[Senate Hearing 112-130]
[From the U.S. Government Publishing Office]
S. Hrg. 112-130
THE ELECTRONIC COMMUNICATIONS PRIVACY ACT: GOVERNMENT PERSPECTIVES ON
PROTECTING PRIVACY IN THE DIGITAL AGE
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
APRIL 6, 2011
__________
Serial No. J-112-14
__________
Printed for the use of the Committee on the Judiciary
_____
U.S. GOVERNMENT PRINTING OFFICE
70-856 PDF WASHINGTON : 2011
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                  CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California          ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York               JON KYL, Arizona
DICK DURBIN, Illinois                 JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island      LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota              JOHN CORNYN, Texas
AL FRANKEN, Minnesota                 MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware        TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
Bruce A. Cohen, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Counsel and Staff Director
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Grassley, Hon. Chuck, a U.S. Senator from the State of Iowa
    prepared statement
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont
    prepared statement
WITNESSES
Baker, James A., Associate Deputy Attorney General, U.S.
    Department of Justice, Washington, DC
Kerry, Cameron F., General Counsel, U.S. Department of Commerce,
    Washington, DC
QUESTIONS AND ANSWERS
Responses of James A. Baker to questions submitted by Senators
    Franken and Leahy
Responses of Cameron F. Kerry to questions submitted by Senator
    Leahy
SUBMISSIONS FOR THE RECORD
Baker, James A., Associate Deputy Attorney General, U.S.
    Department of Justice, Washington, DC, statement
Kerry, Cameron F., General Counsel, U.S. Department of Commerce,
    Washington, DC, statement
Tech Freedom; Competitive Enterprise Institute; Americans for Tax
    Reform's Digital Liberty Project; Freedom Works; Campaign for
    Liberty; Washington Policy Center; Liberty Coalition; Center
    for Financial Privacy and Human Rights and Less Government,
    April 6, 2011, joint letter
THE ELECTRONIC COMMUNICATIONS PRIVACY ACT: GOVERNMENT PERSPECTIVES ON
PROTECTING PRIVACY IN THE DIGITAL AGE
----------
WEDNESDAY, APRIL 6, 2011
U.S. Senate,
Committee on the Judiciary,
Washington, DC.
The Committee met, pursuant to notice, at 10:08 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Patrick J.
Leahy, Chairman of the Committee, presiding.
Present: Senators Leahy, Whitehouse, Klobuchar, Franken,
Coons, Blumenthal, and Grassley.
OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM
THE STATE OF VERMONT
Chairman Leahy. Good morning. Today the Committee will hold
a timely and I think important hearing on the Federal
Government's use of the Electronic Communications Privacy Act,
or ECPA, as we know it. It is one of the Nation's premier
digital privacy laws. ECPA has been a bridge between what are,
of course, legitimate law enforcement needs but also the
equally legitimate privacy rights of Americans. When the
Committee held its first hearing on ECPA reform last September,
I said that while there is general agreement that ECPA has
become outdated by vast technological advances and changing law
enforcement missions since the law's initial enactment, the
question of how best to update this law has no simple answer.
We know it has to be updated. The difficult part is exactly how
do we do it.
Congress is considering many different approaches to ECPA
reform, but I think there should be a few core principles to
guide our work. Meaningful ECPA reform must carefully balance
privacy rights, public safety, and security. Reforms must also
encourage American innovation, and they have got to instill
confidence in American consumers, law enforcement, and the
business community. All these principles we should agree on. It
is how best to do it.
For many years, ECPA has provided vital tools to law
enforcement to investigate crime and to keep us safe. At the
same time, the law has been crucial to safeguarding Americans'
digital privacy rights. I know. I was one of the ones who
helped write this bill. With the explosion, though, of cloud
computing, social networking sites, and other new technologies,
determining how best to bring this privacy law into the Digital
Age is going to be one of Congress' greatest challenges.
While still a useful tool for our Government today, ECPA is
a law that is hampered by conflicting standards that cause
confusion for law enforcement, the business community, and
American consumers alike. For example, just to put it right
down in the concrete, a single e-mail could be subject to as
many as four different levels of privacy protections under
ECPA, depending on where it is stored and when it is sent.
There are also no clear standards under that law for how and
under what circumstances the Government can access cell phone
or other mobile location information when investigating crime
or national security matters. And on that, it is a much
different era than when I was first in law enforcement where,
if police had legitimate rights and legitimate--reasons,
rather, to get into a phone conversation, they would have their
warrant, and they basically went and clipped on to some wires
in one particular area. That is not the situation today, and,
of course, it becomes even more aggravated in national security
matters.
So we are having this hearing so we can examine how these
and other shortcomings impact the Government's ability to fight
crime and protect national security. We will also examine the
Government's views about various proposals being considered by
Congress to update this privacy law.
We are going to hear from the General Counsel of the
Department of Commerce, who has unique insights into the impact
of ECPA on American innovation, but also the views of the
Department of Justice, which relies upon ECPA to carry out its
vital law enforcement and national security duties. So I am
glad both are here, and I will yield to my good friend from
Iowa, the Ranking Member of this Committee, Senator Grassley.
STATEMENT OF HON. CHUCK GRASSLEY, A U.S. SENATOR FROM THE STATE
OF IOWA
Senator Grassley. Thank you, Chairman Leahy. This hearing
provides us an opportunity to hear the Government's view on the
need to reform this law.
At our 2010 hearing the Departments of Justice and Commerce
both testified about the need for our laws to keep pace with
technological developments. Both witnesses agreed that
technology has changed significantly since the law was passed
in 1986, but neither witness offered proposals. The hearing
focused largely upon changes sought by private sector
businesses and interest groups that have formed a coalition to
reform the law.
We in Congress need to work to ensure that our laws are up
to date and do not negatively impact business innovation. We
also need to address legitimate privacy concerns.
We need to hear from the law enforcement community to
ensure that we do not limit their ability to obtain information
necessary to catch criminals and terrorists who use electronic
communications. This statute, just like the PATRIOT Act, has
specific meanings and definitions, and any amendment requires
careful consideration to ensure that we do not create loopholes
that make it harder for law enforcement to do their job.
Today we have an opportunity to follow up with both of
those departments. No legislative proposal has been put forward
by the administration. Instead, the witnesses, it seems to me,
will point out areas where changes could be made to bring
clarity to the law.
I hope the Department of Justice changes what they view
will be brought forward and what they feel will harm
investigations. I also want to hear what Commerce has to say
about changes that they feel are necessary to ensure that we
remain competitive and how reforming our privacy laws could
enhance business.
That said, there is clearly a tension between the two
points, and that was how we arrived at the current law, a
carefully crafted compromise. The 1986 statute struck a balance
then between privacy and law enforcement. Replicating that
balance will be the key to any possibility of being successful
on proposed legislation.
I will put the rest of my statement in the record.
[The prepared statement of Senator Grassley appears as a
submission for the record.]
Chairman Leahy. Thank you very much.
Our first witness will be Mr. Cameron Kerry. He is the
General Counsel of the Department of Commerce. He serves as the
Department's chief legal officer, chief ethics officer, and is
Chair of the Department of Commerce Privacy Council. He has
been a leader on work across the U.S. Government on patent
reform and intellectual property issues and privacy security
and efforts against transnational bribery. Previously he was a
partner at Mintz Levin, a national law firm. In over 30 years
of practice--and I might note personally I think I have known
you for most of the 30 years of that practice--he has been a
communications lawyer and litigator in a range of areas,
including telecommunications, environmental law, toxic torts,
privacy, and insurance regulation. He is a graduate of Harvard
College and earned his law degree at the Boston College School
of Law.
