[Senate Hearing 114-905]
[From the U.S. Government Publishing Office]






                                                        S. Hrg. 114-905

                  GOING DARK: ENCRYPTION, TECHNOLOGY,
                     AND THE BALANCE BETWEEN PUBLIC
                           SAFETY AND PRIVACY

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               ----------                              

                              JULY 8, 2015

                               ----------                              

                           Serial No. J-114-22

                               ----------                              

         Printed for the use of the Committee on the Judiciary






    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]






                        www.judiciary.senate.gov
                            www.govinfo.gov














































                                                        S. Hrg. 114-905

                  GOING DARK: ENCRYPTION, TECHNOLOGY,
                     AND THE BALANCE BETWEEN PUBLIC
                           SAFETY AND PRIVACY

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              JULY 8, 2015

                               __________

                           Serial No. J-114-22

                               __________

         Printed for the use of the Committee on the Judiciary







    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]






                        www.judiciary.senate.gov
                            www.govinfo.gov

                                   _______
                                   
                 U.S. GOVERNMENT PUBLISHING OFFICE 
                 
53-117                    WASHINGTON : 2025



































                       COMMITTEE ON THE JUDICIARY

                  CHARLES E. GRASSLEY, Iowa, Chairman
ORRIN G. HATCH, Utah                 PATRICK J. LEAHY, Vermont, Ranking 
JEFF SESSIONS, Alabama                   Member
LINDSEY O. GRAHAM, South Carolina    DIANNE FEINSTEIN, California
JOHN CORNYN, Texas                   CHARLES E. SCHUMER, New York
MICHAEL S. LEE, Utah                 RICHARD J. DURBIN, Illinois
TED CRUZ, Texas                      SHELDON WHITEHOUSE, Rhode Island
JEFF FLAKE, Arizona                  AMY KLOBUCHAR, Minnesota
DAVID VITTER, Louisiana              AL FRANKEN, Minnesota
DAVID PERDUE, Georgia                CHRISTOPHER A. COONS, Delaware
THOM TILLIS, North Carolina          RICHARD BLUMENTHAL, Connecticut

                Kolan L. Davis, Majority Staff Director
                Kristine Lucius, Minority Staff Director
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                
                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page

Grassley, Hon. Charles E.........................................     1
    Prepared statement...........................................    55
Leahy, Hon. Patrick J............................................     3
    Prepared statement...........................................    57

                               WITNESSES

Comey, James B...................................................     7
    Prepared statement...........................................    59
    Responses to written questions...............................   146

Lin, Herbert, Ph.D...............................................    34
    Prepared statement...........................................    93
    Responses to written questions...............................   157

Swire, Peter.....................................................    36
    Prepared statement...........................................   124
    Responses to written questions...............................   158

Vance, Cyrus R., Jr..............................................    32
    Prepared statement...........................................    71
    Responses to written questions...............................   160

Yates, Sally Quillian............................................     6
    Prepared statement...........................................    59
    Responses to written questions...............................   151

                                APPENDIX

Items submitted for the record...................................    53

 
                  GOING DARK: ENCRYPTION, TECHNOLOGY, 
                     AND THE BALANCE BETWEEN PUBLIC 
                           SAFETY AND PRIVACY 

                              ----------                              


                        WEDNESDAY, JULY 8, 2015

                              United States Senate,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:05 a.m., in 
Room 226, Dirksen Senate Office Building, Hon. Charles E. 
Grassley, Chairman of the Committee, presiding.
    Present: Senators Grassley [presiding], Hatch, Cornyn, Lee, 
Flake, Perdue, Tillis, Leahy, Feinstein, Schumer, Whitehouse, 
Klobuchar, Franken, and Blumenthal.

         OPENING STATEMENT OF HON. CHARLES E. GRASSLEY,

             A U.S. SENATOR FROM THE STATE OF IOWA

    Chairman Grassley. Before I read my statement, I would like 
to give you a bottom line. One word would be ``conversation.'' 
Another word would be--three words would be ``start a 
conversation.'' Or if a conversation has already started, then 
this would be part of continuing a conversation. It is 
obviously something that those of us on the Committee feel is 
an issue that needs to be--have a little more highlight because 
it is a very major issue that we have to discuss, and my 
statement will go into detail.
    Today's hearing is intended to start a conversation in the 
Senate about whether recent technological changes have upset 
the balance between public safety and privacy. Just a few days 
ago, we celebrated the birth of our country. That occasion 
should serve as a reminder of the gifts bestowed upon us by the 
Founders, not only the Declaration of Independence adopted July 
the 4th, but the Constitution that followed it. The protection 
of our privacy and civil liberties by the Bill of Rights, more 
specifically by the Fourth Amendment, provides a useful place 
to begin our conversation today.
    The core of the Fourth Amendment is the requirement that, 
with limited exceptions, when a law enforcement officer is 
investigating a crime, the officer must obtain an individual 
warrant or a court order to conduct a search that would violate 
a person's reasonable expectation of privacy. That order must 
be issued by a neutral and detached judge based on facts that 
demonstrate probable cause. Through this brilliant framework, 
for over 200 years now, our constitutional system has preserved 
the rule of law, ensured our public safety is maintained, and 
protected our individual privacy and civil liberties in part 
through the separation of powers. Recently, prominent law 
enforcement officials have been questioning whether the laws 
Congress has enacted over the years to adapt that framework to 
changing technology, such as the Communications Assistance for 
Law Enforcement Act--and I will call that ``CALEA,'' as it is 
known around here--whether or not that is adequate to the task 
for today.
    What they have been telling us is that increasingly, even 
after they have obtained authority from a judge to conduct a 
search for evidence of a crime, they lack the technical means 
to do so. Director Comey and Deputy Attorney General Yates have 
recently spoke out about this issue, and I have heard about it 
from State and local officials in my State of Iowa as well. 
They describe two distinct but related components to the 
problem.
    First, they report a decreasing ability to intercept real-
time communications, such as phone calls, emails, texts, and 
other kinds of so-called data in motion. Second, they relate a 
similar concern regarding their inability to execute search 
warrants on encrypted phones, laptops, and other devices, which 
store what they refer to as ``data at rest.''
    Companies are increasingly choosing to encrypt these 
devices in such a way that the company itself is unable to 
unlock them, even when presented with a lawful search warrant. 
These encrypted devices, they fear, are becoming the equivalent 
of closets and safes that can never be opened, even when a 
judge has expressly authorized a search for evidence inside 
them. In their view, this development has the potential to 
impact the fair and impartial application of our laws by 
effectively placing certain places, and, therefore, certain 
people, outside of the law. These officials describe the 
cumulative effect of these changes on their ability to do their 
jobs as ``Going Dark.'' It is not a new issue. According to 
them, it is a problem that is getting dramatically worse, and 
it is having a real effect on their ability to protect the 
public and to bring criminals to justice.
    The reason for these sweeping changes is not difficult to 
understand. Rapidly changing technology has made the way that 
we store and the way we communicate our personal data quite 
different than it was, obviously, in 1776--not just that, let 
alone even 5 or 10 years ago.
    Today's revolution then is a technological one. It is a 
revolution that has resulted in a proliferation of new devices, 
networks, apps, and other modes of communication. By leading 
this revolution, some of our finest American companies are 
enriching our lives. Through their ingenuity and through their 
innovation, they are allowing us to be in closer touch with our 
loved ones, sharing the things important to us in very new 
ways. However, as more of our lives have ended up on digital 
platforms, devices, and on the internet, our data has 
increasingly become a target for hackers, criminals, and 
foreign governments.
    We pick up the newspaper and read about breaches that have 
left personal data exposed almost on a daily basis. We want our 
data to remain private; we want it to be secure; and it is 
natural that companies seek to respond to this market demand. 
At the same time, these wonderful technologies are also being 
employed by those who seek to do us great harm.
    In particular, Director Comey has talked about the 
challenges this issue presents the FBI in the national security 
context. According to the Director, ISIS is recruiting 
Americans online and then directing them to encrypted 
communication platforms that are beyond the FBI's ability to 
monitor, even with a court order. If this is accurate, it 
obviously represents a dangerous state of affairs.
    Then this question: How do we balance the need for both 
public safety and privacy? Are there ways that we can provide 
law enforcement judicially sanctioned access to these platforms 
without compromising their overall security? Or are there other 
potential reforms that could simply shift the balance less 
dramatically? These are questions that have right now no easy 
answers.
    I know many of our privacy and technology communities are 
highly skeptical that any reform can be accomplished without 
unacceptably undermining both the privacy interests of our 
citizens as well as the international competitiveness of our 
technology companies. These are, no doubt, fundamental 
important considerations. As a start, we need to have an open 
and honest conversation that examines the costs and benefits 
both of potential reforms, as well as continuing down the path 
we are headed. We need to do so with humility and respect for 
those who come to the issue from different perspectives.
    Last year, The Washington Post ran an editorial on the 
``Going Dark'' issue, describing our time as quote, ``an 
important moment in which technology, privacy, and the rule of 
law are colliding,'' end of quote. Ultimately, the newspaper 
called for compromise. That is the spirit of Framers--that the 
Framers brought to Philadelphia that gave us the Constitution 
and that eventually produced our Bill of Rights.
    Today I hope the Senate takes a first step at seeing if any 
consensus is possible on this very important issue and a 
complicated issue.
    Without objection, I would like to place into the record a 
few statements for the record that the Committee has received: 
one from the National District Attorneys Association, another 
from the Application Developers Alliance, and a third from the 
ACLU.
    [The information appears as a submission for the record.]
    Chairman Grassley. Thank you for listening to my long 
statement, and now Senator Leahy will give his statement.

          OPENING STATEMENT OF HON. PATRICK J. LEAHY,

            A U.S. SENATOR FROM THE STATE OF VERMONT

    Senator Leahy. Thank you very much, Mr. Chairman. Director 
Comey and Deputy AG Yates, thank you for being here. I also 
appreciate very much the earlier informative meeting, without 
going into what was discussed because of the classified nature, 
that you gave us on this subject. I think those kind of--I 
might say to the Chairman, as he knows, I used to try to do 
these similar things. Sometimes those informal meetings are 
even more productive than the formal ones.
    We know how the internet has transformed the lives of 
Vermonters and all Americans over the last 20 years. We use it 
to communicate, make financial transactions; we get our medical 
records, we file taxes. We store personal information, and I 
certainly store an awful lot of photographs I have taken, 
including photographs of both of you.
    Critical to the digital revolution has been the development 
and use of strong encryption. Ensures that if we send or store 
electronically--and I am thinking now of financial records and 
medical records and things like that--it is protected against 
hackers or criminals or spies. We also know that it is creating 
problems for law enforcement.
    Two decades ago, during the so-called Crypto Wars, the FBI 
and others argued that strong encryption prevented 
investigations from obtaining access to information even when 
they had a court order.
    As one who was a prosecutor, I am sympathetic to these 
public safety concerns. You can use encryption to impede 
investigations by Federal, State, and local law enforcement, 
and I think we have heard from all of them. As we learned in 
the 1990s, this--in many ways, it was simpler then, but it was 
still a complicated issue.
    Some have suggested that technology companies should build 
special law enforcement access into their systems. Let us 
consider the risks of that approach. Strong encryption has 
revolutionized the online marketplace. It protects American 
businesses and consumers from cyber crime, espionage, identity 
theft, stalking, and other threats on the internet. If you 
undermine encryption, you could make our data more vulnerable.
    In the 1990s, I opposed efforts to regulate the development 
of encryption technology. I was concerned that if you regulated 
encryption, you are going to stifle innovation, you would harm 
American businesses, you would impede technological 
advancement, undercut security, and, of course, all our 
competitors worldwide would just go ahead and do it anyway, and 
we would be left behind.
    Fifteen years later, the vast majority of security experts 
explain that creating special access for law enforcement would 
still introduce into the digital space significant security 
weaknesses--at a time when we need the strongest possible 
cybersecurity. Just yesterday, a group of the world's 
preeminent computer scientists and security experts released a 
report concluding that any special access for law enforcement 
would pose ``grave security risks, imperil innovation, and 
raise thorny issues for human rights and international 
relations.'' Last month, nearly 150 security experts, tech 
companies, and other organizations wrote to the President 
making similar points, and I would ask consent that these 
materials be made part of the record.
    Chairman Grassley. Without objection.
    [The information appears as a submission for the record.]
    Senator Leahy. Even if the U.S. were to take steps to 
facilitate law enforcement access to encrypted communication, I 
think we have to ask ourselves how much would it help. You know 
that strong encryption is still going to be available from 
foreign providers, although they have their own problems, as 
this article in The Wall Street Journal yesterday showed, where 
it says a foreign company, an Italian company, a hacking 
software firm, was hacked. This was a firm that was supposed to 
be a specialist in hacking. They themselves got hacked.
    I also want to say that we have to ask ourselves, do we put 
American companies in one position and the rest of the world in 
an entirely different one? Then we lose the edge that we have 
in innovation today.
    I hope when we have some--I think it is important we are 
having this hearing today, but I hope when we have further 
hearings, we will have witnesses from the technology industry, 
which would be directly affected by any effort to regulate 
encryption. I would ask that materials from that industry be 
placed in the record.
    Chairman Grassley. Without objection.
    [The information appears as a submission for the record.]
    Senator Leahy. I think we are very fortunate, Mr. Chairman, 
to have Deputy Attorney General Yates here. It is her first 
appearance before this Committee since her confirmation. It is 
always good to see Director Comey, who was in Vermont a couple 
months ago. The only disadvantage to that, while I have always 
been used to pictures of me in the paper in Vermont, I was 
always the tallest one in the room. They are asking, ``Who is 
the little guy with Director Comey?'', when it was in the 
Vermont press.
    Thank you.
    Chairman Grassley. I will introduce the witnesses before I 
administer an oath.
    Our first witness is Deputy Attorney General Sally Yates. 
Ms. Yates was recently sworn into her current position. She 
previously served as U.S. Attorney for the Northern District of 
Georgia since 2010. Before that, she was a line prosecutor and 
supervisor with the U.S. Attorney's Office there, where she led 
a number of investigations and prosecutions and, maybe most 
famously, the prosecution of Olympic Bomber Eric Rudolph. Ms. 
Yates is from Georgia and received her undergraduate and law 
degrees from the University of Georgia.
    Our second witness is FBI Director James Comey, and I often 
say how smart he is because he married a girl from Iowa. Mr. 
Comey took over the leadership of the FBI in 2013. He 
previously served under President George W. Bush as Deputy 
Attorney General, U.S. Attorney for the Southern District of 
New York, and Managing Assistant U.S. Attorney in the Eastern 
District of Virginia. Between his careers in public service, 
Mr. Comey was general counsel at Lockheed Martin and worked at 
a hedge fund. Mr. Comey is from New York, received his 
undergraduate degree from William and Mary, and went to law 
school at the University of Chicago.
    I thank both of you for being here, and before we begin, 
since this is an oversight hearing, I would like to swear you 
in, if you would. Do you affirm that the testimony you are 
about to give before the Committee will be the truth, the whole 
truth, and nothing but the truth, so help you God?
    Deputy Attorney General Yates. I do.
    Director Comey. I do.
    [Witnesses are sworn in.]
    Chairman Grassley. Thank you.
    Ms. Yates, would you proceed, please? We always have to 
remind people to turn on their microphones, so I might as well 
do that now.

