[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
ECPA (PART I): LAWFUL ACCESS
TO STORED CONTENT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CRIME, TERRORISM,
HOMELAND SECURITY, AND INVESTIGATIONS
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
MARCH 19, 2013
__________
Serial No. 113-16
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
80-065 PDF WASHINGTON : 2013
COMMITTEE ON THE JUDICIARY
BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr., JOHN CONYERS, Jr., Michigan
Wisconsin JERROLD NADLER, New York
HOWARD COBLE, North Carolina ROBERT C. ``BOBBY'' SCOTT,
LAMAR SMITH, Texas Virginia
STEVE CHABOT, Ohio MELVIN L. WATT, North Carolina
SPENCER BACHUS, Alabama ZOE LOFGREN, California
DARRELL E. ISSA, California SHEILA JACKSON LEE, Texas
J. RANDY FORBES, Virginia STEVE COHEN, Tennessee
STEVE KING, Iowa HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona Georgia
LOUIE GOHMERT, Texas PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio JUDY CHU, California
TED POE, Texas TED DEUTCH, Florida
JASON CHAFFETZ, Utah LUIS V. GUTIERREZ, Illinois
TOM MARINO, Pennsylvania KAREN BASS, California
TREY GOWDY, South Carolina CEDRIC RICHMOND, Louisiana
MARK AMODEI, Nevada SUZAN DelBENE, Washington
RAUL LABRADOR, Idaho JOE GARCIA, Florida
BLAKE FARENTHOLD, Texas HAKEEM JEFFRIES, New York
GEORGE HOLDING, North Carolina
DOUG COLLINS, Georgia
RON DeSANTIS, Florida
KEITH ROTHFUS, Pennsylvania
Shelley Husband, Chief of Staff & General Counsel
Perry Apelbaum, Minority Staff Director & Chief Counsel
------
Subcommittee on Crime, Terrorism, Homeland Security, and Investigations
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
LOUIE GOHMERT, Texas, Vice-Chairman
HOWARD COBLE, North Carolina ROBERT C. ``BOBBY'' SCOTT,
SPENCER BACHUS, Alabama Virginia
J. RANDY FORBES, Virginia PEDRO R. PIERLUISI, Puerto Rico
TRENT FRANKS, Arizona JUDY CHU, California
JASON CHAFFETZ, Utah LUIS V. GUTIERREZ, Illinois
TREY GOWDY, South Carolina KAREN BASS, California
RAUL LABRADOR, Idaho CEDRIC RICHMOND, Louisiana
Caroline Lynch, Chief Counsel
Bobby Vassar, Minority Counsel
C O N T E N T S
----------
MARCH 19, 2013
Page
OPENING STATEMENTS
The Honorable F. James Sensenbrenner, Jr., a Representative in
Congress from the State of Wisconsin, and Chairman,
Subcommittee on Crime, Terrorism, Homeland Security, and
Investigations................................................. 1
The Honorable Robert C. ``Bobby'' Scott, a Representative in
Congress from the State of Virginia, and Ranking Member,
Subcommittee on Crime, Terrorism, Homeland Security, and
Investigations................................................. 2
The Honorable Bob Goodlatte, a Representative in Congress from
the State of Virginia, and Chairman, Committee on the Judiciary 3
The Honorable John Conyers, Jr., a Representative in Congress
from the State of Michigan, and Ranking Member, Committee on
the Judiciary.................................................. 5
WITNESSES
Elana Tyrangiel, Acting Assistant Attorney General, Office of
Legal Policy, Department of Justice
Oral Testimony................................................. 13
Prepared Statement............................................. 16
Richard Littlehale, Assistant Special Agent in Charge, Technical
Services Unit, Tennessee Bureau of Investigation
Oral Testimony................................................. 24
Prepared Statement............................................. 27
Orin S. Kerr, Fred C. Stevenson Research Professor, George
Washington University Law School
Oral Testimony................................................. 36
Prepared Statement............................................. 38
Richard Salgado, Director, Law Enforcement and Information
Security, Google, Inc.
Oral Testimony................................................. 45
Prepared Statement............................................. 47
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Material submitted by the Honorable John Conyers, Jr., a
Representative in Congress from the State of Michigan, and
Ranking Member, Committee on the Judiciary..................... 6
APPENDIX
Material Submitted for the Hearing Record
Letter from the Federal Law Enforcement Officers Association
(FLEOA)........................................................ 66
Prepared Statement of the American Civil Liberties Union (ACLU).. 69
ECPA (PART I): LAWFUL ACCESS
TO STORED CONTENT
----------
TUESDAY, MARCH 19, 2013
House of Representatives
Subcommittee on Crime, Terrorism,
Homeland Security, and Investigations
Committee on the Judiciary
Washington, DC.
The Subcommittee met, pursuant to call, at 10:02 a.m., in
room 2141, Rayburn Office Building, the Honorable F. James
Sensenbrenner, Jr. (Chairman of the Subcommittee) presiding.
Present: Representatives Sensenbrenner, Goodlatte, Coble,
Gohmert, Labrador, Scott, Conyers, Bass, Richmond, and Chu.
Staff present: (Majority) Caroline Lynch, Chief Counsel;
Anthony Angeli; Counsel; Alicia Church, Clerk; (Minority) Bobby
Vassar, Minority Counsel; Joe Graupensperger, Counsel.
Mr. Sensenbrenner. The Subcommittee on Crime, Terrorism,
Homeland Security, and Investigations will come to order.
The Chair recognizes himself for 5 minutes for an opening
statement.
The Electronic Communications Privacy Act of 1986, or ECPA,
is complicated, outdated, and largely unconstitutional. ECPA
made sense when it was drafted, but the role of the Internet
and electronic communications in our daily lives is vastly
different now than it was during the Reagan administration.
Needed reforms can better protect privacy and allow the growth
of electronic communications in the economy without
compromising the needs of law enforcement.
ECPA was drafted in 1986, the same year Fox News was
launched. That year, President Reagan ordered a strike against
Muammar Qaddafi. Arnold Schwarzenegger married Maria Shriver,
and at this time in 1986, Mark Zuckerberg was 1 year old. The
world is a different place. I think we all can agree on that.
The 1986 law governing the Internet is like having a national
highway policy drafted in the 19th century.
Today's hearing is the first in a series the Subcommittee
will hold to examine ECPA. Today we will explore the needs of
Government to access the contents of stored electronic
communications and the level of judicial review currently
required to obtain them.
ECPA was the necessary response to the emergence and rapid
development of wireless communications services and electronic
communications in the digital era. At that time, electronic
mail, cordless phones, and pagers were in their infancy.
The Federal wiretap statute has been limited to voice
communications and addressed an area of communications for
which there is a Fourth Amendment right to privacy. ECPA
extended the wiretap provisions to include wireless voice
communications and electronic communications such as e-mail and
other computer-to-computer transmissions. It established a
framework for law enforcement to obtain the content of
communications.
The evolution of the digital age has given us devices and
capabilities that have created conveniences for society and
efficiencies for commerce, but they also have created
convenience and efficiencies for criminals, as well as
innovative new ways to commit crimes. Fortunately, new ways to
detect and investigate crimes and criminals have also evolved.
At the intersection of all of these developments and
capabilities are the privacy rights of the public, economic
interests in expanding commerce, public policy of encouraging
the development of even better technologies, and the legitimate
investigative needs of law enforcement professionals.
We are eager to hear about the constitutional
considerations that would require changes to the level of
judicial review for access to stored communications. We must
also consider the lawful access to stored content by the
Government in civil litigation, particularly when the
Government is a defendant.
Lastly, we must examine the effect that ECPA reform would
have on investigations at the State and local levels.
Today's hearing will focus on the actual contents of
electronic stored communications. Email content is the body of
a private electronic communication transmitted from the sender
to one or more recipients. The primary question is whether the
Fourth Amendment protections apply and to what type of stored
communications. Our ultimate goal is to enact reforms that will
endure for decades. This will give everyone the certainty they
need to move forward in the digital age.
It is no secret in the digital age privacy is harder to
maintain, but Americans should not have to choose between
privacy and the Internet. In 1986, if you wanted privacy, you
might keep a personal document in the filing cabinet instead of
posted on a cork bulletin board. Today, you would probably save
the same document behind the password in the Google account
rather than to post it on your Facebook wall.
