[Senate Hearing 112-130]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 112-130

 THE ELECTRONIC COMMUNICATIONS PRIVACY ACT: GOVERNMENT PERSPECTIVES ON 
                 PROTECTING PRIVACY IN THE DIGITAL AGE

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 6, 2011

                               __________

                          Serial No. J-112-14

                               __________

         Printed for the use of the Committee on the Judiciary





                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
70-856 PDF                WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001





                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York              JON KYL, Arizona
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island     LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
AL FRANKEN, Minnesota                MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware       TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
            Bruce A. Cohen, Chief Counsel and Staff Director
        Kolan Davis, Republican Chief Counsel and Staff Director










                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Grassley, Hon. Chuck, a U.S. Senator from the State of Iowa......     2
    prepared statement...........................................    48
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont.     1
    prepared statement...........................................    62

                               WITNESSES

Baker, James A., Associate Deputy Attorney General, U.S. 
  Department of Justice, Washington, DC..........................     5
Kerry, Cameron F., General Counsel, U.S. Department of Commerce, 
  Washington, DC.................................................     3

                         QUESTIONS AND ANSWERS

Responses of James A. Baker to questions submitted by Senators 
  Franken and Leahy..............................................    25
Responses of Cameron F. Kerry to questions submitted by Senator 
  Leahy..........................................................    32

                       SUBMISSIONS FOR THE RECORD

Baker, James A., Associate Deputy Attorney General, U.S. 
  Department of Justice, Washington, DC, statement...............    36
Kerry, Cameron F., General Counsel, U.S. Department of Commerce, 
  Washington, DC, statement......................................    51
Tech Freedom; Competitive Enterprise Institute; Americans for Tax 
  Reform's Digital Liberty Project; Freedom Works; Campaign for 
  Liberty; Washington Policy Center; Liberty Coalition; Center 
  for Financial Privacy and Human Rights and Less Goverment, 
  April 6, 2011, joint letter....................................    64

 
 THE ELECTRONIC COMMUNICATIONS PRIVACY ACT: GOVERNMENT PERSPECTIVES ON 
                 PROTECTING PRIVACY IN THE DIGITAL AGE

                              ----------                              


                        WEDNESDAY, APRIL 6, 2011

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:08 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Patrick J. 
Leahy, Chairman of the Committee, presiding.
    Present: Senators Leahy, Whitehouse, Klobuchar, Franken, 
Coons, Blumenthal, and Grassley.

OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM 
                      THE STATE OF VERMONT

    Chairman Leahy. Good morning. Today the Committee will hold 
a timely and I think important hearing on the Federal 
Government's use of the Electronic Communications Privacy Act, 
or ECPA, as we know it. It is one of the Nation's premier 
digital privacy laws. ECPA has been a bridge between what are, 
of course, legitimate law enforcement needs but also the 
equally legitimate privacy rights of Americans. When the 
Committee held its first hearing on ECPA reform last September, 
I said that while there is general agreement that ECPA has 
become outdated by vast technological advances and changing law 
enforcement missions since the law's initial enactment, the 
question of how best to update this law has no simple answer. 
We know it has to be updated. The difficult part is exactly how 
do we do it.
    Congress is considering many different approaches to ECPA 
reform, but I think there should be a few core principles to 
guide our work. Meaningful ECPA reform must carefully balance 
privacy rights, public safety, and security. Reforms must also 
encourage American innovation, and they have got to instill 
confidence in American consumers, law enforcement, and the 
business community. All these principles we should agree on. It 
is how best to do it.
    For many years, ECPA has provided vital tools to law 
enforcement to investigate crime and to keep us safe. At the 
same time, the law has been crucial to safeguarding Americans' 
digital privacy rights. I know. I was one of the ones who 
helped write this bill. With the explosion, though, of cloud 
computing, social networking sites, and other new technologies, 
determining how best to bring this privacy law into the Digital 
Age is going to be one of Congress' greatest challenges.
    While still a useful tool for our Government today, ECPA is 
a law that is hampered by conflicting standards that cause 
confusion for law enforcement, the business community, and 
American consumers alike. For example, just to put it right 
down in the concrete, a single e-mail could be subject to as 
many as four different levels of privacy protections under 
ECPA, depending on where it is stored and when it is sent. 
There are also no clear standards under that law for how and 
under what circumstances the Government can access cell phone 
or other mobile location information when investigating crime 
or national security matters. And on that, it is a much 
different era than when I was first in law enforcement where, 
if police had legitimate rights and legitimate--reasons, 
rather, to get into a phone conversation, they would have their 
warrant, and they basically went and clipped on to some wires 
in one particular area. That is not the situation today, and, 
of course, it becomes even more aggravated in national security 
matters.
    So we are having this hearing so we can examine how these 
and other shortcomings impact the Government's ability to fight 
crime and protect national security. We will also examine the 
Government's views about various proposals being considered by 
Congress to update this privacy law.
    We are going to hear from the General Counsel of the 
Department of Commerce, who has unique insights into the impact 
of ECPA on American innovation, but also the views of the 
Department of Justice, which relies upon ECPA to carry out its 
vital law enforcement and national security duties. So I am 
glad both are here, and I will yield to my good friend from 
Iowa, the Ranking Member of this Committee, Senator Grassley.

STATEMENT OF HON. CHUCK GRASSLEY, A U.S. SENATOR FROM THE STATE 
                            OF IOWA

    Senator Grassley. Thank you, Chairman Leahy. This hearing 
provides us an opportunity to hear the Government's view on the 
need to reform this law.
    At our 2010 hearing the Departments of Justice and Commerce 
both testified about the need for our laws to keep pace with 
technological developments. Both witnesses agreed that 
technology has changed significantly since the law was passed 
in 1986, but neither witness offered proposals. The hearing 
focused largely upon changes sought by private sector 
businesses and interest groups that have formed a coalition to 
reform the law.
    We in Congress need to work to ensure that our laws are up 
to date and do not negatively impact business innovation. We 
also need to address legitimate privacy concerns.
    We need to hear from the law enforcement community to 
ensure that we do not limit their ability to obtain information 
necessary to catch criminals and terrorists who use electronic 
communications. This statute, just like the PATRIOT Act, has 
specific meanings and definitions, and any amendment requires 
careful consideration to ensure that we do not create loopholes 
that make it harder for law enforcement to do their job.
    Today we have an opportunity to follow up with both of 
those departments. No legislative proposal has been put forward 
by the administration. Instead, the witnesses, it seems to me, 
will point out areas where changes could be made to bring 
clarity to the law.
    I hope the Department of Justice changes what they view 
will be brought forward and what they feel will harm 
investigations. I also want to hear what Commerce has to say 
about changes that they feel are necessary to ensure that we 
remain competitive and how reforming our privacy laws could 
enhance business.
    That said, there is clearly a tension between the two 
points, and that was how we arrived at the current law, a 
carefully crafted compromise. The 1986 statute struck a balance 
then between privacy and law enforcement. Replicating that 
balance will be the key to any possibility of being successful 
on proposed legislation.
    I will put the rest of my statement in the record.
    [The prepared statement of Senator Grassley appears as a 
submission for the record.]
    Chairman Leahy. Thank you very much.
    Our first witness will be Mr. Cameron Kerry. He is the 
General Counsel of the Department of Commerce. He serves as the 
Department's chief legal officer, chief ethics, officer, and is 
Chair of the Department of Commerce Privacy Council. He has 
been a leader on work across the U.S. Government on patent 
reform and intellectual property issues and privacy security 
and efforts against transnational bribery. Previously he was a 
partner at Mintz Levin, a national law firm. In over 30 years 
of practice--and I might note personally I think I have known 
you for most of the 30 years of that practice--he has been a 
communications lawyer and litigator in a range of areas, 
including telecommunications, environmental law, toxic torts, 
privacy, and insurance regulation. He is a graduate of Harvard 
College and earned his law degree at the Boston College School 
of Law.
    Mr. Kerry, we will put your full statement in the record, 
but please go ahead, and then we will hear from Mr. Baker, and 
then we will go to questions.