         STATEMENT OF HON. SALLY QUILLIAN YATES, DEPUTY

         ATTORNEY GENERAL, U.S. DEPARTMENT OF JUSTICE,

                         WASHINGTON, DC

    Deputy Attorney General Yates. Good morning, Chairman 
Grassley, Ranking Member Leahy, and Members of the Senate 
Judiciary Committee. Thank you for this opportunity to talk 
with you this morning about the information and collection 
problem that we commonly refer to as ``Going Dark.'' I think 
that Senators Leahy and Grassley's statements this morning 
really pointed out a number of the difficult issues surrounding 
this problem.
    Twenty-five years ago, I started my career at the Justice 
Department prosecuting pretty much every kind of case there is, 
from guns and drugs to financial fraud and terrorism. During 
that time, the world has changed in really remarkable ways.
    Technological innovations have changed the way that we 
communicate with our colleagues and our loved ones, and 
increasingly sophisticated means of encryption have helped to 
ensure that these communications remain private.
    For many reasons, these have been very good developments, 
and these are developments that the Department of Justice 
embraces. It is important that we not let these technological 
innovations undermine our ability to protect our country from 
significant national security threats and from public safety 
challenges.
    The Fourth Amendment of the Constitution and our criminal 
justice system provide a well-balanced framework for a careful 
balance between privacy rights and public safety, while 
adhering to the basic principle of judicial authorization 
established by probable cause and determined by a neutral 
judge.
    That framework governs searches of everything, including 
all communications, regardless of whether they are by private 
letter or smartphone and regardless of whether we are 
wiretapping a landline or intercepting instant messages over 
the latest applications.
    This framework has protected the interests that we all have 
in safety and in privacy for many years. Recent technological 
innovations threaten that careful balance. Although we still 
have the statutory authorities that Congress provided to us to 
protect the community, like the Wiretap Act and like FISA, 
increasingly we are finding that even when we have the 
authority to search certain types of digital communications, we 
cannot get the information that we need because encryption has 
been designed so that the information is only available to the 
user, and the providers are simply unable to comply with a 
court order or a warrant.
    The need and the justification for the evidence has been 
established, and yet that evidence cannot be accessed. Critical 
information becomes, in effect, warrant-proof. Because of this, 
we are creating safe zones where dangerous criminals and 
terrorists can operate and avoid detection. It impacts us in 
two ways: We cannot get access to information that is stored on 
someone's smartphone, like a child pornographer's photographs 
or a gang member's saved text messages. This is known as ``data 
at rest.'' We also at times can no longer effectuate wiretap 
orders to intercept certain communications as they happen, like 
ISIL members plotting to carry out an attack in the United 
States or a kidnapper communicating with co-conspirators. This 
is known as ``data in motion.''
    These technological changes come with real national 
security and public safety costs. In just the short months that 
I have been serving as Deputy Attorney General, I have seen the 
threat picture from ISIL change. ISIL currently communicates on 
Twitter, sending communications to thousands of would-be 
followers right here in our country. When someone responds and 
the conversations begin, they are then directed to encrypted 
platforms for further communication. Even with a court order, 
we cannot see those communications. This is a serious threat, 
and our inability to access these communications with valid 
court orders is a real national security problem.
    The current public debate about how to strike the careful 
balance between private rights and public safety has at times 
been challenging and highly charged. I believe that we have to 
protect the privacy of our citizens and the safety of the 
internet. Those interests have to be balanced against the risks 
that we face from creating warrant-proof zones of 
communication.
    There are no easy answers to this dilemma, and reasonable 
people can disagree on where that balance should be struck. I 
do not think that we advance the analysis to vilify those who 
prioritize privacy for their customers. From where I sit, as 
Deputy Attorney General, I believe that that balance must be 
struck in such a way that allows us to continue to enforce 
court orders to obtain the critical information that we need to 
combat crime and national security threats.
    Regardless of how one believes that that balance should be 
struck, we can all agree that we need to have ongoing, honest, 
and informed conversations about how to protect liberty and our 
security.
    I want to thank you again for giving us this opportunity 
this morning to highlight this growing threat to public safety. 
We must find a solution to this pressing problem, and we need 
to find it soon. The Government's ability to protect our Nation 
from our most significant threats, both foreign and domestic, 
depends on it.
    I look forward to answering your questions.
    [The prepared statement of Deputy Attorney General Yates 
appears as a submission for the record.]
    Chairman Grassley. Thank you, Ms. Yates. Director Comey, 
thank you.