Mr. Kerry, we will put your full statement in the record,
but please go ahead, and then we will hear from Mr. Baker, and
then we will go to questions.
STATEMENT OF HON. CAMERON F. KERRY, GENERAL COUNSEL, U.S.
DEPARTMENT OF COMMERCE, WASHINGTON, DC
Mr. Kerry. Mr. Chairman, thank you and good morning. Mr.
Chairman, Ranking Member Grassley, and members of the
Committee, I am pleased to be joining you again to discuss
updating the Electronic Communications Privacy Act of 1986.
I am here today to say that the administration fully
understands and supports the Committee's rationale for
reexamining this statute, and I am here to offer to you two
recommendations.
The first is that there should be a principled relationship
between the legal protections and the procedures that apply to
law enforcement access to electronic information and the legal
protections and procedures for comparable materials in the
physical world. What those protections and procedures should be
should be determined by reference to a number of factors,
including the privacy expectations of the parties involved, who
has access to or control of the information, and the reasonable
needs of law enforcement and national security.
The second is that the legal protection afforded to
electronic content should not turn simply on factors that are
disconnected from reasonable privacy interests of ordinary
citizens.
As the Chairman and as other members of the Committee
observed when we were here last September, one may question
whether the Stored Communications Act's 180-day rule, the
notion that privacy protection accorded to an electronic
message could change 180 days after it is sent, should
continue. If Congress wants to revisit this issue, the
appropriate level of privacy protection once again should turn
on an assessment of other factors, including the expectation of
privacy of the parties to the communication, the mode of
communication used in connection with the content, and who
controls it, and, again, of course, the interests of law
enforcement and national security.
Since we were here in September, the Department of Commerce
has been at work on a commercial data privacy framework to meet
the needs of the 21st century information economy. When we were
here in September, we told you that even though we had not
asked about ECPA, a number of industry players came to us and
volunteered concerns about the statute.
Last December, we published a green paper that is included
with my written testimony, which included the recommendation
that, in light of changes in technology and changes in market
condition, the administration should review ECPA with a view to
assessing privacy protections in cloud computing and
location-based services. That is a process which we are conducting. It
is under way with the Department of Justice and other
administration colleagues.
In response to the green paper, we have received further
comments from industry and from consumer groups. All of these
endorsed updating ECPA. So I would be happy to provide the
Committee with a summary of those comments and what they had to
say about the impact of ECPA in light of new technologies, the
uncertainties and emerging gaps in privacy protection.
There is another reason why this ongoing examination of
ECPA is timely, which I discussed in my written testimony, and
that is court decisions in recent years that have injected
uncertainty on the standards and the privacy protections in
emerging technologies.
So, Mr. Chairman, as you and members of the Committee
proceed with what you have said is a difficult, challenging
process of striking a new balance, we stand ready to work with
you, and now I stand ready to respond to your questions.
Thank you.
[The prepared statement of Mr. Kerry appears as a
submission for the record.]
Chairman Leahy. Thank you, Mr. Kerry.
I may note that in 37 years--I do not even want to think
about how many thousands of hearings I have either attended or
presided over. I think this is the first time I have had
somebody give their testimony from an electronic pad, and so
I----
Mr. Kerry. I am an early adopter, Mr. Chairman. We try to
stay on top of technology.
Chairman Leahy. I have seen that, and I appreciate that
very much. I do not use my old Selectric typewriter as much as
I used to.
[Laughter.]
Chairman Leahy. That is a joke. I actually found one in a
closet at home the other day. I do not know whether to give it to
the Smithsonian.
Our next witness, James Baker, is the Associate Deputy
Attorney General at the U.S. Department of Justice. He has
worked extensively on all aspects of national security policy
and investigations. He has been an official at the U.S.
Department of Justice for nearly two decades, well respected by
this Committee and by me for his work. He has provided the
United States intelligence community legal and policy advice
for many years. In 2006, he received the George H.W. Bush Award
for Excellence in Counterterrorism, the CIA's highest award for
counterterrorism achievements.
I am well aware of the background of that award, and it was
justly and honorably deserved.
Mr. Baker also taught at Harvard Law School, served as
resident fellow at Harvard University's Institute of Policy.
Mr. Baker, please go ahead, sir.
STATEMENT OF HON. JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY
GENERAL, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC
Mr. Baker. Good morning, Mr. Chairman, Ranking Member
Grassley, and members of the Committee. Thank you for the
opportunity to testify on behalf of the Department of Justice
here today regarding ECPA, and here with my colleague, Mr.
Kerry, from the Department of Commerce.
As you know, ECPA, which includes the Stored Communications
Act and the pen register statute, is part of a set of laws that
controls the collection and disclosure of both content and
non-content information related to electronic communications, as
well as content that has been stored remotely. These laws serve
two functions, as folks have mentioned today. They are critical
tools for law enforcement, national security, and cyber
security activities, and they are essential for protecting the
privacy interests of all Americans.
ECPA has never been more important than it is now. Because
many criminals, terrorists, and spies use telephones or the
Internet, electronic evidence obtained pursuant to ECPA is now
critical in prosecuting cases involving a wide range of crimes,
including terrorism, espionage, and violent crimes.
ECPA has three key components that regulate the disclosure
of certain communications and related data. The first prohibits
unlawful access to stored communications; the second regulates
voluntary disclosures by network service providers of customer
communications and records, both to Government and to
non-governmental entities; and the third regulates Government
access to stored communications and provides procedures for law
enforcement officers to follow to compel disclosure of stored
communications and related data. ECPA, as you know, was
originally enacted in 1986, but it has been amended repeatedly
since then, especially with substantial revisions in 1994 and
in 2001.
Mr. Chairman, the Department of Justice is charged with the
responsibility of enforcing the laws, safeguarding the
constitutional rights of Americans, and protecting the national
security of the United States. As such, we welcome these
hearings on this very important topic. We appreciate the
concerns that some in Congress, the courts, and the public have
expressed about ECPA, and we know that some believe that ECPA
has not kept pace with technological changes or the way that
people today communicate and store records, notwithstanding the
fact that ECPA has been amended several times, as I just
mentioned. We respect those concerns, and we appreciate the
opportunity to discuss them here today. We also applaud your
efforts to undertake a renewed examination of whether the
current statutory scheme appropriately accommodates such
concerns and adequately protects privacy while at the same time
fostering innovation and economic development. It is legitimate
to have a discussion about our present conceptions of privacy,
about judicially supervised tools the Government needs to
conduct vital law enforcement and national security
investigations, and how our statutes should accommodate both.
For example, we appreciate that there are concerns regarding
ECPA's treatment of stored communications--in particular, the
rule that the Government may use lawful process short of a
warrant to obtain the content of e-mails that are stored for
more than 180 days. And we are ready and willing to engage in a
robust discussion of these matters to ensure that the law
continues to provide appropriate protections for the privacy
and civil liberties of Americans as technology develops.
