[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]








                INTERNATIONAL CONFLICTS OF LAW AND THEIR
                  IMPLICATIONS FOR CROSS BORDER DATA 
                      REQUESTS BY LAW ENFORCEMENT

=======================================================================

                                HEARING

                               BEFORE THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 25, 2016

                               __________

                           Serial No. 114-84

                               __________

         Printed for the use of the Committee on the Judiciary


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]





      Available via the World Wide Web: http://judiciary.house.gov
                                  ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

98-827 PDF                     WASHINGTON : 2016 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
                       COMMITTEE ON THE JUDICIARY

                   BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        JERROLD NADLER, New York
LAMAR S. SMITH, Texas                ZOE LOFGREN, California
STEVE CHABOT, Ohio                   SHEILA JACKSON LEE, Texas
DARRELL E. ISSA, California          STEVE COHEN, Tennessee
J. RANDY FORBES, Virginia            HENRY C. ``HANK'' JOHNSON, Jr.,
STEVE KING, Iowa                       Georgia
TRENT FRANKS, Arizona                PEDRO R. PIERLUISI, Puerto Rico
LOUIE GOHMERT, Texas                 JUDY CHU, California
JIM JORDAN, Ohio                     TED DEUTCH, Florida
TED POE, Texas                       LUIS V. GUTIERREZ, Illinois
JASON CHAFFETZ, Utah                 KAREN BASS, California
TOM MARINO, Pennsylvania             CEDRIC RICHMOND, Louisiana
TREY GOWDY, South Carolina           SUZAN DelBENE, Washington
RAUL LABRADOR, Idaho                 HAKEEM JEFFRIES, New York
BLAKE FARENTHOLD, Texas              DAVID N. CICILLINE, Rhode Island
DOUG COLLINS, Georgia                SCOTT PETERS, California
RON DeSANTIS, Florida
MIMI WALTERS, California
KEN BUCK, Colorado
JOHN RATCLIFFE, Texas
DAVE TROTT, Michigan
MIKE BISHOP, Michigan

           Shelley Husband, Chief of Staff & General Counsel
                            Perry Apelbaum,
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            C O N T E N T S

                              ----------                              

                           FEBRUARY 25, 2016

                                                                   Page

                           OPENING STATEMENTS

The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Committee on the Judiciary     1

The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, and Ranking Member, Committee on 
  the Judiciary..................................................     3

                               WITNESSES

David Bitkower, Principal Deputy Assistant Attorney General 
  United States Department of Justice
  Oral Testimony.................................................    11
  Prepared Statement.............................................    14

Brad Smith, President and Chief Legal Officer, Microsoft 
  Corporation
  Oral Testimony.................................................    57
  Prepared Statement.............................................    60

The Honorable Michael Chertoff, Co-Founder and Executive 
  Chairman, The Chertoff Group
  Oral Testimony.................................................    72
  Prepared Statement.............................................    74

The Honorable David S. Kris, former Assistant Attorney General 
  for National Security, United States Department of Justice
  Oral Testimony.................................................    80
  Prepared Statement.............................................    82

Jennifer Daskal, Assistant Professor, American University 
  Washington College of Law
  Oral Testimony.................................................    84
  Prepared Statement.............................................    86

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Prepared Statement of the Honorable Sheila Jackson Lee, a 
  Representative in Congress from the State of Texas, and Member, 
  Committee on the Judiciary.....................................     5

Material submitted by the Honorable Sheila Jackson Lee, a 
  Representative in Congress from the State of Texas, and Member, 
  Committee on the Judiciary.....................................   109

                                APPENDIX
               Material Submitted for the Hearing Record

Questions for the Record submitted to David Bitkower, Principal 
  Deputy Assistant Attorney General United States Department of 
  Justice........................................................   128

Response to Questions for the Record from Brad Smith, President 
  and Chief Legal Officer, Microsoft Corporation.................   130

Questions for the Record submitted to the Honorable Michael 
  Chertoff, Co-Founder and Executive Chairman, The Chertoff Group   138

Response to Questions for the Record from the Honorable David S. 
  Kris, former Assistant Attorney General for National Security, 
  United States Department of Justice............................   140

Response to Questions for the Record from Jennifer Daskal, 
  Assistant Professor, American University Washington College of 
  Law............................................................   143
 
INTERNATIONAL CONFLICTS OF LAW AND THEIR IMPLICATIONS FOR CROSS BORDER 
                    DATA REQUESTS BY LAW ENFORCEMENT

                              ----------                              


                      THURSDAY, FEBRUARY 25, 2016

                        House of Representatives

                       Committee on the Judiciary

                            Washington, DC.

    The Committee met, pursuant to call, at 10 a.m., in room 
2141, Rayburn House Office Building, the Honorable Bob 
Goodlatte, (Chairman of the Committee) presiding.
    Present: Representatives Goodlatte, Chabot, Issa, King, 
Jordan, Poe, Marino, Gowdy, Collins, DeSantis, Walters, Buck, 
Ratcliffe, Bishop, Conyers, Lofgren, Johnson, Chu, DelBene, 
Jeffries, and Peters.
    Staff Present: Shelley Husband, Chief of Staff & General 
Counsel; Branden Ritchie, Deputy Chief of Staff & Chief 
Counsel; Zachary Somers, Parliamentarian & General Counsel; 
Kelsey Williams, Clerk; Jason Herring, Counsel, Subcommittee on 
Crime, Terrorism, Homeland Security, and Investigations; 
(Minority) Perry Apelbaum, Minority Staff Director & Chief 
Counsel; Danielle Brown, Parliamentarian & Chief Legislative 
Counsel; Aaron Hiller, Chief Oversight Counsel; Joe 
Graupensperger, Chief Counsel, Subcommittee on Crime, 
Terrorism, Homeland Security, and Investigations; and Veronica 
Eligan, Professional Staff Member.
    Mr. Goodlatte. Good morning. The Judiciary Committee will 
come to order, and without objection, the Chair is authorized 
to declare recesses of the Committee at any time.
    We welcome everyone to this morning's hearing on 
``International Conflicts of Law and Their Implications for 
Cross-Border Data Requests by Law Enforcement,'' and I will 
begin by recognizing myself for an opening statement.
    Today's hearing will examine international conflicts of law 
and how these conflicts impact law enforcement access to data 
both here and abroad. This is an extremely important issue that 
affects individuals, technology companies, law enforcement, and 
the economy. In the digital age, where the Internet knows no 
boundaries, U.S. technology companies have flourished 
internationally and provide services to customers and 
subscribers around the world, but there is a growing tension 
between U.S. law and foreign law, and U.S. technology companies 
are caught in the middle.
    U.S. law places restrictions on access to data by foreign 
countries, making it difficult if not impossible in some 
instances to obtain evidence of crimes or terror plots carried 
out by their own citizens in violation of their laws. This has 
provided an incentive for foreign governments to enact their 
own legislation to address the problem. Some foreign 
governments have enacted laws requiring U.S. technology 
companies as a requirement for doing business there to comply 
with that government's requests for data.
    Alternatively, other countries are considering legislation 
that would require U.S. providers to locate servers in that 
country to ensure that country's jurisdiction over the U.S. 
provider. This is sometimes referred to as data localization. 
The disparity between U.S. and foreign law has similarly 
created a conflict with regard to what law governs requests by 
the U.S. Government to U.S. companies for data stored in 
foreign countries.
    Certain foreign countries prohibit the removal of data from 
their boundaries in contravention of their law. U.S. law, on 
the other hand, makes no distinction between data stored 
domestically versus data stored abroad, nor any distinction 
with regard to the nationality or location of the customer.
    The result of these conflicts is that U.S. technology 
companies find themselves with a Hobson's choice: either comply 
with U.S. law, or comply with foreign law. But it is 
increasingly impossible to comply with both. This is an 
untenable situation for U.S. tech companies. This conflict also 
thwarts timely access to information by foreign governments, 
and has the potential to create additional barriers for U.S. 
law enforcement.
    Current U.S. law requires foreign governments who want 
access to content maintained by a U.S. technology company to 
make a government-to-government request for the data.
    This is generally accomplished through the mutual legal 
assistance treaty, or MLAT process, but frankly, the MLAT 
process is slow and cumbersome. It has been reported that an 
MLAT request takes, on average, approximately 10 months. This 
is clearly causing serious frustration from foreign governments 
who have legitimate interests in their own public safety.
    For example, a foreign government may be investigating 
criminal activity that has occurred wholly within that 
government's borders by its own citizens, but because the 
perpetrators are utilizing the email services of a U.S. email 
provider, that foreign government cannot get access to email 
content for evidentiary purposes, except through the MLAT 
process, which takes entirely too long. The current arduous 
MLAT process likewise poses significant hurdles to the U.S. 
Government obtaining information stored abroad from U.S. 
companies, and is not designed to carry the heavy burden of 
these types of cross-border data requests.
    It is abundantly clear that Congress must find a 
legislative approach that embraces the modern manner in which 
data is stored and acquired internationally.
    One such approach could be bilateral agreements between the 
U.S. and foreign countries that work to resolve or waive these 
conflicts of law. Earlier this month, it was reported that the 
U.S. and the United Kingdom recently commenced negotiations on 
a bilateral agreement that would allow the U.K. Government to 
request data directly from U.S. companies in criminal and 
national security investigations not involving U.S. persons. 
This type of agreement may serve as model for future 
agreements, and thus relieve some of the international pressure 
on U.S. tech companies, but we must closely examine important 
details, such as the legal standard for which the U.K. 
Government may make requests of U.S. tech companies, whether 
such requests would require an independent review, and what 
privacy protections should be implemented.
    Such an agreement could also help alleviate any conflicts 
of law relating to requests by the U.S. for data stored abroad 
by U.S. companies. But any such agreements must preserve 
American civil liberties and privacy protections embodied in 
U.S. law.
    Ultimately, in order for a bilateral agreement of this kind 
to have effect, Congress would first need to enact legislation 
enabling direct access to U.S. companies by foreign 
governments, and prescribing the criteria that must be met by 
the foreign government to receive such access.
    Once again, the House Judiciary Committee finds itself at 
the forefront of a pressing issue that impacts personal 
privacy, national security, public safety, economic viability, 
and the rule of law. Members of this Committee have been 
dedicated to finding a legislative solution to address the 
issues raised by the current conflict of laws, and we will 
continue to examine all options presented to the Committee.
    As always, we will not shy away from the heady task ahead 
of us in finding a thoughtful, balanced solution to this 
problem. I look forward to closely examining these issues today 
and hearing from our distinguished witnesses, and with that, I 
am pleased to recognize the Ranking Member of the Committee, 
the gentleman from Michigan, Mr. Conyers, for his opening 
statement.
    Mr. Conyers. Thank you, Chairman Goodlatte. And thanks to 
all of our witnesses on both panels for the time they are 
taking to be with us today. The House Judiciary Committee is 
the appropriate forum for a topic that never seems to leave the 
news: how government agencies access the content of our 
communications.
    Over the past few years, we have explored this theme in 
various forms: government surveillance, the FBI's effort to 
build back doors into strong encryption, and our works to 
reform the Electronic Communications Privacy Act. Today, we 
discuss a different aspect of this theme: how law enforcement 
agencies attempt to access data stored beyond their 
jurisdictional reach.
    Whatever your favorite policy solution may be, everyone in 
this room agrees that there is a problem that must be solved. 
Twenty years ago, a police officer in the United Kingdom 
investigating a routine crime would have had little reason to 
seek evidence stored in the United States, but today, on a 
daily basis, law enforcement agencies around the world request 
access to digital evidence stored in other countries. And the 
legal framework in place for making those requests is wholly 
inadequate to the task.
    The mutual legal assistance treaty system was written for a 
different era, and struggles to keep pace with the scope and 
pace of modern communications. Our Members have also been 
outspoken in the need to modernize the Electronic 
Communications Privacy Act, and I hope we will do it soon.
    I am also a co-sponsor of H.R. 1174, the ``Law Enforcement 
Access to Data Stored Abroad Act.'' Now I signed onto this bill 
because it is an important vehicle for the discussion that we 
will have today, and I thank the gentleman from Pennsylvania, 
Mr. Marino, the gentlelady from Washington, Ms. DelBene, and 
Mr. Amodei, Nevada for their leadership on this issue. The 
LEADS Act takes a holistic view of the system.
    It reforms ECPA to require warrants for content in the 
domestic content. It also provides one solution for Federal law 
enforcement to reach data that is stored abroad. And, it begins 
a much needed overhaul of the mutual legal assistance treaty 
framework, and even if we may reach consensus on a solution 
that differs from the LEADS Act, it will have been important 
legislation for having recognized early that we need to use 
every tool in our toolbox to update Federal law for the digital 
age.
    One other possibility for reform that I would like to 
discuss today is the idea of bilateral agreements with our 
closest allies. Those Nations we trust most on civil liberties 
and due process issues. We should add this concept to the mix. 
In addition to amending the Electronic Communications Privacy 
Act, and updating our treaty system, these agreements could 
counter the trend toward data localization, incentivize our 
partners to set better standards for data protection, and help 
our closest friends investigate serious crimes that often 
impact the United States either directly or indirectly. I would 
add only two notes on this topic for our distinguished guests 
from the Department of Justice.
    First, I hope to have your agreement today that no deal 
with the United Kingdom is better than a deal that does not 
honor privacy, due process, and free expression on both sides 
of the Atlantic.
    Secondly, I hope that this will be a collaborative process. 
It is unfortunate that we learned about your discussions with 
the British from the Washington Post before we heard about them 
from you. I appreciate that the Department took the time to 
brief Committee staff earlier this week. It was important, I 
appreciate how candid the Department was about possible civil 
liberties concerns going forward. I am sure that working 
together, we can come up with a system of reforms that benefits 
each of the stakeholders in this discussion.
    And so I thank the Chairman and yield back any time that 
might be remaining. Thank you.
    Mr. Goodlatte. Thank you, Mr. Conyers. And without 
objection, all other Members' opening statements will be made a 
part of the record.
    [The prepared statement of Ms. Jackson Lee follows:]
    
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
    
  
                               __________
    Mr. Goodlatte. We welcome our distinguished witness of 
today's first panel. And if you would please rise, I will begin 
by swearing you in. Do you swear that the testimony that you 
are about to give shall be the truth, the whole truth, and 
nothing but the truth so help you God? Thank you very much.
    And I will now introduce our witness for today's first 
panel. Mr. David Bitkower serves as the Principal Deputy 
Assistant Attorney General of the U.S. Department of Justice. 
Prior to joining the criminal division at the DOJ, Mr. Bitkower 
was an Assistant United States Attorney in the eastern district 
of New York.
    He is a graduate of Yale University and Harvard Law School. 
Your written testimony will be entered into the record in its 
entirety, and we ask that you summarize your testimony in 5 
minutes or less; and to help you stay within that time, there 
is a timing light on your table. When the light switches from 
green to yellow, you have 1 minute to conclude you testimony. 
When it turns red, that is it. Your time is up. Welcome. Please 
begin.

    TESTIMONY OF DAVID BITKOWER, PRINCIPAL DEPUTY ASSISTANT 
      ATTORNEY GENERAL UNITED STATES DEPARTMENT OF JUSTICE

    Mr. Bitkower. Thank you. And good morning Chairman 
Goodlatte, Ranking Member Conyers, and Members of the 
Committee. Thank you for the opportunity to testify on behalf 
of the Department of Justice concerning international conflicts 
of law, cross border data flow, and law enforcement requests. 
The Department recognizes that issues concerning cross border 
law enforcement access to data, while vitally important, can be 
complex and require balancing several sometimes competing 
goals.
    Mr. Goodlatte. Mr. Bitkower, you may want to pull that 
microphone a little closer to you.
    Mr. Bitkower. Certainly, thank you. Most importantly, we 
must fulfill the responsibility that Congress and the American 
people have entrusted to us by taking lawful steps to protect 
Americans from threats to their safety and security. But we 
must also do our best to meet legitimate public safety needs of 
other countries that require access to evidence that happens to 
be stored in the United States without compromising users' 
privacy interests, and we must recognize that U.S. service 
providers, seeking to compete in a global marketplace, may in 
some instances face conflicting legal obligations from the 
Nations where they choose to do business; and we should seek to 
minimize those conflicts where possible.
    Finding solutions that satisfy all of these goals will be 
difficult, and we welcome this hearing as part of an important 
discussion about how to do so. I will focus on two issues this 
morning.
    First, I will discuss the increasingly important role that 
cross border access to data plays in the protection of the 
public, both for the United States and for our foreign 
partners. Second, I will discuss a potential new opportunity to 
build a framework for cross border access to data that would 
facilitate legitimate law enforcement requests for electronic 
information, help to alleviate conflicts of law as faced by 
service providers, and protect privacy and civil liberties.
    Two related trends have significantly increased the need 
for U.S. law enforcement to be able to access electronic data 
that may be stored overseas.
    First, the rapid growth of Internet use has meant that law 
enforcement increasingly relies on electronic data, such as the 
content of emails or text messages, in identifying perpetrators 
and bringing them to justice.
    Second, while much of this information is stored within the 
United States, providers are increasingly storing information 
outside the United States as well. United States law generally 
does not require providers to store data here, and U.S. 
providers increasingly face tax or other business incentives as 
well as pressure by foreign governments to store data outside 
the United States.
    In fact, many of the largest American providers now operate 
data centers abroad, and it is unusual for a major provider to 
store all of its data within a single country. For these 
reasons, although law enforcement access to data stored abroad 
is already a key issue for the United States, its importance is 
likely to grow over time. Under United States law, when a 
provider is subject to the jurisdiction of U.S. courts, U.S. 
law enforcement may use the Stored Communications Act, or SCA, 
to obtain this data.
    The SCA's efficient and privacy protecting process is 
critical to successful investigations. When SCA process is 
unavailable, U.S. law enforcement may attempt to obtain 
information stored abroad through international cooperation 
mechanisms, such as mutual legal assistance treaty, or MLAT 
requests, but the MLAT system can be cumbersome and is 
overburdened, and the United States does not even have MLAT 
treaties with half the countries in the world.
    As a result, criminals may remain free to commit serious 
crimes against Americans. The United States is of course not 
alone in confronting these challenges. Many of our foreign 
partners, including close allies such as the United Kingdom, 
find themselves in an even more difficult situation reliant on 
evidence stored outside their borders, often within the United 
States, to protect public safety and national security. The 
difficulty arises in part because the SCA not only serves as 
the mechanism for U.S. law enforcement to require a provider to 
disclose information, but also precludes providers from 
disclosing the contents of communications unless certain 
exceptions are met; and the SCA contains no exception 
permitting a provider to disclose the contents of 
communications in response to a foreign production order.
    Thus, when a foreign country makes a request under its own 
law for an American provider to disclose data stored in the 
United States, the provider may face conflicting legal demands, 
compulsion to disclose under foreign law, and simultaneous 
preclusion of that disclosure under American law. This is so 
even if, for example, the order relates solely to a crime 
committed by the country's national within its own territory.
    The result may be to stymie legitimate investigations, 
motivate foreign countries to require data to be stored within 
their own borders, and expose American companies and their 
employees to potential enforcement actions abroad. There is 
widespread acknowledgement that this status quo is untenable. 
To address these problems, the Administration is currently 
considering a framework under which U.S. providers could 
disclose data directly to the United Kingdom in response to a 
lawful U.K. order. The agreement would not permit the targeting 
of U.S. persons or persons within the United States, and would 
not be used for bulk collection. The agreement would also 
secure reciprocal access for the U.S. to data located in the 
United Kingdom. We recognized that any such agreement would 
require legislation, both to lift conflicts of laws in 
carefully specified circumstances, and also to set forth base 
line standards to project privacy and civil liberties.
    We look forward to working with Congress as we continue to 
explore this approach. Should the approach prove successful, we 
would consider it for other like-minded governments as well. We 
believe the framework I have described rather than legislation 
that would unilaterally restrict U.S. law enforcement 
authority, offers a path forward to efficient and privacy 
protecting cross border law enforcement access to data. Thank 
you, and I look forward to answering your questions.
    [The prepared statement of Mr. Bitkower follows:]
    
