[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
ECPA REFORM AND THE REVOLUTION IN
CLOUD COMPUTING
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON THE CONSTITUTION,
CIVIL RIGHTS, AND CIVIL LIBERTIES
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 23, 2010
__________
Serial No. 111-149
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
U.S. GOVERNMENT PRINTING OFFICE
58-409 WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
COMMITTEE ON THE JUDICIARY
JOHN CONYERS, Jr., Michigan, Chairman
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. ``BOBBY'' SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
WILLIAM D. DELAHUNT, Massachusetts
STEVE COHEN, Tennessee
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
PEDRO PIERLUISI, Puerto Rico
MIKE QUIGLEY, Illinois
JUDY CHU, California
TED DEUTCH, Florida
LUIS V. GUTIERREZ, Illinois
TAMMY BALDWIN, Wisconsin
CHARLES A. GONZALEZ, Texas
ANTHONY D. WEINER, New York
ADAM B. SCHIFF, California
LINDA T. SANCHEZ, California
DANIEL MAFFEI, New York
JARED POLIS, Colorado

LAMAR SMITH, Texas
F. JAMES SENSENBRENNER, Jr., Wisconsin
HOWARD COBLE, North Carolina
ELTON GALLEGLY, California
BOB GOODLATTE, Virginia
DANIEL E. LUNGREN, California
DARRELL E. ISSA, California
J. RANDY FORBES, Virginia
STEVE KING, Iowa
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
JIM JORDAN, Ohio
TED POE, Texas
JASON CHAFFETZ, Utah
TOM ROONEY, Florida
GREGG HARPER, Mississippi
Perry Apelbaum, Majority Staff Director and Chief Counsel
Sean McLaughlin, Minority Chief of Staff and General Counsel
------
Subcommittee on the Constitution, Civil Rights, and Civil Liberties
JERROLD NADLER, New York, Chairman
MELVIN L. WATT, North Carolina
ROBERT C. ``BOBBY'' SCOTT, Virginia
WILLIAM D. DELAHUNT, Massachusetts
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
TAMMY BALDWIN, Wisconsin
JOHN CONYERS, Jr., Michigan
STEVE COHEN, Tennessee
SHEILA JACKSON LEE, Texas
JUDY CHU, California

F. JAMES SENSENBRENNER, Jr., Wisconsin
TOM ROONEY, Florida
STEVE KING, Iowa
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
JIM JORDAN, Ohio
David Lachmann, Chief of Staff
Paul B. Taylor, Minority Counsel
C O N T E N T S
----------
SEPTEMBER 23, 2010
OPENING STATEMENTS
The Honorable Jerrold Nadler, a Representative in Congress from
the State of New York, and Chairman, Subcommittee on the
Constitution, Civil Rights, and Civil Liberties
The Honorable Trent Franks, a Representative in Congress from the
State of Arizona, and Member, Subcommittee on the Constitution,
Civil Rights, and Civil Liberties
The Honorable John Conyers, Jr., a Representative in Congress
from the State of Michigan, Chairman, Committee on the
Judiciary, and Member, Subcommittee on the Constitution, Civil
Rights, and Civil Liberties
WITNESSES
Mr. Edward W. Felten, Director, Center for Information Technology
Policy, Princeton University
Oral Testimony
Prepared Statement
Mr. Richard Salgado, Senior Counsel, Law Enforcement and
Information Security, Google, Inc.
Oral Testimony
Prepared Statement
Mr. Mike Hintze, Associate General Counsel, Microsoft Corporation
Oral Testimony
Prepared Statement
Mr. David Schellhase, Executive Vice President and General
Counsel, Salesforce.Com
Oral Testimony
Prepared Statement
Mr. Perry Robinson, Associate General Counsel, Rackspace Hosting
Oral Testimony
Prepared Statement
Mr. Paul Misener, Vice President for Global Public Policy,
Amazon.Com
Oral Testimony
Prepared Statement
Mr. Kevin Werbach, Professor, The Wharton School, University of
Pennsylvania
Oral Testimony
Prepared Statement
Mr. Fred H. Cate, Professor, Director, Center for Applied
Cybersecurity Research, Indiana University
Oral Testimony
Prepared Statement
Mr. Thomas B. Hurbanek, Senior Investigator, Computer Crime Unit,
New York State Police
Oral Testimony
Prepared Statement
Mr. Kurt F. Schmid, Executive Director, Chicago High Intensity
Drug Trafficking Area Program
Oral Testimony
Prepared Statement
Mr. Marc J. Zwillinger, Zwillinger Genetski, LLP
Oral Testimony
Prepared Statement
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Prepared Statement of the Honorable John Conyers, Jr., a
Representative in Congress from the State of Michigan,
Chairman, Committee on the Judiciary, and Member, Subcommittee
on the Constitution, Civil Rights, and Civil Liberties
APPENDIX
Material Submitted for the Hearing Record
Prepared Statement of the Honorable Henry C. ``Hank'' Johnson,
Jr., a Representative in Congress from the State of Georgia,
and Member, Subcommittee on the Constitution, Civil Rights, and
Civil Liberties
Response to Post-Hearing Questions from Richard Salgado, Senior
Counsel, Law Enforcement and Information Security, Google, Inc.
Response to Post-Hearing Questions from Mike Hintze, Associate
General Counsel, Microsoft Corporation
Letter from the Federal Law Enforcement Officers Association
Prepared Statement of the Competitive Enterprise Institute (CEI),
The Progress & Freedom Foundation, Citizens Against Government
Waste, Americans for Tax Reform, and the Center for Financial
Privacy and Human Rights
ECPA REFORM AND THE REVOLUTION IN CLOUD COMPUTING
----------
THURSDAY, SEPTEMBER 23, 2010
House of Representatives,
Subcommittee on the Constitution,
Civil Rights, and Civil Liberties,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 11:08 a.m., in
room 2141, Rayburn House Office Building, the Honorable Jerrold
Nadler (Chairman of the Subcommittee) presiding.
Present: Representatives Nadler, Conyers, Watt, Johnson,
and Franks.
Staff present: (Majority) David Lachmann, Subcommittee
Chief of Staff; Stephanie Pell, Counsel; and Art Radford Baker,
Minority Counsel.
Mr. Nadler. This hearing of the Subcommittee on the
Constitution, Civil Rights, and Civil Liberties will come to
order. To begin with I will recognize myself for an opening
statement.
Today's hearing is the third in which this Subcommittee
will consider the statutory framework Congress established in
the 1986 Electronic Communications Privacy Act, ECPA, in light
of the enormous technological advances in electronic
communications in the 24 years since ECPA's passage. At the
last hearing we learned about advancements in cellular
location-based technologies and related services and how such
technologies, while enriching our lives, could provide law
enforcement with more precise, and to many of us more
sensitive, information about where we may be located at any
given time.
Today we will continue our examination of whether ECPA
still strikes the right balance among the interests and needs
of law enforcement, industry, and the privacy interests of the
American people by discussing a new technology commonly
referred to as cloud computing. It is important that the law
sustain the public's confidence in the security and privacy of
their communications and information. That confidence is
absolutely essential to fostering the emerging market for cloud
computing services and the rapid innovation that is fundamental
to that market's health.
This Subcommittee's exploration of where the appropriate
balance may lie with respect to the content and associated
transactional information of electronic communications and data
stored by certain third party providers must begin with a
lesson about cloud computing technologies and capabilities.
When ECPA was passed back in 1986 few of us used e-mail or
imagined a world where we could securely share information and
edit electronic documents online with our colleagues or where,
again online, a business could input, store, process, and
access all data necessary for the management of its business
processes, from sales to customer service.
That world is here and it promises tremendous efficiencies
for government, private industry, and individuals. It is an
exciting technological advance and we must ensure that the law
keeps pace in a manner that protects this market, protects the
rights of consumers and the government's law enforcement
responsibilities.
We are fortunate to have two distinguished panels of
witnesses who bring a great deal of expertise to both the legal
and technological issues before us, including witnesses who
represent five major U.S. cloud computing companies.
I should mention at this point that--and if I am wrong
someone will correct me, I am sure, at some point today--cloud
computing simply means--or the cloud simply means where the
data is stored on a third party's server--not in your home, but
on somebody else's server, so it is not given as much privacy
protection under current law as if it were on your own computer
at home.
Along with other experts our witnesses today will educate
us about what is happening in the cloud today and discuss the
type of laws and rules that industry needs to promote the
continuing innovation and growing efficiency that cloud
computing affords to individuals and businesses of all types
and sizes. This initial educational effort is, in my view, not
only warranted but essential before we undertake any effort at
amending or otherwise reforming ECPA.
In many respects, at least for the moment, the testimony we
hear and discussions we have today may raise more questions
than they answer. Since we are to hear about technologies, both
existing and perhaps yet to come, that are revolutionary--
certainly by 1986 standards--I want to acknowledge that our
task will be a challenge to find the appropriate balance
between privacy and law enforcement interests, to protect the
public while preserving consumer privacy and confidence, to
support rapid technological innovation and growth yet discern
standards for law enforcement access that will not become
outdated with each new generation of technology, which is to
say every 6 months or so.
Just as it would not have been possible for Congress to
anticipate the exciting technologies we will be discussing
today it is more than likely that in the years to come new
technologies will present us with equally vexing legal
questions. We must learn to take advantage of these emerging
technologies without ushering in a new privacy-free
civilization, to boldly go toward the creation of a new
productive balance among the interests of law enforcement,
personal privacy, and industry that no legislation has quite
stricken before.
This Subcommittee needs the assistance and input of all
stakeholders--law enforcement, private industry, and civil
liberties groups alike--to get this balance right, hopefully
for at least another generation. I look forward to the
testimony of our witnesses today and to working with all
stakeholders on this very timely mission.
I yield back the balance of my time and I now represent the
distinguished--I now recognize, rather, the distinguished
gentleman from Arizona.
Mr. Franks. Well, thank you, Mr. Chairman.
Thank all of you for being here.
And we are grateful that you are holding this hearing
examining the need to update the Electronic Communications
Privacy Act of 1986, or ECPA, as it relates to cloud computing.
This is the third in a series of hearings to examine ECPA and
possible ECPA reforms. I can say, if there is one thing I hope
or believe we can all agree upon it is that we don't have a
precise definition of cloud computing, and as someone said,
there is an old quote that said, ``The secret to the universe
is in the true naming of things.'' It often means different
things to different people.
Today we will hopefully learn exactly what the cloud is and
have a better understanding of how, if at all, ECPA falls short
of addressing this new technology. Some proponents of ECPA
reform propose requiring a search warrant for communications in
the cloud, regardless of the age of those communications, how
they are stored, or how they are accessed. This would be a
fairly significant departure from current law.
The information possessed by law enforcement in the very
early stages of an investigation does not always have to lend
itself to establishing probable cause for the purposes of
obtaining a search warrant. A blanket warrant requirement for
communications in the cloud, regardless of how or where they
are stored, could potentially deprive law enforcement officials
of essential building blocks for criminal investigations and
may actually deprive them of their ability to establish
probable cause for wire taps, physical searches, or arrests.
I am always mindful of the potential encroachment on
individual liberty and privacy by new technologies and I have
tried to be one of the first to defend those rights. However, I
will also be one of the first to protect the legitimate needs
of law enforcement, including their ability to keep pace with
rapidly changing technologies.
Now, I am not aware of any of the practices by law
enforcement that have inhibited the use of the development of
these services. I am also not aware of any practices by the law
enforcement authorities that have discouraged the willingness
of individuals or businesses to store data in the cloud.
There may very well be a need to clear up statutory
ambiguities so that the police know what they have to do to
obtain certain information and service providers know what they
have to do, in terms of the law, to provide that information.
But I am concerned that the increasing--I am concerned that
increasing the evidentiary standard to such a degree as some
have proposed would create a hurdle that is simply too high to
clear.
Cloud technology is a significant advancement in how we
send, store, and process a very large array of data. Companies
that provide these services have a vested interest in assuring
a certain level of privacy to their customers, and obviously
this has to be weighed against the government's legitimate need
to access this data.
And while we consider these issues I believe we must also
be cognizant of other privacy-related issues. We should not
simply focus on revising or restricting law enforcement access
to the cloud; we must also be aware of who owns the cloud, who
has access to the cloud, and whether there are sufficient
safeguards to protect the cloud against criminal and foreign
adversaries.
Creating barriers to law enforcement in the name of privacy
may have the unintended consequence of inhibiting law
enforcement investigations into data breaches and other privacy
intrusions by hackers and spies and the like. ECPA reform is
simply not about Federal investigations--or I should say it is
not simply about those things. These laws govern every criminal
investigation in the country.