As we engage in that discussion, as several have referenced
this morning, what we must not do--either intentionally or
unintentionally--is unnecessarily hinder the Government's
ability to effectively and efficiently enforce the criminal law
and protect national security. The Government's ability to
access, review, analyze, and act promptly upon the
communications of criminals that we lawfully acquire, as well
as data pertaining to such communications, is vital to our
mission to protect the public from terrorists, spies, organized
criminals, kidnappers, and other malicious actors. At the
Department of Justice, we are prepared to consider reasonable
proposals to update the statute--and indeed, as set forth in my
written statement for the record, we have a few of our own to
suggest--provided that they do not compromise our ability to
protect the public from the real threats that we face.
In closing, Mr. Chairman, it is important to note that ECPA
protects privacy in another way as well. By authorizing law
enforcement officers to obtain evidence from communication
providers, ECPA enables the Government to investigate and
prosecute hackers, identity thieves, and other online
criminals. Pursuant to ECPA, the Government obtains evidence
critical to our ability to prosecute these privacy-related
crimes.
Mr. Chairman and members of the Committee, ECPA is an
important topic, and I look forward to taking your questions
here today, and I would ask that my written statement be
submitted as part of the record.
Chairman Leahy. It will be made part of the record.
Mr. Baker. Thank you, Mr. Chairman.
[The prepared statement of Mr. Baker appears as a
submission for the record.]
Chairman Leahy. I was struck when you said you are willing
to consider proposals we might have, and, of course, the fact
is if we do not have proposals as we go forward, then we stay
with the law the way it is, and I do not think anybody would
find that best. So it is a case where this is not just let us
consider what Congress thinks. The fact is either Congress acts
or you are stuck with the old law.
Mr. Kerry, I was pleased to learn the Commerce Department
and the Justice Department are working together to consider
potential updates to ECPA, so we would welcome any feedback.
Can you give us a short summary of the progress of this
partnership to date? Then I am going to ask the same question
of Mr. Baker.
Mr. Kerry. Well, we have been in active discussions really
through the year to try to deal with proposals to update and
re-strike the balance. The written testimony that you have from
each of us is a reflection of some of the direction that that
has taken. We are certainly prepared to put our shoulders to
the wheel with the Committee. I think the process of you,
Senator, and the Committee holding our feet to the fire and
developing this testimony has helped to advance the
discussions, and I think we are in a position to move forward
in a concrete way.
Chairman Leahy. Well, I would like to see the
administration recommendations because, as I said, sometimes I
find that inertia sometimes gets the greatest bipartisan
support on the Hill, but I would like to see us move forward.
So, Mr. Baker, I would ask you the same question: How is
this work with Commerce going?
Mr. Baker. Yes, Senator, I agree with Mr. Kerry completely.
We have been working on a whole range of issues related to
surveillance, privacy, innovation, all of these issues. We have
made, I think, substantial progress. I think the two statements
together indicate that we have worked through a lot of issues.
We actually got some concrete areas at least that we agree that
we should focus on that are reflected in the statement. So I
think that is significant progress.
We have certainly been working at the Department of Justice
on language that supports the proposals that we have put
forward, or at least raised. We have not finished that work
yet, even within the Department and with the interagency, so we
have got some additional work to do in that regard. But we have
made significant progress, Senator.
Chairman Leahy. For an incentive, I think there is a
willingness of Republicans and Democrats to work together on
this because when I talk about the inertia, I do not find many
people who want to just stick with the law the way it is. It is
outdated from both a national security point of view, but from
a privacy point of view, and we worked very, very hard on the
first law to get that balance, realizing that technology
changes and a lot of the things that we could consider at the
time we wrote the law, that those of us who worked on it knew
technology might change, but none of us could predict where and
to what extent. Nobody knew about the cloud at that time, for
example.
Now, let me ask you a couple of specifics. Last year, the
Court of Appeals for the Third Circuit held the Government
could be required to obtain a search warrant before it could
access an individual's cell phone location data. Under ECPA the
Government can obtain cell phone location data by several
different methods, including seeking a court order, but the
statute does not specify whether the Government must always
establish probable cause to get this order, as would be the
case with a search warrant.
What is the Department's view about the legal standard that
should apply in order for the Government to access cell phone
location information?
Mr. Baker. Senator, just to clarify, when we speak about
cell phone location information, there is a variety of
different types that are potentially available. So there is the
very precise GPS type of information that might be available
that more pinpoints accuracy.
Chairman Leahy. That is right.
Mr. Baker. And then you have cell site location
information, which it is increasingly more accurate in terms of
determining where a cell phone is, but it still is not as
precise as----
Chairman Leahy. It just says that cell phone is next to
this--that cell phone is within the area of this cell tower,
but it could be----
Mr. Baker. There is a range of----
Chairman Leahy. Yes.
Mr. Baker. Depending upon where you are, in a rural,
suburban, or urban area, it depends. So it is key to understand
that there are different technologies that exist with respect
to cell phone location information.
The Department's policy now is that if we want the GPS
information, we have to go get a warrant in order to obtain
that. For the cell site location information, the less precise
information, we have to still go get a court order, a variety
of orders depending upon whether it is historical or
prospective, but in any event, you still have to go to court
and get an order, albeit under a lower standard than you have
for a warrant.
Chairman Leahy. Would it help to have some clarification
specifically in this area?
Mr. Baker. Well, we think that based on the Third Circuit
case that--and we have suggested that it is definitely an area
that is worth examining.
Chairman Leahy. Well, let me ask you that, because we also
have the D.C. Circuit. They vacated the life sentence of an
individual who had been convicted, I believe it was in drugs,
but he was--they had installed a global positioning device on
his car to track him in connection, and they vacated it.
Now, I understand the Department is considering appealing
this case. Am I correct? Or are you aware of that?
Mr. Baker. I do not think we have--I would have to check on
that.
It is being reviewed by the Department right now, Senator.
Chairman Leahy. What is the legal standard to apply if you
want to obtain information by using or installing a global
positioning device? And does that change whether it is
historical, as you had referred to earlier, or realtime?
Mr. Baker. So just to make sure I understand, the device
you are talking about is a device that is attached to a
vehicle----
Chairman Leahy. That is right.
Mr. Baker [continuing]. As opposed to a communications
device. So it is a little bit different in that sense.
Chairman Leahy. A GPS device.
Mr. Baker. It is a GPS, but it is not a cell phone, it is
not a personal----
Chairman Leahy. That is right. You are not talking----
Mr. Baker. Correct.
Chairman Leahy. It is simply a locator.
Mr. Baker. So there have been a lot of rulings on these
kinds of cases over the years, and I think, unfortunately, the
answer depends on the facts of the case. And so it depends
where you are when you install the device, and it depends what
the device is attached to and where it goes. In circumstances
in which it would go into an area that is protected by the
Fourth Amendment, then you would have to get a warrant to
continue to monitor the signals from that device. But to the
extent that the device is attached in an unprotected area, in
terms of the Fourth Amendment, and then travels in areas that are
not protected by the Fourth Amendment, then currently you would
not need a warrant to obtain that information.
Chairman Leahy. Thank you. And does it make a difference if
it is historical information or realtime?
Mr. Baker. I guess it would depend. I am thinking about the
beeper. I mean, I guess if you had the beeper recording for a
period of time and then downloaded the information, that would
be historical. But I think the same rules that I just discussed
would apply in that context since it is not a communication
device.
Chairman Leahy. Whether you put it on their garage or
whether you put it on the----
Mr. Baker. On the public street or something, where the car
goes and so on, yes, all those factors are relevant to the
analysis.
Chairman Leahy. Thank you.
