[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
                     ECPA (PART I): LAWFUL ACCESS 
                           TO STORED CONTENT 

=======================================================================

                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON CRIME, TERRORISM,
                 HOMELAND SECURITY, AND INVESTIGATIONS

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 19, 2013

                               __________

                           Serial No. 113-16

                               __________

         Printed for the use of the Committee on the Judiciary

      Available via the World Wide Web: http://judiciary.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

80-065 PDF                       WASHINGTON : 2013 



                       COMMITTEE ON THE JUDICIARY

                   BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        JERROLD NADLER, New York
HOWARD COBLE, North Carolina         ROBERT C. ``BOBBY'' SCOTT, 
LAMAR SMITH, Texas                       Virginia
STEVE CHABOT, Ohio                   MELVIN L. WATT, North Carolina
SPENCER BACHUS, Alabama              ZOE LOFGREN, California
DARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona                  Georgia
LOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio                     JUDY CHU, California
TED POE, Texas                       TED DEUTCH, Florida
JASON CHAFFETZ, Utah                 LUIS V. GUTIERREZ, Illinois
TOM MARINO, Pennsylvania             KAREN BASS, California
TREY GOWDY, South Carolina           CEDRIC RICHMOND, Louisiana
MARK AMODEI, Nevada                  SUZAN DelBENE, Washington
RAUL LABRADOR, Idaho                 JOE GARCIA, Florida
BLAKE FARENTHOLD, Texas              HAKEEM JEFFRIES, New York
GEORGE HOLDING, North Carolina
DOUG COLLINS, Georgia
RON DeSANTIS, Florida
KEITH ROTHFUS, Pennsylvania

           Shelley Husband, Chief of Staff & General Counsel
        Perry Apelbaum, Minority Staff Director & Chief Counsel
                                 ------                                

Subcommittee on Crime, Terrorism, Homeland Security, and Investigations

            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman

                  LOUIE GOHMERT, Texas, Vice-Chairman

HOWARD COBLE, North Carolina         ROBERT C. ``BOBBY'' SCOTT, 
SPENCER BACHUS, Alabama              Virginia
J. RANDY FORBES, Virginia            PEDRO R. PIERLUISI, Puerto Rico
TRENT FRANKS, Arizona                JUDY CHU, California
JASON CHAFFETZ, Utah                 LUIS V. GUTIERREZ, Illinois
TREY GOWDY, South Carolina           KAREN BASS, California
RAUL LABRADOR, Idaho                 CEDRIC RICHMOND, Louisiana

                     Caroline Lynch, Chief Counsel

                     Bobby Vassar, Minority Counsel



                           C O N T E N T S

                              ----------                              

                             MARCH 19, 2013

                                                                   Page

                           OPENING STATEMENTS

The Honorable F. James Sensenbrenner, Jr., a Representative in 
  Congress from the State of Wisconsin, and Chairman, 
  Subcommittee on Crime, Terrorism, Homeland Security, and 
  Investigations.................................................     1
The Honorable Robert C. ``Bobby'' Scott, a Representative in 
  Congress from the State of Virginia, and Ranking Member, 
  Subcommittee on Crime, Terrorism, Homeland Security, and 
  Investigations.................................................     2
The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Committee on the Judiciary     3
The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, and Ranking Member, Committee on 
  the Judiciary..................................................     5

                               WITNESSES

Elana Tyrangiel, Acting Assistant Attorney General, Office of 
  Legal Policy, Department of Justice
  Oral Testimony.................................................    13
  Prepared Statement.............................................    16
Richard Littlehale, Assistant Special Agent in Charge, Technical 
  Services Unit, Tennessee Bureau of Investigation
  Oral Testimony.................................................    24
  Prepared Statement.............................................    27
Orin S. Kerr, Fred C. Stevenson Research Professor, George 
  Washington University Law School
  Oral Testimony.................................................    36
  Prepared Statement.............................................    38
Richard Salgado, Director, Law Enforcement and Information 
  Security, Google, Inc.
  Oral Testimony.................................................    45
  Prepared Statement.............................................    47

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Material submitted by the Honorable John Conyers, Jr., a 
  Representative in Congress from the State of Michigan, and 
  Ranking Member, Committee on the Judiciary.....................     6

                                APPENDIX
               Material Submitted for the Hearing Record

Letter from the Federal Law Enforcement Officers Association 
  (FLEOA)........................................................    66
Prepared Statement of the American Civil Liberties Union (ACLU)..    69


                     ECPA (PART I): LAWFUL ACCESS 
                           TO STORED CONTENT

                              ----------                              


                        TUESDAY, MARCH 19, 2013

                        House of Representatives

                   Subcommittee on Crime, Terrorism, 
                 Homeland Security, and Investigations

                       Committee on the Judiciary

                            Washington, DC.

