[Senate Hearing 111-1002]
[From the U.S. Government Publishing Office]
S. Hrg. 111-1002
THE ELECTRONIC COMMUNICATIONS PRIVACY ACT: PROMOTING SECURITY AND
PROTECTING PRIVACY IN THE DIGITAL AGE
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 22, 2010
__________
Serial No. J-111-109
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
66-875 WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin
DIANNE FEINSTEIN, California
RUSSELL D. FEINGOLD, Wisconsin
ARLEN SPECTER, Pennsylvania
CHARLES E. SCHUMER, New York
RICHARD J. DURBIN, Illinois
BENJAMIN L. CARDIN, Maryland
SHELDON WHITEHOUSE, Rhode Island
AMY KLOBUCHAR, Minnesota
EDWARD E. KAUFMAN, Delaware
AL FRANKEN, Minnesota
JEFF SESSIONS, Alabama
ORRIN G. HATCH, Utah
CHARLES E. GRASSLEY, Iowa
JON KYL, Arizona
LINDSEY GRAHAM, South Carolina
JOHN CORNYN, Texas
TOM COBURN, Oklahoma
Bruce A. Cohen, Chief Counsel and Staff Director
Matthew S. Miner, Republican Chief Counsel
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Cardin, Hon. Benjamin L., a U.S. Senator from the State of
Maryland
Feingold, Hon. Russell D., a U.S. Senator from the State of
Wisconsin, prepared statement
Franken, Hon. Al, a U.S. Senator from the State of Minnesota
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont
prepared statement
WITNESSES
Baker, James A., Esq., Associate Deputy Attorney General, U.S.
Department of Justice, Washington, DC
Dempsey, James X., Esq., Vice President for Public Policy, Center
for Democracy and Technology, San Francisco, California
Jaffer, Jamil N., Esq., Attorney, Washington, DC
Kerry, Cameron F., Esq., General Counsel, U.S. Department of
Commerce
Smith, Brad, Esq., General Counsel and Senior Vice President,
Legal and Corporate Affairs, Microsoft Corporation, Redmond,
Washington
QUESTIONS AND ANSWERS
Responses of James A. Baker to questions submitted by Senator
Leahy, Specter and Feingold
SUBMISSIONS FOR THE RECORD
American Civil Liberties Union (ACLU), Laura W. Murphy, Director,
Washington Legislative Office, Christopher Calabrese,
Legislative Counsel, Washington Legislative Office, and Nicole
A. Ozer, Esq., Technology and Civil Liberties Policy Director,
Northern California, joint statement
Baker, James A., Esq., Associate Deputy Attorney General, U.S.
Department of Justice, Washington, DC, statement
Blaze, Matt, Professor, University of Pennsylvania, Philadelphia,
Pennsylvania, statement
Burr, J. Beckwith, Partner, Wilmer Cutler Pickering Hale and
Dorr, LLP, Washington, DC, statement
Competitive Enterprise Institute, Ryan Radia, Associate Director
of Technology Studies; The Progress & Freedom Foundation, Berin
Szoka, Senior Fellow and Director, Center for Internet Freedom;
Citizens Against Government Waste, Thomas A. Schatz, President;
Americans for Tax Reform, Kelly William Cobb, Executive
Director, Digital Liberty Project; and Center for Financial
Privacy and Human Rights, J. Bradley Jansen, Director,
Washington, DC, joint statement
Computer & Communications Industry Association (CCIA),
Washington, DC, statement
Constitution Project, Washington, DC, statement
Dempsey, James X., Esq., Vice President for Public Policy, Center
for Democracy and Technology, San Francisco, California,
statement
Department of Commerce, Comments of Digital Due Process, June 14,
2010, statement
Freeman, Frederick W., Student, George Mason University,
statement
Jaffer, Jamil N., Esq., Attorney, Washington, DC, statement
Kerry, Cameron F., Esq., General Counsel, U.S. Department of
Commerce, Washington, DC, statement
Schellhase, David, Executive Vice President and General Counsel,
San Francisco, California, statement
Smith, Brad, Esq., General Counsel and Senior Vice President,
Legal and Corporate Affairs, Microsoft Corporation, Redmond,
Washington, statement
THE ELECTRONIC COMMUNICATIONS PRIVACY ACT: PROMOTING SECURITY AND
PROTECTING PRIVACY IN THE DIGITAL AGE
----------
TUESDAY, SEPTEMBER 22, 2010
U.S. Senate,
Committee on the Judiciary,
Washington, DC.
The Committee met, pursuant to notice, at 10:10 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Patrick J.
Leahy, Chairman of the Committee, presiding.
Present: Senators Leahy, Cardin, Whitehouse, Klobuchar, and
Franken.
OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM
THE STATE OF VERMONT
Chairman Leahy. I apologize for the delay. In the back
room, we were settling all the problems of the world with our
distinguished witnesses, but I think that one of the things
that we have learned very quickly in this area is that the
Electronic Communications Privacy Act, or ECPA, is one of the
Nation's premier digital privacy laws. But it is only as
important as our efforts to keep it up to date might be.
It was 40 years ago that Chief Justice Earl Warren wrote
that ``the fantastic advances in the field of electronic
communication constitute a greater danger to the privacy of the
individual.'' That was 40 years ago. Now, Chief Justice Warren
could not have imagined--in fact, I do not know if anybody
could have 40 years ago--what types of communications we would
have today and the differences in it.
But what he said, even with all the changes, is as relevant
today as it was then. For many years, ECPA has provided vital
tools to law enforcement to investigate crime and to keep us
safe, while at the same time protecting individual privacy
online. As the country continues to grapple with the urgent
need to develop a comprehensive national cybersecurity
strategy, determining how best to bring this privacy law into
the Digital Age is going to be one of our biggest challenges,
especially here in Congress.
When Congress enacted ECPA in 1986, we wanted to ensure
that all Americans would enjoy the same privacy protections in
their online communications as they did in the offline world,
and at the same time allowing law enforcement to have access
under legitimate ways for information needed to combat crime.
We put together--and I remember very well the long negotiations
we had on that--a careful, bipartisan law designed in part to
protect electronic communications from real-time monitoring or
interception by the Government, as e-mails were being delivered
and from searches when these communications were then stored
electronically. But the many advances in communication
technologies have really outpaced the privacy protections that
Congress put in place.
ECPA today is a law that is often hampered by conflicting
privacy standards that create uncertainty and confusion for law
enforcement, for the business community, and for American
consumers.
For example, the content of a single e-mail could be
subject to as many as four different levels of privacy
protections under ECPA, depending upon where it is stored and
when it is sent. Now, no one would quibble with the notion that
ECPA is outdated, but the question of how best to update this
law does not have a simple answer. And I believe there are a
few core principles that should guide our work.
First, privacy, public safety, and security are not
mutually exclusive goals. Reform can, and should, carefully
balance and accomplish each.
Second, reforms to ECPA must not only protect Americans'
privacy, but also encourage America's innovation.
And, last, updates to ECPA must instill confidence in
American consumers.
I am pleased that we are going to hear from the General
Counsel of the Department of Commerce, who has unique insights
into the impact of ECPA on American innovation. We will also
get the views of the Department of Justice, which relies upon
ECPA to carry out its vital law enforcement and national
security duties.
Then we will have a panel of expert witnesses to advise the
Committee, and I applaud the work of the Center for Democracy &
Technology, Microsoft, and other stakeholders who are trying to
bring together industry consensus because we want something
that works. We want to protect privacy. We do not want to
stifle innovation. We want to make law enforcement possible in
the way with the privacies this country gives.
So having said all that, I thank those who are here. I
would ask my fellow panel members, Senator Cardin, did you have
anything you wished to say?
STATEMENT OF HON. BENJAMIN L. CARDIN, A U.S. SENATOR FROM THE
STATE OF MARYLAND
Senator Cardin. Well, Mr. Chairman, let me thank you very
much for holding this hearing. I think this subject is one that
just the hearing itself will have a beneficial impact. I think
we really need to understand that it is difficult to get ahead
of technology and we do not want to do anything in our laws
that prevents the development of technology. It is amazing what
we can accomplish today through our cell phones that we could
only imagine when this bill was originally passed.
Now, the question is how do you protect the privacy of
Americans, which is critically important and constitutionally
protected in a way that also allows for the appropriate law
enforcement tools to be effectively used.
I think it is important that we carry out one of the most
important responsibilities of the Senate, which is oversight,
to see how the current law is operating, to see whether it is
being administered--whether those who administer it have the
tools they need under existing law to effectively protect the
privacy of Americans and carry out their important work.
So I welcome this hearing. I think we come to it without
any preconceived thoughts as to what we need to do, but it is
important that we protect privacy, give the tools to law
enforcement that it needs, and understand that we do not want
to do anything that would hamper the development of technology,
which is critically important for America's advancement.
Chairman Leahy. Senator Franken.
STATEMENT OF HON. AL FRANKEN, A U.S. SENATOR FROM THE STATE OF
MINNESOTA
Senator Franken. I did not prepare an opening statement,
but I am really looking forward to this, just to hear things
like what kind of conflicts are inherent in protecting privacy
while at the same time protecting against things like identity
theft or what kind of conflicts there are in transparency
versus protecting business proprietary information, the
conflicts between sort of openness and yet protection. So I am
looking forward to the hearing, and thank you, Mr. Chairman,
for calling this.
Chairman Leahy. Well, thank you very much.
Our first witness will be Cameron Kerry. Mr. Kerry is the
General Counsel of the Department of Commerce, where he serves
as the Department's chief legal officer, chief ethics officer,
and is Chair of the Department of Commerce Privacy Council. Mr.
Kerry is somebody I have known for--I was going to say years--
decades, actually. He has been a leader on work across the U.S.
Government on patent reform and intellectual property issues,
privacy, security, efforts against transnational bribery.
Previously he was a partner in Mintz, Levin, a national law
firm, with over 30 years of practice. He has been a
communications lawyer, litigator in a range of areas, including
telecommunications, environmental law, torts, privacy, and
insurance regulation. Harvard College undergraduate, a law
degree at the Boston College School of Law.
