and very feature-rich. In 
fact, many companies are moving their entire I.T. 
infrastructure into the Internet-based cloud and getting the 
functionality through service providers. Shifting all of these 
computing tasks from our desktops to cloud providers offers 
tremendous social benefits, tremendous economic benefits, and 
security benefits.
    Today's technology bears little resemblance to the 
mainframe computers of the 1980's. Back then remote computing 
and storage were rare luxuries for companies, usually used for 
bulk processing, like payroll services or data backup. ECPA has 
not kept pace with the rapid technological advances that we 
have enjoyed in the last few years, and as a result the 
problems are becoming obvious.
    One example that has been alluded to already: Under ECPA 
the government must obtain a warrant to get the content of an 
e-mail that is no older than 6 months, but for older messages 
the government can simply issue a subpoena, obviously without a 
judge's approval, to compel the production of the e-mail's 
content from a provider. Under the Department of Justice's 
interpretation of ECPA, which has been rejected by the 9th 
Circuit, opened e-mail, regardless of the age, can be obtained 
using that lower subpoena standard.
    Distinguishing the privacy protections of e-mail based on 
age and by access of the user makes no sense today. In 1986 
perhaps it did. Remote storage was so expensive that users 
rarely stored messages for very long; they either downloaded or 
deleted the messages soon after receiving them. Today people 
often keep messages and mail for indefinite periods of time, 
possibly forever.
    With Gmail, which is Google's free mail service, Google 
offers enough free storage that space constraints are not a 
reason ever to delete an old mail. Many of our users have 
messages going back to when Gmail was launched over 6 years 
ago. Gmail accounts have essentially become the filing cabinets 
of today.
    The example reveals how parts of ECPA need to be updated 
for the 21st century. The Digital Due Process proposal would go 
far toward achieving that goal. Advances in technology depend 
not just on smart engineers, but also on smart laws that will 
not stand in the way of continued innovation and adoption of 
technology.
    I thank the Subcommittee for giving the attention to this 
issue and urge you to help bring ECPA into the Internet age. 
Thank you.
    [The prepared statement of Mr. Salgado follows:]

                 Prepared Statement of Richard Salgado











                               __________

    Mr. Nadler. I thank the gentleman.
    I now recognize Mr. Hintze?

TESTIMONY OF MIKE HINTZE, ASSOCIATE GENERAL COUNSEL, MICROSOFT 
                          CORPORATION

    Mr. Hintze. Chairman Nadler, Congressman Franks, Chairman 
Conyers, honorable Members of the Committee, thank you for the 
opportunity to discuss Microsoft's perspectives on ECPA reform. 
We appreciate the attention with which this Subcommittee has 
approached the issue and we are committed to working with you, 
law enforcement agencies, and other stakeholders to ensure that 
we responsibly update ECPA for the era of cloud computing.
    ECPA was enacted into law in 1986 to address the issues 
being raised by new digital technologies. What are the 
appropriate standards under which law enforcement can compel 
service providers to disclose customer content and account 
information? ECPA addressed this issue by striking a balance 
between the legitimate needs of law enforcement and the 
public's reasonable expectations of privacy.
    Technology has changed dramatically since 1986. Today we 
are in a new era of computing, one in which users are empowered 
to store unprecedented amounts of digital information online.
    This cloud computing revolution creates numerous benefits. 
It makes businesses more efficient and competitive by enabling 
companies of all sizes to access cutting-edge computing 
resources. It facilitates collaboration through anytime, 
anywhere access. And it provides new opportunities for 
innovation and job creation.
    Microsoft has participated actively in this transformation. 
We come to the issue of ECPA reform as a provider of desktop 
and server software that has moved into hosting online cloud-
based services.
    Our history gives us a clear perspective on how ECPA has 
failed to keep pace with the technological time. Take the 
example of e-mail. As we have heard, ECPA extends greater 
privacy protections to e-mail stored less than 180 days than e-
mail stored for more than 180 days.
    For many years this distinction made sense. Even 10 years 
after the enactment of ECPA Microsoft was offering the first 
version of Microsoft Exchange, software in which a user 
typically would download e-mail to a local machine for it to be 
read and stored, after which it would no longer reside on the 
server. Because the e-mail typically was downloaded to a local 
drive it was reasonable to conclude that e-mail left with a 
service provider for more than 180 days was abandoned with 
little expectation of privacy.
    But shortly thereafter, in 1997, we acquired Hotmail, a 
Web-based e-mail service that enabled e-mails to be stored 
online or in the cloud for longer periods of time. This ability 
to retain e-mails online even after they were read began to 
call into question the justification for the 180-day 
distinction. Even then, however, the amount of storage 
available online was quite limited.
    But since 1997 the amount of online storage available to 
consumers has progressively increased to the point where it has 
become essentially unlimited. Today users regularly store e-
mails and attachments, including photos, documents, and other 
data, online for years, and these users reasonably expect that 
this data will be just as private on day 181 as it was on day 
179.
    These concerns are not limited to individual consumers. 
Enterprises of all sizes are increasingly using products like 
Microsoft Business Productivity Online Suite to store their e-
mail and confidential business documents in the cloud, but we 
regularly hear from enterprises considering the move to the 
cloud that doing so could negatively impact their privacy 
protection.
    In short, the balance Congress struck in 1986 has fallen 
out of alignment, putting more and more user data within the 
reach of law enforcement tools that require lower burdens of 
proof. This trend has serious potential consequences.
    Users will be deterred from adopting cloud services if they 
do not trust their data and will be kept private and secure in 
the cloud. In addition, cloud service providers will hesitate 
to invest in new innovation if there are not clear rules that 
make sense in the context of this evolving technology.
    To restore the balance the Congress struck in 1986 Congress 
should revisit ECPA and ensure that users do not suffer a 
decrease in their privacy protections when they move their data 
to the cloud. We believe that the principles advanced by the 
Digital Due Process coalition will enable citizens to trust 
their data will be subject to reasonable privacy protections 
while at the same time preserving the ability of law 
enforcement to collect the information necessary to protect the 
public. The principles will also provide greater clarity for 
all stakeholders, and we see them as a good starting point for 
the discussion.
    As Congress takes up the important issue of ECPA reform we 
believe it should also look at privacy and security issues 
related to cloud computing in the broader policy context. Users 
of cloud computing services must have confidence that their 
data will be kept secure and private not just vis-a-vis the 
government but also with respect to service providers and other 
third parties. The importance of protecting privacy and 
security also extends beyond the United States and can be 
impacted by the laws of other governments.
    To address these concerns Microsoft has proposed that 
Congress consider comprehensive legislation that advances 
privacy and security in the context of cloud computing, and in 
turn helps to promote confidence in the cloud.
    Thank you for the opportunity to testify today. Microsoft 
appreciates the Subcommittee's leadership, and we look forward 
to working with you on these important issues.
    [The prepared statement of Mr. Hintze follows:]

                  Prepared Statement of Michael Hintze



























                               __________

    Mr. Nadler. I thank the gentleman.
    Mr. Schellhase is now recognized.

  TESTIMONY OF DAVID SCHELLHASE, EXECUTIVE VICE PRESIDENT AND 
                GENERAL COUNSEL, SALESFORCE.COM

    Mr. Schellhase. Chairman Nadler, Chairman Conyers, 
Congressman Franks--oh yes, I am sorry--thank you for holding 
this hearing and inviting me to share my views with you.
    Cloud computing is emerging as a powerful engine for 
economic growth and jobs and it is important that we create a 
policy framework that supports it. Salesforce.com, my employer, 
is a leading enterprise cloud computing company that provides 
Internet-based business applications primarily for helping to 
automate sales and customer support functions to organizations 
of all sizes around the world.
    Instead of building and maintaining costly I.T. 
infrastructure our customers simply log onto our Web site and 
access our cloud services using a unique username and password. 
Over 82,000 organizations globally, including numerous U.S. 
Federal Government agencies and businesses in highly regulated 
industries, trust Salesforce.com to store and process their 
data.
    In my remarks today I will make reference to the enterprise 
cloud computing model. In doing so I will emphasize two points: 
First, U.S. public policy should support cloud computing 
because it is a powerful driver of economic growth and job 
creation. Second, in order to build confidence in cloud 
computing the rules for government access to data held in the 
cloud should be the same as for data held on premise.
    Every major analyst firm believes that cloud computing will 
see explosive growth. Gartner Group estimates that the 
worldwide market for cloud services will be worth $148 billion 
by 2014, and a recent Goldman Sachs report called the shift 
toward cloud computing ``unstoppable.''
    Just as the electric power grid paved the way for the rise 
of the modern business economy, cloud computing is paving the 
way for the 21st century digital economy. By unleashing 
innovation and productivity cloud computing will create jobs 
not only in the technology industry but also create jobs in 
sectors as diverse as manufacturing, health care, and 
government. Cloud computing has already spawned scores of new 
companies, and as the market for cloud computing accelerates 
Congress should adopt policies that support the cloud computing 
model or, at a minimum, that do not discriminate against it.
    Government has a very legitimate--has very legitimate 
reasons to access privately-held data for such purposes as 
fighting crime and preventing terrorist attacks. In order to 
generate public confidence in the way that the government 
obtains this access, however, it is essential that the 
guidelines for them be applied in a predictable way that is 
appropriately transparent.
    At Salesforce.com we create trust in our cloud computing 
applications by maintaining robust security practices based on 
international standards, hosting a public Web site that shows 
the performance and trust of our system on a daily basis, and 
contractually agreeing to keep our customers' data confidential 
with exceptions for due process of law. For many customers 
these actions are all the evidence they need to determine that 
they can trust the privacy and security of our data--of our 
cloud services.
    For others, however, especially those outside the United 
States, these actions are not enough. These customers want 
something more. They want assurances that the U.S. government 
will not access their data without appropriate due process.
    At Salesforce.com we face this issue on a regular basis, 
principally from customers who believe that the current 
regulatory framework permits the U.S. government overly broad 
access to data stored in the cloud. We need to have clear laws 
that prove that this belief is unfounded.
    As a company, Salesforce.com cannot make representations to 
its customers that government will not gain access to data. 
What we can do is point to the legal process that the 
government must undertake to access data held in the cloud. 
This is where reform of the Electronic Communications Privacy 
Act is so crucial.
    Because ECPA codifies guidelines for U.S. government access 
to data it sends a clear signal to other countries about the 
confidentiality of data held in the cloud. As a result, it is 
important that Congress update ECPA to clarify that data stored 
and processed in the cloud on behalf of a customer has the same 
protections and standards for law enforcement access as data 
stored locally by that customer.
    As Congress contemplates ECPA reform it should embrace the 
concept of technology neutrality. In practice, technology 
neutrality that a particular kind of information will receive 
the same level of protection regardless of the technology 
platform or business model used to create, communicate, or 
store it. We are not asking for special treatment for data in 
the cloud, but rather for equal treatment.
    In order to assure technology neutrality in private 
communications, documents and other private user content stored 
in or transmitted through the cloud should be subject to the 
same warrant standard that the Constitution and the Wiretap Act 
have traditionally provided for privacy of our phone calls or 
the physical files we store in our homes. In practice, this 
recommendation would mean that the government must obtain a 
search warrant based on probable cause before it can compel a 
service provider to disclose a user's private communications or 
documents stored online.
    By making sure that ECPA is technology neutral Congress can 
send a clear signal to individuals, companies, and governments 
around the world that they can safely use cloud computing 
platforms. We believe that doing so will unleash a wave of 
innovation and productivity that will drive economic growth and 
create jobs for years to come.
    Thank you.
    [The prepared statement of Mr. Schellhase follows:]