But our expectations of privacy have not changed. The
Fourth Amendment protects more than just Luddites. If our laws
fail to recognize this, we needlessly risk stunting
technological progress and economic growth.
I look forward to hearing from all of our witnesses today.
And I now recognize the Ranking Member, the gentleman from
Virginia, Mr. Scott.
Mr. Scott. Thank you, Mr. Chairman.
Today the Subcommittee follows last week's hearing about
cyberthreats and our computer crime laws with a hearing about
privacy of stored electronic communications content. Whether
the issue is countering the use of computers to commit crime or
setting standards for law enforcement's access to stored
electronic information in order to investigate crime, the pace
of the technology change has exceeded the limits of our
statutes in these areas.
The Electronic Communications Privacy Act, a statute
designed in 1986 to govern law enforcement's access to the then
emerging electronic and wireless technologies, is now outdated.
Because of the growth of the Internet and related technologies,
most of our private communications and other sensitive
information are transmitted online and are stored in computer
networks. To the extent that this has taken place and the ways
in which technologies have evolved, that was not envisioned by
Congress when we adopted the current statute. The result is
that the standards for compelled disclosure under the statute
are not adequate and their application is inconsistent.
For example, under the statute a single e-mail or
electronic document could be subject to multiple legal
standards in its lifetime from the moment it is typed to the
moment it is opened by the recipient or uploaded into a user's
account in the cloud where it may be subject to an entirely
different standard. This occurs because content may be stored
in places governed by different statutory definitions from
moment to moment.
While a warrant is required to access the content of e-
mails while it waits in electronic communications service
storage to be read by the recipient, the instant the e-mail is
opened by the recipient, it may lose that high standard of
protection and become accessible by subpoena rather than by a
warrant.
Also, following the disclosure rules can prove difficult if
the service provider is unsure whether the data is stored by an
electronic communications service or a remote computing
service. Indeed, the distinction is made somewhat confusing
because most network services are multi-functional. They can
act as providers of a communications service in some context or
a remote service in others and neither in still others. And to
address these concerns, we need clarity, fairness of
application, and appropriate protection of the privacy rights
expected by our citizens.
So I look forward to our discussion today from the various
people who have an interest in this, and I thank you for
holding the hearing.
Mr. Sensenbrenner. Thank you, Mr. Scott.
The Chair now recognizes the gentleman from Virginia, Mr.
Goodlatte, the Chair of the full Committee.
Mr. Goodlatte. Thank you, Chairman Sensenbrenner. I
appreciate your holding this hearing.
The dawn of the digital age and the explosive development
of communication methods have brought with it faster ways to
compile, transmit, and store information. These developments
have produced faster and more efficient ways to do everything
from conducting commerce to connecting with friends.
Unfortunately, criminals have found ways to convert the
benefits offered by new technology into new ways to commit
crimes. At the intersection of these activities are the privacy
rights of the public, society's interest in encouraging and
expanding commerce, the investigative needs of law enforcement
professionals, and the demands of the United States
Constitution.
The Electronic Communications Privacy Act was designed to
provide rules for Government surveillance in the modern age.
The technology of 1986 now seems ancient in comparison to
today's. The interactive nature of the Internet now, including
elements such as home banking and telecommuting, has produced
an environment in which many people spend many hours each day
online. In this context, a person's electronic communications
encompass much more than they did in 1986. Indeed, in 2013, a
person's electronic communications encompass much more than
they did in 2000 when Congress acknowledged that much had
changed since the original ECPA of 1986.
ECPA reform must be undertaken so that despite the
evolution of technology and its use in the world, the
constitutional protections reinforced by ECPA will endure. ECPA
was intended to establish a balance between privacy and law
enforcement. In addition, ECPA sought to advance the goal of
supporting the development and use of new technologies and
services. Those original tenets must and will be upheld as this
law is improved.
There are many investigations in which ECPA is working and
working well. Pedophiles who sexually assault children and
distribute video recordings over the Internet have become
increasingly savvy. They encrypt their communications and use
technologies to hide their identities and whereabouts.
Investigators routinely use court orders under ECPA to identify
these offenders, uncover caches of child pornography that has
been stored remotely in the cloud, and develop probable cause
to execute warrants and arrest them.
ECPA reform is one of the top priorities of the House
Judiciary Committee. Technology will help us solve many of the
pressing problems our Nation currently faces. We need to make
sure that the Federal Government's efforts are focused on
creating incentives that encourage innovation and eliminating
policies that hinder it. In updating a law passed before the
creation of the Internet, the modernization of ECPA needs to
provide electronic communications with protection comparable to
their more traditional counterparts and take into account the
recent boom in new technologies like cloud computing, social
networking sites, and video streaming.
That is why we will modernize the decades' old Electronic
Communications Privacy Act to reflect our current digital
economy while preserving constitutional protections.
This particular hearing focuses on issues related to the
lawful access to stored communications under the current law.
It is becoming clear that some reforms are necessary, but this
Committee will move toward modernization and reform after a
thorough review and with input from all stakeholders.
I look forward to working with all Members on both sides of
the aisle to modernize the Electronic Communications Privacy
Act.
And I yield back to the Chairman.
Mr. Sensenbrenner. Thank you, Mr. Goodlatte.
The Chair now recognizes the Chairman emeritus and Ranking
Member of the full Committee, the gentleman from Michigan, Mr.
Conyers.
Mr. Conyers. Chairman Sensenbrenner, Members of the
Committee, we have heard in opening statements that we are all
for modernizing. This hearing could be very important with our
witnesses telling us what kind of modernization do we want.
That is where this is all going, and I am glad to hear both the
Chairman of the Committee and the Chairman of the Subcommittee
hit those points along, of course, with our Ranking minority
Member, Mr. Scott.
I have a list of Digital Due Process Coalition members,
some 80 or more organizations that are with us on this, and I
would like unanimous consent to include this in the record.
Mr. Sensenbrenner. Without objection.
[The information referred to follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Conyers. Thank you.
And I conclude by raising the two issues that I will be
looking at most carefully, one, that the standard of probable
cause should apply to the Government's ability to compel a
communications provider to disclose the customer's e-mail
message no matter how old the message is. And we have got the
Warshak case that has now come down. It makes no sense for the
Government to need a subpoena to obtain e-mail messages that
are older than 180 days.
And finally, the law does not adequately protect
communications stored in the cloud by third parties on behalf
of consumers. And a probable cause warrant should be required
for Government access.
These are very important considerations, and I think we
will be observing the Fourth Amendment, the right to be free
from unreasonable searches and seizures, and still move into
the 21st century.
I thank the Chairman, and I return any unused time.
Mr. Sensenbrenner. Thank you, Mr. Conyers.
We have a very distinguished panel today, and I will begin
by swearing in our witnesses before introducing them. So could
all of you please stand and raise your right hands?
[Witnesses sworn.]
Mr. Sensenbrenner. Let the record show that each of the
witnesses answered in the affirmative.
The first witness is Ms. Tyrangiel who currently serves as
the Assistant Attorney General for the Office of Legal Policy.
She joined OLP in 2009 and has served in various roles since
then, including chief of staff, deputy assistant attorney
general, and principal deputy. Ms. Tyrangiel worked in the
Office of White House Counsel before joining OLP. From 2000 to
2009, she was an assistant United States attorney in the U.S.
Attorney's Office for the District of Columbia where she served
as deputy chief of the Sex Offense and Domestic Violence
Section.
Ms. Tyrangiel graduated from Brown University and received
her law degree from the University of Michigan Law School.
Mr. Richard Littlehale, currently serves as the Assistant
Special Agent in charge of the Tennessee Bureau of
Investigations Technical Service Unit. He coordinates and
supervises the use of a wide range of advanced technologies in
support of law enforcement operations. This includes
supervision of TBI's Internet Crimes Against Children Task
Force and TBI's Joint Cybercrime and Child Exploitation Task
Forces with the FBI.
Mr. Littlehale and the TBI agents he supervises developed
intelligence and evidence from communications records in a wide
range of cases, including homicide investigations, the search
for dangerous fugitives, Internet crimes against children,
computer intrusions, and child abduction responses.
He ensures that TBI agents are trained to use electronic
surveillance techniques in strict compliance with State and
Federal law. He also provides instruction to law enforcement
officers at all levels of government in techniques for
obtaining and using communications evidence in support of
criminal investigations and is active in national groups of law
enforcement technical and electronic surveillance specialists.
