[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]









                           EMAIL PRIVACY ACT

=======================================================================

                                HEARING

                               BEFORE THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                                   ON

                                H.R. 699

                               __________

                            DECEMBER 1, 2015

                               __________

                           Serial No. 114-53

                               __________

         Printed for the use of the Committee on the Judiciary








      Available via the World Wide Web: http://judiciary.house.gov
      
                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

97-726 PDF                     WASHINGTON : 2016 
      
      
      
      
      
      
      
      
      
      
                       COMMITTEE ON THE JUDICIARY

                   BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        JERROLD NADLER, New York
LAMAR S. SMITH, Texas                ZOE LOFGREN, California
STEVE CHABOT, Ohio                   SHEILA JACKSON LEE, Texas
DARRELL E. ISSA, California          STEVE COHEN, Tennessee
J. RANDY FORBES, Virginia            HENRY C. ``HANK'' JOHNSON, Jr.,
STEVE KING, Iowa                       Georgia
TRENT FRANKS, Arizona                PEDRO R. PIERLUISI, Puerto Rico
LOUIE GOHMERT, Texas                 JUDY CHU, California
JIM JORDAN, Ohio                     TED DEUTCH, Florida
TED POE, Texas                       LUIS V. GUTIERREZ, Illinois
JASON CHAFFETZ, Utah                 KAREN BASS, California
TOM MARINO, Pennsylvania             CEDRIC RICHMOND, Louisiana
TREY GOWDY, South Carolina           SUZAN DelBENE, Washington
RAUL LABRADOR, Idaho                 HAKEEM JEFFRIES, New York
BLAKE FARENTHOLD, Texas              DAVID N. CICILLINE, Rhode Island
DOUG COLLINS, Georgia                SCOTT PETERS, California
RON DeSANTIS, Florida
MIMI WALTERS, California
KEN BUCK, Colorado
JOHN RATCLIFFE, Texas
DAVE TROTT, Michigan
MIKE BISHOP, Michigan

           Shelley Husband, Chief of Staff & General Counsel
        Perry Apelbaum, Minority Staff Director & Chief Counsel
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
        
                            C O N T E N T S

                              ----------                              

                            DECEMBER 1, 2015

                                                                   Page

                                THE BILL

H.R. 699, the ``Email Privacy Act''..............................     2

                           OPENING STATEMENTS

The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Committee on the Judiciary     1
The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, and Ranking Member, Committee on 
  the Judiciary..................................................    20

                               WITNESSES

Andrew Ceresney, Director, Division of Enforcement, United States 
  Securities and Exchange Commission
  Oral Testimony.................................................    23
  Prepared Statement.............................................    25
Steven H. Cook, President, National Association of Assistant 
  United States Attorneys
  Oral Testimony.................................................    31
  Prepared Statement.............................................    33
Richard Littlehale, Assistant Special Agent in Charge, Tennessee 
  Bureau of Investigation
  Oral Testimony.................................................    47
  Prepared Statement.............................................    49
Chris Calabrese, Vice President, Policy, Center for Democracy and 
  Technology
  Oral Testimony.................................................    58
  Prepared Statement.............................................    60
Richard Salgado, Director, Law Enforcement and Information 
  Security, Google Inc.
  Oral Testimony.................................................    75
  Prepared Statement.............................................    77
Paul Rosenzweig, Visiting Fellow, The Heritage Foundation, 
  Founder, Red Branch Consulting
  Oral Testimony.................................................    89
  Prepared Statement.............................................    91

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Prepared Statement of the Honorable Jared Polis, a Representative 
  in Congress from the State of Colorado, submitted by the 
  Honorable John Conyers, Jr., a Representative in Congress from 
  the State of Michigan, and Ranking Member, Committee on the 
  Judiciary......................................................   102

                                APPENDIX
               Material Submitted for the Hearing Record

Prepared Statement of the Honorable Doug Collins, a 
  Representative in Congress from the State of Georgia, and 
  Member, Committee on the Judiciary.............................   129
Prepared Statement of the Honorable Sheila Jackson Lee, a 
  Representative in Congress from the State of Texas, and Member, 
  Committee on the Judiciary.....................................   131
Prepared Statement of the Honorable Kevin Yoder, a Representative 
  in Congress from the State of Kansas...........................   133
Letter from the Honorable Brad R. Wenstrup, a Representative in 
  Congress from the State of Ohio................................   136
                       OFFICIAL HEARING RECORD
          Unprinted Material Submitted for the Hearing Record

Material submitted by the Honorable Bob Goodlatte, a Representative in 
    Congress from the State of Virginia, and Chairman, Committee on the 
    Judiciary. This material is available at the Committee and can also 
    be accessed at:

    http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=104232.

 
                           EMAIL PRIVACY ACT

                              ----------                              


                       TUESDAY, DECEMBER 1, 2015

                        House of Representatives

                       Committee on the Judiciary

                            Washington, DC.

    The Committee met, pursuant to call, at 10:12 a.m., in room 
2141, Rayburn House Office Building, the Honorable Bob 
Goodlatte (Chairman of the Committee) presiding.
    Present: Representatives Goodlatte, Sensenbrenner, Chabot, 
Issa, King, Gohmert, Jordan, Poe, Chaffetz, Marino, Gowdy, 
Collins, DeSantis, Walters, Buck, Ratcliffe, Trott, Bishop, 
Conyers, Nadler, Lofgren, Jackson Lee, Johnson, Chu, DelBene, 
Jeffries, and Cicilline.
    Staff Present: (Majority) Shelley Husband, Chief of Staff & 
General Counsel; Branden Ritchie, Deputy Staff Director & Chief 
Counsel; Allison Halataei, Parliamentarian & General Counsel; 
Kelsey Williams, Clerk; Caroline Lynch, Chief Counsel, 
Subcommittee on Crime, Terrorism, Homeland Security, and 
Investigations; (Minority) Perry Apelbaum, Staff Director & 
Chief Counsel; Aaron Hiller, Chief Oversight Counsel; Joe 
Graupensperger, Chief Counsel, Subcommittee on Crime, 
Terrorism, Homeland Security, and Investigations; Tiffany 
Joslyn, Deputy Chief Counsel, Crime, Terrorism, Homeland 
Security, and Investigations; and Veronica Eligan, Professional 
Staff Member.
    Mr. Goodlatte. Good morning. The Judiciary Committee will 
come to order, and without objection, the Chair is authorized 
to declare recesses of the Committee at any time. We welcome 
everyone to this morning's legislative hearing on H.R. 699, the 
``Email Privacy Act,'' and I'll begin by recognizing myself for 
an opening statement.
    [The bill, H.R. 699, follows:]
    
    
    
    
    
                               __________
    Mr. Goodlatte. Today's hearing examines H.R. 699, the 
``Email Privacy Act,'' and the need to modernize the Electronic 
Communications Privacy Act, or ECPA. In enacting ECPA nearly 30 
years ago, Congress declared that the law's purpose was to 
achieve a fair balance between the privacy expectations of 
American citizens and the legitimate needs of law enforcement 
agencies. Reforming this decades old outdated law has been a 
priority for me as Chairman of this Committee, and I've been 
working with Members of Congress, advocacy groups, and law 
enforcement for years on many complicated nuances involved in 
updating this law.
    I am pleased to now hold this important hearing to examine 
the leading reform proposal in the House, H.R. 699, and to 
examine in more detail the nuances Congress must consider in 
updating this law. While technology has undoubtedly outpaced 
the law in the last three decades, the purpose of the law 
remains steadfast. I am confident that Congress will once again 
strike that balance and do so in a way that continues to 
promote the development and use of new technologies and 
services, and create a statutory framework that will modernize 
the law to reflect how people communicate with one another 
today and in the future.
    ECPA reform has broad sweeping implications. ECPA, and more 
specifically, the Stored Communications Act, governs Federal, 
State, and local government access to stored email, account 
records, and subscriber information from telephone, email, and 
other service providers. ECPA not only applies when law 
enforcement seeks information in a criminal investigation, but 
also in civil investigations and for public safety emergencies.
    H.R. 699, at its core, establishes for the first time, in 
Federal statute, a uniform warrant requirement for stored 
communications content in criminal investigations, regardless 
of the type of service provider, the age of an email, or 
whether the email has been opened. I support the core of H.R. 
699, which would establish a standard that embodies the 
principles of the Fourth Amendment and reaffirms our commitment 
to protecting the privacy interests of the American people.
    However, our adherence to the Fourth Amendment should not 
end there. Congress can ensure that we are furthering the 
legitimate needs of law enforcement through ECPA reform by 
joining with the warrant requirement recognized exceptions and 
procedures designed to further the legitimate needs of law 
enforcement. One of the goals of this legislation is to treat 
searches in the virtual world and the physical world equally, 
so it makes sense that the exceptions to the warrant 
requirement and the procedures governing service of warrants 
should also be harmonized.
    It is well settled law that the government may conduct a 
search in the absence of a warrant in certain instances, 
including when the government determines that an emergency 
exists requiring the search, or when the government obtains the 
consent of the owner of the information. The Stored 
Communications Act, however, created a framework unique to the 
electronic world in which even in an emergency or with a 
consent of the customer, disclosure of email content or even 
noncontent records is voluntary at the discretion of the 
provider. It is also well established law that a search warrant 
must be served at the place where the search or seizure occurs.
    For 3 decades, ECPA warrants have been executed with the 
provider because, as with any other third-party custodian, the 
information sought is stored with them. H.R. 699 would now 
require the government to also serve the warrant directly on 
the criminal suspect, a proposal which has raised serious 
public safety and operational concerns across the law 
enforcement community.
    Congress should also continue to ensure that civil 
investigative agencies are able to obtain electronic 
communication information for civil violations of Federal law. 
Courts have routinely held that subpoenas satisfy the 
reasonableness requirement of the Fourth Amendment. Unlike a 
warrant, which is issued without prior notice, and is executed 
often by force with an unannounced and unanticipated physical 
intrusion, a subpoena commences an adversarial process during 
which the person served with the subpoena may challenge it in 
court before complying with its demands.
    The Stored Communications Act currently authorizes the 
issuance of a subpoena directly to the provider, albeit with a 
requirement that the government notify the customer. But 
Congress can go further to ensure that ECPA satisfies the 
Fourth Amendment by requiring that any civil process authorized 
by the law begin with service of a subpoena directly on the 
customer.
    In this context, the customer is provided notice and the 
opportunity to contest the subpoena. Enforcement of the 
subpoena through a court order issued by a Federal judge that 
protects the rights and privileges of the customer, while 
ensuring that evidence of illegal activity is not insulated 
from investigators, would afford heightened protections beyond 
that which the courts have deemed necessary to comport with the 
Fourth Amendment.
    Congress has enacted laws that impose penalties for certain 
conduct, sometimes criminal penalties and sometimes civil. We 
have established Federal agencies to enforce these laws with 
the tools necessary to carry out that enforcement. Congress 
should ensure that, in its efforts to modernize ECPA, we do not 
eliminate access to evidence of violations of Federal law 
simply because Congress chose to make those violations 
punishable by civil penalties.
    I want to thank our distinguished witnesses for being here 
today, and I look forward to hearing from each of you on H.R. 
699 and how to properly balance the privacy expectations of 
American citizens and the legitimate needs of law enforcement. 
And I look forward to working with all Members on both sides of 
the aisle to modernize the Electronic Communications Privacy 
Act. It is worth noting today that we also plan to hold a 
separate hearing in the future on the issue surrounding law 
enforcement access to information located on servers outside 
the U.S. As with the broader topic of ECPA reform, that is an 
issue with many nuances that we should carefully examine.
    I would now like to ask unanimous consent to enter the 
following items into the record: a statement dated 
December 1, 2015, from the Department of 
Justice; a letter from the Federal Bureau of 
Investigation Agents Association dated November 24, 2015; a 
letter from the National Association of Police 
Organizations dated November 30, 2015; a letter 
from the Association of Prosecuting Attorneys dated November 
24, 2015; a letter from the Virginia Association 
of Commonwealth Attorneys dated July 10, 2015; a 
letter from the Technology Councils of North 
America dated November 30, 2015; a statement 
from Americans for Tax Reform dated December 1, 2015; and a 
coalition letter signed by Tech Freedom and 
other coalition members dated November 30, 2015.*
---------------------------------------------------------------------------
    *Note: The material submitted by Mr. Goodlatte is not printed in 
this hearing record but is on file with the Committee. See also ``For 
the Record Submission--Rep. Goodlatte'' at:

      http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=104232.
    Without objection, the items have been entered into the 
record.
    It's now my pleasure to recognize the Ranking Member of the 
Judiciary Committee, the gentleman from Michigan, Mr. Conyers 
for his opening statement.
    Mr. Conyers. Thank you, Chairman Goodlatte, Members of the 
Committee, and our honored witnesses here for the hearing, and 
those who are in 2141 to participate in the listening of this 
very important measure.
    H.R. 699, the ``Email Privacy Act,'' enjoys, I'm pleased to 
say, the overwhelming bipartisan support in the House. As of 
this morning, the bill has earned 304 cosponsors; 191 
Republicans, 113 Democrats; and 27 Members of the House 
Judiciary Committee.
    Now, what do all of these Members have in common? First of 
all, we agree that the Electronic Communications Privacy Act is 
outdated and provides unjustifiably inconsistent standards for 
government access to our stored communication. This statute 
continues to serve as one of the main guarantees of our digital 
privacy, but the law was designed in 1986, when few of us used 
email, and even fewer imagined a world in which we could so 
freely share information online.
    The consequences of applying a 30-year-old understanding of 
technology to modern communications are inconsistent, at best. 
For example, the law seems to apply different standards for 
government access to the same email at different points in its 
lifecycle, when it's drafted, when it's transmitted, when it's 
opened by its recipient, and when it is archived in the cloud. 
We are not well served by a law whose application is 
unpredictable and that the courts have had great difficulty in 
interpreting. Because of the rapid pace of technological 
change, this situation will only get worse if we do not act.
    Secondly, the sponsors of this bill agree that the 
government should be obligated to show probable cause before it 
can require a provider to disclose the content in its 
customer's mail, no matter how old the message is. This 
standard is consistent with the holding of the Sixth Circuit 
court in the Warshak case in 2010. That case motivated the 
Department of Justice to voluntarily adopt a warrants for email 
standard. It also effectively ended the unconstitutional use of 
subpoenas to compel third parties to produce content in civil 
enforcement actions.
    Current law requires the government to show probable cause 
and obtain a warrant only for email that has been in storage 
for 180 days or less. But the government can use a subpoena 
for the same email if it's stored for 1 day longer. This is no 
longer acceptable to most Americans. As the Sixth Circuit 
rightly observed, citizens have the same reasonable expectation 
of privacy in their email before and after the 180-day mark, 
and as the Department of Justice testified soon thereafter, 
there is no principled basis to treat email less than 180 days 
old differently than email more than 180 days old.
    Thirdly, the sponsors of H.R. 699 all agree that current 
law is not adequate to protect new forms of digital 
communication. Content is content. Our expectation of privacy 
does not diminish merely because Congress didn't think of the 
medium when it last visited the statute. The law should protect 
electronic communications across the board, email, text 
messages, private messages of all sorts, and other forms of 
digital information stored in the cloud.
    Finally, the sponsors of this bill agree that we must act 
without delay. We have an obligation to provide clear standards 
to law enforcement with respect to emerging technologies. We 
should also recognize that American businesses cannot sustain 
these new technologies if consumers cannot trust them.
    As the Committee takes up this bill, we should ensure that 
it does not conflict with the basic notion that the 
government's seizure of our email without a warrant violates 
the Fourth Amendment, but we should note that this principle 
has already taken hold across the Federal Government. The 
Department of Justice already uses warrants for email in 
criminal cases. The government stopped using lesser process in 
the civil context years ago.
    In short, Mr. Chairman and Members, this legislation 
accomplishes two vital tasks. It updates the statute for modern 
use, and it does so without any significant interruption to law 
enforcement. We should all come together on this bill as soon 
as possible, and I want to personally thank the witnesses for 
being with us today and for their testimony, and I urge my 
colleagues to give this measure their full support, and I thank 
the Chairman.
    Mr. Goodlatte. Thank you, Mr. Conyers. And before we swear 
in the witnesses, I'd like to recognize the presence of the 
chief sponsor of the legislation, the gentleman from Wisconsin, 
Mr. Yoder. Thank you for being with us today. Kansas, Kansas, 
Kansas. The gentleman from Wisconsin says he'll take you.
    We welcome our distinguished witnesses today, and if you 
would all please rise, I'll begin by swearing you in. If you'd 
please raise your right hand.
    Do you and each of you swear that the testimony that you 
are about to give shall be the truth, the whole truth, and 
nothing but the truth, so help you God?
    Thank you very much. You may please be seated, and let the 
record reflect that the witnesses have responded in the 
affirmative.
    Mr. Andrew Ceresney is the director of the enforcement 
division at the United States Securities and Exchange 
Commission, where he has served since 2013. Prior to joining 
the SEC, Mr. Ceresney served as the assistant United States 
Attorney in the U.S. Attorneys Office for the Southern District 
of New York where he was a deputy chief appellate attorney and 
a member of the Securities and Commodities Fraud Task Force in 
the Major Crimes Unit. As a prosecutor, Mr. Ceresney handled 
numerous white-collar criminal investigations, trial and 
appeals, including matters related to securities fraud, mail 
and wire fraud, and money laundering. He is a graduate of 
Columbia College and Yale law school.
    Mr. Steven Cook is president of the National Association of 
Assistant U.S. Attorneys. He currently serves as the chief of 
staff of the criminal division of the U.S. Attorney's Office 
for the Eastern District of Tennessee. He has been an assistant 
U.S. Attorney for 29 years. In this capacity, he has worked in 
the Organized Crime Drug Enforcement Task Force and the General 
Crimes Section where he handled white-collar crime, fraud, and 
public corruption. He also served as the deputy criminal chief 
in the narcotics and violent crime section. Prior to joining 
the U.S. Attorney's Office, Mr. Cook was a police officer for 7 
years in Knoxville, Tennessee. He earned a JD from the 
University of Tennessee.
    Mr. Richard Littlehale is the assistant special agent in 
charge at the Tennessee Bureau of Investigation. In addition to 
his duties as an investigative supervisor, Mr. Littlehale 
serves as an advisor and trainer in criminal law and procedure, 
as well as the Bureau's chief firearms instructor. Mr. 
Littlehale is a frequent presenter to community organizations 
on ways to protect children online. He is active in engaging 
the legal community on better ways to protect children from 
victimization. Mr. Littlehale received a bachelor's degree from 
Bowdoin College and JD from Vanderbilt University.
    Mr. Chris Calabrese is the vice president for policy at the 
Center for Democracy and Technology where he oversees the 
center's policy portfolio. Before joining CDT, Chris served as 
legislative counsel at the American Civil Liberties Union 
legislative office where he led advocacy efforts relating to 
privacy, new technology, and identification systems. Prior to 
joining the ACLU, Chris served as legal counsel to the 
Massachusetts Senate majority leader. Chris is a graduate of 
Harvard University and holds a JD from the Georgetown 
University Law Center.
    Mr. Richard Salgado is the director of law enforcement and 
information security at Google. Mr. Salgado oversees Google's 
global law enforcement and national security efforts and legal 
matters relating to data, security, and investigations. 
Previously, Mr. Salgado worked with Yahoo and also served as 
senior counsel in the computer crimes section of the U.S. 
Justice Department. As a prosecutor, he specialized in computer 
network crime, such as hacking, wiretaps, denial of service 
attacks, malicious code, and other technology driven privacy 
crimes. In 2005, he joined Stanford law school as a legal 
lecturer on computer crime, Internet business legal and policy 
issues, and modern surveillance law. He received his JD from 
Yale law school.
    Mr. Paul Rosenzweig is the founder of Red Branch 
Consulting, a homeland security consulting company and a senior 
advisor to the Chertoff Group. Mr. Rosenzweig formerly served 
as deputy assistant secretary for policy in the Department of 
Homeland Security. He is a distinguished visiting fellow at the 
Homeland Security Studies and Analysis Institute. He also 
serves as a lecturer in law at George Washington University and 
adjunct professor at the National Defense University, a senior 
editor of the Journal of National Security Law and Policy, and 
is a visiting fellow at the Heritage Foundation. He earned a 
bachelor's degree from Haverford College, a master's from 
Scripps Institution of Oceanography, and a JD from the 
University of Chicago law school.
    Your written statements will be entered into the record in 
their entirety, and we ask that each of you summarize your 
testimony in 5 minutes. To help you stay within that time, 
there's a timing light on your table. When the light switches 
from green to yellow, you have 1 minute to conclude your 
testimony. When the light turns red, that's it, time's up, and 
it signals that your time has expired.
    Mr. Ceresney, am I pronouncing your name correctly?
    Mr. Ceresney. You are.
    Mr. Goodlatte. Thank you very much, and you may begin.