For this reason this Committee must be thoroughly balanced
and informed in any ECPA reform it undertakes, and I hope all
of you can help us understand the best way to move forward. I
am grateful that you are here. I thank every one of you, look
forward to your testimony, and yield back.
Mr. Nadler. I thank the gentleman.
I will now recognize for an opening statement the
distinguished Chairman of the full Committee, the gentleman
from Michigan, Mr. Conyers.
Mr. Conyers. Thank you, Chairman Nadler, and Trent Franks.
I am always glad to be here with us three and the staff.
As if this is not an important issue, I think it is being
very undervalued by many on our Committee, certainly not those
of you that have taken time to join us here in the hearing room
today.
It just so happens that I was the only one here in 1986,
and that is not to date myself, but the one thing I can't
remember right now is whether the Chairman of the Committee was
Jack Brooks or Peter Rodino. I am inclined to think it was Jack
Brooks, of Texas, but we are researching it right now.
Now, so far when we start talking about the reform and
how--what we ought to consider it turns on whether or not we
are going to restrict privacy or, in the name of law
enforcement, we are going to be able to be more invasive. And
sure enough, Trent Franks runs right into the conservative
position of wanting to let the law enforcement people have
their way more. And I am just predicting this; he didn't really
come out and say it, but we have been listening to each other
now for a growing period of years.
But is there something else involved here? And I am so glad
we have got the witnesses here today.
Of course we are going to have to balance it, but, you
know, I am listening to questions of whether or not we are
going to be able to work out agreements over cyberspace
differences that are now becoming more discussed in our world.
We now find out that not only do we have arms race control and
nuclear control, we now have the whole question of how we can
create severe damage to civilian populations through
dismantling and disabling their cyber connections in terms of
conflict.
And so we move into this, I hope, not just worrying about
how much law enforcement leeway are we going to get? Of course
we want to protect our people's privacy as much as possible,
but at the same time there seem to me to be other issues that I
am hoping that you will bring up that are related to who is
going to control and what happens--is this an infinite growth
situation that we are in? Are there limits? Are we going to run
out of what we need to work with or not? Or are there other
considerations?
And it is in that spirit that I join you today, and also
ask unanimous consent to put my written statement in the
record.
Mr. Nadler. Without objection.
Mr. Conyers. Thank you, Mr. Chairman.
[The prepared statement of Mr. Conyers follows:]
__________
Mr. Nadler. Thank you.
Without objection, all Members will have 5 legislative days
to submit opening statements for inclusion in the record.
Without objection, the Chair will be authorized to declare a
recess of the hearing at any point. We will now turn to our
first panel of witnesses, and instead of reading the usual
boilerplate about our procedures we will follow the Committee's
usual procedures of questioning witnesses.
Our first witness will be Edward Felten, who is a professor
of computer science and public affairs at Princeton University
and is the founding director of Princeton's Center for
Information Technology Policy. His research interests include
computer security and privacy, especially relating to the
Internet and computer product--and consumer products, and
technology law and policy.
He received his Ph.D. in computer science and engineering
from the University of Washington, an M.S. in computer science
and engineering from the University of Washington, and then his
B.S. in physics with honors from the California Institute of
Technology.
Richard Salgado, our next witness, is a senior counsel with
Google for information, security, and law enforcement matters.
Prior to joining Google Mr. Salgado worked at Yahoo, focusing
on international security and compliance.
He also served as senior counsel in the computer crime and
intellectual property section of the United States Department
of Justice. Mr. Salgado received his law degree from Yale Law
School.
Michael Hintze is an associate general counsel in Microsoft
Corporation's legal and corporate affairs group. He joined
Microsoft in 1998 and his practice currently includes a number
of regulatory and public policy issues, including privacy,
security, telecom, online safety, and free expression matters
worldwide. Mr. Hintze is a graduate of Columbia University
School of Law.
David Schellhase is--I hope I got that right--thank you--
David Schellhase is executive vice president and general
counsel of Salesforce.com, Inc., where he leads the legal,
internal audit, and public policy teams. Mr. Schellhase joined
Salesforce.com in 2002 and has practiced law in the technology
industry for 20 years. Mr. Schellhase is a graduate of Cornell
Law School.
Perry Robinson is associate general counsel at Rackspace
Hosting. Mr. Robinson oversees Rackspace's program for
compliance with state and Federal law enforcement agency
requests and leads their legal team on contractual matters
relating to the provision of services to Rackspace's customers.
Mr. Robinson earned his J.D. from Baylor Law School.
Paul Misener is Amazon.com's vice president for global
public policy and has served in this position for a decade. He
is responsible for formulating and representing the company's
public policy positions worldwide as well as for managing
policy specialists in Asia, Europe, and North America. Mr.
Misener received his J.D. from George Mason University.
I am pleased to welcome all of you. Your written statements
in their entirety will be made part of the record. I would ask
each of you to summarize your testimony in 5 minutes or less.
To help you stay within that time limit there is a timing
light at your table. When 1 minute remains the light will
switch from green to yellow, and then red when 5 minutes are
up.
Before we begin it is customary--well, let me just say
before we do this, the Chair reserves for himself the right to
recess the hearing, which I anticipate doing only if there are
votes on the floor. Before we begin it is customary for the
Committee to swear in its witnesses.
If you would please stand and raise your right hands to
take the oath?
Let the record reflect that the witnesses answered in the
affirmative, and you may, of course, be seated.
I will now recognize for 5 minutes our first witness,
Professor Felten, and use your mic please.
TESTIMONY OF EDWARD W. FELTEN, DIRECTOR, CENTER FOR INFORMATION
TECHNOLOGY POLICY, PRINCETON UNIVERSITY
Mr. Felten. A lot has changed on the Internet since ECPA
was passed in 1986. Back then there were only a couple thousand
computers online. Commercial activity was strictly forbidden;
the Net was only for research and education purposes. And
several of the companies represented on this panel did not even
exist. The eventual founder of Facebook was 2 years old.
The computers at that time would not even be recognizable
to today's teenagers; the equipment is vastly different.
Today's cell phones are vastly better than the super-computers
of 1986. But more important than these changes in equipment and
sheer numbers of computers has been the change in the way
people use the Internet, and one of the big changes there has
been the move to cloud computing.
As you said before, Mr. Chairman, the defining
characteristic of cloud computing is that a person is--a person
or company is taking their data and moving it onto someone
else's computer, and along with that taking the computation and
other management functions and putting those as well onto
someone else's computer, typically a service provider's
computer. Cloud computing is used both by individuals and by
businesses large and small.
To give an example of the use of cloud computing by an
individual let me talk about my own use of my personal
calendar. I keep my calendar in the cloud. I have a deal with
the service provider in which they support that.
And that provides a number of advantages to me. First, it
means that the data and the systems are professionally managed.
The computers that store the master copy of my calendar are
run by the service provider and not by me; the service
provider's employees take care of backing up the data,
maintaining security, keeping everything up-to-date, and
keeping everything running. I don't have to worry about that at
all.
The second advantage is that my calendar is accessible to
me anywhere--on my desktop computer, on my laptop computer, on
my mobile phone. The service provider gives me software that
runs on all of those devices and that software always gets an
up-to-date copy of my calendar. If I change something in one of
those places it is immediately reflected in the master copy and
then in the other copies so that there is a single view of my
calendar which I always see regardless of where I am.
And the third main advantage is that it is easily
shareable. I can give my wife, and my colleagues, and my
students access to my calendar and they can see what I see in
real time. Some of them, with my permission, can modify the
calendar; others can just see.
Any kind of service which would benefit from these
advantages of professional management, accessibility anywhere,
and sharing can be put in the cloud and typically is, and there
are many examples of different kinds of services that happen in
the cloud--e-mail, document management, investment tracking,
photo sharing, project management, hard drive backup, and many
more.
Cloud computing is also valuable for businesses. A business
can take some of their back office computing operations--things
like payroll, sales, and inventory--and move those into the
cloud.
They can also move their consumer facing technology
infrastructure into the cloud. For example, an ecommerce
company might take these servers that provide their image to
customers and that customers interact with and put those in the
cloud by hiring out that function to someone else.
Even companies that are technically sophisticated often do
this because they find it cheaper, due to the economies of
scale, in having things centrally managed. As another example,
I wrote my written testimony that was submitted earlier in a
cloud document-editing system, and I did that because it was
easy for me to use across devices, and because when I wanted
someone to review the document and give me feedback they could
easily do that by using the same cloud service, and we could
interact and edit in real time.
Now, in an ideal world people would be making the decision
to use the cloud or not use the cloud based on considerations
of technical efficiency and cost. They would be balancing those
factors and deciding to do whatever was best in their
individual case. But to the extent that a law like ECPA puts
its thumb on the scale and pushes people toward putting their
data and functions in the cloud or moving them out of the cloud
you end up with solutions that are less technically efficient,
more expensive, and harder to use, and you end up ultimately
with less innovation in technology and in business processes.
Thank you.
[The prepared statement of Mr. Felten follows:]
Prepared Statement of Edward W. Felten
__________
Mr. Nadler. I thank the gentleman.
I now recognize Mr. Salgado?
TESTIMONY OF RICHARD SALGADO, SENIOR COUNSEL, LAW ENFORCEMENT
AND INFORMATION SECURITY, GOOGLE, INC.
Mr. Salgado. Thank you, Chairman Nadler, Ranking Member
Sensenbrenner, and Members of the Subcommittee. As Google's
senior counsel for law enforcement and information security I
oversee Google's response to government requests for user
information under many authorities, including the Electronic
Communications Privacy Act of 1986. I have also worked with
ECPA extensively from a law enforcement perspective as a senior
counsel in the criminal division in the Department of Justice.
ECPA was a forward-looking statute for 1986, and much of it
remains relevant today. But over my many years of experience in
implementing, in trying to interpret, and frankly often
wrestling with the statute I have seen large gaps grow between
the technological assumptions of that earlier era and the
reality of how electronic communication works today.
As a result of those gaps, providers, users, law
enforcement agents, investigators, and prosecutors, as well as
judges often face complex and baffling rules that are difficult
to explain and challenging to apply. Even more significant,
however, in important respects ECPA now fails to provide the
privacy protection that people reasonably expect, and that is
why Google helped found and strongly supports the Digital Due
Process coalition.
The coalition, which many of you may have heard of, is a
broad coalition. It includes telecommunications companies like
AT&T; we have Internet companies, many of whom are represented
on the panel today; and other organizations, including
Americans for Tax Reform and the ACLU, among many other members
that I haven't mentioned.
The coalition has proposed a set of common sense principles
for updating ECPA. The reforms seek to preserve the structure
of the statute and certainly the tools needed by law
enforcement to perform their important functions, but are
intended to ensure that the protections afforded to data stored
in the cloud are no less than those extended to data stored in
the home or in the office.
Cloud computing is a new term, as has been noted, but most
of us use cloud services every day even if the label isn't
particularly familiar to us. When you use the Web to send an
e-mail, to edit a document, or to manipulate a calendar, as
Professor Felten has reflected to us, you are actually using
cloud computing services.
The services now are very robust and very feature-rich. In
fact, many companies are moving their entire I.T.
infrastructure into the Internet-based cloud and getting the
functionality through service providers. Shifting all of these
computing tasks from our desktops to cloud providers offers
tremendous social benefits, tremendous economic benefits, and
security benefits.
Today's technology bears little resemblance to the
mainframe computers of the 1980's. Back then remote computing
and storage were rare luxuries for companies, usually used for
bulk processing, like payroll services or data backup. ECPA has
not kept pace with the rapid technological advances that we
have enjoyed in the last few years, and as a result the
problems are becoming obvious.
One example that has been alluded to already: Under ECPA
the government must obtain a warrant to get the content of an
e-mail that is no older than 6 months, but for older messages
the government can simply issue a subpoena, obviously without a
judge's approval, to compel the production of the e-mail's
content from a provider. Under the Department of Justice's
interpretation of ECPA, which has been rejected by the 9th
Circuit, opened e-mail, regardless of the age, can be obtained
using that lower subpoena standard.
Distinguishing the privacy protections of e-mail based on
age and by access of the user makes no sense today. In 1986
perhaps it did. Remote storage was so expensive that users
rarely stored messages for very long; they either downloaded or
deleted the messages soon after receiving them. Today people
often keep messages and mail for indefinite periods of time,
possibly forever.
With Gmail, which is Google's free mail service, Google
offers enough free storage that space constraints are not a
reason ever to delete an old mail. Many of our users have
messages going back to when Gmail was launched over 6 years
ago. Gmail accounts have essentially become the filing cabinets
of today.
The example reveals how parts of ECPA need to be updated
for the 21st century. The Digital Due Process proposal would go
far toward achieving that goal. Advances in technology depend
not just on smart engineers, but also on smart laws that will
not stand in the way of continued innovation and adoption of
technology.
