[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]






  THE ENCRYPTION TIGHTROPE: BALANCING AMERICANS' SECURITY AND PRIVACY

=======================================================================

                                HEARING

                               BEFORE THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 1, 2016

                               __________

                           Serial No. 114-78

                               __________

         Printed for the use of the Committee on the Judiciary



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]






      Available via the World Wide Web: http://judiciary.house.gov
                                     ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

98-899 PDF                     WASHINGTON : 2016 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001    
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
                       COMMITTEE ON THE JUDICIARY

                   BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        JERROLD NADLER, New York
LAMAR S. SMITH, Texas                ZOE LOFGREN, California
STEVE CHABOT, Ohio                   SHEILA JACKSON LEE, Texas
DARRELL E. ISSA, California          STEVE COHEN, Tennessee
J. RANDY FORBES, Virginia            HENRY C. ``HANK'' JOHNSON, Jr.,
STEVE KING, Iowa                       Georgia
TRENT FRANKS, Arizona                PEDRO R. PIERLUISI, Puerto Rico
LOUIE GOHMERT, Texas                 JUDY CHU, California
JIM JORDAN, Ohio                     TED DEUTCH, Florida
TED POE, Texas                       LUIS V. GUTIERREZ, Illinois
JASON CHAFFETZ, Utah                 KAREN BASS, California
TOM MARINO, Pennsylvania             CEDRIC RICHMOND, Louisiana
TREY GOWDY, South Carolina           SUZAN DelBENE, Washington
RAUL LABRADOR, Idaho                 HAKEEM JEFFRIES, New York
BLAKE FARENTHOLD, Texas              DAVID N. CICILLINE, Rhode Island
DOUG COLLINS, Georgia                SCOTT PETERS, California
RON DeSANTIS, Florida
MIMI WALTERS, California
KEN BUCK, Colorado
JOHN RATCLIFFE, Texas
DAVE TROTT, Michigan
MIKE BISHOP, Michigan

           Shelley Husband, Chief of Staff & General Counsel
        Perry Apelbaum, Minority Staff Director & Chief Counsel
        
        
        
        
        
        
        
        
        
        
        
        
                            C O N T E N T S

                              ----------                              

                             MARCH 1, 2016

                                                                   Page

                           OPENING STATEMENTS

The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Committee on the Judiciary     1
The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, and Ranking Member, Committee on 
  the Judiciary..................................................     4

                               WITNESSES

Honorable James B. Comey, Director, Federal Bureau of 
  Investigation
  Oral Testimony.................................................     6
  Prepared Statement.............................................     9
Bruce Sewell, Senior Vice President and General Counsel, Apple, 
  Inc.
  Oral Testimony.................................................    98
  Prepared Statement.............................................   101
Susan Landau, Ph.D., Professor of Cybersecurity Policy, Worcester 
  Polytechnic Institute
  Oral Testimony.................................................   104
  Prepared Statement.............................................   106
Cyrus R. Vance, Jr., District Attorney, New York County
  Oral Testimony.................................................   131
  Prepared Statement.............................................   133

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Material submitted by the Honorable Steve Chabot, a 
  Representative in Congress from the State of Ohio, and Member, 
  Committee on the Judiciary.....................................    18
Material submitted by the Honorable Darrell E. Issa, a 
  Representative in Congress from the State of California, and 
  Member, Committee on the Judiciary.............................    31
Material submitted by the Honorable Zoe Lofgren, a Representative 
  in Congress from the State of California, and Member, Committee 
  on the Judiciary...............................................    43
Material submitted by the Honorable Cedric Richmond, a 
  Representative in Congress from the State of Louisiana, and 
  Member, Committee on the Judiciary.............................    68
Material submitted by the Honorable Bob Goodlatte, a 
  Representative in Congress from the State of Virginia, and 
  Chairman, Committee on the Judiciary...........................    87

                                APPENDIX
               Material Submitted for the Hearing Record

Material submitted by the Honorable Bob Goodlatte, a 
  Representative in Congress from the State of Virginia, and 
  Chairman, Committee on the Judiciary...........................   180
Material submitted by the Honorable Doug Collins, a 
  Representative in Congress from the State of Georgia, and 
  Member, Committee on the Judiciary.............................   183
Questions for the Record submitted to the Honorable James B. 
  Comey, Director, Federal Bureau of Investigation...............   186
Response to Questions for the Record from Bruce Sewell, Senior 
  Vice President and General Counsel, Apple, Inc.................   189
Response to Questions for the Record from Susan Landau, Ph.D., 
  Professor of Cybersecurity Policy, Worcester Polytechnic 
  Institute......................................................   201
Response to Questions for the Record from Cyrus R. Vance, Jr., 
  District Attorney, New York County.......................209
                       deg.OFFICIAL HEARING RECORD
          Unprinted Material Submitted for the Hearing Record

Material submitted by the Honorable Zoe Lofgren, a Representative in 
    Congress from the State of California, and Member, Committee on the 
    Judiciary. This submission is available at the Committee and can 
    also be accessed at:

    http://docs.house.gov/Committee/Calendar/
ByEvent.aspx?EventID=104573

Material submitted by Bruce Sewell, Senior Vice President and General 
    Counsel, Apple, Inc. This submission is available at the Committee 
    and can also be accessed at:

    http://docs.house.gov/Committee/Calendar/
ByEvent.aspx?EventID=104573
 
  THE ENCRYPTION TIGHTROPE: BALANCING AMERICANS' SECURITY AND PRIVACY

                              ----------                              


                         TUESDAY, MARCH 1, 2016

                        House of Representatives

                       Committee on the Judiciary

                            Washington, DC.

    The Committee met, pursuant to call, at 1:05 p.m., in room 
2141, Rayburn House Office Building, the Honorable Bob 
Goodlatte (Chairman of the Committee) presiding.
    Present: Representatives Goodlatte, Sensenbrenner, Chabot, 
Issa, King, Jordan, Poe, Chaffetz, Marino, Gowdy, Labrador, 
Collins, DeSantis, Walters, Buck, Conyers, Nadler, Lofgren, 
Cohen, Johnson, Chu, Deutch, Gutierrez, Bass, Richmond, 
DelBene, Jeffries, Cicilline, and Peters.
    Staff Present: (Majority) Shelley Husband, Chief of Staff & 
General Counsel; Branden Ritchie, Deputy Chief of Staff & Chief 
Counsel; Zachary Somers, Parliamentarian & General Counsel; 
Kelsey Williams, Clerk; Caroline Lynch, Chief Counsel, 
Subcommittee on Crime, Terrorism, Homeland Security, and 
Investigations; Ryan Breitenbach, Counsel, Subcommittee on 
Crime, Terrorism, Homeland Security, and Investigations; 
(Minority) Perry Apelbaum, Staff Director & Chief Counsel; 
Danielle Brown, Parliamentarian & Chief Legislative Counsel; 
Aaron Hiller, Chief Oversight Counsel; Joe Graupensperger, 
Chief Counsel, Subcommittee on Crime, Terrorism, Homeland 
Security, and Investigations; James Park, Chief Counsel, 
Subcommittee on the Constitution; David Greengrass, Counsel; 
Eric Williams, Crime Detailee; and Veronica Eligan, 
Professional Staff Member.
    Mr. Goodlatte. We'd ask all the members of the media that 
are taking thousands of pictures here, I'm sure they got some 
excellent ones of the Director, but we ask you to please clear 
aside so we can begin the hearing.
    The Judiciary Committee will come to order. And without 
objection, the Chair is authorized to declare recesses of the 
Committee at any time. We welcome everyone to this afternoon's 
hearing on The Encryption Tightrope: Balancing Americans' 
Security and Privacy. And I will begin by recognizing myself 
for an opening statement.
    We welcome everyone today to this timely and important 
hearing on encryption. Encryption is a good thing. It prevents 
crime, it prevents terrorist attacks, it keeps our most 
valuable information safe, yet it is not used as effectively 
today as is necessary to protect against the ever-increasing 
sophistication of foreign governments, criminal enterprises, 
and just plain hackers.
    We see this manifest almost every week in the reports of 
losses of massive amounts of our most valuable information from 
government agencies, retailers, financial institutions, and 
average Americans. From identity theft, to the compromising of 
our infrastructure, to our economic and military security, 
encryption must play an ever-increasing role, and the companies 
that develop it must be encouraged to increase its 
effectiveness.
    Encryption is a topic that may sound arcane, or only the 
province of techies, but, in fact, it is a subject whose 
solutions will have far-reaching and lasting consequences. The 
Judiciary Committee is a particularly appropriate forum for 
this congressional debate to occur. As the Committee of 
exclusive jurisdiction over the United States Constitution, the 
Bill of Rights, and the Federal Criminal Laws and Procedures, 
we are well-versed in the perennial struggle between protecting 
Americans' privacy and enabling robust public safety.
    This Committee is accustomed to addressing many of the 
significant legal questions arising from laws that govern 
surveillance and government access to communications, 
particularly the Wiretap Act, the Electronic Communications 
Privacy Act, the Foreign Intelligence Surveillance Act, and the 
Communications Assistance to Law Enforcement Act, otherwise 
known as CALEA.
    Today's hearing is a continuation of the Committee's work 
on encryption, work that Congress is best suited to resolve. As 
the hearing title indicates, society has been walking a 
tightrope for generations in attempting to balance the security 
and privacy of Americans' communications with the needs of our 
law enforcement and intelligence agencies. In fact, the entire 
world now faces a similar predicament, particularly as our 
commerce and communications bleed over international boundaries 
on a daily basis.
    Encryption in securing data in motion, and in storage, is a 
valuable technological tool that enhances Americans' privacy, 
protects our personal safety and national security, and ensures 
the free flow of our Nation's commerce. Nevertheless, as 
encryption has increasingly become a ubiquitous technique to 
secure communications among consumers, industry, and 
governments, a national debate has arisen concerning the 
positive and negative implications for public safety and 
national security.
    This growing use of encryption presents new challenges for 
law enforcement seeking to obtain information during the course 
of its investigations, and, even more foundationally, test the 
basic framework that our Nation has historically used to ensure 
a fair and impartial evaluation of legal process used to obtain 
evidence of a crime.
    We must answer this question: How do we deploy ever 
stronger, more effective encryption without unduly preventing 
lawful access to communications of criminals and terrorists 
intent on doing us harm? This now seems like a perennial 
question that has challenged us for years. In fact, over 15 
years ago, I led congressional efforts to ensure strong 
encryption technologies, and to ensure that the government 
could not automatically demand a backdoor key to encryption 
technologies. This enabled the U.S. encryption market to thrive 
and produce effective encryption technologies for legitimate 
actors rather than see the market head completely overseas to 
companies that do not have to comply with basic protections. 
However, it is also true that this technology has been a 
devious tool of malefactors.
    Here is where our concern lies: Adoption of new 
communications technologies by those intending harm to the 
American people is outpacing law enforcement's technological 
capability to access those communications in legitimate 
criminal and national security investigations.
    Following the December 15 terrorist attack in San 
Bernardino, California, investigators recovered a cell phone 
owned by the County government, but used by one of the 
terrorists responsible for the attack. After the FBI was unable 
to unlock the phone and recover its contents, a Federal judge 
ordered Apple to provide reasonable technical assistance to 
assist law enforcement agents in obtaining access to the data 
on the device, citing the All Writs Act as its authority to 
compel.
    Apple has challenged the court order, arguing that its 
encryption technology is necessary to protect its customers' 
communications, security, and privacy, and raising both 
constitutional and statutory objections to the Magistrate's 
order.
    This particular case has some very unique factors involved, 
and, as such, may not be an ideal case upon which to set 
precedent. And it is not the only case in which this issue is 
being litigated. Just yesterday, a magistrate judge in the 
Eastern District of New York ruled that the government cannot 
compel Apple to unlock an iPhone pursuant to the All Writs Act.
    It is clear that these cases illustrate the competing 
interests at play in this dynamic policy question, a question 
that is too complex to be left to the courts and must be 
answered by Congress. Americans surely expect that their 
private communications are protected. Similarly, law 
enforcement's sworn duty is to ensure that public safety and 
national security are not jeopardized if possible solutions 
exist within their control.
    This body, as well, holds its own constitutional 
prerogatives and duties. Congress has a central role to ensure 
that technology advances so as to protect our privacy, help 
keep us safe, and prevent crime and terrorist attacks. Congress 
must also continue to find new ways to bring to justice 
criminals and terrorists. We must find a way for physical 
security not to be at odds with information security. Law 
enforcement must be able to fight crime and keep us safe, and 
this country's innovative companies must, at the same time, 
have the opportunity to offer secure services to keep their 
customers safe.
    The question for Americans and lawmakers is not whether or 
not encryption is essential, it is; but instead, whether law 
enforcement should be granted access to encrypted 
communications when enforcing the law and pursuing their 
objectives to keep our citizens safe.
    I look forward to hearing from our distinguished witnesses 
today as the Committee continues its oversight of this real-
life dilemma facing real people all over the globe.
    It's now my pleasure to recognize the Ranking Member of the 
Committee, the gentleman from Michigan, Mr. Conyers, for his 
opening statement.
    Mr. Conyers. Thank you, Chairman Goodlatte. Members of the 
Committee and our first and distinguished guest, I want to 
associate myself with your comments about our jurisdiction. It 
is not an accident that the House Judiciary Committee is the 
Committee of primary jurisdiction with respect to the legal 
architecture of government surveillance.
    In times of heightened tension, some of our colleagues will 
rush to do something, anything, to get out in front of an 
issue. We welcome their voices in the debate, but it is here, 
in this Committee room, that the House begins to make decisions 
about the tools and methods available to law enforcement.
    I believe that it is important to say up front, before we 
get into the details of the Apple case, that strong encryption 
keeps us safe, even as it protects our privacy. Former National 
Security Agency Director, Michael Hayden, said only last week 
that America is more secure with unbreakable end-to-end 
encryption. In this room, just last Thursday, former Secretary 
of Homeland Security, Michael Chertoff, testified that in his 
experience, strong encryption laws help law enforcement more 
than it hinders any agency in any given case.
    The National Security Council has concluded that the 
benefits to privacy, civil liberties, and cybersecurity gained 
from encryption outweigh the broader risks created by weakening 
encryption. And Director Comey himself has put it very plainly: 
universal, strong encryption will protect all of us, our 
innovation, our private thoughts, and so many other things of 
value, from thieves of all kinds. We will all have lock boxes 
in our lives that only we can open, and in which we can store 
all that is valuable to us. There are lots of good things about 
this.
    Now for years, despite what we know about the benefits of 
encryption, the Department of Justice and the Federal Bureau of 
Investigation have urged this Committee to give them the 
authority to mandate that companies create backdoors into their 
secure products.
    I have been reluctant to support this idea for a number of 
reasons. The technical experts have warned us that it is 
impossible to intentionally introduce flaws into secure 
products, often called backdoors, that only law enforcement can 
exploit to the exclusion of terrorists and cyber criminals. The 
tech companies have warned us that it would cost millions of 
dollars to implement and replace them at a competitive 
disadvantage around the world. The national security experts 
have warned us that terrorists and other criminals will simply 
resort to other tools entirely outside the reach of our law 
enforcement and intelligence agencies.
    And I accept that reasonable people can disagree with me on 
each of these points, but what concerns me, Mr. Chairman, is 
that in the middle of an ongoing congressional debate on this 
subject, the Federal Bureau of Investigation would ask a 
Federal magistrate to give them the special access to secure 
products that this Committee, this Congress, and the 
Administration have so far refused to provide.
    Why has the government taken this step and forced this 
issue? I suspect that part of the answer lies in an email 
obtained by The Washington Post and reported to the public last 
September. In it, a senior lawyer in the intelligence community 
writes that although the legislative environment toward 
encryption is very hostile today, it could turn in the event of 
a terrorist attack or a criminal event where strong encryption 
can be shown to have hindered law enforcement. He concluded 
that there is value in keeping our options open for such a 
situation.
    I'm deeply concerned by this cynical mind-set, and I would 
be deeply disappointed if it turns out that the government is 
found to be exploiting a national tragedy to pursue a change in 
the law.
    I also have doubts about the wisdom of applying the All 
Writs Act, enacted in 1789, codified in 1911, and last applied 
to a communications provider by the Supreme Court in 1977, to a 
profound question about privacy and modern computing in 2016. I 
fear that pursuing this serious and complex issue through the 
awkward use of an inept statute was not, and is not, the best 
course of action, and I'm not alone in this view.
    Yesterday, in the Eastern District of New York, a Federal 
judge denied a motion to order Apple to unlock an iPhone under 
circumstances similar to those in San Bernardino. The court 
found that the All Writs Act, as construed by the government, 
would confer on the courts an overbroad authority to override 
individual autonomy. However, nothing in the government's 
argument suggests any principal limit on how far a court may go 
in requiring a person, or company, to violate the most deeply 
rooted values.
    We could say the same about the FBI's request in 
California. The government's assertion of power is without 
limiting principle, and likely to have sweeping consequences, 
whether or not we pretend that the request is limited to just 
this device or just this one case.
    This Committee, and not the courts, is the appropriate 
place to consider those consequences, even if the dialogue does 
not yield the results desired by some in the law enforcement 
community. I'm grateful that we are having this conversation 
today back in the forum in which it belongs, the House 
Judiciary Committee. And so I thank the Chairman very much. And 
I yield back.
    Mr. Goodlatte. Thank you, Mr. Conyers.
    And without objection, all other Members' opening 
statements will be made a part of the record.
    We welcome our distinguished witness of today's first 
panel. And if you would please rise, I'll begin by swearing you 
in.
    Do you swear that the testimony that you are about to give 
shall be the truth, the whole truth, and nothing but the truth, 
so help you God?
    Mr. Comey. I do.
    Mr. Goodlatte. Thank you very much. Please be seated.
    I'll now begin by introducing our first distinguished 
witness today, Director James Comey of the Federal Bureau of 
Investigation. Director Comey began his career as an Assistant 
United States Attorney for both the Southern District of New 
York and the Eastern District of Virginia. After the 9/11 
terrorist attacks, Director Comey returned to New York to 
become the United States Attorney for the Southern District of 
New York. In 2003, he was appointed deputy attorney general 
under the United States Attorney General, John Ashcroft.
    Director Comey is a graduate of the College of William & 
Mary and the University of Chicago Law School.
    Director, welcome. Your entire written statement will be 
made a part of the record. And I ask that you summarize your 
testimony in 5 minutes. And we have the timing light that 
you're well familiar with on the table. Again, welcome. We're 
pleased that you are here, and you may begin your testimony.