Senator Grassley.
Senator Grassley. I am going to start with Mr. Baker. This
coalition that is promoting these changes wants to increase the
standards to obtain non-content information through the--just a
minute. I am on the wrong question. Just a minute.
The coalition, a group of businesses and interest groups,
as we know, supports a probable cause standard for obtaining
all electronic communications regardless of its age, the
location or storage facilities, or the provider's access to
information. Do you support raising the legal standard for
obtaining all electronic communications to a probable cause
determination?
Mr. Baker. Senator, I think that is the kind of concern
that we have that I expressed in my statement, that we have to
make sure--that the kinds of information we are talking about,
especially when you come to non-content information, is
critical for our ability to conduct investigations. And if we
were to raise the standard with respect to some electronic
communications, even content, it is going to have an impact on
law enforcement investigations. We have to be mindful of that.
We have to be thoughtful about that. And so whatever proposals
come forward, we have to look at that in that light.
Senator Grassley. Well, I think you just told me, and if
you did not say this, say I interpreted you wrong. But my next
question dealt with the probable cause determination, the
effect on law enforcement. And you just told me it would be
more difficult.
Mr. Baker. It would be more difficult.
Senator Grassley. Could this significant change also unduly
burden the agencies and prosecutors and the courts?
Mr. Baker. It would impact our--let me just stick with the
location information that Senator Leahy was asking about. We
use that information as sort of the basic building blocks of
investigations. So an IP address, a cell phone piece of
information, where you were when you placed a particular call,
these are the kinds of information that we use to locate
people, suspects, and also to investigate links between
suspects. So we use it as sort of the basic building blocks,
and we also use that kind of information to build our way
toward obtaining probable cause. And so we need to be able to
obtain a certain amount of information to work our way to the
more intrusive types of techniques that we have available.
Senator Grassley. Okay. It takes longer to prepare a
2703(d) order application than a subpoena, and it takes longer
to prepare a search warrant application than a 2703(d) order
application. If you would agree with those two statements, is
it fair to say that raising the standard will slow down a
criminal investigation?
Mr. Baker. I think it would have an impact along those
lines, Senator, yes. It would consume more resources and
require us to engage in more process. I think there is no doubt
about that.
Senator Grassley. And since time is a critical factor
during a lot of criminal investigations and speed is essential,
if Congress slows down the process, then this could have
real-life consequences, you know, particularly where human life is
involved?
Mr. Baker. Absolutely, Senator. As I said, whatever we do
in this area, we need to get the balance right. We need to make
sure that we achieve all the objectives that we want to
achieve.
Senator Grassley. Let me focus on the court for just a
minute, and I referred to that just a couple questions ago. If
all electronic communications, with emphasis upon "all,"
required a search warrant, the courts would experience
additional burdens as well, and these increased burdens on the
court system would naturally increase the delays when
investigating time-sensitive threats to human life. Would that
be right?
Mr. Baker. Senator, I expect there would be some additional
burden on the court. I have worked with judges for many years,
and they are always ready to take on whatever the Government
brings to them. So I am not sure that they would say that it
would burden them that much, but I think it is additional
requirements that we would have to meet and have to go to a
court to achieve.
Senator Grassley. This coalition supports increasing the
standard to obtain non-content information through pen register
or trap-and-trace orders. They are pushing for a standard to be
at least as strong as that required under an electronic
communication 2703(d) order. They are further pushing for this
increased standard to apply to e-mail addresses, instant
messages, texts, Internet protocols, addresses of Internet
sites.
Currently does the legal process and authority for
obtaining pen register information work well?
Mr. Baker. For obtaining pen register information? I think
our perspective would be that it does work well actually
currently.
Senator Grassley. And are you aware of any problems in
using it?
Mr. Baker. Using the pen registers?
Senator Grassley. Yes.
Mr. Baker. I think the answer is we are generally satisfied
with the way the statute is now. There was a particular
amendment in 2001 that was extremely helpful, so I think--with
respect to all these, if I just may add, we are working through
all these issues. I think everybody agrees that these are the
significant issues to focus on. We do not have a cleared
position from the administration yet on these proposals, but I
think we have identified the concerns that we have.
Senator Grassley. If I could just have three short
questions here.
Chairman Leahy. Go ahead.
Senator Grassley. Then that will finish this point.
Do you think the legal standard to obtain information
through pen register or trap-and-trace orders would be
increased to a probable cause or 2703 standard?
Mr. Baker. I am sorry, Senator. Do I think it would be----
Senator Grassley. The legal standard to obtain information
should be increased.
Mr. Baker. Oh, again, this is an area--the pen registers
and these kinds of things are the basic building blocks for our
investigations, so any changes to those would have to be
reviewed very carefully. Any changes to that standard would
have to be reviewed very carefully.
Senator Grassley. Well, then, I will skip a question and go
to my last one. Would not a change like this increase burdens
on investigators, prosecutors, and the courts?
Mr. Baker. Yes.
Senator Grassley. Okay. Thank you, Mr. Chairman.
Chairman Leahy. Thank you very much.
I will yield to Senator Whitehouse and then in a few
minutes turn the gavel over to him.
Senator Whitehouse. Thank you, Chairman, and thank you,
gentlemen, both for being here. I appreciate your work on this
issue.
I am going to be here until the end of the hearing because
I will be taking over the gavel, so I am just going to ask a
sort of brief set of overview questions now that are kind of in
the nature of framing what the topics should be that we should
be prepared to address as we go forward. And I assume that you
are working on them as well.
One obviously is how location information should be
treated. As a general proposition, I do not know that there is
an established privacy right cognizable under the Fourth
Amendment regarding your location. If the police want to put a
tail on somebody, they do not get a warrant for that or take
any action, and they can follow to the best of their ability
and figure out where somebody is. When you move up to pen
register and trap-and-trace, there is a more complicated
standard. And when you go to a full-blown Fourth Amendment
search warrant requirement and you are involved in content,
there is a much higher standard. And as I understand it, we
should be sorting out where the location information, which is
now newly available really in ways that it was not when ECPA
was written, where it falls into that array of possibilities.
Correct?
Mr. Kerry. Yes.
Senator Whitehouse. So that is one. Okay. We should review
the question--as a general proposition, you both agree that
warrants are ordinarily required to access content of a
communication. Correct?
Mr. Baker. Not always.
Senator Whitehouse. Ordinarily.
Mr. Baker. Ordinarily. But--I am sorry. It depends. Not
always. So we can talk about that.
Senator Whitehouse. But the 180-day rule under ECPA
specifically allows access to content if it is more than 180
days old without a warrant----
Mr. Baker. Correct.
Senator Whitehouse. We should review that determination
given the change in technology and practice that has taken
place. Correct?
Mr. Baker. We agree that is definitely an area that people
want to talk about, and we are happy to engage in that
discussion.
Senator Whitehouse. The next issue is private sector
disclosures, and they come in two ways. One is private sector
disclosures to other private sector commercial operators and
whether we should put some restrictions on that so that, for
instance, your ISP is not selling your location to McDonald's
so that every time you are within 100 feet of a McDonald's you
are getting a message saying, ``Don't you feel like a
hamburger.'' And at the same time, on the other side, there is
the concern that the ISPs now have considerable access and
considerable situational awareness about the cyber threat and
what is happening out there, and ECPA restricts their ability
to warn Government about those activities so that Government
can be prepared to take national security protection action.
