[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]

DATA RETENTION AS A TOOL FOR INVESTIGATING INTERNET
CHILD PORNOGRAPHY AND OTHER INTERNET CRIMES
=======================================================================
HEARING

BEFORE THE

SUBCOMMITTEE ON CRIME, TERRORISM,
AND HOMELAND SECURITY

OF THE

COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES

ONE HUNDRED TWELFTH CONGRESS

FIRST SESSION

__________

JANUARY 25, 2011

__________

Serial No. 112-3

__________

Printed for the use of the Committee on the Judiciary

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

Available via the World Wide Web: http://judiciary.house.gov

__________

U.S. GOVERNMENT PRINTING OFFICE
63-873 PDF WASHINGTON: 2011
___________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.

COMMITTEE ON THE JUDICIARY

LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr., JOHN CONYERS, Jr., Michigan
Wisconsin HOWARD L. BERMAN, California
HOWARD COBLE, North Carolina JERROLD NADLER, New York
ELTON GALLEGLY, California ROBERT C. ``BOBBY'' SCOTT,
BOB GOODLATTE, Virginia Virginia
DANIEL E. LUNGREN, California MELVIN L. WATT, North Carolina
STEVE CHABOT, Ohio ZOE LOFGREN, California
DARRELL E. ISSA, California SHEILA JACKSON LEE, Texas
MIKE PENCE, Indiana MAXINE WATERS, California
J. RANDY FORBES, Virginia STEVE COHEN, Tennessee
STEVE KING, Iowa HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona Georgia
LOUIE GOHMERT, Texas PEDRO PIERLUISI, Puerto Rico
JIM JORDAN, Ohio MIKE QUIGLEY, Illinois
TED POE, Texas JUDY CHU, California
JASON CHAFFETZ, Utah TED DEUTCH, Florida
TOM REED, New York LINDA T. SANCHEZ, California
TIM GRIFFIN, Arkansas DEBBIE WASSERMAN SCHULTZ, Florida
TOM MARINO, Pennsylvania
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona

Sean McLaughlin, Majority Chief of Staff and General Counsel
Perry Apelbaum, Minority Staff Director and Chief Counsel
------

Subcommittee on Crime, Terrorism, and Homeland Security

F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman

LOUIE GOHMERT, Texas, Vice-Chairman

BOB GOODLATTE, Virginia ROBERT C. ``BOBBY'' SCOTT,
DANIEL E. LUNGREN, California Virginia
J. RANDY FORBES, Virginia STEVE COHEN, Tennessee
TED POE, Texas HENRY C. ``HANK'' JOHNSON, Jr.,
JASON CHAFFETZ, Utah Georgia
TIM GRIFFIN, Arkansas PEDRO PIERLUISI, Puerto Rico
TOM MARINO, Pennsylvania JUDY CHU, California
TREY GOWDY, South Carolina TED DEUTCH, Florida
SANDY ADAMS, Florida DEBBIE WASSERMAN SCHULTZ, Florida
BEN QUAYLE, Arizona SHEILA JACKSON LEE, Texas
MIKE QUIGLEY, Illinois

Caroline Lynch, Chief Counsel

Bobby Vassar, Minority Counsel
C O N T E N T S

----------

JANUARY 25, 2011

Page

OPENING STATEMENTS

The Honorable F. James Sensenbrenner, Jr., a Representative in
Congress from the State of Wisconsin, and Chairman,
Subcommittee on Crime, Terrorism, and Homeland Security........ 1
The Honorable Robert C. ``Bobby'' Scott, a Representative in
Congress from the State of Virginia, and Ranking Member,
Subcommittee on Crime, Terrorism, and Homeland Security........ 2
The Honorable Lamar Smith, a Representative in Congress from the
State of Texas, and Chairman, Committee on the Judiciary....... 4
The Honorable John Conyers, Jr., a Representative in Congress
from the State of Michigan, and Ranking Member, Committee on
the Judiciary.................................................. 5

WITNESSES

Mr. Jason Weinstein, Deputy Assistant Attorney General, United
States Department of Justice, Washington, DC
Oral Testimony................................................. 6
Prepared Statement............................................. 9
Mr. John M. Douglass, Chief of Police, Overland Park, KS;
International Association of Chiefs of Police, Alexandria, VA
Oral Testimony................................................. 16
Prepared Statement............................................. 18
Ms. Kate Dean, Executive Director, United States Internet Service
Provider Association, Washington, DC
Oral Testimony................................................. 23
Prepared Statement............................................. 25
Mr. John B. Morris, Jr., General Counsel, Center for Democracy
and Technology, Washington, DC
Oral Testimony................................................. 34
Prepared Statement............................................. 36

LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Prepared Statement of Ernie Allen, President and CEO, The
National Center for Missing & Exploited Children, submitted by
the Honorable F. James Sensenbrenner, Jr., a Representative in
Congress from the State of Wisconsin, and Chairman,
Subcommittee on Crime, Terrorism, and Homeland Security........ 56

APPENDIX
Material Submitted for the Hearing Record

Prepared Statement of the Honorable Henry C. ``Hank'' Johnson,
Jr., a Representative in Congress from the State of Georgia,
and Member, Subcommittee on Crime, Terrorism, and Homeland
Security....................................................... 77
Prepared Statement of the Honorable Ted Deutch, a Representative
in Congress from the State of Florida, and Member, Subcommittee
on Crime, Terrorism, and Homeland Security..................... 81

DATA RETENTION AS A TOOL FOR INVESTIGATING INTERNET CHILD PORNOGRAPHY
AND OTHER INTERNET CRIMES

----------

TUESDAY, JANUARY 25, 2011

House of Representatives,
Subcommittee on Crime, Terrorism,
and Homeland Security,
Committee on the Judiciary,
Washington, DC.