                 Prepared Statement of David Schellhase































                               __________
    Mr. Nadler. Thank you.
    I will now recognize Mr. Robinson.

    TESTIMONY OF PERRY ROBINSON, ASSOCIATE GENERAL COUNSEL, 
                       RACKSPACE HOSTING

    Mr. Robinson. Thank you, Mr. Chairman, Members of the 
Committee. Thank you for taking the time to address this 
important matter.
    I am here on behalf of Rackspace Hosting, and unlike many 
of the other panelists, which are household names--is that a 
little bit better?--which are household names, Rackspace is a 
smaller organization. Provide just a little bit of background: 
We are a company that is based out of San Antonio, Texas. We 
were founded in 1998 by four college students.
    Over the time we have grown. We have now got about 3,000 
employees. We employ people in San Antonio, Texas; Austin; 
Chicago, Illinois; Herndon, Virginia. And we have had this 
growth in part due to the growth of the cloud. Rackspace is 
invested heavily in cloud technology and offers cloud servers, 
cloud sites, and cloud files to its customers. Now, I provide 
this information as background to the context in which ECPA 
applies to a company such as ours, which is an emerging 
organization.
    So I would also like to briefly explain some examples of 
how Rackspace provides cloud computing technology to its 
customers. Cloud technology can be somewhat challenging, I 
think, to understand at first.
    The concept at a high level, though, can also be very 
simple. In fact, for many consumers they are not aware of the 
times at which they are actually using cloud technology.
    To oversimplify the concept a bit, cloud servers is kind of 
like a motor pool, right, in which a vehicle is provided at 
just the right time for your use. Its function is the same as a 
physical vehicle but it has essentially been virtualized 
through computing code.
    The fact that this virtual instance is virtual and not 
physical in nature, though, doesn't change the experience of 
the consumer itself. And so the end user of this technology 
oftentimes has the same understanding of the rights and 
implications of this use of technology as they would any other 
traditional form of communication.
    Cloud storage, on the other hand, makes use of file 
technology to provide storage which is provided through a 
connection to the Internet. Many applications, or apps, on 
mobile devices and telephones make use of such cloud storage. 
An example of such storage might be the storage of documents 
which are created on a mobile device or, as Professor Felten 
was saying, the use of an online calendar.
    For many of its customers Rackspace provides the base 
technology on which her customers are able to develop the use 
of cloud servers or cloud storage for the development of their 
businesses. Our customers are often businesses who are, 
themselves, providing services to an end user. Now, the 
complication here is that as you move down the chain you have a 
process which goes from the provider of the cloud services down 
to an end user and there is--and that created a gap, sometimes, 
in which, again, the end user doesn't always have an absolute 
understanding of how the technology is actually provided to 
them.
    In each case there are expectations by these users that 
their use of this technology--of cloud servers, of cloud 
files--is subject to control of the end user itself and that 
the content will not be accessed by third parties or others 
unless permission has been granted. This privacy expectation is 
a fundamental aspect of the acceptance of cloud technology.
    Rackspace believes that ECPA has fallen behind these 
advances in technology. To be clear, Rackspace does not believe 
that ECPA is flawed in its intent and does not seek to change 
the balance of the individual interests and the privacy of 
their electronic communication with the needs of law 
enforcement.
    However, Rackspace does see ECPA as having fundamentally 
failed to maintain pace with changes in technology. As a 
result, there is a great deal of confusion regarding the level 
of protection afforded to end users which is stored on or 
accessed through the cloud.
    These concerns translate to hesitancy regarding the 
adoption of cloud technology despite the benefits, the 
flexibility, and cost savings that it provides. They have a 
financial impact on the growth of businesses such as Rackspace, 
Rackspace's other customers, and quite frankly, they have an 
impact on, potentially, the economy itself.
    Rackspace believes now is the time to update ECPA and to 
bring clarity and predictability to the law so that people will 
know what protections are afforded to their data and their use 
of their technology, thereby allowing the sector to grow and 
create jobs and help drive the economy forward.
    Thank you for your time.
    [The prepared statement of Mr. Robinson follows:]

                  Prepared Statement of Perry Robinson















                               __________

    Mr. Nadler. Thank you.
    And we will now hear from--I will now recognize Mr. 
Misener.

  TESTIMONY OF PAUL MISENER, VICE PRESIDENT FOR GLOBAL PUBLIC 
                       POLICY, AMAZON.COM

    Mr. Misener. Thank you very much, Mr. Chairman, and Mr. 
Franks, and Chairman Conyers, and Members of the Subcommittee. 
My name is Paul Misener, and I am Amazon.com's vice president 
for global public policy. On behalf of our company and our 
millions of customers, thank you very much for inviting me to 
testify on this important hearing.
    Amazon.com Web site began in 1995 as a place to buy books. 
Since then we have strived to be earth's most customer-centric 
company where people can find and discover virtually anything 
that they may want to buy online. Now Amazon Web Services 
provides a family of cloud computing functions to small and 
large businesses, government agencies, academic institutions, 
and other users.
    Cloud computing, as others have described for the 
Subcommittee, is a means of providing, through the Internet, 
computing functions similar to what a desktop or laptop 
computing can provide but far more efficiently and reliably, 
and at much greater scales and speeds. For example, desktop PCs 
can store files like memos, spreadsheets, digital photos, and 
music. So can cloud computing services, only much more 
efficiently and reliably.
    A desktop computer's hard drive can crash, for instance, 
potentially deleting files. Cloud computing storage done well, 
however, is redundant, and thus files are far more durable and 
the chance of unintentionally deleting them is virtually nil.
    Amazon offers data storage as Amazon Simple Storage 
Service, or S3. This service can be used to store and retrieve 
any amount of data at any time from anywhere on the Web. S3 
gives users access to the same highly scalable, reliable, 
secure, fast, inexpensive infrastructure that Amazon uses to 
run its own global network of Web sites.
    The service aims to maximize benefits of scale and pass 
those benefits to users. In one example a company called 
ElephantDrive uses Amazon S3 storage to pride consumers an 
inexpensive way to make backup copies of digital files.
    Likewise, desktop PCs can perform calculations on data. 
Although many of us never perform calculations much more 
complicated than with spreadsheets, small and large businesses, 
researchers, and government agencies often need to perform 
complicated and data-intensive calculations.
    Desktop PCs are often not up to the task, and even 
dedicated local workhorse computers often can't deliver 
satisfactory results or are a cost-prohibitive capital 
investment. Cloud computing, on the other hand, can provide 
virtually unlimited computation capacity that may be rented as 
needed rather than obtained through a large, wasteful, up-front 
capital expenditure that requires expert setup and maintenance 
and rapidly becomes obsolete.
    Amazon also offers a service known as Amazon Elastic 
Compute Cloud, or EC2, that is designed to make Web-scale 
computing easier. Just as S3 enables storage in the cloud, 
Amazon EC2 enables compute in the cloud.
    The EC2 Web interface allows users to obtain and configure 
capacity and control computing resources. Users may quickly 
scale up capacity--and then down--as their computing 
requirements change, and they pay only for the capacity that 
they actually use. In one case an engineer at The Washington 
Post used the equivalent of over 1,400 server hours on EC2 to 
convert over 17,000 pages of First Lady Hillary Rodham 
Clinton's newly-released documents into a Web-friendly format 
within just 9 hours and for less than $150.
    The benefits of these and other cloud computing services to 
businesses large and small, government agencies, to 
researchers, and other organizations are manifest. The power of 
expensive and complicated computer hardware is available 
immediately on a pay-as-you-go basis. No longer must an 
enterprise expend capital up front and endure delays. And the 
computing capacity is completely elastic, scaling up in time of 
high demand and down as appropriate.
    Bottom line, with cloud computing enterprises can focus 
their engineering resources on their own specialties. No longer 
must they manage the difficult tasks of building and 
maintaining computer infrastructure.
    Accordingly, we believe that it is in the public interest 
to ensure that there are no inappropriate legal impediments to 
cloud computing and that applicable law, including ECPA, is 
clear and current. We appreciate the Subcommittee's interest in 
this matter and the investigation of whether and how ECPA 
should be modified.
    Amazon is a member of the Digital Due Process coalition, 
which has proposed clarifications of ECPA in four areas, 
covering requests for: one, the content of electronic 
communications; two, location information; three, real-time 
transactional data about communications; and four, broad 
information requests about broad categories of users. Although 
we are aware, for example, that the standards applied to 
location information may need clarification our experience 
primarily relates to requests for the content of 
communications, as a provider of remote computing service.
    With respect to the content of electronic communications we 
believe that ECPA requires law enforcement authorities to 
obtain a search warrant to compel disclosure. We do not release 
information without valid process and have not disclosed 
content without a search warrant.
    In order to protect the privacy of communications we 
certainly agree with our fellow members of the Digital Due 
Process coalition that this is how the law should operate: 
compelled disclosure of content should require a search 
warrant, just as obtaining content out of a person's desk 
drawer would. If there is any significant ambiguity in ECPA, 
such as with respect to the age of a communication, we would 
support legislation to clarify that compelled disclosure of 
content may only come as a result of a search warrant, 
regardless of the age of a communication.
    Thank you again for the opportunity to testify on the 
important topic of cloud computing services. Amazon believes 
that these new services have important societal benefits, and 
if laws such as ECPA should be clarified to address cloud 
computing we support the effort.
    [The prepared statement of Mr. Misener follows:]