And both of those are things we should be examining, correct?
Mr. Kerry. That is correct, Senator, yes. Those are
actively at work in interagency processes within the
administration.
Senator Whitehouse. It seems to me that as we move more
into the cyber realm, there are searches and then there are
searches. And the Constitution concerns itself with searches in
which somebody gains awareness of your personal papers and
communications. That strikes me as the fundamental protection
of the Fourth Amendment. Where you have a mechanism that
potentially no human actually is aware of that scans the flow
of data that goes through cyber space and simply alerts when it
determines that a virus or a malware or some kind of threat is
attached to that content, it is conceivable in that
circumstance that no person actually locates that, although
technically it remains a search because an agent has deployed
this technology and has actually scanned the packet of content.
Is that a distinction that is worth beginning to pursue? That
seems to be a novelty nowadays. You know, in the old days, if
somebody went through your papers, it was an agent and they
were looking at it, and your privacy was really implicated in a
very significant way when another person was looking at your
papers. If all that is happening is that the content of your e-
mail stream is being scanned for known malware and viruses and
that is causing a safety action to be taken to protect the
Internet, that is a slightly different piece of--it is a
slightly different privacy interest involved there, isn't it?
Mr. Baker. Senator, these are exactly the right kinds of
questions to ask and areas to think about. I have seen some
folks analogize what I think you are talking about to a
situation like a dog sniffing luggage at the airport for either
explosives or for narcotics or something like that, and they go
along the line and, you know, sniff what is there, and then
they alert only on the thing that has contraband in it. So it
is a different regime. It depends on the context. Airports are
different than a lot of other things. But in any event----
Senator Whitehouse. Conceivably, there is even less of a
privacy interest in this because what happens when the dog
alerts is that your suitcase gets opened and people plow
through it, and a human knows what you have in your suitcase,
and that affects the privacy interest; whereas, it is not
unusual that what happens to a digital alert is that simply the
message is rerouted and nobody actually ever gets awareness of
the content.
Mr. Baker. Well, that is one way you could do it,
certainly, but I think there would be an interest in looking at
that communication and trying to analyze it from a cyber
security perspective to have a better idea where it came from,
what its purpose is, and what its destination is.
Senator Whitehouse. All right. My time has expired, and I
just to figure out who was here first.
Senator Franken was here first.
Senator Franken. Thank you, Mr. Chairman, and thank you,
gentlemen, for your testimony.
ECPA gives citizens privacy protections with respect to law
enforcement, but ECPA also says when an ISP can share our
information with other businesses or the general public, and I
am worried that these privacy protections are just far too
weak.
Here is an example. If I make a phone call from my smart
phone and my phone company learns of my location, they cannot
go out and sell that information or give it to anybody unless
they have my express consent. But I use the same smart phone to
do a Google search, under certain court decisions that same
phone company would likely be free to give my location
information to any business or person that it wants to. The
difference is that my phone call is covered by the
Telecommunications Act, and my Internet search is covered by
ECPA.
Mr. Baker and Mr. Kerry, are you aware of this
discrepancy? And what do you think of it?
Mr. Kerry. I am aware of the discrepancy, and that, in
fact, is the case. I mentioned the effort that we have
undertaken to address privacy policy in the commercial data
context. Indeed, a couple of weeks ago, the administration
announced support for baseline privacy regulation in the online
area.
The issue of what usage, what resale, what communication
with third parties can be made of the kind of location
information that you described, among many other kinds of
information that people generate as they go online, is one of
the issues that needs to be addressed as part of baseline
privacy protection.
Senator Franken. And as part of rewriting this bill?
Mr. Kerry. I am not sure that that necessarily fits under
changing ECPA. There are aspects of it that need to be
addressed under ECPA, as Mr. Baker said in response to earlier
questions. Trying to establish some certainty on Government
access to geo-location data and other location data is
certainly an appropriate subject for consideration.
Senator Franken. Well, this specific issue with location is
part of a broader problem in ECPA, and you note in your
testimony, Mr. Baker, that ECPA allows ISPs to disclose
customer records to pretty much anyone they want as long as it
is not the Government. That includes information on whom you e-
mail, when you e-mail, and to some extent the websites that you
visit. This is totally out of line with the Cable Act and
Communications Act, which require cable and phone companies to
get your consent before making these disclosures to third
parties.
Mr. Baker, I applaud the Department's position that this
part of ECPA may be insufficiently protective of customer
privacy. Would you agree that in this respect ECPA's consumer
privacy protections represent a lower standard than the kind of
protections our law provides to cable and phone service
customers?
Mr. Baker. I think it is lower with respect to the
providers that ECPA applies to when compared to the regulations
under the Communication Act and the Cable Act, those kinds of
things that apply to different companies or at least companies
wearing different hats at different times. And as you said,
yes, it is one provision of ECPA that allows this more robust
sharing of consumer data--not communications, not the content,
but the data.
Senator Franken. So it is a lower standard.
Mr. Baker. It is a lower--well, it permits it. It permits
the sharing without more to anybody who is not a governmental
entity. And if I could just note that a foreign government
falls within that category. In other words, it prohibits
disclosures to the U.S. Government or a State government. It
does not prohibit disclosures to a foreign government. So we
are----
Senator Franken. Thank you for that distinction.
Mr. Kerry, Minnesota is home to a lot of so-called cloud
computing businesses. These are businesses that allow other
businesses or individuals to store their e-mails, documents,
and photos remotely instead of on their computers. I recently
heard from one company in Minnesota, N Stratus. They said they
are losing business because they cannot definitively tell their
prospective clients when and how the Government will access
their information. Because of this uncertainty, people are not
deciding to put their documents on the cloud. They are choosing
to keep their documents on their own computers and servers.
Mr. Kerry, I am sure you have heard of many companies that
are in this situation. How can we amend ECPA to help businesses
like N Stratus?
Mr. Kerry. Senator Franken, I certainly have heard that
from a great many companies. I spoke yesterday at a gathering
of technology and software general counsels. There was a lot of
interest in this issue. We have seen in the development of e-
commerce that, you know, people's willingness to trust vendors
with credit card information was a critical threshold to get
across. You see the same thing with cloud computing.
Harris research, market research by computing companies,
indicates a very large number of both businesses and consumers
are concerned about their privacy and their security in putting
information into the cloud--80 percent in the Harris survey.
One of the reasons that we have engaged in the privacy and
security discussion at the Department of Commerce is because
trust is such a critical component of the digital economy, and
cloud providers need to be able to assure their customers that
what they provide to them in the cloud is as trustworthy as
physical records or other ways of storing digital information,
and that, you know, they have no competitive disadvantage with
other business models. That is the clear message that we have
gotten from a great many companies in this area.
Senator Franken. Thank you.
Senator Whitehouse. Senator Coons.
Senator Coons. Thank you, Senator Whitehouse. And I must
say, as I read the background of the briefing in the materials
in preparation for today's hearing, I initially thought I must
be mistaken that the murkiness of the legal field--it was the
last memo I read before falling asleep last night. I thought it
was my error. It is a truly unclear and unresolved legal
landscape in the balance between Fourth Amendment interests and
privacy rights between the law enforcement and the commercial.
We have here a statute that has truly been exceeded by
developments in technology over the last decade and more. And I
am concerned about the uncertainty for law enforcement, for
companies, for individuals in their privacy rights, and the
interests of law enforcement.