He graduated from Bowdoin College and received his law
degree from Vanderbilt Law School.
Professor Orin Kerr is a professor of law at George
Washington University where he teaches criminal law, criminal
procedure, and computer crime law. Before joining the faculty
in 2001, Professor Kerr was an honors program trial attorney in
the Computer Crime and Intellectual Property Section of the
Criminal Division of the U.S. Department of Justice, as well as
a special assistant U.S. attorney for the Eastern District of
Virginia.
He is a former law clerk for Justice Anthony M. Kennedy of
the U.S. Supreme Court and Judge Leonard I. Garth of the U.S.
Court of Appeals for the Third Circuit. In the summer of 2009
and 2010, he served as special counsel for Supreme Court
nominations to Senator John Cornyn on the Senate Judiciary
Committee.
He has been a visiting professor at the University of
Chicago Law School and the University of Pennsylvania Law
School.
He received his bachelor of science degree in engineering
from Princeton and his master of science from Stanford. He
earned his juris doctor from Harvard Law School.
Mr. Salgado serves as Google's Director of Information
Security and Law Enforcement Matters. He has also served as
senior counsel in the Computer Crime and Intellectual Property
Section of the U.S. Department of Justice. As a Federal
prosecutor, he specialized in investigating and prosecuting
computer network cases such as computer hacking, illegal
computer wiretaps, denial of service attacks, malicious code,
and other technology-driven privacy crime.
He graduated from the University of New Mexico and received
his law degree from Yale Law School.
Each of you will be recognized for 5 minutes. Without
objection, each of your full written statements will appear in
the record after your statement has been completed.
And also without objection, all Members' opening statements
will be placed in the record as well.
Ms. Tyrangiel, you are first.
TESTIMONY OF ELANA TYRANGIEL, ACTING ASSISTANT ATTORNEY
GENERAL, OFFICE OF LEGAL POLICY, DEPARTMENT OF JUSTICE
Ms. Tyrangiel. Thank you. Chairman Sensenbrenner, Ranking
Member Scott, Chairman Goodlatte, Ranking Member Conyers, and
Members of the Subcommittee, thank you for the opportunity to
testify on behalf of the Department of Justice regarding the
Electronic Communications Privacy Act, or ECPA. This topic is
particularly important to the Department. We are pleased to
engage with the Subcommittee in discussions about how ECPA is
used and how it might be updated and improved.
Since its inception, ECPA has sought to ensure public
safety and other law enforcement imperatives, while at the same
time ensuring individual privacy. It is important that efforts
to amend ECPA remain focused on maintaining both of these
goals.
During any discussions of possible changes to ECPA, it is
important to keep in mind its wide-ranging application and
scope. The typical scenario that comes to mind is a law
enforcement agency conducting a criminal investigation and
seeking a target's e-mail from a service provider that makes
its services available to the public. And indeed, ECPA is
critical to all sorts of criminal investigations into murder,
kidnapping, organized crime, sexual abuse, or exploitation of
children, identity theft, and more.
But the statute applies to all government entities,
Federal, State, and local when they seek to obtain content or
non-content information from a service provider. This means
that the statute applies not only to criminal investigators but
also when the government is acting as a civil litigator or even
as an ordinary civil litigant. Moreover, the statute applies
not only to public and widely accessible service providers, but
also to non-public providers such as companies that provide e-
mail to their employees.
Although ECPA has been updated several times since its
enactment in 1986, many have noted--and we agree--that some of
the lines drawn by the statute have failed to keep up with the
development of technology and the ways in which we use
electronic and stored communications. We agree, for example,
that there is no principal basis to treat e-mail less than 180
days old differently than e-mail more than 180 days old.
Similarly, it makes sense that the statute not accord lesser
protection to open e-mails than it gives to e-mails that are
unopened.
Acknowledging these things is an important first step. The
harder question is how to update the statute in light of new
and changing technologies while maintaining protections for
privacy and adequately providing for public safety and other
law enforcement imperatives.
Personal privacy is critically important to all Americans
and individuals around the world. All of us use e-mail and
other technologies to share personal and private information,
and we want it to be protected appropriately.
Some have suggested that the best way to enhance privacy
under ECPA would be to require law enforcement to obtain a
warrant based on probable cause to compel disclosure of stored
e-mail and similar stored content information from a service
provider. We believe that this approach has considerable merit,
provided that Congress consider contingencies for certain
limited functions for which this may pose a problem.
For example, civil regulators and litigators typically
investigate conduct that, while unlawful, is not a crime. But
criminal search warrants are only available if an investigator
can show probable cause that a crime has occurred. Lacking
warrant authority, civil investigators enforcing civil rights,
environmental, antitrust, and a host of other laws would be
left unable to obtain stored contents of communications from
providers, if they could no longer use a subpoena.
Reform efforts must also account for existing practices as
to entities such as corporations that provide e-mail to their
employees. Investigations of corporate malfeasance, both civil
and criminal, have long been conducted by subpoena. For
example, it is settled law that a government investigator may
use a subpoena to obtain corporate records such as memoranda,
letters, or even printed e-mails. It would be anomalous for
ECPA to afford greater protection to electronic corporate
records than to the identical records in hard copy. To be
clear, it is decidedly not our view that subpoenas are blanket
substitutes for warrants, but in the narrow context of
corporate investigations, it is important to remember that
subpoenas are the norm for obtaining business records, and
creating a different standard for different means of
communications would hamper many such investigations.
Finally, we also believe that there are a number of other
parts of the statute that may merit further examination as you
consider ways to update and clarify the statute, and I have
noted some of them in my written statement.
The Department of Justice appreciates the opportunity to
discuss this issue with the Subcommittee and I look forward to
your questions here today.
[The prepared statement of Ms. Tyrangiel follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Sensenbrenner. Thank you very much.
Mr. Littlehale.
TESTIMONY OF RICHARD LITTLEHALE, ASSISTANT SPECIAL AGENT IN
CHARGE, TECHNICAL SERVICES UNIT, TENNESSEE BUREAU OF
INVESTIGATION
Mr. Littlehale. Chairman Sensenbrenner, Ranking Member
Scott, Chairman Goodlatte, and Ranking Member Conyers, Members
of the Subcommittee, thank you for inviting me to testify. My
name is Richard Littlehale and I am Assistant Special Agent in
Charge of the TBI Technical Services Unit. I also serve on the
Technology Committee of the Association of State Criminal
Investigative Agencies and am representing their position
today.
I will make eight points very briefly, and I welcome your
questions if you would like to explore them further.
First, setting the standard necessary for government to
obtain content is just the first step. We also have to make
sure we can actually get it. To date, much of the attention
given to the question of lawful access to stored content has
focused on the level of proof required for law enforcement to
obtain it. The reality is that legal barriers are not the only
ones that keep communications records out of our hands.
Technological barriers and a lack of a mandatory compliance
framework regarding service provider response slow our efforts
as much or more as a change in the standard of proof might. I
urge you to ensure that whatever standard of proof you decide
is appropriate, you also ensure that law enforcement can access
evidence reliably and quickly.
Second, timeliness and quality of service must be
addressed. There is no requirement in current law that compels
providers to respond in a timely fashion to our legal demands.
Some respond relatively quickly but others do not. In
particular, this sometimes prevents us from efficiently
processing large volumes of leads like cybertips from the
National Center for Missing and Exploited Children. In those
leads, there may be an emergency, but we cannot know about it
until we get the routine response back from the service
provider. Speed is important. A reasonable legal mandate for
responsiveness should be considered as a part of any ECPA
reform proposal.
Third, emergency provisions. Law enforcement must have
rapid access to communications evidence in a life-threatening
emergency, but that is not always the reality. The emergency
provision in today's ECPA is voluntary for the providers, not
mandatory. Even when emergency access is granted, there is no
guarantee we will get the records immediately. In some cases,
there is insufficient service provider compliance staff to
process these requests quickly. In other cases, providers have
chosen never to provide evidence in the absence of legal
process no matter the circumstances, and the current emergency
provision does not preclude this.
Fourth, notification requirements. Requiring law
enforcement to seek additional process to prevent providers
from informing customers of the existence of a demand is a
labor-intensive process. We urge the Committee to carefully
balance the need for notification and reporting against the
practical resource burden it places on law enforcement.
