b"<html>\n<title> - INTERNATIONAL CONFLICTS OF LAW AND THEIR IMPLICATIONS FOR CROSS BORDER DATA REQUESTS BY LAW ENFORCEMENT</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n\n                INTERNATIONAL CONFLICTS OF LAW AND THEIR\n                  IMPLICATIONS FOR CROSS BORDER DATA \n                      REQUESTS BY LAW ENFORCEMENT\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                       COMMITTEE ON THE JUDICIARY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                           FEBRUARY 25, 2016\n\n                               __________\n\n                           Serial No. 114-84\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n      Available via the World Wide Web: http://judiciary.house.gov\n                                  ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n98-827 PDF                     WASHINGTON : 2016 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n      \n                       COMMITTEE ON THE JUDICIARY\n\n                   BOB GOODLATTE, Virginia, Chairman\nF. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan\n    Wisconsin                        JERROLD NADLER, New York\nLAMAR S. SMITH, Texas                ZOE LOFGREN, California\nSTEVE CHABOT, Ohio                   SHEILA JACKSON LEE, Texas\nDARRELL E. ISSA, California          STEVE COHEN, Tennessee\nJ. RANDY FORBES, Virginia            HENRY C. ``HANK'' JOHNSON, Jr.,\nSTEVE KING, Iowa                       Georgia\nTRENT FRANKS, Arizona                PEDRO R. PIERLUISI, Puerto Rico\nLOUIE GOHMERT, Texas                 JUDY CHU, California\nJIM JORDAN, Ohio                     TED DEUTCH, Florida\nTED POE, Texas                       LUIS V. GUTIERREZ, Illinois\nJASON CHAFFETZ, Utah                 KAREN BASS, California\nTOM MARINO, Pennsylvania             CEDRIC RICHMOND, Louisiana\nTREY GOWDY, South Carolina           SUZAN DelBENE, Washington\nRAUL LABRADOR, Idaho                 HAKEEM JEFFRIES, New York\nBLAKE FARENTHOLD, Texas              DAVID N. CICILLINE, Rhode Island\nDOUG COLLINS, Georgia                SCOTT PETERS, California\nRON DeSANTIS, Florida\nMIMI WALTERS, California\nKEN BUCK, Colorado\nJOHN RATCLIFFE, Texas\nDAVE TROTT, Michigan\nMIKE BISHOP, Michigan\n\n           Shelley Husband, Chief of Staff & General Counsel\n                            Perry Apelbaum,\n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n\n                           FEBRUARY 25, 2016\n\n                                                                   Page\n\n                           OPENING STATEMENTS\n\nThe Honorable Bob Goodlatte, a Representative in Congress from \n  the State of Virginia, and Chairman, Committee on the Judiciary     1\n\nThe Honorable John Conyers, Jr., a Representative in Congress \n  from the State of Michigan, and Ranking Member, Committee on \n  the Judiciary..................................................     3\n\n                               WITNESSES\n\nDavid Bitkower, Principal Deputy Assistant Attorney General \n  United States Department of Justice\n  Oral Testimony.................................................    11\n  Prepared Statement.............................................    14\n\nBrad Smith, President and Chief Legal Officer, Microsoft \n  Corporation\n  Oral Testimony.................................................    57\n  Prepared Statement.............................................    60\n\nThe Honorable Michael Chertoff, Co-Founder and Executive \n  Chairman, The Chertoff Group\n  Oral Testimony.................................................    72\n  Prepared Statement.............................................    74\n\nThe Honorable David S. Kris, former Assistant Attorney General \n  for National Security, United States Department of Justice\n  Oral Testimony.................................................    80\n  Prepared Statement.............................................    82\n\nJennifer Daskal, Assistant Professor, American University \n  Washington College of Law\n  Oral Testimony.................................................    84\n  Prepared Statement.............................................    86\n\n          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING\n\nPrepared Statement of the Honorable Sheila Jackson Lee, a \n  Representative in Congress from the State of Texas, and Member, \n  Committee on the Judiciary.....................................     5\n\nMaterial submitted by the Honorable Sheila Jackson Lee, a \n  Representative in Congress from the State of Texas, and Member, \n  Committee on the Judiciary.....................................   109\n\n                                APPENDIX\n               Material Submitted for the Hearing Record\n\nQuestions for the Record submitted to David Bitkower, Principal \n  Deputy Assistant Attorney General United States Department of \n  Justice........................................................   128\n\nResponse to Questions for the Record from Brad Smith, President \n  and Chief Legal Officer, Microsoft Corporation.................   130\n\nQuestions for the Record submitted to the Honorable Michael \n  Chertoff, Co-Founder and Executive Chairman, The Chertoff Group   138\n\nResponse to Questions for the Record from the Honorable David S. \n  Kris, former Assistant Attorney General for National Security, \n  United States Department of Justice............................   140\n\nResponse to Questions for the Record from Jennifer Daskal, \n  Assistant Professor, American University Washington College of \n  Law............................................................   143\n \nINTERNATIONAL CONFLICTS OF LAW AND THEIR IMPLICATIONS FOR CROSS BORDER \n                    DATA REQUESTS BY LAW ENFORCEMENT\n\n                              ----------                              \n\n\n                      THURSDAY, FEBRUARY 25, 2016\n\n                        House of Representatives\n\n                       Committee on the Judiciary\n\n                            Washington, DC.\n\n    The Committee met, pursuant to call, at 10 a.m., in room \n2141, Rayburn House Office Building, the Honorable Bob \nGoodlatte, (Chairman of the Committee) presiding.\n    Present: Representatives Goodlatte, Chabot, Issa, King, \nJordan, Poe, Marino, Gowdy, Collins, DeSantis, Walters, Buck, \nRatcliffe, Bishop, Conyers, Lofgren, Johnson, Chu, DelBene, \nJeffries, and Peters.\n    Staff Present: Shelley Husband, Chief of Staff & General \nCounsel; Branden Ritchie, Deputy Chief of Staff & Chief \nCounsel; Zachary Somers, Parliamentarian & General Counsel; \nKelsey Williams, Clerk; Jason Herring, Counsel, Subcommittee on \nCrime, Terrorism, Homeland Security, and Investigations; \n(Minority) Perry Apelbaum, Minority Staff Director & Chief \nCounsel; Danielle Brown, Parliamentarian & Chief Legislative \nCounsel; Aaron Hiller, Chief Oversight Counsel; Joe \nGraupensperger, Chief Counsel, Subcommittee on Crime, \nTerrorism, Homeland Security, and Investigations; and Veronica \nEligan, Professional Staff Member.\n    Mr. Goodlatte. Good morning. The Judiciary Committee will \ncome to order, and without objection, the Chair is authorized \nto declare recesses of the Committee at any time.\n    We welcome everyone to this morning's hearing on \n``International Conflicts of Law and Their Implications for \nCross-Border Data Requests by Law Enforcement,'' and I will \nbegin by recognizing myself for an opening statement.\n    Today's hearing will examine international conflicts of law \nand how these conflicts impact law enforcement access to data \nboth here and abroad. This is an extremely important issue that \naffects individuals, technology companies, law enforcement, and \nthe economy. In the digital age, where the Internet knows no \nboundaries, U.S. technology companies have flourished \ninternationally and provide services to customers and \nsubscribers around the world, but there is a growing tension \nbetween U.S. law and foreign law, and U.S. technology companies \nare caught in the middle.\n    U.S. law places restrictions on access to data by foreign \ncountries, making it difficult if not impossible in some \ninstances to obtain evidence of crimes or terror plots carried \nout by their own citizens in violation of their laws. This has \nprovided an incentive for foreign governments to enact their \nown legislation to address the problem. Some foreign \ngovernments have enacted laws requiring U.S. technology \ncompanies as a requirement for doing business there to comply \nwith that government's requests for data.\n    Alternatively, other countries are considering legislation \nthat would require U.S. providers to locate servers in that \ncountry to ensure that country's jurisdiction over the U.S. \nprovider. This is sometimes referred to as data localization. \nThe disparity between U.S. and foreign law has similarly \ncreated a conflict with regard to what law governs requests by \nthe U.S. Government to U.S. companies for data stored in \nforeign countries.\n    Certain foreign countries prohibit the removal of data from \ntheir boundaries in contravention of their law. U.S. law, on \nthe other hand, makes no distinction between data stored \ndomestically versus data stored abroad, nor any distinction \nwith regard to the nationality or location of the customer.\n    The result of these conflicts is that U.S. technology \ncompanies find themselves with a Hobson's choice: either comply \nwith U.S. law, or comply with foreign law. But it is \nincreasingly impossible to comply with both. This is an \nuntenable situation for U.S. tech companies. This conflict also \nthwarts timely access to information by foreign governments, \nand has the potential to create additional barriers for U.S. \nlaw enforcement.\n    Current U.S. law requires foreign governments who want \naccess to content maintained by a U.S. technology company to \nmake a government-to-government request for the data.\n    This is generally accomplished through the mutual legal \nassistance treaty, or MLAT process, but frankly, the MLAT \nprocess is slow and cumbersome. It has been reported that an \nMLAT request takes, on average, approximately 10 months. This \nis clearly causing serious frustration from foreign governments \nwho have legitimate interests in their own public safety.\n    For example, a foreign government may be investigating \ncriminal activity that has occurred wholly within that \ngovernment's borders by its own citizens, but because the \nperpetrators are utilizing the email services of a U.S. email \nprovider, that foreign government cannot get access to email \ncontent for evidentiary purposes, except through the MLAT \nprocess, which takes entirely too long. The current arduous \nMLAT process likewise poses significant hurdles to the U.S. \nGovernment obtaining information stored abroad from U.S. \ncompanies, and is not designed to carry the heavy burden of \nthese types of cross-border data requests.\n    It is abundantly clear that Congress must find a \nlegislative approach that embraces the modern manner in which \ndata is stored and acquired internationally.\n    One such approach could be bilateral agreements between the \nU.S. and foreign countries that work to resolve or waive these \nconflicts of law. Earlier this month, it was reported that the \nU.S. and the United Kingdom recently commenced negotiations on \na bilateral agreement that would allow the U.K. Government to \nrequest data directly from U.S. companies in criminal and \nnational security investigations not involving U.S. persons. \nThis type of agreement may serve as model for future \nagreements, and thus relieve some of the international pressure \non U.S. tech companies, but we must closely examine important \ndetails, such as the legal standard for which the U.K. \nGovernment may make requests of U.S. tech companies, whether \nsuch requests would require an independent review, and what \nprivacy protections should be implemented.\n    Such an agreement could also help alleviate any conflicts \nof law relating to requests by the U.S. for data stored abroad \nby U.S. companies. But any such agreements must preserve \nAmerican civil liberties and privacy protections embodied in \nU.S. law.\n    Ultimately, in order for a bilateral agreement of this kind \nto have effect, Congress would first need to enact legislation \nenabling direct access to U.S. companies by foreign \ngovernments, and prescribing the criteria that must be met by \nthe foreign government to receive such access.\n    Once again, the House Judiciary Committee finds itself at \nthe forefront of a pressing issue that impacts personal \nprivacy, national security, public safety, economic viability, \nand the rule of law. Members of this Committee have been \ndedicated to finding a legislative solution to address the \nissues raised by the current conflict of laws, and we will \ncontinue to examine all options presented to the Committee.\n    As always, we will not shy away from the heady task ahead \nof us in finding a thoughtful, balanced solution to this \nproblem. I look forward to closely examining these issues today \nand hearing from our distinguished witnesses, and with that, I \nam pleased to recognize the Ranking Member of the Committee, \nthe gentleman from Michigan, Mr. Conyers, for his opening \nstatement.\n    Mr. Conyers. Thank you, Chairman Goodlatte. And thanks to \nall of our witnesses on both panels for the time they are \ntaking to be with us today. The House Judiciary Committee is \nthe appropriate forum for a topic that never seems to leave the \nnews: how government agencies access the content of our \ncommunications.\n    Over the past few years, we have explored this theme in \nvarious forms: government surveillance, the FBI's effort to \nbuild back doors into strong encryption, and our works to \nreform the Electronic Communications Privacy Act. Today, we \ndiscuss a different aspect of this theme: how law enforcement \nagencies attempt to access data stored beyond their \njurisdictional reach.\n    Whatever your favorite policy solution may be, everyone in \nthis room agrees that there is a problem that must be solved. \nTwenty years ago, a police officer in the United Kingdom \ninvestigating a routine crime would have had little reason to \nseek evidence stored in the United States, but today, on a \ndaily basis, law enforcement agencies around the world request \naccess to digital evidence stored in other countries. And the \nlegal framework in place for making those requests is wholly \ninadequate to the task.\n    The mutual legal assistance treaty system was written for a \ndifferent era, and struggles to keep pace with the scope and \npace of modern communications. Our Members have also been \noutspoken in the need to modernize the Electronic \nCommunications Privacy Act, and I hope we will do it soon.\n    I am also a co-sponsor of H.R. 1174, the ``Law Enforcement \nAccess to Data Stored Abroad Act.'' Now I signed onto this bill \nbecause it is an important vehicle for the discussion that we \nwill have today, and I thank the gentleman from Pennsylvania, \nMr. Marino, the gentlelady from Washington, Ms. DelBene, and \nMr. Amodei, Nevada for their leadership on this issue. The \nLEADS Act takes a holistic view of the system.\n    It reforms ECPA to require warrants for content in the \ndomestic content. It also provides one solution for Federal law \nenforcement to reach data that is stored abroad. And, it begins \na much needed overhaul of the mutual legal assistance treaty \nframework, and even if we may reach consensus on a solution \nthat differs from the LEADS Act, it will have been important \nlegislation for having recognized early that we need to use \nevery tool in our toolbox to update Federal law for the digital \nage.\n    One other possibility for reform that I would like to \ndiscuss today is the idea of bilateral agreements with our \nclosest allies. Those Nations we trust most on civil liberties \nand due process issues. We should add this concept to the mix. \nIn addition to amending the Electronic Communications Privacy \nAct, and updating our treaty system, these agreements could \ncounter the trend toward data localization, incentivize our \npartners to set better standards for data protection, and help \nour closest friends investigate serious crimes that often \nimpact the United States either directly or indirectly. I would \nadd only two notes on this topic for our distinguished guests \nfrom the Department of Justice.\n    First, I hope to have your agreement today that no deal \nwith the United Kingdom is better than a deal that does not \nhonor privacy, due process, and free expression on both sides \nof the Atlantic.\n    Secondly, I hope that this will be a collaborative process. \nIt is unfortunate that we learned about your discussions with \nthe British from the Washington Post before we heard about them \nfrom you. I appreciate that the Department took the time to \nbrief Committee staff earlier this week. It was important, I \nappreciate how candid the Department was about possible civil \nliberties concerns going forward. I am sure that working \ntogether, we can come up with a system of reforms that benefits \neach of the stakeholders in this discussion.\n    And so I thank the Chairman and yield back any time that \nmight be remaining. Thank you.\n    Mr. Goodlatte. Thank you, Mr. Conyers. And without \nobjection, all other Members' opening statements will be made a \npart of the record.\n    [The prepared statement of Ms. Jackson Lee follows:]\n    \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   \n    \n  \n                               __________\n    Mr. Goodlatte. We welcome our distinguished witness of \ntoday's first panel. And if you would please rise, I will begin \nby swearing you in. Do you swear that the testimony that you \nare about to give shall be the truth, the whole truth, and \nnothing but the truth so help you God? Thank you very much.\n    And I will now introduce our witness for today's first \npanel. Mr. David Bitkower serves as the Principal Deputy \nAssistant Attorney General of the U.S. Department of Justice. \nPrior to joining the criminal division at the DOJ, Mr. Bitkower \nwas an Assistant United States Attorney in the eastern district \nof New York.\n    He is a graduate of Yale University and Harvard Law School. \nYour written testimony will be entered into the record in its \nentirety, and we ask that you summarize your testimony in 5 \nminutes or less; and to help you stay within that time, there \nis a timing light on your table. When the light switches from \ngreen to yellow, you have 1 minute to conclude you testimony. \nWhen it turns red, that is it. Your time is up. Welcome. Please \nbegin.\n\n    TESTIMONY OF DAVID BITKOWER, PRINCIPAL DEPUTY ASSISTANT \n      ATTORNEY GENERAL UNITED STATES DEPARTMENT OF JUSTICE\n\n    Mr. Bitkower. Thank you. And good morning Chairman \nGoodlatte, Ranking Member Conyers, and Members of the \nCommittee. Thank you for the opportunity to testify on behalf \nof the Department of Justice concerning international conflicts \nof law, cross border data flow, and law enforcement requests. \nThe Department recognizes that issues concerning cross border \nlaw enforcement access to data, while vitally important, can be \ncomplex and require balancing several sometimes competing \ngoals.\n    Mr. Goodlatte. Mr. Bitkower, you may want to pull that \nmicrophone a little closer to you.\n    Mr. Bitkower. Certainly, thank you. Most importantly, we \nmust fulfill the responsibility that Congress and the American \npeople have entrusted to us by taking lawful steps to protect \nAmericans from threats to their safety and security. But we \nmust also do our best to meet legitimate public safety needs of \nother countries that require access to evidence that happens to \nbe stored in the United States without compromising users' \nprivacy interests, and we must recognize that U.S. service \nproviders, seeking to compete in a global marketplace, may in \nsome instances face conflicting legal obligations from the \nNations where they choose to do business; and we should seek to \nminimize those conflicts where possible.\n    Finding solutions that satisfy all of these goals will be \ndifficult, and we welcome this hearing as part of an important \ndiscussion about how to do so. I will focus on two issues this \nmorning.\n    First, I will discuss the increasingly important role that \ncross border access to data plays in the protection of the \npublic, both for the United States and for our foreign \npartners. Second, I will discuss a potential new opportunity to \nbuild a framework for cross border access to data that would \nfacilitate legitimate law enforcement requests for electronic \ninformation, help to alleviate conflicts of law as faced by \nservice providers, and protect privacy and civil liberties.\n    Two related trends have significantly increased the need \nfor U.S. law enforcement to be able to access electronic data \nthat may be stored overseas.\n    First, the rapid growth of Internet use has meant that law \nenforcement increasingly relies on electronic data, such as the \ncontent of emails or text messages, in identifying perpetrators \nand bringing them to justice.\n    Second, while much of this information is stored within the \nUnited States, providers are increasingly storing information \noutside the United States as well. United States law generally \ndoes not require providers to store data here, and U.S. \nproviders increasingly face tax or other business incentives as \nwell as pressure by foreign governments to store data outside \nthe United States.\n    In fact, many of the largest American providers now operate \ndata centers abroad, and it is unusual for a major provider to \nstore all of its data within a single country. For these \nreasons, although law enforcement access to data stored abroad \nis already a key issue for the United States, its importance is \nlikely to grow over time. Under United States law, when a \nprovider is subject to the jurisdiction of U.S. courts, U.S. \nlaw enforcement may use the Stored Communications Act, or SCA, \nto obtain this data.\n    The SCA's efficient and privacy protecting process is \ncritical to successful investigations. When SCA process is \nunavailable, U.S. law enforcement may attempt to obtain \ninformation stored abroad through international cooperation \nmechanisms, such as mutual legal assistance treaty, or MLAT \nrequests, but the MLAT system can be cumbersome and is \noverburdened, and the United States does not even have MLAT \ntreaties with half the countries in the world.\n    As a result, criminals may remain free to commit serious \ncrimes against Americans. The United States is of course not \nalone in confronting these challenges. Many of our foreign \npartners, including close allies such as the United Kingdom, \nfind themselves in an even more difficult situation reliant on \nevidence stored outside their borders, often within the United \nStates, to protect public safety and national security. The \ndifficulty arises in part because the SCA not only serves as \nthe mechanism for U.S. law enforcement to require a provider to \ndisclose information, but also precludes providers from \ndisclosing the contents of communications unless certain \nexceptions are met; and the SCA contains no exception \npermitting a provider to disclose the contents of \ncommunications in response to a foreign production order.\n    Thus, when a foreign country makes a request under its own \nlaw for an American provider to disclose data stored in the \nUnited States, the provider may face conflicting legal demands, \ncompulsion to disclose under foreign law, and simultaneous \npreclusion of that disclosure under American law. This is so \neven if, for example, the order relates solely to a crime \ncommitted by the country's national within its own territory.\n    The result may be to stymie legitimate investigations, \nmotivate foreign countries to require data to be stored within \ntheir own borders, and expose American companies and their \nemployees to potential enforcement actions abroad. There is \nwidespread acknowledgement that this status quo is untenable. \nTo address these problems, the Administration is currently \nconsidering a framework under which U.S. providers could \ndisclose data directly to the United Kingdom in response to a \nlawful U.K. order. The agreement would not permit the targeting \nof U.S. persons or persons within the United States, and would \nnot be used for bulk collection. The agreement would also \nsecure reciprocal access for the U.S. to data located in the \nUnited Kingdom. We recognized that any such agreement would \nrequire legislation, both to lift conflicts of laws in \ncarefully specified circumstances, and also to set forth base \nline standards to project privacy and civil liberties.\n    We look forward to working with Congress as we continue to \nexplore this approach. Should the approach prove successful, we \nwould consider it for other like-minded governments as well. We \nbelieve the framework I have described rather than legislation \nthat would unilaterally restrict U.S. law enforcement \nauthority, offers a path forward to efficient and privacy \nprotecting cross border law enforcement access to data. Thank \nyou, and I look forward to answering your questions.\n    [The prepared statement of Mr. Bitkower follows:]\n    \n    \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] \n    \n    \n        \n                               __________\n                               \n    Mr. Goodlatte. Thank you. We will now begin the \nquestioning, and I will recognize myself. Mr. Bitkower, what \nwill happen if Congress fails to implement legislation to \nfacilitate international agreements such as the one currently \nbeing negotiated with the United Kingdom?\n    Mr. Bitkower. Thank you for the question, Congressman. And \nI think it goes to the heart of why such a framework is so \nhelpful. As we said, the status quo today is untenable, both \nfor our close allies and for our companies. If there is no \nagreement or path forward, then our companies will increasingly \nface conflicts of law situations when foreign countries, \nincluding close allies such as the United Kingdom, have \nlegitimate requests for data related to legitimate \ninvestigations under their own law, the only connection to the \nUnited States of which is that the data happens to be stored \nhere, and the provider is precluded under United States law \nfrom complying with that request.\n    I think we will see that situation continuing to grow as \ncrime becomes more international and as data can move around \nmore easily, and if we do not resolve those questions, then we \nwill face both continuing pressure from our allies as well as \ncontinuing pressure on our own companies.\n    Mr. Goodlatte. Do you agree that the Stored Communications \nAct is silent as to whether its procedures apply to data stored \noutside the U.S. or to non-U.S. persons outside the U.S.?