      TESTIMONY OF ANDREW CERESNEY, DIRECTOR, DIVISION OF 
 ENFORCEMENT, UNITED STATES SECURITIES AND EXCHANGE COMMISSION

    Mr. Ceresney. Good morning, Chairman Goodlatte. Good 
morning, Chairman Goodlatte, Ranking Member Conyers, and 
Members of the Committee. Thank you for inviting me to testify 
today on behalf of the commission concerning Email Privacy Act, 
H.R. 699, pending before your Committee.
    The bill seeks to modernize portions of the Electronic 
Communications Privacy Act, ECPA, which became law in 1986. I 
share the goal of updating ECPA's evidence collection 
procedures and privacy protections to account for the digital 
age, but H.R. 699, in its current form, poses significant risks 
to the American public by impeding the ability of the SEC and 
other civil law enforcement agencies to investigate and uncover 
financial fraud and other unlawful conduct.
    I firmly believe there are ways to update ECPA that offer 
stronger privacy protections and observe constitutional 
boundaries without frustrating the legitimate ends of civil law 
enforcement.
    The SEC's tripartite mission is to protect investors, 
maintain fair, orderly, and efficient markets, and facilitate 
capital formation. The SEC's division of enforcement furthers 
this mission by, among other things, investigating potential 
violations of the Federal securities laws, recommending that 
the commission bring cases against alleged fraudsters and other 
securities law wrongdoers, and litigating the SEC's enforcement 
actions.
    A strong enforcement program is a critical piece of the 
commission's efforts to protect investors from fraudulent 
schemes and promotes investor trust and confidence in the 
integrity of the Nation's securities markets.
    Electronic communications often provide critical evidence 
in our investigations as email and other message content can 
establish timing, knowledge or relationships in certain cases, 
or awareness that certain statements to investors were false or 
misleading. When we conduct an investigation, we generally will 
seek emails and other electronic communications from the key 
actors through an administrative subpoena.
    In some cases the person whose emails are sought will 
respond to our request, but in other cases, the subpoena 
recipient may have erased email, tendered only some emails, 
asserted damaged hardware, or refused to respond. 
Unsurprisingly, individuals who violate the law are often 
reluctant to produce to the government evidence of their own 
misconduct.
    In still other cases, email account holders cannot be 
subpoenaed because they are beyond our jurisdiction. It is at 
this point in the investigation that we may, in some instances, 
need to seek information from an Internet service provider, 
also known as an ISP. The proposed amendment would require 
government entities to procure a criminal warrant when they 
seek the content of emails and other electronic communications 
from ISPs.
    Because the SEC and other civil law enforcement agencies 
cannot obtain criminal warrants, we would effectively not be 
able to gather evidence, including communications such as 
emails directly from an ISP, regardless of the circumstances, 
even in instances where a subscriber deleted his emails, 
related hardware was lost or damaged, or where the subscriber 
fled to another jurisdiction. Depriving the SEC of authority to 
obtain email content from an ISP would also incentivize 
subpoena recipients to be less forthcoming in responding to 
investigatory requests, because an individual who knows that 
the SEC lacks the authority to obtain his emails may thus feel 
free to destroy or not produce them.
    These are not abstract concerns for the SEC, or for the 
investors we are charged with protecting. Among the type of 
scams we investigate are Ponzi schemes and ``pump and dump'' 
market manipulation schemes, as well as insider trading 
activity. In these types of fraud, illegal acts are 
particularly likely to be communicated via personal accounts, 
and parties are more likely to be noncooperative in their 
document productions.
    Technology has evolved since ECPA's passage, and there is 
no question that the law ought to evolve to take account of 
advances in technology and protect privacy interests, even when 
significant law enforcement interests are also implicated. But 
there are various ways to strike an appropriate balance between 
those interests as the Committee considers the best way to 
advance this important legislation.
    Any reform to ECPA can and should afford a party whose 
information is sought from an ISP in a civil investigation an 
opportunity to participate in judicial proceedings before the 
ISP is compelled to produce this information. Indeed, when 
seeking email content from ISPs in the past, the division has 
provided notice to email account holders in keeping with 
longstanding and just recently reaffirmed Supreme Court 
precedent.
    If the legislation were so structured, an individual would 
have the ability to raise with a court any privilege, 
relevancy, or other concerns before the communications are 
provided by an ISP, while civil law enforcement would still 
maintain a limited avenue to access existing electronic 
communications in appropriate circumstances from ISPs. Such a 
judicial proceeding would offer even greater protection to 
subscribers than a criminal warrant in which subscribers 
receive no opportunity to be heard before communications are 
provided.
    We look forward to discussing with the Committee ways to 
modernize ECPA without putting investors at risk, and impairing 
the SEC from enforcing the Federal securities laws. I'm happy 
to answer any questions you may have.
    [The prepared statement of Mr. Ceresney follows:]
    
    
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
    
    
                               __________
                               
    Mr. Goodlatte. Thank you. Mr. Cook, welcome.

TESTIMONY OF STEVEN H. COOK, PRESIDENT, NATIONAL ASSOCIATION OF 
               ASSISTANT UNITED STATES ATTORNEYS

    Mr. Cook. Chairman Goodlatte, Ranking Member Conyers, and 
Members of the Committee, first of all, thank you very much for 
giving me the opportunity to address you and to give you the 
perspective of career prosecutors with respect to H.R. 699.
    And let me get right to it. The importance of the Stored 
Communications Act, or SCA, to the law enforcement community 
simply cannot be overstated. At issue are records of contact 
and communication by Internet and cell service providers. To 
understand the importance of these records to the law 
enforcement world, I'd ask you to pause and think for a minute 
about how these powerful resources are being used in the 
criminal world.
    Child predators troll the Internet 24/7 for children to 
lure them away from their parents and their homes. Purveyors of 
child pornography often, with graphic pictures of children, 
sometimes infants being sexually molested, sell those images 
electronically across the Internet. Terrorists boast of their 
horrific crimes posting pictures of those online, and 
international drug dealers, gangs, and others involved in 
organized crime communicate effectively with coconspirators 
through email and texts.
    When you realize how pervasive this technology is in the 
criminal world, you quickly realize that the evidence covered 
by the SCA, or the Stored Communications Act, is central to our 
ability to solve virtually every type of crime. And our ability 
to access this information covered by the SCA and to access it 
quickly, can literally mean the difference between life and 
death. It can mean the difference between recovering a child 
alive and returning her to her parents, instead of the child 
being a victim of a vicious predator determined to commit 
unspeakable crimes.
    And even beyond the critical role of stopping violent 
crimes in progress and rescuing victims, evidence covered by 
the Stored Communications Act is often central to the search 
for truth in our courts and our ability to bring those most 
dangerous in our community to justice.
    But here are the problems with ECPA, and both the opening 
statements by the Chair and Ranking Member recognize this, ECPA 
and the Stored Communications Act were enacted in 1986. That 
was before much of this technology was in use, before any of us 
had any idea of its capabilities. And to continue to use a 
statutory framework with definitions that were enacted before 
any of this technology was known is just simply not workable. 
It does not fit.
    That brings me back to H.R. 699. The primary goal of this 
bill seems to be to codify, correctly we would submit, Warshak 
and the extension of the Fourth Amendment protections to email 
in storage, and text in storage over 180 days. This is an issue 
on which we can all agree, but the bill goes farther. It goes 
much farther, and we respectfully submit, demonstrates a need 
for a comprehensive, not piecemeal reform. In my written 
testimony, I have addressed a number, but by far, not all of 
the concerns that we have.
    I'd like to highlight two places where this bill creates or 
perpetuates limitations on law enforcement that far exceed 
those imposed, far exceed those imposed anywhere else in the 
law, burdens greater than those related to the search of a 
home, burdens greater than those related to the search of a 
body cavity.
    While the Email Privacy Act expands Fourth Amendment 
protections and imposes a warrant requirement to compel 
disclosure of stored email or text, the statute does not 
recognize any of the well-established exceptions to the warrant 
requirement that would be applicable in every other 
circumstance. I know of no other area of the law where this is 
the case.
    Second, the Email Privacy Act also imposes notice 
requirements unlike those found anywhere else in the law. The 
government has long been required to serve a copy of the search 
warrant on the person at the property being searched, and that 
requirement makes sense. It demonstrates to the homeowner or 
the business operator the authority for the search, and that 
homeowner or property owner is then free, in the usual course, 
to tell whoever they wish about it.
    But the government has never been required and the law has 
never required the government to reach out to third parties and 
notify them of the search. It's not a discovery provision 
designed to alert those who are under criminal investigation of 
the ongoing investigation. And although there are specific, in 
fact, two-and-a-half pages of rules that would control when 
that can be extended, this simply is a rule that has never been 
imposed in any other context.
    In conclusion, I'd just like to say that criminals have, 
and we have seen that they have unlimited access to these 
modern and powerful resources, and they make full use of them. 
For us on the law enforcement side to do our job, access to 
this information is critical. Information covered by the SCA 
has to be accessible to us.
    That access, we respectfully recognize, of course, should 
be consistent with the privacy protections afforded by the 
Constitution, but Congress should not, as this bill proposes, 
impose new unprecedented and unwarranted limitations that will 
tie our hands in doing our jobs. Thank you.
    [The prepared statement of Mr. Cook follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
      
                               __________
                               
    Mr. Goodlatte. Thank you, Mr. Cook.
    Mr. Littlehale, welcome.

  TESTIMONY OF RICHARD LITTLEHALE, ASSISTANT SPECIAL AGENT IN 
           CHARGE, TENNESSEE BUREAU OF INVESTIGATION

    Mr. Littlehale. Chairman Goodlatte, Ranking Member Conyers, 
Members of the Committee, thank you for inviting me to testify. 
I'm a technical investigator in Tennessee, and I serve on the 
technology committee of the Association of State Criminal 
Investigative Agencies. As you know, State and local law 
enforcement agencies work the vast majority of criminal 
investigations in this country. Lawful access to electronic 
evidence is critical for us in those cases every day, and H.R. 
699, in its current form, does not sufficiently protect that 
access.
    To give you some sense of the volume of potential 
electronic evidence in our cases, consider a stranger abduction 
of a 4-day-old infant in Nashville. Over the course of an 
intensive 4-day investigation, my unit processed and explored 
leads on hundreds of telephone numbers, social media accounts, 
computers, and mobile devices. At a time when every second 
counts, my fellow agents and I spend a significant amount of 
time simply trying to make contact with various providers to 
declare an emergency, calling and recalling to make sure that 
our process was received and expedited. We had to process 
hundreds of leads, any one of which could have been the key to 
finding the victim.
    Volume alone isn't the only issue. We must also contend 
with a lack of structure governing responsiveness. In another 
Amber alert investigation, we received a lead that the creator 
of a posting on a social media platform may have information 
about the child's location. When we contacted the provider, 
they noted that ECPA's emergency provision is permissive rather 
than mandatory and demanded legal process before they turn over 
the records.
    We know H.R. 699 has a great deal of support, but we 
believe much of that support is based on only one part of the 
bill, creating a uniform probable cause standard for stored 
content. Advocates for ECPA reform argue that the contents of 
an email or document stored in the cloud should be subject to 
the same protections as a letter in your desk drawer at home. 
H.R. 699 would do that, but it goes farther to create an 
enhanced statutory framework of proof standards, notice 
requirements, and expanded definitions of covered records 
that would give greater protection for records stored by 
third-party service providers than for that envelope in your 
desk. And it would do this without extending any of the tools 
that law enforcement can use to obtain evidence in the physical 
world after we demonstrate probable cause to a neutral 
magistrate and get a warrant, like law enforcement controlled 
warrant exceptions and warrant execution timelines.
    Bringing ECPA into balance should put the physical and 
digital worlds on the same plane, not favor digital evidence 
over physical evidence. H.R. 699 should be amended to reflect a 
more balanced approach that protects privacy and ensures that 
law enforcement can access the evidence it needs, and when we 
get a warrant, it should behave like a warrant not a subpoena 
with a higher proof requirement.
    Demonstrating probable cause to a neutral magistrate should 
allow us to gather evidence with the same timeliness and 
effectiveness that we would expect in the real world.
    The notice provisions in the bill would require us to 
describe our case to targets of a criminal investigation, even 
as we're pursuing leads. That endangers investigations. We also 
urge the Committee to carefully balance the need for 
notification against the resource burden it places on us. Time 
spent complying with arbitrary timelines means less time 
investigating crimes and could compromise sensitive 
information.
    I urge you to ensure that whatever standard of proof you 
decide is appropriate, you also ensure that law enforcement can 
access the evidence we need reliably and quickly. Speed is 
important in all investigations, and ECPA reform should impose 
structure on service providers' response to legal demands. A 
requirement for automated exchange of legal process and records 
with service providers would help speed access to evidence, 
provide transparency, and authenticate law enforcement process.
    Warrants under ECPA should look like warrants everywhere 
else. That means that standard exceptions to the warrant 
requirement like exigency and consent should exist, and law 
enforcement should control whether or not they are invoked, 
just like we can do when executing warrants in the physical 
world. Everybody agrees that law enforcement should have rapid 
access to communications evidence in a life-threatening 
emergency, but that is not always the reality.
    Industry and privacy groups suggest that some law 
enforcement emergency declarations are unfounded, but those are 
unreviewed unilateral determinations. Isn't law enforcement on 
the ground in the best position to assess the presence or 
absence of defensible exigency in a particular case? We already 
do it in other contexts all the time, and there is an existing 
body of case law in the courts to determine whether or not we 
are correct.
    In closing, I want to re-emphasize how important both 
aspects of ECPA are to our Nation's criminal investigators. We 
agree that ECPA should be updated, but any effort to reform it 
should reflect its original balance between assuring law 
enforcement access to evidence through legal demands and 
protecting customer privacy.
    The balance proposed by H.R. 699 goes too far in extending 
all the burdens of the traditional search warrant scheme to a 
much broader range of records without any of the common law 
exceptions, while requiring us to give unprecedented notice to 
investigative targets just because the evidence we're seeking 
is electronic.
    Thank you for having me here today, and I look forward to 
your questions.
    [The prepared statement of Mr. Littlehale follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    
                               __________
                               
                               
    Mr. Goodlatte. Thank you.
    Mr. Calabrese, I think maybe I have your pronunciation 
correct now. Is that right?
    Mr. Calabrese. You actually were right the first time. It's 
Calabrese, but I'll take it however you give it. Thank you.
    Mr. Goodlatte. Thank you. I'm on a losing streak here, but 
go ahead.