             STATEMENT OF HON. JAMES B. COMEY, JR.,

           DIRECTOR, FEDERAL BUREAU OF INVESTIGATION,

                         WASHINGTON, DC

    Director Comey. Thank you, Mr. Chairman, Senator Leahy. 
Senators, it is great to be back before the Committee. Thank 
you so much for this opportunity. Thank you, Mr. Chairman, for 
styling this as a conversation.
    As Senator Leahy said, I have heard lots of folks refer to 
what went on 20 years ago as the ``Crypto Wars.'' I am not 
looking to fight a war. I am not up here trying to win 
anything. I think the folks involved in this conversation in 
the private sector and in the Government care about the same 
things. I care deeply--it is part of my job, it is also part of 
my life--about security on the internet. One of our primary 
responsibilities at the FBI is cybersecurity. Encryption is a 
great thing. It keeps us all safe. It protects innovation. It 
protects my children. It protects my health care. It is a great 
thing.
    We also care about public safety. That is what I have 
devoted my life to. That is what Sally Yates has devoted her 
life to. I think all Americans care about the same things. 
There is not a war being fought here. There is, I hope, a 
conversation among serious people to figure out is there a way 
to maximize both, to keep ourselves secure on the internet and, 
as best we can, to keep ourselves safe in our streets and our 
communities, because I do believe, as the Deputy Attorney 
General has said, we stand at an inflection point. There has 
always been a crypto discussion, but the world has changed in 
the last 2 years. Decryption has moved from being something 
available to something that is the default, both on devices and 
on data in motion, as you said, Mr. Chairman. We are moving 
inexorably to a place where all of our lives, all of our papers 
and effects, all of our communications will be covered by 
universal strong encryption, and that is a world that in some 
ways is wonderful and in some ways has serious public safety 
ramifications. I hope we can have a conversation about that 
before we get to that world and people start looking at us and 
saying, ``What do you mean you cannot? What do you mean you 
cannot do what we pay you to do?''
    The ISIL threat I think illustrates the inflection point. 
As the Deputy Attorney General said, this is not your 
grandfather's al-Qaeda. This is a group of people using social 
media to reach thousands and thousands of followers, find the 
ones who might be interested in committing acts of violence, 
and then moving them to an end-to-end encrypted messaging app. 
Our job is to look at a haystack the size of this country for 
needles that are increasingly invisible to us because of end-
to-end encryption. This is something we have to talk about as a 
people.
    The FBI is not some alien force imposed upon the United 
States. We belong to the American people. The tools we have are 
only tools given to us by the American people through this 
Congress. I am finding that the tools we are being asked to use 
are increasingly ineffective in our national security work and 
in our criminal work. And I think my job is to tell folks about 
that so we can talk about it.
    I do not come with a solution. This is a really, really 
hard problem. I hear lots of folks say, ``It is too hard, 
cannot be fixed.'' My reaction to that is: ``Really?''
    I think Silicon Valley is full of folks who, when they 
stood in their garage years ago were told, ``Your dreams are 
too hard to achieve; it is too hard.'' Thank goodness they did 
not listen, and they built remarkable things that have changed 
all our lives. Maybe this is too hard, but given the stakes, 
given the importance of security on the internet and public 
safety for the good folks of this country, we have got to give 
it a shot. I do not think it has been given an honest, hard 
look, which is why I am so grateful for this conversation.
    Thank you for this opportunity.
    [The prepared statement of Director Comey appears as a 
submission for the record.]
    Chairman Grassley. Thank you both for your testimony.
    Normally we have 7-minute rounds, but we have got two 
panels, so I think I am going to limit it to 5 minutes unless 
somebody objects to that.
    Director Comey, you have spoken repeatedly about the impact 
that going dark is a problem and the problem it is having on 
the FBI's ability to protect the country from terrorism, 
particularly by Americans recruited by ISIS to carry out 
attacks here. You have spoken about how your job is to find 
needles in a haystack and that because of ISIS directing these 
recruits to encrypted messaging, the needles are now invisible.
    You were kind enough to provide a classified briefing for 
Members of Congress and staff earlier today, but in order to 
have us have a public debate, the people deserve to hear as 
much as you can tell them about the issue without compromising 
anything.
    Question: What more can you tell the American people about 
how the going dark problem is affecting FBI's ability to 
protect the United States from ISIL and other terrorists?
    Director Comey. Thank you, Mr. Chairman. I think the 
American people need to know the terrorism threat today is very 
different. Al-Qaeda, before 9/11 and in the years after 9/11, 
was focused on the national landmark, multi-pronged 
sophisticated attack where they would carefully select 
operatives, put them in place, train, surveil over many, many 
months or years.
    ISIL is totally different. ISIL is reaching out, primarily 
through Twitter, to now about 21,000 English language 
followers. There is a group of tweeters in Syria, and their 
message is two-pronged: Come to the so-called caliphate and 
live a life of some sort of glory or something; and if you 
cannot come, kill somebody where you are, kill somebody in 
uniform, kill anybody. If you can cut their head off, great. 
Videotape it, do it, do it, do it. They are pushing this 
through Twitter. It is no longer the case that someone who is 
troubled needs to go find this propaganda and this motivation. 
It buzzes in their pocket.
    There is a device, almost a devil on their shoulder, all 
day long saying, ``Kill, kill, kill, kill.'' If they find 
someone--and they have found many of those someones in the 
United States who are interested in this. We can see Twitter. 
We will see them give them directions to a mobile messaging app 
that is end-to-end encrypted and tell them, ``Contact me 
here,'' and they disappear.
    I have investigations in all 50 States of people who are 
consuming this stuff. It is buzzing in their pocket all day 
long, and they are trying to seek meaning in some sick way, and 
they are responding to this. Then they disappear and move over 
to mobile messaging apps. This is an enormous problem. It is 
very different. Al-Qaeda would never vet an operative by 
tasking them. ISIL says, ``Go kill, go kill, and here is a list 
of military members you can go kill. Go do it.''
    We are stopping these things so far through tremendous hard 
work, the use of sources, the use of online undercovers. It is 
incredibly difficult. I cannot see me stopping these 
indefinitely. I am not trying to scare folks. I just want 
people to know this is a change in my world, in the top 
responsibility of the FBI, that implicates this going dark 
problem, they come together. I really think we have to talk 
about it.
    Chairman Grassley. Okay. Ms. Yates, the going dark problem 
is not completely new. In 2012--so you are not responsible for 
this--there were reports that the FBI and the Department of 
Justice had settled on legislative proposals to expand CALEA. 
During an FBI oversight hearing that year, I told Director 
Mueller that Congress was quote, ``waiting patiently for the 
administration to put forth a proposal,'' end of quote, that 
would address that issue. Such a proposal would have at least 
moved the debate forward, but here we are in 2015. We are 
hearing from both you and the Director that this is a major 
problem.
    In January, the President acknowledged that, quote, ``The 
laws that might have been designed for the traditional wiretap 
have to be updated,'' end of quote. Yet this administration 
still has not come forward with a legislative proposal.
    Question: Is the administration any closer to coming 
forward with a proposal and a legislative solution to the going 
dark issue? Then, also, what happened to the proposal from 
2012, if you can tell us about that? Obviously, you were not in 
office then, so go ahead and tell us what you know.
    Deputy Attorney General Yates. Thank you, Mr. Chairman. The 
approach of the administration is not to try to have a one-
size-fits-all legislative solution at this point to essentially 
cram down the throats of the technology industry. Instead, what 
we want to do is actually to work with the communications 
providers to try to figure out a way with them where we can get 
access to the information that we need through them, while at 
the same time we are protecting the privacy interests that all 
of us have, as well as the internet security interests that we 
have.
    Our goal here is not to mandate a legislative solution that 
might not be the best way to approach it for these different 
providers but, rather, to have each provider think about and 
work out a way where they will be able to respond to lawful 
court orders.
    We are not seeking a front door, back door, or any other 
kind of door. We are not seeking for the Government to have 
direct access to any of these communications. We are seeking to 
work with the industry such that they will be able to respond 
to these valid orders.
    Chairman Grassley. We will not have a legislative proposal. 
Then let me ask you, along the lines of what you are trying to 
do is lead by persuasion, is the way I interpret it. Is there a 
process in place or a target timeline within the administration 
to reach the end results that you hope to reach?
    Deputy Attorney General Yates. Let me be clear. We are not 
ruling out a legislative solution if that is ultimately what is 
necessary. We think that the more productive way to approach 
this, the best way to approach it, is to work with the industry 
to come up with individualized solutions for each particular 
company rather than a one-size-fits-all solution.
    Chairman Grassley. Okay. Senator Leahy.
    Senator Leahy. Thank you, and Senator Schumer has asked me 
to put his statement in the record, so I ask consent that we do 
that.
    Chairman Grassley. Oh, I am sorry. What did you ask?
    Senator Leahy. Chuck Schumer wants his statement in the 
record.
    Chairman Grassley. Oh, yes, without objection.
    [The information appears as a submission for the record.]
    Senator Leahy. Okay.
    To sort of follow on what you were just saying with Senator 
Grassley, that in this case, just as the previous 
administration talked about and raised, appropriately, the 
concerns, did not have--the last administration did not have a 
legislative solution they are proposing, and that is the same 
situation today. You are raising the problems that are here, 
but----
    Deputy Attorney General Yates. That is right. We are not 
suggesting a legislative solution today. That may ultimately be 
necessary, but we are hopeful that it will not be.
    Senator Leahy. That is very similar to the position of the 
last administration, and I do not mean that as a criticism of 
either administration. It is such a complex and moving target. 
I think as the Director has pointed out, it is creating 
increasing problems for the FBI and for other law enforcement. 
I see District Attorney Vance in the audience and others. It is 
a problem for all of them.
    A group of the world's leading computer scientists issued a 
report detailing the significant security risk, as they see it, 
of providing special law enforcement access to encrypted data. 
That is this report. They concluded that the security risks are 
even greater now than they were in the 1990s when we first 
debated this. The report highlights that the technical 
challenges have become even more difficult, and multiple 
countries seek their own methods of access. We learned what 
happened with OPM, the hack that affected millions of Federal 
workers and reduced confidence in the Government being able to 
protect data. I know the device encryption presents a different 
set of security issues.
    Would you agree that we have to carefully consider 
cybersecurity risks in any proposal?
    Deputy Attorney General Yates. Absolutely, Senator. We do 
have to carefully consider it.
    I do want to clarify one thing, though, and that is that we 
are not seeking special law enforcement access to any 
information. Instead, what we are seeking is that the 
individual companies retain some ability to be able to respond 
to lawful orders. Many of our communications companies, in 
fact, retain that ability, and they do so with strong 
encryption. They retain that authority for a variety of 
reasons. Sometimes it is a business reason because they want to 
be able to sell ads, for example, to their customers. Sometimes 
they do it for security reasons because they want to be able to 
scan for malware. These companies find a way to be able to 
continue to have access to their customers' information while 
also providing strong encryption, and so that is what we are 
seeking----
    Senator Leahy. I remember when we had a debate in this 
Congress on the illegal sale of content on the various 
companies that have websites and how upset they were and got 
everybody all upset that we were somehow delving into their 
personal information, and so the legislation went nowhere. Then 
about a week later, it turned out one of the biggest of those 
companies was data mining their own customers, the sort of 
things they were warning them about, because they were selling 
ads.
    Incidentally, that report, Mr. Chairman, I would ask that 
the report be part of the record.
    Chairman Grassley. Yes, it will be part of the record, 
without objection.
    [The information appears as a submission for the record.]
    Senator Leahy. I was struck, Director Comey, by your 
comment about devil on the shoulder, and without going into 
some of the classified things, not only the briefing this 
morning but in other briefings I have had, I am struck by so 
many of these people that have been brought into this network; 
their age, young people, the same as the horrific case of the 
young person who murdered the people in Charleston, obviously 
susceptible from a lot of the websites he read.
    Didn't the FBI recommend on its website a series of safety 
tips for mobile phone users that users could employ encryption 
to protect the user's personal data in the case of loss or 
theft? I do not know if that is still on your website, but it 
was on there originally.
    Director Comey. I am sure that we did. I hope it is still 
there. I think encryption for that reason is a very good thing, 
as I said earlier.
    Senator Leahy. Last, I know we are going to have a meeting, 
Deputy AG Yates. We talked about this briefly as we were 
leaving the meeting on sentencing reform. Does the Department 
have a position on the Smarter Sentencing Act and its impact on 
public safety other than the fact that we are spending about a 
third of the Department of Justice's budget on running the 
Bureau of Prisons?
    Deputy Attorney General Yates. Indeed we do have a 
position, Senator, and that is, we are strongly in favor of the 
Smarter Sentencing Act. We think it is critical not only to 
ensure that we are administering justice in a fair and 
equitable way, but it also is the only thing that makes any 
fiscal sense going forward.
    Senator Leahy. Thank you. As an old trial lawyer, I would 
not have asked that question if I did not know the answer. 
Thank you.
    Chairman Grassley. Obviously, I was born at night, but not 
last night, and I know that question was a reference to me, and 
I want everybody to know that we are working hard on getting a 
sentencing reform compromise that we can introduce. If we do 
not get one pretty soon, I will probably have my own ideas to 
put forward.
    We will do it in this order: Senator Lee is next, and then 
Senator Feinstein.
    Senator Lee. Thank you very much to both of you for joining 
us today, and thanks for all you do to keep us safe and to 
maintain law and order in our country in very difficult times. 
You both come to us with very impressive credentials and having 
considered a lot of these issues at great length.
    Consumers have, understandably, demanded greater privacy 
protections, and tech companies have responded to this by 
offering very strong encryption in the services that they 
offer.
    There are now concerns regarding law enforcement's access 
to the data that it needs to disrupt criminal activities and 
secure convictions. These concerns are, of course, real and 
complex for reasons that you have outlined. They deserve 
serious thought, and it is, of course, Congress' job, it is 
Congress' duty to consider any appropriate solutions.
    I think we should be wary of reaching first for the most 
blunt and sweeping type of solution. We need to be wary of 
precipitously adopting the wrong approach.
    Some have suggested that Congress should compel tech 
companies like Apple and Google to create a back door in their 
encryption walls through which law enforcement could gain 
passage if it secured an appropriate warrant. That approach, 
the enactment of a new Federal Government mandate, threatens to 
undermine consumer choice, weaken American companies, and 
create a back door for Chinese, Russian, or perhaps other 
hackers from around the world. At least at this stage, we 
should be able to do better. Again, I thank you both for coming 
to talk to us about these very important questions.
    You may be aware that last month the House overwhelmingly 
approved two amendments to an appropriations bill that would 
bar any agency from attempting to mandate that a tech company 
provide a back door of some kind or another. With such a clear 
demonstration of political opposition to mandating back doors 
in mind, what alternative policy proposals have you considered 
by which Congress could address the so-called going dark 
concern?
    Deputy Attorney General Yates. First, Senator, we are not 
seeking a back door, and I understand why that makes people 
uncomfortable. Consumers have, rightly, demanded that companies 
be able to provide them with the kind of privacy and security 
that they need.
    What we are seeking is to be able to work with the industry 
such that the companies themselves will retain an ability to be 
able to access the information and to provide that information 
to us with lawful court orders. This is not the situation of 
the 1990s where it was discussed at that time that the 
Government actually would retain keys and would have an ability 
to be able to access consumer information.
    What we are talking about is the individual companies, many 
of which are already doing this right now for their own 
business purposes or other security purposes, while still 
maintaining strong encryption. What we are asking is that 
public safety and national security also be one of the factors 
that industry considers in determining what type of encryption 
to use.
    Senator Lee. You are saying that in some cases the back 
door that you would want to access through a warrant already 
exists, the company has the key, it uses it for its own 
purposes internally?
    Deputy Attorney General Yates. Right. There are a number of 
the communications companies that do retain the ability to 
access their customers' information, and they do that with very 
strong encryption. They value privacy, and they value security 
as well. We are able to execute warrants in court orders with 
those companies. It is the evolution of what they call end-to-
end encryption, where the only person who has access then is 
the user. In those relatively rare but critically important 
instances where we need to be able to get those communications, 
the only one who can access it is the bad guy, and that creates 
a very dangerous situation.
    Senator Lee. Are there companies with technologies that do 
not have that kind of capability? In other words, are there 
companies that don't have access to some devices, even for the 
company's own purposes, even when it is deemed to be in the 
interest of the company, do not have access to whatever is 
encrypted and is on the device?
    Deputy Attorney General Yates. There has been an 
evolution--very recently, but there has been an evolution--
where, yes, some companies do not retain access either to data 
in motion or data at rest. What that means, for example, if we 
were to get some phones, some cell phones, it is essentially a 
brick to us. We cannot access any of the information on that 
phone. That is a problem for a number of reasons. We know 
pedophiles, for example, those who are exploiting children, 
maintain their information, maintain the photographs and 
records of the children they are abusing on their phones. We 
cannot get that information, we cannot identify other victims, 
and we cannot identify others who are abusing and exploiting 
children because we cannot get access to that device. We cannot 
get it because the company no longer has access to that device.
    Senator Lee. My time has expired, but let me ask just one 
quick follow-up. As to those companies that do not have a key 
to the data in motion or the data at rest, either or both, what 
are you recommending that we do?
    Deputy Attorney General Yates. We are recommending that you 
engage with the industry, as we are now, to work with them to 
be able to find a way, some technological way--and as Director 
Comey was saying, I, too, have a lot of confidence in the minds 
in Silicon Valley to be able to identify a way for us to be 
able--in those rare instances to be able to get access to that 
information through them, not directly but through them.
    Chairman Grassley. After Senator Feinstein, it will be 
Senator Tillis, unless Senator Perdue comes back. Senator 
Feinstein.
    Senator Feinstein. Thanks very much, Mr. Chairman.
    Director Comey, I want to start by thanking you and the men 
and women of the FBI for all the extraordinary efforts that are 
taking place to keep this country safe. I am aware of what you 
are doing, and I just want you to know how grateful I believe 
Americans are for this service. It is not easy, I know, and I 
also know it is very costly. I think the activities that are 
going on are really excellent, and so thank you very, very 
much.
    I would like to read a paragraph from the district attorney 
of the largest D.A.'s office in America, and, of course, that 
is Los Angeles. Jackie Lacey writes to this Committee, ``While 
I fully understand and appreciate the tremendous value of 
privacy, the terrible costs that Apple's and Google's actions 
will have on State and local law enforcement and on crime 
victims across the country must also be considered. Simply put, 
if criminal wrongdoers can hide the evidence of their crimes on 
their smartphones, and if that evidence is forever beyond the 
reach of law enforcement, then crimes will go unsolved, 
criminals will go free, and the safety of all of our citizens 
will be diminished. In the arms race between criminals and law 
enforcement, the criminals will have won.''
    I actually think she is correct. I think this is a most 
serious problem, and I myself, who represents Silicon Valley, 
have tried to interact with them. In May, I met with the 
general counsels from several of the major internet and social 
media companies, to include Google, Facebook, Yahoo, Twitter, 
and Microsoft. I met in California; also the general counsel 
from Microsoft came back to meet me here in Washington. That 
was to discuss the terrorists' use of their products to 
recruit, inspire, and direct attacks. I would like to just tell 
you what I understand the companies are doing.
    Twitter, Facebook, and YouTube all, as I understand it, 
remove content on their sites that comes to their attention if 
it violates their terms of service, including terrorism. Those 
companies actually remove thousands of posts, tweets, and 
videos every month and take down user accounts. The companies 
do not proactively monitor their sites to identify such 
content, nor do they inform the FBI when they identify and 
remove their content. I believe they should.
    I think, as you have suggested, Director Comey, that there 
really are grounds to have these discussions and would like to 
suggest that you pull together the CEOs of these big companies 
and say directly to them what you have said to us. I have no 
question from an intelligence point of view supporting 
virtually every one of your words. You are absolutely correct, 
because where we are going is to allow those who would do us 
enormous harm a respite from any kind of interaction with law 
enforcement. That is the black situation that is increasingly 
existing.
    As you know, I have been very concerned about the 
proliferation of materials, particularly bomb-making materials, 
and particularly one of the latest publications which has a 
recipe for a nonmetallic bomb that will go through a 
magnetometer, which is an actual recipe. It tells people where 
to sit on a plane to have maximum effect. It tells people 
specific people to go after and kill and which airlines to get 
on.
    The question comes: Should this also be able to be picked 
up by anyone with a couple of clicks of their computer? It is 
my understanding that the Boston bombers received their 
materials on how to build the pressure cooker bomb from one of 
these manuals. Is that correct?
    Director Comey. Yes, Senator.
    Senator Feinstein. I think it says a little bit about the 
depth and size of the problem that we face for civilian law 
enforcement as well as for any activity that is going to keep 
this country safe in being able to interdict a possible 
terrorist threat.
    Let me ask a couple of questions. If the FBI was aware of 
communications happening on messaging apps, regardless of 
whether those apps are used on Apple or Android devices, what 
judicial process is currently available to obtain those 
communications?
    Director Comey. In theory, a court order from a judge in a 
criminal case under Title III or a court order from a judge in 
a national security intelligence case. If the data is strongly 
encrypted, we can collect it, but it will be gobbledygook.
    Senator Feinstein. What you are saying----
    Director Comey. Strong encryption----
    Senator Feinstein [continuing]. Is you have no recourse--is 
that right?--if the data is encrypted, currently, for a 
national security concern, to obtain that data.
    Director Comey. Right, if we intercept data in motion 
between two encrypted devices or across an encrypted mobile 
messaging app, and it is strongly encrypted, we cannot break 
it. This is sometimes--I hate that I am here saying this, but I 
actually think the problem is severe enough that I need to let 
the bad guys know that. That is the risk in what we are talking 
about here. I am just confirming something for the bad guys. 
Sometimes people watch TV and think, well, the FBI must have 
some way to break that strong encryption. We do not, which is 
why this is such an important issue.
    Chairman Grassley. Senator----
    Senator Feinstein. Mr. Chairman.
    Chairman Grassley. Go ahead.
    Senator Feinstein. This is where I think we need to go. I 
think we need to provide a court-ordered process for obtaining 
that data.
    Chairman Grassley. Senator Tillis, and thank you, Senator.
    Senator Feinstein. Thank you.
    Senator Tillis. Thank you, Mr. Chairman. Director Comey and 
Deputy Attorney General Yates, welcome. Thank you both for your 
service. Ms. Yates, congratulations on your confirmation.
    I would like to start with you. I think this is a very 
difficult subject for people watching this hearing or people 
reading a newspaper to understand what we are talking about. I 
would like to start by having you describe--and your opening 
comments is what prompted me to ask this question. The process 
that we are talking about going through, I think that many 
citizens believe that if we had this capability that I agree 
that we need, we would suddenly be analogous to police cars 
just riding up and down the road watching every telephone 
conversation, every text message, every tweet, every Snapchat, 
and then deciding, well, there is criminal activity there, I 
have got to go after it.
    Could you describe maybe in lay terms the process that you 
would have to go through to get to the point, to have already 
identified suspected criminal activity, to get to the point 
where you would want this capability to go further in your 
investigation?
    Deputy Attorney General Yates. Sure, and I think one of the 
things that is important that we do is to identify that we are 
not seeking any new authority that we do not already have. We 
already have the authority that we need under the wiretap 
statute and under FISA. What we do not have now is the 
capability to be able to execute that authority.
    Before we can go out and we can get a wiretap, we have to 
go to a judge, and we have to lay out in great detail the 
information that we have that establishes that there is 
probable cause to believe that an individual is involved in 
criminal activity and that that phone, that device, is being 
used in furtherance of that criminal activity.
    We have to--the judge has to review this, determine that he 
or she agrees with us that probable cause has been established, 
and then there are very strict rules about how long we can 
intercept the communications, as well as very strict rules 
about minimizing our review of any communications that do not 
relate to that criminal activity.
    Senator Tillis. There is a very specific and thoughtful 
process that you go through to get this information, and right 
now, as Director Comey said, you get it, but it is 
gobbledygook. It would be analogous to getting some sort of 
warrant and getting documents that have been all been shredded 
and pieces deleted; it is unusable. All you are really looking 
for is being able to use that information that you have 
rightfully obtained authority to look at to continue your 
criminal investigation.
    Deputy Attorney General Yates. That is absolutely right.
    Senator Tillis. Okay. Director Comey, you are the first 
person to give me the chance to use the word ``gobbledygook'' 
in a hearing, so I appreciate that. A question that I had for 
you really relates to the--when we are talking about 
intercepting and accessing criminal communications, I think you 
made a very good point which is also important for Americans to 
understand. We are fighting a war on terror, and we are 
fighting--one of the theaters of that war is our homeland. You 
mentioned, I think, some 20,000 suspected activities in every 
State. I know you are trying to intercept and access criminal 
communications. Is encryption the only impediment that you are 
facing right now? Or are there other things that we should open 
this discussion to, to help you be in a better position to do 
your job?
    Director Comey. Thank you, Senator. Just to quickly echo 
what the Deputy Attorney General said, the design of the 
Founders is genius for a lot of reasons, but the Fourth 
Amendment prohibits--it is against the law, folks will go to 
jail if there are general warrants. If law enforcement is 
reading everybody's Snapchats or everybody's Instagram posts, 
you cannot do that. It is particularized based on probable 
cause. It is a tradeoff inherent in ordered liberty that our 
Founders came up with. It is genius. It governs my entire life.
    With respect to the terrorism threat that we are facing, it 
is a--actually, I just lost my train of thought, Senator. I 
threw in the add-on. Can you tell me your question again?
    Senator Tillis. It was about other things, other tools that 
you may want.
    Director Comey. Thank you.
    Senator Tillis. Or need.
    Director Comey. Sorry for the gobbledygook in my head.
    Senator Tillis. It is okay. You scared me. I thought I lost 
my line of questioning.
    Director Comey. The encryption is a piece of a broader 
problem we call going dark. Sometimes going dark includes just 
our ability to get companies to comply, who have the 
capability, to comply with the laws that exist today. That is 
actually a significant issue we face where folks could do it 
but they say, ``We are not going to do it.'' We are faced with 
a dearth of a lack of enforcement mechanisms.
    Then, obviously, locked devices is the one that I think 
resonates most with ordinary Americans, right? One of your kids 
disappears, and their cell phone is left behind, and it is one 
of the new phones that is locked. We will not be able to open 
it for you to tell you who they were texting with.
    I have five kids. That is a big problem. That is a big 
piece of the going dark problem.
    Senator Tillis. Thank you, and my time is up. I spent most 
of my time in the high-tech sector. I share your optimism with 
our brilliant innovators coming up with a way to do this in a 
way that I think will actually be a market opportunity for 
them. I do wonder--because we are talking about Apple and 
Google--wonder whether or not to make sure we set standards 
that there is not going to have to be at some point down the 
road some legislative standards, because there will be another 
Google, there will be another Apple, and we need to make sure 
we are laying the ground work where we are not rethinking this 
again a year or two from now. Thank you.
    Chairman Grassley. Senator Whitehouse, and then Senator 
Cornyn.
    Senator Whitehouse. Thank you.
    Let me just set out kind of a hypothetical case. A girl 
goes missing. A neighbor reports that they saw her being taken 
into a van out in front of the house. The police are called. 
They come to the home. The parents are frantic. The girl's 
phone is still at home. Before this technology, what would law 
enforcement have done to help locate that girl that they now 
cannot do if the phone is encrypted pursuant to these new 
technologies?
    Deputy Attorney General Yates. Before the evolution of the 
type of encryption that we are talking about today, the company 
would have retained access, the ability to be able to open the 
phone, and so----
    Senator Whitehouse. The company would have done that.
    Deputy Attorney General Yates. The company would have. We 
would have had to have gotten a warrant for the company to then 
open the phone----
    Senator Whitehouse. The Government would not have. The 
company would have, and you would have had to get a warrant 
from a judge in order to access it, but you could.
    Deputy Attorney General Yates. We could, and that is all we 
are seeking now is for the company to have the ability to be 
able to open the phone.
    Senator Whitehouse. They have made the essentially 
unilateral decision not to--or actually to close off that 
access, correct?
    Deputy Attorney General Yates. Some companies have, and 
some still retain that access, yes.
    Senator Whitehouse. Mr. Comey, you mentioned that some 
folks could comply with requests, but they choose not to, some 
of these companies? Could you elaborate on that? Could you let 
me know if there is a record that is kept of these declinations 
by companies to cooperate with law enforcement and if that is a 
record that we could have access to on the Committee?
    Director Comey. Senator, I am sure that we have a record of 
it. I cannot sit here and give you chapter and verse on it, 
but----
    Senator Whitehouse. Let me make that a request for the 
record then.
    Director Comey. Sure, and we would be happy to give you 
that.
    Senator Whitehouse. Whatever you have that lets me know how 
that is happening.
    Director Comey. Yes.
    Senator Whitehouse. It strikes me that one of the balances 
that we have in these circumstances where a company may wish to 
privatize value by saying, gosh, we are secure now, we have got 
a really good product, you are going to love it, that is to 
their benefit. For the family of the girl that disappeared in 
the van, that is a pretty big cost. When we see corporations 
privatizing value and socializing cost so that other people 
have to bear the cost, one of the ways that we get back to that 
and try to put some balance into it is through the civil 
courts, through a liability system. If you are polluter and you 
are dumping poisonous waste into the water rather than treating 
it properly, somebody downstream can bring an action and can 
get damages for the harm that they sustained, can get an order 
telling you to knock it off. I would be interested in whether 
or not the Department of Justice has done any analysis as to 
what role the civil liability system might be playing now to 
support these companies in drawing the correct balance, or if 
they have immunized themselves from the cost entirely and are 
enjoying the benefits. I think in terms of our determination as 
to what, if anything, we should do, knowing where the 
Department of Justice believes the civil liability system 
leaves us might be a helpful piece of information.
    I do not know if you have undertaken that, but if you have, 
I would appreciate it if you would share that with us, and if 
you would consider doing it, I think that might be helpful to 
us.
    Deputy Attorney General Yates. Certainly, we would be glad 
to look at that. It is not something that we have done any kind 
of detailed analysis. We have been working hard on trying to 
figure out what the solution on the front end might be so that 
we are not in a situation where there could potentially be 
corporate liability for the inability to be able to access the 
device.
    Senator Whitehouse. In terms of just looking at this 
situation, does it not appear that it looks like a situation 
where value is being privatized and costs are being socialized 
under the rest of us?
    Deputy Attorney General Yates. That is certainly one way to 
look at it, and perhaps the companies have done greater 
analysis on that than we have. It is certainly something we can 
look at.
    Senator Whitehouse. All right. Thank you, Mr. Chairman. I 
appreciate this hearing. This is a very important issue, and 
the people who are going to pay the price, whether it is all of 
us through a terrorist attack of some kind someday or whether 
it is just family by family, as law enforcement is crippled in 
its ability to respond to ongoing dangerous criminal acts, 
there is a real price to be paid. There are two sides to this 
coin that we need to look at very carefully.
    Chairman Grassley. Thank you, Senator Whitehouse.
    Senator Cornyn, and then Senator Franken, and then I think 
it is Senator Hatch.
    Senator Cornyn. Thank you to both of you for being here and 
for your service. This is a very important topic, and I 
appreciate the spirit in which you have presented this to us. I 
do not believe that just because it is hard that that excuses 
us from making--using our best efforts to try to find a 
solution.
    Director Comey, I guess there may be some people listening 
who think that this is a fanciful idea that somehow by 