Fifth, records retention. Some cellular service providers
claim they do not retain text messages for any time at all or
retain them for very short periods of time. Millions of texts
are sent every day and some contain key evidence about criminal
activity. I urge you to find a balance on retention policy that
is not overly burdensome to service providers but that ensures
that law enforcement can obtain access to critical evidence
with appropriate legal process.
Sixth, preservation. Preservation under section 2703 has
been offered by some as an alternative to records retention,
but some service providers have a stated policy of notifying
customers of the demand unless a court tells them not to. A
2703 preservation request does not allow law enforcement to
gain access to information but merely ensures it exists when we
serve appropriate process. There should be no customer notice
for preservation.
Seventh, the definition of content. Definitions of content
and non-content information need to be clear and comprehensive.
If Congress determines that any kind of content whatsoever
requires a probable cause standard of access, then ECPA should
define content explicitly and not infer it from less explicit
definitions in other parts of the code.
Finally, the volume of law enforcement legal demands.
Recent media reports have expressed alarm that the number of
law enforcement requests for communications evidence is
growing. Of course, the requests are growing because today a
rapidly growing percentage of the available evidence in any
criminal case exists in the digital world.
Google's transparency initiative puts the volume of law
enforcement demands in perspective. In June of 2012, Google
claimed 425 million individual account holders for its Gmail
service. In the U.S., Google reported just over 16,000
government requests affecting over 31,000 accounts. That means
a tiny fraction of 1 percent of Google's accounts were affected
by government demands, and given that there are 17,000 law
enforcement agencies in the United States, on average there was
less than one request for information per law enforcement
agency per year for Google records. It is hard to conclude from
these numbers that law enforcement demands were excessive.
I will close by reemphasizing the importance of ensuring
that law enforcement concerns about access to evidence become a
central part of this ECPA reform discussion. My fellow
electronic surveillance practitioners and I are well aware of
the need to balance privacy and public safety, and we look
forward to working with the Subcommittee to get ECPA reform
right.
Thank you for having me here and I look forward to your
questions.
[The prepared statement of Mr. Littlehale follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Sensenbrenner. Thank you very much.
Professor Kerr.
TESTIMONY OF ORIN S. KERR, FRED C. STEVENSON RESEARCH
PROFESSOR, GEORGE WASHINGTON UNIVERSITY LAW SCHOOL
Mr. Kerr. Chairman Sensenbrenner, Ranking Member Scott,
Members of the Subcommittee, thank you for the invitation to
testify here this morning.
I wanted to focus on the constitutional issues raised by
the Stored Communications Act.
As several of you noted in your opening statements, the
leading cases so far in the lower courts indicate that the
Fourth Amendment fully protects the contents of e-mail and
other remotely stored files in the cloud, meaning that the
constitutional standards or the standards adopted by the
statute in 1986 are currently below the constitutional
threshold. So one pressing reason to amend the statute is
because the Constitution requires more privacy protection than
current statutory law requires.
The lower court case law is, as of yet, not fully
developed. We have one significant decision from the Sixth
Circuit Court of Appeals. We do not yet have a decision from
the United States Supreme Court, and also we are still in the
beginning stages of getting case law on fact patterns beyond e-
mail. So, for example, in addition to storing contents,
remotely stored contents by e-mail, individuals may have stored
Facebook messages, Google documents stored in the cloud, lots
of information that is available on remote servers that does
not fit the specific category of e-mail. The lower court cases
so far suggest that they are also fully protected by the Fourth
Amendment's warrant requirement, but as of yet, we do not have
a lot of case law in the lower courts to indicate whether that
is the case.
I think it is correct, though. I think it is difficult to
distinguish between e-mail, for example, and Facebook messages
and documents in the cloud. In my view, they are all protected
under the Fourth Amendment under the reasonable expectation of
privacy test.
The difficulty then with the existing statute is not only
that it is below the constitutional threshold, but that because
it is below the constitutional threshold, it actually becomes
significantly harder for the constitutional protections to be
recognized, thanks to the good faith exception under the Fourth
Amendment when the government relies on a statute that allows a
search or seizure. The key case here is another 1986 decision,
Illinois v. Krull, which held that when the government
reasonably relies on a statute that might be considered
constitutional, the exclusionary rule does not apply under the
good faith exception.
What that means as a practical matter is that the existence
of ECPA actually makes it harder to recognize constitutional
rights. It actually cuts constitutional protection rather than
adds privacy protection because the government under current
law can rely on the good faith exception to rely on the statute
to obtain contents with less process than a warrant. As the
case law becomes more established, it will be harder for the
government to do that. But ironically, the existing statute
actually makes it harder for Americans to recognize their
constitutional rights and to get those constitutional rights
recognized in cases than there would be if there were no
statute at all.
Ultimately the ECPA statute was designed to fill in
constitutional protections where at the time in the 1980's it
was not clear how the Fourth Amendment would apply. So it may
be as we get more and more case law establishing those Fourth
Amendment protections, there is less and less of a need for
statutory protections that regulate that same territory, and at
the very least, it is important for those statutory protections
to not be below the threshold of the constitutional protection
in light of the good faith exception.
I also wanted to address a few aspects of the Justice
Department's testimony. I think it is very significant that the
Justice Department is taking the view agreeing generally to the
idea that there needs to be a rewrite of the statute and that
there is merit to the idea of a general warrant requirement.
The Justice Department's testimony suggests that there are
two potential exceptions to that, one of which I think is
justified and one of which I am skeptical about.
The one that I think is justified is allowing a subpoena
authority when the government is investigating a company and
its own e-mail services in the corporate crime context where
traditionally the Justice Department and State prosecutors as
well have relied on subpoena authorities to investigate, say, a
company engaged in some sort of white-collar crime. I think it
makes a lot of sense to have an exception to the general
warrant requirement for that particular context.
On the other hand, I am skeptical about the idea of having
civil discovery subpoenas widely used in the ECPA setting. I do
not think we want to have our service providers turned into
essentially places where anyone who files a civil lawsuit can
go and get somebody else's e-mail to look through in a routine
civil investigation. Maybe there are some reasons to treat
Federal Government investigations differently in some cases,
but I think it is dangerous to allow providers to be used in
this way. In general, in civil litigation, it should be the
people go through the parties not through service providers.
I thank you and I look forward to your questions.
[The prepared statement of Mr. Kerr follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Sensenbrenner. Thank you very much.
Mr. Salgado.
TESTIMONY OF RICHARD SALGADO, DIRECTOR, LAW ENFORCEMENT AND
INFORMATION SECURITY, GOOGLE, INC.
Mr. Salgado. Chairman Sensenbrenner, Chairman Goodlatte,
Ranking Member Scott, Ranking Member Conyers, and Members of
the Subcommittee, thank you very much for the opportunity to
appear before you this morning.
I am Richard Salgado. As Director for Law Enforcement and
Information Security at Google, I oversee the company's
compliance with legal requests for data, including those
submitted under the Electronic Communications Privacy Act of
1986, otherwise known as ECPA.
In the past, I worked on ECPA issues in my capacity as
senior counsel in the Computer Crime and Intellectual Property
Section in the Department of Justice.
In 2010, I appeared before what was then the House
Judiciary Subcommittee on the Constitution, Civil Rights, and
Civil Liberties. When I spoke then, I highlighted the numerous
ways in which the Internet has contributed to our economy and
our society as a whole.
Today, not surprisingly, the impact is greater. In addition
to the millions of jobs that have been created, the Internet
economy accounts for almost 5 percent of our gross domestic
product, according to a recent Boston Consulting Group study.
The Internet has put information and opportunity at the
fingertips of millions of users, and we need updated laws to
allow this ecosystem to continue growing.
On a nearly daily basis, I see the challenges created by
ECPA. In 2010, Google launched a Transparency Report which
details the volume of requests for user data that we receive
from government entities. In the last half of 2012, the number
of requests Google received from government agencies in the
United States in criminal cases more than doubled compared to
the same period in 2009.
ECPA was passed in 1986 when electronic communications
services were in their infancy. With the dramatic changes that
we have seen since then, the statute no longer provides the
privacy protection that user of these services reasonably
expect. And one example that the Committee may already be
familiar with is from the ECPA rules around compelled
disclosure of e-mail. As a general rule, law enforcement under
the statute needs to obtain a warrant to compel an electronic
communications service provider to disclose content that is
held in electronic storage, as that term is defined in the
statute, for 180 days or less. Once that message becomes 181
days old, it loses that level of statutory protection and a
government entity can compel its disclosure with a mere
subpoena which, of course, is issued on a much lower standard
than a search warrant and without any judicial review.