\n    Mr. Bitkower. Again, thank you for the question, \nCongressman. So, the U.S. Stored Communications Act is a form \nof compulsory process. And U.S. law at the time the SCA was \nenacted and in fact, for many decades has provided the \ncompulsory process, if served on a company within the \njurisdiction of the United States, can require that company to \nproduce materials, even if those materials happen to be stored \nabroad. This has been the law of the United States for many \ndecades and in fact many countries have similar laws. I think \nwe saw, in fact, even in the case involving Microsoft in \nIreland.\n    Mr. Goodlatte. Yeah, can you answer the question though? Is \nit silent with regard to these parties?\n    Mr. Bitkower. So the text of the law does not particularly \nmention where the data is stored and does not turn one way or \nthe other in where data is stored.\n    Mr. Goodlatte. So, what guidance do U.S. providers have as \nto the application of the Stored Communications Act to data or \ncustomers that are outside the U.S.?\n    Mr. Bitkower. So again, we think that since this SCA was \nlegislated against a backdrop of U.S. law, which applies across \na variety of contexts, not just in electronic communications \ncontexts.\n    Mr. Goodlatte. Is your answer that it does not give \nguidance to this?\n    Mr. Bitkower. No, to the contrary, sir. My answer is that \nit operates like other forms of compulsory process where the \nlaw is clear that companies may be required to retrieve data \nfrom abroad in response to a lawful request.\n    Mr. Goodlatte. Okay. Should a bilateral agreement such as \nthe one under consideration with the U.K. also ameliorate any \nconflicts of law with regard to U.S. requests for data held by \nU.S. companies in that other country that is a party of the \nbilateral agreement?\n    Mr. Bitkower. Yes, Congressman. One of the primary benefits \nin an agreement of this nature would be to have reciprocal \nbenefits for the United States in lifting any conflicts of law \nthat might be present in the other country from where we \nrequest data.\n    Mr. Goodlatte. And in your written testimony, you say that \na successful bilateral framework must establish adequate base \nlines for protecting privacy and civil liberties, both through \nthe agreement and implementing legislation. And you also go on \nto say that, for example, legislation should require the \nforeign country's law to have in place appropriate substantive \nand procedural protections for privacy and civil liberties. \nWhat does that mean?\n    Mr. Bitkower. So thank you, Congressman. That is an area \nwhere we had hoped to work very closely with Congress and in \nparticular with this Committee in establishing what those base \nlines ought to be. Our goal is that when we choose a country to \nconclude such an agreement with, we would want to ensure that \nthat country has adequate substantive and procedural base lines \nto ensure that the orders that they are submitting and serving \non our providers are ones based on a rule of law framework, \nthey provide protections for civil liberties, they provide \nprotections for privacy. And so that way our companies can be \nsure they are complying with legitimate requests.\n    Mr. Goodlatte. Thank you very much. I now recognize the \ngentleman from Michigan, Mr. Conyers for his questions.\n    Mr. Conyers. Thank you, Mr. Chairman. And welcome to our \nhearing, sir. In the case pending before the Second Circuit \nright now, the Department of Justice and Microsoft differ on \nthe application of the law to data stored on servers outside \nthe United States.\n    I would like to focus on some areas that I think we may be \nin agreement on. Do you believe that companies like Microsoft \nface a difficult decision when U.S. laws like the Electronic \nCommunications Privacy Act dictates one outcome, and the law of \na different country dictates another? That is a pretty \ndifficult situation, is it not?\n    Mr. Bitkower. I absolutely agree, Congressman. Our \ncompanies currently can be caught in difficult conflicting \nlegal obligations, in particular when foreign countries seek \naccess to data that is stored here in the United States.\n    Mr. Conyers. Do you believe that the Electronic \nCommunications Privacy Act should be reformed to address this \nissue?\n    Mr. Bitkower. So, thank you, Congressman. I am aware this \nCommittee held a hearing in December on the subject of the \nElectronic Communications Privacy Act. The Department was \nprivileged to submit testimony to that hearing, and obviously \nwe stand by that today. We recognize that certain aspects of \nthe Electronic Communications Privacy Act have not kept date \nwith the way technology is used, and the Department is open to \ncertain changes in that statute, provided contingencies are \nmade to protect important civil and criminal law enforcement \nfunctions.\n    Mr. Conyers. Now, in February, the Washington Post reported \nthat the Department of Justice had entered into negotiations \nwith the British government on an agreement that would allow \nBritish agencies to serve wiretap orders directly on United \nStates companies. Do you think it might have been appropriate \nfor us to learn about this activity from the Department of \nJustice rather than the Washington Post?\n    Mr. Bitkower. Certainly, Congressman. We believe that close \ncollaboration with Congress is essential in this area as in \nmany others. I do not want to overstate any progress we have \nmade. The negotiations began just very recently. We only very \nrecently received, in fact, the authorization to begin those \nnegotiations, at approximately the time that that Washington \nPost article was published. We obviously did look forward to \nthe opportunity to brief this Committee and other Committees of \njurisdiction and we hope to work with you in the future as \nwell.\n    Mr. Conyers. Well, is it your position that our government \nshould be able to obtain data stored abroad by applying the \nElectronic Communications Privacy Act to any company based in \nthe United States?\n    Mr. Bitkower. Thank you, Congressman. We think it is \nessential that the United States be able to obtain data without \nregard to its location, if the provider is subject to U.S. \njurisdiction. As I noted in my testimony, there are numerous \nexamples of cases where individuals who may be outside the \nUnited States, who may not be United States citizens, whether \nthey are in the United States or not, commit very serious \ncrimes against Americans, and if we do not have access to data \nand evidence, then those crimes could continue. So we do take \nseriously potential conflicts of laws that our companies may \nface.\n    We do everything in our power to minimize those and see if \nthere are work arounds we can engage in. But at the end of the \nday, if the United States does not have the authority to gather \nevidence simply based on the location of that evidence, then \nnot only will our citizens suffer, but in fact, an agreement of \nthe type we are talking about today, would have no reciprocal \nbenefit for the United States.\n    Mr. Conyers. All right. Is there some way we can speed up \nthe negotiations and the conferences and all this business so \nthat this does not take months and months, and jeopardize the \ninterest of a lot of individuals and companies? How would we \nreact if the Chinese government, for example required, a \nChinese company like Alibaba, which maintains the data center \nin the United States, to produce account information that \nbelongs to a U.S. citizen or citizens?\n    Mr. Bitkower. So thank you, Congressman. Again, that is I \nthink one of the key conflicts of laws that our companies may \nface. That is they receive requests from other companies in \nother countries, for data that our companies may store in the \nUnited States. Sometimes those are requests that they very much \nwant to respond to. Legitimate requests from close allies to \nresolve crimes in their territory; and sometimes they come from \ncountries who do not have the same human rights record and \nwhere the request is not as obviously legitimate.\n    We do not believe the solution to that problem is to enact \nlegislation that would unilaterally strip U.S. authority to \ninvestigate serious crimes, but we do think a framework of the \ntype I am talking about today, under discussion between the \nU.S. and the U.K., which allows us to pick and choose \nlikeminded countries and circumstances in which we would reduce \nthose conflicts is a path forward.\n    Mr. Conyers. Well, I hope we work more closely together in \nthis area, and I thank you for your response to my questions. \nAnd I thank the Chair.\n    Mr. Bitkower. Thank you.\n    Mr. Goodlatte. The Chair recognizes the gentleman from \nCalifornia, Mr. Issa, for 5 minutes.\n    Mr. Issa. Thank you, Mr. Chairman, Mr. Bitkower. Is it \nBitkower?\n    Mr. Bitkower. Yes.\n    Mr. Issa. Okay. Sometimes, here from the dais, the best way \nto deal with a new problem is see if the problem is new or not. \nSo let me ask you a few questions just to see if the problem is \nnew. The country of Ireland decides that, in fact, you \ncommitted a crime, and they want you back there. Should they be \nable to simply unilaterally go to an Irish court, issue a \nwarrant, and come get you?\n    Mr. Bitkower. So if the country grounds had an extradition \nrequest for me?\n    Mr. Issa. No, no. They just want to come haul your ass in.\n    Mr. Bitkower. I would oppose that, sir.\n    Mr. Issa. Okay. So, in the tangible world, that is an \nexample where we have absolutely no authority whatsoever to \ntake a person--by the way, U.S. or otherwise, from another \nsovereign country. We have had a long tradition--and I just \nleft the Foreign Affairs Committee--I have got Secretary Kerry \nthere so I apologize I am going back and forth between the two \nmost important people I will see today--so, for all these years \nwe have set up a list of countries in which we do business on \nextradition.\n    We want tangible evidence. Let's just say an M-16 used in a \ncrime, but it left the country. Or, an M-16 was found in \nIreland being used, but we believe it is from the U.S. When you \nwant that tangible property, you do not go to a U.S. court \norder alone. You go to a U.S. court to plead your case, and \nthen you go to a foreign jurisdiction, and you negotiate with \nthe foreign jurisdiction whether or not, as to that person, as \nto that equipment, as to that evidence, they are willing to, \nthrough their court system, allow you access or, in fact, \nremoval from their country. Correct?\n    Mr. Bitkower. So the question is--Congressman, I do \nappreciate the question, I think, across a wide variety of \ncontexts. We face a wide variety of situations where we--there \nmay or may not be a conflict of law.\n    Mr. Issa. Right, but let's just look at the intangible \nworld, the piece of paper reduced to a PDF. Because that is \nreally what we are talking about. We are talking about \nsomething that could be tangible fairly quickly but happens to \nbe in electronic format, correct?\n    Mr. Bitkower. Certainly.\n    Mr. Issa. Okay, and you want us to assume that somehow, as \nto U.S. corporations, Microsoft, Apple, whoever it happens to \nbe, that in my opinion the bully--is being bullied by the \nJustice Department today in some ways. You want us to believe \nthat you should throw out all the history of extradition, all \nthe history of you do not get it, you get to ask another \ncountry for it. And you want to have an absolute right to \ndemand it and get it if a U.S. court says it, and you have \njurisdiction over the entity who could control the bringing of \nit back electronically to you. Is that correct?\n    Mr. Bitkower. That is not precisely correct.\n    Mr. Issa. It is pretty close though, is it not?\n    Mr. Bitkower. Well, respectfully, sir, the U.S. courts do \nhave a long tradition of balancing----\n    Mr. Issa. I am not asking what the U.S. court is. I am \nasking what you are asking for. You are asking for the U.S. \ncourts to summarily order U.S. corporations or any entity that \nyou believe the court has jurisdiction over, to deliver to you \nsomething from another country and circumvent that other \ncountry's opportunity to tell you yes or no. And that is \nessentially what you are asking for.\n    So let me ask it in another way, and I will be asking the \nnext panel. Should we not fashion legislation that treats \nintangible evidence exactly the same as we treat tangible \nevidence? That treats the summoning of something from somewhere \nelse to the United States substantially similar to how we would \ndo so if, in fact, it was tangible, like a person, M-16, or a \npiece of paper? Is that not where--not your position. Your \nposition is rightfully so, self-serving, that you would like \nthe evidence as quickly and easily as possible. But from our \nstandpoint, our Founding Fathers saw 200 years evolve without \nthis sort of an idea that you can order an U.S. entity to bring \nback something to the United States.\n    Can you give me a good reason as the time expires--I will \ngive you the rest of the time and as much as the Chairman gives \nus--can you give me the good reason why I should treat this \nintangible substantially different than we have treated \ntangible for 240 years?\n    Mr. Bitkower. So thank you, Congressman. We do not believe \nthat our position either in the Microsoft case or with regard \nto the SCA treats tangible and intangible objects differently. \nAs I said before, there is a long tradition where corporations \nand banks, for example, subject to U.S. jurisdiction, may be \nrequired by lawful process in the United States to retrieve \ndocuments from abroad. If after that order is given, the \nprovider can show, or the company can show that there is \nlegitimate competitive laws we work every with companies in \nthat context, in our financial investigations, in trade secret \ninvestigations, and so on.\n    Mr. Issa. So you go to the court, you get an order, and \nthen with the threat of the order and the financial loss to \nthem you negotiate. Is that right?\n    Mr. Bitkower. That is correct.\n    Mr. Issa. But only if they file an opposition and they are \ntying it up in court. Then you negotiate because you want it \nfaster. Is that right?\n    Mr. Bitkower. That is not correct. They do not have to file \nan opposition. They simply have to tell us there is a conflict \nof laws and we will talk to them right away. I will point out \nin the Microsoft litigation you are referring to, there has \nbeen no claim or allegation by Microsoft of any conflict of \nlaw.\n    Mr. Issa. Thank you. Thank you, Mr. Chairman.\n    Mr. Goodlatte. The Chair recognizes the gentlewoman from \nCalifornia, Ms. Lofgren, for 5 minutes.\n    Ms. Lofgren. Well, thank you, Mr. Chairman, and thank you \nfor scheduling this and a series of hearings on this important \ntopic before our country. You know, I will just join with the \nother Members' concern with the negotiations with Britain with \nthe newspaper instead of from the Department. I just do not \nthink that is the way this should work. And looking at that, I \njust got to express some concerns.\n    Yes, Britain is our ally, but they do not have a First \nAmendment. I mean, they do not protect speech. And they do not \nhave judicial review. I mean, they do not have a magistrate \nthat oversees the issuance of warrants. And they do not have a \nprobable cause standard either. So to think that just because \nthey are our ally, they meet our standards I think is \ncompletely mistaken, and I have very grave concerns about what \nis going on.\n    Obviously this is not the focus of this hearing, but I will \njust get that out there. I have very grave concerns. And \ncertainly Britain is moving in a direction away from what we \nwould consider basic liberties that are guaranteed by our \nConstitution. So their direction in our negotiation I think is \ncause for grave concern in this country. And I will--we are \ngoing to have to get further into that later.\n    Since you are here, I would like to ask a couple of \nquestions about ECPA reform, because I think what we do with \nECPA reform will greatly impact the conflict of laws issues \nthat is the subject of this hearing. We have a bill that has, I \nthink, hundreds of co-sponsors. I am for that bill. But what \nthe bill does not have in it is protection for geolocation. \nNow, our Supreme Court is moving in the direction of projection \ngeo location, so it may be that our Supreme Court is going to \nsolve that, even though the legislation does not include it, \nbut I am interested in the Department's policy.\n    Now, it is my understanding that the Department recently \nenacted a policy requiring a warrant before deploying a cell \nsite simulator, sometimes called a StingRay, to locate a \nsuspect using their cell phone. Does that mean that the \nDepartment of Justice is going to require a warrant for all \nother means of obtaining real time geo location information of \na person or mobile device? And if not, what technologies and \ntechniques require a warrant and which do not?\n    Mr. Bitkower. Thank you, Congresswoman for raising two \ndifferent but both very important issues. Initially, with \nrespect to the U.K., I do want to emphasize we are at an early \nstage in the negotiations. We fully recognize and appreciate \nthat Congress will have to legislate in this area, and we hope \nto work with this Committee and others in order to establish \nthe appropriate base line standards for the protection of \nprivacy and civil liberties.\n    And I will also note, as you note, that the U.K. has \nintroduced substantial reforms to its Investigative Powers Act. \nAny determination with respect to any country, including the \nU.K., will only be made after there is legislation in place at \nthat time. With respect to geo location, I will note also at \nthe beginning we follow the law, whether it is in the statute \nor created by court decisions, including the Supreme Court. So \nwe will follow it, obviously no matter what the circumstance \nis.\n    There is no single category of geo location data that law \nenforcement can obtain from third parties. There are various \ntypes of data and various types of technology. It depends \nwhether you're looking at prospective information or historical \ninformation, information provided voluntarily by an individual, \nor information collected without their consent. And they vary \nin terms of precision. So our practices vary depending on the \ntype of information, and the type of technology, and we make \nthe showing that is required under law for any of those.\n    Ms. Lofgren. So, let me ask you this. If you are requiring \na warrant for--which I must say, apparently the U.S. Marshals \nService is not--to deploy StingRay for real time geo location \nwould you require a warrant generally to obtain historical geo \nlocation?\n    Mr. Bitkower. So, again Congresswoman, it depends on what \nyou mean by geo location information.\n    Ms. Lofgren. Where you are.\n    Mr. Bitkower. Well, again, that can be determined with \ndifferent degrees of precision. That could be as precise as are \nyou in this room? It could be more generally, are you in the \ncity? Or are you in this country? When you get more precise, \ngenerally speaking the law does require a higher showing, often \nincluding a warrant based on probably cause. When you are less \nprecise, often the law requires a lower showing and we will \nfollow that law.\n    Ms. Lofgren. Well, in some cases there is a void in terms \nof the law, in terms of where the court has so far acted. So it \nsounds like, Mr. Chairman, that as we take this up, we may want \nto include some geo location protection and precision to guide \nthe Department in the future, and I see my time has expired, \nand I would yield back.\n    Mr. Goodlatte. The Chair thanks the gentlewoman and \nrecognizes the gentleman from Iowa, Mr. King, for 5 minutes.\n    Mr. King. Thank you, Mr. Chairman. Thanks for your \ntestimony, Mr. Bitkower. I would like to ask you about the \nbroader picture of this. I mean, we are bouncing this back and \nforth between the United States and the U.K., and it is far \nmore complex than this as I understand it. And the several \nhundred countries there are in the world, that would seem to me \nthat that is several hundred different bilateral relationships \nthat need to be negotiated. Could you paint this big picture on \nwhat would be the optimum here? I mean, if we had the picture \nof what's optimum, perhaps then, as we move the pieces around \non this jigsaw puzzle, we might be able to get that picture \neventually put together, or at least have a target?\n    Mr. Bitkower. Sure, and thank you, Congressman. And I will \ndo my best. I think we all start from the recognition that the \ncurrent situation is untenable, and the optimum would be to \nmove in the right direction, which means both to facilitate \nlegitimate requests from countries to solve crimes and protect \npublic safety, but also to take our companies out of the middle \nwhen they are stuck between conflicting legal obligations, both \nof which they respect.\n    We do not believe that we will wind up with 181 bilateral \nagreements. I think that is not even close to being \ncontemplated. There are not that many countries, I think, that \nshare our values in that sense that would be willing to conduct \nsuch an agreement with. If it proves successful with the U.K., \nhowever, we would be amenable to exploring it with other \ncountries with whom we have similar close relationships, and \nwho have similar values and have similar rule of law respecting \nsystems.\n    So I think the approach that we want to take is one that \nsolves the problem that we see, the problem being lack of \naccess because of conflicting laws and our country is caught in \nthe middle. The approach we want to avoid is one that would \nunilaterally strip U.S. law enforcement of its authority to \nprotect Americans, even in cases where there are no conflicts.\n    Mr. King. I would add to that, that by some of the memos \nhere I have in front of me, there is an indication that perhaps \njust valuable evidence in a criminal investigation might be \ndelayed as long as 10 months. It would seem to me that that \nwould be a big discouragement from the prosecutors in whichever \ncountry was waiting for 10 months. How much is that a \nconsideration of your initiative here?\n    Mr. Bitkower. That is an everyday consideration, sir, for \nthe most serious crimes we face, ranging from terrorism to \nchild sexual exploitation to computer crime, and I will add the \n10 months is an estimate of the time it takes us to respond to \nrequests from foreign countries.\n    When we are talking about situations where the Department \nof Justice is required to request information--I am sorry, the \n10 months is when we produce information. When we are talking \nabout situations where we are required to request information \nfrom foreign countries, 10 months may be a best-case scenario. \nIn many cases we will never see that evidence at all, and in \nmany cases we do not even have a mutual legal assistance \ntreaty, as I said, with about half the countries in the world.\n    So, if we are required to pursue international cooperation \nmechanisms to gather evidence, that is going to stop many \nimportant investigations dead in their tracks.\n    Mr. King. So that would imply that there are many criminals \ngoing free because of these delays.\n    Mr. Bitkower. There is no question that that is true, sir.\n    Mr. King. And also, what about intelligence purposes? Say \ninvestigations of radical Islamic terrorists? How much of this \nproposal is contemplated that would be gathering that kind of \nintel?\n    Mr. Bitkower. So that is a core consideration. So, if, for \nexample, the United Kingdom was investigating a U.K. citizen \nwho had gone off to Syria to fight with ISIL, and was \ncommunicating with his co-conspirators through a U.S. provider, \nand that data was stored in the United States, right now the \nU.K. would have to come to us for an MLAT, and we would have to \ngo through all those same procedures.\n    By the same token, when we investigate Syria's terrorism \noffenses--and I have a couple in my written testimony--quite \noften terrorists are non-U.S. persons who are located overseas, \nand that might be exactly the type of data that our providers \nstore overseas. If we have to go through MLAT procedures to \nobtain that evidence, and if any conflicts of law are \nautomatically resolved against the United States, those \ninvestigations will automatically suffer.\n    Mr. King. Let me just suggest then that if we are \ncontemplating a degree of change in our foreign policy, that \nMr. Issa referenced foreign policy and foreign affairs--a \nchange in our foreign policy that we were committed to actually \ndefeating ISIS and doing so in a comprehensive way, not only \ntactically in the Caliphate, but throughout our initiation of a \nglobal war against terrorists, and using data as a component of \nthat as well as finances, would you say that this is a critical \nelement that we are addressing here today?\n    Mr. Bitkower. When it comes to the fight against terrorism \nby both us and our allies, access to evidence stored abroad is \na key part of that. Absolutely.\n    Mr. King. And right now we are handcuffed to a degree?\n    Mr. Bitkower. Yes.\n    Mr. King. Thank you. I appreciate your testimony, Mr. \nBitkower, and I yield back the balance of my time.\n    Mr. Marino [presiding]. The Chair now recognizes Mr. \nJohnson from Georgia.\n    Mr. Johnson. Thank you, Mr. Chairman. Sir, thank you for \nyour testimony today. In what ways, if any, would a bilateral \nor series of bilateral agreements be preferable to a mutual \nlegal assistance treaty?\n    Mr. Bitkower. Thank you, sir, for the question. So let me \nsay from the very beginning, the mutual legal assistance \nprocess is a vital part of international cooperation. We rely \non it all of the time on a daily basis, and I do not by any \nmeans mean to suggest that that is not a key element going \nforward, but the mutual legal assistance process can be \nburdensome, because it requires essentially a diplomatic \nrequest from one country to another, the need for a country to \ntranslate its documents not only in terms of language but also \nin terms of legal process.\n    Mr. Johnson. Well, that is within the current framework \nof--yeah.\n    Mr. Bitkower. Exactly, exactly. And the idea of a new \nframework of the type I am talking about today between the U.S. \nand the U.K. is that it would permit direct requests from the \nU.K. under U.K. law to providers that are doing business in the \nU.K. And that would circumvent the need to go through all the \nprocedures in the MLAT process that are not privacy protecting, \nthat do not enhance investigations, but simply add time and \ndelay.\n    Mr. Johnson. A new MLAT process or framework could \nincorporate the features of the bilateral agreement that is \nbeing negotiated with the U.K. Is that not correct?\n    Mr. Bitkower. So, in a sense the U.S.-U.K. framework is one \nof mutual legal assistance, but it is not mutual legal \nassistance in the type contemplated by our current treaties, \nwhich require requests to go through those diplomatic channels.