TESTIMONY OF HONORABLE JAMES B. COMEY, DIRECTOR, FEDERAL BUREAU 
                        OF INVESTIGATION

    Mr. Comey. Thank you so much, Mr. Chairman, Mr. Conyers. 
Thank you for hosting this conversation, and for helping us all 
talk about an issue that I believe is the hardest issue I've 
confronted in government, which is how to balance the privacy 
we so treasure, that comes to us through the technology that we 
love, and also achieve public safety, which we also all very 
much treasure.
    I worry a little bit that we've been talking past each 
other, both folks in the government and folks in the private 
sector, when it comes to this question of encryption, which we 
in the government call ``going dark.'' What I'd like to do is 
just take 3 or 4 minutes and try to frame how I think about it, 
in a way I hope is fair, fair-minded, and if it's not, I hope 
you'll poke at me and tell me where you think it's not, but 
these are the things I believe to be true:
    First, that the logic of encryption will bring us, in the 
not-too-distant future, to a place where all of our 
conversations and all of our papers and effects are entirely 
private; that is, where no one can listen to our conversations, 
read our texts, read our emails unless we say so, and no one 
can look at our stuff, read our documents, read things we file 
away without our agreement. That's the first thing I believe, 
that the logic of encryption is taking us there.
    The second thing I believe is, as both you and Mr. Conyers 
said, there's a lot of good about this, a lot of benefits to 
this. All of us will be able to keep private and keep protected 
from thieves of all kinds, the things that matter most to us, 
our ideas, our innovation, our secret thoughts, our hopes, our 
dreams. There is a lot to love about this. We will all be able 
to have storage spaces in our life that nobody else can get 
into.
    The third thing I believe is that there are many costs to 
this. For the last two centuries, public safety in this country 
has depended, in large measure, on the ability of law 
enforcement agents going to courts and obtaining warrants to 
look in storage areas or apartments, or to listen with 
appropriate predication oversight to conversations. That is the 
way in which law enforcement brings us public safety. It is 
very, very important, and it's been part of the balance in 
ordered liberty, that sometimes the people's stuff can be 
looked at, but only with predication and only with oversight 
and approval by an independent judiciary.
    The fourth thing I believe is that these two things are in 
tension in many contexts, increasingly in our national security 
work, and in law enforcement work, generally across the 
country. We see it obviously in ISIL's efforts to reach into 
this country, and using mobile messaging apps that are end-to-
end encrypted, task people to kill innocent people in the 
United States. That is a huge feature of our national security 
work and a major impediment to our counterterrorism work, 
because even with a court order, what we get is unreadable; to 
use a technical term, it's gobbledygook. Right? We cannot 
decrypt that that which is covered by strong encryption.
    We also see it in criminal work across the country. We see 
very tragically last year in Baton Rouge where a pregnant woman 
8 months pregnant was killed by somebody she opened the door 
to. And her mom says she kept a diary, but it's on her phone, 
which is locked, and so the case remains unsolved.
    And most recently and most prominently, as both Mr. Conyers 
and the Chairman mentioned, we see it in San Bernardino, a case 
where two terrorists, in the name of ISIL, killed 14 people and 
wounded 22 others at an office gathering and left behind three 
phones, two of which, the cheaper models, they smashed beyond 
use, and the third was left locked.
    In any investigation that is done competently, the FBI 
would try to get access to that phone. It's important that it's 
a live, ongoing terrorism investigation, but in any criminal 
investigation, a competent investigator would try and use all 
lawful tools to get access to that device, and that's what you 
see happening in San Bernardino.
    The San Bernardino case is about that case. It obviously 
highlights the broader issue and, of course, it will we looked 
upon by other judges and other litigants, but it is about the 
case and trying to do a competent job of understanding, is 
there somebody else? And are there clues to what else might 
have gone on here? That is our job.
    The fifth thing I believe is that democracies resolve these 
kind of really hard questions through robust debate. I think 
the FBI's job is very, very limited. We have two jobs. The 
first is to investigate cases like San Bernardino, and to use 
tools that are lawful and appropriate. The second thing, it's 
our job to tell the American people, the tools you are counting 
on us to use to keep you safe are becoming less and less 
effective.
    It is not our job to tell the American people how to 
resolve that problem. The FBI is not some alien force imposed 
upon America from Mars. We are owned by the American people, we 
only use the tools that are given to us under the law. And so 
our job is simply to tell people there is a problem. Everybody 
should care about it, everybody should want to understand if 
there are warrant-proof spaces in American life. What does that 
mean? And what are the costs of that and how do we think about 
that?
    I don't know what the answer is. It may be the American 
people, through Congress and the courts, decide it's too hard 
to solve, or law enforcement can do its job well enough with 
strong encryption covering our communications and our papers 
and effects, or that it's something that we have to find a way 
to fix to achieve a better balance. I don't know. My job is to 
try to offer thoughtful explanations about the tools the FBI 
has, and to bring them to the attention of the American people, 
and then answer questions about that.
    So I'm very, very grateful for this forum, very, very 
grateful for this conversation. There are no demons in this 
debate. The companies are not evil, the government's not evil. 
You have a whole lot of good people who see the world through 
different lenses, who care about things, all care about the 
same things, in my view. The companies care about public 
safety, the FBI cares about innovation and privacy. We devote 
our lives to try to stop people from stealing our innovation, 
our secrets, and hacking into our devices. We care about the 
same things, which should make this in a way an easier 
conversation, which I very much look forward to. Thank you.
    [The prepared statement of Mr. Comey follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
      
                               __________
                               
    Mr. Goodlatte. Thank you, Director Comey. We'll now proceed 
under the 5-minute rule with questions for the witness, and 
I'll begin by recognizing myself.
    Director, there has been quite a bit of debate on the 
government's reliance on the All Writs Act, which most people 
had never heard of until the last week or so. That is being 
used in this case to try to compel Apple to bypass the auto 
erase functions on the phone. It has been characterized as an 
antiquated statute dating back to 1789, that was never intended 
to empower the courts to require a third party to develop new 
technology.
    How do you respond to that characterization? Has the FBI 
relied on the Act in the past to gain access to iPhones or 
other similar devices, and is the Act limited to the 
circumstances in which Congress has already imposed a statutory 
duty on a third party to provide assistance?
    Mr. Comey. Thank you, Mr. Chairman. I smile a little bit 
when I hear that, because old doesn't mean bad, at least I hope 
it doesn't, because I'm rapidly approaching that point. The 
Constitution is as old or older than the All Writs Act, and I 
think that's still a pretty useful document.
    It's a tool that I use. I think there's some Members of the 
Committee who are former Federal prosecutors. Every assistant 
U.S. Attorney knows it. I used it when I started as an AUSA in 
1987. It is an Act that Congress passed when the Constitution 
was a baby, so there was a vehicle for judges to get their 
orders complied with. And it's been used many, many, many 
times, and interpreted by the courts many times, including by 
the Supreme Court.
    The cases at hand are simply about, as I understand it, 
what is the reach of the All Writs Act. It's still good law, 
but how far does it extend, especially given how technology has 
changed. And I think the courts are going to sort that out. 
There was a decision yesterday in New York, there will be 
decisions in California. There will probably be lots of others, 
because this is a problem law enforcement is seeing all over 
the country.
    Mr. Goodlatte. Let me ask you about that decision in New 
York, because in its brief in the California case, Apple argues 
that a provision of CALEA, another Federal statute, actually 
prohibits the magistrate from ordering it to design a means to 
override the auto erase functions on the phone. Just yesterday, 
a magistrate in New York upheld that argument. Can you comment 
on that?
    Mr. Comey. Not in an intelligent way, because I haven't 
read the decision out of New York. I understand the basic 
contours of the argument. I don't fully get it, honestly, 
because CALEA is about data in motion, and this is about data 
at rest, but I also think this is the kind of thing judges do. 
They take acts of Congress and try to understand, so what does 
it mean, especially given changing circumstances. So I expect 
it'll be bumpy, there will be lots of lawyers paid for lots of 
hours of work, but we will get to a place where we have the 
courts with an understanding of its reach.
    Mr. Goodlatte. Now, if the FBI is successful in requiring 
Apple to unlock this phone, that won't really be a one-time 
request, correct?
    Mr. Comey. Well, the issue of locked phones certainly not, 
because it's become a----
    Mr. Goodlatte. It will set a precedent for other requests 
from the Federal Bureau of Investigation and any other law 
enforcement agency to seek the same assistance in many, many, 
many other cases?
    Mr. Comey. Sure, potentially, because any decision of a 
court about a matter is potentially useful to other courts, 
which is what a precedent is. I happen to think, having talked 
to experts, there are technical limitations to how useful this 
particular San Bernardino technique will be, given how the 
phones have changed, but sure, other courts, other prosecutors, 
other lawyers for companies will look to that for guidance or 
to try and distinguish it.
    Mr. Goodlatte. So that technology once developed, which I 
presume they could destroy again, but then will have to 
recreate hundreds of times, how confident are you--whichever 
procedure Apple decided to pursue, how confident are you that 
what you are requesting, which is the creation effectively of a 
key, a code, how confident are you that will remain secure and 
allow all the other customers of Apple, and when this is 
applied to other companies' technology as well, how confident 
are you that it will not fall into the wrong hands and make 
everyone's communication devices less secure, not more secure?
    Mr. Comey. First, I've got to quibble a little bit with the 
premise of your question. I hear people talk about keys or 
backdoors. I actually don't see that this way. I mean, there 
are issues about backdoors. This is about--there's already a 
door on that iPhone. Essentially we're asking Apple, take the 
vicious guard dog away; let us try and pick the lock. The later 
phones, as I understand the 6 and after, there aren't doors, so 
there isn't going to be, can you take the guard dog away and 
let us pick the lock.
    But, look, I have a lot of faith, and maybe I don't know 
them well enough, in the company's ability to secure their 
information. The iCloud, for example, is not encrypted, right, 
but I don't lie awake at night worrying about whether they're 
able to protect the contents of the iCloud. They are very, very 
good at protecting their information and their innovation. So 
no thing is for certain, but I think these folks are pros.
    Mr. Goodlatte. Thank you very much. The Chair recognizes 
the Ranking Member, Mr. Conyers, for his questions.
    Mr. Conyers. Thank you, Chairman Goodlatte. And welcome, 
again, to our forum here, a very regular visitor to the 
Judiciary Committee.
    Director Comey, it's been suggested that Apple has no 
interest in helping law enforcement in any criminal case and 
that the company cares more about marketing than about 
investigating a terrorist attack. In your view, are companies 
like Apple generally cooperative when the FBI asks for 
assistance accompanied by appropriate legal process? Did Apple 
assist with this particular investigation?
    Mr. Comey. I think, in general, all American companies, and 
I can't think of an exception sitting here, want to be helpful, 
especially when it comes to public safety, because they have 
families and children just as we do, so that's the attitude 
we're met with.
    And in this particular case, as in many others, Apple was 
helpful to us. We had lots of good conversations about what we 
might be able to do to get this device open, and we got to 
place where they said, for reasons that I don't question their 
motive, we're not willing to go further, and the government 
made a decision, we still have an avenue to pursue with the 
judge. We'll go to the judge. But I don't question their 
motives.
    Mr. Conyers. All right. Thank you. I sense that you're 
still reluctant to speak about how your success in this case 
might set a precedent for future actions. You indicated last 
week that this litigation may guide how other courts handle 
similar requests. Could you elaborate on that, please?
    Mr. Comey. Sure. There's no--first of all, let me say this. 
I've been trying to explain to people, this case in San 
Bernardino is about this case. And the reason I've tried to say 
that so much publicly is, I worry very much about the pain, 
frankly, to the victims in this case when they see this matter 
that's so important to them becoming a vehicle for a broader 
conversation. So I want to make sure that everybody, especially 
the FBI, remains grounded in the fact this is about that case. 
My wife has a great expression she uses to help me be a better 
person, which is, ``It's not about you, Dear.''
    This case in San Bernardino is not about the FBI, it's not 
about Apple, it not about Congress, it's not about anything 
other than trying to do a competent investigation in an 
ongoing, active case. That said, of course, any decision by a 
judge in any forum is going to be potentially precedential in 
some other forum; not binding, but guidance, either positive or 
against. The government lost the case yesterday in Brooklyn. We 
could lose the case in San Bernardino, and it will be used as 
precedent against the government. That's just the way the law 
works, which I happen to think is a good thing.
    Mr. Conyers. Thank you. If you succeed in this case, will 
the FBI return to the courts in future cases to demand that 
Apple and other private companies assist you in unlocking 
secure devices?
    Mr. Comey. Potentially, yes. If the All Writs Act is 
available to us and the relief under the All Writs Act as 
explained by the courts fits the powers of the statute, of 
course.
    Mr. Conyers. And, finally, I think we can acknowledge, 
then, that this case will set some precedent, and if you 
succeed, you will have won the authority to access encrypted 
devices, at least for now. Given that you've asked us to 
provide you with that authority since taking your position at 
the Bureau, and given that Congress has explicitly denied you 
that authority so far, can you appreciate our frustration that 
this case appears to be little more than an end run around this 
Committee?
    Mr. Comey. I really can't, Mr. Conyers. First of all, I 
don't recall a time when I've asked for a particular 
legislative fix. In fact, the Administration's position has 
been they're not seeking legislation at this time. But I also--
we're investigating a horrific terrorist attack at San 
Bernardino. There's a phone that's unlocked that belonged to 
one of the killers. The All Writs Act that we've used since I 
was a boy, we think is a reasonable argument to have the court 
use the All Writs Act to direct the company to open that phone. 
That's what this is about. If I didn't do that, I ought to be 
fired, honestly.
    I can also understand your frustration at the broader 
conversation, because it goes way beyond this case. This case 
will be resolved by the courts. It does not solve the problem 
we're all here wrestling with.
    Mr. Conyers. I thank the Director, and I yield back any 
unused time. Thank you, Mr. Chairman.
    Mr. Goodlatte. Thank you. And the Chair recognizes the 
gentleman from Ohio, Mr. Chabot, for 5 minutes.
    Mr. Chabot. Thank you, Mr. Chairman. I have a statement 
from the Application Developers Alliance here that I'd like to 
have included in the record.
    Mr. Goodlatte. Without objection, it will be made a part of 
the record.
    [The information referred to follows:]
    