encrypting communications between ISIL overseas and Americans 
here at home, that somehow that will save American lives. Can 
you state without equivocation that unless we are able to solve 
this problem, Americans will die?
    Director Comey. Senator, we are going to do, as we do every 
day--I do nothing. I lead a remarkable organization. I have a 
whole lot of people who do a lot every day to do everything 
they can to make sure that does not happen. As I said, the 
tools we are given are the ones the American people give us 
through you. Whatever we have, we will work 24 hours a day to 
make sure that does not happen. I just think it would be 
irresponsible for me not to come to the Committee and say I see 
this tool, its effectiveness diminishing steadily, and I can 
imagine a future where it is useless to me. I am left having to 
follow people physically to see if I can tell what is in their 
head, trying to get undercovers in to talk to them or sources 
in to talk to them. We will do all of that.
    I do not want to scare people by saying I am certain people 
will die. What I am certain of is on the current course, 
current course and speed, my ability to discharge, my number 
one responsibility will be materially diminished in the not-
too-distant future. It is being diminished today.
    Senator Cornyn. It certainly raises the risk.
    Director Comey. Yes, it sure does.
    Senator Cornyn. I would just like to ask you, in terms of 
the framework of how we should think about this, if you are a 
regular American citizen and you are subpoenaed to come into 
court and you are sworn in by the judge, and you are asked a 
question, can you refuse to answer the question?
    Director Comey. You can assert a Fifth Amendment right not 
to answer the question, and then if----
    Senator Cornyn. Assuming there is no right against self-
incrimination, it is just you are providing information about a 
crime in which you are not directly implicated, would there be 
any basis, to your knowledge, for a citizen to refuse to answer 
the question?
    Director Comey. No. I think it is what they call black 
letter law that the grand jury is entitled to every man's--
every person's evidence.
    Senator Cornyn. If you do not, the judge can hold you in 
contempt and put you in jail until you do comply with the 
court's order to answer the question, correct?
    Director Comey. Yes, sir.
    Senator Cornyn. It strikes me that there may be some way 
of--just trying to think about the framework in which we ought 
to look at this--it strikes me as irresponsible, and perhaps 
worse, for a company to intentionally design a product in such 
a way that it prevents them from complying with a lawful court 
order, which is what Ms. Yates said you are seeking, a means to 
allow a response to a lawful court order. If you intentionally 
design a product in such a way that it prevents you from 
complying with a lawful court order, it strikes me that it is 
not a lot different. Maybe that is just food for thought. We 
ought to let that roll around in our brains awhile and think 
about that. I think we need to think about how to think about 
this and not in sort of any absolutist terms that will result 
in a higher risk of people being actually successfully targeted 
by ISIL here in the homeland, and then just responding after 
the fact, which I know you do not want to do and we do not want 
to do either.
    Ms. Yates, congratulations again for your confirmation. I 
just want to ask you on something a little bit different. I see 
that former Attorney General Eric Holder had suggested that 
there is a possibility that the Justice Department was entering 
into negotiations with Edward Snowden for some sort of plea 
deal. Are you aware of any negotiations on behalf of the U.S. 
Government, the Department of Justice, with Mr. Snowden?
    Deputy Attorney General Yates. Having read that same 
article myself, I believe what Attorney General Holder was 
saying was that he believed that there could be some deal that 
was possible. I can tell you it is the position of the 
Department of Justice that Mr. Snowden needs to return to the 
United States and face justice.
    Senator Cornyn. I appreciate your response. I would just 
ask, Mr. Chairman, I have a list of a couple of pages of harm 
resulting from Mr. Snowden's disclosure of classified 
information that I would like to be made part of the record.
    Chairman Grassley. Without objection, it will be made part 
of the record.
    [The information appears as a submission for the record.]
    Senator Cornyn. Based on my reading of the relevant 
charging documents, statutes, and the United States Sentencing 
Commission Guidelines, Mr. Snowden should not face any less 
than 12 to 20 years in Federal prison for his acts of illegally 
disclosing national defense information. I understand that that 
is the outward limit, presumably, and that a plea bargain could 
entail something different. The idea, as suggested in this 
article, that he would be subjected to only 3 to 5 years in 
prison strikes me as insulting and inappropriate. Thank you for 
your answer, and my time is up.
    Chairman Grassley. Senator Franken.
    Senator Franken. Thank you, Mr. Chairman, for this very 
complex problem that we are talking about today. Senator 
Cornyn, I think you put it very well, which is we need to think 
about how we think about this.
    Deputy Attorney General Yates, some people have 
characterized this issue as requiring a balance of privacy 
issues with security issues. You can also think of it, I think, 
as involving two kinds of security interests: on the one hand, 
law enforcement's interest in technologically unfettered 
access, and, on the other hand, our collective interests in the 
network and data security that strong encryption provides.
    Network and data security protect not only individuals' 
personal and financial privacy, but also protect the well-being 
of our critical infrastructure and the industries that drive 
our economy. With each new story about a cyber attack or 
breaches, Americans learn more about just how significant a 
security interest that we have in strong encryption.
    Before we or a regulatory body could really consider taking 
any kind of action in this arena, I think we first need to have 
a similarly clear understanding of the scope and the magnitude 
of law enforcement's security interest. To this date, we have 
not seen any real data about how often encryption is thwarting 
investigations. Can you shed any light on that? If DOJ does not 
have numbers to share at this time, is that something that 
could be studied?
    Deputy Attorney General Yates. Thank you, Senator. I want 
to tell you that we at the Department share your desire for 
strong encryption and share the desire that all of us in this 
country have for strong encryption.
    What we are concerned about, though, is warrant-proof 
encryption that then elevates the concern for privacy and 
internet security over our national security and public safety. 
We think that national security and public safety are factors 
that should always be considered in this balancing that we talk 
about here.
    With respect to numbers of cases that were thwarted or 
cases that we could not make, you know, it is really hard to 
prove a negative. For example, we do not go out and seek 
wiretaps now in applications where we know we are not going to 
be able to get that information. Preparing a wiretap 
application is a very time-consuming process, and when we know 
that that information is encrypted, we simply do not seek that 
warrant. Being able to give you hard numbers on the number of 
cases that have been impacted is really impossible for us.
    I can tell you from my experience as U.S. attorney and the 
experience that I have now in my capacity as Deputy Attorney 
General, we are encountering it every day. I remember when I 
was U.S. attorney and we would be up on wiretaps, and we would 
sometimes learn while we are up on a wiretap about a scheme to 
kill someone. Sometimes it was a witness. Sometimes it was a 
co-conspirator. Because we were up on that wiretap, we were 
able to thwart those plots and to stop people from being 
killed.
    With certain communications, we cannot be up on those 
wiretaps anymore. We do not have the ability to be able to 
listen and to be able to stop those violent acts from 
happening.
    I can tell you from personal experience it is happening, 
and it is happening every day, but we do not really have a 
mechanism--and I know that is frustrating for you, but we do 
not really have a mechanism to be able to give you numbers.
    Senator Franken. Right, but can there be--you are saying 
that there is no way to do a study that would yield any kind of 
valid numbers because you simply do not try to go after 
something you cannot go after?
    Deputy Attorney General Yates. Right, we do not go--we do 
not seek a warrant in a situation where we know we are not 
going to be able to get the information. We do not seek a 
wiretap when we know that it is encrypted and we know that we 
cannot get it.
    Senator Franken. Okay. I am trying to talk about how vexing 
a problem this can be, and so, I mean, you know, when you think 
about the OPM breach, now that is data that we held, the 
Government held.
    Deputy Attorney General Yates. Right.
    Senator Franken. I think that what I was talking about, 
this being also a security issue, I am just wondering that, is 
there a danger, if we do this wrong, of there also being a 
national security risk there. That is what I was talking about.
    Deputy Attorney General Yates. I think you are right. If we 
do this wrong, it could potentially increase the risk, which is 
one of the reasons why we are not coming to you today with a 
one-size-fits-all solution, which is one of the reasons why we 
really want to work with the industry on a company-by-company 
basis of what is going to be the best way for them to be able 
to ensure that their information remains secure, but in those 
instances where we have a valid court order, that we are able 
to get the information we need there. I think you are right, we 
have got to do this the right way.
    Senator Franken. Okay. I am out of my time, but thank you, 
and thank you, Mr. Chairman.
    Chairman Grassley. Senator Perdue, are you ready? Or I will 
call on Senator Hatch.
    Senator Perdue. No, sir. I am ready. Thank you.
    Chairman Grassley. Go ahead.
    Senator Perdue. Good morning. Thank you. I really 
appreciate the courtesy of giving us a private briefing earlier 
today. I am so proud that we have people of your caliber in 
your slots on the wall. I mentioned that to Ms. Yates walking 
over this morning.
    You know, 230 years ago, I do not think James Madison ever 
envisioned the internet, but he struggled with this thing that 
we are struggling with today of the balance between public 
safety and personal privacy. I look at the technology being 
developed, and it seems to be coming at us faster and faster. 
Here we have apps, we have platforms. This encryption is a very 
serious thing, and yet 1994 was the last time we had any real 
legislative adjustment here. I think that was CALEA. You know, 
just to put that in perspective, that was when Navigator--
Netscape Navigator was introduced in 1994. It was a long time 
ago. We know this is a tough question.
    Ms. Yates, you obviously have already had some conversation 
with the industry. I understand the conversation of trying to 
get everybody engaged. What is your plan relative to the idea 
of their responsibility as individual corporations versus this 
idea of public safety? How do we engage them, with or without 
legislation?
    Deputy Attorney General Yates. We have been engaging with 
the industry, and we have been having some productive 
conversations with individual companies and sometimes with 
groups in the industry. Look, the companies are not the 
villains here. They are responding to market demands, both to 
protect the privacy of their customers as well as the 
information security of their customers. That is one of the 
reasons why we think it is so important that we not mandate a 
solution across the board but, rather, work with them 
individually, because what works for one company to be able to 
maintain the security of their information while giving us 
access when we have a court order might not work for the other.
    We have been having some productive discussions. We are 
certainly hopeful that they will continue those discussions and 
that perhaps they will even be more incentivized to be creative 
and to try to think of ways where they can still protect those 
really important privacy and security interests while being 
able to give us the information we need to protect our national 
security and our public safety.
    Senator Perdue. Director, this process that we are talking 
about here, we know how long it takes to get legislation. When 
you get involved in an industry that has this many dimensions 
to it, you have got all these, like you said earlier today, 
these guys in a garage who have a new app, and there is one 
coming up every day, it seems. How do we catch up with that 
from an enforcement point of view and an interdiction 
perspective? I mean, this prevention is one thing that you guys 
are doing a great job over the last few years. I know most of 
that you cannot talk about. How do you see the timing of this 
relative to your two responsibilities?
    Director Comey. Senator, I think that it is, as the Deputy 
Attorney General said, something that we have to work on 
urgently. I also agree it is an unbelievably complicated 
problem. The proliferation of innovation is a wonderful thing, 
but it also makes it hard to work with individual players 
because there is a new garage every single day, and there is a 
big international component to this that I get that we have to 
figure out how to untangle as part of this so we do not hurt 
American innovation.
    I think the companies are run by good people. When we talk 
to them, they care about kids; they care about stopping 
terrorism. They care about the same stuff we do. It is just not 
their job to articulate the public safety risks here. That is 
our job. One of the reasons we are grateful for this 
conversation is so someone can articulate we have got a problem 
and bring the people together to try and solve it. Maybe it 
will require legislation. Maybe no one will have the incentive 
to be as creative as they need to be unless you force them to. 
I do not know. I do think there is an urgent need to have this 
conversation.
    Senator Perdue. Real quick, I am almost out of time, but 
this front-door versus back-door decryption capability, could 
you speak to that, Director, just a bit, and also the single 
key versus split key potential? I know we are getting ahead of 
ourselves, but these are the conversations you are going to be 
having technically with some of these developers. That, in 
combination with how do you ever deal with the new encryption 
apps that would be coming--and these are not companies. These 
are individuals, and they are in their garages today coming up 
with the next level of sophistication.
    Director Comey. The door metaphor throws me a little bit 
because, as the Deputy Attorney General said, we want people to 
be in a position to comply with judges' orders in the United 
States, which is rooted in our Constitution and part of ordered 
liberty. We want them, the creative people, to figure out how 
to comply with court orders. You should not be looking to the 
Director of the FBI for innovation. I can do many things well. 
I cannot think well about stuff like that. I need to tell you 
there is a problem, and great people need to think about it 
well and try and solve it.
    I get a little bit discouraged when I hear people saying, 
``Cannot be done. There is only a choice between secure and 
insecure.'' My response to that is, ``Really?'' I mean, there 
is no such thing as secure. There is only more secure and less 
secure.
    My question is, with all of us working together, how could 
we maximize both? Is it really impossible? Is it really binary? 
If you do it at all, it is all going to fall apart? I find that 
hard to believe. I know it was very hard in the 1990s. We have 
got a lot of smart people out there.
    Senator Perdue. Thank you again for what you are doing.
    Thank you, Mr. Chairman.
    Chairman Grassley. Senator Hatch.
    Senator Hatch. I want you both to know I have enormous 
respect for both of you. Let me just say you perform critically 
important work in safeguarding our country and bringing 
criminals to justice.
    At the same time, however, our constitutional laws 
recognize the importance of privacy and provide crucial checks 
on Government's ability to include private affairs. Protecting 
privacy means more than just preventing improper Government 
access. In our modern world where so much data is stored online 
or in electronic devices, it also means securing sensitive 
personal and financial information from hackers, identity 
thieves, and other bad actors.
    As Chairman of the Senate Republican High-Tech Task Force, 
I have had numerous conversations with industry leaders about 
the need for robust data protection. These leaders understand 
that today's consumers demand secure data and want assurances 
that their devices will not be hacked.
    Mr. Comey, with that background, let me begin by asking you 
about vulnerabilities. If we require companies that produce 
encrypted software for devices to create so-called keys to 
unlock encrypted data, how confident are you that hackers will 
not be able to exploit the vulnerabilities to access sensitive 
personal and financial data? Doesn't providing a way around 
encryption expose consumers to potential theft of personal 
information?
    Director Comey. Thank you, Senator. I understand from a lot 
of people smarter than I that there is risk whenever you try to 
create and accommodate both strong encryption and the 
Government's need to have court orders be enforceable, that 
there is risk. The question is, how much risk? How do we reduce 
that risk?
    A lot of smart people say you cannot, it is just 
impossible, and maybe that is where we end up. Maybe we end up 
in a place where the tools I have have to change in the way 
they have to change. I just do not think we have given it the 
try as a country that it needs to be given.
    Senator Hatch. Thank you.
    Ms. Yates, as a sponsor of the Law Enforcement Access to 
Data Stored Abroad Act, or LEADS Act, which is currently filed, 
I am sensitive to the fact that when we require businesses to 
provide law enforcement access to data both here and abroad, 
other countries may expect similar access.
    Do you have concerns that if we require companies to give 
us keys to unlock encrypted data, other countries will expect 
those companies to turn over such keys to them as well?
    Deputy Attorney General Yates. Thank you, Senator. First, 
we are not going to ask the companies for any keys to the data. 
Instead, what we are going to ask is that the companies have an 
ability to access it and, then with lawful process, we be able 
to get the information. That is very different from what some 
other countries, other repressive regimes, from the way that 
they are trying to get access to the information. I know that 
there is concern, for example, that if there is an ability here 
in this country for the companies to be able to access the 
data, that other countries such as China will require the same 
thing. In China and other countries, they do not follow the 
same lawful process that we do here. If they did, then they 
could potentially get the same information. China's system is 
not set up that way.
    Our companies here make business decisions every day when 
they do business in repressive regimes about how they are going 
to operate, and this is really no different than that.
    Senator Hatch. Okay. Do you have concerns that if we 
require companies to give us keys to unlock encrypted data, 
other countries will expect those companies to turn over keys 
to them as well? As you know, many countries have far less 
robust privacy protections than the United States. I just 
wondered if you have any concerns there as well.
    Deputy Attorney General Yates. That is the reason why we 
are not going to ask for the keys.
    Senator Hatch. That is the big reason----
    Deputy Attorney General Yates. It is one of the reasons why 
we would not ask for the keys, is that the companies would 
retain the key, and they would simply provide the information 
to us. We would not have the keys to decrypt data.
    Director Comey. Senator, could I just add a brief word on 
that? We are talking about using the United States 
Constitution, the rule of law, to obtain information in 
targeted, predicated investigations. If the Chinese are willing 
to sign up to that, it would be great for the Chinese people, 
neutral and detached magistrates, showing of probable cause.
    I am not sure I buy the, ``If we agree to do this within 
the framework of the United States Constitution, we will have 
to do whatever the Chinese ask us to do.'' That does not bowl 
me over.
    Senator Hatch. Okay. We can all agree that we want our 
technology industry to flourish, and one recent growth area has 
been apps that allow users to pay online or track their health 
data. These innovations depend on data security. If consumers 
know an app or device is vulnerable to hacking, they are not 
going to use it. Now, I worry that requiring companies to 
create keys to unlock encrypted data could undermine consumers' 
confidence in the security of their data and could chill 
innovation. Do you share that concern? If not, why not?
    Director Comey. I do. I think the Deputy Attorney General 
does as well, which is why this has to be done very 
thoughtfully, because there is risk, if you do not do it the 
right way, that you will damage both, that you will hurt strong 
information security and you will hurt public safety because 
you will have hurt the entire internet, frankly, and all the 
commerce that flows over it.
    Senator Hatch. My time is up, and I want to thank both of 
you for appearing here today.
    Chairman Grassley. Senator Blumenthal, are you ready? If 
you are not, I will--go ahead then.
    Senator Blumenthal. I am, Mr. Chairman. Thanks very much.
    There has been some discussion, I know--first of all, thank 
you both for your great work. I really appreciate your service 
to our Nation, and on this issue particularly, which is complex 
and challenging and I think offers no simple or simplistic 
answers, and I appreciate your addressing it as thoughtfully as 
you have.
    There has been some talk about what other countries do, and 
put aside China, which obviously has no guarantee, and some 
would say no respect, for the kinds of liberties and freedoms 
that bring us here today, but other countries that also have 
some respect, whether in Europe. What have other countries done 
to address this issue and this problem? Maybe they offer some 
models or insights for our country. What is your perspective?
    Director Comey. Thank you, Senator. I think all countries 
that care about the rule of law are grappling with this right 
now. I know that the French, in the wake of the Charlie Hebdo 
killings, passed intelligence legislation that strikes me as 
fairly sweeping. The Brits are wrestling with this same 
question right now. I think everybody--we may be--that small 
group may be a little ahead of where everybody else is, but 
they are all grappling with this same problem, because they can 
see both the present and, more importantly, the future that we 
can see.
    Senator Blumenthal. Are they ahead of us, do you think? Are 
those countries ahead of us?
    Director Comey. I am not sure that they--perhaps the French 
legislation is. The British legislation is largely about data 
retention. I know also they are considering requiring access to 
certain communications. I would say they are probably in about 
the same place.
    Senator Blumenthal. To what extent do you think the lowest 
common denominator may dictate what happens either here or 
elsewhere? Is there that danger?
    Director Comey. I think America has a unique ability to 
drive this discussion because we are the source of the 
innovation, and that is the beauty of this amazing country. It 
is here. The providers are here. Most of the clever apps are 
here. It is all here. What we do matters enormously, which is 
why it is so important, as the Deputy Attorney General said, 
that we get it right, because the rest of the rule-of-law 
countries, especially our colleagues in Europe, will be 
strongly influenced by that model.
    Senator Blumenthal. We are the source of the innovation, 
and to some extent, we are also the source of the greatest 
respect for those rights and liberties--or the most enduring 
and consistent respect for those rights and liberties. I think 
it gives us a special leadership opportunity. I do not know to 
what extent that is an opportunity vis-a-vis countries like 
China that are in a different position so far as respect for 
the rule of law is concerned.
    To what extent do you think it would--talking about 
innovation, would it help to just impose requirements on device 
manufacturers like Apple? Is that a potential solution?
    Deputy Attorney General Yates. It is certainly a potential 
solution perhaps down the road, but we do believe that it is 
important now, rather than seeking a legislative fix that is 
across the board, that we try to work with the individual 
companies, because what works for Apple might not be the best 
solution for another of the communication providers. We really 
think they know their systems best. They know the way they can 
maximize privacy and internet security while still being able 
to comply with lawful court orders.
    Senator Blumenthal. Are you satisfied with the degree of 
cooperation you have received?
    Deputy Attorney General Yates. We always would like more 
cooperation. We have been having some certainly productive 
discussions, but given the gravity of this problem and the 
urgency that we are facing now, I think that it is critical 
that we kick it up a notch.
    Senator Blumenthal. Can we, in this body, be helpful?
    Deputy Attorney General Yates. Certainly to the extent that 
you can encourage the industry to work with us to try to find a 
solution that accommodates all of these really critically 
important interests, I think that would be welcome.
    Senator Blumenthal. You have my commitment to do so. My 
time is up. I cannot speak for the rest of my colleagues, but 
thank you again for your work on this, and I look forward to 
continuing this conversation. Thank you.
    Chairman Grassley. Senator Flake.
    Senator Flake. Thank you, Mr. Chairman. Thank you for the 
thoughtful testimony and willingness to come here and speak in 
a classified setting as well. I just like the tone of this 
discussion because it really is in search of a solution here.
    Let me just ask, what are you hearing from the local law 
enforcement? If that has been covered in previous questions, 
forgive me. What is it overwhelmingly that you hear from them?
    Director Comey. Tremendous concern. I think my colleague 
and friend Cy Vance, the district attorney in Manhattan, is a 
very, very thoughtful spokesperson for the view that State and 
local prosecutors and investigators have. They are encountering 
it in data in motion, but actually most urgently in data at 
rest, stuff that is on a device, because the old days when you 
do a search warrant pursuant to a judge's order and find paper 
are almost gone. They find devices in domestic violence cases, 
in gang cases, and they are increasingly encountering devices 
that are encrypted and cannot be unlocked. I think that is an 
urgent problem for the bread--``bread and butter'' makes it 
sound like it is not serious--for the ordinary work that is 
done every day in violent crime cases of all sorts.
    Senator Flake. Just following up on that, what is more 
important, in your view, data at rest or data in motion? Or is 
one more important in the criminal law context as opposed to 
the terrorism context than the other?
    Director Comey. That is a great question, Senator. I guess 
my initial reaction is the data at rest is probably more 
important in the criminal investigations, especially the ones--
nearly all investigations and cases are done locally in the 
United States. I think that is a bigger feature of their lives. 
In the national security context, especially when we are trying 
to find needles in a haystack where the communications are 
coming in motion, it is probably a larger feature for us. That 
is how I would divide it.
    Senator Flake. If we decide, after robust discussion, that 
there is simply no way to have a front door or a back door, 
that encryption stands, what will we be forced to do in order 
to have a better balance between public safety and security? Is 
it double down in those areas where there is not an expectation 
of privacy? There are a number of areas that we can surveil. 
What is the response given that scenario if we do decide that 
we just cannot go there?
    Director Comey. That is a really hard one. For example, to 
answer that on behalf of State and local law enforcement and my 
criminal investigators, I do not know what the answer is, 
because the future really is one where all of our papers and 
effects are covered by strong encryption. I honestly do not 
know what we will do there. It may be we will have to evolve 
some sort of regime where it is easier to compel people to 
unlock their devices. That runs into Fifth Amendment problems. 
I do not know what the answer is there.
    In terms of our terrorism work, we will, I guess, have to 
make much more aggressive use of tools that might be able to go 
through the public part of social media and see what we can 
find, more aggressive use of undercovers and informants to try 
and fill that gap. It is actually hard to sit here and explain 
to you how I am going to fill that gap, because I do not think 
I am.
    Senator Flake. Thank you, Mr. Chairman. I appreciate the 
testimony and look forward to working through these issues with 
you. Thank you.
    Chairman Grassley. I have one question. I think Senator Lee 
and Senator Franken have questions.
    Just one question for you, Director Comey. You have talked 
about how the going dark problem affects your ability to obtain 
evidence to prosecute. Can you also speak to how the going dark 
problem impacts law enforcement's ability to exonerate innocent 
people? Do you have any real-world examples from your 
experience on the subject?
    Director Comey. I cannot think of a case off the top of my 
head. I am sure that we can find one. The evidence is important 
both to find the guilty and to clear others who have fallen 
under suspicion, so logic tells me that in every case where I 
cannot get access to evidence, I cannot do either of those 
things. Someone who the finger is pointed at we will not be 
able to clear, just as we will not be able to figure out who 
the bad guy really is. I bet we can come and find you cases 
where devices have been used to say so-and-so was not at the 
shooting actually, we can prove through texts or something that 
he was at home with his mother, so he is actually not guilty of 
this crime.
    Chairman Grassley. Senator Lee, then Senator Franken.
    Senator Lee. I just wanted to follow up on my prior line of 
questions. Let us suppose that we had a problem with people 
storing things in a particular type of safe, a home safety 
deposit box that had a secure combination lock, perhaps coupled 
with an iris scanner or something like that. It was made 
specifically so that nobody else could break into it. You as 
law enforcement officers wanted to get into it, but you could 
not without the cooperation of the person who owned it. Once it 
was programmed to both enter the combination lock and couple 
that with the iris scanner, no one else could get in. There was 
no back-door code supplied by the manufacturer.
    In that circumstance, how do you think the manufacturer of 
this safe, this safety deposit box, might react if told or 
strongly encouraged perhaps by the Government that it needed to 
provide a back door? Similarly, how do you think the people who 
owned those safety deposit boxes would feel upon learning that 
somebody at the corporate headquarters or the manufacturer had 
a back-door method into it and that somebody working there 
perhaps could take that information with them and sell it to 
the highest bidder?
    Director Comey. I think the company would be concerned, and 
I would hope we would have a conversation where we say, ``Who 
are your customers that they are afraid that a judge will, 
based on a showing of probable cause, issue a search warrant to 
be able to get access to that? Who are you marketing this to 
exactly? Is that really something that caused you the level of 
concern that it did at first blush?''
    To the customer--first of all, I do not think we have 
encountered that yet. We would blow that sucker. I mean, we 
would get that open.
    Senator Lee. You would blow it up.
    Director Comey. You would blow it up. There is not a safe-
--I do not know of a safe in the world that cannot be opened.
    Senator Lee. I guess you could blow up the iPhone, but it 
would be messy.
    Director Comey. That would be the end of the data, too. 
That is my reaction, which is I think ordinary Americans, when 
they hear this, think so long as it is pursuant to the Fourth 
Amendment, it is okay to live in a world where a judge can make 
a showing of probable cause and issue a warrant to get access 
to a safe or to a phone. I do not exactly know where the great 
demand for this is coming from. I have not met ordinary folks 
who say, ``You know what? I really want a device that cannot be 
opened, even if an American judge finds that it ought to be 
opened because it is really important.''
    Senator Lee. I assume the concern would lie with people 
saying, you know, if one person gets out and there is one 
encryption key, somebody could break into a whole lot of houses 
and get a whole lot of valuables that they are not entitled to, 
and these are not people who are armed with a warrant. That 
would probably be the concern. Thank you, Mr. Chairman.
    Chairman Grassley. Senator Franken, and then, Senator 
Tillis, would you signal me if you want a second round? 
Because--you do not? You do not want a second round, OK. 
Senator Franken.
    Senator Franken. Okay. Just quickly, Director Comey, in 
your written testimony you spoke about the importance of 
investing in developing tools, techniques, and capabilities 
designed to mitigate the increasing technical challenges 
associated with the going dark problem. Can you say a bit more 
about how these tools might function, to what extent you are 
already investing in these areas, and what kinds of additional 
resources do your agencies need?
    Director Comey. Yes, Senator, it is not something I want to 
talk about in this forum. I think I have told the bad guys a 
lot and do not want to go into particulars. Just as we invest 
in tools that will open safes or allow my Hostage Rescue Team 
to open a barricaded door to rescue somebody, we try to invest 
in tools that, if a judge gives us permission, we will be able 
to open a device or access something. As I said, what I am 
confirming here is we cannot break strong encryption. We have 
not found that tool. I do not think it exists. We look for 
other ways around the margins, if a judge gives us permission, 
to be able to get into a room or get into a device.
    Senator Franken. Okay. Fair enough.
    Deputy Attorney General, I understand why you may not have 
numbers today when I asked about that. Going forward, could you 
track the number of times you run into technological obstacles 
and, therefore, do not seek a warrant or a wiretap? Could you 
keep track of that so that could inform the scope of this 
problem?
    Deputy Attorney General Yates. Certainly, Senator, we can 
work on ways where we try to gather information to be able to 
answer your question about how big of a problem is this, 
whether it is numbers or more specific examples to be able to 
do that, because this is the first time that we have really 
encountered warrant-free zones. This is new for us. We are 
grappling ourselves with how--not only to get our arms around 
the problem, but how to quantify the problem as well.
    Senator Franken. Okay. Thank you. Thank you both. Thank 
you, Mr. Chairman.
    Chairman Grassley. Before you two leave, I think we all 
thank you very much for continuing this conversation, enhancing 
the conversation. Since this institution of the Senate speaks 
with 100 different voices and it kind of gets diluted in the 
process and this is a very important subject, I would admonish 
you, because of your particular positions and being a single 
individual, to enhance the volume on this issue. It is 
something that is very important that needs to be solved. Thank 
you all for coming.
    Would the next panel come, please? Before the next panel 
sits down, I would like to ask for affirmation. I will wait 
until you get to the table.
    [Pause.]
    Chairman Grassley. Before I introduce you, do the three of 
you affirm that the testimony you are about to give before the 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you God?
    Mr. Vance. I do.
    Mr. Lin. I do.
    Mr. Swire. I do.
    [Witnesses are sworn in.]
    Chairman Grassley. Thank you. I would like to introduce all 
three of you before you speak.
    Our first witness, Mr. Cyrus R. Vance, Jr., who has for the 
last 5 years served as district attorney, Borough of Manhattan, 
New York City. Mr. Vance was previously a lawyer in private 
practice in New York and Seattle and also served as an 
assistant district attorney, Manhattan District Office. Mr. 
Vance grew up in New York City, received his undergraduate 
degree from Yale, and graduated from Georgetown University Law 
Center.
    Dr. Herbert Lin, who is senior research scholar of cyber 
policy and security at the Center for International Security 
and Cooperation and research fellow at Hoover Institution, both 
at Stanford University. Dr. Lin is also chief scientist 
emeritus for the Computer Science and Telecommunications Board 
at the National Research Council of National Academies where he 
served 1990 through 2014. Dr. Lin also served as a professional 
staff member and staff assistant to the House Armed Services 
Committee. He received his doctorate in physics from MIT.
    Finally, Peter Swire is Nancy J. and Lawrence P. Huang 
Professor of Law and Ethics at Georgia Institute of Technology 
and a senior counsel at a private law firm. Mr. Swire 
previously served as President Obama's Review Group on 
Intelligence and Communications Technology and was Chief 
Counselor for Privacy in OMB under President Clinton. He is 
also a senior fellow with Future of Privacy Forum and a policy 
fellow with the Center for Democracy and Technology. Mr. Swire 
graduated from Princeton and Yale Law School.
    I want to thank all of you for being here today and giving 
us your opinions and expertise in this area. I will start with 
Mr. Vance.