Mr. Kerry, delighted to have you here. Please go ahead,
sir. Hit the ``Talk'' button. Is it on red?
STATEMENT OF HON. CAMERON F. KERRY, ESQ., GENERAL COUNSEL, U.S.
DEPARTMENT OF COMMERCE
Mr. Kerry. Thank you. Chairman Leahy and members of the
Committee, thank you for the invitation to testify today.
I think it is clear that in the 25 years since ECPA, the
Electronic Communications Privacy Act, was enacted, the
communications and information landscape has been transformed.
The authors of the law, including you, Mr. Chairman, recognized
that this landscape would evolve continually, but I doubt that
anyone foresaw the scale, the scope of the revolution that
would be fueled by mobile telecommunications, by the global
Internet, and by ever smaller, more powerful devices.
I welcome the Committee's decision to hold this hearing and
to begin another of its periodic reviews of ECPA. The goal of
this effort, as always, should be to ensure that as technology
and new market conditions change, ECPA continues to serve its
original purpose as articulated by this Committee: to establish
``a fair balance between the privacy expectations of American
citizens and the legitimate needs of law enforcement.''
I am especially pleased to be appearing today with
colleagues from the Department of Justice. We work with the
Department of Justice on an administration effort to develop
policies on commercial data privacy and a range of issues
related to information and communications technologies. While
our effort is in its early phases, it is guided by our shared
belief that legislative review of ECPA must be undertaken
carefully and must adequately protect privacy and build
consumer trust; must address concerns about competition,
innovation, and other challenges in the global marketplace; and
must allow the Government to protect the public in timely and
effective ways.
I would like this morning to highlight some of the points
in my written testimony about the importance of digital
communications innovation to the U.S. economy and society and
the contribution that ECPA has made to that innovation through
its privacy framework.
Over several decades, the explosion of electronic
communications, and especially the proliferation of broadband
Internet service and Internet-based services and applications,
as well as the expansion of wireless communications, has
created enormous benefits to our society. By some estimates,
the Internet contributes $2 trillion to the Nation's annual GDP
and supports some 3 million jobs. ECPA has contributed to this
remarkable growth as Congress recognized in 1986 the absence of
sound privacy protections for electronic communications
discourages potential customers from using innovative
communications systems and discourages American businesses from
developing innovative forms of telecommunications and computer
technology. In this area, trust is an essential element of
development.
ECPA created clear, predictable rules for service providers
and a protected, trusted environment for digital commerce. It
also ensured that law enforcement and national security
personnel can gain access to electronic communications, subject
to judicial oversight and consistent with the Fourth Amendment
and American principles. As your Committee examines ECPA and
its ongoing role in this process, you face the question whether
the sea changes in the digital communications environment since
1986 call for changes in the statute so as to preserve the
balance that Congress struck in 1986 and has maintained over
time.
Let me touch on some of the changes that have occurred.
One prominent example is the global growth of cloud
computing services. The range of services of platforms, of
applications that are available today remotely, and the
pervasiveness of their use far exceed the levels that existed
in remote computing 25 years ago. According to one projection
the Department of Commerce received, cloud computing revenues
are going to grow from $46 billion in 2009 to $150 billion in
2012, and by next year, 25 percent of new software deployments
are going to be cloud-based applications.
Another example is the growth of wireless service and
location services. In the United States alone, roughly 91
percent of the population now has a wireless phone. The use of
smart phones in the United States grew by roughly 51 percent
from 2008 to 2009, and the sales of those devices are expected
to eclipse earlier-generation cell phones by 2011. These phones
multiply the use of online services, and they also provide new,
unique, and informative data streams.
When a cell phone is on, a cell phone or other wireless
devices are in constant communication with nearby cell towers.
They supply information about the phone's whereabouts that is
necessary to supply the cell service. And, as those phones
deploy, many third-party applications providers are now
developing innovative services that use location services in
real time from carriers or from the devices themselves.
So cloud computing and the growth of wireless services and
location services are just some of the wholesale changes in the
ways that Americans use electronic communications. They signal
a pervasive shift in the volume-sensitive information that we
entrust to third parties. Clarity of rules is critical for
successful deployment, development, and adoption of innovative
services that have become part of the fabric of our society and
our economy.
So I want to thank you for the Committee's decision to
examine ECPA again. The administration stands ready to work
with the Committee as you move forward. We do not come with
proposals today, but we come ready to work to maintain the fair
balance of reasonable law enforcement access, individual
privacy protection, and clarity for service providers, for
investigators, and for judges.
Chairman Leahy. Of course, those are goals that we all
seek.
Mr. Kerry. Good.
Chairman Leahy. Now the hard part is how to fit it in.
Mr. Kerry. I would be happy to answer questions, Mr.
Chairman.
[The prepared statement of Mr. Kerry appears as a
submission for the record.]
Chairman Leahy. We want innovation, we want clarity, we
want people to understand the rules, we want law enforcement to
be able to use it, and we do not want to give up our ability to
communicate with each other, especially as this has become not
just a personal thing but it has become very much of a
business-oriented thing.
Your whole statement will be part of the record. I do
appreciate very much the offer of working with us because we
did this in a bipartisan fashion before, and I expect to do it
again as we update this.
In that case, we are very fortunate to have James Baker
with us. Mr. Baker is the Associate Deputy Attorney General at
the U.S. Department of Justice. He has worked extensively on
all aspects of national security investigations and policies
with the U.S. Department of Justice for nearly two decades. Am
I correct on that? He has also provided the United States
intelligence community with legal and policy advice for many
years. In 2006, he received the George H.W. Bush Award for
Excellence in Counterterrorism. For those who do not know that,
that is the CIA's highest award for counterterrorism
achievements. He also taught a course in national security
investigation and litigation at Harvard Law School and served
as a resident fellow at Harvard University Institute of
Politics.
Mr. Baker, please go ahead, and, again, your full statement
will be put in the record, but please go ahead and tell us what
you would like, sir.
STATEMENT OF HON. JAMES A. BAKER, ESQ., ASSOCIATE DEPUTY
ATTORNEY GENERAL, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC
Mr. Baker. Yes, thank you, Mr. Chairman. Mr. Chairman and
members of the Committee, thank you for the opportunity to testify
today on behalf of the Department of Justice regarding ECPA. It
is a pleasure for me to be here with our colleagues from the
Department of Commerce, and as Mr. Kerry said, we are working
closely with the Department of Commerce on ECPA reform.
I have just a few brief points that I would like to make in
my oral remarks today and then respond to any questions that
you might have.
For many years this Committee has been a leader in ensuring
that our laws appropriately balance privacy and economic
considerations with the Government's need to protect public
safety and national security. As we have done regularly in the
past, the Department looks forward to working with you again as
you examine whether ECPA is properly calibrated to address all
of these very important interests.
Although Congress has amended ECPA on several occasions
since it was first enacted in 1986, the statute has proven
remarkably resilient in its ability to keep pace with changes
in technology. Many of ECPA's key concepts and distinctions
remain fundamentally sound. Where changes have been necessary
over the years, we have worked closely with you to ensure that
those changes do not upset the delicate balance between
individual privacy interests and the needs of public safety. It
is essential that we do so again as we move forward.
In addition to getting the balance between privacy and
security right, I would like to emphasize a few additional key
points.
First, as some have mentioned, the Government relies
heavily upon the legal framework that ECPA establishes to
protect national security and public safety. ECPA is critical
to our ability to effectively and efficiently conduct
investigations of terrorists, gangs, drug traffickers,
murderers, kidnappers, child predators, cyber criminals, and
the whole range of criminal activity.
Second, it is vital that ECPA remain an effective and
efficient tool for these investigations. In particular, it is
essential that investigators have the ability under ECPA to
obtain non-content information about a suspect's activities in
a timely and efficient manner, particularly at early stages of
an investigation. These types of information are the basic
building blocks of our investigations, and if it is unduly
difficult for investigators to obtain such data, it may hamper
the Government's ability to respond promptly and effectively to
these real threats.
For example, in a recent undercover investigation, an FBI
agent downloaded images of child pornography and used an ECPA
subpoena to identify the computer involved. Using that
information to obtain and execute a search warrant, agents
discovered that the person running the server was a high school
special-needs teacher, a registered foster care provider, and a
respite care provider who had adopted two children. The
investigation revealed that he had sexually abused and produced
child pornography of 19 children. The man pleaded guilty and is
awaiting sentencing.
Finally, while we welcome the opportunity to work with the
Committee as it considers whether changes to ECPA are needed,
we urge you to approach that question with extreme care. It is
critical that Congress carefully evaluate any proposed
amendments to ensure that they do not adversely affect the
ability of Federal, State, local, and tribal authorities to
keep us safe from harm.
That said, I want to emphasize that the administration has
not taken a position on any particular ECPA reform proposal to
date, but we look forward to working with the Committee as it
begins consideration of these important matters.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Baker appears as a
submission for the record.]
Chairman Leahy. Thank you very much, Mr. Baker.
We have overlapping concerns here. Let me begin first with
Mr. Kerry. You obviously in your work with the Commerce
Department understand how our privacy laws are affecting our
economy. We are having all kinds of economic problems, and also
so many businesses and individuals are using the Internet,
e-mail, and everything else to improve their financial condition
of their businesses and so on.
Does ECPA still remain important to our economy?
Mr. Kerry. Absolutely, Senator.
Chairman Leahy. Press the button.
Mr. Kerry. OK. I am looking at the green light. Sorry. It
does, Mr. Chairman. One of the important aspects of ECPA is the
private rights of action that it creates, the expectations of
privacy that it establishes as a matter of law, and the set of
rules that it provides that providers as well as customers as
well as law enforcement officials and judges and magistrates
are able to follow.
Chairman Leahy. OK. And those rules become confusing enough
that it stifles innovation. I mean, even when this was written
and everybody thought we were at the cutting edge, it looks
pretty old-fashioned to go back to those days.
