[Senate Hearing 111-1002]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 111-1002
 
   THE ELECTRONIC COMMUNICATIONS PRIVACY ACT: PROMOTING SECURITY AND 
                 PROTECTING PRIVACY IN THE DIGITAL AGE

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 22, 2010

                               __________

                          Serial No. J-111-109

                               __________

         Printed for the use of the Committee on the Judiciary




                  U.S. GOVERNMENT PRINTING OFFICE
66-875                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  

                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 JEFF SESSIONS, Alabama
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
RUSSELL D. FEINGOLD, Wisconsin       CHARLES E. GRASSLEY, Iowa
ARLEN SPECTER, Pennsylvania          JON KYL, Arizona
CHARLES E. SCHUMER, New York         LINDSEY GRAHAM, South Carolina
RICHARD J. DURBIN, Illinois          JOHN CORNYN, Texas
BENJAMIN L. CARDIN, Maryland         TOM COBURN, Oklahoma
SHELDON WHITEHOUSE, Rhode Island
AMY KLOBUCHAR, Minnesota
EDWARD E. KAUFMAN, Delaware
AL FRANKEN, Minnesota
            Bruce A. Cohen, Chief Counsel and Staff Director
               Matthew S. Miner, Republican Chief Counsel


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Cardin, Hon. Benjamin L., a U.S. Senator from the State of 
  Maryland.......................................................     2
Feingold, Hon. Russell D., a U.S. Senator from the State of 
  Wisconsin, prepared statement..................................   151
Franken, Hon. Al, a U.S. Senator from the State of Minnesota.....     3
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont.     1
    prepared statement...........................................   185

                               WITNESSES

Baker, James A., Esq., Associate Deputy Attorney General, U.S. 
  Department of Justice, Washington, DC..........................     6
Dempsey, James X., Esq., Vice President for Public Policy, Center 
  for Democracy and Technology, San Francisco, California........    15
Jaffer, Jamil N., Esq., Attorney, Washington, DC.................    19
Kerry, Cameron F., Esq., General Counsel, U.S. Department of 
  Commerce.......................................................     3
Smith, Brad, Esq., General Counsel and Senior Vice President, 
  Legal and Corporate Affairs, Microsoft Corporation, Redmond, 
  Washington.....................................................    17

                         QUESTIONS AND ANSWERS

Responses of James A. Baker to questions submitted by Senator 
  Leahy, Specter and Feingold....................................    33

                       SUBMISSIONS FOR THE RECORD

American Civil Liberties Union (ACLU), Laura W. Murphy, Director, 
  Washington Legislative Office, Christopher Calabrese, 
  Legislative Counsel, Washington Legislative Office, and Nicole 
  A. Ozer, seq., Technology and Civil Liberties Policy Director, 
  Northern California, joint statement...........................    47
Baker, James A., Esq., Associate Deputy Attorney General, U.S. 
  Department of Justice, Washington, DC, statement...............    57
Blaze, Matt, Professor, University of Pennsylvania, Philadelphia, 
  Pennsylvania, statement........................................    64
Burr, J. Beckwith, Partner, Wilmer Cutler Pickering Hale and 
  Dorr, LLP, Washington, DC, statement...........................    78
Competitive Enterprise Institute, Ryan Radia, Associate Director 
  of Technology Studies; The Progress & Freedom Foundation, Berin 
  Szoka, Senior Fellow and Director, Center for Internet Freedom; 
  Citizens Against Government Waste, Thomas A. Schatz, President; 
  Americans for Tax Reform, Kelly William Cobb, Executive 
  Director, Digital Liberty Project; and Center for Financial 
  Privacy and Human Rights, J. Bradley Jansen, Director, 
  Washington, DC, joint statement................................   101
Computer & Communications Industry Association (CCIA), 
  Washington, DC, statement......................................   108
Constitution Project, Washington, DC, statement..................   122
Dempsey, James X., Esq., Vice President for Public Policy, Center 
  for Democracy and Technology, San Francisco, California, 
  statement......................................................   125
Department of Commerce, Comments of Digital Due Process, June 14, 
  2010, statement................................................   141
Freeman, Frederick W., Student, George Mason University, 
  statement......................................................   153
Jaffer, Jamil N., Esq., Attorney, Washington, DC, statement......   156
Kerry, Cameron F., Esq., General Counsel, U.S. Department of 
  Commerce, Washington, DC, statement............................   171
Schellhase, David, Executive Vice President and General Counsel, 
  San Francisco, California, statement...........................   187
Smith, Brad, Esq., General Counsel and Senior Vice President, 
  Legal and Corporate Affairs, Microsoft Corporation, Redmond, 
  Washington, statement..........................................   201


   THE ELECTRONIC COMMUNICATIONS PRIVACY ACT: PROMOTING SECURITY AND 
                 PROTECTING PRIVACY IN THE DIGITAL AGE

                              ----------                              


                      TUESDAY, SEPTEMBER 22, 2010

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:10 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Patrick J. 
Leahy, Chairman of the Committee, presiding.
    Present: Senators Leahy, Cardin, Whitehouse, Klobuchar, and 
Franken.

OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM 
                      THE STATE OF VERMONT

    Chairman Leahy. I apologize for the delay. In the back 
room, we were settling all the problems of the world with our 
distinguished witnesses, but I think that one of the things 
that we have learned very quickly in this area is that the 
Electronic Communications Privacy Act, or ECPA, is one of the 
Nation's premier digital privacy laws. But it is only as 
important as our efforts to keep it up to date might be.
    It was 40 years ago that Chief Justice Earl Warren wrote 
that ``the fantastic advances in the field of electronic 
communication constitute a greater danger to the privacy of the 
individual.'' That was 40 years ago. Now, Chief Justice Warren 
could not have imagined--in fact, I do not know if anybody 
could have 40 years ago--what types of communications we would 
have today and the differences in it.
    But what he said, even with all the changes, is as relevant 
today as it was then. For many years, ECPA has provided vital 
tools to law enforcement to investigate crime and to keep us 
safe, while at the same time protecting individual privacy 
online. As the country continues to grapple with the urgent 
need to develop a comprehensive national cybersecurity 
strategy, determining how best to bring this privacy law into 
the Digital Age is going to be one of our biggest challenges, 
especially here in Congress.
    When Congress enacted ECPA in 1986, we wanted to ensure 
that all Americans would enjoy the same privacy protections in 
their online communications as they did in the offline world, 
and at the same time allowing law enforcement to have access 
under legitimate ways for information needed to combat crime. 
We put together--and I remember very well the long negotiations 
we had on that--a careful, bipartisan law designed in part to 
protect electronic communications from real-time monitoring or 
interception by the Government, as e-mails were being delivered 
and from searches when these communications were then stored 
electronically. But the many advances in communication 
technologies have really outpaced the privacy protections that 
Congress put in place.
    ECPA today is a law that is often hampered by conflicting 
privacy standards that create uncertainty and confusion for law 
enforcement, for the business community, and for American 
consumers.
    For example, the content of a single e-mail could be 
subject to as many as four different levels of privacy 
protections under ECPA, depending upon where it is stored and 
when it is sent. Now, no one would quibble with the notion that 
ECPA is outdated, but the question of how best to update this 
law does not have a simple answer. And I believe there are a 
few core principles that should guide our work.
    First, privacy, public safety, and security are not 
mutually exclusive goals. Reform can, and should, carefully 
balance and accomplish each.
    Second, reforms to ECPA must not only protect Americans' 
privacy, but also encourage America's innovation.
    And, last, updates to ECPA must instill confidence in 
American consumers.
    I am pleased that we are going to hear from the General 
Counsel of the Department of Commerce, who has unique insights 
into the impact of ECPA on American innovation. We will also 
get the views of the Department of Justice, which relies upon 
ECPA to carry out its vital law enforcement and national 
security duties.
    Then we will have a panel of expert witnesses to advise the 
Committee, and I applaud the work of the Center for Democracy & 
Technology, Microsoft, and other stakeholders who are trying to 
bring together industry consensus because we want something 
that works. We want to protect privacy. We do not want to 
stifle innovation. We want to make law enforcement possible in 
the way with the privacies this country gives.
    So having said all that, I thank those who are here. I 
would ask my fellow panel members, Senator Cardin, did you have 
anything you wished to say?

 STATEMENT OF HON. BENJAMIN L. CARDIN, A U.S. SENATOR FROM THE 
                       STATE OF MARYLAND

    Senator Cardin. Well, Mr. Chairman, let me thank you very 
much for holding this hearing. I think this subject is one that 
just the hearing itself will have a beneficial impact. I think 
we really need to understand that it is difficult to get ahead 
of technology and we do not want to do anything in our laws 
that prevents the development of technology. It is amazing what 
we can accomplish today through our cell phones that we could 
only imagine when this bill was originally passed.
    Now, the question is how do you protect the privacy of 
Americans, which is critically important and constitutionally 
protected in a way that also allows for the appropriate law 
enforcement tools to be effectively used.
    I think it is important that we carry out one of the most 
important responsibilities of the Senate, which is oversight, 
to see how the current law is operating, to see whether it is 
being administered--whether those who administer it have the 
tools they need under existing law to effectively protect the 
privacy of Americans and carry out their important work.
    So I welcome this hearing. I think we come to it without 
any preconceived thoughts as to what we need to do, but it is 
important that we protect privacy, give the tools to law 
enforcement that it needs, and understand that we do not want 
to do anything that would hamper the development of technology, 
which is critically important for America's advancement.
    Chairman Leahy. Senator Franken.

STATEMENT OF HON. AL FRANKEN, A U.S. SENATOR FROM THE STATE OF 
                           MINNESOTA

    Senator Franken. I did not prepare an opening statement, 
but I am really looking forward to this, just to hear things 
like what kind of conflicts are inherent in protecting privacy 
while at the same time protecting against things like identity 
theft or what kind of conflicts there are in transparency 
versus protecting business proprietary information, the 
conflicts between sort of openness and yet protection. So I am 
looking forward to the hearing, and thank you, Mr. Chairman, 
for calling this.
    Chairman Leahy. Well, thank you very much.
    Our first witness will be Cameron Kerry. Mr. Kerry is the 
General Counsel of the Department of Commerce, where he serves 
as the Department's chief legal officer, chief ethics officer, 
and is Chair of the Department of Commerce Privacy Council. Mr. 
Kerry is somebody I have known for--I was going to say years--
decades, actually. He has been a leader on work across the U.S. 
Government on patent reform and intellectual property issues, 
privacy, security, efforts against transnational bribery. 
Previously he was a partner in Mintz, Levin, a national law 
firm, with over 30 years of practice. He has been a 
communications lawyer, litigator in a range of areas, including 
telecommunications, environmental law, torts, privacy, and 
insurance regulation. Harvard College under graduate, a law 
degree at the Boston College School of Law.
    Mr. Kerry, delighted to have you here. Please go ahead, 
sir. Hit the ``Talk'' button. Is it on red?