\n    Mr. Johnson. Well, I guess I am getting to the issue of \nwhether or not it is better to try to, for this country, to \naddress its cross-border access to data issues--and other \ncountries that have the same issue--whether or not it is better \nto negotiate within a treaty format as opposed to a series of \nbilateral agreements. Why would a bilateral agreement process \nwith at least 190 different Nations in this world--why would \nthat be a superior route as opposed to a treaty?\n    Mr. Bitkower. So, I absolutely agree with you. We should \ncontinue to work and reform the MLAT system, and there are a \nnumber of steps that we are taking in that regard. And we are \nhappy to work with this Committee and others to continue to do \nso. That is an essential step as well.\n    Mr. Johnson. It seems like that is on the back burner \nthough.\n    Mr. Bitkower. Not at all, sir. That is actually on the \nfront burner for the Department of Justice, and it is an area \nwhere we put a lot of resources and intend to continue to do \nso. In fact, we think a framework of the type--a bilateral \nframework with the U.K. of the type I have discussed would \nactually contribute to reforming and improving the MLAT \nprocess, because it would take certain high volume countries \nlike the U.K. out of that system to a degree and free up \nresources for uses for all other countries, even those that are \nnot part of the framework. But the reason we would go through a \nbilateral framework is for certain close allies with \nparticularly--with legal systems that have adequate substantive \nand procedural protections for privacy and civil liberties, the \nidea is that this would be an expedited method, that they would \nnot have to go through the normal MLAT procedures for crimes \nthat are of particular concern to them, and do not involve U.S. \npersons, they have not targeted at U.S. persons or persons \nlocated in the United States.\n    So we would get the best of both worlds in a sense of \nexpediting process that have privacy protecting features and \nfavor our close allies, but also lifting all boats by freeing \nup resources for people who are not part of that process.\n    Mr. Johnson. So, I presume that you are working under the \nassumption that British legal standards are acceptable with \nrespect to U.S. legal standards?\n    Mr. Bitkower. So, again, we are not working on any \nassumptions. We recognize the need to and we look forward to \nworking with this Committee and others to establish exactly \nwhat those standards ought to be and only then would be \nevaluate the U.K. as an applicant for such a process.\n    Mr. Johnson. And, last question: would a bilateral \nagreement with the U.K. waive U.S. Fourth Amendment protections \nwith respect to requests from British for electronic data \nstored here in the U.S.?\n    Mr. Bitkower. So, any agreement obviously would require \nMLAT legislation and that legislation would have to be \nconsistent with the Fourth Amendment. We certainly recognize \nthat. The Fourth Amendment, of course, takes particular views \nwith regards to investigations by foreign governments as \nopposed to our own. Or data that does not belong to U.S. \npersons or persons who are in the United States.\n    Mr. Johnson. Thank you. And would a bilateral agreement be \nsubject to congressional approval?\n    Mr. Bitkower. So Congress would have to enact legislation \nto make this entire process possible, sir.\n    Mr. Johnson. Thank you, and I yield back.\n    Mr. Marino. The Chair now recognizes the gentleman from \nTexas, a former judge, Congressman Poe.\n    Mr. Poe. I thank the Chair. I am over here on the far \nright. Let me just go back to the basic, what the law is right \nnow. Under current law, information that is stored in the cloud \nthat is over 6 months old, the Department of Justice, on behalf \nof some law enforcement agency, makes a request or a demand to \nthe provider for that information in the cloud such as an email \nthat belongs to Bubba down in Texas. Is that a fair statement \nof what the law is right now?\n    Mr. Bitkower. Yes, sir. For the content of email, we would \ngenerally proceed with a warrant.\n    Mr. Poe. Okay. You would get a warrant from a judge.\n    Mr. Bitkower. Yes, sir.\n    Mr. Poe. When is it you do not get a warrant, but you get a \nsubpoena or a request made by some person in the Department of \nJustice?\n    Mr. Bitkower. So we would proceed by subpoena with--under \nthe SCA with respect to certain non-content information, such \nas metadata, or subscriber information.\n    Mr. Poe. So that is not a law enforcement agency, though. \nIs that correct?\n    Mr. Bitkower. That would be on behalf of law enforcement \nagencies, sir, yes.\n    Mr. Poe. Oh, a law enforcement agency. So when do you \nrequest the subpoena and when do you have to get the warrant?\n    Mr. Bitkower. So the Department's practice is to seek a \nwarrant when content of the communications are at issue, sir.\n    Mr. Poe. But to get the data, you issue a subpoena.\n    Mr. Bitkower. For certain types of non-content information, \nthat is correct, sir.\n    Mr. Poe. Okay. And, right now, Congress, for the last 4 \nyears, has been discussing and trying to update ECPA to deal \nwith the issue of content and information that is stored in the \ncloud that is over 6 months old. Is it the Department of \nJustice's position that a warrant should be required to get \nthat information, whether it is data or whether it is content?\n    Mr. Bitkower. So the Department is open to a warrant \nrequirement for that type of data if exceptions for certain \nlimited contingencies involving civil investigators are made.\n    Mr. Poe. Okay. All right. And just so you are clear, I \nthink that the--you ought to have a warrant for all of that. \nAnd the reason that the SEC wants to have an exception is \nexactly the reason that the SEC should have a warrant \nrequirement as well. Its content I think is--or data I think is \nprotected under the Fourth Amendment. That is one of the bills \nthat we are debating here. And regardless of what we eventually \ncome up with, do you think it is important that Congress \nactually make a decision on reforming ECPA?\n    Mr. Bitkower. So again, the Department is certainly open to \nthat change that you are describing, and I would agree with you \nthat any access to data has to comply with the Fourth \nAmendment. There are ways other than warrants to comply with \nthe Fourth Amendment, and we think those ways might be \navailable to civil investigators.\n    Mr. Poe. And I think it ought to apply to the civil \nagencies in the Federal Government as well. That is my personal \nopinion. Do you think that Congress--I am asking your opinion \nif you are open to it, are you open to it now, or do you think \nwe ought to wait to figure out some deal with the British on \nwhat they are doing? Or should we go ahead and make that \ndecision as our responsibility in Congress?\n    Mr. Bitkower. So certainly, we do not see one process as \ndependent on the other. Our concern is when, for example, DOJ \ncivil investigative agencies or civil components, such as the \nCivil Rights Division, do need to seek information for an \nimportant civil rights investigation, and they are not able to \nget a warrant because it is not a criminal investigation. And \nin that case there ought to be some mechanism for them to get \naccess to data from the provider, but with full privacy \nprotections, and we are open to a variety of solutions in that \nregard.\n    Mr. Poe. I did not ask you that. I asked you about dealing \nwith the British. I did not ask you about civil rights. Do you \nthink that we ought to wait to deal--make a treaty with the \nBritish on content that is stored in the cloud, and what they \nthink and what we think and come up with some agreement, \ntreaty, whatever it is called, or should we act on behalf of \nthe American public now?\n    Mr. Bitkower. We do not think there is any need to wait to \nact on ECPA, but to resolve the situation with the U.K. either, \nno.\n    Mr. Poe. All right. Well I agree with you on that. That is \nCongress' responsibility, and it is long overdue that we deal \nwith storing information in the cloud, and I think the Fourth \nAmendment ought to apply to the information stored in the \ncloud, over 4 months or over 6 months old, whether it is civil \nprocess or criminal process. And maybe we will get that \nlegislation that is now pending with over 300 sponsors of \nCongress to the House floor soon. Thank you very much; I will \nyield back the balance of the time.\n    Mr. Marino. Chair now recognizes the congresswoman from the \ngreat State of Washington, Congresswoman DelBene, who is a \ncoauthor with me on the LEADS Act.\n    Ms. DelBene. Thank you, Mr. Chair, and you thank you, Mr. \nBitkower, for being with us today. The DOJ argued in the \nMicrosoft Ireland case that congressional inaction with respect \nto updating the Electronic Communications Privacy Act is \nevidence of legislative intent, and that Congress generally \nthink the law is fine, but the courts should feel free to apply \nit to all of the unique situations that arise given the way \ntechnology works today, including international data storage. \nNow as was mentioned by my colleague from Texas moments ago, \nare you aware that this Committee has held hearings and \nannounced plans to mark up the Email Privacy Act, and there are \nover 300 cosponsors on that very basic reform bill waiting for \nthis Committee to take it up, and over 100 on the LEADS Act \nthat addresses the international question?\n    Mr. Bitkower. I am aware of those facts, yes.\n    Ms. DelBene. So, you have indicated that DOJ's position is \nthat in all cases, the Electronic Communications Privacy Act as \nwritten reaches data oversees. So where it is stored does not \nmatter.\n    Mr. Bitkower. With respect to the government's ability to \ncompel a provider to disclose information, it does not matter \nwhere the provider chooses to store that information, that is \ncorrect.\n    Ms. DelBene. Now, you know, Congress is looking at a number \nof ways to update the Electronic Communications Privacy Act to \naccount for the global nature of cloud computing, and the needs \nof law enforcement to access critical evidence, but some of the \nthreshold questions that we have discussed include the \ncitizenship of the account holder, the location of the data, or \nthe headquarters of the company holding the data. Would you say \nthat the DOJ's position is that ECPA as written already \naddresses questions about how to handle data stored abroad, and \nthat all these questions are essentially superfluous to--and we \nshould not be asking them?\n    Mr. Bitkower. So I think ECPA today currently does not make \ndistinctions that restrict the government's ability to \ninvestigate based on the nationality of the account holder, and \ndoes not make distinctions about the DOJ's ability to \ninvestigate based on where the data is stored. We think that is \na wise course to continue with, because there are many \ninvestigations where we need to take action where the \nindividual may be abroad and the individual may not be an \nAmerican. So obviously we are concerned with legislation that \nwould unilaterally strip our authority to investigate in those \ncases.\n    Ms. DelBene. So if we follow the model that says it is \nbased on a company, then--and I think this was mentioned \nearlier as well--China could make subsidiaries of Chinese \ncompanies in the U.S., turn over whatever information it wants, \nis that a desirable outcome?\n    Mr. Bitkower. That is certainly not a desirable outcome, \nand that is in fact why we are looking for a creative way \nforward that would address conflicts of laws in targeted ways \nthat lower those conflicts in case we have legitimate requests \nfrom companies that respect--countries that respect rights. But \nwe can pick and choose which country to make a deal with.\n    Ms. DelBene. So, many of us would agree though that the \nMLAT system is in need of modernization to function officially \nin a digital age. Could you share with the Committee how many \ntimes an MLAT has been used to obtain data stored overseas \nversus a warrant stored under the Stored Communications Act?\n    Mr. Bitkower. So it is difficult to answer that question, \nbecause for the most part, if you are talking about the context \nof the SCA, the government is not aware where the data is \nstored. So if a company complies with an SCA warrant, we will \nnot know one way or the other where the company got that data \nfrom, Seattle, San Francisco, or Ireland. So I cannot give you \nan answer to that question. I can only give you answers based \non the information we have received from companies when we \nserve that process on them.\n    Ms. DelBene. But can you give us your best estimation of \nthat answer then? Or is that a different----\n    Mr. Bitkower. So this may not be a scientific answer, but \nto our knowledge, in the history of serving SCA warrants on \nU.S. providers, we have never been told that they cannot comply \nbecause of the conflict of law.\n    Ms. DelBene. It is my understanding that before the \nMicrosoft Ireland case, standard practice in these \ncircumstances was to use the MLAT process. So if the MLAT \nprocess is broken, it is--you know, I would urge the DOJ to \nstart working with Congress on reforms, rather than coming up \nwith new legal theories that apparently you have relied on in \nthe past to get there, and I really would love to get more \ninformation on the difference of these numbers, if you can \nprovide those to us.\n    Mr. Bitkower. So we would be happy to work with you on \nthat. I guess the one area where I think that it is important \nto clarify, is that there was no change in DOJ policy for--or \nin the law. For upwards of three decades, it has been the clear \nlaw of the United States that lawful process served under an \nAmerican company cannot require that company to bring data back \nfrom abroad.\n    We have never heard from an SCA provider to my knowledge \nthat they cannot comply with one of those warrants because of a \nconflict of law. If we were ever told so in a given situation, \nwe would take that very seriously. We would work with a \nprovider and endeavor to see what that conflict of law is. If \nthere is a true conflict, we would try to see if there are ways \naround that. That situation has not actually occurred yet, \nincluding in the Microsoft Ireland case, whereas I said before, \nMicrosoft has not alleged any conflict of law. In fact, \nMicrosoft submitted a declaration on behalf of itself, and \nIreland submitted a declaration on behalf of itself, and \nneither one have alleged a conflict of law in that situation.\n    So we take very seriously conflict of laws, we do it across \na variety of investigative contexts. Nearly every one of our \nfinancial investigations involving banks and the like involve \nclaims with conflicts of laws. We work through those processes. \nIf we do proceed to a compulsion action in court, the court is \nthen empowered to balance important considerations, including \ncomity, including the value to the investigation, including the \nburden that might be facing the company, and we take all of \nthose very seriously.\n    Our concern is with legislation that in every single case, \nif there was a conflict, resolve that conflict against law \nenforcement and in favor of the foreign country.\n    Ms. DelBene. My time has expired. I think we need laws that \nwork the way the world works today, and that is going to be \ncritical for us all to follow up on. Thank you. I yield back.\n    Mr. Marino. Thank you. I now my recognize myself for my \nquestioning, and thank you for being here, sir. Assume that I \nam back down near in my position where the Marino thing is, and \nthe gentleman to my left, Trey Gowdy, former Assistant U.S. \nAttorney. The gentleman to my right, the former judge from \nTexas, Judge Poe and myself. And I am going to include you in \nthis because you would not be where you are at if you were not. \nThere is no one in this room that is more law enforcement than \nthe four of us in our careers, and I thank you for your service \nto this country in law enforcement and prosecution. I read your \nstatement, thoroughly, and I agree with you.\n    Your first issue, cross border access. We all know how \nincredibly important that is. Your second issue, current rules \ngoverning access to data in other countries. Again, another \ncomplicated issue that we must deal with, and your third issue \nof the possible legislation. While it is not possible \nlegislation from my perspective, it is going to be legislation \nfrom my perspective. We are talking about dealing with 2016 \nissues based on a 1986 law, ECPA, which we are talking about \ndata collection when we did not even--when that law was \nimplemented, we barely had these. We did not have this, we had \nsuch a model that my mother still likes to use, just the flip \none with the big buttons.\n    So let me ask you this, if you would please? You talked \nabout treaties, and of course the SCA. Would legislation not \nmake life simpler if we got a consensus on the legislation, \ninstead of having 194 different agreements with countries or \nreferring to a law that is, what, 30 years old?\n    Mr. Bitkower. So certainly, sir, we would not contemplate \n194 different agreements. We think this agreement would be \navailable to a very small set of countries, at least at the \nbeginning.\n    Mr. Marino. Okay. At least in the beginning. But okay, you \nstart out with two countries, and then you go to six, and then \nyou go to 16, and then you go to 60. These countries are not \ngoing anywhere, and the electronic age is going to continue to \nexplode. So why not have definitive legislation? Do you think \nthat justice should be legislating or interpreting a 1986 law, \ninstead of a 2016 Congress legislating what is important to law \nenforcement, without tying the hands of law enforcement, but \nalso with having a law--a rule of law that we can agree on with \nother countries once we get established here in the \nlegislature.\n    Mr. Bitkower. So I fully agree with you that there is an \nimportant role for legislative change here and legislative \nchange would absolutely be necessary to enable us to take down \nthese conflicts of laws in carefully targeted ways. The way we \nanticipate it working is that Congress would act by \nestablishing the parameters for an agreement, and then we would \nbe able to fit particular countries in that agreement if they \nqualify.\n    Mr. Marino. I do not get that from reading DOJ information. \nI am getting that DOJ does not like the LEADS act.\n    Mr. Bitkower. Well so, to be clear sir, even under the \ncontext of a bilateral agreement of the type we are discussing \nin the United Kingdom, that sort of agreement presupposes both \nthe United States and for the United Kingdom the ability to \ncompel the production of data that might be stored abroad.\n    Mr. Marino. My point exactly then. Would legislation not \nsimplify that matter? And when you have a direct source of law \nthat we could point to when we need to. Let me pose a scenario \nto you. Assume there is a company with a presence in Brazil. \nOne of our companies, a presence in Brazil. And the Brazilian \nGovernment wants some of that information, they issue a \nwarrant, but that warrant would violate U.S. law. What do we \ndo?\n    Mr. Bitkower. That is a serious situation of course. That \nis one we face in real life. That is not a hypothetical \nsituation.\n    Mr. Marino. Okay. But would legislation not then address \nthat issue? Good concise legislation working closely with \njustice and the private sector from a law enforcement \nperspective. Would that not be the approach to take?\n    Mr. Bitkower. Yes. I do not want to speak to any particular \ncountry obviously, because there is a wide variety of----\n    Mr. Marino. Neither do I. That is why I keep going back to \nlegislation. And it is Congress' role to legislate. And looking \nback at a 30-year law based on where we are today, I do not \nthink is logical. So at no time I do not think, at least I do \nnot know that Justice even called my office, called Ms. \nDelBene's office, called the Chairman to discuss LEADS. We \nwould like to do that; we want input from Justice on these \nissues.\n    So again, I thank you for your service, but the point I \nwant to get across is Congress legislates, and I yield back my \ntime. The Chair now recognizes Congressman Jeffries from New \nYork.\n    Mr. Jeffries. I thank the Chair for yielding, and for your \nleadership in putting forth the LEADS Act and on this very \nimportant issue. And I thank you for your testimony here today. \nThe law is currently silent as to whether the DOJ can compel a \nU.S. company to produce the email content of a non-U.S. citizen \nwhen the server is in another country. Is that correct?\n    Mr. Bitkower. So, we would not agree with that, sir.\n    Mr. Jeffries. Okay. But the Stored Communication Act is \nsilent on this issue, correct?\n    Mr. Bitkower. So, we would agree that the Stored \nCommunication Act does not address that through tax, that is \ncorrect.\n    Mr. Jeffries. Okay. And in light of this silence, the \nDepartment of Justice has chosen to take the broadest possible \ninterpretation as to what its authority can be. Is that right?\n    Mr. Bitkower. Well respectfully sir, there are court \ndecisions on the matter, and we are following those decisions.\n    Mr. Jeffries. Okay. Now do you agree that Congress, in \nlight of the silence that you have acknowledged at least as it \nrelates to the Stored Communications Act, should step into the \nvoid to clarify the situation for all parties involved?\n    Mr. Bitkower. So again sir, we think Congress did act, and \nCongress legislated against a backdrop of which the government \ncould compel the production of documents from abroad. So we \nthink that already occurred. Obviously we will see how the \ncourts come out on these issues, and it may be the case that \nfor the legislation might be helpful.\n    Mr. Jeffries. So at the end of the day, in the absence of \ncongressional action, at least as it relates to the specific \ncircumstance that I laid out, is it fair to say that we could \nput a United States company in the position of providing email \ncontent located internationally as it relates to a non-U.S. \ncitizen in violation of another country's laws. Is that a \npossibility, sir?\n    Mr. Bitkower. That is a possibility.\n    Mr. Jeffries. Okay. Now in the 21st century we live in a \nglobal economy. Is that right?\n    Mr. Bitkower. Yes, sir.\n    Mr. Jeffries. Okay. And compelling United States companies \nto violate, potentially as you have acknowledged, United States \nlaw by disclosing email content of non-U.S. citizens could \npossibly place United States businesses at a competitive \ndisadvantage. Is that correct?\n    Mr. Bitkower. Sir, the way I would answer that question is \nto say, again, for many decades ,we have engaged in the \nenforcement of our laws, and that often results in us trying to \ncompel records from companies which store those records abroad. \nThis is not a new issue, it is not unique to the SCA. It is not \nunique to the United States. In fact most countries, or many \ncountries at least, have similar provisions in their law that \nauthorize them to seek evidence that may be stored abroad.\n    Mr. Jeffries. There is at least a possibility that by \ncompelling a United States company to violate international \nlaw, as you have acknowledged, is potentially the case here, \nthat that could place a United States company as a competitive \ndisadvantage. Yes or no?\n    Mr. Bitkower. So to be clear, I did not say to violate \ninternational law, I said it is possibly the conflict with the \nlaw of another country.\n    Mr. Jeffries. The law of another country.\n    Mr. Bitkower. Yes.\n    Mr. Jeffries. Correct.\n    Mr. Bitkower. So that is correct. It could absolutely put \ncompanies in a situation conflict to legal obligations.\n    Mr. Jeffries. Okay. Now, and that could in my view I think \nin the view of many reasonable people place them at a \ncompetitive disadvantage, which I think could undermine the \nUnited States' national interest economically. And in fact I \nwould just point out that Article I, Section 8, Clause 3 of the \nUnited States Constitution states that Congress shall have the \npower to regulate commerce with foreign Nations. Are you \nfamiliar with that clause?\n    Mr. Bitkower. Yes, sir.\n    Mr. Jeffries. Now I think that the Founding Fathers in \ntheir great brilliance understood that Congress should be the \nentity to decide how to properly balance United States' \ninterests across the legal, economic, constitutional spectrum. \nTrue?\n    Mr. Bitkower. Congress certainly has that authority, sir.\n    Mr. Jeffries. So is it not correct that Congress should act \nin this specific circumstance where you have acknowledged at \nleast that there is silence? Some ambiguity in order to clarify \nthis very complex situation.\n    Mr. Bitkower. So, again sir, I do not think there is \nambiguity in terms of how the statute works today. Certainly we \ndo welcome the opportunity to work with Congress in addressing \nthe very conflicts of laws you were talking about. Our concern \nis simply if we address them in a way that unilaterally strips \nU.S. law enforcement authority and does not address the \nsituation of foreign law enforcement authority, that is not the \napproach we are seeking, but we do think there is definitely \noptions that Congress can work on here.\n    Mr. Jeffries. Okay. Lastly I would point out, and I think \nmy colleague Darrell Issa began this line of inquiry, I think \nit was very important, the U.S. has a history of respecting the \nsovereignty of other Nations when conducting criminal \ninvestigations in the context of extradition treaties. Correct?\n    Mr. Bitkower. Yes, sir.\n    Mr. Jeffries. And we have got extradition treaties with \nabout 120 Nations. True?\n    Mr. Bitkower. I do not know the exact number.\n    Mr. Jeffries. Including Mexico, correct?\n    Mr. Bitkower. That is certainly true.\n    Mr. Jeffries. Are you familiar with El Chapo?\n    Mr. Bitkower. I am, sir.\n    Mr. Jeffries. He is an international drug dealer. Correct?\n    Mr. Bitkower. Yes, sir.\n    Mr. Jeffries. Seven United States jurisdictions have \ncurrently criminal charges pending against him, including \nmurder. True?\n    Mr. Bitkower. Yes, sir.\n    Mr. Jeffries. Would you conceive of a circumstance where \nthe United States, in violation of its treaty with Mexico, \nwould go across the border, snatch El Chapo, and bring him back \nto justice, notwithstanding the serious United States interest? \nWould you conceive of that circumstance?\n    Mr. Bitkower. No, sir, I could not.\n    Mr. Jeffries. Okay. And if we would not do it in such a \nserious situation, for the life of me, respectfully, I cannot \nfigure out why Congress should not step into this vacuum that \nexists as it relates to email content and respecting the \nprinciples of comity and the competitive disadvantage that will \nreplace the United States companies and which would undermine \nour national economic interests. I yield back.