Mr. Kerry. Certainly the landscape has changed. There is no
question about that. I think what Mr. Baker said about the
adaptability of ECPA has proven true as well. I think this
statute, Mr. Chairman, has proved more adaptable to changes in
technology, for example, than the Communications Act. And I
think we need to move carefully in how we change because there
is a value in stability and predictability, in establishing a
set of rules, a known set of rules that everybody can operate
by, and certainly we need to look at unintended consequences.
So I think there are important questions about the
application to cloud computing, to business models for cloud
computing in the ways both that customers entrust data and what
providers are permitted to do with that data. But----
Chairman Leahy. Well, when you go from the commercial part
to another part--and I am going to be fairly careful in this
next question for Mr. Baker because I do not want to go into
classified areas. But you are well aware of some of the threats
to our National security on cybersecurity.
Mr. Baker. Yes, sir.
Chairman Leahy. A lot of it has been in the press, and
other parts we have been briefed on are pretty significant. So
how do we keep the openness? I was talking about my wife and I
e-mailing a friend in Europe back and forth, and it is like
doing it from our BlackBerrys and so on, and you do not think
anything about it. But you also have some major cyber threats
that we face. 2702 tells how providers can voluntarily share
electronic communications information with the Government, and
you know that has been used. How does that impact the way the
Government responds to threats to cybersecurity? And can that
be improved?
Mr. Baker. Well, Senator, I think you put your finger
exactly on one of the key points with respect to cybersecurity.
The main question is how do we appropriately share information
regarding cybersecurity threats between and among the private
sector entities that are involved and with those entities
sharing it with the Government. That is exactly the right
question.
ECPA lays out a framework for this, as do other laws, and
so we need to make sure as we go forward, the laws we have are
appropriate for today's circumstances with respect to
cybersecurity. And when I am talking about cybersecurity in
this context, I am talking not about necessarily pursuing a
particular criminal investigation of an intrusion of a
particular location. I am talking more about, sort of,
defensive cybersecurity, and that is where I think some of the
issues that you mentioned, the information sharing that ECPA
does regulate, are critically important.
And so, obviously, we need to work closely together to make
sure that whatever we do addresses our cybersecurity needs of
today at the same time is appropriate and gives appropriate
protection for the privacy of Americans.
Chairman Leahy. But you also go into the area of NSL
authority, and the Department seeks to expand its ability to
get information, electronic information without a court
approval.
Mr. Baker. Well, Senator, what our objective is, our
objective is to not expand what we are trying to obtain; it is,
rather, to restore the status quo that existed before with
respect to our ability to obtain information from providers.
Some providers have raised concerns about the way the current
statute is drafted. So we look forward to working with you to
come up with something that is acceptable to everybody, but our
intent is not to expand the scope of what we are doing but to
enable us to get what we actually were getting for many years
under the NSL authority with respect to this type of record.
Chairman Leahy. Well, my time is up, but I will work with
you and you could have your staff work with mine on this. I
know that the way of obtaining information and what is
available is a lot different from the days when I was in law
enforcement. But also the threats are a lot greater today, too.
So we will work together on that.
Senator Cardin.
Senator Cardin. Well, thank you, Mr. Chairman. Let me again
thank both of our witnesses.
Let me try to get to some of the practical applications
here. Several years ago, I visited an employer. It was a
hospital that was a new building, implementing new technology
at the time. And what they had, their employees all had to wear
identification badges, which is not unusual, but that
identification badge told the employer exactly where that
employee was at all times. So that the hospital could locate
the employee, know where the employee was, and provide a more
efficient, effective health care for the people that entered
the hospital.
I then met with representatives of the employees to see how
they felt about that. And they generally were OK, but they
said, you know, there are times when we should have privacy,
even at work, and that the protections weren't clearly in
place; that our employers would use it for management of health
care or could be using it to get information about us that
really was not appropriate for an employer.
So I raise the same question today with new technology
where the Government can track pretty much where everyone is
through the use of their cell phones. What protections do we
have under ECPA so that I know the Government is not trailing
me in private places? What standards are necessary? Is there a
difference in regard to whether I am in a public place or a
private place? What can you tell us about what the current law does
as far as protecting privacy, but yet allowing the Government
to pursue real-time information that is necessary for law
enforcement? And if you had to get a subpoena, does that hamper
your ability to get real-time information that may become
necessary?
So what are the tradeoffs here and how does the current law
apply to a real situation that, I must tell you, does concern
me?
Mr. Baker. Yes, I will start with that one, if that is
okay. There are several different parts of your question. So
the first thing was that you raised the prospect or the issue
with respect to private entities collecting this data and what
they----
Senator Cardin. I used that as an example. I am concerned
about Government.
Mr. Baker. Yes, because what ECPA focuses on, what we are
focused on is the interaction between--or the ability of the
Government to obtain information from the private sector in
certain circumstances.
Senator Cardin. I am just using that as an example of how
technology has changed.
Mr. Baker. So the basic idea is with respect to the kinds
of information you are talking about with respect to cell
phones, when you are talking about cell phone records, first of
all, just to be clear, my understanding of the technology--and
it is changing over time, but, you know, currently it is not
pinpoint accuracy with respect to where a person----
Senator Cardin. And I expect that will change over time.
Mr. Baker. As the technology develops, it may, Senator. But
currently, and at least in the immediate future, it gives you a
rough geographic location of where a person is. It does not
tell you exactly where they are in a particular building, for
example. So----
Senator Cardin. I do not want to get too technical. I asked
that question to some of the experts, and they tell me by
looking at the different cell phone towers, you can pinpoint
pretty closely to where people are today.
Mr. Baker. I think, again, it depends if you are in an
urban area, a suburban area, a rural area, things like that.
But I take your point, Senator.
But just to make clear, when the Government wants to get
historical cell site information which is critically important
for our investigations to find where someone is, for example,
in a kidnapping case, a murder case, a terrorism case. These
are all critical examples of where we need location information
in certain circumstances. We need to get a court order of some
sort. It is under a couple of different particular provisions
of ECPA. It is a showing of specific and articulable facts,
giving reason to believe that the information is relevant or
material to a lawful investigation. That is for historical
information and for some of the prospective information. With
respect to the prospective information, we combine an order
like that with a pen/trap order. So, in other words, to get
that kind of information, we do have to go to a court. It is
not a probable cause showing, clearly. It's lower than that.
But we do have to go to a court.
Senator Cardin. And that is not hampering you from getting
timely information?
Mr. Baker. I'm not going to say that in any investigation
ever that it has never hampered us or slowed us down, but I
think we are able to work effectively in the existing legal
regime in order to obtain this kind of information.
Senator Cardin. One more very quick question, Mr. Chairman.
As I understand the current law on e-mail communications,
it has some distinctions between the age--whether it is on your
home computer or centrally stored, whether it has been opened
or not opened, which may have been relevant in the 1980s, which
is no longer relevant today because e-mail is very comparable
to our traditional letters. Is there any reason for the
distinction on the standard necessary for the protection of e-
mail communications?
Mr. Baker. Well, Congress did make the judgment, as you
reflect, back in 1986, and since then to differentiate between
where a particular e-mail is, how old it is, who has access to
it, is it stored as a third-party record, has it been opened
yet, in other words, has the transmission been completed. So
the administration has not--I mean, that is the law today, but
the administration has not taken a position on changing that at
this point in time, but we look forward to working with you on
that.
Senator Cardin. Well, I appreciate you dodging the
question, and I understand--if there is a rationale, please let
us know the rationale. I am trying to figure out a rationale
for--I understand back then----
Mr. Baker. I think----
Senator Cardin.--e-mails were looked at a lot differently
than they are today. We thought they could not be stored
forever, and we now know they can be stored forever. So it
is----
Mr. Baker. Well, and I--Senator, I am sorry.
Senator Cardin. No.
Mr. Baker. I was just going to say, I mean, I think the
law--in a number of different ways, the law differentiates
between records that we store in our home, truly in our home,
and records that we store with third parties. It makes
distinctions in lots of different ways, and it differs
depending on whether it is in----
Senator Cardin. But don't you think we will be storing
almost everything in third parties in the near future? As you
pointed out, cloud computing is becoming the norm, not the
exception.
Mr. Baker. Well, the consumer, individuals, businesses have
to make a determination whether storing something in a cloud is
advantageous to them for a whole variety of reasons, including
whether it is secure--I mean, not just from the Government but
from malicious actors. Issues have been raised with respect to
that. Privacy issues, efficiency, accessibility to data, all
those kinds of things are different items that folks have to
work with.
Senator Cardin. [Presiding.] I appreciate it. I did not
realize that I was temporarily holding the gavel. I could have
gone on for a lot longer.
Senator Franken.
Senator Franken. Thank you, Mr. Chairman.
Mr. Kerry, I know that you said that you are not here to
make recommendations, and I kind of heard that from you, too,
in what I think the Chairman fairly characterized as an
evasion. But you guys really have clearly given this stuff a
lot of thought. That is kind of your job. So I am going to ask
you to ruminate here a little bit. What are the hard choices
here that we are going to have to make? This is for both of you
or either of you. Could you give me an example of what you
might think would be a tempting but unwise change in ECPA? And
what is a change we might make that is wise but is not obvious
at first blush?
Mr. Kerry. Well, Senator Franken, thank you. We have not
gone through all of the thought process that we need to go
through as an administration to answer all of those questions
concretely. But let me address one about the difficult choices,
and it goes back to Senator Cardin's question. It is how the
law should apply to location services and location information.
ECPA and the body of laws that it operates on draws a
fundamental distinction between content information and non-
content information. Interception of content, disclosure of
content are subject to higher standards. Location information
does not fit the--is not content of communications. Does it
necessarily fit within the non-content construct?
As Senator Cardin indicated in his discussion of his
experience in the hospital, there are different sets of
expectations, depending on the circumstances of the location
information, depending on the amount of that information. And I
think there is a----
Senator Franken. Can I give you an example? I am sorry to
interrupt, but in February, Newsweek reported that police
officers in Michigan had requested cell phone--you are talking
about location--cell phone location data for a group of people
congregating for a labor protest. The officer said they were
doing it to stop a possible riot. Now, what protections, Mr.