STATEMENT OF HON. CAMERON F. KERRY, ESQ., GENERAL COUNSEL, U.S. 
                     DEPARTMENT OF COMMERCE

    Mr. Kerry. Thank you. Chairman Leahy and members of the 
Committee, thank you for the invitation to testify today.
    I think it is clear that in the 25 years since ECPA, the 
Electronic Communications Privacy Act, was enacted, the 
communications and information landscape has been transformed. 
The authors of the law, including you, Mr. Chairman, recognized 
that this landscape would evolve continually, but I doubt that 
anyone foresaw the scale, the scope of the revolution that 
would be fueled by mobile telecommunications, by the global 
Internet, and by ever smaller, more powerful devices.
    I welcome the Committee's decision to hold this hearing and 
to begin another of its periodic reviews of ECPA. The goal of 
this effort, as always, should be to ensure that as technology 
and new market conditions change, ECPA continues to serve its 
original purpose as articulated by this Committee: to establish 
``a fair balance between the privacy expectations of American 
citizens and the legitimate needs of law enforcement.''
    I am especially pleased to be appearing today with 
colleagues from the Department of Justice. We work with the 
Department of Justice on an administration effort to develop 
policies on commercial data privacy and a range of issues 
related to information and communications technologies. While 
our effort is in its early phases, it is guided by our shared 
belief that legislative review of ECPA must be undertaken 
carefully and must adequately protect privacy and build 
consumer trust; must address concerns about competition, 
innovation, and other challenges in the global marketplace; and 
must allow the Government to protect the public in timely and 
effective ways.
    I would like this morning to highlight some of the points 
in my written testimony about the importance of digital 
communications innovation to the U.S. economy and society and 
the contribution that ECPA has made to that innovation through 
its privacy framework.
    Over several decades, the explosion of electronic 
communications, and especially the proliferation of broadband 
Internet service and Internet-based services and applications, 
as well as the expansion of wireless communications, has 
created enormous benefits to our society. By some estimates, 
the Internet contributes $2 trillion to the Nation's annual GDP 
and supports some 3 million jobs. ECPA has contributed to this 
remarkable growth as Congress recognized in 1986 the absence of 
sound privacy protections for electronic communications 
discourages potential customers from using innovative 
communications systems and discourages American businesses from 
developing innovative forms of telecommunications and computer 
technology. In this area, trust is an essential element of 
development.
    ECPA created clear, predictable rules for service providers 
and a protected, trusted environment for digital commerce. It 
also ensured that law enforcement and national security 
personnel can gain access to electronic communications, subject 
to judicial oversight and consistent with the Fourth Amendment 
and American principles. As your Committee examines ECPA and 
its ongoing role in this process, you face the question whether 
the sea changes in the digital communications environment since 
1986 call for changes in the statute so as to preserve the 
balance that Congress struck in 1986 and has maintained over 
time.
    Let me touch on some of the changes that have occurred.
    One prominent example is the global growth of cloud 
computing services. The range of services of platforms, of 
applications that are available today remotely, and the 
pervasiveness of their use far exceed the levels that existed 
in remote computing 25 years ago. According to one projection 
the Department of Commerce received, cloud computing revenues 
are going to grow from $46 billion in 2009 to $150 billion in 
2012, and by next year, 25 percent of new software deployments 
are going to be cloud-based applications.
    Another example is the growth of wireless service and 
location services. In the United States alone, roughly 91 
percent of the population now has a wireless phone. The use of 
smart phones in the United States grew by roughly 51 percent 
from 2008 to 2009, and the sales of those devices are expected 
to eclipse earlier-generation cell phones by 2011. These phones 
multiply the use of online services, and they also provide new, 
unique, and informative data streams.
    When a cell phone is on, a cell phone or other wireless 
devices are in constant communication with nearby cell towers. 
They supply information about the phone's whereabouts that is 
necessary to supply the cell service. And, as those phone 
deploy, many third-party applications providers are now 
developing innovative services that use location services in 
real time from carriers or from the devices themselves.
    So cloud computing and the growth of wireless services and 
location services are just some of the wholesale changes in the 
ways that Americans use electronic communications. They signal 
a pervasive shift in the volume-sensitive information that we 
entrust to third parties. Clarity of rules is critical for 
successful deployment, development, and adoption of innovative 
services that have become part of the fabric of our society and 
our economy.
    So I want to thank you for the Committee's decision to 
examine ECPA again. The administration stands ready to work 
with the Committee as you move forward. We do not come with 
proposals today, but we come ready to work to maintain the fair 
balance of reasonable law enforcement access, individual 
privacy protection, and clarity for service providers, for 
investigators, and for judges.
    Chairman Leahy. Of course, those are goals that we all 
seek.
    Mr. Kerry. Good.
    Chairman Leahy. Now the hard part is how to fit it in.
    Mr. Kerry. I would be happy to answer questions, Mr. 
Chairman.
    [The prepared statement of Mr. Kerry appears as a 
submission for record.]
    Chairman Leahy. We want innovation, we want clarity, we 
want people to understand the rules, we want law enforcement to 
be able to use it, and we do not want to give up our ability to 
communicate with each other, especially as this has become not 
just a personal thing but it has become very much of a 
business-oriented thing.
    Your whole statement will be part of the record. I do 
appreciate very much the offer of working with us because we 
did this in a bipartisan fashion before, and I expect to do it 
again as we update this.
    In that case, we are very fortunate to have James Baker 
with us. Mr. Baker is the Associate Deputy Attorney General at 
the U.S. Department of Justice. He has worked extensively on 
all aspects of national security investigations and policies 
with the U.S. Department of Justice for nearly two decades. Am 
I correct on that? He has also provided the United States 
intelligence community with legal and policy advice for many 
years. In 2006, he received the George H.W. Bush Award for 
Excellence in Counterterrorism. For those who do not know that, 
that is the CIA's highest award for counterterrorism 
achievements. He also taught a course in national security 
investigation and litigation at Harvard Law School and served 
as a resident fellow at Harvard University Institute of 
Politics.
    Mr. Baker, please go ahead, and, again, your full statement 
will be put in the record, but please go ahead and tell us what 
you would like, sir.