   STATEMENT OF HON. CAMERON F. KERRY, GENERAL COUNSEL, U.S. 
             DEPARTMENT OF COMMERCE, WASHINGTON, DC

    Mr. Kerry. Mr. Chairman, thank you and good morning. Mr. 
Chairman, Ranking Member Grassley, and members of the 
Committee, I am pleased to be joining you again to discuss 
updating the Electronic Communications Privacy Act of 1986.
    I am here today to say that the administration fully 
understands and supports the Committee's rationale for 
reexamining this statute, and I am here to offer to you two 
recommendations.
    The first is that there should be a principled relationship 
between the legal protections and the procedures that apply to 
law enforcement access to electronic information and the legal 
protections and procedures for comparable materials in the 
physical world. What those protections and procedures should be 
should be determined by reference to a number of factors, 
including the privacy expectations of the parties involved, who 
has access to or control of the information, and the reasonable 
needs of law enforcement and national security.
    The second is that the legal protection afforded to 
electronic content should not turn simply on factors that are 
disconnected from reasonable privacy interests of ordinary 
citizens.
    As the Chairman and as other members of the Committee 
observed when we were here last September, one may question 
whether the Stored Communications Act's 180-day rule, the 
notion that privacy protection accorded to an electronic 
message could change 180 days after it is sent, should 
continue. If Congress wants to revisit this issue, the 
appropriate level of privacy protection once again should turn 
on an assessment of other factors, including the expectation of 
privacy of the parties to the communication, the mode of 
communication used in connection with the content, and who 
controls it, and, again, of course, the interests of law 
enforcement and national security.
    Since we were here in September, the Department of Commerce 
has been at work on a commercial data privacy framework to meet 
the needs of the 21st century information economy. When we were 
here in September, we told you that even though we had not 
asked about ECPA, a number of industry players came to us and 
volunteered concerns about the statute.
    Last December, we published a green paper that is included 
with my written testimony, which included the recommendation 
that, in light of changes in technology and changes in market 
condition, the administration should review ECPA with a view to 
assessing privacy protections in cloud computing and location-
based services. That is a process which we are conducting. It 
is under with the Department of Justice and other 
administration colleagues.
    In response to the green paper, we have received further 
comments from industry and from consumer groups. All of these 
endorsed updating ECPA. So I would be happy to provide the 
Committee with a summary of those comments and what they had to 
say about the impact of ECPA in light of new technologies, the 
uncertainties and emerging gaps in privacy protection.
    There is another reason why this ongoing examination of 
ECPA is timely, which I discussed in my written testimony, and 
that is court decisions in recent years that have injected 
uncertainty on the standards and the privacy protections in 
emerging technologies.
    So, Mr. Chairman, as you and members of the Committee 
proceed with what you have said is a difficult, challenging 
process of striking a new balance, we stand ready to work with 
you, and now I stand ready to respond to your questions.
    Thank you.
    [The prepared statement of Mr. Kerry appears as a 
submission for the record.]
    Chairman Leahy. Thank you, Mr. Kerry.
    I may note that in 37 years--I do not even want to think 
about how many thousands of hearings I have either attended or 
presided over. I think this is the first time I have had 
somebody give their testimony from an electronic pad, and so 
I----
    Mr. Kerry. I am an early adopter, Mr. Chairman. We try to 
stay on top of technology.
    Chairman Leahy. I have seen that, and I appreciate that 
very much. I do not use my old Selectric typewriter as much as 
I used to.
    [Laughter.]
    Chairman Leahy. That is a joke. I actually found one in a 
closet at home the other day. I do not whether to give it to 
the Smithsonian.
    Our next witness, James Baker, is the Associate Deputy 
Attorney General at the U.S. Department of Justice. He has 
worked extensively on all aspects of national security policy 
and investigations. He has been an official at the U.S. 
Department of Justice for nearly two decades, well respected by 
this Committee and by me for his work. He has provided the 
United States intelligence community legal and policy advice 
for many years. In 2006, he received the George H.W. Bush Award 
for Excellence in Counterterrorism, the CIA's highest award for 
counterterrorism achievements.
    I am well aware of the background of that award, and it was 
justly and honorably deserved.
    Mr. Baker also taught at Harvard Law School, served as 
resident fellow at Harvard University's Institute of Policy.
    Mr. Baker, please go ahead, sir.