         TESTIMONY OF CHRIS CALABRESE, VICE PRESIDENT, 
          POLICY, CENTER FOR DEMOCRACY AND TECHNOLOGY

    Mr. Calabrese. Well, thank you, Mr. Chairman, for having me 
testify. That's the thing we appreciate the most.
    Ranking Member Conyers, Members of the Committee, thank you 
for the opportunity to testify on behalf of the Center for 
Democracy and Technology. CDT is a nonpartisan advocacy 
organization dedicated to protecting privacy, free speech, and 
innovation online. We applaud the Committee for holding a 
hearing on the Electronic Communications Privacy Act, ECPA, and 
urge the Committee to speedily approve H.R. 699, the ``Email 
Privacy Act.''
    When ECPA was passed in 1986, it relied on balancing three 
policy pillars: Individual privacy, the legitimate needs of law 
enforcement, and support for innovation. Changes in technology 
have eroded this balance. The reliance on trusted third parties 
for long-term storage of our communications has left those 
communications with limited statutory protections. This void 
has created legal uncertainty for cloud computing, one of the 
major business innovations of the 21st Century and one at which 
U.S. companies excel.
    At the same time, information accessible to the government 
has increased dramatically from emails and text messages to 
social networking posts and photos. Most, if not all, of this 
information would not have been available in 1986. The 
technology has changed but the law has not, creating a major 
loophole for Americans' privacy protections.
    In the face of this outdated statute, courts have acted, 
recognizing in cases like U.S. v. Warshak that people have a 
reasonable expectation of privacy in email and invalidating key 
parts of ECPA. But that patchwork is not enough on its own. It 
continues to lag behind technological change and harms smaller 
businesses that lack an army of lawyers. It also creates 
uncertainty around new technologies that rely on the use and 
storage of the contents of communications.
    Reform efforts face a concerted assault from civil agencies 
that seek to gain new powers and blow a huge privacy loophole 
in the bill. Agencies have blocked reform in spite of the fact 
that the SEC has confessed to never subpoenaing an ISP post-
Warshak. No less than FBI Director Comey told this Committee 
that in regard to ECPA, a change wouldn't have any effect on 
our practices.
    In fact, new civil agency powers would harm the privacy of 
ordinary citizens. Imagine if the IRS had had these powers back 
from 2010 to 2012 when they were improperly investigating the 
tax status of Tea Party organizations. During that 
investigation, the IRS sent lengthy time-consuming 
questionnaires seeking information on what members were 
reading, their Facebook posts, donor lists, and copies of the 
materials they were disseminating. While the IRS' targeting of 
conservative groups was limited to these lengthy 
questionnaires, their subpoena authority is extremely broad and 
likely could have been used here.
    If the IRS had had the power that the SEC proposal 
recommends be granted to all Federal agencies, they would have 
been able to go beyond gathering information directly from the 
target of the investigation. The IRS would have been able to go 
to court and enforce an order allowing them to go directly to 
the ISP and seek the subject's email. While under the SEC 
proposal, the subject in the investigation would have been able 
to contest that order in court, civil standards are very low, 
and it's clear that the IRS had a very expansive idea of the 
information they could seek. This type of agency overreach is 
exactly why we can't grant agencies unjustified new 
authorities.
    Support for privacy reform is deep and abiding. More than 
100 tech companies, trade associations, and public interest 
groups have signed onto ECPA reform principles. Signatories 
include nearly the entire tech industry, span the political 
spectrum, and represent privacy rights, consumer interests, and 
free market values.
    The Email Privacy Act has more than 300 cosponsors, 
including a majority of Republicans and Democrats. Post-
Warshak, a warrant for content has become the status quo. 
Nonetheless, it is critical for the Committee to approve H.R. 
699 in order to cure a constitutional defect in ECPA, protect 
individual privacy, and assure that new technologies continue 
to enjoy robust constitutional protections. Thank you.
    [The prepared statement of Mr. Calabrese follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
                               __________
                               
                               
                               
    Mr. Goodlatte. Thank you, Mr. Calabrese.
    And Mr. Salgado, welcome.

  TESTIMONY OF RICHARD SALGADO, DIRECTOR, LAW ENFORCEMENT AND 
               INFORMATION SECURITY, GOOGLE INC.

    Mr. Salgado. Chairman Goodlatte, Ranking Member Conyers, 
and Members of the Committee, thank you for the opportunity to 
appear before you today. My name is Richard Salgado. As 
director----
    Mr. Goodlatte. Mr. Salgado, would you pull your microphone 
a little closer to you.
    Mr. Salgado. Sure. Thank you. My name is Richard Salgado. 
I'm director for law enforcement and information security for 
Google. I oversee the company's compliance with government 
requests for users' data, including requests made under the 
Electronic Communications Privacy Act of 1986, otherwise known 
as ECPA.
    In the past, I have worked on ECPA issues as a senior 
counsel in the computer crime and intellectual property section 
in the U.S. Department of Justice. Google strongly supports 
H.R. 699, the ``Email Privacy Act,'' which currently has 304 
cosponsors, more than any other bill currently pending in 
Congress. It's undeniable and it's unsurprising that there is 
strong interest in aligning ECPA with the Fourth Amendment and 
users' reasonable expectation of privacy.
    The original disclosure rules set out in ECPA back in 1986 
were foresighted given the state of technology back then. In 
2015, however, those rules no longer make sense. Users expect, 
as they should, that the documents they store online have the 
same Fourth Amendment protections as they do when the 
government wants to enter the home to seize the documents 
stored in a desk drawer. There is no compelling policy or legal 
rationale for there to be different rules.
    In 2010, the Sixth Circuit opined in United States v. 
Warshak that ECPA violates the Fourth Amendment to the extent 
it does not require law enforcement to obtain a warrant for 
email content. In doing so, the Sixth Circuit effectively 
struck down ECPA's 180-day rule and the distinction between 
opened and unopened emails as irreconcilable with the 
protections afforded by the Fourth Amendment.
    Warshak is effectively the law of the land today. It's 
observed by governmental entities and companies like Google and 
others. In many ways, H.R. 699 is a modest codification of the 
status quo and implementation of the Sixth Circuit's 
conclusions in Warshak.
    Two important developments have occurred since I last 
testified before the House Judiciary Committee in support of 
updating ECPA back in March of 2013, both of which have a 
significant bearing on efforts to update the statute.
    First, the Supreme Court issued a landmark decision in 
Riley versus California where it unanimously held that, 
generally, officers must obtain a warrant before searching the 
contents of a cell phone seized incident to arrest.
    Chief Justice Roberts noted that a regime with various 
exceptions and carve outs would ``contravene our general 
preference to provide clear guidance to law enforcement through 
categorical rules.'' To reinforce the constitutional imperative 
for clear rules in this area, Chief Justice Roberts concluded 
his opinion with unambiguous direction to law enforcement. He 
wrote, ``The fact that technology allows an individual to carry 
such information in his hand does not make the information any 
less worthy of the protection for which the Founders fought. 
Our answer to the question of what police must do before 
searching a cell phone seized incident to arrest is accordingly 
simple, get a warrant.''
    Notably, this Committee is being asked by some today to 
jettison precisely the type of categorical rules that the 
Supreme Court held were imperative in Riley. Doing so would 
undermine the user's reasonable expectations of privacy and 
encroach on core privacy protections afforded by the Fourth 
Amendment. We urge the Committee to reject such pleas.
    Second, many States have enacted bright-line rules to bring 
their State versions of ECPA in line with the Fourth Amendment. 
Hawaii, Texas, and Maine have all done this. In addition, 
earlier this year, the California legislature overwhelmingly 
approved landmark legislation to update California's version of 
ECPA, referred to as Cal-ECPA. Not only does Cal-ECPA require 
the government to obtain a warrant before it can compel third-
party service providers to disclose content, but it also 
extends the warrant requirement to communications metadata and 
data seized that's stored on electronic devices.
    States are appropriately recognizing that the Fourth 
Amendment protections ought to extend to the sensitive data 
that's stored in the cloud. H.R. 699 represents an overdue 
update to ECPA that would ensure electronic communications 
content is treated in a manner commensurate with other papers 
and effects that are protected by the Fourth Amendment. It's 
long past time for Congress to pass a clean version of H.R. 
699.
    Thank you for your time and consideration, and I'd be happy 
to answer any questions you may have.
    [The prepared statement of Mr. Salgado follows:]
    
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    
    
                               __________
                               
                               
                               
                               
    Mr. Goodlatte. Thank you, Mr. Salgado.
    Mr. Rosenzweig, welcome.

  TESTIMONY OF PAUL ROSENZWEIG, VISITING FELLOW, THE HERITAGE 
           FOUNDATION, FOUNDER, RED BRANCH CONSULTING

    Mr. Rosenzweig. Thank you very much, Mr. Chairman, Ranking 
Member Conyers. I appreciate very much the opportunity to come 
before you today to testify about the Email Privacy Act and the 
underlying principles of balancing privacy and law enforcement 
needs that are inherent here.
    As you know, I am a former prosecutor, having spent 12 
years in various roles throughout government. I then became a 
deputy assistant secretary for the Department of Homeland 
Security with significant responsibility for our 
counterterrorism efforts, and today I operate a small 
consulting company, and I serve as a visiting fellow at the 
Heritage Foundation. From this perspective, I am pleased to 
acknowledge that everybody on this panel agrees that a warrant 
requirement for content of email is an appropriate response to 
changing technology.
    It seems to me almost beyond belief that notwithstanding 
the uniform agreement of that principle, we have been unable to 
work out the details of how to implement that as a matter of 
statutory law. To my mind, that principle has its roots not in 
our agreement here, but rather in the longstanding 
understanding of the privacy of one's personal papers and 
effects that goes back to the very foundings of this Nation.
    The most famous case of which was the Wilkes versus Wood 
case. Wilkes was a protestor, much like some of the people in 
America today, whose papers and effects were the subject of a 
general warrant. That search by the Crown at that time was one 
of the most salient effects that drove the Revolutionary 
movement. Likewise, the Writs of Assistance case, which James 
Otis famously lost, unfortunately, in Massachusetts, was what 
John Adams said was the spark that lit the flame of the 
Revolution.
    Today, emails are our private papers. The ISPs that transmit 
my email to you are the equivalent, functional equivalent of 
the post office, and the cloud storage system that I use to 
store that information is the functional equivalent of the file 
cabinet in my office. There is no ground that I can see that is 
consistent with what the Framers understood our personal 
privacy and papers to be to exclude that information from the 
full protection of the warrant.
    And I would add that our history of Fourth Amendment 
understanding has followed the development of technology by 
consistently applying that same principle. When the Supreme 
Court was faced with the idea of telephones in the Katz case 
back in the 1960's, they saw that those types of personal 
communications ought to be subject to the exact same sorts of 
constitutional protections. This notwithstanding the fact that 
of course telephones were unknown to the Founders, and over the 
dissent of Justice Black who said, you know, history says there 
are no telephones, if it's not in the Fourth Amendment, it 
shouldn't be in the Fourth Amendment.
    Likewise, as Mr. Salgado has said, we've recently come to 
understand that the cell phones in our pockets are not just 
telephones. They are now mini-computers that contain the stuff 
and substance of everything that we know and understand, so, 
too, I would submit, with the content of our email 
communications and our stored data in cloud service providers, 
whether it's Google, or Microsoft, or Yahoo, or Dropbox, this 
is where we store our data today.
    So what's the debate? What's left? All that I hear that is 
left is the application of exceptions that are carve outs and 
restrictions on this general warrant requirement. And to some 
degree, that has an intellectual appeal to it, doesn't it, 
because we've had exceptions to the Fourth Amendment for 
awhile, but I doubt that that's really what the advocates for 
the exceptions are suggesting, because I certainly have not 
heard any of them suggest that we should adopt as well the 
Fourth Amendment suppression rules for when evidence is 
wrongfully collected in violation of these exception 
requirements.
    The truth is that we've had no--when ECPA was first passed 
in the 1980's, no exception for an emergency at all. The 
current statute was added in 2001, post 9/11 at the suggestions 
of the Department of Justice. So it's kind of passing strange 
that we would see that exception and expansion of it held out 
now as a reason to oppose the fundamental changes that are 
necessary in light of technology.
    I would submit to you that the time is ripe for change and 
the principle is clear. In the normal law enforcement context, 
police, FBI, and law enforcement officers should have no more 
access to stored email than they do to our stored private 
letters. I would urge this Committee to give the bill before 
you plenary consideration in a markup and move it to the floor 
for consideration where these issues can be hashed out. And 
with that, I thank you very much. I look forward to answering 
your questions.
    [The prepared statement of Mr. Rosenzweig follows:]
    
    
  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
    
     
                               __________
                               
                               
                               