   STATEMENT OF HON. JAMES A. BAKER, ESQ., ASSOCIATE DEPUTY 
  ATTORNEY GENERAL, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. Baker. Yes, thank you, Mr. Chairman. Mr. Chairman and 
members of the Committee, thank you the opportunity to testify 
today on behalf of the Department of Justice regarding ECPA. It 
is a pleasure for me to be here with our colleagues from the 
Department of Commerce, and as Mr. Kerry said, we are working 
closely with the Department of Commerce on ECPA reform.
    I have just a few brief points that I would like to make in 
my oral remarks today and then respond to any questions that 
you might have.
    For many years this Committee has been a leader in ensuring 
that our laws appropriately balance privacy and economic 
considerations with the Government's need to protect public 
safety and national security. As we have done regularly in the 
past, the Department looks forward to working with you again as 
you examine whether ECPA is properly calibrated to address all 
of these very important interests.
    Although Congress has amended ECPA on several occasions 
since it was first enacted in 1986, the statute has proven 
remarkably resilient in its ability to keep pace with changes 
in technology. Many of ECPA's key concepts and distinctions 
remain fundamentally sound. Where changes have been necessary 
over the years, we have worked closely with you to ensure that 
those changes do not upset the delicate balance between 
individual privacy interests and the needs of public safety. It 
is essential that we do so again as we move forward.
    In addition to getting the balance between privacy and 
security right, I would like to emphasize a few additional key 
points.
    First, as some have mentioned, the Government relies 
heavily upon the legal framework that ECPA establishes to 
protect national security and public safety. ECPA is critical 
to our ability to effectively and efficiently conduct 
investigations of terrorists, gangs, drug traffickers, 
murderers, kidnappers, child predators, cyber criminals, and 
the whole range of criminal activity.
    Second, it is vital that ECPA remain an effective and 
efficient tool for these investigations. In particular, it is 
essential that investigators have the ability under ECPA to 
obtain non-content information about a suspect's activities in 
a timely and efficient manner, particularly at early stages of 
an investigation. These types of information are the basic 
building blocks of our investigations, and if it is unduly 
difficult for investigators to obtain such data, it may hamper 
the Government's ability to respond promptly and effectively to 
these real threats.
    For example, in a recent undercover investigation, an FBI 
agent downloaded images of child pornography and used an ECPA 
subpoena to identify the computer involved. Using that 
information to obtain and execute a search warrant, agents 
discovered that the person running the server was a high school 
special-needs teacher, a registered foster care provider, and a 
respite care provider who had adopted two children. The 
investigation revealed that he had sexually abused and produced 
child pornography of 19 children. The man pleaded guilty and is 
awaiting sentencing.
    Finally, while we welcome the opportunity to work with the 
Committee as it considers whether changes to ECPA are needed, 
we urge you to approach that question with extreme care. It is 
critical that Congress carefully evaluate any proposed 
amendments to ensure that they do not adversely affect the 
ability of Federal, State, local, and tribal authorities to 
keep us safe from harm.
    That said, I want to emphasize that the administration has 
not taken a position on any particular ECPA reform proposal to 
date, but we look forward to working with the Committee as it 
begins consideration of these important matters.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Baker appears as a 
submission for the record.]
    Chairman Leahy. Thank you very much, Mr. Baker.
    We have overlapping concerns here. Let me begin first with 
Mr. Kerry. You obviously in your work with the Commerce 
Department understand how our privacy laws are affecting our 
economy. We are having all kinds of economic problems, and also 
so many businesses and individuals are using the Internet, e-
mail, and everything else to improve their financial condition 
of their businesses and so on.
    Does ECPA still remain important to our economy?
    Mr. Kerry. Absolutely, Senator.
    Chairman Leahy. Press the button.
    Mr. Kerry. OK. I am looking at the green light. Sorry. It 
does, Mr. Chairman. One of the important aspects of ECPA is the 
private rights of action that it creates, the expectations of 
privacy that it establishes as a matter of law, and the set of 
rules that it provides that providers as well as customers as 
well as law enforcement officials and judges and magistrates 
are able to follow.
    Chairman Leahy. OK. And those rules become confusing enough 
that it stifles innovation. I mean, even when this was written 
and everybody thought we were at the cutting edge, it looks 
pretty old-fashioned to go back to those days.
    Mr. Kerry. Certainly the landscape has changed. There is no 
question about that. I think what Mr. Baker said about the 
adaptability of ECPA has proven true as well. I think this 
statute, Mr. Chairman, has proved more adaptable to changes in 
technology, for example, than the Communications Act. And I 
think we need to move carefully in how we change because there 
is a value in stability and predictability, in establishing a 
set of rules, a known set of rules that everybody can operate 
by, and certainly we need to look at unintended consequences.
    So I think there are important questions about the 
application to cloud computing, to business models for cloud 
computing in the ways both that customers entrust data and what 
providers are permitted to do with that data. But----
    Chairman Leahy. Well, when you go from the commercial part 
to another part--and I am going to be fairly careful in this 
next question for Mr. Baker because I do not want to go into 
classified areas. But you are well aware of some of the threats 
to our National security on cybersecurity.
    Mr. Baker. Yes, sir.
    Chairman Leahy. A lot of it has been in the press, and 
other parts we have been briefed on are pretty significant. So 
how do we keep the openness? I was talking about my wife and I 
e-mailing a friend in Europe back and forth, and it is like 
doing it from our BlackBerrys and so on, and you do not think 
anything about it. But you also have some major cyber threats 
that we face. 2702 tells how providers can voluntarily share 
electronic communications information with the Government, and 
you know that has been used. How does that impact the way the 
Government responds to threats to cybersecurity? And can that 
be improved?
    Mr. Baker. Well, Senator, I think you put your finger 
exactly on one of the key points with respect to cybersecurity. 
The main question is how do we appropriately share information 
regarding cybersecurity threats between and among the private 
sector entities that are involved and with those entities 
sharing it with the Government. That is exactly the right 
question.
    ECPA lays out a framework for this, as do other laws, and 
so we need to make sure as we go forward, the laws we have are 
appropriate for today's circumstances with respect to 
cybersecurity. And when I am talking about cybersecurity in 
this context, I am talking not about necessarily pursuing a 
particular criminal investigation of an intrusion of a 
particular location. I am talking more about, sort of, 
defensive cybersecurity, and that is where I think some of the 
issues that you mentioned, the information sharing that ECPA 
does regulate, are critically important.
    And so, obviously, we need to work closely together to make 
sure that whatever we do addresses our cybersecurity needs of 
today at the same time is appropriate and gives appropriate 
protection for the privacy of Americans.
    Chairman Leahy. But you also go into the area of NSL 
authority, and the Department seeks to expand its ability to 
get information, electronic information without a court 
approval.
    Mr. Baker. Well, Senator, what our objective is, our 
objective is to not expand what we are trying to obtain; it is, 
rather, to restore the status quo that existed before with 
respect to our ability to obtain information from providers. 
Some providers have raised concerns about the way the current 
statute is drafted. So we look forward to working with you to 
come up with something that is acceptable to everybody, but our 
intent is not to expand the scope of what we are doing but to 
enable us to get what we actually were getting for many years 
under the NSL authority with respect to this type of record.
    Chairman Leahy. Well, my time is up, but I will work with 
you and you could have your staff work with mine on this. I 
know that the way of obtaining information and what is 
available is a lot different from the days when I was in law 
enforcement. But also the threats are a lot greater today, too. 
So we will work together on that.
    Senator Cardin.
    Senator Cardin. Well, thank you, Mr. Chairman. Let me again 
thank both of our witnesses.
    Let me try to get to some of the practical applications 
here. Several years ago, I visited an employer. It was a 
hospital that was a new building, implementing new technology 
at the time. And what they had, their employees all had to wear 
identification badges, which is not unusual, but that 
identification badge told the employer exactly where that 
employee was at all times. So that the hospital could locate 
the employee, know where the employee was, and provide a more 
efficient, effective health care for the people that entered 
the hospital.
    I then met with representatives of the employees to see how 
they felt about that. And they generally were OK, but they 
said, you know, there are times when we should have privacy, 
even at work, and that the protections weren't clearly in 
place; that our employers would use it for management of health 
care or could be using it to get information about us that 
really was not appropriate for an employer.
    So I raise the same question today with new technology 
where the Government can track pretty much where everyone is 
through the use of their cell phones. What protections do we 
have under ECPA so that I know the Government is not trailing 
me in private places? What standards are necessary? Is there a 
difference in regard to whether I am in a public place or a 
private place? What can you tell us about the current law does 
as far as protecting privacy, but yet allowing the Government 
to pursue real-time information that is necessary for law 
enforcement? And if you had to get a subpoena, does that hamper 
your ability to get real-time information that may become 
necessary?
    So what are the tradeoffs here and how does the current law 
apply to a real situation that, I must tell you, does concern 
me?
    Mr. Baker. Yes, I will start with that one, if that is 
okay. There are several different parts of your question. So 
the first thing was that you raised the prospect or the issue 
with respect to private entities collecting this data and what 
they----
    Senator Cardin. I used that as an example. I am concerned 
about Government.
    Mr. Baker. Yes, because what ECPA focuses on, what we are 
focused on is the interaction between--or the ability of the 
Government to obtain information from the private sector in 
certain circumstances.
    Senator Cardin. I am just using that as an example of how 
technology has changed.
    Mr. Baker. So the basic idea is with respect to the kinds 
of information you are talking about with respect to cell 
phones, when you are talking about cell phone records, first of 
all, just to be clear, my understanding of the technology--and 
it is changing over time, but, you know, currently it is not 
pinpoint accuracy with respect to where a person----
    Senator Cardin. And I expect that will change over time.
    Mr. Baker. As the technology develops, it may, Senator. But 
currently, and at least in the immediate future, it gives you a 
rough geographic location of where a person is. It does not 
tell you exactly where they are in a particular building, for 
example. So----
    Senator Cardin. I do not want to get too technical. I asked 
that question to some of the experts, and they tell me by 
looking at the different cell phone towers, you can pinpoint 
pretty closely to where people are today.
    Mr. Baker. I think, again, it depends if you are in an 
urban area, a suburban area, a rural area, things like that. 
But I take your point, Senator.
    But just to make clear, when the Government wants to get 
historical cell site information which is critically important 
for our investigations to find where someone is, for example, 
in a kidnapping case, a murder case, a terrorism case. These 
are all critical examples of where we need location information 
in certain circumstances. We need to get a court order of some 
sort. It is under a couple of different particular provisions 
of ECPA. It is a showing of specific and articulable facts, 
giving reason to believe that the information is relevant or 
material to a lawful investigation. That is for historical 
information and for some of the prospective information. With 
respect to the prospective information, we combine an order 
like that with a pen/trap order. So, in other words, to get 
that kind of information, we do have to go to a court. It is 
not a probable cause showing, clearly. It's lower than that. 
But we do have to go to a court.
    Senator Cardin. And that is not hampering you from getting 
timely information?
    Mr. Baker. I'm not going to say that in any investigation 
ever that it has never hampered us or slowed us down, but I 
think we are able to work effectively in the existing legal 
regime in order to obtain this kind of information.
    Senator Cardin. One more very quick question, Mr. Chairman.
    As I understand the current law on e-mail communications, 
it has some distinctions between the age--whether it is on your 
home computer or centrally stored, whether it has been opened 
or not opened, which may have been relevant in the 1980s, which 
is no longer relevant today because e-mail is very comparable 
to our traditional letters. Is there any reason for the 
distinction on the standard necessary for the protection of e-
mail communications?
    Mr. Baker. Well, Congress did make the judgment, as you 
reflect, back in 1986, and since then to differentiate between 
where a particular e-mail is, how old it is, who has access to 
it, is it stored as a third-party record, has it been opened 
yet, in other words, has the transmission been completed. So 
the administration has not--I mean, that is the law today, but 
the administration has not taken a position on changing that at 
this point in time, but we look forward to working with you on 
that.
    Senator Cardin. Well, I appreciate you dodging the 
question, and I understand--if there is a rationale, please let 
us know the rationale. I am trying to figure out a rationale 
for--I understand back then----
    Mr. Baker. I think----
    Senator Cardin.--e-mails were looked at a lot differently 
than they are today. We thought they could not be stored 
forever, and we now know they can be stored forever. So it is--
--
    Mr. Baker. Well, and I--Senator, I am sorry.
    Senator Cardin. No.
    Mr. Baker. I was just going to say, I mean, I think the 
law--in a number of different ways, the law differentiates 
between records that we store in our home, truly in our home, 
and records that we store with third parties. It makes 
distinctions in lots of different ways, and it differs 
depending on whether it is in----
    Senator Cardin. But don't you think we will be storing 
almost everything in third parties in the near future? As you 
pointed out, cloud computing is becoming the norm, not the 
exception.
    Mr. Baker. Well, the consumer, individuals, businesses have 
to make a determination whether storing something in a cloud is 
advantageous to them for a whole variety of reasons, including 
whether it is secure--I mean, not just from the Government but 
from malicious actors. Issues have been raised with respect to 
that. Privacy issues, efficiency, accessibility to data, all 
those kinds of things are different items that folks have to 
work with.
    Senator Cardin. [Presiding.] I appreciate it. I did not 
realize that I was temporarily holding the gavel. I could have 
gone on for a lot longer.
    Senator Franken.
    Senator Franken. Thank you, Mr. Chairman.
    Mr. Kerry, I know that you said that you are not here to 
make recommendations, and I kind of heard that from you, too, 
in what I think the Chairman fairly characterized as an 
evasion. But you guys really have clearly given this stuff a 
lot of thought. That is kind of your job. So I am going to ask 
you to ruminate here a little bit. What are the hard choices 
here that we are going to have to make? This is for both of you 
or either of you. Could you give me an example of what you 
might think would be a tempting but unwise change in ECPA? And 
what is a change we might make that is wise but is not obvious 
at first blush?
    Mr. Kerry. Well, Senator Franken, thank you. We have not 
gone through all of the thought process that we need to go 
through as an administration to answer all of those questions 
concretely. But let me address one about the difficult choices, 
and it goes back to Senator Cardin's question. It is how the 
law should apply to location services and location information.
    ECPA and the body of laws that it operates on draws a 
fundamental distinction between content information and non-
content information. Interception of content, disclosure of 
content are subject to higher standards. Location information 
does not fit the--is not content of communications. Does it 
necessarily fit within the non-content construct?
    As Senator Cardin indicated in his discussion of his 
experience in the hospital, there are different sets of 
expectations, depending on the circumstances of the location 
information, depending on the amount of that information. And I 
think there is a----
    Senator Franken. Can I give you an example? I am sorry to 
interrupt, but in February, Newsweek reported that police 
officers in Michigan had requested cell phone--you are talking 
about location--cell phone location data for a group of people 
congregating for a labor protest. The officer said they were 
doing it to stop a possible riot. Now, what protections, Mr. 
Baker, would you say are in place to prevent this sort of thing 
from happening? I am sorry, but since you brought up location, 
this seems to be a place where maybe abuse of the location is 
there.
    Mr. Baker. Senator, I do not know the particulars of that 
particular investigation, but they should have been--in order 
to obtain that information, they should have gone to a court. 
They should have had to articulate what their reason was for 
wanting that information, and they should have had a legitimate 
law enforcement purpose to obtain that. If they had some other 
purpose that they did not say, that they were not up front 
about, or whether, you know, they covered up exactly what they 
were doing, I have no way of knowing. But that is more of a 
question, I think, of the legitimacy of the investigation as 
opposed to the particular authorities or predication required 
for obtaining that kind of information.
    Senator Franken. OK. And there are different levels of 
authority. Sometimes you need a warrant. Sometimes you need a 
subpoena. Sometimes you need a super warrant.
    Let me give you an example. Let us say I use Outlook and 
you use Gmail. I send you an e-mail and you read it. In most 
circuits, the Government would need to get a warrant to get the 
e-mails stored on my computer in my Outlook sent messages 
folder. They actually have to go before a judge and show 
probable cause that they need this e-mail to investigate a 
crime. But if the Government does not have probable cause, they 
can get the e-mail from your Gmail because it is stored 
remotely in a cloud. They do not need a warrant for that. They 
can issue a subpoena for that all by themselves.
    Do you think that the probable cause standard is weakened 
when it is so easy to get an e-mail without a warrant?
    Mr. Baker. Senator, I guess I am not sure that the probable 
cause standard is weakened with respect to the ability to 
obtain the communications from--I assume your computer is at 
your home. That is why we need a warrant to get it. I am not 
sure it is a question of probable cause. I would suggest that 
it is more a question of whether collectively everyone thinks 
that the balance between law enforcement interests and privacy 
is appropriate in that circumstance. And that is one of the 
things that we do not have a position on. I know it may seem 
evasive, but we just do not have a position yet on that because 
we have not finished our review of that.
    But in any event, I take your point. I understand the 
difference. There is a difference, and, again, the law 
recognizes, and has for a long time, differences when 
information is stored with a third party than when it is stored 
in your home.
    Senator Franken. OK. I am out of time, but, Mr. Kerry, I 
did interrupt you, and I wanted to know if you wanted to finish 
your response.
    Mr. Kerry. Thank you, Senator. I think I conveyed the main 
sense of my response.
    Senator Franken. OK. Thank you both.
    Thank you, Mr. Chairman.
    Chairman Leahy. Senator Klobuchar.
    Senator Klobuchar. Thank you very much, Mr. Chairman. Thank 
you to both of you. It is good to see you.
    As a former prosecutor, I listened to this and I think of 
my old job. Every day we would be balancing that. One day I 
would be authorizing a wiretap and sitting in on it, and the 
next day protecting victims' sensitive information from getting 
out on the Internet. And just recently, we have been working on 
two issues in our office that are examples of how we have to 
update the laws to be as sophisticated as the crooks that are 
breaking them. One is the cyber stalking that has now become a 
trend of offenses, as illustrated by the ESPN reporter who got 
filmed in her hotel room and then it was put out on the 
Internet. And then the other one was just the one that Chairman 
Leahy has been leading and a number of us working on it, 
pirated entertainment that has been sold not just on DVDs but 
also on the Internet. And the criminal laws are not updated to 
keep pace with what is happening with what the criminals are 
basically doing.
    So I think this is always a balance, and I guess my first 
question would be of you, Mr. Baker, and that is, you talked 
about how we should proceed cautiously when making changes to 
ECPA, and you mentioned that you do not want us to change the 
Electronic Communications Privacy Act in a way that would delay 
law enforcement's ability to access time-sensitive data. And I 
thoroughly believe in doing things for privacy, but at the same 
time I know when these crimes occur and there is some madman 
out on the street, people want to be able to locate him.
    So are there changes you think that could be made to ECPA 
that would make it easier for law enforcement to access 
information while at the same time protecting our privacy 
concerns?
    Mr. Baker. Well, at the risk of saying the same thing again 
that has gotten me in trouble so far, we just----
    [Laughter.]
    Senator Klobuchar. Try it with me.
    Mr. Baker. We have not finished our--we simply have not 
finished our review of that. We are looking at them closely, at 
the various proposals that have been put forward. One of the 
difficulties right now, frankly, is that we do not have 
statutory language to actually look at and evaluate. And our 
experience is that getting these words exactly right--I mean, I 
have an amazing group of lawyers sitting behind me who are 
experts in this area, and they spend lots of time trying to 
understand and prognosticate about if you change this word, 
what impact is it going to have on our investigations, our 
ability to locate the kind of people you are talking about.
    So, unfortunately, we do not have a position on the reforms 
today to put forward, but all I would say is to echo what you 
say. It is very important that we get this right, and we just 
have to do it carefully.
    Senator Klobuchar. You talk about the real-time mobile 
phone location information. What level of scrutiny is required 
to get that? And is it the same as GPS information that we now 
can get?
    Mr. Baker. It is not the same as GPS. So with respect to 
the cell site information, which, again, is less precise than 
GPS, you need to go to court, you need to get an order. It is 
not a probable cause order. It is less than that. But, 
nevertheless, you need to get an order.
    When you start talking about latitude and longitude, 
locating type of information, then you are talking about the 
need to get a warrant because it can reveal that you are in a 
constitutionally protected location, such as your home, and 
moving about, let us say, in a home and being able to figure 
out exactly where you are. So there are different standards 
depending on how precise the information is that the technology 
reveals.
    Senator Klobuchar. And does that make sense to you? Do you 
think there could be changes to that? Or do you want to wait 
until----
    Mr. Baker. Again, we are working on that, but it is a 
distinction that the law recognizes in other areas as well.
    Senator Klobuchar. And then also we talked here about that 
180 days with the e-mail protection, with the open e-mail. Does 
that still make sense to you? Are there privacy concerns there 
with how that is working?
    Mr. Baker. Well, again, we are looking at that. We are 
working on it. We understand--I mean, we understand the privacy 
concerns. We hear what folks are saying, and I have met 
personally with the DDP Coalition, had a very fruitful 
discussion with them, and it was very illuminating to me. So we 
understand all of those concerns, but, again, our position is 
if changes are to be made, then we just have to get them right.
    Senator Klobuchar. OK. Mr. Kerry, I know in your testimony 
you talked about the clear distinction between content and non-
content information at the heart of ECPA. How has technology 
blurred that distinction?
    Mr. Kerry. As new data streams become available, in part 
the volume of data--location information being one example--
provides additional information about consumers' activities 
that may provide information that begins to make a portrait 
that is more than just the sort of identity information of a 
pen register or of transaction records. Certainly when you get 
to Internet searches and you go beyond simply a URL, that 
becomes content. So these are areas where those boundaries 
begin to blur because of the volume of information that becomes 
available from a host of data streams and there becomes more 
and more capability of capturing and of analyzing that data.
    Senator Klobuchar. I just noted one last thing, that 
Secretary Locke held a privacy and innovation symposium this 
year, and I am sure we can get that information from your 
staff. I head up the Subcommittee on Innovation for Commerce, 
and obviously in Commerce this is an overlap between these two 
Committees. We have focused on these privacy issues as well. 
Did anything come out of that that would be helpful? Or do you 
want to just send it to us?
    Mr. Kerry. We have a number of streams of work that are 
coming out with that. We are actually collating and drafting a 
report, a discussion draft of some of the work that comes out 
of the privacy inquiry and have other inquiries on free flow of 
information, intellectual property, cybersecurity that are 
already--I would be happy to share that with you.
    Senator Klobuchar. Are you looking at how innovation and 
new methods are sort of butting up against privacy concerns or 
how we can use new technology to get at privacy concerns?
    Mr. Kerry. Both of those, Senator. We are looking at 
really--in parallel to the balance that ECPA strikes in the law 
enforcement context, the balance between innovation, 
competition, the global free flow of information, and privacy 
and security.
    Senator Klobuchar. OK. Thank you very much.
    Mr. Kerry. Thanks.
    Chairman Leahy. Thank you. Anything else for this panel?
    [No response.]
    Chairman Leahy. OK. Gentlemen, I appreciate this. I may 
have a couple other questions for the record, but I would ask 
both of you and your staffs to work with us as we try to put 
together an updated ECPA. I think we know we need that. We just 
do not want to throw the good out with the bad as we do it. 
Thank you both very much.
    Mr. Kerry. Thank you, Senator. We will look forward to 
doing that.
    Chairman Leahy. Thank you. And then the staff can set up 
for our next panel.
    Chairman Leahy. For our next witnesses, first will be James 
Dempsey who currently serves as Vice President for Public 
Policy at the Center for Democracy and Technology. Prior to 
joining CDT in 1997, he was Deputy Director of the Center for 
National Security Studies, previously served as assistant 
counsel to the House Judiciary Subcommittee on Civil and 
Constitutional Rights, concentrating on oversight of the FBI 
and privacy and civil liberties; former associate in the law 
firm of Arnold and Porter in Washington; former clerk of Judge 
Robert Braucher of the Massachusetts Judicial Court; graduate 
of Yale, law degree from Harvard. He is somebody who has 
testified here before this Committee numerous times.
    Mr. Dempsey, good to have you back, sir. Go ahead, please. 
And, again, all witnesses' full statements will be made part of 
the record.