  STATEMENT OF HON. JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY 
      GENERAL, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. Baker. Good morning, Mr. Chairman, Ranking Member 
Grassley, and members of the Committee. Thank you for the 
opportunity to testify on behalf of the Department of Justice 
here today regarding ECPA, and here with my colleague, Mr. 
Kerry, from the Department of Commerce.
    As you know, ECPA, which includes the Stored Communications 
Act and the pen register statute, is part of a set of laws that 
controls the collection and disclosure of both content and non-
content information related to electronic communications, as 
well as content that has been stored remotely. These laws serve 
two functions, as folks have mentioned today. They are critical 
tools for law enforcement, national security, and cyber 
security activities, and they are essential for protecting the 
privacy interests of all Americans.
    ECPA has never been more important than it is now. Because 
many criminals, terrorists, and spies use telephones or the 
Internet, electronic evidence obtained pursuant to ECPA is now 
critical in prosecuting cases involving a wide range of crimes, 
including terrorism, espionage, and violent crimes.
    ECPA has three key components that regulate the disclosure 
of certain communications and related data. The first prohibits 
unlawful access to stored communications; The second regulates 
voluntary disclosures by network service providers of customer 
communications and records, both to Government and to non-
governmental entities; and the third regulates Government 
access to stored communications and provides procedures for law 
enforcement officers to follow to compel disclosure of stored 
communications and related data. ECPA, as you know, was 
originally enacted in 1986, but it has been amended repeatedly 
since then, especially with substantial revisions in 1994 and 
in 2001.
    Mr. Chairman, the Department of Justice is charged with the 
responsibility of enforcing the laws, safeguarding the 
constitutional rights of Americans, and protecting the national 
security of the United States. As such, we welcome these 
hearings on this very important topic. We appreciate the 
concerns that some in Congress, the courts, and the public have 
expressed about ECPA, and we know that some believe that ECPA 
has not kept pace with technological changes or the way that 
people today communicate and store records, notwithstanding the 
fact that ECPA has been amended several times, as I just 
mentioned. We respect those concerns, and we appreciate the 
opportunity to discuss them here today. We also applaud your 
efforts to undertake a renewed examination of whether the 
current statutory scheme appropriately accommodates such 
concerns and adequately protects privacy while at the same time 
fostering innovation and economic development. It is legitimate 
to have a discussion about our present conceptions of privacy, 
about judicially supervised tools the Government needs to 
conduct vital law enforcement and national security 
investigations, and how our statutes should accommodate both. 
For example, we appreciate that there are concerns regarding 
ECPA's treatment of stored communications--in particular, the 
rule that the Government may use lawful process short of a 
warrant to obtain the content of e-mails that are stored for 
more than 180 days. And we are ready and willing to engage in a 
robust discussion of these matters to ensure that the law 
continues to provide appropriate protections for the privacy 
and civil liberties of Americans as technology develops.
    As we engage in that discussion, as several have referenced 
this morning, what we must not do--either intentionally or 
unintentionally--is unnecessarily hinder the Government's 
ability to effectively and efficiently enforce the criminal law 
and protect national security. The Government's ability to 
access, review, analyze, and act promptly upon the 
communications of criminals that we lawfully acquire, as well 
as data pertaining to such communications, is vital to our 
mission to protect the public from terrorists, spies, organized 
criminals, kidnappers, and other malicious actors. At the 
Department of Justice, we are prepared to consider reasonable 
proposals to update the statute--and indeed, as set forth in my 
written statement for the record, we have a few of our own to 
suggest--provided that they do not compromise our ability to 
protect the public from the real threats that we face.
    In closing, Mr. Chairman, it is important to note that ECPA 
protects privacy in another way as well. By authorizing law 
enforcement officers to obtain evidence from communication 
providers, ECPA enables the Government to investigate and 
prosecute hackers, identity thieves, and other online 
criminals. Pursuant to ECPA, the Government obtains evidence 
critical to our ability to prosecute these privacy-related 
crimes.
    Mr. Chairman and members of the Committee, ECPA is an 
important topic, and I look forward to taking your questions 
here today, and I would ask that my written statement be 
submitted as part of the record.
    Chairman Leahy. It will be made part of the record.
    Mr. Baker. Thank you, Mr. Chairman.
    [The prepared statement of Mr. Baker appears as a 
submission for the record.]
    Chairman Leahy. I was struck when you said you are willing 
to consider proposals we might have, and, of course, the fact 
is if we do not have proposals as we go forward, then we stay 
with the law the way it is, and I do not think anybody would 
find that best. So it is a case where this is not just let us 
consider what Congress thinks. The fact is either Congress acts 
or you are stuck with the old law.
    Mr. Kerry, I was pleased to learn the Commerce Department 
and the Justice Department are working together to consider 
potential updates to ECPA, so we would welcome any feedback. 
Can you give us a short summary of the progress of this 
partnership to date? Then I am going to ask the same question 
of Mr. Baker.
    Mr. Kerry. Well, we have been in active discussions really 
through the year to try to deal with proposals to update and 
re-strike the balance. The written testimony that you have from 
each of us is a reflection of some of the direction that that 
has taken. We are certainly prepared to put our shoulders to 
the wheel with the Committee. I think the process of you, 
Senator, and the Committee holding our feet to the fire and 
developing this testimony has helped to advance the 
discussions, and I think we are in a position to move forward 
in a concrete way.
    Chairman Leahy. Well, I would like to see the 
administration recommendations because, as I said, sometimes I 
find that inertia sometimes gets the greatest bipartisan 
support on the Hill, but I would like to see us move forward.
    So, Mr. Baker, I would ask you the same question: How is 
this work with Commerce going?
    Mr. Baker. Yes, Senator, I agree with Mr. Kerry completely. 
We have been working on a whole range of issues related to 
surveillance, privacy, innovation, all of these issues. We have 
made, I think, substantial progress. I think the two statements 
together indicate that we have worked through a lot of issues. 
We actually got some concrete areas at least that we agree that 
we should focus on that are reflected in the statement. So I 
think that is significant progress.
    We have certainly been working at the Department of Justice 
on language that supports the proposals that we have put 
forward, or at least raised. We have not finished that work 
yet, even within the Department and with the interagency, so we 
have got some additional work to do in that regard. But we have 
made significant progress, Senator.
    Chairman Leahy. For an incentive, I think there is a 
willingness of Republicans and Democrats to work together on 
this because when I talk about the inertia, I do not find many 
people who want to just stick with the law the way it is. It is 
outdated from both a national security point of view, but from 
a privacy point of view, and we worked very, very hard on the 
first law to get that balance, realizing that technology 
changes and a lot of the things that we could consider at the 
time we wrote the law, that those of us who worked on it knew 
technology might change, but none of us could predict where and 
to what extent. Nobody knew about the cloud at that time, for 
example.
    Now, let me ask you a couple of specifics. Last year, the 
Court of Appeals for the Third Circuit held the Government 
could be required to obtain a search warrant before it could 
access an individual's cell phone location data. Under ECPA the 
Government can obtain cell phone location data by several 
different methods, including seeking a court order, but the 
statute does not specify whether the Government must always 
establish probable cause to get this order, as would be the 
case with a search warrant.
    What is the Department's view about the legal standard that 
should apply in order for the Government to access cell phone 
location information?
    Mr. Baker. Senator, just to clarify, when we speak about 
cell phone location information, there is a variety of 
different types that are potentially available. So there is the 
very precise GPS type of information that might be available 
that more pinpoints accuracy.
    Chairman Leahy. That is right.
    Mr. Baker. And then you have cell site location 
information, which it is increasingly more accurate in terms of 
determining where a cell phone is, but it still is not as 
precise as----
    Chairman Leahy. It just says that cell phone is next to 
this--that cell phone is within the area of this cell tower, 
but it could be----
    Mr. Baker. There is a range of----
    Chairman Leahy. Yes.
    Mr. Baker. Depending upon where you are, in a rural, 
suburban, or urban area, it depends. So it is key to understand 
that there are different technologies that exist with respect 
to cell phone location information.
    The Department's policy now is that if we want the GPS 
Information, we have to go get a warrant in order to obtain 
that. For the cell site location information, the less precise 