The Subcommittee met, pursuant to notice, at 10 a.m., in
room 2141, Rayburn House Office Building, the Honorable F.
James Sensenbrenner, Jr. (Chairman of the Subcommittee)
presiding.
Present: Representatives Sensenbrenner, Smith, Gohmert,
Goodlatte, Lungren, Poe, Griffin, Marino, Adams, Quayle, Scott,
Conyers, Johnson, Chu, Deutch, Wasserman Schultz, and Quigley.
Staff Present: (Majority) Caroline Lynch, Subcommittee
Chief Counsel; Arthur Radford Baker, Counsel; Sam Ramer,
Counsel; Lindsay Hamilton, Clerk; (Minority) Bobby Vassar,
Subcommittee Chief Counsel; Liliana Coronado, Counsel; Ron
LeGrand, Counsel; and Veronica Eligan, Professional Staff
Member.
Mr. Sensenbrenner. The Subcommittee will come to order.
Welcome to the first hearing in the 112th Congress of the
Subcommittee on Crime, Terrorism and Homeland Security.
I would especially like to welcome our witnesses and thank
you for joining us today.
I am joined today by my colleague from Virginia, the
distinguished Ranking Member of the Subcommittee, Bobby Scott;
by the Chairman of the full Committee, Lamar Smith from Texas;
and the Chairman emeritus, John Conyers of Michigan.
Today's hearing examines the role of data retention as a
law enforcement tool to investigate the distribution of child
pornography on the Internet and other online crimes. Many
Internet Service Providers, ISPs currently retain data that can
be used to identify the operator or user of an illegal Web
site. But not all ISPs retain this important data, and the
length of time such data is retained often varies from one
provider to the next.
The issue of data retention is not new. In 1999, then
Deputy Attorney General Eric Holder said that certain data must
be retained by ISPs for reasonable periods of time so that it
can be accessible to law enforcement. In the 12 years since Mr.
Holder's endorsement of data retention by ISPs, the size, scope
and accessibility of the Internet has increased exponentially.
The criminals can now use the Internet to facilitate almost any
crime, including illegal gambling, cigarette and prescription
drug distribution, and child exploitation. These criminals have
the luxury of cloaking themselves in the anonymity that the
Internet provides, making their apprehension significantly more
difficult.
When law enforcement officers begin an investigation and
develop information that will assist in identifying an
offender, they are often frustrated to find that information
relating describer information or information that would
otherwise identify the perpetrator is not retained in a uniform
manner. Current law already requires providers to preserve such
data upon the request of law enforcement, but the preservation
of data only works if the data has been retained.
Internet crimes are often complex, multi-jurisdictional and
international. This can result in protracted investigations
before law enforcement officers are in a position to request
data from the providers. When the information is developed
sufficiently to point investigators to the records they need,
it may be too late. Without uniform retention, the records that
are desperately needed to attribute communications to a certain
person or computer may be lost forever.
This issue not only impacts Federal investigations of
online crimes and national security matters but State and local
law enforcement investigations as well.
The International Association of Chiefs of Police adopted a
resolution in 2006 expressing its support for data retention to
aid in the investigation of crimes facilitated or committed
through the use of the Internet and telephony-based
communication services. Providing law enforcement officers with
an expectation that certain data will be available ensures that
our very limited police resources are properly assigned and are
not sent on wild goose chases for information that no longer
exists.
Simply put, no matter what type of investigation it is,
investigators ultimately have to identify the person at the
keyboard. The service providers hold the key to identifying the
person behind the screen name, an e-mail address or an Internet
protocol address. Retention of their records is paramount to
fighting crime in an Internet age.
It is now my pleasure to recognize for his opening
statement, the Ranking Member of the Subcommittee, the
gentleman from Virginia, Mr. Scott.
Mr. Scott. Thank you, Mr. Chairman, and I look forward to
working with you, as the new Chairman of the Subcommittee.
Today's hearing is meant to be an informational and fact-
finding proceeding to help us begin the conversation about the
desirability, feasibility and consequences of retaining data
regarding a consumer's Internet use.
No one disputes that mandated data retention can help the
identification and prosecution of those who engage in
trafficking of child pornography on the Internet. The question
is whether we--the question we should seek to answer however is
how we can best investigate such crimes, consistent with the
rights and liberties of all in society and consistent with the
cost-benefits of such a policy.
While we want to ensure the legitimate needs of law
enforcement are met to allow to investigate and prosecute
offenders who use the Internet to commit crimes, particularly
those who use it to commit sex crimes against children, it is
critical to understand the nature and scope of any problem
under current law before we purport to fix it.
Currently many companies already retained significant
amounts of subscriber data, some up to 12 months. Nonetheless
there is lack of empirical research about law enforcement's
requests under current law and the instances in which data is
not available.
We should also review what law enforcement is doing with
information that they presently have. I have been informed that
the private industry already forwards over 100,000 leads a year
to law enforcement, and less than 10,000 prosecutions have been
brought in the last 3 years. If we are looking for the
proverbial needle in a haystack, the last thing we need is more
hay.
As we review the current situation, we should also
recognize that there is a lack of clarity about the types
requests that law enforcement is presently making and whether
much of the desired information is already available.
For these reasons, we should consider whether we need a
comprehensive study of data retention, including current
practices and the costs associated with the various proposals
of data retention policy, among other questions. Some of the
questions are, what kind of data we are talking about
retaining, whether it is all the content or just the site
information? This way we will ensure that the public policy
ultimately adopted will be an evidence-based, cost-effective
policy.
But apart from technological and practical issues that must
be addressed, if we are to consider such policy, there are
other costs, societal costs, associated with data retention.
There are approximately 230 million Americans who use the
Internet, and there are serious privacy and First Amendment
concerns that are implicated in this discussion. We must ask
ourselves whether it is prudent to require telecommunications
companies to retain large amounts of personal and sensitive
information, which would be attractive targets for computer
hackers, about millions of Internet users in order to get a
miniscule number of users who engage in crimes against children
online. We need to consider alternative policies that
specifically target those suspected of wrongdoing without
requiring that innocent consumers compromise their rights to
privacy and free speech when they choose to use the Internet.
The notion of preserving large amounts of what amounts to
be virtual potential crime scenes is a backward and possibly
ineffective way to go about going about the important business
of protecting our children. This is particularly true when the
unintended collateral consequences of such a policy on
industry, private interests, and on free speech may be
substantial, as some of the witnesses will explain today.
And when we consider the rights of privacy about retained
data, we should also consider--we should also take the
opportunity to consider retaining information on gun purchases
by those enjoying their Second Amendment rights.
Final point to keep in mind in our discussion is that
several aspects of the mandated data retention policy run
counter to the idea that we should always consider the cost-
benefit implications of any new regulations. Data retention
policy can be expensive. This is a huge government expense. And
just to get a sense of the possible costs, Congress
appropriated $500 million to implement the Communications
Assistance Law Enforcement Act a few years ago. This did not
involve ongoing costs such that data retention will. Should the
industry be expected to absorb some of the costs, we should be
clear about what the costs are and what the benefits will be.
So I look forward to hearing testimony from our witnesses
and hope we can have a productive conversation about the
complexities of data retention policies.
Thank you, Mr. Chairman, for holding the hearing today.
Mr. Sensenbrenner. Thank you, Mr. Scott.
The Chair now recognizes the distinguished Chairman of the
Committee, the gentleman from Texas, Mr. Smith.
Mr. Smith. Thank you, Mr. Chairman.
Mr. Chairman, like you, I thank our witnesses for being
here today, and it is nice to be on the same side as the
Administration, or maybe I should say, I am glad they are on
our side, but it works well regardless.
Also I want to mention, Mr. Chairman, that I heard Mr.
Scott's remarks right now, and I am absolutely confident that
we will be able to find that balance between protecting privacy
and also protecting children. Mr. Scott mentioned having a
productive conversation on that subject, and I look forward to
that as well.
Mr. Chairman, it may be difficult to believe, but according
to the U.S. Justice Department, trafficking of child
pornography images was almost completely eradicated in America
by the mid-1980's. Purchasing or trading child pornography
images was risky and almost impossible to undertake.
The advent of the Internet reversed this accomplishment.
Today child pornography images litter the Internet, and
pedophiles can purchase, view or exchange this disgusting
material with virtual anonymity.
Parents who once relied on the four walls of their homes to
keep their children safe are now faced with a new challenge.
The Internet has unlocked the doors and opened windows into our
homes. FBI Director Robert Mueller told this Committee in April
2008 that, ``Just about every crime has gravitated to the
Internet, and in certain cases the Internet has provided the
vehicle for expansion that otherwise would not be there, and
this is certainly true with child pornography.''
The statistics reflect just how serious the problem of
child exploitation has become. Since the National Center for
Missing & Exploited Children, NCMEC, created the cyber tip line
12 years ago, electronic service providers have reported almost
8 million images and videos of sexually exploited children.
According to that organization, child porn images increased
1,500 percent between 1995 and 2005, an average increase of
over 100 percent a year. The number of reports to a cyber tip
line of child pornography, child prostitution, child sex
tourism, child sexual molestation, and online sex enticement of
children increased from 4,500 in 1998 to 102,000 in 2008. An
average increase of over 200 percent per year.
As many as one in three kids have received unsolicited
sexual content online, and one in seven children has been
solicited for sex online. More robust data retention will
certainly assist law enforcement investigators on a wide array
of criminal activity, but such a requirement would be
especially helpful in the investigation of child pornography
and other child exploitation matters. The investigation of
these types of cases has become increasingly more complicated,
and perpetrators have become increasingly more sophisticated in
their methods of concealing their activities.
When law enforcement officers do develop leads that might
ultimately result in saving a child or apprehending a
pornographer, their efforts should not be frustrated because
vital records were destroyed simply because there was no
requirement to retain them. Every piece of discarded
information could be the footprint of a child predator.
Last Congress I introduced the Internet Stopping Adults
Facilitating the Exploitation of Today's Youth, SAFETY, Act of
2009. Among other things, the bill required providers to retain
records pertaining to the identity of an IP address user for at
least 2 years. It ensures that the online footprints of
predators are not erased.
Data retention preserves critical evidence from the online
crime scene so that investigators can apprehend the predator
and potentially save a child from further exploitation.
The Internet has proved to be of great value in many
aspects of our lives, but it has also evolved into a virtual
playground for sex predators and pedophiles, and facilitated
nearly effortless trafficking of child pornography. The loss of
a child's innocence or, even worse, their life is simply too
high a price to pay for not retaining certain data for a
reasonable amount of time.
I look forward to hearing from our witnesses and working
with them to combat one of fastest growing crimes in America.
Thank you, Mr. Chairman, I yield back.
Mr. Sensenbrenner. The Chair now recognizes the
distinguished new Chairman emeritus of the full Committee, the
speaker being the old Chairman emeritus, the gentleman from
Michigan, Mr. Conyers.
Mr. Conyers. Thanks, Chairman Sensenbrenner.
It is with some reluctance that I join the rank of ex-
Chairmen like you, but here we are all together, working.
This bipartisan thing is really getting frightening because
we are all waiting with anticipation tonight at 8 o'clock to
find out just how far the 44th is carrying this thing.
Already Chairman Smith and the Department of Justice have
hooked up people like the Constitution Project, ACLU, and David
Cole; I won't mention myself, because I will be sitting next to
a Republican tonight, and I don't want to get any flack. But I
suppose this hearing is very necessary, but I am impressed with
what the Center for Democracy and Technology is doing, along
with the other dissidents that I have listed.
I am worried about privacy rights. And data retention
creates, as Bobby Scott has said, it creates some big problems,
including identity theft. I think the Internet industry ought
to be concerned about this, and let's see where we can go on
it.
Now if this cooperation continues in the Committee, this
Subcommittee, we have got to look at the Federal prison system.
There are a number of other projects that perhaps the
Department of Justice and the Subcommittee on Crime can be
working on. I look forward to working with all of you on this
subject.
Thanks, Chairman Sensenbrenner.
Mr. Sensenbrenner. Thank you very much.
Without objection, other Members' statements will be made a
part of the record.
And without objection, the Chair will be authorized to
declare recesses during votes in the House.
It is now my pleasure to introduce today's witnesses.
Jason Weinstein serves as deputy assistant attorney general
with the Department of Justice. He has also served as a special
investigative counsel in the Justice Department's Office of the
Inspector General and as assistant U.S. attorney in the
southern district of New York. Mr. Weinstein previously served
as chief of the Violent Crime Section in the U.S. Attorney's
Office in Baltimore where he developed Project Exile, a multi-
agency effort to curb violent crime in that state. He received
has Bachelors of degree in politics from Princeton and his J.D.
From George Washington University Law School in 1994.
Without objection, Mr. Weinstein's statement and the other
witness's statements will appear in the record.
Each witness will be recognized for 5 minutes to summarize
their written statement, and the Chair recognizes Mr.
Weinstein.

TESTIMONY OF JASON WEINSTEIN, DEPUTY ASSISTANT ATTORNEY
GENERAL, UNITED STATES DEPARTMENT OF JUSTICE, WASHINGTON, DC

Mr. Weinstein. Good morning, Chairman Sensenbrenner,
Chairman Smith, Chairman Emeritus Conyers, and Ranking Member
Scott, and Members of the Subcommittee.
And Mr. Chairman, although I was rooting for the Bears, let
me congratulate you on the Packers making the Super Bowl.
Mr. Sensenbrenner. You are forgiven.
Mr. Weinstein. As we all know, the explosive growth of the
Internet and other modern forms of communication has
revolutionized nearly every aspect of our lives, but at the
same time, it has also revolutionized crime.
Increasingly the Internet and other forms of electronic
communication are exploited by criminals to commit a staggering
array of crimes, from hackers who steal tens of millions of
bank card numbers to gang members who issue orders to murder
their rivals to predators who sexually abuse children and post
images of that abuse online and, of course, to terrorists.
These criminals take advantage of the Internet because of
its global nature and because of the speed with which it allows
them to operate. Unfortunately, as an added benefit to them,
the Internet also affords them a kind of anonymity.
Federal, State and local law enforcement officers who
investigate and prosecute these crimes need to have certain
information about the identities and the activities of these
criminals who commit them in order to identify and arrest the
perpetrators. That information is noncontent data; that is, it
is data about the criminals and their communications with
others as opposed to the content of those communications.
The government, under current law, is allowed to use lawful
process, which is typically a subpoena, a court order or search
warrant, to require providers to furnish that data. But those
authorities are only useful if the data is still in existence
at the time the government seeks to obtain it. And for that
reason, data retention by companies that provide the public
with Internet and other communication services is fundamental
to our ability to protect public safety.
Currently, despite the diligent and efficient work by law
enforcement officers at all levels, critical data has too often
been deleted by providers before law enforcement can obtain
that lawful process. This gap between providers' retention
practices and the needs of law enforcement can be extremely
harmful to investigations that are critical to protecting the
public from predators and other criminals.
And the problem is exacerbated by the complexity of
investigating crimes committed using online means. These crimes
are difficult to detect, and they may not be discovered or
reported to law enforcement until months and months have gone
by.
And they are even more difficult to investigate. They often
involve the time-consuming process of obtaining evidence from
overseas. They often require months and months of work
obtaining records from a series of providers as agents attempt
to follow the trail of steps used by criminals to try to cover
their tracks and render themselves anonymous.
Unfortunately, when providers have not retained the data
that is needed for a sufficient period of time, important
investigations of serious crimes may come to a dead end. To be
sure, most providers are cooperative with law enforcement, and
for that, we are appreciative. Many providers, in fact, already
collect the types of data that we need to solve crimes, because
they use that data to operate their networks or for other
commercial purposes. The problem is often simply that that data
is not retained long enough to meet the needs of public safety.
However, some providers simply don't retain the needed data
at all. Provider retention policies that are in place vary
widely across the industry, and they are subject to change at
will. In short, the lack of adequate, uniform and consistent
data retention policies threatens our ability to use the legal
tools Congress has provided to law enforcement to protect
public safety.
Now, in setting the retention policies and practices,
companies are often motivated by a completely understandable
desire to control costs and to protect the privacy of their
users. But those factors must be balanced against the cost to
public safety of allowing criminals to go free. And truly
protecting privacy requires not only that we keep personal
information from the criminals who seek to steel it but also
that we ensure that law enforcement has the data that it needs
to catch and prosecute those same criminals.
Developing an appropriate and effective data retention
requirement will mean balancing all of the interests involved:
balancing the impact on privacy, the provider costs associated
with retaining data for longer periods, and the cost to public
safety when critical data noncontent data has been deleted.
Congress has a critical role to play in fostering that
discussion and in balancing those interests, and today's
hearing is an important step in that process.
As we embark on this discussion, it is important to be
clear that this debate is not about giving the government, not
about giving law enforcement new authorities. It is simply
about making sure that data is available when law enforcement
seeks to use the authorities that Congress has already
provided.
My primary goal here today is to explain the nature of the
public safety interest in data retention. Today I am not in a
position to propose a particular solution, but the Justice
Department looks forward to working with Congress, with
industry, and with other interested groups as we seek to
develop just such a solution.
I thank you for the opportunity to discuss this important
issue with you this morning, and I would be pleased to answer
your questions at the appropriate time.
[The prepared statement of Mr. Weinstein follows:]
Prepared Statement of Jason Weinstein
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
__________

Mr. Sensenbrenner. Thank you, Mr. Weinstein.
John M. Douglass serves as the chief of police for the
Overland Park Police Department in Kansas. He began his law
enforcement career with the Overland Park Police Department in
1973. He currently serves as cochair of the National Advisory
Committee for the Regional Computer Forensic Lab System. He has
served in numerous positions during his tenure with the
Overland Park Police Department as well as other various
professional positions, including the past president of the
Kansas Association of Chiefs of Police. Chief Douglass has
received numerous awards, including the Clarence M. Kelly Award
For Excellence in Criminal Justice Administration in 2000, the
Evelyn Wasserstrom Award and Clarence Barrow Peacekeeper Award.
Chief Douglass received his Bachelor's degree from the
University of Kansas and his Masters degree in public
administration also from the University of Kansas.
Mr. Douglass.