                   Prepared Statement of Paul Misener













                               __________
    Mr. Nadler. Thank you very much.
    We will now begin the questioning by--I will recognize 
myself for the 5 minutes.
    Professor Felten, in your testimony you described the many 
ways you use cloud computing technology and services in your 
professional and personal life. When you think about your and 
society's digital life now as compared to 1986 do you think 
that ECPA's 1986 concept of electronic communications service 
and remote communications service accurately reflect network 
usage today, and if not why not?
    Mr. Felten. I think not. In 1986 it made more sense, in 
terms of people's use of these services, to separate 
communication and computing into separate products and separate 
mental categories, but these days these computation, storage, 
and communication are really integrated together to provide a 
unified product that meets some need of the end user for 
managing a calendar, or document collaboration, or whatever it 
is that the user is wanting. Users often don't think about and 
often don't know what is happening behind the scenes to make 
all this work, and so it is a line that is not visible to a lot 
of the decision-makers, and it makes a lot less sense than it 
did then.
    Mr. Nadler. Thank you. And you also, in your testimony, 
discussed the fact that it may be difficult for a user to tell 
whether or not his or her data is stored in the cloud because 
cloud services can offer nearly the same user experience as 
local servers. And as someone who uses a computer all the time 
and never heard the phrase ``cloud computing'' until a few 
weeks ago I certainly never think about--or certainly never 
thought about--whether it is in the cloud or not.
    Elaborate on this concept, and how might a user be unaware 
or unsure of whether or not he is working or operating in the 
cloud, and why should it make a difference to him?
    Mr. Felten. Well, at one level it should not make a 
difference to the user as long as the job that they want done 
is being done well. It may prove to make a difference to the 
user if there is a legal line that gets drawn.
    But increasingly what users are after is the experience of 
solving their problem, doing their job without having----
    Mr. Nadler. And they don't care how it is done. They just 
care about the result; they don't care how the problem is 
solved.
    Mr. Felten. Absolutely.
    Mr. Nadler. Thank you.
    Mr. Salgado and perhaps Mr. Hintze, my understanding is the 
Stored Communications Act, and specifically the electronic 
communications service and remote communications services 
distinctions can be difficult to apply to many of today cloud-
based services, as Professor Felten just said. And of course, 
under the law ECS provides greater privacy protection than RCS.
    What position do you generally take regarding classifying 
services or information as either ECS or RCS and the legal 
process you require before disclosing information when you get 
law enforcement requests for the following: Web mail search--on 
the one hand, Web mail search, word processing, online photo 
video storage services, and on the other, names or I.P. 
addresses of users who search for a specific phrase? And in 
answering the question, please indicate whether you must make 
creative arguments or take an aggressive view of the law in 
order to provide great privacy protections to your customers--
in order to provide the privacy protections you thing they 
require.
    Mr. Salgado first?
    Mr. Salgado. Thank you, Mr. Chairman. The question is 
complicated because of how the ECPA is written, so I apologize 
at the beginning for probably not being able to address each 
one of those categories, but it is the very fact of the 
complexity of ECPA that makes that difficult to answer.
    In in ideal world I would like to be able to tell you, this 
is the type of legal process we require for all those types of 
information and it is a result of a--it is the result of a 
thoughtful balance and a consideration of the equities of law 
enforcement and the interests of the users and the providers. 
That is not the situation and so the result is, as you list 
these different products each one of those requires a separate 
legal analysis, oftentimes requiring consulting with outside 
counsel, pulling out the statute again, rereading the statute 
to figure out what type of legal process is required for what 
types of data.
    The distinctions between RCS and material and ECS material 
are often arbitrary, and even within the category of ECS 
material--electronic stored material--the definition is so 
tiered and complex there is nothing intuitive about it. It 
often turns on whether the communication is, using the terms of 
the statute, in electronic storage. And I think a lot of 
people, if you ask them, ``What does it mean to be in 
electronic storage?'' would answer, ``It means to be stored 
electronically,'' and they would be wrong. And in fact, they 
would have to look at the statute to understand that that term 
is actually a very complex, tiered test to figure out whether 
something is in electronic storage for the purposes of the 
statute.
    This is where the 180-day rule comes in. That is the part 
of the definition of electronic storage. So the question you 
ask is a complex one because the statute doesn't make it an 
easy answer.
    I think the Digital Due Process coalition members believe 
the answer to that should be, it requires a search warrant. It 
should require a search warrant.
    Mr. Nadler. And Mr. Heintz, would you comment on the same 
question? In particular, indicate whether your experience has 
necessitated the use of what one might call creative arguments 
or an aggressive view of the law in order to do your job 
properly.
    Mr. Hintze. Certainly. I would be happy to. I would point 
out that, as Mr. Salgado's experience as both a prosecutor and 
in business having trouble answering these questions, you know, 
I think that is indicative of the fact that all of us do and 
these are very complicated matters.
    You know, the various types of data that may become an 
issue here--of those probably the ones that ECPA speaks to most 
clearly would be e-mail, because that was one of those things 
that was contemplated at the time that ECPA was drafted. But as 
we have heard, the way e-mail is used has changed dramatically 
since 1986 and a lot of those distinctions make--no longer make 
sense, although I think it is quite clear that e-mail is an ECS 
under ECPA and the content of a message and the subject line 
would be considered content and protected by the warrant 
statute standard up to 180 days or up to when it has been 
opened, except for in the 9th Circuit where it is--so crystal 
clear, right?
    Other services are even more difficult to discern and what 
the various levels of protection might be depending on the 
nature of the service, the nature of the data, the timeframe 
under which it has been stored electronically, what circuit you 
happen to reside in.
    Mr. Nadler. And all this is carefully considered in the 
privacy expectations by the customer, right?
    Mr. Hintze. Yes, absolutely.
    You know, I think also, you know, some of these questions 
are theoretical. You know, the bulk of the requests we get from 
law enforcement are for traditional communications, e-mail. 
Some of these things we just simply haven't gotten requests.
    But you look at new services like search that both Google 
and Microsoft provide, and the question is how that applies 
under these definitions. I mean, looking at the definitions you 
would have no idea. There are arguments that could be made in 
different ways.
    I mean, we think probably the best interpretation of search 
under ECPA is that the query itself would be content, yes, but 
you know, trying to find that and trying to discern that in the 
statute is very difficult. That is why we--one of the reasons 
we support the Digital Due Process coalition principles is that 
it makes those distinctions. While it doesn't touch the 
definitions, per se, it says that all content, whether the 
content of a search query or the content of an e-mail, the 
content of your documents would be protected by the warrant 
standard for probable cause.
    Mr. Nadler. Thank you.
    Let me ask Mr. Schellhase and Mr. Robinson, both of your 
firms have indicated in your written testimony that you have 
customers who are concerned that the U.S. government has 
overly-broad access to their data that is stored in the cloud. 
What you appear to be saying is that overly-broad U.S. 
government access to data is a consideration for some customers 
in determining whether they should put their information in the 
cloud.
    How does such a concern affect your business model? How do 
you address this concern with your customers? What aspects of 
ECPA reform could address this issue specifically?
    Let me add one other thing: Why should we protect people 
who want to keep secrets from the government? Isn't that for no 
good purposes?
    Mr. Schellhase. I will answer first, Mr. Chairman. I think 
in part what we fight largely is a perception problem, right? 
And there is a perception on the part of many of our European 
customers and prospects that the U.S. government has undue 
access to data----
    Mr. Nadler. More from European than from the American 
customers?
    Mr. Schellhase. Yes. Much more from European customers.
    But nevertheless I think, you know, the defense that we 
fall back on, as I mentioned in my testimony, is we provide 
contractual assurances but we also look to the U.S. to have 
appropriate due process around accessing data, and so that--you 
know, so any consistency and reinforcement of consistency in 
the law benefits us when we sell to customers who have this 
perception.
    Mr. Robinson. Yes, a similar situation on Rackspace's side. 
A good deal of my time is spent each week explaining to 
customers, both from the United States and customers in Europe 
and Canada, Australia, basically all over the world, exactly 
what circumstances in which their data may be accessed, right? 
And what becomes difficult is with the current state of the 
law, with ECPA that answer is not easy, right? And so it makes 
it a very challenging discussion.
    The answer, quite frankly, is if we are required by law to 
provide your information over we will have to do that. They 
say, ``Okay, in what circumstance?''
    Well, that is a very long conversation. Where would you 
like to start? You get into the specifics of how ECPA applies 
and, you know, as some of the other panelists have mentioned 
you have to start at times, you know, going back to the 
statute, considering, you know, bringing in outside counsel 
especially.
    This makes it challenging to do business, and quite frankly 
it has an impact on our ability for our product.
    Mr. Nadler. Thank you very much.
    My time is expired. I now recognize the gentleman from 
Arizona.
    Mr. Franks. Well, thank you, Mr. Chairman. It seems like 
this is a pretty important subject.
    It occurs to me that even programs and whole systems 
essentially could eventually be completely operated in the 
cloud and all of the programs could be updated from there, even 
operating systems where you only have an Internet operating 
system intervening between the customer and the cloud. And it 