             STATEMENT OF HON. CYRUS R. VANCE, JR.,

              DISTRICT ATTORNEY, NEW YORK COUNTY,

                       NEW YORK, NEW YORK

    Mr. Vance. Thank you. Good morning, Chairman Grassley, 
Ranking Member Leahy, and Members of the Judiciary Committee. 
Thank you very much for the opportunity to testify before you 
today as the Manhattan District Attorney, but also as a member 
of the Boards of the National District Attorneys Association 
and the American Prosecutors Association to give the 
perspective from local and State law enforcement on these 
issues.
    I am very grateful to be here today because, as my Federal 
colleagues have indicated in their testimonies, new encryption 
technology is being introduced, most notably by Apple and 
Google, which may make it impossible in today's digital world 
to obtain evidence that is vital for prosecutors. As the 
Manhattan District Attorney, I have come to realize in my 5 
years that this digital world is, in fact, the 21st century 
crime scene. I am here to ask for your help to ensure that law 
enforcement has lawful access to it.
    I would like to address two of the questions, Mr. Chairman, 
that were alluded to today: How should we balance the benefits, 
the clear benefits of encryption technology and privacy rights 
with the responsibilities we have in law enforcement to protect 
victims' rights? Second, who gets to decide that balance?
    Before September 2014, our investigators could access the 
relevant contents of a locked iPhone with a search warrant. 
Today, unless someone knows the passcode of that phone, we 
cannot. When you consider the use of smartphones by criminals 
and also by their victims, you begin to understand the profound 
impact this has on the pursuit of justice for everyday 
Americans.
    Today's criminals, please make no mistake, are taking 
advantage of developing smartphone technology to commit crimes 
and to prevent their discovery. They communicate by text. They 
include their criminal conspirators in their contact lists. 
They videotape sexual abuses of children and distribute those 
images to other sex offenders hiding behind the anonymity of 
the internet.
    It is undisputed that phones are used by criminals 
committing murders, rapes, and robberies, and most of the 
thousands of felonies we prosecute each year, and that key 
evidence is on those phones. At this time, it is unfortunate, 
but criminals are literally and figuratively laughing in the 
faces of law enforcement. That is not hyperbole. I would like 
to give you a real example from a case in my office where a 
defendant in jail for a felony case is speaking with his friend 
on a recorded landline outside of jail. I am here quoting from 
the transcript.
    ``Apple and Google came out with these softwares that can 
no longer be unencrypted by the police. If our phones are 
running on the i0S 8 software, they can't open my phone. This 
may be another gift from God,'' end of quote.
    Senators, that is not a gift from God but an unintended 
gift from two of the largest technology companies in the world. 
Full-disc encryption upsets the balance between privacy and 
public safety by allowing criminal activity to thrive in a 
medium now unavailable to law enforcement.
    Apple and Google's decisions in particular to limit our 
access for the sake of only a marginal increase in privacy 
comes at a great cost, I believe, a cost that will be borne by 
the victims of crime and by our society as a whole. Of course, 
Director Comey and others have alluded to perhaps the most 
difficult circumstances where this issue may arise. What am I 
as district attorney to say to the parents of a missing son or 
daughter when they ask why we cannot access the phone that was 
left behind, which likely contains information that should lead 
or could lead to the young person's whereabouts? Is my response 
to tell them that an upgrade to an operating system stands 
between law enforcement and finding their child?
    Like everyone here, all the prior speakers, I value my 
privacy. I understand there is a fear of mass security 
breaches, collection of bulk data, and warrantless 
surveillance. I believe, Mr. Chairman, that those are valid and 
legitimate concerns. That is not the access local and State law 
enforcement seeks or expects. Our access to electronic data is 
grounded in and it is limited by the Fourth Amendment to our 
Constitution authorizing only reasonable searches based on 
probable cause, supported by a particularized search warrant, 
and only after approval by a neutral judge.
    I have also read commentary that suggests we just want 
solving crimes and prosecuting criminals to be easier, to use 
this data to create a shortcut toward conviction. Our justice 
system was not designed, Senators, to make it easy to convict. 
Proof beyond a reasonable doubt, determined unanimously by 12 
jurors, has always been a high bar. We need compelling evidence 
obtained lawfully, and that is how it should be. With full-disc 
encryption, our ability to obtain important evidence and 
achieve justice for victims of crime is at best curtailed, at 
worst made impossible.
    I, like others, am sure there are technological solutions 
to this problem. I, like others, have every confidence that the 
brilliant minds at Apple and Google, working with Federal 
legislators and considering the interests of victims of crime 
can figure this out.
    As it stands today, Apple and Google have decided who can 
access key evidence in criminal investigations. I do not and I 
cannot believe it is right that they should decide the path 
toward justice for victims around the country or for our Nation 
as a whole. I do not think by default we should cede this 
important decision to the tech industry. Senators, I believe 
this decision should and must be yours.
    Thank you for the opportunity and the honor of addressing 
you.
    [The prepared statement of Mr. Vance appears as a 
submission for the record.]
    Chairman Grassley. Thank you, Mr. Vance. Now, Dr. Lin.