                               
    Mr. Goodlatte. Thank you. And we'll now proceed under the 
5-minute rule with questioning of the witnesses, and I'll begin 
by recognizing myself.
    Mr. Salgado, if Congress were to issue a subpoena to Google 
for the contents of a customer's emails, would that subpoena 
violate the Fourth Amendment?
    Mr. Salgado. That's a question I would have to look into as 
to how the Fourth Amendment applies to Congress, so I've not 
done enough research to be able to answer that with much 
confidence. I would say that the changes we're talking about 
today to ECPA would not in any way affect the investigative 
powers of Congress.
    Mr. Goodlatte. I think it's a very important question, 
however, because if you can't answer that question from me 
right now, answer this question. What's the constitutional 
distinction between congressional and executive subpoenas?
    Mr. Salgado. Again, I'd probably have to investigate that. 
The Fourth Amendment is what the Fourth Amendment is, so if 
there is a restriction there that's based on the Constitution, 
that exists regardless of what we do with ECPA.
    Mr. Goodlatte. If the subpoena issued to Google for the 
contents of a customer's emails, the customer might be a 
government employee who is acting outside of the government's 
servers and email system and is storing data on Google's cloud, 
what ability would the Congress have to conduct oversight if 
your finding is that it violates the Fourth Amendment?
    Mr. Salgado. I don't know that it would, but I do note that 
Congress would have all the authority it does now to direct the 
subpoena to the user to get the information directly from the 
user.
    Mr. Goodlatte. We would very much appreciate your taking 
some time to think about the answer to that question because 
it's a very important question with regard to how we address 
this. Because there either is not a violation, in which case 
the question arises what's the constitutional distinction 
between congressional and executive subpoenas, or there is a 
constitutional violation, in which case the Congress' ability 
to conduct proper oversight of the executive branch is a very 
significant one.
    Mr. Salgado. I'd be happy to answer the question. I don't 
think it touches on the question of this particular step, this 
particular bill, but I'd be very happy to look into that for 
you.
    Mr. Goodlatte. Thank you.
    Mr. Ceresney, critics of a civil mechanism cite to the fact 
the SEC has not sought to serve a subpoena on a commercial 
provider in the 5 years since the Sixth Circuit's decision in 
U.S. v. Warshak. You've heard some of those criticisms right 
here on this panel today.
    They say it's not really a problem that needs to be solved 
because of that fact. Is this true? And if so, why hasn't your 
agency sought to challenge the warrant-only policy adopted by 
many providers following Warshak?
    Mr. Ceresney. So Congressman, the decision was made at the 
time. I wasn't at the SEC at the time, but after Warshak, a 
decision was made in excess of caution not to issue subpoenas 
to ISPs without consent of the subscriber. And since I've been 
at the SEC, we have held off on doing that in deference to the 
discussions that have been ongoing in Congress about amending 
ECPA.
    At the same time, we have never felt like Warshak precluded 
us from obtaining email under the Constitution pursuant to a 
subpoena with notice to the subscriber. Warshak dealt with a 
grand jury subpoena with no notice to a subscriber, and it did 
not undermine a long line of case law that exists, that holds 
that where a subscriber or the party you're seeking email from 
or seeking material from has precompliance review before a 
court that that satisfies the Fourth Amendment. It is true that 
we have not done it, but I can tell you there are cases ongoing 
which----
    Mr. Goodlatte. I know that you haven't done it. I want to 
know why.
    Mr. Ceresney. Right. And that is because in an excess of 
caution at the time and in deference to these discussions, you 
know, in deference to the discussions that have been ongoing 
before Congress about the decision of what to do to reform 
ECPA. From our perspective, there are ongoing investigations 
that would definitely benefit from ISP subpoenas where we have 
not obtained email from a subscriber that we do know exists, 
but we're not able to obtain it because we have not been 
issuing subpoenas to ISPs.
    Mr. Goodlatte. So how has that affected your ability to 
conduct investigations?
    Mr. Ceresney. I think it has affected our ability to 
conduct investigations. We issue subpoenas to individuals all 
the time for their email, and all the time there is instances 
where those individuals either don't produce----
    Mr. Goodlatte. And before Warshak, you would then issue a 
subpoena to a third-party holder of those emails. Is that 
correct?
    Mr. Ceresney. That's correct.
    Mr. Goodlatte. And since then, you haven't felt the need to 
attempt to do that, and have the courts clarify this issue, 
which now the Congress is being asked to clarify?
    Mr. Ceresney. We have felt the need, Congressman, but we 
have, in deference to these ongoing discussions in Congress 
about reforming ECPA, determined not to do that. But we 
certainly have identified cases where it would have been 
helpful to do that to our efforts.
    Mr. Goodlatte. All right. Let me ask one more question to 
Mr. Littlehale. In addition to serving the warrant on the 
customer, H.R. 699 also requires law enforcement to provide 
notice to the customer of the nature of the law enforcement 
inquiry with reasonable specificity.
    Is law enforcement required to provide such information to 
a person when they serve a search warrant on their home? What 
is the harm if law enforcement is required to inform the 
subject of investigation of the nature of the law enforcement 
inquiry with reasonable specificity?
    Mr. Littlehale. Mr. Chairman, in traditional search warrant 
practice on the premises to be served----
    Mr. Goodlatte. Turn your microphone on, please.
    Mr. Littlehale. Sorry, Mr. Chairman. In traditional search 
warrant practice, the requirement is simply that law 
enforcement leave a copy of the warrant and an inventory of 
items seized on the premises to be searched.
    And in the analogy to a service provider, an entity that is 
in possession of evidence, we serve a copy of the warrant on 
them, and we give them notice of the fact that we're requiring 
them to produce the records.
    H.R. 699 imposes an additional set of requirements that we 
actually discuss something about the nature of our 
investigation that goes beyond what's required in traditional 
search warrant practice.
    Mr. Goodlatte. Thank you very much. The gentleman from 
Michigan, Mr. Conyers is recognized for 5 minutes.
    Mr. Conyers. Thank you, Mr. Chairman. Before I begin my 
questioning, I'd like to ask unanimous consent to introduce a 
statement from the gentleman from Colorado, Mr. Jared Polis, 
into the record. He's the lead Democratic Member on this bill, 
and his views are worth consideration by the Committee. Can I 
get a unanimous consent request approved?
    Mr. Goodlatte. Without objection, it will be made a part of 
the record.
    [The information referred to follows:]
           Prepared Statement of the Honorable Jared Polis, 
        a Representative in Congress from the State of Colorado
    Chairman Goodlatte, Ranking Member Conyers, and Members of the 
Committee:
    Thank you for convening this important hearing on H.R. 699, the 
Email Privacy Act. The Email Privacy Act is the most cosponsored bill 
in Congress awaiting floor action, and the problem it addresses is one 
of the most pressing constitutional concerns of our modern age: How can 
we stop the advancement of technology from eroding our fundamental 
right to privacy?
    In the broadest possible terms, the obvious answer is that we need 
to update our laws. Many of the laws governing the use of the 
technology Americans most frequently use today were written long before 
any of that technology existed or was even conceived of. Congress 
simply cannot purport to protect Americans' constitutional rights while 
leaving the federal government to enforce laws designed for a world 
that doesn't exist anymore.
    Today, the law governing many of our online privacy rights is the 
Electronic Communications Privacy Act (ECPA) of 1986. In 1986, for the 
vast majority of Americans, ``electronic communications'' meant a phone 
call placed from a landline. In 1986, Apple had just released the 
Macintosh Plus--a cutting-edge personal computer that provided users 
with an entire megabyte of memory. Today, iPhone 6 users walk around 
with 16,000 times that amount in their pockets. In 1986, the ``World 
Wide Web'' was years away from taking off. Today, that term is already 
a relic of the past.
    As a result of Congress's failure to keep up with the pace of 
technology, every American's email can be subject to warrantless 
searches thanks to a 29-year-old legal loophole. Under ECPA, the 
government has the ability to search through any digital communications 
stored on a third-party server--such as your emails and instant 
messages--without a warrant, as long as they are more than 180 days 
old. In 1986, this loophole may have seemed reasonable because 
individuals simply didn't leave their emails stored on a server for 
months at a time. That kind of digital storage space just didn't exist, 
so authorities considered emails not deleted after six months to be 
abandoned. In 2015, however, consumers routinely store emails digitally 
for months or even years at a time.
    Most Americans have no idea that a law written 29 years ago allows 
the government to open their old emails without probable cause. And 
when they find out, they're shocked--because that reality is simply 
impossible to square with the basic liberties guaranteed in our 
Constitution. It simply makes no sense that our homes, cars, and 
mailboxes are protected from unwarranted government searches but the 
government can sift through our email inboxes with impunity.
    Congress has the power to change that. The Email Privacy Act has 
304 cosponsors in the House--a bipartisan, veto-proof supermajority of 
Members of this body--and far-reaching support across all sectors of 
the economy and across the political spectrum, from groups like the 
Heritage Foundation and the American Civil Liberties Union to tech 
startups, Fortune 500 companies, and Chambers of Commerce.
    There are some federal officials calling for special carve-outs and 
lower burdens of evidence in order to access Americans' old emails. I 
urge the committee to resist these efforts to undermine the bill for 
several reasons.
    First, the sheer volume of support for this bill suggests that 
Americans and their representatives in Congress overwhelmingly support 
the legislation as written and do not believe electronic correspondence 
should be subject to a lower standard of evidence than physical 
documents when it comes to government searches.
    Second, the authors of ECPA clearly did not anticipate a future in 
which Americans have access to nearly unlimited storage space that 
allows us to store our emails on the cloud in perpetuity. In asking for 
a special carve-out from warrant requirements, these federal agencies 
are asking for broad new search authorities that go far beyond the 
intent of the 1986 legislation and that would significantly undercut 
the intended reforms of the Email Privacy Act.
    Third, the federal officials asking for these broad new authorities 
have not put forward compelling evidence that the 180-days loophole has 
served a legitimate law-enforcement purpose.
    And finally, it is impossible to square a lower standard of 
evidence for emails older than 180 days with the Constitution's 4th 
amendment protections against unreasonable search and seizure. There is 
simply no constitutional basis for exempting digital correspondence 
from our privacy laws, and there is no compelling safety or 
crime-prevention reason for doing so either.
    The 180-days loophole is a longstanding problem with a simple, 
bipartisan, broadly popular, noncontroversial solution at the ready. 
With 304 cosponsors in the House, the Email Privacy Act is the 
most-cosponsored bill of the 114th Congress not to receive a floor vote. I 
urge the Committee to favorably report H.R. 699 so that it can finally 
get a vote on the House floor, where I am confident it would pass with 
overwhelming bipartisan support.
    Thank you.
                               __________