I will also note that the Department of Justice has taken
the position that government can use a subpoena to compel the
production of e-mail that has been opened even if it is younger
than 181 days. It is a position that has been rejected by one
court of appeals in the Federal system.
If one could discern a policy rationale for this 180-day
rule in 1986, it is not evident any longer and contravenes
users' reasonable expectations of privacy. We are encouraged to
hear that the Department of Justice seems to acknowledge this
as well.
In fact, the Sixth Circuit in the latter part of 2010 held
that ECPA violates the Fourth Amendment to the extent that it
allows government to use legal process less than a warrant to
compel the production of content from a service provider.
Google believes this is correct, and to the extent ECPA
provides otherwise, it is unconstitutional.
The 180-day rule reveals the gap between where the statute
is and where users' reasonable expectations of privacy lie. The
privacy protection afforded to e-mail content from law
enforcement should not vary based on a communication's age or
its opened state. ECPA should be updated to require a warrant
to compel the production of any content. Updating ECPA should
be a top privacy priority for the 113th Congress.
And Google is not alone in taking this view. More than 80
companies and organizations that span the political spectrum
are now members of the Digital Due Process Coalition which
supports updating ECPA. And these include Americans for Tax
Reform, the American Civil Liberties Union, the Center for
Democracy & Technology, the Competitive Enterprise Institute,
and the U.S. Chamber of Commerce. Notably, these organizations
do not always agree on other privacy issues, but they are
united in the effort to support updated provisions in ECPA for
the requirement of a warrant for the production of content.
As the benefits of Internet computing become more obvious,
including the data security benefits, the growth of the
Internet should not be artificially slowed by outdated
technological assumptions that are currently baked into part of
ECPA. And the progression and innovation in technology should
not be hobbled by pre-Internet ECPA provisions that no longer
reflect what users should expect.
We look forward to working with the Subcommittee and the
full Judiciary Committee and Congress as a whole to update the
statute.
Thank you for your time and consideration. I would be happy
to answer any questions.
[The prepared statement of Mr. Salgado follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Sensenbrenner. The time of the gentleman has expired.
The Chair will withhold his questions until the end and now
recognizes the gentleman who is the Chairman of the full
Committee, the gentleman from Virginia, Mr. Goodlatte.
Mr. Goodlatte. Thank you, Mr. Chairman.
Let me direct this question to each of you. To obtain a
document from someone's home requires a warrant. When the same
person gives and stores that document with another person or a
company, a subpoena can be used to obtain it.
What is an individual's expectation of privacy when
electronic documents are stored with third parties? Why should
stored electronic communications be treated any differently
under the Fourth Amendment?
We will start with you, Ms. Tyrangiel. Is that how you
pronounce your name?
Ms. Tyrangiel. Tyrangiel.
Mr. Goodlatte. Sorry. Thank you.
Ms. Tyrangiel. That is okay.
So as to what can be obtained in what circumstances, the
Fourth Amendment is very fact-specific and dependent on
circumstances. So with that caveat, in obtaining documents from
someone's home, certainly if there is a desire to go in and
compel that document, there can be a search warrant used. You
can also subpoena people to bring you documents that they have
in their home. So depending on the circumstances, even in the
paper world, there can be permutations of what rules apply.
With respect to what the standard should be for electronic
communications, we have suggested that many have advocated on
behalf of a warrant requirement for the government to compel
stored communications from providers. And in those
circumstances, as a general matter, we think that idea has some
merit, and we understand the appeal of that.
Mr. Goodlatte. Let me interrupt because I have got a lot of
people and a couple more questions.
Mr. Littlehale.
Mr. Littlehale. Mr. Chairman, I welcome the question, and I
would suggest that it suggests that even beyond ECPA, search
warrant law, statutory search warrant law, in general is also a
little bit behind the times in terms of technology. For
example, if I serve a search warrant on a residence, then it is
up to me and the fellow agents to determine what we are going
to take. We decide what we are going to get and we get it and
we leave in a quick fashion or as quick as we choose to, as
quick as we choose to expedite that warrant.
On the other hand, even if the Committee chooses that law
enforcement needs probable cause to obtain these records, we
are at the mercy of the service providers to determine how long
it is going to take them to comply with that request.
So in keeping with my testimony, I would suggest that
whatever the level of standard of proof, the thing that really
matters most to those of us in State and local law
enforcement----
Mr. Goodlatte. Is prompt response.
Mr. Littlehale [continuing]. Is prompt response.
Mr. Goodlatte. Professor Kerr?
Mr. Kerr. Mr. Goodlatte, the answer in the physical world
would really depend on whether the documents that you handed to
the other person were sealed or not. If it is an open set of
documents, you would be relinquishing your expectation to
privacy. The government could get that information from the
other person without a warrant. If it is sealed documents, for
example, in a sealed envelope or a sealed box, then it would be
protected.
Mr. Goodlatte. So if it is stored in the cloud but no one
else--is that the equivalent of a sealed document?
Mr. Kerr. Yes, I think it is the equivalent of a sealed
document, and that is the right analogy that the Warshak court
adopted.
Mr. Goodlatte. Thank you.
Mr. Salgado.
Mr. Salgado. Mr. Chairman, we do not see a distinction
there. There needs to be Fourth Amendment protection to
documents that a user stores in the cloud just the same as if
they had stored them in their office or their home. The
reasonable expectation to privacy of the Fourth Amendment
requires that result, and we would like to see ECPA updated to
reflect that.
Mr. Goodlatte. All right.
And then to follow up on Professor Kerr's statement, we
will ask both of you. So is there a diminished expectation of
privacy when a document is stored in the cloud but multiple
people have access to it for editing purposes or for whatever
purpose?
Mr. Kerr. No, there is no diminished expectation of privacy
in the same way that there would be in--if you live with
several other people in your home, there is still warrant
protection for the home. In the physical world, the slight
exception to that would be that other people who share the
space can consent to the government going in and looking at
your stuff.
And where ECPA plays an important role is in section 2702,
limiting the ability of the provider--that is the sort of third
party there--from voluntarily disclosing information to the
government. So it is a very important protection that
effectively recognizes the fact that in the cloud, it is the
provider who has access to the information and also the user
who has access.
Mr. Goodlatte. Very good.
And, Mr. Salgado, would you elaborate on some of the ``in
the cloud'' services that are currently being marketed by
Google and by others? And will a higher standard for law
enforcement to access the information stored in the cloud make
such a service more attractive to consumers? And similarly,
will it make it more attractive to criminals?
Mr. Salgado. Thank you, Mr. Goodlatte.
The answer is yes. The services that we offer are very
popular. But the failure of current law to keep up with the
reasonable expectation of privacy has been a drag on the
adoption of these services, and there is certainly resistance
to it both in the United States but also from markets outside
of the United States where customers may be concerned that the
U.S. Government has access to the materials with a standard
that is lower than what they ought to expect--the users ought
to expect.
Some of the services that we can point to as examples of
this include, of course, the Gmail product, but there are also
other services like our YouTube video upload and viewing
service; Docs, which allows users to collaborate on the
drafting and editing of documents; Blogger, which is a very
popular site for the publication of blogs which can at times be
private or shared among a limited group of people.
Mr. Goodlatte. What about criminals?
Mr. Salgado. I am sorry?
Mr. Goodlatte. Criminals, the other part of my question.
Mr. Salgado. Well, we have certainly recognized that the
services we offer can be misused. There are some miscreants out
there who will, whatever communications service is available,
find ways to turn it against the good. And we are very much in
favor of an amendment to ECPA that still allows law enforcement
to conduct the investigations it needs and to fulfill its
important responsibilities.
Mr. Sensenbrenner. The gentleman from Virginia, Mr. Scott.
Mr. Scott. Thank you, Mr. Chairman.
I would like to follow up on this, Mr. Salgado. Do people
generally know where the e-mail is physically stored and should
that make a difference in terms of the privacy expectations?
Mr. Salgado. Mr. Chairman, I do not think people
necessarily know where their e-mail is stored. Part of the
reason for that, of course, is the, if you will, magic of the
cloud as it is, which is by having data spread throughout lots
of data centers in different locations, even the existence of a
single e-mail may itself have been scattered among different
data centers to provide for security, for robust services, to
reduce latency. The rules around disclosure of the data should
not have anything to do with the location of it, which is, in
some sense, driven by the physics and architecture of the
Internet and not by choice of users or companies. It is more to
make----
Mr. Scott. And should that affect the expectation of
privacy? I mean, you would expect the e-mail to be private,
whatever Google does with it.