    
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    
        
                               __________
                               
    Mr. Goodlatte. Thank you. We will now begin the 
questioning, and I will recognize myself. Mr. Bitkower, what 
will happen if Congress fails to implement legislation to 
facilitate international agreements such as the one currently 
being negotiated with the United Kingdom?
    Mr. Bitkower. Thank you for the question, Congressman. And 
I think it goes to the heart of why such a framework is so 
helpful. As we said, the status quo today is untenable, both 
for our close allies and for our companies. If there is no 
agreement or path forward, then our companies will increasingly 
face conflicts of law situations when foreign countries, 
including close allies such as the United Kingdom, have 
legitimate requests for data related to legitimate 
investigations under their own law, the only connection to the 
United States of which is that the data happens to be stored 
here, and the provider is precluded under United States law 
from complying with that request.
    I think we will see that situation continuing to grow as 
crime becomes more international and as data can move around 
more easily, and if we do not resolve those questions, then we 
will face both continuing pressure from our allies as well as 
continuing pressure on our own companies.
    Mr. Goodlatte. Do you agree that the Stored Communications 
Act is silent as to whether its procedures apply to data stored 
outside the U.S. or to non-U.S. persons outside the U.S.?
    Mr. Bitkower. Again, thank you for the question, 
Congressman. So, the U.S. Stored Communications Act is a form 
of compulsory process. And U.S. law at the time the SCA was 
enacted and in fact, for many decades has provided the 
compulsory process, if served on a company within the 
jurisdiction of the United States, can require that company to 
produce materials, even if those materials happen to be stored 
abroad. This has been the law of the United States for many 
decades and in fact many countries have similar laws. I think 
we saw, in fact, even in the case involving Microsoft in 
Ireland.
    Mr. Goodlatte. Yeah, can you answer the question though? Is 
it silent with regard to these parties?
    Mr. Bitkower. So the text of the law does not particularly 
mention where the data is stored and does not turn one way or 
the other in where data is stored.
    Mr. Goodlatte. So, what guidance do U.S. providers have as 
to the application of the Stored Communications Act to data or 
customers that are outside the U.S.?
    Mr. Bitkower. So again, we think that since this SCA was 
legislated against a backdrop of U.S. law, which applies across 
a variety of contexts, not just in electronic communications 
contexts.
    Mr. Goodlatte. Is your answer that it does not give 
guidance to this?
    Mr. Bitkower. No, to the contrary, sir. My answer is that 
it operates like other forms of compulsory process where the 
law is clear that companies may be required to retrieve data 
from abroad in response to a lawful request.
    Mr. Goodlatte. Okay. Should a bilateral agreement such as 
the one under consideration with the U.K. also ameliorate any 
conflicts of law with regard to U.S. requests for data held by 
U.S. companies in that other country that is a party of the 
bilateral agreement?
    Mr. Bitkower. Yes, Congressman. One of the primary benefits 
in an agreement of this nature would be to have reciprocal 
benefits for the United States in lifting any conflicts of law 
that might be present in the other country from where we 
request data.
    Mr. Goodlatte. And in your written testimony, you say that 
a successful bilateral framework must establish adequate base 
lines for protecting privacy and civil liberties, both through 
the agreement and implementing legislation. And you also go on 
to say that, for example, legislation should require the 
foreign country's law to have in place appropriate substantive 
and procedural protections for privacy and civil liberties. 
What does that mean?
    Mr. Bitkower. So thank you, Congressman. That is an area 
where we had hoped to work very closely with Congress and in 
particular with this Committee in establishing what those base 
lines ought to be. Our goal is that when we choose a country to 
conclude such an agreement with, we would want to ensure that 
that country has adequate substantive and procedural base lines 
to ensure that the orders that they are submitting and serving 
on our providers are ones based on a rule of law framework, 
they provide protections for civil liberties, they provide 
protections for privacy. And so that way our companies can be 
sure they are complying with legitimate requests.
    Mr. Goodlatte. Thank you very much. I now recognize the 
gentleman from Michigan, Mr. Conyers for his questions.
    Mr. Conyers. Thank you, Mr. Chairman. And welcome to our 
hearing, sir. In the case pending before the Second Circuit 
right now, the Department of Justice and Microsoft differ on 
the application of the law to data stored on servers outside 
the United States.
    I would like to focus on some areas that I think we may be 
in agreement on. Do you believe that companies like Microsoft 
face a difficult decision when U.S. laws like the Electronic 
Communications Privacy Act dictates one outcome, and the law of 
a different country dictates another? That is a pretty 
difficult situation, is it not?
    Mr. Bitkower. I absolutely agree, Congressman. Our 
companies currently can be caught in difficult conflicting 
legal obligations, in particular when foreign countries seek 
access to data that is stored here in the United States.
    Mr. Conyers. Do you believe that the Electronic 
Communications Privacy Act should be reformed to address this 
issue?
    Mr. Bitkower. So, thank you, Congressman. I am aware this 
Committee held a hearing in December on the subject of the 
Electronic Communications Privacy Act. The Department was 
privileged to submit testimony to that hearing, and obviously 
we stand by that today. We recognize that certain aspects of 
the Electronic Communications Privacy Act have not kept date 
with the way technology is used, and the Department is open to 
certain changes in that statute, provided contingencies are 
made to protect important civil and criminal law enforcement 
functions.
    Mr. Conyers. Now, in February, the Washington Post reported 
that the Department of Justice had entered into negotiations 
with the British government on an agreement that would allow 
British agencies to serve wiretap orders directly on United 
States companies. Do you think it might have been appropriate 
for us to learn about this activity from the Department of 
Justice rather than the Washington Post?
    Mr. Bitkower. Certainly, Congressman. We believe that close 
collaboration with Congress is essential in this area as in 
many others. I do not want to overstate any progress we have 
made. The negotiations began just very recently. We only very 
recently received, in fact, the authorization to begin those 
negotiations, at approximately the time that that Washington 
Post article was published. We obviously did look forward to 
the opportunity to brief this Committee and other Committees of 
jurisdiction and we hope to work with you in the future as 
well.
    Mr. Conyers. Well, is it your position that our government 
should be able to obtain data stored abroad by applying the 
Electronic Communications Privacy Act to any company based in 
the United States?
    Mr. Bitkower. Thank you, Congressman. We think it is 
essential that the United States be able to obtain data without 
regard to its location, if the provider is subject to U.S. 
jurisdiction. As I noted in my testimony, there are numerous 
examples of cases where individuals who may be outside the 
United States, who may not be United States citizens, whether 
they are in the United States or not, commit very serious 
crimes against Americans, and if we do not have access to data 
and evidence, then those crimes could continue. So we do take 
seriously potential conflicts of laws that our companies may 
face.
    We do everything in our power to minimize those and see if 
there are work arounds we can engage in. But at the end of the 
day, if the United States does not have the authority to gather 
evidence simply based on the location of that evidence, then 
not only will our citizens suffer, but in fact, an agreement of 
the type we are talking about today, would have no reciprocal 
benefit for the United States.
    Mr. Conyers. All right. Is there some way we can speed up 
the negotiations and the conferences and all this business so 
that this does not take months and months, and jeopardize the 
interest of a lot of individuals and companies? How would we 
react if the Chinese government, for example required, a 
Chinese company like Alibaba, which maintains the data center 
in the United States, to produce account information that 
belongs to a U.S. citizen or citizens?
    Mr. Bitkower. So thank you, Congressman. Again, that is I 
think one of the key conflicts of laws that our companies may 
face. That is they receive requests from other companies in 
other countries, for data that our companies may store in the 
United States. Sometimes those are requests that they very much 
want to respond to. Legitimate requests from close allies to 
resolve crimes in their territory; and sometimes they come from 
countries who do not have the same human rights record and 
where the request is not as obviously legitimate.
    We do not believe the solution to that problem is to enact 
legislation that would unilaterally strip U.S. authority to 
investigate serious crimes, but we do think a framework of the 
type I am talking about today, under discussion between the 
U.S. and the U.K., which allows us to pick and choose 
likeminded countries and circumstances in which we would reduce 
those conflicts is a path forward.
    Mr. Conyers. Well, I hope we work more closely together in 
this area, and I thank you for your response to my questions. 
And I thank the Chair.
    Mr. Bitkower. Thank you.
    Mr. Goodlatte. The Chair recognizes the gentleman from 
California, Mr. Issa, for 5 minutes.
    Mr. Issa. Thank you, Mr. Chairman, Mr. Bitkower. Is it 
Bitkower?
    Mr. Bitkower. Yes.
    Mr. Issa. Okay. Sometimes, here from the dais, the best way 
to deal with a new problem is see if the problem is new or not. 
So let me ask you a few questions just to see if the problem is 
new. The country of Ireland decides that, in fact, you 
committed a crime, and they want you back there. Should they be 
able to simply unilaterally go to an Irish court, issue a 
warrant, and come get you?
    Mr. Bitkower. So if the country grounds had an extradition 
request for me?
    Mr. Issa. No, no. They just want to come haul your ass in.
    Mr. Bitkower. I would oppose that, sir.
    Mr. Issa. Okay. So, in the tangible world, that is an 
example where we have absolutely no authority whatsoever to 
take a person--by the way, U.S. or otherwise, from another 
sovereign country. We have had a long tradition--and I just 
left the Foreign Affairs Committee--I have got Secretary Kerry 
there so I apologize I am going back and forth between the two 
most important people I will see today--so, for all these years 
we have set up a list of countries in which we do business on 
extradition.
    We want tangible evidence. Let's just say an M-16 used in a 
crime, but it left the country. Or, an M-16 was found in 
Ireland being used, but we believe it is from the U.S. When you 
want that tangible property, you do not go to a U.S. court 
order alone. You go to a U.S. court to plead your case, and 
then you go to a foreign jurisdiction, and you negotiate with 
the foreign jurisdiction whether or not, as to that person, as 
to that equipment, as to that evidence, they are willing to, 
through their court system, allow you access or, in fact, 
removal from their country. Correct?
    Mr. Bitkower. So the question is--Congressman, I do 
appreciate the question, I think, across a wide variety of 
contexts. We face a wide variety of situations where we--there 
may or may not be a conflict of law.
    Mr. Issa. Right, but let's just look at the intangible 
world, the piece of paper reduced to a PDF. Because that is 
really what we are talking about. We are talking about 
something that could be tangible fairly quickly but happens to 
be in electronic format, correct?
    Mr. Bitkower. Certainly.
    Mr. Issa. Okay, and you want us to assume that somehow, as 
to U.S. corporations, Microsoft, Apple, whoever it happens to 
be, that in my opinion the bully--is being bullied by the 
Justice Department today in some ways. You want us to believe 
that you should throw out all the history of extradition, all 
the history of you do not get it, you get to ask another 
country for it. And you want to have an absolute right to 
demand it and get it if a U.S. court says it, and you have 
jurisdiction over the entity who could control the bringing of 
it back electronically to you. Is that correct?
    Mr. Bitkower. That is not precisely correct.
    Mr. Issa. It is pretty close though, is it not?
    Mr. Bitkower. Well, respectfully, sir, the U.S. courts do 
have a long tradition of balancing----
    Mr. Issa. I am not asking what the U.S. court is. I am 
asking what you are asking for. You are asking for the U.S. 
courts to summarily order U.S. corporations or any entity that 
you believe the court has jurisdiction over, to deliver to you 
something from another country and circumvent that other 
country's opportunity to tell you yes or no. And that is 
essentially what you are asking for.
    So let me ask it in another way, and I will be asking the 
next panel. Should we not fashion legislation that treats 
intangible evidence exactly the same as we treat tangible 
evidence? That treats the summoning of something from somewhere 
else to the United States substantially similar to how we would 
do so if, in fact, it was tangible, like a person, M-16, or a 
piece of paper? Is that not where--not your position. Your 
position is rightfully so, self-serving, that you would like 
the evidence as quickly and easily as possible. But from our 
standpoint, our Founding Fathers saw 200 years evolve without 
this sort of an idea that you can order an U.S. entity to bring 
back something to the United States.
    Can you give me a good reason as the time expires--I will 
give you the rest of the time and as much as the Chairman gives 
us--can you give me the good reason why I should treat this 
intangible substantially different than we have treated 
tangible for 240 years?
    Mr. Bitkower. So thank you, Congressman. We do not believe 
that our position either in the Microsoft case or with regard 
to the SCA treats tangible and intangible objects differently. 
As I said before, there is a long tradition where corporations 
and banks, for example, subject to U.S. jurisdiction, may be 
required by lawful process in the United States to retrieve 
documents from abroad. If after that order is given, the 
provider can show, or the company can show that there is 
legitimate competitive laws we work every with companies in 
that context, in our financial investigations, in trade secret 
investigations, and so on.
    Mr. Issa. So you go to the court, you get an order, and 
then with the threat of the order and the financial loss to 
them you negotiate. Is that right?
    Mr. Bitkower. That is correct.
    Mr. Issa. But only if they file an opposition and they are 
tying it up in court. Then you negotiate because you want it 
faster. Is that right?
    Mr. Bitkower. That is not correct. They do not have to file 
an opposition. They simply have to tell us there is a conflict 
of laws and we will talk to them right away. I will point out 
in the Microsoft litigation you are referring to, there has 
been no claim or allegation by Microsoft of any conflict of 
law.
    Mr. Issa. Thank you. Thank you, Mr. Chairman.
    Mr. Goodlatte. The Chair recognizes the gentlewoman from 
California, Ms. Lofgren, for 5 minutes.
    Ms. Lofgren. Well, thank you, Mr. Chairman, and thank you 
for scheduling this and a series of hearings on this important 
topic before our country. You know, I will just join with the 
other Members' concern with the negotiations with Britain with 
the newspaper instead of from the Department. I just do not 
think that is the way this should work. And looking at that, I 
just got to express some concerns.
    Yes, Britain is our ally, but they do not have a First 
Amendment. I mean, they do not protect speech. And they do not 
have judicial review. I mean, they do not have a magistrate 
that oversees the issuance of warrants. And they do not have a 
probable cause standard either. So to think that just because 
they are our ally, they meet our standards I think is 
completely mistaken, and I have very grave concerns about what 
is going on.
    Obviously this is not the focus of this hearing, but I will 
just get that out there. I have very grave concerns. And 
certainly Britain is moving in a direction away from what we 
would consider basic liberties that are guaranteed by our 
Constitution. So their direction in our negotiation I think is 
cause for grave concern in this country. And I will--we are 
going to have to get further into that later.
    Since you are here, I would like to ask a couple of 
questions about ECPA reform, because I think what we do with 
ECPA reform will greatly impact the conflict of laws issues 
that is the subject of this hearing. We have a bill that has, I 
think, hundreds of co-sponsors. I am for that bill. But what 
the bill does not have in it is protection for geolocation. 
Now, our Supreme Court is moving in the direction of projection 
geo location, so it may be that our Supreme Court is going to 
solve that, even though the legislation does not include it, 
but I am interested in the Department's policy.
    Now, it is my understanding that the Department recently 
enacted a policy requiring a warrant before deploying a cell 
site simulator, sometimes called a StingRay, to locate a 
suspect using their cell phone. Does that mean that the 
Department of Justice is going to require a warrant for all 
other means of obtaining real time geo location information of 
a person or mobile device? And if not, what technologies and 
techniques require a warrant and which do not?
    Mr. Bitkower. Thank you, Congresswoman for raising two 
different but both very important issues. Initially, with 
respect to the U.K., I do want to emphasize we are at an early 
stage in the negotiations. We fully recognize and appreciate 
that Congress will have to legislate in this area, and we hope 
to work with this Committee and others in order to establish 
the appropriate base line standards for the protection of 
privacy and civil liberties.
    And I will also note, as you note, that the U.K. has 
introduced substantial reforms to its Investigative Powers Act. 
Any determination with respect to any country, including the 
U.K., will only be made after there is legislation in place at 
that time. With respect to geo location, I will note also at 
the beginning we follow the law, whether it is in the statute 
or created by court decisions, including the Supreme Court. So 
we will follow it, obviously no matter what the circumstance 
is.
    There is no single category of geo location data that law 
enforcement can obtain from third parties. There are various 
types of data and various types of technology. It depends 
whether you're looking at prospective information or historical 
information, information provided voluntarily by an individual, 
or information collected without their consent. And they vary 
in terms of precision. So our practices vary depending on the 
type of information, and the type of technology, and we make 
the showing that is required under law for any of those.
    Ms. Lofgren. So, let me ask you this. If you are requiring 
a warrant for--which I must say, apparently the U.S. Marshals 
Service is not--to deploy StingRay for real time geo location 
would you require a warrant generally to obtain historical geo 
location?
    Mr. Bitkower. So, again Congresswoman, it depends on what 
you mean by geo location information.
    Ms. Lofgren. Where you are.
    Mr. Bitkower. Well, again, that can be determined with 
different degrees of precision. That could be as precise as are 
you in this room? It could be more generally, are you in the 
city? Or are you in this country? When you get more precise, 
generally speaking the law does require a higher showing, often 
including a warrant based on probably cause. When you are less 
precise, often the law requires a lower showing and we will 
follow that law.
    Ms. Lofgren. Well, in some cases there is a void in terms 
of the law, in terms of where the court has so far acted. So it 
sounds like, Mr. Chairman, that as we take this up, we may want 
to include some geo location protection and precision to guide 
the Department in the future, and I see my time has expired, 
and I would yield back.
    Mr. Goodlatte. The Chair thanks the gentlewoman and 
recognizes the gentleman from Iowa, Mr. King, for 5 minutes.
    Mr. King. Thank you, Mr. Chairman. Thanks for your 
testimony, Mr. Bitkower. I would like to ask you about the 
broader picture of this. I mean, we are bouncing this back and 
forth between the United States and the U.K., and it is far 
more complex than this as I understand it. And the several 
hundred countries there are in the world, that would seem to me 
that that is several hundred different bilateral relationships 
that need to be negotiated. Could you paint this big picture on 
what would be the optimum here? I mean, if we had the picture 
of what's optimum, perhaps then, as we move the pieces around 
on this jigsaw puzzle, we might be able to get that picture 
eventually put together, or at least have a target?
    Mr. Bitkower. Sure, and thank you, Congressman. And I will 
do my best. I think we all start from the recognition that the 
current situation is untenable, and the optimum would be to 
move in the right direction, which means both to facilitate 
legitimate requests from countries to solve crimes and protect 
public safety, but also to take our companies out of the middle 
when they are stuck between conflicting legal obligations, both 
of which they respect.
    We do not believe that we will wind up with 181 bilateral 
agreements. I think that is not even close to being 
contemplated. There are not that many countries, I think, that 
share our values in that sense that would be willing to conduct 
such an agreement with. If it proves successful with the U.K., 
however, we would be amenable to exploring it with other 
countries with whom we have similar close relationships, and 
who have similar values and have similar rule of law respecting 
systems.
    So I think the approach that we want to take is one that 
solves the problem that we see, the problem being lack of 
access because of conflicting laws and our country is caught in 
the middle. The approach we want to avoid is one that would 
unilaterally strip U.S. law enforcement of its authority to 
protect Americans, even in cases where there are no conflicts.
    Mr. King. I would add to that, that by some of the memos 
here I have in front of me, there is an indication that perhaps 
just valuable evidence in a criminal investigation might be 
delayed as long as 10 months. It would seem to me that that 
would be a big discouragement from the prosecutors in whichever 
country was waiting for 10 months. How much is that a 
consideration of your initiative here?
    Mr. Bitkower. That is an everyday consideration, sir, for 
the most serious crimes we face, ranging from terrorism to 
child sexual exploitation to computer crime, and I will add the 
10 months is an estimate of the time it takes us to respond to 
requests from foreign countries.
    When we are talking about situations where the Department 
of Justice is required to request information--I am sorry, the 
10 months is when we produce information. When we are talking 
about situations where we are required to request information 
from foreign countries, 10 months may be a best-case scenario. 
In many cases we will never see that evidence at all, and in 
many cases we do not even have a mutual legal assistance 
treaty, as I said, with about half the countries in the world.
    So, if we are required to pursue international cooperation 
mechanisms to gather evidence, that is going to stop many 
important investigations dead in their tracks.
    Mr. King. So that would imply that there are many criminals 
going free because of these delays.
    Mr. Bitkower. There is no question that that is true, sir.
    Mr. King. And also, what about intelligence purposes? Say 
investigations of radical Islamic terrorists? How much of this 
proposal is contemplated that would be gathering that kind of 
intel?
    Mr. Bitkower. So that is a core consideration. So, if, for 
example, the United Kingdom was investigating a U.K. citizen 
who had gone off to Syria to fight with ISIL, and was 
communicating with his co-conspirators through a U.S. provider, 
and that data was stored in the United States, right now the 
U.K. would have to come to us for an MLAT, and we would have to 
go through all those same procedures.
    By the same token, when we investigate Syria's terrorism 
offenses--and I have a couple in my written testimony--quite 
often terrorists are non-U.S. persons who are located overseas, 
and that might be exactly the type of data that our providers 
store overseas. If we have to go through MLAT procedures to 
obtain that evidence, and if any conflicts of law are 
automatically resolved against the United States, those 
investigations will automatically suffer.
    Mr. King. Let me just suggest then that if we are 
contemplating a degree of change in our foreign policy, that 
Mr. Issa referenced foreign policy and foreign affairs--a 
change in our foreign policy that we were committed to actually 
defeating ISIS and doing so in a comprehensive way, not only 
tactically in the Caliphate, but throughout our initiation of a 
global war against terrorists, and using data as a component of 
that as well as finances, would you say that this is a critical 
element that we are addressing here today?
    Mr. Bitkower. When it comes to the fight against terrorism 
by both us and our allies, access to evidence stored abroad is 
a key part of that. Absolutely.
    Mr. King. And right now we are handcuffed to a degree?
    Mr. Bitkower. Yes.
    Mr. King. Thank you. I appreciate your testimony, Mr. 
Bitkower, and I yield back the balance of my time.
    Mr. Marino [presiding]. The Chair now recognizes Mr. 
Johnson from Georgia.
    Mr. Johnson. Thank you, Mr. Chairman. Sir, thank you for 
your testimony today. In what ways, if any, would a bilateral 
or series of bilateral agreements be preferable to a mutual 
legal assistance treaty?
    Mr. Bitkower. Thank you, sir, for the question. So let me 
say from the very beginning, the mutual legal assistance 
process is a vital part of international cooperation. We rely 
on it all of the time on a daily basis, and I do not by any 
means mean to suggest that that is not a key element going 
forward, but the mutual legal assistance process can be 
burdensome, because it requires essentially a diplomatic 
request from one country to another, the need for a country to 
translate its documents not only in terms of language but also 
in terms of legal process.
    Mr. Johnson. Well, that is within the current framework 
of--yeah.
    Mr. Bitkower. Exactly, exactly. And the idea of a new 
framework of the type I am talking about today between the U.S. 
and the U.K. is that it would permit direct requests from the 
U.K. under U.K. law to providers that are doing business in the 
U.K. And that would circumvent the need to go through all the 
procedures in the MLAT process that are not privacy protecting, 
that do not enhance investigations, but simply add time and 
delay.
    Mr. Johnson. A new MLAT process or framework could 
incorporate the features of the bilateral agreement that is 
being negotiated with the U.K. Is that not correct?
    Mr. Bitkower. So, in a sense the U.S.-U.K. framework is one 
of mutual legal assistance, but it is not mutual legal 
assistance in the type contemplated by our current treaties, 
which require requests to go through those diplomatic channels.
    Mr. Johnson. Well, I guess I am getting to the issue of 
whether or not it is better to try to, for this country, to 
address its cross-border access to data issues--and other 
countries that have the same issue--whether or not it is better 
to negotiate within a treaty format as opposed to a series of 
bilateral agreements. Why would a bilateral agreement process 
with at least 190 different Nations in this world--why would 
that be a superior route as opposed to a treaty?
    Mr. Bitkower. So, I absolutely agree with you. We should 
continue to work and reform the MLAT system, and there are a 
number of steps that we are taking in that regard. And we are 
happy to work with this Committee and others to continue to do 
so. That is an essential step as well.
    Mr. Johnson. It seems like that is on the back burner 
though.
    Mr. Bitkower. Not at all, sir. That is actually on the 
front burner for the Department of Justice, and it is an area 
where we put a lot of resources and intend to continue to do 
so. In fact, we think a framework of the type--a bilateral 
framework with the U.K. of the type I have discussed would 
actually contribute to reforming and improving the MLAT 
process, because it would take certain high volume countries 
like the U.K. out of that system to a degree and free up 
resources for uses for all other countries, even those that are 
not part of the framework. But the reason we would go through a 
bilateral framework is for certain close allies with 
particularly--with legal systems that have adequate substantive 
and procedural protections for privacy and civil liberties, the 
idea is that this would be an expedited method, that they would 
not have to go through the normal MLAT procedures for crimes 
that are of particular concern to them, and do not involve U.S. 
persons, they have not targeted at U.S. persons or persons 
located in the United States.
    So we would get the best of both worlds in a sense of 
expediting process that have privacy protecting features and 
favor our close allies, but also lifting all boats by freeing 
up resources for people who are not part of that process.
    Mr. Johnson. So, I presume that you are working under the 