I thank the Subcommittee for giving the attention to this
issue and urge you to help bring ECPA into the Internet age.
Thank you.
[The prepared statement of Mr. Salgado follows:]
Prepared Statement of Richard Salgado
__________
Mr. Nadler. I thank the gentleman.
I now recognize Mr. Hintze?
TESTIMONY OF MIKE HINTZE, ASSOCIATE GENERAL COUNSEL, MICROSOFT
CORPORATION
Mr. Hintze. Chairman Nadler, Congressman Franks, Chairman
Conyers, honorable Members of the Committee, thank you for the
opportunity to discuss Microsoft's perspectives on ECPA reform.
We appreciate the attention with which this Subcommittee has
approached the issue and we are committed to working with you,
law enforcement agencies, and other stakeholders to ensure that
we responsibly update ECPA for the era of cloud computing.
ECPA was enacted into law in 1986 to address the issues
being raised by new digital technologies. What are the
appropriate standards under which law enforcement can compel
service providers to disclose customer content and account
information? ECPA addressed this issue by striking a balance
between the legitimate needs of law enforcement and the
public's reasonable expectations of privacy.
Technology has changed dramatically since 1986. Today we
are in a new era of computing, one in which users are empowered
to store unprecedented amounts of digital information online.
This cloud computing revolution creates numerous benefits.
It makes businesses more efficient and competitive by enabling
companies of all sizes to access cutting-edge computing
resources. It facilitates collaboration through anytime,
anywhere access. And it provides new opportunities for
innovation and job creation.
Microsoft has participated actively in this transformation.
We come to the issue of ECPA reform as a provider of desktop
and server software that has moved into hosting online
cloud-based services.
Our history gives us a clear perspective on how ECPA has
failed to keep pace with the technological time. Take the
example of e-mail. As we have heard, ECPA extends greater
privacy protections to e-mail stored less than 180 days than
e-mail stored for more than 180 days.
For many years this distinction made sense. Even 10 years
after the enactment of ECPA Microsoft was offering the first
version of Microsoft Exchange, software in which a user
typically would download e-mail to a local machine for it to be
read and stored, after which it would no longer reside on the
server. Because the e-mail typically was downloaded to a local
drive it was reasonable to conclude that e-mail left with a
service provider for more than 180 days was abandoned with
little expectation of privacy.
But shortly thereafter, in 1997, we acquired Hotmail, a
Web-based e-mail service that enabled e-mails to be stored
online or in the cloud for longer periods of time. This ability
to retain e-mails online even after they were read began to
call into question the justification for the 180-day
distinction. Even then, however, the amount of storage
available online was quite limited.
But since 1997 the amount of online storage available to
consumers has progressively increased to the point where it has
become essentially unlimited. Today users regularly store
e-mails and attachments, including photos, documents, and other
data, online for years, and these users reasonably expect that
this data will be just as private on day 181 as it was on day
179.
These concerns are not limited to individual consumers.
Enterprises of all sizes are increasingly using products like
Microsoft Business Productivity Online Suite to store their
e-mail and confidential business documents in the cloud, but we
regularly hear from enterprises considering the move to the
cloud that doing so could negatively impact their privacy
protection.
In short, the balance Congress struck in 1986 has fallen
out of alignment, putting more and more user data within the
reach of law enforcement tools that require lower burdens of
proof. This trend has serious potential consequences.
Users will be deterred from adopting cloud services if they
do not trust their data will be kept private and secure in
the cloud. In addition, cloud service providers will hesitate
to invest in new innovation if there are not clear rules that
make sense in the context of this evolving technology.
To restore the balance the Congress struck in 1986 Congress
should revisit ECPA and ensure that users do not suffer a
decrease in their privacy protections when they move their data
to the cloud. We believe that the principles advanced by the
Digital Due Process coalition will enable citizens to trust
their data will be subject to reasonable privacy protections
while at the same time preserving the ability of law
enforcement to collect the information necessary to protect the
public. The principles will also provide greater clarity for
all stakeholders, and we see them as a good starting point for
the discussion.
As Congress takes up the important issue of ECPA reform we
believe it should also look at privacy and security issues
related to cloud computing in the broader policy context. Users
of cloud computing services must have confidence that their
data will be kept secure and private not just vis-a-vis the
government but also with respect to service providers and other
third parties. The importance of protecting privacy and
security also extends beyond the United States and can be
impacted by the laws of other governments.
To address these concerns Microsoft has proposed that
Congress consider comprehensive legislation that advances
privacy and security in the context of cloud computing, and in
turn helps to promote confidence in the cloud.
Thank you for the opportunity to testify today. Microsoft
appreciates the Subcommittee's leadership, and we look forward
to working with you on these important issues.
[The prepared statement of Mr. Hintze follows:]
Prepared Statement of Michael Hintze
__________
Mr. Nadler. I thank the gentleman.
Mr. Schellhase is now recognized.
TESTIMONY OF DAVID SCHELLHASE, EXECUTIVE VICE PRESIDENT AND
GENERAL COUNSEL, SALESFORCE.COM
Mr. Schellhase. Chairman Nadler, Chairman Conyers,
Congressman Franks--oh yes, I am sorry--thank you for holding
this hearing and inviting me to share my views with you.
Cloud computing is emerging as a powerful engine for
economic growth and jobs and it is important that we create a
policy framework that supports it. Salesforce.com, my employer,
is a leading enterprise cloud computing company that provides
Internet-based business applications primarily for helping to
automate sales and customer support functions to organizations
of all sizes around the world.
Instead of building and maintaining costly I.T.
infrastructure our customers simply log onto our Web site and
access our cloud services using a unique username and password.
Over 82,000 organizations globally, including numerous U.S.
Federal Government agencies and businesses in highly regulated
industries, trust Salesforce.com to store and process their
data.
In my remarks today I will make reference to the enterprise
cloud computing model. In doing so I will emphasize two points:
First, U.S. public policy should support cloud computing
because it is a powerful driver of economic growth and job
creation. Second, in order to build confidence in cloud
computing the rules for government access to data held in the
cloud should be the same as for data held on premise.
Every major analyst firm believes that cloud computing will
see explosive growth. Gartner Group estimates that the
worldwide market for cloud services will be worth $148 billion
by 2014, and a recent Goldman Sachs report called the shift
toward cloud computing ``unstoppable.''
Just as the electric power grid paved the way for the rise
of the modern business economy, cloud computing is paving the
way for the 21st century digital economy. By unleashing
innovation and productivity cloud computing will create jobs
not only in the technology industry but also create jobs in
sectors as diverse as manufacturing, health care, and
government. Cloud computing has already spawned scores of new
companies, and as the market for cloud computing accelerates
Congress should adopt policies that support the cloud computing
model or, at a minimum, that do not discriminate against it.
Government has a very legitimate--has very legitimate
reasons to access privately-held data for such purposes as
fighting crime and preventing terrorist attacks. In order to
generate public confidence in the way that the government
obtains this access, however, it is essential that the
guidelines for them be applied in a predictable way that is
appropriately transparent.
At Salesforce.com we create trust in our cloud computing
applications by maintaining robust security practices based on
international standards, hosting a public Web site that shows
the performance and trust of our system on a daily basis, and
contractually agreeing to keep our customers' data confidential
with exceptions for due process of law. For many customers
these actions are all the evidence they need to determine that
they can trust the privacy and security of our data--of our
cloud services.
For others, however, especially those outside the United
States, these actions are not enough. These customers want
something more. They want assurances that the U.S. government
will not access their data without appropriate due process.
At Salesforce.com we face this issue on a regular basis,
principally from customers who believe that the current
regulatory framework permits the U.S. government overly broad
access to data stored in the cloud. We need to have clear laws
that prove that this belief is unfounded.
As a company, Salesforce.com cannot make representations to
its customers that government will not gain access to data.
What we can do is point to the legal process that the
government must undertake to access data held in the cloud.
This is where reform of the Electronic Communications Privacy
Act is so crucial.
Because ECPA codifies guidelines for U.S. government access
to data it sends a clear signal to other countries about the
confidentiality of data held in the cloud. As a result, it is
important that Congress update ECPA to clarify that data stored
and processed in the cloud on behalf of a customer has the same
protections and standards for law enforcement access as data
stored locally by that customer.
As Congress contemplates ECPA reform it should embrace the
concept of technology neutrality. In practice, technology
neutrality means that a particular kind of information will receive
the same level of protection regardless of the technology
platform or business model used to create, communicate, or
store it. We are not asking for special treatment for data in
the cloud, but rather for equal treatment.
In order to assure technology neutrality in private
communications, documents and other private user content stored
in or transmitted through the cloud should be subject to the
same warrant standard that the Constitution and the Wiretap Act
have traditionally provided for privacy of our phone calls or
the physical files we store in our homes. In practice, this
recommendation would mean that the government must obtain a
search warrant based on probable cause before it can compel a
service provider to disclose a user's private communications or
documents stored online.
By making sure that ECPA is technology neutral Congress can
send a clear signal to individuals, companies, and governments
around the world that they can safely use cloud computing
platforms. We believe that doing so will unleash a wave of
innovation and productivity that will drive economic growth and
create jobs for years to come.
Thank you.
[The prepared statement of Mr. Schellhase follows:]
Prepared Statement of David Schellhase
__________
Mr. Nadler. Thank you.
I will now recognize Mr. Robinson.
TESTIMONY OF PERRY ROBINSON, ASSOCIATE GENERAL COUNSEL,
RACKSPACE HOSTING
Mr. Robinson. Thank you, Mr. Chairman, Members of the
Committee. Thank you for taking the time to address this
important matter.
I am here on behalf of Rackspace Hosting, and unlike many
of the other panelists, which are household names--is that a
little bit better?--which are household names, Rackspace is a
smaller organization. Provide just a little bit of background:
We are a company that is based out of San Antonio, Texas. We
were founded in 1998 by four college students.
Over the time we have grown. We have now got about 3,000
employees. We employ people in San Antonio, Texas; Austin;
Chicago, Illinois; Herndon, Virginia. And we have had this
growth in part due to the growth of the cloud. Rackspace is
invested heavily in cloud technology and offers cloud servers,
cloud sites, and cloud files to its customers. Now, I provide
this information as background to the context in which ECPA
applies to a company such as ours, which is an emerging
organization.
So I would also like to briefly explain some examples of
how Rackspace provides cloud computing technology to its
customers. Cloud technology can be somewhat challenging, I
think, to understand at first.
The concept at a high level, though, can also be very
simple. In fact, for many consumers they are not aware of the
times at which they are actually using cloud technology.
To oversimplify the concept a bit, cloud servers is kind of
like a motor pool, right, in which a vehicle is provided at
just the right time for your use. Its function is the same as a
physical vehicle but it has essentially been virtualized
through computing code.
The fact that this virtual instance is virtual and not
physical in nature, though, doesn't change the experience of
the consumer itself. And so the end user of this technology
oftentimes has the same understanding of the rights and
implications of this use of technology as they would any other
traditional form of communication.
Cloud storage, on the other hand, makes use of file
technology to provide storage which is provided through a
connection to the Internet. Many applications, or apps, on
mobile devices and telephones make use of such cloud storage.
An example of such storage might be the storage of documents
which are created on a mobile device or, as Professor Felten
was saying, the use of an online calendar.
For many of its customers Rackspace provides the base
technology on which its customers are able to develop the use
of cloud servers or cloud storage for the development of their
businesses. Our customers are often businesses who are,
themselves, providing services to an end user. Now, the
complication here is that as you move down the chain you have a
process which goes from the provider of the cloud services down
to an end user and there is--and that created a gap, sometimes,
in which, again, the end user doesn't always have an absolute
understanding of how the technology is actually provided to
them.
In each case there are expectations by these users that
their use of this technology--of cloud servers, of cloud
files--is subject to control of the end user itself and that
the content will not be accessed by third parties or others
unless permission has been granted. This privacy expectation is
a fundamental aspect of the acceptance of cloud technology.
Rackspace believes that ECPA has fallen behind these
advances in technology. To be clear, Rackspace does not believe
that ECPA is flawed in its intent and does not seek to change
the balance of the individual interests and the privacy of
their electronic communication with the needs of law
enforcement.
However, Rackspace does see ECPA as having fundamentally
failed to maintain pace with changes in technology. As a
result, there is a great deal of confusion regarding the level
of protection afforded to end users which is stored on or
accessed through the cloud.
These concerns translate to hesitancy regarding the
adoption of cloud technology despite the benefits, the
flexibility, and cost savings that it provides. They have a
financial impact on the growth of businesses such as Rackspace,
Rackspace's other customers, and quite frankly, they have an
impact on, potentially, the economy itself.