STATEMENT OF JAMES X. DEMPSEY, ESQ., VICE PRESIDENT FOR PUBLIC 
  POLICY, CENTER FOR DEMOCRACY AND TECHNOLOGY, SAN FRANCISCO, 
                           CALIFORNIA

    Mr. Dempsey. Chairman Leahy, Senators, good morning. Thank 
you for holding this hearing today.
    In setting rules for electronic surveillance, we must 
balance three critical interests: the individual's right to 
privacy; the Government's need to obtain evidence to prevent 
and investigate crimes, and the corporate interest in clear 
rules that provide confidence to consumers and that afford the 
companies the certainty they need to invest in the development 
of innovative new services.
    When it was adopted, ECPA well served those interests, 
thanks in large part, Mr. Chairman, to your leadership and to 
the willingness of companies, privacy advocates, and the DOJ to 
work together to develop a balanced solution.
    Today, it is clear that the balance has been lost. 1986 was 
light years ago in Internet time. Powerful new technologies 
create and store more and more information about our daily 
lives and permit the Government to conduct surveillance in ways 
or at a depth and precision that were simply impossible 24 
years ago. It is those new capabilities that need to be 
addressed.
    ECPA has been amended in at least 18 statutes since 1986, 
but almost all of those changes were at the request of the 
Justice Department, not in response to privacy concerns. Almost 
all of them expanded Government access to information. There 
has never really been a comprehensive look at the statute since 
1986.
    Consequently, there are a few elements of ECPA that no 
longer comport with the way people depend on this technology in 
their personal and professional lives. E-mail, which a number 
of Senators have cited, is an egregious example. The same e-
mail is subject to a judge's warrant one second and is 
available with a prosecutor's subpoena the next. An open e-mail 
is covered by the warrant in the Ninth Circuit, and it is 
available without a judge's approval in the rest of the 
country. Draft documents, calendars, address books stored 
online are all available with a mere subpoena regardless of 
age.
    What is perhaps most important to recognize about the e-
mail standards is that they are constitutionally vulnerable. 
Orin Kerr, a scholar well known to this Committee, has 
concluded in his latest article that ECPA is unconstitutional 
to the extent that it permits access to e-mail content without 
a warrant.
    The rules are also illogical and possibly unconstitutional 
with regard to cell phone tracking data. The Justice Department 
itself believes that it is best to use a warrant to use GPS to 
track someone. However, the cell phone companies have been 
making their cells smaller and smaller and have begun offering 
mini cells, which are basically a cell tower for your home or 
for your office, making tower data as accurate as GPS in some 
cases.
    Earlier this year, a diverse coalition was launched calling 
itself Digital Due Process. The coalition said that ECPA needs 
to be updated to provide full warrant protection to all e-mail 
content and to location tracking data, subject to exceptions 
for emergencies and cybersecurity and other exceptions.
    The breadth and diversity of this coalition speaks volumes. 
It includes not only CDT and ACLU, but also major Internet and 
communications companies: AOL, AT&T, Microsoft, Google, eBay, 
Salesforce. It includes conservative and libertarian groups: 
ATR, Americans for Tax Reform; FreedomWorks; libertarian think 
tanks. Individual supporters include former prosecutors, former 
members of the CCIPS unit at DOJ. All are saying that the 
current system is crazy; it just does not make sense anymore 
and needs to be reformed.
    Now, it is very important to appreciate the modesty and 
reasonableness of this coalition's proposals. A fundamental 
premise of our recommendations is that it is necessary to 
preserve the building blocks of criminal investigations. Under 
our principles we would continue to authorize the use of 
subpoenas to get stored meta data on telephone calls; that is, 
the dialed number information. We would continue to permit the 
use of subpoenas to get subscriber identifying information. We 
would not change the standard in Section 2703(d) of the statute 
for getting transactional data regarding Internet 
communications. We would preserve all the current exceptions, 
including the emergency exceptions, which allow interception 
without a warrant or without even a subpoena. We would preserve 
the current cybersecurity exceptions. We would not propose any 
changes to FISA or to the National Security Letter provision. 
We do not propose changing any rules on getting information 
directly from the subject of an investigation. So the FTC and 
the SEC could continue to use subpoenas to get documents from 
companies under investigation. We have focused on a very few of 
the most salient problems: the e-mail content issue that a 
number of Senators have referred to, and the location tracking 
question.
    Now, our proposals are just a first step. The process will 
require further dialog, the engagement of other stakeholders, 
and, most importantly, a dialog and discussion and compromise 
with law enforcement agencies and understanding their 
positions.
    We want to be careful in our amendment of ECPA to avoid 
collateral damage. We want to be incremental. We are not 
proposing a general overhaul of the statute. We cannot fix 
everything. We want to preserve the efficiency and speed and 
the building blocks of investigations.
    But, together, with dialog, with an understanding of the 
technology and the way it has changed, we can reestablish the 
goal that ECPA had in 1986: to balance law enforcement, 
privacy, and business interests.
    Thank you. I look forward to your questions.
    [The prepared statement of Mr. Dempsey appears as a 
submission for the record.]
    Senator Cardin. [Presiding.] Thank you very much, Mr. 
Dempsey.
    We will now hear from Mr. Brad Smith, who is the Senior 
Vice President and General Counsel, Corporate Secretary, and 
Compliance Officer for Microsoft. He leads the company's Legal 
and Corporate Affairs Department and is responsible for its 
legal work, its intellectual property portfolio, and its 
government affairs and philanthropic work.
    Mr. Smith.