Baker, would you say are in place to prevent this sort of thing
from happening? I am sorry, but since you brought up location,
this seems to be a place where maybe abuse of the location is
there.
Mr. Baker. Senator, I do not know the particulars of that
particular investigation, but they should have been--in order
to obtain that information, they should have gone to a court.
They should have had to articulate what their reason was for
wanting that information, and they should have had a legitimate
law enforcement purpose to obtain that. If they had some other
purpose that they did not say, that they were not up front
about, or whether, you know, they covered up exactly what they
were doing, I have no way of knowing. But that is more of a
question, I think, of the legitimacy of the investigation as
opposed to the particular authorities or predication required
for obtaining that kind of information.
Senator Franken. OK. And there are different levels of
authority. Sometimes you need a warrant. Sometimes you need a
subpoena. Sometimes you need a super warrant.
Let me give you an example. Let us say I use Outlook and
you use Gmail. I send you an e-mail and you read it. In most
circuits, the Government would need to get a warrant to get the
e-mails stored on my computer in my Outlook sent messages
folder. They actually have to go before a judge and show
probable cause that they need this e-mail to investigate a
crime. But if the Government does not have probable cause, they
can get the e-mail from your Gmail because it is stored
remotely in a cloud. They do not need a warrant for that. They
can issue a subpoena for that all by themselves.
Do you think that the probable cause standard is weakened
when it is so easy to get an e-mail without a warrant?
Mr. Baker. Senator, I guess I am not sure that the probable
cause standard is weakened with respect to the ability to
obtain the communications from--I assume your computer is at
your home. That is why we need a warrant to get it. I am not
sure it is a question of probable cause. I would suggest that
it is more a question of whether collectively everyone thinks
that the balance between law enforcement interests and privacy
is appropriate in that circumstance. And that is one of the
things that we do not have a position on. I know it may seem
evasive, but we just do not have a position yet on that because
we have not finished our review of that.
But in any event, I take your point. I understand the
difference. There is a difference, and, again, the law
recognizes, and has for a long time, differences when
information is stored with a third party than when it is stored
in your home.
Senator Franken. OK. I am out of time, but, Mr. Kerry, I
did interrupt you, and I wanted to know if you wanted to finish
your response.
Mr. Kerry. Thank you, Senator. I think I conveyed the main
sense of my response.
Senator Franken. OK. Thank you both.
Thank you, Mr. Chairman.
Chairman Leahy. Senator Klobuchar.
Senator Klobuchar. Thank you very much, Mr. Chairman. Thank
you to both of you. It is good to see you.
As a former prosecutor, I listened to this and I think of
my old job. Every day we would be balancing that. One day I
would be authorizing a wiretap and sitting in on it, and the
next day protecting victims' sensitive information from getting
out on the Internet. And just recently, we have been working on
two issues in our office that are examples of how we have to
update the laws to be as sophisticated as the crooks that are
breaking them. One is the cyber stalking that has now become a
trend of offenses, as illustrated by the ESPN reporter who got
filmed in her hotel room and then it was put out on the
Internet. And then the other one was just the one that Chairman
Leahy has been leading and a number of us working on it,
pirated entertainment that has been sold not just on DVDs but
also on the Internet. And the criminal laws are not updated to
keep pace with what is happening with what the criminals are
basically doing.
So I think this is always a balance, and I guess my first
question would be of you, Mr. Baker, and that is, you talked
about how we should proceed cautiously when making changes to
ECPA, and you mentioned that you do not want us to change the
Electronic Communications Privacy Act in a way that would delay
law enforcement's ability to access time-sensitive data. And I
thoroughly believe in doing things for privacy, but at the same
time I know when these crimes occur and there is some madman
out on the street, people want to be able to locate him.
So are there changes you think that could be made to ECPA
that would make it easier for law enforcement to access
information while at the same time protecting our privacy
concerns?
Mr. Baker. Well, at the risk of saying the same thing again
that has gotten me in trouble so far, we just----
[Laughter.]
Senator Klobuchar. Try it with me.
Mr. Baker. We have not finished our--we simply have not
finished our review of that. We are looking at them closely, at
the various proposals that have been put forward. One of the
difficulties right now, frankly, is that we do not have
statutory language to actually look at and evaluate. And our
experience is that getting these words exactly right--I mean, I
have an amazing group of lawyers sitting behind me who are
experts in this area, and they spend lots of time trying to
understand and prognosticate about if you change this word,
what impact is it going to have on our investigations, our
ability to locate the kind of people you are talking about.
So, unfortunately, we do not have a position on the reforms
today to put forward, but all I would say is to echo what you
say. It is very important that we get this right, and we just
have to do it carefully.
Senator Klobuchar. You talk about the real-time mobile
phone location information. What level of scrutiny is required
to get that? And is it the same as GPS information that we now
can get?
Mr. Baker. It is not the same as GPS. So with respect to
the cell site information, which, again, is less precise than
GPS, you need to go to court, you need to get an order. It is
not a probable cause order. It is less than that. But,
nevertheless, you need to get an order.
When you start talking about latitude and longitude,
locating type of information, then you are talking about the
need to get a warrant because it can reveal that you are in a
constitutionally protected location, such as your home, and
moving about, let us say, in a home and being able to figure
out exactly where you are. So there are different standards
depending on how precise the information is that the technology
reveals.
Senator Klobuchar. And does that make sense to you? Do you
think there could be changes to that? Or do you want to wait
until----
Mr. Baker. Again, we are working on that, but it is a
distinction that the law recognizes in other areas as well.
Senator Klobuchar. And then also we talked here about that
180 days with the e-mail protection, with the open e-mail. Does
that still make sense to you? Are there privacy concerns there
with how that is working?
Mr. Baker. Well, again, we are looking at that. We are
working on it. We understand--I mean, we understand the privacy
concerns. We hear what folks are saying, and I have met
personally with the DDP Coalition, had a very fruitful
discussion with them, and it was very illuminating to me. So we
understand all of those concerns, but, again, our position is
if changes are to be made, then we just have to get them right.
Senator Klobuchar. OK. Mr. Kerry, I know in your testimony
you talked about the clear distinction between content and non-
content information at the heart of ECPA. How has technology
blurred that distinction?
Mr. Kerry. As new data streams become available, in part
the volume of data--location information being one example--
provides additional information about consumers' activities
that may provide information that begins to make a portrait
that is more than just the sort of identity information of a
pen register or of transaction records. Certainly when you get
to Internet searches and you go beyond simply a URL, that
becomes content. So these are areas where those boundaries
begin to blur because of the volume of information that becomes
available from a host of data streams and there becomes more
and more capability of capturing and of analyzing that data.
Senator Klobuchar. I just noted one last thing, that
Secretary Locke held a privacy and innovation symposium this
year, and I am sure we can get that information from your
staff. I head up the Subcommittee on Innovation for Commerce,
and obviously in Commerce this is an overlap between these two
Committees. We have focused on these privacy issues as well.
Did anything come out of that that would be helpful? Or do you
want to just send it to us?
Mr. Kerry. We have a number of streams of work that are
coming out with that. We are actually collating and drafting a
report, a discussion draft of some of the work that comes out
of the privacy inquiry and have other inquiries on free flow of
information, intellectual property, cybersecurity that are
already--I would be happy to share that with you.
Senator Klobuchar. Are you looking at how innovation and
new methods are sort of butting up against privacy concerns or
how we can use new technology to get at privacy concerns?
Mr. Kerry. Both of those, Senator. We are looking at
really--in parallel to the balance that ECPA strikes in the law
enforcement context, the balance between innovation,
competition, the global free flow of information, and privacy
and security.
Senator Klobuchar. OK. Thank you very much.
Mr. Kerry. Thanks.
Chairman Leahy. Thank you. Anything else for this panel?
[No response.]
Chairman Leahy. OK. Gentlemen, I appreciate this. I may
have a couple other questions for the record, but I would ask
both of you and your staffs to work with us as we try to put
together an updated ECPA. I think we know we need that. We just
do not want to throw the good out with the bad as we do it.
Thank you both very much.
Mr. Kerry. Thank you, Senator. We will look forward to
doing that.
Chairman Leahy. Thank you. And then the staff can set up
for our next panel.
Chairman Leahy. For our next witnesses, first will be James
Dempsey who currently serves as Vice President for Public
Policy at the Center for Democracy and Technology. Prior to
joining CDT in 1997, he was Deputy Director of the Center for
National Security Studies, previously served as assistant
counsel to the House Judiciary Subcommittee on Civil and
Constitutional Rights, concentrating on oversight of the FBI
and privacy and civil liberties; former associate in the law
firm of Arnold and Porter in Washington; former clerk of Judge
Robert Braucher of the Massachusetts Judicial Court; graduate
of Yale, law degree from Harvard. He is somebody who has
testified here before this Committee numerous times.
Mr. Dempsey, good to have you back, sir. Go ahead, please.
And, again, all witnesses' full statements will be made part of
the record.
STATEMENT OF JAMES X. DEMPSEY, ESQ., VICE PRESIDENT FOR PUBLIC
POLICY, CENTER FOR DEMOCRACY AND TECHNOLOGY, SAN FRANCISCO,
CALIFORNIA
Mr. Dempsey. Chairman Leahy, Senators, good morning. Thank
you for holding this hearing today.
In setting rules for electronic surveillance, we must
balance three critical interests: the individual's right to
privacy; the Government's need to obtain evidence to prevent
and investigate crimes, and the corporate interest in clear
rules that provide confidence to consumers and that afford the
companies the certainty they need to invest in the development
of innovative new services.
When it was adopted, ECPA well served those interests,
thanks in large part, Mr. Chairman, to your leadership and to
the willingness of companies, privacy advocates, and the DOJ to
work together to develop a balanced solution.