    The Subcommittee met, pursuant to call, at 10:02 a.m., in 
room 2141, Rayburn Office Building, the Honorable F. James 
Sensenbrenner, Jr. (Chairman of the Subcommittee) presiding.
    Present: Representatives Sensenbrenner, Goodlatte, Coble, 
Gohmert, Labrador, Scott, Conyers, Bass, Richmond, and Chu.
    Staff present: (Majority) Caroline Lynch, Chief Counsel; 
Anthony Angeli; Counsel; Alicia Church, Clerk; (Minority) Bobby 
Vassar, Minority Counsel; Joe Graupensperger, Counsel.
    Mr. Sensenbrenner. The Subcommittee on Crime, Terrorism, 
Homeland Security, and Investigations will come to order.
    The Chair recognizes himself for 5 minutes for an opening 
statement.
    The Electronic Communications Privacy Act of 1986, or ECPA, 
is complicated, outdated, and largely unconstitutional. ECPA 
made sense when it was drafted, but the role of the Internet 
and electronic communications in our daily lives is vastly 
different now than it was during the Reagan administration. 
Needed reforms can better protect privacy and allow the growth 
of electronic communications in the economy without 
compromising the needs of law enforcement.
    ECPA was drafted in 1986, the same year Fox News was 
launched. That year, President Reagan ordered a strike against 
Muammar Qaddafi. Arnold Schwarzenegger married Maria Shriver, 
and at this time in 1986, Mark Zuckerberg was 1 year old. The 
world is a different place. I think we all can agree on that. 
The 1986 law governing the Internet is like having a national 
highway policy drafted in the 19th century.
    Today's hearing is the first in a series the Subcommittee 
will hold to examine ECPA. Today we will explore the needs of 
Government to access the contents of stored electronic 
communications and the level of judicial review currently 
required to obtain them.
    ECPA was the necessary response to the emergence and rapid 
development of wireless communications services and electronic 
communications in the digital era. At that time, electronic 
mail, cordless phones, and pagers were in their infancy.
    The Federal wiretap statute has been limited to voice 
communications and addressed an area of communications for 
which there is a Fourth Amendment right to privacy. ECPA 
extended the wiretap provisions to include wireless voice 
communications and electronic communications such as e-mail and 
other computer-to-computer transmissions. It established a 
framework for law enforcement to obtain the content of 
communications.
    The evolution of the digital age has given us devices and 
capabilities that have created conveniences for society and 
efficiencies for commerce, but they also have created 
convenience and efficiencies for criminals, as well as 
innovative new ways to commit crimes. Fortunately, new ways to 
detect and investigate crimes and criminals have also evolved.
    At the intersection of all of these developments and 
capabilities are the privacy rights of the public, economic 
interests in expanding commerce, public policy of encouraging 
the development of even better technologies, and the legitimate 
investigative needs of law enforcement professionals.
    We are eager to hear about the constitutional 
considerations that would require changes to the level of 
judicial review for access to stored communications. We must 
also consider the lawful access to stored content by the 
Government in civil litigation, particularly when the 
Government is a defendant.
    Lastly, we must examine the effect that ECPA reform would 
have on investigations at the State and local levels.
    Today's hearing will focus on the actual contents of 
electronic stored communications. Email content is the body of 
a private electronic communication transmitted from the sender 
to one or more recipients. The primary question is whether the 
Fourth Amendment protections apply and to what type of stored 
communications. Our ultimate goal is to enact reforms that will 
endure for decades. This will give everyone the certainty they 
need to move forward in the digital age.
    It is no secret in the digital age privacy is harder to 
maintain, but Americans should not have to choose between 
privacy and the Internet. In 1986, if you wanted privacy, you 
might keep a personal document in the filing cabinet instead of 
posted on a cork bulletin board. Today, you would probably save 
the same document behind the password in the Google account 
rather than to post it on your Facebook wall.
    But our expectations of privacy have not changed. The 
Fourth Amendment protects more than just Luddites. If our laws 
fail to recognize this, we needlessly risk stunting 
technological progress and economic growth.
    I look forward to hearing from all of our witnesses today.
    And I now recognize the Ranking Member, the gentleman from 
Virginia, Mr. Scott.
    Mr. Scott. Thank you, Mr. Chairman.
    Today the Subcommittee follows last week's hearing about 
cyberthreats and our computer crime laws with a hearing about 
privacy of stored electronic communications content. Whether 
the issue is countering the use of computers to commit crime or 
setting standards for law enforcement's access to stored 
electronic information in order to investigate crime, the pace 
of the technology change has exceeded the limits of our 
statutes in these areas.
    The Electronic Communications Privacy Act, a statute 
designed in 1986 to govern law enforcement's access to the then 
emerging electronic and wireless technologies, is now outdated. 
Because of the growth of the Internet and related technologies, 
most of our private communications and other sensitive 
information are transmitted online and are stored in computer 
networks. To the extent that this has taken place and the ways 
in which technologies have evolved, that was not envisioned by 
Congress when we adopted the current statute. The result is 
that the standards for compelled disclosure under the statute 
are not adequate and their application is inconsistent.
    For example, under the statute a single e-mail or 
electronic document could be subject to multiple legal 
standards in its lifetime from the moment it is typed to the 
moment it is opened by the recipient or uploaded into a user's 
account in the cloud where it may be subject to an entirely 
different standard. This occurs because content may be stored 
in places governed by different statutory definitions from 
moment to moment.
    While a warrant is required to access the content of e-
mails while it waits in electronic communications service 
storage to be read by the recipient, the instant the e-mail is 
opened by the recipient, it may lose that high standard of 
protection and become accessible by subpoena rather than by a 
warrant.
    Also, following the disclosure rules can prove difficult if 
the service provider is unsure whether the data is stored by an 
electronic communications service or a remote computing 
service. Indeed, the distinction is made somewhat confusing 
because most network services are multi-functional. They can 
act as providers of a communications service in some context or 
a remote service in others and neither in still others. And to 
address these concerns, we need clarity, fairness of 
application, and appropriate protection of the privacy rights 
expected by our citizens.
    So I look forward to our discussion today from the various 
people who have an interest in this, and I thank you for 
holding the hearing.
    Mr. Sensenbrenner. Thank you, Mr. Scott.
    The Chair now recognizes the gentleman from Virginia, Mr. 
Goodlatte, the Chair of the full Committee.
    Mr. Goodlatte. Thank you, Chairman Sensenbrenner. I 
appreciate your holding this hearing.
    The dawn of the digital age and the explosive development 
of communication methods have brought with it faster ways to 
compile, transmit, and store information. These developments 
have produced faster and more efficient ways to do everything 
from conducting commerce to connecting with friends. 
Unfortunately, criminals have found ways to convert the 
benefits offered by new technology into new ways to commit 
crimes. At the intersection of these activities are the privacy 
rights of the public, society's interest in encouraging and 
expanding commerce, the investigative needs of law enforcement 
professionals, and the demands of the United States 
Constitution.
    The Electronic Communications Privacy Act was designed to 
provide rules for Government surveillance in the modern age. 
The technology of 1986 now seems ancient in comparison to 
today's. The interactive nature of the Internet now, including 
elements such as home banking and telecommuting, has produced 
an environment in which many people spend many hours each day 
online. In this context, a person's electronic communications 
encompass much more than they did in 1986. Indeed, in 2013, a 
person's electronic communications encompass much more than 
they did in 2000 when Congress acknowledged that much had 
changed since the original ECPA of 1986.
    ECPA reform must be undertaken so that despite the 
evolution of technology and its use in the world, the 
constitutional protections reinforced by ECPA will endure. ECPA 
was intended to establish a balance between privacy and law 
enforcement. In addition, ECPA sought to advance the goal of 
supporting the development and use of new technologies and 
services. Those original tenets must and will be upheld as this 
law is improved.
    There are many investigations in which ECPA is working and 
working well. Pedophiles who sexually assault children and 
distribute video recordings over the Internet have become 
increasingly savvy. They encrypt their communications and use 
technologies to hide their identities and whereabouts. 
Investigators routinely use court orders under ECPA to identify 
these offenders, uncover caches of child pornography that has 
been stored remotely in the cloud, and develop probable cause 
to execute warrants and arrest them.
    ECPA reform is one of the top priorities of the House 
Judiciary Committee. Technology will help us solve many of the 
pressing problems our Nation currently faces. We need to make 
sure that the Federal Government's efforts are focused on 
creating incentives that encourage innovation and eliminating 
policies that hinder it. In updating a law passed before the 
creation of the Internet, the modernization of ECPA needs to 
provide electronic communications with protection comparable to 
their more traditional counterparts and take into account the 
recent boom in new technologies like cloud computing, social 
networking sites, and video streaming.
    That is why we will modernize the decades' old Electronic 
Communications Privacy Act to reflect our current digital 
economy while preserving constitutional protections.
    This particular hearing focuses on issues related to the 
lawful access to stored communications under the current law. 
It is becoming clear that some reforms are necessary, but this 
Committee will move toward modernization and reform after a 
thorough review and with input from all stakeholders.
    I look forward to working with all Members on both sides of 
the aisle to modernize the Electronic Communications Privacy 
Act.
    And I yield back to the Chairman.
    Mr. Sensenbrenner. Thank you, Mr. Goodlatte.
    The Chair now recognizes the Chairman emeritus and Ranking 
Member of the full Committee, the gentleman from Michigan, Mr. 
Conyers.
    Mr. Conyers. Chairman Sensenbrenner, Members of the 
Committee, we have heard in opening statements that we are all 
for modernizing. This hearing could be very important with our 
witnesses telling us what kind of modernization do we want. 
That is where this is all going, and I am glad to hear both the 
Chairman of the Committee and the Chairman of the Subcommittee 
hit those points along, of course, with our Ranking minority 
Member, Mr. Scott.
    I have a list of Digital Due Process Coalition members, 
some 80 or more organizations that are with us on this, and I 
would like unanimous consent to include this in the record.
    Mr. Sensenbrenner. Without objection.
    [The information referred to follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                   __________
    Mr. Conyers. Thank you.
    And I conclude by raising the two issues that I will be 
looking at most carefully, one, that the standard of probable 
cause should apply to the Government's ability to compel a 
communications provider to disclose the customer's e-mail 
message no matter how old the message is. And we have got the 
Warshak case that has now come down. It makes no sense for the 
Government to need a subpoena to obtain e-mail messages that 
are older than 180 days.
    And finally, the law does not adequately protect 
communications stored in the cloud by third parties on behalf 
of consumers. And a probable cause warrant should be required 
for Government access.
    These are very important considerations, and I think we 
will be observing the Fourth Amendment, the right to be free 
from unreasonable searches and seizures, and still move into 
the 21st century.
    I thank the Chairman, and I return any unused time.
    Mr. Sensenbrenner. Thank you, Mr. Conyers.
    We have a very distinguished panel today, and I will begin 
by swearing in our witnesses before introducing them. So could 
all of you please stand and raise your right hands?
    [Witnesses sworn.]
    Mr. Sensenbrenner. Let the record show that each of the 
witnesses answered in the affirmative.
    The first witness is Ms. Tyrangiel who currently serves as 
the Assistant Attorney General for the Office of Legal Policy. 
She joined OLP in 2009 and has served in various roles since 
then, including chief of staff, deputy assistant attorney 
general, and principal deputy. Ms. Tyrangiel worked in the 
Office of White House Counsel before joining OLP. From 2000 to 
2009, she was an assistant United States attorney in the U.S. 
Attorney's Office for the District of Columbia where she served 
as deputy chief of the Sex Offense and Domestic Violence 
Section.
    Ms. Tyrangiel graduated from Brown University and received 
her law degree from the University of Michigan Law School.
    Mr. Richard Littlehale, currently serves as the Assistant 
Special Agent in charge of the Tennessee Bureau of 
Investigations Technical Service Unit. He coordinates and 
supervises the use of a wide range of advanced technologies in 
support of law enforcement operations. This includes 
supervision of TBI's Internet Crimes Against Children Task 
Force and TBI's Joint Cybercrime and Child Exploitation Task 
Forces with the FBI.
    Mr. Littlehale and the TBI agents he supervises developed 
intelligence and evidence from communications records in a wide 
range of cases, including homicide investigations, the search 
for dangerous fugitives, Internet crimes against children, 
computer intrusions, and child abduction responses.
    He ensures that TBI agents are trained to use electronic 
surveillance techniques in strict compliance with State and 
Federal law. He also provides instruction to law enforcement 
officers at all levels of government in techniques for 
obtaining and using communications evidence in support of 
criminal investigations and is active in national groups of law 
enforcement technical and electronic surveillance specialists.
    He graduated from Bowdoin College and received his law 
degree from Vanderbilt Law School.
    Professor Orin Kerr is a professor of law at George 
Washington University where he teaches criminal law, criminal 
procedure, and computer crime law. Before joining the faculty 
in 2001, Professor Kerr was an honors program trial attorney in 
the Computer Crime and Intellectual Property Section of the 
Criminal Division of the U.S. Department of Justice, as well as 
a special assistant U.S. attorney for the Eastern District of 
Virginia.
    He is a former law clerk for Justice Anthony M. Kennedy of 
the U.S. Supreme Court and Judge Leonard I. Garth of the U.S. 
Court of Appeals for the Third Circuit. In the summer of 2009 
and 2010, he served as special counsel for Supreme Court 
nominations to Senator John Cornyn on the Senate Judiciary 
Committee.
    He has been a visiting professor at the University of 
Chicago Law School and the University of Pennsylvania Law 
School.
    He received his bachelor of science degree in engineering 
from Princeton and his master of science from Stanford. He 
earned his juris doctor from Harvard Law School.
    Mr. Salgado serves as Google's Director of Information 
Security and Law Enforcement Matters. He has also served as 
senior counsel in the Computer Crime and Intellectual Property 
Section of the U.S. Department of Justice. As a Federal 
prosecutor, he specialized in investigating and prosecuting 
computer network cases such as computer hacking, illegal 
computer wiretaps, denial of service attacks, malicious code, 
and other technology-driven privacy crime.
    He graduated from the University of New Mexico and received 
his law degree from Yale Law School.
    Each of you will be recognized for 5 minutes. Without 
objection, each of your full written statements will appear in 
the record after your statement has been completed.
    And also without objection, all Members' opening statements 
will be placed in the record as well.
    Ms. Tyrangiel, you are first.