STATEMENT OF BRAD SMITH, ESQ., GENERAL COUNSEL AND SENIOR VICE 
PRESIDENT, LEGAL AND CORPORATE AFFAIRS, MICROSOFT CORPORATION, 
                      REDMOND, WASHINGTON

    Mr. Smith. Well, thank you, Senator Cardin, Senator 
Franken. I very much appreciate the opportunity to be here this 
morning to offer just a few thoughts to introduce some comments 
on this topic.
    First, not surprisingly, those of us in industry are very 
enthusiastic about where we think the next generation of 
computing is going to take us. As we build data centers, as 
more and more software and information move to the so-called 
cloud, we make it cheaper for small businesses to implement 
computing solutions; we make it easier for them to create new 
jobs; we create more powerful tools for them to reach consumers 
in new ways; we create new ways for individuals to communicate 
and interact with each other. There is a lot of good that we 
see in the new technology that is being created.
    If we are going to go forward and if we are going to go 
forward successfully, we need the right kind of legal rules in 
this field. And I think that means three things: First, we want 
to ensure that the law continues to be balanced--balanced 
between the rights of citizens and the needs of Government with 
respect to law enforcement. We need some certainty so that when 
those of us in industry are designing this technology we can do 
so with some confidence about how the law is going to be 
applied to it. And we need some clarity. I might say we need 
most of all clarity for consumers, for citizens, so that they 
can understand what their rights and obligations may be.
    Listening to this debate on this issue, listening to this 
hearing this morning, there is obviously a first question, 
which is: Does the law, does ECPA itself need to be updated. 
Personally, I listened to that, and I am reminded of the story 
of the emperor who was walking down the street in the parade. 
This emperor has lost some of his clothes. And I think we need 
to recognize that. People may be reluctant to say it until they 
know exactly how they want to knit the next suit. But the truth 
is the first step in knitting the next suit is to recognize 
that the current one is increasingly tattered, and we really do 
need to roll up our sleeves together and dig into the kinds of 
questions that are important.
    The reality today is that ECPA increasingly falls short of 
a common-sense test, not because the law was flawed when it was 
written in 1986, but because technology in some cases--not 
every case, but in some cases--has simply passed it by. Why 
should e-mail in somebody's inbox be subjected to a different 
standard than e-mail in somebody else's sent mail folder? That 
is the question posed by Senator Franken. Why should e-mail 
that I move to my junk mail file and choose not to open be 
subjected to a higher level of privacy protection than an e-
mail I receive and decide to read? That is hard to square with 
common sense.
    As we sit here in September, why should e-mail that I sent 
in early March be entitled to less privacy protection than e-
mail that I sent in early April because of the 180-day rule?
    Technology really is moving forward. It is continuing to 
move forward, and we do need the law to catch up. There is no 
substitute for action by Congress. I think that much has become 
abundantly clear. We are talking about rights of Americans, 
fundamental principles that have their roots in the Fourth 
Amendment to the Constitution. But the reality is that the 
Supreme Court earlier this year basically signaled that it is 
not likely to move quickly.
    In the Quon decision, there was one sentence that stood out 
above all else, and I think that sentence speaks to it today. 
The Court said, ``The judiciary risks error by elaborating too 
fully on the Fourth Amendment implications of emerging 
technology before its role in society has become clear.''
    There is a lot of wisdom in those words. But they are also 
discomforting because it takes time for the role of new 
technology in society to become clear. And there is a certain 
risk that by the time that role becomes clear, the technology 
will be well on the road to becoming obsolete. It will be 
replaced by something else. And if that is the case, then the 
Fourth Amendment will never really catch up, and we must look 
to Congress to fill the gap. Congress did that in the 1980s. 
Congress needs to do that again today.
    In closing, I am reminded of the advice offered recently by 
famous basketball coach John Wooden. He said, ``One of the 
important things to do in life is be quick but do not rush.'' 
We do need to be quick. We should not rush. We should use 
hearings like this to sort out the issues. But we do need some 
decisions to be made because if they are not, then we are going 
to find that some new issues are going to emerge and there is 
going to be a lot of pressure on everybody to rush far too 
quickly.
    Thank you.
    [The prepared statement of Mr. Smith appears as a 
submission for the record.]
    Senator Cardin. Thank you, Mr. Smith.
    Our next witness is Mr. Jamil Jaffer. Mr. Jaffer is a 
private attorney in Washington, D.C. From 2008 to 2009, Mr. 
Jaffer served as an Associate Counsel to President George W. 
Bush. Prior to that appointment, he served in several senior 
positions within the Department of Justice, including counsel 
to the Assistant Attorney General for the National Security 
Division and Senior Counsel for National Security Law and 
Policy.
    Mr. Jaffer.