is a pretty impressive technology and so it does seem to be a 
very, very important trend.
    And I guess I will start out by asking you, Mr. Hintze--and 
I am assuming it is Hintze and not Hintze, correct?
    Okay, Mr. Hintze, you state that in a poll conducted by 
Microsoft earlier this year that 90 percent of the general 
population and senior business leaders say that they are 
concerned about the security and privacy of data as it relates 
to cloud storage, and I guess my question is, does this number 
specifically relate to concern about a government intruder or 
is this number broader to include criminals and other 
individuals seeking to hack into the cloud, and is that a 
significant issue?
    Mr. Hintze. It certainly is a significant issue, and that 
number encompasses both. People are concerned about the impact 
on their privacy and security of their data as they put it in 
the cloud. Whether that is from the government, whether it is 
from the service provider itself, or whether it is from 
nefarious actors outside of the service provider who are trying 
to get into it.
    That is one of the reasons that we support a broad approach 
to addressing these privacy issues and security issues in the 
cloud. In addition to privacy vis-a-vis the government we think 
that there is a role for Congress in ensuring privacy vis-a-vis 
service providers' own practices, which support broad privacy 
legislation affecting the private sector.
    We think that law enforcement should be given tools to go 
after the hackers who are trying to get into the cloud. We 
think there is a role for giving service providers a private 
right of action to go after those malicious actors as well, and 
other similar enhancements of security online.
    And then, as I mentioned in my oral testimony, these issues 
are not simply U.S.-focused as well, and we think that as cloud 
infrastructures grow and data crosses borders we are seeing 
increasing challenges with respect to the laws of a foreign 
government that create conflict of laws issues, distinctions 
between law enforcement and privacy, and data retention and 
privacy, and we think there is a role for Congress to encourage 
the Federal Government to engage on a bilateral and 
multilateral basis to address some of those.
    Mr. Franks. Well, it takes me in a little different 
direction where I was going, but let me go ahead and ask this 
based on some of your comments: While the cloud would be 
subject to the jurisdiction of the United States, you know--or 
I guess that is if the cloud resides in the United States--
wouldn't a U.S.-based cloud with heightened access requirements 
for law enforcement be potentially a haven for laundered or 
data hiding, or would this be especially attractive to foreign 
customers as a result? In other words, does it represent any 
sort of a vulnerability for data to be stored in a cloud here 
in the United States and sort of hidden away based on some 
nefarious or malevolent purpose?
    Mr. Hintze. As we have heard from other panelists today, 
today the concern is that the standards around government 
access to data may be lower than in other places, so there is a 
concern from foreign customers particularly about doing 
business with U.S. providers, which makes it challenging for us 
to sell our products and services to customers outside the 
United States.
    With the Digital Due Process coalition proposals we think 
that will bring more clarity and bring the statute back into 
balance and line with where the judgments were made between the 
interests of privacy and law enforcement back when they were in 
1996. We view it as a fairly modest proposal, not one that 
would create such high barriers that the United States would be 
looked at as some kind of data haven that Switzerland----
    Mr. Franks. I understand.
    Mr. Hintze [continuing]. Computing.
    Mr. Franks. Well, Professor Felten, you state that even 
those few who don't know or don't even use the Internet or 
don't have cell phones will still leave an extensive electronic 
trail online, including their health records and financial 
records, you know, and I guess I would ask you to elaborate 
both on the cell records that we leave, our health care 
records, all of the records that we leave just as a matter of 
doing everyday activities.
    Are those things left in the cloud somewhere? Is there a 
way to ever completely erase them? And in terms of the actual 
practice--and I don't want to make this too complicated--of law 
enforcement, does law enforcement on a routine basis ask for 
that data that is just kind of somewhere out there floating 
without a clear reference point?
    Mr. Felten. Well, as to what data there is and where it 
might be stored, I as a consumer have little idea. Most 
businesses keep extensive records of the interactions they have 
with their customers. That is true in a lot of areas such as 
health care as well.
    Cell phone companies have records which they keep for some 
length of time about the location and movement and calls, and 
so on. And in today's world where computer storage is so cheap 
the default, in a lot of cases, is to keep everything in the 
hopes that there might be a business use for it.
    And so I think it is very difficult for consumers to really 
know exactly what exists, but as more things go online and as 
areas like health care move toward electronic records and 
toward networking you are going to see more and more of the 
characteristics of the cloud emerging there as well.
    Mr. Franks. But do you think--and I throw this last 
question out, Mr. Chairman, to anyone to--do you think that 
there is a vulnerability in general for the myriad amounts of 
information that represent text messages, and pictures, and 
things that people send all the time? Is that something that is 
regularly or even irregularly accessed by either law 
enforcement or hackers, or just in general?
    I mean, how safe is our information out there right now? Is 
it something where a lot of it is compromised?
    Mr. Felten. Certainly there are compromises and it is 
something that we should be concerned about. There are a lot of 
different types of data and they can be mosaicked together to 
get a lot of information about what people are doing, and 
especially to track down people who might have special concerns 
about being victims of crimes. I think it is an issue that is 
important even beyond the scope of ECPA.
    Mr. Franks. Mr. Chairman, it is an important issue and I 
yield back.
    Thank you all.
    Mr. Nadler. Thank you.
    I would like to follow up one thing Mr. Hintze said. You 
mentioned private right of action by victims of hackers?
    Mr. Hintze. Among the things we have supported would be a 
private right of action for cloud service providers to go 
after----
    Mr. Nadler. Cloud service providers. Does the victim 
already have that private right, does he not?
    Mr. Hintze. I think under some cases that might be the 
case. We do think that the service providers have the resources 
and the incentives to really go after the hackers----
    Mr. Nadler. And they don't have that private right of 
action?
    Mr. Hintze [continuing]. Private right of action today 
under the Computer Fraud and Abuse Act.
    Mr. Nadler. Thank you very much. I want to thank this panel 
for their expert testimony, and thank you.
    And let's seat the second panel. We are going to have a 
series of votes in a few minutes but we can get some of this 
done before that series of votes.
    And again, thank you to the members of the first panel.
    We will now proceed with our second panel. I would ask the 
witnesses to take their places. In the interest of time I will 
introduce the witnesses while they are taking their seats, 
although I see they have already done that.
    Kevin Werbach is an associate professor of legal studies at 
the Wharton School, University of Pennsylvania. Professor 
Werbach co-led the review of the Federal Communications 
Commission for the Obama administration's presidential 
transition team and was an advisor in broadband issues to the 
FCC and the National Telecommunications and Information 
Administration.
    Earlier in his career he served as counsel for new 
technology policy for the FCC during the Clinton 
administration. Professor Werbach received his J.D. from 
Harvard University and his B.A. from University of California 
at Berkeley.
    Fred Cate is the distinguished professor and C. Ben Dutton 
professor of law, adjunct professor of informatics and 
computing, and director of the Center for Applied Cybersecurity 
Research at Indiana University.
    I won't ask you today, but sometime you will tell me what 
informatics is.
    Professor Cate served as a member of the National Academy 
of Science's committee on technical and privacy dimensions of 
information for terrorism prevention, counsel to the Department 
of Defense technology and privacy advisory committee, and as a 
member of the Federal Trade Commission's advisory committee on 
online access and security. He earned his undergraduate and law 
degree from Stanford University.
    Senior Investigator Thomas H. Hurbanek--and I hope I got 
that right--is a 24-year veteran of the New York State Police. 
He has been assigned to the state police computer crime unit 
since 1997, working on investigations and forensic cases 
involving computers and technology. His current assignment 
involves supervising the cybercrime and critical infrastructure 
response section of the computer crime unit, working jointly 
with Federal and state agency partners to respond to incidents 
impacting New York's computing infrastructure.
    Kurt Schmid has been a law enforcement official for 40 
years and currently serves as the executive director of the 
Chicago High Intensity Drug Trafficking Area, or HIDTA, 
program. Previous to this assignment Mr. Schmid served as 
senior law enforcement advisor for the Counterdrug Technology 
Assessment Center and the national director of the HIDTA 
program in the White House Office of National Drug Control 
policy in Washington for 10 years.
    Marc Zwillinger is a founding partner of Zwillinger 
Genetski, LLP, where for 10 years his practice has focused on 
issues related to Electronic Communications Privacy Act, the 
Wiretap and Communications Act, surveillance law and privacy. 
Previously Mr. Zwillinger ran the privacy and security practice 
groups at Sonnenaschein Nath & Rosenthal and at Kirkland & 
Ellis.
    Prior to that he served 3 years as a trial attorney in the 
computer crime and intellectual property section of the 
criminal division of the Department of Justice. Mr. Zwillinger 
earned his J.D. magna cum laude from Harvard Law School.
    I am pleased to welcome all of you. Your written statements 
will be made part of the record in their entirety. I would ask 
each of you to summarize your testimony in 5 minutes or less, 
and I presume you heard what I said about the lights earlier 
and what they mean.
    Before we begin it is customary for the Committee to swear 
in its witnesses.
    If you would please stand and raise your right hands to 
take the oath?
    Let the record reflect that the witnesses answered in the 
affirmative, and you may be seated.
    Well, we can start the testimony. We will see how far we 
get before we are called to votes.
    So I will recognize Professor Werbach to begin.