    TESTIMONY OF ELANA TYRANGIEL, ACTING ASSISTANT ATTORNEY 
     GENERAL, OFFICE OF LEGAL POLICY, DEPARTMENT OF JUSTICE

    Ms. Tyrangiel. Thank you. Chairman Sensenbrenner, Ranking 
Member Scott, Chairman Goodlatte, Ranking Member Conyers, and 
Members of the Subcommittee, thank you for the opportunity to 
testify on behalf of the Department of Justice regarding the 
Electronic Communications Privacy Act, or ECPA. This topic is 
particularly important to the Department. We are pleased to 
engage with the Subcommittee in discussions about how ECPA is 
used and how it might be updated and improved.
    Since its inception, ECPA has sought to ensure public 
safety and other law enforcement imperatives, while at the same 
time ensuring individual privacy. It is important that efforts 
to amend ECPA remain focused on maintaining both of these 
goals.
    During any discussions of possible changes to ECPA, it is 
important to keep in mind its wide-ranging application and 
scope. The typical scenario that comes to mind is a law 
enforcement agency conducting a criminal investigation and 
seeking a target's e-mail from a service provider that makes 
its services available to the public. And indeed, ECPA is 
critical to all sorts of criminal investigations into murder, 
kidnapping, organized crime, sexual abuse, or exploitation of 
children, identity theft, and more.
    But the statute applies to all government entities, 
Federal, State, and local when they seek to obtain content or 
non-content information from a service provider. This means 
that the statute applies not only to criminal investigators but 
also when the government is acting as a civil litigator or even 
as an ordinary civil litigant. Moreover, the statute applies 
not only to public and widely accessible service providers, but 
also to non-public providers such as companies that provide e-
mail to their employees.
    Although ECPA has been updated several times since its 
enactment in 1986, many have noted--and we agree--that some of 
the lines drawn by the statute have failed to keep up with the 
development of technology and the ways in which we use 
electronic and stored communications. We agree, for example, 
that there is no principal basis to treat e-mail less than 180 
days old differently than e-mail more than 180 days old. 
Similarly, it makes sense that the statute not accord lesser 
protection to open e-mails than it gives to e-mails that are 
unopened.
    Acknowledging these things is an important first step. The 
harder question is how to update the statute in light of new 
and changing technologies while maintaining protections for 
privacy and adequately providing for public safety and other 
law enforcement imperatives.
    Personal privacy is critically important to all Americans 
and individuals around the world. All of us use e-mail and 
other technologies to share personal and private information, 
and we want it to be protected appropriately.
    Some have suggested that the best way to enhance privacy 
under ECPA would be to require law enforcement to obtain a 
warrant based on probable cause to compel disclosure of stored 
e-mail and similar stored content information from a service 
provider. We believe that this approach has considerable merit, 
provided that Congress consider contingencies for certain 
limited functions for which this may pose a problem.
    For example, civil regulators and litigators typically 
investigate conduct that, while unlawful, is not a crime. But 
criminal search warrants are only available if an investigator 
can show probable cause that a crime has occurred. Lacking 
warrant authority, civil investigators enforcing civil rights, 
environmental, antitrust, and a host of other laws would be 
left unable to obtain stored contents of communications from 
providers, if they could no longer use a subpoena.
    Reform efforts must also account for existing practices as 
to entities such as corporations that provide e-mail to their 
employees. Investigations of corporate malfeasance, both civil 
and criminal, have long been conducted by subpoena. For 
example, it is settled law that a government investigator may 
use a subpoena to obtain corporate records such as memoranda, 
letters, or even printed e-mails. It would be anomalous for 
ECPA to afford greater protection to electronic corporate 
records than to the identical records in hard copy. To be 
clear, it is decidedly not our view that subpoenas are blanket 
substitutes for warrants, but in the narrow context of 
corporate investigations, it is important to remember that 
subpoenas are the norm for obtaining business records, and 
creating a different standard for different means of 
communications would hamper many such investigations.
    Finally, we also believe that there are a number of other 
parts of the statute that may merit further examination as you 
consider ways to update and clarify the statute, and I have 
noted some of them in my written statement.
    The Department of Justice appreciates the opportunity to 
discuss this issue with the Subcommittee and I look forward to 
your questions here today.
    [The prepared statement of Ms. Tyrangiel follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                   __________

    Mr. Sensenbrenner. Thank you very much.
    Mr. Littlehale.

  TESTIMONY OF RICHARD LITTLEHALE, ASSISTANT SPECIAL AGENT IN 
     CHARGE, TECHNICAL SERVICES UNIT, TENNESSEE BUREAU OF 
                         INVESTIGATION

    Mr. Littlehale. Chairman Sensenbrenner, Ranking Member 
Scott, Chairman Goodlatte, and Ranking Member Conyers, Members 
of the Subcommittee, thank you for inviting me to testify. My 
name is Richard Littlehale and I am Assistant Special Agent in 
Charge of the TBI Technical Services Unit. I also serve on the 
Technology Committee of the Association of State Criminal 
Investigative Agencies and am representing their position 
today.
    I will make eight points very briefly, and I welcome your 
questions if you would like to explore them further.
    First, setting the standard necessary for government to 
obtain content is just the first step. We also have to make 
sure we can actually get it. To date, much of the attention 
given to the question of lawful access to stored content has 
focused on the level of proof required for law enforcement to 
obtain it. The reality is that legal barriers are not the only 
ones that keep communications records out of our hands. 
Technological barriers and a lack of a mandatory compliance 
framework regarding service provider response slow our efforts 
as much or more as a change in the standard of proof might. I 
urge you to ensure that whatever standard of proof you decide 
is appropriate, you also ensure that law enforcement can access 
evidence reliably and quickly.
    Second, timeliness and quality of service must be 
addressed. There is no requirement in current law that compels 
providers to respond in a timely fashion to our legal demands. 
Some respond relatively quickly but others do not. In 
particular, this sometimes prevents us from efficiently 
processing large volumes of leads like cybertips from the 
National Center for Missing and Exploited Children. In those 
leads, there may be an emergency, but we cannot know about it 
until we get the routine response back from the service 
provider. Speed is important. A reasonable legal mandate for 
responsiveness should be considered as a part of any ECPA 
reform proposal.
    Third, emergency provisions. Law enforcement must have 
rapid access to communications evidence in a life-threatening 
emergency, but that is not always the reality. The emergency 
provision in today's ECPA is voluntary for the providers, not 
mandatory. Even when emergency access is granted, there is no 
guarantee we will get the records immediately. In some cases, 
there is insufficient service provider compliance staff to 
process these requests quickly. In other cases, providers have 
chosen never to provide evidence in the absence of legal 
process no matter the circumstances, and the current emergency 
provision does not preclude this.
    Fourth, notification requirements. Requiring law 
enforcement to seek additional process to prevent providers 
from informing customers of the existence of a demand is a 
labor-intensive process. We urge the Committee to carefully 
balance the need for notification and reporting against the 
practical resource burden it places on law enforcement.
    Fifth, records retention. Some cellular service providers 
claim they do not retain text messages for any time at all or 
retain them for very short periods of time. Millions of texts 
are sent every day and some contain key evidence about criminal 
activity. I urge you to find a balance on retention policy that 
is not overly burdensome to service providers but that ensures 
that law enforcement can obtain access to critical evidence 
with appropriate legal process.
    Sixth, preservation. Preservation under section 2703 has 
been offered by some as an alternative to records retention, 
but some service providers have a stated policy of notifying 
customers of the demand unless a court tells them not to. A 
2703 preservation request does not allow law enforcement to 
gain access to information but merely ensures it exists when we 
serve appropriate process. There should be no customer notice 
for preservation.
    Seventh, the definition of content. Definitions of content 
and non-content information need to be clear and comprehensive. 
If Congress determines that any kind of content whatsoever 
requires a probable cause standard of access, then ECPA should 
define content explicitly and not infer it from less explicit 
definitions in other parts of the code.
    Finally, the volume of law enforcement legal demands. 
Recent media reports have expressed alarm that the number of 
law enforcement requests for communications evidence is 
growing. Of course, the requests are growing because today a 
rapidly growing percentage of the available evidence in any 
criminal case exists in the digital world.
    Google's transparency initiative puts the volume of law 
enforcement demands in perspective. In June of 2012, Google 
claimed 425 million individual account holders for its Gmail 
service. In the U.S., Google reported just over 16,000 
government requests affecting over 31,000 accounts. That means 
a tiny fraction of 1 percent of Google's accounts were affected 
by government demands, and given that there are 17,000 law 
enforcement agencies in the United States, on average there was 
less than one request for information per law enforcement 
agency per year for Google records. It is hard to conclude from 
these numbers that law enforcement demands were excessive.
    I will close by reemphasizing the importance of ensuring 
that law enforcement concerns about access to evidence become a 
central part of this ECPA reform discussion. My fellow 
electronic surveillance practitioners and I are well aware of 
the need to balance privacy and public safety, and we look 
forward to working with the Subcommittee to get ECPA reform 
right.
    Thank you for having me here and I look forward to your 
questions.
    [The prepared statement of Mr. Littlehale follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                   __________
    Mr. Sensenbrenner. Thank you very much.
    Professor Kerr.