information, we have to still go get a court order, a variety 
of orders depending upon whether it is historical or 
prospective, but in any event, you still have to go to court 
and get an order, albeit under a lower standard than you have 
for a warrant.
    Chairman Leahy. Would it help to have some clarification 
specifically in this area?
    Mr. Baker. Well, we think that based on the Third Circuit 
case that--and we have suggested that it is definitely an area 
that is worth examining.
    Chairman Leahy. Well, let me ask you that, because we also 
have the D.C. Circuit. They vacated the life sentence of an 
individual who had been convicted, I believe it was in drugs, 
but he was--they had installed a global positioning device on 
his car to track him in connection, and they vacated it.
    Now, I understand the Department is considering appealing 
this case. Am I correct? Or are you aware of that?
    Mr. Baker. I do not think we have--I would have to check on 
that.
    It is being reviewed by the Department right now, Senator.
    Chairman Leahy. What is the legal standard to apply if you 
want to obtain information by using or installing a global 
positioning device? And does that change whether it is 
historical, as you had referred to earlier, or realtime?
    Mr. Baker. So just to make sure I understand, the device 
you are talking about is a device that is attached to a 
vehicle----
    Chairman Leahy. That is right.
    Mr. Baker [continuing]. As opposed to a communications 
device. So it is a little bit different in that sense.
    Chairman Leahy. A GPS device.
    Mr. Baker. It is a GPS, but it is not a cell phone, it is 
not a personal----
    Chairman Leahy. That is right. You are not talking----
    Mr. Baker. Correct.
    Chairman Leahy. It is simply a locator.
    Mr. Baker. So there have been a lot of rulings on these 
kinds of cases over the years, and I think, unfortunately, the 
answer depends on the facts of the case. And so it depends 
where you are when you install the device, and it depends what 
the device is attached to and where it goes. In circumstances 
in which it would go into an area that is protected by the 
Fourth Amendment, then you would have to get a warrant to 
continue to monitor the signals from that device. But to the 
extent that the device is attached in an unprotected area, in 
terms of the Fourth America, and then travels in areas that are 
not protected by the Fourth Amendment, then currently you would 
not need a warrant to obtain that information.
    Chairman Leahy. Thank you. And does it make a difference if 
it is historical information or realtime?
    Mr. Baker. I guess it would depend. I am thinking about the 
beeper. I mean, I guess if you had the beeper recording for a 
period of time and then downloaded the information, that would 
be historical. But I think the same rules that I just discussed 
would apply in that context since it is not a communication 
device.
    Chairman Leahy. Whether you put it on their garage or 
whether you put it on the----
    Mr. Baker. On the public street or something, where the car 
goes and so on, yes, all those factors are relevant to the 
analysis.
    Chairman Leahy. Thank you.
    Senator Grassley.
    Senator Grassley. I am going to start with Mr. Baker. This 
coalition that is promoting these changes wants to increase the 
standards to obtain non-content information through the--just a 
minute. I am on the wrong question. Just a minute.
    The coalition, a group of businesses and interest groups, 
as we know, supports a probable cause standard for obtaining 
all electronic communications regardless of its age, the 
location or storage facilities, or the provider's access to 
information. Do you support raising the legal standard for 
obtaining all electronic communications to a probable cause 
determination?
    Mr. Baker. Senator, I think that is the kind of concern 
that we have that I expressed in my statement, that we have to 
make sure--that the kinds of information we are talking about, 
especially when you come to non-content information, is 
critical for our ability to conduct investigations. And if we 
were to raise the standard with respect to some electronic 
communications, even content, it is going to have an impact on 
law enforcement investigations. We have to be mindful of that. 
We have to be thoughtful about that. And so whatever proposals 
come forward, we have to look at that in that light.
    Senator Grassley. Well, I think you just told me, and if 
you did not say this, say I interpreted you wrong. But my next 
question dealt with the probable cause determination, the 
effect on law enforcement. And you just told me it would be 
more difficult.
    Mr. Baker. It would be more difficult.
    Senator Grassley. Could this significant change also unduly 
burden the agencies and prosecutors and the courts?
    Mr. Baker. It would impact our--let me just stick with the 
location information that Senator Leahy was asking about. We 
use that information as sort of the basic building blocks of 
investigations. So an IP address, a cell phone piece of 
information, where you were when you placed a particular call, 
these are the kinds of information that we use to locate 
people, suspects, and also to investigate links between 
suspects. So we use it as sort of the basic building blocks, 
and we also use that kind of information to build our way 
toward obtaining probable cause. And so we need to be able to 
obtain a certain amount of information to work our way to the 
more intrusive types of techniques that we have available.
    Senator Grassley. Okay. It takes longer to prepare a 
2703(d) order application than a subpoena, and it takes longer 
to prepare a search warrant application than a 2703(d) order 
application. If you would agree with those two statements, is 
it fair to say that raising the standard will slow down a 
criminal investigation?
    Mr. Baker. I think it would have an impact along those 
lines, Senator, yes. It would consume more resources and 
require us to engage in more process. I think there is no doubt 
about that.
    Senator Grassley. And since time is a critical factor 
during a lot of criminal investigations and speed is essential, 
if Congress slows down the process, then this could have real-
life consequences, you know, particularly where human life is 
involved?
    Mr. Baker. Absolutely, Senator. As I said, whatever we do 
in this area, we need to get the balance right. We need to make 
sure that we achieve all the objectives that we want to 
achieve.
    Senator Grassley. Let me focus on the court for just a 
minute, and I referred to that just a couple questions ago. If 
all electronic communications, with emphasis upon ``all,'' 
required a search warrant, the courts would experience 
additional burdens as well, and these increased burdens on the 
court system would naturally increase the delays when 
investigating time-sensitive threats to human life. Would that 
be right?
    Mr. Baker. Senator, I expect there would be some additional 
burden on the court. I have worked with judges for many years, 
and they are always ready to take on whatever the Government 
brings to them. So I am not sure that they would say that it 
would burden them that much, but I think it is additional 
requirements that we would have to meet and have to go to a 
court to achieve.
    Senator Grassley. This coalition supports increasing the 
standard to obtain non-content information through pen register 
or trap-and-trace orders. They are pushing for a standard to be 
at least as strong as that required under an electronic 
communication 2703(d) order. They are further pushing for this 
increased standard to apply to e-mail addresses, instant 
messages, texts, Internet protocols, addresses of Internet 
sites.
    Currently does the legal process and authority for 
obtaining pen register information work well?
    Mr. Baker. For obtaining pen register information? I think 
our perspective would be that it does work well actually 
currently.
    Senator Grassley. And are you aware of any problems in 
using it?
    Mr. Baker. Using the pen registers?
    Senator Grassley. Yes.
    Mr. Baker. I think the answer is we are generally satisfied 
with the way the statute is now. There was a particular 
amendment in 2001 that was extremely helpful, so I think--with 
respect to all these, if I just may add, we are working through 
all these issues. I think everybody agrees that these are the 
significant issues to focus on. We do not have a cleared 
position from the administration yet on these proposals, but I 
think we have identified the concerns that we have.
    Senator Grassley. If I could just have three short 
questions here.
    Chairman Leahy. Go ahead.
    Senator Grassley. Then that will finish this point.
    Do you think the legal standard to obtain information 
through pen register or trap-and-trace orders would be 
increased to a probable cause or 2703 standard?
    Mr. Baker. I am sorry, Senator. Do I think it would be----
    Senator Grassley. The legal standard to obtain information 
should be increased.
    Mr. Baker. Oh, again, this is an area--the pen registers 
and these kinds of things are the basic building blocks for our 
investigations, so any changes to those would have to be 
reviewed very carefully. Any changes to that standard would 
have to be reviewed very carefully.
    Senator Grassley. Well, then, I will skip a question and go 
to my last one. Would not a change like this increase burdens 
on investigators, prosecutors, and the courts?
    Mr. Baker. Yes.
    Senator Grassley. Okay. Thank you, Mr. Chairman.
    Chairman Leahy. Thank you very much.
    I will yield to Senator Whitehouse and then in a few 
minutes turn the gavel over to him.
    Senator Whitehouse. Thank you, Chairman, and thank you, 
gentlemen, both for being here. I appreciate your work on this 
issue.
    I am going to be here until the end of the hearing because 
I will be taking over the gavel, so I am just going to ask a 
sort of brief set of overview questions now that are kind of in 
the nature of framing what the topics should be that we should 
be prepared to address as we go forward. And I assume that you 
are working on them as well.
    One obviously is how location information should be 