assumption that British legal standards are acceptable with 
respect to U.S. legal standards?
    Mr. Bitkower. So, again, we are not working on any 
assumptions. We recognize the need to and we look forward to 
working with this Committee and others to establish exactly 
what those standards ought to be and only then would be 
evaluate the U.K. as an applicant for such a process.
    Mr. Johnson. And, last question: would a bilateral 
agreement with the U.K. waive U.S. Fourth Amendment protections 
with respect to requests from British for electronic data 
stored here in the U.S.?
    Mr. Bitkower. So, any agreement obviously would require 
MLAT legislation and that legislation would have to be 
consistent with the Fourth Amendment. We certainly recognize 
that. The Fourth Amendment, of course, takes particular views 
with regards to investigations by foreign governments as 
opposed to our own. Or data that does not belong to U.S. 
persons or persons who are in the United States.
    Mr. Johnson. Thank you. And would a bilateral agreement be 
subject to congressional approval?
    Mr. Bitkower. So Congress would have to enact legislation 
to make this entire process possible, sir.
    Mr. Johnson. Thank you, and I yield back.
    Mr. Marino. The Chair now recognizes the gentleman from 
Texas, a former judge, Congressman Poe.
    Mr. Poe. I thank the Chair. I am over here on the far 
right. Let me just go back to the basic, what the law is right 
now. Under current law, information that is stored in the cloud 
that is over 6 months old, the Department of Justice, on behalf 
of some law enforcement agency, makes a request or a demand to 
the provider for that information in the cloud such as an email 
that belongs to Bubba down in Texas. Is that a fair statement 
of what the law is right now?
    Mr. Bitkower. Yes, sir. For the content of email, we would 
generally proceed with a warrant.
    Mr. Poe. Okay. You would get a warrant from a judge.
    Mr. Bitkower. Yes, sir.
    Mr. Poe. When is it you do not get a warrant, but you get a 
subpoena or a request made by some person in the Department of 
Justice?
    Mr. Bitkower. So we would proceed by subpoena with--under 
the SCA with respect to certain non-content information, such 
as metadata, or subscriber information.
    Mr. Poe. So that is not a law enforcement agency, though. 
Is that correct?
    Mr. Bitkower. That would be on behalf of law enforcement 
agencies, sir, yes.
    Mr. Poe. Oh, a law enforcement agency. So when do you 
request the subpoena and when do you have to get the warrant?
    Mr. Bitkower. So the Department's practice is to seek a 
warrant when content of the communications are at issue, sir.
    Mr. Poe. But to get the data, you issue a subpoena.
    Mr. Bitkower. For certain types of non-content information, 
that is correct, sir.
    Mr. Poe. Okay. And, right now, Congress, for the last 4 
years, has been discussing and trying to update ECPA to deal 
with the issue of content and information that is stored in the 
cloud that is over 6 months old. Is it the Department of 
Justice's position that a warrant should be required to get 
that information, whether it is data or whether it is content?
    Mr. Bitkower. So the Department is open to a warrant 
requirement for that type of data if exceptions for certain 
limited contingencies involving civil investigators are made.
    Mr. Poe. Okay. All right. And just so you are clear, I 
think that the--you ought to have a warrant for all of that. 
And the reason that the SEC wants to have an exception is 
exactly the reason that the SEC should have a warrant 
requirement as well. Its content I think is--or data I think is 
protected under the Fourth Amendment. That is one of the bills 
that we are debating here. And regardless of what we eventually 
come up with, do you think it is important that Congress 
actually make a decision on reforming ECPA?
    Mr. Bitkower. So again, the Department is certainly open to 
that change that you are describing, and I would agree with you 
that any access to data has to comply with the Fourth 
Amendment. There are ways other than warrants to comply with 
the Fourth Amendment, and we think those ways might be 
available to civil investigators.
    Mr. Poe. And I think it ought to apply to the civil 
agencies in the Federal Government as well. That is my personal 
opinion. Do you think that Congress--I am asking your opinion 
if you are open to it, are you open to it now, or do you think 
we ought to wait to figure out some deal with the British on 
what they are doing? Or should we go ahead and make that 
decision as our responsibility in Congress?
    Mr. Bitkower. So certainly, we do not see one process as 
dependent on the other. Our concern is when, for example, DOJ 
civil investigative agencies or civil components, such as the 
Civil Rights Division, do need to seek information for an 
important civil rights investigation, and they are not able to 
get a warrant because it is not a criminal investigation. And 
in that case there ought to be some mechanism for them to get 
access to data from the provider, but with full privacy 
protections, and we are open to a variety of solutions in that 
regard.
    Mr. Poe. I did not ask you that. I asked you about dealing 
with the British. I did not ask you about civil rights. Do you 
think that we ought to wait to deal--make a treaty with the 
British on content that is stored in the cloud, and what they 
think and what we think and come up with some agreement, 
treaty, whatever it is called, or should we act on behalf of 
the American public now?
    Mr. Bitkower. We do not think there is any need to wait to 
act on ECPA, but to resolve the situation with the U.K. either, 
no.
    Mr. Poe. All right. Well I agree with you on that. That is 
Congress' responsibility, and it is long overdue that we deal 
with storing information in the cloud, and I think the Fourth 
Amendment ought to apply to the information stored in the 
cloud, over 4 months or over 6 months old, whether it is civil 
process or criminal process. And maybe we will get that 
legislation that is now pending with over 300 sponsors of 
Congress to the House floor soon. Thank you very much; I will 
yield back the balance of the time.
    Mr. Marino. Chair now recognizes the congresswoman from the 
great State of Washington, Congresswoman DelBene, who is a 
coauthor with me on the LEADS Act.
    Ms. DelBene. Thank you, Mr. Chair, and you thank you, Mr. 
Bitkower, for being with us today. The DOJ argued in the 
Microsoft Ireland case that congressional inaction with respect 
to updating the Electronic Communications Privacy Act is 
evidence of legislative intent, and that Congress generally 
think the law is fine, but the courts should feel free to apply 
it to all of the unique situations that arise given the way 
technology works today, including international data storage. 
Now as was mentioned by my colleague from Texas moments ago, 
are you aware that this Committee has held hearings and 
announced plans to mark up the Email Privacy Act, and there are 
over 300 cosponsors on that very basic reform bill waiting for 
this Committee to take it up, and over 100 on the LEADS Act 
that addresses the international question?
    Mr. Bitkower. I am aware of those facts, yes.
    Ms. DelBene. So, you have indicated that DOJ's position is 
that in all cases, the Electronic Communications Privacy Act as 
written reaches data oversees. So where it is stored does not 
matter.
    Mr. Bitkower. With respect to the government's ability to 
compel a provider to disclose information, it does not matter 
where the provider chooses to store that information, that is 
correct.
    Ms. DelBene. Now, you know, Congress is looking at a number 
of ways to update the Electronic Communications Privacy Act to 
account for the global nature of cloud computing, and the needs 
of law enforcement to access critical evidence, but some of the 
threshold questions that we have discussed include the 
citizenship of the account holder, the location of the data, or 
the headquarters of the company holding the data. Would you say 
that the DOJ's position is that ECPA as written already 
addresses questions about how to handle data stored abroad, and 
that all these questions are essentially superfluous to--and we 
should not be asking them?
    Mr. Bitkower. So I think ECPA today currently does not make 
distinctions that restrict the government's ability to 
investigate based on the nationality of the account holder, and 
does not make distinctions about the DOJ's ability to 
investigate based on where the data is stored. We think that is 
a wise course to continue with, because there are many 
investigations where we need to take action where the 
individual may be abroad and the individual may not be an 
American. So obviously we are concerned with legislation that 
would unilaterally strip our authority to investigate in those 
cases.
    Ms. DelBene. So if we follow the model that says it is 
based on a company, then--and I think this was mentioned 
earlier as well--China could make subsidiaries of Chinese 
companies in the U.S., turn over whatever information it wants, 
is that a desirable outcome?
    Mr. Bitkower. That is certainly not a desirable outcome, 
and that is in fact why we are looking for a creative way 
forward that would address conflicts of laws in targeted ways 
that lower those conflicts in case we have legitimate requests 
from companies that respect--countries that respect rights. But 
we can pick and choose which country to make a deal with.
    Ms. DelBene. So, many of us would agree though that the 
MLAT system is in need of modernization to function officially 
in a digital age. Could you share with the Committee how many 
times an MLAT has been used to obtain data stored overseas 
versus a warrant stored under the Stored Communications Act?
    Mr. Bitkower. So it is difficult to answer that question, 
because for the most part, if you are talking about the context 
of the SCA, the government is not aware where the data is 
stored. So if a company complies with an SCA warrant, we will 
not know one way or the other where the company got that data 
from, Seattle, San Francisco, or Ireland. So I cannot give you 
an answer to that question. I can only give you answers based 
on the information we have received from companies when we 
serve that process on them.
    Ms. DelBene. But can you give us your best estimation of 
that answer then? Or is that a different----
    Mr. Bitkower. So this may not be a scientific answer, but 
to our knowledge, in the history of serving SCA warrants on 
U.S. providers, we have never been told that they cannot comply 
because of the conflict of law.
    Ms. DelBene. It is my understanding that before the 
Microsoft Ireland case, standard practice in these 
circumstances was to use the MLAT process. So if the MLAT 
process is broken, it is--you know, I would urge the DOJ to 
start working with Congress on reforms, rather than coming up 
with new legal theories that apparently you have relied on in 
the past to get there, and I really would love to get more 
information on the difference of these numbers, if you can 
provide those to us.
    Mr. Bitkower. So we would be happy to work with you on 
that. I guess the one area where I think that it is important 
to clarify, is that there was no change in DOJ policy for--or 
in the law. For upwards of three decades, it has been the clear 
law of the United States that lawful process served under an 
American company cannot require that company to bring data back 
from abroad.
    We have never heard from an SCA provider to my knowledge 
that they cannot comply with one of those warrants because of a 
conflict of law. If we were ever told so in a given situation, 
we would take that very seriously. We would work with a 
provider and endeavor to see what that conflict of law is. If 
there is a true conflict, we would try to see if there are ways 
around that. That situation has not actually occurred yet, 
including in the Microsoft Ireland case, whereas I said before, 
Microsoft has not alleged any conflict of law. In fact, 
Microsoft submitted a declaration on behalf of itself, and 
Ireland submitted a declaration on behalf of itself, and 
neither one have alleged a conflict of law in that situation.
    So we take very seriously conflict of laws, we do it across 
a variety of investigative contexts. Nearly every one of our 
financial investigations involving banks and the like involve 
claims with conflicts of laws. We work through those processes. 
If we do proceed to a compulsion action in court, the court is 
then empowered to balance important considerations, including 
comity, including the value to the investigation, including the 
burden that might be facing the company, and we take all of 
those very seriously.
    Our concern is with legislation that in every single case, 
if there was a conflict, resolve that conflict against law 
enforcement and in favor of the foreign country.
    Ms. DelBene. My time has expired. I think we need laws that 
work the way the world works today, and that is going to be 
critical for us all to follow up on. Thank you. I yield back.
    Mr. Marino. Thank you. I now my recognize myself for my 
questioning, and thank you for being here, sir. Assume that I 
am back down near in my position where the Marino thing is, and 
the gentleman to my left, Trey Gowdy, former Assistant U.S. 
Attorney. The gentleman to my right, the former judge from 
Texas, Judge Poe and myself. And I am going to include you in 
this because you would not be where you are at if you were not. 
There is no one in this room that is more law enforcement than 
the four of us in our careers, and I thank you for your service 
to this country in law enforcement and prosecution. I read your 
statement, thoroughly, and I agree with you.
    Your first issue, cross border access. We all know how 
incredibly important that is. Your second issue, current rules 
governing access to data in other countries. Again, another 
complicated issue that we must deal with, and your third issue 
of the possible legislation. While it is not possible 
legislation from my perspective, it is going to be legislation 
from my perspective. We are talking about dealing with 2016 
issues based on a 1986 law, ECPA, which we are talking about 
data collection when we did not even--when that law was 
implemented, we barely had these. We did not have this, we had 
such a model that my mother still likes to use, just the flip 
one with the big buttons.
    So let me ask you this, if you would please? You talked 
about treaties, and of course the SCA. Would legislation not 
make life simpler if we got a consensus on the legislation, 
instead of having 194 different agreements with countries or 
referring to a law that is, what, 30 years old?
    Mr. Bitkower. So certainly, sir, we would not contemplate 
194 different agreements. We think this agreement would be 
available to a very small set of countries, at least at the 
beginning.
    Mr. Marino. Okay. At least in the beginning. But okay, you 
start out with two countries, and then you go to six, and then 
you go to 16, and then you go to 60. These countries are not 
going anywhere, and the electronic age is going to continue to 
explode. So why not have definitive legislation? Do you think 
that justice should be legislating or interpreting a 1986 law, 
instead of a 2016 Congress legislating what is important to law 
enforcement, without tying the hands of law enforcement, but 
also with having a law--a rule of law that we can agree on with 
other countries once we get established here in the 
legislature.
    Mr. Bitkower. So I fully agree with you that there is an 
important role for legislative change here and legislative 
change would absolutely be necessary to enable us to take down 
these conflicts of laws in carefully targeted ways. The way we 
anticipate it working is that Congress would act by 
establishing the parameters for an agreement, and then we would 
be able to fit particular countries in that agreement if they 
qualify.
    Mr. Marino. I do not get that from reading DOJ information. 
I am getting that DOJ does not like the LEADS act.
    Mr. Bitkower. Well so, to be clear sir, even under the 
context of a bilateral agreement of the type we are discussing 
in the United Kingdom, that sort of agreement presupposes both 
the United States and for the United Kingdom the ability to 
compel the production of data that might be stored abroad.
    Mr. Marino. My point exactly then. Would legislation not 
simplify that matter? And when you have a direct source of law 
that we could point to when we need to. Let me pose a scenario 
to you. Assume there is a company with a presence in Brazil. 
One of our companies, a presence in Brazil. And the Brazilian 
Government wants some of that information, they issue a 
warrant, but that warrant would violate U.S. law. What do we 
do?
    Mr. Bitkower. That is a serious situation of course. That 
is one we face in real life. That is not a hypothetical 
situation.
    Mr. Marino. Okay. But would legislation not then address 
that issue? Good concise legislation working closely with 
justice and the private sector from a law enforcement 
perspective. Would that not be the approach to take?
    Mr. Bitkower. Yes. I do not want to speak to any particular 
country obviously, because there is a wide variety of----
    Mr. Marino. Neither do I. That is why I keep going back to 
legislation. And it is Congress' role to legislate. And looking 
back at a 30-year law based on where we are today, I do not 
think is logical. So at no time I do not think, at least I do 
not know that Justice even called my office, called Ms. 
DelBene's office, called the Chairman to discuss LEADS. We 
would like to do that; we want input from Justice on these 
issues.
    So again, I thank you for your service, but the point I 
want to get across is Congress legislates, and I yield back my 
time. The Chair now recognizes Congressman Jeffries from New 
York.
    Mr. Jeffries. I thank the Chair for yielding, and for your 
leadership in putting forth the LEADS Act and on this very 
important issue. And I thank you for your testimony here today. 
The law is currently silent as to whether the DOJ can compel a 
U.S. company to produce the email content of a non-U.S. citizen 
when the server is in another country. Is that correct?
    Mr. Bitkower. So, we would not agree with that, sir.
    Mr. Jeffries. Okay. But the Stored Communication Act is 
silent on this issue, correct?
    Mr. Bitkower. So, we would agree that the Stored 
Communication Act does not address that through tax, that is 
correct.
    Mr. Jeffries. Okay. And in light of this silence, the 
Department of Justice has chosen to take the broadest possible 
interpretation as to what its authority can be. Is that right?
    Mr. Bitkower. Well respectfully sir, there are court 
decisions on the matter, and we are following those decisions.
    Mr. Jeffries. Okay. Now do you agree that Congress, in 
light of the silence that you have acknowledged at least as it 
relates to the Stored Communications Act, should step into the 
void to clarify the situation for all parties involved?
    Mr. Bitkower. So again sir, we think Congress did act, and 
Congress legislated against a backdrop of which the government 
could compel the production of documents from abroad. So we 
think that already occurred. Obviously we will see how the 
courts come out on these issues, and it may be the case that 
for the legislation might be helpful.
    Mr. Jeffries. So at the end of the day, in the absence of 
congressional action, at least as it relates to the specific 
circumstance that I laid out, is it fair to say that we could 
put a United States company in the position of providing email 
content located internationally as it relates to a non-U.S. 
citizen in violation of another country's laws. Is that a 
possibility, sir?
    Mr. Bitkower. That is a possibility.
    Mr. Jeffries. Okay. Now in the 21st century we live in a 
global economy. Is that right?
    Mr. Bitkower. Yes, sir.
    Mr. Jeffries. Okay. And compelling United States companies 
to violate, potentially as you have acknowledged, United States 
law by disclosing email content of non-U.S. citizens could 
possibly place United States businesses at a competitive 
disadvantage. Is that correct?
    Mr. Bitkower. Sir, the way I would answer that question is 
to say, again, for many decades ,we have engaged in the 
enforcement of our laws, and that often results in us trying to 
compel records from companies which store those records abroad. 
This is not a new issue, it is not unique to the SCA. It is not 
unique to the United States. In fact most countries, or many 
countries at least, have similar provisions in their law that 
authorize them to seek evidence that may be stored abroad.
    Mr. Jeffries. There is at least a possibility that by 
compelling a United States company to violate international 
law, as you have acknowledged, is potentially the case here, 
that that could place a United States company as a competitive 
disadvantage. Yes or no?
    Mr. Bitkower. So to be clear, I did not say to violate 
international law, I said it is possibly the conflict with the 
law of another country.
    Mr. Jeffries. The law of another country.
    Mr. Bitkower. Yes.
    Mr. Jeffries. Correct.
    Mr. Bitkower. So that is correct. It could absolutely put 
companies in a situation conflict to legal obligations.
    Mr. Jeffries. Okay. Now, and that could in my view I think 
in the view of many reasonable people place them at a 
competitive disadvantage, which I think could undermine the 
United States' national interest economically. And in fact I 
would just point out that Article I, Section 8, Clause 3 of the 
United States Constitution states that Congress shall have the 
power to regulate commerce with foreign Nations. Are you 
familiar with that clause?
    Mr. Bitkower. Yes, sir.
    Mr. Jeffries. Now I think that the Founding Fathers in 
their great brilliance understood that Congress should be the 
entity to decide how to properly balance United States' 
interests across the legal, economic, constitutional spectrum. 
True?
    Mr. Bitkower. Congress certainly has that authority, sir.
    Mr. Jeffries. So is it not correct that Congress should act 
in this specific circumstance where you have acknowledged at 
least that there is silence? Some ambiguity in order to clarify 
this very complex situation.
    Mr. Bitkower. So, again sir, I do not think there is 
ambiguity in terms of how the statute works today. Certainly we 
do welcome the opportunity to work with Congress in addressing 
the very conflicts of laws you were talking about. Our concern 
is simply if we address them in a way that unilaterally strips 
U.S. law enforcement authority and does not address the 
situation of foreign law enforcement authority, that is not the 
approach we are seeking, but we do think there is definitely 
options that Congress can work on here.
    Mr. Jeffries. Okay. Lastly I would point out, and I think 
my colleague Darrell Issa began this line of inquiry, I think 
it was very important, the U.S. has a history of respecting the 
sovereignty of other Nations when conducting criminal 
investigations in the context of extradition treaties. Correct?
    Mr. Bitkower. Yes, sir.
    Mr. Jeffries. And we have got extradition treaties with 
about 120 Nations. True?
    Mr. Bitkower. I do not know the exact number.
    Mr. Jeffries. Including Mexico, correct?
    Mr. Bitkower. That is certainly true.
    Mr. Jeffries. Are you familiar with El Chapo?
    Mr. Bitkower. I am, sir.
    Mr. Jeffries. He is an international drug dealer. Correct?
    Mr. Bitkower. Yes, sir.
    Mr. Jeffries. Seven United States jurisdictions have 
currently criminal charges pending against him, including 
murder. True?
    Mr. Bitkower. Yes, sir.
    Mr. Jeffries. Would you conceive of a circumstance where 
the United States, in violation of its treaty with Mexico, 
would go across the border, snatch El Chapo, and bring him back 
to justice, notwithstanding the serious United States interest? 
Would you conceive of that circumstance?
    Mr. Bitkower. No, sir, I could not.
    Mr. Jeffries. Okay. And if we would not do it in such a 
serious situation, for the life of me, respectfully, I cannot 
figure out why Congress should not step into this vacuum that 
exists as it relates to email content and respecting the 
principles of comity and the competitive disadvantage that will 
replace the United States companies and which would undermine 
our national economic interests. I yield back.
    Mr. Marino. Thank you. The Chair now recognizes the 
congressman from Georgia, Mr. Collins.
    Mr. Collins. Thank you, Mr. Chairman. I think at this point 
I am just going to have a few questions. But I do not agree 
with the Chairman. I mean, from my background, I think this has 
become the new discussion over the years, as, you know, yes, 
there are many Members who are prosecutors on those, judges on 
this. I take it from a little different perspective.
    I am the son of a State Trooper from Georgia. As I have 
jokingly said, I have fought the law on many occasions, and I 
lost most of the time, but the issue here is not an issue of 
law enforcement. This is an issue of where are we at in 21st 
century privacy, where are we at in a 21st century and digital 
environment, and why do we continue many times to continue to 
hold to issues that really need to be updated? I would agree 
with my friend from Texas, the judge, and I would agree with my 
friend from New York and also Washington. The LEADS Act, 
although it seems to be in some of the questions and some here 
tends to denigrate this LEADS Act, I think that something needs 
to be done and something that we need to put our companies and 
the world on notice on how we are going to do this.
    ECPA also was another issue which is again baffling to me. 
And I know it has been said that well 300 Members could be 
wrong. Well yeah, I agree, this is Congress, but I think 300 
Members also have a pretty good idea that something is not 
right too. And to continue to hold this out is a frustration, 
but especially from DOJ's position.
    And in the Second Circuit Court of Appeals, I think it is 
the Microsoft case, as we work on this, the DOJ lawyer argued 
in the case that it does not--that ECPA does not apply to 
disclosure of information abroad. Even if the information to be 
disclosed is private email correspondence of a U.S. citizen.
    In other words, the Department argued that U.S. citizens' 
emails have no privacy protection under ECPA outside the U.S. 
They were pressed on this issue by the court, and the court--
the DOJ attorney said the result should be of some concern to 
U.S. technology users, but suggests this is the norm, was his 
words. Or their words. I am concerned about the Department's 
position. I reject this notion that this is the new norm, and 
in fact, I think Congress is speaking in to say Congress the 
silence on this is not accurate in this environment. But I just 
want a clarification.
    Do you agree that ECPA does not provide or protect email 
communications even if sent and received within the U.S. from 
disclosures abroad?
    Mr. Bitkower. Thank you, Congressman. So I think it is 
important to distinguish between two different provisions of 
ECPA. The provisions at issue in the Microsoft case generally 
are the provisions in 2703, which relate to the United States 
government's authority to compel a provider that is already 
subject to our jurisdiction to compel records that are in its 
custody or control. The provisions I think you are talking 
about now are the ones contained in 2702, which prevent a 
provider from disclosing content except in certain limited 
circumstances.
    Mr. Collins. Well, let's go there, because there is a 
concern there, because what it seems to be, and again, you--it 
is your time to clarify. It seems that what the Department of 
Justice is not seeing is that they are trading private emails 
of technology users as a business record of a service provider. 
That is a leap.
    Mr. Bitkower. So, certainly, sir, that is not the standard 
that we are applying. The standard we are applying when it 
relates to our ability to compel----
    Mr. Collins. But you have taken that position in 
litigation.
    Mr. Bitkower. No, that is not precisely correct, sir.
    Mr. Collins. Okay. Elaborate.
    Mr. Bitkower. I would be happy to clarify, sir. So, the 
precedent we have taken is that a long line of cases stretching 
back over 30 years allows us to compel companies that are 
subject to our jurisdiction to produce responsive materials 
pursuant to lawful process, even if they may be stored abroad. 
Now if that production produces a conflict of laws, there is 
further work to be done. There is further work to be done both 
by us in discussing it with the company and by the courts if 
applicable.
    The question I think that you are raising now about whether 
a company is free to disclose information is a slightly 
separate question. And that is if a company, American or 
otherwise, stores data abroad, then the protections of 2702 may 
not apply. That is, that company, irrespective of what DOJ does 
one way or the other, may be free to disclose that information 
to a foreign government or to any other person. The provisions 
of ECPA have simply been interpreted not to apply as it regards 
to 2702, which protects the information.
    Mr. Collins. I think at this point in time, in the effort 
to defend the what if, I think DOJ has had some contorted 
positions in this. And I think understandably you have a job to 
do, you feel this is the best way to do your job. I think this 
panel, if you have heard today, has some very different 
opinions on how that actually is playing out in the real world, 
dealing not only with businesses and the cross country data 
flows and other issues, but also just the issues of privacy and 
the issues of when this is. And again, when you get that to a 
point of, you know, whether the company can disclose or not, 
and it being a business record of a company which has nothing, 
there is some concern there.
    So we are going to continue this hearing, I appreciate your 
service, but the LEADS Act and ECPA need to move forward, and 
this needs to be--have a debate. It is not up to an executive 
agency to determine law or intent. It is up to this Congress to 
do so. We are doing that, and I think that is where it needs to 
go. And with that Mr. Chairman, I yield back.
    Mr. Marino. Chair recognizes Congresswoman Jackson Lee from 
Texas.
    Ms. Jackson Lee. Thank you very much. I was very pleased to 