     TESTIMONY OF ORIN S. KERR, FRED C. STEVENSON RESEARCH 
       PROFESSOR, GEORGE WASHINGTON UNIVERSITY LAW SCHOOL

    Mr. Kerr. Chairman Sensenbrenner, Ranking Member Scott, 
Members of the Subcommittee, thank you for the invitation to 
testify here this morning.
    I wanted to focus on the constitutional issues raised by 
the Stored Communications Act.
    As several of you noted in your opening statements, the 
leading cases so far in the lower courts indicate that the 
Fourth Amendment fully protects the contents of e-mail and 
other remotely stored files in the cloud, meaning that the 
constitutional standards or the standards adopted by the 
statute in 1986 are currently below the constitutional 
threshold. So one pressing reason to amend the statute is 
because the Constitution requires more privacy protection than 
current statutory law requires.
    The lower court case law is, as of yet, not fully 
developed. We have one significant decision from the Sixth 
Circuit Court of Appeals. We do not yet have a decision from 
the United States Supreme Court, and also we are still in the 
beginning stages of getting case law on fact patterns beyond e-
mail. So, for example, in addition to storing contents, 
remotely stored contents by e-mail, individuals may have stored 
Facebook messages, Google documents stored in the cloud, lots 
of information that is available on remote servers that does 
not fit the specific category of e-mail. The lower court cases 
so far suggest that they are also fully protected by the Fourth 
Amendment's warrant requirement, but as of yet, we do not have 
a lot of case law in the lower courts to indicate whether that 
is the case.
    I think it is correct, though. I think it is difficult to 
distinguish between e-mail, for example, and Facebook messages 
and documents in the cloud. In my view, they are all protected 
under the Fourth Amendment under the reasonable expectation of 
privacy test.
    The difficulty then with the existing statute is not only 
that it is below the constitutional threshold, but that because 
it is below the constitutional threshold, it actually becomes 
significantly harder for the constitutional protections to be 
recognized, thanks to the good faith exception under the Fourth 
Amendment when the government relies on a statute that allows a 
search or seizure. The key case here is another 1986 decision, 
Illinois v. Krull, which held that when the government 
reasonably relies on a statute that might be considered 
constitutional, the exclusionary rule does not apply under the 
good faith exception.
    What that means as a practical matter is that the existence 
of ECPA actually makes it harder to recognize constitutional 
rights. It actually cuts constitutional protection rather than 
adds privacy protection because the government under current 
law can rely on the good faith exception to rely on the statute 
to obtain contents with less process than a warrant. As the 
case law becomes more established, it will be harder for the 
government to do that. But ironically, the existing statute 
actually makes it harder for Americans to recognize their 
constitutional rights and to get those constitutional rights 
recognized in cases than there would be if there were no 
statute at all.
    Ultimately the ECPA statute was designed to fill in 
constitutional protections where at the time in the 1980's it 
was not clear how the Fourth Amendment would apply. So it may 
be as we get more and more case law establishing those Fourth 
Amendment protections, there is less and less of a need for 
statutory protections that regulate that same territory, and at 
the very least, it is important for those statutory protections 
to not be below the threshold of the constitutional protection 
in light of the good faith exception.
    I also wanted to address a few aspects of the Justice 
Department's testimony. I think it is very significant that the 
Justice Department is taking the view agreeing generally to the 
idea that there needs to be a rewrite of the statute and that 
there is merit to the idea of a general warrant requirement.
    The Justice Department's testimony suggests that there are 
two potential exceptions to that, one of which I think is 
justified and one of which I am skeptical about.
    The one that I think is justified is allowing a subpoena 
authority when the government is investigating a company and 
its own e-mail services in the corporate crime context where 
traditionally the Justice Department and State prosecutors as 
well have relied on subpoena authorities to investigate, say, a 
company engaged in some sort of white-collar crime. I think it 
makes a lot of sense to have an exception to the general 
warrant requirement for that particular context.
    On the other hand, I am skeptical about the idea of having 
civil discovery subpoenas widely used in the ECPA setting. I do 
not think we want to have our service providers turned into 
essentially places where anyone who files a civil lawsuit can 
go and get somebody else's e-mail to look through in a routine 
civil investigation. Maybe there are some reasons to treat 
Federal Government investigations differently in some cases, 
but I think it is dangerous to allow providers to be used in 
this way. In general, in civil litigation, it should be the 
people go through the parties not through service providers.
    I thank you and I look forward to your questions.
    [The prepared statement of Mr. Kerr follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                   __________

    Mr. Sensenbrenner. Thank you very much.
    Mr. Salgado.

  TESTIMONY OF RICHARD SALGADO, DIRECTOR, LAW ENFORCEMENT AND 
               INFORMATION SECURITY, GOOGLE, INC.

    Mr. Salgado. Chairman Sensenbrenner, Chairman Goodlatte, 
Ranking Member Scott, Ranking Member Conyers, and Members of 
the Subcommittee, thank you very much for the opportunity to 
appear before you this morning.
    I am Richard Salgado. As Director for Law Enforcement and 
Information Security at Google, I oversee the company's 
compliance with legal requests for data, including those 
submitted under the Electronic Communications Privacy Act of 
1986, otherwise known as ECPA.
    In the past, I worked on ECPA issues in my capacity as 
senior counsel in the Computer Crime and Intellectual Property 
Section in the Department of Justice.
    In 2010, I appeared before what was then the House 
Judiciary Subcommittee on the Constitution, Civil Rights, and 
Civil Liberties. When I spoke then, I highlighted the numerous 
ways in which the Internet has contributed to our economy and 
our society as a whole.
    Today, not surprisingly, the impact is greater. In addition 
to the millions of jobs that have been created, the Internet 
economy accounts for almost 5 percent of our gross domestic 
product, according to a recent Boston Consulting Group study. 
The Internet has put information and opportunity at the 
fingertips of millions of users, and we need updated laws to 
allow this ecosystem to continue growing.
    On a nearly daily basis, I see the challenges created by 
ECPA. In 2010, Google launched a Transparency Report which 
details the volume of requests for user data that we receive 
from government entities. In the last half of 2012, the number 
of requests Google received from government agencies in the 
United States in criminal cases more than doubled compared to 
the same period in 2009.
    ECPA was passed in 1986 when electronic communications 
services were in their infancy. With the dramatic changes that 
we have seen since then, the statute no longer provides the 
privacy protection that user of these services reasonably 
expect. And one example that the Committee may already be 
familiar with is from the ECPA rules around compelled 
disclosure of e-mail. As a general rule, law enforcement under 
the statute needs to obtain a warrant to compel an electronic 
communications service provider to disclose content that is 
held in electronic storage, as that term is defined in the 
statute, for 180 days or less. Once that message becomes 181 
days old, it loses that level of statutory protection and a 
government entity can compel its disclosure with a mere 
subpoena which, of course, is issued on a much lower standard 
than a search warrant and without any judicial review.
    I will also note that the Department of Justice has taken 
the position that government can use a subpoena to compel the 
production of e-mail that has been opened even if it is younger 
than 181 days. It is a position that has been rejected by one 
court of appeals in the Federal system.
    If one could discern a policy rationale for this 180-day 
rule in 1986, it is not evident any longer and contravenes 
users' reasonable expectations of privacy. We are encouraged to 
hear that the Department of Justice seems to acknowledge this 
as well.
    In fact, the Sixth Circuit in the latter part of 2010 held 
that ECPA violates the Fourth Amendment to the extent that it 
allows government to use legal process less than a warrant to 
compel the production of content from a service provider. 
Google believes this is correct, and to the extent ECPA 
provides otherwise, it is unconstitutional.
    The 180-day rule reveals the gap between where the statute 
is and where users' reasonable expectations of privacy lie. The 
privacy protection afforded to e-mail content from law 
enforcement should not vary based on a communication's age or 
its opened state. ECPA should be updated to require a warrant 
to compel the production of any content. Updating ECPA should 
be a top privacy priority for the 113th Congress.
    And Google is not alone in taking this view. More than 80 
companies and organizations that span the political spectrum 
are now members of the Digital Due Process Coalition which 
supports updating ECPA. And these include Americans for Tax 
Reform, the American Civil Liberties Union, the Center for 
Democracy & Technology, the Competitive Enterprise Institute, 
and the U.S. Chamber of Commerce. Notably, these organizations 
do not always agree on other privacy issues, but they are 
united in the effort to support updated provisions in ECPA for 
the requirement of a warrant for the production of content.
    As the benefits of Internet computing become more obvious, 
including the data security benefits, the growth of the 
Internet should not be artificially slowed by outdated 
technological assumptions that are currently baked into part of 
ECPA. And the progression and innovation in technology should 
not be hobbled by pre-Internet ECPA provisions that no longer 
reflect what users should expect.
    We look forward to working with the Subcommittee and the 
full Judiciary Committee and Congress as a whole to update the 
statute.
    Thank you for your time and consideration. I would be happy 
to answer any questions.
    [The prepared statement of Mr. Salgado follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                                   __________