\n    Mr. Marino. Thank you. The Chair now recognizes the \ncongressman from Georgia, Mr. Collins.\n    Mr. Collins. Thank you, Mr. Chairman. I think at this point \nI am just going to have a few questions. But I do not agree \nwith the Chairman. I mean, from my background, I think this has \nbecome the new discussion over the years, as, you know, yes, \nthere are many Members who are prosecutors on those, judges on \nthis. I take it from a little different perspective.\n    I am the son of a State Trooper from Georgia. As I have \njokingly said, I have fought the law on many occasions, and I \nlost most of the time, but the issue here is not an issue of \nlaw enforcement. This is an issue of where are we at in 21st \ncentury privacy, where are we at in a 21st century and digital \nenvironment, and why do we continue many times to continue to \nhold to issues that really need to be updated? I would agree \nwith my friend from Texas, the judge, and I would agree with my \nfriend from New York and also Washington. The LEADS Act, \nalthough it seems to be in some of the questions and some here \ntends to denigrate this LEADS Act, I think that something needs \nto be done and something that we need to put our companies and \nthe world on notice on how we are going to do this.\n    ECPA also was another issue which is again baffling to me. \nAnd I know it has been said that well 300 Members could be \nwrong. Well yeah, I agree, this is Congress, but I think 300 \nMembers also have a pretty good idea that something is not \nright too. And to continue to hold this out is a frustration, \nbut especially from DOJ's position.\n    And in the Second Circuit Court of Appeals, I think it is \nthe Microsoft case, as we work on this, the DOJ lawyer argued \nin the case that it does not--that ECPA does not apply to \ndisclosure of information abroad. Even if the information to be \ndisclosed is private email correspondence of a U.S. citizen.\n    In other words, the Department argued that U.S. citizens' \nemails have no privacy protection under ECPA outside the U.S. \nThey were pressed on this issue by the court, and the court--\nthe DOJ attorney said the result should be of some concern to \nU.S. technology users, but suggests this is the norm, was his \nwords. Or their words. I am concerned about the Department's \nposition. I reject this notion that this is the new norm, and \nin fact, I think Congress is speaking in to say Congress the \nsilence on this is not accurate in this environment. But I just \nwant a clarification.\n    Do you agree that ECPA does not provide or protect email \ncommunications even if sent and received within the U.S. from \ndisclosures abroad?\n    Mr. Bitkower. Thank you, Congressman. So I think it is \nimportant to distinguish between two different provisions of \nECPA. The provisions at issue in the Microsoft case generally \nare the provisions in 2703, which relate to the United States \ngovernment's authority to compel a provider that is already \nsubject to our jurisdiction to compel records that are in its \ncustody or control. The provisions I think you are talking \nabout now are the ones contained in 2702, which prevent a \nprovider from disclosing content except in certain limited \ncircumstances.\n    Mr. Collins. Well, let's go there, because there is a \nconcern there, because what it seems to be, and again, you--it \nis your time to clarify. It seems that what the Department of \nJustice is not seeing is that they are trading private emails \nof technology users as a business record of a service provider. \nThat is a leap.\n    Mr. Bitkower. So, certainly, sir, that is not the standard \nthat we are applying. The standard we are applying when it \nrelates to our ability to compel----\n    Mr. Collins. But you have taken that position in \nlitigation.\n    Mr. Bitkower. No, that is not precisely correct, sir.\n    Mr. Collins. Okay. Elaborate.\n    Mr. Bitkower. I would be happy to clarify, sir. So, the \nprecedent we have taken is that a long line of cases stretching \nback over 30 years allows us to compel companies that are \nsubject to our jurisdiction to produce responsive materials \npursuant to lawful process, even if they may be stored abroad. \nNow if that production produces a conflict of laws, there is \nfurther work to be done. There is further work to be done both \nby us in discussing it with the company and by the courts if \napplicable.\n    The question I think that you are raising now about whether \na company is free to disclose information is a slightly \nseparate question. And that is if a company, American or \notherwise, stores data abroad, then the protections of 2702 may \nnot apply. That is, that company, irrespective of what DOJ does \none way or the other, may be free to disclose that information \nto a foreign government or to any other person. The provisions \nof ECPA have simply been interpreted not to apply as it regards \nto 2702, which protects the information.\n    Mr. Collins. I think at this point in time, in the effort \nto defend the what if, I think DOJ has had some contorted \npositions in this. And I think understandably you have a job to \ndo, you feel this is the best way to do your job. I think this \npanel, if you have heard today, has some very different \nopinions on how that actually is playing out in the real world, \ndealing not only with businesses and the cross country data \nflows and other issues, but also just the issues of privacy and \nthe issues of when this is. And again, when you get that to a \npoint of, you know, whether the company can disclose or not, \nand it being a business record of a company which has nothing, \nthere is some concern there.\n    So we are going to continue this hearing, I appreciate your \nservice, but the LEADS Act and ECPA need to move forward, and \nthis needs to be--have a debate. It is not up to an executive \nagency to determine law or intent. It is up to this Congress to \ndo so. We are doing that, and I think that is where it needs to \ngo. And with that Mr. Chairman, I yield back.\n    Mr. Marino. Chair recognizes Congresswoman Jackson Lee from \nTexas.\n    Ms. Jackson Lee. Thank you very much. I was very pleased to \nlisten to a sizeable part of the exchange, and Mr. Bitkower, I \nthank you for your service representing this Nation and the \nDepartment of Justice. But as I listen to the series of back \nand forth, I think one of the things that I want to restate for \nthe record is the large gap of response by Congress, in \nparticular the passage of the Electronic Communication Privacy \nAct in 1986.\n    I guess I am in awe, and I might use the term appalled, \nthat there is that large, enormous gap that has lasted on a \nnumber of issues. Then a state for the record that the SCA was \nnot designed for international application, and ECPA does not \npermit providers to disclose information directly to a foreign \nlaw enforcement agency, even when the agency is investigating \none of its own citizens. I think we had as an example what a \npolice officer would do, 20 years ago in the United Kingdom, \nwhat they might need to do now, which is to ask for the \ninformation.\n    I also want to put into the record the dilemma that \nMicrosoft faced. Their case is now pending. They answered part \nof it, Microsoft produced a non-content information. But they \nmade the argument I think legitimately when the other material \nwas stored in Dublin, Ireland. And so we find ourselves in a \ndilemma that must be answered. And what I would like to see is \nthat we answer it with DOJ, even as we move legislation \nforward.\n    And so I am going to ask process questions, and what you \nare seeing in the day-to-day operations of the Department of \nJustice. So I will just ask the question. One, is it obvious \nthat you are seeing a massive increase of requests for data \ninternationally?\n    Mr. Bitkower. Thank you, Congresswoman. We are seeing a \nmassive increase of requests for----\n    Ms. Jackson Lee. Well if massive takes you back, you are \nseeing an increase in requests coming in.\n    Mr. Bitkower. I would say massive, Congresswoman.\n    Ms. Jackson Lee. All right. I had the right----\n    Mr. Bitkower. We have seen a massive increase in this, \nparticularly for digital evidence.\n    Ms. Jackson Lee. And as I see, part of the process in \nparticular, some of the processes under the DOJ requires a \nrequest to come into the international office, and then it gets \nspread out to U.S. attorneys across the Nation. Already I am \noverwhelmed by just the process of it having to leave you, \nheadquarters, and reach to places beyond and find offices of \nvarying sizes that have to respond.\n    So let me just get a more detailed response from you. Do \nforeign law enforcement officers ever attempt to obtain data \nthrough faster, informal channels? Do they call their \ncolleagues in the FBI or the NSA for a faster result?\n    Mr. Bitkower. So there are a range of methods of \ninternational cooperation. Each one of them must obviously \nfollow the law, but certainly there are occasions where we can \nshare information on a more informal basis. If consistent with \nthe law, of course.\n    Ms. Jackson Lee. The question implied that maybe there was \nthe normal collegiate responses, and so you cannot attest here \ntoday that that does not happen. I hear what you are saying, in \ncompliance with the law, but----\n    Mr. Bitkower. That is correct.\n    Ms. Jackson Lee [continuing]. Because the law is so--I \nwould say it does not answer the questions, it could be \npossible that relationships and people's interpretation of the \nlaw, information could just be given or access could be given.\n    Mr. Bitkower. Well again, certainly Congresswoman, \ninformation relating to law enforcement threats is shared every \nday by police forces around the world. When it comes to \ncompelling data from a provider, then there needs to be a legal \nprocess, and that legal process has to be obtained either under \nthe law of the United States pursuant to if it is content a \nprobable cause standard, or if under the law of a foreign \njurisdiction. What we are trying to do here is eliminate some \nof the obstacles and burdens that are created when one country \nhas to go through the processes of another country in order to \nget that information.\n    Ms. Jackson Lee. And particularly when it involves the \nproviders. Let me ask, one of the chief concerns underlying \nthis discussion is the move toward data localization laws in \nother countries. And so, would you explain why the current \nenvironment has motivated some countries to try to balkanize \nthe internet in this way, with respect to the data \nlocalization?\n    Mr. Bitkower. Yes, thank you very much. So one of the \nconcerns we have seen with regard to the new world of cloud \ncomputing and international data storage is that countries make \nrequests that may be legitimate under their own laws for data \nthat happens to be stored in another country, perhaps in the \nUnited States. If they cannot get those requests fulfilled in \nan efficient manner under their own law, then there is an \nincentive for them to mandate that that data be stored in their \nown country, so they do not have to go through these cumbersome \nprocesses, whether it is with U.S. or another country.\n    So one of the goals of the framework we are discussing \ntoday is to try to eliminate those incentives, but in a very \ncarefully targeted way that protects privacy and civil \nliberties, and only for countries with an established rule of \nlaw system.\n    Ms. Jackson Lee. Would you say that legitimate major \ncompanies, many of them creating genius through intellectual \nproperty, created here in the United States, become the tennis \nball, the batting ball, and they become batted from one place \nto another? I hesitate to say that they are victims, but in \nessence, are they batted from one place to the next under the \npresent structure that we now have?\n    Mr. Goodlatte. The time of the gentlewoman has expired, but \nthe witness will be permitted to answer the question.\n    Mr. Bitkower. Thank you. So yes, in particular, the \nrequests by foreign countries for data stored within the United \nStates, that is correct.\n    Ms. Jackson Lee. And so we need a fix.\n    Mr. Goodlatte. The gentlewoman's time has expired.\n    Ms. Jackson Lee. I yield back, thank you, Mr. Chairman.\n    Mr. Goodlatte. The Chair recognizes the gentleman from \nColorado, Mr. Buck, for 5 minutes.\n    Mr. Buck. Thank you, Mr. Chairman. Mr. Bitkower, I assume \nthat as a United States citizen, you would agree with me that I \nam afforded certain protections by our Constitution and laws.\n    Mr. Bitkower. That is correct, sir.\n    Mr. Buck. And that an individual in Ireland would be also \nafforded certain protections by their laws?\n    Mr. Bitkower. Yes sir.\n    Mr. Buck. And we have a treaty between the United States \nand the United Kingdom that recognizes those protections, and \nboth countries agreed to.\n    Mr. Bitkower. Both the United Kingdom and with Ireland, yes \nsir. Separate treaties.\n    Mr. Buck. Excuse me. And when the Department of Justice \ngoes around that treaty, you have made a decision that--and I \nassume it is fair to say that you went around the treaty by \ngetting information in the Microsoft case outside of the \nprocesses created by that treaty.\n    Mr. Bitkower. So I would actually disagree with that, sir. \nThe treaty between the United States and Ireland, first of \nall--let me back up. At the time the request was made in the \nMicrosoft case, the Department of Justice had no knowledge that \nthe data was stored in Ireland. Typically we would not be aware \nof that information unless we were told by the provider after \nit happens.\n    Mr. Buck. Did you withdraw your request when you learned \nthat the information was stored in Ireland?\n    Mr. Bitkower. So that brings me to the second point, sir, \nwhich is that many mutual legal systems treaties do not require \nthat they are the exclusive mechanism for getting data from one \ncountry to another. They are one option.\n    Mr. Buck. Well, is there a just kidding clause in that \ntreaty? Is there something in the treaty that says, ``Well you \ndo not really have to follow the treaty? You can do anything \nyou want, this is just one way of getting information.''\n    Mr. Bitkower. Well, so in essence, sir, the treaty does \nstate as one way of getting information necessary. It is not \nthe only way of getting information.\n    Mr. Buck. And so, does the Department of Justice recognize \nthe situation you have put American corporations in across the \nworld when you go around treaties and use a completely separate \nprocess? Why would any country want to do business with an \nAmerican corporation if America has access to that information \nall across the world?\n    Mr. Bitkower. So again sir, I have to emphasize that we do \nnot go around treaties if those treaties do not require that \nthey have the present mechanism.\n    Mr. Buck. You said you used a different process to get \ninformation.\n    Mr. Bitkower. That is correct. That is correct.\n    Mr. Buck. Now that is not going around the treaty?\n    Mr. Bitkower. It is not, sir. The treaty does not require \nthat it be the exclusive mechanism for the transfer of data.\n    Mr. Buck. So answer my question. Do you recognize the \nsituation you have put American corporations in across the \nworld?\n    Mr. Bitkower. So if our actions did create a true conflict \nof laws, we would recognize that as a serious problem, yes sir.\n    Mr. Buck. I did not ask about conflict of law. We are \ntrying to do business with other countries. And if the \nDepartment of Justice has a way of going around a treaty and \ngetting information from an American corporation for an Irish \ncitizen on an Irish server, why would any country want to do \nbusiness or any citizens of any country want to do business \nwith American corporations?\n    Mr. Bitkower. So again sir, I need to specify. The \ndiscussion in terms of the Microsoft case did not necessarily \ninvolve an Irish citizen or a person in Ireland. It is data \nthat happens to be stored in Ireland. It could belong to--as \nfar as the record is clear, a citizen of any country, including \nan American citizen. That is said, the only fact we know about \nit from the record of that case is that the company has chosen \nto store that information in Ireland.\n    If, for example, it belongs to an American citizen, or a \ncitizen committing a crime who is located in America, I think \nwe would all agree that the United States has legitimate \ninterest in obtaining that information as expeditiously as \npossible so long as it follows----\n    Mr. Buck. Are you going to answer my question? Why would an \nAmerican company--why would anybody want to do business with an \nAmerican company overseas if the United States has access to \nany information it so chooses by going around a treaty?\n    Mr. Bitkower. So again, sir, if there is a conflict of \nlaws, we would take that seriously. And if that is brought to \nour attention, we absolutely will do everything we can to avoid \na----\n    Mr. Buck. I am not talking about the laws, though. I am \ntalking about the competitive disadvantage you are placing \nAmerican companies in.\n    Mr. Bitkower. So my understanding is of what we have heard \nfrom companies is certainly the competitive disadvantage, if \nany, comes from the fact that they are placed in conflicting \nlegal obligations. That is one country tells them to do one \nthing, another tells them to do another. If that comes to our \nattention, we take it seriously, and American law already also \ntakes that seriously.\n    The situation we are talking about now is, however, where \ndata may be stored in a country with no connection to that \ncountry other than the fact that it is chosen to be stored \nthere. It could be the information of vital importance to the \nUnited States, and information with very little connection to \nIreland. And in that case, we just need to have a mechanism to \nmake sure we can get that data to the United States to protect \nAmerican citizens.\n    If it turns out there is a conflict of law at any point, if \nthat is brought to our attention by the company or by the \ncountry itself, then obviously we would have further work to do \nand further discussions to be had. I want to clarify, that has \nnot happened in the Microsoft case.\n    Mr. Buck. If Microsoft is put in a position where--or any \nAmerican company--and frankly what is most bothersome to me is \nMicrosoft has the resources to battle with the Department of \nJustice. A startup company, a company with 10, 12 employees in \na similar situation would just cave. The coercive effect of the \ngovernment would be placed on a company like that, and they \ncould not--they do not have the resources to fight the \nDepartment of Justice. But in this situation, a foreign citizen \nwould not want to do business with a U.S. company if that U.S. \ncompany is forced by the U.S. Government to turn over \ninformation that is located in that foreign country. And I am \nconcerned about that.\n    Mr. Bitkower. So again sir, that is the very purpose of the \nU.S.-U.K. framework that we are trying to explore now, is to \nfind the ways of eliminating those conflicts of laws, prevent \nany competitive disadvantage to our companies, but do it in a \ncareful way that allows the different investigations to take \nplace, both on our behalf and on behalf of foreign governments \nin a way that it respects privacy.\n    Mr. Buck. I yield back, thank you, Mr. Chairman.\n    Mr. Goodlatte. The gentlewoman from California, Ms. Chu, is \nrecognized for 5 minutes.\n    Ms. Chu. Mr. Bitkower, the process to exchange data under \nthe MLAT process has been criticized as being slow and \ncumbersome, with requests taking average 10 months to fulfill. \nYou argue that the MLAT is also unreliable, given that our \ncountry does not have MLATs with about half of the countries in \nthe world. And some countries exclude certain categories, or do \nnot cooperate at all. Is this occurring because they believe \nthe MLAT process is too slow, or do they not believe in this \nprocess at all?\n    Mr. Bitkower. So again, the MLAT process faces a variety of \nchallenges. You have identified some of them. That is, even if \nwe have a fully functioning MLAT relationship with another \ncountry, it will take many months at best to get that \ninformation. And as you point out, we may never get it at all, \nand that is even when we have a treaty, and as you point out \nagain, for about half the world, we do not even have such a \ntreaty, so in those cases, the requirement to rely exclusively \non MLAT channels would end investigations.\n    Ms. Chu. Well, you have referred to the proposed deal \nbetween the U.S. and the U.K., and providers under this deal \ncould disclose data directly to the U.K. for serious criminal \nand national security investigations when the U.K. obtains \nauthorization to access the data under its own legal system. \nWhile the courts may have provisions to protect individuals' \nprivacy rights, other countries may not. If we use the U.K. \nagreement as a model, what steps will the Department of Justice \ntake to ensure that there are sufficient protections for \nprivacy and civil liberties moving forward?\n    Mr. Bitkower. Thank you Congresswoman. So that is an area \nwhere we would hope to work very closely with Congress in \nsetting up exactly what those adequate baselines are for \nprotecting privacy and for protecting civil liberties, and we \nwant to make sure that any country we choose to negotiate an \nagreement with fits into that category based on its own legal \nframework. It does not require that it exactly mirror the \nAmerican framework certainly, and if it did require it, then no \ncountry would quality, but it does require that the country \nhave those adequate protections.\n    Ms. Chu. And what kind of enforcement mechanisms could you \nput in place to ensure that that they would comply with, with \nprivacy terms as well as other terms of the bilateral \nagreement?\n    Mr. Bitkower. So again, we are obviously at the early \nstages of discussing what these agreements would look like and \nwhat the legislation would look like. We would certainly \nanticipate that there would have to be a mechanism to provide \noversight of the agreement to make sure that it is being \napplied correctly.\n    Ms. Chu. And if the bilateral agreement approach is taken \nby the U.S., how do we determine whether or not a country is an \nappropriate partner? For example, how many of the witnesses \nhave discussed about a country's policy on human rights. How do \nwe evaluate that consideration and whether the country meets \nthat requirement?\n    Mr. Bitkower. So that would be a topic for close and \nongoing conversation, I think, between us and Congress \ncertainly. There are a number of factors we would look at. We \nwould look at the system as a whole certainly, but with \nparticular regard to its surveillance laws. We would want to \nmake sure that there is a rule of law framework in place and \nappropriate procedural and substantive protections for privacy \nand civil liberties.\n    And these are areas of course, it is easier in cases like \nthe U.K. where it is a longtime ally with a long democratic \ntradition with whom we have actually had a very long MLAT \nrelationship as well. So we have a certain knowledge and \nvisibility about how their system works, and I think that would \nbe helpful in the process.\n    Ms. Chu. And with a country that is not as clear as the \nU.K., what would you do?\n    Mr. Bitkower. So a country that is not as clear as the U.K. \nmight not qualify at the end of the day, and that is just a \nfact. So we would have to make sure that the country, whatever \nits laws are, that we get good visibility into what those laws \nare. Not just what the laws are on the books, but how they are \napplied in practice, and to make sure there are those \nappropriate protections in place before we would consider such \nan agreement.\n    Ms. Chu. Okay. Thank you. I yield back.\n    Mr. Goodlatte. The Chair recognizes the gentleman from \nRhode Island, Mr. Cicilline, for 5 minutes.\n    Mr. Cicilline. Thank you Mr. Chairman. Thank you, Mr. \nBitkower. I want to just pick up on something you just said. \nYou said in your testimony that the MLAT is not the only way of \ngetting information. It is not the exclusive way. I just want \nto challenge you on that for a moment. It is in fact the \nagreement by which we set out a procedure for the sharing of \ninformation. That is the purpose of the treaty.\n    Mr. Bitkower. So all MLATs are different, and some of them \nhave different provisions, but MLATs are generally one method \nof exchanging information. They are not typically the exclusive \nmechanism.\n    Mr. Cicilline. But I mean, is not the purpose of the treaty \nso that both parties to a treaty have an understanding about a \nprocess that will be followed for a particular activity? And \nthat is the whole purpose of it, otherwise what would be the \npurpose of having an MLAT if it were not in fact the \nexpectation of both parties that this process be followed in \nthe sharing of information?\n    Mr. Bitkower. Well, so again, sir, every treaty is \ndifferent. Typically the treaties make sure that a process is \navailable to be followed in the case of a need in the \nrequesting country.\n    Mr. Cicilline. And with respect to the negotiations with \nthe United Kingdom, what is the exact status of that \nnegotiation, and what action will be required by Congress \naccording to you, if any, if that agreement is successfully \nconcluded?\n    Mr. Bitkower. So, thank you, sir. The negotiations began, I \nthink as you know, fairly recently, where we received formal \nauthority to begin those negotiations within the last month or \nso. We have been hard at work in seeing what an agreement would \nlook like, but we absolutely recognize that action by Congress \nwould be necessary to make this project feasible in the first \ninstance, both to lower in a targeted fashion the legislative \nbars that are present in our own law, and also to set up the \nframework to determine which countries would be eligible to \njoin such an agreement.\n    Mr. Cicilline. And so, to use this example again of British \nlaw. As you know, British law is not always compatible with \nU.S. law, particularly in the areas of due process and probable \ncause determinations. And if you think about the requirements \nwe have in this country in terms of judicial review, a concept \nwhich is not omnipresent in the British system, how do you \nsquare some of those standards and practices? And that is a \ncountry that I think most people would agree might have more \ncompatibility than many other countries. How do you make those \ndeterminations so that we can be certain those very deeply held \nvalues are reflected in this process?