TESTIMONY OF JOHN M. DOUGLASS, CHIEF OF POLICE, OVERLAND PARK,
KS; INTERNATIONAL ASSOCIATION OF CHIEFS OF POLICE, ALEXANDRIA,
VA

Chief Douglass. Thank you, Mr. Chairman, Members of the
Subcommittee.
As stated, my name is John Douglass, and I serve as the
chief of police in Overland Park, Kansas, a suburb of Kansas
City. I am here today on behalf of the International
Association of Chiefs of Police, representing over 20,000 law
enforcement executives in over 100 countries throughout the
world.
I am pleased to be here this morning to discuss the
challenges currently confronting the U.S. law enforcement
community and our need for further clarity on data retention
issues.
In the United States, there are more than 18,000 law
enforcement agencies and well over 800,000 officers who patrol
our State highways and streets of our communities each and
every day.----
Mr. Scott. Could you pull your microphone?
Chief Douglass. Yes, sir, I am sorry.
A great number of these officers also survey the Internet,
phone and data logs, and other electronic communication as they
investigate crimes. Each day Federal, State, and local tribal
law enforcement agencies are investigating cybercrime cases,
ranging from bank intrusions, to fraud, intellectual property,
terrorism, economic espionage and, unfortunately, innocent
images or child pornography crimes.
Data preservation is a key component in any investigation.
When criminals access the Internet through an ISP or Internet
Service Provider or they send text messages, e-mails and other
data, it creates important records and other information. In
every case where criminal or civil action is envisioned, there
is a clear need to preserve third-party logs and business
records related to these connections which specifically
demonstrate that a suspect's service provider is connecting
with a victim's service provider or through another
infrastructure en route.
When law enforcement suspects that a crime has been
committed, we request a subpoena, court order or search warrant
to obtain critical evidence from the service provider, such as
customer records, connection information or stored data.
Take, for example, a case from southern California which
would not have been solved without the cell phone data from
Verizon Wireless. On July 26th, 2006, 22-year old Tori Vienneau
and her 10-month infant son, Dean, were murdered in their two-
bedroom apartment in San Diego. Tori was found strangled in her
living room, and Baby Dean was found strangled and hung from
his crib in one of the adjoining bedrooms.
This horrifying crime scene triggered an exhaustive 18-
month investigation. The case was ultimately solved exclusively
by the circumstantial evidence, including cell text message
content and cell tower data from Verizon Wireless. The
defendant denied any involvement in the killings and provided
an intricate and extensive alibi.
Investigators focused their attention on Dennis Potts
almost immediately because he was rumored to have had dinner
plans with Tori on the night of her murder. Mr. Potts denied
these rumors of dinner plans, and the victim's cell phone was
examined for any text messages between the two of them
supporting or refuting such rumors.
In a most interesting twist, all incoming and outgoing text
messages prior to 6:30 p.m. on the night of the killings had
been deleted. The victim's cell phone provider was contacted,
but the text message content was not stored by the cell
provider and, therefore, could not be recovered that way.
Over the ensuing months, the victim's phone was subjected
to be extensive forensic analysis in the hopes of recovering
some of these message. The defendant's cell phone carrier,
Verizon Wireless, was also contacted, and investigators were
told incoming text message content, victim-to-defendant text
only, was preserved for only 3 to 5 days. But in a stroke of
good luck, this incoming data still existed and was preserved.
And it later proved to be pivotal in proving the
defendant's guilt. The text message content proved not only
that the defendant lied to investigators and that the two did
in fact have plans to meet that evening, but also that the
defendant was checking to see if the victim and her son were
alone in the apartment.
Verizon also provided the cell tower data from the
defendant's phone. This data, coupled with some additional
testing, showed the defendant's alibi was false, and he was not
where he said he was. Furthermore, at the time of the killings,
his cell phone pinged off a cell tower only 500 yards from the
victim's apartment. This became the single most important piece
of evidence in linking the defendant to the killings.
Clearly, preserving digital evidence is crucial in any
modern day criminal investigation. While law enforcement does
have success obtaining evidence through the appropriate legal
process, because we are extremely aware of spoliation concerns,
we are not always successful. Many times we face obstacles in
our investigations, from the differing locations of victims to
their locations of the perpetrators.
In closing, Federal, State, tribal and local law
enforcement are doing all that we can to protect our
communities from increasing crime rates and the specter of
terrorism both online and in our streets, but we cannot do it
alone. We need the full support and the assistance of the
Federal Government and clear guidance and regulations on data
retention to aid us in successfully investigating and
prosecuting the most dangerous of criminals.
[The prepared statement of Chief Douglass follows:]
Prepared Statement of John M. Douglass
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

__________

Mr. Sensenbrenner. Thank you very much, Chief.
Kate Dean serves as the executive director of the United
States Internet Service Provider Association. Ms. Dean has been
active in telecommunications and Internet policy in Washington,
D.C., for more than 10 years and is a member of the
International Academy of Digital Arts and Sciences. She started
her own firm in 2006, where, in addition to continuing to work
with US ISPA, she volunteers with an organization in Singapore
that brings healthy sanitation solutions to underserved
villages in the developing world. And he received her bachelor
degree in 2000 from American University.
Ms. Dean.

TESTIMONY OF KATE DEAN, EXECUTIVE DIRECTOR, UNITED STATES
INTERNET SERVICE PROVIDER ASSOCIATION, WASHINGTON, DC

Ms. Dean. Chairman Sensenbrenner. Ranking Member Scott.
Mr. Sensenbrenner. Could you pull the mike a little closer
to you?
Ms. Dean. I sure can.
Mr. Sensenbrenner. Thank you.
Ms. Dean. My name is Kate Dean, and I am the executive
director of the United States Internet Service Provider
Association or US ISPA. Since January 2002, our members major
Internet service, network and portal providers, have focused on
policy and legal concerns related to law enforcement compliance
and security matters, including ECPA, CALEA, cyber security and
notably the fight against online child exploitation. For years
US ISPA and our members have participated in efforts to examine
the issue of data retention, particularly in a content of child
exploitation, including past dialogues with the Department of
Justice and with State and local law enforcement.
We welcome the opportunity to continue the discussion
today. Before addressing data retention, I would like to tell
you about our efforts in the child protection arena. In 2005,
we published ``Sound Practices for Reporting Child
Pornography,'' a joint project between US ISPA and the National
Center for Missing & Exploited Children.
We updated those practices to reflect new requirements put
in place by the 2008 passage of the Protect Our Children Act, a
bill US ISPA strongly supported.
Last year we developed sound practices for subpoena
compliance with the National Association of Attorneys General.
We also supported the Online Safety and Technology Working
Group, which reported to Congress in June with their
examination of industry reporting practices and data retention.
US ISPA members have been active in various internet safety
task forces, including the Technology Coalition and the
Financial Coalition Against Child Pornography. Members maintain
24-by-7 response capabilities, offer law enforcement guides,
frequently interact with the ICAC and conduct training for
investigators and prosecutors.
As I hope our actions demonstrate, US ISPA is committed to
the fight against online child exploitation. And we support law
enforcement efforts to bring online criminals to justice,
especially those who harm children. We fully appreciate the
critical role that electronic evidence plays in those efforts.
Service providers report tens of thousands of incidents of
apparent child pornography each year to NCMEC. And because of
the Protect Our Children Act, all providers are now required to
sent robust reports, including subscriber information,
historical and geographic data, and the images themselves
through NCMEC's cyber tip line.
At the time of receipt, providers automatically preserve
the account and hold onto data for 90 days, awaiting legal
process. The novel approach to preservation adopted in the
reporting statute was derived from preservation authority that
has long existed in the Electronic Communications Privacy Act.
ECPA gives law enforcement the authority to require providers
to preserve evidence needed for investigations for up to 180
days without issuing legal process. We believe that effective
use of preservation, a targeted, valuable tool, is key to
addressing law enforcement's needs.
US ISPA has carefully examined past data retention
proposals and each time has concluded that a uniform retention
mandate is certain to present significant challenges to the
communications industry, as well as myriad unintended
consequences. These challenges include the potential conflict
of new obligations and regulatory burdens; new questions about
user privacy and the standards for law enforcement access to
stored data; technical and security risks; and delay when
retrieving data, all which could negatively effect law
enforcement investigations.
Many of these challenges have plagued the European Union's
attempt at implementation of its data retention directive. As
we discuss the issue here today, a similar dialogue is taking
place within the EU as they reassess their approach and
consider alternatives, like preservation.
Unlike preservation, data retention raises tough questions
about breadth, scope, duration, liability and costs, costs that
go well beyond mere dollars. These are all critical
considerations that require close examination by industry and
by Congress.
In closing, US ISPA remains committed to an open dialogue,
but we have concerns about the effectiveness and implementation
of mandatory data retention. We worry about the indirect costs
to innovation, privacy and the speed and accuracy of
investigations. Based on our experiences, we continue to
believe that targeted approaches like preservation are the best
and most effective use of available resources. We appreciate
this opportunity to present our views on this topic and look
forward to working with you and your staff.
[The prepared statement of Ms. Dean follows:]
Prepared Statement of Kate Dean
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

__________

Mr. Sensenbrenner. Thank you, Ms. Dean.
John B. Morris, Jr., serves as general counsel at the
Center for Democracy and Technology in Washington, D.C. He is
director of the Internet Standards Technology and Policy
Project. He is also involved in the Center for Democracy and
Technology's work on cyber security, privacy and neutrality.
Prior to joining the center, Mr. Morris was a partner in the
law firm of Jenner & Block. Additionally, Morris has served as
director of CDT's Broadband Access Project. He received his
Bachelors degree from Yale and his J.D. From Yale Law School.
Mr. Morris.

TESTIMONY OF JOHN B. MORRIS, JR., GENERAL COUNSEL, CENTER FOR
DEMOCRACY AND TECHNOLOGY, WASHINGTON, DC

Mr. Morris. Thank you very much, Chairman Sensenbrenner,
Ranking Member Scott, Chairman Smith and Chairman Emeritus
Conyers and the Members of the Committee.
On behalf of the Center for Democracy and Technology, I
would like to thank you for the opportunity to testify today.
Child pornography is a horrific crime, and we applaud the
efforts by this Congress and this Subcommittee to increase the
resources available to prosecute this crime.
A data retention mandate would raise a number of serious
privacy and free speech concerns. At a time when there is a
growing concern about privacy and identify theft, a growing
concern about the commercial misuse of personal data and a
growing concern about the intrusion of the Federal Government
into the personal lives of American citizens, Congress should
be very hesitant to require service providers create databases
to track the Internet activities of 230 million innocent
Americans.
This morning I would like to set aside briefly the privacy
and free speech concerns that I addressed in my written
testimony and instead focus on the fact that a data retention
mandate would harm innovation and competition on the Internet
and harm the ability of the American Internet industry to
compete in the global online marketplace, which in turn
directly effects the ability of users to be able to participate
and speak on the online market.
Ms. Dean addressed the data retention concerns that the
Internet Service Providers have. Let me look at the other end
of the communication and then address proposals by law
enforcement that source data be retained by any online services
that allow users to communicate with each other. And the
proposal that has been made to have services like Yahoo or
Google or Facebook retain data is truly breathtaking and would
be devastating to the Internet services, both to existing
services and certainly to new innovators and startup services.
The reach of the proposal cannot be underestimated. The
proposed mandate that would reach most Web sites and online
services, including all Web 2.0 sites, all social networking
sites, all blogs, all sites that allow political or other
commentary, the great majority of e-commerce sites and almost
all modern news sites, like the NewYorkTimes.com or
FoxNews.com.
And the scale of what law enforcement is proposing is also
astounding. Looking just at Facebook as an example, Facebook
users post in the neighborhood of 2 billion chat messages every
single day. When combined with other postings, Facebook alone
would have to create and maintain a data retention database
containing more than 1 trillion new records every single year.
The size of Facebook's data retention database alone would be
larger than all of the content that the Library of Congress has
put online to date.
Looking beyond Facebook, in 2009, there were 247 billion e-
mail messages sent every single day. And law enforcement is
asking Congress to order that every single one of these
messages be recorded and tracked. Over the course of a year,
this mandate would require a database of more than 90 trillion
records. And this does not even include chat or instant
messaging, which is supplanting e-mail as a preferred method of
person-to-person communications.
Who would pay for this? Internet users would pay for this.
And what would the impact of this burden be on online services?
Some larger companies might survive, but smaller companies
would likely be run out of business. Imposing an unfunded
Federal mandate on anyone who allows users to communicate
online can only have one result: There will be fewer businesses
able to compete in the online marketplace, this will entrench
the large providers, harm competition, harm innovation and
ultimately harm users. Congress should not mandate the creation
of an Orwellian tracking database with hundreds of trillions of
records tracking innocent citizens wherever they go online.
As a final critical point addressing the child pornography
context, I have worked in this space a fair amount over the
last 10 years, and every task force I serve on, every working
group I serve on, I learned that law enforcement is overwhelmed
with these cases. They don't have enough prosecutorial
resources to prosecute all of the cases that they have. And so
I really urge the Congress to look at the question as to
whether adding more data and more data retention will in fact
lead to more prosecutions of this horrific type of crime.
The voluntary retention and data preservation orders allow
law enforcement to target suspected criminals, and we urge the
Subcommittee not to go down the path of imposing data retention
mandates on this entire industry.
[The prepared statement of Mr. Morris follows:]
Prepared Statement of John B. Morris, Jr.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
__________