treated. As a general proposition, I do not know that there is 
an established privacy right cognizable under the Fourth 
Amendment regarding your location. If the police want to put a 
tail on somebody, they do not get a warrant for that or take 
any action, and they can follow to the best of their ability 
and figure out where somebody is. When you move up to pen 
register and trap-and-trace, there is a more complicated 
standard. And when you go to a full-blown Fourth Amendment 
search warrant requirement and you are involved in content, 
there is a much higher standard. And as I understand it, we 
should be sorting out where the location information, which is 
now newly available really in ways that it was not when ECPA 
was written, where it falls into that array of possibilities. 
Correct?
    Mr. Kerry. Yes.
    Senator Whitehouse. So that is one. Okay. We should review 
the question--as a general proposition, you both agree that 
warrants are ordinarily required to access content of a 
communication. Correct?
    Mr. Baker. Not always.
    Senator Whitehouse. Ordinarily.
    Mr. Baker. Ordinarily. But--I am sorry. It depends. Not 
always. So we can talk about that.
    Senator Whitehouse. But the 180-day rule under ECPA 
specifically allows access to content if it is more than 180 
days old without a warrant----
    Mr. Baker. Correct.
    Senator Whitehouse. We should review that determination 
given the change in technology and practice that has taken 
place. Correct?
    Mr. Baker. We agree that is definitely an area that people 
want to talk about, and we are happy to engage in that 
discussion.
    Senator Whitehouse. The next issue is private sector 
disclosures, and they come in two ways. One is private sector 
disclosures to other private sector commercial operators and 
whether we should put some restrictions on that so that, for 
instance, your ISP is not selling your location to McDonald's 
so that every time you are within 100 feet of a McDonald's you 
are getting a message saying, ``Don't you feel like a 
hamburger.'' And at the same time, on the other side, there is 
the concern that the ISPs now have considerable access and 
considerable situational awareness about the cyber threat and 
what is happening out there, and ECPA restricts their ability 
to warn Government about those activities so that Government 
can be prepared to take national security protection action. 
And both of those are things we should be examining, correct?
    Mr. Kerry. That is correct, Senator, yes. Those are 
actively at work in interagency processes within the 
administration.
    Senator Whitehouse. It seems to me that as we move more 
into the cyber realm, there are searches and then there are 
searches. And the Constitution concerns itself with searches in 
which somebody gains awareness of your personal papers and 
communications. That strikes me as the fundamental protection 
of the Fourth Amendment. Where you have a mechanism that 
potentially no human actually is aware of that scans the flow 
of data that goes through cyber space and simply alerts when it 
determines that a virus or a malware or some kind of threat is 
attached to that content, it is conceivable in that 
circumstance that no person actually locates that, although 
technically is remains a search because an agent has deployed 
this technology and has actually scanned the packet of content. 
Is that a distinction that is worth beginning to pursue? That 
seems to be a novelty nowadays. You know, in the old days, if 
somebody went through your papers, it was an agent and they 
were looking at it, and your privacy was really implicated in a 
very significant way when another person was looking at your 
papers. If all that is happening is that the content of your e-
mail stream is being scanned for known malware and viruses and 
that is causing a safety action to be taken to protect the 
Internet, that is a slightly different piece of--it is a 
slightly different privacy interest involved there, isn't it?
    Mr. Baker. Senator, these are exactly the right kinds of 
questions to ask and areas to think about. I have seen some 
folks analogize what I think you are talking about to a 
situation like a dog sniffing luggage at the airport for either 
explosives or for narcotics or something like that, and they go 
along the line and, you know, sniff what is there, and then 
they alert only on the thing that has contraband in it. So it 
is a different regime. It depends on the context. Airports are 
different than a lot of other things. But in any event----
    Senator Whitehouse. Conceivably, there is even less of a 
privacy interest in this because what happens when the dog 
alerts is that your suitcase gets opened and people plow 
through it, and a human knows what you have in your suitcase, 
and that affects the privacy interest; whereas, it is not 
unusual that what happens to a digital alert is that simply the 
message is rerouted and nobody actually ever gets awareness of 
the content.
    Mr. Baker. Well, that is one way you could do it, 
certainly, but I think there would be an interest in looking at 
that communication and trying to analyze it from a cyber 
security perspective to have a better idea where it came from, 
what its purpose is, and what its destination is.
    Senator Whitehouse. All right. My time has expired, and I 
just to figure out who was here first.
    Senator Franken was here first.
    Senator Franken. Thank you, Mr. Chairman, and thank you, 
gentlemen, for your testimony.
    ECPA gives citizens privacy protections with respect to law 
enforcement, but ECPA also says when an ISP can share our 
information with other businesses or the general public, and I 
am worried that these privacy protections are just far too 
weak.
    Here is an example. If I make a phone call from my smart 
phone and my phone company learns of my location, they cannot 
go out and sell that information or give it to anybody unless 
they have my express consent. But I use the same smart phone to 
do a Google search, under certain court decisions that same 
phone company would likely be free to give my location 
information to any business or person that it wants to. The 
difference is that my phone call is covered by the 
Telecommunications Act, and my Internet search is covered by 
ECPA.
    Mr. Baker. and Mr. Kerry, are you aware of this 
discrepancy? And what do you think of it?
    Mr. Kerry. I am aware of the discrepancy, and that, in 
fact, is the case. I mentioned the effort that we have 
undertaken to address privacy policy in the commercial data 
context. Indeed, a couple of weeks ago, the administration 
announced support for baseline privacy regulation in the online 
area.
    The issue of what usage, what resale, what communication 
with third parties can be made of the kind of location 
information that you described, among many other kinds of 
information that people generate as they go online, is one of 
the issues that needs to be addressed as part of baseline 
privacy protection.
    Senator Franken. And as part of rewriting this bill?
    Mr. Kerry. I am not sure that that necessarily fits under 
changing ECPA. There are aspects of it that need to be 
addressed under ECPA, as Mr. Baker said in response to earlier 
questions. Trying to establish some certainty on Government 
access to geo-location data and other location data is 
certainly an appropriate subject for consideration.
    Senator Franken. Well, this specific issue with location is 
part of a broader problem in ECPA, and you note in your 
testimony, Mr. Baker, that ECPA allows ISPs to disclose 
customer records to pretty much anyone they want as long as it 
is not the Government. That includes information on whom you e-
mail, when you e-mail, and to some extent the websites that you 
visit. This is totally out of line with the Cable Act and 
Communications Act, which require cable and phone companies to 
get your consent before making these disclosures to third 
parties.
    Mr. Baker., I applaud the Department's position that this 
part of ECPA may be insufficiently protective of customer 
privacy. Would you agree that in this respect ECPA's consumer 
privacy protections represent a lower standard than the kind of 
protections our law provides to cable and phone service 
customers?
    Mr. Baker. I think it is lower with respect to the 
providers that ECPA applies to when compared to the regulations 
under the Communication Act and the Cable Act, those kinds of 
things that apply to different companies or at least companies 
wearing different hats at different times. And as you said, 
yes, it is one provision of ECPA that allows this more robust 
sharing of consumer data--not communications, not the content, 
but the data.
    Senator Franken. So it is a lower standard.
    Mr. Baker. It is a lower--well, it permits it. It permits 
the sharing without more to anybody who is not a governmental 
entity. And if I could just note that a foreign government 
falls within that category. In other words, it prohibits 
disclosures to the U.S. Government or a State government. It 
does not prohibit disclosures to a foreign government. So we 
are----
    Senator Franken. Thank you for that distinction.
    Mr. Kerry, Minnesota is home to a lot of so-called cloud 
computing businesses. These are businesses that allow other 
businesses or individuals to store their e-mails, documents, 
and photos remotely instead of on their computers. I recently 
heard from one company in Minnesota, N Stratus. They said they 
are losing business because they cannot definitively tell their 
prospective clients when and how the Government will access 
their information. Because of this uncertainty, people are not 
deciding to put their documents on the cloud. They are choosing 
to keep their documents on their own computers and servers.
    Mr. Kerry, I am sure you have heard of many companies that 
are in this situation. How can we amend ECPA to help businesses 
like N Stratus?
    Mr. Kerry. Senator Franken, I certainly have heard that 
from a great many companies. I spoke yesterday at a gathering 
of technology and software general counsels. There was a lot of 
interest in this issue. We have seen in the development of e-
commerce that, you know, people's willingness to trust vendors 