One comment, if I might, in opening and follow-up to what
Senator Grassley said. The only concern for law enforcement, I
think, is not just speed. It is also efficacy. The county
police department over which I had responsibility before this,
we could kick down doors, arrest people, haul them out, but if
it was not done in a way that was legally sound, if the
evidence was not gathered in a legally sound way, then lots of
the investigation and the prosecution ultimately would be
wasted. And the uncertainty of the legal standards under which
you are proceeding with investigations and prosecutions here I
think puts law enforcement equally at risk as the possibility
of raising the standards in a way that would slow down law
enforcement. Law enforcement needs to be both swift and certain
and done in a way that protects the privacy rights that make
America a unique place.
I would like to follow up on some of the questions Senator
Franken was asking about the tensions between consumer
interests and privacy rights.
Mr. Kerry, how do the U.S. protections for stored
communications, data, and documents, particularly those stored
in the cloud--we were talking about the tension between paper
records, internal records, and those that are electronic but
offsite. How does this compare with protections abroad? What is
the status of the EU Data Privacy Directive? And how do our
protections compare around the world given that many companies
now are truly global in terms of the communications and the
documents?
Mr. Kerry. Thank you, Senator Coons. As a general matter,
certainly as it is perceived, the European protections under
the European Data Privacy Directive are more extensive,
certainly more prescriptive than those under the United States
regime. Part of that is because there is no comprehensive
protection in the United States; so we have some very strong
sectoral regimes, we have strong common law, FTC protections,
but there are gaps.
So part of our effort is to fill those gaps. That is a
major reason for the administration's endorsement of baseline
privacy protection. It is a key ingredient in cloud computing
and data, the free flow of data as an instrument of trade and
of economic growth. We have seen over the past years, the past
couple of years, that the digital sector, the information
economy, is leading the way out of the recession. It is a key
component of our economic growth, so we need to take steps
internationally to align our privacy law with consumer
expectations. That is the effort on the data privacy front. I
think it is an appropriate effort under ECPA.
Senator Coons. Thank you, Mr. Kerry.
Mr. Baker, your written testimony argued current
protections for communications stored longer than 180 days
make sense because analogous paper records can be accessed
with just a subpoena. Are stored e-mail communications really
analogous to records accessible with a subpoena? And how do you
make that analogy?
Mr. Baker. I guess we make the analogy based upon where you
are storing them, with whom, for how long, and so on. So in the
paper world, if you store your records with someone else,
depending upon a lot of facts and circumstances, so we can go
into that if you want, but we can go and we can use a grand
jury subpoena, for example, go to that third party, deliver the
subpoena, and demand the records. Even somebody's personal
records that they maintain in their own house, we can go with a
grand jury subpoena and ask for those records. There may be
some other issues there in terms of them producing them, but
the basic idea is we can subpoena records when they are in the
hands of either yourself or third parties if we do not want to
use a warrant.
Senator Coons. And at what point does the standard rise to
requiring a warrant?
Mr. Baker. Well, if we are going to intrude on a protected
privacy interest, so if we want to go--if we do not think you
are going to produce the documents from your house, we want to
go in your house and take them, we get a warrant that
authorizes us to do that. If we thought that a third party even
would pose a threat or might destroy the records, something
like that, we would go and get a warrant and take them from the
third party.
Senator Coons. And given the dramatic developments in the
last decade in terms of the capacity for storage for e-mail--I
think none of us 20 years ago had years of stored e-mail just
sitting out there somewhere--how do you measure emerging
privacy standards and how do we strike an appropriate balance
in the law enforcement context?
Mr. Baker. Well, I think for us our obligation on that last
part is to come up and explain to you what we think the
proposed changes would have on our ability to do our jobs. I
think that is what we need to do.
I think it is difficult and I think courts are struggling
with actually understanding what people's personal subjective
expectations of privacy are because in some circumstances
people want to share a lot of data with others in the world.
But the question under the Fourth Amendment is not only what do
they subjectively think, but what objectively is a reasonable
expectation of privacy. And that is what I think Congress is
going to struggle with over the next period of time to
understand that and try to deduce that.
I think it is hard to understand, though. I think it is
hard to actually figure out what people's reasonable
conceptions of privacy are today.
Senator Coons. And I do think----
Senator Whitehouse. Senator Blumenthal.
Senator Blumenthal. Thank you, Mr. Chairman.
I want to focus on the area of potential legislation that
you have identified as No. 6 in your testimony, Mr. Baker,
restricting disclosures of personal information by service
providers, that is, the commercial disclosure of information,
sharing, exchanging, selling information, where I think a lot
of consumers are most directly impacted. We can debate in this
Committee hearing the standards that ought to apply to
disclosure by service providers to the Government, but as we
have seen in the security breach that occurred, reported just
recently occurred sometime in the past with Epsilon, literally
millions of consumers are now going to be at risk of phishing,
potential identity theft as a result of the breach of security
concerning Epsilon that has received information from some of
the major retailers around the country. And both as to content
and non-content information, I think there is a significant
privacy interest at stake here, as you very correctly
identified in your testimony. And, in fact, I have asked the
Attorney General of the United States to begin an
investigation. I sent him a letter yesterday concerning the
Epsilon breach, and I would like to emphasize to you now how
concerning I believe this breach is. I have asked for this
investigation literally within the last 24 hours, so I am not
going to ask you for a response here on behalf of the
Department. But I believe that it is extraordinarily important
for the Department of Justice to indicate its interest in this
area.
I would like to ask in my question to you whether you
believe that there is a need for more explicit restrictions.
You say there are none now in the legislation concerning
disclosure, sharing, exchange of this kind of information,
whether you believe this is an appropriate topic for us to
legislate on in reforming ECPA.
Mr. Baker. Thank you, Senator. Obviously, as the statement
reflects, we certainly think it is an area--we agree--I mean,
the Commerce Department agrees that this is an area that we
should look at. How you exactly change the rules, if at all, is
another matter, but it is an area that a number of people have
raised, and so it seems to be a legitimate area of inquiry.
Obviously, if people want to share information voluntarily
for whatever purpose, they are free to do so. That is clear.
And I do not think anybody is talking about trying to restrict
people's ability to voluntarily share information to take
advantage of all these amazing technologies that are out there
for a whole range of different purposes. But the question is:
To what extent should the companies be able to share that
information consistent with their obligations to their
customers? And should law enforcement be in a different
position with respect to such data than private sector entities
are? Maybe they should be. Maybe they should not be. But at
least the key thing is to understand that.
One quick final point. With a lot of this data, as Mr.
Kerry said, people are very concerned about their privacy. We
understand it. And as you reference, they are also concerned
about their security, the security of all this data that is out
there. And the more data you share and the more data third
parties have, the more data, you know, that is subject to the
kinds of cybersecurity threats that Senator Whitehouse was
referencing.
Senator Blumenthal. Well, let me ask you very directly. If
there were a requirement, for example, carrying out the policy
that you have just articulated so well that people ought to be
given the choice whether to share data or not, that Best Buy or
L.L. Bean should be required to get a consumer's consent before
they share that information, law enforcement would be impacted
in absolutely no way.