listen to a sizeable part of the exchange, and Mr. Bitkower, I 
thank you for your service representing this Nation and the 
Department of Justice. But as I listen to the series of back 
and forth, I think one of the things that I want to restate for 
the record is the large gap of response by Congress, in 
particular the passage of the Electronic Communication Privacy 
Act in 1986.
    I guess I am in awe, and I might use the term appalled, 
that there is that large, enormous gap that has lasted on a 
number of issues. Then a state for the record that the SCA was 
not designed for international application, and ECPA does not 
permit providers to disclose information directly to a foreign 
law enforcement agency, even when the agency is investigating 
one of its own citizens. I think we had as an example what a 
police officer would do, 20 years ago in the United Kingdom, 
what they might need to do now, which is to ask for the 
information.
    I also want to put into the record the dilemma that 
Microsoft faced. Their case is now pending. They answered part 
of it, Microsoft produced a non-content information. But they 
made the argument I think legitimately when the other material 
was stored in Dublin, Ireland. And so we find ourselves in a 
dilemma that must be answered. And what I would like to see is 
that we answer it with DOJ, even as we move legislation 
forward.
    And so I am going to ask process questions, and what you 
are seeing in the day-to-day operations of the Department of 
Justice. So I will just ask the question. One, is it obvious 
that you are seeing a massive increase of requests for data 
internationally?
    Mr. Bitkower. Thank you, Congresswoman. We are seeing a 
massive increase of requests for----
    Ms. Jackson Lee. Well if massive takes you back, you are 
seeing an increase in requests coming in.
    Mr. Bitkower. I would say massive, Congresswoman.
    Ms. Jackson Lee. All right. I had the right----
    Mr. Bitkower. We have seen a massive increase in this, 
particularly for digital evidence.
    Ms. Jackson Lee. And as I see, part of the process in 
particular, some of the processes under the DOJ requires a 
request to come into the international office, and then it gets 
spread out to U.S. attorneys across the Nation. Already I am 
overwhelmed by just the process of it having to leave you, 
headquarters, and reach to places beyond and find offices of 
varying sizes that have to respond.
    So let me just get a more detailed response from you. Do 
foreign law enforcement officers ever attempt to obtain data 
through faster, informal channels? Do they call their 
colleagues in the FBI or the NSA for a faster result?
    Mr. Bitkower. So there are a range of methods of 
international cooperation. Each one of them must obviously 
follow the law, but certainly there are occasions where we can 
share information on a more informal basis. If consistent with 
the law, of course.
    Ms. Jackson Lee. The question implied that maybe there was 
the normal collegiate responses, and so you cannot attest here 
today that that does not happen. I hear what you are saying, in 
compliance with the law, but----
    Mr. Bitkower. That is correct.
    Ms. Jackson Lee [continuing]. Because the law is so--I 
would say it does not answer the questions, it could be 
possible that relationships and people's interpretation of the 
law, information could just be given or access could be given.
    Mr. Bitkower. Well again, certainly Congresswoman, 
information relating to law enforcement threats is shared every 
day by police forces around the world. When it comes to 
compelling data from a provider, then there needs to be a legal 
process, and that legal process has to be obtained either under 
the law of the United States pursuant to if it is content a 
probable cause standard, or if under the law of a foreign 
jurisdiction. What we are trying to do here is eliminate some 
of the obstacles and burdens that are created when one country 
has to go through the processes of another country in order to 
get that information.
    Ms. Jackson Lee. And particularly when it involves the 
providers. Let me ask, one of the chief concerns underlying 
this discussion is the move toward data localization laws in 
other countries. And so, would you explain why the current 
environment has motivated some countries to try to balkanize 
the internet in this way, with respect to the data 
localization?
    Mr. Bitkower. Yes, thank you very much. So one of the 
concerns we have seen with regard to the new world of cloud 
computing and international data storage is that countries make 
requests that may be legitimate under their own laws for data 
that happens to be stored in another country, perhaps in the 
United States. If they cannot get those requests fulfilled in 
an efficient manner under their own law, then there is an 
incentive for them to mandate that that data be stored in their 
own country, so they do not have to go through these cumbersome 
processes, whether it is with U.S. or another country.
    So one of the goals of the framework we are discussing 
today is to try to eliminate those incentives, but in a very 
carefully targeted way that protects privacy and civil 
liberties, and only for countries with an established rule of 
law system.
    Ms. Jackson Lee. Would you say that legitimate major 
companies, many of them creating genius through intellectual 
property, created here in the United States, become the tennis 
ball, the batting ball, and they become batted from one place 
to another? I hesitate to say that they are victims, but in 
essence, are they batted from one place to the next under the 
present structure that we now have?
    Mr. Goodlatte. The time of the gentlewoman has expired, but 
the witness will be permitted to answer the question.
    Mr. Bitkower. Thank you. So yes, in particular, the 
requests by foreign countries for data stored within the United 
States, that is correct.
    Ms. Jackson Lee. And so we need a fix.
    Mr. Goodlatte. The gentlewoman's time has expired.
    Ms. Jackson Lee. I yield back, thank you, Mr. Chairman.
    Mr. Goodlatte. The Chair recognizes the gentleman from 
Colorado, Mr. Buck, for 5 minutes.
    Mr. Buck. Thank you, Mr. Chairman. Mr. Bitkower, I assume 
that as a United States citizen, you would agree with me that I 
am afforded certain protections by our Constitution and laws.
    Mr. Bitkower. That is correct, sir.
    Mr. Buck. And that an individual in Ireland would be also 
afforded certain protections by their laws?
    Mr. Bitkower. Yes sir.
    Mr. Buck. And we have a treaty between the United States 
and the United Kingdom that recognizes those protections, and 
both countries agreed to.
    Mr. Bitkower. Both the United Kingdom and with Ireland, yes 
sir. Separate treaties.
    Mr. Buck. Excuse me. And when the Department of Justice 
goes around that treaty, you have made a decision that--and I 
assume it is fair to say that you went around the treaty by 
getting information in the Microsoft case outside of the 
processes created by that treaty.
    Mr. Bitkower. So I would actually disagree with that, sir. 
The treaty between the United States and Ireland, first of 
all--let me back up. At the time the request was made in the 
Microsoft case, the Department of Justice had no knowledge that 
the data was stored in Ireland. Typically we would not be aware 
of that information unless we were told by the provider after 
it happens.
    Mr. Buck. Did you withdraw your request when you learned 
that the information was stored in Ireland?
    Mr. Bitkower. So that brings me to the second point, sir, 
which is that many mutual legal systems treaties do not require 
that they are the exclusive mechanism for getting data from one 
country to another. They are one option.
    Mr. Buck. Well, is there a just kidding clause in that 
treaty? Is there something in the treaty that says, ``Well you 
do not really have to follow the treaty? You can do anything 
you want, this is just one way of getting information.''
    Mr. Bitkower. Well, so in essence, sir, the treaty does 
state as one way of getting information necessary. It is not 
the only way of getting information.
    Mr. Buck. And so, does the Department of Justice recognize 
the situation you have put American corporations in across the 
world when you go around treaties and use a completely separate 
process? Why would any country want to do business with an 
American corporation if America has access to that information 
all across the world?
    Mr. Bitkower. So again sir, I have to emphasize that we do 
not go around treaties if those treaties do not require that 
they have the present mechanism.
    Mr. Buck. You said you used a different process to get 
information.
    Mr. Bitkower. That is correct. That is correct.
    Mr. Buck. Now that is not going around the treaty?
    Mr. Bitkower. It is not, sir. The treaty does not require 
that it be the exclusive mechanism for the transfer of data.
    Mr. Buck. So answer my question. Do you recognize the 
situation you have put American corporations in across the 
world?
    Mr. Bitkower. So if our actions did create a true conflict 
of laws, we would recognize that as a serious problem, yes sir.
    Mr. Buck. I did not ask about conflict of law. We are 
trying to do business with other countries. And if the 
Department of Justice has a way of going around a treaty and 
getting information from an American corporation for an Irish 
citizen on an Irish server, why would any country want to do 
business or any citizens of any country want to do business 
with American corporations?
    Mr. Bitkower. So again sir, I need to specify. The 
discussion in terms of the Microsoft case did not necessarily 
involve an Irish citizen or a person in Ireland. It is data 
that happens to be stored in Ireland. It could belong to--as 
far as the record is clear, a citizen of any country, including 
an American citizen. That is said, the only fact we know about 
it from the record of that case is that the company has chosen 
to store that information in Ireland.
    If, for example, it belongs to an American citizen, or a 
citizen committing a crime who is located in America, I think 
we would all agree that the United States has legitimate 
interest in obtaining that information as expeditiously as 
possible so long as it follows----
    Mr. Buck. Are you going to answer my question? Why would an 
American company--why would anybody want to do business with an 
American company overseas if the United States has access to 
any information it so chooses by going around a treaty?
    Mr. Bitkower. So again, sir, if there is a conflict of 
laws, we would take that seriously. And if that is brought to 
our attention, we absolutely will do everything we can to avoid 
a----
    Mr. Buck. I am not talking about the laws, though. I am 
talking about the competitive disadvantage you are placing 
American companies in.
    Mr. Bitkower. So my understanding is of what we have heard 
from companies is certainly the competitive disadvantage, if 
any, comes from the fact that they are placed in conflicting 
legal obligations. That is one country tells them to do one 
thing, another tells them to do another. If that comes to our 
attention, we take it seriously, and American law already also 
takes that seriously.
    The situation we are talking about now is, however, where 
data may be stored in a country with no connection to that 
country other than the fact that it is chosen to be stored 
there. It could be the information of vital importance to the 
United States, and information with very little connection to 
Ireland. And in that case, we just need to have a mechanism to 
make sure we can get that data to the United States to protect 
American citizens.
    If it turns out there is a conflict of law at any point, if 
that is brought to our attention by the company or by the 
country itself, then obviously we would have further work to do 
and further discussions to be had. I want to clarify, that has 
not happened in the Microsoft case.
    Mr. Buck. If Microsoft is put in a position where--or any 
American company--and frankly what is most bothersome to me is 
Microsoft has the resources to battle with the Department of 
Justice. A startup company, a company with 10, 12 employees in 
a similar situation would just cave. The coercive effect of the 
government would be placed on a company like that, and they 
could not--they do not have the resources to fight the 
Department of Justice. But in this situation, a foreign citizen 
would not want to do business with a U.S. company if that U.S. 
company is forced by the U.S. Government to turn over 
information that is located in that foreign country. And I am 
concerned about that.
    Mr. Bitkower. So again sir, that is the very purpose of the 
U.S.-U.K. framework that we are trying to explore now, is to 
find the ways of eliminating those conflicts of laws, prevent 
any competitive disadvantage to our companies, but do it in a 
careful way that allows the different investigations to take 
place, both on our behalf and on behalf of foreign governments 
in a way that it respects privacy.
    Mr. Buck. I yield back, thank you, Mr. Chairman.
    Mr. Goodlatte. The gentlewoman from California, Ms. Chu, is 
recognized for 5 minutes.
    Ms. Chu. Mr. Bitkower, the process to exchange data under 
the MLAT process has been criticized as being slow and 
cumbersome, with requests taking average 10 months to fulfill. 
You argue that the MLAT is also unreliable, given that our 
country does not have MLATs with about half of the countries in 
the world. And some countries exclude certain categories, or do 
not cooperate at all. Is this occurring because they believe 
the MLAT process is too slow, or do they not believe in this 
process at all?
    Mr. Bitkower. So again, the MLAT process faces a variety of 
challenges. You have identified some of them. That is, even if 
we have a fully functioning MLAT relationship with another 
country, it will take many months at best to get that 
information. And as you point out, we may never get it at all, 
and that is even when we have a treaty, and as you point out 
again, for about half the world, we do not even have such a 
treaty, so in those cases, the requirement to rely exclusively 
on MLAT channels would end investigations.
    Ms. Chu. Well, you have referred to the proposed deal 
between the U.S. and the U.K., and providers under this deal 
could disclose data directly to the U.K. for serious criminal 
and national security investigations when the U.K. obtains 
authorization to access the data under its own legal system. 
While the courts may have provisions to protect individuals' 
privacy rights, other countries may not. If we use the U.K. 
agreement as a model, what steps will the Department of Justice 
take to ensure that there are sufficient protections for 
privacy and civil liberties moving forward?
    Mr. Bitkower. Thank you Congresswoman. So that is an area 
where we would hope to work very closely with Congress in 
setting up exactly what those adequate baselines are for 
protecting privacy and for protecting civil liberties, and we 
want to make sure that any country we choose to negotiate an 
agreement with fits into that category based on its own legal 
framework. It does not require that it exactly mirror the 
American framework certainly, and if it did require it, then no 
country would quality, but it does require that the country 
have those adequate protections.
    Ms. Chu. And what kind of enforcement mechanisms could you 
put in place to ensure that that they would comply with, with 
privacy terms as well as other terms of the bilateral 
agreement?
    Mr. Bitkower. So again, we are obviously at the early 
stages of discussing what these agreements would look like and 
what the legislation would look like. We would certainly 
anticipate that there would have to be a mechanism to provide 
oversight of the agreement to make sure that it is being 
applied correctly.
    Ms. Chu. And if the bilateral agreement approach is taken 
by the U.S., how do we determine whether or not a country is an 
appropriate partner? For example, how many of the witnesses 
have discussed about a country's policy on human rights. How do 
we evaluate that consideration and whether the country meets 
that requirement?
    Mr. Bitkower. So that would be a topic for close and 
ongoing conversation, I think, between us and Congress 
certainly. There are a number of factors we would look at. We 
would look at the system as a whole certainly, but with 
particular regard to its surveillance laws. We would want to 
make sure that there is a rule of law framework in place and 
appropriate procedural and substantive protections for privacy 
and civil liberties.
    And these are areas of course, it is easier in cases like 
the U.K. where it is a longtime ally with a long democratic 
tradition with whom we have actually had a very long MLAT 
relationship as well. So we have a certain knowledge and 
visibility about how their system works, and I think that would 
be helpful in the process.
    Ms. Chu. And with a country that is not as clear as the 
U.K., what would you do?
    Mr. Bitkower. So a country that is not as clear as the U.K. 
might not qualify at the end of the day, and that is just a 
fact. So we would have to make sure that the country, whatever 
its laws are, that we get good visibility into what those laws 
are. Not just what the laws are on the books, but how they are 
applied in practice, and to make sure there are those 
appropriate protections in place before we would consider such 
an agreement.
    Ms. Chu. Okay. Thank you. I yield back.
    Mr. Goodlatte. The Chair recognizes the gentleman from 
Rhode Island, Mr. Cicilline, for 5 minutes.
    Mr. Cicilline. Thank you Mr. Chairman. Thank you, Mr. 
Bitkower. I want to just pick up on something you just said. 
You said in your testimony that the MLAT is not the only way of 
getting information. It is not the exclusive way. I just want 
to challenge you on that for a moment. It is in fact the 
agreement by which we set out a procedure for the sharing of 
information. That is the purpose of the treaty.
    Mr. Bitkower. So all MLATs are different, and some of them 
have different provisions, but MLATs are generally one method 
of exchanging information. They are not typically the exclusive 
mechanism.
    Mr. Cicilline. But I mean, is not the purpose of the treaty 
so that both parties to a treaty have an understanding about a 
process that will be followed for a particular activity? And 
that is the whole purpose of it, otherwise what would be the 
purpose of having an MLAT if it were not in fact the 
expectation of both parties that this process be followed in 
the sharing of information?
    Mr. Bitkower. Well, so again, sir, every treaty is 
different. Typically the treaties make sure that a process is 
available to be followed in the case of a need in the 
requesting country.
    Mr. Cicilline. And with respect to the negotiations with 
the United Kingdom, what is the exact status of that 
negotiation, and what action will be required by Congress 
according to you, if any, if that agreement is successfully 
concluded?
    Mr. Bitkower. So, thank you, sir. The negotiations began, I 
think as you know, fairly recently, where we received formal 
authority to begin those negotiations within the last month or 
so. We have been hard at work in seeing what an agreement would 
look like, but we absolutely recognize that action by Congress 
would be necessary to make this project feasible in the first 
instance, both to lower in a targeted fashion the legislative 
bars that are present in our own law, and also to set up the 
framework to determine which countries would be eligible to 
join such an agreement.
    Mr. Cicilline. And so, to use this example again of British 
law. As you know, British law is not always compatible with 
U.S. law, particularly in the areas of due process and probable 
cause determinations. And if you think about the requirements 
we have in this country in terms of judicial review, a concept 
which is not omnipresent in the British system, how do you 
square some of those standards and practices? And that is a 
country that I think most people would agree might have more 
compatibility than many other countries. How do you make those 
determinations so that we can be certain those very deeply held 
values are reflected in this process?
    Mr. Bitkower. So I think that is the key question, and it 
is one that we will be grappling as we go forward. I think it 
is important on the one hand that we do not require that the 
other countries' legal processes exactly mirror our own, or 
else no country would ever qualify of course. We have some of 
the highest privacy protections in the world, and we are proud 
of those, and justifiably so, and we want to make sure that 
other countries have substantial protections and legitimate 
protections, but we cannot demand that they have the exact same 
legal standards for every sort of process along the way. Some 
of them have lower standards in one area and higher standards 
in another, and they have their own checks and balances within 
their own system.
    So the U.K. is a country with which we have a great 
familiarity. As I said before, a very long democratic 
tradition, a tradition of rule of law. We are comfortable with 
understanding how their system works. As I mentioned earlier, 
they have also introduced a new investigative powers bill which 
would introduce further reforms. So we will have to keep 
looking at that as it goes forward. We will make any evaluation 
at the time when the legislation is prepared.
    Mr. Cicilline. But Mr. Bitkower, I think it is very clear 
that most of us on the Committee recognize that there is an 
important role for Congress to play in this. And if you have 
already answered this, I apologize, but it seems particularly 
disturbing that in light of the complicated nature of this and 
the important role of Congress should be playing that many of 
us learned about this from reading it in a news account. And I 
am just wondering, what was the reason that you would not have 
engaged Congress more as you developed or thought about the 
development of framework, so that we might have some alignment 
of what ultimately Congress might intend to do in this area?
    Mr. Bitkower. So again sir, I want to make clear that we 
only very recently began negotiations with the U.K., and only 
very recently, in fact, we received permission to do so through 
the intergovernmental process. So we tried to notify this 
Committee as soon as we possible could once those negotiations 
started. It was approximately the same exact week, I believe, 
that the Washington Post article came out.
    We have tried to make ourselves available to brief this 
Committee and others. We expect to continue to do so, and there 
is no question that we fully respect the essential role that 
Congress has to play in these agreements.
    Mr. Cicilline. Thank you. I yield back.
    Mr. Goodlatte. The Chair thanks the gentleman. The 
gentleman from California, Mr. Peters, is recognized for 5 
minutes.
    Mr. Peters. Thank you, Mr. Chairman. I want to thank you, 
sir, for your patience and for hanging in there. I think you 
have answered the questions very clearly. As I understand it, 
you are following the law as was passed in 1986 and interpreted 
by the courts. I am not sure what else we would ask you to do. 
You have been admonished or exhorted by a number of Members of 
Congress, that Congress should act.
    I am not sure what you are supposed to do about that 
either. These are all Members of Congress, maybe they are 
responsible for amending the laws if we see a need to do so, 
but I appreciate how you have illuminated the issues. But it 
was a little bit Alice in Wonderland-y to hear them lecturing 
you about why Congress should take some action, because they 
are Congress Members.
    But I would say your testimony spells out pretty long 
detail of some concerns about the LEADS Act. I apologize, I do 
not have the testimony that you refer--cross reference about 
the ECPA amendments that are proposed, but maybe you could just 
take a few minutes to sort of outline what your main issues 
are. And then I would like to know kind of how you think it 
would be most constructive given the discussion we have had 
about the negotiations with Britain, that this Committee might 
engage you in talking through some of those issues so that we 
could actually update the law to reflect not both privacy 
concerns--both privacy concerns as they are 30 years on, but 
also security concerns.
    Mr. Bitkower. So thank you, Congressman. I will begin with 
the ECPA related proposals, and I am concerning to make sure 
you get a copy of the testimony we submitted in connection with 
that hearing. But as we have said in that testimony and 
elsewhere, the Department absolutely recognizes that some of 
the provisions of ECPA have not kept pace with the way 
technology is used today, and the way people think of their 
emails.
    And we are certainly open to a change that would require a 
warrant when criminal law enforcement authorities seek to 
compel the content of emails, whether they are older than 180 
degrees, newer than 180 degrees, whether they have been opened, 
whether they have not been opened. We are certainly open to 
that change. We do have a concern that any change in law create 
an accommodation for certain very limited civil investigative 
functions where a warrant is simply not available, because they 
are not criminal investigators.
    Mr. Peters. That would be something of the SEC for 
instance.
    Mr. Bitkower. The SEC, I am talking about important civil 
rights investigations, anti-trust investigations. Things that 
affect important rights for Americans every day. We have a 
number of other concerns with the Email Privacy Act, which we 
are happy to provide further information on, but we do have 
some concerns.
    For example, in the area where it permits us to obtain 
records from a corporation, where a corporation provides email 
to its employees, there needs to be a mechanism and a 
functional mechanism where you can get those emails. 
Traditionally we do those investigations by subpoena, because 
traditionally the employees do not have privacy rights in those 
emails, and we want to make sure that provision works well. And 
there were a couple of other areas where the bill gives us some 
concerns. But we are happy to work with this Committee and 
others in making those understood.
    Mr. Peters. Have you been in conversation with Committee 
staff about these issues?
    Mr. Bitkower. We certainly have, sir.
    Mr. Peters. Okay. Well I appreciate that. And I thank you 
again for your time. I am looking forward to the second panel. 
And I yield back.
    Mr. Bitkower. Thank you.
    Mr. Goodlatte. I thank the gentleman. Mr. Bitkower, we very 
much appreciate your testimony here this morning, and we can 
excuse you at this time, and we will go to our second panel.
    Mr. Bitkower. Thank you very much.
    Mr. Goodlatte. We now welcome our second panel of 
distinguished witnesses today, and if you would all please rise 
up, I will begin by swearing you in. Please raise your right 
hand. Do you and each of you swear that the testimony that you 
are about to give shall be the truth, the whole truth and 
nothing but the truth, so help you God? Thank you very much.
    Let us let the record reflect that all of the witnesses 
have responded in the affirmative. And we will begin our 
introductions by recognizing the gentlewoman from Washington 
for the purpose of introducing Mr. Smith.
    Ms. DelBene. Thank you Mr. Chair. It is my pleasure to 
welcome Brad Smith as a witness today. Brad serves as the 
president and chief legal officer at Microsoft, and had joined 
Microsoft in 1993 and became general counsel in 2002 and then 
was made president and chief legal officer just last summer. He 
is responsible for the company's corporate external and legal 
affairs, and he is a graduate of Princeton University and the 
Columbia University School of Law. And it is great to have 
someone here from Washington State and we just want to welcome 
you and thank you for being here. I yield back.
    Mr. Goodlatte. Welcome. Our next witness is the Honorable 
Michael Chertoff. He is the executive chairman and co-founder 
of the Chertoff Group. From 2005 to 2009, Mr. Chertoff served 
as Secretary of the Department of Homeland Security. Federal 
judge of the U.S. Court of Appeals for the Third Circuit and 
Assistant Attorney General of the Department of Justice, 
Criminal Division. Mr. Chertoff is a graduate of Harvard 
College and Harvard Law School.
    Our next witness, the Honorable David Kris, began his 
career with the U.S. Department of Justice serving as an 
attorney in the criminal division and then as Associate Deputy 
Attorney General. He went on to be deputy general counsel and 
chief ethics and compliance officer at Time Warner, 
Incorporated, as well as an adjunct professor of law at 
Georgetown University and a non-resident senior fellow at the 
Brookings Institution. Mr. Kris currently teaches national 
security law at the University of Washington Law School, and he 
is a graduate of Haverford College and Harvard Law School. 
Harvard Law School is well represented here.
    Our final witness is Ms. Jennifer Daskal. Ms. Daskal is an 
associate professor of law at American University, Washington 
College of Law where she teaches and writes in the fields of 
criminal law, national security law and constitutional law. 
From 2009 to 2011, Ms. Daskal was counsel to the Assistant 
Attorney General for National Security at the Department of 
Justice and among other things, served as the Secretary of 
Defense and Attorney General-led Detention Policy Task Force. 
Prior to joining the Department of Justice, she was the senior 
counter-terrorism counsel at Human Rights Watch and worked as a 
staff attorney for the Public Defender's Service for the 
District of Columbia. She earned a bachelor's degree from Brown 
University, a master's degree from Cambridge University and not 
surprisingly, a J.D. from Harvard Law School.
    We welcome all of you. Your written statements will be 
entered into the record in their entirety and I ask that each 
of you summarize your testimony in 5 minutes or less. To help 
you stay within that time, there is a timing light at the 
table. When the light switches from green to yellow, you have 1 
minute to conclude your testimony. When the light turns red, 
that is it. You are done.
    Mr. Smith, welcome. We are pleased to have you here, and 
you may begin the testimony.