Today, it is clear that the balance has been lost. 1986 was
light years ago in Internet time. Powerful new technologies
create and store more and more information about our daily
lives and permit the Government to conduct surveillance in ways
or at a depth and precision that were simply impossible 24
years ago. It is those new capabilities that need to be
addressed.
ECPA has been amended in at least 18 statutes since 1986,
but almost all of those changes were at the request of the
Justice Department, not in response to privacy concerns. Almost
all of them expanded Government access to information. There
has never really been a comprehensive look at the statute since
1986.
Consequently, there are a few elements of ECPA that no
longer comport with the way people depend on this technology in
their personal and professional lives. E-mail, which a number
of Senators have cited, is an egregious example. The same e-
mail is subject to a judge's warrant one second and is
available with a prosecutor's subpoena the next. An open e-mail
is covered by the warrant in the Ninth Circuit, and it is
available without a judge's approval in the rest of the
country. Draft documents, calendars, address books stored
online are all available with a mere subpoena regardless of
age.
What is perhaps most important to recognize about the e-
mail standards is that they are constitutionally vulnerable.
Orin Kerr, a scholar well known to this Committee, has
concluded in his latest article that ECPA is unconstitutional
to the extent that it permits access to e-mail content without
a warrant.
The rules are also illogical and possibly unconstitutional
with regard to cell phone tracking data. The Justice Department
itself believes that it is best to use a warrant to use GPS to
track someone. However, the cell phone companies have been
making their cells smaller and smaller and have begun offering
mini cells, which are basically a cell tower for your home or
for your office, making tower data as accurate as GPS in some
cases.
Earlier this year, a diverse coalition was launched calling
itself Digital Due Process. The coalition said that ECPA needs
to be updated to provide full warrant protection to all e-mail
content and to location tracking data, subject to exceptions
for emergencies and cybersecurity and other exceptions.
The breadth and diversity of this coalition speaks volumes.
It includes not only CDT and ACLU, but also major Internet and
communications companies: AOL, AT&T, Microsoft, Google, eBay,
Salesforce. It includes conservative and libertarian groups:
ATR, Americans for Tax Reform; FreedomWorks; libertarian think
tanks. Individual supporters include former prosecutors, former
members of the CCIPS unit at DOJ. All are saying that the
current system is crazy; it just does not make sense anymore
and needs to be reformed.
Now, it is very important to appreciate the modesty and
reasonableness of this coalition's proposals. A fundamental
premise of our recommendations is that it is necessary to
preserve the building blocks of criminal investigations. Under
our principles we would continue to authorize the use of
subpoenas to get stored meta data on telephone calls; that is,
the dialed number information. We would continue to permit the
use of subpoenas to get subscriber identifying information. We
would not change the standard in Section 2703(d) of the statute
for getting transactional data regarding Internet
communications. We would preserve all the current exceptions,
including the emergency exceptions, which allow interception
without a warrant or without even a subpoena. We would preserve
the current cybersecurity exceptions. We would not propose any
changes to FISA or to the National Security Letter provision.
We do not propose changing any rules on getting information
directly from the subject of an investigation. So the FTC and
the SEC could continue to use subpoenas to get documents from
companies under investigation. We have focused on a very few of
the most salient problems: the e-mail content issue that a
number of Senators have referred to, and the location tracking
question.
Now, our proposals are just a first step. The process will
require further dialog, the engagement of other stakeholders,
and, most importantly, a dialog and discussion and compromise
with law enforcement agencies and understanding their
positions.
We want to be careful in our amendment of ECPA to avoid
collateral damage. We want to be incremental. We are not
proposing a general overhaul of the statute. We cannot fix
everything. We want to preserve the efficiency and speed and
the building blocks of investigations.
But, together, with dialog, with an understanding of the
technology and the way it has changed, we can reestablish the
goal that ECPA had in 1986: to balance law enforcement,
privacy, and business interests.
Thank you. I look forward to your questions.
[The prepared statement of Mr. Dempsey appears as a
submission for the record.]
Senator Cardin. [Presiding.] Thank you very much, Mr.
Dempsey.
We will now hear from Mr. Brad Smith, who is the Senior
Vice President and General Counsel, Corporate Secretary, and
Compliance Officer for Microsoft. He leads the company's Legal
and Corporate Affairs Department and is responsible for its
legal work, its intellectual property portfolio, and its
government affairs and philanthropic work.
Mr. Smith.
STATEMENT OF BRAD SMITH, ESQ., GENERAL COUNSEL AND SENIOR VICE
PRESIDENT, LEGAL AND CORPORATE AFFAIRS, MICROSOFT CORPORATION,
REDMOND, WASHINGTON
Mr. Smith. Well, thank you, Senator Cardin, Senator
Franken. I very much appreciate the opportunity to be here this
morning to offer just a few thoughts to introduce some comments
on this topic.
First, not surprisingly, those of us in industry are very
enthusiastic about where we think the next generation of
computing is going to take us. As we build data centers, as
more and more software and information move to the so-called
cloud, we make it cheaper for small businesses to implement
computing solutions; we make it easier for them to create new
jobs; we create more powerful tools for them to reach consumers
in new ways; we create new ways for individuals to communicate
and interact with each other. There is a lot of good that we
see in the new technology that is being created.
If we are going to go forward and if we are going to go
forward successfully, we need the right kind of legal rules in
this field. And I think that means three things: First, we want
to ensure that the law continues to be balanced--balanced
between the rights of citizens and the needs of Government with
respect to law enforcement. We need some certainty so that when
those of us in industry are designing this technology we can do
so with some confidence about how the law is going to be
applied to it. And we need some clarity. I might say we need
most of all clarity for consumers, for citizens, so that they
can understand what their rights and obligations may be.
Listening to this debate on this issue, listening to this
hearing this morning, there is obviously a first question,
which is: Does the law, does ECPA itself need to be updated.
Personally, I listened to that, and I am reminded of the story
of the emperor who was walking down the street in the parade.
This emperor has lost some of his clothes. And I think we need
to recognize that. People may be reluctant to say it until they
know exactly how they want to knit the next suit. But the truth
is the first step in knitting the next suit is to recognize
that the current one is increasingly tattered, and we really do
need to roll up our sleeves together and dig into the kinds of
questions that are important.
The reality today is that ECPA increasingly falls short of
a common-sense test, not because the law was flawed when it was
written in 1986, but because technology in some cases--not
every case, but in some cases--has simply passed it by. Why
should e-mail in somebody's inbox be subjected to a different
standard than e-mail in somebody else's sent mail folder? That
is the question posed by Senator Franken. Why should e-mail
that I move to my junk mail file and choose not to open be
subjected to a higher level of privacy protection than an e-
mail I receive and decide to read? That is hard to square with
common sense.
As we sit here in September, why should e-mail that I sent
in early March be entitled to less privacy protection than e-
mail that I sent in early April because of the 180-day rule?
Technology really is moving forward. It is continuing to
move forward, and we do need the law to catch up. There is no
substitute for action by Congress. I think that much has become
abundantly clear. We are talking about rights of Americans,
fundamental principles that have their roots in the Fourth
Amendment to the Constitution. But the reality is that the
Supreme Court earlier this year basically signaled that it is
not likely to move quickly.
In the Quon decision, there was one sentence that stood out
above all else, and I think that sentence speaks to it today.
The Court said, ``The judiciary risks error by elaborating too
fully on the Fourth Amendment implications of emerging
technology before its role in society has become clear.''
There is a lot of wisdom in those words. But they are also
discomforting because it takes time for the role of new
technology in society to become clear. And there is a certain
risk that by the time that role becomes clear, the technology
will be well on the road to becoming obsolete. It will be
replaced by something else. And if that is the case, then the
Fourth Amendment will never really catch up, and we must look
to Congress to fill the gap. Congress did that in the 1980s.
Congress needs to do that again today.
In closing, I am reminded of the advice offered recently by
famous basketball coach John Wooden. He said, ``One of the
important things to do in life is be quick but do not rush.''
We do need to be quick. We should not rush. We should use
hearings like this to sort out the issues. But we do need some
decisions to be made because if they are not, then we are going
to find that some new issues are going to emerge and there is
going to be a lot of pressure on everybody to rush far too
quickly.
Thank you.
[The prepared statement of Mr. Smith appears as a
submission for the record.]
Senator Cardin. Thank you, Mr. Smith.
Our next witness is Mr. Jamil Jaffer. Mr. Jaffer is a
private attorney in Washington, D.C. From 2008 to 2009, Mr.
Jaffer served as an Associate Counsel to President George W.
Bush. Prior to that appointment, he served in several senior
positions within the Department of Justice, including counsel
to the Assistant Attorney General for the National Security
Division and Senior Counsel for National Security Law and
Policy.
Mr. Jaffer.
STATEMENT OF JAMIL N. JAFFER, ESQ., ATTORNEY, WASHINGTON, DC
Mr. Jaffer. Thank you, Senator Cardin. I would like to
thank the Chairman and the Ranking Member for inviting me here
today. I would like to actually take on Mr. Smith's remarks and
take the advice of John Wooden. I am a UCLA graduate, so I will
also try to be quick but not rush.
I would like to address three items briefly today in my
oral statement: first, the threat that we face and the use of
these tools by the Government; second, briefly touch on the law
in this area; and then, third, suggest a path forward for
Congress to consider.
First, with respect to the threat, today we face an
increasing threat stream from cyber actors, whether they be
cyber criminals, child predators, or national security threats:
whether they be terrorists or foreign intelligence operatives.
Cybersecurity is critical. I know this; in the Government I
worked on the Comprehensive National Cybersecurity Initiative,
which has now been partially declassified by the
Administration. We are engaged in an effort, an ongoing effort,
to protect both Government and private networks from these
cyber threats. And the tools provided by ECPA play an important
role in allowing the Government to assemble the key building
blocks of investigations in this area. They help ferret out
child predators who hide out in virtual communities. They help
ferret out virtual terrorist caves. They help ferret out
virtual gang hideouts on the Internet.