  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  
    
      
                               __________
                               
    Mr. Chabot. Thank you, Mr. Chairman.
    And, Director Comey, like yourself, I happen to be a 
graduate of the College of William & Mary, so I'm going to 
start off with a tough question. Anything nice you'd like to 
say about the College of William & Mary?
    Mr. Comey. I could tell there with glow coming from your 
seat. That's explained by your being a member of the Tribe. 
Best thing ever happened to me besides--I actually met my wife 
there. That's the best thing that ever happened to me. Second 
best is that I was there.
    Mr. Chabot. Excellent. Yes, it's a great place to go. There 
are two members currently. Ms. Titus of Nevada is also a 
graduate.
    Now, this hearing is about electronic data security, or as 
you describe it----
    Mr. Goodlatte. The Chair is happy to extend additional time 
to the gentleman for recognizing an important Virginia 
educational institution.
    Mr. Chabot. I appreciate the Chairman.
    And as is already indicated, this is about electronic data 
security or, as you described it, keeping our stuff online 
private. So I'd like to ask you this, and it may seem a little 
off topic, but I don't think it is.
    A few weeks back, the FBI's general counsel, James Baker, 
acknowledged that the FBI is ``working on matters related to 
former Secretary of State Hillary Clinton's use of a private 
email server.'' And then the White House press secretary, Josh 
Earnest, stated that ``some officials over there,'' referring 
to the FBI, ``had said that Hillary Clinton is not a target of 
this investigation, and that it's not trending in that 
direction.'' And the President then weighed in, even though he 
apparently had never been briefed on the matter, commenting 
that he didn't see any national security implications in 
Hillary's emails, and obviously, this is a matter of 
considerable import.
    Is there anything that you can tell us as to when this 
matter might be wrapped up one way or the other?
    Mr. Comey. I can't, Congressman. As you know, we don't talk 
about our investigations. What I can assure you is that I am 
very close personally to that investigation to ensure that we 
have the resources we need, including people and technology, 
and that it's done the way the FBI tries to do all of its work: 
independently, competently, and promptly. That's our goal, and 
I'm confident it's being done that way, but I can't give you 
any more details beyond that.
    Mr. Chabot. I certainly understand, and I appreciate that. 
I thought you might say that, but you can't blame me for 
trying. Let me move on.
    If Apple chose to comply with the government's demand, 
maybe it does have the technical expertise and time and 
finances to create such a vulnerability so we can get in and 
get that information. But let me ask you, what about a small 
business? I happen to be the Chairman of the House Small 
Business Committee. Wouldn't such a mandate to, say, a small 
company, a startup, say, with, you know, four or five, six 
employees, wouldn't that be a huge burden on a small business 
to have to comply with this sort of thing?
    Mr. Comey. I think it might be, and that's one of the 
factors that I understand the courts consider in passing on an 
All Writs Act request, the burden to the private actor, how 
much it would cost them, how much time and effort? And I think 
Apple's argument in this case is, it would take us a ton of 
effort, time, and money to do it, and so that's one of the 
reasons we shouldn't be compelled to do it. So it's a 
consideration built into the judicial interpretations of the 
Act.
    Mr. Chabot. Thank you. As the Chair of the Committee, we'd 
ask you certainly to consider how this could affect--you know, 
seven out of 10 new jobs created in the economy are small 
business folks; half of the people employed in this country in 
the private sector are small businesses, and I think we should 
always consider them. Let me move on to something else.
    In his testimony from our December 2015 hearing about H.R. 
699, the Email Privacy Act, Richard Littlehale, the Assistant 
Special Agent in charge of Criminal Investigation Division of 
the Tennessee Bureau of Investigations, voiced a frustration 
with the increasing technological capabilities of both 
criminals and noncriminals.
    Rather than trying to arguably infringe on the Fourth 
Amendment rights of all Americans, would it be possible to 
better train our law enforcement officers and equip them to 
keep up with this changing world that we're discussing today?
    Mr. Comey. Well, there's no doubt that we have to continue 
to invest in training so that all of our folks are digitally 
literate and able to investigate in that way. The problem we 
face here is all of our lives are on these devices, which is 
why it's so important that they be private, but that also means 
all of criminals' and pedophiles' and terrorists' lives are on 
these devices, and if they can't--if they're warrant-proof, 
even a judge can't order access to a device, that is a big 
problem. I don't care how good the cop is, I don't care how 
good the agent is, that is a big problem. So that, we can't 
quite train our way around.
    Mr. Chabot. Thank you very much. I'm always almost out of 
time so let me concludes with, go Tribe. Thank you.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentleman from New York, Mr. Nadler, for----
    Mr. Nadler. Thank you. Since we've gone a little far afield 
here, let me do so again very briefly to point out that, among 
others, Thomas Jefferson, who, among his minor accomplishments, 
was the Founder of the Democratic Party, was also a graduate of 
William & Mary.
    Mr. Chabot. True.
    Mr. Nadler. Mr. Comey, Director Comey, the attack--well, 
we're all certainly very condemning of the terrorist attack in 
San Bernardino, and we all--our hearts go out to the families 
and victims of that. I commend the FBI for everything you've 
done to investigate this matter. Now, the two terrorists are 
dead and another coconspirator, the neighbor, is in jail. You 
have used the USA Freedom Act to track their phone calls and 
invest--which this Committee wrote last year--to track their 
phone calls and investigate everyone they ever spoke to on that 
phone. The FBI has done a great job already. Now, let me ask a 
few questions.
    It's my understanding that the--that we have found that the 
attack in San Bernardino was not, in any way, planned or 
coordinated by ISIS. Is that correct? It may have been inspired 
by, but not directed or planned by.
    Mr. Comey. Right. So far as we know, correct.
    Mr. Nadler. And have you eliminated any connection between 
the two suspects and any overseas terrorist organization?
    Mr. Comey. Eliminated any? We have not----
    Mr. Nadler. Have you seen any evidence of any, is a better 
way of putting it?
    Mr. Comey. We have not seen any evidence of that.
    Mr. Nadler. Okay. Now, given those facts--so there's no 
evidence of any coordination with anybody else, that's the two 
homegrown, self-motivated, perhaps inspired-by-ISIS terrorists. 
Now, the investigators seized the iPhone in question on 
December 3; the FBI reached out to Apple for assistance on 
December 5. Apple started providing the FBI with information, 
with account information, I gather, the same day, but then the 
next day, on December 6, at the instruction of the FBI, San 
Bernardino County changed the password to the iCloud account 
associated with that device. They did so without consulting 
Apple, at the instruction or suggestion of the FBI. And 
changing that password foreclosed the possibility of an 
automatic backup that would allowed Apple to provide you with 
this information without bypassing its own security, and thus 
necessitating, in the first place, the application to the court 
that you made and that we're discussing today. In other words, 
if the FBI hadn't instructed San Bernardino County to change 
the password to the iCloud account, all of this would have been 
unnecessary, and you would have had that information. So my 
question is, why did the FBI do that?
    Mr. Comey. I have to--first of all, I want to choose my 
words very, very carefully. I said there is no evidence of 
direction from overseas terrorist organizations. This is a live 
investigation. I can't say much more beyond that. This 
investigation is not over, and I worry that embedded in your 
question was--and that you understood me to be saying that.
    Second, I do think, as I understand it from the experts, 
there was a mistake made in that 24 hours after the attack 
where the County, at the FBI's request, took steps that made it 
hard--impossible later to cause the phone to back up again to 
the iCloud. The experts have told me I'd still be sitting here, 
I was going to say unfortunately, not unfortunately, 
fortunately, I'm glad I'm here, but we would still be in 
litigation, because, the experts tell me, there's no way we 
would have gotten everything off the phone from a backup. I 
have to take them at their word. But that part of your premise 
of your question is accurate.
    Mr. Nadler. Okay. So the second part of my question is, it 
wasn't until almost 50 days later on January 22 when you served 
the warrant. Given the allegedly critical nature of this 
information, why did it take the FBI 50 days to go to court?
    Mr. Comey. I think there were a whole lot of conversations 
going on in that interim with companies, with other parts of 
the government, with other resources to figure out if there was 
a way to do it short of having to go to court.
    Mr. Nadler. Okay. Thank you. Now, can you offer a specific 
case, because I do think we all understand that it's not just a 
specific case, it will have widespread implications in law, and 
however the courts resolve this, which is essentially a 
statutory interpretation case, the buck is going to stop here 
at some point, we're going to be asked to change the law.
    So encryption software is free, open source, and widely 
available. If Congress were to pass a law forcing U.S. 
companies to provide law enforcement with access to encrypted 
systems, would that law stop bad actors from using their own 
encryption?
    Mr. Comey. It would not.
    Mr. Nadler. It would not. So the bad actors would just get 
around it?
    Mr. Comey. Sure. Encryption's always been available to bad 
actors, nation states----
    Mr. Nadler. So if we were to pass a law saying that Apple 
and whoever else had to put backdoors, or whatever you want to 
call them, into their systems, the bad actors that were--and 
with all the appropriate--with all the--not appropriate, all 
the concomitant surrenders of privacy, et cetera, et cetera, 
the bad actors could easily get around that by making their own 
encryption systems?
    Mr. Comey. The reason I'm hesitating is I think we're 
mixing together two things: data in motion and data at rest. 
The bad guys couldn't make their own phones, but the bad guys 
could always try and find a device that was strongly encrypted.
    The big change here happened in the fall of 2014 when the 
company split from available encryption to default, and 
that's----
    Mr. Nadler. Yeah. But couldn't----
    Mr. Comey [continuing]. That's the shadow of going dark 
and----
    Mr. Nadler. But couldn't foreign companies and bad actors 
generally do that, whatever we said?
    Mr. Comey. Sure. Potentially people could say, I love this 
American device, but because I worry about a judge ordering 
access to it, I'm going to buy this phone from a Nordic country 
that's different in some way. That could happen. I have a hard 
time seeing it happen a lot, but it could happen.
    Mr. Nadler. My time has expired. Thank you.B1 
first Issa submission deg.
    Mr. Issa. Mr. Chairman, I'd like to ask unanimous consent 
some documents be placed in the record at this time. I'd like 
to ask unanimous consent that Patent Number 0240732, patent----
    Mr. Goodlatte. Without objection.B2, B3, B4, B5 
Issa submissions deg.
    Mr. Issa. Thank you. Additionally, B2 deg.27353, 
another patent; additionally, a B3 deg.copy of the USA 
Today entitled, ``Ex-NSA Chief Backs Apple On iPhone;'' 
additionally, from B4 deg.Science and Technology, an 
article that says, ``Department of Homeland Security awards 
$2.2 million to Malibu, California, company for mobile security 
research and, in other words, an encryption-proof, unbreakable 
phone;'' additionally and lastly, the B5 deg.article 
in Politico today on the New York judge's ruling in favor of 
Apple.
    Mr. Goodlatte. Without objection, they will all be made a 
part of the record.
    [The information referred to follows:]
    
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
    
                                 __________
                                 
                                 
                                 
    Mr. Issa. Thank you, Mr. Chairman. Am I recognized?
    Mr. Goodlatte. The gentleman is recognized for 5 minutes.
    Mr. Issa. Thank you, Mr. Chairman.
    Justice Scalia said, it's best--said best what I'm going to 
quote almost 30 years ago in Arizona v. Hicks in which he said, 
``There is nothing new in the realization that the Constitution 
sometimes insulates the criminality of a few in order to 
protect the privacy of all of us.''
    I think that stands as a viewpoint that I have to balance 
when asking you questions. As I understand the case, and 
there's a lot of very brilliant lawyers and experienced people 
that know about All Writs Act, but what I understand is that 
you, in the case of Apple in California, are demanding, through 
a court order, that Apple invent something, fair to say, that 
they have to create something.
    And if that's true, then my first question to you is the 
FBI is the premier law enforcement organization with 
laboratories that are second to none in the world. Are you 
testifying today that you and/or contractors that you employ 
could not achieve this without demanding an unwilling partner 
do it?
    Mr. Comey. Correct.
    Mr. Issa. And you do so because you have researched this 
extensively?
    Mr. Comey. Yes. We've worked very, very hard on this. We're 
never going to give up, but we've worked----
    Mr. Issa. Did you receive the source code from Apple? Did 
you demand the source code?
    Mr. Comey. Did we ask Apple for their source code? I 
don't--not that I'm aware of.
    Mr. Issa. Okay. So you couldn't actually hand a software 
person the source code and say, can you modify this to do what 
we want, if you didn't have the source code. So who did you go 
to, if you can tell us, that you consider an expert on writing 
source code changes that you want Apple to do for you? You want 
them to invent it, but who did you go to?
    Mr. Comey. I'm not sure I'm following the question.
    Mr. Issa. Well, you know, I'm going to assume that the 
burden of Apple is X, but before you get to the burden of Apple 
doing something it doesn't want to do, because it's not in its 
economic best interests, and they've said that they have real 
ethical beliefs that you're asking them to do something wrong, 
sort of their moral fiber, but you are asking them to do 
something, and there's a burden, no question at all, there's a 
burden, they have to invent it. And I'm asking you, have you 
fully viewed the burden to the government? We have--we spend 
$4.2 trillion every year. You have a multi-billion dollar 
budget. Is the burden so high on you that you could not defeat 
this product, either through getting the source code and 
changing it or some other means? Are you testifying to that?
    Mr. Comey. I see. We wouldn't be litigating if we could. We 
have engaged all parts of the U.S. Government to see does 
anybody that has a way, short of asking Apple to do it, with a 
5C running IOS 9 to do this, and we do not.
    Mr. Issa. Okay. Well, let's go through the 5C running IOS 
9. Does the 5C have a nonvolatile memory in which all of the 
encrypted data and the selection switches for the phone 
settings are all located in that encrypted data?
    Mr. Comey. I don't know.
    Mr. Issa. Well, it does.
    Mr. Comey. Okay.
    Mr. Issa. And take my word for it for now. So that means 
that you can, in fact, remove from the phone all of its memory, 
all of its nonvolatile memory, its disk drive, if you will, and 
set it over here and have a true copy of it that you could 
conduct infinite number of attacks on. Let's assume that you 
can make an infinite number of copies once you make one copy, 
right?
    Mr. Comey. I have no idea.
    Mr. Issa. Well, let's go through what you asked. And I'm 
doing this, because I came out of the security business, and 
this befuddles me that you haven't looked at the source code, 
and you don't really understand the disk drive, at least to 
answer my rather, you know, dumb questions, if you will.
    If there's only a memory, and that memory, that nonvolatile 
memory sits here and there's a chip, and the chip does have an 
encryption code that was burned into it, and you can make 
10,000 copies of this chip, this nonvolatile memory hard drive, 
then you can perform as many attacks as you want on it.
    Now, you've asked specifically Apple to defeat the finger 
code so you can attack it automatically, so you don't have to 
punch in codes. You've asked them to eliminate the ten and 
destroy, but you haven't, as far as I know, asked them, okay, 
if we make 1,000 copies, or 2,000 copies of this, and we put it 
with the chip, and we run five tries, 00 through 04, and then 
throw that image away and put another one in and do that 2,000 
times, won't we have tried, with a nonchanging chip and an 
encryption code that is duplicated 2,000 times, won't we have 
tried all 10,000 possible combinations in a matter of hours?
    If you haven't asked that question, the question is, how 
can you come before this Committee and before a Federal judge, 
and demand that somebody else invent something, if you can't 
answer the questions that your people have tried this?
    Mr. Comey. First thing, I'm the Director of the FBI. If I 
could answer that question, there would be something 
dysfunctional in my leadership.
    Mr. Issa. No. I only asked if your people had done these 
things. I didn't ask you if that would work. I don't know if 
that work. I asked you, who did you go to, did you get the 
source code? Have you asked these questions, because you're 
expecting somebody to obey an order to do something they don't 
want to do, and you haven't even figured out whether you could 
do it yourself. You just told us, well, we can't do it, but you 
didn't ask for the source code, and you didn't ask the 
questions I asked here today, and I'm just a--I'm just a guy 
that----
    Mr. Goodlatte. The time of the gentleman has expired, and 
the Director is permitted to answer the question.
    Mr. Issa. Thank you, Mr. Chairman.
    Mr. Comey. I did not ask the questions you're asking me 
here today, and I'm not sure I fully even understand the 
questions. I have reasonable confidence, in fact, I have high 
confidence that all elements of the U.S. Government have 
focused on this problem and have had great conversations with 
Apple. Apple has never suggested to us that there's another way 
to do it other than what they've been asked to do in the All 
Writs Act. It could be when the Apple representative testifies, 
you'll ask him and we'll have some great breakthrough, but I 
don't think so. But I'm totally open to suggestions. Lots of 
people have emailed ideas. I've heard about mirroring, and 
maybe this is what you're talking about. We haven't figured it 
out, but I'm hoping my folks are watching this, and if you've 
said something that makes good sense to them, we'll jump on it 
and we'll let you know.
    Mr. Issa. Thank you.
    Mr. Goodlatte. The Chair recognizes the gentlewoman from 
California, Ms. Lofgren, for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman. And thank you, 
Director Comey, for your service to our country and your 
efforts to keep us safe. It is appreciated by every member of 
this Committee. And along with your entire agency, we do value 
your service and appreciate it.
    I remember in law school the phrase ``bad cases make bad 
law.'' I'm sure we all heard that, and I think this might be a 
prime example of that rule. We can't think of anything worse 
than what happened in San Bernardino, two terrorists murdering 
innocent people. It's outrageous. It sickens us, and it sickens 
the country. But the question really has to be, what is the 
rule of law here? Where are we going with this?
    And as I was hearing your opening statement talking about a 
world where everything is private, it may be that the 
alternative is a world where nothing is private, because once 
you have holes in encryption, the rule is, it's not a question 
of if, but when those holes will be exploited and everything 
that you thought was protected will be revealed.
    Now, the United States law often tends to set international 
norms, especially when it comes to technology policy. And, in 
fact, China removed provisions that required backdoors in its 
counterterrorism law passed in December because of the strong 
international norm against creating cyber weaknesses, but last 
night, I heard a report that the ambassadors from America, the 
United States, Canada, Germany, and Japan, sent a joint letter 
to China, because they're now thinking about putting a hole in 
encryption in their new policy.
    Did you think about the implication for foreign policy, 
what China might do, when you filed the motion in San 
Bernardino, or was that not part of the equation?
    Mr. Comey. Yeah. I don't think--I don't remember thinking 
about it in the context of this particular investigation, but I 
think about it a whole lot broadly, which is one of the things 
that makes it so hard. There are undoubtedly international 
implications, actually, I think less to the device encryption 
question and more to the data in motion question, but, yeah, I 
have no doubt that there's international implications. I don't 
have good visibility into what the Chinese require from people 
who sell devices in their country. I know it's an important 
topic.
    Ms. Lofgren. Before I forget, Mr. Chairman, I'd like to ask 
unanimous consent to put in the record an op-ed that was 
printed in The Los Angeles Times today authored by myself and 
my colleague, Mr. Issa, on this subject.
    Mr. Goodlatte. How could anyone object to that being a part 
of the record?
    [The information referred to follows:]
    