                STATEMENT OF HERBERT LIN, PH.D.,

              SENIOR RESEARCH SCHOLAR, CENTER FOR

            INTERNATIONAL SECURITY AND COOPERATION,

              RESEARCH FELLOW, HOOVER INSTITUTION,

           STANFORD UNIVERSITY, STANFORD, CALIFORNIA

    Dr. Lin. Mr. Chairman, Senator Franken, Members of the 
Committee, thank you for inviting me to testify today. I have 
worked on cybersecurity issues for many years, mostly at the 
National Academies, now at Stanford, but the views I present 
today are my own. The previous panel discussed going dark, and 
I want to address three issues here.
    First, the U.S. Government has framed solutions to going 
dark around what I am going to call the concept of NOBUS access 
to encrypted data. NOBUS stands for ``nobody but us'' where 
``us'' is the Government. This approach has generated 
polarization around two positions. One side says that NOBUS 
access inevitably weakens the security of a system and will 
eventually be compromised by a bad guy; and the other side says 
the opposite. Neither side can prove its case, and we see kind 
of a theological clash of absolutes.
    To get out of this, I proposed to consider time scale. If 
it takes 1,000 years for a bad guy to figure out how to hack a 
NOBUS mechanism, that is probably secure enough. If it takes 
him 30 seconds, then everyone would agree that mechanism is 
probably a bad idea. Somewhere between 30 seconds and 1,000 
years, that mechanism changes from being dumb to probably being 
secure enough.
    How do we estimate the time the bad guy needs? We do not 
understand very well today how to make these estimates for 
computer systems. We do know how to use certain methodologies 
for making such estimates in other domains. For example, an 
approach called probabilistic risk analysis is often used in 
estimating the time before a nuclear reactor experiences a 
meltdown. Generally speaking, one estimates the probabilities 
of various sequences of events that could lead to failure, what 
is called fault tree and event tree analysis, and out of that 
comes an estimate that it will take 10,000 years or a million 
years, or whatever number you get.
    Opponents and proponents of nuclear power use different 
numbers to make their estimates, but at least they use the same 
methodology, and they can identify where they disagree 
technically. That is a much better outcome, in my view, and 
progress over just shouting at each other over a table saying 
yes or no.
    The most important thing about this approach is that it 
requires a specific plan, a specific design to analyze. Only 
when specifics are involved can you have a meaningful technical 
debate.
    Would a similar approach work in analyzing a proposed NOBUS 
mechanism? I think so, but I could be wrong about that. That is 
what makes it a research problem. We need to assess whether 
such methodologies can be usefully applied to estimate how long 
it might take for a bad guy to hack any specific mechanism. The 
Government has not provided any specifics, arguing, as we heard 
in the last panel, that the private sector should do it. At the 
same time, the vendors are not interested in doing it because 
their customers are not demanding such access. Many of them do 
not think it is possible to do anyhow.
    Without specifics, there is going to be no progress, and I 
believe that the Government is actually afraid that any 
specific proposal will be subject to enormous criticism, and 
that is certainly true. The Government is the party that wants 
this kind of access, and rather than running away from such 
criticism, I think it should embrace the resulting--any 
resulting criticism as an opportunity to improve on its initial 
designs, at least as a proof of principle that it is possible.
    Exactly the same issues came up in the 1990s, only then the 
Government did propose a specific mechanism. When the National 
Academies studied the problem then, it made a recommendation 
that still makes sense today: a prerequisite for going down 
this path is for the Government to gain experience about how to 
properly operate a Government-only system allowing such access, 
before deploying it on a large scale. If you do it without that 
experience, deploying it on a large scale across the entire 
Nation is just asking for trouble.
    A final point is that asking the major vendors such as 
Apple and Google to provide NOBUS access is only the first 
step, as Director Comey implied in his comments about end-to-
end encryption in the previous panel.
    The next step after that is to impose access requirements 
on small applications developers and open source developers 
because they can build apps that bypass any such mechanisms 
built into the platforms. Then you have to prevent people from 
bringing into the U.S. apps from abroad that do not have such 
access, which means you have to build a firewall around the 
United States that blocks such apps and border inspections and 
import controls and all sorts of other things that make life 
very complicated.
    Second, a partial alternative to NOBUS access is for law 
enforcement authorities to obtain legal authorization to take 
advantage of the vulnerabilities that already exist in all 
software. With proper legal authorization, law enforcement 
could hack the devices of bad guys to obtain unencrypted 
information when the bad guys themselves accessed it, and, of 
course, law enforcement does this to some extent today with 
proper legal authorization.
    Third, I want to point out that criminals are just like the 
rest of us in that they also forget passwords, and if they have 
not saved them somewhere, certain crimes will not happen 
because the bad guys will not be able to get at the data that 
they need to commit them. Also, remember that data is often 
backed up to the cloud by default. Criminals will want 
mechanisms that enable them to retrieve inaccessible data, and 
if they do, that is a way also that law enforcement can gain 
access.
    I hope these comments are helpful, and I am ready to answer 
questions. I ask that a number of relevant documents that 
support my testimony be entered into the record. I have already 
provided these documents to staff.
    [The prepared statement of Dr. Lin appears as a submission 
for the record.]
    Chairman Grassley. Professor Swire, before you begin, just 
in case we have a vote in the middle of your comments, I am 
going to go vote, and Senator Franken is going to stay here, 
and then he will ask questions. Then when I get back, I will 
ask questions.
    Professor Swire.