They also help find the people who inhabit these virtual
hideouts on the Internet, and it is important to remember that
the key tools in ECPA, the non-content tools, are the ones that
really form the building blocks. And with respect to those non-
content tools, the Fourth Amendment does not the use of those
tools. As a general matter, the Supreme Court has held that the
Fourth Amendment does not protect information that you give to
third parties. That is because you always run the risk that a
third party is going to be a Government agent and is going to
hand over the information to the Government, whether
voluntarily or otherwise. And with respect to non-content
data--your dialed number data, who you send e-mails to and
from--that information generally also is not protected by the
Fourth Amendment because you provide it to a third-party
provider to route your data. And that has been the case since
Smith v. Maryland in the 1970s.
And so this is not new law. This is not a change in
technology. It is simply what the Fourth Amendment protects.
Now, Congress very wisely decided that is not enough. What
the Fourth Amendment offers is not enough. We need to provide
statutory protections to ensure that the privacy interests of
Americans are protected. In doing so, though, Congress decided
that it was important to balance security on the one hand, and
privacy on the other, and ECPA is an example of that. A lot of
times you will hear today: ECPA does not make a lot of sense.
The 180-day rule does not make sense. The opened e-mail rule
does not make sense. But these rules are not a product of any
constitutional decisionmaking. They are, fundamentally, the
compromise that Congress struck in enacting additional privacy
protections--beyond what the Constitution provides--in statute.
Now, Congress can and should consider revisiting those
privacy protections, but in doing so, it is important to think
about this balance that you heard about on the first panel.
And in thinking about that balance, we really have to consider
whether, at a time when these cyber threats are dramatically
increasing, at a time when cybersecurity is crucial and
Congress is considering how to provide tools in industry--and I
do not think the answer is regulation of industry; I think the
answer is providing tools to allow the Government to share
information with industry about cybersecurity threats--does it
really make sense to raise the bar on the Government in
protecting the security of American citizens? It may make
sense, but Congress needs to do it in a very careful, limited
way.
Now, as far as the path forward goes--and I see my time is
almost expired--I think the right path forward is as follows:
First, there are consensus things that industry, the
Executive Branch, and the Congress can agree to in the very
near future about how to fix ECPA. You can make ECPA easier to
use for industry. You can make it clearer. You can make it more
consistent. One of the fixes you could consider is how the
definitions of the various types of providers can be harmonized
and made one, because the fact of the matter is that providers
today in the cloud computing environment, provide multiple
sources, not just e-mail transmission and delivery; they also
provide remote computing services. You can harmonize these
definitions.
You can also provide industry with clarity about what it
can and cannot provide to the Government, and when it can and
cannot provide information to the Government; and you can make
it a lot clearer than it is today. This does not mean you have
to change what the Government can get and how the Government
can get it, but you can provide clarity. That I think can be
done in the next session of Congress without a problem.
With respect to the larger changes, some of the changes
proposed by the coalition that is out there today, as well as
others, about raising the requirements on the Government, in
terms of what they might get and how they might get it, those
need to be considered very carefully, particularly in light of
this growing threat stream.
With that, I appreciate the opportunity to present my
views, and I am happy to take questions.
[The prepared statement of Mr. Jaffer appears as a
submission for the record.]
Chairman Leahy. Well, thank you, and thank you for telling
me what we in Congress intended to do when we wrote the
legislation. As one of those who was there when we did it, it
is always good to be told what we were doing and what we were
compromising by even if it was somebody who was not there.
I do agree with you that we have got to have a balance that
allows us to protect law enforcement and allows us to protect
individual liberties and allows us at the same time to have the
innovation we need.
Let me go first to Mr. Dempsey. I commend you and the
Center for Democracy and Technology for being such persuasive
voices in trying to update ECPA, and I appreciate the work you
have done in trying to get some diverse voices together on
this.
But with your proposal, how would that improve, on the one
hand, digital privacy but also protect law enforcement and make
sure it has the tools it needs to investigate crime?
Mr. Dempsey. Mr. Chairman, one thing we were very careful
to do in our process here was to focus on preserving the
building blocks of investigations. That is, there is some data
that is appropriately available with a subpoena: the subscriber
identifying information, the telephone dialing information.
There is other information, as you go up the ladder, so to
speak, where a court order is required, but on less than a
finding of probable cause, on less than the constitutional type
standard, and we preserve that. And then, clearly, when you get
to the top of the stack, so to speak, when you get to the
content, that should be protected by the warrant.
Now, right now the courts are struggling with this. As Mr.
Smith said, they are not making much progress, but they are
casting a lot of uncertainty over the field. Courts are letting
some information in, letting it out, granting orders, denying
orders, vacating opinions where they came to one conclusion or
another.
I think one of the major benefits to law enforcement is the
certainty and the clarity. If you leave this to the courts and
then evidence gets thrown out, you get all the way through the
investigative process and evidence gets thrown out, that is the
worst that could happen to the prosecution. If you bring it
within ECPA, you have your exceptions, you have your
requirements on service providers to cooperate, you have your
rules on immunity, your rules on compensation, your rules on
how the information can be used. As the Justice Department has
said, those are very important rules.
Chairman Leahy. And so you believe that we can do this and
write it in such a way that it would be upheld? Mr. Jaffer has
spoken about it in the next session of Congress, although I--
and I agree with you, it could be. I also wish--and I am sure
you do, too--that we could do it in this session of Congress.
But this has been the most dysfunctional session of Congress I
can remember. That is just a personal view, but from one who
has been here 36 years. But tell me, Mr. Dempsey, can we do
that? This is the most difficult thing. I think----
Mr. Dempsey. I think we can----
Chairman Leahy. I think we have a bipartisan coalition on
this, but we also want to make sure we have something that is
going to be upheld by the courts.
Mr. Dempsey. Well, I think that one motto here is to work
incrementally. Do not try to solve everything at once. Do not
try to disrupt anything that does not need to be fixed or to
which we are not sure of the answer.
As Mr. Baker said, it is going to be important to start
looking at some legislative language because you really want to
make sure you are not having those unintended consequences.
Chairman Leahy. Well, let us take a specific one. The
Department of Justice proposed that we amend Section 2709 to
make it easier for the FBI to obtain electronic transaction
records. How do you feel about that?
Mr. Dempsey. Well, first of all, I think that that is a
perfect example of how we are taking a change without
considering the other aspects of the statute that might be
implicated. And with the Justice Department change, there is a
kernel of logic to what they are saying here, and there is a
problem with that provision of the statute.
The trouble is the Justice Department has been unwilling to
come forward and define for that purpose the key term in the
statute, ``electronic communications transactional records,''
which is a very broad term.
Now, if you look in 2703 of the statute on the criminal
side, Congress has actually drawn some lines, and I think those
are good lines that were drawn in terms of what should be
available with a subpoena or its equivalent, the National
Security Letter, versus what should require a court order. And
I think until the Justice Department is willing to give
definition to that term, which is a very broad term,
``electronic communications transactional records,'' I do not
think we can move forward on that 2709.
Chairman Leahy. I suspect they will be listening to what
you said here today.
With my colleagues' permission, I will just ask one more
question. My time has expired.
I know with Mr. Smith here and Microsoft are doing a great
deal to protect information and privacy, and you have called
for--the company has called for stricter privacy protections in
so-called cloud computing. Can ECPA reform help that?
Mr. Smith. I definitely think, Senator, that the updating
of ECPA fits into a larger set of issues that it is important
for Congress to address. As we look to the future, we really
think that there are three areas of the law that are related
that need attention. One relates to privacy, and part of the
privacy issue involves ECPA. Another part of the privacy issue
involves ensuring transparency and clarity for what service
providers do with customer information. So we believe that it
would make sense to take action there.
Second, we think that it is important to take new steps
with respect to security. We believe that law enforcement needs
new tools to be able to prosecute computer crimes. We believe
that service providers, such as ourselves, should have new
tools to help protect our customers against computer crimes. So
that is the second area.
Third, we believe new steps are needed across borders.
Information moves from country to country in such a way today
that in truth one cannot rely with confidence on the
expectation that only a single country's law will be applied to
a single piece of information. So we do need some new
international frameworks and some new international cooperation
as well.
Chairman Leahy. I agree with that. I am just trying to
figure out how we write it in such a way that it would take
care of the problem of the moment and not create new problems
as technology changes a week down the way. I go back again to
the Earl Warren statement I made at the beginning of the
hearing. And we will work with you on that flexibility. That is
why what all three of you have been saying here has been so
important.
Senator Cardin, and I apologize for taking extra time, but
I wanted to hear what Mr. Smith had to say on that.
Senator Cardin. Well, thank you, Mr. Chairman. I thank all
three of our witnesses.
Mr. Jaffer, let me first say that I agree with you that the
threats against this Nation are real, particularly as it
relates to cybersecurity. We have conducted some hearings on
cybersecurity, and the challenges are certainly very serious
and very difficult. But I must tell you, I strongly believe
that having the appropriate safeguards on law enforcement on
getting information makes us safer because then our resources
are used more effectively. And we are not flooded with
information that has limited value, but that we really are
focusing on the threats. I think it makes law enforcement
stronger rather than weaker if you do it right, and that is, of
course, what we are trying to do here.
Mr. Smith, I want to ask you a question about technology.
Are there any cautionary notes that we should be aware of as we
look at this statute and modifications of it, that we do not
have unintended consequences hampering the development of new
technologies that are important for this country?
Mr. Smith. I think that is a very good question, Senator
Cardin. I think there is fundamentally a risk in Congress doing
too much and there is a risk in Congress doing too little. I
think the definition of doing too much would be to deal with
issues before we have some confidence about how we really
should address them as a country, and I think that Mr. Dempsey
pointed us in the right direction when he said there is real
value in incrementalism.
The truth is any law that can go 24 years before people
come here and say it needs some updating passes a pretty high
bar. I think that if we can look to Congress to take steps once
a decade and solve the problems immediately before it, that is
a good thing. And if one tries to go farther than that, one
does risk creating unintended consequences.
I would say the flip side of the coin would be doing too
little because the law at this point is clearly in need of some
improvement.