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
          
                               __________
                               
    Ms. Lofgren. I just note that in terms of the--you 
mentioned that the code at Apple, that they've done a pretty 
good job of protecting their code and you didn't remember 
anything getting out loose, but I do think, you know, if you 
take a look, for example, at the situation with Juniper 
Networks, where they had--their job is cybersecurity, really, 
and they felt that they had strong encryption, and yet, there 
was a vulnerability, and they were hacked and it put 
everybody's data, including the data of the U.S., I mean, of 
the FBI and the State Department and the Department of Justice 
at risk, and we still don't know what was taken by our enemies.
    Did you think about the Juniper Networks issue when you 
filed the All Writs Act report, you know, remedy in San 
Bernardino?
    Mr. Comey. No. But I think about that and a lot of similar 
intrusions and hacks all day long, because it's the FBI's job 
to investigate those and stop those.
    Ms. Lofgren. I was struck by your comment that Apple hadn't 
been hacked, but, in fact, iCloud accounts have been hacked in 
the past. I think we all remember in 2014, the female celebrity 
accounts that were hacked from the cloud, from iCloud, and CNBC 
had a report that China likely attacked iCloud accounts. And 
then in 2015, last year, Apple had to release a patch in 
response to concerns that there had been brute force attacks at 
iCloud accounts.
    So I am anticipating, we'll see, that Apple will take 
further steps to encrypt and protect not only its operating 
system that it has today, but also the protection as well as 
the iCloud accounts.
    And I'll just close with this. I have on my iPhone all 
kinds of messaging apps that are fully encrypted, some better 
than others. Some were designed in the United States, a bunch 
of them were designed in other countries. And I'm not--I 
wouldn't do anything wrong on my iPhone, but if I were a 
terrorist, I could use any one of those apps and communicate 
securely, and there wouldn't be anything that the U.S. 
Government, not the FBI, not the Congress, or the President 
could do to prevent that from occurring. So I see this as, you 
know, the question of whether my security is going to be 
protected, but the terrorists' will continue abate.
    And I thank you, Mr. Comey, for being here. I yield back, 
Mr. Chairman.
    Mr. Goodlatte. The Chair thanks the gentlewoman.
    And the Chair recognizes the gentleman from Texas, Mr. Poe, 
for 5 minutes.
    Mr. Poe. Thank you, Director. I appreciate you being here.
    Start with a little--some basics. The Fourth Amendment 
protects citizens from government. Citizens have rights; 
government has power. There is nowhere I see in the Fourth 
Amendment that there is an except-for-terrorists-cases 
exception or fear cases, that the Fourth Amendment should be 
waived. I signed lots of warrants in 22 years from everybody, 
including the FBI. Four corners of the warrant, what is to be 
searched, and law enforcement typically would fulfill the duty 
or ability in that warrant as far as they could, which is a 
good thing, and return the warrant.
    Now we have a situation where the issue is not lawful 
possession. FBI is in lawful possession of the San Bernardino 
phone; lawful possession of the phone in New York. Do you agree 
with me on that?
    Mr. Comey. Yes.
    Mr. Poe. So we're not talking about whether the phones are 
in lawful possession. The issue is whether--the specific issue 
is whether government can force Apple, in this case, to give 
them the golden key to unlock the safe because they can't 
develop the key. I know that's kind of simplistic, but is that 
a fair statement or not?
    Mr. Comey. No.
    Mr. Poe. Not? Let me ask you this--okay, you say it is not. 
Apple develops the software and gives it to--and unlocks the 
phone, but this is not the only phone in question. Is that 
correct? There are other phones that FBI has in lawful 
possession that you can't get into.
    Mr. Comey. Sure. Law enforcement increasingly encounters 
phones, investigations all over the place that can't be 
unlocked. I would mention the Baton Rouge case too.
    Mr. Poe. All right. There's several. How many cases do you 
have in lawful possession that you want to get into the phone 
but you can't get into it because you don't have the software 
to break into it or to get into it?
    Mr. Comey. I don't know the number. A lot.
    Mr. Poe. A lot.
    Mr. Comey. And they are all different, which is what makes 
it hard to talk about any one case without being specific about 
what kind of phone it is.
    Mr. Poe. But you are in lawful possession of all these 
phones. This is not the issue of whether FBI lawfully possesses 
them. You have these phones. You can't get into them. Here is a 
specific phone. You want iPhone--Apple to develop software to 
get into this phone.
    My question is, what would prevent the FBI from then taking 
that software and going into all those other phones you have 
and future phones you seize?
    Mr. Comey. I see. This seems like a small difference, but I 
think it's actually kind of a big difference. The ask, the 
direction from the judge is not to have Apple get us into the 
phones; it's to have Apple turn off by developing software that 
will tell the phone to turn off the auto erase and the delay 
features so that we can try and guess the password.
    And so, in theory, if you had another 5C running iOS 9, 
which is what makes this relief possible--I mean it when I say 
it's obsolete, because I understand the 6s--there is no door 
for us to even try and pick the lock on, so it wouldn't work. 
But if there were phones in the same circumstances, sure, you 
could ask for the same relief from a court to try and make 
effective the search warrant.
    Mr. Poe. So, rather than giving you the key, it's really 
you want Apple to turn the security system off so they can get 
into the phone or you can get into the phone?
    Mr. Comey. Yeah. My homely metaphor was: take away the 
drooling watchdog that is going to attack us if we try and open 
it. Give us time to pick the lock.
    Mr. Poe. Or like the Viper system that Mr. Issa developed. 
Turn off the Viper system so you can get into the phone.
    And it boils down to the fact of whether or not government 
has the ability to demand that occur. We have two court 
rulings. They are different. I have read the opinions. They are 
different, a little different cases. Would you agree or not, 
Congress has to resolve this problem? We shouldn't leave it up 
to the judiciary to make this decision. Congress should resolve 
the problem and determine exactly what the expectation of 
privacy is in these particular situations of encryption or no 
encryption; key, no key? Do you agree or not?
    Mr. Comey. I think that the courts are competent--and this 
is what we've done for 230 years--to resolve the narrow 
question about the scope of the All Writs Act. But the broader 
question we're talking about here goes far beyond phones or far 
beyond any case. This collision between public safety and 
privacy, the courts cannot resolve that.
    Mr. Poe. And only--the Congress should then resolve, what 
is the expectation of privacy in this high-tech atmosphere of 
all this information stored in many different places on the 
cloud, on the phone, wherever it's stored, and--would you agree 
or not? I am just asking, should Congress resolve this issue of 
expectation of privacy of the American citizens?
    Mr. Comey. I think Congress certainly has a critical role 
to play. Like I said, since the founding of this country, the 
courts have interpreted the Fourth Amendment and the Fifth 
Amendment, so they are competent. That's an independent branch 
of government. But I think it is a huge role for Congress to 
play, and we're playing it today, I hope.
    Mr. Poe. I agree with you. I think it's Congress' 
responsibility to determine the expectation of privacy in this 
high-tech world.
    And I yield back, Mr. Chairman.
    Mr. Goodlatte. The time of the gentleman has expired.
    The gentleman from Tennessee is recognized for 5 minutes. 
There's 9 minutes and 45 seconds remaining in this vote. I will 
take a chance if the gentleman from Tennessee will.
    Mr. Cohen. If you want to go, I will go, or I will come 
back.
    Mr. Goodlatte. I am trying to move it along and not keep 
the Director any longer than we have to, so go ahead.
    Mr. Cohen. Thank you.
    Director Comey, are there limitations that you could see in 
permitting the FBI or government in a court to look into 
certain records, certain type of cases, certain type of 
circumstances that you could foresee, or do you want it open 
for any case where there could be evidentiary value?
    Mr. Comey. I am not sure I am following you. I like the way 
we have to do our work, which is go to a judge in each specific 
case and show lawful authority and a factual basis for access 
to anybody's stuff.
    Mr. Cohen. But if we decided to pass a statute and we 
thought it should be limited in some way, maybe to terrorism or 
maybe to something where it's a reasonable expectation that a 
person's life is in jeopardy or that you could apprehend 
somebody who has taken somebody's life, have you thought about 
any limits?
    Because, you know, under what you are saying, you go to a 
court, I mean, you could go to a court for cases that are not 
capital cases, and that's--I don't think anybody here--what the 
public is fascinated or riveted on is the fact that what 
happened in San Bernardino was so awful, and if we can find 
some communication or some list that was in the cloud that 
these people contacted, you know, Osama bin Laden's cousin and 
that they get--and find out that he has something to do with 
it, then that's important. But if you are talking about getting 
into somebody's information to find out who they sold, you 
know, 2 kilos or two bags or whatever is a whole different 
issue.
    Where would you limit it if you were coming up with a 
statute that could satisfy both your interest in the most 
extreme, important cases and yet satisfy privacy concerns?
    Mr. Comey. Yeah, I see. I am sorry. I misunderstood the 
question.
    I don't know and haven't thought about it well enough. And, 
frankly, I don't think that ought to be the FBI making that--
offering those parameters to you. There is precedent for that 
kind of thing. We can only seek wire taps, for example, on 
certain enumerated offenses in the United States, so it has to 
be really serious stuff before a judge can even be asked to 
allow us to listen to someone's communications in the United 
States. It can't just be any offense. So there's precedent for 
that kind of thing, but I haven't thought about it well enough.
    Mr. Cohen. Thank you. Because I am slow in getting up there 
to vote and the Republicans hit the--real quickly, I am going 
to yield back the balance of my time and start to walk fast.
    Mr. Goodlatte. The Chair thanks the gentleman.
    The Committee will stand in recess. We have two votes on 
the floor, with 7 minutes remaining in the first vote.
    Mr. Director, we appreciate your appearance. We will come 
back soon.
    [Recess.]
    Mr. Goodlatte. The Committee will reconvene and continue 
with questions for Director Comey.
    And the Chair recognizes the gentleman from Utah, Mr. 
Chaffetz, for 5 minutes.
    Mr. Chaffetz. Thank you, Mr. Chairman.
    And to the Director, thank you so much for being here.
    As I have mentioned before, my grandfather was a career FBI 
agent, so I have great affinity for the agency and what you do 
and how you do it. They almost always make us proud.
    But the big question for our country is, you know, how much 
privacy are we going to give up in the name of security? And as 
you said, there is no easy answer to that.
    But when, historically, with all the resources and assets 
of the Federal Government, all the expertise, all the billions 
of dollars, when has it been the function of government to 
compel or force a private citizen or a company to act as an 
agent of the government to do what the government couldn't do?
    Mr. Comey. That's a legal question. In lots of different 
circumstances, private entities have been compelled by court 
order to assist, again through the All Writs Act. New York 
Telephone is the Supreme Court case, the seminal case on the 
topic.
    Mr. Chaffetz. So let's talk for a moment about what you can 
see and what you can do. With all due respect to the FBI, they 
did--they didn't do what Apple had suggested they do in order 
to retrieve the data, correct? I mean, when they went to change 
the password, that kind of screwed things up. Did it not?
    Mr. Comey. Yeah, I don't know that that's accurate 
actually. I wasn't there. I don't have complete visibility. But 
I agreed with the questioner earlier: there was an issue 
created by the effort by the county at the FBI's request to try 
and reset it to get into it quickly.
    Mr. Chaffetz. And if they didn't reset it, then they could 
have gone to a WiFi, local WiFi, a known WiFi access, and 
performed that backup so they could go to the cloud and look at 
that data, correct?
    Mr. Comey. Right. You could get in the cloud through that 
mechanism anything that was backup-able--to make up a word--to 
the cloud, but that does not solve your full problem. I think I 
would still be sitting here talking about it otherwise.
    Mr. Chaffetz. But let's talk about what the government can 
see on using a phone, and it's not just an iPhone. But you can 
look at metadata, correct?
    Mr. Comey. Yes.
    Mr. Chaffetz. The metadata is not encrypted, correct? If I 
called someone else or that phone had called other people, all 
of that information is available to the FBI, correct?
    Mr. Comey. In most circumstances, right. Metadata----
    Mr. Chaffetz. In this case--let's talk about this case. You 
want to talk about this case. You can see the metadata, 
correct?
    Mr. Comey. My understanding is we can see most of the 
metadata.
    Mr. Chaffetz. How would you define metadata?
    Mr. Comey. I was just going to say that. Metadata, as I 
understand it, is records of time of contact, numbers assigned 
to the particular caller or texter. It's everything except 
content. You can't see what somebody said, but you can see that 
I texted to you in theory.
    My understanding is with text in particular, that's tricky. 
Particularly texting using iMessage, there's limitations on our 
ability to see the metadata around that. Again, I am not an 
expert, but that's my understanding.
    Mr. Chaffetz. And do you believe that geolocation, if you 
are tracking somebody's actual--where they are, is that content 
or is that metadata?
    Mr. Comey. My understanding is it depends upon whether you 
are talking historical or real time when it comes to 
geolocation data, but it can very much implicate the warrant 
requirement and does in the FBI's work a lot.
    Mr. Chaffetz. So that's what we're trying to--what's 
frustrating to me, being on Judiciary, being the Chairman of 
the Oversight Committee, there is nobody on the this panel as 
in a republic and representative of the people that have been 
able to see what the guidance is post-Jones in understanding 
how you interpret and what you are actually doing or not doing 
with somebody's geolocation.
    Mr. Comey. You have asked that of the FBI and not been able 
to get it?
    Mr. Chaffetz. Department of Justice, they have been asking 
for this for years. What's frustrating is the Department of 
Justice is asking for more tools, more compulsion, and we can't 
even see what you are already doing. We can't even see to the 
degree you are using stingrays and how they work. I mean, I 
think I understand how they work, but what sort of requirements 
are there? Is it articulable suspicion? Is there a probable 
cause warrant that's being used or needed?
    And it's not just the FBI. I mean, you have got the IRS and 
Social Security and others using stingrays, again, other tools 
that I would argue are actually content into somebody's life 
and not just the metadata that you are able to see.
    So how do we get exposure? How do we help you if we can't--
if you routinely refuse--and I say ``you,'' meaning the 
Department of Justice--access in explaining to us what tools 
you already do have and what you can access? How do we solve 
that?
    Mr. Comey. Yeah, I don't have a great answer sitting here. 
I will find out what's been asked for and what's been given. I 
like the idea of giving as much transparency as possible. I 
think people find it reassuring, at least with respect to the 
FBI. To take cell phone tower simulators, we always use search 
warrants. And so that shouldn't be that hard to get you that 
information.
    Mr. Chaffetz. What I worry about, you may be responsible, 
but I don't know what the IRS is doing with them, and I have a 
hard time figuring out when that is responsible.
    Last comment, Mr. Chairman. To what degree are you able to 
access and get into, either in this case or broadly, are you 
able to search social media in general, and are you using that 
as an effective tool to investigate and combat what you need to 
do?
    Mr. Goodlatte. The time of the gentleman has expired. The 
witness can answer the question.
    Mr. Comey. Social media is a feature of all of our lives, 
and so it's a feature of a lot of our investigations. Sometimes 
it gives us useful information; sometimes not. It's hard to 
answer in the abstract, but it's a big part of our work.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentleman from Georgia, Mr. Johnson, for 5 
minutes.
    Mr. Johnson. Thank you, Director Comey.
    The Framers of our Constitution recognized a right to 
privacy that Americans would enjoy. The Fourth Amendment pretty 
much implies that right to privacy. Does it not?
    Mr. Comey. I am not a constitutional scholar. I think a 
scholar, if he were sitting here, might say it's not the Fourth 
Amendment that's the source of the right to privacy; it's other 
amendments of the Constitution. But that's a technical answer. 
The Fourth Amendment is critically important because it's a 
restriction on government power. You may not look at the 
people's stuff, their houses, their effects without a warrant 
and without an independent judiciary.
    Mr. Johnson. But it also grants impliedly to the 
government, the Fourth Amendment, the authority to search and 
seize when the search or seizure is reasonable. Is that 
correct?
    Mr. Comey. Again, to be technical, I think the answer is 
Congress has given the government that authority through 
statute. The Fourth Amendment is a restriction on that 
authority.
    Mr. Johnson. The Fourth Amendment says that the right of 
the people to be secure in their place, in their persons, 
housings, papers, and effects against unreasonable searches and 
seizures shall not be violated and no warrant shall issue but 
upon probable cause, supported by oath or affirmation.
    And what I am reading into the Fourth Amendment is that the 
people do have a right to privacy, have a right to be secure in 
their persons, housings, papers, and effects, but I am also 
reading into it an implied responsibility of the government to, 
on occasion, search and seize. Would that be your reading of it 
also?
    Mr. Comey. Yes.
    Mr. Johnson. And, of course, upon probable cause. But there 
are some circumstances where, in a hot pursuit or at the time 
of an arrest, there's some exceptions that have been carved out 
to where a warrant is not always required to search and seize. 
Is that correct?
    Mr. Comey. Yes. You mentioned one, the so-called exigent 
circumstances doctrine, where if you are in the middle of an 
emergency and you are looking for a gun that a bad guy might 
have hid, you know, in a car or something, you don't 
necessarily have to go get the warrant. If you have the factual 
basis, you can do the search and then have the judge look at it 
and validate it.
    Mr. Johnson. Now, even in a situation where exigent 
circumstances exist, technology has now brought us to the point 
where law enforcement or the government is preempted from being 
able to search and seize. Is that correct? Technology has 
produced this result.
    Mr. Comey. Yeah, I think technology has allowed us to 
create zones of complete privacy, which sounds like an awesome 
thing until you really think about it. But those zones prohibit 
any government action under the Fourth Amendment or under our 
search authority.
    Mr. Johnson. Well, it's actually a zone of impunity, would 
it not be, a zone where bad things can happen and the security 
of Americans can be placed at risk?
    Mr. Comey. Potentially, yes, sir.
    Mr. Johnson. And that is the situation that we have with 
end-to-end encryption. Is that not correct?
    Mr. Comey. I think that's a fair description, where we have 
communications where, even with the judge's order, can't be 
intercepted.
    Mr. Johnson. Now, you said that you were not a 
constitutional scholar, and neither am I, but does it seem 
reasonable that the Framers of the Constitution meant to exempt 
any domain from its authority to be able to search and seize if 
it's based on probable cause or some exigent circumstance 
allows for a search and seizure with less than a warrant and a 
showing of probable cause?
    Mr. Comey. Yeah, I doubt that they--obviously, I doubt that 
they imagined the devices we have today and the ways of 
communicating. But I also doubt that they imagined there would 
be any place in American life where law enforcement with lawful 
authority could not go. And the reason I say that is, the First 
Amendment talks about the people's homes. Is there a more 
important place to any of us than our homes?
    So from the founding of this country, it was contemplated 
that law enforcement could go into your house with appropriate 
predication and oversight. So, to me, the logic of that tells 
me they wouldn't have imagined any box or storage area or 
device that could never be entered.
    Mr. Johnson. So, from that standpoint, to be a strict 
constructionist about the Constitution and the Fourth 
Amendment, it's ridiculous that anyone would think that we 
would not be able to take our present circumstances and shape 
current law to appreciate the niceties of today's practical 
realities. I know I am rambling a little bit. But did you 
understand what I just said?
    Mr. Comey. I understand what you said, sir.
    Mr. Johnson. Would you agree or disagree with me?
    Mr. Goodlatte. The time of the gentleman has expired. The 
Director may answer the question.
    Mr. Comey. I think it's the kind of question that 