  STATEMENT OF JAMIL N. JAFFER, ESQ., ATTORNEY, WASHINGTON, DC

    Mr. Jaffer. Thank you, Senator Cardin. I would like to 
thank the Chairman and the Ranking Member for inviting me here 
today. I would like to actually take on Mr. Smith's remarks and 
take the advice of John Wooden. I am a UCLA graduate, so I will 
also try to be quick but not rush.
    I would like to address three items briefly today in my 
oral statement: first, the threat that we face and the use of 
these tools by the Government; second, briefly touch on the law 
in this area; and then, third, suggest a path forward for 
Congress to consider.
    First, with respect to the threat, today we face an 
increasing threat stream from cyber actors, whether they be 
cyber criminals, child predators, or national security threats: 
whether they be terrorists or foreign intelligence operatives. 
Cybersecurity is critical. I know this; in the Government I 
worked on the Comprehensive National Cybersecurity Initiative, 
which has now been partially declassified by the 
Administration. We are engaged in an effort, an ongoing effort, 
to protect both Government and private networks from these 
cyber threats. And the tools provided by ECPA play an important 
role in allowing the Government to assemble the key building 
blocks of investigations in this area. They help ferret our 
child predators who hide out in virtual communities. They help 
ferret out virtual terrorist caves. They help ferret out 
virtual gang hideouts on the Internet.
    They also help find the people who inhabit these virtual 
hideouts on the Internet, and it is important to remember that 
the key tools in ECPA, the non-content tools, are the ones that 
really form the building blocks. And with respect to those non-
content tools, the Fourth Amendment does not the use of those 
tools. As a general matter, the Supreme Court has held that the 
Fourth Amendment does not protect information that you give to 
third parties. That is because you always run the risk that a 
third party is going to be a Government agent and is going to 
hand over the information to the Government, whether 
voluntarily or otherwise. And with respect to non-content 
data--your dialed number data, who you send e-mails to and 
from--that information generally also is not protected by the 
Fourth Amendment because you provide it to a third-party 
provider to route your data. And that has been the case since 
Smith v. Maryland in the 1970s.
    And so this is not new law. This is not a change in 
technology. It is simply what the Fourth Amendment protects.
    Now, Congress very wisely decided that is not enough. What 
the Fourth Amendment offers is not enough. We need to provide 
statutory protections to ensure that the privacy interests of 
Americans are protected. In doing so, though, Congress decided 
that it was important to balance security on the one hand, and 
privacy on the other, and ECPA is an example of that. A lot of 
times you will hear today: ECPA does not make a lot of sense. 
The 180-day rule does not make sense. The opened e-mail rule 
does not make sense. But these rules are not a product of any 
constitutional decisionmaking. They are, fundamentally, the 
compromise that Congress struck in enacting additional privacy 
protections-beyond what the Constitution-provides in statute.
    Now, Congress can and should consider revisiting those 
privacy protections, but in doing so, it is important to think 
about is this balance that you heard about on the first panel. 
And in thinking about that balance, we really have to consider 
whether, at a time when these cyber threats are dramatically 
increasing, at a time when cybersecurity is crucial and 
Congress is considering how to provide tools in industry--and I 
do not think the answer is regulation of industry; I think the 
answer is providing tools to allow the Government to share 
information with industry about cybersecurity threats--does it 
really make sense to raise the bar on the Government in 
protecting in the security of American citizens? It may make 
sense, but Congress needs to do it in a very careful, limited 
way.
    Now, as far as the path forward goes--and I see my time is 
almost expired--I think the right path forward is as follows:
    First, there are consensus things that industry, the 
Executive Branch, and the Congress can agree to in the very 
near future about how to fix ECPA. You can make ECPA easier to 
use for industry. You can make it clearer. You can make it more 
consistent. One of the fixes you could consider is how the 
definitions of the various types of providers can be harmonized 
and made one, because the fact of the matter is that providers 
today in the cloud computing environment, provide multiple 
sources, not just e-mail transmission and delivery; they also 
provide remote computing services. You can harmonize these 
definitions.
    You can also provide industry with clarity about what it 
can and cannot provide to the Government, and when it can and 
cannot provide information to the Government; and you can make 
it a lot clearer than it is today. This does not mean you have 
to change what the Government can get and how the Government 
can get it, but you can provide clarity. That I think can be 
done in the next session of Congress without a problem.
    With respect to the larger changes, some of the changes 
proposed by the coalition that is out there today, as well as 
others, about raising the requirements on the Government, in 
terms of what they might get and how they might get it, those 
need to be considered very carefully, particularly in light of 
this growing threat stream.
    With that, I appreciate the opportunity to present my 
views, and I am happy to take questions.
    [The prepared statement of Mr. Jaffer appears as a 
submission for the record.]
    Chairman Leahy. Well, thank you, and thank you for telling 
me what we in Congress intended to do when we wrote the 
legislation. As one of those who was there when we did it, it 
is always good to be told what we were doing and what we were 
compromising by even if it was somebody who was not there.
    I do agree with you that we have got to have a balance that 
allows us to protect law enforcement and allows us to protect 
individual liberties and allows us at the same time to have the 
innovation we need.
    Let me go first to Mr. Dempsey. I commend you and the 
Center for Democracy and Technology for being such persuasive 
voices in trying to update ECPA, and I appreciate the work you 
have done in trying to get some diverse voices together on 
this.
    But with your proposal, how would that improve, on the 
hand, digital privacy but also protect law enforcement and make 
sure it has the tools it needs to investigate crime?
    Mr. Dempsey. Mr. Chairman, one thing we were very careful 
to do in our process here was to focus on preserving the 
building blocks of investigations. That is, there is some data 
that is appropriately available with a subpoena: the subscriber 
identifying information, the telephone dialing information. 
There is other information, as you go up the ladder, so to 
speak, where a court order is required, but on less than a 
finding of probable cause, on less than the constitutional type 
standard, and we preserve that. And then, clearly, when you get 
to the top of the stack, so to speak, when you get to the 
content, that should be protected by the warrant.
    Now, right now the courts are struggling with this. As Mr. 
Smith said, they are not making much progress, but they are 
casting a lot of uncertainty over the field. Courts are letting 
some information in, letting it out, granting orders, denying 
orders, vacating opinions where they came to one conclusion or 
another.
    I think one of the major benefits to law enforcement is the 
certainty and the clarity. If you leave this to the courts and 
then evidence gets thrown out, you get all the way through the 
investigative process and evidence gets thrown out, that is the 
worst that could happen to the prosecution. If you bring it 
within ECPA, you have your exceptions, you have your 
requirements on service providers to cooperate, you have your 
rules on immunity, your rules on compensation, your rules on 
how the information can be used. As the Justice Department has 
said, those are very important rules.
    Chairman Leahy. And so you believe that we can do this and 
write it in such a way that it would be upheld? Mr. Jaffer has 
spoken about it in the next session of Congress, although I--
and I agree with you, it could be. I also wish--and I am sure 
you do, too--that we could do it in this session of Congress. 
But this has been the most dysfunctional session of Congress I 
can remember. That is just a personal view, but from one who 
has been here 36 years. But tell me, Mr. Dempsey, can we do 
that? This is the most difficult thing. I think----
    Mr. Dempsey. I think we can----
    Chairman Leahy. I think we have a bipartisan coalition on 
this, but we also want to make sure we have something that is 
going to be upheld by the courts.
    Mr. Dempsey. Well, I think that one motto here is to work 
incrementally. Do not try to solve everything at once. Do not 
try to disrupt anything that does not need to be fixed or to 
which we are not sure of the answer.
    As Mr. Baker said, it is going to be important to start 
looking at some legislative language because you really want to 
make sure you are not having those unintended consequences.
    Chairman Leahy. Well, let us take a specific one. The 
Department of Justice proposed that we amend Section 2709 to 
make it easier for the FBI to obtain electronic transaction 
records. How do you feel about that?
    Mr. Dempsey. Well, first of all, I think that that is a 
perfect example of how we are taking a change without 
considering the other aspects of the statute that might be 
implicated. And with the Justice Department change, there is a 
kernel of logic to what they are saying here, and there is a 
problem with that provision of the statute.
    The trouble is the Justice Department has been unwilling to 
come forward and define for that purpose the key term in the 
statute, ``electronic communications transactional records,'' 
which is a very broad term.
    Now, if you look in 2703 of the statute on the criminal 
side, Congress has actually drawn some lines, and I think those 
are good lines that were drawn in terms of what should be 
available with a subpoena or its equivalent, the National 
Security Letter, versus what should require a court order. And 
I think until the Justice Department is willing to give 
definition to that term, which is a very broad term, 
``electronic communications transactional records,'' I do not 
think we can move forward on that 2709.
    Chairman Leahy. I suspect they will be listening to what 
you said here today.
    With my colleagues' permission, I will just ask one more 
question. My time has expired.
    I know with Mr. Smith here and Microsoft are doing a great 
deal to protect information and privacy, and you have called 
for--the company has called for stricter privacy protections in 
so-called cloud computing. Can ECPA reform help that?
    Mr. Smith. I definitely think, Senator, that the updating 
of ECPA fits into a larger set of issues that it is important 
for Congress to address. As we look to the future, we really 
think that there are three areas of the law that are related 
that need attention. One relates to privacy, and part of the 
privacy issue involves ECPA. Another part of the privacy issue 
involves ensuring transparency and clarity for what service 
providers do with customer information. So we believe that it 
would make sense to take action there.
    Second, we think that it is important to take new steps 
with respect to security. We believe that law enforcement needs 
new tools to be able to prosecute computer crimes. We believe 
that service providers, such as ourselves, should have new 
tools to help protect our customers against computer crimes. So 
that is the second area.
    Third, we believe new steps are needed across borders. 
Information moves from country to country in such a way today 
that in truth one cannot rely with confidence on the 
expectation that only a single country's law will be applied to 
a single piece of information. So we do need some new 
international frameworks and some new international cooperation 
as well.
    Chairman Leahy. I agree with that. I am just trying to 
figure out how we write it in such a way that it would take 
care of the problem of the moment and not create new problems 
as technology changes a week down the way. I go back again to 
the Earl Warren statement I made at the beginning of the 
hearing. And we will work with you on that flexibility. That is 
why what all three of you have been saying here has been so 
important.
    Senator Cardin, and I apologize for taking extra time, but 
I wanted to hear what Mr. Smith had to say on that.
    Senator Cardin. Well, thank you, Mr. Chairman. I thank all 
three of our witnesses.
    Mr. Jaffer, let me first say that I agree with you that the 
threats against this Nation are real, particularly as it 
relates to cybersecurity. We have conducted some hearings on 
cybersecurity, and the challenges are certainly very serious 
and very difficult. But I must tell you, I strongly believe 
that having the appropriate safeguards on law enforcement on 
getting information makes us safer because then our resources 
are used more effectively. And we are not flooded with 
information that has limited value, but that we really are 
focusing on the threats. I think it makes law enforcement 
stronger rather than weaker if you do it right, and that is, of 
course, what we are trying to do here.
    Mr. Smith, I want to ask you a question about technology. 
Are there any cautionary notes that we should be aware of as we 
look at this statute and modifications of it, that we do not 
have unintended consequences hampering the development of new 
technologies that are important for this country?
    Mr. Smith. I think that is a very good question, Senator 
Cardin. I think there is fundamentally a risk in Congress doing 
too much and there is a risk in Congress doing too little. I 
think the definition of doing too much would be to deal with 
issues before we have some confidence about how we really 
should address them as a country, and I think that Mr. Dempsey 
pointed us in the right direction when he said there is real 
value in incrementalism.
    The truth is any law that can go 24 years before people 
come here and say it needs some updating passes a pretty high 
bar. I think that if we can look to Congress to take steps once 
a decade and solve the problems immediately before it, that is 
a good thing. And if one tries to go farther than that, one 
does risk creating unintended consequences.
    I would say the flip side of the coin would be doing too 
little because the law at this point is clearly in need of some 
improvement.
    Senator Cardin. That is good advice. I thank you, Mr. 
Smith.
    Mr. Dempsey, let me ask you a question about how we can 
anticipate change. I know we do not know what technology is 
going to look like 10 years from now, but we know it is going 
to be different. We know that information exchanges are going 
to take place in a much more timely way.
    Is there anything we can do in a statute that protects us 
with new technologies so that law enforcement can get the 
information they need and privacy is protected, knowing full 
well what the Chairman said, that Congress does not always act 
quickly. Sometimes it takes us a while to get to where we need 
to be. Is there anything, any advice that you might have for us 
as to how we draft changes that can at least protect us during 
transition as new technologies come effective?
    Mr. Dempsey. Yes, I think that is an excellent question, 
and I think there are two ways to approach that. One is to look 
at what are the broad trends, and I think we can identify 
some--what seem to me to be--pretty inexorable trends in 
technology that are going to dominate innovation over the next 
decade, let us say. One would be the cloud; that is, the 
movement of data off of local servers onto interconnected, 
Internet-based servers, and that is supported by ubiquitous 
broadband. It is supported by cost-efficiency reasons why you 
would do that. The data in the cloud in some ways may actually 
be more secure and backed up and better protected than the data 
stored locally. There are a lot of drivers pushing in that 
direction, and I think so much of the data that we used to hold 
locally in the office, in the home, on the laptop, on the 
personal device, the handheld device, is moving into the cloud, 
and that is where things are going to go. That is why we 
focused on that as one of our recommendations.
    The other major trend, I think, is mobility and the power 
of that handheld device and the way it can support location-
based services and the way that that location data is becoming 
more and more precise--the map services and the friend-finder 
services and a whole host of other services that build on--when 
you see services building on a technology, you can be pretty 
sure that that is going to represent a significant trend. So 
that is why of all of the non-content data, if you think of 
location data as non-content, of all the non-content data, that 
is one that sort of pops out immediately as this is just not 
dialed number information, this is just not who is making a 
phone call. This is very pervasive, very precise, very 
different from anything we have ever seen before, really.
    Another major trend is social networking, obviously, and 
the social networks are becoming platforms not only for posting 
photos but for one-to-one communication, real-time 
communication, et cetera. Those are already included, I think, 
in ECPA. It maybe would be interesting to pose that question to 
the Justice Department to make sure they agree. I think those 
platforms do fit within the statute.
    So of the three trends, although a lot of that stored data 
currently falls outside of the warrant protection, even purely 
private stuff, the way the definitions work in the statute now. 
So I think those three trends look to me as pretty reliable and 
certain trends, and if we build around those, we sort of know 
where we are going.
    Senator Cardin. Thank you. I appreciate that answer, and I 
really do appreciate all three of your testimonies.
    Chairman Leahy. Thank you very much.
    Senator Franken.
    Senator Franken. Thank you, Mr. Chairman.
    Mr. Smith, I was very glad to hear your answer to Senator 
Cardin's question about essentially responding to the ``be 
quick,'' because I was worried there that you are basically 
saying that to keep up with the technology, Congress would have 
to double the speed that it legislates every year.
    [Laughter.]
    Senator Franken. And I think that would be highly unlikely. 
The once-a-decade sounds about right on this.
    [Laughter.]
    Senator Franken. And Mr. Jaffer did kind of speak to 
Congress' intent when this was written in 1986, but technology 
really, really, really, really has changed since then, which 
you spoke to. And there seems to be something of a divide here 
between you and Mr. Dempsey and Mr. Jaffer on this, and 
specifically talking about someone who has an e-mail account 
and you are in a cloud, you get your thing from a cloud, you 
are on Gmail or something, and the distinction between 
something I got 6 months ago and something I got yesterday and 
something I have read and something I have not read, I think 
most people would be surprised about this rather than sanguine. 
And Mr. Jaffer seemed to think that this is settled law and 
that we should be sanguine about it.
    This, I guess, is for Mr. Dempsey. My understanding is that 
there is a series of Supreme Court precedents that explain that 
people can have protected Fourth Amendment interests in items 
they store with third parties or on property that is not 
theirs. Can you walk us fairly quickly through the precedents?
    Mr. Dempsey. Well, you know, you can go all the way back to 
1878 when the Supreme Court held that the letter passing 
through the mail--I mean, you give your letter not merely to a 
third party, but at that time to a Government agency, 
voluntarily surrender it, and yet the Supreme Court held in 
1878 that the Government cannot open that letter without a 
warrant as it passes through the network.
    If you have a storage locker, one of those storage lockers 
where you store the junk that you do not really want to give 
away or throw away, but you also do not want in your house, you 