  TESTIMONY OF BRAD SMITH, PRESIDENT AND CHIEF LEGAL OFFICER, 
                     MICROSOFT CORPORATION

    Mr. Smith. Chairman Goodlatte, Ranking Member Conyers, 
Members of the Committee, it is my pleasure to represent 
Microsoft this morning. Today's hearing provides an important 
opportunity to address a critical issue--the growing conflict 
between countries and among laws that are affecting not only 
technology, but people's safety and privacy. I think the 
ramifications of this issue are really illustrated by two real-
world examples.
    The first is a case involving Microsoft a year ago in 
Paris. The day after the horrific terrorist attack on Charlie 
Hebdo, the French police using international legal process 
worked with the FBI and served on Microsoft lawful requests 
seeking the emails of the two terrorists that were at large in 
the streets of France. Because the French used international 
legal process, we at Microsoft were able to examine the orders, 
determine they were valid, pull the email and provide them to 
the FBI and the French all in exactly 45 minutes. That was a 
day when the system worked. But unfortunately, that has become 
the exception, not the norm. The norm is illustrated by the 
second example. A case involving Microsoft in Brazil; there, 
the Brazilian police have in pursuit of a local suspect served 
a local order requiring Microsoft to turn over content that is 
not in Brazil, but is in the United States. And because U.S. 
law prohibits us from turning over some of this content, 
Microsoft has had to refuse. The Brazilians have not turned to 
international process. They have not obtained the information 
they need, but they have fined Microsoft, and they are pursuing 
a criminal prosecution of one of our executives in Brazil for 
the sole reason that we are comply with United States law.
    And unfortunately, that kind of case is spreading. It is 
spreading because other governments, including the United 
States government is using unilateral legal process rather than 
international legal process to obtain data around the world. 
Now, we appreciate that law enforcement needs information, 
sometimes located in other countries to do its job, but this 
approach to using unilateral process is causing concern around 
the world. It is causing concern in other countries about 
people's privacy rights. It is causing concern about whether 
other countries can even trust and use American products and 
technology. It is causing concern that is leading other 
countries to enact new laws to block the very steps that our 
government typically takes through unilateral search warrants.
    Now, the good news is there are solutions at hand. There is 
a solution in the form of Federal legislation modeled on 
something like the LEADS Act. There is a solution in the form 
of modernization of the mutual legal assistance treaties. There 
is a solution in the form of new international agreements that 
are designed and built for the 21st century. Like the one that 
is now being considered between the U.S. and the U.K. All of 
this will require action across the executive branch, but it 
requires action by Congress as well because all of these 
problems have a root cause. Our law is old and has become 
outdated.
    When Congress passed the Electronic Communications Privacy 
Act, when the House passed that bill by voice vote on June the 
23rd, 1986, Ronald Reagan was president, Tip O'Neill was 
speaker, and Mark Zuckerberg was 2 years old. In the 30 years 
that have followed, 125 million new Americans have been born. 
Technology has moved ahead by leaps and bounds, but at least in 
this field, the law has mostly stood still. I have here on one 
hand, and IBM computer that was first sold in 1986, and I have 
here on the other hand, a Microsoft Surface that is for sale 
today. The computer that is for sale today not only connects to 
all of the world's information on the internet, it has 355,000 
times as much storage capacity as the floppy diskette that one 
had to use in this computer that was sold when ECPA was passed. 
These two computers make the story clear. Technology has moved 
forward. Now, the law needs to catch up. Thank you very much.
    [The prepared statement of Mr. Smith follows:]
    
    
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
    
    
    
                               __________
                               
    Mr. Goodlatte. Thank you, Mr. Smith. Mr. Chertoff, welcome.

  TESTIMONY OF THE HONORABLE MICHAEL CHERTOFF, CO-FOUNDER AND 
             EXECUTIVE CHAIRMAN, THE CHERTOFF GROUP

    Mr. Chertoff. Mr. Chairman, it is good to be back. I am 
looking at that IBM computer. It looks like what I have at home 
still. I obviously would like to indicate that I am speaking 
here in a personal capacity, although my firm does do work with 
Microsoft and other tech companies in this area, and as I also 
previously disclosed, I am of counsel with Covington and 
Burling, which is actually involved in representing Microsoft 
in this litigation. But whatever I am saying here really 
reflects my own views and no one else should be held 
accountable for them.
    I think it is really important that this Committee have 
this hearing, and that Congress get involved in legislating in 
this area. The issues that surround the intersection between 
modern technology and the law are frankly quite complicated. 
They are quite technical, and even having been a Federal judge, 
I have to say I am not sure the Federal courts in the first 
instance are the right place to resolve all of the competing 
issues in technical dimensions of these kinds of questions. 
Now, here, we are dealing with one aspect of this, which is as 
Brad Smith pointed out kind of dramatically--the amount of data 
now which is--moves around the world and is held in this so 
called cloud dwarfs what was being confronted when ECPA was 
passed. And contrary to what maybe some people think, obviously 
when the data is in the cloud, it is not really in the cloud. 
It is living somewhere in the world in a server, and the 
ability to house it anywhere in the world and to move it around 
rapidly as possible really changes the dimensions of the 
question about where something is and who ought to have the 
jurisdiction to compel it to be turned over.
    I think we are seeing the issue of conflict of laws in 
three areas. First substantive areas where different countries 
in parts of the world have different views about what gets 
protected as private and what does not. Second, the question of 
process--different standards of process about what is required 
when a government seeks data, and finally, the problem of 
global companies that are often caught between different legal 
regimes and are damned if they do and damned if they do not.
    And so, I think we do need to take the opportunity to look 
at rationalizing the law and particularly to the extent we can, 
globalizing the law. Coming up with agreements and processes 
that allow us to synchronize the law so that companies that are 
in the business of housing data are not caught between the so-
called rock and a hard place. And I would suggest as I do in my 
statement, just a couple of points about this.
    First, I think to the extent we can have agreements or 
frameworks in a statute that lead to agreements, we ought to be 
focusing on the citizenship of the accountholder and not where 
the data happens to be located. Data location should be driven 
by engineering considerations, and not by desires to create 
legal safe havens or to find places that are legally more or 
less hospitable.
    The second thing I would say is if we are going to have 
agreements, we do need to make sure that the companies we are 
dealing with have process in place that is comparable to what 
we require with respect to our own citizens when other 
countries want to have data that is held over here. We do not 
want to create a situation where we are jeopardizing the 
constitutional rights of our Americans by simply in the pursuit 
of an agreement.
    And finally, we have to recognize there will be certain 
types of requests from other countries that will run afoul 
substantive issues and so, we are going to have to create a 
regime--a legal regime in place through any agreement and 
through any statute that respects that. Finally, there has been 
a lot of discussion about the MLAT process and I think, you 
know, Brad Smith was very clear in indicating this process can 
work if we want it to work. Often, frankly, I can speak from my 
own experience, honoring MLAT requests goes to the bottom of 
the pile of overworked assistant U.S. attorneys, but with 
modern technology and if the government views these as high 
priority cases, we can move to the kind of process that gives 
you the results that occurred in the Paris case. And which I 
think would encourage both our country and other countries to 
use the international treaty process rather than unilateral 
action as a way to get information that is stored in other 
parts of the world.
    So, thank you, Mr. Chairman, and I look forward to 
answering questions.
    [The prepared statement of Mr. Chertoff follows:]
    
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
    
  
    
                               __________
                               
    Mr. Goodlatte. Thank you, Mr. Chertoiff. Mr. Kris, welcome.

  TESTIMONY OF THE HONORABLE DAVID S. KRIS, FORMER ASSISTANT 
     ATTORNEY GENERAL FOR NATIONAL SECURITY, UNITED STATES 
                     DEPARTMENT OF JUSTICE

    Mr. Kris. Thank you, Mr. Chairman, Mr. Ranking Member, and 
Members of the Committee for inviting me to testify. I, too, am 
speaking only in my personal capacity. There is obviously a 
range of opinion represented on the Committee today, but I 
think there is also an unusual degree of consensus, which I 
have heard during the course of this morning's proceedings on 
at least three important points. First, there is a problem.
    We have a situation where there are international conflicts 
of laws in which one government's laws can compel the 
production of data, while simultaneously, another government's 
laws will prohibit it. This is very vexing for the holders of 
data, like Microsoft, who understandably wish to comply with 
all of the laws and rules to which they are subject. Second, 
this problem is not unprecedented, but it is getting worse over 
time. I think that is true for three technical reasons and 
three political reasons which I will outline quickly.
    Technically, the size and scope of international data 
networks, the degree of international data storage in the cloud 
and the use of encryption are all on the rise in previous--in 
recent years. Politically, the Snowden disclosures, I think, 
have caused the U.S. Government to decrease the scope and 
increase the transparency of its surveillance. That is 
particularly true in the foreign intelligence realm, but there 
is a good deal of overlap with law enforcement.
    On the other hand, in Europe, the rise of ISIL and some of 
the technical factors that I have mentioned, I think have 
caused European governments to go the other way to expand their 
surveillance authorities and to put a lot of pressure on 
providers. And third, the providers for their part are a little 
bit caught in the middle of that. And they have reacted, 
understandably, again, I think in two ways. By reducing the 
degree of cooperation, one, with respect to voluntary 
production of data rather than compelled production of data, 
and then, also at the margins in resisting certain compulsions.
    I want to be clear this is not in any way some kind of 
wholesale civil disobedience and it is again perfectly 
understandable given their fiduciary duties. Even if, in any 
given instance, one might argue that it either does not go far 
enough or goes too far. Given that problem and the nature of 
the problem, I think there has been consensus third that some 
kind of international solution is in order to address it. You 
have heard today about the MLAT process, and one of the 
solutions that has been discussed is some kind of fairly 
drastic increase in the resources available for processing 
MLATs. If the current time to process is 10 months and the 
equation scales linearly and I am not sure it does--if you 
wanted to reduce the time down to 1 day, you would be scaling 
up by a factor of 300. Again, I am not sure, it scales in a 
linear fashion. There are some structural limits in MLAT.
    And the other means of addressing the problem we have 
talked about today involve direct access by foreign 
governments. In some carefully delineated class or sub-class of 
cases, I understand the executive branch is currently working 
with the U.K. on a bilateral agreement. Perhaps it would be 
limited to non-U.S. persons located abroad by analogy to the 
FISA Amendments Act. Perhaps to certain kinds of crimes; 
perhaps to certain kinds of directives on certain predicate 
showings made by certain officials in the U.K. You can imagine 
lots of limits here. And then, of course, Congress will need to 
evaluate whether those limits are appropriate and only then 
make the necessary amendments to the Stored Communications Act 
to allow that agreement to be effectuated.
    So, there is definitely a profound role for Congress in 
this area regardless of these executive agreement. Finally, I 
want to mention, but I do not know as we can discuss fully in 
this setting, a couple of foreign intelligence surveillance 
concerns that I outlined in my testimony. I urge you to have a 
conversation with the executive branch about the two gaps in 
FISA that I have set forth. I would love to be wrong about 
those, but I think it is something that is worth your exploring 
in an appropriate setting with the executive branch. Thank you 
very much.
    [The prepared statement of Mr. Kris follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
   
                               __________
                               
    Mr. Goodlatte. Thank you, Mr. Kris. Ms. Daskal, welcome.