democracies were built to wrestle with and that the Congress of 
the United States is fully capable of wrestling with in a good 
way.
    Mr. Johnson. Well, in prior times, we have been.
    Mr. Goodlatte. The time of the gentleman has expired.
    Mr. Johnson. Thank you.
    Mr. Goodlatte. The Chair recognizes the gentleman from 
Pennsylvania, Mr. Marino, for 5 minutes.
    Mr. Marino. Thank you, Mr. Chairman.
    Mr. Director, it's always a pleasure.
    Mr. Comey. Same, sir.
    Mr. Marino. I am going to expand a little bit on one of 
Judge Poe's questions. Is the Bureau asking Apple to simply 
turn over the penetration code for the Bureau to get into or 
that you want the penetration code at your disposal? Do you 
understand what I am saying?
    Mr. Comey. As I understand the judge's order, the way it 
could work out here is that the maker of the phone would write 
the code, keep the phone and the code entirely in their office 
space, and the FBI would send the guesses electronically. So we 
wouldn't have the phone. We wouldn't have the code. That's my 
understanding of it.
    Mr. Marino. That's good point to clarify, because there's 
some--there's a lot of rumors out there.
    I am going to switch to the courts a little bit here. Do 
you see the Federal court resolving the warrant issue that the 
Bureau is presently faced with, whatever way that decision 
eventually comes down, or should Congress legislate the issue 
now, if at all?
    Mr. Comey. I don't--I appreciate the question. I don't 
think that's for me to say. I do think the courts--because some 
people have said so in the middle of this terrorism 
investigation, why didn't you come to Congress? Well, because 
we're in the middle of a terrorism investigation. And so I 
think the courts will sort that out faster than any legislative 
body could, but only that particular case.
    The broader question, as I said earlier, I don't see how 
the courts can resolve this tension between privacy and public 
safety that we're all feeling.
    Mr. Marino. Another good point.
    Given that most of our social, professional, and very 
personal information is on our desktop computers, on our 
laptops, on our pads, and now more than ever on these things, 
what is your position on notching up the level at which members 
of the Federal judiciary can approve a warrant to access 
critically valuable evidence to solve a horrific felony, 
particularly when fighting terrorism?
    Mr. Comey. Do you mean making the threshold something above 
probable cause?
    Mr. Marino. No, no, not the threshold, the Federal judicial 
individuals making this decision. Right now, I understand it's 
a magistrate. When I was at the State level, we could do some 
things at sort of the magistrate level or the district court, 
but then we had to go to the superior court, and working in the 
Federal system with you, we had to go to one or two different 
levels. What's your position on that?
    Mr. Comey. I see what you are saying. So, instead of having 
magistrate judges decide these questions, the district court 
might?
    Mr. Marino. Yeah. And no disrespect to magistrate courts. I 
am very good friends with a lot of those brilliant people who 
will eventually, I know, go to the bench. But from a 
perspective of the public that a more narrowly defined, limited 
number of people making that decision concerning the 
electronics that we have.
    Mr. Comey. Honestly, Congressman, I haven't thought about 
that. I agree with you. I have a number of friends who are 
magistrate judges, and they are awesome. And they think well, 
and they rule well. I think they are fully capable of handling 
these issues, but I haven't thought about it well enough to 
react, other than that.
    Mr. Marino. Okay. And just for the record, I have managed a 
couple of prosecution offices, and I have never gone to the 
experts, whether it's in DNA or whether it's in these 
electronics, and ask them, did you complete everything that you 
should have completed?
    Mr. Comey. Thank you, Mr. Marino.
    Mr. Goodlatte. The Chair recognizes the gentlewoman from 
California, Ms. Chu, for 5 minutes.
    Ms. Chu. Director Comey, my district is next to San 
Bernardino. After the terror attack, we mourned the loss of 14 
lives and empathized with the 22 wounded, and there is indeed 
fear and anxiety amongst my constituents. So our discussion 
here today is particularly important to the people back home. 
There are many in our area that want answers, but there are 
also many that feel conflicted about putting their own privacy 
at risk.
    So my first question to you is: Under Federal law, we do 
not require technology companies to maintain a key to unlock 
encrypted information in the devices they sell to customers. 
Some of the witnesses we will hear from today argue that if 
such a key or software was developed to help the FBI access the 
device used by Syed Farook, it would make the millions of other 
devices in use today vulnerable. How can we ensure that we're 
not creating legal or technical backdoors to U.S. technology 
that will empower other foreign governments in taking advantage 
of this loophole?
    Mr. Comey. It's a great question. I think what you have to 
do is just talk to people on all sides of it who are true 
experts, which I am not, but I have also talked to a lot of 
experts. And I am an optimist. I actually don't think we've 
given this the shot that it deserves. I don't think the most 
creative and innovative people in our country have had an 
incentive to try and solve this problem.
    But when I look at particular phones, in the fall of 2014, 
the makers of these phones could open them. And I don't 
remember people saying the world was ending at that point and 
that we're all exposed. And so I do think judgments have been 
made that are not irreversible. But I think the best way to get 
at it is talk to people about, so why do you make the phone 
this way, and what is the possibility?
    The world I imagine is a world where people comply with 
warrants. How they do it is entirely up to them. Lots of phone 
makers and providers of email and text today provide secure 
services to their customers, and they comply with warrants. 
That's just the way they have structured their business. And so 
it gives me a sense of optimism that this is not an impossible 
problem to solve. Really, really hard, and it will involve you 
all talking to the people who really know this work.
    Ms. Chu. Well, I would like to ask about law enforcement 
finding technical solutions. I understand that there may be 
other methods or solutions for law enforcement when it comes to 
recovering data on a smartphone. Professor Landau argues in her 
testimony later today that solutions to accessing the data 
already exist within the forensic analysis community, solutions 
which may include jail breaking the phone, amongst others. Or 
she says other entities within the Federal Government may have 
the expertise to crack the code.
    Has the FBI pursued those other methods or tried to get 
help from within the Federal Government, such as from agencies 
like the NSA?
    Mr. Comey. Yes is the answer. We've talked to anybody who 
will talk with us about it, and I welcome additional 
suggestions. Again, you have to be very specific: 5C running 
iOS 9, what are the capabilities against that phone. There are 
versions of different phone manufacturers and combinations of 
model and operating system that it is possible to break a phone 
without having to ask the manufacturer to do it. We have not 
found a way to break the 5C running iOS 9.
    And, as I said, in a way, this is kind of yesterday's 
problem because the 5C, although I am sure it's a great phone, 
has been overtaken by the 6 and will be overtaken by others 
that are different in ways that make this relief yesterday.
    Ms. Chu. So let me ask you this: Like smart phones, safes 
can be another form of storage of personal information. 
Similarly to how technology companies are not required to 
maintain a key to unlock encryption, safe manufacturers are not 
required to maintain keys or combinations to locks.
    Given this, law enforcement has been able to find a way to 
get into safes under certain circumstances or obtain critical 
information through other avenues. So how does this differ from 
unlocking a smartphone? It's clear that technology is outpacing 
law enforcement's ability to get information from devices like 
the iPhone, even with a proper warrant, but isn't it the FBI or 
the law enforcement agency who bears the responsibility to 
figure out the solution to unlock the code?
    Mr. Comey. I will take the last part first. Sure, if we can 
figure it out. The problem with the safe comparison is there's 
no safe in the world that can't be opened. And if our experts 
can't crack it, we will blow it up. We will blow the door off. 
And so this is different. The awesome, wonderful power of 
encryption changes that and makes that comparison, frankly, 
inept.
    And so, sure, where law enforcement can appropriately 
lawfully figure out how to do it, we will and should. But there 
will be occasions, and it's going to sweep across--again with 
the updating of phones and the changing of apps where we 
communicate end-to-end encrypted--it's going to sweep across 
all of our work and outstrip our ability to do it on our own.
    Ms. Chu. Thank you. I yield back.
    Mr. Goodlatte. The Chair thanks the gentlewoman.
    The gentleman from South Carolina, Mr. Gowdy, is recognized 
for 5 minutes.
    Mr. Gowdy. Thank you, Mr. Chairman.
    Director, thank you for your service to the country.
    And I do appreciate your acknowledgment and that of my 
colleagues of the difficulty in reconciling competing binary 
constitutional principles like public safety, national 
security, and privacy. And I confess upfront: my bias is toward 
public safety.
    Because of this loosely held conviction I have that the 
right to counsel, the right to free speech, the right to a jury 
trial just isn't of much use if you are dead, so I reconcile 
those competing principles in favor of public safety.
    And my concern as I hear you testify is that I have 
colleagues and others who are advocating for these evidence-
free zones. They are just going to be compartments of life 
where you are precluded from going to find evidence of 
anything.
    And I am trying to determine whether or not we as a society 
are going to accept that, that there are certain--no matter how 
compelling the government's interest is in accessing that 
evidence, we are declaring right now this is an evidence-free 
zone; you can't go here no matter whether it's a terrorist 
plot--and I am not talking about the Feng case. That's a drug 
case. The case the magistrate decided yesterday in New York is 
a drug case. Those are a dime a dozen.
    National security, there's nothing that the government has 
a more compelling interest in than that, and we're going to 
create evidence-free zones? Am I missing something? Is that how 
you see it? You just can't go in these categories unless 
somebody consents?
    Mr. Comey. That's my worry, and why I think it's so 
important we have this conversation. Because even I on the 
surface think it sounds great when people say: Hey, you buy 
this device; no one will ever be able to look at your stuff. 
But there are times when law enforcement saves our lives, 
rescues our children, and rescues our neighborhoods by going to 
a judge and getting permission by looking at our stuff.
    And so, again, I come to the case of a Baton Rouge 8-month 
pregnant woman, shot when she opens her door. Her mom says she 
keeps a diary on her phone. We can't look at the diary to 
figure out what might have been going on in her life. Who was 
she texting with? That's a problem. I love privacy. But all of 
us also love public safety, and it's so easy to talk about. Buy 
this amazing device; you will be private. But you have to take 
the time to think: Okay. There's that, and what are the costs 
of that? And that's where this collision is coming in.
    Mr. Gowdy. Well, I love privacy too, but I want my fellow 
citizens to understand that most of us also, in varying 
degrees, also love our bodies and the physical integrity of our 
body. But since Schmerber, the government has been able to 
access orders for either blood against the will of the 
defendant or, in some instances, surgical procedures against 
the will of the defendant.
    So when I hear my colleagues say, have you ever asked a 
nongovernment actor to participate in the securing of evidence, 
absolutely. That's what the surgeon does. If you have a bullet 
from an officer who was shot in a defendant, you can go to a 
judge and ask the judge to force a nurse or surgeon to 
anesthetize and remove that bullet. So if you can penetrate the 
integrity of the human body in certain categories of cases, how 
in the hell you can't access a phone, I just find baffling.
    But let me ask you this: If Apple were here--and they are 
going to be here--how would they tell you to do it? If there 
were a plot on an iPhone to commit an act of violence against, 
say, hypothetically, an Apple facility, and they expected you 
to prevent it, how would they tell you to access the material 
on this phone?
    Mr. Comey. I think they would say what they have said, 
which I believe is in good faith, that we have designed this in 
response to what we believe to be the demands of our customers 
to be immune to any government warrant or our, the 
manufacturer's, efforts to get into that phone. We think that's 
what people want.
    And that may be so, except I would hope folks will look at 
this conversation and say, ``Really, do I want that?'' and take 
a step back and understand that this entire country of ours is 
based on a balance. It's a hard one to strike, but it's so 
seductive to talk about privacy as the ultimate value. In a 
society where we aspire to be safe and have our families safe 
and our children safe, that can't be true. We have to find a 
way to accommodate both.
    Mr. Gowdy. So Apple, on the one hand, wants us to kind of 
weigh and balance privacy, except they have done it for us. 
They have said at least as it relates to this phone, we've 
already done that weighing and balancing, and there is no 
governmental interest compelling enough for us to allow you to 
try to guess the password of a dead person's phone that is 
owned by a city government. There's no balancing to be done. 
They have already done it for us.
    I would just--I will just tell you, Director, in 
conclusion: We ask the Bureau and others to do a lot of things, 
investigate crime after it's taken place, anticipate crime, 
stop it before it happens. And all you are asking is to be able 
to guess the password and not have the phone self-destruct. And 
you can go into people's bodies and remove bullets, but you 
can't go into a dead person's iPhone and remove data. I just 
find it baffling.
    But I am out of time.
    Mr. Goodlatte. The gentleman's time has expired.
    The Chair recognizes the gentleman from Florida, Mr. 
Deutch, for 5 minutes.
    Mr. Deutch. Thank you, Mr. Chairman.
    Director Comey, thank you for being here. Thank you for 
your service and that of the men and women who work for you. 
We're all grateful for what they do.
    And I just wanted to take a moment before I ask you a 
couple questions here to let you know that Bob Levinson, who 
was an agent for over 20 years, 28 years, at the Justice 
Department, continues to be missing. I want to thank you for 
what you have done. I want to thank you for the Facebook page 
in Farsi that you have put up. I would love a report on the 
effectiveness and what you have heard from that.
    And I want to, more than anything else, on behalf of Bob's 
family, I want to thank you for never forgetting this former 
agent, and I am grateful for that.
    Mr. Comey. Thank you, sir. He'll never be forgotten.
    Mr. Deutch. Now, I want to agree with Mr. Gowdy that if 
this were as easy as public safety or privacy, I think most of 
us, probably all of us, if we had to make the choice, we're 
going to opt for public safety for the very reason that Mr. 
Gowdy spoke of.
    I have some questions. What I am confused about is this: 
The tool that you would need to take away the dogs, take away 
the vicious guard dogs, it's a tool that would disable the 
auto-erase. There's some confusion as to whether there's an 
additional tool that you are seeking that would allow you to 
rapidly test possible passcodes. Is there a second tool as 
well?
    Mr. Comey. Yeah. I think there's actually three elements to 
it. And I have spoken to experts. I hope I get this right. The 
first is what you said, which is to disable the self-destruct, 
auto-erase type feature. The second is to disable the feature 
that, between successive guesses--as I understand iOS 9, it 
spreads out the time, so even if we got the ability to guess, 
it would take years and years to guess. So do away with that 
function. And the third thing, which is smaller, is set it up 
so that we can send you electronic guesses so we don't have to 
have an FBI agent sit there and punch in 1-2-3-4, like that.
    Mr. Deutch. And once they created that, would you expect 
them, after this case, would you expect them to preserve that 
or destroy it?
    Mr. Comey. I don't know. It would depend on what the 
judge's order said. I think that's for the judge to sort out. 
That's my recollection.
    Mr. Deutch. So here is the issue: I think that vicious 
guard dog that you want to take away so you can pick the lock 
is one thing. But in a world where we do--I mean, it's true: 
there are awful people, terrorists, child predators, molesters 
who do everything on here. But so do so many of the rest of us, 
and we would like a pack of vicious guard dogs to protect our 
information to keep us safe, because there's a public safety 
part of that equation as well.
    And the example of surgical procedures, the reason that 
that I don't think applies here is because, in that case, we 
know the only one doing the surgical procedure is the doctor 
operating on behalf of law enforcement. But when this tool is 
created, the fear, obviously, is that it might be used by 
others, that there are many who will try to get their hands on 
it and will then put at risk our information on our devices.
    And how do you balance it? This is a really hard one for 
me. This isn't an either/or. I don't see it as a binary option. 
So how do you do that?
    Mr. Comey. I think it's a reasonable question. I also think 
it's something the judge will sort out. Apple's contention, 
which, again, I believe is made in good faith, is that there 
would be substantial risk around creating this software. On the 
government side, count us skeptical, although we could be 
wrong, because I think the government's argument is that's your 
business to protect your software, your innovation. This would 
be usable in one phone. But, again, that's something the judge 
is going to have to sort out. It's not an easy question.
    Mr. Deutch. If it's the case, though, that it's usable in 
more than one phone and that it applies beyond there, then the 
public safety concerns that we may have, that a lot of us have 
about what would happen if the bad guys got access to our 
phones and our children's phones, in that case, those are 
really valid. Aren't they?
    Mr. Comey. Sure. The question that I think we're going to 
have litigation about is how reasonable is that concern. And, 
you know, slippery-slope arguments are always attractive, but I 
mean, I suppose you could say, well, Apple's engineers have 
this in their head. What if they are kidnapped and forced to 
write software? That's why the judge has to sort this out 
between good lawyers on both sides making all reasonable 
arguments.
    Mr. Deutch. And, finally, Mr. Chairman, I just worry, when 
we talk about the precedential value, the discussion is taking 
place wholly within a domestic context. There are countries 
around the world where we know very well that the governments 
do their best to monitor what happens in their country and, 
through people's cell phones, are able to squash dissent, are 
able to take action to throw people in jail and to torture 
people.
    And I think that precedential value is something else that 
we have to bear in mind as we engage in this really important 
and really difficult debate.
    And I yield back, Mr. Chairman.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentleman from Florida, Mr. DeSantis for 5 
minutes.
    Mr. DeSantis. Good afternoon, Director Comey. When you are 
looking at a case like the Apple case, and you want to be able 
to, as you said, remove the guard dogs and the FBI go in, are 
you concerned about preserving the evidentiary value that can 
then be used, or are you more interested in just getting the 
information for intel purposes so that you can use that for 
counterterrorism?
    Mr. Comey. Our hope is to do both, but if we have to 
choose, we want the information first, and then we would like 
it, obviously, to be in a form that could be used if there was 
a court proceeding against somebody someday.
    Mr. DeSantis. I guess, are there instances in which maybe a 
company would provide the data but would provide it to you in a 
way that you would not necessarily be able to authenticate that 
in court?
    Mr. Comey. Sure. That happens all the time.
    Mr. DeSantis. And that's something that the FBI, if that's 
what you get, then you are fine with that?
    Mr. Comey. Depends upon the case, but in general, that's a 
tool that we use, private cooperation where we may not be able 
to use the information in court.
    Mr. DeSantis. And in terms of the guy in San Bernardino, it 
wasn't even his phone, and then the owner of the phone has 
consented for the FBI to have the information. Is that correct?
    Mr. Comey. Right. We have a search warrant for the phone. 
The guy who was possessing it is obviously dead. And the owner 
of the phone has consented.
    Mr. DeSantis. What's the best analogous case to what you 
are trying to do here? Because people will look at it and say: 
Well, you are basically commandeering a company to have to do 
these things. That's typically not the way it works. So what 
would you say is--outside of the technology context, what would 
be an analogous case?
    Mr. Comey. Well, everyone in the United States, to some 
degree, has an obligation to cooperate with appropriate 
authority. The question that the court has to resolve under the 
All Writs Act is, what are the limits of that? Apple's argument 
is that might be okay if it requires us to hand you something 
we've already made to open a phone, but if we're going to make 
something new, that's beyond the scope of the law.
    As you know, that's something the courts do every day in 