                STATEMENT OF PETER SWIRE, HUANG

             PROFESSOR OF LAW AND ETHICS, SCHELLER

             COLLEGE OF BUSINESS, GEORGIA INSTITUTE

                OF TECHNOLOGY, ATLANTA, GEORGIA

    Professor Swire. Thank you, Chairman Grassley and Members 
of the Committee, for the opportunity to testify today.
    As my written testimony discusses, I have worked on 
encryption issues as a Government official and scholar for two 
decades. Under President Clinton, when I was Chief Counselor 
for Privacy at OMB, I chaired the White House Working Group on 
Encryption for the 1999 change that allows export of strong 
encryption. As the Chairman also mentioned, I was one of the 
five members of President Obama's Review Group on Intelligence 
and Communications Technology and testified before this 
Committee last year on those issues.
    My testimony today is in three parts: the Review Group, the 
going dark argument, and with time available, the harm to U.S. 
technological leadership that would result from extraordinary 
access requirements.
    First, the Review Group, after top secret briefings on 
encryption issues, concluded that strong cybersecurity and 
strong encryption should be vital national priorities. Our 
recommendation stated, quote, ``We recommend that, regarding 
encryption, the U.S. Government should fully support and not 
undermine efforts to create encryption standards; second, we 
should not in any way subvert, undermine, weaken, or make 
vulnerable generally available commercial software; and, third, 
increase the use of encryption and urge U.S. companies to do 
so, in order to better protect data in transit, at rest, in the 
cloud, and in other storage.''
    With full awareness of the going dark concerns, the Review 
Group, consisting of antiterrorist advisers to Presidents, 
senior CIA officials, et cetera, sharply criticized any attempt 
to introduce vulnerabilities into commercially available 
products and services. We found that these strong encryption 
policies would best fight cyber crime, improve cybersecurity, 
build trust in the global communications infrastructure, and 
promote national security.
    Second, law enforcement asserts that it is going dark, but 
it is more accurate to say--and this has not been the theme 
today, but I really believe it is true--that we are in a 
``Golden Age of Surveillance'', not darkness. In detailed 
writings over a period of years, I have explained why the going 
dark image is factually inaccurate. Law enforcement has access 
to growing and unparalleled evidence due to the technological 
changes in the past 25 years.
    Let me emphasize that I agree there are specific ways that 
law enforcement and national security agencies lose specific 
previous capabilities due to changing encryption technology. As 
electronic communications and evidence evolves, there will 
indeed be certain categories of information that are no longer 
available.
    Entirely absent from the law enforcement statements, 
however, is any recognition of the cornucopia of new evidence 
that our electronic communications provide, and consider three 
examples.
    First, location information. For the first time in human 
history, most of us carry tracking devices, called cell phones. 
When you add in video surveillance and the upcoming Internet of 
Things, evidence about a suspect's whereabouts at a time and 
date is far, far more often available than ever before.
    Second, information about confederates and co-conspirators. 
It is highly useful to law enforcement to know everyone that a 
suspect is in communication with. With texts, social network 
posts, emails, constant phone calls, and the rest, metadata on 
communications is available in absolutely unprecedented ways 
and volumes.
    Third, as we all know from our daily lives, our personal 
information is in an array of other new data bases for 
healthcare, financial services, online surfing, and everything 
else. Insights into suspects is further available through big 
data analytics.
    Taken together, consider the evidence-generating machines 
and practices that fill our daily lives. I have wondered how 
much of the reduction in crime in the last two decades has been 
due to the unprecedented records that help law enforcement 
prove their cases.
    Let us look at text messaging as a way to assess going dark 
versus the Golden Age of Surveillance. Relatively few text 
messages were sent 20 years ago, if you just think about your 
own experience. By 2010, the number exceeded 6 trillion per 
year. For the predominant share of these text messages, the 
content is available today from the provider. Even for the 
subset where the content is encrypted, law enforcement can gain 
access to the metadata linking suspects and witnesses to their 
entire social graphs.
    For text messages, it might be tempting to say that law 
enforcement could call the glass half-empty--some texts are 
encrypted--or half-full--some texts are in the clear. With over 
6 trillion messages filling the glass, though, it takes nerve 
to say the glass is empty. Text messages are a prime example of 
a golden age of surveillance, of new, powerful, and pervasive 
evidence assisting law enforcement and not of going dark.
    Chairman Grassley asked whether changing technology is 
upsetting the balance between public safety and privacy. For 
reasons stated here, the balance has indeed shifted in the last 
25 years, clearly in the direction of law enforcement having 
the evidence it never had before in human history.
    Because of time, I will not be able to go through some of 
the ways that U.S. technological leadership would be threatened 
by having limits on U.S. tech companies. We saw in the 1990s 
that these limits were imposed on U.S. companies. Russia, 
Israel, and other countries gained technological advantages 
from that. It turned out that this was an expensive policy for 
the U.S. economy and also was futile because the bad guys could 
get strong encryption anyways. That will be true in the future 
under any of the considered proposals. Thank you.
    [The prepared statement of Professor Swire appears as a 
submission for the record.]
    Senator Franken. I believe, according to my reading of the 
rules of the Senate, that, Senator Tillis, you are the Chairman 
of the Committee. Let me explain. I believe that you are in the 
majority, and by my reading of the rules, the Chair would have 
to be in the majority. If, however, the----
    Senator Tillis [presiding.] At the Chair's discretion in 
honoring what Senator Grassley stipulated, I think he has gone 
to vote. He will come back and in turn probably ask questions 
just after you. Senator, Senator Franken, I would defer to you 
for the first questions.
    Senator Franken. Thank you, Mr. Chairman. Would it be OK, 
since I----
    Senator Tillis. Would you just say that one more time 
before I have to step down from the chair?
    [Laughter.]
    Senator Franken. I know your mom watches these things on 
the web.
    [Laughter.]
    Senator Franken. Certainly, Mr. Chairman, and it is quite 
an honor to serve with your son--I mean with you.
    Let's see what I have here. Dr. Lin, thank you for your 
testimony. It is clear that this difficult issue is not just 
about hardware. Director Comey and Deputy Attorney General 
Yates spoke this morning about the availability and use of end-
to-end encrypted messaging apps. Even if all U.S. device 
manufacturers agreed to maintain the ability to give the 
Government access, there would still be developers offering 
fully encrypted programs or apps, whether authorized or 
unauthorized.
    Can you speak about the kinds of measures you think would 
be necessary to address this moving target, so to speak? Would 
we have to dramatically change how we think about internet 
governance?
    Dr. Lin. It is not so much internet governance as the fact 
that you would have to start imposing requirements on the apps 
that the American people were allowed to have access to. For 
example, you would start imposing requirements. You would have 
to say, for example, that no product in the Apple store or in 
the Google Play store could be marketed without having these 
exception--these law enforcement access requirements. Then you 
would have to say then nobody could download an application 
that was not part of the--that was not in these stores. Then 
you would have to start inspecting iPhones and Android devices 
that came in from abroad. When Americans go overseas, they come 
back. They can download an app overseas, and you have to make 
sure that that is not there.
    If you are serious about going down this path, the 
ramifications for product development and use in the United 
States are enormous.
    Senator Franken. That would affect that industry.
    Dr. Lin. It certainly would not do it any good.
    Senator Franken. Okay. It would have a negative effect.
    Professor Swire, to maintain our global competitiveness, it 
is crucial that American tech companies have access to European 
markets. Given your role years ago in development of the safe 
harbor agreement to allow data to flow between the EU and the 
U.S., I imagine you may be uniquely positioned to offer 
thoughts on the effect of requiring U.S. companies to issue 
full encryption might have on their ability to compete abroad. 
What would the ramifications of this be, do you believe?
    Professor Swire. Thank you, Senator. Since the Snowden 
revelations, there has been a number of studies about the 
economic impact and harm to U.S. sales abroad for cloud and 
other services. Those numbers are in the hundreds of billions 
of dollars. Major U.S. companies have had Government contracts 
canceled in the billions of dollars. The view that the United 
States companies would be cooperating by giving extraordinary 
access with the U.S. Government is exactly the view that causes 
the most harm overseas.
    The magnitude of this, when you talk to people in the 
field, has been much greater than people anticipated. It is 
continuing, and the encryption debates that are happening now 
reinforce the tendency in other countries to say stay away from 
U.S. products.
    Senator Franken. What do you say to Prosecutor Vance or to 
Director Comey when they say, well, we have got this, these 
parents have come home, and their daughter was last seen 
walking into a van, and her cell phone is there, and we want to 
see what--who was last in contact with her? What do you say to 
that?
    Professor Swire. I say there is basically two approaches. 
You can try to fuzz between them, but one approach is to create 
extraordinary access with the large costs and the technical 
problems and the harm to U.S. business overseas, et cetera, and 
then in some cases they will get information from the phone for 
the daughter. Or you can have strong cybersecurity as the 
default with all the benefits that come from that, recognizing 
that in a very small subset of cases---the Justice Department 
reports show numbers in the single digits per year or 12 in a 
year. In a very small number of cases, there will be new 
obstacles.
    We have many new advantages. We will have some new 
obstacles. The alternate regime has so many problems with it 
that have not been fully discussed today that building it is 
impractical and would be very, very expensive, and I do not 
think effective.
    Senator Franken. Mr. Vance, you look like you wanted to say 
something.
    Mr. Vance. I very much appreciate----
    Senator Franken. Turn on your mic.
    Mr. Vance. Thank you. I very much appreciate the 
complexities that have been identified by colleagues on the 
panel. I do not believe that--speaking at the national level, 
unlike at the Federal level, we are actually speaking with 
instances of crime at scale where the inability to access 
smartphones and search them has a greater impact in terms of 
volume.
    Senator, more than 90 percent of the crimes committed in 
America are committed at the local and State level. I am here 
speaking on behalf of the 3,000 counties where the impact of 
Apple and Google's decision is going to be felt most directly. 
In our written testimony, I have given examples of cases, 
dramatic cases, where access to the contents of the cell phone 
through a search warrant were absolutely necessary.
    I do not want the Committee to believe that this is simply 
a Federal issue, that it deals with a limited number of cases. 
Indeed, the impact is going to be around the country and at the 
local level of all the citizens.
    As to what the technological solution is, I, like others 
here today, do not have it. I do believe that, as I said in my 
testimony, there is an enormous amount of intellectual capacity 
in not only just the companies who manufacture these goods but 
also in the academic world and at the Government level. I do 
not believe that the option we should pursue when faced today 
with inaccessibility of access to lock smartphones, which is 
increasing as more iOS 8 devices come onto the market, is to 
say from a law enforcement perspective, ``I guess that is it, I 
guess there is nothing we can do.'' There has to be something 
we can do.
    You asked, Senator, if I can, about statistics. In our 
office, we started to keep some statistics once the iOS 8--
actually, over the 5 years, but since particularly iOS 8 came 
out, and in that timeframe, because we do--we have our own lab 
at the D.A.'s office in Manhattan because we have so many 
devices, we cannot always have them done timely by the police. 
Ninety-two devices came in running iOS 8 that we sought to 
analyze; 74 of those were locked at an 80-percent rate.
    In our office, in the last 6 months, iOS 8-run devices, 80 
percent we were not able to get into because they were locked. 
Apple----
    Senator Franken. Your testimony is quite different from 
Professor Swire's in terms of the number of cases this would 
affect, is what you are saying?
    Mr. Vance. Certainly, if that is my experience in one 
office in Manhattan, 100,000 cases a year, that is going to be 
a parallel experience across the country.
    Senator Franken [presiding.] I am sorry, but I have to 
vote, and so I want to thank you all for your testimony, and I 
guess we will keep--oh, I know. I am going to recess until 
they--so I am not adjourning this at all, and I am not--I am 
going. In the meantime, talk amongst yourselves. I hope 
Chairman Grassley will be back, so this Committee will be 
chaired by a proper Member of the Majority. But hang on.
    Mr. Vance. Thank you, sir.
    [Whereupon the hearing was recessed and reconvened.]
    Chairman Grassley [presiding.] I hope you can understand 
that nobody can predict the rudeness of the U.S. Senate to 
three people like you that they schedule votes right in the 
middle of a hearing. I may be the last person you have to deal 
with. We will wait and see. If nobody else comes back, then 
this will be it.
    I am going to start with you, Mr. Vance. Some have 
suggested that law enforcement, being in the midst of the 
Golden Age of Surveillance, they contend that law enforcement 
is not going dark because it now has access to metadata, other 
information. In addition, these people say device encryption is 
not a problem because law enforcement can focus on obtaining 
emails, text messages, other data stored in the cloud, or even 
obtain passwords from users themselves to access devices.
    Question: Is metadata a good substitute for the content of 
communications in your investigation? Are either relying on 
access to cloud storage or obtaining passwords from users 
unrealistic options for State and local law enforcement? Your 
reason why or why not.
    Mr. Vance. Thank you, Mr. Chairman.
    Mr. Chairman, when you were voting, I made the point--and I 
would simply like to make it to you now that you are here--is 
that the powerful testimony that we heard from our Federal 
colleagues is only a small part of the impact that inability to 
serve search warrants on companies for access to cell phones 
results in. Ninety-plus percent of the crime in America occurs 
in jurisdictions like mine, at the State and local level. That 
includes in my jurisdiction everything from terrorism but in 
all jurisdictions rape, robbery, murder, identity theft, and 
other fraud.
    As we--this discussion has over the last several months 
been focused upon the NSA and Federal issues. Mr. Chairman, I 
want you to know that I am here on behalf of district attorneys 
who have submitted letters for the record from many of the 
jurisdictions which the Senators here represent as well as 
prosecutive agencies and victims' groups saying this is very 
important at the local level and to make that point.
    As to a direct answer to your question, it is my 
observation that the cloud is not the answer to access to 
information, and that is because, Senator, you may remember 
from my opening testimony a quote from an individual 
incarcerated talking to his confederate outside about the fact 
that Apple has upgraded its system and, if they use iOS 8, the 
Government cannot get into the phones.
    If a run-of-the-mill individual in New York City charged 
with a crime knows that, I think one can assume that criminals 
all over the country, if not the world, know that. The reason 
that is important is because you can turn off your backup to 
the cloud with a switch of a button. If you knew as a criminal 
whether you were involved in identity theft or scouting 
locations for homegrown violent extremism, or you were a sexual 
offender and took photos of young children which you traded 
peer-to-peer with others, what you would do knowing that if 
there is no backup to the cloud is turn off your backup and 
understand that, therefore, in front of you, like with my 
iPhone, I would have a device that, if it was turned off and 
locked, no one can open except me. Knowing that people are now 
taking advantage of that fact, that is what is going to be 
happening.
    Another statistic, Senator, you were out when I gave it: We 
have started to monitor since September 14 the number of phones 
that come into our own lab at the D.A.'s office, and we have to 
do a part of the forensics for our phones because we have so 
many. Of the roughly 92 iPhone 8's that came in in that time 
period, 70-plus of them were locked. That means of that 70, we 
were really unable to move toward getting access to the 
contents. That includes crimes of murder and everything else.
    Yes, metadata is helpful. Yes, as the professor indicated, 
we do have access that we did not have 20 years ago to 
information that helps us identify itself and solve crimes. I 
think no one should misunderstand that this is not about 
getting a shortcut to conviction. To prove a criminal case 
requires convincing proof beyond a reasonable doubt. I think 
anybody who is the victim of a crime or who knows someone who 
is the victim of a crime understands just how hard it is.
    The argument that you do not need the information, you can 
get it elsewhere, is one that at least from a prosecutor's 
perspective betrays a certain naivete and ignorance of just how 
tough it is for police officers and prosecutors to do the job 
that is expected of them.
    Chairman Grassley. Dr. Lin--and then I will have a question 
for Professor Swire--in your testimony you proposed a method to 
test the risks associated with providing built-in law 
enforcement access to encryption. You suggest that this type of 
risk analysis might help to move the public debate forward. 
Yesterday, a group of noted cryptographers and security experts 
also issued a report opposing law enforcement access to 
encrypted systems, but also posing certain questions and 
technological requirements for such a system.
    Could you please explain your risk assessment analysis in a 
little more detail? What methodology would you use to test law 
enforcement access to an encrypted system? Do you agree with 
the question and technology requirements put forward yesterday 
by other cryptographers and security experts?
    Dr. Lin. Thank you, Senator. I have looked at that report, 
which just came out, as you noted, just came out yesterday, and 
it is a first-rate report. I would associate myself with most 
of the commentary in it, especially the call in it for more 
specifics. One of the problems that the debate to date has 
suffered from is that there is not a specific proposal on the 
table, and without that specific proposal, there is nothing to 
analyze.
    The approach that I am wanting to take is to see--to apply 
a certain methodologies to see how long an exceptional access 
system, a NOBUS system, could be resistant to a bad guy hacking 
it, how long it would take. As I say, if the analysis comes out 
that it takes 30 seconds, then it is a silly idea, that that 
mechanism is a silly idea. If it takes 1,000 years, then maybe 
that is good enough. You want to be able to do the analysis to 
see where the number comes out.
    The problem here--there are two problems with the approach 
that I am suggesting. One is we do not have a good methodology 
for doing that, but we have some suggestions that it may be 
possible. That is a research problem, and I do not know how it 
will come out.
    Even if it is possible, I do not know what the number will 
be when you actually go through the numbers, what the best 
credible estimate will be. It may be that the best credible 
estimate comes out as, you know, it will last for 2 years, in 
which case it is probably something that we should not do. I 
mean, Director Comey alluded to the possibility that maybe it 
is ``impossible.'' I think that is--what I just said is a more 
plausible interpretation of what ``impossible'' means. You 
know, if it would just last for 2 years without being hacked, 
then it is probably a bad idea. That is the sort of thing that 
I mean.
    Chairman Grassley. Okay. Dr. Swire, you recently wrote 
that, quote, ``If there is modest harm and enormous gain to be 
derived from using certain technology, society should logically 
adopt that technology.''
    Continuing to quote, ``In 1999, the U.S. Government 
concluded that strong encryption was precisely that type of 
valuable technology. It was worth going at least slightly dark 
in order to reap the many benefits of effective encryption,'' 
end of quote.
    It sounds like you agree with that, as a general matter on 
this issue, it is appropriate to try to find a balance between 
law enforcement interests, protecting public safety, and the 
other important interests at stake. Of course, one of those 
ways that our legal structure contributes to striking that 
balance is through the judicial process. In an op-ed to the New 
York Times back in 2013 about your work on the President's 
Review Group, you made clear that, quote, ``Public officials 
should not have access to otherwise private information without 
a court order, with emphasis upon `without a court order,' '' 
end of quote.
    My only question to you--or I guess really two questions: 
Do you think that in light of the rise of ISIS and the spread 
of default encryption, the current status quo strikes the right 
balance for society? Do you still believe that public officials 
should be able to gain access to otherwise private information 
so long as law enforcement has a court order?
    Professor Swire. Thank you, Mr. Chairman. There are a 
number of questions there. I might speak about court orders and 
then, very briefly, if I could, comment on Mr. Vance's example.
    On the court order point, having court orders is part of 
the genius of the American system of Government, is part of 
what this Committee fights to uphold in every era. The question 
when it comes to technology mandates is what the mandates might 
be. We could mandate, for instance--I am not saying it is a 
proposal--that the recorder on my phone be turned on by 
default, and then it would only be available with a proper 
court order, and that way we would have full judicial process, 
and we would have this wonderful set of information about 
everything I have said near my phone all along.
    In that case, we could have absolutely fabulous court 
orders, but we might as a society decide we want some things 
that are not going to be turned on, that we are going to turn 
that off. We should have great judicial process, appropriate 
process, but we also have to decide when to mandate things 
technologically, and I think that the weaknesses in encryption 
are similar in that respect to turning on the recording, their 
weaknesses that cause more problems than they are worth.
    The point to Mr. Vance's very sensible concerns from law 
enforcement--and as a junior lawyer, I worked in the Manhattan 
D.A.'s office. I have great respect for the history of that 
office and all that it does. I think in terms of metadata 
helping, one thing metadata helps is to reveal co-conspirators, 
who is everybody you called and texted and emailed. In the old 
days, if you turned one co-conspirator in a criminal 
investigation, maybe you could get him to testify. Today, if 
you have a co-conspirator, you can give that person use 
immunity and compel them on pain of jail time to open up their 
phone for you, and then all the contents of everything they 
said to the main suspect are there plain for you to see.
    There is a much more complicated set of techniques for 
finding out how to get this information than the debate has 
often said, and so realizing the full range of capabilities 
that law enforcement has should be part of the debate as well.
    Mr. Vance. Senator, thank you. I did not know you had 
worked at the Manhattan D.A.'s office, but it is so nice to 
know that.
    If I may----
    Chairman Grassley. Go ahead, and then I will call on 
Senator Whitehouse.
    Mr. Vance. Actually it is a case that we spoke about with 
Federal colleagues. There are individuals who maintain content 
on their phone that is so incriminating and disturbing that, if 
given the option between an order by the court to--an order 
including immunity, some kind of immunity, use immunity to open 
the phone or contempt, the choice would be not to open the 
phone, number one.
    Second, in New York State Courts, at least, in the 
investigative level, we have transactional immunity as opposed 
to use immunity, which the Federal Government has. 
Transactional immunity means that if you provide testimony to a 
grand jury, not just that your words or what comes out of your 
mouth cannot be used at a future proceeding, but you are given 
an immunity bath about anything about which you testified. The 
professor's suggestion about ordering immunity in exchange for 
something in our courts would mean a person could commit crimes 
and simply be immune from prosecution altogether.
    Senator, the last thing I would like to say is that there 
is a question that really I would hope the Committee would ask. 
When we traveled to Apple last March to talk with them about 
these issues, the question that we had for them, which has yet 
to be answered, is, what was wrong, what was insecure, what 
evidence of bad things happening took place under iOS 7 that 
changed when it became iOS 8? I am not aware--at least I am not 
aware of that the Apple iPhones were insecure or that there 
were breaches as a result of the iOS 7 software, certainly as 
it pertained to access to the device itself.
    There are a lot of doomsday scenarios that are being 
portrayed about hacking, and I think all those should be taken 
seriously. It has yet to be identified what exactly was 
insecure about iOS 7 when in that format the Government--the 
company maintained a digital key as well as the user.
    Chairman Grassley. If it is okay with Senator Whitehouse, I 
am going to turn it over to you, and would you adjourn the 
meeting when you are done asking your questions?
    Senator Whitehouse. Once I have grilled the witnesses 
mercilessly for vast amounts of time?
    [Laughter.]
    Chairman Grassley. Can I also, since I will be leaving for 
a 12:30 meeting, could I say thank you for all of you. I 
suggested to the previous panel that we are continuing and 
enhancing a discussion in this area, and I am sure that you 
folks will feel free and want to and so you know we are open to 
it to continue your discussion with us and also to promote your 
points of view to maybe help us reach a point here where we 
find some effective process or compromise.
    Senator Whitehouse.
    Senator Whitehouse [presiding.] Thank you very much, 
Chairman Grassley. Let me welcome District Attorney Vance 
particularly here. I appreciate how busy the Manhattan D.A. is, 
and clearly it is a key matter for you when you have taken the 
trouble to prepare your testimony and come down here, and I 
appreciate it.
    I know also you have been trying to work with the tech 
sector to try to get some common understandings. How would you 
describe the nature and direction of those conversations?
    Mr. Vance. Senator, they are summarized in two letters 
appended to our written testimony--a letter to the general 
counsel of Google and to, I think, the chief legal officer at 
Apple. We had--I traveled last March to both companies to try 
to better understand their perspective and for them to 
understand ours. I believe that we had cordial and interesting 
meetings, but I was left at the end of those meetings with some 
important questions unanswered, and because of that, I wrote 
letters to both individuals asking for answers to those 
questions. Those--as I say, those letters are attached to my 
exhibit.
    Answers to questions we do not have, Senator, are, what 
exactly was the vulnerability of devices under iOS 7 versus iOS 
8?
    Senator Whitehouse. One is dated March 31st of this year; 
the other is dated April 1st, the following day, of this year. 
Have either been answered?
    Mr. Vance. To date, they have not been answered, and the 
question I asked to both, and I am quoting from the letter, 
``If Google kept a key so that it was able to unlock phones, 
would the phones be more vulnerable to hackers than if Google 
had no structure key? Is there a key or similar device that 
Google might keep without sacrificing the security of Android 
devices from hackers? Is there a way to measure or quantify the 
vulnerability of hackers of Android phones, A, if Google kept a 
key as compared to, B, if it did not keep a key?'' These, 
Senator, respectfully, I think are the questions that need to 
be answered in order to have an accurate assessment about 
industry's claim that they are going to be made unduly 
vulnerable and law enforcement's desire to gain access to 
evidence.
    Senator Whitehouse. When they do answer, may I ask you to 
send a copy of their answers to the Chairman and the Ranking 
Member so that they can be distributed to the Committee? The 
record of this particular hearing may well have closed, as it 
only lasts for 1 week, so good luck. If it does not come in in 
a week, if you could send it to Chairman Grassley and Ranking 
Member Leahy, then the Committee can distribute it to those of 
us who are interested in their responses. I would appreciate 
that if you would do so.
    Mr. Vance. Thank you.
    Senator Whitehouse. You also run an office that has an 
unusually wide array of offenses that you prosecute, everything 
from very simple low-level street crime to very significant 
financial fraud to national security investigations. Clearly, 
you have mentioned a couple of things. You have mentioned time-
sensitive investigations, a kidnapping or a child snatching 
where you need quick access to all the information you can. You 
have mentioned investigations where the content itself on the 
phone is criminal--pictures of child abuse and so forth. I know 
you have a vivid concern about national security.
    Could you just put for the record a little bit of context 
about any particular cases or types of cases that you could 
describe so that people who are not prosecutors on this 
Committee have a sense of how this plays out in the public 
safety responsibilities that you bear in those areas?
    Mr. Vance. I would be delighted to, Senator, and let me 
give you first an example of where the ability to open the 
phone itself was critical to obtaining justice in a serious 
case.
    In 2012, in our office, there was a murder. The murder was 
committed by a gunman who went into a room where a number of 
men were seated around, completely legally having a 
conversation, and one of the men in the room had his iPhone and 
was taping his friends as they were joking around and talking.
    When the door knock was heard, the young man with the 
phone, a father of two, turned his phone to the door, and in 
the door you could see on the iPhone a picture of a man with a 
gun. The man filming was shot and killed by the man with the 
gun whose picture is on the iPhone video. The iPhone video 
drops, the phone drops, and records the voice of the shooter 
threatening everyone in the room what he will do to them if 
they go to police--iOS 6. If that had been iOS 8, when that 
phone had dropped, the passcode to the phone would have died 
with its user. We would not have been able to obtain the actual 
killing itself memorialized on a video on the phone. We were 
able in that instance to obtain it, and he was sentenced to 35 
years to life after he was successfully prosecuted.
    In Evanston, Illinois, today, in a County--Cook County, 
where people are very concerned about gun violence--and Anita 
Alvarez, the D.A. there, who wrote a letter of support to this 
Commission Committee--in early December, a young father of six 
was murdered at gunpoint in the early morning hours. There was 
no surveillance video. There were no external ways that one 
could prove who came and who went. We also were--those 
prosecutors sent a search warrant and opening order to Apple 
and Google, and because those devices are operating--those 
phones that were recovered beside the victim were incapable of 
being opened under the technology, police and prosecutors are 
not able to gain access to those phones, and that homicide 
remains unsolved, the killer remained unapprehended.
    There are many, many, many, Senator, more instances that I 
could go to. We have included a number in our materials. One 
example I gave you shows how, if we had not had the ability to 
access the phone, we would not have been able to prosecute a 
murder case, and another one shows that today, with this new 
encryption technology, we are not able to get into the phone 
and obtain evidence which may well lead to understand who 
murdered the father of six.
    This is the State court experience every day in 3,000 
counties around the country. I have always thought it was 
ironic, personally, that the victims, the true victims of this 
security upgrade preventing search warrants to be executed on 
phones, the true victims are going to include the customers of 
Apple and Google themselves, who are going to be victims of 
crime and are going to be unable to have law enforcement access 
to phones of the conspirators that would prove they are the 
victims of crime. At the end of the day, Senator, I think this 
is a matter of such significance that it is a policy question 
which has to be decided by you, the lawmaker. It should not be, 
in my opinion, up to industry to say this is where we draw the 
line on access to information which we know may be critical not 
just on national security but on protecting our citizens in 
every city and town across the country.
    Senator Whitehouse. I would add particularly if they have 
no liability for what goes wrong and only the benefit for being 
able to market this technology.
    Mr. Lin, I think Senator Klobuchar is going to be joining 
us, so I am going to take a little bit of extra time here. You 
used the term ``NOBUS access,'' which is not a term I have 
heard before. The access that I think we are talking about here 
is an access that the company maintains, the service provider 
maintains, and until recently, always has, and then the 
operation of law under the Fourth Amendment to get a warrant 
and secure the information that is held by the company.
    Does NOBUS mean something different than what I just 
described?
    Dr. Lin. Sir, it depends on the context. If you imagine a 
company that for its own business reasons has decided never to 
provide key recovery or backup and so on to market that 
service, then NOBUS access is what--basically it says that the 
company itself does not have access, and then law enforcement, 
the U.S. Government, does have access to it under some means. 
And----
    Senator Whitehouse. That is not what anybody is asking for 
here. What we are asking for, at least to the extent that there 
is an ask on the table to be debated, is that there be a 
mechanism that has been the case heretofore where the company 
itself maintains access to the information and then yields it 
only when a judge has signed a search warrant that allows that 
information to be shared with law enforcement because law 
enforcement has proven probable cause that evidence of a crime 
is contained in that information.
    Dr. Lin. Under the circumstances you describe, the only 
purpose of asking the company to--of requiring the company to 
do it is, in fact, to provide Government access. That is the 
scenario that you just proposed.
    Senator Whitehouse. Yes.
    Dr. Lin. Effectively it does count, because the company 
itself by assumption has no reason to want to get to its data.
    Senator Whitehouse. They may have a reason to want to get 
to their data if they have an interest in helping law 
enforcement fight either terrorism or crimes in which the 
content is itself contraband, criminal content----
    Dr. Lin. Fair enough.
    Senator Whitehouse [continuing]. For and which there is an 
emergency with a family member lost and you need access to it. 
That is not a goal that a corporation necessarily would take no 
interest in, and I suspect if there were a civil liability 
component so that they own both sides of the risk equation, 
they might pretty quickly decide that this was a piece of the 
social safety net that protects all of us that is worth 
preserving. So----
    Dr. Lin. Sir, with the----
    Senator Whitehouse [continuing.] It would be their decision 
to make, of course, but I think it is not without meaning or 
value to a company to maintain that, and heretofore they have 
for a variety of other billing reasons and business reasons.
    Dr. Lin. I agree with you that if the world were adjusted 
in such a way that they did have liability, the business 
interests change. I think that is what you are proposing, and I 
think----
    Senator Whitehouse. Thinking about, anyway. I do not want 
to say I am proposing. If I were to propose it, you would see a 
bill. All I observe is that there is an imbalance in which the 
companies get the reputational and business value of being able 
to market their product as super-encrypted and unbreakable, but 
have none of the costs that society bears once evil people 
decide that they are going to take advantage of that technology 
and law enforcement remedies such as District Attorney Vance 
has elucidated are taken away by their technology.
    Dr. Lin. I love it as a research problem, and I am going to 
try to find some students who are going to work on it with me. 
The idea that you propose is not one that I have heard 
prominently in this debate, and it is a new idea, and----
    Senator Whitehouse. It is actually a really old idea. It 
goes all the way back to the earliest founding of the country 
where the Founding Fathers fought to have civil juries because 
they were worried that politicians might screw things up if 
there was no test where, back then 12 good men and true, now 12 
good people and true could make a decision about who was 
responsible for what kind of misconduct.
    Dr. Lin. The idea is new to this debate, and I commend you 
for--you know, thank you for introducing that into this debate. 
It is worth studying.
    Senator Whitehouse. Okay. I do not have confirmation 
Senator Klobuchar is actually on her way, so rather than run 
the proceedings out further, I will ask District Attorney Vance 
if he has any closing comments, and then close the hearing.
    Mr. Vance. Senator, I just thank you and all the Committee 
for inviting me and us here today. I understand that I must 
make a formal request to put letters that have come in to the 
Committee from victims' groups and law enforcement and have 
those----
    Senator Whitehouse. Without objection, the letters that you 
propose to us, as long as you get them into us within the week 
that the hearing is open, will be added to the record of the 
hearing.
    Senator Whitehouse. Thank you in turn for agreeing to 
provide the responses from the technology companies to the 
Chairman and to the Ranking Member whenever they come in. 
Indeed, here is Senator Klobuchar. Your timing is perfect. I 
was just about to give up, but here you are.
    I will turn the gavel over to Senator Klobuchar since it 
has been turned over to me, and all the mundane business of 
closing out the record and all that sort of stuff has been 
taken care of. You have the floor. You have your questions, and 
you have your panel, and I yield.
    Senator Klobuchar [presiding.] Okay. Thank you very much. 
Sorry I was late. We were at the White House--always a good 
excuse--trying to save the EXIM Bank. I appreciate you guys 
still hanging around here after a long hearing.
    I was here for the first hour of the testimony of the 
Deputy Attorney General and the FBI Director, and so I thought 
I would follow up on one question I was actually going to ask 
them, which was Apple's announcement with their new system last 
fall included a specific reference to the fact that the company 
could not circumvent encryption to assist law enforcement. It 
said, ``Unlike our competitors, Apple cannot bypass your 
passcode and, therefore, cannot access this data. It is not 
technically feasible for us to respond to Government warrants 
for the extraction of the data from devices in their 
possession.''
    I want to know if you are concerned about this kind of 
messaging sending a signal to consumers and other companies 
that they should be seeking encryption that prevents legitimate 
law enforcement access. I guess I would start with you, Mr. 
Vance. Thank you for your work also.
    Mr. Vance. Thank you. I know as a former prosecutor you 
understand it very well.
    Senator, first of all, like so many people here, I am an 
Apple/Google fan. I want to put that on the record. I wrote my 
remarks on an Apple laptop using Google Docs. I understand the 
value of what they do. I was very concerned when the iOS 8 came 
out and that marketing language was included on Apple's 
website. I think it does send a signal--it certainly sent a 
signal to me in law enforcement, and, by the way, I am not 
aware that Apple or Google had any dialog with law enforcement 
whatsoever before it conducted this upgrade to assess its 
potential impact. I was concerned. I addressed that concern to 
them directly when I traveled earlier this year, in March, to 
speak with them. I communicated it, and I do not believe that 
my conversations were enough to convince them to return to the 
status pre-iOS 8, which is really what ultimately I think was 
working. We had a system where, prior to September 2014, where 
I am not sure exactly what the risk was that was causing so 
much trouble. Apple has not identified how its phones were at 
risk on September 13th of 2014, but no longer at risk on 
September 17th of 2014. Part of the problem is you cannot get 
into the box. You are not really getting data about the impact 
of these matters by the company itself. What you are hearing is 
industry and experts saying this is going to have a big impact, 
this is--makes us much more vulnerable. I have yet to actually 
hear what was vulnerable about the Apple iPhone.
    Senator Klobuchar. I guess I would ask you, Dr. Lin and 
Professor Swire, in your view, to what extent are companies 
obligated to help law enforcement access data when they have a 
warrant in light of this announcement on the products?
    Dr. Lin. I am not the lawyer here, but it strikes me that 
if a company does not have the technological capability to do 
something, there is nothing it can do in response. That was----
    Senator Klobuchar. Suppose they would have the 
technological ability if they changed their product?
    Dr. Lin. If they did have the technological capability to, 
then I think they are obligated under all of the penalties that 
attend to not complying. I do not think there is any question 
about it. I do not think that anybody has disputed that.
    Senator Klobuchar. Professor Swire.
    Professor Swire. I would like to offer some observations, 
and this is partly responding to Mr. Vance's points, which are 
well taken, what was different the day before or the day after. 
I think as someone who teaches cybersecurity to grad students 
in computer science, I have a slightly different perspective of 
people living in that community, which is some things did 
change with Snowden, and in particular, the tech community was 
very surprised at how many things were broken in how many ways. 
As story after story came out, there were just a lot of 
different operating systems, a lot of different particular 
devices, et cetera, that turned out to be broken at scale.
    In their technical report issued yesterday by all the 
cryptographers, they talked about some jargon about perfect 
forward secrecy, but I think the English version of it is we do 
not want to have systems where, once they are compromised, they 
are broken at scale and millions of devices are compromised. 
The concern is when you have a master key sitting there, if 
that gets broken once--and a lot of things were broken--then we 
can have massive breaches at scale.
    When you see these very big flaws and bugs and breachers, 
customers start to expect an upgrade. What we have seen across 
the line from sophisticated customers wanting good security for 
their own products is better security than we had pre-Snowden. 
I think the Apple announcement, properly understood, is part of 
the upgrade the whole industry is trying to do because they 
found out they had flaws they did not know they had.
    Senator Klobuchar. Yes, I believe that. It is just having 
been a prosecutor in law enforcement when things were a lot 
simpler, I know that we would use this kind of data to track 
murderers, to track people who were on the loose who had hacked 
people up. I mean, these are not little things. I just remember 
being told by law enforcement, ``Well, we cannot say how we got 
that,'' you know? This is a long time ago. I mean, they were 
not violating the law. It is just that they were able to get 
that data. Now, if they cannot get that data, I am very 
concerned. You know, we are all thinking about cybersecurity 
and hacking, and my view of it is if the purpose is to protect 
people from hacking, if we just do nothing and do not go after 
the bad guys and just let them do it and we do not have access 
to be able to do it, it is just going to get worse.
    I understand this privacy concern, and that is why somehow 
allowing the law enforcement to get in to get this data and 
differentiating that from hackers and not equating law 
enforcement with hackers to me is the answer, because if you do 
not have law enforcement to go after the hackers, they are just 
going to keep doing it and finding new ways.
    Professor Swire. The point that I am making is a security 
concern, not primarily a privacy concern, which is, are we 
going to have systems that we know can be compromised at scale? 
We want to build systems that are not subject to that. We saw a 
lot of public reporting--a lot of which I wish we had not had 
as public reporting. We saw a lot of public reporting of hacks 
at scale, and the industry is responding by tightening up 
security.
    Senator Klobuchar. Mr. Vance.
    Mr. Vance. Certainly we have seen and are very concerned 
about hacks at the mass data level, but I am still not aware of 
someone or anyone hacking into Apple, grabbing the digital key 
that it held in my phone, which was only good for my phone, and 
that causing the digital chaos that is associated with either 
Snowden or Target or Home Depot.
    Senator Klobuchar. Target would be from Minnesota, so you 
might not want to use that exact example.
    [Laughter.]
    There are many others: T.J. Maxx.
    Mr. Vance. We have got JPMorgan. We have got plenty of our 
own.
    Senator Klobuchar. Nordstrom's. Okay.
    Mr. Vance. I understand there is a theoretical concern, but 
it seems to me that from everything we know, Apple held on to 
these individualized keys in a way that was secure unless 
something has happened that I do not know about.
    Professor Swire. Google and Apple both have fabulous 
security engineers, but there has been reporting that Google 
had a data base of the foreign intelligence targets that the 
FISA Court was going after that included a lot of information 
about Chinese nationals, and there has been reporting that the 
Chinese government got into that data base to know who had been 
compromised.
    We have some of the best computer security people in the 
world working at these companies and public reporting about 
breaches, so I do not think it is some abstract worry. It is 
something we have had reporting on.
    Mr. Vance. We should move them to the Phone Division.
    [Laughter.]
    Senator Klobuchar. Okay. Very good. I want to thank all of 
you, and I want to also thank you, Mr. Vance, for your good 
work on sex trafficking and what you have been doing.
    Mr. Vance. Thank you.
    Senator Klobuchar. I really appreciate that. As you know, 
Senator Cornyn and I had a bill that finally passed in the 
Senate that we hope will be helpful, but I want to thank you 
for that as well.
    Mr. Vance. Thank you also.
    Senator Klobuchar. All right. Thank you. I do not need a 
gavel. I will use the water. Did Senator Whitehouse or Senator 
Grassley cover the hearing record being open? Okay. The hearing 
is adjourned. All right. Thanks.
    [Whereupon, at 1:01 p.m., the hearing was adjourned.]
    [Additional material submitted for the record follows.]