Rackspace believes now is the time to update ECPA and to
bring clarity and predictability to the law so that people will
know what protections are afforded to their data and their use
of their technology, thereby allowing the sector to grow and
create jobs and help drive the economy forward.
Thank you for your time.
[The prepared statement of Mr. Robinson follows:]
Prepared Statement of Perry Robinson
__________
Mr. Nadler. Thank you.
And we will now hear from--I will now recognize Mr.
Misener.
TESTIMONY OF PAUL MISENER, VICE PRESIDENT FOR GLOBAL PUBLIC
POLICY, AMAZON.COM
Mr. Misener. Thank you very much, Mr. Chairman, and Mr.
Franks, and Chairman Conyers, and Members of the Subcommittee.
My name is Paul Misener, and I am Amazon.com's vice president
for global public policy. On behalf of our company and our
millions of customers, thank you very much for inviting me to
testify on this important hearing.
Amazon.com Web site began in 1995 as a place to buy books.
Since then we have strived to be earth's most customer-centric
company where people can find and discover virtually anything
that they may want to buy online. Now Amazon Web Services
provides a family of cloud computing functions to small and
large businesses, government agencies, academic institutions,
and other users.
Cloud computing, as others have described for the
Subcommittee, is a means of providing, through the Internet,
computing functions similar to what a desktop or laptop
computing can provide but far more efficiently and reliably,
and at much greater scales and speeds. For example, desktop PCs
can store files like memos, spreadsheets, digital photos, and
music. So can cloud computing services, only much more
efficiently and reliably.
A desktop computer's hard drive can crash, for instance,
potentially deleting files. Cloud computing storage done well,
however, is redundant, and thus files are far more durable and
the chance of unintentionally deleting them is virtually nil.
Amazon offers data storage as Amazon Simple Storage
Service, or S3. This service can be used to store and retrieve
any amount of data at any time from anywhere on the Web. S3
gives users access to the same highly scalable, reliable,
secure, fast, inexpensive infrastructure that Amazon uses to
run its own global network of Web sites.
The service aims to maximize benefits of scale and pass
those benefits to users. In one example a company called
ElephantDrive uses Amazon S3 storage to provide consumers an
inexpensive way to make backup copies of digital files.
Likewise, desktop PCs can perform calculations on data.
Although many of us never perform calculations much more
complicated than with spreadsheets, small and large businesses,
researchers, and government agencies often need to perform
complicated and data-intensive calculations.
Desktop PCs are often not up to the task, and even
dedicated local workhorse computers often can't deliver
satisfactory results or are a cost-prohibitive capital
investment. Cloud computing, on the other hand, can provide
virtually unlimited computation capacity that may be rented as
needed rather than obtained through a large, wasteful, up-front
capital expenditure that requires expert setup and maintenance
and rapidly becomes obsolete.
Amazon also offers a service known as Amazon Elastic
Compute Cloud, or EC2, that is designed to make Web-scale
computing easier. Just as S3 enables storage in the cloud,
Amazon EC2 enables compute in the cloud.
The EC2 Web interface allows users to obtain and configure
capacity and control computing resources. Users may quickly
scale up capacity--and then down--as their computing
requirements change, and they pay only for the capacity that
they actually use. In one case an engineer at The Washington
Post used the equivalent of over 1,400 server hours on EC2 to
convert over 17,000 pages of First Lady Hillary Rodham
Clinton's newly-released documents into a Web-friendly format
within just 9 hours and for less than $150.
The benefits of these and other cloud computing services to
businesses large and small, government agencies, to
researchers, and other organizations are manifest. The power of
expensive and complicated computer hardware is available
immediately on a pay-as-you-go basis. No longer must an
enterprise expend capital up front and endure delays. And the
computing capacity is completely elastic, scaling up in time of
high demand and down as appropriate.
Bottom line, with cloud computing enterprises can focus
their engineering resources on their own specialties. No longer
must they manage the difficult tasks of building and
maintaining computer infrastructure.
Accordingly, we believe that it is in the public interest
to ensure that there are no inappropriate legal impediments to
cloud computing and that applicable law, including ECPA, is
clear and current. We appreciate the Subcommittee's interest in
this matter and the investigation of whether and how ECPA
should be modified.
Amazon is a member of the Digital Due Process coalition,
which has proposed clarifications of ECPA in four areas,
covering requests for: one, the content of electronic
communications; two, location information; three, real-time
transactional data about communications; and four, broad
information requests about broad categories of users. Although
we are aware, for example, that the standards applied to
location information may need clarification our experience
primarily relates to requests for the content of
communications, as a provider of remote computing service.
With respect to the content of electronic communications we
believe that ECPA requires law enforcement authorities to
obtain a search warrant to compel disclosure. We do not release
information without valid process and have not disclosed
content without a search warrant.
In order to protect the privacy of communications we
certainly agree with our fellow members of the Digital Due
Process coalition that this is how the law should operate:
compelled disclosure of content should require a search
warrant, just as obtaining content out of a person's desk
drawer would. If there is any significant ambiguity in ECPA,
such as with respect to the age of a communication, we would
support legislation to clarify that compelled disclosure of
content may only come as a result of a search warrant,
regardless of the age of a communication.
Thank you again for the opportunity to testify on the
important topic of cloud computing services. Amazon believes
that these new services have important societal benefits, and
if laws such as ECPA should be clarified to address cloud
computing we support the effort.
[The prepared statement of Mr. Misener follows:]
Prepared Statement of Paul Misener
__________
Mr. Nadler. Thank you very much.
We will now begin the questioning by--I will recognize
myself for the 5 minutes.
Professor Felten, in your testimony you described the many
ways you use cloud computing technology and services in your
professional and personal life. When you think about your and
society's digital life now as compared to 1986 do you think
that ECPA's 1986 concept of electronic communications service
and remote communications service accurately reflect network
usage today, and if not why not?
Mr. Felten. I think not. In 1986 it made more sense, in
terms of people's use of these services, to separate
communication and computing into separate products and separate
mental categories, but these days these computation, storage,
and communication are really integrated together to provide a
unified product that meets some need of the end user for
managing a calendar, or document collaboration, or whatever it
is that the user is wanting. Users often don't think about and
often don't know what is happening behind the scenes to make
all this work, and so it is a line that is not visible to a lot
of the decision-makers, and it makes a lot less sense than it
did then.
Mr. Nadler. Thank you. And you also, in your testimony,
discussed the fact that it may be difficult for a user to tell
whether or not his or her data is stored in the cloud because
cloud services can offer nearly the same user experience as
local servers. And as someone who uses a computer all the time
and never heard the phrase ``cloud computing'' until a few
weeks ago I certainly never think about--or certainly never
thought about--whether it is in the cloud or not.
Elaborate on this concept, and how might a user be unaware
or unsure of whether or not he is working or operating in the
cloud, and why should it make a difference to him?
Mr. Felten. Well, at one level it should not make a
difference to the user as long as the job that they want done
is being done well. It may prove to make a difference to the
user if there is a legal line that gets drawn.
But increasingly what users are after is the experience of
solving their problem, doing their job without having----
Mr. Nadler. And they don't care how it is done. They just
care about the result; they don't care how the problem is
solved.
Mr. Felten. Absolutely.
Mr. Nadler. Thank you.
Mr. Salgado and perhaps Mr. Hintze, my understanding is the
Stored Communications Act, and specifically the electronic
communications service and remote communications services
distinctions can be difficult to apply to many of today's
cloud-based services, as Professor Felten just said. And of course,
under the law ECS provides greater privacy protection than RCS.
What position do you generally take regarding classifying
services or information as either ECS or RCS and the legal
process you require before disclosing information when you get
law enforcement requests for the following: Web mail search--on
the one hand, Web mail search, word processing, online photo
video storage services, and on the other, names or I.P.
addresses of users who search for a specific phrase? And in
answering the question, please indicate whether you must make
creative arguments or take an aggressive view of the law in
order to provide great privacy protections to your customers--
in order to provide the privacy protections you think they
require.
Mr. Salgado first?
Mr. Salgado. Thank you, Mr. Chairman. The question is
complicated because of how the ECPA is written, so I apologize
at the beginning for probably not being able to address each
one of those categories, but it is the very fact of the
complexity of ECPA that makes that difficult to answer.
In an ideal world I would like to be able to tell you, this
is the type of legal process we require for all those types of
information and it is a result of a--it is the result of a
thoughtful balance and a consideration of the equities of law
enforcement and the interests of the users and the providers.
That is not the situation and so the result is, as you list
these different products each one of those requires a separate
legal analysis, oftentimes requiring consulting with outside
counsel, pulling out the statute again, rereading the statute
to figure out what type of legal process is required for what
types of data.
The distinctions between RCS material and ECS material
are often arbitrary, and even within the category of ECS
material--electronic stored material--the definition is so
tiered and complex there is nothing intuitive about it. It
often turns on whether the communication is, using the terms of
the statute, in electronic storage. And I think a lot of
people, if you ask them, ``What does it mean to be in
electronic storage?'' would answer, ``It means to be stored
electronically,'' and they would be wrong. And in fact, they
would have to look at the statute to understand that that term
is actually a very complex, tiered test to figure out whether
something is in electronic storage for the purposes of the
statute.
This is where the 180-day rule comes in. That is the part
of the definition of electronic storage. So the question you
ask is a complex one because the statute doesn't make it an
easy answer.
I think the Digital Due Process coalition members believe
the answer to that should be, it requires a search warrant. It
should require a search warrant.
Mr. Nadler. And Mr. Hintze, would you comment on the same
question? In particular, indicate whether your experience has
necessitated the use of what one might call creative arguments
or an aggressive view of the law in order to do your job
properly.
Mr. Hintze. Certainly. I would be happy to. I would point
out that, as Mr. Salgado's experience as both a prosecutor and
in business having trouble answering these questions, you know,
I think that is indicative of the fact that all of us do and
these are very complicated matters.
You know, the various types of data that may become an
issue here--of those probably the ones that ECPA speaks to most
clearly would be e-mail, because that was one of those things
that was contemplated at the time that ECPA was drafted. But as
we have heard, the way e-mail is used has changed dramatically
since 1986 and a lot of those distinctions make--no longer make
sense, although I think it is quite clear that e-mail is an ECS
under ECPA and the content of a message and the subject line
would be considered content and protected by the warrant
statute standard up to 180 days or up to when it has been
opened, except for in the 9th Circuit where it is--so crystal
clear, right?
Other services are even more difficult to discern and what
the various levels of protection might be depending on the
nature of the service, the nature of the data, the timeframe
under which it has been stored electronically, what circuit you
happen to reside in.
Mr. Nadler. And all this is carefully considered in the
privacy expectations by the customer, right?
Mr. Hintze. Yes, absolutely.
You know, I think also, you know, some of these questions
are theoretical. You know, the bulk of the requests we get from
law enforcement are for traditional communications, e-mail.
Some of these things we just simply haven't gotten requests.
But you look at new services like search that both Google
and Microsoft provide, and the question is how that applies
under these definitions. I mean, looking at the definitions you
would have no idea. There are arguments that could be made in
different ways.
I mean, we think probably the best interpretation of search
under ECPA is that the query itself would be content, yes, but
you know, trying to find that and trying to discern that in the
statute is very difficult. That is why we--one of the reasons
we support the Digital Due Process coalition principles is that
it makes those distinctions. While it doesn't touch the
definitions, per se, it says that all content, whether the
content of a search query or the content of an e-mail, the
content of your documents would be protected by the warrant
standard for probable cause.
Mr. Nadler. Thank you.
Let me ask Mr. Schellhase and Mr. Robinson, both of your
firms have indicated in your written testimony that you have
customers who are concerned that the U.S. government has
overly-broad access to their data that is stored in the cloud.
What you appear to be saying is that overly-broad U.S.
government access to data is a consideration for some customers
in determining whether they should put their information in the
cloud.
How does such a concern affect your business model? How do
you address this concern with your customers? What aspects of
ECPA reform could address this issue specifically?
Let me add one other thing: Why should we protect people
who want to keep secrets from the government? Isn't that for no
good purposes?
Mr. Schellhase. I will answer first, Mr. Chairman. I think
in part what we fight largely is a perception problem, right?
And there is a perception on the part of many of our European
customers and prospects that the U.S. government has undue
access to data----
Mr. Nadler. More from European than from the American
customers?
Mr. Schellhase. Yes. Much more from European customers.
But nevertheless I think, you know, the defense that we
fall back on, as I mentioned in my testimony, is we provide
contractual assurances but we also look to the U.S. to have
appropriate due process around accessing data, and so that--you
know, so any consistency and reinforcement of consistency in
the law benefits us when we sell to customers who have this
perception.