put it in a storage locker. You have a Fourth Amendment right 
in that storage locker. The owner of the locker can even go in 
to make sure nothing is deteriorating in there or going bad. 
But for the police to get in, they need a warrant. Luggage, 
closed containers of luggage checked or stored, subject to the 
warrant protection, whether they are locked or not, whether 
they are sealed or not.
    So we have dealt with this already, and I think those 
analogies are perfectly applicable now to this digital storage 
locker or this digital storage function for the content--and we 
are focusing here on the content. There are a lot of people who 
argue that now the transactional data associated with the 
Internet is so much richer than the dialed number information. 
And I think there is a good argument there, and if you look 
back at the original Supreme Court cases on pen registers, they 
were very, very narrow. But for now, at least our coalition is 
saying let us leave that content versus non-content distinction 
in place. Let us provide lower protection for most of the non-
content data, but that content, like that letter in 1878, 
should be protected regardless of where it is.
    Senator Franken. OK. Speaking of the distinction, this may 
be a little bit off topic if we are talking about law 
enforcement and security. But you did talk about this as 
business. This is about business. And this is--and individuals. 
And I have a question about how do you make people feel safe to 
use the cloud communicating activity and how much of your 
information can be used by other commercial--can be used 
commercially. How can one control information that is, you 
know, about--say your e-mail traffic. And part of this is who 
you are sending back and forth to, but they can see, like, oh, 
he went to this or she went to this e-mail site or this website 
to, you know, Track magazine, and therefore, let us sell them 
shoes or--you know. What control over your information can you 
have on the Internet or in your e-mail so you cannot have 
people use your information commercially without your 
permission? Is that a good question?
    [Laughter.]
    Mr. Dempsey. That is a good and clear question and a 
critical one here. Speaking just for my own organization, the 
Center for Democracy and Technology, we believe that the law 
needs to be improved on that side, too. Now, we have tended, as 
you suggest, to look at the law enforcement issues, which to 
some extent have the foundation of the Constitution underneath 
them; we look at the law enforcement governmental access issues 
in one bucket; and we look at the commercial reuse, commercial 
disclosure and advertising issues in another bucket.
    I think it is better to keep them in separate buckets for 
now if only because, as you are alluding to, this Committee has 
jurisdiction over the question of governmental access; there 
are entire other committees that have jurisdiction over the 
commercial side of things.
    Legislation has been introduced--most recently, Chairman 
Rush of the House Subcommittee on consumer protection issues 
has introduced some very good legislation that would improve 
the rules and for the first time ever set baseline Federal 
rules for all of those issues associated with advertising and 
cookies and profiling on the commercial side. Like I say, I do 
think it is best that we keep those separate.
    By the way, if I could, Senator, one other point: The 
question of commercial access should not prejudice the question 
one way or the other of governmental access.
    Senator Franken. I was going to ask Mr. Smith if he had a 
reaction, but I am way over my time.
    Chairman Leahy. Thank you.
    Senator Whitehouse, thank you for joining us.
    Senator Whitehouse. Well, based on Senator Franken's very 
subtle invitation, I would be inclined to offer him the chance 
to get his answer from Mr. Smith.
    Chairman Leahy. Would you like--go ahead.
    Senator Whitehouse. That was very subtle, by the way.
    [Laughter.]
    Chairman Leahy. Go ahead, Senator Franken, and this will 
not come out of Senator Whitehouse's time. Go ahead.
    Senator Franken. Well, subtlety is my forte.
    [Laughter.]
    Senator Whitehouse. That is why I am so surprised that you 
departed from that strategy this time.
    Senator Franken. I just saw that Mr. Smith has a reaction. 
That is all. And I wanted to know if you wanted to speak to it.
    Mr. Smith. Sure. And being a lawyer, brevity is obviously 
mine.
    There are two relationships here that are really important. 
There is the relationship between a consumer and a company that 
is a service provider, and there is the relationship between 
the citizen and Government. And to get both of these 
relationships right, I think we need to look to industry to do 
its part, and we need to look to Government to do its part.
    Those of us in industry I think have a responsibility to 
build technology that is reliable, that is secure, that has 
privacy protection built in, and we have a responsibility to be 
transparent with consumers so they know what the practices are, 
it is easy for them to understand them, and they can make real 
choices. And then I think Government obviously has an important 
role to play in both of these areas in terms of ensuring that 
ultimately there are legal rules that give consumers the 
confidence they need and strike the right balance between 
consumer needs, industry innovation, and law enforcement.
    Senator Franken. Thank you. Thank you for your brevity, and 
I thank you, Senator Whitehouse.
    Chairman Leahy. Senator Whitehouse.
    Senator Whitehouse. Thank you. I appreciate the discussion 
that has taken place, particularly with respect to e-mail, that 
I think is confounding to even experts, let alone an ordinary 
American who relies on their e-mail to communicate with friends 
and businesses and has an expectation of privacy, a personal 
expectation that, frankly, is not matched by questions of what 
folder you happen to drop it into affecting how Government can 
access it.
    And I counter that to a very different hypothetical, and 
let me sort of walk through the hypothetical. Let us say that 
there is a dangerous virus that is out there on the Internet 
that is potentially causative of harm to American businesses 
and interests and so forth. And let us say that the virus has 
an electronic fingerprint of some kind. You can identify it. 
That is how you find it. And let us say further that that virus 
can be housed by the people who are propagating it in the 
content portion of e-mail. And that is how it propagates, that 
is how it gets around, and that creates the vulnerability to 1 
day that virus being triggered by those malign forces.
    If there were a device that could do nothing but identify 
that fingerprint and signal the presence of that dangerous 
virus, because the virus could be propagated in the content 
portion of the transmission, that device would have an ECPA 
problem, would it not?
    Mr. Dempsey. Senator, that is a good question. I----
    Senator Whitehouse. Setting aside any question of 
voluntariness under the notice under the Fourth Amendment that 
there was one-party consent or any of that sort of stuff.
    Mr. Dempsey. The current statute has in it a provision 
specifically intended to allow service providers to monitor 
their own networks, and to some extent, ISPs, service providers 
at all levels, already are doing some of what you are talking 
about there; that is, they are looking at the content 
traversing their networks. For example, there is an awful lot 
of spam that never gets through. The carriers have the total 
right and discretion under the statute to look for spam and to 
basically throw it away. And they can get----
    Senator Whitehouse. So roll into the hypothesis that it is 
the Government that is required to--because of the complexity 
or the nature of the threat that it is the Government that is 
required to have access to this information, not just the ISP.
    Mr. Dempsey. So I think that----
    Senator Whitehouse. Now it is an ECPA problem.
    Mr. Dempsey. When you throw the Government in, you get a 
different set of concerns. I think that there should be more 
emphasis given to getting those signatures from the hands of 
the Government into the hands of the service providers so they 
can, in essence, add them to the list of what they are looking 
for and what they are blocking and protecting themselves and 
others----
    Senator Whitehouse. Although there is often a very high 
intelligence and security penalty to doing that because once it 
is clear that it is known, an enormous amount of other 
information can be deduced from that conclusion in some 
circumstances.
    Mr. Dempsey. In some circumstances, and we have to be 
careful there. But the service provider----
    Senator Whitehouse. So it is not a complete solution, 
although it is an important direction--you want to maximize 
that, but you cannot go to that point and say that solves the 
problem, we are just going to give all the signatures to the 
ISPs.
    Mr. Dempsey. I really think we need to keep the Government 
out of the center of the network here. The carriers do have 
some ability under current law to disclose to the Government 
what they find in their networks. And I think that the goal 
should be that the Government protects its networks and has in 
essence, I think, under the statute plenary authority to 
examine traffic to and from the Government itself, on the 
Government side of the network. On the private sector side of 
the network, I just do not see how we are going to be able to 
control getting the Government into the sort of----
    Senator Whitehouse. Or more importantly, getting it back 
out once it is in, right?
    Mr. Dempsey. Exactly.
    Senator Whitehouse. Well, I take your point, and I think 
that is one of the predicaments we have to work with. But I 
would also suggest that if you put side by side the restriction 
on the Government in my hypothetical from being able to do 
nothing more than identify the fingerprint of a particularly 
dangerous virus that may be attacking our hospital systems, 
that may be attacking our electronic grid, that may be 
attacking our National security structure, and where there is 
absolutely no inquiring human consciousness applied to the 
substantive content of any e-mail, that that should be an ECPA 
problem, and that it should be not an ECPA problem because an 
American put something in the wrong file folder for an actual 
inquiring Government human consciousness to be able to go and 
read substantive content. Those two do not line up as far as I 
can tell, and I think that is one of the inconsistencies that 
we need to try to resolve.
    Mr. Dempsey. And I think on the cybersecurity side, the----
    Senator Whitehouse. Let me ask Mr. Smith on that because 
you have got all the answer time so far and he was nodding 
trying to get a word in.
    Mr. Smith. I think it is a very good question. It is an 
important hypothetical. It is exactly the kind of question we 
should be focused on as this process moves forward.
    I believe we have a lot of tools to deal with that kind of 
situation today. It is an area where the industry is very 
focused, and what you are describing is basically something we 
do every day. We identify new fingerprints, and we are 
certainly able to work as a service provider to try to keep 
people from having them erode their computer files.
    It is an area of law that is impacted not only by ECPA, but 
by the Computer Fraud and Abuse Act and other things.
    Senator Whitehouse. With all due respect to the industry, a 
vast majority of our cyber vulnerability would disappear if we 
could simply get up to basic public, regular, ordinary levels 
of patching and security, and we have not even been able to do 
that. So when you get into the smaller percentage where it is 
really aggressive, really high end, we are dealing at the 
cutting edge of sophistication with the people who probably 
have not only the most dangerous capability but the worst 
intent, it is even more awkward to say, well, rely on our 
process because, frankly, that process is not even working for 
getting stuff patched adequately.
    Mr. Smith. Well, I would say one should rely on that 
process in part, and one needs to look to Government as well. 
And what we should do--and your question points us in the right 
direction--is ask ourselves today, Do we have enough tools? 
Would we benefit from having better and more tools? If the 
answer is yes, then let us think about what kinds of tools 
those should be.
    Mr. Jaffer. Senator Whitehouse, if I might.
    Senator Whitehouse. Well, my time has expired, so we are at 
the Chairman's discretion. But if you would like to answer, Mr. 
Jaffer, I will conclude with that. Thank you.
    Mr. Jaffer. I appreciate the opportunity, Senator 
Whitehouse. I think you raise excellent points, and these are 
very important issues, something that we looked at in the 
process of developing the Comprehensive National Cybersecurity 
Initiative. And one of the challenges that we found was how to 
share this information that the Government has--that you have 
identified--with the private sector, without sacrificing 
sources and methods. And I think that one way that Congress can 
assist both the Government--the executive branch--and the 
private sector with is creating a process by which that could 
happen. And I think it is important that that process be housed 
in the private sector, that there be trusted third parties who 
can take the Government's information, hold it--with security 
clearances--take the private sector's information, match it up, 
figure out what the threats are, report back to industry to 
help protect the industry, and if industry is comfortable--and 
industry might not be--provide anonymized data back to the 
Government about what threats are being seen at the boundary. 
And if Congress can create a framework which allows the private 
sector the ability to protect industry with Government 
information without giving up sources and methods, that would 
be a dramatic step forward, I think. And I think that folks on 
the panel might agree on this very point.
    And with respect to Senator Leahy's point on the intent of 
Congress, I certainly intended no disrespect. In fact, I was 
hoping to point to the wisdom of Congress in how that balance 
was struck in ECPA.
    Chairman Leahy. I did not hear any disrespect in it, Mr. 
Jaffer. It just brought me back to the memory of all the 
sitting and talking and trying to hold people together before, 
and my concern about where we will go next. We did this as a 
bipartisan effort before. We still pass bipartisan legislation. 
John Cornyn and I passed an update on FOIA in the Senate last 
night unanimously, and it shows that this can be done. This 
should not be a partisan issue, and I do not see it that way. I 
do appreciate the effort that corporations and private groups 
and others and Government have done in helping us work on this.
    I am glad, Senator Whitehouse, that we are not having to 
feed the meter of all the people who have actually volunteered 
their time to help us on it. And I have spoken only broadly 
about the cybersecurity problems, but you only have to pick up 
the paper and see the number of attacks on our computers at the 
Department of Defense, at the CIA, and others, and I mean what 
has been in the public press. And Senator Whitehouse knows from 
his briefings on the Intelligence Committee, the briefings I 
get in classified areas, it is a growing and will continue to 
be a growing concern. It is no longer an idea of fiction, for 
example, a power grid being shut down in the middle of winter 
in the northern part of the country and what that might do. We 
worry about somebody bringing an explosive on an airplane and 
killing 100 or 200 people. You could have cyber attacks that 
could kill thousands of people, and we have to guard against 
that.
    At the same time, I like to know that if I am in business, 
for example, and I am working in my business and somebody is 
stealing my trade secrets and getting away with it, but I also 
want to know that if I am--that my own personal e-mails are 
going around, the Government is not snooping in it just for the 
sake of snooping in it.
    So it is a difficult balance. I am urging the 
administration to promptly provide the Committee with its 
proposals to update ECPA. I thank the shareholders for sharing 
their views on this issue. I would note that we will start work 
on this very soon, and we are going to be back here for a lame 
duck session. We will continue to work that. We have superb 
members of the staff who have been working on it and will 
continue to.
    So this hearing today, any one of the people in the 
hearing, if you get ideas, if you want to add it to your 
testimony, feel free to do so, because we want that 
information. And I will again reiterate that I want the 
administration to come up with their proposals?
    Do you have further----
    Senator Whitehouse. Mr. Chairman, could I comment on that, 
also? I do not want to interrupt your remarks, but as you have 
pointed out, a number of committees that are looking at the 
concern about cybersecurity are now working together to try to 
put together a bill that we can move on. We are actually in a 
fairly late stage in terms of addressing this from a point of 
view of the risk. We are actually in an overdue stage; just 
from a point of view of the legislative positioning we are at a 
fairly late stage. And so I think that I would like to echo 
your message to the administration that this is--it is getting 
a little late to come before a Congressional Committee and not 
have a point of view and not have a proposal. Unless they want 
to be out of the debate or simply be commentators and let 
Congress lead, that is their choice. But considering the extent 
of the administration's role in this, I would hope that they 
would take a more active role and be more proactive. So I would 
like to echo that.
    And the other thing I just wanted to echo is that I am 
extremely strongly in favor of pushing as much of this to the 
private sector as possible, that as much data should go to the 
private sector, that should get out there; and the private 
sector should be dealing with this to the maximum possible 
extent. But you can make that argument until you are blue in 
the face, and it will not take away the fact that there will 
remain an area, whether it is because of revealing sources and 
methods or because of the extraordinarily adept nature of the 
technology involved or because of other national security 
concerns, there will ultimately have to be a Government role, 
and how we apply that in a way that we do not look like idiots 
when people are out in front of their banks looking for cash 
because the financial system is down and they cannot count on 
their electronic receipts any longer; or up in Vermont the grid 
is down, they are not going to be looking at Microsoft and 
Verizon then. They are going to be looking at the President of 
the United States; they are going to be looking at their local 
police; they are going to be looking at the FBI; they are going 
to be looking at the Army and the National Guard; and they are 
going to want results. And we have to be ready to provide that 
if that happens.
    Chairman Leahy. I could not agree more. It is easy to say 
we are all against terrorists. Of course, we are against 
terrorists. We are all against criminals. Of course, we are 
against criminals. Senator Whitehouse and I were both 
prosecutors. But it is a different era. You talk about the--
without going into war stories, we would have periodic bank 
robberies. We usually caught them because they were usually 
dumb. And we would catch them fairly quickly. The most they 
would have gotten away with is $10,000 or $15,000. I am very 
much worried about a bank robber who sits offshore and steals 
several hundred million dollars. And, you know, we worried 
about the arsonists that burned one building. I worry about 
somebody who could destroy whole blocks, whole communities.
    So, anyway, we could all come up with the darkest 
scenarios, but what we have to do is make sure we stop that. So 
I thank you for taking the time. I also thank you for all the 
time you took leading up to this and all the others whose 
comments and testimony are part of the record.
    This is going to be a priority, bringing this up to date, 
of this Committee, and I pass that out to everybody who is 
interested, and I thank you for your help.
    [Whereupon, at 12:01 p.m., the Committee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]