Mr. Sensenbrenner. Thank you, Mr. Morris.
The Chair has written down the approximate order of
appearances of the Members of the Subcommittee and will call on
Members for 5 minutes in the order in which they appeared,
alternatively by side.
And I will start by recognizing myself for 5 minutes.
And I want to direct my question to Ms. Dean. It seems to
me that one of the problems that exists in this area is that
there is not a uniform standard for how long the data has to be
retained. It varies by Internet Service Provider. Would your
association be willing to propose such a voluntary compliance
order, picking a time and cooperation with law enforcement for
the retention of this data in order to eliminate Congress
stepping in?
Ms. Dean. Thank you, Mr. Sensenbrenner, thank you Chairman.
First of all, I guess I should say that we are here today
because we are interested in the conversation, and we are
interested in all opportunities to sit down with law
enforcement and figure out if there is a solution to this
problem that they describe today.
US ISPA is always willing to be part of the dialogue with
law enforcement at all levels. And I think that the questions
that have been raised already today in opening statements are
really what we should have the discussion about. We really need
to learn more from law enforcement about the breadth of this
kind of a requirement. Who do they want to keep data and
specifically what kind of data do they want kept and for how
long?
Mr. Sensenbrenner. Well, let me say that I am a firm
believer in carrots and sticks, and I am tossing you a carrot
now. I think that there is a desire on the part of both the
Administration and Congress to legislate in this area. I am
giving you or tossing an oar for you to put in the water to try
to bring your industry together to deal with this problem on a
voluntary basis.
And Mr. Morris has had a whole long list of questions that
need to be answered. The fact is, is if you aren't a good
rabbit and don't start eating the carrot, I am afraid that we
are all going to be throwing the stick at you. So this is an
opportunity for you to come up with some kind of a solution to
all of the problems that both law enforcement and Mr. Morris
have discussed. Are you on board, or should I take the oar
back?
Ms. Dean. I can tell you that I have heard you, and I am
sure that my members have heard you as well, and they are
dedicated to this issue, and we will absolutely sit down with
law enforcement.
Mr. Sensenbrenner. Okay, we are listening.
I yield back the balance of my time.
The gentleman from Virginia, Mr. Scott.
Mr. Scott. Thank you.
Mr. Morris, you talked about the cost of this data
retention kind of in general, can you give something with a
dollar sign in front of it, percentage of sales? What are we
talking about in terms of cost?
Mr. Morris. Truthfully, Mr. Scott, I can't give you dollar
signs.
Mr. Scott. Well, some of these data retention services
retain huge amounts of data with negligible costs. Are we
talking about anything significant?
Mr. Morris. Yes. I think that simply the challenge of
creating a database that would allow access to literally
trillions of records is an enormous financial cost.
Mr. Scott. Can you give something with a dollar sign in
front of it, some numbers?
Mr. Morris. I can't. One dollar sign I can give is that the
vast majority of content and Web sites on the Internet are
available for free, for $0 to their users. And those sites are
very close to the line on a day-to-day basis as to whether they
will make money or not make money. And the extra cost of any
sort of Federal mandate would be very debilitating to those
sites.
Mr. Scott. Ms. Dean, you have been offered carrots and
sticks. Right now, is it true that your industry is providing
approximately 150,000 leads to law enforcement every year?
Ms. Dean. In terms of the reporting apparent incidences of
child pornography to the national center according to statutory
obligations, I believe the number is somewhere around there.
For the record, we could find out from NCMEC what the precise
number is.
But yes, service providers do report tens of thousands of
reports a year, and they are----
Mr. Scott. Now the way you reported, you have some kind of
mechanism where somebody is sending a picture, and you can
ascertain whether it fits a profile of what is known child
pornography and that goes right to law enforcement; is that
right?
Ms. Dean. Well, the standard that service providers are
required to transmit the images for referral to NCMEC is
apparent. We don't know what is and is not child pornography.
So when we, by either technical means or from user complaints,
come upon such material, we box it up with all of the
information that we have and transmit it to NCMEC.
Mr. Scott. Mr. Weinstein, when you get this information,
what do you do with it? I mean, you have got about 400,000 the
last couple of years; you have hundreds of thousands of leads.
Do you have the staff to follow through on those leads today?
Mr. Weinstein. Ranking Member Scott, let me actually
address both of those in order.
When law enforcement gets referrals from NCMEC, from the
national center, those referrals are distributed to law
enforcement at the Federal level, depending on the part of the
country that the referral comes from.
Under the PROTECT Act of 2008, there is a mandatory 90-day
retention period by ISPs that kicks in when those ISPs actually
discover or become aware of possible child pornography, and
they make a referral to the cyber tip line, as Ms. Dean
indicated.
The problem with that requirement, although it is a useful
tool, is that it is limited in its effectiveness. Number one,
it doesn't apply to other types of crimes beyond child
exploitation, but even just within the realm of child
exploitation, that obligation to retain and to report only
kicks in when the ISP has actually discovered or become aware
of the child pornography. And the statute doesn't impose any
obligation on the ISP to do any monitoring of the network or to
make any affirmative efforts to filed the child porn.
Mr. Scott. Wait a minute. Can you keep up with the tips
that you have coming in today? And you know that with across-
the-board budget cuts, you are looking at a loss of potentially
thousands of FBI agents. Can you keep up with the tips that you
are getting today?
Mr. Weinstein. Well, it is fair to say that the scope of
the problem far outpaces the resources we have available to
fight it.
Mr. Scott. Now you mumbled something about all crimes, if
we pass something of data retention, is it true that this might
be used for all crimes, not just child pornography?
Mr. Weinstein. Well, it is my view that if Congress were to
go down this road and actually create a data retention
requirement, that it makes the most sense for it to apply to
all crimes not just to child exploitation.
Mr. Scott. And all of this information, now is the
information we are talking about just site specific or content
to include the content, because Mr. Douglass pointed out that,
without the content, that information would not have been
particularly helpful.
Mr. Weinstein. Well, it is actually the opposite that is
true, sir. It would not be content information that we would be
taking about. It would be----
Mr. Scott. Are we talking about retained--the policy, we
are kind of vague here because we don't have a bill in front of
us, but are you suggesting that we have content being preserved
or retained as well as just the site information?
Mr. Weinstein. No, I am talking about noncontent
information about Internet communications, so IP addresses that
are assigned to a user at the time of communication.
Mr. Scott. So if we had that, then what Mr. Douglass used
about reading the text messages wouldn't have been available.
Mr. Weinstein. Well, as I understand it, text messages are
generally not retained by providers.
Mr. Scott. Well, that is what we are talking about
retaining.
Mr. Weinstein. Well, the case Mr. Douglass talked about was
one in which text messages were crucial in solving the crime.
Mr. Scott. The content of the message was important.
Mr. Weinstein. Sure. The cases I am talking about, Mr.
Scott, are cases in which an Internet user----
Mr. Scott. Is it your proposal that content not be
retained?
Mr. Weinstein. Well, the Administration doesn't have a
proposal today, but I think that one of the issues that
Congress should engage in a discussion on is whether it should
include content. My own view is that the most useful
information to us in solving crimes is noncontent.
Mr. Scott. Okay. Now, if this information is available,
would it be--sitting up there, would it be available for
private subpoena, like in a divorce case?
Mr. Weinstein. Well, that is another issue that I think is
worth discussing, whether it is only available to law
enforcement or available to private litigants as well. My
primary interest, obviously, is making sure it is available to
law enforcement.
Mr. Scott. Would we need to, if we passed something like
this, turn around and have some regulations to protect privacy?
Mr. Weinstein. Again, I think that sort of--the questions--
there are five or six questions that I think Congress should
ask as we engage in this discussion. Number one--and some of
these have already been alluded to. Number one is, what data
needs to be retained, the issue we have been discussing? Number
two is how long the data should be retained for. Number three
is, who would need to retain it? Number four is, who would have
access to it, the issue you just raised, whether it would be
law enforcement only or private litigants as well? And number
five is whether some additional protections for consumers are
necessary, whether those need to be legislated or something
industry can do on its own to enhance privacy and security of
their networks.
Mr. Scott. And Mrs. Dean is going to be very helpful in
making sure that we follow through and particularly helpful in
continuing to send you more information and more tips that you
can follow through on.
Mr. Sensenbrenner. Time of the gentleman has expired. The
Chair recognizes the gentleman from Texas, Mr. Poe, for 5
minutes.
Mr. Poe. Thank you, Mr. Chairman.
Ms. Dean, did you say that every year your business
supplies law enforcement 190,000 tips?
Ms. Dean. No. There is a statutory obligation under 18
U.S.C. 2258(a), that required ECS and RCS providers--we will
call them service providers today. So it is much broader----
Mr. Poe. How many? Cut to the chase. How many do you
provide?
Ms. Dean. I think last year it was over 140,000.
Mr. Poe. One hundred and forty thousand. Those go to whom,
local, Federal?
Ms. Dean. They go to the National Center for Missing &
Exploited Children, according to statute, and NCMEC are the
experts, and they deal with it from there. They refer it out to
the proper jurisdiction.
Mr. Poe. Mr. Weinstein, how many Federal cases were made on
child pornography in 2010 or 2009? Give me a figure that I can
understand.
Mr. Weinstein. I would be happy to, Congressman, I just
don't have it available. I find as I enter my 40's, my own
personal data retention is not what it should be. But I would
be happy to provide a number to you.
Mr. Poe. I mean, can you give me a ball park figure? It
wasn't 145,000, was it?
Mr. Weinstein. No, I don't believe it was 145,000.
Mr. Poe. How many cases? Do you have any idea?
Mr. Weinstein. I don't and I would also want to be able to
get you that information at the local level, too. As you know,
a great many of these cases are prosecuted by State and local
law enforcement and are pursued by the ICAC task force, which
the Department helps fund and which exists in every State in
the United States.
Mr. Scott. Would the gentleman yield?
Mr. Poe. I will yield.
Mr. Scott. Thank you. There is a report from the Department
of Justice, the list is 8,352 in the last 4 years.
Mr. Poe. Reclaiming my time. So it is about 2,000 a year.
Chief Douglass, how many cases, since you are the chief, do
you know how many cases local law enforcement has made in any
given period of time?
Chief Douglass. Mr. Poe, I can't give you a specific
number. I can tell you, however, that we have--in Overland
Park, it is a city of 170,000 people, and we have a three-man
or three-person unit person working on it full time. And as far
as I know, none of those cases came through the channels we are
talking about. So they are working on their own leads in
significant numbers.
Outside of the arena, we are talking in a Federal sphere.
The exact number I can't give you. But I can tell you we are
working several peer-to-peer cases, two to three to four, every
single month just in Overland Park.
Mr. Poe. Can you supply the Committee with that data?
Chief Douglass. Yes, sir, I will.
Mr. Poe. And Mr. Weinstein, can you as well supply that?
Mr. Weinstein. I will, yes, sir.
Mr. Poe. Appreciate that.
I am concerned about the overbroad idea of Federal
legislation in any area.
Certainly I think people that engage in this type of
criminal activity ought to get their day in court before a jury
as often as possible.
But do you see any Federal concerns, constitutional
concerns, Mr. Weinstein, since you are encouraging us to come
up with some kind of legislation about the overbroad concept of
more storage of personal information?
Mr. Weinstein. Congressman, the way I approach the issue is
this, to the extent that the collection of data creates privacy
risks or creates risks to people's anonymity, those risks exist
today right now. Much of the noncontent data that we are
talking about here today, that law enforcement needs to solve
these crimes is already being retained right now by a large
number of communication providers for their own commercial and
marketing purposes, and that includes ISPs. That includes the
New York Times. That includes a lot of Web sites that you visit
every day.
A mandatory data retention requirement would only extend
that retention time to make sure that it was applied
universally across industry.
To the extent that there are risks to privacy from those
databases existing, those risks exist on day 1 when you open
your account; they exist on day 30, day 60, day 90 day 180, day
365. Whether a provider keeps the data for a day or a year, the
provider has an obligation to protect that data. There is no
system that is foolproof, but responsible providers take steps
to safeguard the networks, and we can always do more.
In terms of the impact on privacy of law enforcement having
access to that data, as I said in my opening remarks, what we
are not talking about, expressly not talking about, is in any
way increasing the authority of law enforcement to get that
data. The authorities Congress has already provided and that we
exercise consistent with statute and constitutional obligations
every day are the same authorities that will govern our access
to these expanded databases or these databases that are kept