    Mr. Conyers. All right. Thank you. Let me begin my 
questions with Chris Calabrese. I'm trying to find out why this 
bill is so popular from your point of view. The Email Privacy 
Act, 304 sponsors, privacy advocates, civil libertarians 
support it, former prosecutors, Fortune 500 companies, and 
small businesses across the country. More than 100,000 
Americans have signed a petition urging the White House to 
support this measure. How come?
    Mr. Calabrese. Well, I think that Americans believe very 
strongly in the values that underpin this Nation, the 
fundamental idea of privacy and a balance between what 
government can do and having rules around how they can do it. 
All this bill does is the very modest step of bringing our 
privacy protections into the 21st Century, and everybody agrees 
with that.
    A recent poll in the Washington Post said that 86 percent 
of Americans supported reform. This panel is unified in saying 
that we need a warrant for email. Now, we have some minor 
issues around the edges, but honestly, I believe that this is a 
bill that would pass Congress or pass the House of 
Representatives by 300 or 400 votes.
    It is that popular. It is that common sense. I think we 
simply need a markup. We can work out some of these issues 
around the edges, and the American people can get the privacy 
protections that they want and they need. Thank you.
    Mr. Conyers. Thank you. And also in your testimony you 
mention that the bill faces a concerted assault from civil 
agencies that seek to use statutory changes as a tool to gain 
new powers. Some argue the powers are already on the books. Why 
do you refer to the SEC's proposal as a request for new powers?
    Mr. Calabrese. I think that if you don't use an authority 
for 5 years and there is a questionable legal standard about 
whether you can use it at all, it's new authority. That's 
simply put. It simply can't be that you have this existing 
authority and you say it's incredibly valuable but you've held 
off on using it for 5 years. Either what you're doing in your 
investigations aren't important, which we all know is not true, 
or you don't think you have this authority, and to me, there 
are really no other options, and I think that this is new 
authority.
    Mr. Conyers. Thank you.
    Mr. Rosenzweig, the government often conducts parallel 
criminal and civil investigations to the same target. What 
would be the practical consequences if we adopted a warrant 
standard for email in criminal investigations and some lesser 
standard for those in civil investigations?
    Mr. Rosenzweig. There'd be the risk that the exception 
would swallow the rule. I spent much of my early career 
prosecuting environmental criminal cases, a regulatory area 
where the civil regulatory authorities had civil and 
administrative powers for securing evidence. There was a set of 
procedures, parallel proceedings procedures, that were internal 
to the executive branch that governed the circumstances under 
which those civilly collected evidence could be transferred to 
the criminal prosecution side for use in a criminal case. Those 
rules were simply rules of grace at the discretion of the 
executive branch. They were not statutorily mandated and they 
were not expressed in any constitutional limit.
    There would be at least some risk that in an effort to 
evade the warrant requirement that was created by reform of 
ECPA, criminal authorities would solicit the securing of that 
evidence through civil process under a lesser standard. I do 
not mean to ascribe ill motivation to anybody in any part of 
this process. But, nonetheless, the interstitial pressures are 
very real.
    Mr. Conyers. Let me squeeze in one final question here. The 
Sixth Circuit in Warshak held that, to the extent that the 
Stored Communications Act permits the use of subpoenas to 
compel the production of email, the statute is 
unconstitutional. Given that holding, is the mechanism proposed 
by the SEC also unconstitutional? Anybody want to try that in 
addition to you?
    Mr. Rosenzweig. I think it likely is. It hasn't been tested 
in court. There is a history of restricting civil authorities 
for constitutionally protected material. There's also, frankly, 
some law that points to things called administrative searches 
that might be seen as a validation of the SEC's position. If I 
were to judge it, I would probably say--come down against it, 
but nobody makes a lot of money predicting the Supreme Court.
    Mr. Conyers. Could it withstand the Fourth Amendment 
challenge in the courts, do you think?
    Mr. Rosenzweig. I would say no.
    Mr. Conyers. All right. Thank you so much.
    Thank you, Mr. Chairman.
    Mr. Goodlatte. Thank you, Mr. Conyers.
    The Chair now recognizes the gentleman from Wisconsin, Mr. 
Sensenbrenner, for 5 minutes.
    Mr. Sensenbrenner. Thank you, Mr. Chairman.
    In the Warshak case in 2010, the Sixth Circuit ruled the 
content of America's emails is protected by the Fourth 
Amendment. I agree with that holding. Since that decision, the 
SEC has been unable to subpoena email content from service 
providers.
    Now, Mr. Ceresney, I've read your testimony and listened to 
it. Did you write it in 2009?
    Mr. Ceresney. No. I wrote it----
    Mr. Sensenbrenner. Okay, well, thank you very much.
    Now, if the SEC cannot currently subpoena email content 
from service providers, is it truthful to testify that if H.R. 
699 becomes law the SEC will be denied the ability to obtain 
evidence?
    Mr. Ceresney. I don't agree that we're not able to do it 
currently. We have refrained from doing it in deference to 
Congress' ongoing discussions about it.
    Mr. Sensenbrenner. Okay. Well, I guess you kind of ignored 
the Warshak decision on that.
    Now, even under ECPA as it was written almost 30 years ago, 
the SEC could only subpoena email content after it was older 
than 180 days. Aren't you asking this Committee to expand a 
legal authority that was found unconstitutional in a more 
limited form?
    Mr. Ceresney. We are not. I think----
    Mr. Sensenbrenner. Well, then, why aren't you? Because you 
would like to be able to issue subpoenas on email content 
that's less than 180 days old.
    Mr. Ceresney. We would defer. If Congress decided that----
    Mr. Sensenbrenner. No. No. No. No. No. No. No. You know, 
the thing is, is that I think the court has decided and you're 
not happy with the court decision. What your testimony says is 
that you'd like to expand something that's already been held 
unconstitutional.
    Mr. Ceresney. I disagree. Warshak was----
    Mr. Sensenbrenner. Well, I disagree with you.
    Now, let me ask the whole panel, just to ask yes or no. If 
Congress gives civil agencies the authority to subpoena email 
content to service providers, would that law be constitutional? 
I think Mr. Ceresney has already said yes.
    Mr. Ceresney. Yes.
    Mr. Sensenbrenner. Can I get a yes-or-no answer from the 
other five panelists?
    Mr. Cook. I'd love an opportunity to explain the----
    Mr. Sensenbrenner. No. I'm limited on time.
    Mr. Cook. I understand, sir.
    Mr. Sensenbrenner. Yes or no please.
    Mr. Cook. My answer is yes, it would be constitutional.
    Mr. Sensenbrenner. Mr. Littlehale?
    Mr. Littlehale. Yes, it would be.
    Mr. Sensenbrenner. Mr. Calabrese?
    Mr. Calabrese. I believe no, it would not be.
    Mr. Sensenbrenner. Mr. Salgado?
    Mr. Salgado. I believe no, it would not be.
    Mr. Sensenbrenner. Okay. Mr. Rosenzweig?
    Mr. Rosenzweig. No. That's what Warshak said.
    Mr. Sensenbrenner. Uh-huh.
    Now, I think we've heard from Mr. Ceresney. Messrs. Cook 
and Littlehale, since you believe the law would be 
constitutional, how do you square that position with the Sixth 
Circuit court's holding in Warshak?
    Mr. Cook. Well, I think the critical distinction is the one 
that the SEC has already drawn, and that is that the subpoena 
at issue there was a grand jury subpoena, one issued with no 
notice to anybody. The Fourth Amendment to the United States 
Constitution, as we all know, has never imposed a warrant 
requirement without any exceptions or without any other way to 
meet the reasonableness clause.
    Mr. Sensenbrenner. Okay. Mr. Littlehale?
    Mr. Littlehale. Congressman, I believe that the due process 
provided by the SEC proposal offers a significant amount of 
protection, the same sort of protection contemplated by the 
Fourth Amendment, and I believe that the courts would view that 
as sufficient protection.
    Mr. Sensenbrenner. Well, you know, the issue is, is that a 
subpoena--there can't be a motion to quash a subpoena until 
it's served. So even if there's an immediate motion to quash a 
subpoena, isn't there the risk of a constitutional violation 
here?
    Mr. Ceresney. Congressman, there isn't. That's because our 
subpoenas are not self-executing. If we want to enforce our 
subpoena, we need to go to a court and compel production.
    Mr. Sensenbrenner. Okay. Well, except that Warshak seems to 
indicate the opposite. Well, you know, the thing is, is that 
here we're having to balance the fact that apparently the 
position of law enforcement is that they want to expand what is 
currently the law. And the position of those who are privacy 
advocates say the law is the law and codify it.
    I think this is a slam dunk for Congress to make a 
determination, because we already have something that everybody 
seems to think is okay, you know, except a few people that 
would like to expand the dragnet.
    With that, I'll yield back.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentlewoman from California, Ms. Lofgren, for 5 
minutes.
    Ms. Lofgren. Thank you, Mr. Chairman. And I'm glad that 
we're having this hearing today. As had been mentioned at the 
beginning of the hearing, over 300 Members of Congress are 
sponsoring the legislation. So it hasn't been a close call for 
most of us.
    There is a competing--not a competing bill, a bill that 
encompasses the provisions in this bill, but also goes to 
geolocation. And I'm wondering, Mr. Cook, the DOJ recently 
enacted a policy requiring a warrant before deploying a cell 
site simulator, like a Stingray, to locate a suspect using 
their cell phone. Does your association support that policy?
    Mr. Cook. The answer to that, of course, is yes. The use of 
a Stingray or Triggerfish, cell site simulator, under certain 
circumstances would trigger Fourth Amendment protections. That 
is to say that either a warrant or one of the exceptions. And 
there are many occasions when law enforcement uses a Stingray 
and it does so under the emergency aid or exigent circumstances 
exception.
    Ms. Lofgren. If you support this absent the exigent 
circumstance exception, which we're not arguing against, would 
you consider that a warrant for any means of obtaining 
real-time geolocation information should also be favorably supported 
by your group?
    Mr. Cook. I'm not sure I understand.
    Ms. Lofgren. For example, you don't need a Stingray to 
actually identify where a person is with a cell phone. But the 
identification issue is the same. So wouldn't that logic extend 
to that?
    Mr. Cook. Well, when law enforcement seeks prospective 
tracking of a suspect, as was the case in Jones, an ongoing 
tracking, then the Fourth Amendment is implicated. And I think 
Jones resolved that for us.
    Ms. Lofgren. I think it did as well. Shouldn't that same 
logic apply also to historical location information?
    Mr. Cook. That's a great question. And of course, as I can 
tell from your questioning, you're fully familiar with the 
court struggling with that issue, the fourth and the fifth 
circuit and other courts divided on that. And so part of the 
division I think is driven by an understanding of the 
technology. The technology with respect to some location 
information is that it's just not as specific as GPS tracking. 
And with respect to that, the courts have recognized that 
there's----
    Ms. Lofgren. If I can, I don't want to run out of time. 
Assuming that the technology issues are resolved, and it's not 
the U.S. Attorneys Association's job to do that, logically 
shouldn't the Fourth Amendment apply to historical records as 
well as prospective records?
    Mr. Cook. The other longstanding doctrine, of course, that 
touches on that is the one that the courts have pointed to, and 
that is the Smith and Miller third-party records doctrine.
    Ms. Lofgren. Right, which has also been not favorably 
received recently by the Congress.
    Let me turn to you, Mr. Salgado, because we have approached 
this whole issue from the point of the Fourth Amendment and the 
Constitution and the right to privacy and the like. But it also 
has an impact on American business. The most important 
technology companies in the world are located in the United 
States. I would like, can you comment on the impact, if any, on 
American business for a perception in other countries that 
privacy is not secure if you use an American product?
    Mr. Salgado. Thank you, yes. I certainly can easily burn up 
the rest of your time with an answer to that question. It is a 
significant impact on American industry that there's a 
perception outside of the United States--Europe, it's no 
secret, certainly holds this perception--that data held by U.S. 
companies is somehow there for the taking for U.S. Government.
    This bill, the Email Privacy Act, is a good step toward 
getting rid of that misperception, making sure our statutes 
reflect the true protections that the Fourth Amendment offers.
    Ms. Lofgren. Now, if I can, and you may not have the answer 
to this, but certainly this is not an issue just for Google, 
but for Facebook and all the ISPs, and Microsoft has a big case 
in Ireland right now, and the like. Has anybody added up the 
dollars at risk to the U.S. economy on this privacy issue?
    Mr. Salgado. You know, that may have been done. I'd need to 
get back to you with that, it's not on the tip of my tongue, to 
be able to answer.
    Ms. Lofgren. Okay. That's fair enough. I would like to just 
mention that the Chief Justice's conclusion in Riley versus 
California is, ``Our answer to the question of what police must 
do before searching a cell phone seized incident to arrest is 
accordingly simple, get a warrant.''
    How does that decision apply to the legislation that we're 
considering today, in your judgment?
    Mr. Salgado. I think it illustrates the point that the 
Supreme Court wants us to have bright rules so that the law 
enforcement officer in the field knows what to do. And when 
we're talking about the Fourth Amendment and our right to 
privacy, we're not messing around with gray areas, that we 
recognize the significance of this right to Americans, we 
recognize the significance of the privacy interest, we have 
clear rules, and the rules should be to default to a warrant.
    Ms. Lofgren. Thank you very much. My time has expired, Mr. 
Chairman.
    Mr. Collins [presiding]. The gentlelady's time has expired.
    The Chair now recognizes the gentleman from Iowa, Mr. King.
    Mr. King. Thank you, Mr. Chairman.
    I thank the witnesses for your testimony.
    First, it was mentioned that there's a general agreement 
among the panel, I believe, and others, that except for a few 
people who would like to expand the dragnet. I would ask Mr. 
Cook and Mr. Littlehale, is there anything in this bill that 
expands the dragnet?
    Mr. Cook?
    Mr. Cook. Well, I'm troubled by the characterization.
    Mr. King. Well, let me define dragnet so that you don't 
have to. And that would be is there anything in this bill that 
expands your ability to do investigations that maybe makes 
innocent citizens more vulnerable?
    Mr. Cook. No, sir. I think that the bill is narrow, in 
fact, expansively limits in a couple of unprecedented ways law 
enforcement's ability to do their job.
    Mr. King. That's my understanding of it as well. Mr. 
Littlehale?
    Mr. Littlehale. Yes, Congressman, I share that concern.
    Mr. King. And you would share the characterization with Mr. 
Cook as well?
    Mr. Littlehale. I believe that the bill imposes additional 
limitations on traditional search warrant practice. And even if 
the standard of proof governing an additional category of 
records as contemplated in the bill is given, we will have less 
authority with respect to those records than we would with 
records in the physical world, yes.
    Mr. King. I thank both gentlemen. I turn to Mr. Salgado. In 
thinking about this from a Google perspective, when I or a 
citizen sign up for an email account, there's a long agreement 
that's there that I have to confess I have not studied that or 
have my attorney look that over, but I say, okay I agree. And I 
sign up for my email. And I'm glad to have the service. And it 
works really good. Am I in that waiving some protection to 
privacy in that agreement?
    Mr. Salgado. Well, not with regard to what we're talking 
about here. The agreements certainly talk about how we use the 
information and where we might be needing to disclose it in 
order to provide the service. So it's meant to describe to you, 
and those who are interested in knowing these things, what's 
happening. But with regard to this bill and the Fourth 
Amendment, we will honor search warrants that are served on us 
in valid legal process.
    Mr. King. Will you honor subpoenas?
    Mr. Salgado. We honor subpoenas but not for content. So we 
will honor subpoenas for what the statute says we honor 
subpoenas for. And it's our preference to let users know when 
we get these requests, unless we are informed by gag order, for 
example, that we're not able to. So we will honor all of those 
rules that Congress has set in place and that the Fourth 
Amendment has established. We also will honor requests to 
preserve information while law enforcement goes through the 
effort of getting a search warrant which may take a period of 
time.
    Mr. King. Are you aware of any ISPs that have a different 
policy than you're describing here with Google's?
    Mr. Salgado. There may be slight differences in how the 
product works or the policies are slightly different. But, no, 
generally I think the sort of pattern I'm describing is one 
that certainly the larger companies here operate under.
    Mr. King. Then practice is pretty close to the mirror of 
the act we're discussing, the legislation we're discussing?
    Mr. Salgado. Yes, sir. I think that's right. I'm not aware 
of providers who are producing content on anything less than a 
search warrant at this point.
    Mr. King. So I would burn more time on that but I 
appreciate your response. And I would like to turn to Mr. 
Rosenzweig because I believe that you gave the clearest 
definition of modern electronics versus the postal service from 
that constitutional--the Founders' era. This is still the 
constitutional era. And I would put it this way, ISP equals 
post office, emails equal your filing cabinet. Is that an 
accurate description of yours?
    Mr. Rosenzweig. ISPs equal the post office, yes. That would 
be my summary or stored email equals letters in my file, right.
    Mr. King. Okay. Yes. Stored emails. And could I have the 
right to, if I had an ISP provider that said we want to waive, 
will you waive your authority, will I waive my constitutional 
protections and hand that data over to an ISP provider, I could 
do that willingly, couldn't I, under the Constitution and 
current law?
    Mr. Rosenzweig. Oh, you could consent to anything. Provided 
your consent is voluntary and not coerced, you could. You 
don't, if the police come to your door and say can I get the 
letters in your file cabinet, you don't have to require a 
warrant. You could say sure, come on in.
    Mr. King. You're familiar with California v. Greenwood?
    Mr. Rosenzweig. Yes.
    Mr. King. And so the distinction here between Warshak and 
California v. Greenwood, which is essentially if you take your 
garbage out to the curb, it's not protected by any Fourth 
Amendment right. If I delete my emails, and they're within the 
custody of an ISP, and I've waived my right to privacy, that 
would be open access then to the investigators?
    Mr. Rosenzweig. I would say no. But I would have to think 
about that. My sense is that when I delete the email, I'm 
intending not to throw it to the curb as garbage, but rather to 
eradicate its existence altogether. If I'm aware of the fact 
that a copy is kept, maybe. But I don't think I'm aware.
    Mr. King. So it's actually, we're getting where we need to 
go with this panel, I think is the distinction between 
Greenwood and Warshak on what those emails consist of, are they 
garbage or aren't they, are they access to an investigator by 
subpoena or by a warrant or aren't they. So I appreciate the 
panel. This has been clarifying testimony today. And I thank 
the Chairman. And I yield back the balance of my time.
    Mr. Collins. At this time, the gentlelady from Washington 
State, Ms. DelBene, is recognized.
    Ms. DelBene. Thank you, Mr. Chair. And I just want to thank 
the Chair for holding this hearing and to all of you for taking 
the time to be here with us today. Mr. Ceresney, do you dispute 
the continued availability of preservation orders and court 
interference to enforce administrative subpoenas of targets of 
SEC investigations should the Email Privacy Act pass?
    Mr. Ceresney. So if the question is whether preservation 
requirements should be contained in the statute and the ability 
to obtain from the subscriber, should that also be required.
    Ms. DelBene. Do you think if the Email Privacy Act passes, 
do you think that you're going to continue to have the 
availability of preservation orders and court interference to 
enforce administrative subpoenas?
    Mr. Ceresney. I believe that that is still something that 
one could obtain under the proposed statute. But what that 
wouldn't allow us to do is to then obtain those emails from 
ISPs when the individual doesn't provide them to us.
    Ms. DelBene. So you've argued in your testimony that one 
problem with the Email Privacy Act would be that it leads 
targets of investigations to delete emails, thereby destroying 
evidence. So are you telling this Committee that the Email 
Privacy Act would be to blame if you don't take the commonsense 
step of issuing a preservation order on an ISP from day one of 
an investigation. Is there any reason whatsoever that you 
wouldn't take that step, that very simple step, which can be 
done directly by the SEC without a judge's involvement?
    Mr. Ceresney. We would certainly take that step. The 
problem is the preservation doesn't then allow us to then 
obtain the email from the ISP. So certainly we would do that, 
we would try to preserve the email and make sure that it's 
available. But then the next step, that is obtaining it from 
the ISP, that would not be available to us.
    Ms. DelBene. So your comment that this would lead people to 
delete emails doesn't really hold water. If you have a 
preservation order, the information is going to be saved there.
    Mr. Ceresney. But if the person deleted the email and then 
we subpoenaed the person, they wouldn't have it. The only 
person, the only entity that would have possession, custody, 
and control of the email would be the ISP and we wouldn't have 
an avenue----
    Ms. DelBene. If you have a preservation order, then the ISP 
is going to preserve that information.
    Mr. Ceresney. Yes. But if they preserve it and we can't 
obtain it----
    Ms. DelBene. I don't know about you, but I use email to 
keep in touch with my family, my husband, my friends back home 
in Washington State, all across the country. And I'm sure 
pretty much everyone in this room and this building would tell 
a similar story. As email has gone mobile, it's virtually 
indistinguishable from a phone call or a text message and, no 
doubt, contains very important details of people's personal 
lives and stored in the cloud by companies like Mr. Salgado's, 
and we would all hope to be kept safe from intruders or prying 
eyes.
    I find it highly disturbing in your testimony today that 
seems to suggest that the SEC views email service providers 
more like a witness or an informant that you would be able to 
tap directly for information as opposed to the digital home of 
intimate communications. So let me ask you this: If the SEC 
wants a box of documents sitting in a target's home, can you 
use an administrative subpoena to bring a locksmith to their 
home to open the door, walk in, and take documents?
    Mr. Ceresney. We cannot. What we----
    Ms. DelBene. Then please explain to us why you think we 
should give you the ability to do exactly that with a digital 
equivalent. How that could possibly comport with simple 
expectations of privacy and due process and without a shred of 
meaningful evidence from you so far or anyone else that the 
lack of this authority will have any impact on your ability to 
carry out investigations whatsoever?
    Mr. Ceresney. We view the ISP as a third-party storage 
provider, much like an Iron Mountain provider would be for hard 
copy documents that are kept in a storage facility. And if in 
the circumstance where hard copy documents are kept in a 
storage facility, we could go to that storage facility with 
notice to the person who uses that storage facility and try to 
obtain those documents via subpoena. And that I think is the 
analogy that we would draw that would be appropriate in these 
circumstances.
    And from our perspective, we do have instances in the past 
when we did issue ISP subpoenas where we could show that we 
obtained significant evidence in investigations for that 
purpose. As to the last number of years when we haven't used 
it, we don't know what we have lost. But it's certainly our 
investigations----
    Ms. DelBene. I want to get your view, Mr. Calabrese, on 
this in terms of the role of that third-party provider being 
the home of people's personal communications.
    Mr. Calabrese. Well, it's clearly our digital home. I mean, 
you would find much more sensitive information about me in the 
cloud than you honestly would in my house at this point. If you 
wanted physical documents, they are much more sensitive in my 
house. The thing I would also like to point out that we haven't 
really touched upon here is that the standard for accessing 
information in the civil context is very low. It's mere 
relevance. It's not a high standard of probable cause. Also the 
number of things that a predicate--a civil agency has, sort of 
simply mis-filling out your taxes, for example, are much 
greater than the criminal predicates for a warrant. So we're 
talking about a much lower standard, much greater number of 
ways that we can access information. That means that we're 
potentially opening up the cloud to much greater invasion by 
civil agencies even than we would by criminal agencies. And I 
think that's exactly backwards.
    Ms. DelBene. And, Mr. Ceresney, if you give me just a 
couple more seconds, Mr. Chair, you talked about cases. Can you 
give me the specific names of those cases?
    Mr. Ceresney. We have a number of cases. And we would be 
happy to provide it to your staff. It includes an accounting 
fraud case where an email indicated that somebody was using 
earnings management, an insider trading case where an email 
contained a tip, a microcap fraud case where the emails showed 
control of corporation. And just one last thing to answer Mr. 
Calabrese's point, we would be fine if Congress established a 
probable cause standard as the standard that we would have to 
meet. Whatever standard Congress would like to establish for us 
to have to meet, we are fine meeting that standard. What we 
need is some mechanism in instances where an individual does 
not produce to us email, and has deleted it, or otherwise 
destroyed it----
    Ms. DelBene. And I think we've already discussed that right 
now. Post-Warshak, you have never used that authority. So my 
time has expired. And I just want to yield back.
    Mr. Collins. The gentlelady's time has expired. At this 
time, the gentleman from Texas, Mr. Gohmert, is recognized.
    Mr. Gohmert. Thank you, Mr. Chairman. Thank you to the 
witnesses for being here. For anyone that can answer, if 
someone deletes an email that he or she has already sent out, 
would the ISP be able to retrieve that at some point?
    Mr. Salgado. I would be happy to try to answer that. It may 
vary from company to company. In most cases, I think it's fair 
to say that there would be some short period of time between 
the point of deletion and when the system purges the content 
that has been deleted. So there would be some period of time. 
That time period may vary from provider to provider.
    Mr. Gohmert. Couldn't it be retrieved from the person to 
whom it was sent?
    Mr. Salgado. It certainly could. So there may be many 
communicants involved in it.
    Mr. Gohmert. Right. The issue there, and I'm not one of the 
co-sponsors at this time, even though I am one of the persons 
proudest of the work that Kevin Yoder has done in getting this 
bill to this point. I think it's fabulous. I think it's 
important. My concern has been, is that we have left a 
provision at page 10, for example, that allows the governmental 
entity to apply for a court order so that they can still not 
inform the individual. And that's fine to my mind if there's a 
question of endangering the life or physical safety of an 
individual, like a child that was talked about, flight from 
prosecution. As a former judge, I've signed all kinds of felony 
warrants. But I made sure that there was probable cause. And I 
made sure there was particularity in the description in the 
affidavit, as well as in my warrant.
    And I felt very comfortable in 2005 and 2006 when the Bush 
administration was ensuring us we would never use the national 
security letters for anything unless there was someone who 
actually had contact with an international terrorist or 
terrorist organization, those type of things. And then we find 
out in I think in July of 2007, the IG said there were 
potentially thousands of abuses where there was basically no 
case, they just sent them out. And I'm surprised to hear this 
from me, but in the New York Times, there's a good article by 
Carla Monyhan talking about Nicholas Merrill, how he fought to 
disclose the contents of the NSL. And then we also, with the 
disclosures of Snowden, yes, he committed an act of treason, 
but he also exposed lies by the last Administration and this 
Administration.
    When I saw the order, the affidavit and order regarding 
Verizon's disclosures of all of their metadata, I realized we 
were lied to by both Administrations about what was being 
sought. We were told that, look, you don't have to worry, 
there's a FISA court, a confirmed judicial nominee that's a 
Federal judge, they'll protect the Constitution. There was no 
particularity at all, just give us everything on everybody you 
got. And the judge just signed, oh, okay, you want everything? 
Here's everything. I couldn't believe it.
    And so I'm not as comfortable with providing the exception 
that I'm sure was demanded by governmental entities. And I'm 
wondering if an excuse of destruction of, or tampering with 
evidence or intimidation of potential witnesses, enough to get 
an order saying we can avoid informing whoever sent the email 
or whoever should have possession of the email, we don't have 
to inform them if we're concerned they might delete the emails. 
Really? Well, that would always be a concern. So you could 
always, always, always get some judge somewhere that would sign 
off on that order. I know that now after seeing the disclosures 
by Snowden. So I'm not comfortable that this is really going to 
be that helpful because of that massive gaping hole.
    On page 11, it says that basically the provider would have 
the burden of notifying the government at the end of the 
exclusionary notice time. The provider has the burden of 
notifying the government. The government, okay, my time is 
about up, so I'm going to notify the subject of the warrant, so 
that the government can get, there should be no burden on the 
provider to do that. If the government wants to keep that 
secret, the government should try to extend it. But I'm not 
sure that it wouldn't be extended automatically in virtually 
every case.
    Mr. Rosenzweig, you say that we should not--we've always 
protected a man's documents and we shouldn't change that 
because it's in a cloud. I would agree. But the ISPs require we 
check a box that says these documents aren't yours anymore, 
they're mine. And I'm wondering if maybe we should have some 
legislation that tells ISPs, you know what, these documents, 
they really are the property of the person that created them, 
not the one who holds or provided the safe to put them in.
    Mr. Collins. The gentleman's time has expired. But the 
witness may answer.
    Mr. Gohmert. Anybody care to respond?
    Mr. Rosenzweig. I share, I would respond by saying I share 
your concern about the delayed notification provisions, 
especially the destruction of evidence portion of it. I think 
that other portions, you know, a risk of physical injury and 
harm, those are very good. I would point out that 2705 was 
added in the immediate aftermath of 9/11 as a codification of a 
longstanding common law that had developed in the courts of 
appeals that had adopted these various rules for when they 
would delay notification.
    So to some degree, you're arguing with something that 
preexisted 9/11, preexisted ECPA, preexisted--and destruction 
of evidence has traditionally been one of those possibilities. 
That may be something that should change. As for control of 
one's own personal data in the cloud, I think that there are 
many service providers who offer different degrees of control 
over your information. And so I generally tend to be 
comfortable with the idea that there's competition in the 
marketplace and that if that's something that matters to you, 
there are service providers who will promise that they take no 
interest and will not process, will not examine your data. They 
may be more costly in other ways than service providers who 
provide you. So I'm kind of a free-marketist on that one.
    Mr. Gohmert. Okay. Thank you very much.
    Mr. Collins. The gentleman's time has expired. The Chair 
now recognizes the gentleman, Mr. Cicilline.
    Mr. Cicilline. Thank you, Mr. Chairman. And thank you to 
our witnesses for sharing your expertise and your diverse 
perspectives with us today. I believe that all of us assembled 
here, both those of us on the Committee and our assembled panel 
of witnesses, recognize that technology often evolves much 
faster than the law. This, in part, is a testament to the rapid 
pace of American innovation. But it also presents a gap that 
must be addressed. And the Email Privacy Act represents an 
important step forward to closing this gap and preserving 
privacy protections for Americans. And it's no surprise to me 
that it's broadly supported by the American people.
    I want to begin with you, Mr. Ceresney. In your written 
testimony, you state if the bill becomes law without 
modification, the SEC and other civil law enforcement agencies 
would be denied the ability to obtain critical evidence from 
ISPs. This phrasing suggests to me that you are engaged in some 
activity today that would be blocked by this legislation.
    And so, my first question is, does the SEC currently use 
subpoenas to obtain the content of communications from Internet 
service providers?
    Mr. Ceresney. We do not where we don't have consent of the 
providers.
    Mr. Cicilline. And why not?
    Mr. Ceresney. As I've said earlier, it's because in an 
excess of caution and in deference to the discussions that have 
been ongoing in Congress for a number of years about ECPA 
reform, we determined to hold off on using that. But it does 
not mean we do not believe we have the authority under the 
statute and that it is constitutional to use it.
    Mr. Cicilline. But you do not currently use it?
    Mr. Ceresney. We do not without consent of the subscribers.
    Mr. Cicilline. Your written testimony also acknowledges 
that the SEC ``often conducts investigations in parallel with 
criminal authorities.'' If the FBI needs a warrant to obtain my 
email, but the SEC can obtain my email with something less than 
probable cause, what prevents the SEC from helping the 
government to avoid a warrant requirement by sharing my email 
contents with the FBI?
    Mr. Ceresney. So the first point is whatever standard 
Congress establishes we're willing to abide by, even if it's 
probable cause. But, second, when we issue subpoenas----
    Mr. Cicilline. Let me just, so if the standard is probable 
cause, then your objection is not with the standard, but who 
makes the determination of probable cause? Because a probable 
cause finding with a judicial determination is a warrant.
    Mr. Ceresney. No, what we're seeking is authority to 
achieve a court order with notice to the subscriber, which 
provides additional protections to a warrant. A warrant is ex 
parte, and the subscriber doesn't have an ability to object. 
What we're seeking is an authority to obtain an order from a 
court with notice to the subscriber. And the subscriber would 
have the ability to object and provide whatever objections they 
have, whether they be relevance, whether they be privilege, 
whatever other objections. That provides additional protections 
beyond those with the warrant, which is ex parte.
    But to answer your question about the criminal authorities, 
any subpoena or other orders we'd seek would be in advance of 
our investigation. They would not be at the behest of criminal 
authorities. We do not issue subpoenas or otherwise seek 
evidence at the behest of the criminal authorities. We do it to 
advance our own investigation.
    Mr. Cicilline. Mr. Calabrese, did you want to try that?
    Mr. Calabrese. Yeah, I mean, I think the question that we 
haven't heard an answer to yet is probable cause of what. 
Probable cause of a crime in the criminal context is very 
clear. We know what crimes are. And they're interpreted very 
tightly. Violations of civil law are much broader. I mean, if I 
fill out my tax form incorrectly or I state that this was a 
business expense when maybe it was a vacation, you can say oh, 
I have probable cause to believe that by going through my 
emails, I'm going to find that he was on vacation, not on a 
business trip. So what we really are talking about, no matter 
what the standard is, it's a much broader access to Americans' 
content of their communications.
    Mr. Cicilline. And with respect to that, current law 
provides that the government must show probable cause to obtain 