\n    Mr. Bitkower. So I think that is the key question, and it \nis one that we will be grappling as we go forward. I think it \nis important on the one hand that we do not require that the \nother countries' legal processes exactly mirror our own, or \nelse no country would ever qualify of course. We have some of \nthe highest privacy protections in the world, and we are proud \nof those, and justifiably so, and we want to make sure that \nother countries have substantial protections and legitimate \nprotections, but we cannot demand that they have the exact same \nlegal standards for every sort of process along the way. Some \nof them have lower standards in one area and higher standards \nin another, and they have their own checks and balances within \ntheir own system.\n    So the U.K. is a country with which we have a great \nfamiliarity. As I said before, a very long democratic \ntradition, a tradition of rule of law. We are comfortable with \nunderstanding how their system works. As I mentioned earlier, \nthey have also introduced a new investigative powers bill which \nwould introduce further reforms. So we will have to keep \nlooking at that as it goes forward. We will make any evaluation \nat the time when the legislation is prepared.\n    Mr. Cicilline. But Mr. Bitkower, I think it is very clear \nthat most of us on the Committee recognize that there is an \nimportant role for Congress to play in this. And if you have \nalready answered this, I apologize, but it seems particularly \ndisturbing that in light of the complicated nature of this and \nthe important role of Congress should be playing that many of \nus learned about this from reading it in a news account. And I \nam just wondering, what was the reason that you would not have \nengaged Congress more as you developed or thought about the \ndevelopment of framework, so that we might have some alignment \nof what ultimately Congress might intend to do in this area?\n    Mr. Bitkower. So again sir, I want to make clear that we \nonly very recently began negotiations with the U.K., and only \nvery recently, in fact, we received permission to do so through \nthe intergovernmental process. So we tried to notify this \nCommittee as soon as we possible could once those negotiations \nstarted. It was approximately the same exact week, I believe, \nthat the Washington Post article came out.\n    We have tried to make ourselves available to brief this \nCommittee and others. We expect to continue to do so, and there \nis no question that we fully respect the essential role that \nCongress has to play in these agreements.\n    Mr. Cicilline. Thank you. I yield back.\n    Mr. Goodlatte. The Chair thanks the gentleman. The \ngentleman from California, Mr. Peters, is recognized for 5 \nminutes.\n    Mr. Peters. Thank you, Mr. Chairman. I want to thank you, \nsir, for your patience and for hanging in there. I think you \nhave answered the questions very clearly. As I understand it, \nyou are following the law as was passed in 1986 and interpreted \nby the courts. I am not sure what else we would ask you to do. \nYou have been admonished or exhorted by a number of Members of \nCongress, that Congress should act.\n    I am not sure what you are supposed to do about that \neither. These are all Members of Congress, maybe they are \nresponsible for amending the laws if we see a need to do so, \nbut I appreciate how you have illuminated the issues. But it \nwas a little bit Alice in Wonderland-y to hear them lecturing \nyou about why Congress should take some action, because they \nare Congress Members.\n    But I would say your testimony spells out pretty long \ndetail of some concerns about the LEADS Act. I apologize, I do \nnot have the testimony that you refer--cross reference about \nthe ECPA amendments that are proposed, but maybe you could just \ntake a few minutes to sort of outline what your main issues \nare. And then I would like to know kind of how you think it \nwould be most constructive given the discussion we have had \nabout the negotiations with Britain, that this Committee might \nengage you in talking through some of those issues so that we \ncould actually update the law to reflect not both privacy \nconcerns--both privacy concerns as they are 30 years on, but \nalso security concerns.\n    Mr. Bitkower. So thank you, Congressman. I will begin with \nthe ECPA related proposals, and I am concerning to make sure \nyou get a copy of the testimony we submitted in connection with \nthat hearing. But as we have said in that testimony and \nelsewhere, the Department absolutely recognizes that some of \nthe provisions of ECPA have not kept pace with the way \ntechnology is used today, and the way people think of their \nemails.\n    And we are certainly open to a change that would require a \nwarrant when criminal law enforcement authorities seek to \ncompel the content of emails, whether they are older than 180 \ndegrees, newer than 180 degrees, whether they have been opened, \nwhether they have not been opened. We are certainly open to \nthat change. We do have a concern that any change in law create \nan accommodation for certain very limited civil investigative \nfunctions where a warrant is simply not available, because they \nare not criminal investigators.\n    Mr. Peters. That would be something of the SEC for \ninstance.\n    Mr. Bitkower. The SEC, I am talking about important civil \nrights investigations, anti-trust investigations. Things that \naffect important rights for Americans every day. We have a \nnumber of other concerns with the Email Privacy Act, which we \nare happy to provide further information on, but we do have \nsome concerns.\n    For example, in the area where it permits us to obtain \nrecords from a corporation, where a corporation provides email \nto its employees, there needs to be a mechanism and a \nfunctional mechanism where you can get those emails. \nTraditionally we do those investigations by subpoena, because \ntraditionally the employees do not have privacy rights in those \nemails, and we want to make sure that provision works well. And \nthere were a couple of other areas where the bill gives us some \nconcerns. But we are happy to work with this Committee and \nothers in making those understood.\n    Mr. Peters. Have you been in conversation with Committee \nstaff about these issues?\n    Mr. Bitkower. We certainly have, sir.\n    Mr. Peters. Okay. Well I appreciate that. And I thank you \nagain for your time. I am looking forward to the second panel. \nAnd I yield back.\n    Mr. Bitkower. Thank you.\n    Mr. Goodlatte. I thank the gentleman. Mr. Bitkower, we very \nmuch appreciate your testimony here this morning, and we can \nexcuse you at this time, and we will go to our second panel.\n    Mr. Bitkower. Thank you very much.\n    Mr. Goodlatte. We now welcome our second panel of \ndistinguished witnesses today, and if you would all please rise \nup, I will begin by swearing you in. Please raise your right \nhand. Do you and each of you swear that the testimony that you \nare about to give shall be the truth, the whole truth and \nnothing but the truth, so help you God? Thank you very much.\n    Let us let the record reflect that all of the witnesses \nhave responded in the affirmative. And we will begin our \nintroductions by recognizing the gentlewoman from Washington \nfor the purpose of introducing Mr. Smith.\n    Ms. DelBene. Thank you Mr. Chair. It is my pleasure to \nwelcome Brad Smith as a witness today. Brad serves as the \npresident and chief legal officer at Microsoft, and had joined \nMicrosoft in 1993 and became general counsel in 2002 and then \nwas made president and chief legal officer just last summer. He \nis responsible for the company's corporate external and legal \naffairs, and he is a graduate of Princeton University and the \nColumbia University School of Law. And it is great to have \nsomeone here from Washington State and we just want to welcome \nyou and thank you for being here. I yield back.\n    Mr. Goodlatte. Welcome. Our next witness is the Honorable \nMichael Chertoff. He is the executive chairman and co-founder \nof the Chertoff Group. From 2005 to 2009, Mr. Chertoff served \nas Secretary of the Department of Homeland Security. Federal \njudge of the U.S. Court of Appeals for the Third Circuit and \nAssistant Attorney General of the Department of Justice, \nCriminal Division. Mr. Chertoff is a graduate of Harvard \nCollege and Harvard Law School.\n    Our next witness, the Honorable David Kris, began his \ncareer with the U.S. Department of Justice serving as an \nattorney in the criminal division and then as Associate Deputy \nAttorney General. He went on to be deputy general counsel and \nchief ethics and compliance officer at Time Warner, \nIncorporated, as well as an adjunct professor of law at \nGeorgetown University and a non-resident senior fellow at the \nBrookings Institution. Mr. Kris currently teaches national \nsecurity law at the University of Washington Law School, and he \nis a graduate of Haverford College and Harvard Law School. \nHarvard Law School is well represented here.\n    Our final witness is Ms. Jennifer Daskal. Ms. Daskal is an \nassociate professor of law at American University, Washington \nCollege of Law where she teaches and writes in the fields of \ncriminal law, national security law and constitutional law. \nFrom 2009 to 2011, Ms. Daskal was counsel to the Assistant \nAttorney General for National Security at the Department of \nJustice and among other things, served as the Secretary of \nDefense and Attorney General-led Detention Policy Task Force. \nPrior to joining the Department of Justice, she was the senior \ncounter-terrorism counsel at Human Rights Watch and worked as a \nstaff attorney for the Public Defender's Service for the \nDistrict of Columbia. She earned a bachelor's degree from Brown \nUniversity, a master's degree from Cambridge University and not \nsurprisingly, a J.D. from Harvard Law School.\n    We welcome all of you. Your written statements will be \nentered into the record in their entirety and I ask that each \nof you summarize your testimony in 5 minutes or less. To help \nyou stay within that time, there is a timing light at the \ntable. When the light switches from green to yellow, you have 1 \nminute to conclude your testimony. When the light turns red, \nthat is it. You are done.\n    Mr. Smith, welcome. We are pleased to have you here, and \nyou may begin the testimony.\n\n  TESTIMONY OF BRAD SMITH, PRESIDENT AND CHIEF LEGAL OFFICER, \n                     MICROSOFT CORPORATION\n\n    Mr. Smith. Chairman Goodlatte, Ranking Member Conyers, \nMembers of the Committee, it is my pleasure to represent \nMicrosoft this morning. Today's hearing provides an important \nopportunity to address a critical issue--the growing conflict \nbetween countries and among laws that are affecting not only \ntechnology, but people's safety and privacy. I think the \nramifications of this issue are really illustrated by two real-\nworld examples.\n    The first is a case involving Microsoft a year ago in \nParis. The day after the horrific terrorist attack on Charlie \nHebdo, the French police using international legal process \nworked with the FBI and served on Microsoft lawful requests \nseeking the emails of the two terrorists that were at large in \nthe streets of France. Because the French used international \nlegal process, we at Microsoft were able to examine the orders, \ndetermine they were valid, pull the email and provide them to \nthe FBI and the French all in exactly 45 minutes. That was a \nday when the system worked. But unfortunately, that has become \nthe exception, not the norm. The norm is illustrated by the \nsecond example. A case involving Microsoft in Brazil; there, \nthe Brazilian police have in pursuit of a local suspect served \na local order requiring Microsoft to turn over content that is \nnot in Brazil, but is in the United States. And because U.S. \nlaw prohibits us from turning over some of this content, \nMicrosoft has had to refuse. The Brazilians have not turned to \ninternational process. They have not obtained the information \nthey need, but they have fined Microsoft, and they are pursuing \na criminal prosecution of one of our executives in Brazil for \nthe sole reason that we are comply with United States law.\n    And unfortunately, that kind of case is spreading. It is \nspreading because other governments, including the United \nStates government is using unilateral legal process rather than \ninternational legal process to obtain data around the world. \nNow, we appreciate that law enforcement needs information, \nsometimes located in other countries to do its job, but this \napproach to using unilateral process is causing concern around \nthe world. It is causing concern in other countries about \npeople's privacy rights. It is causing concern about whether \nother countries can even trust and use American products and \ntechnology. It is causing concern that is leading other \ncountries to enact new laws to block the very steps that our \ngovernment typically takes through unilateral search warrants.\n    Now, the good news is there are solutions at hand. There is \na solution in the form of Federal legislation modeled on \nsomething like the LEADS Act. There is a solution in the form \nof modernization of the mutual legal assistance treaties. There \nis a solution in the form of new international agreements that \nare designed and built for the 21st century. Like the one that \nis now being considered between the U.S. and the U.K. All of \nthis will require action across the executive branch, but it \nrequires action by Congress as well because all of these \nproblems have a root cause. Our law is old and has become \noutdated.\n    When Congress passed the Electronic Communications Privacy \nAct, when the House passed that bill by voice vote on June the \n23rd, 1986, Ronald Reagan was president, Tip O'Neill was \nspeaker, and Mark Zuckerberg was 2 years old. In the 30 years \nthat have followed, 125 million new Americans have been born. \nTechnology has moved ahead by leaps and bounds, but at least in \nthis field, the law has mostly stood still. I have here on one \nhand, and IBM computer that was first sold in 1986, and I have \nhere on the other hand, a Microsoft Surface that is for sale \ntoday. The computer that is for sale today not only connects to \nall of the world's information on the internet, it has 355,000 \ntimes as much storage capacity as the floppy diskette that one \nhad to use in this computer that was sold when ECPA was passed. \nThese two computers make the story clear. Technology has moved \nforward. Now, the law needs to catch up. Thank you very much.\n    [The prepared statement of Mr. Smith follows:]\n    \n    \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   \n    \n    \n    \n                               __________\n                               \n    Mr. Goodlatte. Thank you, Mr. Smith. Mr. Chertoff, welcome.\n\n  TESTIMONY OF THE HONORABLE MICHAEL CHERTOFF, CO-FOUNDER AND \n             EXECUTIVE CHAIRMAN, THE CHERTOFF GROUP\n\n    Mr. Chertoff. Mr. Chairman, it is good to be back. I am \nlooking at that IBM computer. It looks like what I have at home \nstill. I obviously would like to indicate that I am speaking \nhere in a personal capacity, although my firm does do work with \nMicrosoft and other tech companies in this area, and as I also \npreviously disclosed, I am of counsel with Covington and \nBurling, which is actually involved in representing Microsoft \nin this litigation. But whatever I am saying here really \nreflects my own views and no one else should be held \naccountable for them.\n    I think it is really important that this Committee have \nthis hearing, and that Congress get involved in legislating in \nthis area. The issues that surround the intersection between \nmodern technology and the law are frankly quite complicated. \nThey are quite technical, and even having been a Federal judge, \nI have to say I am not sure the Federal courts in the first \ninstance are the right place to resolve all of the competing \nissues in technical dimensions of these kinds of questions. \nNow, here, we are dealing with one aspect of this, which is as \nBrad Smith pointed out kind of dramatically--the amount of data \nnow which is--moves around the world and is held in this so \ncalled cloud dwarfs what was being confronted when ECPA was \npassed. And contrary to what maybe some people think, obviously \nwhen the data is in the cloud, it is not really in the cloud. \nIt is living somewhere in the world in a server, and the \nability to house it anywhere in the world and to move it around \nrapidly as possible really changes the dimensions of the \nquestion about where something is and who ought to have the \njurisdiction to compel it to be turned over.\n    I think we are seeing the issue of conflict of laws in \nthree areas. First substantive areas where different countries \nin parts of the world have different views about what gets \nprotected as private and what does not. Second, the question of \nprocess--different standards of process about what is required \nwhen a government seeks data, and finally, the problem of \nglobal companies that are often caught between different legal \nregimes and are damned if they do and damned if they do not.\n    And so, I think we do need to take the opportunity to look \nat rationalizing the law and particularly to the extent we can, \nglobalizing the law. Coming up with agreements and processes \nthat allow us to synchronize the law so that companies that are \nin the business of housing data are not caught between the so-\ncalled rock and a hard place. And I would suggest as I do in my \nstatement, just a couple of points about this.\n    First, I think to the extent we can have agreements or \nframeworks in a statute that lead to agreements, we ought to be \nfocusing on the citizenship of the accountholder and not where \nthe data happens to be located. Data location should be driven \nby engineering considerations, and not by desires to create \nlegal safe havens or to find places that are legally more or \nless hospitable.\n    The second thing I would say is if we are going to have \nagreements, we do need to make sure that the companies we are \ndealing with have process in place that is comparable to what \nwe require with respect to our own citizens when other \ncountries want to have data that is held over here. We do not \nwant to create a situation where we are jeopardizing the \nconstitutional rights of our Americans by simply in the pursuit \nof an agreement.\n    And finally, we have to recognize there will be certain \ntypes of requests from other countries that will run afoul \nsubstantive issues and so, we are going to have to create a \nregime--a legal regime in place through any agreement and \nthrough any statute that respects that. Finally, there has been \na lot of discussion about the MLAT process and I think, you \nknow, Brad Smith was very clear in indicating this process can \nwork if we want it to work. Often, frankly, I can speak from my \nown experience, honoring MLAT requests goes to the bottom of \nthe pile of overworked assistant U.S. attorneys, but with \nmodern technology and if the government views these as high \npriority cases, we can move to the kind of process that gives \nyou the results that occurred in the Paris case. And which I \nthink would encourage both our country and other countries to \nuse the international treaty process rather than unilateral \naction as a way to get information that is stored in other \nparts of the world.\n    So, thank you, Mr. Chairman, and I look forward to \nanswering questions.\n    [The prepared statement of Mr. Chertoff follows:]\n    \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   \n    \n  \n    \n                               __________\n                               \n    Mr. Goodlatte. Thank you, Mr. Chertoiff. Mr. Kris, welcome.\n\n  TESTIMONY OF THE HONORABLE DAVID S. KRIS, FORMER ASSISTANT \n     ATTORNEY GENERAL FOR NATIONAL SECURITY, UNITED STATES \n                     DEPARTMENT OF JUSTICE\n\n    Mr. Kris. Thank you, Mr. Chairman, Mr. Ranking Member, and \nMembers of the Committee for inviting me to testify. I, too, am \nspeaking only in my personal capacity. There is obviously a \nrange of opinion represented on the Committee today, but I \nthink there is also an unusual degree of consensus, which I \nhave heard during the course of this morning's proceedings on \nat least three important points. First, there is a problem.\n    We have a situation where there are international conflicts \nof laws in which one government's laws can compel the \nproduction of data, while simultaneously, another government's \nlaws will prohibit it. This is very vexing for the holders of \ndata, like Microsoft, who understandably wish to comply with \nall of the laws and rules to which they are subject. Second, \nthis problem is not unprecedented, but it is getting worse over \ntime. I think that is true for three technical reasons and \nthree political reasons which I will outline quickly.\n    Technically, the size and scope of international data \nnetworks, the degree of international data storage in the cloud \nand the use of encryption are all on the rise in previous--in \nrecent years. Politically, the Snowden disclosures, I think, \nhave caused the U.S. Government to decrease the scope and \nincrease the transparency of its surveillance. That is \nparticularly true in the foreign intelligence realm, but there \nis a good deal of overlap with law enforcement.\n    On the other hand, in Europe, the rise of ISIL and some of \nthe technical factors that I have mentioned, I think have \ncaused European governments to go the other way to expand their \nsurveillance authorities and to put a lot of pressure on \nproviders. And third, the providers for their part are a little \nbit caught in the middle of that. And they have reacted, \nunderstandably, again, I think in two ways. By reducing the \ndegree of cooperation, one, with respect to voluntary \nproduction of data rather than compelled production of data, \nand then, also at the margins in resisting certain compulsions.\n    I want to be clear this is not in any way some kind of \nwholesale civil disobedience and it is again perfectly \nunderstandable given their fiduciary duties. Even if, in any \ngiven instance, one might argue that it either does not go far \nenough or goes too far. Given that problem and the nature of \nthe problem, I think there has been consensus third that some \nkind of international solution is in order to address it. You \nhave heard today about the MLAT process, and one of the \nsolutions that has been discussed is some kind of fairly \ndrastic increase in the resources available for processing \nMLATs. If the current time to process is 10 months and the \nequation scales linearly and I am not sure it does--if you \nwanted to reduce the time down to 1 day, you would be scaling \nup by a factor of 300. Again, I am not sure, it scales in a \nlinear fashion. There are some structural limits in MLAT.\n    And the other means of addressing the problem we have \ntalked about today involve direct access by foreign \ngovernments. In some carefully delineated class or sub-class of \ncases, I understand the executive branch is currently working \nwith the U.K. on a bilateral agreement. Perhaps it would be \nlimited to non-U.S. persons located abroad by analogy to the \nFISA Amendments Act. Perhaps to certain kinds of crimes; \nperhaps to certain kinds of directives on certain predicate \nshowings made by certain officials in the U.K. You can imagine \nlots of limits here. And then, of course, Congress will need to \nevaluate whether those limits are appropriate and only then \nmake the necessary amendments to the Stored Communications Act \nto allow that agreement to be effectuated.\n    So, there is definitely a profound role for Congress in \nthis area regardless of these executive agreement. Finally, I \nwant to mention, but I do not know as we can discuss fully in \nthis setting, a couple of foreign intelligence surveillance \nconcerns that I outlined in my testimony. I urge you to have a \nconversation with the executive branch about the two gaps in \nFISA that I have set forth. I would love to be wrong about \nthose, but I think it is something that is worth your exploring \nin an appropriate setting with the executive branch. Thank you \nvery much.\n    [The prepared statement of Mr. Kris follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n   \n                               __________\n                               \n    Mr. Goodlatte. Thank you, Mr. Kris. Ms. Daskal, welcome.\n\nTESTIMONY OF MS. JENNIFER DASKAL, ASSISTANT PROFESSOR, AMERICAN \n              UNIVERSITY WASHINGTON COLLEGE OF LAW\n\n    Ms. Daskal. Thank you, Mr. Chairman, Mr. Ranking Member, \nand Members of the Committee. Thank you for inviting me here \ntoday. I want to spend my time talking about three things. The \nproblem, why Congress is needed, and specifically, what \nCongress should do. So, as has already been discussed pretty \nextensively, the Stored Communications Act operates as a \nblocking statute. It prohibits U.S. space providers from \ndisclosing certain data, including emails to anyone other than \nthe U.S. Government pursuant to a warrant.\n    Now, let us consider U.S. investigation of a London murder. \nImagine that the U.K. officials seek the emails of the alleged \nperpetrator to help establish motive. If the alleged \nperpetrator uses a U.K.-based provider, the officials could \nlikely get access to the date within days, if not sooner. If \ninstead, the data is held by an American-based provider, the \nBrits will be told that they need to go through the mutual \nlegal assistance process and initiate a diplomatic request. \nThis is, as we have already heard, a notoriously inefficient \nprocess taking an average of 10 months, and foreign governments \nare frustrated, understandably, by the state of affairs, and \nthey are responding in a number of concerning ways, including \nthe mandating of data localization which undercuts the growth \npotential of the internet, increases the cost to American \nbusinesses and facilitates domestic surveillance; unilateral \nassertions of extra territorial jurisdiction which put American \ncompanies in the crosshairs of two competing legal obligations \nwith a foreign government demanding the compulsion of data and \nU.S. law prohibiting it; and the use of malware and other less \naccountable forms of accessing the sort after data, which \nundercut the privacy and security of all.\n    Now, in response to this, as we have heard, the U.S. and \nU.K. have been negotiating an agreement that would allow the \nBrits, in certain circumstances, to make direct requests to \nU.S. companies for stored communications. Such an agreement is \nneeded. If done right, it is an important step forward, which \nthen brings me to my second point, the need for Congress. As we \nhave already heard, none of this can be implemented without \ncongressional authorization.