the United States, trying to understand the law and interpret 
its scope based on a particular set of facts. So that's what 
will be done in San Bernardino in a different context. It's 
being done in Brooklyn, in the drug case in Brooklyn. I think 
it's being done in different stages all over the country, 
because in investigation after investigation, law enforcement 
is encountering these kinds of devices.
    Mr. DeSantis. In your cases, have you gotten an order under 
the All Writs Act to just have a defendant, if you have a 
search warrant, produce the code?
    Mr. Comey. I don't know of a--I don't know of a similar 
case.
    Mr. DeSantis. In terms of, I know some of the technology 
companies are concerned about if they are creating ways to, I 
guess, penetrate their systems, that's creating like a back 
door. And I guess my concern is terrorists, obviously, when 
operating in a variety of spheres, one of the ways that they 
get a lot of bang for their buck is cyber attacks.
    And so if companies were creating more access for law 
enforcement in some of these situations, would that create more 
vulnerability for people and be more likely that they were 
subjected to a potential cyber attack?
    Mr. Comey. Potentially, sure. If there were access tools 
that got loose in the wild or that could be easily stolen or 
available to bad people, it's a concern. As I said, a huge part 
of the Bureau's work is protecting privacy by fighting against 
those cybercriminals. So it's something we worry about every 
day.
    Mr. DeSantis. Well, how would you then provide a 
assurances, if you are requesting a company to work with you, 
that this doesn't get out into the wild, so to speak?
    Mr. Comey. I think in the particular case, we have 
confidence--and I think it is justified--that Apple is highly 
professional at protecting its own innovation, its own 
information. So the idea here is: You keep it. You figure out 
how to store it. You figure--you even take the phone and 
protect it. I think that's something they do pretty well, but, 
again, that is something the judge will sort out.
    Apple's argument, I think, will be that's not reasonable 
because there are risks around that. Even though we're good at 
this, it could still get away from us. And the judge will have 
to figure that out, what's reasonable in that circumstance.
    Mr. DeSantis. Thank you.
    I yield back the balance of my time.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentleman from Illinois, Mr. Gutierrez.
    Mr. Gutierrez. Thank you, Mr. Chairman.
    And thank you, Director Comey, for coming and being with us 
here this afternoon. I won't take my 5 minutes, so I will make 
a couple of comments and beginning by saying that I hope that 
all of the Members of the Committee would take note that the 
Director is actually answering our questions, and that is 
obviously very refreshing in that we get a lot of witnesses 
here. And if they bring them, we might not like them; if we 
bring them, they don't seem to like them. And it's good to get 
information without passing judgment.
    And I think that's what you have done very well here today. 
You are not passing judgment on Apple and their motivation. And 
I think in not questioning people's motivation, it's easier to 
get a solution, because once you do that, everybody kind of 
says: ``Okay, let's get all our defenses up.'' And, really, 
what we need to be doing is defending the American people, not 
Apple or any company or the FBI for that matter, but defending 
the American people. So I want to thank you for that.
    And I just want to suggest that we continue these 
conversations. I buy a house. I have no reasonable expectation 
that if you get a warrant, you are going to go into my--any 
drawer in my bedroom. When I buy the house, I don't have any 
expectation of privacy once you get a warrant to come. I do 
expect you to get one.
    I come from a time when I wasn't quite sure the Chicago 
Police and law enforcement was actually getting warrants in the 
city of Chicago in the 1960's to get that, so we want to be a 
little careful and make sure. I am trusting of you. If you were 
the FBI agent, I would say, no problem, Director Comey, come on 
in.
    But, unfortunately, there are human beings at all the 
different levels of government, and I just want to say that I 
am happy you came because I don't have that expectation in my 
car. I don't have that expectation--I don't use the computer a 
lot to--I still write. I don't have any expectation.
    But the difference is--and I think you have made and I 
think this Committee should take it into consideration--we do 
put a lot of information in these contraptions, and the reason 
we put them there is because we don't want to put them on a 
notebook; we want to keep them private. But I really don't have 
any expectation that once I put this, if you have a lawful 
warrant, that you should be able to get it, even from my 
computer. I think that's where you are going.
    Could you--is that where you think--have I heard you right?
    Mr. Comey. I do. I agree with you, except I think the case 
for privacy is even stronger than you said. You do have a 
reasonable expectation to privacy in your home, in your car, 
and in your devices. The government, under our Constitution, is 
required to overcome that by going to an independent judge, 
making a showing of probable cause, and getting a warrant.
    What we need to talk about as a country is we're moving to 
a place where there are warrant-proof places in our life, and 
yes, these devices are spectacular, because they do hold our 
whole lives. They are different than a briefcase. They are 
different than a drawer. So it is a source with--a place with a 
tremendous reasonable expectation of privacy.
    But if we're going to move to a place where that is not 
possible to overcome that, that's a world we've never lived in 
before in the United States. That has profound consequences for 
public safety. And all I am saying is we shouldn't drift there, 
right? Companies that sell stuff shouldn't tell us how to be. 
The FBI shouldn't tell us how to be. The American people should 
say: ``The world is different. How do we want to be?'' And 
figure that out.
    Mr. Gutierrez. Yeah, I think we're in the same place then, 
because I do have a reasonable expectation of privacy in my 
home. But if you go to court, you convince the judge, and you 
overcome it, I have never had any expectation that a court 
order, because I bought something, I am going to be able to 
overcome a court order. So I think we're in the same place.
    So thank you so much, Director, for coming and sharing 
time. I hope to share more time with you so we can talk some 
more. Thank you.
    Mr. Goodlatte. The Chair recognizes the gentleman from 
Iowa, Mr. King, for 5 minutes.
    Mr. King. Thank you, Mr. Chairman.
    Director, thanks for your testimony here and your 
leadership with the FBI.
    I am curious about this from a perspective that has to do 
with our global war against radical Islamic terrorists. And I 
have laid out a strategy to defeat that ideology. I would take 
it back to our ability some years past to be able to identify 
their cell phones and get into their cell phones in such a way 
that we also got into their heads, which drove them into the 
caves and really diminished a lot of their otherwise robust 
activity that Al Qaeda might have carried out against us. I 
think that was a successful effort.
    Now we have global cyber operations going on with, I think 
by your numbers from a previous report I read, well over 
100,000 ISIS activities on Twitter and other cyber activity in 
a single day. And so I am interested in how the parameters that 
have been examined thoroughly by a lot of the lawyers on this 
panel might apply to an all-out cyber warfare against ISIS and 
any of their affiliates or subordinates that I think is 
necessary if we're going to defeat that ideology.
    And so I am thinking in terms of if this Congress might 
diminish, slow down, or shut down access to this phone, that 
also means access to any other phone that they might be using; 
they would have a high degree of confidence that they could 
operate with a level of impunity in the cyber world out there.
    Do you have any comments you would like to make on the 
implications that being locked out of an opportunity to unlock 
this phone might mean to the global war on terror that could be 
prosecuted in the next Administration aggressively across the 
fields of cyber warfare? And I would just add to that for the 
sake of enumerating them: financial warfare, educational 
warfare, and human intelligence, and the network that would be 
necessary, not just the kinetic activity, to defeat radical 
Islamic terrorism.
    Mr. Comey. Thank you, Mr. King.
    This conversation we're having today and that I hope will 
continue is really important for domestic law enforcement, but 
it has profound implications for, among other things, our 
counterterrorism work. Because since Mr. Snowden's revelations, 
terrorist tradecraft changed, and they moved immediately to 
encrypted apps for their communication in trying to find 
devices that were encrypted, wrap their lives in encryption, 
because they understand the power of encryption.
    And so there's no place we see this collision between our 
love for privacy and the security of encryption and public 
safety than in fighting terrorism, especially ISIL. Because for 
the FBI's responsibility, which is here in the United States, 
every day we're looking for needles in a hay stack. And, 
increasingly, the most dangerous needles go invisible to us, 
because that's when ISIL moves them to an encrypted app that's 
end-to-end encrypted and a judge's order is irrelevant there.
    That's why this is such an urgent feature of our work. It 
has huge implications for law enforcement overwhelmingly, but 
it has profound implications in the fight against terrorism.
    Mr. King. Do you get any signals that the American public 
or the United States Congress is contemplating some of the 
things that you discussed here to the depth that it would be a 
component in the decisionmaking?
    Mr. Comey. I don't know. I know everybody's interested in 
this and everybody, all thoughtful people see both sides of 
this and are trying to figure out how to resolve it, how to 
resolve it practically, how to resolve it technically. And the 
other challenge is--not to make it harder--there is no it. 
There isn't a single it. There's all different kinds of 
manifestations of this problem we call going dark.
    So what I see is people of good will who care about privacy 
and safety wrestling with this. Court cases are important, but 
they are not going to solve this problem for us.
    Mr. King. Let me suggest that--I will just say: I think 
it's a known and a given that ISIS or ISIL is seeking a nuclear 
device and has pretty much said that publicly. If we had a high 
degree of confidence that they had--that they were on the cusp 
of achieving such capability and perhaps capability of 
delivering it, if that became part of the American 
consciousness, do you think that would change this debate that 
we're having here today?
    Mr. Comey. I do worry that it's hard to have nuanced, 
complicated conversations like this in an emergency and in the 
wake of a disaster, which is why I think it's so important we 
have this conversation now, because in the wake of something 
awful happening, it will be hard to talk about this in a 
thoughtful, nuanced way. And so I think that's why I so welcome 
the Chairman having this hearing, and having further 
conversations about it.
    Mr. King. Thank you, Director. And I will just state that 
my view is that I want to protect the constitutional rights of 
the American people, and I would like to be able to have this 
framed in law that reflects our constitutional rights. But I 
would like to have us consider how we might keep a nation safe 
in the face of this and how we might prosecute a global war 
against radical Islam, even in the aftermath of a decision that 
might be made by either a judge or the United States Congress.
    I thank you, Mr. Chairman, and I yield back the balance of 
my time.
    Mr. Goodlatte. The Chair thanks the gentleman.
    The gentlewoman from California, Ms. Bass, is recognized 
for 5 minutes.
    Ms. Bass. Thank you, Mr. Chair.
    And thank you, Director Comey, for your time and your 
patience with us today.
    I had a townhall meeting in my district on Sunday, and 
actually a couple hundred people showed up, and it was a 
general townhall meeting talking about issues that Congress is 
dealing with, and much to my surprise, this was a burning 
issue. And many of my constituents came to ask me questions, 
and I told them that they could suggest some questions and I 
would ask you. So maybe you could speak to some of my 
constituents today so I can send them a clip of your testimony.
    Basically, in general, they had a hard time believing--I 
mean, they were not supportive. They don't want, you know, 
Apple to comply. But they had a hard time believing that the 
FBI couldn't already do this. And so a couple of the questions 
were: How have so many others cracked iPhones and shared their 
findings with videos and how-to articles?
    And given that you described it, not as a back door but 
getting the dogs, you know, away so that you can pick the lock, 
their question was: What other intelligence community agencies 
has the FBI worked with, considering there's at least 12 in the 
government? Between all of these agencies, how is it that you 
haven't been able to call the dogs off and pick the lock?
    Mr. Comey. There are actually 16 other members of the U.S. 
intelligence community. It pains me to say this, because I--in 
a way we benefit from the myth that is the product of maybe too 
much television. The only thing that's true on television is we 
remain very attractive people, but we don't have the 
capabilities that people sometimes on TV imagine us to have. If 
we could have done this quietly and privately, we would have 
done it.
    Ms. Bass. Right.
    Mr. Comey. This litigation is difficult. It's especially 
difficult, as I said, for the people who were victimized in San 
Bernardino, and so we really can't. As I said, there may be 
other models, other permutations and combinations where we have 
different capabilities, but I'm here to tell you here--and, 
again, maybe tonight someone will call us and say: I've thought 
of something. Apple is very good at what it does. It's a 
wonderful company. It makes wonderful products, right? They 
have set out to design a phone that can't be opened, and 
they're darn near succeeding. I think with the 6 and beyond, 
they will have succeeded. That doesn't make them bad people, 
that just poses a challenge for us that we're not yet up to 
meeting without intervention from courts.
    Ms. Bass. Since you can clone iPhone contents to compatible 
hardware and test passwords on the clones without putting the 
original at risk, can't you use so-called brute force methods 
to guess the passcode?
    Mr. Comey. Not with the--I think this is what Mr. Issa was 
asking about. I think a lot of tech experts ask, why can't you 
mirror the phone in some way and then play with the mirror? For 
reasons I don't fully understand, not possible in this 
circumstance. So we do want to try and brute force the phone; 
that is the multiple guesses. But we need first--we'll do that 
ourselves, but we need removed the auto-erase function and the 
delay-between-guesses function, which would make us take 10 
years to guess it. If we have those removed, we can guess this 
phone's password with our computing power in 26 minutes, is 
what we're told, because we have enormous computing power in 
the U.S. Government, but we need to be able to bring it to bear 
without the phone killing itself.
    Ms. Bass. Thank you. I yield back the balance of my time.
    Mr. Goodlatte. The Chair recognizes the gentleman from 
Idaho, Mr. Labrador, for 5 minutes.
    Mr. Labrador. Thank you, Mr. Chairman.
    And thank you, Director, for being here. Thank you for what 
you're doing. I know you have a very difficult job as you're 
trying to balance both security and privacy.
    I do have a few questions. As you're looking at the laws 
that are in place, like CALEA and FISA, or the other different 
avenues that we're talking about, something that concerns me is 
that this is very different than some of the examples that have 
been given here. For example, when you have--when you're going 
into a home, if you're asking for a key, if you go to the 
landlord, that key's already made, and you can go to the 
landlord and you can say, ``I have a warrant here,'' and that 
key is made, ``Can you please give me a key for that,'' where 
the method of creating that key, even if the key does not 
exist, is already--does already exist. This is very different 
than that. Would you agree?
    Mr. Comey. Yes. You're exactly right. There's a difference 
between, ``Hey, landlord, you have this spare key; the judge 
directs you to give it to us,'' and, ``Hey, landlord, we need 
you to make a key for this lock.''
    Mr. Labrador. Yeah.
    Mr. Comey. And that's a legal question as to whether the 
particular statutory authority we're using here, the All Writs 
Act, extends to that.
    Mr. Labrador. Correct.
    Mr. Comey. We think in the government there's a reasonable 
argument to be made it does and should, and on the other side, 
lawyers for Apple argue it doesn't, and that's what the judge 
will sort out.
    Mr. Labrador. But this goes even one step further. In this 
scenario, the landlord can create the key, has the ability to 
create the key, and the technology to create the key already 
exists. In the Apple case, that's not the case. They have never 
created the key that you're asking for. Isn't that correct?
    Mr. Comey. I don't know whether that's correct or not.
    Mr. Labrador. Well, as far as we know, as far as they're 
letting us know, there's no way for them, as they're telling 
us--because if not, I think they would be violating the judge's 
order. If they have an ability to do this, I do agree with you 
that they would be violating the judge's order, but what 
they're telling us is that ability does not exist. Isn't that 
correct?
    Mr. Comey. I think that's right. I think, obviously, their 
general counsels are very smart guys here; he can talk about 
this. But I think what they're saying is: We can do it, but it 
would require us to sit at a keyboard and write new code that 
doesn't currently exist.
    Mr. Labrador. Correct.
    Mr. Comey. Whether there's a meaningful distinction between 
that, and someone who already has a key legally is something a 
judge will have to sort out.
    Mr. Labrador. So what concerns me is the old legal maxim 
that, you know, bad cases make bad law. This is clearly a bad 
case. We all want you to get access to this phone through legal 
means, because maybe it would uncover some of the problems that 
we have in the Middle East; maybe there's some evidence in 
there that could really lead us to take some terrorists down. I 
think we are all there, but the problem is that this is a bad 
case. This is a person who, obviously, is dead, who has never 
given his code to somebody else.
    And I'm concerned that, as we're looking down this road, 
what we're doing is we're opening the door for other things 
that could actually be detrimental to our safety and security. 
For example, I think you've testified many times that we're 
getting hacked all the time. Isn't that correct?
    Mr. Comey. Yes.
    Mr. Labrador. So maybe one of the reasons that Apple is 
refusing to do this or is hesitant to do something like this, 
because they know that even they get hacked, and when you 
open--when you create that key that doesn't exist at all right 
now, you're actually opening up every other phone that's out 
there. Do you see how that could be a concern?
    Mr. Comey. I see the argument. The question the judge will 
have to decide is, is that a reasonable argument?
    Mr. Labrador. Because you----
    Mr. Comey. Sorry.
    Mr. Labrador. No. I'm sorry.
    Mr. Comey. Go ahead.
    Mr. Labrador. You said that Apple is highly--they are 
highly professional in keeping secrets. Would you say that the 
Federal Government also has very good people that are highly 
professional in keeping secrets?
    Mr. Comey. Parts of it.
    Mr. Labrador. Me too.
    Recently, we've learned that there's been a hacking 
incident at the IRS. Are you familiar with that?
    Mr. Comey. Yes.
    Mr. Labrador. So that's what I'm concerned about. The 
moment that you open up that door, the moment that you open up 
that key that doesn't currently exist, you're actually allowing 
all these hackers that are out there--and some of them are our 
enemies that are trying to do us harm, whether it's economic 
harm or whether it's actual terrorism. They're out there 
looking for ways to actually get into your iPhone, into my 
iPhone, into everybody else's iPhone, and at some point--that's 
why you have such a difficult job--is we have to balance that 
safety and security.
    Do you think that this capability that you're asking for 
can only be used pursuant to a warrant?
    Mr. Comey. The capability that the judge has directed Apple 
to provide?
    Mr. Labrador. Correct.
    Mr. Comey. I think that's the way it's--that's the 
procedural posture of it. There's a warrant and the judge has 
issued an order.
    Mr. Labrador. That's how it is issued right now, but do you 
think that that can only be obtained through a warrant? Are you 
seeking to obtain it later through other means other than 
warrants?
    Mr. Comey. I don't know how we would if it's in Apple's 
possession. Unless they voluntarily gave it to someone, there 
would have to be a judicial process----
    Mr. Labrador. Okay.
    Mr. Comey [continuing]. If they maintained it afterwards.
    Mr. Labrador. Thank you very much. I've run out of time. 
Thank you.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentleman from Louisiana, Mr. Richmond, for 5 
minutes.
    Mr. Richmond. Thank you, Mr. Chairman.
    Before I start, I'd like to enter into the record two 
articles. One is from the Toronto Star, titled 
D1 deg.``Encrypted Evidence Is Increasingly Hampering 
Criminal Investigations, Police Say.'' And another one is from 
the Baton Rouge Advocate, which says, D2 deg.``The 
Brittney Mills Murder Case Has Put Baton Rouge in the Middle of 
the National Cell Phone Encryption Debate.''
    Mr. Goodlatte. Without objection, they will be made part of 
the record.
    [The information referred to follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
                                  