Mr. Robinson. Yes, a similar situation on Rackspace's side.
A good deal of my time is spent each week explaining to
customers, both from the United States and customers in Europe
and Canada, Australia, basically all over the world, exactly
what circumstances in which their data may be accessed, right?
And what becomes difficult is with the current state of the
law, with ECPA that answer is not easy, right? And so it makes
it a very challenging discussion.
The answer, quite frankly, is if we are required by law to
provide your information over we will have to do that. They
say, ``Okay, in what circumstance?''
Well, that is a very long conversation. Where would you
like to start? You get into the specifics of how ECPA applies
and, you know, as some of the other panelists have mentioned
you have to start at times, you know, going back to the
statute, considering, you know, bringing in outside counsel
especially.
This makes it challenging to do business, and quite frankly
it has an impact on our ability for our product.
Mr. Nadler. Thank you very much.
My time is expired. I now recognize the gentleman from
Arizona.
Mr. Franks. Well, thank you, Mr. Chairman. It seems like
this is a pretty important subject.
It occurs to me that even programs and whole systems
essentially could eventually be completely operated in the
cloud and all of the programs could be updated from there, even
operating systems where you only have an Internet operating
system intervening between the customer and the cloud. And it
is a pretty impressive technology and so it does seem to be a
very, very important trend.
And I guess I will start out by asking you, Mr. Hintze--and
I am assuming it is Hintze and not Hintze, correct?
Okay, Mr. Hintze, you state that in a poll conducted by
Microsoft earlier this year that 90 percent of the general
population and senior business leaders say that they are
concerned about the security and privacy of data as it relates
to cloud storage, and I guess my question is, does this number
specifically relate to concern about a government intruder or
is this number broader to include criminals and other
individuals seeking to hack into the cloud, and is that a
significant issue?
Mr. Hintze. It certainly is a significant issue, and that
number encompasses both. People are concerned about the impact
on their privacy and security of their data as they put it in
the cloud. Whether that is from the government, whether it is
from the service provider itself, or whether it is from
nefarious actors outside of the service provider who are trying
to get into it.
That is one of the reasons that we support a broad approach
to addressing these privacy issues and security issues in the
cloud. In addition to privacy vis-a-vis the government we think
that there is a role for Congress in ensuring privacy vis-a-vis
service providers' own practices, which support broad privacy
legislation affecting the private sector.
We think that law enforcement should be given tools to go
after the hackers who are trying to get into the cloud. We
think there is a role for giving service providers a private
right of action to go after those malicious actors as well, and
other similar enhancements of security online.
And then, as I mentioned in my oral testimony, these issues
are not simply U.S.-focused as well, and we think that as cloud
infrastructures grow and data crosses borders we are seeing
increasing challenges with respect to the laws of a foreign
government that create conflict of laws issues, distinctions
between law enforcement and privacy, and data retention and
privacy, and we think there is a role for Congress to encourage
the Federal Government to engage on a bilateral and
multilateral basis to address some of those.
Mr. Franks. Well, it takes me in a little different
direction where I was going, but let me go ahead and ask this
based on some of your comments: While the cloud would be
subject to the jurisdiction of the United States, you know--or
I guess that is if the cloud resides in the United States--
wouldn't a U.S.-based cloud with heightened access requirements
for law enforcement be potentially a haven for laundered or
data hiding, or would this be especially attractive to foreign
customers as a result? In other words, does it represent any
sort of a vulnerability for data to be stored in a cloud here
in the United States and sort of hidden away based on some
nefarious or malevolent purpose?
Mr. Hintze. As we have heard from other panelists today,
today the concern is that the standards around government
access to data may be lower than in other places, so there is a
concern from foreign customers particularly about doing
business with U.S. providers, which makes it challenging for us
to sell our products and services to customers outside the
United States.
With the Digital Due Process coalition proposals we think
that will bring more clarity and bring the statute back into
balance and line with where the judgments were made between the
interests of privacy and law enforcement back when they were in
1996. We view it as a fairly modest proposal, not one that
would create such high barriers that the United States would be
looked at as some kind of data haven that Switzerland----
Mr. Franks. I understand.
Mr. Hintze [continuing]. Computing.
Mr. Franks. Well, Professor Felten, you state that even
those few who don't know or don't even use the Internet or
don't have cell phones will still leave an extensive electronic
trail online, including their health records and financial
records, you know, and I guess I would ask you to elaborate
both on the cell records that we leave, our health care
records, all of the records that we leave just as a matter of
doing everyday activities.
Are those things left in the cloud somewhere? Is there a
way to ever completely erase them? And in terms of the actual
practice--and I don't want to make this too complicated--of law
enforcement, does law enforcement on a routine basis ask for
that data that is just kind of somewhere out there floating
without a clear reference point?
Mr. Felten. Well, as to what data there is and where it
might be stored, I as a consumer have little idea. Most
businesses keep extensive records of the interactions they have
with their customers. That is true in a lot of areas such as
health care as well.
Cell phone companies have records which they keep for some
length of time about the location and movement and calls, and
so on. And in today's world where computer storage is so cheap
the default, in a lot of cases, is to keep everything in the
hopes that there might be a business use for it.
And so I think it is very difficult for consumers to really
know exactly what exists, but as more things go online and as
areas like health care move toward electronic records and
toward networking you are going to see more and more of the
characteristics of the cloud emerging there as well.
Mr. Franks. But do you think--and I throw this last
question out, Mr. Chairman, to anyone to--do you think that
there is a vulnerability in general for the myriad amounts of
information that represent text messages, and pictures, and
things that people send all the time? Is that something that is
regularly or even irregularly accessed by either law
enforcement or hackers, or just in general?
I mean, how safe is our information out there right now? Is
it something where a lot of it is compromised?
Mr. Felten. Certainly there are compromises and it is
something that we should be concerned about. There are a lot of
different types of data and they can be mosaicked together to
get a lot of information about what people are doing, and
especially to track down people who might have special concerns
about being victims of crimes. I think it is an issue that is
important even beyond the scope of ECPA.
Mr. Franks. Mr. Chairman, it is an important issue and I
yield back.
Thank you all.
Mr. Nadler. Thank you.
I would like to follow up one thing Mr. Hintze said. You
mentioned private right of action by victims of hackers?
Mr. Hintze. Among the things we have supported would be a
private right of action for cloud service providers to go
after----
Mr. Nadler. Cloud service providers. Does the victim
already have that private right, does he not?
Mr. Hintze. I think under some cases that might be the
case. We do think that the service providers have the resources
and the incentives to really go after the hackers----
Mr. Nadler. And they don't have that private right of
action?
Mr. Hintze [continuing]. Private right of action today
under the Computer Fraud and Abuse Act.
Mr. Nadler. Thank you very much. I want to thank this panel
for their expert testimony, and thank you.
And let's seat the second panel. We are going to have a
series of votes in a few minutes but we can get some of this
done before that series of votes.
And again, thank you to the members of the first panel.
We will now proceed with our second panel. I would ask the
witnesses to take their places. In the interest of time I will
introduce the witnesses while they are taking their seats,
although I see they have already done that.
Kevin Werbach is an associate professor of legal studies at
the Wharton School, University of Pennsylvania. Professor
Werbach co-led the review of the Federal Communications
Commission for the Obama administration's presidential
transition team and was an advisor in broadband issues to the
FCC and the National Telecommunications and Information
Administration.
Earlier in his career he served as counsel for new
technology policy for the FCC during the Clinton
administration. Professor Werbach received his J.D. from
Harvard University and his B.A. from University of California
at Berkeley.
Fred Cate is the distinguished professor and C. Ben Dutton
professor of law, adjunct professor of informatics and
computing, and director of the Center for Applied Cybersecurity
Research at Indiana University.
I won't ask you today, but sometime you will tell me what
informatics is.
Professor Cate served as a member of the National Academy
of Science's committee on technical and privacy dimensions of
information for terrorism prevention, counsel to the Department
of Defense technology and privacy advisory committee, and as a
member of the Federal Trade Commission's advisory committee on
online access and security. He earned his undergraduate and law
degree from Stanford University.
Senior Investigator Thomas H. Hurbanek--and I hope I got
that right--is a 24-year veteran of the New York State Police.
He has been assigned to the state police computer crime unit
since 1997, working on investigations and forensic cases
involving computers and technology. His current assignment
involves supervising the cybercrime and critical infrastructure
response section of the computer crime unit, working jointly
with Federal and state agency partners to respond to incidents
impacting New York's computing infrastructure.
Kurt Schmid has been a law enforcement official for 40
years and currently serves as the executive director of the
Chicago High Intensity Drug Trafficking Area, or HIDTA,
program. Previous to this assignment Mr. Schmid served as
senior law enforcement advisor for the Counterdrug Technology
Assessment Center and the national director of the HIDTA
program in the White House Office of National Drug Control
policy in Washington for 10 years.
Marc Zwillinger is a founding partner of Zwillinger
Genetski, LLP, where for 10 years his practice has focused on
issues related to Electronic Communications Privacy Act, the
Wiretap and Communications Act, surveillance law and privacy.
Previously Mr. Zwillinger ran the privacy and security practice
groups at Sonnenschein Nath & Rosenthal and at Kirkland &
Ellis.
Prior to that he served 3 years as a trial attorney in the
computer crime and intellectual property section of the
criminal division of the Department of Justice. Mr. Zwillinger
earned his J.D. magna cum laude from Harvard Law School.
I am pleased to welcome all of you. Your written statements
will be made part of the record in their entirety. I would ask
each of you to summarize your testimony in 5 minutes or less,
and I presume you heard what I said about the lights earlier
and what they mean.
Before we begin it is customary for the Committee to swear
in its witnesses.
If you would please stand and raise your right hands to
take the oath?
Let the record reflect that the witnesses answered in the
affirmative, and you may be seated.
Well, we can start the testimony. We will see how far we
get before we are called to votes.
So I will recognize Professor Werbach to begin.
TESTIMONY OF KEVIN WERBACH, PROFESSOR, THE WHARTON SCHOOL,
UNIVERSITY OF PENNSYLVANIA
Mr. Werbach. Thank you, Mr. Chairman, Congressman Franks,
and Members of the Committee.
On the prior panel you heard from a number of cloud
computing vendors. As a business school professor who studies
emerging technologies I would like to give you a broader
picture of the business changes that the Internet has fostered
in recent years. Reform of ECPA should be considered against
the backdrop of these trends.
Cloud computing is not just a set of popular services like
Web mail or even a market segment; it is all around us. The
quarter-century from the birth of the personal computer
industry until 2000 marked the progress towards, in the words
of Microsoft's original mission statement, ``a computer on
every desk and in every home.''
Today the model is no longer one computer per person but
many devices for each user in different locations offering
different form factors and functionality. This multi-device era
is necessarily a connected era because devices draw upon the
network to offer services, and it is necessarily a cloud
computing era.
When users access their data from many devices that data
must be stored remotely or synchronized through the network. In
particular, the growth of mobile smartphones, like the iPhone
and Android devices, and newer classes like netbooks, tablets
such as the iPad, and set-top boxes eliminate the traditional
assumption that a personal computer is the sole repository of a
user's information and application. As these devices
proliferate file-hosting and software as a service will become
integral parts of the computing experience rather than options.
The Internet is no longer a nascent technology. There are
over 2 billion people around the world online. In 1986, when
ECPA was passed, there were no Web sites; in 1996 there were
roughly 100,000; today there are over 100 million.
Facebook was just founded in 2004. It now has half a
billion members worldwide. I could give many other examples.
As the external usage of the network has changed the
internal components have evolved as well. Google probably has
more Web-connected servers than the entire Internet did 15
years ago, all linked into a colossal virtual super-computer.
Many other providers are building their own cloud data
centers. All others tap into public clouds from companies like
Amazon.com.
Increasing bandwidth and storage are making the cloud
architecture increasingly pervasive. These cloud-based services
are online intermediaries. The Internet creates and depends
upon a large number of such intermediaries, including search
engines, ecommerce marketplaces, social networks, content
hosting tools, collaboration services, payment processors, and
more.
These intermediaries create value for users and sometimes
become application platforms of their own. However, they also
necessarily raise important privacy and security issues. By
their very nature cloud computing intermediaries require users
to give up physical control over their data. This distributed
processing can be transparent to the end user who may not
realize that her data is sitting in a pool of servers far away.
In several statutes Congress effectively made a deal with
online intermediaries. They avoid intermediary liability in
return for commitment not to meddle with their users' data and
to establish orderly procedures for access when sought for
legitimate purposes, such as law enforcement. This structure
underlies the safe harbors of Section 230 of the
Telecommunications Act of 1996 and Section 512 of the Digital
Millennium Copyright Act.