[GRAPHIC] [TIFF OMITTED] T6875.001

[GRAPHIC] [TIFF OMITTED] T6875.002

[GRAPHIC] [TIFF OMITTED] T6875.003

[GRAPHIC] [TIFF OMITTED] T6875.004

[GRAPHIC] [TIFF OMITTED] T6875.005

[GRAPHIC] [TIFF OMITTED] T6875.006

[GRAPHIC] [TIFF OMITTED] T6875.007

[GRAPHIC] [TIFF OMITTED] T6875.008

[GRAPHIC] [TIFF OMITTED] T6875.009

[GRAPHIC] [TIFF OMITTED] T6875.010

[GRAPHIC] [TIFF OMITTED] T6875.011

[GRAPHIC] [TIFF OMITTED] T6875.012

[GRAPHIC] [TIFF OMITTED] T6875.013

[GRAPHIC] [TIFF OMITTED] T6875.014

[GRAPHIC] [TIFF OMITTED] T6875.015

[GRAPHIC] [TIFF OMITTED] T6875.016

[GRAPHIC] [TIFF OMITTED] T6875.017

[GRAPHIC] [TIFF OMITTED] T6875.018

[GRAPHIC] [TIFF OMITTED] T6875.019

[GRAPHIC] [TIFF OMITTED] T6875.020

[GRAPHIC] [TIFF OMITTED] T6875.021

[GRAPHIC] [TIFF OMITTED] T6875.022

[GRAPHIC] [TIFF OMITTED] T6875.023

[GRAPHIC] [TIFF OMITTED] T6875.024

[GRAPHIC] [TIFF OMITTED] T6875.025

[GRAPHIC] [TIFF OMITTED] T6875.026

[GRAPHIC] [TIFF OMITTED] T6875.027

[GRAPHIC] [TIFF OMITTED] T6875.028

[GRAPHIC] [TIFF OMITTED] T6875.029

[GRAPHIC] [TIFF OMITTED] T6875.030

[GRAPHIC] [TIFF OMITTED] T6875.031

[GRAPHIC] [TIFF OMITTED] T6875.032

[GRAPHIC] [TIFF OMITTED] T6875.033

[GRAPHIC] [TIFF OMITTED] T6875.034

[GRAPHIC] [TIFF OMITTED] T6875.035

[GRAPHIC] [TIFF OMITTED] T6875.036

[GRAPHIC] [TIFF OMITTED] T6875.037

[GRAPHIC] [TIFF OMITTED] T6875.038

[GRAPHIC] [TIFF OMITTED] T6875.039

[GRAPHIC] [TIFF OMITTED] T6875.040

[GRAPHIC] [TIFF OMITTED] T6875.041

[GRAPHIC] [TIFF OMITTED] T6875.042

[GRAPHIC] [TIFF OMITTED] T6875.043

[GRAPHIC] [TIFF OMITTED] T6875.044

[GRAPHIC] [TIFF OMITTED] T6875.045

[GRAPHIC] [TIFF OMITTED] T6875.046

[GRAPHIC] [TIFF OMITTED] T6875.047

[GRAPHIC] [TIFF OMITTED] T6875.048

[GRAPHIC] [TIFF OMITTED] T6875.049

[GRAPHIC] [TIFF OMITTED] T6875.050

[GRAPHIC] [TIFF OMITTED] T6875.051

[GRAPHIC] [TIFF OMITTED] T6875.052

[GRAPHIC] [TIFF OMITTED] T6875.053

[GRAPHIC] [TIFF OMITTED] T6875.054

[GRAPHIC] [TIFF OMITTED] T6875.055

[GRAPHIC] [TIFF OMITTED] T6875.056

[GRAPHIC] [TIFF OMITTED] T6875.057

[GRAPHIC] [TIFF OMITTED] T6875.058

[GRAPHIC] [TIFF OMITTED] T6875.059

[GRAPHIC] [TIFF OMITTED] T6875.060

[GRAPHIC] [TIFF OMITTED] T6875.061

[GRAPHIC] [TIFF OMITTED] T6875.062

[GRAPHIC] [TIFF OMITTED] T6875.063

[GRAPHIC] [TIFF OMITTED] T6875.064

[GRAPHIC] [TIFF OMITTED] T6875.065

[GRAPHIC] [TIFF OMITTED] T6875.066

[GRAPHIC] [TIFF OMITTED] T6875.067

[GRAPHIC] [TIFF OMITTED] T6875.068

[GRAPHIC] [TIFF OMITTED] T6875.069

[GRAPHIC] [TIFF OMITTED] T6875.070

[GRAPHIC] [TIFF OMITTED] T6875.071

[GRAPHIC] [TIFF OMITTED] T6875.072

[GRAPHIC] [TIFF OMITTED] T6875.073

[GRAPHIC] [TIFF OMITTED] T6875.074

[GRAPHIC] [TIFF OMITTED] T6875.075

[GRAPHIC] [TIFF OMITTED] T6875.076

[GRAPHIC] [TIFF OMITTED] T6875.077

[GRAPHIC] [TIFF OMITTED] T6875.078

[GRAPHIC] [TIFF OMITTED] T6875.079

[GRAPHIC] [TIFF OMITTED] T6875.080

[GRAPHIC] [TIFF OMITTED] T6875.081

[GRAPHIC] [TIFF OMITTED] T6875.082

[GRAPHIC] [TIFF OMITTED] T6875.083

[GRAPHIC] [TIFF OMITTED] T6875.084

[GRAPHIC] [TIFF OMITTED] T6875.085

[GRAPHIC] [TIFF OMITTED] T6875.086

[GRAPHIC] [TIFF OMITTED] T6875.087

[GRAPHIC] [TIFF OMITTED] T6875.088

[GRAPHIC] [TIFF OMITTED] T6875.089

[GRAPHIC] [TIFF OMITTED] T6875.090

[GRAPHIC] [TIFF OMITTED] T6875.091

[GRAPHIC] [TIFF OMITTED] T6875.092

[GRAPHIC] [TIFF OMITTED] T6875.093

[GRAPHIC] [TIFF OMITTED] T6875.094

[GRAPHIC] [TIFF OMITTED] T6875.095

[GRAPHIC] [TIFF OMITTED] T6875.096

[GRAPHIC] [TIFF OMITTED] T6875.097

[GRAPHIC] [TIFF OMITTED] T6875.098

[GRAPHIC] [TIFF OMITTED] T6875.099

[GRAPHIC] [TIFF OMITTED] T6875.100

[GRAPHIC] [TIFF OMITTED] T6875.101

[GRAPHIC] [TIFF OMITTED] T6875.102

[GRAPHIC] [TIFF OMITTED] T6875.103

[GRAPHIC] [TIFF OMITTED] T6875.104

[GRAPHIC] [TIFF OMITTED] T6875.105

[GRAPHIC] [TIFF OMITTED] T6875.106

[GRAPHIC] [TIFF OMITTED] T6875.107

[GRAPHIC] [TIFF OMITTED] T6875.108

[GRAPHIC] [TIFF OMITTED] T6875.109

[GRAPHIC] [TIFF OMITTED] T6875.110

[GRAPHIC] [TIFF OMITTED] T6875.111

[GRAPHIC] [TIFF OMITTED] T6875.112

[GRAPHIC] [TIFF OMITTED] T6875.113

[GRAPHIC] [TIFF OMITTED] T6875.114

[GRAPHIC] [TIFF OMITTED] T6875.115

[GRAPHIC] [TIFF OMITTED] T6875.116

[GRAPHIC] [TIFF OMITTED] T6875.117

[GRAPHIC] [TIFF OMITTED] T6875.118

[GRAPHIC] [TIFF OMITTED] T6875.119

[GRAPHIC] [TIFF OMITTED] T6875.120

[GRAPHIC] [TIFF OMITTED] T6875.121

[GRAPHIC] [TIFF OMITTED] T6875.122

[GRAPHIC] [TIFF OMITTED] T6875.123

[GRAPHIC] [TIFF OMITTED] T6875.124

[GRAPHIC] [TIFF OMITTED] T6875.125

[GRAPHIC] [TIFF OMITTED] T6875.126

[GRAPHIC] [TIFF OMITTED] T6875.127

[GRAPHIC] [TIFF OMITTED] T6875.128

[GRAPHIC] [TIFF OMITTED] T6875.129

[GRAPHIC] [TIFF OMITTED] T6875.130

[GRAPHIC] [TIFF OMITTED] T6875.131

[GRAPHIC] [TIFF OMITTED] T6875.132

[GRAPHIC] [TIFF OMITTED] T6875.133

[GRAPHIC] [TIFF OMITTED] T6875.134

[GRAPHIC] [TIFF OMITTED] T6875.135

[GRAPHIC] [TIFF OMITTED] T6875.136

[GRAPHIC] [TIFF OMITTED] T6875.137

[GRAPHIC] [TIFF OMITTED] T6875.138

[GRAPHIC] [TIFF OMITTED] T6875.139

[GRAPHIC] [TIFF OMITTED] T6875.140

[GRAPHIC] [TIFF OMITTED] T6875.141

[GRAPHIC] [TIFF OMITTED] T6875.142

[GRAPHIC] [TIFF OMITTED] T6875.143

[GRAPHIC] [TIFF OMITTED] T6875.144

[GRAPHIC] [TIFF OMITTED] T6875.145

[GRAPHIC] [TIFF OMITTED] T6875.146

[GRAPHIC] [TIFF OMITTED] T6875.147

[GRAPHIC] [TIFF OMITTED] T6875.148

[GRAPHIC] [TIFF OMITTED] T6875.149

[GRAPHIC] [TIFF OMITTED] T6875.150

[GRAPHIC] [TIFF OMITTED] T6875.151

[GRAPHIC] [TIFF OMITTED] T6875.152

[GRAPHIC] [TIFF OMITTED] T6875.153

[GRAPHIC] [TIFF OMITTED] T6875.154

[GRAPHIC] [TIFF OMITTED] T6875.155

[GRAPHIC] [TIFF OMITTED] T6875.156

[GRAPHIC] [TIFF OMITTED] T6875.157

[GRAPHIC] [TIFF OMITTED] T6875.158

[GRAPHIC] [TIFF OMITTED] T6875.159

[GRAPHIC] [TIFF OMITTED] T6875.160

[GRAPHIC] [TIFF OMITTED] T6875.161

[GRAPHIC] [TIFF OMITTED] T6875.162

[GRAPHIC] [TIFF OMITTED] T6875.163

[GRAPHIC] [TIFF OMITTED] T6875.164

[GRAPHIC] [TIFF OMITTED] T6875.165

[GRAPHIC] [TIFF OMITTED] T6875.166

[GRAPHIC] [TIFF OMITTED] T6875.167

[GRAPHIC] [TIFF OMITTED] T6875.168

[GRAPHIC] [TIFF OMITTED] T6875.169

[GRAPHIC] [TIFF OMITTED] T6875.170

[GRAPHIC] [TIFF OMITTED] T6875.171

[GRAPHIC] [TIFF OMITTED] T6875.172

[GRAPHIC] [TIFF OMITTED] T6875.173

[GRAPHIC] [TIFF OMITTED] T6875.174

[GRAPHIC] [TIFF OMITTED] T6875.175

[GRAPHIC] [TIFF OMITTED] T6875.176

[GRAPHIC] [TIFF OMITTED] T6875.177

[GRAPHIC] [TIFF OMITTED] T6875.178

[GRAPHIC] [TIFF OMITTED] T6875.179

[GRAPHIC] [TIFF OMITTED] T6875.180

[GRAPHIC] [TIFF OMITTED] T6875.181

                                 