Mr. Salgado. That is right. We agree with that, that the e-
mail ought to be private regardless of where it is located and
the state of its storage or the age of the message itself.
Mr. Scott. Professor Kerr, you mentioned the case law as
being worked on through the courts. How much of that case law
is statutory interpretation, which we could clearly clarify,
and how much of it is constitutional law that we would have no
control over?
Mr. Kerr. Well, the case law that I was referring to was
constitutional case law. So we have the Sixth Circuit Court of
Appeals, a few district courts, a few State intermediate
courts. Those are Fourth Amendment interpretations governing e-
mail which, of course, Congress could not change.
Mr. Scott. Thank you.
Mr. Littlehale, you referred to content and said you might
want to say a little bit more about it. Are there different
levels of information that we are talking about whether it is
the fact that the e-mail was sent or the content of the e-mail
and there ought to be possible different standards for that?
Mr. Littlehale. Well, the first level of categories that I
would suggest we need to be cautious of, as we reform ECPA, is
making a clear distinction between the actual content of a
communication, the substance of the communication, and
signaling and routing information, stored transactional
information, that law enforcement can use, we believe, at a
lesser standard whether it is determined the pattern of contact
between two individuals, what communications technologies they
are using, use that as a component of probable cause to further
our investigation. So in my oral remarks, I was referring to
clarifying the standard of content so whatever the level of
access we determine for content, we are sure what content is.
Mr. Scott. Ms. Tyrangiel, is there a problem now with the
emergency provisions in getting information?
Ms. Tyrangiel. That is not something on which we have an
Administration position here today. We are certainly happy to
talk further with you about the robustness of the emergency
provisions and whether any situation----
Mr. Scott. You have access to information on an emergency
basis now. You can skip a couple of steps if there is, in fact,
an emergency. Has that been a problem?
Ms. Tyrangiel. So currently the law allows for an exception
for life and limb, essentially when there is physical harm or
danger to physical life. With respect to Mr. Littlehale and the
additional emergencies that might be necessary, we do not have
a position on that right now, but we are eager to discuss the
matter with Congress and with the Subcommittee and find a way
forward.
Mr. Scott. Is there any problem with--in civil litigation
you can get a lot of information that may not have been able to
be obtained on a criminal warrant. If someone obtains
information through civil litigation, can that be converted
into criminal evidence?
Ms. Tyrangiel. So with respect to what we are suggesting
that Congress consider, there would be much opportunity--and,
in fact, there would need to be an opportunity--to consider the
means by which information could be used between civil and
criminal; that is, in suggesting that there be an opportunity
for civil components to obtain contents of e-mail, there would
still need to be discussions about how the practicalities of
that would play out. So there are currently--and it depends on
context--ways in which information is passed from civil to
criminal, but it need not always be the case depending on the
situation.
Mr. Scott. Thank you, Mr. Chairman.
Mr. Sensenbrenner. Thank you.
The gentleman from North Carolina, Mr. Coble.
Mr. Coble. Thank you, Mr. Chairman, and thank you for
calling this hearing, Mr. Chairman.
I thank the witnesses for appearing.
I was going to start with Chairman Goodlatte's first
question. So you beat me to the punch, Bob. Let me go to
another.
Mr. Littlehale, is there any evidence at all that even
hints that the current law in place since 1986 has in any way
inhibited either the development or the use of the Internet or
other technologies?
Mr. Littlehale. I am not aware of any, no, sir.
Mr. Coble. Any other witnesses? Professor?
Mr. Kerr. I think it is a difficult question to answer
because, of course, it is a counter-factual issue. We do not
know what the world would look like if the statute were
different. So I think it is just a difficult question to answer
one way or the other.
Mr. Coble. Thank you, sir.
Anybody else want to be heard on it?
Mr. Salgado. For companies like Google--and there are
others--that have been following Warshak for a couple of years,
we actually have seen what the world looks like where there is
a warrant requirement for content. So we have had that for a
couple years now. I am not aware of this presenting any
difficulties in any context.
Mr. Coble. I thank you for that.
Mr. Littlehale, this may have been discussed, but let me
try it again if it has. Do heightened legal standards result in
a slower police response which may have real life or death
consequences? And if so, give me an example.
Mr. Littlehale. Well, sir, let me begin by saying that the
case that was discussed earlier--Tennessee is in the Sixth
Circuit. So for us now we live under a probable cause standard
for all stored content.
Having said that, in talking with practitioners across the
country, there are some who believe that the 180-day
distinction is appropriate and should remain and others who do
not.
I will say that, again returning to my earlier point,
anytime you talk about raising the level of proof, in some
cases you do reduce the number of leads we can process in the
same amount of time. If that is the will of Congress, certainly
we will operate within those parameters, but we also would urge
you that if there are going to be proof--you know, the levels
of proof are going to be raised and we are going to be able to
process a large number of leads a little bit slower in that
context, that if you can give us assistance in these other
areas, timeliness of service provider respond, records
retention, and so on, then that will allow us to contract the
investigative timeline and make sure that we are able to
perform our responsibilities even with a higher standard.
Mr. Coble. I thank you, sir.
Anyone else want to be heard on that?
Thank you all for being with us today.
Thank you, Mr. Chairman. I yield back.
Mr. Sensenbrenner. Thank you.
The gentleman from Louisiana, Mr. Richmond.
Mr. Richmond. Thank you, Mr. Chairman and Ranking Member,
especially for calling this meeting today.
And I would just pick up where you left off because, Mr.
Littlehale, I have heard you mention timeliness of response a
number of times. So I guess my question would be if we went to
almost like a subpoena-type model for some things, would it not
be up to you all to request the return or a judge to give that
date by which the provider has to respond to the subpoena?
Mr. Littlehale. Well, sir, partly that depends on which
statute we are proceeding under. Under ECPA, there are
provisions for State orders to have federally expansive effect.
That is going to vary from State to State, whether we are
permitted to require a certain response or not. I am certainly
aware of a number of instances over the course of my career
where, regardless of what the court order said on it or what
the subpoena said on it, the response was still delayed. And
frankly, again as a practical matter as a practitioner, is it
worth my taking my time and prosecutors' time away from
investigations in order to seek a motion for a show cause
hearing and try to bring a provider into town? Very often we
just do not have the time to do that. So often we just live
with what we can get. So regardless of the level of process, a
universal mandate for some more structured form of service
provider response is critical to our effectiveness.
Mr. Richmond. Right, but it would still have to have teeth
in it. I mean, we can have a mandated time that they have to
respond, but if you are telling me that if they ignore it, you
have to make a decision whether it is worth your time and
energy and using an agent to go to court to do a motion to
compel or a contempt hearing, then whether we put a date in or
not, you would still have to make that decision.
Mr. Littlehale. Yes, sir. I think a mandate would have
several benefits. First, it would allow all service providers
to build to the same standard as opposed to the situation we
have now where some make different corporate choices than
others and may be penalized because of it.
The truth is we would prefer to work with the service
providers and, of course, the law enforcement electronic
surveillance community has historically. We would rather
resolve this in a cooperative manner and find a mandate that
they could all build to rather than making an adversarial
situation because the truth is we depend on these people every
day to partner with us, save the victims, and get us the
information we need.
Mr. Richmond. Now, anyone can answer this question because,
in fact, we are talking about the subpoena aspect of it now.
One thing that I like about subpoenas, at least in my
practice, is that if the person whose records you are asking
for feels that it is just a fishing expedition or some other
violation of their rights, they have an option to file a motion
to quash or go see a judge or a court of jurisdiction to say,
you know, this is just a fishing expedition and I do not want
to do it, and then have a judge make a determination. How do
you all envision encompassing that same protection, the same
right, in what we are talking about now? Mr. Kerr.
Mr. Kerr. I think it depends on whether we are discussing a
probable cause-like regime, a traditional warrant approach, or
a subpoena that is not based on probable cause. If it is a
subpoena approach, then generally there would need to be some
prior notice. The current ECPA statute allows for prior notice,
requires prior notice when the government is pursuing a
subpoena, but then allows for delayed notice which,
unfortunately, is obtained in the routine case. As a result,
nobody ever finds out that their e-mails are being accessed or
at least does not find out until much later if they are
ultimately notified. As a result, you do not see those
challenges which should be available.