    Mr. Sensenbrenner. The time of the gentleman has expired.
    The Chair will withhold his questions until the end and now 
recognizes the gentleman who is the Chairman of the full 
Committee, the gentleman from Virginia, Mr. Goodlatte.
    Mr. Goodlatte. Thank you, Mr. Chairman.
    Let me direct this question to each of you. To obtain a 
document from someone's home requires a warrant. When the same 
person gives and stores that document with another person or a 
company, a subpoena can be used to obtain it.
    What is an individual's expectation of privacy when 
electronic documents are stored with third parties? Why should 
stored electronic communications be treated any differently 
under the Fourth Amendment?
    We will start with you, Ms. Tyrangiel. Is that how you 
pronounce your name?
    Ms. Tyrangiel. Tyrangiel.
    Mr. Goodlatte. Sorry. Thank you.
    Ms. Tyrangiel. That is okay.
    So as to what can be obtained in what circumstances, the 
Fourth Amendment is very fact-specific and dependent on 
circumstances. So with that caveat, in obtaining documents from 
someone's home, certainly if there is a desire to go in and 
compel that document, there can be a search warrant used. You 
can also subpoena people to bring you documents that they have 
in their home. So depending on the circumstances, even in the 
paper world, there can be permutations of what rules apply.
    With respect to what the standard should be for electronic 
communications, we have suggested that many have advocated on 
behalf of a warrant requirement for the government to compel 
stored communications from providers. And in those 
circumstances, as a general matter, we think that idea has some 
merit, and we understand the appeal of that.
    Mr. Goodlatte. Let me interrupt because I have got a lot of 
people and a couple more questions.
    Mr. Littlehale.
    Mr. Littlehale. Mr. Chairman, I welcome the question, and I 
would suggest that it suggests that even beyond ECPA, search 
warrant law, statutory search warrant law, in general is also a 
little bit behind the times in terms of technology. For 
example, if I serve a search warrant on a residence, then it is 
up to me and the fellow agents to determine what we are going 
to take. We decide what we are going to get and we get it and 
we leave in a quick fashion or as quick as we choose to, as 
quick as we choose to expedite that warrant.
    On the other hand, even if the Committee chooses that law 
enforcement needs probable cause to obtain these records, we 
are at the mercy of the service providers to determine how long 
it is going to take them to comply with that request.
    So in keeping with my testimony, I would suggest that 
whatever the level of standard of proof, the thing that really 
matters most to those of us in State and local law 
enforcement----
    Mr. Goodlatte. Is prompt response.
    Mr. Littlehale [continuing]. Is prompt response.
    Mr. Goodlatte. Professor Kerr?
    Mr. Kerr. Mr. Goodlatte, the answer in the physical world 
would really depend on whether the documents that you handed to 
the other person were sealed or not. If it is an open set of 
documents, you would be relinquishing your expectation to 
privacy. The government could get that information from the 
other person without a warrant. If it is sealed documents, for 
example, in a sealed envelope or a sealed box, then it would be 
protected.
    Mr. Goodlatte. So if it is stored in the cloud but no one 
else--is that the equivalent of a sealed document?
    Mr. Kerr. Yes, I think it is the equivalent of a sealed 
document, and that is the right analogy that the Warshak court 
adopted.
    Mr. Goodlatte. Thank you.
    Mr. Salgado.
    Mr. Salgado. Mr. Chairman, we do not see a distinction 
there. There needs to be Fourth Amendment protection to 
documents that a user stores in the cloud just the same as if 
they had stored them in their office or their home. The 
reasonable expectation to privacy of the Fourth Amendment 
requires that result, and we would like to see ECPA updated to 
reflect that.
    Mr. Goodlatte. All right.
    And then to follow up on Professor Kerr's statement, we 
will ask both of you. So is there a diminished expectation of 
privacy when a document is stored in the cloud but multiple 
people have access to it for editing purposes or for whatever 
purpose?
    Mr. Kerr. No, there is no diminished expectation of privacy 
in the same way that there would be in--if you live with 
several other people in your home, there is still warrant 
protection for the home. In the physical world, the slight 
exception to that would be that other people who share the 
space can consent to the government going in and looking at 
your stuff.
    And where ECPA plays an important role is in section 2702, 
limiting the ability of the provider--that is the sort of third 
party there--from voluntarily disclosing information to the 
government. So it is a very important protection that 
effectively recognizes the fact that in the cloud, it is the 
provider who has access to the information and also the user 
who has access.
    Mr. Goodlatte. Very good.
    And, Mr. Salgado, would you elaborate on some of the ``in 
the cloud'' services that are currently being marketed by 
Google and by others? And will a higher standard for law 
enforcement to access the information stored in the cloud make 
such a service more attractive to consumers? And similarly, 
will it make it more attractive to criminals?
    Mr. Salgado. Thank you, Mr. Goodlatte.
    The answer is yes. The services that we offer are very 
popular. But the failure of current law to keep up with the 
reasonable expectation of privacy has been a drag on the 
adoption of these services, and there is certainly resistance 
to it both in the United States but also from markets outside 
of the United States where customers may be concerned that the 
U.S. Government has access to the materials with a standard 
that is lower than what they ought to expect--the users ought 
to expect.
    Some of the services that we can point to as examples of 
this include, of course, the Gmail product, but there are also 
other services like our YouTube video upload and viewing 
service; Docs, which allows users to collaborate on the 
drafting and editing of documents; Blogger, which is a very 
popular site for the publication of blogs which can at times be 
private or shared among a limited group of people.
    Mr. Goodlatte. What about criminals?
    Mr. Salgado. I am sorry?
    Mr. Goodlatte. Criminals, the other part of my question.
    Mr. Salgado. Well, we have certainly recognized that the 
services we offer can be misused. There are some miscreants out 
there who will, whatever communications service is available, 
find ways to turn it against the good. And we are very much in 
favor of an amendment to ECPA that still allows law enforcement 
to conduct the investigations it needs and to fulfill its 
important responsibilities.
    Mr. Sensenbrenner. The gentleman from Virginia, Mr. Scott.
    Mr. Scott. Thank you, Mr. Chairman.
    I would like to follow up on this, Mr. Salgado. Do people 
generally know where the e-mail is physically stored and should 
that make a difference in terms of the privacy expectations?
    Mr. Salgado. Mr. Chairman, I do not think people 
necessarily know where their e-mail is stored. Part of the 
reason for that, of course, is the, if you will, magic of the 
cloud as it is, which is by having data spread throughout lots 
of data centers in different locations, even the existence of a 
single e-mail may itself have been scattered among different 
data centers to provide for security, for robust services, to 
reduce latency. The rules around disclosure of the data should 
not have anything to do with the location of it, which is, in 
some sense, driven by the physics and architecture of the 
Internet and not by choice of users or companies. It is more to 
make----
    Mr. Scott. And should that affect the expectation of 
privacy? I mean, you would expect the e-mail to be private, 
whatever Google does with it.
    Mr. Salgado. That is right. We agree with that, that the e-
mail ought to be private regardless of where it is located and 
the state of its storage or the age of the message itself.
    Mr. Scott. Professor Kerr, you mentioned the case law as 
being worked on through the courts. How much of that case law 
is statutory interpretation, which we could clearly clarify, 
and how much of it is constitutional law that we would have no 
control over?
    Mr. Kerr. Well, the case law that I was referring to was 
constitutional case law. So we have the Sixth Circuit Court of 
Appeals, a few district courts, a few State intermediate 
courts. Those are Fourth Amendment interpretations governing e-
mail which, of course, Congress could not change.
    Mr. Scott. Thank you.
    Mr. Littlehale, you referred to content and said you might 
want to say a little bit more about it. Are there different 
levels of information that we are talking about whether it is 
the fact that the e-mail was sent or the content of the e-mail 
and there ought to be possible different standards for that?
    Mr. Littlehale. Well, the first level of categories that I 
would suggest we need to be cautious of, as we reform ECPA, is 
making a clear distinction between the actual content of a 
communication, the substance of the communication, and 
signaling and routing information, stored transactional 
information, that law enforcement can use, we believe, at a 
lesser standard whether it is determined the pattern of contact 
between two individuals, what communications technologies they 
are using, use that as a component of probable cause to further 
our investigation. So in my oral remarks, I was referring to 
clarifying the standard of content so whatever the level of 
access we determine for content, we are sure what content is.
    Mr. Scott. Ms. Tyrangiel, is there a problem now with the 