                               __________
                               
    Mr. Richmond. Thank you, Mr. Chairman.
    And let me just say, and Director Comey, you have mentioned 
the Brittney Mills case a number of times, and I just want to 
paint the scenario for everyone in the room and put a face with 
it. This is Brittney Mills, and this is Brittney Mills almost 8 
months pregnant with her daughter. In May of last year, 
Brittney was murdered in my district. She was a mother. She was 
8 months pregnant with her second child at the time. Someone 
came to her door and killed her, and a couple days later, her 
unborn child--or born child also died. And according to her 
family and her friends, she kept a very detailed diary in her 
phone. And her family, who are here today, Ms. Mills, Ms. 
Barbara Mills, will you please stand, and Tia and Roger, her 
family would like the phone opened so that our district 
attorney, who is also here today--thank you for standing--our 
district attorney, who is also here today, Hillar Moore, can 
use that to attempt to find the murderer who committed this 
crime.
    And I guess my question is, we balance privacy, public 
safety, and criminal justice, but are we in danger of creating 
an underground criminal sanctuary for some very disturbed 
people, and how do we balance that?
    Mr. Comey. We are in danger of that. Until these awesome 
devices--and that's what makes it so painful. They're 
wonderful. Until this, there was no closet in America, no safe 
in America, no garage in America, no basement in America that 
could not be entered with a judge's order. We now live in a 
different world, and that's the point we're trying to make 
here. Before we drift to a place where a whole lot of other 
families in incredible pain look at other district attorneys 
and say, ``What do you mean you can't; you have a court 
order,'' before we drift to that place, we've got to talk about 
it, because privacy is awesome, but stopping this kind of 
savagery and murder and pedophilia and all the other things 
that hide in the dark spaces in American life is also 
incredibly important to us.
    That's why this conversation matters so much, but it's also 
why we have to talk to each other. There are no demons in this 
conversation; we care about the same things. But it is urgent, 
and there's no more painful circumstance to demonstrate it than 
in the death of that beautiful woman and her baby.
    Mr. Richmond. Well, and I do appreciate your saying we have 
to talk to each other, because just in the small time that I 
was able to put the representatives of Apple and the district 
attorney in the room, I think we made some progress and maybe 
some alternatives, and maybe we'll get somewhere. But it is a 
very difficult balancing act, and I think the people from Apple 
are very well intentioned and have some real concerns.
    But let me ask you this. I took a congressional delegation 
trip over to the Ukraine. And when we landed our plane, we were 
on the runway, and our security advisors came on to the back 
and said, if you don't want your phone hacked and people to 
have access to your text messages, your pictures, your emails, 
and everything else, we advise you to power your phone off and 
leave it on the plane. And no one is in close enough proximity 
right now to do it, so if you need to make a call, make a call, 
but when we get closer to the terminal, you need to power that 
phone down.
    So does Ukraine have better technology--well, they were 
really worried about Russian hackers. But does Russia have that 
much of a technology advantage over us that they can get into 
my phone while I'm on it and it's in my possession, and we 
can't get into a phone that we have in our possession?
    Mr. Comey. The difference--and I'm going to be careful what 
I say in an open setting--is that some countries have different 
control over their infrastructure and require providers in 
their country to make accommodations that we do not require 
here to give them greater surveillance capabilities than we 
would ever imagine in the United States. That's the first 
thing.
    The second thing is we are a rule of law country. The FBI 
is not cracking into your phone or listening to your 
communications except under the rule of law and going to a 
judge. Those are the two big differences.
    But countries have capabilities and, in part, based on 
accommodations that device makers and providers have made in 
those countries that are different than in this country.
    Mr. Richmond. Thank you, Mr. Chairman. I see my time has 
expired.
    Mr. Goodlatte. The Chair recognizes the gentlewoman from 
Washington State, Ms. DelBene, for 5 minutes.
    Ms. DelBene. Thank you, Mr. Chairman.
    And thank you, Director Comey, for being with us and for 
all of your time.
    I've worked my career in technology on email and mobile 
communications and constantly heard from customers, both 
consumers and businesses and even the government, to make sure 
that information was protected and that devices were secure. 
And in your testimony, you state that you're simply asking to 
ensure that you can continue to obtain electronic information 
and evidence, and you seem to be asking technology companies to 
freeze in place or revert back to systems that might have been 
easier to access, but don't you think in general that that's 
much--an oversimplification of this issue, because we all know 
that bad actors want to exploit vulnerabilities to break in to 
any number of things, from a phone, a personal device, to our 
power grid? These things aren't static. They're changing 
constantly, and they're getting smarter every day. The bad 
actors are getting smarter every day, and we need to be smarter 
every day in terms of protecting information.
    So, in that type of environment, how would you expect the 
technology company not to continue to evolve their security 
measures to keep up with new threats that we see?
    Mr. Comey. First of all, I would expect security companies 
and technology companies to continue to try and improve their 
security. That's why it's important that all of us talk about 
this, because it's not the company's job to worry about public 
safety, right? It's the FBI's job, Congress's job, and a lot of 
other folks in the government, so I don't put that on the 
companies. But the other thing that concerns me a little bit is 
this sense that if we have a world where people comply with 
government warrants, it must be insecure. And I don't buy that, 
because there are lots of providers today of email service, of 
tech service who have highly secure systems who, because of 
their business models, visualize the information in plain text 
on their servers so they comply with court orders. I have not 
heard people say their systems are insecure. They simply have 
chosen a different business model.
    So I actually don't think it's--again, a lot of people may 
disagree with me. I actually don't think in the main it's a 
technological problem. It's a business model problem. That 
doesn't solve it, but that gets us away from this it's 
impossible nonsense.
    Ms. DelBene. But we know more and more, in fact, we're 
seeing--we're talking about phones today, but we are talking 
about the growth in the Internet of things of more and more 
personal devices where security will be even more critical, and 
so it's hard to say--you're talking about a world where it's 
confined to the way the world works today. I think that 
absolutely is not the situation that we're facing. We're seeing 
evolution every day, and these are devices that are connected 
to networks, and information is flowing, and that information 
might be someone's financial information or personal 
information that if it is exploited would create a security 
issue itself.
    Mr. Comey. I agree.
    Ms. DelBene. So don't you believe that encryption has an 
important role to play in protecting security?
    Mr. Comey. Vital.
    Ms. DelBene. So, now, when we've talked about what role 
Congress plays versus what role the courts would play, and 
you've kind of talked about both in different scenarios. You've 
talked about privacy versus security and that Congress should 
play a role there but that the courts should decide whether or 
not there's a security breach if there's a piece of technology 
that breaks into a device and whether or not there's a concern 
that that will be widely available. Yet the tension isn't 
really between just privacy and security. It's between security 
and security and protecting people's information. So how do 
you--where do you think Congress plays a role versus the courts 
when you've talked about both of them in your testimony today?
    Mr. Comey. I think the courts have a job to, in particular 
cases, interpret the laws that Congress has passed throughout 
the history of this country to try and decide: The government 
is seeking this relief; does that fit within the statute? 
That's the courts' job, and they're very, very good at it.
    The larger societal problem we have is this collision--that 
I think you've said well--between privacy and security; very 
difficult to solve it case by case by case. We have to ask 
ourselves, how do we want to govern ourselves? If you are a 
manufacturer of devices in the United States or you provide 
communication services in the United States, what are our, as a 
country, what are our expectations of you and demands of you? 
It's hard for me to see that being worked out on a common law 
basis, honestly, but it's going to be, because the issue is 
joined every single day in our law enforcement work. If nobody 
else gets involved, the courts will have to figure it out.
    Ms. DelBene. This isn't just an issue of U.S. companies 
alone, because clearly there's access to technology that could 
be developed in other countries that we'll not have access to 
and that's widely available today and people can use. But, 
also, then it is important, we have laws that are centuries and 
decades old that have not kept up with the way the world works 
today, and so it is very important that Congress plays a role, 
because if courts are going to be interpreting those laws and 
those laws were written with no awareness of what's happening 
today, then Congress needs to play a role of making sure we 
have laws that are up-to-date and setting that standard so that 
courts can then follow.
    Thank you. I yield back, Mr. Chair.
    Mr. Goodlatte. The Chair thanks the gentlewoman and 
recognizes the gentleman from New York, Mr. Jeffries.
    Mr. Jeffries. Thank you, Mr. Chairman.
    And thank you, Mr. Comey, for your presence here today. And 
as one of my colleagues mentioned, your candor and open 
dialogue and communication is much appreciated, and it's not 
always the case with high-level government witnesses and 
others.
    You testified today that you don't question Apple's motives 
in connection with the San Bernardino case. Is that correct?
    Mr. Comey. Correct.
    Mr. Jeffries. And you also testified that there are no 
demons in this conversation, true?
    Mr. Comey. Correct. I hope not.
    Mr. Jeffries. But the Department of Justice has questioned 
the company's motives in defending the privacy of the American 
people. Isn't that right?
    Mr. Comey. I don't know that they've questioned their 
motives, in the sense that attributed sort of that they're 
acting with evil intent or something. I think they've--I 
remember a filing the department said where they think a lot of 
Apple's position has to do with its market power, which I, 
frankly, is not an illegitimate motive.
    Mr. Jeffries. In fact, in the motion to compel that you 
referred to, I believe the prosecutor said that: ``Apple's 
current refusal to comply with the court's order, despite the 
technical feasibility of doing so, appears to be based on its 
concern for its business model and public brand marketing 
strategy.''
    Is that the statement that you're referring to, sir?
    Mr. Comey. Yeah. And I think that's--that's fair. I bet 
that's accurate. Apple has a legal obligation--because I used 
to be the general counsel of a public company--to maximize 
shareholder value. They're a business, and so I would hope 
that's part of their motivation. And it's not a bad thing if 
it's entirely their motivation. Their job is not to worry about 
public safety. That is our job, all of us in this room who work 
for the government.
    Mr. Jeffries. William Bratton is the police commissioner of 
the New York City Police Department. Is that right?
    Mr. Comey. Yes.
    Mr. Jeffries. That's the largest department in the country?
    Mr. Comey. Yes.
    Mr. Jeffries. And he's one of the most respected law 
enforcement professionals in the country. Would you agree with 
that?
    Mr. Comey. I agree with that very, very much.
    Mr. Jeffries. Now, at a February 18 press conference in New 
York City, publicly accused Apple of corporate 
irresponsibility. Are you familiar with that remark, sir?
    Mr. Comey. I'm not.
    Mr. Jeffries. Okay. Do you agree with that strident 
statement, that Apple is engaging in corporate 
irresponsibility----
    Mr. Comey. I'm----
    Mr. Jeffries [continuing]. By vindicating its----
    Mr. Comey. I don't know that Bill said that, but I'm not 
going to characterize it that way. I don't think they're acting 
irresponsibly. I think they're acting as a corporation in their 
self-interest, which is the way--which is the engine of 
innovation and enterprise in this country.
    Mr. Jeffries. Fundamentally, as it relates to the position 
of those of us who are on the Judiciary Committee, as well as 
Members in the House and in the Senate, guardians of the 
Constitution, this is not about marketing or corporate 
irresponsibility, correct, this debate?
    Mr. Comey. I hope not. I mean, I hope part of it is, and 
that's a voice to listen to, but they sell phones. They don't 
sell civil liberties. They don't sell public safety. That's our 
business to worry about.
    Mr. Jeffries. Right. But in terms of our perspective, this 
is really about fundamental issues of importance as it relates 
to who we are as a country, the Fourth Amendment of the United 
States Constitution, the reasonableness of government 
intrusion, the rule of law, the legitimate centuries-old 
concern as it relates to government overreach and the damage 
that that can do. This is fundamentally a big picture debate 
about some things that are very important to who we are as a 
country, correct?
    Mr. Comey. I agree completely.
    Mr. Jeffries. Okay. Now, in terms of the technology that's 
available today, Americans seem to have the opportunity to 
choose between privacy or unfettered access to data which can 
reveal the far reaches of their life to a third party, to a 
government, to a bad actor. Would you agree that there's an 
opportunity that the technology is providing for Americans to 
choose privacy?
    Mr. Comey. I don't agree with that framing, because it 
sounds like you're framing it as we either have privacy or we 
have unfettered access by bad actors. I don't accept that 
premise.
    Mr. Jeffries. Okay. So let me ask a few questions. One of 
the obstacles to unfettered access is the passcode, correct? 
The passcode.
    Mr. Comey. Yeah.
    Mr. Jeffries. A four-number or a six-number passcode.
    Mr. Comey. I naturally quibble because I'm a lawyer, but 
I'm just stuck on ``unfettered''----
    Mr. Jeffries. Okay.
    Mr. Comey [continuing]. But one of the obstacles to access 
to a device----
    Mr. Jeffries. Let me drop ``unfettered.''
    Mr. Comey. Okay.
    Mr. Jeffries. The passcode is an obstacle, correct?
    Mr. Comey. Correct. Correct.
    Mr. Jeffries. Now, you can choose a passcode or choose not 
to activate a passcode, correct?
    Mr. Comey. I think that's right.
    Mr. Jeffries. Okay. Now, whether you back up your system or 
not is an issue as it relates to access, correct? In other 
words, if you don't back up your system, you don't have access, 
correct, to the cloud?
    Mr. Comey. Yeah. I think if you don't back up your system 
to the cloud, there's nothing in the cloud that could be 
obtained by a warrant.
    Mr. Jeffries. Right. Now, with respect to auto erase, that 
is a choice that's being made. In other words, you have to 
actually affirmatively choose auto erase. If you didn't choose 
it, in this particular case or in any other case, eventually 
your computer is powerful enough to get access to the data, 
correct?
    Mr. Comey. I think that's right for the 5C. I think that's 
right. And folks from Apple could tell you better. I think for 
the later models, it's not a choice, but I think it's a--I'm 
reasonably confident it's a choice for the 5C.
    Mr. Jeffries. My time has expired, but I think it's 
important as we frame this debate to understand that it is 
actually the American citizen that is choosing on at least 
three different occasions in three different ways the value of 
privacy, and that's something that we should respect as 
Congress attempts to craft a solution.
    Mr. Comey. Okay.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentleman from Rhode Island, Mr. Cicilline, for 
5 minutes.
    Mr. Cicilline. Thank you, Mr. Chairman.
    Thank you, Director Comey, for your service to our country. 
Thank you for being here today and for the outstanding work of 
the men and women at the FBI.
    We all, of course, acknowledge the incredible horrors of 
the San Bernardino attack, but I think, in many ways, what 
we're struggling with, as Ms. DelBene said, not necessarily 
security versus privacy, but security versus security. And the 
real argument that the danger that exists for the misuse of 
this new technology by foreign agents, by terrorists, by bad 
actors, by criminals will actually make us less safe in the 
long term. And while it might achieve your objective in the 
short term in this particular case, that the implications in 
terms of our own national security and personal security pose 
greater dangers. I think that's what at least I'm struggling 
with.
    I appreciate you said this is the hardest question you've 
confronted, because I think it is a hard one. But the first 
thing I want to ask is, this is different, would you agree, 
than all the examples that have been used about producing items 
in your custody. This is a different kind of one, because it's 
actually compelling a third party to produce and create 
intellectual property which doesn't exist today.
    Mr. Comey. I understand that to be Apple's argument. I 
don't know enough about the other possible comparisons to give 
you a thoughtful response, but, yes, I understand that.
    Mr. Cicilline. But don't you think it's hard to even 
imagine how a court ultimately enforces that, because you have 
to sort of get into the head of the engineers to figure out did 
they actually comply with what the government order is 
directing them to create.
    I mean, I'm not saying it's not something you're not 
allowed to ask for, but it is different, it seems to me, than 
simply asking people to produce that which they are in 
possession of, custodians of.
    Mr. Comey. I see that. I mean, I heard someone earlier say 
there's a difference between a landlord who has a key in his 
pocket and you say, ``You got to give us the key,'' and, ``You 
don't have one. Go make one for that door.''
    Mr. Cicilline. Well, this will be more than----
    Mr. Comey. And the question for the judge is what's----
    Mr. Cicilline. Not just go make one, because that knowing 
how to make keys exists, but to develop a whole new technology 
and intellectual property. So I just want--I raise that because 
I think we have to acknowledge it's different and then decide 
what to do with it.
    Mr. Comey. Yeah.
    Mr. Cicilline. But in addition to that, you said repeatedly 
that the government doesn't have the ability to do this 
already. And, as you know, there was a decision yesterday by 
Magistrate Judge Orenstein--I'd ask unanimous consent that that 
memorandum and order be made part of the record--in which he 
actually----
    Mr. Goodlatte. It already is part of the record.
    Mr. Cicilline. Okay. Which he--and he goes through and says 
the All Writs Act doesn't apply. CALEA prohibits this by 
omission, and I think in a very clear way. But in addition to 
that, he goes on to say that the government argued in an 
unrelated case that the government actually has the ability to 
do this, the Department of Homeland Security Investigations, 
that they are in possession of technology that would allow its 
forensic technicians to override the passcode security feature 
on the subject iPhone and obtain the data.
    So I think this is a very important question for me. If, in 
fact--is it in fact the case that the government doesn't have 
the ability, including the Department of Homeland Security 
Investigations, and all of the other intelligence agencies to 
do what it is that you claim is necessary to access this 
information?
    Mr. Comey. Yes.
    Mr. Cicilline. Because it is very--the answer's yes?
    Mr. Comey. That is correct. And I don't know. I think--I 
could be wrong, but I think the phone in the case from Brooklyn 
is different, maybe both the model and the IOS, the operating 
system is different, but for this--I can tell you, and, again, 
people know the sound of my voice--if you've got an idea, let 
us know, but 5C IOS 9, we do not have that capability----
    Mr. Cicilline. Okay.
    Mr. Comey [continuing]. Again, to disable. The problem is 
we can get into that phone with our computing power if they 
take off the auto-erase and the delay-between-guesses function. 
We will get into that phone.
    Mr. Cicilline. So do you agree, Director Comey, that if 
there is authority to be given to do what you're asking, that 
that authority has to come from Congress?
    Mr. Comey. No, I don't agree with that.
    Mr. Cicilline. So where do you think the authority comes 
from?
    Mr. Comey. Well, the government's already asked the court 
and made the argument under the court that the All Writs Act 
vests in the judiciary the ability to order this relief. That's 
what the court case is going to be about.
    Mr. Cicilline. So if the ruling made yesterday remains, 
which rejects the notion that the All Writs Act applies and 
that CALEA, in fact, is congressional intention on this, and 
the fact that we didn't act on it means you have authorization 
has not been provided, then would you agree that Congress is 
the only place that can authorize this, and if so, what would 
you recommend we do? What would that look like as we grapple 
with this question? Because I can tell you, for me, having read 
that, I think CALEA is clear; it doesn't authorize it. It's 
clear the All Writs Act doesn't. So if there is to be 
authority, assuming we decide that there should be, it seems it 
must come from Congress. As the Director of the FBI, what do 
you think that would--what would your recommendation be that 
would respond to what you see as your needs but also the 
national security interests of our country?
    Mr. Comey. Yeah. I'm not prepared to make a recommendation, 
but I think I get your question now. If the judges are right 
you that can't use the All Writs Act for this relief, what 
should Congress do to grant the relief? And I'm not prepared to 
tell you specifically what to do. I do think it's something 
that Congress is going to have to wrestle with.
    Mr. Cicilline. Thank you. I yield back. Thank you, Mr. 
Chairman.
    Thank you, Director.
    Mr. Goodlatte. The Chair would ask unanimous consent that 
letters from the E1 deg.Computer Communications 
Industry Association, dated February 29; a 
E2 deg.statement for the record from Reynaldo Tariche, 
President of the FBI Agents Association; and a 
E3 deg.letter, dated February 29, from the American 
Civil Liberties Union all be made a part of the record.
    [The information referred to follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
                               __________
                               