  TESTIMONY OF KEVIN WERBACH, PROFESSOR, THE WHARTON SCHOOL, 
                   UNIVERSITY OF PENNSYLVANIA

    Mr. Werbach. Thank you, Mr. Chairman, Congressman Franks, 
and Members of the Committee.
    On the prior panel you heard from a number of cloud 
computing vendors. As a business school professor who studies 
emerging technologies I would like to give you a broader 
picture of the business changes that the Internet has fostered 
in recent years. Reform of ECPA should be considered against 
the backdrop of these trends.
    Cloud computing is not just a set of popular services like 
Web mail or even a market segment; it is all around us. The 
quarter-century from the birth of the personal computer 
industry until 2000 marked the progress towards, in the words 
of Microsoft's original mission statement, ``a computer on 
every desk and in every home.''
    Today the model is no longer one computer per person but 
many devices for each user in different locations offering 
different form factors and functionality. This multi-device era 
is necessarily a connected era because devices draw upon the 
network to offer services, and it is necessarily a cloud 
computing era.
    When users access their data from many devices that data 
must be stored remotely or synchronized through the network. In 
particular, the growth of mobile smartphones, like the iPhone 
and Android devices, and newer classes like netbooks, tablets 
such as the iPad, and set-top boxes eliminate the traditional 
assumption that a personal computer is the sole repository of a 
user's information and application. As these devices 
proliferate file-hosting and software as a service will become 
integral parts of the computing experience rather than options.
    The Internet is no longer a nascent technology. There are 
over 2 billion people around the world online. In 1986, when 
ECPA was passed, there were no Web sites; in 1996 there were 
roughly 100,000; today there are over 100 million.
    Facebook was just founded in 2004. It now has half a 
billion members worldwide. I could give many other examples.
    As the external usage of the network has changed the 
internal components have evolved as well. Google probably has 
more Web-connected servers than the entire Internet did 15 
years ago, all linked into a colossal virtual super-computer.
    Many other providers are building their own cloud data 
centers. All others tap into public clouds from companies like 
Amazon.com.
    Increasing bandwidth and storage are making the cloud 
architecture increasingly pervasive. These cloud-based services 
are online intermediaries. The Internet creates and depends 
upon a large number of such intermediaries, including search 
engines, ecommerce marketplaces, social networks, content 
hosting tools, collaboration services, payment processors, and 
more.
    These intermediaries create value for users and sometimes 
become application platforms of their own. However, they also 
necessarily raise important privacy and security issues. By 
their very nature cloud computing intermediaries require users 
to give up physical control over their data. This distributed 
processing can be transparent to the end user who may not 
realize that her data is sitting in a pool of servers far away.
    In several statutes Congress effectively made a deal with 
online intermediaries. They avoid intermediary liability in 
return for commitment not to meddle with their users' data and 
to establish orderly procedures for access when sought for 
legitimate purposes, such as law enforcement. This structure 
underlies the safe harbors of Section 230 of the 
Telecommunications Act of 1996 and Section 512 of the Digital 
Millennium Copyright Act.
    This safe harbor approach provides confidence for all 
parties. A user has the confidence his or her information won't 
be accessed inappropriately; the service provider has 
confidence it won't accrue legal liability for the actions of 
its users; and law enforcement and other outside parties such 
as copyright holders have the confidence that service providers 
will provide them with access to necessary information subject 
to an appropriate process.
    All that, however, depends on clear definitions. If user 
data stored in the cloud is not subject to appropriate 
protections from unauthorized access, both private and 
governmental, trust in could computing could be undermined.
    A loss of trust in the Internet would impact far more than 
the companies providing cloud-based services. If users lose 
their trust in online intermediaries some will use encryption 
to make data less visible, some will keep more data locally 
even when the cloud architecture provides clear benefits, and 
some will simply engage in less activity online. These actions 
will be based on incomplete information and confusion.
    In other words, a drop in trust in online intermediaries 
will inevitably add greater friction to the Internet economy. 
The health of the Internet should be a national priority. 
American businesses and consumers have benefited enormously 
from the growth of our Internet economy during the past 2 
decades and cloud computing represents the next evolution of 
that economy.
    Already, there are few Americans who do not have some of 
their data stored on remote servers by these online 
intermediaries. Congress must consider how to ensure that our 
legislative and regulatory regimes do not undermine the 
benefits the Internet provides.
    Thank you.
    [The prepared statement of Mr. Werbach follows:]

                  Prepared Statement of Kevin Werbach

























                               __________
    Mr. Nadler. Thank you.
    We will now hear from our second witness. Professor Cate is 
recognized.

  TESTIMONY OF FRED H. CATE, PROFESSOR, DIRECTOR, CENTER FOR 
       APPLIED CYBERSECURITY RESEARCH, INDIANA UNIVERSITY

    Mr. Cate. Thank you very much, Mr. Chairman, Mr. Franks.
    I have been asked to present a brief overview of the Stored 
Communications Act, and although I would rather describe almost 
anything else I will nevertheless take the next few minutes to 
do so. But before doing so I would like to say first, Mr. 
Chairman, how much I appreciate your holding these hearings 
today and the series of hearings that you have been holding 
about Electronic Communications Privacy Act reform. It is a 
critical issue and worthy of the attention that you and this 
Committee have been devoting to it.
    The primary constitutional limit on the government's 
ability to obtain personal information about individuals is the 
Fourth Amendment. However, under the Supreme Court's Third 
Party Doctrine records disclosed to or held by a third party 
receive no constitutional protection. Searches of these records 
need not be reasonable and no judicial oversight is involved.
    Congress responded to the Court's Third Parry Doctrine 
decisions by enacting a variety of laws to put in place 
statutory protections where constitutional protections were 
missing. One of those was the Stored Communications Act, which 
deals, of course, as you know, with communications and other 
records in electronic storage such as e-mail and voicemail.
    The 1986 Senate report on the Stored Communications Act 
explains that computer users at that time generally used 
network services in two ways. First, they used networks to send 
and receive e-mail.
    Second, they used network services to remotely store and 
process data--in other words, to do things which they could not 
do on a local computer. Both of these sets of uses would 
receive no constitutional protection so Congress enacted 
statutory protection.
    And the Stored Communications Act divides stored electronic 
communications into two categories responding to these two 
predominant uses in 1986. An electronic communication service 
is defined by the statute as the temporary, intermediate 
storage of a wire or electronic communications incidental to 
the electronic transmission thereof, as well as storage for 
certain backup protections. A remote computing service is the 
provision to the public of computer storage or processing 
services by means of an electronic communication system.
    Now, records within an electronic communication service, an 
ECS, are further divides into subcategories based on the 
duration of storage. So government demands for records that are 
held as part of an ECS that have been stored for 180 days or 
less require a traditional warrant issued by a competent court.
    To obtain material within an ECS that has been stored for 
more than 180 days or to obtain material stored as part of an 
RCS, or remote communication service, the government has three 
options. It can use a warrant; it can use a subpoena, which has 
no involvement of a court; or it can use a court order based on 
specific and articulable facts, sometimes called a 2703D order, 
or a D order, for short.
    If the government chooses not to provide notice to the 
individual then a warrant is required. If it does provide 
contemporaneous, or in some cases delayed, notice then it may 
use a subpoena or a D order, at its election. Under either 
category of service, an ECS or an RCS, a service provider may 
voluntarily provide the records to the government certain to--
subject to certain limitations.
    Now, complicating this already somewhat complicated picture 
is the fact that the Department of Justice believes, and most 
courts who have considered the issue to date have agreed, that 
the warrant requirement for records stored 180 or less only 
applies to unopened e-mail. If you have opened the e-mail it is 
automatically kicked into the more-than-180-days rule, which 
would allow access without the involvement of a court.
    Information about a customer's account, as opposed to the 
content of a customer's communication, may be obtained under a 
much lower standard, either, again, with a warrant, a 2703D 
order, or, in the case of telemarketing fraud, merely upon 
formal written request--it takes no judicial authorization at 
all. And even more basic information, what the statute refers 
to as ``basic subscriber information,'' such as name and 
address and length of service and type of service and means of 
payment, can be obtained with an administrative subpoena, a 
grand jury subpoena, or a trial subpoena--again, no involvement 
of a court; these can be issued by the law enforcement agency 
itself.
    This quite complicated set of arrangements is actually 
described in a chart in my prepared testimony. It is rare that 
I would ever refer you to a chart, but this is one instance in 
which the Committee might find it of some use.
    So let me conclude by noting, as I think you have heard 
already, the Stored Communications Act has been the subject of 
considerable criticism, and that criticism might be divided 
into a number of categories. I would encourage you to 
distinguish between two, however: those which related to the--
what we might think of as the ambiguity or the drafting of the 
statute itself, and those--which I think have been highlighted 
this morning--those caused by the transformation in the 
technology, transformation which has actually rewritten the 
statute without any action by Congress or by this Committee.
    Thank you very much.
    [The prepared statement of Mr. Cate follows:]

                   Prepared Statement of Fred H. Cate

















                               __________

    Mr. Nadler. Thank you.
    As you may have noticed, the buzzers have rung. We have 
four votes on--five votes on the floor. It will probably take 
about 40, 45 minutes, of which 10 minutes have already elapsed. 
So I thank the witnesses for their indulgence.
    I will recess the hearing until immediately after the last 
of the five votes, and I urge the Committee Members to return 
as soon as possible immediately after the last vote. Pending 
the completion of the votes on the floor the Committee is in 
recess.
    [Recess.]
    Mr. Nadler. The Committee will reconvene, and I thank 
everyone for their patience. We are about to hear from Mr. 
Hurbanek, is recognized.