Mr. Baker. Well, I think if they agree to it--and I believe
that in many circumstances they do agree to it. When you accept
the terms of service, when you click ``I agree'' after you read
or at least see these long statements that are out there, that
is a legally binding contract, and so----
Senator Blumenthal. Well, sometimes they do and sometimes
they do not. But my question to you really is separate and
apart from what the means of consent might be. It is whether
law enforcement would have an interest or would be impacted--in
other words, to put it more directly, I would posit the theory
that the law enforcement of and the protection and security of
the United States of America would not be impacted if L.L. Bean
or Best Buy would be required to have a great big box requiring
consumer consent before they share or sell this information,
because it would not impact the standard that you would need to
go to a service provider and seek the same information. You are
in two separate realms of legal accountability.
Mr. Baker. I see what you are saying, Senator. Yes, I think
that is right. Obviously, we do investigate the kinds of crimes
that you are talking about, so we have an interest in what is
being shared and what information is out there and what
information we have to investigate the unlawful disclosure of.
But I think you are right. It at least puts us in no worse a
position, but in terms of looking at privacy and understanding
what the rules of the road are with respect to privacy, it is
at least a legitimate area of inquiry.
Senator Blumenthal. Thank you.
Senator Whitehouse. Senator Klobuchar.
Senator Klobuchar. Thank you very much, Mr. Chairman.
Thank you to both of you for joining us today to talk about
this important topic. As a former prosecutor, I see both sides:
the fundamental right to privacy, but also the way criminals
can try to take advantage of our respect for that privacy by
claiming communications are protected and by making it very
hard to get at things. So that is the way I look at this and
have had some interesting times in my past jobs trying to get
information.
I wanted to talk about, first of all, cloud computing. It
was raised by two other Senators, and I have been working in
the last 6 months on a bill with Senator Hatch that we are
going to put out shortly, and I wondered if you could talk, Mr.
Kerry, about how Commerce is looking at that as you look at
this bill and how you are going to work cloud computing into
ECPA as you move ahead.
Mr. Kerry. Thank you, Senator. We will be interested to
work with you on that bill.
The Obama administration has made cloud computing a
priority, and it is part of the technological initiatives that
Federal agencies have been directed under a Cloud First
Initiative to move toward cloud computing. It provides
important economic advantages of scalability, of efficiency,
which, as the digital economy leads the way to economic growth,
is an important driver of innovation, of economic growth, of
our ability to compete in the world and to outcompete and
outinnovate the rest of the world. So that is an important
driver here.
I spoke earlier--I do not recall whether you were here at
the time--about the concern among cloud computing companies
about leveling the playing field, about enabling them to
provide the same assurance of trust in both privacy and
security that their competitors have, both, you know, in the
United States and around the world. So aligning the law to
consumer privacy expectations is an important step toward that.
Senator Klobuchar. Very good.
Mr. Baker, what is the current law for data stored in the
cloud under the Privacy Act? And does the Justice Department
have any proposals for updating as it relates to that data?
Mr. Baker. Well, the law--it depends on a lot of different
facts and circumstances. In particular, it depends upon whether
the information is in transmission still or whether the
transmission has been completed and it has been received by the
intended recipient of the communication if you are talking
about communications data in the cloud. Obviously, you can
store non-communications data in the cloud as well--business
records and other things that corporations, for example, might
want to store with a third party, or individuals--photos,
things of this nature.
So I think the answer is it depends upon the kind of
communication that you are talking about, and I think different
rules would apply depending upon the amount of time that it has
been stored there, whether it is in transmission or not, things
of this nature. So it is a relatively complicated area.
Also, there is a key distinction in the law between content
and non-content, as we have been talking about, so if the
Government wants non-content information, one set of rules
applies. And if we want content information, a different set
applies.
Senator Klobuchar. Okay. In your testimony you explained
the difference between cell site location, cell phone tower
information, and GPS location information, and you mentioned
that some courts seem to confuse the two. Your testimony states
that since cell site information is much less precise than GPS
information, the burden for law enforcement should be lower to
obtain it.
It seems to me that the appropriate burden on law
enforcement depends heavily on the precision of the
information. I was hoping you could clarify just how precise
the cell site information is. I have had some experiences with
this before when I was a prosecutor, and I know that it gives a
location within a cell tower's area and can often be as precise
as giving location within a cell sector. But how precise is it
in real-world terms?
Mr. Baker. So my understanding is that--again, we are
talking about a cell site, so one tower, and then that is
divided up into sectors. And so if the company has the
information and it is available, it can identify it with
respect to the particular sector. As I mentioned earlier, it
depends upon whether you are in a rural area, a suburban area,
or certain urban areas. And the ranges that I have seen have
been from 5 miles, so it ``pinpoints'' you within 5 miles of
where you are, to 1 to 2 miles as you get into a more heavily
populated area, to up to 100 yards. So that is the lowest
amount that I have seen, 100 yards.
A key thing also that I would suggest the Committee should
think about is not only the precision but also the issue with
respect to the voluntariness of the sharing of that
information. So generally speaking, it is information that when
you move around or when you have a communication, when you move
around through certain sectors and certain areas, or when you
have a communication, when you initiate a communication, that
is when this data is obtained. And so at least in our minds, it
does bear similarities to the type of pen register information
that you collect when you are at your home in your private
residence and you decide to make a phone call and you reveal
something about where you are at that date and time.
Senator Klobuchar. Okay. Thank you very much.
Senator Whitehouse. Before we conclude, I see Senator
Blumenthal is still here. Would you like to do a second round?
Senator Blumenthal. I would, Mr. Chairman. I wonder if you
would like----
Senator Whitehouse. No, why don't you proceed? I have to be
here anyway, so I will wrap up.
Senator Blumenthal. Thank you, Mr. Chairman. And thank you
again for your testimony.
I would like to pursue some of the areas that we began
discussing relating to the consent provisions and the need and
advisability perhaps of restrictions. In your testimony, Mr.
Baker, you say there are no explicit restrictions on a provider
disclosing non-content information. Are there any restrictions,
in your view?
Mr. Baker. Well, one thing that comes to mind is the kinds
of documents that we were talking about earlier, so you could
have a contractual limitation that the provider agrees to when
you agree to engage in that service. So that is one off the top
of my head.
Senator Blumenthal. I am sorry. When I asked the question,
I should have said that your testimony says that ECPA contains
no explicit restrictions, and I assume from your answer that
that kind of contractual provision is not in ECPA.
Mr. Baker. That is correct. That is correct. As we
discussed earlier, I think with Senator Franken, there are
other parts of law that restrict other entities from disclosing
certain types of data that is comparable at least, so there are
other parts of law that affect that. But when we are talking
about ECPA, there is no explicit limitation.
Senator Blumenthal. And in your view, are those protections
sufficient right now? Or should we consider it as part of this
process? I know that you have suggested it may be appropriate,
but given the administration's interest in privacy for
consumers, would that be an appropriate area?
Mr. Baker. Let me just first correct what I said. When I
say there are no limitations, that is on the non-content
information, so just to be clear about that.
The administration does not have a position yet on the
exact answer to this question, but we can see that it is a
legitimate question to ask. And so that is what we--you hear
this all the time, but we are happy to work with you to try to
figure out what the answer is here and whether additional
protections are appropriate, required--again, with trying to
get the balance right between all these different interests
that we are trying to achieve--privacy, innovation, and
security.
Senator Blumenthal. Well, I would welcome and I do welcome
that willingness to work together. And I wonder whether there
is a task force or a working group within the administration
that is focusing on this issue, as often there is on matters of
policy like this one.