Under the warrant authority--and this is, I think, a
complex question--if the government proceeds under the warrant
authority, what notice should there be? The current statute
says if the government obtains a probable cause-based warrant,
there is no notice requirement. Of course, there is notice to
the provider, but not to the user.
Mr. Richmond. Right. Well, under a warrant, the theory is
that you have an independent person who has looked at it and
determined that, one, it is reasonable; two, there is probable
cause and it is not a fishing expedition.
So now my question is with the delayed notice, what
standard is there for law enforcement to ask for and receive
the ability or permission to do delayed notice as opposed to
immediate--allowing the provider to immediately notify someone
that their e-mails have been requested, seized, searched, or
whatever.
Mr. Kerr. The exact phrasing of the statute is--I cannot
recall off the top of my head, but it is essentially if it
would interfere with an ongoing investigation. And of course,
notice to a suspect could interfere with a lot of
investigations possibly. So that is obtained, unfortunately,
pretty routinely. And the notice requirement written into the
statute, unfortunately, ends up being a non-notice requirement
in practice.
Mr. Richmond. Well, I see my time has expired.
Ms. Tyrangiel, if you could just, at some point, think
about--and you do not have to answer it now--just how do we do
it in the regulatory scheme in terms of enforcement without
hampering the government's ability.
Thank you, Mr. Chairman.
Mr. Sensenbrenner. If Ms. Tyrangiel, the Justice Department
can answer Mr. Richmond's question promptly, without objection,
we will put that answer in the record because all of us would
like to know that.
The gentlewoman from California, Ms. Chu.
Ms. Chu. Thank you, Mr. Chair.
Ms. Tyrangiel, in your testimony you raise the point that
if ECPA is amended to require the government to get a warrant
to compel a service provider to disclose private
communications, that this would hinder civil investigations.
And you say that since civil regulators and litigators lack
warrant authority, they would be left unable to obtain stored
contents of communications from providers.
I am trying to understand the scope of the problem if this
is the case. Do you know how frequently civil investigators try
to obtain information from third party service providers? Why
could they not just get a subpoena for e-mails directly from
the party? And in fact, would it not be more likely the case
that they would do such a thing? In other words, is the
frequency more or less than the requests for criminal
investigators?
Ms. Tyrangiel. So thank you for that question.
There are a couple of reasons why going to a subscriber
directly is not a reliable way of always getting the content
that is being sought. One is there are times when the
subscriber has gone out of business, is bankrupt, is deceased.
Another reason is that occasionally or with some frequency a
subscriber will deny ownership of the account or of the
communications at issue. And a third is that there are also
those who would violate the law may be tempted to destroy
rather than hand over evidence to the government. So those are
a couple of reasons why going to a subscriber directly does not
solve the problem.
And perhaps a couple of examples would point this out. For
instance, in a civil civil rights investigation, if a landlord
sends racially harassing texts to tenants and the tenants
delete them because they recoil and their first instinct is to
get them off their phone, and the landlord denies having sent
those e-mails and denies ownership of the account, the Stored
Communications Act is going to govern whether the government
can get those e-mails.
In the False Claims Act context, when the civil division is
seeking information about a fraud perpetrated on the government
and wants to get e-mails that it has reason to believe exist
that show the fraud was perpetrated but the corporation says we
do not actually use e-mail for business purposes, the Stored
Communications Act is going to govern that as well.
So I could provide additional examples, but those are the
sorts of ways in which civil investigations and suits would be
impacted.
Ms. Chu. Well, for e-mail in transit, you have to have a
warrant. For e-mail in storage, you have to have a warrant. For
e-mail in remote storage stored for 180 days or less, you have
to have a warrant. So do you not have to have probable cause
anyway?
Ms. Tyrangiel. So the laws of ECPA are somewhat complicated
on this point. That is, with respect to e-mail that is older
than 180 days and opened or unopened, a subpoena under ECPA
would suffice. With respect to e-mail that is unopened and
younger than 180 days, you would need a warrant, and with e-
mail that is opened and younger than 180 days, ECPA provides
for a subpoena.
Now, there is case law that is layered on top of that, but
there are different rules that apply in different scenarios.
And one of the things that we have said in our written
testimony is we recognize that these 180-day rules and the
opened/unopened distinctions have not kept pace with the way
technology is used today.
Ms. Chu. Yes, but my point is you have had to prove
probable cause for these other cases that are 180 days or less.
Ms. Tyrangiel. So in a small category of cases under ECPA,
there is currently a warrant requirement, but in a larger
category of cases under ECPA, there is the subpoena
requirement.
If your question is how, after Warshak, the Department is
operating, the answer in part is that civil components are
already feeling this harm, and it is harmful.
Ms. Chu. Well, do you have a solution to deal with this
disparity between the civil and criminal investigations?
Ms. Tyrangiel. So we are asking that Congress--or
suggesting that Congress could consider formulating a
contingency to ensure that civil regulators and litigators can
do their work effectively. We do not have a specific proposal
on that here today, but we are eager to discuss that further
with you as you move forward.
Ms. Chu. And, Mr. Salgado, do you have a sense for how many
requests received by Google are from civil investigators?
Mr. Salgado. Chairwoman, we do not have a specific breakout
for those types of requests. I can tell you that Google would
not honor subpoenas for the production of content from
government agencies, civil or criminal. Our understanding is
that the civil agencies get the content through other means,
more precisely through the customer directly, after subpoenaing
Google to identify who the subscriber is.
Mr. Sensenbrenner. The gentlewoman's time has expired.
The gentleman from Texas, Mr. Gohmert.
Mr. Gohmert. Thank you, Mr. Chairman.
Thank you to the witnesses. Professor Kerr, nice to see you
back.
Mr. Salgado, I was curious. Does Google not sell
information acquired from e-mails to different vendors so that
they can target certain individuals with their promotions?
Mr. Salgado. Mr. Congressman, no, we do not sell e-mail
content. We do have a system, similar to the system we use for
scanning for spam and malware, that can identify what type of
ads are most relevant to serve on e-mail messages. It is an
automated process. There is no human interaction, and certainly
the e-mail is not sold to anybody or disclosed.
Mr. Gohmert. So how do these other vendors get our e-mail
and think that we may be interested in the products they are
selling?
Mr. Salgado. They do not actually get your e-mail. What
they are able to do is, through our advertising business, be
able to identify key words that they would like to trigger the
display of one of their ads, but they do not get information
about who the user is or----
Mr. Gohmert. Okay. Well, that brings me back. So they get
information about key words in our e-mails that they use to
decide who to send promotions to, albeit it automatically done.
Correct?
Mr. Salgado. The e-mail context is used to identify what
ads are going to be most relevant to the user.
Mr. Gohmert. Do they pay for the right or the contractual
ability to target those individuals that use those key words?
Mr. Salgado. I might phrase that slightly differently, but
the gist is correct, that advertisers are able to bid for the
placement of advertisements to users who our system has
detected might be interested in the advertisement.
Mr. Gohmert. Okay. So what would prevent the Federal
Government from making a deal with Google so they could also
scroogle people and saying I want to know everyone who has ever
used the term ``Benghazi'' or I want everyone who has ever used
a certain term? Would you discriminate against the government
or would you allow the government to know about all e-mails
that included those words?
Mr. Salgado. Sir, I think those are apples and oranges. I
think the disclosure of the identity----
Mr. Gohmert. Well, I am not asking for a fruit comparison.
I am just asking would you be willing to make that deal with
the government, the same one you do with private advertisers,
so that the government would know which e-mails are using which
words.
Mr. Salgado. Thank you, sir. I meant by that that it is not
the same deal that is being suggested there. We certainly would
not----
Mr. Gohmert. But I am asking specifically if the same type
of deal could be made by the Federal Government, heck, the same
Government that will make a commercial and pay for it to air
overseas saying we had nothing to do with the video, which we
know now had nothing to do with Benghazi, but if that same
government will spend tens of thousands of dollars to do a
commercial, they might under some harebrained idea like the
idea of cutting a deal with Google to get all the addresses,
all the e-mail addresses that use certain words. Could they not
make that same kind of deal that private advertisers do?
Mr. Salgado. We would not honor a request from the
Government for such a----
Mr. Gohmert. So you would discriminate against the
Government if they tried to do what your private advertisers
do.