This safe harbor approach provides confidence for all
parties. A user has the confidence his or her information won't
be accessed inappropriately; the service provider has
confidence it won't accrue legal liability for the actions of
its users; and law enforcement and other outside parties such
as copyright holders have the confidence that service providers
will provide them with access to necessary information subject
to an appropriate process.
All that, however, depends on clear definitions. If user
data stored in the cloud is not subject to appropriate
protections from unauthorized access, both private and
governmental, trust in cloud computing could be undermined.
A loss of trust in the Internet would impact far more than
the companies providing cloud-based services. If users lose
their trust in online intermediaries some will use encryption
to make data less visible, some will keep more data locally
even when the cloud architecture provides clear benefits, and
some will simply engage in less activity online. These actions
will be based on incomplete information and confusion.
In other words, a drop in trust in online intermediaries
will inevitably add greater friction to the Internet economy.
The health of the Internet should be a national priority.
American businesses and consumers have benefited enormously
from the growth of our Internet economy during the past 2
decades and cloud computing represents the next evolution of
that economy.
Already, there are few Americans who do not have some of
their data stored on remote servers by these online
intermediaries. Congress must consider how to ensure that our
legislative and regulatory regimes do not undermine the
benefits the Internet provides.
Thank you.
[The prepared statement of Mr. Werbach follows:]
Prepared Statement of Kevin Werbach
__________
Mr. Nadler. Thank you.
We will now hear from our second witness. Professor Cate is
recognized.
TESTIMONY OF FRED H. CATE, PROFESSOR, DIRECTOR, CENTER FOR
APPLIED CYBERSECURITY RESEARCH, INDIANA UNIVERSITY
Mr. Cate. Thank you very much, Mr. Chairman, Mr. Franks.
I have been asked to present a brief overview of the Stored
Communications Act, and although I would rather describe almost
anything else I will nevertheless take the next few minutes to
do so. But before doing so I would like to say first, Mr.
Chairman, how much I appreciate your holding these hearings
today and the series of hearings that you have been holding
about Electronic Communications Privacy Act reform. It is a
critical issue and worthy of the attention that you and this
Committee have been devoting to it.
The primary constitutional limit on the government's
ability to obtain personal information about individuals is the
Fourth Amendment. However, under the Supreme Court's Third
Party Doctrine records disclosed to or held by a third party
receive no constitutional protection. Searches of these records
need not be reasonable and no judicial oversight is involved.
Congress responded to the Court's Third Party Doctrine
decisions by enacting a variety of laws to put in place
statutory protections where constitutional protections were
missing. One of those was the Stored Communications Act, which
deals, of course, as you know, with communications and other
records in electronic storage such as e-mail and voicemail.
The 1986 Senate report on the Stored Communications Act
explains that computer users at that time generally used
network services in two ways. First, they used networks to send
and receive e-mail.
Second, they used network services to remotely store and
process data--in other words, to do things which they could not
do on a local computer. Both of these sets of uses would
receive no constitutional protection so Congress enacted
statutory protection.
And the Stored Communications Act divides stored electronic
communications into two categories responding to these two
predominant uses in 1986. An electronic communication service
is defined by the statute as the temporary, intermediate
storage of a wire or electronic communications incidental to
the electronic transmission thereof, as well as storage for
certain backup protections. A remote computing service is the
provision to the public of computer storage or processing
services by means of an electronic communication system.
Now, records within an electronic communication service, an
ECS, are further divided into subcategories based on the
duration of storage. So government demands for records that are
held as part of an ECS that have been stored for 180 days or
less require a traditional warrant issued by a competent court.
To obtain material within an ECS that has been stored for
more than 180 days or to obtain material stored as part of an
RCS, or remote communication service, the government has three
options. It can use a warrant; it can use a subpoena, which has
no involvement of a court; or it can use a court order based on
specific and articulable facts, sometimes called a 2703D order,
or a D order, for short.
If the government chooses not to provide notice to the
individual then a warrant is required. If it does provide
contemporaneous, or in some cases delayed, notice then it may
use a subpoena or a D order, at its election. Under either
category of service, an ECS or an RCS, a service provider may
voluntarily provide the records to the government certain to--
subject to certain limitations.
Now, complicating this already somewhat complicated picture
is the fact that the Department of Justice believes, and most
courts who have considered the issue to date have agreed, that
the warrant requirement for records stored 180 or less only
applies to unopened e-mail. If you have opened the e-mail it is
automatically kicked into the more-than-180-days rule, which
would allow access without the involvement of a court.
Information about a customer's account, as opposed to the
content of a customer's communication, may be obtained under a
much lower standard, either, again, with a warrant, a 2703D
order, or, in the case of telemarketing fraud, merely upon
formal written request--it takes no judicial authorization at
all. And even more basic information, what the statute refers
to as ``basic subscriber information,'' such as name and
address and length of service and type of service and means of
payment, can be obtained with an administrative subpoena, a
grand jury subpoena, or a trial subpoena--again, no involvement
of a court; these can be issued by the law enforcement agency
itself.
This quite complicated set of arrangements is actually
described in a chart in my prepared testimony. It is rare that
I would ever refer you to a chart, but this is one instance in
which the Committee might find it of some use.
So let me conclude by noting, as I think you have heard
already, the Stored Communications Act has been the subject of
considerable criticism, and that criticism might be divided
into a number of categories. I would encourage you to
distinguish between two, however: those which related to the--
what we might think of as the ambiguity or the drafting of the
statute itself, and those--which I think have been highlighted
this morning--those caused by the transformation in the
technology, transformation which has actually rewritten the
statute without any action by Congress or by this Committee.
Thank you very much.
[The prepared statement of Mr. Cate follows:]
Prepared Statement of Fred H. Cate
__________
Mr. Nadler. Thank you.
As you may have noticed, the buzzers have rung. We have
four votes on--five votes on the floor. It will probably take
about 40, 45 minutes, of which 10 minutes have already elapsed.
So I thank the witnesses for their indulgence.
I will recess the hearing until immediately after the last
of the five votes, and I urge the Committee Members to return
as soon as possible immediately after the last vote. Pending
the completion of the votes on the floor the Committee is in
recess.
[Recess.]
Mr. Nadler. The Committee will reconvene, and I thank
everyone for their patience. We are about to hear from Mr.
Hurbanek, is recognized.
TESTIMONY OF THOMAS B. HURBANEK, SENIOR INVESTIGATOR, COMPUTER
CRIME UNIT, NEW YORK STATE POLICE
Mr. Hurbanek. Chairman Nadler, Congressman Franks, and
Members of the Subcommittee, my name is Thomas Hurbanek, and I
am a senior investigator with the New York State Police
computer crime unit, a statewide detail of specially trained
investigators and civilian staff that provides investigative
and forensic support to state, local, and Federal law
enforcement agencies. Thank you for the opportunity to testify
about ECPA reform and the revolution in cloud computing.
Today I would like to highlight the challenges that cloud
computing presents to state and local law enforcement officers
who are attempting to investigate and prevent crimes in order
to protect the citizens and businesses within their
jurisdiction.
We can look at cloud computing from two perspectives.
First, there is the delivery of computing services to end users
over the Internet; second, the migration of business computing
infrastructure to shared resources accessed over the Internet,
which can be provided within the enterprise or provisioned from
third party providers.
The connected consumer of today can be accessing and
storing information over the Internet using many devices--home
and work computers, one or more smartphones or other devices
connected to multiple wireless providers, GPS units, game
consoles, e-readers, even vehicles. The consumer can be
communicating with thousands of people using social networking
sites, multiple e-mail messaging and Internet telephone
accounts, and identities available from hundreds of possible
providers while also transacting business with thousands of
companies from around the world.
Criminals have adopted every piece of this technology and
used it to improve their ability to commit crimes or to
victimize individuals and businesses worldwide with no regard
for borders, laws, and jurisdiction. This can make
investigations involving the Internet daunting for the majority
of police officers and extremely challenging even for highly
trained investigators with access to advanced tools and
equipment.
One example is the theft of online banking credentials,
where highly organized groups are using very sophisticated
attacks to compromise legitimate Internet sites, infect the
computing devices we rely on, obtain legitimate access
credentials, and steal millions of dollars from consumers,
small- to medium-sized business, local governments, and school
districts. Banking regulators estimate that more money is being
stolen in online thefts than through traditional bank
robberies.
In the state of New York there are nearly 20 million
people. Citizens and businesses expect that when they call the
New York State Police or one of over 500 local police agencies
because they are a victim of crime that their case can be
investigated. When the crime involves the use of devices
connected to the Internet one of the primary sources of
information are business records maintained by private sector
entities from one-person, home-based business to multinational
corporations.
In New York State law enforcement does not have
administrative subpoena power. Requests for subpoenas must
first be reviewed by the district attorney and then presented
to a grand jury. Each county has its own procedure and criteria
for requesting and obtaining subpoenas, and in some
jurisdictions they can be difficult to obtain, especially for
investigations involving non-felony offenses.
Time is our enemy in Internet investigations. Records and
communications may not be retained or information may
intentionally or accidentally be deleted or corrupted. Technology
has created many new sources of information that may be
accessed by law enforcement equalized by the very number of
private sector entities that must be contacted to build
information during an investigation.
The advances of cloud computing present even more
challenges for law enforcement. I would like to highlight a few
of these.
Encryption: Companies are using advanced encryption
technology to secure data transmitted across the Internet. This
may create situations where law enforcement does not have the
technological means to access communications regardless of the
legal authority to do so. The recent concerns in many countries
about the encryption implemented on Blackberry devices
demonstrates this problem.
Virtualization: We are rapidly moving to an environment
where software applications run on virtual computers and
servers that can instantly----
Mr. Nadler. Excuse me. Could you enlighten us what you mean
by ``virtual computers and servers''?
Mr. Hurbanek. Yes. Virtual computers would be a server that
is run in memory, so it loads up and it runs only while the
machine is running and then shuts down. It is not a physical
device. So I could run--and the Rackspace guys could talk about
this--I could run 100 servers in memory on one machine. Does
that explain it, or----
So the applications or the computers could instantly be
started, stopped, refreshed, removing traces of data that law
enforcement has been able to access during the forensic
examination of seized computers. These virtual environments can
be operated outside of the United States.
Data storage: With the evolution of cloud computing
services the storage locations for data will often be out of
the jurisdiction of state and local law enforcement. Data will
also be stored outside of this country and not only in
jurisdictions that have a friendly relationship with the United
States.
And apps: Applications in the cloud can be accessed from
anywhere and data can be imported from one storage location,
processed, and returned to the original location or another
location.
At the New York State Police we cannot sit at our computer
and access the extensive data about individuals and their
transactions with companies on the Internet. There is no
database that lets me choose an individual and identify all of
the e-mail, messaging, and social networking accounts they use.
I cannot access the subscriber information for all Internet-
based telephone accounts like we have done in the past with
telephone subscriber directories.
I would like to close with an example from a recent case in
New York State. While investigating a business and executing a
search warrant at the business location it was discovered that
there were no financial records about the business stored on
site. All records were stored and processed on offshore servers
which were accessed from the business and the accountants for
the business accessed a limited number of records from a
different location to prepare tax returns.
This is just one example of how the technological advances
and jurisdictional issues created by cloud computing may
already be negating the fact that there are new sources of
transactional records being maintained by companies operating
on the Internet, especially in the case of state and local law
enforcement.
Thank you for the opportunity for the New York State Police
to provide testimony.
[The prepared statement of Mr. Hurbanek follows:]
Prepared Statement of Thomas B. Hurbanek
__________
Mr. Nadler. Thank you.
Mr. Schmid, you are recognized.
TESTIMONY OF KURT F. SCHMID, EXECUTIVE DIRECTOR, CHICAGO HIGH
INTENSITY DRUG TRAFFICKING AREA PROGRAM
Mr. Schmid. Thank you, Mr. Chairman and Representative
Franks.
I appear to you as a law enforcement official with over 40
years of experience, and many of those 40 years dealing with
ever-evolving communication and computer technologies and the
attendant challenge to preserve law enforcement's lawfully-
authorized electronic surveillance capability while maintaining
the privacy rights of individuals and sustaining industry's
ability to keep pace in a fiercely competitive market.
Preserving those intercept capabilities for law enforcement
while reforming and aligning the ECPA to address new and
emerging communication technologies are the primary themes of
my testimony today.
And, Mr. Chairman, if you would convey to Representative
Conyers that, like Representative Conyers, I was also here in
1986 in my similar capacity.
The face of crime today--many aspects of the traditional
criminal landscape have changed significantly as a direct
result of new technology. Law enforcement embraces new and
innovative technologies, the entrepreneurial opportunities they
present, and all of the other positive impacts these
technologies have on our society today.