TESTIMONY OF MS. JENNIFER DASKAL, ASSISTANT PROFESSOR, AMERICAN 
              UNIVERSITY WASHINGTON COLLEGE OF LAW

    Ms. Daskal. Thank you, Mr. Chairman, Mr. Ranking Member, 
and Members of the Committee. Thank you for inviting me here 
today. I want to spend my time talking about three things. The 
problem, why Congress is needed, and specifically, what 
Congress should do. So, as has already been discussed pretty 
extensively, the Stored Communications Act operates as a 
blocking statute. It prohibits U.S. space providers from 
disclosing certain data, including emails to anyone other than 
the U.S. Government pursuant to a warrant.
    Now, let us consider U.S. investigation of a London murder. 
Imagine that the U.K. officials seek the emails of the alleged 
perpetrator to help establish motive. If the alleged 
perpetrator uses a U.K.-based provider, the officials could 
likely get access to the date within days, if not sooner. If 
instead, the data is held by an American-based provider, the 
Brits will be told that they need to go through the mutual 
legal assistance process and initiate a diplomatic request. 
This is, as we have already heard, a notoriously inefficient 
process taking an average of 10 months, and foreign governments 
are frustrated, understandably, by the state of affairs, and 
they are responding in a number of concerning ways, including 
the mandating of data localization which undercuts the growth 
potential of the internet, increases the cost to American 
businesses and facilitates domestic surveillance; unilateral 
assertions of extra territorial jurisdiction which put American 
companies in the crosshairs of two competing legal obligations 
with a foreign government demanding the compulsion of data and 
U.S. law prohibiting it; and the use of malware and other less 
accountable forms of accessing the sort after data, which 
undercut the privacy and security of all.
    Now, in response to this, as we have heard, the U.S. and 
U.K. have been negotiating an agreement that would allow the 
Brits, in certain circumstances, to make direct requests to 
U.S. companies for stored communications. Such an agreement is 
needed. If done right, it is an important step forward, which 
then brings me to my second point, the need for Congress. As we 
have already heard, none of this can be implemented without 
congressional authorization.
    So, what should Congress do? Congress should amend the 
Stored Communications Act. It should authorize the executive to 
enter into bilateral and multilateral agreements that would 
allow, in specified cases, foreign governments to directly 
request stored content from U.S. providers. In doing so, 
Congress should also set the key parameters of such agreements, 
ensuring, among other things, that the partner country meets 
basic human rights standards; that the particular requests 
satisfy a baseline set of procedural requirements; and, that 
the system is subject to meaningful transparency and 
accountability mechanisms. These parameters are essential and 
they are justified for at least two reasons.
    First, even as I think as envisioned by these agreements, 
the target of the request is a foreign national, it is likely, 
in fact, almost certain that at some point, some time, such 
requests will lead to the incidental collection of U.S. citizen 
data. And second, whereas, the United States is often in the 
position of exhorting other countries to improve their human 
rights standards and protect free expression, this is one of 
those rare opportunities to couple such exhortations with a 
carrot, that of expedited access to U.S. data. And in so doing, 
help set the system of a global system of cross border access 
to data.
    Now, in making these recommendations for Congress to 
engage, I am not alone. For the past 6 months, I have been 
working with a cross-section of civil liberties groups, 
companies and academics all focused on the need to reform the 
system governing law enforcement access to data across borders. 
My recommendations draw heavily on the conversations with this 
group. Although, I speak solely in my personal capacity and not 
on behalf of anybody else.
    To sum up, the system for responding to law enforcement 
requests for data is broken. The time to fix it is now. 
Congress has an opportunity, and in my view, a responsibility 
to help build a system for the future. One that simultaneously 
safeguards privacy, protects American businesses and promotes 
the growth of an open and secure internet. Thanks.
    [The prepared statement of Ms. Daskal follows:]
    
  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
    
    
    
                               __________
                               
    Mr. Goodlatte. Thank you very much, Ms. Daskal. We will now 
begin a round of questioning and I will recognize myself. Mr. 
Smith, let me follow-up on what Ms. Daskal just said, because 
that seems to get right to the crux of what has held up here in 
this process. So Microsoft supports international agreements 
that will address and overcome conflicts of law, but these 
agreements are likely going to allow foreign countries to 
acquire data held by U.S. companies on a standard less than 
probable cause. Do you support this, and if so, why?
    Mr. Smith. Well, first of all, I would like to agree with 
the testimony that you just heard. I think we do need 
legislation. We do need international agreements, but I also 
believe that any international agreements that are negotiated 
should absolutely ensure that the rights of Americans are 
protected by U.S. law and the Constitution, including the 
probable cause requirement.
    Mr. Goodlatte. How does allowing foreign countries to 
obtain data from U.S. companies on a less than probable cause 
standard square with the call for a uniform probable cause 
standard for requests by the U.S. Government?
    Mr. Smith. Well, if the question is to me, I think the 
answer is two-fold. First, there will be benefit over time if 
the world can move toward a more uniform standard. But I think 
between now and then, the most important thing is that people 
have the protection of their own rights by their own law. I 
think that is fundamentally what most people in most countries 
want, and I think that is what Americans want for their own 
rights as well.
    Mr. Goodlatte. Ms. Daskal, do you want to respond to that?
    Ms. Daskal. I fully agree.
    Mr. Goodlatte. Okay, well, so I am not quite sure I 
understand. If they are protected under their own laws, but 
their own laws do not have the same high standard of 
protection, and they are coming to the U.S., how are we going 
to have the carrot that you just referred to in your testimony 
to incentivize countries to provide greater protections?
    Ms. Daskal. Sure, so that the suggestion that I was making 
is that when Congress authorizes these agreements, that it 
specify certain requirements that the country must meet, both 
at the country level and at making specific requests for that--
--
    Mr. Goodlatte. Would those be the standards contained in 
U.S. law?
    Ms. Daskal. So, my suggestion would be for Congress to 
write in the amendment to the Stored Communications Act an 
exception to the blocking provision that basically says, ``The 
executive has permission to enter into bilateral and 
multilateral agreements with foreign countries when the 
following conditions are met.'' And some of those conditions 
should specify minimal standards that the requests have to 
meet.
    Mr. Goodlatte. But not necessarily U.S. standards?
    Ms. Daskal. Not necessarily U.S. standards----
    Mr. Goodlatte. Okay, I got it. All right, good. Then you 
are in agreement. Should a bilateral agreement--I will direct 
this back to you, Mr. Smith--should a bilateral agreement, such 
as the one under consideration with the U.K. also ameliorate 
any conflicts of law with regards to U.S. requests for data 
held by U.S. companies in that country? Would this not resolve 
the issue currently being litigated in the Second Circuit?
    Mr. Smith. It would resolve the issue that is being 
litigated in the Second Circuit if the bilateral agreement were 
between the United States and Ireland. And I think what your 
question points to in part, is that if a model that works can 
be created between two countries, then there is an opportunity 
to replicate it elsewhere, but it will need to be replicated.
    Mr. Goodlatte. And do you see any conflict between your 
position as it relates to foreign government access to data 
stored in the U.S., and your position as it relates to U.S. 
Government access to data stored abroad?
    Mr. Smith. I believe that if you put an international 
agreement in place, that resolves any potential conflict. It 
creates the means by which two governments together, and 
respect the rule of law.
    Mr. Goodlatte. Well, I get that, but it seems to me that if 
we agree to their standard, they agree to our standard, you 
still have two different standards that are in place.
    Mr. Smith. But I think it really speaks to an important 
point. I think the American people want to have their rights 
protected by U.S. law. I was in London last week. I think the 
British people want to have their rights protected by British 
law. We need governments that have--I will just say a like-
minded approach. It does not mean that they have to agree on 
every particularity though.
    Mr. Goodlatte. Ms. Daskal, the rules established under ECPA 
govern what a U.S. provider can and cannot do with both 
communications content and non-content records. The result is 
that the ECPA procedures, including the warrant requirement 
apply to any customer of a U.S. provider regardless of that 
customer's nationality or location and regardless of where the 
data is stored. Why is this insufficient to protect the privacy 
interests of all U.S. provider customers including foreign 
customers?
    Ms. Daskal. So, I absolutely think that the answer to the 
question of the warrant's requirement for content is necessary 
and it is an important privacy protection for when the United 
States is accessing data, but that is not really the issue 
here.* The concern is not about insufficient privacy 
protections; the real concern is about this really significant 
conflict of laws which over time is going to lead to an 
increasing number of things, like increased data localization, 
increased unilateral assertions of extraterritorial 
jurisdiction, other means of getting around these restrictions. 
And so that is where the privacy concerns come in, not because 
of the warrant requirement, which is a great requirement, but 
about what other countries are doing in response and what 
happens as a result of these conflicting obligations.
---------------------------------------------------------------------------
    *Note: The witness amends her response as follows:

      So, I absolutely think that a warrant requirement for 
      content is necessary and is an important privacy protection 
      when the United States is accessing data, but that is not 
      the issue here.
    Mr. Goodlatte. Thank you. The Chair recognizes the 
gentleman from Michigan, Mr. Conyers, for his questions.
    Mr. Conyers. Thank you, Chairman. Mr. Smith, it is 
important for technology to protect both privacy and security. 
Can policy proposals being considered today do both, or do they 
pit one against the other?
    Mr. Smith. I think there are times when these two 
fundamental values, privacy and security, might be intentioned, 
but I think there are many times when creative and new laws 
that are designed for 21st century technology can move privacy 
and security forward together, and that is what we need to 
strive to do.
    Mr. Conyers. Secretary Chertoff, do you have any additional 
comments on that same question?
    Mr. Chertoff. No, I agree. I think that actually, although 
occasionally, there is tension between the two, in many 
instances, you cannot really have privacy without security, and 
the value of security without privacy is much diminished.
    Mr. Conyers. Thank you. One last comment from Mr. Smith 
from me--with respect to the Microsoft case pending in the 
Second Circuit, why has there been challenged the government's 
demand for data stored in Ireland? What is your goal, or what 
is the corporation's point in that case?
    Mr. Smith. I think fundamentally, we believe that people 
need to be able to trust the technology they use. And part of 
their ability to trust the technology they use turns on 
confidence that their rights, people's rights are going to be 
protected by their law. We store emails in data centers that 
are close to our customers. So, for example, when we have 
customers in the European Union, we store their data, their 
emails in our data center in Dublin or in Amsterdam. Our 
concern is that the U.S. Government first is using power that 
Congress never gave it. Namely, the power to go around the 
world to vacuum up emails pursuant to a U.S. search warrant.
    And second, our concern is because the U.S. is exercising 
this type of extraterritorial power on a unilateral basis, it 
is in effect saying, in this case, to the people of Ireland 
that their law does not matter; the DOJ does not even need to 
read it; it does not need to consult with the Irish Government; 
it does not need to pay any attention to the mutual legal 
assistance treaty in place between the U.S. and Ireland. All it 
has to do is turn to an American technology company and apply a 
power under U.S. law. That is not a recipe for the success of 
the U.S. technology sector, and it is not a recipe for ensuring 
people have trust in technology.
    Mr. Conyers. Thank you. For Mr. David Kris--and I might ask 
Ms. Daskal to both consider this: I think a bilateral agreement 
framework could be a useful tool in resolving some of the 
conflict of laws issues that have been discussed here today. 
But there remain concerns, for example, about how we will 
reconcile British law with our own legal customs. How will we 
make sure that privacy, due process and human rights are 
respected by our partners in these agreements?
    Mr. Kris. That is an excellent question and issue to raise. 
I am confident that Congress will have a role because even if 
the United States and Ireland or any other country reach an 
executive level agreement, for that agreement really to take 
effect, Congress will need to amend the blocking provisions, as 
Professor Daskal has referred to them, in the Stored 
Communications Act.
    And it will be, I think, up to you and incumbent on you as 
a Congress to decide which categories of cases involving what 
kind of, say, defendant, non-U.S. persons located abroad have 
been discussed, such that U.S. persons, or persons in the 
United States would not be subject to the exemption. Different 
kinds of crimes exempting political crimes from this provision, 
for example, various other limits are all possible. And 
Congress will have an opportunity to consider those, if and 
when it decides to amend the Stored Communications Act to 
permit this kind of direct access by way of executive agreement 
in some specified subset of cases that meet with your policy 
approval.
    Mr. Conyers. Ms. Daskal, would you add anything?
    Mr. Issa [presiding]. Go ahead, Mr. Ranking Member.
    Mr. Conyers. Thank you.
    Ms. Daskal. So, yes, I agree with all that and I would 
just--I think it is worth emphasizing that the agreement, as it 
was explained to us this morning, and I think as Congress 
should sort of adopt as parameters as well, would solely permit 
a foreign government to get access to non-U.S. person data and 
data of people who are not in the United States.** So, we are 
talking about the Brits being able to get data on their own 
citizens in connection with the investigation of a local crime.
---------------------------------------------------------------------------
    **Note: The witness amends her response as follows:

      So, yes, I agree with all that and I would just--I think it 
      is worth emphasizing that the agreement, as it was 
      explained to us this morning, and I think as Congress 
      should require as part of the adopted parameters, would 
      solely permit a foreign government to get access to non-
      U.S. person data and data of people who are not in the 
      United States. So, we are talking about the Brits being 
      able to get data on their own citizens in connection with 
      the investigation of a local crime.
    And Congress, I think, because we are talking about U.S. 
providers, has a role to play in setting some minimal 
standards, some minimal important procedural and substantive 
standards as to what the Brits must do in order to get access 
to that data from U.S.-based providers. But we are not talking 
about the British requesting data about American citizens, 
American permanent residents, or Americans in the United 
States.
    Mr. Conyers. Thank you all for your responses, and I thank 
you, Mr. Chairman.
    Mr. Issa. Well, thank you, Mr. Conyers. We now go to the 
distinguished gentleman from Texas, Mr. Poe.
    Mr. Poe. I want to thank the Chairman. Thank you all for 
being here. I, being a lawyer, I did not go to Harvard, but I 
went to the University of Houston, which we call Harvard on the 
bayou fondly in Texas. But, Mr. Chertoff, it is great to see 
you again. Thanks for your service to the country that you have 
done in the past.
    Mr. Smith, I am impressed by your statement. Passionate and 
you did not read it, so it is obvious that this is important to 
you. It is important to the country. This, by way of kind of 
review, ECPA, 30 years old. It would seem to me that we have 
known for a long time that ECPA law needed to be reformed. And 
30 years is long enough for Congress to finally pick a horse 
and ride it and make some choices and changes in the law to 
solve the problems that all of you have discussed; whether it 
is nationally; whether it deals with business; whether it deals 
with foreign countries; the information; do you think it is 
about time that we make a decision on reforming ECPA?
    Mr. Smith. I think that the time has come and it is perhaps 
even overdue. I think what you are really hearing from all of 
us today and you hear it from the tech sector every day, is 
that we really do need a new law, and we need Congress to write 
it.
    Mr. Poe. And it should be Congress' responsibility to set 
the standard of law rather than letting the courts make the 
determination as to what the expectation of privacy is for 
citizens, or corporations, or letting the Justice Department 
take the law as they see it and interpret it the way they see 
it. Congress needs to weigh in and make these decisions and 
make it the law of the land. I mean, that is our 
responsibility.
    Mr. Smith. Absolutely, and I think, frankly, one of the 
points that we have heard this morning that should give all of 
us the most concern is the acknowledge by the Justice 
Department that the Stored Communications Act passed in 1986 is 
silent on whether the DOJ has the authority to apply these 
search warrants worldwide. And the DOJ says, that because 
Congress was silent, the executive branch has power. Well, that 
basically amounts to an argument that Congress needs to write 
really long laws, because every time Congress neglects to 
address something, it is giving Congress--it is giving the 
executive branch some power. That is not the way the 
Constitution was written. That is not the way common sense 
works.
    Mr. Poe. There you go. I agree with that. And the Justice 
Department, they are doing what they think they can do under 
the law, and I think they are wrong, but ECPA was written to 
protect privacy of individuals. That is the purpose of the law, 
why it was written. So, Congress needs to weigh in on it, pass 
legislation that has been pending for a long time. I think we 
set the standard for the expectation of privacy. It should be 
up to us, not some judge or group of judges, and we need to 
move on with that. Set aside those comments, and tell me the 
economic impact of not making a decision, and how that is 
affecting industry.
    Mr. Smith. I think there are two ways to think about this. 
One is narrow, one is broad. They are both important. First, 
because we are seeing this emerging conflict of laws, we are 
seeing the risk of increasing fines on U.S. companies when we 
get into these conflicts. Already to date, Microsoft has been 
fined $28 million by the Brazilian authorities because of 
this----
    Mr. Poe. And that is a criminal fine. That is not a civil 
fine. That is a criminal crime.
    Mr. Smith. Right, yes. This is all connected to a criminal 
proceeding, and we are being fined simply for obeying U.S. law, 
and think about a start-up and what $28 million means. But the 
implications are really broader because I find, in countries 
like Germany and the United Kingdom, where I was last week, I 
increasingly meet people in government and elsewhere who say 
that unless this issue is resolved--they basically say, 
``Unless you win your case in New York, we are not going to be 
able to trust American technology and we are not going to be 
able to move our content to the cloud when the cloud is 
operated by a U.S. company with a data center.'' So, a lot is 
at stake for the American economy and American jobs.
    Mr. Poe. Well, I appreciate all of you being here. I do not 
have time to ask the rest of you questions. But I think you are 
exactly correct. For the problems that you have all mentioned, 
it is time for Congress, like I said, to pick a horse and ride 
it and let us pass some legislation to fix this problem. And I 
yield back.
    Mr. Issa. I thank the gentleman. We now go to the 
gentlelady from San Jose, Ms. Lofgren.
    Ms. Lofgren. Thank you. Before my questions, I would ask 
unanimous consent that we put into the record the Yale Law 
Journal article by our witness, Ms. Daskal.
    Mr. Issa. Without objection, the document will be placed in 
the record.
    Ms. Lofgren. Thank you. This has been a very interesting 
hearing and, comes at interesting time for our country, because 
the issues we face are of law, but also of technology. And I do 
not think we can talk about the legal issues without getting 
into the technology issues. And I was looking at the Trans-
Pacific Partnership Agreement. Now, some of us have issues 
about human rights in Vietnam, you know, health issues and the 
like, but in terms of encryption, it is pretty clear.
    It basically says that you cannot require a backdoor, an 
encryption, if you are a party to this agreement. It prohibits 
governments from requiring companies to either disclose their 
keys or to use specific cryptographic algorithms. And the 
Department of Justice's application and courts' subsequent 
decision to compel Apple to provide special software 
circumventing security protections would actually violate this 
international norm, that is specified in the TPP, against 
government mandates for backdoors. But also, we had several 
votes here in the House of Representatives where we had over 
two-thirds of the House vote in opposition to backdoors.
    So, I am wondering, Mr. Smith, if I could ask you, what is 
Microsoft's view of this? Do you support the position that 
Apple has taken, that the court is setting a dangerous 
precedent by forcing Apple to break its own security 
protections? Does Microsoft plan to be involved in the 
litigation that apparently is going to go on for a while? I 
know Mr. Gates said something, but he has been gone from the 
company since--for a long time. I am just wondering what the--
Microsoft's position is, if that is fair to ask?
    Mr. Smith. Yeah, we at Microsoft support Apple, and we will 
be filing an amicus brief to support Apple's position in the 
court case next week. And I believe that Apple is making an 
important point that, in fact, connects directly with the kinds 
of issues that are being considered by this hearing today.
    In the Apple case, the Justice Department has asked the 
magistrate to apply language in the All Writs Act that was 
passed by Congress, and written in 1911. The leading computing 
device of that era is right here in front of me. It is an 
adding machine that went on sale in 1912. Quite simply, we do 
not believe that courts should seek to resolve issues of 21st 
century technology with law that was written in the era of the 
adding machine. We need 21st century laws that address 21st 
century technology issues, and we need these laws to be written 
by Congress. We, therefore, agree wholeheartedly with Apple 
that the right place to bring this discussion is here, to the 
House of Representatives and the Senate, so the people who are 
elected by the people can make these decisions.
    Ms. Lofgren. Well, thank you very much, and do you have any 
other props?
    Mr. Smith. No, not props.
    Ms. Lofgren. I was surprised to see that, but----
    Mr. Smith. But believe me, it is amazing what you can buy 
on the internet.
    Ms. Lofgren. Well, I have heard that----
    Mr. Issa. Would the gentlelady yield?
    Ms. Lofgren. If I can get----
    Mr. Issa. What is the operating system on that?
    Ms. Lofgren. What is the operating system?
    Mr. Poe. It is called a hand crank.
    Ms. Lofgren. I would like to follow up because I actually 
very much believe that the encryption issue should be before 
Congress. The Judiciary Committee has started that process, but 
the Justice Department alleges that this is just one phone, and 
I was surprised to hear that when we heard the district 
attorney in New York saying he had 175 phones and then we found 
out there were a number of others where we are seeking to 
utilize the new operating system that the court has ordered 
Apple to devise. Do you think that this issue goes beyond that 
one phone?
    Mr. Smith. Well, every case is obviously about one case, 
but every case obviously has implications for lots of other 
cases. The real concern here is actually the law and the 
implications for the future. And the only way to get the law 
right for the future is for Congress to act.
    Ms. Lofgren. If I can just close, Mr. Chairman, I started 
with the TPP, the international standard, and that is important 
because encryption keeps us safe. It keeps people from breaking 
into our data systems and causing problems for us. The either 
hackers or terrorists or enemies of our country and I--the idea 
that my data would have to be opened to hackers in China 
because of specific cases is really what I think this is about, 
and I thank you very much, Mr. Smith, for answering.
    Mr. Issa. I thank the gentlelady. We now go to the 
gentleman from Pennsylvania, Mr. Marino.
    Mr. Marino. Thank you, Chairman. Secretary Chertoff, you 
mentioned a term, legal regime, in your opening. Would you 
expand on that? And do you mean legal regime, meaning 
legislation, or an expansion of MLAT, or something else, or a 
combination?
    Mr. Chertoff. I really principally meant legislation, 
because as I think we also started a discussion about 
encryption, in order to make decisions about how to structure a 
legal architecture, when you are dealing with global data, 
different forms of citizenship and evolving technology, I can 
tell you having been a judge, the courts are not equipped to 
weigh all of those things, and the unintended consequences of a 
decision are often not clear in an individual case. So, to me, 
this cries out--I know Chairman McCaul suggested a commission 
to look at the issue of encryption, but to me, this cries out 
for taking a comprehensive look at the way the technology 
actually exists in the real world, and how one can then 
reconcile the need to preserve privacy and the need to promote 
security with that technological background.
    To give you one example, you know, 100 years ago, when they 
first invented telephones and photography, initially the courts 
tried to deal with the issue of the Fourth Amendment by forcing 
the facts into those old rules about not searching someone's 
houses. So, we had the trespass cases. And finally, in some of 
the more recent cases, the court said, ``Wait a second. This is 
about expectation of privacy.'' It is not just about whether I 
physically invaded a room or wire. And I think we need to have 
that kind of technologically-informed discussion now.
    Mr. Marino. Thank you. Mr. Smith, what do you do in a 
situation when you have conflicts like you have explained, as 
far as advising your employees on how to approach these 
matters?
    Mr. Smith. Well, it is really a terrible situation that we 
are being put into. I thought Chairman Goodlatte put it well at 
the outset when he referred to it as a Hobbesian choice. 
Imagine the kind of meeting that I have had to have with a 
Brazilian employee who is being prosecuted. And imagine trying 
to talk about the fact that we cannot, in fact, take the steps 
that would bring the prosecution to an end in Brazil, because 
it would require that we commit a felony in the United States. 
This is a classic example, I think, of the fact that we need 
governments to act, and we need our own government and we need 
this Congress to act, perhaps most of all.
    Mr. Marino. Thank you. Ms. Daskal, referring back to the 
secretary's atement on legislation, do you agree with that, or 
do you see a combination of varieties of treaties and 
legislation, or just the legislation?
    Ms. Daskal. So, again, it depends on the specific issue, 
but with respect to the problem of conflicting laws, there 
absolutely needs to be legislation.
    Mr. Marino. Good.
    Ms. Daskal. Because the executive does not have the 
authority to enter into the kinds of agreements that are needed 
without Congress authorizing it and ideally setting parameters 
as what those agreements look like.
    Mr. Marino. Thank you, and Mr. Kris, would you expand a 
little bit on the two points you raised in the FISA gap?
    Mr. Kris. Sure. Again, I would love to be wrong on this. I 
mean, I do think you should have a conversation with the 
executive branch, but the jurisdiction and the reach of the 
FISA statute depend fundamentally on the definitions of 
electronic surveillance and physical search in the statute 
itself, and those are very, very complex. But I am concerned 
that given the way those definitions are written, the statute 
cannot currently be used to compel the production of data 
stored abroad; for example, the kind of situation we have in 
the Second Circuit case involving Microsoft.
    If the target of the surveillance is either a U.S. person 
located anywhere, or a person of any nationality located here, 
in either of those situations, I am concerned that the statute 
cannot be used to issue a compulsion order to a provider to 
turn over the data, and the government has to rely on a 
voluntary repatriation of the data back into this country to 
bring it within the jurisdiction of the statute.
    Mr. Marion. Thank you. I yield back.
    Mr. Issa. Gentleman yields back. With that, we go to the 
gentlelady from Texas, Ms. Sheila Jackson Lee.
    Ms. Jackson Lee. Thank you very much. I noticed in the 
course of materials that I have here that--oh, first of all, 
let me thank all the witnesses for their testimony. And I take 
note of the fact--and I want to ask Mr. Smith and Mr. Chertoff 
on this; that the issue at the European Union had been an 
outstanding issue for a period of time in terms of data and 
data protection, privacy. And just recently the U.S. data 
transfer pack was agreed to.
    Can both of you comment on what impact as we are discussing 
legislation, the LEAD Act, and where are in the having not 
acted, what that agreement does for you, even if it is sort of 
around the ring of what we are discussing? Mr. Smith first.
    Mr. Smith. Yeah, well thank you for asking that question, 
congresswoman, because it actually raises a very important 
point that we have not talked about yet today. You know, the 
recent Safe Harbor negotiation I think, you know, put a Band-
Aid on a legal system that has been in existence since the year 
2000 and, therefore, it appears the data will continue to be 
able to move across the Atlantic. But time and time again, to 
this morning you heard Mr. Bitkower talk about whether there is 
or is not a conflict of laws across the Atlantic. The key thing 
we need to think about here is that the new European Union 
General Data Protection Regulation will take effect in 2 years. 
And that regulation has an article, Article 43A, that will make 
it unlawful for a company to move data out of Europe to comply 
with a search warrant unless it is done pursuant to an 
international legal agreement or process.
    So in 2 years, a legal curtain is going to descend across 
the Atlantic. There is going to be a conflict in every one of 
these cases the Justice Department wants to pursue on a 
continent that has 508 million people living on it, unless 
action is taken to put new international agreements in place.
    Ms. Jackson Lee. And so that would be aside from a statute 
here in the United States. It would be additional international 
agreements.
    Mr. Smith. Basically what it means, I believe, is that we 
have 2 years to try to figure out how to craft an agreement, as 
we are trying to do with the United Kingdom, get legislation in 
Congress, and then determine how and whether to replicate that 
with the other countries in the European Union; so we do not 
have a day to waste.
    Ms.  Jackson Lee. Sense of urgency; Mr. Chertoff, thank you 
for your service as Homeland Security secretary. So, I am going 
to add a subset to the question is to reflect on the 
international agreements, but also reflect upon the crucial 
question of privacy and security in the backdrop of what we are 
facing now. And Microsoft case represents--even the case was a 
criminal case we have, as an ongoing looming issue, is at least 
a dialogue or the issue of Apple. But can you, from your 
perspective, speak to how we have a number of factors that are 
impacting on our decision for the legislation and our exchange 
on data?
    Mr. Chertoff. Yeah, well thank you. And again, it is a 
pleasure to appear before you again. I agree with what Mr. 
Smith said about the need to particularly work out an agreement 
with the Europeans, because they have typically been, at least 
some of the countries there, the most reluctant to cooperate in 
these areas. And yet the urgency of doing that cooperation now 
is more evident than ever when you look at what happened in 
Paris.
    So we ought to move forward with that. I think in general 
also, though, there are a series of issues which require us to 
think in a little bit more of a technologically savvy way about 
how we deal with data. And to go back to Congresswoman 
Lofgren's point on encryption--I am a real believer that it 
would be a mistake to legislate a requirement to create 
backdoors or duplicate keys or other limitations on the ability 
to have ubiquitous encryption. Because I know that encryption 
is one of the key tools that we use to protect innocent people 
against criminals or, for example, the North Koreans getting 
into your data. And to sacrifice the security of the many in 
this instance seems to me to be not worth it, particularly 
because I am quite confident that the bad guys can find tools 
overseas that are going to wind up allowing them to encrypt 
anyway.
    But, again, this is an area where I think--I know there is 
a litigation going on now. For a court to be asked to make or 
resolve this decision strikes me as the wrong way to go about 
it. This is something that requires looking end to end at what 
the problem is in trying to reconcile what--I do not think they 
are inevitably contradictory impulses. But what I think are 
impulses that need to be coordinated and synchronized so we do 
not go too far in the direction of handicapping security, and 
too far in the direction of handicapping privacy.
    Ms. Jackson Lee. Mr. Chairman, thank you very much. Mr. 
Chairman, can I sneak in one question for Mr.----
    Mr. Goodlatte. Quickly, because we have just enough time 
for each Member to have 5 minutes before our hard stop at 1:30.
    Ms. Jackson Lee. In answer to Mr. Chertoff, the LEADS 
legislation does lay out a process. What is your comment on the 
statutory fix for this issue? Did you hear me?
    Ms. Daskal. Yeah, yes.
    Ms. Jackson Lee. Yeah, thank you.
    Ms. Daskal. So I think the fact that the Congress is 
engaging with LEADS is a terrific step forward. I do have some 
concerns about LEADS as currently written in the way that it 
makes jurisdiction turn on the location of data, which I think 
has all kinds of practical and normative problems, because of 
the way data moves around so quickly, because of its 
divisibility, because of the fact that oftentimes when we store 
things in the cloud we do not even know where it is located at 
any given time. So making jurisdiction turn over where our data 
is does not seem to make a lot sense. That said----
    Mr. Issa. Thank you. I am afraid we are going to have to 
cut you off but----
    Ms. Jackson Lee. I think you and I thank the Chairman.
    Mr. Issa. Thank you.
    Ms. Jackson Lee. I thank the witnesses.
    Mr. Issa. Young lady from California, Ms. Walters.
    Ms. Walters. Thank you, Mr. Chairman. Mr. Smith, your 
testimony describes Microsoft's dilemma with the Brazilian 
Government seeking disclosures that would blatantly violate 
U.S. law. And I am sure that legal predicaments like this will 
only increase as governments enact laws that create additional 
conflicts. These legal quandaries undoubtedly have negative 
impact on Microsoft as well as other tech companies, and 
ultimately impair a vital sector of the American economy. And I 
know Mr. Poe had asked this question, and you had discussed the 
fines levied against Microsoft. But I wanted to give you 
additional time to discuss how this situation has impacted your 
global customer's willingness to trust Microsoft products, and 
what it has done to your business.
    Mr. Smith. Well I think more than anything else, 
congresswoman, your question, which is very important, just 
underscores, first of all, the importance that people would be 
able to trust technology. We are all putting so much of our 
most sensitive information on devices and in the cloud that 
people, by definition, only want to use technology they can 
trust.
    So the fundamental question that people around the world 
are asking is whether they can trust American technology. You 
know, we face this as one American company but I think this is 
a question that every American company is having to face. And 
there are a variety of steps we are trying to take to address 
it, we are being more transparent ourselves; I think that is a 
good thing. We are taking steps to advance privacy, to address 
and advance encryption; I think that is a good thing. But at 
the end of the day, the concern that I hear around the world is 
that regardless of what we do, the U.S. Government may use its 
long arm to reach unilaterally across borders and without 
regard for other countries' laws.
    So we need to fix that part as well. We obviously need to 
do it in a way that ensures that law enforcement can do its 
job; that is why these kinds of new agreements are needed.
    Ms. Walters. Yeah, thank you. And then I have a question 
for the entire panel. What does the internet look like if we do 
not act and data localization becomes the norm?
    Mr. Chertoff. I do not want to be overdramatic but you do 
not have an internet. You have a series of internets or 
intranets in individual countries. And so much of the value of 
the internet, which is the ability to operate on a global 
basis, is hampered. It also means that from an engineering 
standpoint some of the considerations that you have when you 
put a server in a particular place gets subordinated to issues 
about how to manage the legality or kind of legal arbitrage 
from one jurisdiction to another.
    Ms. Daskal. I would just add as well I completely agree. 
But I think the other piece of this that is important is when 
that happens, the United States no longer has a role to say in 
terms of what protections do or do not apply when a country is 
getting access to data. And so that is why this opportunity to 
enter into agreements and to set at least some parameters is a 
really important opportunity for the United States to engage, 
to set the parameters, and to do so in a way where the world is 
still talking to each other.***
---------------------------------------------------------------------------
    ***Note: The witness amends her response as follows:

      And so that is why this opportunity to enter into 
      agreements and to set at least some parameters is a really 
      important opportunity for the United States to engage, to 
      set the parameters, and do so in a way that protects our 
      privacy, security, and economic interests.
    Mr. Smith. And the last thing I would mention is the 
consequence of that kind of data localization trend and set of 
requirements is that computing gets more expensive, because it 
forces companies to build more data centers than, frankly, the 
world needs just so you can have a data center in every 
country. That costs money; that is going to lead to higher 
prices.
    Ms. Walters. Okay, thank you, I yield back. Do you have 
anything to add, Mr. Kris? No. I yield back, thank you.
    Mr. Issa. I thank the gentlelady. We now go to the 
gentleman from Georgia, Mr. Johnson.
    Mr. Johnson. Thank you. Since we have veered down the road 
of encryption, and it being a fact that encryption keeps us 
safe from hackers and garden-variety criminals, we also have 
this issue of a ungoverned space that is created by encryption; 
a ungoverned space wherein terrorists can conspire with 
impunity.
    So, you know, on one hand, we have encryption that helps 
keep us safe from hackers, but then we also have encryption 
that helps keep terrorist conspirators safe from discovery. And 
then we have the issue of international competition companies, 
multi-national corporations, multi-national companies competing 
in an international market for customers with privacy, or 
encryption, being a selling point. And this is quite 
interesting.
    It can cause a lot of fear in the minds of people concerned 
about law enforcement, concerned about intelligence, 
international intelligence. And so we see where we have gotten 
to the point where technology has exceeded the capacity of law 
enforcement, both internationally and domestically, to be on 
top of the situation which leads us into an area of anarchy, 
lawlessness. Encryption, Mr. Chertoff--you have talked about 
the fact that it protects us from hackers. What is your view 
about terrorists who are able to conspire with impunity in that 
environment?
    Mr. Chertoff. Well, Congressman, this is a--look, this is a 
serious issue, and I take the concerns of the FBI and the law 
enforcement community very seriously; I understand why this 
worries them. I guess my response is this: First of all, I know 
that even if Congress says that companies or items--companies 
that manufacture items here have to create backdoors or 
duplicate keys, people who want to do bad things will find 
devices that do not have backdoors or duplicate keys.
    I point out to people that the so-called dark web, where a 
lot of criminal activity goes on undetected because it is all 
anonymized, is powered by the Onion Router Tor, which was 
actually funded by the United States Government as a way of 
providing anonymity for people who were dissidents. The second 
thing I would say is that it has always been the case, and I go 
back in my years of doing law enforcement, that bad people were 
able to communicate with each other without being detected.
    In the old days when we were doing mob cases, they would 
either turn the radio way up so the listening device could not 
record it, or they would take a walk around the block. And we 
nevertheless succeeded in putting a lot of those folks in jail.
    And the third thing I would say is that actually, if you 
look at the technology that exists nowadays, and the amount of 
metadata that is generated that is not encrypted, I would 
venture to say that from the intelligence and law enforcement 
standpoint, the ability to detect terrorism now is 
fantastically better than it was even 15 years ago when, in the 
wake of 9/11, we were trying to hunt down terrorists in this 
country.
    So, as with all technologies, there are elements of it that 
are problematic for law enforcement, but there are elements 
that help law enforcement, and I still think the balance favors 
our security.
    Mr. Johnson. Thank you. I do not have anyone on the panel 
to ask if they would disagree with that, I assume. So with that 
I will yield back.
    Mr. Issa. And with that I would recognize the gentlelady 
from Texas for unanimous consent.
    Ms. Jackson Lee. Mr. Chairman, thank you and the Ranking 
Member. I would like to submit two articles into the record, 
``New European U.S. Data Transfer Pack Agreed,'' dated February 
2, 2016.
    Mr. Issa. Without objection so ordered.
    Ms. Jackson Lee. Reuters, and Washington Post, ``The 
British want to come to America with Wiretap Orders and Search 
Warrants,'' dated February 4th.
    Mr. Issa. Without objection so ordered.
    [The information referred to follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
                               
                               __________
                               
                               
                               