Senator Cardin. That is good advice. I thank you, Mr.
Smith.
Mr. Dempsey, let me ask you a question about how we can
anticipate change. I know we do not know what technology is
going to look like 10 years from now, but we know it is going
to be different. We know that information exchanges are going
to take place in a much more timely way.
Is there anything we can do in a statute that protects us
with new technologies so that law enforcement can get the
information they need and privacy is protected, knowing full
well what the Chairman said, that Congress does not always act
quickly. Sometimes it takes us a while to get to where we need
to be. Is there anything, any advice that you might have for us
as to how we draft changes that can at least protect us during
transition as new technologies come effective?
Mr. Dempsey. Yes, I think that is an excellent question,
and I think there are two ways to approach that. One is to look
at what are the broad trends, and I think we can identify
some--what seem to me to be--pretty inexorable trends in
technology that are going to dominate innovation over the next
decade, let us say. One would be the cloud; that is, the
movement of data off of local servers onto interconnected,
Internet-based servers, and that is supported by ubiquitous
broadband. It is supported by cost-efficiency reasons why you
would do that. The data in the cloud in some ways may actually
be more secure and backed up and better protected than the data
stored locally. There are a lot of drivers pushing in that
direction, and I think so much of the data that we used to hold
locally in the office, in the home, on the laptop, on the
personal device, the handheld device, is moving into the cloud,
and that is where things are going to go. That is why we
focused on that as one of our recommendations.
The other major trend, I think, is mobility and the power
of that handheld device and the way it can support location-
based services and the way that that location data is becoming
more and more precise--the map services and the friend-finder
services and a whole host of other services that build on--when
you see services building on a technology, you can be pretty
sure that that is going to represent a significant trend. So
that is why of all of the non-content data, if you think of
location data as non-content, of all the non-content data, that
is one that sort of pops out immediately as this is just not
dialed number information, this is just not who is making a
phone call. This is very pervasive, very precise, very
different from anything we have ever seen before, really.
Another major trend is social networking, obviously, and
the social networks are becoming platforms not only for posting
photos but for one-to-one communication, real-time
communication, et cetera. Those are already included, I think,
in ECPA. It maybe would be interesting to pose that question to
the Justice Department to make sure they agree. I think those
platforms do fit within the statute.
So of the three trends, although a lot of that stored data
currently falls outside of the warrant protection, even purely
private stuff, the way the definitions work in the statute now.
So I think those three trends look to me as pretty reliable and
certain trends, and if we build around those, we sort of know
where we are going.
Senator Cardin. Thank you. I appreciate that answer, and I
really do appreciate all three of your testimonies.
Chairman Leahy. Thank you very much.
Senator Franken.
Senator Franken. Thank you, Mr. Chairman.
Mr. Smith, I was very glad to hear your answer to Senator
Cardin's question about essentially responding to the ``be
quick,'' because I was worried there that you are basically
saying that to keep up with the technology, Congress would have
to double the speed that it legislates every year.
[Laughter.]
Senator Franken. And I think that would be highly unlikely.
The once-a-decade sounds about right on this.
[Laughter.]
Senator Franken. And Mr. Jaffer did kind of speak to
Congress' intent when this was written in 1986, but technology
really, really, really, really has changed since then, which
you spoke to. And there seems to be something of a divide here
between you and Mr. Dempsey and Mr. Jaffer on this, and
specifically talking about someone who has an e-mail account
and you are in a cloud, you get your thing from a cloud, you
are on Gmail or something, and the distinction between
something I got 6 months ago and something I got yesterday and
something I have read and something I have not read, I think
most people would be surprised about this rather than sanguine.
And Mr. Jaffer seemed to think that this is settled law and
that we should be sanguine about it.
This, I guess, is for Mr. Dempsey. My understanding is that
there is a series of Supreme Court precedents that explain that
people can have protected Fourth Amendment interests in items
they store with third parties or on property that is not
theirs. Can you walk us fairly quickly through the precedents?
Mr. Dempsey. Well, you know, you can go all the way back to
1878 when the Supreme Court held that the letter passing
through the mail--I mean, you give your letter not merely to a
third party, but at that time to a Government agency,
voluntarily surrender it, and yet the Supreme Court held in
1878 that the Government cannot open that letter without a
warrant as it passes through the network.
If you have a storage locker, one of those storage lockers
where you store the junk that you do not really want to give
away or throw away, but you also do not want in your house, you
put it in a storage locker. You have a Fourth Amendment right
in that storage locker. The owner of the locker can even go in
to make sure nothing is deteriorating in there or going bad.
But for the police to get in, they need a warrant. Luggage,
closed containers of luggage checked or stored, subject to the
warrant protection, whether they are locked or not, whether
they are sealed or not.
So we have dealt with this already, and I think those
analogies are perfectly applicable now to this digital storage
locker or this digital storage function for the content--and we
are focusing here on the content. There are a lot of people who
argue that now the transactional data associated with the
Internet is so much richer than the dialed number information.
And I think there is a good argument there, and if you look
back at the original Supreme Court cases on pen registers, they
were very, very narrow. But for now, at least our coalition is
saying let us leave that content versus non-content distinction
in place. Let us provide lower protection for most of the non-
content data, but that content, like that letter in 1878,
should be protected regardless of where it is.
Senator Franken. OK. Speaking of the distinction, this may
be a little bit off topic if we are talking about law
enforcement and security. But you did talk about this as
business. This is about business. And this is--and individuals.
And I have a question about how do you make people feel safe to
use the cloud communicating activity and how much of your
information can be used by other commercial--can be used
commercially. How can one control information that is, you
know, about--say your e-mail traffic. And part of this is who
you are sending back and forth to, but they can see, like, oh,
he went to this or she went to this e-mail site or this website
to, you know, Track magazine, and therefore, let us sell them
shoes or--you know. What control over your information can you
have on the Internet or in your e-mail so you cannot have
people use your information commercially without your
permission? Is that a good question?
[Laughter.]
Mr. Dempsey. That is a good and clear question and a
critical one here. Speaking just for my own organization, the
Center for Democracy and Technology, we believe that the law
needs to be improved on that side, too. Now, we have tended, as
you suggest, to look at the law enforcement issues, which to
some extent have the foundation of the Constitution underneath
them; we look at the law enforcement governmental access issues
in one bucket; and we look at the commercial reuse, commercial
disclosure and advertising issues in another bucket.
I think it is better to keep them in separate buckets for
now if only because, as you are alluding to, this Committee has
jurisdiction over the question of governmental access; there
are entire other committees that have jurisdiction over the
commercial side of things.
Legislation has been introduced--most recently, Chairman
Rush of the House Subcommittee on consumer protection issues
has introduced some very good legislation that would improve
the rules and for the first time ever set baseline Federal
rules for all of those issues associated with advertising and
cookies and profiling on the commercial side. Like I say, I do
think it is best that we keep those separate.
By the way, if I could, Senator, one other point: The
question of commercial access should not prejudice the question
one way or the other of governmental access.
Senator Franken. I was going to ask Mr. Smith if he had a
reaction, but I am way over my time.
Chairman Leahy. Thank you.
Senator Whitehouse, thank you for joining us.
Senator Whitehouse. Well, based on Senator Franken's very
subtle invitation, I would be inclined to offer him the chance
to get his answer from Mr. Smith.
Chairman Leahy. Would you like--go ahead.
Senator Whitehouse. That was very subtle, by the way.
[Laughter.]
Chairman Leahy. Go ahead, Senator Franken, and this will
not come out of Senator Whitehouse's time. Go ahead.
Senator Franken. Well, subtlety is my forte.
[Laughter.]
Senator Whitehouse. That is why I am so surprised that you
departed from that strategy this time.
Senator Franken. I just saw that Mr. Smith has a reaction.
That is all. And I wanted to know if you wanted to speak to it.
Mr. Smith. Sure. And being a lawyer, brevity is obviously
mine.
There are two relationships here that are really important.
There is the relationship between a consumer and a company that
is a service provider, and there is the relationship between
the citizen and Government. And to get both of these
relationships right, I think we need to look to industry to do
its part, and we need to look to Government to do its part.
Those of us in industry I think have a responsibility to
build technology that is reliable, that is secure, that has
privacy protection built in, and we have a responsibility to be
transparent with consumers so they know what the practices are,
it is easy for them to understand them, and they can make real
choices. And then I think Government obviously has an important
role to play in both of these areas in terms of ensuring that
ultimately there are legal rules that give consumers the
confidence they need and strike the right balance between
consumer needs, industry innovation, and law enforcement.
Senator Franken. Thank you. Thank you for your brevity, and
I thank you, Senator Whitehouse.
Chairman Leahy. Senator Whitehouse.
Senator Whitehouse. Thank you. I appreciate the discussion
that has taken place, particularly with respect to e-mail, that
I think is confounding to even experts, let alone an ordinary
American who relies on their e-mail to communicate with friends
and businesses and has an expectation of privacy, a personal
expectation that, frankly, is not matched by questions of what
folder you happen to drop it into affecting how Government can
access it.
And I counter that to a very different hypothetical, and
let me sort of walk through the hypothetical. Let us say that
there is a dangerous virus that is out there on the Internet
that is potentially causative of harm to American businesses
and interests and so forth. And let us say that the virus has
an electronic fingerprint of some kind. You can identify it.
That is how you find it. And let us say further that that virus
can be housed by the people who are propagating it in the
content portion of e-mail. And that is how it propagates, that
is how it gets around, and that creates the vulnerability to 1
day that virus being triggered by those malign forces.
If there were a device that could do nothing but identify
that fingerprint and signal the presence of that dangerous
virus, because the virus could be propagated in the content
portion of the transmission, that device would have an ECPA
problem, would it not?
Mr. Dempsey. Senator, that is a good question. I----
Senator Whitehouse. Setting aside any question of
voluntariness under the notice under the Fourth Amendment that
there was one-party consent or any of that sort of stuff.