TESTIMONY OF THOMAS B. HURBANEK, SENIOR INVESTIGATOR, COMPUTER 
               CRIME UNIT, NEW YORK STATE POLICE

    Mr. Hurbanek. Chairman Nadler, Congressman Franks, and 
Members of the Subcommittee, my name is Thomas Hurbanek, and I 
am a senior investigator with the New York State Police 
computer crime unit, a statewide detail of specially trained 
investigators and civilian staff that provides investigative 
and forensic support to state, local, and Federal law 
enforcement agencies. Thank you for the opportunity to testify 
about ECPA reform and the revolution in cloud computing.
    Today I would like to highlight the challenges that cloud 
computing presents to state and local law enforcement officers 
who are attempting to investigate and prevent crimes in order 
to protect the citizens and businesses within their 
jurisdiction.
    We can look at cloud computing from two perspectives. 
First, there is the delivery of computing services to end users 
over the Internet; second, the migration of business computing 
infrastructure to shared resources accessed over the Internet, 
which can be provided within the enterprise or provisioned from 
third party providers.
    The connected consumer of today can be accessing and 
storing information over the Internet using many devices--home 
and work computers, one or more smartphones or other devices 
connected to multiple wireless providers, GPS units, game 
consoles, e-readers, even vehicles. The consumer can be 
communicating with thousands of people using social networking 
sites, multiple e-mail messaging and Internet telephone 
accounts, and identities avilable from hundreds of possible 
providers while also transacting business with thousands of 
companies from around the world.
    Criminals have adopted every piece of this technology and 
used it to improve their ability to commit crimes or to 
victimize individuals and businesses worldwide with no regard 
for borders, laws, and jurisdiction. This can make 
investigations involving the Internet daunting for the majority 
of police officers and extremely challenging even for highly 
trained investigators with access to advanced tools and 
equipment.
    One example is the theft of online banking credentials, 
where highly organized groups are using very sophisticated 
attacks to compromise legitimate Internet sites, infect the 
computing devices we rely on, obtain legitimate access 
credentials, and steal millions of dollars from consumers, 
small-to medium-sized business, local governments, and school 
districts. Banking regulators estimate that more money is being 
stolen in online thefts than through traditional bank 
robberies.
    In the state of New York there are nearly 20 million 
people. Citizens and businesses expect that when the call the 
New York State Police or one of over 500 local police agencies 
because they are a victim of crime that their case can be 
investigated. When the crime involves the use of devices 
connected to the Internet one of the primary sources of 
information are business records maintained by private sector 
entities from one-person, home-based business to multinational 
corporations.
    In New York State law enforcement does not have 
administrative subpoena power. Requests for subpoenas must 
first be reviewed by the district attorney and then presented 
to a grand jury. Each county has its own procedure and criteria 
for requesting and obtaining subpoenas, and in some 
jurisdictions they can be difficult to obtain, especially for 
investigations involving non-felony offenses.
    Time is our enemy in Internet investigations. Records and 
communications may not be retained or information may 
intentionally or accidently be deleted or corrupted. Technology 
has created many new sources of information that may be 
accessed by law enforcement equalized by the very number of 
private sector entities that must be contacted to build 
information during an investigation.
    The advances of cloud computing present even more 
challenges for law enforcement. I would like to highlight a few 
of these.
    Encryption: Companies are using advanced encryption 
technology to secure data transmitted across the Internet. This 
may create situations where law enforcement does not have the 
technological means to access communications regardless of the 
legal authority to do so. The recent concerns in many countries 
about the encryption implemented on Blackberry devices 
demonstrates this problem.
    Virtualization: We are rapidly moving to an environment 
where software applications run on virtual computers and 
servers that can instantly----
    Mr. Nadler. Excuse me. Could you enlighten us what you mean 
by ``virtual computers and servers''?
    Mr. Hurbanek. Yes. Virtual computers would be a server that 
is run in memory, so it loads up and it runs only while the 
machine is running and then shuts down. It is not a physical 
device. So I could run--and the Rackspace guys could talk about 
this--I could run 100 servers in memory on one machine. Does 
that explain it, or----
    So the applications or the computers could instantly be 
started, stopped, refreshed, removing traces of data that law 
enforcement has been able to access during the forensic 
examination of seized computers. These virtual environments can 
be operated outside of the United States.
    Data storage: With the evolution of cloud computing 
services the storage locations for data will often be out of 
the jurisdiction of state and local law enforcement. Data will 
also be stored outside of this country and not only in 
jurisdictions that have a friendly relationship with the United 
States.
    And apps: Applications in the cloud can be accessed from 
anywhere and data can be imported from one storage location, 
processed, and returned to the original location or another 
location.
    At the New York State Police we cannot sit at our computer 
and access the extensive data about individuals and their 
transactions with companies on the Internet. There is no 
database that lets me choose an individual and identify all of 
the e-mail, messaging, and social networking accounts they use. 
I cannot access the subscriber information for all Internet-
based telephone accounts like we have done in the past with 
telephone subscriber directories.
    I would like to close with an example from a recent case in 
New York State. While investigating a business and executing a 
search warrant at the business location it was discovered that 
there were no financial records about the business stored on 
site. All records were stored and processed on offshore servers 
which were accessed from the business and the accountants for 
the business accessed a limited number of records from a 
different location to prepare tax returns.
    This is just one example of how the technological advances 
and jurisdictional issues created by cloud computing may 
already be negating the fact that there are new sources of 
transactional records being maintained by companies operating 
on the Internet, especially in the case of state and local law 
enforcement.
    Thank you for the opportunity for the New York State Police 
to provide testimony.
    [The prepared statement of Mr. Hurbanek follows:]

                Prepared Statement of Thomas B. Hurbanek













                               __________

    Mr. Nadler. Thank you.
    Mr. Schmid, you are recognized.

 TESTIMONY OF KURT F. SCHMID, EXECUTIVE DIRECTOR, CHICAGO HIGH 
            INTENSITY DRUG TRAFFICKING AREA PROGRAM

    Mr. Schmid. Thank you, Mr. Chairman and Representative 
Franks.
    I appear to you as a law enforcement official with over 40 
years of experience, and many of those 40 years dealing with 
ever-evolving communication and computer technologies and the 
attendant challenge to preserve law enforcement's lawfully-
authorized electronic surveillance capability while maintaining 
the privacy rights of individuals and sustaining industry's 
ability to keep pace in a fiercely competitive market. 
Preserving those intercept capabilities for law enforcement 
while reforming and aligning the ECPA to address new and 
emerging communication technologies are the primary themes of 
my testimony today.
    And, Mr. Chairman, if you would convey to Representative 
Conyers that, like Representative Conyers, I was also here in 
1986 in my similar capacity.
    The face of crime today--many aspects of the traditional 
criminal landscape have changed significantly as a direct 
result of new technology. Law enforcement embraces new and 
innovative technologies, the entrepreneurial opportunities they 
present, and all of the other positive impacts these 
technologies have on our society today.
    However, law enforcement must be vigilant in how the 
criminal exploits them to harm others. Many criminals have 
exploited new technologies in ways not previously anticipated. 
As an example, more traditional crimes like prostitution, 
street corner drug trafficking activity, laundering and moving 
illicit proceeds, just to name a few, have taken on an entirely 
new dimension using networked technologies and offers the 
criminal a cloak of invisibility from traditional public or law 
enforcement observation and detection.
    Criminals have created entirely new, more effective ways to 
operate their illicit enterprises. Examples include using 
social networking applications as an instant communication tool 
to coordinate and conduct violent gang operations and attacks, 
a recruiting tool that can enlist and indoctrinate criminal 
cohorts from around the world, or an effective training 
platform to teach ways to avoid detection. Crimes like identity 
theft, human trafficking, child exploitation, among others, 
have taken on a global aspect as a result of access to these 
powerful technologies.
    As more and more users migrate from desktops and laptops to 
the now ubiquitous and powerful smartphone to conduct their 
computing and communication functions traditional data 
retention guidelines under ECPA no longer apply to providers of 
these services. These data retention gaps have often manifested 
themselves as an end of a trail of electronic evidence in many 
major criminal investigations.
    Simply stated, law enforcement must preserve its ability to 
conduct lawfully-authorized electronic surveillance and must 
have reasonable and expeditious access to stored information 
that may constitute evidence of a crime committed or about to 
be committed regardless of the technology platform on which it 
resides or is transferred. Retention of this information by 
service providers is of paramount importance to law 
enforcement, also.
    The law enforcement community has repeatedly learned that 
the criminal quickly adapts new technologies to his repertoire 
of tools not only to enhance his illicit activities, but also 
to create--and we hope only a temporary--safe haven in which to 
operate. Law enforcement, generally lagging the technological 
capability and/or the legal precedent to intercept or access 
communication and data, must deal with these difficult 
situations for sometimes long periods of time before solutions 
are found. Opportunities to sit at the table with industry, 
privacy advocates, and lawmakers prior to major technology 
rollouts are crucial to preventing sometimes years of 
unintended consequences.
    The rollout and subsequent activity facilitated by Congress 
enacting the Communications Assistance for Law Enforcement Act, 
or CALEA, in 1994 defined statutory obligations telecom 
carriers had to implement to help law enforcement preserve its 
ability to conduct lawful electronic surveillance. This action 
was taken by Congress to preserve the public safety.
    As challenging as it has been, CALEA also created the 
opportunity for law enforcement to sit at the table with 
industry and develop standards by which law enforcement 
requirements can be addressed. Absent CALEA, law enforcement's 
ability to conduct lawful intercepts would have been 
significantly diminished or even eliminated.
    A similar approach addressing cloud computing and other 
emerging technologies seems reasonable and necessary in 
reforming ECPA. Law enforcement's preference to preserving its 
ability to access relevant electronic data to detect, prevent, 
and solve crime is to sit at the table with lawmakers, privacy 
groups, industry, and others to articulate its concerns and 
requirements. Such a process will more likely result in 
effective legislation that balances privacy and public safety 
and sustains a reasonably equitable and level playing field for 
industry.
    If no action is taken to reform ECPA other less desirable 
outcomes, namely awaiting a court's decision, sometimes 
promulgated by officials not sufficiently steeped in relevant 
technology, law enforcement operational or other privacy issues 
may determine how we deal with these complex issues. This type 
of undesirable outcome can lead to long periods of having to 
comply with flawed case law.
    In summary, law enforcement is constantly striving to 
preserve, not extend, its lawfully-authorized electronic 
surveillance and digital data access authority. A very 
important component of that preservation involves retaining, 
not relinquishing, established thresholds when subpoenas and 
search warrants are appropriate. Subpoenas assist law 
enforcement to focus on investigative targets, frequently 
serving as a tool to eliminate innocent persons from being 
investigated while serving to develop additional leads and 
evidence on the offender in question.
    Our Nation's citizens demand that law enforcement connect 
the dots to detect, prevent, and retrospectively investigate 
crime. Subpoena authority assists law enforcement to collect 
those dots.
    We live in a rapidly changing and dangerous world. Any 
erosion of law enforcement's lawful access to digital 
information while criminals are continuing to empower 
themselves with these technologies of unprecedented capability 
create a perilous dilemma.
    State and local law enforcement agencies, unlike government 
agencies with abundant resources, are particularly susceptible 
to and challenged by criminals exploiting emerging 
communication technologies. A tragic but all too common--almost 
daily--example of this susceptibility is a violent crime, such 
as a homicide, committed in a local jurisdiction. A cellular 
smartphone is often the key to solving the crime.
    Quick access to data related to that phone often determines 
whether or not the offender is captured before he commits other 
egregious criminal acts. Lawful access to digital communication 
media and sufficient retention of those data by service 
providers are critical to state and local law enforcement's 
daily investigative efforts and must be preserved.
    Thank you for the opportunity to appear before you today. I 
applaud your efforts to address this very important issue. 
Thank you.
    [The prepared statement of Mr. Schmid follows:]