emergency provisions in getting information?
    Ms. Tyrangiel. That is not something on which we have an 
Administration position here today. We are certainly happy to 
talk further with you about the robustness of the emergency 
provisions and whether any situation----
    Mr. Scott. You have access to information on an emergency 
basis now. You can skip a couple of steps if there is, in fact, 
an emergency. Has that been a problem?
    Ms. Tyrangiel. So currently the law allows for an exception 
for life and limb, essentially when there is physical harm or 
danger to physical life. With respect to Mr. Littlehale and the 
additional emergencies that might be necessary, we do not have 
a position on that right now, but we are eager to discuss the 
matter with Congress and with the Subcommittee and find a way 
forward.
    Mr. Scott. Is there any problem with--in civil litigation 
you can get a lot of information that may not have been able to 
be obtained on a criminal warrant. If someone obtains 
information through civil litigation, can that be converted 
into criminal evidence?
    Ms. Tyrangiel. So with respect to what we are suggesting 
that Congress consider, there would be much opportunity--and, 
in fact, there would need to be an opportunity--to consider the 
means by which information could be used between civil and 
criminal; that is, in suggesting that there be an opportunity 
for civil components to obtain contents of e-mail, there would 
still need to be discussions about how the practicalities of 
that would play out. So there are currently--and it depends on 
context--ways in which information is passed from civil to 
criminal, but it need not always be the case depending on the 
situation.
    Mr. Scott. Thank you, Mr. Chairman.
    Mr. Sensenbrenner. Thank you.
    The gentleman from North Carolina, Mr. Coble.
    Mr. Coble. Thank you, Mr. Chairman, and thank you for 
calling this hearing, Mr. Chairman.
    I thank the witnesses for appearing.
    I was going to start with Chairman Goodlatte's first 
question. So you beat me to the punch, Bob. Let me go to 
another.
    Mr. Littlehale, is there any evidence at all that even 
hints that the current law in place since 1986 has in any way 
inhibited either the development or the use of the Internet or 
other technologies?
    Mr. Littlehale. I am not aware of any, no, sir.
    Mr. Coble. Any other witnesses? Professor?
    Mr. Kerr. I think it is a difficult question to answer 
because, of course, it is a counter-factual issue. We do not 
know what the world would look like if the statute were 
different. So I think it is just a difficult question to answer 
one way or the other.
    Mr. Coble. Thank you, sir.
    Anybody else want to be heard on it?
    Mr. Salgado. For companies like Google--and there are 
others--that have been following Warshak for a couple of years, 
we actually have seen what the world looks like where there is 
a warrant requirement for content. So we have had that for a 
couple years now. I am not aware of this presenting any 
difficulties in any context.
    Mr. Coble. I thank you for that.
    Mr. Littlehale, this may have been discussed, but let me 
try it again if it has. Do heightened legal standards result in 
a slower police response which may have real life or death 
consequences? And if so, give me an example.
    Mr. Littlehale. Well, sir, let me begin by saying that the 
case that was discussed earlier--Tennessee is in the Sixth 
Circuit. So for us now we live under a probable cause standard 
for all stored content.
    Having said that, in talking with practitioners across the 
country, there are some who believe that the 180-day 
distinction is appropriate and should remain and others who do 
not.
    I will say that, again returning to my earlier point, 
anytime you talk about raising the level of proof, in some 
cases you do reduce the number of leads we can process in the 
same amount of time. If that is the will of Congress, certainly 
we will operate within those parameters, but we also would urge 
you that if there are going to be proof--you know, the levels 
of proof are going to be raised and we are going to be able to 
process a large number of leads a little bit slower in that 
context, that if you can give us assistance in these other 
areas, timeliness of service provider respond, records 
retention, and so on, then that will allow us to contract the 
investigative timeline and make sure that we are able to 
perform our responsibilities even with a higher standard.
    Mr. Coble. I thank you, sir.
    Anyone else want to be heard on that?
    Thank you all for being with us today.
    Thank you, Mr. Chairman. I yield back.
    Mr. Sensenbrenner. Thank you.
    The gentleman from Louisiana, Mr. Richmond.
    Mr. Richmond. Thank you, Mr. Chairman and Ranking Member, 
especially for calling this meeting today.
    And I would just pick up where you left off because, Mr. 
Littlehale, I have heard you mention timeliness of response a 
number of times. So I guess my question would be if we went to 
almost like a subpoena-type model for some things, would it not 
be up to you all to request the return or a judge to give that 
date by which the provider has to respond to the subpoena?
    Mr. Littlehale. Well, sir, partly that depends on which 
statute we are proceeding under. Under ECPA, there are 
provisions for State orders to have federally expansive effect. 
That is going to vary from State to State, whether we are 
permitted to require a certain response or not. I am certainly 
aware of a number of instances over the course of my career 
where, regardless of what the court order said on it or what 
the subpoena said on it, the response was still delayed. And 
frankly, again as a practical matter as a practitioner, is it 
worth my taking my time and prosecutors' time away from 
investigations in order to seek a motion for a show cause 
hearing and try to bring a provider into town? Very often we 
just do not have the time to do that. So often we just live 
with what we can get. So regardless of the level of process, a 
universal mandate for some more structured form of service 
provider response is critical to our effectiveness.
    Mr. Richmond. Right, but it would still have to have teeth 
in it. I mean, we can have a mandated time that they have to 
respond, but if you are telling me that if they ignore it, you 
have to make a decision whether it is worth your time and 
energy and using an agent to go to court to do a motion to 
compel or a contempt hearing, then whether we put a date in or 
not, you would still have to make that decision.
    Mr. Littlehale. Yes, sir. I think a mandate would have 
several benefits. First, it would allow all service providers 
to build to the same standard as opposed to the situation we 
have now where some make different corporate choices than 
others and may be penalized because of it.
    The truth is we would prefer to work with the service 
providers and, of course, the law enforcement electronic 
surveillance community has historically. We would rather 
resolve this in a cooperative manner and find a mandate that 
they could all build to rather than making an adversarial 
situation because the truth is we depend on these people every 
day to partner with us, save the victims, and get us the 
information we need.
    Mr. Richmond. Now, anyone can answer this question because, 
in fact, we are talking about the subpoena aspect of it now.
    One thing that I like about subpoenas, at least in my 
practice, is that if the person whose records you are asking 
for feels that it is just a fishing expedition or some other 
violation of their rights, they have an option to file a motion 
to quash or go see a judge or a court of jurisdiction to say, 
you know, this is just a fishing expedition and I do not want 
to do it, and then have a judge make a determination. How do 
you all envision encompassing that same protection, the same 
right, in what we are talking about now? Mr. Kerr.
    Mr. Kerr. I think it depends on whether we are discussing a 
probable cause-like regime, a traditional warrant approach, or 
a subpoena that is not based on probable cause. If it is a 
subpoena approach, then generally there would need to be some 
prior notice. The current ECPA statute allows for prior notice, 
requires prior notice when the government is pursuing a 
subpoena, but then allows for delayed notice which, 
unfortunately, is obtained in the routine case. As a result, 
nobody ever finds out that their e-mails are being accessed or 
at least does not find out until much later if they are 
ultimately notified. As a result, you do not see those 
challenges which should be available.
    Under the warrant authority--and this is, I think, a 
complex question--if the government proceeds under the warrant 
authority, what notice should there be? The current statute 
says if the government obtains a probable cause-based warrant, 
there is no notice requirement. Of course, there is notice to 
the provider, but not to the user.
    Mr. Richmond. Right. Well, under a warrant, the theory is 
that you have an independent person who has looked at it and 
determined that, one, it is reasonable; two, there is probable 
cause and it is not a fishing expedition.
    So now my question is with the delayed notice, what 
standard is there for law enforcement to ask for and receive 
the ability or permission to do delayed notice as opposed to 
immediate--allowing the provider to immediately notify someone 
that their e-mails have been requested, seized, searched, or 
whatever.
    Mr. Kerr. The exact phrasing of the statute is--I cannot 
recall off the top of my head, but it is essentially if it 
would interfere with an ongoing investigation. And of course, 
notice to a suspect could interfere with a lot of 
investigations possibly. So that is obtained, unfortunately, 
pretty routinely. And the notice requirement written into the 