Mr. Dempsey. The current statute has in it a provision
specifically intended to allow service providers to monitor
their own networks, and to some extent, ISPs, service providers
at all levels, already are doing some of what you are talking
about there; that is, they are looking at the content
traversing their networks. For example, there is an awful lot
of spam that never gets through. The carriers have the total
right and discretion under the statute to look for spam and to
basically throw it away. And they can get----
Senator Whitehouse. So roll into the hypothesis that it is
the Government that is required to--because of the complexity
or the nature of the threat that it is the Government that is
required to have access to this information, not just the ISP.
Mr. Dempsey. So I think that----
Senator Whitehouse. Now it is an ECPA problem.
Mr. Dempsey. When you throw the Government in, you get a
different set of concerns. I think that there should be more
emphasis given to getting those signatures from the hands of
the Government into the hands of the service providers so they
can, in essence, add them to the list of what they are looking
for and what they are blocking and protecting themselves and
others----
Senator Whitehouse. Although there is often a very high
intelligence and security penalty to doing that because once it
is clear that it is known, an enormous amount of other
information can be deduced from that conclusion in some
circumstances.
Mr. Dempsey. In some circumstances, and we have to be
careful there. But the service provider----
Senator Whitehouse. So it is not a complete solution,
although it is an important direction--you want to maximize
that, but you cannot go to that point and say that solves the
problem, we are just going to give all the signatures to the
ISPs.
Mr. Dempsey. I really think we need to keep the Government
out of the center of the network here. The carriers do have
some ability under current law to disclose to the Government
what they find in their networks. And I think that the goal
should be that the Government protects its networks and has in
essence, I think, under the statute plenary authority to
examine traffic to and from the Government itself, on the
Government side of the network. On the private sector side of
the network, I just do not see how we are going to be able to
control getting the Government into the sort of----
Senator Whitehouse. Or more importantly, getting it back
out once it is in, right?
Mr. Dempsey. Exactly.
Senator Whitehouse. Well, I take your point, and I think
that is one of the predicaments we have to work with. But I
would also suggest that if you put side by side the restriction
on the Government in my hypothetical from being able to do
nothing more than identify the fingerprint of a particularly
dangerous virus that may be attacking our hospital systems,
that may be attacking our electronic grid, that may be
attacking our National security structure, and where there is
absolutely no inquiring human consciousness applied to the
substantive content of any e-mail, that that should be an ECPA
problem, and that it should be not an ECPA problem because an
American put something in the wrong file folder for an actual
inquiring Government human consciousness to be able to go and
read substantive content. Those two do not line up as far as I
can tell, and I think that is one of the inconsistencies that
we need to try to resolve.
Mr. Dempsey. And I think on the cybersecurity side, the----
Senator Whitehouse. Let me ask Mr. Smith on that because
you have got all the answer time so far and he was nodding
trying to get a word in.
Mr. Smith. I think it is a very good question. It is an
important hypothetical. It is exactly the kind of question we
should be focused on as this process moves forward.
I believe we have a lot of tools to deal with that kind of
situation today. It is an area where the industry is very
focused, and what you are describing is basically something we
do every day. We identify new fingerprints, and we are
certainly able to work as a service provider to try to keep
people from having them erode their computer files.
It is an area of law that is impacted not only by ECPA, but
by the Computer Fraud and Abuse Act and other things.
Senator Whitehouse. With all due respect to the industry, a
vast majority of our cyber vulnerability would disappear if we
could simply get up to basic public, regular, ordinary levels
of patching and security, and we have not even been able to do
that. So when you get into the smaller percentage where it is
really aggressive, really high end, we are dealing at the
cutting edge of sophistication with the people who probably
have not only the most dangerous capability but the worst
intent, it is even more awkward to say, well, rely on our
process because, frankly, that process is not even working for
getting stuff patched adequately.
Mr. Smith. Well, I would say one should rely on that
process in part, and one needs to look to Government as well.
And what we should do--and your question points us in the right
direction--is ask ourselves today, Do we have enough tools?
Would we benefit from having better and more tools? If the
answer is yes, then let us think about what kinds of tools
those should be.
Mr. Jaffer. Senator Whitehouse, if I might.
Senator Whitehouse. Well, my time has expired, so we are at
the Chairman's discretion. But if you would like to answer, Mr.
Jaffer, I will conclude with that. Thank you.
Mr. Jaffer. I appreciate the opportunity, Senator
Whitehouse. I think you raise excellent points, and these are
very important issues, something that we looked at in the
process of developing the Comprehensive National Cybersecurity
Initiative. And one of the challenges that we found was how to
share this information that the Government has--that you have
identified--with the private sector, without sacrificing
sources and methods. And I think that one way that Congress can
assist both the Government--the executive branch--and the
private sector with is creating a process by which that could
happen. And I think it is important that that process be housed
in the private sector, that there be trusted third parties who
can take the Government's information, hold it--with security
clearances--take the private sector's information, match it up,
figure out what the threats are, report back to industry to
help protect the industry, and if industry is comfortable--and
industry might not be--provide anonymized data back to the
Government about what threats are being seen at the boundary.
And if Congress can create a framework which allows the private
sector the ability to protect industry with Government
information without giving up sources and methods, that would
be a dramatic step forward, I think. And I think that folks on
the panel might agree on this very point.
And with respect to Senator Leahy's point on the intent of
Congress, I certainly intended no disrespect. In fact, I was
hoping to point to the wisdom of Congress in how that balance
was struck in ECPA.
Chairman Leahy. I did not hear any disrespect in it, Mr.
Jaffer. It just brought me back to the memory of all the
sitting and talking and trying to hold people together before,
and my concern about where we will go next. We did this as a
bipartisan effort before. We still pass bipartisan legislation.
John Cornyn and I passed an update on FOIA in the Senate last
night unanimously, and it shows that this can be done. This
should not be a partisan issue, and I do not see it that way. I
do appreciate the effort that corporations and private groups
and others and Government have done in helping us work on this.
I am glad, Senator Whitehouse, that we are not having to
feed the meter of all the people who have actually volunteered
their time to help us on it. And I have spoken only broadly
about the cybersecurity problems, but you only have to pick up
the paper and see the number of attacks on our computers at the
Department of Defense, at the CIA, and others, and I mean what
has been in the public press. And Senator Whitehouse knows from
his briefings on the Intelligence Committee, the briefings I
get in classified areas, it is a growing and will continue to
be a growing concern. It is no longer an idea of fiction, for
example, a power grid being shut down in the middle of winter
in the northern part of the country and what that might do. We
worry about somebody bringing an explosive on an airplane and
killing 100 or 200 people. You could have cyber attacks that
could kill thousands of people, and we have to guard against
that.
At the same time, I like to know that if I am in business,
for example, and I am working in my business and somebody is
stealing my trade secrets and getting away with it, but I also
want to know that if I am--that my own personal e-mails are
going around, the Government is not snooping in it just for the
sake of snooping in it.
So it is a difficult balance. I am urging the
administration to promptly provide the Committee with its
proposals to update ECPA. I thank the shareholders for sharing
their views on this issue. I would note that we will start work
on this very soon, and we are going to be back here for a lame
duck session. We will continue to work that. We have superb
members of the staff who have been working on it and will
continue to.
So this hearing today, any one of the people in the
hearing, if you get ideas, if you want to add it to your
testimony, feel free to do so, because we want that
information. And I will again reiterate that I want the
administration to come up with their proposals.
Do you have further----
Senator Whitehouse. Mr. Chairman, could I comment on that,
also? I do not want to interrupt your remarks, but as you have
pointed out, a number of committees that are looking at the
concern about cybersecurity are now working together to try to
put together a bill that we can move on. We are actually in a
fairly late stage in terms of addressing this from a point of
view of the risk. We are actually in an overdue stage; just
from a point of view of the legislative positioning we are at a
fairly late stage. And so I think that I would like to echo
your message to the administration that this is--it is getting
a little late to come before a Congressional Committee and not
have a point of view and not have a proposal. Unless they want
to be out of the debate or simply be commentators and let
Congress lead, that is their choice. But considering the extent
of the administration's role in this, I would hope that they
would take a more active role and be more proactive. So I would
like to echo that.
And the other thing I just wanted to echo is that I am
extremely strongly in favor of pushing as much of this to the
private sector as possible, that as much data should go to the
private sector, that should get out there; and the private
sector should be dealing with this to the maximum possible
extent. But you can make that argument until you are blue in
the face, and it will not take away the fact that there will
remain an area, whether it is because of revealing sources and
methods or because of the extraordinarily adept nature of the
technology involved or because of other national security
concerns, there will ultimately have to be a Government role,
and how we apply that in a way that we do not look like idiots
when people are out in front of their banks looking for cash
because the financial system is down and they cannot count on
their electronic receipts any longer; or up in Vermont the grid
is down, they are not going to be looking at Microsoft and
Verizon then. They are going to be looking at the President of
the United States; they are going to be looking at their local
police; they are going to be looking at the FBI; they are going
to be looking at the Army and the National Guard; and they are
going to want results. And we have to be ready to provide that
if that happens.
Chairman Leahy. I could not agree more. It is easy to say
we are all against terrorists. Of course, we are against
terrorists. We are all against criminals. Of course, we are
against criminals. Senator Whitehouse and I were both
prosecutors. But it is a different era. You talk about the--
without going into war stories, we would have periodic bank
robberies. We usually caught them because they were usually
dumb. And we would catch them fairly quickly. The most they
would have gotten away with is $10,000 or $15,000. I am very
much worried about a bank robber who sits offshore and steals
several hundred million dollars. And, you know, we worried
about the arsonists that burned one building. I worry about
somebody who could destroy whole blocks, whole communities.
So, anyway, we could all come up with the darkest
scenarios, but what we have to do is make sure we stop that. So
I thank you for taking the time. I also thank you for all the
time you took leading up to this and all the others whose
comments and testimony are part of the record.
This is going to be a priority, bringing this up to date,
of this Committee, and I pass that out to everybody who is
interested, and I thank you for your help.
[Whereupon, at 12:01 p.m., the Committee was adjourned.]
[Questions and answers and submissions for the record
follow.]