for longer periods of time. We cannot--law enforcement cannot
obtain that data unless lawful process is used, and that would
continue to be the case.
The ultimate safeguard against law enforcement abuse is
that we are subject to be supervision of Congress, of the
courts, of the Department of Justice, and prosecutors' ethical
obligations to make sure that they use the lawful authorities
properly and in accordance with the Constitution.
Mr. Poe. Thank you, Mr. Chairman.
Mr. Sensenbrenner. The gentleman from Michigan, Mr.
Conyers.
Mr. Conyers. Thank you, Mr. Chairman.
This has been a very useful hearing and what I want to
propose to you, Chairman Sensenbrenner, why don't we--the
question is always, where do we go from here? Why don't we get
the Smith proposal and my proposal and meet with Eric Holder
and the deputy assistant attorney general and come up with a
bill and let's just move it along.
We can study this, you know. We are pretty good at studying
things, but----
Mr. Sensenbrenner. Would the gentleman yield?
Mr. Conyers. Of course.
Mr. Sensenbrenner. I would be happy to participate in that
meeting, but it seems to me you are yanking the carrot away
from Ms. Dean.
Mr. Conyers. Well, the Humane Society may be looking for
you pretty soon anyway with this carrot and stick approach. It
has raised some very interesting questions, Mr. Chairman.
But I think we all see where we are going here. It is not
like this hasn't been worked on before. So I offer that
proposal for your examination and, hopefully, action.
Now John Morris, were you shocked as I was when the deputy
assistant attorney general began to theorize about how far we
could carry this business? I mean, I thought he would be a
little bit more restrained in trying to get us on board, but he
has left the door open for this to go all the way.
Mr. Morris. Well, certainly there have over the years been
a number of proposals for data retention that have always been
targeted at child exploitation cases, which are certainly, I
agree, among the worst of the worst cases out there. But I
think that is one concern we have always had about those
proposals, is that that simply would open the door to broad
data retention applying to even, you know, to the broad range
of cases. So, yes, it is a very serious concern that I have
that we are talking about.
Mr. Conyers. So he didn't surprise you?
Mr. Morris. I am afraid it didn't surprise me that that is
the direction that law enforcement is going, yes.
Mr. Conyers. Do you have any defense at all to offer,
Weinstein?
Mr. Weinstein. Well, I must say, I don't think I have ever
been referred to as ``unrestrained'' before. So I apologize if
I gave that impression, Mr. Chairman Emeritus.
To be clear, the government doesn't have a specific
proposal. My purpose here today is to emphasize to you law
enforcement's concern about the lack of the data and to flag
the issues----
Mr. Conyers. So when are you going to get a proposal? How
many years is this going to take?
Mr. Weinstein. I don't know where we are exactly in the
process of developing a proposal, but we are here today and we
are committed to engaging in this conversation with you and
with the entities represented by the other people on the panel.
Mr. Conyers. Well, I am going to call Eric Holder right
after this hearing and see if we can get this moving. I mean
there are a lot of things to study in the Crime Subcommittee,
but I don't think we need a whole lot of time on this. And
besides, why don't you take advantage of the bipartisanship
that is raging all over the 112th Congress?
Mr. Weinstein. I certainly think that in a lot of areas, we
should take advantage of that bipartisanship.
If I could, just to be clear, there are a number of
permutations of this that could be done in terms of the type of
providers that are covered, the type of information that is
covered, the length of time, whether it is 30 days, 60 days, 6
months, a year or more. As you know, the European Union has a
data retention directive that its member states have been
ordered to implement where data is retained for a minimum of 6
months and maximum of 2 years. Within that range there are a
number of possibilities, and also in terms of the scope of the
crimes covered, there are a number of possibilities. We don't
endorse any particular one of them, although, as I said, we are
eager to participate in this process going forward and to come
up with a proposal that we think balances all those costs.
I should also be clear, we completely understand that there
are costs imposed. While data storage costs are dropping
dramatically, there will be costs imposed if data has to be
retained longer than it currently is being retained. There is
no doubt about that. And one of the greatest costs will be data
retrieval in response to requests from law enforcement,
although if we follow the practice that we do currently those
costs will to a large extent be reimbursed.
At the same time, I didn't mean in my remarks earlier to
suggest that we don't think privacy is an issue. My only point
is only that the privacy risk exists currently. The point here
is to try to find a balance among all three interests, and I am
confident we can do that.
Mr. Sensenbrenner. The gentleman from Virginia, Mr.
Goodlatte.
Mr. Goodlatte. Thank you, Mr. Chairman, and thank you for
holding this hearing. This is an issue that is of keen interest
to me. I have long worked with Chairman Smith and Chairman
Sensenbrenner and others on the issue of child pornography and
other related issues on the Internet. Sometimes we have had
successes. Sometimes the Court has set us back, but it is a
concern and an ongoing effort.
I have also spent a lot of time meeting with leaders over
the years from the European Union and urged them not to impose
a hard 2-year data retention requirement. The European Union
sort of found not quite a 2-year requirement. It requires that
the ISPs retain data for a period of between 6 months and 2
years, and the EU has faced a great deal of difficulty in
implementing this requirement.
So it seems to me that if there is a lot of interest in
this issue--and I share some of the concerns expressed by Ms.
Dean and Mr. Morris and the problems that will ensue--it seems
to me that the first place we ought to look is what the
experience of the European Union is. And Ms. Dean, would you
care to comment on that? And I will ask Mr. Weinstein, too.
Ms. Dean. Well, I think that the experience in the European
Union and the fact that they have had to come back to the table
recently and they are reassessing their original approach begs
that maybe we should look to a different approach for the
United States. Certainly in different member states, the
implementing legislation in the EU has been ruled
unconstitutional, and I think that asks us to really come back
to the table and look at innovative approaches, things like
preservation.
Mr. Goodlatte. Thank you. Mr. Weinstein?
Mr. Weinstein. Yes, Congressman. My understanding--although
I must say I can't speak with expertise about the state of
affairs in the EU--but my understanding is that the European
Court of Justice in 2009 ruled that the directive I referred to
earlier was legal. There have been some issues with the
implementing legislation, as Ms. Dean just indicated. And my
understanding is that the process that is underway now is a
process to harmonize and fix some problems with the
implementation of the directive but that it is only a minority
of the member states who have failed to comply; that is, that a
majority of the states have complied. And so to the extent that
they have, I think, as you suggested, there are some lessons to
be gleaned from studying the way that the directive has been
implemented in those places where it has been.
Mr. Goodlatte. Mr. Morris?
Mr. Morris. One lesson I think we can look at in Europe is
what has the impact been? And studies have begun to show that
data retention mandates in Germany, just to take one study,
have reduced the willingness of citizens to go online for
mental health services. And that, I think, is something--that
is precisely the kind of very sensitive information that I
think that Congress should be very concerned about, chilling
the access that citizens have and the comfort that citizens
have in going online.
So I think there are at lot of lessons one can take from
Europe, and certainly in Europe, there is a move to revisit
data retention. And certainly I have heard many of the European
politicians say that, you know, at the maximum one would say,
you know, 6 months. Clearly that is the direction that they are
going, to reduce the length of time. But there are serious
concerns that are raised in Europe.
Mr. Goodlatte. Thank you. Ms. Dean, what would a blanket
data retention requirement have on smaller ISPs?
Ms. Dean. This is a serious concern because we don't quite
understand at this point what the breadth is. I mean, you could
take some of the earlier comments made and assume that this is
meant to apply to Web sites. And just because it is noncontent
data does not mean that that data is not revealing and very
interesting about people's behavior online. And it is not clear
exactly what it is that companies will be called upon to
retain. Are we looking at, you know, what Web sites they go to?
And this all brings us back to the scope and the breadth and
the duration of time. For small companies, I guess it is really
up to the Subcommittee to consider whether these kinds of
mandates could really be stomached by smaller companies. I can
say that within my membership, I have large companies, but I
also have small companies who provide services to rural areas
and to lower-income Americans. And their services, because they
are low-cost or free, would be greatly affected by a data
retention mandate.
Mr. Goodlatte. Thank you, Mr. Chairman.
Mr. Sensenbrenner. The gentlewoman from California, Ms.
Chu.
Ms. Chu. Chief Douglass, internetworldstats.com, which is a
Web site for international Internet usage statistics, said that
as of 2007, there were 66 million Internet broadband
subscribers in the U.S., which is about 22 percent of our
population. Is it law enforcement's belief that we should
retain all these subscribers' data? Or is it possible to do
something that is more targeted? How would you determine which
subscribers' data should be retained? And are you actually
saying that all of those 66 million's information should be
retained?
Chief Douglass. Well, ma'am, essentially there is no way to
specifically target it because if we knew who the bad guy was,
we could just target them. But unfortunately we don't. And what
we have to do is to assume that this information is like a bank
that has a vault full of safety deposit boxes. Those safety
deposit boxes remain totally sealed, totally inaccessible to
the law enforcement until something happens and we are given
direction to open one particular box. That is how this
particular system would work.
I would point out that there is a lot of information there.
But in my own history in the last 2 weeks I applied for a loan.
And when I applied for a loan, they pulled up my credit report
and my credit report knew everything about me. That is on the
Internet and that is maintained for 7 years. So my point being
is, we all have to sacrifice to a certain extent for those
particular component parts that require addressing. In this
particular case with the credit report, my credit is good, but
we had to sacrifice that access because some people's credit
isn't so good. In this case, all of us would have to contribute
to a certain balance of that sacrifice and privacy so that the
criminal element can be addressed. And there is no way to
target it or narrow it or move it down because we are dealing
with the unknown.
Ms. Chu. Mr. Morris, how do you respond to that? And also,
how would the retention of the data of the 66 million people
harm Americans' privacy rights and aggravate the problem of
identity theft?
Mr. Morris. Thank you, Congresswoman. Let me first respond,
to take the credit reporting example, credit reporting, you
know, Congress has passed very, very strong legislation to
protect the privacy of that information. It is very strongly
controlled. In contrast, data held by service providers has
extremely little protection. The Electronic Communications
Privacy Act was enacted in 1986. It is woefully out of date.
Law enforcement can obtain the data that we are talking about,
the noncontent data that we are talking about, with very, very
minimal process or protection. And so, I mean, there are some
very, very serious privacy concerns.
I believe the Internet usage in the United States has now
risen to about 70 percent. I think we are now talking about 230
million Americans who would be covered by this. And the
proposals that all of their access everywhere they go, all of
their e-mails be monitored and tracked is really breathtaking.
In the context of call records, telephone call records that
were kept by telephone companies, we have seen very broad use
of civil subpoenas by divorce attorneys and other civil uses.
And my understanding--I am not sure if Ms. Dean may be able to
tell me--but my understanding is that actually civil use,
noncriminal use of data that is held by service providers
represents one of the largest types of demands and requests
that companies receive for this data.
So it is clear if the data is required to be held, it will
be used in a broad context.
Ms. Chu. You are saying that there are far less protections
that are provided by the Electronic Communications Privacy Act
than for, say, credit reports.
Mr. Morris. Right.
Ms. Chu. Should that be updated first?
Mr. Morris. Absolutely. The need to update ECPA is really
critical. I mean, it is critical for privacy grounds. It is
also critical for business grounds because it really is harming
the American industry's ability to compete in the global
marketplace, given the low standards of protection that ECPA
affords.
Ms. Chu. Is there a way to have a more effective use of
existing data preservation requirements rather than having
mandatory data retention?
Mr. Morris. Well, Congress in 2008 authorized the
appropriation of additional resources for both prosecution and
also for the technical investigation of child obscenity crimes,
which would allow law enforcement to get access to the
information they need sooner, which would reduce the need or
the argued need for a data retention mandate. If law
enforcement is able to more promptly investigate these cases
instead of being overwhelmed with other cases, then there is
really not such an issue that data retention would be needed to
address.
Ms. Chu. Thank you.
Mr. Sensenbrenner. At this point, the Chair asks unanimous
consent that a statement by Ernie Allen of the National Center
for Missing & Exploited Children be inserted in the record.
[The prepared statement of Mr. Allen follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