statute, unfortunately, ends up being a non-notice requirement 
in practice.
    Mr. Richmond. Well, I see my time has expired.
    Ms. Tyrangiel, if you could just, at some point, think 
about--and you do not have to answer it now--just how do we do 
it in the regulatory scheme in terms of enforcement without 
hampering the government's ability.
    Thank you, Mr. Chairman.
    Mr. Sensenbrenner. If Ms. Tyrangiel, the Justice Department 
can answer Mr. Richmond's question promptly, without objection, 
we will put that answer in the record because all of us would 
like to know that.
    The gentlewoman from California, Ms. Chu.
    Ms. Chu. Thank you, Mr. Chair.
    Ms. Tyrangiel, in your testimony you raise the point that 
if ECPA is amended to require the government to get a warrant 
to compel a service provider to disclose private 
communications, that this would hinder civil investigations. 
And you say that since civil regulators and litigators lack 
warrant authority, they would be left unable to obtain stored 
contents of communications from providers.
    I am trying to understand the scope of the problem if this 
is the case. Do you know how frequently civil investigators try 
to obtain information from third party service providers? Why 
could they not just get a subpoena for e-mails directly from 
the party? And in fact, would it not be more likely the case 
that they would do such a thing? In other words, is the 
frequency more or less than the requests for criminal 
investigators?
    Ms. Tyrangiel. So thank you for that question.
    There are a couple of reasons why going to a subscriber 
directly is not a reliable way of always getting the content 
that is being sought. One is there are times when the 
subscriber has gone out of business, is bankrupt, is deceased. 
Another reason is that occasionally or with some frequency a 
subscriber will deny ownership of the account or of the 
communications at issue. And a third is that there are also 
those who would violate the law may be tempted to destroy 
rather than hand over evidence to the government. So those are 
a couple of reasons why going to a subscriber directly does not 
solve the problem.
    And perhaps a couple of examples would point this out. For 
instance, in a civil civil rights investigation, if a landlord 
sends racially harassing texts to tenants and the tenants 
delete them because they recoil and their first instinct is to 
get them off their phone, and the landlord denies having sent 
those e-mails and denies ownership of the account, the Stored 
Communications Act is going to govern whether the government 
can get those e-mails.
    In the False Claims Act context, when the civil division is 
seeking information about a fraud perpetrated on the government 
and wants to get e-mails that it has reason to believe exist 
that show the fraud was perpetrated but the corporation says we 
do not actually use e-mail for business purposes, the Stored 
Communications Act is going to govern that as well.
    So I could provide additional examples, but those are the 
sorts of ways in which civil investigations and suits would be 
impacted.
    Ms. Chu. Well, for e-mail in transit, you have to have a 
warrant. For e-mail in storage, you have to have a warrant. For 
e-mail in remote storage stored for 180 days or less, you have 
to have a warrant. So do you not have to have probable cause 
anyway?
    Ms. Tyrangiel. So the laws of ECPA are somewhat complicated 
on this point. That is, with respect to e-mail that is older 
than 180 days and opened or unopened, a subpoena under ECPA 
would suffice. With respect to e-mail that is unopened and 
younger than 180 days, you would need a warrant, and with e-
mail that is opened and younger than 180 days, ECPA provides 
for a subpoena.
    Now, there is case law that is layered on top of that, but 
there are different rules that apply in different scenarios. 
And one of the things that we have said in our written 
testimony is we recognize that these 180-day rules and the 
opened/unopened distinctions have not kept pace with the way 
technology is used today.
    Ms. Chu. Yes, but my point is you have had to prove 
probable cause for these other cases that are 180 days or less.
    Ms. Tyrangiel. So in a small category of cases under ECPA, 
there is currently a warrant requirement, but in a larger 
category of cases under ECPA, there is the subpoena 
requirement.
    If your question is how, after Warshak, the Department is 
operating, the answer in part is that civil components are 
already feeling this harm, and it is harmful.
    Ms. Chu. Well, do you have a solution to deal with this 
disparity between the civil and criminal investigations?
    Ms. Tyrangiel. So we are asking that Congress--or 
suggesting that Congress could consider formulating a 
contingency to ensure that civil regulators and litigators can 
do their work effectively. We do not have a specific proposal 
on that here today, but we are eager to discuss that further 
with you as you move forward.
    Ms. Chu. And, Mr. Salgado, do you have a sense for how many 
requests received by Google are from civil investigators?
    Mr. Salgado. Chairwoman, we do not have a specific breakout 
for those types of requests. I can tell you that Google would 
not honor subpoenas for the production of content from 
government agencies, civil or criminal. Our understanding is 
that the civil agencies get the content through other means, 
more precisely through the customer directly, after subpoenaing 
Google to identify who the subscriber is.
    Mr. Sensenbrenner. The gentlewoman's time has expired.
    The gentleman from Texas, Mr. Gohmert.
    Mr. Gohmert. Thank you, Mr. Chairman.
    Thank you to the witnesses. Professor Kerr, nice to see you 
back.
    Mr. Salgado, I was curious. Does Google not sell 
information acquired from e-mails to different vendors so that 
they can target certain individuals with their promotions?
    Mr. Salgado. Mr. Congressman, no, we do not sell e-mail 
content. We do have a system, similar to the system we use for 
scanning for spam and malware, that can identify what type of 
ads are most relevant to serve on e-mail messages. It is an 
automated process. There is no human interaction, and certainly 
the e-mail is not sold to anybody or disclosed.
    Mr. Gohmert. So how do these other vendors get our e-mail 
and think that we may be interested in the products they are 
selling?
    Mr. Salgado. They do not actually get your e-mail. What 
they are able to do is, through our advertising business, be 
able to identify key words that they would like to trigger the 
display of one of their ads, but they do not get information 
about who the user is or----
    Mr. Gohmert. Okay. Well, that brings me back. So they get 
information about key words in our e-mails that they use to 
decide who to send promotions to, albeit it automatically done. 
Correct?
    Mr. Salgado. The e-mail context is used to identify what 
ads are going to be most relevant to the user.
    Mr. Gohmert. Do they pay for the right or the contractual 
ability to target those individuals that use those key words?
    Mr. Salgado. I might phrase that slightly differently, but 
the gist is correct, that advertisers are able to bid for the 
placement of advertisements to users who our system has 
detected might be interested in the advertisement.
    Mr. Gohmert. Okay. So what would prevent the Federal 
Government from making a deal with Google so they could also 
scroogle people and saying I want to know everyone who has ever 
used the term ``Benghazi'' or I want everyone who has ever used 
a certain term? Would you discriminate against the government 
or would you allow the government to know about all e-mails 
that included those words?
    Mr. Salgado. Sir, I think those are apples and oranges. I 
think the disclosure of the identity----
    Mr. Gohmert. Well, I am not asking for a fruit comparison. 
I am just asking would you be willing to make that deal with 
the government, the same one you do with private advertisers, 
so that the government would know which e-mails are using which 
words.
    Mr. Salgado. Thank you, sir. I meant by that that it is not 
the same deal that is being suggested there. We certainly would 
not----
    Mr. Gohmert. But I am asking specifically if the same type 
of deal could be made by the Federal Government, heck, the same 
Government that will make a commercial and pay for it to air 
overseas saying we had nothing to do with the video, which we 
know now had nothing to do with Benghazi, but if that same 
government will spend tens of thousands of dollars to do a 
commercial, they might under some harebrained idea like the 
idea of cutting a deal with Google to get all the addresses, 
all the e-mail addresses that use certain words. Could they not 
make that same kind of deal that private advertisers do?
    Mr. Salgado. We would not honor a request from the 
Government for such a----
    Mr. Gohmert. So you would discriminate against the 
Government if they tried to do what your private advertisers 
do.
    Mr. Salgado. I do not think that that describes what 
private advertisers----
    Mr. Gohmert. All right. Does anybody here have any--
obviously, you are doing a good job protecting your employer. 
But does anybody have any proposed legislation that would 
assist us in what we are doing?
    I see my time is running out. I would be very interested in 
any phrase, any clauses, any items that we might add to 
legislation or take from existing legislation to help us deal 
with this problem because I am very interested and very 
concerned about our privacy in our e-mail.
    Mr. Sensenbrenner. If the gentleman will yield, I am sure 
as this debate goes on, we will be getting a lot of advice from 
a lot of different sources, some of which will be trying to 
twist the law in favor of somebody or another. So stay tuned.