                            A P P E N D I X

Miscellaneous submissions:

 Abelove, Joel E., letter.........................................   266

 Alvarez, Anita, letter...........................................   275

 American Civil Liberties Union (ACLU)............................   267

 Application Developers Alliance, July 8, 2015....................   254

 Association of Prosecuting Attorneys.............................   303

 Baker, Brooks T., letter.........................................   280

 Baker, Jean Peters, letter.......................................   279

 Brennan, Bridget G., letter......................................   282

 Brown, Richard A., letter........................................   283

 BSA/The Software Alliance........................................   262

 Budelmann, Jon E., letter........................................   284

 Cannizzaro, Leon A., Jr, letter..................................   285

 Civil Society Organizations, letter..............................   193

 Computer Science and Artificial Intelligence Laboratory Technical 
    Report........................................................   221

 Conley, Daniel F., letter........................................   286

 D'Amico, Joseph A................................................   293

 Farrell, James R., letter........................................   294

 Ferman, Risa Vetri, letter.......................................   295

 Fitzpatrick, William J., letter..................................   296

 Freeman, Michael O., letter......................................   297

 Gardner, Valerie G., letter......................................   298

 Grady, William V., letter........................................   299

 Gunning, Patricia, letter........................................   300

 Harms Caused by Edward Snowden...................................   376

 Hawk, Susan, letter..............................................   301

 Heggen, Karen A., letter.........................................   302

 Information Technology Industry Council and Accelerating 
    Innovation in Technology, Data & Media........................   220

 Intschert, Cindy F., letter......................................   305

 Jordan, J. Anthony, letter.......................................   307

 Kane, Kevin T., letter...........................................   350

 Kaye, David......................................................   199

 Kelly, Raymond W., letter........................................   352

 Kilmartin, Peter F., letter......................................   353

 Lacey, Jackie, letter............................................   354

 LaHood, Nicholas ``Nico'', letter................................   355

 Liberty and Security in a Changing World.........................   164

 Master, Daniel L., Jr., letter...................................   356

 Modafferi, Peter A., letter......................................   357

 Montgomery, Bill, letter.........................................   359

 Moore, Hillar C., III, letter....................................   361

 Moore, Michael, letter...........................................   363

 Murray, R. Andrew, letter........................................   364

 New America, Doomed to Repeat History............................   309

 Pennsylvania District Attorneys Association......................   306

 Purdue, Marsha King, letter......................................   366

 Rich, Ashley M., letter..........................................   367

 Rundle, Katherine Fernandez, letter..............................   368

 Safehorizon, letter..............................................   369

 Sarcone, John P., letter.........................................   372

 Sedita, Frank A., III, letter....................................   373

 Singas, Madeline, letter.........................................   378

 Stone, Isaac McDuffie, III, letter...............................   380

 Thomas, Tammy J, letter..........................................   276

 Thompson, Jonathan F., letter....................................   365

 Thompson, Kenneth P., letter.....................................   381

 Underhill, Rod, letter...........................................   382

 Various organizations, letter....................................   291

 Weirich, Amy P., letter..........................................   383

 Wetmore, Weeden A., letter.......................................   384

 Williams, R. Seth, letter........................................   385

 Wolfson, Steven B., letter.......................................   386

 Wong, Cynthia M..................................................   264

 Wylie, Andrew J., letter.........................................   387

 Zugibe, Thomas P., letter........................................   281
 
 
 
 
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
 
 


                                 [all]