__________

Mr. Sensenbrenner. And now the Chair recognizes the
distinguished Vice-Chair of the Committee, the gentleman from
Texas, Mr. Gohmert.
Mr. Gohmert. Thank you, Mr. Chairman.
Mr. Weinstein, you had said in your statement that in some
ways the problems of investigations being stymied by a lack of
data retention is growing worse. Could you elaborate on what
you mean by that?
Mr. Weinstein. Yes, sir, Congressman. Certain types of
providers, principally in the cell phone community, are not
retaining data at all. Increasingly, we are having providers
who are retaining data for shorter and shorter periods of time,
if they retain it really at all. We also have encountered the
problem repeatedly of providers who publish or state that their
retention period is 6 months or some period of time, only to
find that when we submit requests to those providers within the
stated retention period, we are told that the data is no longer
being retained. So in that sense, the problem is growing worse.
As I said before, a great many providers are already
retaining the data that we are talking about here. So the
points that were made over privacy before, I think it is
important to recognize that that data will continue to be
retained by the providers and not by the government; that is,
the government can only obtain it through lawful process. The
data will be retained by providers, as it is currently. The
problem is the inconsistency. The problem is that it is not
held for a sufficient period of time, that it is not consistent
across the board, that the decisions about how long to retain
data for are made unilaterally by the providers and are subject
to change at will and, as I said, are often not even honored.
So what we think is essential is that whatever the decision
is about the scope of the requirement, if Congress goes down
this road, is that it be one that is clear and consistent
across industry.
In 2008, the Electronic Frontier Foundation published a
user guide or a guide that was entitled, Best Practices for
Online Service Providers, which I think is unintentionally the
best argument for Congress to intervene in this space than
anything that I could say today. It advises providers that they
can't be forced to provide law enforcement with data that
doesn't exist. It provides guidance about how to minimize what
they referred to as ``the challenges of law enforcement
compliance.'' It calls upon providers to obscure, delete as
much data as possible. It advises providers to use secure
deletion utilities to scrub the hard drives so that the logs
cannot be obtained. The fact that providers are being guided to
conduct themselves in this way I think speaks to the fact that
the problem is growing worse and that congressional action--or
congressional engagement on the issue is probably as timely as
it has ever been.
Mr. Gohmert. Well, you touched on this perhaps. But the
Electronic Communications Privacy Act currently allows
investigators to request preservation of records. And I would
ask you, Mr. Douglass, if that is not being honored. And if it
is, why is that not adequate?
Chief Douglass. Well, congressman, I have no evidence, but
it is not being honored. The problem is, it is not a question
of honoring our request. The problem is that it is not there
when we ask for it. So if the information has already been
deleted or if it has already been spoiled in some respect, we
can ask all day. But if it is not there, it is not there to
get. And that is why the time requirement of 30 days is onerous
because many cases are not brought to light in 30 days.
Mr. Gohmert. Mr. Weinstein, have you made requests for
preservation that have not been honored?
Mr. Weinstein. Except in the sense that--the largest
problem with preservation is what the Chief said. That is that
the preservation tool, while a useful tool, is only valuable if
the data still exists at the time that the preservation letter
is submitted. For reasons that I alluded to in my oral remarks,
these are extraordinarily complex crimes. In the child
exploitation arena, increasingly they are international and
global investigations. They are investigations that often start
when law enforcement in another country seizes a server or
seizes a computer that is being used by the administrator of a
child sexual abuse distribution network. And it takes time to
go from that seizure in Australia or New Zealand or Germany to
identifying IP addresses of people in the United States who are
engaging in that activity, and then having to follow the trail
of those people here to the U.S. And invariably, really quite
often, too often, by the time we are able to--and no matter how
quickly we work, by the time we are able to find the provider--
--
Mr. Gohmert. My time is running out. Let me ask quickly. We
have talked in generalities. Is there a large ISP that
consistently deletes information to prevent you from having
that information preserved? I am asking specifically.
Mr. Weinstein. Sure. I appreciate why you are asking
specifically. But I would rather not talk about specific
providers. But what I would say is that for the most part the
ISP community is very cooperative.
Mr. Gohmert. Well, pardon me for my background being a
judge, but as a judge, if people weren't willing to get
specific, then obviously it was not legitimate testimony that
would come into evidence. Is there no specific----
Mr. Sensenbrenner. The time of the gentleman has expired.
You don't have to answer that one.
The gentlewoman from Florida, Ms. Wasserman Schultz.
Ms. Wasserman Schultz. Thank you, Mr. Chairman. Mr.
Chairman, some of the Members and the witnesses may know that I
was the House sponsor of the PROTECT Our Children Act of 2008
which was a major effort and continues to be a major effort to
develop a national strategy which has been developed, appoint
the National Coordinator for Child Exploitation Prevention and
Interdiction, which is Francey Hakes, who is actually here with
us today and is in the audience and who has been doing an
excellent job in this area, to finally coordinate the work of
the Internet Crimes Against Children Task Forces and provide
them with the resources that they need because previously they
have really been only able to investigate less than 2 percent
of the cases that occur when it comes to the transmission of
child pornography online and other kinds of sexual predatory
activities on the Internet.
But all the money in the world and the coordination and the
planning isn't going to help at all if we don't have the
assistance from the Internet service providers. And with all
due respect, Ms. Dean, I think we need to be clear that this is
not about watching or tracking people's behavior online, which
is how you described it a couple of minutes ago. It is about
helping law enforcement connect the dots. And one of the things
that I think is extremely important to underscore here is that
that is the difficulty, is that right now, because there are
varying degrees of cooperation, varying degrees of time that
ISPs actually preserve this data--some as short as 7 days,
without naming names, Mr. Chairman, as you suggested--that it
really becomes extremely difficult, if not impossible, for law
enforcement to be able to actually get to the information they
need not about the individuals and their activity but about
specifically the connectivity logs. I mean, that is what really
we need to be able to get at are these connectivity logs.
Because as people know who follow this stuff, an individual ISP
address is not helpful because people have a different one for
every computer that they log on to. So having the ability to
track one individual's connectivity is what is necessary. Law
enforcement already have the pictures. They already have the
ability to lift the digital fingerprints. They lose that
ability if ISPs don't hold onto that information for a
standardized period of time.
So my question to you, Ms. Dean, really is this:
Voluntarily would be a lot better than mandating this. I think
that is what we would all like to see, including law
enforcement. So what are the ISPs willing to do voluntarily?
You should come together and decide on a standard and propose
it. Because that is going to be the best way that we can get
this problem addressed without us being in a situation where we
have to figure out legislatively how to make you do it.
Ms. Dean. Thank you, ma'am. And I have been given some
carrots and sticks today earlier from the Chairman, and I
recognize the need to go back and work with my membership and
to talk about this.
We have been following data retention for many years. We
have been engaged in this conversation. And certainly in the
area of fighting online child exploitation, it is something
that U.S. ISPA and our members are certainly committed to, so I
can guarantee that we will be getting back to you and talking
to your staff about this.
Ms. Wasserman Schultz. Thank you. Mr. Chairman, at some
point, if we could hear from Francey Hakes, who is the person
that is coordinating all of this activity from the Department
of Justice, it would be incredibly helpful. Mr. Weinstein, I
know that you are doing your best, but Francey really is the
person that is responsible in the law for coordinating all of
this activity, and I know that she would be able to give us
some very helpful information, one of which is--I am really not
understanding why you don't have a specific proposal because,
Mr. Weinstein, that is supposed to be in the National Strategy.
So is it in the National Strategy? If it is not, then the
National Strategy is deficient.
Mr. Weinstein. Well, I don't believe that there is a
specific data retention proposal, Congresswoman, in the
National Strategy, although the National Strategy is designed
to do a lot more than just address the issue of data retention,
as you know. It is meant to lay out a framework for
coordinating all of law enforcement's operations to address the
problem.
Ms. Wasserman Schultz. Before I run out of time, that is
just a big concern that I think we need to address. You really
do need to do a better job of giving us a number or a
percentage of cases that have been hindered or reached a dead-
end. The anecdotal information is somewhat helpful, but if you
don't really give us a concrete number.
But the question that I have for you specifically is: In
the Republican budget proposal, which proposes to cut 20
percent across the board, what would that do to your ability to
continue to investigate and solve these cases, if their budget
proposal actually went through?
Mr. Weinstein. Well, if I can address both pieces of that
quickly. In terms of the concrete number, it is a challenge and
it is frustrating to me, to Francey, and to all of us who are
involved in working on this issue that we can't come up with a
concrete number. And there are a number of reasons for that.
But the primary one is that the Justice Department, like all
levels of law enforcement, doesn't typically keep statistics on
cases that do not result in charges. And very often what
happens when an investigation hits a dead-end so that the
investigator or the prosecutor moves on to another case, we
don't log the fact that we tried but were not successful. The
other thing is that law enforcement officers are smart, and
they figure out over time which ISPs will keep data for which
periods of time. And when they obtain a lead and they need to
go to a provider, if it is outside what they understand to be
the data retention period, they won't even bother to submit a
request because they know it is not going to be fruitful, and
they will try--sometimes successful, often not--to obtain the
evidence they need from another source.
So the anecdotal example that we could talk about, some of
which I alluded to in my testimony, are not hypotheticals. They
are illustrations. There are new anecdotal examples we get
every day, every week, every month of cases that were not able
to be made.
Ms. Wasserman Schultz. And can you address my budget
proposal question?
Mr. Weinstein. If I may, Mr. Chairman.
Mr. Sensenbrenner. Go ahead.
Mr. Weinstein. The only thing I would add, this goes beyond
child exploitation because every type of crime that we worry
about is committed through online means now. And so I think
that losing prosecutors and losing agents would seriously
impact our ability to prosecute really virtually any type of
online crime or crime committed through an online means at the
level that we would like to.
Mr. Sensenbrenner. The gentlewoman's time has expired. The
gentleman from Arizona, Mr. Quayle.
Mr. Quayle. Thank you, Mr. Chairman. And thanks to all of
you for coming in today.
My first question is going to be for Ms. Dean. What
specific actions have your members voluntarily taken to combat
child pornography so far?
Ms. Dean. Well, I can speak as an association and as
someone on behalf of the individual members. We have
promulgated a number of sound practices to be more helpful to
law enforcement in the areas of child pornography reporting and
in general subpoena compliance when it deals with child
exploitation cases. The members participate in a number of
important task forces, things like the Technology Coalition and
Financial Coalition Against Child Pornography, which we can get
you more information about in the future. And certainly the
companies interact with the ICACs on a regular basis. And
moreover, they have highly skilled staff that work on these
compliance issues, understand that child exploitation cases are
a priority, and are trained to deal with them in a timely
manner.
Mr. Quayle. And also in your testimony, you spoke about
some of the problems that we are facing with data retention in
terms of it might slow down the process for immediate emergency
situations, such as child abductions and the like. Obviously we
don't want to negatively impact with legislation having these
unintended consequences of maybe we have this increased data
storage issues, but then it actually has some problems with the
speed of recovery. Can you address that and maybe talk about it
a little more?
Ms. Dean. Yes. And thank you. I appreciate that
opportunity. Because as we thought about data retention this
most recent round, one of the things that occurred to the
companies was that, you know, we have a number of concerns
about the cost to innovation and so forth. But the main concern
that we would have with building these massive data bytes--we
are talking exabytes of information--how it would be that we
would be 100 percent accurate in retrieving precisely the