the content in an email that has been stored by a provider for 
180 days, but can use a lesser process for an email that has 
been stored for 181 days. Is there consensus that this 180-day 
rule is inconsistent with how we use emails today? Should it be 
eliminated? And in addition to that, Mr. Calabrese, in your 
written testimony you give a good list of the digital content 
we all store online, emails, text messages, photographs, music, 
passwords, calendars, and other forms of social networking.
    Do these forms of media merit protection under the Fourth 
Amendment? And is current law adequate to protect any privacy 
interests in this information?
    Mr. Calabrese. Well, I certainly think that the court in 
Warshak believed that the Fourth Amendment should extend to all 
these types of contents of communication. My worry is that we 
don't know what the next new technology is going to look like. 
We don't know what the next way that we're going to keep our 
communications private and confidential is. And so we shouldn't 
be waiting. And ECPA doesn't have a suppression remedy. So 
these actual determinations don't come up that often. We 
shouldn't be waiting for 5 or 10 or 15 years for a court to 
find a strange case that allows them to say we have a 
reasonable expectation of privacy in communications. We all 
seem to agree that the content of communications should be 
protected by the warrant unless Congress says otherwise.
    Mr. Cicilline. Thank you. I yield back.
    Mr. Collins. The gentleman's time has expired. The Chair 
recognizes the gentleman from Texas, Mr. Poe.
    Mr. Poe. I thank the Chairman. I thank all of you all for 
being here. As my friend Mr. Gohmert was, I used to be a 
criminal court judge in Texas for 22 years, felony cases, 
20,000 cases or more. All that time, constantly I had law 
enforcement officers come to me with a request for me to sign a 
search warrant based upon their affidavits. And I signed a lot. 
And some I did not sign because of the basics of the Fourth 
Amendment.
    The Fourth Amendment makes us different than every other 
country on Earth because of our history. It's uniquely United 
States history, goes back to the British who wanted general 
warrants to kick in doors of warehouses in Boston to see if the 
American colonists were storing demon rum they hadn't paid 
taxes on yet. To me, a general warrant is the same as a court 
order. So we have specific warrants. And like I said, I signed 
a lot of them.
    It makes no sense to me that the right of privacy is 
protected for 6 months but it's not protected more than 6 
months. I send a letter, snail mail. And I put that in an 
envelope. And I send it off to one of my grandkids somewhere. 
It floats around in America from post office to post office and 
who else knows where until it gets to grandson. It's protected. 
Generally it's protected. It's a form of communication.
    When we use emails or store in the cloud, it's a form of 
communication wherever the cloud may be. So I think it's 
Congress' responsibility to determine what the expectation of 
privacy is. It's not, God bless them, Federal judges' 
responsibility. It's Congress' responsibility to say this is an 
expectation of privacy for Americans. And when we enter the 
digital age, I don't buy the argument, well, we're in the 
digital age, you got to give up some of your constitutional 
rights so we can have government investigate things.
    Whether it's civil investigation, whether it's criminal 
investigation, I don't buy it. Because the Fourth Amendment 
gets in the way of that. I think it is one of the most 
important rights that we have. So it's our duty to set up a 
standard. Over 300 Members have signed on to Mr. Yoder's bill. 
It hasn't come up for a vote. Ms. Lofgren and I filed a similar 
bill in 2013. We want to get a vote on, I want to get a vote on 
Mr. Yoder's bill. Three hundred and four Members of Congress 
agreeing on something? Really? And I think most Members, 
Republicans and Democrats, see the importance of the privacy.
    Mr. Calabrese, let me start with you. I have a lot of 
questions. And I know I have only 5 minutes. The Warshak case, 
the SEC lost the Warshak case. They did not appeal that, did 
they?
    Mr. Calabrese. No, the case was not appealed.
    Mr. Poe. It was not appealed. The SEC, the way I get it, 
the SEC wants a carve-out for civil investigations. The way I 
see this legislation, it's to protect us from the SEC and the 
IRS and the EPA. Because without this legislation, they could 
keep doing what they're doing. Would you like to comment on 
that, weigh in on that? Civil agencies snooping around in 
email. And I'm using the word snoop, that's my word.
    Mr. Calabrese. We've already seen agency overreach. We saw 
it in this Tea Party investigation. There was no question there 
was improper investigation that was searching for a much 
broader category of information about people than anyone I 
think here is comfortable with. The idea of looking at what 
people are reading, looking at their donor lists as part of a 
civil investigation into someone's tax status is wrong. And it 
disturbs me that if someone can have a high--a relevant 
standard that is so low that we might bring those kind of 
investigations into play, I think that's a problem. And I think 
that that's why we need to limit this very powerful authority 
to warrants that are supervised by judges under probable cause.
    Mr. Ceresney. Judge, may I respond?
    Mr. Poe. Not yet. You can respond in writing because I have 
the same question for all six of you. The basis of a search 
warrant also requires there be notice. Under the current law, 
let's use the SEC or let's use the IRS, I like to use them 
better, they can do their investigation, their snooping, and 
the person being investigated doesn't know about it. Is that 
correct, Mr. Calabrese?
    Mr. Calabrese. It depends on the circumstances. Sometimes 
notice is delayed.
    Mr. Poe. Notice is delayed.
    Mr. Calabrese. Sometimes notice is delayed. Sometimes they 
do know about it.
    Mr. Poe. But would you agree that it's part of our 
fundamental fairness under the Fourth Amendment that there is a 
search warrant, the search warrant is executed, and that there 
is a return to the judge of what was seized or not seized, and, 
eventually, whoever's house was searched or property was 
searched, they get notice of the results of the search warrant?
    Mr. Calabrese. This is one of the most----
    Mr. Collins. The gentleman's time has expired. But the 
witness can answer.
    Mr. Calabrese. This is one of the most invasive things that 
the U.S. Government or any government can do to its citizens, 
it can investigate them, make them the subject of law 
enforcement scrutiny. So, yes, absent some compelling reason 
not to notify them, I think they absolutely deserve to know 
that they are the subject of government scrutiny.
    Mr. Poe. I ask unanimous consent to submit questions for 
the record, Mr. Chairman.
    Mr. Collins. You have unanimous consent to submit as many 
as you like, Judge.
    Mr. Poe. And we should get the southern rule. If we're from 
the south, we should be able to talk longer than just 5 
minutes.
    Mr. Collins. Well, we just are better expressing ourselves 
in our eloquence and slow southern execution.
    Mr. Poe. Thank you, Mr. Chairman.
    Mr. Collins. With that, the Chair recognizes the gentlelady 
from Texas, Ms. Sheila Jackson Lee.
    Ms. Jackson Lee. I thank you so very much, Mr. Chairman. 
And I thank the witnesses. I want to engage in a give and take 
with Mr. Calabrese, Mr. Salgado, and Mr. Rosenzweig if I might. 
But let me just ask a pointed question to Mr. Cook. Let me 
thank all of you for your service. And acknowledge that the 
Warshak case, Mr. Ceresney, I will not attribute your win or 
loss, I will just take the case as a Sixth Circuit case.
    I just want to ask, since that case, the Warshak case, Mr. 
Cook, do you know whether or not the Department of Justice has 
used anything less than a warrant based on probable cause to 
compel a third-party provider to produce the contents of a 
communications? You all adhere to that?
    Mr. Cook. Yes.
    Ms. Jackson Lee. All right. That's good. Let me move on 
then.
    Mr. Cook. That was easy. Thank you.
    Ms. Jackson Lee. Thank you. To say that I come to this with 
a sense of trust of government not to sense that government is 
unworthy and consistently trying to undermine its citizens. But 
I am an adherent to the Fourth Amendment and its value and its 
value with the Founding Fathers. So let me engage the three of 
you. One, I'm going to go to you, Mr. Rosenzweig, to make it 
clear that issues dealing with terrorism and any elements 
thereof are specifically, pointedly, and appropriately excluded 
under this legislation. Are you comfortable with that?
    Mr. Rosenzweig. Very much so. Indeed, that's part of the 
ground for at least my personal view that this legislation is 
appropriate. Given the post-9/11 changes that have empowered 
our national security apparatus to protect us in ways that I 
think are appropriate, it's important to exclude from the 
coverage of this bill those issues. And I think that's 
something we can agree on. And the construction provision that 
is in section 6, I guess it is, of the bill is perfectly 
appropriate to that end.
    Ms. Jackson Lee. I think it is important to make note of 
that. I'm on Homeland Security as well. America is obviously on 
alert. But we've always said since 9/11 that we would not allow 
fear to instruct and guide our interpretation of the 
Constitution. I want to go to Mr. Salgado.
    Mr. Calabrese, there was a law professor at Yale Law School 
with the same name. Do you have any----
    Mr. Calabrese. Sadly, I don't.
    Ms. Jackson Lee. I had his class. So you'll be favored by 
your very name. But let me engage both of you in the question 
of the value and the sanctity of the Fourth Amendment and 
whether or not in this interpretation of this bill, which I 
understand so many of us are on the bill, but 100,000 petitions 
were sent to the White House to support it, whether it is 
obstructionist in terms of preventing law enforcement from 
doing their job. Can you all just engage? Maybe Mr. Calabrese 
will start and Mr. Salgado will finish.
    Mr. Calabrese. Sure. I don't believe that it is 
obstructionist. You know, we're codifying what amounts to 
existing practice and existing protections under the Fourth 
Amendment. We're also saying that you should have notice when 
someone does a search of your most private electronic home. And 
to be clear, unlike a physical warrant where you get that 
notice immediately, we're actually delaying notice for 10 days 
here so that law enforcement has got a head start.
    Ms. Jackson Lee. Absolutely.
    Mr. Calabrese. And then we're allowing a gag provision 
which says that you, in important circumstances, you'll never 
get that notice. I think these are all pretty basic protections 
for anyone. And, honestly, if there are issues around the 
edges, I'm not sure that there are, but if there are, I think 
that's why we have markups, so that we can bring these issues 
forward, we can take votes on whether there's anything here 
that we should be concerned about, and then we can get this 
bill to the floor.
    Ms. Jackson Lee. Thank you. Mr. Salgado, let me say that I 
too served as a judge and did a lot of PC warrants for police 
officers. And I think this should be a comfort. I had a 
responsibility to the police officer but also to the citizens, 
to be able to inquire what the basis of this warrant was. And 
that layer was placed in my hands.
    I think the American people place their protection in our 
collective hands. What do you think? What is your perspective 
on that? And maybe, Mr. Ceresney, you might want to answer that 
you are not hindered by the present Sixth Circuit 
interpretation. But go ahead, Mr. Salgado.
    Mr. Salgado. Yeah, I agree with that completely. The role 
of the neutral and detached magistrate in American 
jurisprudence is a significant one. It's something that really 
sets America apart from a lot of countries, and gives us a 
layer of protection to make sure that well-meaning but perhaps 
poor judgment in some cases is overridden by the cooler 
judgment of a magistrate who doesn't have a particular interest 
in a case. It's significant for Fourth Amendment, it's no 
accident that that is the standard for valid warrants.
    Ms. Jackson Lee. Quickly. Thank you. Mr. Ceresney, do you 
want to comment on that as Mr. Yoder sits in the room on pins 
and needles wondering how we're going to treat his bill?
    Mr. Collins. The gentlelady's time has expired. But the 
gentleman can answer.
    Ms. Jackson Lee. Thank you, Mr. Chairman.
    Mr. Ceresney. I couldn't agree more that it is important to 
have a role for a judge in this situation to provide objective 
views on the matter. And that's why the order that we are 
proposing would be before a judge with notice to the 
subscriber. And the subscriber would be able to bring before 
that judge whatever objections they have to our seeking the 
email.
    And that is actually the remedy that we are seeking in this 
case. We would try to obtain that email from the subscriber. If 
we couldn't, then we would go before a judge and try to obtain 
the order. And the judge would be the objective factfinder to 
determine whether we've met the standard.
    Ms. Jackson Lee. Mr. Chairman, I like this bill. But I'm 
willing to listen to the gentlemen. But I like our bill before 
us. And I look forward to it going to markup. I yield back.
    Mr. Collins. Thank you. The gentlelady's time has expired. 
The Chair now recognizes the gentleman from Pennsylvania, Mr. 
Marino.
    Mr. Marino. Thank you, Chairman. Good afternoon, gentlemen. 
My question here is going to be directed to Mr. Rosenzweig and 
Mr. Salgado in that order. Please speak to the trends of users 
moving to encrypted services, often hosted overseas in order to 
seek privacy, and how this might make us less safe than if we 
had a clear framework in place. Do you understand my question?
    Mr. Rosenzweig. I do understand your question. I think to 
begin the answer, obviously, the encryption discussion is 
slightly different than the one we're having now about the 
lawful access to content. What I would say about the encryption 
discussion is that it is essentially a reflection of the exact 
same impulse, which is that people are seeing increasingly the 
lack of privacy in their personal effects and papers in their--
I like the idea of a digital home, their electronic home. And 
to the extent that this Congress does not take steps to protect 
that privacy by law, encryption is essentially citizens 
engaging in self help and protecting themselves with their own 
capabilities.
    I would say that, from my perspective, encryption is an 
idea. It's a mathematical proof. It's not suppressible. So if 
we do not regularize access through things like the proposal 
before you that will provide comfort to citizens, they're going 
to engage even more, I think, in self help.
    Mr. Marino. Thank you. Mr. Salgado?
    Mr. Salgado. I agree completely with that statement. And I 
think to the point in your question about the movement of users 
to services overseas, I think that's a natural consequence of 
the misimpression that U.S. Government has such easy access to 
the data providers. And it's not true. And this bill will help 
make it clear. And it will help prevent the fleeing of users to 
other services based on this misperception.
    Mr. Marino. Thank you. Mr. Cook and Mr. Littlehale, I have 
18 years of law enforcement behind me, prosecution, State and 
Federal level. And as far as I'm concerned, what I've seen here 
since I've been in Congress, and this is only my third term, 
the less Federal Government in my life, the better.
    Basically what NSA has done, what the IRS, and there are 
many more that we could get into, the overreaching and what I 
think is criminality that has taken place in these agencies. 
But being a law enforcement guy, and I've prosecuted many child 
abuse cases and pornography cases, if the two of you can 
quickly tell me what the obstacle is to you and how we can fix 
that. Because I know in some investigations that I had, I 
didn't want the person who was looking at and transferring and 
uploading and downloading child pornography to know at this 
point of my investigation that he was the target or she was the 
target. Could you please respond?
    Mr. Cook. Yes, sir. And I'm concerned that we've lost sight 
of that issue and the exigent or emergency aid exception issue, 
so if I could just begin with that. The concern that we have is 
many of these investigations, whether it's child pornography or 
any other type of investigation, many fraud investigations 
involve dozens, sometimes hundreds or thousands sometimes in 
child pornography cases of targets. For us to get the content 
and then have to let the target of the investigation know is a 
new discovery requirement that puts the targets, whether it's 
terrorism or otherwise, on notice that we're looking at them. 
It's unprecedented, I've said that, unprecedented in our law.
    Mr. Marino. What is the change that we can make? And Mr. 
Littlehale, you go, and then collectively tell me what the 
changes are that you would like to see.
    Mr. Littlehale. Thank you, Congressman. If all we were 
interested in is extending and leveling the playing field for 
the 180-day rule and content, this bill would be a page long. 
The notice provisions that you're talking about, along with the 
additional protections that the bill provides, are one of the 
great reasons that we're concerned about it. While I certainly 
think that we would like to have a conversation, I think those 
are a little bit more than issues around the edges.
    I mean, the body of our concern about the bill is that when 
we get a warrant, we want it to mean something. That's true on 
the earlier point with respect to encryption. You know, if I 
serve a search warrant on somebody, I want to have access to 
that evidence. And in many instances now, I don't. Well, I want 
to find that evidence in other places. And if it's denied to me 
because of delays or because of burdensome notice provisions, 
those slow me down. They make me less effective as an 
investigator. And I believe that this Committee should 
undertake a robust review of what this bill is going to do to 
the----
    Mr. Marino. My time has run out. Would the two of you 
please put in writing and get it to me what you think could be 
a remedy for this, and anyone else who wants to address that as 
well.
    Listen, I am just as much a Fourth Amendment advocate as I 
am putting these people behind bars. And I wish I--no one 
should have to look at the photos of the kids that I've looked 
at and you've seen over the years and question as to why we 
need to have some delay before letting that person know that 
they're going to be arrested. I yield back. Thank you.
    Mr. Collins. The gentleman's time has expired. The Chair 
now recognizes the gentleman from New York, Mr. Jeffries.
    Mr. Jeffries. I thank the distinguished Chair. And I thank 
the witnesses for your presence here today.
    I want to follow up on that discussion from my good friend 
from the great State of--the Commonwealth of Pennsylvania. Mr. 
Cook, I know you've expressed concerns as it relates to the 
notice requirement. And I think in your testimony you refer to 
the provisions as a red alert tool that could notify an 
individual that he or she is under investigation. Is that 
right?
    Mr. Cook. That is correct.
    Mr. Jeffries. And if you could just kind of walk me through 
a series of responses as it relates to the particular concern 
that you've got with the notice provision. Because it's my 
understanding that section 4 permits up to 10 days of delayed 
notice. Is that right?
    Mr. Cook. That's correct.
    Mr. Jeffries. And is it your view that the 10 days is 
inadequate?
    Mr. Cook. So I think it's important for me to point out 
that in our discussions already, we have drawn parallels with 
the Fourth Amendment as it applies in other contexts. And 
everybody seems in agreement that that's the goal, is to make 
the bill parallel Fourth Amendment protections.
    But this bill does more than that. And here's why. For 
example, if you have terrorists working out of an apartment, a 
third-party's apartment, and there is evidence in that 
apartment, we get a search warrant, search that apartment, 
there's no obligation for us to tell the terrorists that we've 
gotten evidence out of that apartment that can be used against 
them.
    Mr. Jeffries. Right. But this bill doesn't necessarily 
impose that obligation. It's a default provision, but there are 
steps that the government can take under exigent circumstances. 
I wouldn't think that it would be sound public policy to create 
a law that simply applies in the instance of the terrorist 
context where this is a country of 300-plus million people that 
values their privacy rights, so there has got to be an 
appropriate balance between the legitimate ability of law 
enforcement to help keep us safe and to prosecute wrongdoers to 
the full extent of the law, and the civil rights and civil 
liberties of American citizens. Is that correct?
    Mr. Cook. As an email user, I could not agree more, but I 
think that the Fourth Amendment has already reached that 
balance because in the analogy that I've given you, when we 
search that third-party's home or service provider, that 
homeowner or service provider is within their rights to contact 
whomever they want to notify them.
    There has never been an obligation for the government to 
figure out who the evidence is going to be used against and to 
notify them. That's why I say this is unique in the law, and 
I've never seen it before.
    Mr. Jeffries. Now, as it relates to sort of the 10 days 
delay, if the government concludes that additional delay is 
warranted, this bill, correct, provides for a court to make 
that determination that the notice can be delayed indefinitely. 
Is that right?
    Mr. Cook. Not indefinitely. There's a 180-day limitation, 
and then there's a recurring obligation to reach back to the 
court.
    Mr. Jeffries. Right, but after that 180-day period expires, 
the government can go back to the court and request another 
180-day delay. Is that correct?
    Mr. Cook. That is correct. There are narrow limitations on 
it. For example, one of the limitations is that if we can show 
that there would be harm to another individual, but there are 
many times when the harm could be to a community rather than an 
individual, and I wish I could report to you that all judges 
are reasonable and will always, in the right circumstances, 
limit that new constant--or this new statutory notice rule, but 
the truth is that that just isn't how it works, and expanding 
these obligations on the government will come with great risk 
in serious cases.
    Mr. Jeffries. But there are times that an Article III judge 
can reasonably, or a magistrate that's not an Article III 
judge, but an Article III judge or magistrate could reasonably 
disagree with the government as it relates to privacy 
protections and potential overreach. Is that correct?
    Mr. Cook. Of course. Of course it is, and there are times 
when that will--that this agreement will result in notification 
to--under this newly created rule, to targets of criminal 
investigations and alert them to allow them to flee or 
otherwise destroy evidence or otherwise engage in bad behavior.
    Mr. Jeffries. Mr. Calabrese, could you speak to the 
adequacy of this notice requirement in your view?
    Mr. Calabrese. I believe it's a very strong notice 
requirement and constitutionally appropriate with a very strong 
delay procedure. One of the things I'm struggling with a little 
bit is, we're talking about a circumstance where I am going 
before the judge and getting a search warrant. At that same 
time, I may get a delay of that search warrant, so we're not 
talking about some kind of separate process where I've got to 
go through an additional burden.
    When I get the warrant, I can also make the case that I 
must delay notice. That can happen for 180 days. Before a 
provider or anyone else, you know, notifies the subject, they 
have to tell the government that they are going to do that, 
giving the government an ability to go back to the court and 
say, you know what, the reasons for our delay have not ended 
and we need to expand it. I mean, I think it's a very 
reasonable, very balanced approach that supports a fundamental 
constitutional value, one of notice that's embedded in the 
Fourth Amendment.
    Mr. Jeffries. Thank you. I yield back.
    Mr. Collins. The gentleman's time has expired. At this 
time, the Chair recognizes the gentleman from Texas, Mr. 
Ratcliffe.
    Mr. Ratcliffe. Thank you, Mr. Chairman. As a former U.S. 
attorney, I always appreciate and listen to concerns expressed 
by law enforcement whenever Congress proposes changes to a law 
that may impact your ability to do your job because you're the 
folks that are working so hard to keep us safe, and I want to 
certainly make sure you have the tools and resources and 
capability necessary to do that effectively.
    That being said, I also strongly believe that in an 
increasingly connected, complex, digital society, our laws have 
to be modernized to make sure they reflect the current 
technological landscape. As our technology is evolving, this 
extremely personal information is being stored on our 
computers, on our smartphones, on our Fitbits, where we travel, 
what we eat, what we read, where we shop, who we communicate 
with, all highly personal information, and so we've got to make 
sure we've got robust protections in place for that.
    I certainly don't believe that the Fourth Amendment 
protections that we all hold so dear and the needs of law 
enforcement are mutually exclusive. And I appreciate all the 
witnesses being here today to have a thoughtful discussion 
about that.
    Mr. Ceresney, I want to start with you because, from my 
perspective, it seems like that the SEC has been the most vocal 
civilian agency in expressing concerns about modifying ECPA, 
but the SEC doesn't appear to have served a subpoena on a 
commercial provider in 5 years since the Warshak decision. And 
despite that, the SEC's annual report last year, 2014, touted a 
record year, cutting edge enforcement actions, more cases than 
ever before, a number of first ever cases that span the 
securities industry.
    And I know that Chairman White has testified that the SEC 
isn't issuing subpoenas to third-party service providers for 
content. So given the record number of cases, enforcement 
actions, and first ever cases brought by the SEC, all done 
without encroaching on Fourth Amendment rights of Americans, 
why is the SEC asking Congress to give it the authority to get 
content on something less than a warrant?
    Mr. Ceresney. Well, we certainly have been successful, we 
think, in enforcing the securities laws, but that does not mean 
that there aren't cases that we would benefit tremendously from 
emails that we would be able to obtain from ISPs. And I guess 
the point that I would assert is that the Fourth Amendment is 
not violated by what we are proposing, which would be an order 
before a judge, which a judge could issue, with notice to the 
subscriber after the subscriber has the opportunity to raise 
whatever objections they have under a standard that Congress 
would establish. And from our perspective, that does comply 
with the Fourth Amendment, and it also balances privacy 
protections because you would have an objective factfinder 
reviewing the situation and determining whether it's 
appropriate for us to obtain emails in that circumstance.
    And I can tell you that there are ongoing investigations 
now, which we have refrained from seeking those emails from 
ISPs, which would definitely benefit from such emails.
    Mr. Ratcliffe. When you say what you are proposing, I mean, 
how have you been proposing it?
    Mr. Ceresney. We've had ongoing discussions with Members of 
Congress about these issues for the last couple of years.
    Mr. Ratcliffe. Okay. Well, because, you know, from my 
perspective, it seems like you've been altering your behavior 
for the last few years in response to this opinion rather than 
coming to a committee of jurisdiction, at least from my 
perspective. I know that when FBI has a problem, they come and 
let us know what it is and how we can fix it.
    Mr. Ceresney. We've been having ongoing discussions with 
the staff of both Judiciary Senate and House Judiciary 
throughout this period, certainly since I've been at the SEC, 
which is over----
    Mr. Ratcliffe. That's fair enough. Thanks for that.
    Mr. Salgado, in your testimony, paraphrasing here a little 
bit, but essentially you seem to be saying that H.R. 699 is 
really just a codification of the status quo under Warshak. Is 
that right?
    Mr. Salgado. That's accurate, yes.
    Mr. Ratcliffe. Okay. You don't think that H.R. 699 goes 
beyond the holding in Warshak?
    Mr. Salgado. I don't think it does. I'm happy to hear 
suggestions, but my review of Warshak and the bill suggests 
that they're very consistent.
    Mr. Ratcliffe. Mr. Calabrese, you agree with that?
    Mr. Calabrese. I do.
    Mr. Ratcliffe. Mr. Rosenzweig.
    Mr. Rosenzweig. I think I do. I haven't done--I haven't 
checked precisely, though.
    Mr. Ratcliffe. Okay. I'm going to yield. My time is about 
to expire, so I'm going to yield back the balance of my time. 
Thank you all for being here.
    Mr. Collins. The gentleman yields back. Now the Chair 
recognizes himself for questions.
    Mr. Salgado, there has been an issue, and we brought this 
up here in this emergency issue of provisions, emergency 
disclosure mechanisms, and Mr. Littlehale, actually, in his 
written testimony, that the primary emergency disclosure 
mechanism currently in law are voluntary. He also mentions that 
companies are often--and this is his words--unable or unwilling 
to respond to law enforcement's lawful demands in a timely 
manner.
    Now, I think we all would agree true emergencies are there, 
and as a son of a Georgia State trooper, there's not going to 
be anybody that would deny the need from a law enforcement 
perspective. However, it seems to be implying that there's 
something missing here. So we did a little bit of research in 
our office and with others, and based on the concerns we saw, 
that publishing Google's transparency report, based on that 
report, which we have looked at, it says Google received 171 
emergency disclosure requests and provided at least some data 
in response to 80 percent of emergency disclosure requests.
    One, I think, for most people to understand it, we've 
looked into it, but I'd like to hear your answer. To better 
understand that, can you explain why Google responded to only 
80 percent of these requests, break down those numbers for us, 
and why couldn't the response rate be 100 percent, given what 
has been heard from Mr. Littlehale here.
    Mr. Salgado. Sure. I'd be happy to. I think the statistic 
you're referring to is in our transparency report.
    Mr. Collins. Yes.
    Mr. Salgado. We've been publishing that number for a while 
here so that policymakers and others can get an idea of what 
this work is like. The number is actually relatively low, 171 
compared to the type of legal process we get.
    The 80 percent represents lots of different situations 
where the emergency doesn't justify the disclosure. Often, the 
case is that the identifier that's given to us in the emergency 
request doesn't actually go back to any real account. So there 
are some services out there where you can create an account 
using a Google or any email address, and it's not verified that 
there is such an address. They may use that account to threaten 
a school shooting or engage in some other violent activity.
    The authorities quite legitimately will come to Google and 
ask us for information about this account that was used to 
create the account that made the threat. We look in our system, 
and there is no such account, so the response back is we have 
no data to produce in response to this otherwise legitimate 
emergency request. That gets counted as a nondisclosure, and 
that adds into the 20 percent where there was not a disclosure. 
There was no responsive data.
    That's probably the most common situation in that 20 
percent. There may be other situations where the request is 
coming in and the emergency is over, that the investigation is 
now actually about a historical crime, there is no ongoing 
threat of loss of life or serious physical injury, which means 
it's inappropriate to be using that authority to get the 
information.
    And we are able to, at that point, say this doesn't look 
like an ongoing emergency, we can preserve the information, and 
when you come back to us with the legal process, we can 
promptly disclose.
    Mr. Collins. Okay. And just real quickly, but you went on 
with your answer long enough to bring up a question. Are you 
making that determination if the emergency situation is still 
ongoing?
    Mr. Salgado. That's right. The statute----
    Mr. Collins. Not the law enforcement agency offering?
    Mr. Salgado. The statute says that we are allowed to 
disclose if we have a good faith belief that there's an 
emergency.
    Mr. Collins. Okay. Mr. Littlehale, when you testified 
before House Judiciary Committee in 2013 about the emergency 
disclosure issue, you said that some providers make a decision 
never to provide records in the absence of legal process, no 
matter the circumstance.
    Can you identify the service providers that have a policy 
of categorically rejecting emergency requests in the absence of 
compulsory legal process? If not, why?
    Mr. Littlehale. Congressman, as I stated in response to the 
question at the time, I have made the decision not to identify, 
in the examples that I give, specific providers because I don't 
want to highlight a vulnerability in a public forum. There may 
come a time when we do have to disclose that.
    Mr. Collins. Well, I tell you what. I would like to request 
you can submit that in a nonpublic forum, but I'm really 
concerned here that we're making a categorical statement 
without categorical proof.
    Mr. Littlehale. Well, I can certainly say anecdotally that 
the agents----
    Mr. Collins. No, I want to know--you made a direct 
statement.
    Mr. Littlehale [continuing]. That I work with have been 
told that by providers.
    Mr. Collins. Mr. Littlehale, you made a direct statement. 
It wasn't anecdotally. I didn't start off by saying, 
``Anecdotally, providers make a decision never.'' You said in 
your testimony, providers make a decision never to provide 
records in the absence of legal process, no matter the 
circumstance, and that's a very direct statement against the 
business practices of Internet providers.
    Is it true? Is it not true? Do you have evidence? Or do you 
not have evidence?
    Mr. Littlehale. I have been told that by providers, yes.
    Mr. Collins. But you don't have evidence. You made a 
statement that is not grounded, except anything and 
anecdotally.
    Mr. Littlehale. Well, I'd say I would suggest that I do 
have evidence. I have been told that by providers.
    Mr. Collins. Well, I was told that there was a Santa Claus, 
but I found out real quickly there wasn't. I mean, I'm trying 
to figure out----
    Mr. Littlehale. Congressman, I would suggest that that's 
evidence. If you choose not to believe me, then I suppose I 
can't help you with that, but I have been told and agents that 
work for me have been told that in some cases.
    Mr. Collins. I'll just let that one sit.
    Mr. Ceresney, during an exchange with Senator Leahy in a 
Senate hearing on this topic, you said that with regard to 
phone calls, you're not seeking authority, the criminal--
authority that criminal authorities have that civil agencies do 
not, but in seeking to get access to emails without a warrant, 
you're essentially seeking something more than the authority, 
the criminal authorities have. Isn't that contradictory?
    Mr. Ceresney. I don't think we're seeking more authority 
than the criminal authorities have.
    Mr. Collins. So what are you seeking?
    Mr. Ceresney. I'm sorry?
    Mr. Collins. Then what are you seeking? I'll give you a 
chance to clarify that.
    Mr. Ceresney. Sure. What we're seeking is the ability to 
obtain emails after we try to obtain them from an individual 
subscriber by going to a court and obtaining a court order with 
notice to the subscriber and allowing the subscriber to raise 
whatever objections they have before the court.
    Mr. Collins. Well, I think it's--and like I said, it's 
interesting that some of the testimony that's been given here, 
and I think, you know, it's very concerning from some issues of 
anecdotal evidence and real evidence and discussion, especially 
on the SEC side, when you're, you know, giving the--you know, 
your own report saying you're doing more than you've ever done 
here, yet without this, by choice or decision, however you're 
wanting to do it.
    Mr. Calabrese, one last question for you, as my time is now 
over. But in dissent from the FTC request of civil agency carve 
out, FTC Commissioner Brill wrote, ``I am not convinced that 
this authority is necessary to maintain the commission's 
effectiveness as a law enforcement agency now or in cases that 
we can presently foresee. On the other hand, I am concerned 
that the judicial mechanism for civil law enforcement agencies 
to obtain content from ECPA providers could entrench authority 
that have potential to lead invasions of individual privacy, 
and under some circumstances, may be unconstitutional in 
practice.''
    Could you speak very briefly. Do you agree or disagree with 
his concern?
    Mr. Calabrese. I do worry that we will create an 
unconstitutional or incredibly reckless carve out for civil 
agencies. And my hope is that we continue to push H.R. 699 
forward as is to a markup and we can vote and get it to the 
floor. Thank you.
    Mr. Collins. Well, I appreciate it. In looking around and 
seeing how it's just me and the distinguished Ranking Member, 
this concludes today's hearing. I'd like to thank all the 
witnesses for attending. Without objection, all Members have 5 
legislative days to submit additional written questions for the 
witnesses or additional materials for the record.
    And with that, this hearing is adjourned.
    [Whereupon, at 12:28 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