\n    So, what should Congress do? Congress should amend the \nStored Communications Act. It should authorize the executive to \nenter into bilateral and multilateral agreements that would \nallow, in specified cases, foreign governments to directly \nrequest stored content from U.S. providers. In doing so, \nCongress should also set the key parameters of such agreements, \nensuring, among other things, that the partner country meets \nbasic human rights standards; that the particular requests \nsatisfy a baseline set of procedural requirements; and, that \nthe system is subject to meaningful transparency and \naccountability mechanisms. These parameters are essential and \nthey are justified for at least two reasons.\n    First, even as I think as envisioned by these agreements, \nthe target of the request is a foreign national, it is likely, \nin fact, almost certain that at some point, some time, such \nrequests will lead to the incidental collection of U.S. citizen \ndata. And second, whereas, the United States is often in the \nposition of exhorting other countries to improve their human \nrights standards and protect free expression, this is one of \nthose rare opportunities to couple such exhortations with a \ncarrot, that of expedited access to U.S. data. And in so doing, \nhelp set the system of a global system of cross border access \nto data.\n    Now, in making these recommendations for Congress to \nengage, I am not alone. For the past 6 months, I have been \nworking with a cross-section of civil liberties groups, \ncompanies and academics all focused on the need to reform the \nsystem governing law enforcement access to data across borders. \nMy recommendations draw heavily on the conversations with this \ngroup. Although, I speak solely in my personal capacity and not \non behalf of anybody else.\n    To sum up, the system for responding to law enforcement \nrequests for data is broken. The time to fix it is now. \nCongress has an opportunity, and in my view, a responsibility \nto help build a system for the future. One that simultaneously \nsafeguards privacy, protects American businesses and promotes \nthe growth of an open and secure internet. Thanks.\n    [The prepared statement of Ms. Daskal follows:]\n    \n  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  \n    \n    \n    \n                               __________\n                               \n    Mr. Goodlatte. Thank you very much, Ms. Daskal. We will now \nbegin a round of questioning and I will recognize myself. Mr. \nSmith, let me follow-up on what Ms. Daskal just said, because \nthat seems to get right to the crux of what has held up here in \nthis process. So Microsoft supports international agreements \nthat will address and overcome conflicts of law, but these \nagreements are likely going to allow foreign countries to \nacquire data held by U.S. companies on a standard less than \nprobable cause. Do you support this, and if so, why?\n    Mr. Smith. Well, first of all, I would like to agree with \nthe testimony that you just heard. I think we do need \nlegislation. We do need international agreements, but I also \nbelieve that any international agreements that are negotiated \nshould absolutely ensure that the rights of Americans are \nprotected by U.S. law and the Constitution, including the \nprobable cause requirement.\n    Mr. Goodlatte. How does allowing foreign countries to \nobtain data from U.S. companies on a less than probable cause \nstandard square with the call for a uniform probable cause \nstandard for requests by the U.S. Government?\n    Mr. Smith. Well, if the question is to me, I think the \nanswer is two-fold. First, there will be benefit over time if \nthe world can move toward a more uniform standard. But I think \nbetween now and then, the most important thing is that people \nhave the protection of their own rights by their own law. I \nthink that is fundamentally what most people in most countries \nwant, and I think that is what Americans want for their own \nrights as well.\n    Mr. Goodlatte. Ms. Daskal, do you want to respond to that?\n    Ms. Daskal. I fully agree.\n    Mr. Goodlatte. Okay, well, so I am not quite sure I \nunderstand. If they are protected under their own laws, but \ntheir own laws do not have the same high standard of \nprotection, and they are coming to the U.S., how are we going \nto have the carrot that you just referred to in your testimony \nto incentivize countries to provide greater protections?\n    Ms. Daskal. Sure, so that the suggestion that I was making \nis that when Congress authorizes these agreements, that it \nspecify certain requirements that the country must meet, both \nat the country level and at making specific requests for that--\n--\n    Mr. Goodlatte. Would those be the standards contained in \nU.S. law?\n    Ms. Daskal. So, my suggestion would be for Congress to \nwrite in the amendment to the Stored Communications Act an \nexception to the blocking provision that basically says, ``The \nexecutive has permission to enter into bilateral and \nmultilateral agreements with foreign countries when the \nfollowing conditions are met.'' And some of those conditions \nshould specify minimal standards that the requests have to \nmeet.\n    Mr. Goodlatte. But not necessarily U.S. standards?\n    Ms. Daskal. Not necessarily U.S. standards----\n    Mr. Goodlatte. Okay, I got it. All right, good. Then you \nare in agreement. Should a bilateral agreement--I will direct \nthis back to you, Mr. Smith--should a bilateral agreement, such \nas the one under consideration with the U.K. also ameliorate \nany conflicts of law with regards to U.S. requests for data \nheld by U.S. companies in that country? Would this not resolve \nthe issue currently being litigated in the Second Circuit?\n    Mr. Smith. It would resolve the issue that is being \nlitigated in the Second Circuit if the bilateral agreement were \nbetween the United States and Ireland. And I think what your \nquestion points to in part, is that if a model that works can \nbe created between two countries, then there is an opportunity \nto replicate it elsewhere, but it will need to be replicated.\n    Mr. Goodlatte. And do you see any conflict between your \nposition as it relates to foreign government access to data \nstored in the U.S., and your position as it relates to U.S. \nGovernment access to data stored abroad?\n    Mr. Smith. I believe that if you put an international \nagreement in place, that resolves any potential conflict. It \ncreates the means by which two governments together, and \nrespect the rule of law.\n    Mr. Goodlatte. Well, I get that, but it seems to me that if \nwe agree to their standard, they agree to our standard, you \nstill have two different standards that are in place.\n    Mr. Smith. But I think it really speaks to an important \npoint. I think the American people want to have their rights \nprotected by U.S. law. I was in London last week. I think the \nBritish people want to have their rights protected by British \nlaw. We need governments that have--I will just say a like-\nminded approach. It does not mean that they have to agree on \nevery particularity though.\n    Mr. Goodlatte. Ms. Daskal, the rules established under ECPA \ngovern what a U.S. provider can and cannot do with both \ncommunications content and non-content records. The result is \nthat the ECPA procedures, including the warrant requirement \napply to any customer of a U.S. provider regardless of that \ncustomer's nationality or location and regardless of where the \ndata is stored. Why is this insufficient to protect the privacy \ninterests of all U.S. provider customers including foreign \ncustomers?\n    Ms. Daskal. So, I absolutely think that the answer to the \nquestion of the warrant's requirement for content is necessary \nand it is an important privacy protection for when the United \nStates is accessing data, but that is not really the issue \nhere.* The concern is not about insufficient privacy \nprotections; the real concern is about this really significant \nconflict of laws which over time is going to lead to an \nincreasing number of things, like increased data localization, \nincreased unilateral assertions of extraterritorial \njurisdiction, other means of getting around these restrictions. \nAnd so that is where the privacy concerns come in, not because \nof the warrant requirement, which is a great requirement, but \nabout what other countries are doing in response and what \nhappens as a result of these conflicting obligations.\n---------------------------------------------------------------------------\n    *Note: The witness amends her response as follows:\n\n      So, I absolutely think that a warrant requirement for \n      content is necessary and is an important privacy protection \n      when the United States is accessing data, but that is not \n      the issue here.\n    Mr. Goodlatte. Thank you. The Chair recognizes the \ngentleman from Michigan, Mr. Conyers, for his questions.\n    Mr. Conyers. Thank you, Chairman. Mr. Smith, it is \nimportant for technology to protect both privacy and security. \nCan policy proposals being considered today do both, or do they \npit one against the other?\n    Mr. Smith. I think there are times when these two \nfundamental values, privacy and security, might be intentioned, \nbut I think there are many times when creative and new laws \nthat are designed for 21st century technology can move privacy \nand security forward together, and that is what we need to \nstrive to do.\n    Mr. Conyers. Secretary Chertoff, do you have any additional \ncomments on that same question?\n    Mr. Chertoff. No, I agree. I think that actually, although \noccasionally, there is tension between the two, in many \ninstances, you cannot really have privacy without security, and \nthe value of security without privacy is much diminished.\n    Mr. Conyers. Thank you. One last comment from Mr. Smith \nfrom me--with respect to the Microsoft case pending in the \nSecond Circuit, why has there been challenged the government's \ndemand for data stored in Ireland? What is your goal, or what \nis the corporation's point in that case?\n    Mr. Smith. I think fundamentally, we believe that people \nneed to be able to trust the technology they use. And part of \ntheir ability to trust the technology they use turns on \nconfidence that their rights, people's rights are going to be \nprotected by their law. We store emails in data centers that \nare close to our customers. So, for example, when we have \ncustomers in the European Union, we store their data, their \nemails in our data center in Dublin or in Amsterdam. Our \nconcern is that the U.S. Government first is using power that \nCongress never gave it. Namely, the power to go around the \nworld to vacuum up emails pursuant to a U.S. search warrant.\n    And second, our concern is because the U.S. is exercising \nthis type of extraterritorial power on a unilateral basis, it \nis in effect saying, in this case, to the people of Ireland \nthat their law does not matter; the DOJ does not even need to \nread it; it does not need to consult with the Irish Government; \nit does not need to pay any attention to the mutual legal \nassistance treaty in place between the U.S. and Ireland. All it \nhas to do is turn to an American technology company and apply a \npower under U.S. law. That is not a recipe for the success of \nthe U.S. technology sector, and it is not a recipe for ensuring \npeople have trust in technology.\n    Mr. Conyers. Thank you. For Mr. David Kris--and I might ask \nMs. Daskal to both consider this: I think a bilateral agreement \nframework could be a useful tool in resolving some of the \nconflict of laws issues that have been discussed here today. \nBut there remain concerns, for example, about how we will \nreconcile British law with our own legal customs. How will we \nmake sure that privacy, due process and human rights are \nrespected by our partners in these agreements?\n    Mr. Kris. That is an excellent question and issue to raise. \nI am confident that Congress will have a role because even if \nthe United States and Ireland or any other country reach an \nexecutive level agreement, for that agreement really to take \neffect, Congress will need to amend the blocking provisions, as \nProfessor Daskal has referred to them, in the Stored \nCommunications Act.\n    And it will be, I think, up to you and incumbent on you as \na Congress to decide which categories of cases involving what \nkind of, say, defendant, non-U.S. persons located abroad have \nbeen discussed, such that U.S. persons, or persons in the \nUnited States would not be subject to the exemption. Different \nkinds of crimes exempting political crimes from this provision, \nfor example, various other limits are all possible. And \nCongress will have an opportunity to consider those, if and \nwhen it decides to amend the Stored Communications Act to \npermit this kind of direct access by way of executive agreement \nin some specified subset of cases that meet with your policy \napproval.\n    Mr. Conyers. Ms. Daskal, would you add anything?\n    Mr. Issa [presiding]. Go ahead, Mr. Ranking Member.\n    Mr. Conyers. Thank you.\n    Ms. Daskal. So, yes, I agree with all that and I would \njust--I think it is worth emphasizing that the agreement, as it \nwas explained to us this morning, and I think as Congress \nshould sort of adopt as parameters as well, would solely permit \na foreign government to get access to non-U.S. person data and \ndata of people who are not in the United States.** So, we are \ntalking about the Brits being able to get data on their own \ncitizens in connection with the investigation of a local crime.\n---------------------------------------------------------------------------\n    **Note: The witness amends her response as follows:\n\n      So, yes, I agree with all that and I would just--I think it \n      is worth emphasizing that the agreement, as it was \n      explained to us this morning, and I think as Congress \n      should require as part of the adopted parameters, would \n      solely permit a foreign government to get access to non-\n      U.S. person data and data of people who are not in the \n      United States. So, we are talking about the Brits being \n      able to get data on their own citizens in connection with \n      the investigation of a local crime.\n    And Congress, I think, because we are talking about U.S. \nproviders, has a role to play in setting some minimal \nstandards, some minimal important procedural and substantive \nstandards as to what the Brits must do in order to get access \nto that data from U.S.-based providers. But we are not talking \nabout the British requesting data about American citizens, \nAmerican permanent residents, or Americans in the United \nStates.\n    Mr. Conyers. Thank you all for your responses, and I thank \nyou, Mr. Chairman.\n    Mr. Issa. Well, thank you, Mr. Conyers. We now go to the \ndistinguished gentleman from Texas, Mr. Poe.\n    Mr. Poe. I want to thank the Chairman. Thank you all for \nbeing here. I, being a lawyer, I did not go to Harvard, but I \nwent to the University of Houston, which we call Harvard on the \nbayou fondly in Texas. But, Mr. Chertoff, it is great to see \nyou again. Thanks for your service to the country that you have \ndone in the past.\n    Mr. Smith, I am impressed by your statement. Passionate and \nyou did not read it, so it is obvious that this is important to \nyou. It is important to the country. This, by way of kind of \nreview, ECPA, 30 years old. It would seem to me that we have \nknown for a long time that ECPA law needed to be reformed. And \n30 years is long enough for Congress to finally pick a horse \nand ride it and make some choices and changes in the law to \nsolve the problems that all of you have discussed; whether it \nis nationally; whether it deals with business; whether it deals \nwith foreign countries; the information; do you think it is \nabout time that we make a decision on reforming ECPA?\n    Mr. Smith. I think that the time has come and it is perhaps \neven overdue. I think what you are really hearing from all of \nus today and you hear it from the tech sector every day, is \nthat we really do need a new law, and we need Congress to write \nit.\n    Mr. Poe. And it should be Congress' responsibility to set \nthe standard of law rather than letting the courts make the \ndetermination as to what the expectation of privacy is for \ncitizens, or corporations, or letting the Justice Department \ntake the law as they see it and interpret it the way they see \nit. Congress needs to weigh in and make these decisions and \nmake it the law of the land. I mean, that is our \nresponsibility.\n    Mr. Smith. Absolutely, and I think, frankly, one of the \npoints that we have heard this morning that should give all of \nus the most concern is the acknowledge by the Justice \nDepartment that the Stored Communications Act passed in 1986 is \nsilent on whether the DOJ has the authority to apply these \nsearch warrants worldwide. And the DOJ says, that because \nCongress was silent, the executive branch has power. Well, that \nbasically amounts to an argument that Congress needs to write \nreally long laws, because every time Congress neglects to \naddress something, it is giving Congress--it is giving the \nexecutive branch some power. That is not the way the \nConstitution was written. That is not the way common sense \nworks.\n    Mr. Poe. There you go. I agree with that. And the Justice \nDepartment, they are doing what they think they can do under \nthe law, and I think they are wrong, but ECPA was written to \nprotect privacy of individuals. That is the purpose of the law, \nwhy it was written. So, Congress needs to weigh in on it, pass \nlegislation that has been pending for a long time. I think we \nset the standard for the expectation of privacy. It should be \nup to us, not some judge or group of judges, and we need to \nmove on with that. Set aside those comments, and tell me the \neconomic impact of not making a decision, and how that is \naffecting industry.\n    Mr. Smith. I think there are two ways to think about this. \nOne is narrow, one is broad. They are both important. First, \nbecause we are seeing this emerging conflict of laws, we are \nseeing the risk of increasing fines on U.S. companies when we \nget into these conflicts. Already to date, Microsoft has been \nfined $28 million by the Brazilian authorities because of \nthis----\n    Mr. Poe. And that is a criminal fine. That is not a civil \nfine. That is a criminal crime.\n    Mr. Smith. Right, yes. This is all connected to a criminal \nproceeding, and we are being fined simply for obeying U.S. law, \nand think about a start-up and what $28 million means. But the \nimplications are really broader because I find, in countries \nlike Germany and the United Kingdom, where I was last week, I \nincreasingly meet people in government and elsewhere who say \nthat unless this issue is resolved--they basically say, \n``Unless you win your case in New York, we are not going to be \nable to trust American technology and we are not going to be \nable to move our content to the cloud when the cloud is \noperated by a U.S. company with a data center.'' So, a lot is \nat stake for the American economy and American jobs.\n    Mr. Poe. Well, I appreciate all of you being here. I do not \nhave time to ask the rest of you questions. But I think you are \nexactly correct. For the problems that you have all mentioned, \nit is time for Congress, like I said, to pick a horse and ride \nit and let us pass some legislation to fix this problem. And I \nyield back.\n    Mr. Issa. I thank the gentleman. We now go to the \ngentlelady from San Jose, Ms. Lofgren.\n    Ms. Lofgren. Thank you. Before my questions, I would ask \nunanimous consent that we put into the record the Yale Law \nJournal article by our witness, Ms. Daskal.\n    Mr. Issa. Without objection, the document will be placed in \nthe record.\n    Ms. Lofgren. Thank you. This has been a very interesting \nhearing and, comes at interesting time for our country, because \nthe issues we face are of law, but also of technology. And I do \nnot think we can talk about the legal issues without getting \ninto the technology issues. And I was looking at the Trans-\nPacific Partnership Agreement. Now, some of us have issues \nabout human rights in Vietnam, you know, health issues and the \nlike, but in terms of encryption, it is pretty clear.\n    It basically says that you cannot require a backdoor, an \nencryption, if you are a party to this agreement. It prohibits \ngovernments from requiring companies to either disclose their \nkeys or to use specific cryptographic algorithms. And the \nDepartment of Justice's application and courts' subsequent \ndecision to compel Apple to provide special software \ncircumventing security protections would actually violate this \ninternational norm, that is specified in the TPP, against \ngovernment mandates for backdoors. But also, we had several \nvotes here in the House of Representatives where we had over \ntwo-thirds of the House vote in opposition to backdoors.\n    So, I am wondering, Mr. Smith, if I could ask you, what is \nMicrosoft's view of this? Do you support the position that \nApple has taken, that the court is setting a dangerous \nprecedent by forcing Apple to break its own security \nprotections? Does Microsoft plan to be involved in the \nlitigation that apparently is going to go on for a while? I \nknow Mr. Gates said something, but he has been gone from the \ncompany since--for a long time. I am just wondering what the--\nMicrosoft's position is, if that is fair to ask?\n    Mr. Smith. Yeah, we at Microsoft support Apple, and we will \nbe filing an amicus brief to support Apple's position in the \ncourt case next week. And I believe that Apple is making an \nimportant point that, in fact, connects directly with the kinds \nof issues that are being considered by this hearing today.\n    In the Apple case, the Justice Department has asked the \nmagistrate to apply language in the All Writs Act that was \npassed by Congress, and written in 1911. The leading computing \ndevice of that era is right here in front of me. It is an \nadding machine that went on sale in 1912. Quite simply, we do \nnot believe that courts should seek to resolve issues of 21st \ncentury technology with law that was written in the era of the \nadding machine. We need 21st century laws that address 21st \ncentury technology issues, and we need these laws to be written \nby Congress. We, therefore, agree wholeheartedly with Apple \nthat the right place to bring this discussion is here, to the \nHouse of Representatives and the Senate, so the people who are \nelected by the people can make these decisions.\n    Ms. Lofgren. Well, thank you very much, and do you have any \nother props?\n    Mr. Smith. No, not props.\n    Ms. Lofgren. I was surprised to see that, but----\n    Mr. Smith. But believe me, it is amazing what you can buy \non the internet.\n    Ms. Lofgren. Well, I have heard that----\n    Mr. Issa. Would the gentlelady yield?\n    Ms. Lofgren. If I can get----\n    Mr. Issa. What is the operating system on that?\n    Ms. Lofgren. What is the operating system?\n    Mr. Poe. It is called a hand crank.\n    Ms. Lofgren. I would like to follow up because I actually \nvery much believe that the encryption issue should be before \nCongress. The Judiciary Committee has started that process, but \nthe Justice Department alleges that this is just one phone, and \nI was surprised to hear that when we heard the district \nattorney in New York saying he had 175 phones and then we found \nout there were a number of others where we are seeking to \nutilize the new operating system that the court has ordered \nApple to devise. Do you think that this issue goes beyond that \none phone?\n    Mr. Smith. Well, every case is obviously about one case, \nbut every case obviously has implications for lots of other \ncases. The real concern here is actually the law and the \nimplications for the future. And the only way to get the law \nright for the future is for Congress to act.\n    Ms. Lofgren. If I can just close, Mr. Chairman, I started \nwith the TPP, the international standard, and that is important \nbecause encryption keeps us safe. It keeps people from breaking \ninto our data systems and causing problems for us. The either \nhackers or terrorists or enemies of our country and I--the idea \nthat my data would have to be opened to hackers in China \nbecause of specific cases is really what I think this is about, \nand I thank you very much, Mr. Smith, for answering.\n    Mr. Issa. I thank the gentlelady. We now go to the \ngentleman from Pennsylvania, Mr. Marino.\n    Mr. Marino. Thank you, Chairman. Secretary Chertoff, you \nmentioned a term, legal regime, in your opening. Would you \nexpand on that? And do you mean legal regime, meaning \nlegislation, or an expansion of MLAT, or something else, or a \ncombination?\n    Mr. Chertoff. I really principally meant legislation, \nbecause as I think we also started a discussion about \nencryption, in order to make decisions about how to structure a \nlegal architecture, when you are dealing with global data, \ndifferent forms of citizenship and evolving technology, I can \ntell you having been a judge, the courts are not equipped to \nweigh all of those things, and the unintended consequences of a \ndecision are often not clear in an individual case. So, to me, \nthis cries out--I know Chairman McCaul suggested a commission \nto look at the issue of encryption, but to me, this cries out \nfor taking a comprehensive look at the way the technology \nactually exists in the real world, and how one can then \nreconcile the need to preserve privacy and the need to promote \nsecurity with that technological background.\n    To give you one example, you know, 100 years ago, when they \nfirst invented telephones and photography, initially the courts \ntried to deal with the issue of the Fourth Amendment by forcing \nthe facts into those old rules about not searching someone's \nhouses. So, we had the trespass cases. And finally, in some of \nthe more recent cases, the court said, ``Wait a second. This is \nabout expectation of privacy.'' It is not just about whether I \nphysically invaded a room or wire. And I think we need to have \nthat kind of technologically-informed discussion now.\n    Mr. Marino. Thank you. Mr. Smith, what do you do in a \nsituation when you have conflicts like you have explained, as \nfar as advising your employees on how to approach these \nmatters?\n    Mr. Smith. Well, it is really a terrible situation that we \nare being put into. I thought Chairman Goodlatte put it well at \nthe outset when he referred to it as a Hobbesian choice. \nImagine the kind of meeting that I have had to have with a \nBrazilian employee who is being prosecuted. And imagine trying \nto talk about the fact that we cannot, in fact, take the steps \nthat would bring the prosecution to an end in Brazil, because \nit would require that we commit a felony in the United States. \nThis is a classic example, I think, of the fact that we need \ngovernments to act, and we need our own government and we need \nthis Congress to act, perhaps most of all.