record that law enforcement requested and doing so in a timely
and efficient manner and doing so in an emergency situation
because we do get frequently emergency requests from law
enforcement and want to be helpful. The reason this is so
important to the companies is because, one, they take their
responsibilities under ECPA and other statutes very seriously.
But secondly, because we are dealing with people's lives and
liberty here. And out of all this data, we have to make sure
that, say, 18 months down the road that tiny particular piece
of information is exactly the right information linking that
exact target, and there is a concern in that area, yes.
Mr. Quayle. Mr. Weinstein, can you give your side on that
issue in terms of how that might affect emergency responses in
slowing down the recovery time?
Mr. Weinstein. Congressman, what I can say is that in those
situations, as I have indicated a number of times, there is
already a substantial number of providers who are keeping the
kind of data that we were talking about and do keep it for a
period of time. So it is not like they are creating systems out
of whole cloth. They just need to figure out a way to keep it
for longer, and there would be some potential additional cost
of storing it for longer. But those same providers who have
that data have to respond to the kind of requests you are
talking about every day. And they manage to do so quite well.
So if they are keeping a larger volume of data, it seems to me
it would be a software engineering problem that is beyond my
expertise. But to the extent that they are able to comply with
those requests today when they have got the data available, I
would expect them to be able to do so in the future.
I do acknowledge, as I said before, that I think the
principal additional cost of a data retention regime would be
in data retrieval, not so much in data storage but in the data
retrieval. But I wouldn't anticipate that there would be a
significant impact on--negative impact, that is, on ISP's
ability to respond to emergency requests. I think what it would
mean though is that the nonemergency requests, there may be
some additional delay in responding to them. But given where we
are now, we are happy if they are being responded to at all.
Mr. Quayle. All right. And further, do you have any
suggestions in terms of retention period? Is it 1 year, 2
years, 3 years, 4 years, keeping it forever? I mean, that is
one thing that I was wondering is that, you know, with the
statute of limitations--I don't know what they are for child
pornography cases, but wouldn't you want to have that match up
to when the statute of limitations expires?
Mr. Weinstein. Well, I think that the statute of
limitations for child sex abuse cases, I think there actually
is none. So that would be keeping it indefinitely. For most
Federal crimes, it is 5 years. I think that if the only
consideration at play here was law enforcement, then I would
think the statute of limitations would be the place to start
the discussion. But that clearly is not the case. And I don't
want to suggest for a second that that is what we would
suggest.
There are clearly other competing interests. The economic
impact on the providers, to some extent privacy. And I think
that when you balance those out, it clearly has to be something
that is much more modest than the statute of limitations
period. Where that number is, I can't say today. Although, as I
have said, I think this is a very useful first step. I know
this is an issue the Subcommittee has worked on for years and
years. And I am hopeful that, working together, we can come to
a place, come to a number that maximizes law enforcement's
chances of solving the crimes it needs to solve without
overwhelming the providers and without creating unintended
consequences.
Mr. Sensenbrenner. The time of the gentleman has expired.
The gentleman from Georgia, Mr. Johnson.
Mr. Johnson. Thank you, Mr. Chairman, for holding this very
important hearing today on using Data Retention As a Tool for
Investigating Internet Child Pornography and Other Internet
Crimes. And this bill, H.R. 1076, is actually cited as the
Internet Stopping Adults Facilitating the Exploitation of
Today's Youth Safety Act of 2009. But it is a fact, isn't it,
that the provisions of H.R. 1076 go far beyond stopping
Internet child pornography; is that a fair assessment, Mr.
Morris? Is that true?
Mr. Morris. Well, certainly H.R. 1076 would very broadly
sweep--the terms of that legislation would very broadly sweep--
--
Mr. Johnson. Yes. I mean, section 5--yes, section 5,
Retention of Records By Electronic Communication Service
Providers is not limited to only investigations or matters
concerning child pornography.
Mr. Morris. Certainly I read that draft bill the same as
you do. Yes, sir.
Mr. Johnson. Okay. So it is kind of like perhaps you could
say--and I don't say this disparagingly--but kind of like a
Trojan horse. And you could have things in that Trojan horse
that come out and surprise you.
Mr. Morris. Yes. Certainly I agree that once the data is
mandated to be retained, it will be used for a broad diversity
of reasons, including civil litigation, perhaps even commercial
use by the service provider, and a range of other things that
concern us.
Mr. Johnson. Well, let's talk about that in just a second.
But let me look down at section 9 of the proposal. It grants
$150 million to the Innocent Images National Initiative, $150
million. Now does anybody have any idea what the Innocent
Images National Initiative is?
Mr. Weinstein. Yes, Congressman. The Innocent Images
Initiative is a law enforcement initiative that was set up by
the FBI and the Justice Department. The Innocent Images Task
Forces are the groups that have primary responsibility on the
Federal level for investigating child exploitation crimes.
Mr. Johnson. Where would this money go to? Who would be the
recipients of the $150 million?
Mr. Weinstein. I can't speak to the specifics of the
proposal, Congressman, because I am not as familiar with it. So
I don't know what the intended use of that $150 million is. My
guess would be that it would be primarily to support
investigative resources, investigators and prosecutors.
Mr. Johnson. But you would not say that there are any
limits on how the money could be spent as provided by section
10, is that correct?
Mr. Weinstein. Well, again, I can't speak to the details of
that specific proposal.
Mr. Johnson. So in other words, can anybody on this panel
tell me where the $150 million and to whom would the $150
million provided under section 9 go to? Yes, Mr. Douglass, do
you want to give it a stab?
Chief Douglass. I will try to do so.
Mr. Johnson. I have limited time now. Just answer me this:
Do you know where the $150 million is going to?
Chief Douglass. I know where a small part of it is going
to.
Mr. Johnson. Well, a small part. I want the big part. And I
find it somewhat disturbing that we are not able to get at that
in this hearing.
So we have got Internet child pornography being the Trojan
horse. And then inside that, we have a data retention
situation, mandatory, that may fall upon the backs of
commercial and private Internet service providers. And then we
have $150 million to boot going to some----
Mr. Sensenbrenner. The gentleman's time has expired.
Mr. Johnson. Thank you, Mr. Chairman.
Mr. Sensenbrenner. Last, but not least, the gentlewoman
from Florida, Ms. Adams, is recognized for 5 minutes.
Ms. Adams. Thank you, Mr. Chairman.
Mr. Weinstein, I was listening. And coming from a law
enforcement background, I am kind of curious. You made a
comment about when your agents get to a point where they just
stop because they have hit a dead-end and they move on, and you
couldn't give us a caseload count. Is it your testimony today
that your caseloads are not counted based on open/closed
caseloads?
Mr. Weinstein. Well, Congresswoman, certainly at the
Federal level--I can't speak to the State and local--but at the
Federal level we do, both the agencies and the Justice
Department, keep track of cases that are open and closed. What
I mean to suggest is that we couldn't look at that data and
figure out how many of those were closed because of a failure
of data retention. There are any number of reasons why a case
is opened and then ultimately not able to be successfully
concluded or result in a charge. It could be that there is a
lack of evidence, it could be that there were other
investigative hurdles. But I couldn't pinpoint within that
gross number of cases how many were a data retention issue
specifically.
Ms. Adams. And so then I am not to be concerned at the fact
that you would base your budget on caseload. You are basing it
on your open caseloads, correct?
Mr. Weinstein. You know, those cases take an extraordinary
amount of time, as you know, especially now. And in the child
exploitation arena, this is particularly true, but it is true
in a lot of others as well, that to the extent that those cases
involve international law enforcement, to the extent that the
criminal is sophisticated and takes steps to try to anonymize
himself or herself, there are a number of steps in the chain
you have to go through that take a long time. You can
investigate a case for years only to find that you are not able
to bring a charge. So I think the fact that the case is open
and how long it is open for reflects the amount of man and
woman hours that are going into it. It is just that sometimes,
for any number of reasons--data retention being one of them--
you can't actually successfully complete the investigation and
indict anyone.
Ms. Adams. And while sometimes it is a lot of man hours
when the case is open or it sits there because you have hit a
dead-end and you haven't closed it quite yet, and I recognize
that. But that goes again to what Mr. Quayle asked you, and
that was, how long then, how long would you recommend that
these providers hold this data?
Mr. Weinstein. Well, as I said to Mr. Quayle, I think the
Administration doesn't have a position at this time on what the
appropriate amount of time is. What I do believe is the case is
that--at least as a starting point for discussion, I think the
EU range of 6 months to 2 years is a useful starting point for
discussion, but I wouldn't suggest, even as I sit here today,
that it should be 6 months or 2 years or 1 year. I do believe
that there is a time period that we could come to that would be
long enough that law enforcement could maximize the chances of
getting the evidence it needs to successfully complete a larger
number of investigations and bring a larger number of criminals
to justice but that wouldn't be so long or that would be
moderated and would not overwhelm, in terms of cost or privacy
impact, the other equities involved.
I mean, ultimately, I think the fact that we haven't come
to a conclusion on this issue successfully over the last 2 or 3
years reflects the fact that it is really a complex exercise to
try to figure out what that time period is; you know, what is
the magic number that gives law enforcement what it needs but
doesn't overwhelm the providers and that moderates the risk to
privacy of having data held for a long period of time? I can't
come up with that number today, but I am pretty confident that
if we work at it, we will come to it.
Ms. Adams. And your earlier testimony is something that I
have had along my law enforcement career is that a lot of times
when you start investigating these you end up going to
different countries, and that adds time to the process, does it
not?
Mr. Weinstein. It does. In fact, I was thinking this
morning about a case that we did that we call Operation
Achilles, which was a multinational law enforcement operation
to take down a network that was producing and distributing
images and videos of child exploitation, and there was a
little, little girl in the Northern District of Georgia who was
rescued as a result of that investigation, but she was rescued
2 years after the video of her being abused was discovered when
a search was done in Australia of one of the members of the
organization's computers. And it took 2 years of work every
single day by the investigators, both in Australia and here in
the U.S., to try to find out where that girl was so they could
rescue her and ultimately capture the abuser, who was her
father. Those cases can inherently take a long period of time.
We are obviously committed to them, and we will investigate
them as long as we humanly can.
Ms. Adams. I hope so.
Ms. Dean, hearing this testimony, I would agree with my
colleagues that you go back to your membership and see if there
is some kind of compromise you can come up with within your
membership and to the law enforcement that doesn't require the
Congress to intervene on this. It is really important that if
there are children being abused, taken advantage of, or worse,
we would like to have that information given to law enforcement
so that the bad guys can be prosecuted.
Mr. Sensenbrenner. The time of the gentlewoman has expired.
The gentleman from Florida, Mr. Deutch.
Mr. Deutch. Thank you, Mr. Chairman. I have a question, Mr.
Weinstein, for you about the way that we investigate. There is
a constituent of mine in my district of south Florida that runs
a business. It is a data fusion program, child protection
systems, which is a program that is used by the vast majority
of ICAC task forces as well as 38 countries free of charge. I
would like to know, since this is a system that enables law
enforcement to track files across the vast expanse of the
Internet and then identify the specific computers that are
responsible, first--actually for you and for Mr. Douglass--are
you aware of this opportunity, this program?
Chief Douglass. I am aware of several programs that allow
us to pinpoint peer-to-peer intersections and gives us a
starting point to start with the subpoenas and search warrants.
I do know this, that they are relatively successful but
somewhat limited at this stage in scope.
Mr. Deutch. Mr. Weinstein.
Mr. Weinstein. Congressman, I am not familiar with that
particular software, but I am familiar with a number of
programs, as the Chief said he is as well. And you should know,
the Department, under section 105 of the PROTECT Our Children
Act, was directed to develop a technological solution known as
the National Internet Crime Data System, and we are in the
process of doing that. We have issued grants I think to the
Massachusetts State Police in relation to the development of
that. And once that system is operational, it will support
efforts by Federal, State, local, and tribal enforcement,