 Prepared Statement of the Honorable Doug Collins, a Representative in 
   Congress from the State of Georgia, and Member, Committee on the 
                               Judiciary
    Mr. Chairman, thank you for holding today's hearing on H.R. 699, 
the Email Privacy Act. I appreciate the chance to discuss this 
important legislation and hear from the witnesses. I hope that today's 
hearing is just the first step towards Committee mark-up and 
consideration of H.R. 699.
    H.R. 699 was introduced by my friend from Kansas, Rep. Kevin Yoder. 
I am a cosponsor and strong supporter of the Email Privacy Act. If 
enacted, the bill would update the Electronic Communications Privacy 
Act to better reflect advances in technology and to ensure that 
Americans' electronic communications are protected from unwarranted 
government intrusion.
    As of today this legislation has 305 cosponsors, earning it the 
distinction of being the most supported piece of legislation in the 
House that has not yet received consideration on the House Floor. 
Twenty-eight of these cosponsors serve on the House Judiciary 
Committee. The majority of each party has cosponsored the legislation. 
It is not often that you see this type of overwhelming bipartisan 
support for legislation, but the numbers speak for themselves that this 
issue is one that deserves and demands consideration.
    I understand that certain Members may have concerns with specific 
provisions of the legislation. While I support the legislation in its 
current form, I think the best way to address these concerns is through 
a markup of the legislation, where amendments can be discussed and 
democratically considered. No one is served by this legislation 
languishing in legislative limbo.
    Law enforcement needs clarity. Internet service providers need laws 
that accurately reflect their technological advances. And most 
importantly, the American people need and deserve privacy protections 
guaranteed to them by the Fourth Amendment of the United States 
Constitution.
    It is past time that our digital privacy laws were updated to 
reflect today's technology and communications climate. The Electronic 
Communications Privacy Act (ECPA) was written in 1986, and intended to 
balance the interests of preserving citizens' privacy rights while 
protecting legitimate law enforcement needs. While the principles 
behind the law are still critically important and it remains a hallmark 
of privacy protections for communications, in practice many parts of 
the law simply have not kept up with the world as it is today. ECPA--
and in particular the Stored Communications Act (SCA) provision of the 
law--must be amended to reflect the realities of the digital era in 
which we live.
    The Email Privacy Act takes critical steps to update ECPA so that 
Americans' Fourth Amendment rights are better protected and so that 
citizens can communicate on the internet free from unwarranted 
government snooping.
    The bill eliminates the outdated ``180 day'' standard from current 
law. Current law under ECPA does not require law enforcement to obtain 
a warrant to access the content of emails or other forms of online 
communication--such as documents stored on a cloud service--if they are 
more than 180 days old. For messages over 180 days old, only a 
subpoena--rather than a warrant--is required for access. While this 
distinction may have made sense when storage space on personal 
computers was extremely limited and emails were still a fledgling and 
rarely used form of communication, it certainly does make sense today. 
Americans deserve the same strong Fourth Amendment protections whether 
their emails are a day old or several months old. The Email Privacy Act 
addresses this issue by instituting a requirement that law enforcement 
obtains a search warrant before accessing the content of Americans' 
private emails and online communications.
    H.R. 699 would essentially codify a decision issued by the Sixth 
Circuit Court of Appeals in 2010 in United States v. Warshak while 
clarifying additional privacy protections. In Warshak the Court held 
that the government's accessing of 27,000 emails directly from a 
suspect's internet service provider (ISP) with a subpoena and an ex 
parte order was unlawful under the Fourth Amendment. Specifically, the 
Sixth Circuit said that subscribers have ``a reasonable expectation of 
privacy in the contents of emails `that are stored with, or sent or 
received through, a commercial ISP''' and ``to the extent that the SCA 
purports to permit the government to obtain such emails warrantlessly, 
the SCA is unconstitutional.'' \1\
---------------------------------------------------------------------------
    \1\ United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).
---------------------------------------------------------------------------
    In light of Warshak and the Email Privacy Act, the Securities and 
Exchange Commission (SEC) and other civil agencies have sought 
exemptions from the warrant requirement, arguing instead that it should 
be allowed to retain subpoena powers. The SEC maintains that subpoena 
authority is critical for their investigations, but that statement has 
been called in question by SEC Chair Mary Jo White's admission that the 
SEC has not used subpoena authority post-Warshak.
    The Federal Trade Commission (FTC) has made similar claims that it 
should be subject to a warrant exemption when seeking content from 
ISPs. However, Commissioner Brill went so far as to file a dissent to 
the FTC's request for a carve out. Commissioner Brill stated, ``I am 
not convinced that this authority is necessary to maintain the 
Commission's effectiveness as a law enforcement agency now or in cases 
that we can presently foresee. On the other hand, I am concerned that a 
judicial mechanism for civil law enforcement agencies to obtain content 
from ECPA providers could entrench authority that have the potential to 
lead to invasions of individuals' privacy and, under some 
circumstances, may be unconstitutional in practice.''
    I share Commissioner Brill's concerns. Absent much more compelling 
evidence from civil investigative agencies, I do not believe that these 
agencies should be allowed to pry into Americans' personal lives based 
solely on subpoena authority. This kind of change could fundamentally 
harm the important steps taken in H.R. 699 to better protect Americans' 
rights to have their online communications protected.
    Let me make clear that I believe it is critical law enforcement has 
the tools they need to prevent and fight crime. My father was a Georgia 
State Trooper, so I was instilled with respect and admiration for our 
men and women in uniform from a young age. I believe that in true 
emergencies, law enforcement needs to be able to access information 
quickly. I believe there are potentially legitimate reasons that law 
enforcement would seek the content of an individual's online 
communication. However, I do not believe that we should create so many 
carve-outs and exceptions to the law that the purpose of the 
legislation is lost. We must carefully balance the needs of law 
enforcement with the rights of Americans.
    The Email Privacy Act updates ECPA to restore that balance and 
bring our privacy laws into today's world. I look forward to hearing 
from our witnesses, and I hope that today is a step closer towards 
passage of H.R. 699.
    Thank you Mr. Chairman, I yield back.