with credit card information was a critical threshold to get 
across. You see the same thing with cloud computing.
    Harris research, market research by computing companies, 
indicates a very large number of both businesses and consumers 
are concerned about their privacy and their security in putting 
information into the cloud--80 percent in the Harris survey.
    One of the reasons that we have engaged in the privacy and 
security discussion at the Department of Commerce is because 
trust is such a critical component of the digital economy, and 
cloud providers need to be able to assure their customers that 
what they provide to them in the cloud is as trustworthy as 
physical records or other ways of storing digital information, 
and that, you know, they have no competitive disadvantage with 
other business models. That is the clear message that we have 
gotten from a great many companies in this area.
    Senator Franken. Thank you.
    Senator Whitehouse. Senator Coons.
    Senator Coons. Thank you, Senator Whitehouse. And I must 
say, as I read the background of the briefing in the materials 
in preparation for today's hearing, I initially thought I must 
be mistaken that the murkiness of the legal field--it was the 
last memo I read before falling asleep last night. I thought it 
was my error. It is a truly unclear and unresolved legal 
landscape in the balance between Fourth Amendment interests and 
privacy rights between the law enforcement and the commercial. 
We have here a statute that has truly been exceeded by 
developments in technology over the last decade and more. And I 
am concerned about the uncertainty for law enforcement, for 
companies, for individuals in their privacy rights, and the 
interests of law enforcement.
    One comment, if I might, in opening and follow-up to what 
Senator Grassley said. The only concern for law enforcement, I 
think, is not just speed. It is also efficacy. The county 
police department over which I had responsibility before this, 
we could kick down doors, arrest people, haul them out, but if 
it was not done in a way that was legally sound, if the 
evidence was not gathered in a legally sound way, then lots of 
the investigation and the prosecution ultimately would be 
wasted. And the uncertainty of the legal standards under which 
you are proceeding with investigations and prosecutions here I 
think puts law enforcement equally at risk as the possibility 
of raising the standards in a way that would slow down law 
enforcement. Law enforcement needs to be both swift and certain 
and done in a way that protects the privacy rights that makes 
America a unique place.
    I would like to follow up on some of the questions Senator 
Franken was asking about the tensions between consumer 
interests and privacy rights.
    Mr. Kerry, how do the U.S. protections for stored 
communications, data, and documents, particularly those stored 
in the cloud--we were talking about the tension between paper 
records, internal records, and those that are electronic but 
offsite. How does this compare with protections abroad? What is 
the status of the EU Data Privacy Directive? And how do our 
protections compare around the world given that many companies 
now are truly global in terms of the communications and the 
documents?
    Mr. Kerry. Thank you, Senator Coons. As a general matter, 
certainly as it is perceived, the European protections under 
the European Data Privacy Directive are more extensive, 
certainly more prescriptive than those under the United States 
regime. Part of that is because there is no comprehensive 
protection in the United States; so we have some very strong 
sectoral regimes, we have strong common law, FTC protections, 
but there are gaps.
    So part of our effort is to fill those gaps. That is a 
major reason for the administration's endorsement of baseline 
privacy protection. It is a key ingredient in cloud computing 
and data, the free flow of data as an instrument of trade and 
of economic growth. We have seen over the past years, the past 
couple of years, that the digital sector, the information 
economy, is leading the way out of the recession. It is a key 
component of our economic growth, so we need to take steps 
internationally to align our privacy law with consumer 
expectations. That is the effort on the data privacy front. I 
think it is an appropriate effort under ECPA.
    Senator Coons. Thank you, Mr. Kerry.
    Mr. Baker. Your written testimony argued current 
protections for communications stored longer than 180 days 
makes sense because analogous paper records can be accessed 
with just a subpoena. Are stored e-mail communications really 
analogous to records accessible with a subpoena? And how do you 
make that analogy?
    Mr. Baker. I guess we make the analogy based upon where you 
are storing them, with whom, for how long, and so on. So in the 
paper world, if you store your records with someone else, 
depending upon a lot of facts and circumstances, so we can go 
into that if you want, but we can go and we can use a grand 
jury subpoena, for example, go to that third party, deliver the 
subpoena, and demand the records. Even somebody's personal 
records that they maintain in their own house, we can go with a 
grand jury subpoena and ask for those records. There may be 
some other issues there in terms of them producing them, but 
the basic idea is we can subpoena records when they are in the 
hands of either yourself or third parties if we do not want to 
use a warrant.
    Senator Coons. And at what point does the standard rise to 
requiring a warrant?
    Mr. Baker. Well, if we are going to intrude on a protected 
privacy interest, so if we want to go--if we do not think you 
are going to produce the documents from your house, we want to 
go in your house and take them, we get a warrant that 
authorizes us to do that. If we thought that a third party even 
would pose a threat or might destroy the records, something 
like that, we would go and get a warrant and take them from the 
third party.
    Senator Coons. And given the dramatic developments in the 
last decade in terms of the capacity for storage for e-mail--I 
think none of us 20 years ago had years of stored e-mail just 
sitting out there somewhere--how do you measure emerging 
privacy standards and how do we strike an appropriate balance 
in the law enforcement context?
    Mr. Baker. Well, I think for us our obligation on that last 
part is to come up and explain to you what we think the 
proposed changes would have on our ability to do our jobs. I 
think that is what we need to do.
    I think it is difficult and I think courts are struggling 
with actually understanding what people's personal subjective 
expectations of privacy are because in some circumstances 
people want to share a lot of data with others in the world. 
But the question under the Fourth Amendment is not only what do 
they subjectively think, but what objectively is a reasonable 
expectation of privacy. And that is what I think Congress is 
going to struggle with over the next period of time to 
understand that and try to deduce that.
    I think it is hard to understand, though. I think it is 
hard to actually figure out what people's reasonable 
conceptions of privacy are today.
    Senator Coons. And I do think----
    Senator Whitehouse. Senator Blumenthal.
    Senator Blumenthal. Thank you, Mr. Chairman.
    I want to focus on the area of potential legislation that 
you have identified as No. 6 in your testimony, Mr. Baker, 
restricting disclosures of personal information by service 
providers, that is, the commercial disclosure of information, 
sharing, exchanging, selling information, where I think a lot 
of consumers are most directly impacted. We can debate in this 
Committee hearing the standards that ought to apply to 
disclosure by service providers to the Government, but as we 
have seen in the security breach that occurred, reported just 
recently occurred sometime in the past with Epsilon, literally 
millions of consumers are now going to be at risk of phishing, 
potential identity theft as a result of the breach of security 
concerning Epsilon that has received information from some of 
the major retailers around the country. And both as to content 
and non-content information, I think there is a significant 
privacy interest at stake here, as you very correctly 
identified in your testimony. And, in fact, I have asked the 
Attorney General of the United States to begin an 
investigation. I sent him a letter yesterday concerning the 
Epsilon breach, and I would like to emphasize to you now how 
concerning I believe this breach is. I have asked for this 
investigation literally within the last 24 hours, so I am not 
going to ask you for a response here on behalf of the 
Department. But I believe that it is extraordinarily important 
for the Department of Justice to indicate its interest in this 
area.
    I would like to ask in my question to you whether you 
believe that there is a need for more explicit restrictions. 
You say there are none now in the legislation concerning 
disclosure, sharing, exchange of this kind of information, 
whether you believe this is an appropriate topic for us to 
legislate on in reforming ECPA.
    Mr. Baker. Thank you, Senator. Obviously, as the statement 
reflects, we certainly think it is an area--we agree--I mean, 
the Commerce Department agrees that this is an area that we 
should look at. How you exactly change the rules, if at all, is 
another matter, but it is an area that a number of people have 
raised, and so it seems to be a legitimate area of inquiry.
    Obviously, if people want to share information voluntarily 
for whatever purpose, they are free to do so. That is clear. 
And I do not think anybody is talking about trying to restrict 
people's ability to voluntarily share information to take 
advantage of all these amazing technologies that are out there 
for a whole range of different purposes. But the question is: 
To what extent should the companies be able to share that 
information consistent with their obligations to their 
customers? And should law enforcement be in a different 
position with respect to such data than private sector entities 
are? Maybe they should be. Maybe they should not be. But at 