including the ICAC task forces, to more effectively investigate
and deconflict those cases. So we are working very hard on
developing technology that will enhance our ability to pursue
those cases.
Mr. Deutch. I would just suggest that the technology of
this company has been used--their expertise has been used to
catch criminals. They also helped identify the 9/11 terrorists.
I would encourage you to reach out, and I would be happy to
make that happen.
Getting back to something you said earlier this morning,
Mr. Weinstein, moving beyond this issue of data retention. I
would like to ask you about other ways to streamline the
prosecution of these cases and make it more likely that we will
actually catch these people. The Internet, as was just
discussed, is global, and the criminal activity bounces over
local, State, and even national boundaries, borders. Does it
make sense from a national law enforcement perspective to
create a centralized place--at least for the United States--to
subpoena ISP records rather than having to subpoena each
company in a different way?
Mr. Weinstein. Well, I haven't given a lot of thought to a
proposal like that, although my first reaction is that to the
extent people are concerned about privacy from having multiple
databases of Internet activity, I would think that there would
be some significant privacy concerns if there was one
megadatabase of that activity. But I think that ultimately,
Congressman, the challenge in these cases is not just the
ability to get data, of course. They are inherently time
consuming, and they take a long time. I think as our
relationships improve with foreign law enforcement, we are able
to proceed then more quickly and more efficiently. But
ultimately, if providers were able to retain the data we needed
for a reasonable and uniform period of time, we would have
fewer dead-ends and we would be able to move the cases more
quickly. Sometimes the cases take longer than they otherwise
would because, having hit a roadblock when the data is not
available, you have to figure out some other way around it,
some other way around the lack of data, and to try to basically
investigate the case over again from a different angle. If the
data were available, whether it was in one common source, as
you suggested, or maintained by individual providers for a
reliable period of time, I think we would be able to pursue the
cases more expeditiously and in larger numbers to a successful
conclusion.
Mr. Deutch. Mr. Douglass, from your perspective, would a
centralized database help in pursuing these criminals?
Chief Douglass. Well, again, I agree with Mr. Weinstein. A
centralized database would certainly be the most efficient.
However, the tenor of these conversations have been all about
balance, and balance means that we balance out the effects of
privacy and the effects of efficiency at the same time. So
consequently, while it would absolutely be more efficient, I
would also think it would raise a lot more concerns about
concerns over privacy. I think we can work around that. If we
have the locations we can go to that maintain those files, that
is not a big deal.
Mr. Deutch. Finally, Mr. Chair, Mr. Douglass, I appreciate
what you are saying. And certainly we need to balance those
interests, ultimately though being on the front lines of Mr.
Weinstein in trying to catch these guys. I am just trying to
figure out if that is something that we ought to be
entertaining, and it sounds like it is something that could be
helpful.
Chief Douglass. I would have concerns about going that
direction because I don't think that the benefits would
outweigh the risks.
Mr. Sensenbrenner. The gentleman's time has expired. The
gentleman from Arkansas, Mr. Griffin.
Mr. Griffin. Thank you, Mr. Chairman.
Ms. Dean, I wanted to ask you, I was looking through your
testimony, and it may just be a misunderstanding. But it
appears that you make a distinction between data retention and
data preservation. And I apologize for being out if you have
explained that. But could you comment on that?
Ms. Dean. Certainly. I would be happy to.
Data presentation and data retention are--my luck today--
are very different. Data preservation is a targeted request
from law enforcement to a provider to hold on to a specific
person's data. And to be clear, to clear up some of the
conversation from earlier, that is not simply an IP log. That
is a very broad aspect of--it is a snapshot. Think of it as a
snapshot at the exact moment that the request comes in of that
person's account, e-mails, buddy lists, anything that we have
got that is taken, set aside, and it is able to be preserved
for up to 180 days. Now that doesn't go into the future because
then you can get wiretap problems and things like that.
Retention, what we are talking about here today, would be
to hold on to a category of data, a category of providers on
all of their users into the future.
Mr. Griffin. So preservation would include the type of
information that you would get in a subpoena such as method of
payment, credit card records, all of that stuff, and the
retention is just the data that relates to the ISP?
Ms. Dean. Well, to be clear, preservation is so effective
and valuable, we see it as very effective and valuable because
we don't make a distinction as to what kind of process may come
in the future. We simply freeze the account, set it aside, and
it is available to law enforcement, pending the issuance of
process. So they can get whatever it is the order calls for
into the future.
Mr. Griffin. What is your ideal? Are you happy with the
status quo? I know that when I came back in, Mr. Weinstein had
been asked by Representative Quayle about his ideal in terms of
the time frame. I want to ask you what your ideal is.
Ms. Dean. Well, one of the things I want to say is that,
you know, we really do want to be involved in this
conversation. We want to talk to our colleagues in law
enforcement and find out what it is specifically that they
need. We really do want to understand better which providers.
And that is very important. Do you want the Facebooks of the
world? Do you want you know access providers? Do you want the
nytimes.com? It is very important.
Mr. Griffin. I am running out of time. So there is not a
specific time frame. It sounds like you are still sort of
grappling with it. Chief Douglass, do you have an ideal time
frame in mind that you think would capture most of the data
that you would need?
Chief Douglass. Yes, sir. My personal opinion is 6 months
up to a year, maybe up to 18 months. But after that period of
time, there is a point of diminishing returns. Certainly 6
months does not seem to be unreasonable from an investigative
standpoint. We will get quite a bit. That will be six times
more than the best we can get right now. And in that event, I
think that would be logical. But there are other factors to
consider. And when we shape out whatever agreements or
legislation or compromises that take place, those things should
be fleshed out with all parties, understanding exactly where it
goes. But from a law enforcement standpoint, I would think a
minimum of 6 months would be advantageous. More like a year
would probably be the best.
Mr. Griffin. Have you been in any talks with the Department
of Justice on this? Apparently, the Department of Justice has
not settled on a specific time frame.
Chief Douglass. No, sir. We haven't. And, you know, we come
from two different localities with two different things in
mind. The Department of Justice is looking at overall arching
philosophy and policy for the entire country in that regard,
and we are looking at it from how it affects Overland Park,
Kansas and how it affects cities in your State. So we have
common interests, but they are not necessarily parallel
interests.
Mr. Griffin. Maybe you can grab Mr. Weinstein there, and
y'all can talk about that. Thank you. That is all I have, Mr.
Chairman.
Mr. Sensenbrenner. The gentleman's time has expired. And
again, last but not least, the gentleman from Pennsylvania, Mr.
Marino.
Mr. Marino. Thank you, Mr. Chairman.
And if I do ask a question that has already been asked
because I was at another meeting, please tell me that and I
will go on.
Deputy Weinstein and Chief Douglass, I couldn't agree with
you more on your approach, what you have done, and what you
continue to do, particularly in the area of child abuse and
cybercrime. As a prosecutor, as a district attorney for 12
years, the State level, and as an United States attorney for 6
years, I have personally prosecuted both types of cases in both
courts. And on many instances, the evidence that we have
gathered could be as much as 2 years old. So I implore you to
please keep doing what you are doing, bring back to us any
insight that this Committee can do to see that you can carry on
that mission. And I thank you for that.
Director Dean, again, please, I beg you to talk with your
organizations, the individuals with whom you work. I am sure
that you can come to a consensus. But please, please utilize
the frontline law enforcement men and women when asking what
can we do to improve the tools that you need to track down
these child abusers. Many of the cases that I worked on
personally involved photographs and pornography that came into
the United States from other countries. But unfortunately, we
have a fair number of those individuals in this country. So I
implore you, please regulate this to the extent where it is
effective and efficient yourselves because, I can agree with
the Chairman and my colleagues, at one point, we will step in.
And Attorney Morris, let me refer to something in your
statement. And could you please correct me if I am wrong on
this. Maybe it is just written or taken out of context. I am
reading toward the end--actually, the next to the last page of
your statement. It says in bold at the top, In the face of the
serious risk and cost of data retention, Congress should
carefully investigate what benefits there would be, if any, in
the prosecution of child pornography cases.
You are not suggesting that we do not investigate and
prosecute child pornography cases, are you?
Mr. Morris. Not in the least, Congressman. What I am
suggesting is that given the current lack of resources, given
the fact that, as I believe Congresswoman Wasserman Schultz
said, that only 2 percent of the cases that are currently known
do we have resources to prosecute that adding a massive data
retention obligation is not going to increase the ability for
us to put the child pornographers in jail. I certainly very,
very strongly support the goal of putting these people in jail.
Mr. Marino. Thank you. Now I do disagree with the
percentage that was stated as to the cases that a re
prosecuted. As a prosecutor, we could prosecute more crimes in
any situation if the district attorney or the Chief or the
deputy attorney general had more bodies and more investigators.
But with that said, in my experience--and perhaps Deputy
Weinstein and the Chief can respond to this--any case that came
into our offices or series of cases would be investigated and
eventually prosecuted.
Gentlemen, what do you say about this?
Ms. Wasserman Schultz. Would the gentleman yield just for 1
second?
Mr. Marino. Yes.
Ms. Wasserman Schultz. I just want to thank you very much.
I just wanted to clarify in saying that they are investigating
less than 2 percent of the cases. It is not because they are
unwilling to. It was because of the lack of resources, the lack
of individuals, the lack of resources to be able to investigate
more than that. But specifically in among the cases that they
are able to investigate, they rescue a child in about 30
percent of the cases. So it is incredibly important. I just
wanted to make sure I was clear.
Mr. Marino. Thank you. I understood that it is just a
percentage, the 2 percent. I don't mean to brag about it, but
our conviction rates in our office and our investigations and
prosecutions were far more than 2 percent of the cases that
came into the office.
Mr. Weinstein. Congressman, I think, as you know, as a
general matter, we follow the same approach that I know you
followed in your office when you were the U.S. attorney. We
don't turn cases away at the door. If they are there to pursue,
we will pursue them.
I think that it is not just increasing the number of cases.
It is taking the existing cases as far as they can go. I used
the case of the father who was abusing his daughter in northern
Georgia a few moments ago. Because it took 2 years to identify
that man as the abuser, by the time his computer was searched,
the data that would have helped identify the other members of
the group here in the U.S. with whom he was trading videos of
child sexual abuse, we couldn't pursue those people because the
data didn't exist. So a lot of times, it is taking the case
that we have made and making it bigger and making sure that we
are actually dismantling the entire organization so we can
protect more children at the same time.
Mr. Marino. Thank you. I think my time has expired.
Mr. Sensenbrenner. The time of the gentleman has expired.
I want to thank our witnesses for their testimony today.
And, Ms. Dean, I hope you got the message, and I hope you will
get to work with your organization to help us come up with a
way that deals with this problem fairly. It is going to mean
that your members are going to have to do a little bit more,
and I think we all recognize that. But this is going to be a
lot easier if this is worked out. There is a need to deal with
this issue. I always prefer to have it done voluntarily in a
trade organization. But I think you have got the message that
if it isn't being dealt with voluntarily, the train will leave
the station.
So again, thank you all for your testimony today. Without
objection, all Members will have 5 legislative days in which to
submit to the Chair additional written questions for the
witnesses which we will forward and ask them to respond as
promptly as they can so that their answers may be made a part
of the record. Without objection, all Members will have 5
legislative days to submit any additional materials for
inclusion in the record.
And without objection, this hearing is adjourned.
[Whereupon, at 12 p.m., the Subcommittee was adjourned.]
A P P E N D I X

----------

Material Submitted for the Hearing Record

Prepared Statement of the Honorable Ted Deutch, a Representative in
Congress from the State of Florida, and Member, Subcommittee on Crime,
Terrorism, and Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]