    Mr. Gohmert. And just so that the simpletons that sometimes 
write for Huffington Post understand, I do not want the 
Government having all that information.
    Thank you. I yield back.
    Mr. Sensenbrenner. With a point of personal privilege, my 
son writes for the Huffington Post. [Laughter.]
    Mr. Gohmert. Well, then maybe he is not one of the 
simpletons I was referring to.
    Mr. Sensenbrenner. He does have a Ph.D.
    The gentlewoman from California, Ms. Bass.
    Ms. Bass. Thank you, Mr. Chair.
    I wanted to ask a couple of questions, one of Mr. Salgado 
from Google. You said that the criminal cases that are 
investigated have doubled the requests, and I was wondering if 
you could give me some examples of the type of cases and then 
also why do you believe that the numbers have doubled.
    Mr. Salgado. Thank you, Congresswoman.
    The types of cases that we see come in in the form of legal 
process are a huge variety of cases. Certainly the cases you 
would be very familiar with, you might have seen press reports 
on, those types of cases are very common, kidnapping cases, 
child exploitation, fraud cases. You could almost open up title 
18 of the U.S. Code and walk through it, and at some point in 
the history of Google, there will have been some request about 
one of those crimes charged there.
    I must say that the legal process we receive very rarely 
describes the case that is under investigation. So on your 
average legal process, we do not actually know what the crime 
is that is under investigation.
    As to the second part of the question as to why we might 
have seen such an increase, it is a little bit speculative. I 
think part of that, though, is likely the result of the fact 
that our user base has grown, and as a necessary sort of result 
of that or inevitable result of that, there is going to be some 
more accounts that are used or have evidence relating to 
criminal conduct.
    Ms. Bass. Thank you. I appreciate this.
    And this might be for you or it also might be for Ms. 
Tyrangiel. You know, there is the Web site Backpage, and 
Backpage everybody knows is involved in sex trafficking and 
especially sex trafficking of minors. And I wanted to know how 
we can get at that. So, for example, if anybody monitors 
Backpage, there are e-mails that go back and forth requesting 
the services of the females that are advertised there, and what 
role can the Justice Department have in terms of trying to shut 
that down where you know it is taking place. And I do not know 
if the Federal Government routinely investigates that or what. 
I know that Craigslist used to do the same type of advertising 
and they stopped after public pressure, but because of First 
Amendment rights, of course, it is difficult to shut it down. 
But when we know that there is criminal behavior taking place 
and it is on display.
    Ms. Tyrangiel. Thank you for that question.
    I am not sufficiently versed with the specific facts of 
Backpage to answer to that circumstance with particularity, and 
if there were an ongoing investigation, I would not be able to 
speak about it in any event.
    But I can tell you with respect to sex trafficking and 
other sorts of crimes that the Government is investigating and 
trying to learn more about, the Government depends not only on 
the kind of content that we have been talking about here today, 
but also non-content information that forms the building blocks 
of investigations. And part of why ECPA is so important and 
part of why all the reform efforts should take into account not 
only privacy but also government needs and its law enforcement 
needs is because it is used with such breadth and it is used 
for non-content, it is used for content, it is used for civil 
cases, it is used for criminal cases and then within those 
categories for a wide variety of things.
    Ms. Bass. What do you mean by non-content?
    Ms. Tyrangiel. Non-content can range all the way from basic 
subscriber information and things like that to information 
about the way people use--sort of the traffic that they use. 
And there are different standards that apply to different kinds 
of non-content. But these are the sorts of things that can form 
the building blocks of investigations that allow us to focus on 
the right people, that allow us to free others from suspicion, 
and then allow us to build to probable cause to a place where 
we can go get a search warrant or where we can make an arrest.
    Ms. Bass. One of my concerns about the females or the 
girls, I should say, because they are not adults is that many 
of them are in the child welfare system. And so that means 
technically the government has removed them from a home which 
means we are in charge. And so I am wondering if there is any 
coordination between the Federal Government and--well, DOJ 
rather and child welfare departments.
    Ms. Tyrangiel. Certainly I am aware of coordination that 
occurs between Federal law enforcement and State jurisdictional 
enforcement so that they are talking to each other. So I think 
there is some coordination going on with respect to that. 
Whether there is direct communication between the Federal 
authorities and the child welfare authorities I cannot speak 
to, but I am happy to try and find out more and get back to 
you.
    Mr. Sensenbrenner. The gentlewoman's time has expired.
    The Chair will recognize himself for a final series of 
questions.
    Let me say that to amend ECPA, we are going to need to have 
a balancing act, which means that neither law enforcement nor 
the service community are going to get everything they want. I 
would say let me admonish you and others who may be in the 
audience that trying to do a balancing act to come up with 
something that protects the privacy of Americans, as well as 
allows law enforcement to do their job, particularly against 
people who use the Internet for criminal purposes, is going to 
be kind of a tough nut to crack. We tried it in the last 
Congress, and we were not able to get the ball over the goal 
line.
    Let me say that I think the different standards between a 
warrant and a subpoena is outdated and probably 
unconstitutional. And I think we are going to have to require a 
warrant with probable cause on most of the stuff that you can 
get from a subpoena, at least in criminal investigations, maybe 
not so in the civil ones, but at least in the criminal 
investigations.
    I also think that 180 days is too short to require the 
retention of material. And I would like to ask you both, Ms. 
Tyrangiel and Mr. Littlehale, what time do you think we ought 
to have in terms of requiring a service provider or somebody 
who stores e-mails in the cloud to retain that material? And I 
recognize that this will just be an arbitrary time just like 
the 180 days is.
    Ms. Tyrangiel. Well, I will start by saying that data 
retention is a very complicated and tricky issue. It is not 
something----
    Mr. Sensenbrenner. Believe me, we know that. [Laughter.]
    Ms. Tyrangiel. And certainly law enforcement's ability to 
get data is very important.
    The 180-day rule, I might also comment, has frankly in ECPA 
to do with sort of the ability to use----
    Mr. Sensenbrenner. Can you just give me a time period? At 
least we know what we are talking about then.
    Ms. Tyrangiel. I cannot today, but we are eager to discuss 
with you and understand that part----
    Mr. Sensenbrenner. I am sorry that you cannot today.
    Mr. Littlehale.
    Mr. Littlehale. Let me suggest, Mr. Chairman, that the 
answer to that question is linked to service provider 
timeliness because in many instances in these cases, for 
example, in the commercial and sexual exploitation of children 
case that we were just discussing, there are many layers of 
service providers that we have to jump through to identify that 
child victim. And so if I know that I am going to get those 
responses back in 7 days each time or in 3 days each time, then 
I do not need the records retained as long because I might not 
know, until I get two or three layers of subpoena responses or 
search warrant responses back, where I need to send a 
preservation request. If, however, those times are allowed to 
continue to be a month or 2 months, then my answer would be 6 
months or a year in many cases because it might take us that 
long to get to the records we need.
    Mr. Sensenbrenner. Okay.
    Now, I have a question for Ms. Tyrangiel. The Fourth 
Amendment recognizes emergency exceptions. Why does DOJ not 
have a position on looking at or defining the life or limb 
exception? I think that it would be very advisable to codify 
that so you do not have a multitude of different court 
decisions on what is life or limb and what is not.
    Ms. Tyrangiel. I am certainly happy to engage with the 
Subcommittee and with Congress to talk about that area and any 
others that the Committee would like to explore, certainly an 
important exception and one that the government, both at the 
Federal and State and local level, makes use of.
    Mr. Sensenbrenner. Well, you know, let me express my 
discomfort that you do not seem to have any answers to 
questions that have been asked, and it is not just by me but by 
other Members of the Subcommittee. And this really should not 
be any surprise to you that the questions were coming because 
this is not a new issue. This is not the first hearing that a 
congressional committee has had on the subject of modernizing 
ECPA. And I would hope that the Justice Department, when they 
come back next time to talk about this subject, can anticipate 
the questions and have an answer. You know, I can say that if 
this were a trial, there would be a lot of people that would 
not be happy about the counsel at the trial being as ill-
prepared as you have been.
    So with that admonition, let me say, without objection, 
this hearing is adjourned.
    [Whereupon, at 11:21 a.m., the Subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 