least the key thing is to understand that.
    One quick final point. With a lot of this data, as Mr. 
Kerry said, people are very concerned about their privacy. We 
understand it. And as you reference, they are also concerned 
about their security, the security of all this data that is out 
there. And the more data you share and the more data third 
parties have, the more data, you know, that is subject to the 
kinds of cybersecurity threats that Senator Whitehouse was 
referencing.
    Senator Blumenthal. Well, let me ask you very directly. If 
there were a requirement, for example, carrying out the policy 
that you have just articulated so well that people ought to be 
given the choice whether to share data or not, that Best Buy or 
L.L. Bean should be required to get a consumer's consent before 
they share that information, law enforcement would be impacted 
in absolutely no way.
    Mr. Baker. Well, I think if they agree to it--and I believe 
that in many circumstances they do agree to it. When you accept 
the terms of service, when you click ``I agree'' after you read 
or at least see these long statements that are out there, that 
is a legally binding contract, and so----
    Senator Blumenthal. Well, sometimes they do and sometimes 
they do not. But my question to you really is separate and 
apart from what the means of consent might be. It is whether 
law enforcement would have an interest or would be impacted--in 
other words, to put it more directly, I would posit the theory 
that the law enforcement of and the protection and security of 
the United States of America would not be impacted if L.L. Bean 
or Best Buy would be required to have a great big box requiring 
consumer consent before they share or sell this information, 
because it would not impact the standard that you would need to 
go to a service provider and seek the same information. You are 
in two separate realms of legal accountability.
    Mr. Baker. I see what you are saying, Senator. Yes, I think 
that is right. Obviously, we do investigate the kinds of crimes 
that you are talking about, so we have an interest in what is 
being shared and what information is out there and what 
information we have to investigate the unlawful disclosure of. 
But I think you are right. It at least puts us in no worse a 
position, but in terms of looking at privacy and understanding 
what the rules of the road are with respect to privacy, it is 
at least a legitimate area of inquiry.
    Senator Blumenthal. Thank you.
    Senator Whitehouse. Senator Klobuchar.
    Senator Klobuchar. Thank you very much, Mr. Chairman.
    Thank you to both of you for joining us today to talk about 
this important topic. As a former prosecutor, I see both sides: 
the fundamental right to privacy, but also the way criminals 
can try to take advantage of our respect for that privacy by 
claiming communications are protected and by making it very 
hard to get at things. So that is the way I look at this and 
have had some interesting times in my past jobs trying to get 
information.
    I wanted to talk about, first of all, cloud computing. It 
was raised by two other Senators, and I have been working in 
the last 6 months on a bill with Senator Hatch that we are 
going to put out shortly, and I wondered if you could talk, Mr. 
Kerry, about how Commerce is looking at that as you look at 
this bill and how you are going to work cloud computing into 
ECPA as you move ahead.
    Mr. Kerry. Thank you, Senator. We will be interested to 
work with you on that bill.
    The Obama administration has made cloud computing a 
priority, and it is part of the technological initiatives that 
Federal agencies have been directed under a Cloud First 
Initiative to move toward cloud computing. It provides 
important economic advantages of scalability, of efficiency, 
which, as the digital economy leads the way to economic growth, 
is an important driver of innovation, of economic growth, of 
our ability to compete in the world and to outcompete and 
outinnovate the rest of the world. So that is an important 
driver here.
    I spoke earlier--I do not recall whether you were here at 
the time--about the concern among cloud computing companies 
about leveling the playing field, about enabling them to 
provide the same assurance of trust in both privacy and 
security that their competitors have, both, you know, in the 
United States and around the world. So aligning the law to 
consumer privacy expectations is an important step toward that.
    Senator Klobuchar. Very good.
    Mr. Baker. What is the current law for data stored in the 
cloud under the Privacy Act? And does the Justice Department 
have any proposals for updating as it relates to that data?
    Mr. Baker. Well, the law--it depends on a lot of different 
facts and circumstances. In particular, it depends upon whether 
the information is in transmission still or whether the 
transmission has been completed and it has been received by the 
intended recipient of the communication if you are talking 
about communications data in the cloud. Obviously, you can 
store non-communications data in the cloud as well--business 
records and other things that corporations, for example, might 
want to store with a third party, or individuals--photos, 
things of this nature.
    So I think the answer is it depends upon the kind of 
communication that you are talking about, and I think different 
rules would apply depending upon the amount of time that it has 
been stored there, whether it is in transmission or not, things 
of this nature. So it is a relatively complicated area.
    Also, there is a key distinction in the law between content 
and non-content, as we have been talking about, so if the 
Government wants non-content information, one set of rules 
applies. And if we want content information, a different set 
applies.
    Senator Klobuchar. Okay. In your testimony you explained 
the difference between cell site location, cell phone tower 
information, and GPS location information, and you mentioned 
that some courts seem to confuse the two. Your testimony states 
that since cell site information is much less precise than GPS 
information, the burden for law enforcement should be lower to 
obtain it.
    It seems to me that the appropriate burden on law 
enforcement depends heavily on the precision of the 
information. I was hoping you could clarify just how precise 
the cell site information is. I have had some experiences with 
this before when I was a prosecutor, and I know that it gives a 
location within a cell tower's area and can often be as precise 
as giving location within a cell sector. But how precise is it 
in real-world terms?
    Mr. Baker. So my understanding is that--again, we are 
talking about a cell site, so one tower, and then that is 
divided up into sectors. And so if the company has the 
information and it is available, it can identify it with 
respect to the particular sector. As I mentioned earlier, it 
depends upon whether you are in a rural area, a suburban area, 
or certain urban areas. And the ranges that I have seen have 
been from 5 miles, so it ``pinpoints'' you within 5 miles of 
where you are, to 1 to 2 miles as you get into a more heavily 
populated area, to up to 100 yards. So that is the lowest 
amount that I have seen, 100 yards.
    A key thing also that I would suggest the Committee should 
think about is not only the precision but also the issue with 
respect to the voluntariness of the sharing of that 
information. So generally speaking, it is information that when 
you move around or when you have a communication, when you move 
around through certain sectors and certain areas, or when you 
have a communication, when you initiate a communication, that 
is when this data is obtained. And so at least in our minds, it 
does bear similarities to the type of pen register information 
that you collect when you are at your home in your private 
residence and you decide to make a phone call and you reveal 
something about where you are at that date and time.
    Senator Klobuchar. Okay. Thank you very much.
    Senator Whitehouse. Before we conclude, I see Senator 
Blumenthal is still here. Would you like to do a second round?
    Senator Blumenthal. I would, Mr. Chairman. I wonder if you 
would like----
    Senator Whitehouse. No, why don't you proceed? I have to be 
here anyway, so I will wrap up.
    Senator Blumenthal. Thank you, Mr. Chairman. And thank you 
again for your testimony.
    I would like to pursue some of the areas that we began 
discussing relating to the consent provisions and the need and 
advisability perhaps of restrictions. In your testimony, Mr. 
Baker, you say there are no explicit restrictions on a provider 
disclosing non-content information. Are there any restrictions, 
in your view?
    Mr. Baker. Well, one thing that comes to mind is the kinds 
of documents that we were talking about earlier, so you could 
have a contractual limitation that the provider agrees to when 
you agree to engage in that service. So that is one off the top 
of my head.
    Senator Blumenthal. I am sorry. When I asked the question, 
I should have said that your testimony says that ECPA contains 
no explicit restrictions, and I assume from your answer that 
that kind of contractual provision is not in ECPA.
    Mr. Baker. That is correct. That is correct. As we 
discussed earlier, I think with Senator Franken, there are 
other parts of law that restrict other entities from disclosing 
certain types of data that is comparable at least, so there are 
other parts of law that affect that. But when we are talking 
about ECPA, there is no explicit limitation.
    Senator Blumenthal. And in your view, are those protections 
sufficient right now? Or should we consider it as part of this 
process? I know that you have suggested it may be appropriate, 
but given the administration's interest in privacy for 
consumers, would that be an appropriate area?
    Mr. Baker. Let me just first correct what I said. When I 
say there is no limitations, that is on the non-content 
information, so just to be clear about that.
    The administration does not have a position yet on the 
exact answer to this question, but we can see that it is a 
legitimate question to ask. And so that is what we--you hear 