However, law enforcement must be vigilant in how the
criminal exploits them to harm others. Many criminals have
exploited new technologies in ways not previously anticipated.
As an example, more traditional crimes like prostitution,
street corner drug trafficking activity, laundering and moving
illicit proceeds, just to name a few, have taken on an entirely
new dimension using networked technologies and offer the
criminal a cloak of invisibility from traditional public or law
enforcement observation and detection.
Criminals have created entirely new, more effective ways to
operate their illicit enterprises. Examples include using
social networking applications as an instant communication tool
to coordinate and conduct violent gang operations and attacks,
a recruiting tool that can enlist and indoctrinate criminal
cohorts from around the world, or an effective training
platform to teach ways to avoid detection. Crimes like identity
theft, human trafficking, child exploitation, among others,
have taken on a global aspect as a result of access to these
powerful technologies.
As more and more users migrate from desktops and laptops to
the now ubiquitous and powerful smartphone to conduct their
computing and communication functions traditional data
retention guidelines under ECPA no longer apply to providers of
these services. These data retention gaps have often manifested
themselves as an end of a trail of electronic evidence in many
major criminal investigations.
Simply stated, law enforcement must preserve its ability to
conduct lawfully-authorized electronic surveillance and must
have reasonable and expeditious access to stored information
that may constitute evidence of a crime committed or about to
be committed regardless of the technology platform on which it
resides or is transferred. Retention of this information by
service providers is of paramount importance to law
enforcement, also.
The law enforcement community has repeatedly learned that
the criminal quickly adapts new technologies to his repertoire
of tools not only to enhance his illicit activities, but also
to create--and we hope only a temporary--safe haven in which to
operate. Law enforcement, generally lagging the technological
capability and/or the legal precedent to intercept or access
communication and data, must deal with these difficult
situations for sometimes long periods of time before solutions
are found. Opportunities to sit at the table with industry,
privacy advocates, and lawmakers prior to major technology
rollouts are crucial to preventing sometimes years of
unintended consequences.
The rollout and subsequent activity facilitated by Congress
enacting the Communications Assistance for Law Enforcement Act,
or CALEA, in 1994 defined statutory obligations telecom
carriers had to implement to help law enforcement preserve its
ability to conduct lawful electronic surveillance. This action
was taken by Congress to preserve the public safety.
As challenging as it has been, CALEA also created the
opportunity for law enforcement to sit at the table with
industry and develop standards by which law enforcement
requirements can be addressed. Absent CALEA, law enforcement's
ability to conduct lawful intercepts would have been
significantly diminished or even eliminated.
A similar approach addressing cloud computing and other
emerging technologies seems reasonable and necessary in
reforming ECPA. Law enforcement's preference for preserving its
ability to access relevant electronic data to detect, prevent,
and solve crime is to sit at the table with lawmakers, privacy
groups, industry, and others to articulate its concerns and
requirements. Such a process will more likely result in
effective legislation that balances privacy and public safety
and sustains a reasonably equitable and level playing field for
industry.
If no action is taken to reform ECPA other less desirable
outcomes, namely awaiting a court's decision, sometimes
promulgated by officials not sufficiently steeped in relevant
technology, law enforcement operational or other privacy issues
may determine how we deal with these complex issues. This type
of undesirable outcome can lead to long periods of having to
comply with flawed case law.
In summary, law enforcement is constantly striving to
preserve, not extend, its lawfully-authorized electronic
surveillance and digital data access authority. A very
important component of that preservation involves retaining,
not relinquishing, established thresholds when subpoenas and
search warrants are appropriate. Subpoenas assist law
enforcement to focus on investigative targets, frequently
serving as a tool to eliminate innocent persons from being
investigated while serving to develop additional leads and
evidence on the offender in question.
Our Nation's citizens demand that law enforcement connect
the dots to detect, prevent, and retrospectively investigate
crime. Subpoena authority assists law enforcement to collect
those dots.
We live in a rapidly changing and dangerous world. Any
erosion of law enforcement's lawful access to digital
information while criminals are continuing to empower
themselves with these technologies of unprecedented capability
creates a perilous dilemma.
State and local law enforcement agencies, unlike government
agencies with abundant resources, are particularly susceptible
to and challenged by criminals exploiting emerging
communication technologies. A tragic but all too common--almost
daily--example of this susceptibility is a violent crime, such
as a homicide, committed in a local jurisdiction. A cellular
smartphone is often the key to solving the crime.
Quick access to data related to that phone often determines
whether or not the offender is captured before he commits other
egregious criminal acts. Lawful access to digital communication
media and sufficient retention of those data by service
providers are critical to state and local law enforcement's
daily investigative efforts and must be preserved.
Thank you for the opportunity to appear before you today. I
applaud your efforts to address this very important issue.
Thank you.
[The prepared statement of Mr. Schmid follows:]
Prepared Statement of Kurt F. Schmid
__________
Mr. Nadler. Thank you.
And Mr. Zwillinger is now recognized.
TESTIMONY OF MARC J. ZWILLINGER,
ZWILLINGER GENETSKI, LLP
Mr. Zwillinger. Thank you. Thank you, Chairman Nadler.
I am pleased to be back before this Subcommittee to discuss
ECPA reform and cloud computing. As you know, I have worked
with ECPA for over 13 years, both as a former DOJ attorney who
has taught prosecutors how to apply the law, and now as outside
counsel for Internet service providers.
Today I want to focus on three ways in which ECPA no longer
strikes the right balance between law enforcement interests and
user privacy when it comes to data stored in the cloud. First,
e-mails and other private messages lack adequate protection
under the law; second, the standard for law enforcement access
to stored files like documents and photos is too low; third,
ECPA's failure to address civil litigant and criminal defendant
access at all generates confusion and needless litigation.
To elaborate on my first point, e-mails are not fully
protected because ECPA does not state clearly enough that a
search warrant is required to obtain all types of stored e-
mails, and it does not protect e-mails regardless of age. In
fact, ECPA's protections run counter to user expectations.
If you are a typical e-mail user, the messages that are
most likely to be important to you and private are the ones
that you have already read and decided to save. Those e-mails
might include notes from a friend, communications with a health
care provider, or intimate messages from a spouse.
By contrast, the unopened messages in your inbox may be
spam, or ads, or automatically-generated confirmations that you
will delete without ever reading. Unfortunately, the
unimportant and unopened messages may be more protected than
the important ones.
Under ECPA the government needs a search warrant to access
messages in electronic storage for 180 days or less. But
electronic storage is defined as temporary, intermediate
storage incidental to transmission and the storage of such
message for backup protection.
When ECPA was passed, ISPs stored user e-mails only until
the user logged in and downloaded their mail. That storage was,
indeed, temporary and intermediate. After the user downloaded
the messages the ISP generally kept nothing.
Now services like Yahoo mail and Gmail and social networks
retain messages until they are deleted by the user. If users
don't download their messages when does temporary and
intermediate storage end?
DOJ believes that temporary storage ends the moment a
message becomes marked as ``read,'' even if it was only briefly
skimmed on a mobile device. That interpretation of ECPA is
arbitrary, as nothing magical happens when a user reads a Web
mail message. It stays exactly where it has been since it was
received--on a server in the cloud. In fact, a message can be
marked as ``read'' or ``unread'' regardless of whether the user
actually looked at it.
Federal statutory protection for e-mails cannot really
depend on how a user chooses to mark their mail. This ambiguity
about the protections for e-mails stored in the cloud needs to
be clarified.
An additional way in which ECPA fails to properly protect
e-mail is the 180-day rule. This statutory rule was based on
the fact that in 1986 e-mails were only stored briefly by the
ISP and any material it had after 6 months was likely to have
been abandoned by a user. This assumption, which is described
in the legislative history, has proven incorrect and it is time
to get rid of that restriction.
As to my second point, ECPA also underprotects stored
files, like photos or documents. Here the unilateral delayed
notice provisions are the culprit, making it too easy for the
government to obtain private content without user notice or
judicial oversight.
In fact, the government can get the content of such files
more easily than it can get transactional or other subscriber
records. Allow me two examples: If the government wants a list
of e-mail addresses with whom a user has communicated, it must
apply for a court order and it must show specific facts that
demonstrate the information is material to a criminal case.
Similarly, any data besides basic subscriber information, such
as a user's gender or birth date, also requires a court order.
But if a user stores a private journal in a password-
protected file online the government can get that private
journal with a mere subpoena and no notice to the user if it
believes that providing such notice might interfere with a
criminal case. If the same user kept the same journal on his
laptop, law enforcement would need a search warrant to get it
or it would have to serve the user directly with a subpoena so
that he could object.
So the government can get a user's private journal from an
ISP with a subpoena without judicial review or notice but needs
a judge's blessing to learn the user's gender or birth date.
That does not strike the right balance between privacy and law
enforcement needs.
In revising ECPA Congress should make clear that a subpoena
with delayed notice is not enough to access private content
stored online. Instead, the government should be required to
show a magistrate that there is probable cause to believe a
crime has been committed and that the user's account contains
evidence of that crime.
Finally, I want to briefly comment on ECPA's silence
regarding access by civil litigants and criminal defendants.
ECPA prohibits ISPs from disclosing the contents of
communications to anyone other than the government.
Often civil parties and criminal defendants are surprised
by this and file motions to compel production that are
misguided but costly. And while some courts have confirmed the
absence of civil discovery provisions in ECPA, other judges do
not initially recognize that such a prohibition exists because
it is not mentioned in the statute specifically.
This gets more complicated if a criminal defendant cannot
get access to files that he believes are exculpatory and key to
his defense. Some trial courts have ruled that the restrictions
in ECPA are unconstitutional to the extent they interfere with
a defendant's right to due process. An amended ECPA should
clarify the general prohibition on disclosure but create
exceptions in narrow circumstances with prior judicial review.
In conclusion, changes in technology and user behavior have
altered the way ECPA works in practice and the time is right
for a revision that restores the prior balance between law
enforcement needs and user privacy to reflect the uses of the
Internet in the 21st century.
Thank you for the opportunity to testify today.
[The prepared statement of Mr. Zwillinger follows:]
Prepared Statement of Marc J. Zwillinger
__________
Mr. Nadler. Thank you very much.
I recognize myself first for questioning.
Professor Werbach, we are mainly concerned with balancing
necessary access to data in the cloud by law enforcement with
the consumer's interests and personal privacy. You said, as a
number of others of our witnesses have said, that striking that
balance correctly will act as a driver for growth in the cloud
computing market and that not doing so would act as a deterrent
to business growth.
How could either uncertainty about government access or a
popular perception that such access is not adequately governed
impair that market, and what recommendations do you have from
your perspective as a business expert to make sure that doesn't
happen?
Mr. Werbach. Well, in terms of impairing the market, as I
said in my testimony, one issue is trust, that the growth of
this Internet economy, which, as I described, is not just a
narrow set of services but all the sorts of developments that
are happening based on this infrastructure depends on users and
service providers having a sense of trust that when they put
their data online that it will be protected. And anything that
interferes or diminishes that trust is going to have some
retarding effect.
Also, we are in a global environment here, so businesses
make decisions about where they invest based on the
environment. If they are going to invest in building
infrastructure, and building services, and marketing, and
building up customer bases here in the United States they have
to feel a confidence level that the processes and procedures
and protections around their data are appropriate, otherwise
they may choose to make those investments somewhere else.
So at every level the degree to which access to data and
protection of data is carried out is going to have some
influence on the decisions that get made and on the speed and
trajectory of this marketing.
Mr. Nadler. Thank you.
Professor Cate, in your testimony you described several
broad categories of criticism of the Stored Communications Act.
One category concerns the lack of publicly available aggregate
statistics detailing the extent to which third party providers
are routinely compelled to deliver customers' communications
and other private data to law enforcement agencies. You
indicate that because most service providers do not disclose
this information Congress has no reliable data to determine the
scale of requests and disclosures being made under the SCA.
Why do you think Congress should have access to this type
of information? What use might Congress make of such
information?
Mr. Cate. Thank you very much, Mr. Chairman. In most of the
laws which Congress has enacted which provide for access by the
government to private records it has required the government to
file reports with Congress on either an annual or a semiannual
basis saying how often do they use that authority and with what
effect. So this is true of wiretaps; it is true of pen
registers; it is true of trap and trace orders.
Having those statistics gives Congress a sound empirical
basis on which to evaluate how its laws are being used and
whether they need to be changed. It also provides that same
information for people such as those of us gathered at this
table when making recommendations to Congress. And it provides
information to the public and the press so that they know how
those laws are being used and to what effect.