                  Prepared Statement of Kurt F. Schmid














                               __________
    Mr. Nadler. Thank you.
    And Mr. Zwillinger is now recognized.

               TESTIMONY OF MARC J. ZWILLINGER, 
                    ZWILLINGER GENETSKI, LLP

    Mr. Zwillinger. Thank you. Thank you, Chairman Nadler.
    I am pleased to be back before this Subcommittee to discuss 
ECPA reform and cloud computing. As you know, I have worked 
with ECPA for over 13 years, both as a former DOJ attorney who 
has taught prosecutors how to apply the law, and now as outside 
counsel for Internet service providers.
    Today I want to focus on three ways in which ECPA no longer 
strikes the right balance between law enforcement interests and 
user privacy when it comes to data stored in the cloud. First, 
e-mails and other private messages lack adequate protection 
under the law; second, the standard for law enforcement access 
to stored files like documents and photos is too low; third, 
ECPA's failure to address civil litigant and criminal defendant 
access at all generates confusion and needless litigation.
    To elaborate on my first point, e-mails are not fully 
protected because ECPA does not state clearly enough that a 
search warrant is required to obtain all types of stored e-
mails, and it does not protect e-mails regardless of age. In 
fact, ECPA's protections run counter to user expectations.
    If you are a typical e-mail user, the messages that are 
most likely to be important to you and private are the ones 
that you have already read and decided to save. Those e-mails 
might include notes from a friend, communications with a health 
care provider, or intimate messages from a spouse.
    By contrast, the unopened messages in your inbox may be 
spam, or ads, or automatically-generated confirmations that you 
will delete without ever reading. Unfortunately, the 
unimportant and unopened messages may be more protected than 
the important ones.
    Under ECPA the government needs a search warrant to access 
messages in electronic storage for 180 days or less. But 
electronic storage is defined as temporary, intermediate 
storage incidental to transmission and the storage of such 
message for backup protection.
    When ECPA was passed, ISPs stored user e-mails only until 
the user logged in and downloaded their mail. That storage was, 
indeed, temporary and intermediate. After the user downloaded 
the messages the ISP generally kept nothing.
    Now services like Yahoo mail and Gmail and social networks 
retain messages until they are deleted by the user. If users 
don't download their messages when does temporary and 
intermediate storage end?
    DOJ believes that temporary storage ends the moment a 
message becomes marked as ``read,'' even if it was only briefly 
skimmed on a mobile device. That interpretation of ECPA is 
arbitrary, as nothing magical happens when a user reads a Web 
mail message. It stays exactly where it has been since it was 
received--on a server in the cloud. In fact, a message can be 
marked as ``read'' or ``unread'' regardless of whether the user 
actually looked at it.
    Federal statutory protection for e-mails cannot really 
depend on how a user chooses to mark their mail. This ambiguity 
about the protections for e-mails stored in the cloud needs to 
be clarified.
    An additional way in which ECPA fails to properly protect 
e-mail is the 180-day rule. This statutory rule was based on 
the fact that in 1986 e-mails were only stored briefly by the 
ISP and any material it had after 6 months was likely to have 
been abandoned by a user. This assumption, which is described 
in the legislative history, has proven incorrect and it is time 
to get rid of that restriction.
    As to my second point, ECPA also underprotects stored 
files, like photos or documents. Here the unilateral delayed 
notice provisions are the culprit, making it too easy for the 
government to obtain private content without user notice or 
judicial oversight.
    In fact, the government can get the content of such files 
more easily than it can get transactional or other subscriber 
records. Allow me two examples: If the government wants a list 
of e-mail addresses with whom a user has communicated, it must 
apply for a court order and it must show specific facts that 
demonstrate the information is material to a criminal case. 
Similarly, any data besides basic subscriber information, such 
as a user's gender or birth date, also requires a court order.
    But if a user stores a private journal in a password-
protected file online the government can get that private 
journal with a mere subpoena and no notice to the user if it 
believes that providing such notice might interfere with a 
criminal case. If the same user kept the same journal on his 
laptop, law enforcement would need a search warrant to get it 
or it would have to serve the user directly with a subpoena so 
that he could object.
    So the government can get a user's private journal from an 
ISP with a subpoena without judicial review or notice but needs 
a judge's blessing to learn the user's gender or birth date. 
That does not strike the right balance between privacy and law 
enforcement needs.
    In revising ECPA Congress should make clear that a subpoena 
with delayed notice is not enough to access private content 
stored online. Instead, the government should be required to 
show a magistrate that there is probable cause to believe a 
crime has been committed and that the user's account contains 
evidence of that crime.
    Finally, I want to briefly comment on ECPA's silence 
regarding access by civil litigants and criminal defendants. 
ECPA prohibits ISPs from disclosing the contents of 
communications to anyone other than the government.
    Often civil parties and criminal defendants are surprised 
by this and file motions to compel production that are 
misguided but costly. And while some courts have confirmed the 
absence of civil discovery provisions in ECPA, other judges do 
not initially recognize that such a prohibition exist because 
it is not mentioned in the statute specifically.
    This gets more complicated if a criminal defendant cannot 
get access to files that he believes are exculpatory and key to 
his defense. Some trial courts have ruled that the restrictions 
in ECPA are unconstitutional to the extent they interfere with 
a defendant's right to due process. An amended ECPA should 
clarify the general prohibition on disclosure but create 
exceptions in narrow circumstances with prior judicial review.
    In conclusion, changes in technology and user behavior have 
altered the way ECPA works in practice and the time is right 
for a revision that restores the prior balance between law 
enforcement needs and user privacy to reflect the uses of the 
Internet in the 21st century.
    Thank you for the opportunity to testify today.
    [The prepared statement of Mr. Zwillinger follows:]