                                

       Prepared Statement of the Honorable Sheila Jackson Lee, a 
    Representative in Congress from the State of Texas, and Member, 
                       Committee on the Judiciary
    Thank you, Mr. Chairman. Let me extend my thanks to you and Ranking 
Member Conyers for working together in a spirit of bipartisanship to 
convene this important hearing on H.R. 699, the ``Email Privacy Act.''
    The Fourth Amendment to the United States Constitution states:

          ``The right of the people to be secure in their 
        persons, houses, papers, and effects, against unreasonable 
        searches and seizures, shall not be violated, and no warrants 
        shall issue, but upon probable cause, supported by oath or 
        affirmation, and particularly describing the place to be 
        searched, and the persons or things to be seized.''

    The Fourth Amendment originally enforced the notion that ``each 
man's home is his castle'', secure from unreasonable searches and 
seizures of property by the government.
    The authors of the Constitution had good cause to work to establish 
protections against government overreach, which they themselves 
experienced.
    In our history we can understand the seriousness with which the 
Founding Fathers viewed government authority to search private 
citizens' correspondence or communications.
    The British authorities used writs of assistance, a form of general 
warrant, which permitted house-to-house searches.
    These orders generally failed to allege any illegal activity and 
were not approved by a judge.
    John Adams credited these practices as being ``the spark in which 
originated the American Revolution.''
    As a direct result the founders of this nation drafted the Fourth 
Amendment to the Constitution of the United States.
    However, beginning with the 1967 Supreme Court decision in Katz v. 
United States (establishing the ``reasonable expectation of privacy'' 
test), the Court held that what a person knowingly exposes to the 
public, even in a home or office, is not subject to Fourth Amendment 
protection.
    This holding began the move to establish what has become known as 
the Third Party Doctrine--such that the Fourth Amendment does not 
prohibit the obtaining of information revealed to a third party and 
conveyed to him by Government authorities, even if the information is 
revealed on the assumption that it will be used only for a limited 
purpose and the confidence placed in the third party will not be 
betrayed.
    The Third Party Doctrine was expanded in two key Supreme Court 
decisions in the mid- to late 1970s: U.S. v. Miller, 425 U.S. 435 (1976) 
(holding that one does not have a constitutionally protected privacy 
interest in personal records held by a bank), and Smith v. Maryland, 
442 U.S. 735 (1979) (holding that the installation and use of the pen 
register was not a ``search'' and thus no warrant was required).
    These integral cases came before the Internet and long before the 
use of Cloud-based computing services, but their impact is still felt 
today.
The Modern Communication Age
    In possibly the first survey of its kind, in 1983, the polling firm 
Louis Harris & Associates asked U.S. adults if they had a personal 
computer at home and, if so, if they used it to transmit information 
over telephone lines.
    Just 10% of adults surveyed said they had a home computer and, of 
those, 14% said they used a modem to send and receive information.
    The resulting estimate was that 1.4% of U.S. adults used the 
internet in 1983.
    In 2014, the Pew Center for American life found that eight in ten 
U.S. adults (81%) say they use laptop and desktop computers.
    Further, 90% of adults in the United States own a smartphone, 
providing them with instant access to email services.
    While the 1986 enactment of the Electronic Communications Privacy 
Act (ECPA) (which sought to govern how law enforcement agencies and 
private parties may access electronic communications) was meant to be 
forward looking as technologies began to rapidly advance, and various 
lower court decisions such as the 2010 Sixth Circuit case U.S. v. 
Warshak, 631 F.3d 266 (6th Cir. 2010), (which held that subscribers 
have a reasonable expectation of privacy in the content of electronic 
communications and that the government must obtain a warrant to access 
email stored by a third party), have attempted to clarify and govern 
electronic storage on third party servers, constitutional and 
legislative privacy safeguards for electronic communications and other 
forms of developing digital media are wholly inadequate for modern 
times.
    The advent of Cloud Computing services has only further broadened 
the question of third parties and communications due to the storage of 
not only emails, but digital photos, video, audio, electronic books, 
music preferences, political views, religious beliefs or the lack 
thereof.
    Smart devices in use by tens of millions of Americans allow for the 
collection, and retention of much more information--and that retention 
is outside of the control of the email user.
    The use of email as a primary means of communication is not limited 
to individuals, but obviously extends to businesses.
    The number of worldwide email accounts continues to grow from over 
4.1 billion accounts in 2014 to over 5.2 billion accounts by the end of 
2018.
    The total number of worldwide email users, including both business 
and consumer users, is also increasing from over 2.5 billion in 2014 to 
over 2.8 billion in 2018.
    Email remains the most pervasive form of communication in the 
business world. While other technologies such as social networking, 
instant messaging (IM), mobile IM, and others are also taking hold, 
email remains the most ubiquitous form of business communication.
H.R. 699 a Step in the Right Direction
    H.R. 699, the Email Privacy Act, will amend the 29-year-old 
Electronic Communications Privacy Act to prevent the government from 
accessing private electronic communications without a warrant.
    Specifically, the Email Privacy Act will prohibit a provider of 
remote computing service or electronic communication service (including 
email communications) to the public from knowingly divulging to a 
governmental entity the contents of any communication that is in 
electronic storage or otherwise maintained by the provider, subject to 
exceptions.
    H.R. 699 will revise provisions under which the government may 
require a provider to disclose the contents of such communications.
    The bill further clarifies the Electronic Communication Privacy Act 
of 1986 by eliminating the different requirements applicable under 
current law, such as how communications would be treated if they are:
    o stored for fewer than, or more than, 180 days by an electronic 
communication service; or
    o held by an electronic communication service as opposed to a 
remote computing service.
    Importantly, this bill requires the government to obtain a warrant 
from a court before requiring providers to disclose the content of such 
communications regardless of how long the communication has been held 
in electronic storage by an electronic communication service, or 
whether the information is sought from an electronic communication 
service or a remote computing service.
    FBI Director Comey has testified that the current practice of the 
FBI is to obtain a warrant for e-mail communications, and that this 
bill would not change their current practices.
    Moreover, this bill would not change any of the existing exceptions 
in the Electronic Communication Privacy Act that allow emergency 
requests for assistance to be processed in a timely manner.
    The bill does require a law enforcement agency, within 10 days 
after receiving the contents of a customer's communication, or a 
governmental entity, within 3 days, to provide a customer whose 
communications were disclosed by the provider a copy of the warrant and 
a notice that such information was requested by, and supplied to, the 
government entity.
    It further allows the government to request delays of such 
notifications.
    H.R. 699 is an important measure that directs the Comptroller 
General to report to Congress regarding disclosures of customer 
communications and records under provisions: (1) as in effect before 
the enactment of this Act, and (2) as amended by this Act.
    The Constitution of the United States is alive and well in the 21st 
Century, and this bill through overwhelming bipartisan support is 
making strides to make sure that citizens are secure in their digital 
records and effects.
    Again, thank you for holding this important hearing and I look 
forward to the testimony of our distinguished panel of witnesses.
    Thank you. I yield back the remainder of my time.
    
    
    
 


                                 [all]