Mr. Salgado. I do not think that that describes what
private advertisers----
Mr. Gohmert. All right. Does anybody here have any--
obviously, you are doing a good job protecting your employer.
But does anybody have any proposed legislation that would
assist us in what we are doing?
I see my time is running out. I would be very interested in
any phrase, any clauses, any items that we might add to
legislation or take from existing legislation to help us deal
with this problem because I am very interested and very
concerned about our privacy in our e-mail.
Mr. Sensenbrenner. If the gentleman will yield, I am sure
as this debate goes on, we will be getting a lot of advice from
a lot of different sources, some of which will be trying to
twist the law in favor of somebody or another. So stay tuned.
Mr. Gohmert. And just so that the simpletons that sometimes
write for Huffington Post understand, I do not want the
Government having all that information.
Thank you. I yield back.
Mr. Sensenbrenner. With a point of personal privilege, my
son writes for the Huffington Post. [Laughter.]
Mr. Gohmert. Well, then maybe he is not one of the
simpletons I was referring to.
Mr. Sensenbrenner. He does have a Ph.D.
The gentlewoman from California, Ms. Bass.
Ms. Bass. Thank you, Mr. Chair.
I wanted to ask a couple of questions, one of Mr. Salgado
from Google. You said that the criminal cases that are
investigated have doubled the requests, and I was wondering if
you could give me some examples of the type of cases and then
also why do you believe that the numbers have doubled.
Mr. Salgado. Thank you, Congresswoman.
The types of cases that we see come in in the form of legal
process are a huge variety of cases. Certainly the cases you
would be very familiar with, you might have seen press reports
on, those types of cases are very common, kidnapping cases,
child exploitation, fraud cases. You could almost open up title
18 of the U.S. Code and walk through it, and at some point in
the history of Google, there will have been some request about
one of those crimes charged there.
I must say that the legal process we receive very rarely
describes the case that is under investigation. So on your
average legal process, we do not actually know what the crime
is that is under investigation.
As to the second part of the question as to why we might
have seen such an increase, it is a little bit speculative. I
think part of that, though, is likely the result of the fact
that our user base has grown, and as a necessary sort of result
of that or inevitable result of that, there is going to be some
more accounts that are used or have evidence relating to
criminal conduct.
Ms. Bass. Thank you. I appreciate this.
And this might be for you or it also might be for Ms.
Tyrangiel. You know, there is the Web site Backpage, and
Backpage everybody knows is involved in sex trafficking and
especially sex trafficking of minors. And I wanted to know how
we can get at that. So, for example, if anybody monitors
Backpage, there are e-mails that go back and forth requesting
the services of the females that are advertised there, and what
role can the Justice Department have in terms of trying to shut
that down where you know it is taking place. And I do not know
if the Federal Government routinely investigates that or what.
I know that Craigslist used to do the same type of advertising
and they stopped after public pressure, but because of First
Amendment rights, of course, it is difficult to shut it down.
But when we know that there is criminal behavior taking place
and it is on display.
Ms. Tyrangiel. Thank you for that question.
I am not sufficiently versed with the specific facts of
Backpage to answer to that circumstance with particularity, and
if there were an ongoing investigation, I would not be able to
speak about it in any event.
But I can tell you with respect to sex trafficking and
other sorts of crimes that the Government is investigating and
trying to learn more about, the Government depends not only on
the kind of content that we have been talking about here today,
but also non-content information that forms the building blocks
of investigations. And part of why ECPA is so important and
part of why all the reform efforts should take into account not
only privacy but also government needs and its law enforcement
needs is because it is used with such breadth and it is used
for non-content, it is used for content, it is used for civil
cases, it is used for criminal cases and then within those
categories for a wide variety of things.
Ms. Bass. What do you mean by non-content?
Ms. Tyrangiel. Non-content can range all the way from basic
subscriber information and things like that to information
about the way people use--sort of the traffic that they use.
And there are different standards that apply to different kinds
of non-content. But these are the sorts of things that can form
the building blocks of investigations that allow us to focus on
the right people, that allow us to free others from suspicion,
and then allow us to build to probable cause to a place where
we can go get a search warrant or where we can make an arrest.
Ms. Bass. One of my concerns about the females or the
girls, I should say, because they are not adults is that many
of them are in the child welfare system. And so that means
technically the government has removed them from a home which
means we are in charge. And so I am wondering if there is any
coordination between the Federal Government and--well, DOJ
rather and child welfare departments.
Ms. Tyrangiel. Certainly I am aware of coordination that
occurs between Federal law enforcement and State jurisdictional
enforcement so that they are talking to each other. So I think
there is some coordination going on with respect to that.
Whether there is direct communication between the Federal
authorities and the child welfare authorities I cannot speak
to, but I am happy to try and find out more and get back to
you.
Mr. Sensenbrenner. The gentlewoman's time has expired.
The Chair will recognize himself for a final series of
questions.
Let me say that to amend ECPA, we are going to need to have
a balancing act, which means that neither law enforcement nor
the service community are going to get everything they want. I
would say let me admonish you and others who may be in the
audience that trying to do a balancing act to come up with
something that protects the privacy of Americans, as well as
allows law enforcement to do their job, particularly against
people who use the Internet for criminal purposes, is going to
be kind of a tough nut to crack. We tried it in the last
Congress, and we were not able to get the ball over the goal
line.
Let me say that I think the different standards between a
warrant and a subpoena is outdated and probably
unconstitutional. And I think we are going to have to require a
warrant with probable cause on most of the stuff that you can
get from a subpoena, at least in criminal investigations, maybe
not so in the civil ones, but at least in the criminal
investigations.
I also think that 180 days is too short to require the
retention of material. And I would like to ask you both, Ms.
Tyrangiel and Mr. Littlehale, what time do you think we ought
to have in terms of requiring a service provider or somebody
who stores e-mails in the cloud to retain that material? And I
recognize that this will just be an arbitrary time just like
the 180 days is.
Ms. Tyrangiel. Well, I will start by saying that data
retention is a very complicated and tricky issue. It is not
something----
Mr. Sensenbrenner. Believe me, we know that. [Laughter.]
Ms. Tyrangiel. And certainly law enforcement's ability to
get data is very important.
The 180-day rule, I might also comment, has frankly in ECPA
to do with sort of the ability to use----
Mr. Sensenbrenner. Can you just give me a time period? At
least we know what we are talking about then.
Ms. Tyrangiel. I cannot today, but we are eager to discuss
with you and understand that part----
Mr. Sensenbrenner. I am sorry that you cannot today.
Mr. Littlehale.
Mr. Littlehale. Let me suggest, Mr. Chairman, that the
answer to that question is linked to service provider
timeliness because in many instances in these cases, for
example, in the commercial and sexual exploitation of children
case that we were just discussing, there are many layers of
service providers that we have to jump through to identify that
child victim. And so if I know that I am going to get those
responses back in 7 days each time or in 3 days each time, then
I do not need the records retained as long because I might not
know, until I get two or three layers of subpoena responses or
search warrant responses back, where I need to send a
preservation request. If, however, those times are allowed to
continue to be a month or 2 months, then my answer would be 6
months or a year in many cases because it might take us that
long to get to the records we need.
Mr. Sensenbrenner. Okay.
Now, I have a question for Ms. Tyrangiel. The Fourth
Amendment recognizes emergency exceptions. Why does DOJ not
have a position on looking at or defining the life or limb
exception? I think that it would be very advisable to codify
that so you do not have a multitude of different court
decisions on what is life or limb and what is not.
Ms. Tyrangiel. I am certainly happy to engage with the
Subcommittee and with Congress to talk about that area and any
others that the Committee would like to explore, certainly an
important exception and one that the government, both at the
Federal and State and local level, makes use of.
Mr. Sensenbrenner. Well, you know, let me express my
discomfort that you do not seem to have any answers to
questions that have been asked, and it is not just by me but by
other Members of the Subcommittee. And this really should not
be any surprise to you that the questions were coming because
this is not a new issue. This is not the first hearing that a
congressional committee has had on the subject of modernizing
ECPA. And I would hope that the Justice Department, when they
come back next time to talk about this subject, can anticipate
the questions and have an answer. You know, I can say that if
this were a trial, there would be a lot of people that would
not be happy about the counsel at the trial being as ill-
prepared as you have been.
So with that admonition, let me say, without objection,
this hearing is adjourned.
[Whereupon, at 11:21 a.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