    Ms. Jackson Lee. Thank you.
    Mr. Issa. We now go to Mr. Ratcliffe.
    Mr. Ratcliffe. Thank you, Mr. Chairman. Mr. Chertoff, or 
Secretary Chertoff, I thank you as well for your service while 
you were over at the Department of Homeland Security, I was a 
U.S. attorney and a former terrorism prosecutor. So I wanted to 
ask you about your testimony; you seem to suggest that we 
revert to a global standard of data control based on where the 
target of the investigation is a resident, is that right?
    Mr. Chertoff. Actually, I would be probably inclined to say 
it should be based on where the citizenship of the 
accountholder as opposed to the target. But I could see an 
argument that might look at the target as well. But I think 
probably the accountholder makes the most sense.
    Mr. Ratcliffe. Okay, well let's walk through a scenario 
that we have probably both been through before. What if the 
information on say a suspected terrorist is located, and to use 
an example others have used here, is actually stored in Ireland 
but we know--let's say we know that that individual is a Saudi 
national. How would you reconcile that?
    Mr. Chertoff. Well, so first of all, I mean I think the 
default position would be to go based on a treaty request, like 
an MLAT, but hopefully in a world in which these requests are 
not 10 months, but are more like 10 hours. And we have seen 
from what Mr. Smith said that it is possible, in fact, to do 
that.
    Mr. Ratcliffe. Okay. So under the standard that you--tell 
me the impact that you would think that would have with respect 
to national security investigations generally.
    Mr. Chertoff. Well, and again, I am predicating this on a 
more efficient regime of answering these requests. But I think 
in many ways we have dealt with these cases in the past. I 
think that provided people put an adequate priority on this--
and my experience is generally they do in a terrorism case--I 
think it would not impede investigations unduly, and I think 
what it would do is avoid the kind of conflict that actually 
winds up slowing up investigations, because that person who is 
holding the data, or the entity that is holding the data, is 
caught on maybe unnecessarily between two conflicting legal 
systems when an agreement to go by way of a treaty would 
eliminate that sense of conflict.
    Mr. Ratcliffe. Do we get into a situation there where we 
would be increasing our reliance on intelligence authorities 
rather than law enforcement authorities?
    Mr. Chertoff. Well, I will acknowledge to you that when you 
are dealing with terrorism, particularly prevention, a lot of 
what we do is intelligence based. And that is a different set 
of issues than access by legal process. And so I am not 
suggesting we do not do that, but I am saying if we are using 
legal process, I think a system that eliminates conflict is 
something that both enables us to actually speed up 
cooperation, and avoids putting companies in a difficult 
position.
    Mr. Ratcliffe. Okay. And speaking of processes, you 
mentioned before the MLAT process. And you may have already 
given your thoughts with respect to reforms, but that was 
something that I tried to utilize during my time at the 
Department of Justice and admittedly not very effectively 
utilized it. And so I want to give you an opportunity to 
expound on the MLAT process and the best way to reform that 
from a congressional perspective.
    Mr. Chertoff. Well, your experience and mine are very 
similar. And I think there are two elements to this. One is I 
think the technology, at least when I was a prosecutor, you 
know, it was a paper-based system. And it tended to be, from a 
technological as well as, frankly, a priority standpoint, you 
know, pretty slow. I think we could build a technology platform 
that would make this much, much quicker. We see this in a lot 
of areas in the commercial domain.
    I think the second issue would be the policy standpoint. 
And there, I think, whether it is additional resources, or a 
decision at a high level of the law enforcement community to 
treat at least a certain category of these very high priority 
would be--enable us to move these more quickly. And I think, 
again, the lesson of what happened after the Paris attacks, 
where it took 45 minutes to respond to a request is 
illustrative.
    Mr. Ratcliffe. Right. Well, out of respect for the other 
Members that have questions, I will yield back the balance of 
my time. I do want to thank everyone for being here. We all 
understand what an important issue we are discussing today. I 
yield back.
    Mr. Issa. I thank the gentleman. We now go to the 
gentlelady from Washington, Ms. DelBene.
    Ms. DelBene. Thank you, Mr. Chair. And thanks to all of you 
for being with us today. Mr. Smith, when ECPA was written many 
years ago, as you were highlighting, in 1986, it was also the 
very early days of email. When I first started working on email 
in 1989, even then it was still really only used in companies 
that had it for internal communications. And if you did get an 
email, folks always downloaded it from a server because 
capacity in servers was very low. And they would regularly 
delete those servers to have room for new information.
    So it seems clear that some of the fundamental technical 
assumptions that were made when ECPA was written have 
definitely changed vastly since then. And I wonder if you could 
comment on the mechanics of cloud computing today and what 
legal questions that creates, especially with respect to ECPA. 
And why cannot the courts just shoehorn kind of all of these--
today's legal issues and to, like, the international storage 
issue, into that old law.
    Mr. Smith. Well I think your question raises an excellent 
point. A company like Microsoft built its first data center 
outside the United States only in 2010. So cloud computing and 
the explosion of cloud computing is really a phenomenon of this 
decade. That is what has created all of these issues that we 
are talking about today. And it has created the need at times 
for law enforcement, quite rightly, to want to get access to 
information, to content, to email in other countries.
    I think the fundamental question in a sense from a U.S. 
legal perspective is that when technology moves forward and the 
law needs to catch up, as it does here, what is the best way 
for that to happen? And we would say the best way is for the 
executive branch, if it wants new power, to come back to 
Congress and ask Congress to enact it.
    Ms. DelBene. And when you say when the law was written it 
was written actually with respect to the way technology was 
working then, as opposed to providing intent going forward.
    Mr. Smith. Well absolutely, and the most interesting and 
telling aspect of ECPA in this regard is the fact that it 
applied a lower standard to protect email that was over 6 
months old. And that was all based on some thinking in the 
1980's that, I think, barely anybody can remember, that most 
businesses moved their paper records offsite after 6 months. 
Maybe that was true. But who the heck has an email account that 
has only email that is less than 6 months old? The answer is 
only email accounts that have been opened less than 6 months 
ago. All the rest of us have email that is older than that, and 
that just shows how much the world has changed.
    Ms. DelBene. And with the shift to cloud computing now, 
more and more of that information is stored on servers.
    Mr. Smith. Well, the amazing thing about the cloud, as you 
point out quite rightly, is now we are not only talking about 
email, we are talking about all the photographs of our lives. 
We are talking about all of the other digital records that we 
have. We are talking about the PDFs that--in our lives. It is 
everything that sort of documents what we do every day.
    Ms. DelBene. And do you think that people should have a 
different expectation of how digital information is treated 
versus physical information? Is there a legal significance to 
the fact that you might information that is in digital form 
versus paper form?
    Mr. Smith. I think that technology needs to advance, but 
certain timeless values need to endure. And among these 
timeless values are the rights to privacy. And every time the 
American public has been asked, they have said the same thing. 
They want the data they store in the cloud to get the same 
privacy protection as the information they store on paper. And 
I think that is exactly the right point of view.
    Ms. DelBene. Does anyone else think there is a difference 
between digital or paper in terms of the legal significance and 
that differentiation?
    Mr. Chertoff. I agree with Mr. Smith. I think one of the 
challenges here, frankly, is people--sometimes because of the 
fact that the data moves electronically and seamlessly, 
conflate what is a business record and a provider with what is 
something that a provider holds as a custodian so to speak. And 
to use an example from the banking world, it is one thing to 
subpoena a bank for bank records which are the bank's own 
documents or the bank's own information.
    It is another thing if you want to get into a safety 
deposit box. The bank does not have a limitless right to enter 
the box and, therefore, you need a warrant for the box that is 
separate and distinct from a subpoena for the business records. 
And because electronic data does not neatly fall into that 
obvious category, categorization, there is a tendency to 
conflate the two. But I think as Brad says, that the principles 
ought to be the same.
    Ms. DelBene. Mr. Kris?
    Mr. Kris. I would just say the two factors that strike me 
as the most significant here are first, the incredible amount 
of digital data that is now created and available. Digital dust 
or digital footprints of your daily life are everywhere 
created. And they are also, second point, stored with third 
parties in a way that they did not use to be. And so I find 
myself in strong agreement with Mr. Smith when he had his 1912 
adding machine in front of him.
    It is, I think, important and appropriate for Congress to 
look at the All Writs Act again. I would go further, and 
suggest you also consider the technical assistance provisions 
in both the Wiretap Act and FISA to clarify exactly what kind 
of assistance is going to be required from third parties in 
making digital data in the clear available to the government. 
You know, at one extreme is legislation now pending in the U.K. 
which, if I read it correctly, would essentially allow them to 
compel providers to push down widgets, malware in bulk, across 
a network and all the users on that network.
    And at the other extreme would be, you know, essentially no 
compelled assistance. There is going to be a middle ground 
there, and I think Congress is the appropriate institution of 
our government to come to grips with that.
    Mr. Issa. I thank the gentlelady. And with that we go to 
the gentleman----
    Ms. DelBene. Sorry, my time expired.
    Mr. Issa. Yes, I am afraid so. And we now go to the 
gentleman from South Carolina, Mr. Gowdy.
    Mr. Gowdy. Thank you, Mr. Chairman. And I apologize for 
having to leave. I had a meeting on the Senate side. But I am 
happy to report that they are up at this early hour working on 
the Senate side. And I see that almost all the good lawyers 
have gone, so it is my turn. Mr. Smith, from a law enforcement 
perspective, you receive a warrant for information that you 
maintain in a foreign country. And I know some of this has 
already come up, but just humor me because I find this stuff 
interesting and I would rather you say it twice than not say it 
once. You get a search warrant for material that is in a 
foreign country from a U.S. law enforcement official, and it 
violates the law of that foreign country for you to access that 
information. How do you resolve that?
    Mr. Smith. Well I think the real problem is we are just 
being put in an impossible position. You know, certainly what 
we have done to date is looked at U.S. law and if the 
information is in the United States and it would violate the 
Stored Communications Act for us to turn it over, we simply do 
not turn it over. That is why, as I was saying earlier, we have 
now been fined $28 million by the Brazilian Government, and we 
have an executive there who is being prosecuted. I think the 
big quandary we are all going to face in 2 years is what 
happens once the new European Union regulation takes effect, 
and their blocking statute that would prohibit us from turning 
information over to the DOJ outside of an international 
agreement kicks in. I do not see how we can turn information 
over to the Justice Department if it is in Europe, and European 
law prohibits us from doing so, which is why I think the 
fundamental argument that the Justice Department, that it needs 
this, both has some merit but, ultimately, frankly, sort of 
misses the point. The day of unilateral search warrants is fast 
coming to an end; it needs to be replaced by something new and 
something better and we had better act quickly.
    Mr. Gowdy. Are there any facts from the Brazilian fact 
pattern where you have an executive that is facing--did you say 
criminal prosecution?
    Mr. Smith. Yes, criminal prosecution.
    Mr. Gowdy. For being out of compliance with a discovery 
order, or what is the procedure for where he finds himself, or 
herself?
    Mr. Smith. You can think of it as akin to what in the 
United States would be a contempt order from a court. You know, 
a local court has issued a local order requiring us to turn 
over certain information but in this case the information is 
not in Brazil, it is in the United States, and U.S. law 
prohibits us from turning it over. As we talk about pressure 
for data localization, this is the ultimate pressure for data 
localization. Because obviously, what it is intended to do is 
encourage U.S. companies to build data centers in Brazil so we 
no longer have to follow U.S. law.
    So, again, the specter of concerns that people have in some 
ways are coming true before our very eyes if we cannot find a 
better way to solve them.
    Mr. Gowdy. For those of us in the past who have experienced 
the joy of facing potential contempt from a judge, what is your 
executive supposed to do? How is he or she supposed to get out 
of this quandary?
    Mr. Smith. Let me just say I do not want to get into the 
privileged conversations that I have had with our employee. It 
is a darn complicated situation. Yeah, these are situations 
where people's life and liberty ultimately is at stake. And, 
you know, we at Microsoft are not alone in having faced these 
kinds of issues around the world. And there are a number of 
companies facing similar issues in Brazil itself. And, you 
know, it, among other things, calls into question how one 
continues to do business in certain countries, whether people 
can continue to live there. You know, these are not easy 
decisions to make.
    Mr. Gowdy. Have you proposed either a legislative or 
regulatory remedy to the Department on how to resolve fact 
patterns like the Brazilian one?
    Mr. Smith. Yes, and I have talked with the Brazilian 
Government as well as you might imagine. Ultimately, I believe 
that if the U.S. and the U.K. can fashion an agreement that 
works, the people in the United States can feel comfortable 
with, that law enforcement can feel meets its needs, it creates 
a model that we can consider then advancing in other countries.
    And I, frankly, hope there will a day when there is an 
agreement between the United States and Brazil as well. I think 
that that kind of solution is needed for the people of Brazil, 
and the Brazilian Government, who have legitimate needs I 
appreciate, but we just need a new solution, not an old one.
    Mr. Gowdy. I am almost out of time, so this will be my last 
question. Going back to when we were in law school and this 
expectation of privacy, and the fact that it has to be an 
expectation that the public considers to be reasonable, but the 
public can change its mind. So the bank records case from 30 
years ago, or however old that was, if that is really the most 
recent precedent or the precedent that people cite for this, 
where do you see the public's reasonable expectation in terms 
of what they think they have a privacy interest in?
    Mr. Smith. I think technology has moved forward, public 
expectations of privacy have caught up, people actually do 
expect the data they store in the cloud and put on their 
devices to be private. And the Supreme Court, I think, 
recognized this unanimously 2 years ago in the Riley case. And 
I thought the fact that it was a unanimous Supreme Court 
decision acknowledging this public expectation to privacy was 
of fundamental importance for the country.
    Mr. Gowdy. Thank you, Mr. Chairman.
    Mr. Issa. Thank you, Mr. Chairman. We now go to the 
gentleman from New York, Mr. Jeffries.
    Mr. Jeffries. Thank you, Mr. Chairman. I thank all the 
witnesses for their presence here today. Let me start with Mr. 
Smith. Microsoft is a U.S.-based company in Washington that 
employs around tens of thousands of individuals in the country, 
is that fair to say?
    Mr. Smith. That is correct. We employ more than 50,000 
people in the United States.
    Mr. Jeffries. And other companies like Google and Apple and 
Facebook also employ tens of thousands of people here in the 
country?
    Mr. Smith. Collectively our industry employs hundreds of 
thousands, indeed probably millions, of people in the United 
States.
    Mr. Jeffries. And it is projected, I think, over the next 5 
years that at least a million, if not more, jobs will be 
created here in America as a result of the activity of 
technology innovation companies.
    Mr. Smith. Assuming our country can give people the skills 
and education they need, absolutely we will create the jobs and 
fill them here.
    Mr. Jeffries. Now, collectively, companies like Microsoft 
and Apple and some of the others that I mentioned are sort of 
world leaders in the technology and innovation economy. Is that 
also a fair assessment?
    Mr. Smith. That is what we aspire to be every day, yes.
    Mr. Jeffries. And I would be interested in your thoughts as 
to this notion that the trust factor, which has been eroding 
all across the world as it relates to the view that many other 
countries have toward our leading technology companies, could 
adversely impact our position as a world leader in technology 
and innovation.
    Mr. Smith. It is, I just think, an imperative for the U.S. 
technology sector to restore trust in American technology. We 
really, over the last 3 years, since the Snowden disclosures, 
there has been a global conversation taking place about whether 
people can trust technology. And as a tech sector, we have been 
out taking new steps, including investments in end-to-end 
encryption to advance that kind of trust. And I just think it 
is fundamental to our ability to succeed globally in the 
future.
    Mr. Jeffries. Secretary Chertoff, could you comment in this 
trust dynamic and the notion of eroding American 
competitiveness?
    Mr. Chertoff. Yeah, I would be delighted to, Congressman. I 
will give you an example of what happens when you do not have 
trust. It is not a surprise that some of the major Chinese 
companies that are involved in producing telecommunications and 
IT equipment have a bit of a trust problem around the world. 
And I think in the last couple of years they wanted to be--one 
of them wanted to be the backbone of the IT system in 
Australia, and the Australian government said no, they would 
not allow it because, again, there was a trust issue.
    I think we underestimate sometime the strategic value of 
the United States of the ability to have an IT system, and to 
produce products and services that people do trust, and are 
willing to rely upon and implement. And I think, you know, 
since the Snowden disclosures, the effort to rebuild trust by 
making sure that first of all we have clear processes about, 
you know, what the law is, what is private, under what 
circumstances it has to be turned over--I think that is 
critical to maintaining our competitive position and that has 
an effect not only on our, frankly, our jobs, but on our 
national security as well.
    Mr. Jeffries. Thank you. Mr. Smith, the Department of 
Justice seems to have taken a position that there are no 
existing conflicts of law. Is that your understanding of their 
position, or your understanding of what the actual landscape is 
at this moment in time?
    Mr. Smith. It is clearly what Mr. Bitkower said this 
morning. I do not believe it is an accurate characterization of 
the issues in our lawsuit at the Second Circuit. We pointed out 
that there are serious issues and concerns involving the 
potential conflict between U.S. and Irish law. There is no 
Irish court decision that is yet on point, but I think that the 
issues are serious.
    As I have mentioned, in Europe the law will be clear. There 
will be a concrete conflict across Europe in 2 years. And 
fundamentally, the case is not about whether there is a 
conflict of laws. It is about whether the executive branch is 
exercising power that the Congress gave it in ECPA.
    Mr. Jeffries. Now are countries in other continents likely 
to follow the lead of the European Union and move in the 
direction that becomes more restrictive, countries on the 
Continent of South America, Africa, Asia?
    Mr. Smith. We are following these regulatory and legal 
trends around the world. And what we are basically seeing is a 
number of governments considering or enacting new laws or 
regulations that, in some cases, are requiring data 
localization, and in other cases are considering or moving 
toward these kinds of so-called blocking statutes like the one 
I have referred to in the European Union; yes.
    Mr. Jeffries. Thank you. And lastly, Secretary Chertoff, 
the 19th century was the century of the telegraph, the 20th 
century the century of the typewriter, and then the personal 
computer, 21st century, century of the smart phone, internet of 
things, who knows what other innovation will take place. There 
seems to be an emerging consensus from many colleagues on both 
sides of the aisle that Congress needs to step in, in this 
vacuum.
    My question is with the explosive growth of innovation and 
technology, which is a great thing, you know, how--it is 
difficult for Congress to keep up with the changes in 
technology. But what framework should we take in looking to 
enact legislation that recognizes the fact that we want to 
create some certainty, but also flexibility in interpretation 
in order to capture the dramatic and rapid change of 
technology?
    Mr. Chertoff. I think that is a very important question, it 
is one that I am not going to be able to fully answer in the 
remaining time allotted. I would say this--I do think it is 
time for Congress, whether they do it by way of a commission or 
some other body, to really take a comprehensive look at the 
question of how the change in technology has affected a lot of 
our expectations. I would not legislate on a micromanagement 
level but I do think some general principles could be fleshed 
out. And just to give you one example, Mr. Smith talked about 
the Riley case. Much of our rule about privacy is based on the 
idea that we are thinking about when you search an object or a 
case, you are searching what is in the case. But in many ways 
when you now pick up a smart phone and you start to search the 
phone, what you are doing is you are taking a key to your 
house. And it is as if you are taking the key and walking over 
to someone's house and searching the whole house.
    So as we think about the issue of, how do we deal with data 
that is remotely held I think there is a general set of 
principles that we could come up with that would not 
micromanage every situation, but would help give a framework 
for applying?
    Mr. Jeffries. Thank you, and I yield back.
    Mr. Issa. I thank the gentleman. Now all you have left are 
the non-attorney, four attorneys behind me, that will 
undoubtedly question a lot of my questions, but rightfully so. 
You know, Secretary Chertoff, I am going to use you as part of 
it; I am going to use probably Mr. Smith as part of it. First 
question was, since you brought all of your props and they are 
all tangible old props do you view--as I asked the first 
panel--do you view that, in fact, what we need to do is write 
specifics, but write them based on the same principles that we 
had in the tangible world? That is a fair analysis, is it? 
Secretary, same thing. Because I mean I think that is the first 
thing. We are going to have to write legislation. Do we write 
it based on principles of the past that our Founders saw in the 
tangible world, and then find a way to make them versatile in a 
instantaneous transfer world?
    Mr. Chertoff. I would say the answer to that is yes, in the 
sense that the enduring principles are what we want to make 
sure are preserved. But without minimizing the fact that it is 
not simply a matter of translating, you know, what is physical 
to what is virtual. There are going to be some differences, but 
the values remain the same.
    Mr. Issa. Well let me go over some of these values. And if 
I see a headshake no, I will call on you. Otherwise, we will 
assume that I have got some yeses on these, which I like to get 
to yes. You might have noticed that in the past. Principles 
that we need to do if we pass updated legislation; first of 
all, we need to deal with the predictability, not just in the 
United States, but around the world.
    We need to have a reciprocity concept at the time that we 
produce this legislation, because the rest of the world is 
looking to us for whether we will live by our rules when the 
shoe is on the other foot. The American people need to have a 
notice of what their rights are, and likely, in most cases, a 
notice of the taking of their information. We know there are 
certain times that it will not happen. We need to deal with 
what nexus is in a virtual world; not just is it a U.S. person, 
but did it originate in the United States? Did it transfer 
through the United States? And so on.
    We are likely, I believe, as a principle to have to break 
into two parts; one is the criminal part, including national 
security, the other is civil. Because, again, I suspect that we 
are going to have a custody battle between two people, and yet 
records are going to be demanded from around the world.
    It seems like, back to the same point, there has to be an 
informed consent. In other words, today most of us have no idea 
whether or not the storage of some item might give us 
additional rights or might not. And I presume we are going to 
have to look at that from a standpoint of both law and treaty. 
One that I, because I am also on foreign affairs, I am become 
very familiar with is the principle that does not seem to exist 
here but clearly exists in Europe, the right to be forgotten is 
going to have to be addressed if we are going to have 
reciprocal agreements with other countries who truly believe 
that if you host something in another country, it will not 
eliminate the likelihood that you have to honor, let's just say 
a European Union citizen, the right to disappear, which they 
are clearly working on. I have not got a no yet.
    Lastly, the expectation of privacy. It appears as though 
one of the most important things we are going to have to do is 
define what the American people can expect from data which is 
stored anywhere outside of their pocket in an inanimate object 
with no battery and a cloister of multiple different shrouds, 
so that it cannot possibly be energized remotely, and thus 
activated and taken.
    And, Mr. Chertoff, you were laughing because we all know 
exactly how that happens. So did I go through points you all 
agreed to? And it looks like I did. What did I leave out? What 
additional considerations should this Committee have in the 
record today as we look to what is obviously our primary 
jurisdiction and a long overdue look at the world as it exists 
electronically? And I will just go right down the list.
    Mr. Smith. Well first I would say that you have shown once 
again what Abraham Lincoln first proved, you do not have to go 
to law school to have a great legal mind. I think you have 
captured the legal issues that the world needs to address and 
certainly this Congress needs to address. I do not think there 
is anything that you have left out or--let me put it another 
way--if Congress could answer the questions that you have 
posed, the whole world of technology and the world for people 
would be much better off.
    Mr. Chertoff. I really agree with that. I would say one 
thing, just not to be naive. You know, I think in our minds 
when we talk about the ability to reach a global accommodation, 
we are thinking of the Europeans, we are thinking of countries 
that are more or less kind of western style democracies.
    Mr. Issa. But I serve on Foreign Affairs so I know that we 
are--we may all be created equally but we do not all think the 
same.
    Mr. Chertoff. Exactly. And I think when we deal, for 
example, with Russia, we are going to need to be realistic 
about that. But, you know, if we can reach a reasonable set of 
agreements with a good deal of the globe, that would be a 
major, major step forward.
    Mr. Issa. And so that is where the reciprocity may not be 
universal but at least the standards among those who have 
reciprocity would be universal. Mr. Kris.
    Mr. Kris. Yeah, I agree. I thought that was an excellent 
summary of all of the issues that need to be addressed.
    Mr. Issa. That is why I went last.
    Mr. Kris. Instantiating them, you know, in all of the 
various digital and other settings is going to be, as you know, 
enormously challenging. The only additional point I would make 
is you have, I will call it an opportunity, before the end of 
2017 to consider renewal of the FISA Amendments Act. And so 
that is, as an adjunct to this, another area in which you are 
going to want to, I think, harmonize your efforts. Thank you.
    Ms. Daskal. So I echo the agreement with the incredible 
list. I would just add that when one is thinking about the 
relevant nexus, which you raised just now and you also raised 
in your earlier questions to Mr. Bitkower, and the analogies to 
tangible property, I think the analogies are right in the sense 
that it does not make sense for the United States to assert 
unilateral jurisdiction over everything everywhere in the 
world; that there is a concern about that. At the same time, I 
think it is worth thinking about other jurisdictional hooks 
other than location of data, given the differences between data 
and other forms of tangible property.
    Mr. Issa. I think your point is good. And just as one 
Member of this Committee, I believe that is one of the 
challenges we face from a business standpoint. And I will put 
my recovering, hopefully, never fully recovered businessman's 
hat on for a moment.
    And that is that we want the world to have an expectation 
that rule of law will exist for them, no matter where the data 
is. The data transfer or, let's just take J.P. Morgan Chase; if 
they only have one server farm, or two server farms, and they 
are both in the United States that will not happen. But if it 
did, we do not want the world to believe they are 
disenfranchised and begin ordering balkanization. And I 
certainly think although that is not part of the principles of 
our Constitution here, it is good common sense that we have to 
find a solution that does not adversely affect business models, 
cause countries essentially to order, even if it is Russia, to 
order that you localize for some reason.
    Let me beg your indulgence; I have 4 minutes left on the 
Chairman's mandate that we finish at 1:30. There is an elephant 
not in the room, which is the Apple case, but since I am 
bringing it into the room, I want to ask just a basic question, 
and I will start with Mr. Smith. Microsoft, you mentioned in 
your testimony, and in some of your answers, you are looking at 
end-to-end encryption for a multitude of products. Your 
products, if they do not now, will shortly un-encrypt, use 
data, re-encrypt as a matter of course because we now have the 
processing power that allows you to do that. Is that a fair 
statement?
    Mr. Smith. Well we are certainly focused on implementing 
encryption. It was two and a half years ago we said we would 
implement encryption at rest, encryption in transit, encryption 
in more scenarios. So I think fundamentally encryption is an 
important part of safeguarding people's information for the 
future.
    Mr. Issa. So is it fair to say that what Apple is dealing 
with--you mentioned you are going to submit an amicus brief--
what Apple is dealing with, every software company, and 
probably every communication company, and perhaps most, if you 
will, social networking and even ecommerce companies, all are 
going to face similar questions to the one that Apple is facing 
today.
    Mr. Smith. I think in one form or another, many, many 
technology companies in many, many countries are going to need 
to address these encryption issues. And certainly Apple's case 
is an important example of one form of that.
    Mr. Issa. And Secretary Chertoff, I am going to take 
advantage of the fact you have worn so many hats, and your 
knowing what FISA judges go through, knowing how the NSA 
provides information, knowing what the Central Intelligence--
what their sources and methods historically have been. Let me 
just ask you a question in the open. Is not one of the most 
important tools that we have in going after terrorists and 
criminal networks, the lack of their predictability and 
knowledge of what we can or cannot break, what we do or do not 
know, and what we can or cannot find out?
    Mr. Chertoff. I think that is absolutely correct. And that 
is one of the things that was very damaging about Snowden is to 
some extent he at least put them on alert about certain things.
    Mr. Issa. So when Apple and others say that ordering a 
predictable key encryption, a backdoor, guarantees that at 
least as to those who have complied with it, that the bad guys 
will know not to use that product. And if I think of sort of 
the entrepreneurial nature of criminals and terrorists, by 
definition will we not be begging them to take their millions 
or billions of dollars and use it to develop items that do not 
have a backdoor and, thus, reduce the chances that we are going 
to have commercial off the shelf software that we might be able 
to produce our own independent backdoors from time to time 
without their knowing it?
    Mr. Chertoff. I think you are absolutely right. One of the 
unfortunate things about this being a public dispute is that it 
pretty much guarantees that terrorists will now be looking to 
other tools. And, in fact, there was something in the paper 
recently about a manual they found or some kind of a document 
of ISIS folks going through what are the best encrypted 
technologies. Now sometimes they are wrong, and that works for 
us, but only if we keep it quiet.
    Mr. Issa. Thank you. I want to thank all of our guests. You 
were great witnesses. It is exactly 1:30, and we stand 
adjourned.
    Ms. Daskal. Thank you.
    [Whereupon, at 1:30 p.m., the Committee adjourned subject 
to the call of the Chair.]

                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

Questions for the Record submitted to David Bitkower, Principal Deputy 
    Assistant Attorney General United States Department of Justice*
---------------------------------------------------------------------------
    *Note: The Committee did not receive a response from this witness 
before this hearing transcript was finalized in October 2016.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




         Response to Questions for the Record from Brad Smith, 
        President and Chief Legal Officer, Microsoft Corporation
        
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]        
        


 Questions for the Record submitted to the Honorable Michael Chertoff, 
         Co-Founder and Executive Chairman, The Chertoff Group*
---------------------------------------------------------------------------
    *Note: The Committee did not receive a response from this witness 
before this hearing transcript was finalized in October 2016.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



Response to Questions for the Record from the Honorable David S. Kris, 
former Assistant Attorney General for National Security, United States 
                         Department of Justice
                         
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                         


 Response to Questions for the Record from Jennifer Daskal, Assistant 
        Professor, American University Washington College of Law
        
        
        
  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]      
        
        
        


                                 [all]