                Prepared Statement of Marc J. Zwillinger



















                               __________

    Mr. Nadler. Thank you very much.
    I recognize myself first for questioning.
    Professor Werbach, we are mainly concerned with balancing 
necessary access to data in the cloud by law enforcement with 
the consumer's interests and personal privacy. You said, as a 
number of others of our witnesses have said, that striking that 
balance correctly will act as a driver for growth in the cloud 
computing market and that not doing so would act as a deterrent 
to business growth.
    How could either uncertainty about government access or a 
popular perception that such access is not adequately governed 
impair that market, and what recommendations do you have from 
your perspective as a business expert to make sure that doesn't 
happen?
    Mr. Werbach. Well, in terms of impairing the market, as I 
said in my testimony, one issue is trust, that the growth of 
this Internet economy, which, as I described, is not just a 
narrow set of services but all the sorts of developments that 
are happening based on this infrastructure depends on users and 
service providers having a sense of trust that when they put 
their data online that it will be protected. And anything that 
interferes or diminishes that trust is going to have some 
retarding effect.
    Also, we are in a global environment here, so businesses 
make decisions about where they invest based on the 
environment. If they are going to invest in building 
infrastructure, and building services, and marketing, and 
building up customer bases here in the United States they have 
to feel a confidence level that the processes and procedures 
and protections around their data are appropriate, otherwise 
they may choose to make those investments somewhere else.
    So at every level the degree to which access to data and 
protection of data is carried out is going to have some 
influence on the decisions that get made and on the speed and 
trajectory of this marketing.
    Mr. Nadler. Thank you.
    Professor Cate, in your testimony you described several 
broad categories of criticism of the Stored Communications Act. 
One category concerns the lack of publicly available aggregate 
statistics detailing the extent to which third party providers 
are routinely compelled to deliver customers' communications 
and other private data to law enforcement agencies. You 
indicate that because most service providers do not disclose 
this information Congress has no reliable data to determine the 
scale of requests and disclosures being made under the SCA.
    Why do you think Congress should have access to this type 
of information? What use might Congress make of such 
information?
    Mr. Cate. Thank you very much, Mr. Chairman. In most of the 
laws which Congress has enacted which provide for access by the 
government to private records it has required the government to 
file reports with Congress on either an annual or a semiannual 
basis saying how often do they use that authority and with what 
effect. So this is true of wiretaps; it is true of pen 
registers; it is true of trap and trace orders.
    Having those statistics gives Congress a sound empirical 
basis on which to evaluate how its laws are being used and 
whether they need to be changed. It also provides that same 
information for people such as those of us gathered at this 
table when making recommendations to Congress. And it provides 
information to the public and the press so that they know how 
those laws are being used and to what effect.
    But there is an additional value which I think is really 
quite important and should not be overlooked, and that is by 
making the government agencies themselves keep those 
statistics, and therefore have to account internally for how 
they are using those, we get stronger oversight internally. So, 
for example, when the FBI, in reporting its use of national 
security letters, grossly underestimated its use of those, as 
pointed out by the Office of the Inspector General and the 
Department of Justice, it provided the Department of Justice an 
opportunity to go in and help build better procedures for 
making sure that the FBI was using its authority given to it by 
Congress appropriately. It is only by having that reporting 
requirement you see that opportunity carried out.
    Mr. Nadler. Thank you.
    Mr. Hurbanek, I was intrigued by one thing you said. You 
talked about a law enforcement investigation in which a warrant 
was served on a business and that warrant proved fairly useless 
because there was no information there; everything was stored 
in the cloud.
    Now, I assume that if you had the warrant--or if the law 
enforcement agency, not you--if the law enforcement agency had 
the warrant for the business they could have gotten a warrant, 
if necessary, to look at the same information in the cloud. But 
would that have done any good if the cloud is stored in a 
virtual situation? In other words, you seem to have indicated a 
situation for which the issue is not whether--I mean, there has 
been an implicit discussion here today as to whether we should 
require a warrant for some of these things, but you have 
described a situation where whether you have a warrant seems to 
be irrelevant because given the warrant you can't get the 
information.
    Mr. Hurbanek. Yes, Mr. Chairman, and that--we have evolved 
from where we used to drive to a business and take all of their 
computers out on a big truck.
    Mr. Nadler. You should turn on your microphone.
    Mr. Hurbanek. It is on.
    Mr. Nadler. Okay. Go ahead.
    Mr. Hurbanek. Okay. So we no longer drive to the business 
and take the records in a truck; we would go to a business and 
extract whatever data we had in our warrant. This is moving so 
now the data----
    Mr. Nadler. You would go to the business and extract 
whatever data you had in the warrant by accessing their 
computers on the site?
    Mr. Hurbanek. Yes.
    Mr. Nadler. You wouldn't take the computer?
    Mr. Hurbanek. No. We don't take boatloads of business 
computers very often anymore. And so now the data may be hosted 
by the third party in the cloud which, if in the United States, 
we would have access to and we could get there and secure the 
data.
    The concern then becomes, what if the data is not in this 
country? And because of the business means and the 
opportunities around the world it is quite possible. Now, we 
have a lot of legitimate businesses testifying here today; 
those are not the only people offering places to store data.
    Mr. Nadler. So if I were an illegitimate business, or if I 
were a business that wanted to cut some corners I would 
probably--and if I were thinking about it--I would store it 
abroad.
    Mr. Hurbanek. And you see that a lot with Internet gambling 
and things like that. Or the recent thing with military 
secrets--the person who published those on the Internet 
specifically is doing that from certain countries, not from 
within the United States.
    Mr. Nadler. I see. Now, assume a frequent traveler keeps 
his private diary online instead of at his bedside table. This 
user keeps it stored in the cloud so he can type diary entries 
when he travels so that he doesn't have to ever leave his diary 
in a strange hotel room; he has been doing so for several 
years. The account he keeps it in is password-protected and he 
has shared the password with nobody.
    Mr. Zwillinger and others suggest that law enforcement can 
get access to this diary by serving a subpoena to an online 
service provider and certifying that providing the user with 
notice may cause him to destroy evidence or flee the 
jurisdiction. Is that true? And if so, should that be the law?
    Mr. Hurbanek. That is interesting that--and the lawyers 
have identified all of the problems with ECPA. It is very 
confusing. We don't know where to begin.
    In a traditional criminal investigation we would come upon 
the existence of a diary maybe through interview, and we might 
search for the diary. In the virtual world, in the cloud, if we 
became aware that the person kept a diary the first question we 
have to ask is, where?
    Where might the diary be stored? How would we find it? Who 
has it? Does it even exist?
    We can't make the barriers to even finding the mere 
existence of the diary so strenuous that we can't conduct our 
investigation. Whether or not we can access the content and 
obtain the diary is pretty well written.
    Mr. Nadler. Mr. Schmid, do you have anything to say on 
that?
    Mr. Schmid. Thank you, Mr. Chairman. By example, it gets 
more and more complex for law enforcement. Back in 25 years 
ago, when--as an example, when we would conduct a lawfully-
authorized court-ordered wiretap we would serve typically one 
order on the phone company, service provider.
    Today it is not unusual for a law enforcement officer or 
investigation to have to serve seven, eight, nine different 
court orders to be able to either access or ascertain where 
some of these data are lying. So it becomes very, very complex. 
And add that to the dimension of being a foreign-owned 
business; that really throws us way out of the ballgame.
    So it does become extraordinarily complex in just the 
process of how we access----
    Mr. Nadler. Okay. Thank you.
    My time is running short so I will ask Mr. Zwillinger one 
quick question.
    As I have listened to your testimony today I am struck by 
how some of the assumptions that Congress made in 1986 about 
consumer and business network and how to protect consumer 
privacy obviously do not hold true in today's technology 
environment. Everybody has said the same thing.
    You make the case in your testimony that, 
counterintuitively, non-content transactional data sometimes 
receives more protection than content. Given your law 
enforcement background, what might the law enforcement argument 
be, if any, to justify continuing the legal framework whereby 
some types of content are more easily obtained than some types 
of transactional records? Any justification for that?
    Mr. Zwillinger. Yes. You know, I don't think the Department 
of Justice or law enforcement disagrees conceptually that 
content should be more protected than non-content. I think when 
you shift what the law has evolved to they are going to want to 
defend the status quo because, as Mr. Schmid said, it is more 
efficient for them.
    But in order----
    Mr. Nadler. Excuse me--all this massive confusion is more 
efficient for them?
    Mr. Zwillinger. I agree with you, Mr. Chairman. You know, I 
don't think it is that confusing either, because--let me give 
you an example.
    They would probably try to defend the status quo by saying 
that when you store things online with a service provider, 
since the service provider has some right to access the data 
the individual has given up some of their privacy. But I don't 
think that is right. That is not the way the law generally 
works.
    If I store my photos in an online album and only my wife 
and I have the password, and we do that so they don't get 
burned in a fire and we can see them wherever we go, we are not 
intending to give up any protection to the service provider, 
and the fact that a service provider could access them does not 
take away our privacy interests. It would be like law 
enforcement saying, ``You have photo albums in your house but 
we can get them without a search warrant because when the 
photos were developed the person at Kodak could see the 
pictures, and therefore you gave up your privacy interests.''
    We don't think that way. We don't say there is no privacy 
in a phone call because the operator in 1967 could have 
listened in.
    So I think that is what the argument would be. I think they 
have made that argument before. I just don't think it works 
well anymore.
    Mr. Nadler. I see.
    Thank you very much.
    I now recognize the distinguished gentleman from Arizona.
    Mr. Franks. Well, thank you, Mr. Chairman.
    Professor Cate, if I could start with you and maybe give a 
couple of others a shot at it, what do you believe would be the 
one most significant change to ECPA that would clarify what you 
believe is not clear and what is confusing to law enforcement 
officials, and service providers, and courts in general? What 
is the one thing that we could do to bring some clarity and 
balance to the whole thing?
    Mr. Cate. Thank you very much, Congressman. I would like to 
see the law move to a requirement that a warrant is required to 
obtain content without regard for whether the content is in an 
e-mail that has been opened or not and without regard for how 
long it has been stored so that we would draw a bright line, 
universally applied, to say when seeking content the same 
condition, whether you come to my home computer, you go to my 
service provider, or you go to some recipient's computer, it 
would be the same legal standard in all of those settings.
    Mr. Franks. Mr. Hurbanek, what would you say to that?
    Mr. Hurbanek. I think it requires a case-by-case debate. I 
think our concern is mostly that the initial records can be 
obtained, that we--and that the Federal Government take some 
leadership that helps the states craft statutes that make sense 
for us.
    I know that is a big lift, but right now it is very 
difficult for us to initiate investigation. It is tough to get 
subpoenas and it is tough to get started. So we need to look at 
this as to what information is material and relevant early on, 
and then what steps do we have to take beyond that.
    Mr. Franks. And what would you--can you first just tell us 
what the term ``going dark'' means?
    Mr. Hurbanek. Going dark? That is an FBI discussion about 
the fact that we are losing our ability to see what criminal 
enterprises are doing. Even if we had the rights to tap into 
the communication we technologically may not be able to see 
them.
    Mr. Franks. Mr. Chairman, that almost seems like the 
elephant in the room here, is that regardless of the potential 
accessibility by law enforcement that the technology is 
outrunning that, and that because of the virtual capability of 
being able to access the cloud and then essentially 
disappearing without any, you know, electronic traceable data, 
it almost seems to me like that is going to be a real boon to 
the bad guys.
    Mr. Hurbanek, I will go ahead and stay with you for a 
moment. Can you explain what is meant by storing records in 
the--by storing a record in the cloud and what is a private 
cloud? Help us understand what a private cloud is.
    Mr. Hurbanek. Well, the private cloud--clearly business 
isn't completely ready to put all of their corporate secrets 
and enterprises out with a third party. That is an evolution 
that is taking place.
    The private cloud is when a company such as Amazon, 
Rackspace, Microsoft--all the ones that are here--provide you 
with the technology within you enterprise. So the data may 
still be traveling over the Internet; the data may still be 
stored in multiple locations and accessed remotely. But you do 
maintain enterprise control of it.
    Those will then scale to external third parties partially, 
and ultimately completely. Even the Federal Government is 
studying how to outsource to the third party.
    Mr. Franks. Well, I want to--if I could I just want to go 
down and ask each one of you to just--a couple sentences at the 
most--to tell me, from your varying perspectives, what you 
believe--the same answer would be the question I asked 
Professor Cate--what is the one thing that you would do that 
you think would be most significant to protect what you 
consider to be the most significant issue involved here?
    Professor Werbach?
    Mr. Werbach. I would agree with Professor Cate that 
something to remove these artificial distinctions and to 
recognize that today putting information on these remote 
servers is not fundamentally different for users than storing 
them locally on a computer.
    Mr. Franks. Skip you here, Professor.
    Mr. Hurbanek, would you take a shot at it?
    Mr. Hurbanek. And my answer would be that whatever 
framework is set up it needs to be straightforward and 
understandable, and we need to efficiently be able to access it 
through whatever courts or prosecutors, and through whatever 
third party companies house the data.
    Mr. Franks. And would that take with it any sort of mandate 
that the information be indexed in some way that would be 
proprietary to law enforcement to be able to access?
    Mr. Hurbanek. We don't normally ask companies to index the 
data for us. They are indexing data and storing data for their 
business purposes. We just ask that if it is relevant that we 
can get access to it.
    Mr. Franks. Mr. Schmid?
    Mr. Schmid. To appropriately align the statutory and 
regulatory aspects of a reformed ECPA to the current 
technology. And that involves actually bringing clarity not 
only to this body but also brings clarity to law enforcement. 
And that seems to be where a lot of the confusion and a lot of 
the issues that really, really prevent us from doing our job 
effectively have come.
    Mr. Franks. The way things are going that might also 
include trying to discover a new type of physics. You know, it 
looks like----
    Mr. Zwillinger. On the same question I would agree with the 
professor at the other end of the table. I think a probable 
cause requirement for content in the cloud is the one thing you 
could do.
    And just to respond to Mr. Schmid earlier, the types of 
materials we are discussing were not generally in the cloud or 
stored online in 1986. That is, a content requirement where you 
have a probable cause for all content really restores the 
balance to where it was; this content was stored locally.
    So it is not relinquishing or giving up law enforcement 
access and law enforcement will still have the building blocks 
for investigations through records--transactional records, 
subscriber information. But content should be protected by a 
warrant.
    Mr. Franks. And there is no one on the group here that 
believes that having some type of warrant requirement for 
content specifically would severely restrict or significantly 
restrict law enforcement's capability to protect us? Anyone? 
No?
    Mr. Cate. If I may, Congressman, I would just point out 
that the Congress, again, in ECPA put in place a very 
significant wiretap warrant requirement, and in the time since 
that has been put in place we have seen just over 40,000 
wiretap orders granted and fewer than 40 denied by courts. So 
the argument that is often made about warrants is that it is 
not a new impediment; it doesn't result in the data becoming 
unavailable. It is a new process for getting access to the data 
that requires that some other person other than just the 
investigator be involved, play some oversight role.
    Mr. Franks. Yes.
    Mr. Cate. Thank you, sir.
    Mr. Franks. Thank you all very much.
    Thank you, Mr. Chairman.
    Mr. Nadler. I thank all the witnesses. It is clear we have 
two problems, one of which we can address here, and that is the 
proper standards, and subpoenas, and warrants, and so forth, 
and the other is advancing technology.
    I would simply observe that that advancing technology is 
part of the war between offense and defense that has been going 
on since time immemorial and will continue to go on. And at one 
point offense has got the trump hand and at the other hand the 
defense, and that will continue going on. But we have to deal 
with the legal consequences of as it is now and as it will be 
in the reasonably foreseeable technological future.
    So I want to thank all the witnesses for the helping hand 
you have given us today.
    Without objection, all Members have 5 legislative days to 
submit to the Chair additional written questions for the 
witnesses which we will forward and ask the witnesses to 
respond as promptly as they can so that their answers may be 
made part of the record. Without objection all Members will 
have 5 legislative days to submit any additional materials for 
inclusion in the record.
    And again, thanking our witnesses. And with that, this 
hearing is adjourned.
    [Whereupon, at 2:12 p.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record







                                










                                










                                








                                















                                 