this all the time, but we are happy to work with you to try to 
figure out what the answer is here and whether additional 
protections are appropriate, required--again, with trying to 
get the balance right between all these different interests 
that we are trying to achieve--privacy, innovation, and 
security.
    Senator Blumenthal. Well, I would welcome and I do welcome 
that willingness to work together. And I wonder whether there 
is a task force or a working group within the administration 
that is focusing on this issue, as often there is on matters of 
policy like this one.
    Mr. Kerry. Senator Blumenthal, in fact, there is. There is 
a Subcommittee of the National Science and Technology Council, 
which I co-chair with Assistant Attorney General Christopher 
Schroeder of the Office of Legal Policy, that is carrying 
forward the work to define what a privacy bill of rights should 
contain. We are actively at work on that, digesting the 
comments that we have received on the Commerce Department Green 
Paper and moving as quickly as we can to an administration 
white paper that would flesh out these questions and deal with 
a broad set of issues about commercial data privacy.
    Senator Blumenthal. And I know that the President has 
talked about a privacy bill of rights, which can mean a lot of 
things to a lot of different people. But I would just suggest--
and I would be eager to work with you--that it should encompass 
this area which is so vitally important to consumers and 
individuals who may have no idea that very private information 
has been shared or sold by entities with which they are doing 
business.
    Mr. Kerry. Thank you, Senator. We are hard at work, and I 
assure you that that is one of the topics we are working on.
    Senator Blumenthal. Thank you.
    Thank you, Mr. Chairman.
    Senator Whitehouse. Thank you, Senator Blumenthal.
    Let me close first by thanking both of you for your service 
and for your work on this issue. I think the testimony today 
has made clear that there is a lot of work to be done, not only 
on our side but also on the administration's side in arriving 
at positions, which I assume you consider to be an important 
part of the equation here. I do not know if it is your position 
that you are going to raise issues and we are going to resolve 
them all here without the administration ever taking a position 
or if this is an area in which you think the administration 
should take a position, but I am going to assume the latter and 
hope that to be true.
    With respect to the issue of cybersecurity, I am interested 
in any information that either of you might be able to provide 
about the timing of the conclusion of the interagency process, 
and the background to this question is that really I want to 
say over a year ago the Senate Commerce Committee completed its 
work, led by Chairman Rockefeller and Senator Snowe, who both 
also serve on the Intelligence Committee. Homeland Security I 
think also about a year ago completed its work. I believe it 
has been nearly a year since, with Senator Mikulski and Senator 
Snowe, I wrote the Intelligence Committee Cyber Security Task 
Force report. And in order to proceed to repairing the gaps in 
our National cyber security, we need to close on this issue. 
And it is very hard where there are discrepancies between where 
one Committee or another wants to go to resolve those 
discrepancies without a position being taken by the 
administration. And given the fact that the interagency process 
appears to have taken over a year at this point and that during 
that time the discussions back and forth between the executive 
and legislative branch have been reduced to, as best I can 
tell, zero but, in any event, very, very slender channels of 
communication, I think it is really important that we begin to 
open that up so that we can begin to legislate in this area and 
do so in a meaningful way.
    The folks who are attacking us are not waiting. I was 
visiting with a CEO of an American energy company that 
announced a new product on the media, and within the first 2 
hours of that announcement, the CEO's personal e-mail had been 
attacked 60,000 times. And, clearly, there are forces outside 
this country who want nothing more than siphon up all of our 
intellectual property that they can so that they can compete 
with us using our own knowledge against us, without paying for 
it, without licensing agreements, without any of the sort of 
accoutrements of rule of law in this area. And I would not be 
surprised if the number in terms of the loss to the U.S. 
economy is in the trillions at this point. And it is constant. 
It is thousands of attacks a minute, not thousands of attacks a 
day.
    And so when that is the timeframe of the attack, to spend a 
year in an interagency process and shut down the engagement 
necessary between the executive and legislative branches for 
that period before we can go forward I think is a necessary 
process, but it is one that is not without peril, and it is one 
that is not without cost.
    So the sooner we can bring it to its conclusion, the better 
off we will be as a country, and the safer we will be. So I 
hope very much you can provide some insight into when you think 
we might begin to re-engage on the cyber security bill, and 
even if the interagency process is not concluded to its last 
final comma and period, at least it will be sufficiently 
through its path that the administration feels that it can 
begin to re-engage with us.
    What can you tell me about that?
    Mr. Kerry. Well, Senator Whitehouse, thank you. It is an 
urgent process. I can tell you that that interagency process is 
winding up. Both Mr. Baker and I have participated in a number 
of deputies Committee meetings to resolve some of the top-line 
issues. The rest of more detailed proposals are now in the 
final processes of circulating interagency. So I do not want to 
put a date on it, particularly with the prospect of a 
Government shutdown looming. But, you know, I think we are very 
close, a matter of some weeks away from being able to share 
proposals with Congress.
    Senator Whitehouse. I had not thought of it in the context 
of the Government shutdown, but I guess you are right. Pretty 
significant national security cost to precipitate with a 
Government shutdown.
    Mr. Kerry. I think so.
    Senator Whitehouse. Mr. Baker, anything to add?
    Mr. Baker. I am not sure exactly when the process will be 
finished. We have made substantial progress in the past period 
of time. As you know well, these are very difficult issues. 
They raise a lot of the same kinds of issues that we talked 
about today in terms of security in a different context, but 
security, privacy, innovation, all of these things are front 
and center in the cyber security debate.
    I agree with your assessment of the threat. It is very 
grave. We need to move forward as expeditiously as possible. 
These are difficult issues to work our way through, and so we 
are doing that. And I would say that we have made substantial 
progress in at least teeing up a lot of these issues for 
decisionmakers to make a call on. So I think there is a lot of 
work that has been done.
    You may not feel as though it is a communication. I can 
tell you that from our end it feels like you are shouting with 
a bullhorn. So we have heard you that you want us to come up 
with proposals quickly. I am referring to the whole Congress. 
We get that message loud and clear, and so we are doing our 
homework and doing what we need to do on our end so that we can 
have something that is an administration position to come back 
to you with.
    Senator Whitehouse. For sure it will be this year, will it 
not?
    Mr. Baker. I beg your pardon, Senator?
    Senator Whitehouse. It will be for sure within this year, 
will it not?
    Mr. Baker. I am not going to sit and swear to you in front 
of the United States Congress----
    Senator Whitehouse. You are not under oath.
    Mr. Baker. Yes, Okay.
    [Laughter.]
    Senator Whitehouse. I am asking for your assessment of--I 
mean, realistically.
    Mr. Baker. Realistically, I think yes. Yes.
    Senator Whitehouse. Okay, good. Because I think it is 
important that we take up a cyber security bill this year and 
begin to move to repair some of the very wide open 
vulnerabilities that we have that are being exploited to vast 
effect by our economic rivals and our National security 
adversaries.
    Let me close----
    Mr. Kerry. And I would second that view, Mr. Chairman, for 
what it is worth.
    Senator Whitehouse. Yes, thank you. Let me close by saying 
that I really appreciate Chairman Leahy having called this 
hearing. Many years ago he was involved very deeply in the 
drafting of the original ECPA proposal. I think that the 
principles that he brought to that debate and the determination 
with which he sought through to a conclusion are lasting ones 
that should continue to inform what we do going forward and 
inspire us as we make these corrections.
    What has changed in the meantime has nothing to do with 
those principles or with his personal determination to achieve 
the right balance, but the landscape itself has changed as 
technology has changed. And surfaces that used to be in shadow 
are now in sunlight; surfaces that used to be in sunlight are 
now in shadow. We have to adapt to those changes, but I do 
believe that we can bring the same principles and the same 
desire for a sensible balance and the same determination that 
Chairman Leahy showed when he originally did it, and I think 
that will see us in good stead as we work through the updates 
that intervening events have precipitated.
    So I look forward to working with you on that. Thank you 
very much for your testimony here today and for your work going 
forward. We will keep the hearing open for an additional week 
in the event that anybody wishes to add anything to the 
record--we will keep the record of the hearing open for an 
additional week. We are not going to keep the hearing open for 
an additional week.
    The hearing is adjourned. Thank you.
    [Whereupon, at 11:29 a.m., the Committee was adjourned.]
    [Questions and answers and submission for the record 
follow.]




                                 