But there is an additional value which I think is really
quite important and should not be overlooked, and that is by
making the government agencies themselves keep those
statistics, and therefore have to account internally for how
they are using those, we get stronger oversight internally. So,
for example, when the FBI, in reporting its use of national
security letters, grossly underestimated its use of those, as
pointed out by the Office of the Inspector General and the
Department of Justice, it provided the Department of Justice an
opportunity to go in and help build better procedures for
making sure that the FBI was using its authority given to it by
Congress appropriately. It is only by having that reporting
requirement you see that opportunity carried out.
Mr. Nadler. Thank you.
Mr. Hurbanek, I was intrigued by one thing you said. You
talked about a law enforcement investigation in which a warrant
was served on a business and that warrant proved fairly useless
because there was no information there; everything was stored
in the cloud.
Now, I assume that if you had the warrant--or if the law
enforcement agency, not you--if the law enforcement agency had
the warrant for the business they could have gotten a warrant,
if necessary, to look at the same information in the cloud. But
would that have done any good if the cloud is stored in a
virtual situation? In other words, you seem to have indicated a
situation for which the issue is not whether--I mean, there has
been an implicit discussion here today as to whether we should
require a warrant for some of these things, but you have
described a situation where whether you have a warrant seems to
be irrelevant because given the warrant you can't get the
information.
Mr. Hurbanek. Yes, Mr. Chairman, and that--we have evolved
from where we used to drive to a business and take all of their
computers out on a big truck.
Mr. Nadler. You should turn on your microphone.
Mr. Hurbanek. It is on.
Mr. Nadler. Okay. Go ahead.
Mr. Hurbanek. Okay. So we no longer drive to the business
and take the records in a truck; we would go to a business and
extract whatever data we had in our warrant. This is moving so
now the data----
Mr. Nadler. You would go to the business and extract
whatever data you had in the warrant by accessing their
computers on the site?
Mr. Hurbanek. Yes.
Mr. Nadler. You wouldn't take the computer?
Mr. Hurbanek. No. We don't take boatloads of business
computers very often anymore. And so now the data may be hosted
by the third party in the cloud which, if in the United States,
we would have access to and we could get there and secure the
data.
The concern then becomes, what if the data is not in this
country? And because of the business means and the
opportunities around the world it is quite possible. Now, we
have a lot of legitimate businesses testifying here today;
those are not the only people offering places to store data.
Mr. Nadler. So if I were an illegitimate business, or if I
were a business that wanted to cut some corners I would
probably--and if I were thinking about it--I would store it
abroad.
Mr. Hurbanek. And you see that a lot with Internet gambling
and things like that. Or the recent thing with military
secrets--the person who published those on the Internet
specifically is doing that from certain countries, not from
within the United States.
Mr. Nadler. I see. Now, assume a frequent traveler keeps
his private diary online instead of at his bedside table. This
user keeps it stored in the cloud so he can type diary entries
when he travels so that he doesn't have to ever leave his diary
in a strange hotel room; he has been doing so for several
years. The account he keeps it in is password-protected and he
has shared the password with nobody.
Mr. Zwillinger and others suggest that law enforcement can
get access to this diary by serving a subpoena to an online
service provider and certifying that providing the user with
notice may cause him to destroy evidence or flee the
jurisdiction. Is that true? And if so, should that be the law?
Mr. Hurbanek. That is interesting that--and the lawyers
have identified all of the problems with ECPA. It is very
confusing. We don't know where to begin.
In a traditional criminal investigation we would come upon
the existence of a diary maybe through interview, and we might
search for the diary. In the virtual world, in the cloud, if we
became aware that the person kept a diary the first question we
have to ask is, where?
Where might the diary be stored? How would we find it? Who
has it? Does it even exist?
We can't make the barriers to even finding the mere
existence of the diary so strenuous that we can't conduct our
investigation. Whether or not we can access the content and
obtain the diary is pretty well written.
Mr. Nadler. Mr. Schmid, do you have anything to say on
that?
Mr. Schmid. Thank you, Mr. Chairman. By example, it gets
more and more complex for law enforcement. Back in 25 years
ago, when--as an example, when we would conduct a lawfully-
authorized court-ordered wiretap we would serve typically one
order on the phone company, service provider.
Today it is not unusual for a law enforcement officer or
investigation to have to serve seven, eight, nine different
court orders to be able to either access or ascertain where
some of these data are lying. So it becomes very, very complex.
And add that to the dimension of being a foreign-owned
business; that really throws us way out of the ballgame.
So it does become extraordinarily complex in just the
process of how we access----
Mr. Nadler. Okay. Thank you.
My time is running short so I will ask Mr. Zwillinger one
quick question.
As I have listened to your testimony today I am struck by
how some of the assumptions that Congress made in 1986 about
consumer and business network and how to protect consumer
privacy obviously do not hold true in today's technology
environment. Everybody has said the same thing.
You make the case in your testimony that,
counterintuitively, non-content transactional data sometimes
receives more protection than content. Given your law
enforcement background, what might the law enforcement argument
be, if any, to justify continuing the legal framework whereby
some types of content are more easily obtained than some types
of transactional records? Any justification for that?
Mr. Zwillinger. Yes. You know, I don't think the Department
of Justice or law enforcement disagrees conceptually that
content should be more protected than non-content. I think when
you shift what the law has evolved to they are going to want to
defend the status quo because, as Mr. Schmid said, it is more
efficient for them.
But in order----
Mr. Nadler. Excuse me--all this massive confusion is more
efficient for them?
Mr. Zwillinger. I agree with you, Mr. Chairman. You know, I
don't think it is that confusing either, because--let me give
you an example.
They would probably try to defend the status quo by saying
that when you store things online with a service provider,
since the service provider has some right to access the data
the individual has given up some of their privacy. But I don't
think that is right. That is not the way the law generally
works.
If I store my photos in an online album and only my wife
and I have the password, and we do that so they don't get
burned in a fire and we can see them wherever we go, we are not
intending to give up any protection to the service provider,
and the fact that a service provider could access them does not
take away our privacy interests. It would be like law
enforcement saying, ``You have photo albums in your house but
we can get them without a search warrant because when the
photos were developed the person at Kodak could see the
pictures, and therefore you gave up your privacy interests.''
We don't think that way. We don't say there is no privacy
in a phone call because the operator in 1967 could have
listened in.
So I think that is what the argument would be. I think they
have made that argument before. I just don't think it works
well anymore.
Mr. Nadler. I see.
Thank you very much.
I now recognize the distinguished gentleman from Arizona.
Mr. Franks. Well, thank you, Mr. Chairman.
Professor Cate, if I could start with you and maybe give a
couple of others a shot at it, what do you believe would be the
one most significant change to ECPA that would clarify what you
believe is not clear and what is confusing to law enforcement
officials, and service providers, and courts in general? What
is the one thing that we could do to bring some clarity and
balance to the whole thing?
Mr. Cate. Thank you very much, Congressman. I would like to
see the law move to a requirement that a warrant is required to
obtain content without regard for whether the content is in an
e-mail that has been opened or not and without regard for how
long it has been stored so that we would draw a bright line,
universally applied, to say when seeking content the same
condition, whether you come to my home computer, you go to my
service provider, or you go to some recipient's computer, it
would be the same legal standard in all of those settings.
Mr. Franks. Mr. Hurbanek, what would you say to that?
Mr. Hurbanek. I think it requires a case-by-case debate. I
think our concern is mostly that the initial records can be
obtained, that we--and that the Federal Government take some
leadership that helps the states craft statutes that make sense
for us.
I know that is a big lift, but right now it is very
difficult for us to initiate investigation. It is tough to get
subpoenas and it is tough to get started. So we need to look at
this as to what information is material and relevant early on,
and then what steps do we have to take beyond that.
Mr. Franks. And what would you--can you first just tell us
what the term ``going dark'' means?
Mr. Hurbanek. Going dark? That is an FBI discussion about
the fact that we are losing our ability to see what criminal
enterprises are doing. Even if we had the rights to tap into
the communication we technologically may not be able to see
them.
Mr. Franks. Mr. Chairman, that almost seems like the
elephant in the room here, is that regardless of the potential
accessibility by law enforcement that the technology is
outrunning that, and that because of the virtual capability of
being able to access the cloud and then essentially
disappearing without any, you know, electronic traceable data,
it almost seems to me like that is going to be a real boon to
the bad guys.
Mr. Hurbanek, I will go ahead and stay with you for a
moment. Can you explain what is meant by storing records in
the--by storing a record in the cloud and what is a private
cloud? Help us understand what a private cloud is.
Mr. Hurbanek. Well, the private cloud--clearly business
isn't completely ready to put all of their corporate secrets
and enterprises out with a third party. That is an evolution
that is taking place.
The private cloud is when a company such as Amazon,
Rackspace, Microsoft--all the ones that are here--provide you
with the technology within your enterprise. So the data may
still be traveling over the Internet; the data may still be
stored in multiple locations and accessed remotely. But you do
maintain enterprise control of it.
Those will then scale to external third parties partially,
and ultimately completely. Even the Federal Government is
studying how to outsource to the third party.
Mr. Franks. Well, I want to--if I could I just want to go
down and ask each one of you to just--a couple sentences at the
most--to tell me, from your varying perspectives, what you
believe--the same answer would be the question I asked
Professor Cate--what is the one thing that you would do that
you think would be most significant to protect what you
consider to be the most significant issue involved here?
Professor Werbach?
Mr. Werbach. I would agree with Professor Cate that
something to remove these artificial distinctions and to
recognize that today putting information on these remote
servers is not fundamentally different for users than storing
them locally on a computer.
Mr. Franks. Skip you here, Professor.
Mr. Hurbanek, would you take a shot at it?
Mr. Hurbanek. And my answer would be that whatever
framework is set up it needs to be straightforward and
understandable, and we need to efficiently be able to access it
through whatever courts or prosecutors, and through whatever
third party companies house the data.
Mr. Franks. And would that take with it any sort of mandate
that the information be indexed in some way that would be
proprietary to law enforcement to be able to access?
Mr. Hurbanek. We don't normally ask companies to index the
data for us. They are indexing data and storing data for their
business purposes. We just ask that if it is relevant that we
can get access to it.
Mr. Franks. Mr. Schmid?
Mr. Schmid. To appropriately align the statutory and
regulatory aspects of a reformed ECPA to the current
technology. And that involves actually bringing clarity not
only to this body but also brings clarity to law enforcement.
And that seems to be where a lot of the confusion and a lot of
the issues that really, really prevent us from doing our job
effectively have come.
Mr. Franks. The way things are going that might also
include trying to discover a new type of physics. You know, it
looks like----
Mr. Zwillinger. On the same question I would agree with the
professor at the other end of the table. I think a probable
cause requirement for content in the cloud is the one thing you
could do.
And just to respond to Mr. Schmid earlier, the types of
materials we are discussing were not generally in the cloud or
stored online in 1986. That is, a content requirement where you
have a probable cause for all content really restores the
balance to where it was; this content was stored locally.
So it is not relinquishing or giving up law enforcement
access and law enforcement will still have the building blocks
for investigations through records--transactional records,
subscriber information. But content should be protected by a
warrant.
Mr. Franks. And there is no one on the group here that
believes that having some type of warrant requirement for
content specifically would severely restrict or significantly
restrict law enforcement's capability to protect us? Anyone?
No?
Mr. Cate. If I may, Congressman, I would just point out
that the Congress, again, in ECPA put in place a very
significant wiretap warrant requirement, and in the time since
that has been put in place we have seen just over 40,000
wiretap orders granted and fewer than 40 denied by courts. So
the argument that is often made about warrants is that it is
not a new impediment; it doesn't result in the data becoming
unavailable. It is a new process for getting access to the data
that requires that some other person other than just the
investigator be involved, play some oversight role.
Mr. Franks. Yes.
Mr. Cate. Thank you, sir.
Mr. Franks. Thank you all very much.
Thank you, Mr. Chairman.
Mr. Nadler. I thank all the witnesses. It is clear we have
two problems, one of which we can address here, and that is the
proper standards, and subpoenas, and warrants, and so forth,
and the other is advancing technology.
I would simply observe that that advancing technology is
part of the war between offense and defense that has been going
on since time immemorial and will continue to go on. And at one
point offense has got the trump hand and at the other hand the
defense, and that will continue going on. But we have to deal
with the legal consequences of as it is now and as it will be
in the reasonably foreseeable technological future.
So I want to thank all the witnesses for the helping hand
you have given us today.
Without objection, all Members have 5 legislative days to
submit to the Chair additional written questions for the
witnesses which we will forward and ask the witnesses to
respond as promptly as they can so that their answers may be
made part of the record. Without objection, all Members will
have 5 legislative days to submit any additional materials for
inclusion in the record.
And again, thanking our witnesses. And with that, this
hearing is adjourned.
[Whereupon, at 2:12 p.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record