\n    Mr. Marino. Thank you. Ms. Daskal, referring back to the \nsecretary's atement on legislation, do you agree with that, or \ndo you see a combination of varieties of treaties and \nlegislation, or just the legislation?\n    Ms. Daskal. So, again, it depends on the specific issue, \nbut with respect to the problem of conflicting laws, there \nabsolutely needs to be legislation.\n    Mr. Marino. Good.\n    Ms. Daskal. Because the executive does not have the \nauthority to enter into the kinds of agreements that are needed \nwithout Congress authorizing it and ideally setting parameters \nas what those agreements look like.\n    Mr. Marino. Thank you, and Mr. Kris, would you expand a \nlittle bit on the two points you raised in the FISA gap?\n    Mr. Kris. Sure. Again, I would love to be wrong on this. I \nmean, I do think you should have a conversation with the \nexecutive branch, but the jurisdiction and the reach of the \nFISA statute depend fundamentally on the definitions of \nelectronic surveillance and physical search in the statute \nitself, and those are very, very complex. But I am concerned \nthat given the way those definitions are written, the statute \ncannot currently be used to compel the production of data \nstored abroad; for example, the kind of situation we have in \nthe Second Circuit case involving Microsoft.\n    If the target of the surveillance is either a U.S. person \nlocated anywhere, or a person of any nationality located here, \nin either of those situations, I am concerned that the statute \ncannot be used to issue a compulsion order to a provider to \nturn over the data, and the government has to rely on a \nvoluntary repatriation of the data back into this country to \nbring it within the jurisdiction of the statute.\n    Mr. Marion. Thank you. I yield back.\n    Mr. Issa. Gentleman yields back. With that, we go to the \ngentlelady from Texas, Ms. Sheila Jackson Lee.\n    Ms. Jackson Lee. Thank you very much. I noticed in the \ncourse of materials that I have here that--oh, first of all, \nlet me thank all the witnesses for their testimony. And I take \nnote of the fact--and I want to ask Mr. Smith and Mr. Chertoff \non this; that the issue at the European Union had been an \noutstanding issue for a period of time in terms of data and \ndata protection, privacy. And just recently the U.S. data \ntransfer pack was agreed to.\n    Can both of you comment on what impact as we are discussing \nlegislation, the LEAD Act, and where are in the having not \nacted, what that agreement does for you, even if it is sort of \naround the ring of what we are discussing? Mr. Smith first.\n    Mr. Smith. Yeah, well thank you for asking that question, \ncongresswoman, because it actually raises a very important \npoint that we have not talked about yet today. You know, the \nrecent Safe Harbor negotiation I think, you know, put a Band-\nAid on a legal system that has been in existence since the year \n2000 and, therefore, it appears the data will continue to be \nable to move across the Atlantic. But time and time again, to \nthis morning you heard Mr. Bitkower talk about whether there is \nor is not a conflict of laws across the Atlantic. The key thing \nwe need to think about here is that the new European Union \nGeneral Data Protection Regulation will take effect in 2 years. \nAnd that regulation has an article, Article 43A, that will make \nit unlawful for a company to move data out of Europe to comply \nwith a search warrant unless it is done pursuant to an \ninternational legal agreement or process.\n    So in 2 years, a legal curtain is going to descend across \nthe Atlantic. There is going to be a conflict in every one of \nthese cases the Justice Department wants to pursue on a \ncontinent that has 508 million people living on it, unless \naction is taken to put new international agreements in place.\n    Ms. Jackson Lee. And so that would be aside from a statute \nhere in the United States. It would be additional international \nagreements.\n    Mr. Smith. Basically what it means, I believe, is that we \nhave 2 years to try to figure out how to craft an agreement, as \nwe are trying to do with the United Kingdom, get legislation in \nCongress, and then determine how and whether to replicate that \nwith the other countries in the European Union; so we do not \nhave a day to waste.\n    Ms.  Jackson Lee. Sense of urgency; Mr. Chertoff, thank you \nfor your service as Homeland Security secretary. So, I am going \nto add a subset to the question is to reflect on the \ninternational agreements, but also reflect upon the crucial \nquestion of privacy and security in the backdrop of what we are \nfacing now. And Microsoft case represents--even the case was a \ncriminal case we have, as an ongoing looming issue, is at least \na dialogue or the issue of Apple. But can you, from your \nperspective, speak to how we have a number of factors that are \nimpacting on our decision for the legislation and our exchange \non data?\n    Mr. Chertoff. Yeah, well thank you. And again, it is a \npleasure to appear before you again. I agree with what Mr. \nSmith said about the need to particularly work out an agreement \nwith the Europeans, because they have typically been, at least \nsome of the countries there, the most reluctant to cooperate in \nthese areas. And yet the urgency of doing that cooperation now \nis more evident than ever when you look at what happened in \nParis.\n    So we ought to move forward with that. I think in general \nalso, though, there are a series of issues which require us to \nthink in a little bit more of a technologically savvy way about \nhow we deal with data. And to go back to Congresswoman \nLofgren's point on encryption--I am a real believer that it \nwould be a mistake to legislate a requirement to create \nbackdoors or duplicate keys or other limitations on the ability \nto have ubiquitous encryption. Because I know that encryption \nis one of the key tools that we use to protect innocent people \nagainst criminals or, for example, the North Koreans getting \ninto your data. And to sacrifice the security of the many in \nthis instance seems to me to be not worth it, particularly \nbecause I am quite confident that the bad guys can find tools \noverseas that are going to wind up allowing them to encrypt \nanyway.\n    But, again, this is an area where I think--I know there is \na litigation going on now. For a court to be asked to make or \nresolve this decision strikes me as the wrong way to go about \nit. This is something that requires looking end to end at what \nthe problem is in trying to reconcile what--I do not think they \nare inevitably contradictory impulses. But what I think are \nimpulses that need to be coordinated and synchronized so we do \nnot go too far in the direction of handicapping security, and \ntoo far in the direction of handicapping privacy.\n    Ms. Jackson Lee. Mr. Chairman, thank you very much. Mr. \nChairman, can I sneak in one question for Mr.----\n    Mr. Goodlatte. Quickly, because we have just enough time \nfor each Member to have 5 minutes before our hard stop at 1:30.\n    Ms. Jackson Lee. In answer to Mr. Chertoff, the LEADS \nlegislation does lay out a process. What is your comment on the \nstatutory fix for this issue? Did you hear me?\n    Ms. Daskal. Yeah, yes.\n    Ms. Jackson Lee. Yeah, thank you.\n    Ms. Daskal. So I think the fact that the Congress is \nengaging with LEADS is a terrific step forward. I do have some \nconcerns about LEADS as currently written in the way that it \nmakes jurisdiction turn on the location of data, which I think \nhas all kinds of practical and normative problems, because of \nthe way data moves around so quickly, because of its \ndivisibility, because of the fact that oftentimes when we store \nthings in the cloud we do not even know where it is located at \nany given time. So making jurisdiction turn over where our data \nis does not seem to make a lot sense. That said----\n    Mr. Issa. Thank you. I am afraid we are going to have to \ncut you off but----\n    Ms. Jackson Lee. I think you and I thank the Chairman.\n    Mr. Issa. Thank you.\n    Ms. Jackson Lee. I thank the witnesses.\n    Mr. Issa. Young lady from California, Ms. Walters.\n    Ms. Walters. Thank you, Mr. Chairman. Mr. Smith, your \ntestimony describes Microsoft's dilemma with the Brazilian \nGovernment seeking disclosures that would blatantly violate \nU.S. law. And I am sure that legal predicaments like this will \nonly increase as governments enact laws that create additional \nconflicts. These legal quandaries undoubtedly have negative \nimpact on Microsoft as well as other tech companies, and \nultimately impair a vital sector of the American economy. And I \nknow Mr. Poe had asked this question, and you had discussed the \nfines levied against Microsoft. But I wanted to give you \nadditional time to discuss how this situation has impacted your \nglobal customer's willingness to trust Microsoft products, and \nwhat it has done to your business.\n    Mr. Smith. Well I think more than anything else, \ncongresswoman, your question, which is very important, just \nunderscores, first of all, the importance that people would be \nable to trust technology. We are all putting so much of our \nmost sensitive information on devices and in the cloud that \npeople, by definition, only want to use technology they can \ntrust.\n    So the fundamental question that people around the world \nare asking is whether they can trust American technology. You \nknow, we face this as one American company but I think this is \na question that every American company is having to face. And \nthere are a variety of steps we are trying to take to address \nit, we are being more transparent ourselves; I think that is a \ngood thing. We are taking steps to advance privacy, to address \nand advance encryption; I think that is a good thing. But at \nthe end of the day, the concern that I hear around the world is \nthat regardless of what we do, the U.S. Government may use its \nlong arm to reach unilaterally across borders and without \nregard for other countries' laws.\n    So we need to fix that part as well. We obviously need to \ndo it in a way that ensures that law enforcement can do its \njob; that is why these kinds of new agreements are needed.\n    Ms. Walters. Yeah, thank you. And then I have a question \nfor the entire panel. What does the internet look like if we do \nnot act and data localization becomes the norm?\n    Mr. Chertoff. I do not want to be overdramatic but you do \nnot have an internet. You have a series of internets or \nintranets in individual countries. And so much of the value of \nthe internet, which is the ability to operate on a global \nbasis, is hampered. It also means that from an engineering \nstandpoint some of the considerations that you have when you \nput a server in a particular place gets subordinated to issues \nabout how to manage the legality or kind of legal arbitrage \nfrom one jurisdiction to another.\n    Ms. Daskal. I would just add as well I completely agree. \nBut I think the other piece of this that is important is when \nthat happens, the United States no longer has a role to say in \nterms of what protections do or do not apply when a country is \ngetting access to data. And so that is why this opportunity to \nenter into agreements and to set at least some parameters is a \nreally important opportunity for the United States to engage, \nto set the parameters, and to do so in a way where the world is \nstill talking to each other.***\n---------------------------------------------------------------------------\n    ***Note: The witness amends her response as follows:\n\n      And so that is why this opportunity to enter into \n      agreements and to set at least some parameters is a really \n      important opportunity for the United States to engage, to \n      set the parameters, and do so in a way that protects our \n      privacy, security, and economic interests.\n    Mr. Smith. And the last thing I would mention is the \nconsequence of that kind of data localization trend and set of \nrequirements is that computing gets more expensive, because it \nforces companies to build more data centers than, frankly, the \nworld needs just so you can have a data center in every \ncountry. That costs money; that is going to lead to higher \nprices.\n    Ms. Walters. Okay, thank you, I yield back. Do you have \nanything to add, Mr. Kris? No. I yield back, thank you.\n    Mr. Issa. I thank the gentlelady. We now go to the \ngentleman from Georgia, Mr. Johnson.\n    Mr. Johnson. Thank you. Since we have veered down the road \nof encryption, and it being a fact that encryption keeps us \nsafe from hackers and garden-variety criminals, we also have \nthis issue of a ungoverned space that is created by encryption; \na ungoverned space wherein terrorists can conspire with \nimpunity.\n    So, you know, on one hand, we have encryption that helps \nkeep us safe from hackers, but then we also have encryption \nthat helps keep terrorist conspirators safe from discovery. And \nthen we have the issue of international competition companies, \nmulti-national corporations, multi-national companies competing \nin an international market for customers with privacy, or \nencryption, being a selling point. And this is quite \ninteresting.\n    It can cause a lot of fear in the minds of people concerned \nabout law enforcement, concerned about intelligence, \ninternational intelligence. And so we see where we have gotten \nto the point where technology has exceeded the capacity of law \nenforcement, both internationally and domestically, to be on \ntop of the situation which leads us into an area of anarchy, \nlawlessness. Encryption, Mr. Chertoff--you have talked about \nthe fact that it protects us from hackers. What is your view \nabout terrorists who are able to conspire with impunity in that \nenvironment?\n    Mr. Chertoff. Well, Congressman, this is a--look, this is a \nserious issue, and I take the concerns of the FBI and the law \nenforcement community very seriously; I understand why this \nworries them. I guess my response is this: First of all, I know \nthat even if Congress says that companies or items--companies \nthat manufacture items here have to create backdoors or \nduplicate keys, people who want to do bad things will find \ndevices that do not have backdoors or duplicate keys.\n    I point out to people that the so-called dark web, where a \nlot of criminal activity goes on undetected because it is all \nanonymized, is powered by the Onion Router Tor, which was \nactually funded by the United States Government as a way of \nproviding anonymity for people who were dissidents. The second \nthing I would say is that it has always been the case, and I go \nback in my years of doing law enforcement, that bad people were \nable to communicate with each other without being detected.\n    In the old days when we were doing mob cases, they would \neither turn the radio way up so the listening device could not \nrecord it, or they would take a walk around the block. And we \nnevertheless succeeded in putting a lot of those folks in jail.\n    And the third thing I would say is that actually, if you \nlook at the technology that exists nowadays, and the amount of \nmetadata that is generated that is not encrypted, I would \nventure to say that from the intelligence and law enforcement \nstandpoint, the ability to detect terrorism now is \nfantastically better than it was even 15 years ago when, in the \nwake of 9/11, we were trying to hunt down terrorists in this \ncountry.\n    So, as with all technologies, there are elements of it that \nare problematic for law enforcement, but there are elements \nthat help law enforcement, and I still think the balance favors \nour security.\n    Mr. Johnson. Thank you. I do not have anyone on the panel \nto ask if they would disagree with that, I assume. So with that \nI will yield back.\n    Mr. Issa. And with that I would recognize the gentlelady \nfrom Texas for unanimous consent.\n    Ms. Jackson Lee. Mr. Chairman, thank you and the Ranking \nMember. I would like to submit two articles into the record, \n``New European U.S. Data Transfer Pack Agreed,'' dated February \n2, 2016.\n    Mr. Issa. Without objection so ordered.\n    Ms. Jackson Lee. Reuters, and Washington Post, ``The \nBritish want to come to America with Wiretap Orders and Search \nWarrants,'' dated February 4th.\n    Mr. Issa. Without objection so ordered.\n    [The information referred to follows:]\n    \n    \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n                               \n                               __________\n                               \n                               \n                               \n    Ms. Jackson Lee. Thank you.\n    Mr. Issa. We now go to Mr. Ratcliffe.\n    Mr. Ratcliffe. Thank you, Mr. Chairman. Mr. Chertoff, or \nSecretary Chertoff, I thank you as well for your service while \nyou were over at the Department of Homeland Security, I was a \nU.S. attorney and a former terrorism prosecutor. So I wanted to \nask you about your testimony; you seem to suggest that we \nrevert to a global standard of data control based on where the \ntarget of the investigation is a resident, is that right?\n    Mr. Chertoff. Actually, I would be probably inclined to say \nit should be based on where the citizenship of the \naccountholder as opposed to the target. But I could see an \nargument that might look at the target as well. But I think \nprobably the accountholder makes the most sense.\n    Mr. Ratcliffe. Okay, well let's walk through a scenario \nthat we have probably both been through before. What if the \ninformation on say a suspected terrorist is located, and to use \nan example others have used here, is actually stored in Ireland \nbut we know--let's say we know that that individual is a Saudi \nnational. How would you reconcile that?\n    Mr. Chertoff. Well, so first of all, I mean I think the \ndefault position would be to go based on a treaty request, like \nan MLAT, but hopefully in a world in which these requests are \nnot 10 months, but are more like 10 hours. And we have seen \nfrom what Mr. Smith said that it is possible, in fact, to do \nthat.\n    Mr. Ratcliffe. Okay. So under the standard that you--tell \nme the impact that you would think that would have with respect \nto national security investigations generally.\n    Mr. Chertoff. Well, and again, I am predicating this on a \nmore efficient regime of answering these requests. But I think \nin many ways we have dealt with these cases in the past. I \nthink that provided people put an adequate priority on this--\nand my experience is generally they do in a terrorism case--I \nthink it would not impede investigations unduly, and I think \nwhat it would do is avoid the kind of conflict that actually \nwinds up slowing up investigations, because that person who is \nholding the data, or the entity that is holding the data, is \ncaught on maybe unnecessarily between two conflicting legal \nsystems when an agreement to go by way of a treaty would \neliminate that sense of conflict.\n    Mr. Ratcliffe. Do we get into a situation there where we \nwould be increasing our reliance on intelligence authorities \nrather than law enforcement authorities?\n    Mr. Chertoff. Well, I will acknowledge to you that when you \nare dealing with terrorism, particularly prevention, a lot of \nwhat we do is intelligence based. And that is a different set \nof issues than access by legal process. And so I am not \nsuggesting we do not do that, but I am saying if we are using \nlegal process, I think a system that eliminates conflict is \nsomething that both enables us to actually speed up \ncooperation, and avoids putting companies in a difficult \nposition.\n    Mr. Ratcliffe. Okay. And speaking of processes, you \nmentioned before the MLAT process. And you may have already \ngiven your thoughts with respect to reforms, but that was \nsomething that I tried to utilize during my time at the \nDepartment of Justice and admittedly not very effectively \nutilized it. And so I want to give you an opportunity to \nexpound on the MLAT process and the best way to reform that \nfrom a congressional perspective.\n    Mr. Chertoff. Well, your experience and mine are very \nsimilar. And I think there are two elements to this. One is I \nthink the technology, at least when I was a prosecutor, you \nknow, it was a paper-based system. And it tended to be, from a \ntechnological as well as, frankly, a priority standpoint, you \nknow, pretty slow. I think we could build a technology platform \nthat would make this much, much quicker. We see this in a lot \nof areas in the commercial domain.\n    I think the second issue would be the policy standpoint. \nAnd there, I think, whether it is additional resources, or a \ndecision at a high level of the law enforcement community to \ntreat at least a certain category of these very high priority \nwould be--enable us to move these more quickly. And I think, \nagain, the lesson of what happened after the Paris attacks, \nwhere it took 45 minutes to respond to a request is \nillustrative.\n    Mr. Ratcliffe. Right. Well, out of respect for the other \nMembers that have questions, I will yield back the balance of \nmy time. I do want to thank everyone for being here. We all \nunderstand what an important issue we are discussing today. I \nyield back.\n    Mr. Issa. I thank the gentleman. We now go to the \ngentlelady from Washington, Ms. DelBene.\n    Ms. DelBene. Thank you, Mr. Chair. And thanks to all of you \nfor being with us today. Mr. Smith, when ECPA was written many \nyears ago, as you were highlighting, in 1986, it was also the \nvery early days of email. When I first started working on email \nin 1989, even then it was still really only used in companies \nthat had it for internal communications. And if you did get an \nemail, folks always downloaded it from a server because \ncapacity in servers was very low. And they would regularly \ndelete those servers to have room for new information.\n    So it seems clear that some of the fundamental technical \nassumptions that were made when ECPA was written have \ndefinitely changed vastly since then. And I wonder if you could \ncomment on the mechanics of cloud computing today and what \nlegal questions that creates, especially with respect to ECPA. \nAnd why cannot the courts just shoehorn kind of all of these--\ntoday's legal issues and to, like, the international storage \nissue, into that old law.\n    Mr. Smith. Well I think your question raises an excellent \npoint. A company like Microsoft built its first data center \noutside the United States only in 2010. So cloud computing and \nthe explosion of cloud computing is really a phenomenon of this \ndecade. That is what has created all of these issues that we \nare talking about today. And it has created the need at times \nfor law enforcement, quite rightly, to want to get access to \ninformation, to content, to email in other countries.\n    I think the fundamental question in a sense from a U.S. \nlegal perspective is that when technology moves forward and the \nlaw needs to catch up, as it does here, what is the best way \nfor that to happen? And we would say the best way is for the \nexecutive branch, if it wants new power, to come back to \nCongress and ask Congress to enact it.\n    Ms. DelBene. And when you say when the law was written it \nwas written actually with respect to the way technology was \nworking then, as opposed to providing intent going forward.\n    Mr. Smith. Well absolutely, and the most interesting and \ntelling aspect of ECPA in this regard is the fact that it \napplied a lower standard to protect email that was over 6 \nmonths old. And that was all based on some thinking in the \n1980's that, I think, barely anybody can remember, that most \nbusinesses moved their paper records offsite after 6 months. \nMaybe that was true. But who the heck has an email account that \nhas only email that is less than 6 months old? The answer is \nonly email accounts that have been opened less than 6 months \nago. All the rest of us have email that is older than that, and \nthat just shows how much the world has changed.\n    Ms. DelBene. And with the shift to cloud computing now, \nmore and more of that information is stored on servers.\n    Mr. Smith. Well, the amazing thing about the cloud, as you \npoint out quite rightly, is now we are not only talking about \nemail, we are talking about all the photographs of our lives. \nWe are talking about all of the other digital records that we \nhave. We are talking about the PDFs that--in our lives. It is \neverything that sort of documents what we do every day.\n    Ms. DelBene. And do you think that people should have a \ndifferent expectation of how digital information is treated \nversus physical information? Is there a legal significance to \nthe fact that you might information that is in digital form \nversus paper form?\n    Mr. Smith. I think that technology needs to advance, but \ncertain timeless values need to endure. And among these \ntimeless values are the rights to privacy. And every time the \nAmerican public has been asked, they have said the same thing. \nThey want the data they store in the cloud to get the same \nprivacy protection as the information they store on paper. And \nI think that is exactly the right point of view.\n    Ms. DelBene. Does anyone else think there is a difference \nbetween digital or paper in terms of the legal significance and \nthat differentiation?\n    Mr. Chertoff. I agree with Mr. Smith. I think one of the \nchallenges here, frankly, is people--sometimes because of the \nfact that the data moves electronically and seamlessly, \nconflate what is a business record and a provider with what is \nsomething that a provider holds as a custodian so to speak. And \nto use an example from the banking world, it is one thing to \nsubpoena a bank for bank records which are the bank's own \ndocuments or the bank's own information.\n    It is another thing if you want to get into a safety \ndeposit box. The bank does not have a limitless right to enter \nthe box and, therefore, you need a warrant for the box that is \nseparate and distinct from a subpoena for the business records. \nAnd because electronic data does not neatly fall into that \nobvious category, categorization, there is a tendency to \nconflate the two. But I think as Brad says, that the principles \nought to be the same.\n    Ms. DelBene. Mr. Kris?\n    Mr. Kris. I would just say the two factors that strike me \nas the most significant here are first, the incredible amount \nof digital data that is now created and available. Digital dust \nor digital footprints of your daily life are everywhere \ncreated. And they are also, second point, stored with third \nparties in a way that they did not use to be. And so I find \nmyself in strong agreement with Mr. Smith when he had his 1912 \nadding machine in front of him.\n    It is, I think, important and appropriate for Congress to \nlook at the All Writs Act again. I would go further, and \nsuggest you also consider the technical assistance provisions \nin both the Wiretap Act and FISA to clarify exactly what kind \nof assistance is going to be required from third parties in \nmaking digital data in the clear available to the government. \nYou know, at one extreme is legislation now pending in the U.K. \nwhich, if I read it correctly, would essentially allow them to \ncompel providers to push down widgets, malware in bulk, across \na network and all the users on that network.