Mr. Kerry. Senator Blumenthal, in fact, there is. There is
a Subcommittee of the National Science and Technology Council,
which I co-chair with Assistant Attorney General Christopher
Schroeder of the Office of Legal Policy, that is carrying
forward the work to define what a privacy bill of rights should
contain. We are actively at work on that, digesting the
comments that we have received on the Commerce Department Green
Paper and moving as quickly as we can to an administration
white paper that would flesh out these questions and deal with
a broad set of issues about commercial data privacy.
Senator Blumenthal. And I know that the President has
talked about a privacy bill of rights, which can mean a lot of
things to a lot of different people. But I would just suggest--
and I would be eager to work with you--that it should encompass
this area which is so vitally important to consumers and
individuals who may have no idea that very private information
has been shared or sold by entities with which they are doing
business.
Mr. Kerry. Thank you, Senator. We are hard at work, and I
assure you that that is one of the topics we are working on.
Senator Blumenthal. Thank you.
Thank you, Mr. Chairman.
Senator Whitehouse. Thank you, Senator Blumenthal.
Let me close first by thanking both of you for your service
and for your work on this issue. I think the testimony today
has made clear that there is a lot of work to be done, not only
on our side but also on the administration's side in arriving
at positions, which I assume you consider to be an important
part of the equation here. I do not know if it is your position
that you are going to raise issues and we are going to resolve
them all here without the administration ever taking a position
or if this is an area in which you think the administration
should take a position, but I am going to assume the latter and
hope that to be true.
With respect to the issue of cybersecurity, I am interested
in any information that either of you might be able to provide
about the timing of the conclusion of the interagency process,
and the background to this question is that really I want to
say over a year ago the Senate Commerce Committee completed its
work, led by Chairman Rockefeller and Senator Snowe, who both
also serve on the Intelligence Committee. Homeland Security I
think also about a year ago completed its work. I believe it
has been nearly a year since, with Senator Mikulski and Senator
Snowe, I wrote the Intelligence Committee Cyber Security Task
Force report. And in order to proceed to repairing the gaps in
our National cyber security, we need to close on this issue.
And it is very hard where there are discrepancies between where
one Committee or another wants to go to resolve those
discrepancies without a position being taken by the
administration. And given the fact that the interagency process
appears to have taken over a year at this point and that during
that time the discussions back and forth between the executive
and legislative branch have been reduced to, as best I can
tell, zero but, in any event, very, very slender channels of
communication, I think it is really important that we begin to
open that up so that we can begin to legislate in this area and
do so in a meaningful way.
The folks who are attacking us are not waiting. I was
visiting with a CEO of an American energy company that
announced a new product on the media, and within the first 2
hours of that announcement, the CEO's personal e-mail had been
attacked 60,000 times. And, clearly, there are forces outside
this country who want nothing more than to siphon up all of our
intellectual property that they can so that they can compete
with us using our own knowledge against us, without paying for
it, without licensing agreements, without any of the sort of
accoutrements of rule of law in this area. And I would not be
surprised if the number in terms of the loss to the U.S.
economy is in the trillions at this point. And it is constant.
It is thousands of attacks a minute, not thousands of attacks a
day.
And so when that is the timeframe of the attack, to spend a
year in an interagency process and shut down the engagement
necessary between the executive and legislative branches for
that period before we can go forward I think is a necessary
process, but it is one that is not without peril, and it is one
that is not without cost.
So the sooner we can bring it to its conclusion, the better
off we will be as a country, and the safer we will be. So I
hope very much you can provide some insight into when you think
we might begin to re-engage on the cyber security bill, and
even if the interagency process is not concluded to its last
final comma and period, at least it will be sufficiently
through its path that the administration feels that it can
begin to re-engage with us.
What can you tell me about that?
Mr. Kerry. Well, Senator Whitehouse, thank you. It is an
urgent process. I can tell you that that interagency process is
winding up. Both Mr. Baker and I have participated in a number
of deputies Committee meetings to resolve some of the top-line
issues. The rest of more detailed proposals are now in the
final processes of circulating interagency. So I do not want to
put a date on it, particularly with the prospect of a
Government shutdown looming. But, you know, I think we are very
close, a matter of some weeks away from being able to share
proposals with Congress.
Senator Whitehouse. I had not thought of it in the context
of the Government shutdown, but I guess you are right. Pretty
significant national security cost to precipitate with a
Government shutdown.
Mr. Kerry. I think so.
Senator Whitehouse. Mr. Baker, anything to add?
Mr. Baker. I am not sure exactly when the process will be
finished. We have made substantial progress in the past period
of time. As you know well, these are very difficult issues.
They raise a lot of the same kinds of issues that we talked
about today in terms of security in a different context, but
security, privacy, innovation, all of these things are front
and center in the cyber security debate.
I agree with your assessment of the threat. It is very
grave. We need to move forward as expeditiously as possible.
These are difficult issues to work our way through, and so we
are doing that. And I would say that we have made substantial
progress in at least teeing up a lot of these issues for
decisionmakers to make a call on. So I think there is a lot of
work that has been done.
You may not feel as though it is a communication. I can
tell you that from our end it feels like you are shouting with
a bullhorn. So we have heard you that you want us to come up
with proposals quickly. I am referring to the whole Congress.
We get that message loud and clear, and so we are doing our
homework and doing what we need to do on our end so that we can
have something that is an administration position to come back
to you with.
Senator Whitehouse. For sure it will be this year, will it
not?
Mr. Baker. I beg your pardon, Senator?
Senator Whitehouse. It will be for sure within this year,
will it not?
Mr. Baker. I am not going to sit and swear to you in front
of the United States Congress----
Senator Whitehouse. You are not under oath.
Mr. Baker. Yes, okay.
[Laughter.]
Senator Whitehouse. I am asking for your assessment of--I
mean, realistically.
Mr. Baker. Realistically, I think yes. Yes.
Senator Whitehouse. Okay, good. Because I think it is
important that we take up a cyber security bill this year and
begin to move to repair some of the very wide open
vulnerabilities that we have that are being exploited to vast
effect by our economic rivals and our National security
adversaries.
Let me close----
Mr. Kerry. And I would second that view, Mr. Chairman, for
what it is worth.
Senator Whitehouse. Yes, thank you. Let me close by saying
that I really appreciate Chairman Leahy having called this
hearing. Many years ago he was involved very deeply in the
drafting of the original ECPA proposal. I think that the
principles that he brought to that debate and the determination
with which he sought through to a conclusion are lasting ones
that should continue to inform what we do going forward and
inspire us as we make these corrections.
What has changed in the meantime has nothing to do with
those principles or with his personal determination to achieve
the right balance, but the landscape itself has changed as
technology has changed. And surfaces that used to be in shadow
are now in sunlight; surfaces that used to be in sunlight are
now in shadow. We have to adapt to those changes, but I do
believe that we can bring the same principles and the same
desire for a sensible balance and the same determination that
Chairman Leahy showed when he originally did it, and I think
that will see us in good stead as we work through the updates
that intervening events have precipitated.
So I look forward to working with you on that. Thank you
very much for your testimony here today and for your work going
forward. We will keep the hearing open for an additional week
in the event that anybody wishes to add anything to the
record--we will keep the record of the hearing open for an
additional week. We are not going to keep the hearing open for
an additional week.
The hearing is adjourned. Thank you.
[Whereupon, at 11:29 a.m., the Committee was adjourned.]
[Questions and answers and submission for the record
follow.]