\n    And at the other extreme would be, you know, essentially no \ncompelled assistance. There is going to be a middle ground \nthere, and I think Congress is the appropriate institution of \nour government to come to grips with that.\n    Mr. Issa. I thank the gentlelady. And with that we go to \nthe gentleman----\n    Ms. DelBene. Sorry, my time expired.\n    Mr. Issa. Yes, I am afraid so. And we now go to the \ngentleman from South Carolina, Mr. Gowdy.\n    Mr. Gowdy. Thank you, Mr. Chairman. And I apologize for \nhaving to leave. I had a meeting on the Senate side. But I am \nhappy to report that they are up at this early hour working on \nthe Senate side. And I see that almost all the good lawyers \nhave gone, so it is my turn. Mr. Smith, from a law enforcement \nperspective, you receive a warrant for information that you \nmaintain in a foreign country. And I know some of this has \nalready come up, but just humor me because I find this stuff \ninteresting and I would rather you say it twice than not say it \nonce. You get a search warrant for material that is in a \nforeign country from a U.S. law enforcement official, and it \nviolates the law of that foreign country for you to access that \ninformation. How do you resolve that?\n    Mr. Smith. Well I think the real problem is we are just \nbeing put in an impossible position. You know, certainly what \nwe have done to date is looked at U.S. law and if the \ninformation is in the United States and it would violate the \nStored Communications Act for us to turn it over, we simply do \nnot turn it over. That is why, as I was saying earlier, we have \nnow been fined $28 million by the Brazilian Government, and we \nhave an executive there who is being prosecuted. I think the \nbig quandary we are all going to face in 2 years is what \nhappens once the new European Union regulation takes effect, \nand their blocking statute that would prohibit us from turning \ninformation over to the DOJ outside of an international \nagreement kicks in. I do not see how we can turn information \nover to the Justice Department if it is in Europe, and European \nlaw prohibits us from doing so, which is why I think the \nfundamental argument that the Justice Department, that it needs \nthis, both has some merit but, ultimately, frankly, sort of \nmisses the point. The day of unilateral search warrants is fast \ncoming to an end; it needs to be replaced by something new and \nsomething better and we had better act quickly.\n    Mr. Gowdy. Are there any facts from the Brazilian fact \npattern where you have an executive that is facing--did you say \ncriminal prosecution?\n    Mr. Smith. Yes, criminal prosecution.\n    Mr. Gowdy. For being out of compliance with a discovery \norder, or what is the procedure for where he finds himself, or \nherself?\n    Mr. Smith. You can think of it as akin to what in the \nUnited States would be a contempt order from a court. You know, \na local court has issued a local order requiring us to turn \nover certain information but in this case the information is \nnot in Brazil, it is in the United States, and U.S. law \nprohibits us from turning it over. As we talk about pressure \nfor data localization, this is the ultimate pressure for data \nlocalization. Because obviously, what it is intended to do is \nencourage U.S. companies to build data centers in Brazil so we \nno longer have to follow U.S. law.\n    So, again, the specter of concerns that people have in some \nways are coming true before our very eyes if we cannot find a \nbetter way to solve them.\n    Mr. Gowdy. For those of us in the past who have experienced \nthe joy of facing potential contempt from a judge, what is your \nexecutive supposed to do? How is he or she supposed to get out \nof this quandary?\n    Mr. Smith. Let me just say I do not want to get into the \nprivileged conversations that I have had with our employee. It \nis a darn complicated situation. Yeah, these are situations \nwhere people's life and liberty ultimately is at stake. And, \nyou know, we at Microsoft are not alone in having faced these \nkinds of issues around the world. And there are a number of \ncompanies facing similar issues in Brazil itself. And, you \nknow, it, among other things, calls into question how one \ncontinues to do business in certain countries, whether people \ncan continue to live there. You know, these are not easy \ndecisions to make.\n    Mr. Gowdy. Have you proposed either a legislative or \nregulatory remedy to the Department on how to resolve fact \npatterns like the Brazilian one?\n    Mr. Smith. Yes, and I have talked with the Brazilian \nGovernment as well as you might imagine. Ultimately, I believe \nthat if the U.S. and the U.K. can fashion an agreement that \nworks, the people in the United States can feel comfortable \nwith, that law enforcement can feel meets its needs, it creates \na model that we can consider then advancing in other countries.\n    And I, frankly, hope there will a day when there is an \nagreement between the United States and Brazil as well. I think \nthat that kind of solution is needed for the people of Brazil, \nand the Brazilian Government, who have legitimate needs I \nappreciate, but we just need a new solution, not an old one.\n    Mr. Gowdy. I am almost out of time, so this will be my last \nquestion. Going back to when we were in law school and this \nexpectation of privacy, and the fact that it has to be an \nexpectation that the public considers to be reasonable, but the \npublic can change its mind. So the bank records case from 30 \nyears ago, or however old that was, if that is really the most \nrecent precedent or the precedent that people cite for this, \nwhere do you see the public's reasonable expectation in terms \nof what they think they have a privacy interest in?\n    Mr. Smith. I think technology has moved forward, public \nexpectations of privacy have caught up, people actually do \nexpect the data they store in the cloud and put on their \ndevices to be private. And the Supreme Court, I think, \nrecognized this unanimously 2 years ago in the Riley case. And \nI thought the fact that it was a unanimous Supreme Court \ndecision acknowledging this public expectation to privacy was \nof fundamental importance for the country.\n    Mr. Gowdy. Thank you, Mr. Chairman.\n    Mr. Issa. Thank you, Mr. Chairman. We now go to the \ngentleman from New York, Mr. Jeffries.\n    Mr. Jeffries. Thank you, Mr. Chairman. I thank all the \nwitnesses for their presence here today. Let me start with Mr. \nSmith. Microsoft is a U.S.-based company in Washington that \nemploys around tens of thousands of individuals in the country, \nis that fair to say?\n    Mr. Smith. That is correct. We employ more than 50,000 \npeople in the United States.\n    Mr. Jeffries. And other companies like Google and Apple and \nFacebook also employ tens of thousands of people here in the \ncountry?\n    Mr. Smith. Collectively our industry employs hundreds of \nthousands, indeed probably millions, of people in the United \nStates.\n    Mr. Jeffries. And it is projected, I think, over the next 5 \nyears that at least a million, if not more, jobs will be \ncreated here in America as a result of the activity of \ntechnology innovation companies.\n    Mr. Smith. Assuming our country can give people the skills \nand education they need, absolutely we will create the jobs and \nfill them here.\n    Mr. Jeffries. Now, collectively, companies like Microsoft \nand Apple and some of the others that I mentioned are sort of \nworld leaders in the technology and innovation economy. Is that \nalso a fair assessment?\n    Mr. Smith. That is what we aspire to be every day, yes.\n    Mr. Jeffries. And I would be interested in your thoughts as \nto this notion that the trust factor, which has been eroding \nall across the world as it relates to the view that many other \ncountries have toward our leading technology companies, could \nadversely impact our position as a world leader in technology \nand innovation.\n    Mr. Smith. It is, I just think, an imperative for the U.S. \ntechnology sector to restore trust in American technology. We \nreally, over the last 3 years, since the Snowden disclosures, \nthere has been a global conversation taking place about whether \npeople can trust technology. And as a tech sector, we have been \nout taking new steps, including investments in end-to-end \nencryption to advance that kind of trust. And I just think it \nis fundamental to our ability to succeed globally in the \nfuture.\n    Mr. Jeffries. Secretary Chertoff, could you comment in this \ntrust dynamic and the notion of eroding American \ncompetitiveness?\n    Mr. Chertoff. Yeah, I would be delighted to, Congressman. I \nwill give you an example of what happens when you do not have \ntrust. It is not a surprise that some of the major Chinese \ncompanies that are involved in producing telecommunications and \nIT equipment have a bit of a trust problem around the world. \nAnd I think in the last couple of years they wanted to be--one \nof them wanted to be the backbone of the IT system in \nAustralia, and the Australian government said no, they would \nnot allow it because, again, there was a trust issue.\n    I think we underestimate sometime the strategic value of \nthe United States of the ability to have an IT system, and to \nproduce products and services that people do trust, and are \nwilling to rely upon and implement. And I think, you know, \nsince the Snowden disclosures, the effort to rebuild trust by \nmaking sure that first of all we have clear processes about, \nyou know, what the law is, what is private, under what \ncircumstances it has to be turned over--I think that is \ncritical to maintaining our competitive position and that has \nan effect not only on our, frankly, our jobs, but on our \nnational security as well.\n    Mr. Jeffries. Thank you. Mr. Smith, the Department of \nJustice seems to have taken a position that there are no \nexisting conflicts of law. Is that your understanding of their \nposition, or your understanding of what the actual landscape is \nat this moment in time?\n    Mr. Smith. It is clearly what Mr. Bitkower said this \nmorning. I do not believe it is an accurate characterization of \nthe issues in our lawsuit at the Second Circuit. We pointed out \nthat there are serious issues and concerns involving the \npotential conflict between U.S. and Irish law. There is no \nIrish court decision that is yet on point, but I think that the \nissues are serious.\n    As I have mentioned, in Europe the law will be clear. There \nwill be a concrete conflict across Europe in 2 years. And \nfundamentally, the case is not about whether there is a \nconflict of laws. It is about whether the executive branch is \nexercising power that the Congress gave it in ECPA.\n    Mr. Jeffries. Now are countries in other continents likely \nto follow the lead of the European Union and move in the \ndirection that becomes more restrictive, countries on the \nContinent of South America, Africa, Asia?\n    Mr. Smith. We are following these regulatory and legal \ntrends around the world. And what we are basically seeing is a \nnumber of governments considering or enacting new laws or \nregulations that, in some cases, are requiring data \nlocalization, and in other cases are considering or moving \ntoward these kinds of so-called blocking statutes like the one \nI have referred to in the European Union; yes.\n    Mr. Jeffries. Thank you. And lastly, Secretary Chertoff, \nthe 19th century was the century of the telegraph, the 20th \ncentury the century of the typewriter, and then the personal \ncomputer, 21st century, century of the smart phone, internet of \nthings, who knows what other innovation will take place. There \nseems to be an emerging consensus from many colleagues on both \nsides of the aisle that Congress needs to step in, in this \nvacuum.\n    My question is with the explosive growth of innovation and \ntechnology, which is a great thing, you know, how--it is \ndifficult for Congress to keep up with the changes in \ntechnology. But what framework should we take in looking to \nenact legislation that recognizes the fact that we want to \ncreate some certainty, but also flexibility in interpretation \nin order to capture the dramatic and rapid change of \ntechnology?\n    Mr. Chertoff. I think that is a very important question, it \nis one that I am not going to be able to fully answer in the \nremaining time allotted. I would say this--I do think it is \ntime for Congress, whether they do it by way of a commission or \nsome other body, to really take a comprehensive look at the \nquestion of how the change in technology has affected a lot of \nour expectations. I would not legislate on a micromanagement \nlevel but I do think some general principles could be fleshed \nout. And just to give you one example, Mr. Smith talked about \nthe Riley case. Much of our rule about privacy is based on the \nidea that we are thinking about when you search an object or a \ncase, you are searching what is in the case. But in many ways \nwhen you now pick up a smart phone and you start to search the \nphone, what you are doing is you are taking a key to your \nhouse. And it is as if you are taking the key and walking over \nto someone's house and searching the whole house.\n    So as we think about the issue of, how do we deal with data \nthat is remotely held I think there is a general set of \nprinciples that we could come up with that would not \nmicromanage every situation, but would help give a framework \nfor applying?\n    Mr. Jeffries. Thank you, and I yield back.\n    Mr. Issa. I thank the gentleman. Now all you have left are \nthe non-attorney, four attorneys behind me, that will \nundoubtedly question a lot of my questions, but rightfully so. \nYou know, Secretary Chertoff, I am going to use you as part of \nit; I am going to use probably Mr. Smith as part of it. First \nquestion was, since you brought all of your props and they are \nall tangible old props do you view--as I asked the first \npanel--do you view that, in fact, what we need to do is write \nspecifics, but write them based on the same principles that we \nhad in the tangible world? That is a fair analysis, is it? \nSecretary, same thing. Because I mean I think that is the first \nthing. We are going to have to write legislation. Do we write \nit based on principles of the past that our Founders saw in the \ntangible world, and then find a way to make them versatile in a \ninstantaneous transfer world?\n    Mr. Chertoff. I would say the answer to that is yes, in the \nsense that the enduring principles are what we want to make \nsure are preserved. But without minimizing the fact that it is \nnot simply a matter of translating, you know, what is physical \nto what is virtual. There are going to be some differences, but \nthe values remain the same.\n    Mr. Issa. Well let me go over some of these values. And if \nI see a headshake no, I will call on you. Otherwise, we will \nassume that I have got some yeses on these, which I like to get \nto yes. You might have noticed that in the past. Principles \nthat we need to do if we pass updated legislation; first of \nall, we need to deal with the predictability, not just in the \nUnited States, but around the world.\n    We need to have a reciprocity concept at the time that we \nproduce this legislation, because the rest of the world is \nlooking to us for whether we will live by our rules when the \nshoe is on the other foot. The American people need to have a \nnotice of what their rights are, and likely, in most cases, a \nnotice of the taking of their information. We know there are \ncertain times that it will not happen. We need to deal with \nwhat nexus is in a virtual world; not just is it a U.S. person, \nbut did it originate in the United States? Did it transfer \nthrough the United States? And so on.\n    We are likely, I believe, as a principle to have to break \ninto two parts; one is the criminal part, including national \nsecurity, the other is civil. Because, again, I suspect that we \nare going to have a custody battle between two people, and yet \nrecords are going to be demanded from around the world.\n    It seems like, back to the same point, there has to be an \ninformed consent. In other words, today most of us have no idea \nwhether or not the storage of some item might give us \nadditional rights or might not. And I presume we are going to \nhave to look at that from a standpoint of both law and treaty. \nOne that I, because I am also on foreign affairs, I am become \nvery familiar with is the principle that does not seem to exist \nhere but clearly exists in Europe, the right to be forgotten is \ngoing to have to be addressed if we are going to have \nreciprocal agreements with other countries who truly believe \nthat if you host something in another country, it will not \neliminate the likelihood that you have to honor, let's just say \na European Union citizen, the right to disappear, which they \nare clearly working on. I have not got a no yet.\n    Lastly, the expectation of privacy. It appears as though \none of the most important things we are going to have to do is \ndefine what the American people can expect from data which is \nstored anywhere outside of their pocket in an inanimate object \nwith no battery and a cloister of multiple different shrouds, \nso that it cannot possibly be energized remotely, and thus \nactivated and taken.\n    And, Mr. Chertoff, you were laughing because we all know \nexactly how that happens. So did I go through points you all \nagreed to? And it looks like I did. What did I leave out? What \nadditional considerations should this Committee have in the \nrecord today as we look to what is obviously our primary \njurisdiction and a long overdue look at the world as it exists \nelectronically? And I will just go right down the list.\n    Mr. Smith. Well first I would say that you have shown once \nagain what Abraham Lincoln first proved, you do not have to go \nto law school to have a great legal mind. I think you have \ncaptured the legal issues that the world needs to address and \ncertainly this Congress needs to address. I do not think there \nis anything that you have left out or--let me put it another \nway--if Congress could answer the questions that you have \nposed, the whole world of technology and the world for people \nwould be much better off.\n    Mr. Chertoff. I really agree with that. I would say one \nthing, just not to be naive. You know, I think in our minds \nwhen we talk about the ability to reach a global accommodation, \nwe are thinking of the Europeans, we are thinking of countries \nthat are more or less kind of western style democracies.\n    Mr. Issa. But I serve on Foreign Affairs so I know that we \nare--we may all be created equally but we do not all think the \nsame.\n    Mr. Chertoff. Exactly. And I think when we deal, for \nexample, with Russia, we are going to need to be realistic \nabout that. But, you know, if we can reach a reasonable set of \nagreements with a good deal of the globe, that would be a \nmajor, major step forward.\n    Mr. Issa. And so that is where the reciprocity may not be \nuniversal but at least the standards among those who have \nreciprocity would be universal. Mr. Kris.\n    Mr. Kris. Yeah, I agree. I thought that was an excellent \nsummary of all of the issues that need to be addressed.\n    Mr. Issa. That is why I went last.\n    Mr. Kris. Instantiating them, you know, in all of the \nvarious digital and other settings is going to be, as you know, \nenormously challenging. The only additional point I would make \nis you have, I will call it an opportunity, before the end of \n2017 to consider renewal of the FISA Amendments Act. And so \nthat is, as an adjunct to this, another area in which you are \ngoing to want to, I think, harmonize your efforts. Thank you.\n    Ms. Daskal. So I echo the agreement with the incredible \nlist. I would just add that when one is thinking about the \nrelevant nexus, which you raised just now and you also raised \nin your earlier questions to Mr. Bitkower, and the analogies to \ntangible property, I think the analogies are right in the sense \nthat it does not make sense for the United States to assert \nunilateral jurisdiction over everything everywhere in the \nworld; that there is a concern about that. At the same time, I \nthink it is worth thinking about other jurisdictional hooks \nother than location of data, given the differences between data \nand other forms of tangible property.\n    Mr. Issa. I think your point is good. And just as one \nMember of this Committee, I believe that is one of the \nchallenges we face from a business standpoint. And I will put \nmy recovering, hopefully, never fully recovered businessman's \nhat on for a moment.\n    And that is that we want the world to have an expectation \nthat rule of law will exist for them, no matter where the data \nis. The data transfer or, let's just take J.P. Morgan Chase; if \nthey only have one server farm, or two server farms, and they \nare both in the United States that will not happen. But if it \ndid, we do not want the world to believe they are \ndisenfranchised and begin ordering balkanization. And I \ncertainly think although that is not part of the principles of \nour Constitution here, it is good common sense that we have to \nfind a solution that does not adversely affect business models, \ncause countries essentially to order, even if it is Russia, to \norder that you localize for some reason.\n    Let me beg your indulgence; I have 4 minutes left on the \nChairman's mandate that we finish at 1:30. There is an elephant \nnot in the room, which is the Apple case, but since I am \nbringing it into the room, I want to ask just a basic question, \nand I will start with Mr. Smith. Microsoft, you mentioned in \nyour testimony, and in some of your answers, you are looking at \nend-to-end encryption for a multitude of products. Your \nproducts, if they do not now, will shortly un-encrypt, use \ndata, re-encrypt as a matter of course because we now have the \nprocessing power that allows you to do that. Is that a fair \nstatement?\n    Mr. Smith. Well we are certainly focused on implementing \nencryption. It was two and a half years ago we said we would \nimplement encryption at rest, encryption in transit, encryption \nin more scenarios. So I think fundamentally encryption is an \nimportant part of safeguarding people's information for the \nfuture.\n    Mr. Issa. So is it fair to say that what Apple is dealing \nwith--you mentioned you are going to submit an amicus brief--\nwhat Apple is dealing with, every software company, and \nprobably every communication company, and perhaps most, if you \nwill, social networking and even ecommerce companies, all are \ngoing to face similar questions to the one that Apple is facing \ntoday.\n    Mr. Smith. I think in one form or another, many, many \ntechnology companies in many, many countries are going to need \nto address these encryption issues. And certainly Apple's case \nis an important example of one form of that.\n    Mr. Issa. And Secretary Chertoff, I am going to take \nadvantage of the fact you have worn so many hats, and your \nknowing what FISA judges go through, knowing how the NSA \nprovides information, knowing what the Central Intelligence--\nwhat their sources and methods historically have been. Let me \njust ask you a question in the open. Is not one of the most \nimportant tools that we have in going after terrorists and \ncriminal networks, the lack of their predictability and \nknowledge of what we can or cannot break, what we do or do not \nknow, and what we can or cannot find out?\n    Mr. Chertoff. I think that is absolutely correct. And that \nis one of the things that was very damaging about Snowden is to \nsome extent he at least put them on alert about certain things.\n    Mr. Issa. So when Apple and others say that ordering a \npredictable key encryption, a backdoor, guarantees that at \nleast as to those who have complied with it, that the bad guys \nwill know not to use that product. And if I think of sort of \nthe entrepreneurial nature of criminals and terrorists, by \ndefinition will we not be begging them to take their millions \nor billions of dollars and use it to develop items that do not \nhave a backdoor and, thus, reduce the chances that we are going \nto have commercial off the shelf software that we might be able \nto produce our own independent backdoors from time to time \nwithout their knowing it?\n    Mr. Chertoff. I think you are absolutely right. One of the \nunfortunate things about this being a public dispute is that it \npretty much guarantees that terrorists will now be looking to \nother tools. And, in fact, there was something in the paper \nrecently about a manual they found or some kind of a document \nof ISIS folks going through what are the best encrypted \ntechnologies. Now sometimes they are wrong, and that works for \nus, but only if we keep it quiet.\n    Mr. Issa. Thank you. I want to thank all of our guests. You \nwere great witnesses. It is exactly 1:30, and we stand \nadjourned.\n    Ms. Daskal. Thank you.\n    [Whereupon, at 1:30 p.m., the Committee adjourned subject \nto the call of the Chair.]\n\n                            A P P E N D I X\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\nQuestions for the Record submitted to David Bitkower, Principal Deputy \n    Assistant Attorney General United States Department of Justice*\n---------------------------------------------------------------------------\n    *Note: The Committee did not receive a response from this witness \nbefore this hearing transcript was finalized in October 2016.\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n         Response to Questions for the Record from Brad Smith, \n        President and Chief Legal Officer, Microsoft Corporation\n        \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]        \n        \n\n\n Questions for the Record submitted to the Honorable Michael Chertoff, \n         Co-Founder and Executive Chairman, The Chertoff Group*\n---------------------------------------------------------------------------\n    *Note: The Committee did not receive a response from this witness \nbefore this hearing transcript was finalized in October 2016.\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\nResponse to Questions for the Record from the Honorable David S. Kris, \nformer Assistant Attorney General for National Security, United States \n                         Department of Justice\n                         \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                         \n\n\n Response to Questions for the Record from Jennifer Daskal, Assistant \n        Professor, American University Washington College of Law\n        \n        \n        \n  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]      \n        \n        \n        \n\n\n                                 [all]\n</pre></body></html>\n"