    Mr. Goodlatte. Director Comey, you've given us 3 hour--oh, 
I'm sorry. I'm jumping the gun here.
    The gentleman from California, Mr. Peters, is recognized 
for 5 minutes.
    Mr. Peters. Director Comey--I want to, first of all, thank 
you, Mr. Chairman. I want to thank you for being here. I wanted 
to just conclude by saying that I did hear very--did listen 
carefully to your opening statement. I thought it was very 
constructive. I think you appreciate the two objectives we have 
here, which is to both preserve privacy and to deal with San 
Bernardino. You've heard the comment: hard cases make bad law. 
They're still hard cases, and the problem we see in terrorism 
now is the onesies and the twosies. And the notion that we 
would have invulnerable communications, I think, is something 
that we should all be concerned about.
    I hope that you and the panel to follow you will all be 
part of a constructive discussion to figure out a way to serve 
both objectives and that the lines won't be too hard drawn on 
either side so we can do that.
    And I appreciate, Mr. Chairman, the chance to thank 
Director Comey for being here, and look forward to the next 
panel.
    Mr. Comey. Thank you.
    Mr. Peters. Yield back.
    Mr. Goodlatte. The Chair thanks the gentleman.
    Director, you've donated 3 hours of your time to our 
efforts today, or more, I'm sure, in getting ready, so we thank 
you very much for your participation and for answering a 
multitude of questions. And we are looking for answers, so if 
you have more to add to the record later, we would welcome that 
as well. Thank you very much.
    Mr. Comey. Thank you, sir.
    Mr. Issa. Mr. Chairman, would you entertain a unanimous 
consent while we're changing panels?
    Mr. Goodlatte. I would.
    Mr. Issa. Then I would ask unanimous consent that a letter 
I received late yesterday from a constituent in the technology 
business concerning this case be placed in the record. This is 
Emily Hirsch.
    Mr. Goodlatte. Without objection, that will be made a part 
of the record.*
---------------------------------------------------------------------------
    *Note: The material referred to was not available at the time this 
hearing record was finalized and submitted for printing on August 5, 
2016.
---------------------------------------------------------------------------
    Mr. Issa. Thank you.
    Mr. Goodlatte. We ask the witnesses on the second panel to 
please come forward and be seated.
    And now that Mr. Sewell has been afforded similar attention 
to the attention previously accorded to Director Comey, I'd ask 
that the press move back so we can begin the second panel.
    Ms. Lofgren. Mr. Chairman, I would not assume it was not 
directed to Ms. Landau, this photography.
    Mr. Goodlatte. Thank you.
    We welcome our distinguished witnesses for today's second 
panel. And if you would all please rise, I'll begin by swearing 
you in.
    Do you and each of you swear that the testimony that you 
are about to give shall be the truth, the whole truth, and 
nothing but the truth, so help you God?
    Thank you very much. Let the record reflect that all of the 
witnesses responded in the affirmative. And I will now 
introduce the witnesses.
    Bruce Sewell is senior vice president and general counsel 
of Apple. Mr. Sewell serves on Apple's legal team and oversees 
all legal matters, including global security and privacy. Prior 
to joining Apple, Mr. Sewell was deputy general counsel and 
vice president of Intel Corporation. He received his bachelor's 
degree from the University of Lancaster, and a J.D. From George 
Washington University.
    Dr. Susan Landau is professor of cybersecurity policy at 
Worcester Polytechnic Institute. Originally trained as a 
theoretical computer scientist, Dr. Landau is an expert in 
cryptographic applications. Within cybersecurity policy, her 
work focuses specifically on communications surveillance 
issues. Dr. Landau earned a bachelor's degree from Princeton 
University, a master's from Cornell University, and a Ph.D. 
From the Massachusetts Institute of Technology.
    Our final witness, Mr. Cyrus Vance, Jr., is the district 
attorney of New York County. Mr. Vance is currently serving his 
second term as district attorney after being reelected in 2013. 
He also serves as co-chair of the New York State Permanent 
Commission on Sentencing. Previously, Mr. Vance worked in 
private practice and taught at Seattle University School of 
Law. He's a graduate of Yale University and the Georgetown 
University Law Center.
    All of your written statements will be entered into the 
record in their entirety. And we ask that each of you summarize 
your testimony in 5 minutes or less. To help you stay within 
that time, there's a timing light on the table. When the light 
switches from green to yellow, you have 1 minute to conclude 
your testimony. When the light turns red, that's it; your time 
is up.
    And we'll begin with you, Mr. Sewell. Welcome.

 TESTIMONY OF BRUCE SEWELL, SENIOR VICE PRESIDENT AND GENERAL 
                      COUNSEL, APPLE, INC.

    Mr. Sewell. Thank you very much, Mr. Chairman. Thank you 
Members of the Committee and Ranking Member.
    Mr. Goodlatte. Make sure that microphone is on and pulled 
close.
    Mr. Sewell. Thank you for that technology hint.
    Thank you, Mr. Chairman. It's my pleasure to appear before 
you and the Committee today on behalf of Apple. We appreciate 
your invitation and the opportunity to be part of the 
discussion of this important issue, which centers on the civil 
liberties that are at the foundation of our country.
    I want to repeat something that we've said since the 
beginning, that the victims and the families of the San 
Bernardino attacks have our deepest sympathies. We strongly 
agree that justice should be served. And Apple has no sympathy 
for terrorists.
    We have the utmost respect for law enforcement and share 
their goal of creating a safer world. We have a team of 
dedicated professionals that are on call 24 hours a day, 7 days 
a week, 365 days a year, to assist law enforcement.
    When the FBI came to us in the immediate aftermath of the 
San Bernardino attacks, we gave them all the information we had 
related to their investigation. And we went beyond that by 
making Apple engineers available to advise the FBI on a number 
of investigative alternatives, but now we find ourselves at the 
center of a very extraordinary circumstance.
    The FBI has asked the court to order us to give them 
something that we don't have, to create an operating system 
that does not exist. The reason it doesn't exist is because it 
would be too dangerous. They are asking for a backdoor into the 
iPhone: specifically, to build a software tool that can break 
the encryption system which protects personal information on 
every iPhone.
    As we have told them and as we have told the American 
public, building that software tool would not affect just one 
iPhone. It would weaken the security for all of them. In fact, 
just last week, Director Comey agreed, and I think we heard the 
same here today, that the FBI would likely use this as 
precedent for other cases involving other phones. We've heard 
from District Attorney Vance, who's also said that he 
absolutely plans to use this tool on over 175 phones that he 
has in his possession. We can all agree this is not about 
access to one iPhone.
    The FBI is asking Apple to weaken the security of our 
products. Hackers and cybercriminals could use this to wreak 
havoc on our privacy and personal safety. It would set a 
dangerous precedent for government intrusion into the privacy 
and safety of its citizens.
    Hundreds of millions of law-abiding citizens trust Apple's 
products with the most intimate details of their daily lives: 
photos, private conversations, health data, financial accounts, 
and information about a user's location, and the location of 
that user's family and friends.
    Some of you may have an iPhone in your pocket right now. 
And if you think about it, there's probably more information 
stored on that device than a thief could steal by breaking into 
your house. The only way we know to protect that data is 
through strong encryption.
    Every day, over a trillion transactions occur safely over 
the Internet as the result of encrypted communications. These 
range from online banking and credit card transactions to the 
exchange of healthcare records, ideas that will change the 
world for the better, and communications between loved ones.
    The U.S. Government has spent tens of millions of dollars 
through the Open Technology Fund and other U.S. Government 
programs to fund strong encryption. The Review Group on 
Intelligence and Communications Technology, convened by 
President Obama, urged the U.S. Government to fully support and 
not in any way subvert, weaken, or make vulnerable generally 
available commercial software.
    Encryption is a good thing. We need it to keep people safe. 
We have been using it in our products for over a decade. As 
attacks on our customers' data become more sophisticated, the 
tools we need to use to defend against them need to get 
stronger too. Weakening encryption would only hurt consumers 
and well-meaning users who rely on companies like Apple to 
protect their personal information.
    Today's hearing is entitled ``Balancing America's Security 
and Privacy.'' We believe we can and we must have both. 
Protecting our data with encryption and other methods preserves 
our privacy and keeps people safe.
    The American people deserve an honest conversation around 
the important questions stemming from the FBI's current demand. 
Do we want to put a limit on the technology that protects our 
data and, therefore, our privacy and safety in the face of 
increasingly sophisticated cyber attacks? Should the FBI be 
allowed to stop Apple or any company from offering the American 
people the safest and most secure products it can make? Should 
the FBI have the right to compel a company to produce a product 
it doesn't already make to the FBI's exact specifications and 
for the FBI's use?
    We believe that each of these questions deserves a healthy 
discussion, and any decision should only be made after a 
thoughtful and honest consideration of the facts. Most 
importantly, the decision should be made by you and your 
colleagues as Representatives of the people rather than through 
warrant requests based on a 220-year-old statute. As Judge 
Orenstein concluded yesterday, granting the FBI's request would 
thoroughly undermine fundamental principles of the 
Constitution.
    At Apple, we are ready to have this conversation. The 
feedback and support we're hearing indicate to us that the 
American people are too. We feel strongly that our customers, 
their families, their friends, and their neighbors will be 
better protected from thieves and terrorists if we can offer 
the best protections for their data; at the same time, our 
freedoms and liberties we all cherish will be more secure.
    Thank you for your time, and I look forward to your 
questions.
    [The prepared statement of Mr. Sewell follows:]
    
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
 
                               __________
                               
    Mr. Goodlatte. Thank you, Mr. Sewell.
    Ms. Landau, welcome.

 TESTIMONY OF SUSAN LANDAU, Ph.D., PROFESSOR OF CYBERSECURITY 
                       POLICY, WORCESTER

    Ms. Landau. Thank you. Mr. Chairman and Members of the 
Committee, thank you very much for the opportunity to testify 
today.
    The FBI has pitched this battle as one of security versus 
privacy, but as a number of the Members have already observed, 
it's really about security versus security. We have a national 
security threat going on, and we haven't solved the problem at 
all. What have smartphones got to do with it? Absolutely 
everything. Smartphones hold our photos and music, our notes 
and calendars, much of that information sensitive, especially 
the photos.
    Smartphones are increasingly wallets, and they give us 
access to all sorts of accounts, bank accounts, Dropbox, and so 
on. Many people store proprietary business information on their 
smartphones--their personal smartphones--even though they know 
they shouldn't.
    Now, NSA will tell you that stealing login credentials is 
the most effective way into a system. In fact, Rob Joyce of the 
Tailored Access Operation said so in a public talk a month ago.
    Here's where smartphones are extremely important. They are 
poised to become authenticators to a wide variety of systems--
services. In fact, they're already being used that way, 
including at some high-placed government agencies.
    Now, District Attorney Vance will tell you that law--has 
said that large scale data breaches have nothing to do with 
smartphone encryption, but that's not true. Look at today's New 
York Times, where there's a story about the attack on the 
Ukrainian power grid. How did it start? It started by the theft 
of login credentials of system operators. We've got to solve 
the login authentication problem, and smartphones are actually 
our best way forward to do it, but not if it's easy to get into 
the data of the smartphones.
    Now, the Committee has already observed that there are many 
phones that will go through the process of being unlocked, not 
just the one in San Bernardino. And what that means for Apple 
is that it's going to have to develop a routine to do so.
    Now, what happens when you have--when you sign a piece of 
code to update a phone and you're signing a piece of code 
that's an operating system or firm where you do it once--you do 
it occasionally. It's a whole ritual, and there are very senior 
people involved. But if you're dealing with phones that are 
daily being updated in order to solve law enforcement cases, 
then what happens is you develop a routine. You get a Web page, 
you get a low level employee to supervise it, and then it 
becomes a process that's easy to subvert. I have lots of 
respect for Apple's security, but not when it becomes a routine 
process to build an update for a phone. And what will happen is 
organized crime or a nation-state will do so using an update to 
then hack into a phone, maybe the phone of the Secretary or the 
chief of the Federal Reserve, maybe a phone of an HVAC employee 
who's going to go service a powerplant. What we're going to do 
is decrease our security. That's the security risk that's 
coming from the requests.
    Now, I get that law enforcement wants data protection that 
allows them access under legal authorization, but an NSA 
colleague once remarked to me that, while his agency had the 
right to break into certain systems, no one ever guaranteed 
that that right would be easy to do so.
    The problem is when you build a way in for someone who 
isn't the owner to get at the data, well, you've built a way in 
for somebody else to get in as well.
    Let me go to CALEA for a moment. CALEA is a security 
nightmare. I know that Congress didn't intend it that way, but 
that's what it is. If you ask the signals intelligence people, 
they will tell you: there are many ways for nefarious sorts to 
take advantage of the opening offered by law enforcement.
    Instead of embracing the communications and device security 
we so badly need, law enforcement has been pressing to preserve 
20th century investigative techniques; meanwhile, our enemies 
are using 21st century technologies against us.
    The FBI needs to take a page from the NSA. You may recall 
that, in the late 1990's, the NSA was complaining it was going 
deaf from encrypted calls. Well, they've obviously improved 
their technology a great deal. According to Mike McConnell, 
from that time until now, NSA has had better SIGINT than any 
time in history.
    What we need is law enforcement to develop 21st century 
capabilities for conducting electronic surveillance. Now, the 
FBI already has some excellent people and expertise, but FBI 
investment and capacity is not at the scale and level 
necessary. Rather than asking industry to weaken protections, 
law enforcement must instead development the capability for 
conducting sophisticated investigations themselves. Congress 
can help. The FBI needs an investigative center with agents 
with deep technical understanding of modern telecommunications 
technology and also, because all phones are computers, modern 
computer--deep expertise in computer science. There will need 
to be teams of researchers who understand various types of 
fielded devices. They'll need to know where technology is and 
where it will be in 6 months and where it will be in 2 to 5 
years, communications technology in 2 to 5 years, so that they 
can develop the surveillance technologies themselves.
    Expertise need not be in-house. The FBI could pursue a 
solution where they develop some of their own expertise and 
closely managed contractors to do some of the work, but however 
the Bureau pursues a solution, it must develop modern, state-
of-the-art capabilities. It must do rather than trying to get 
industry to weaken security.
    Your job is to help the FBI build such capabilities, 
determine the most efficient and effective way that such 
capabilities could be utilized by State and local law 
enforcement, for they don't have the resources to develop that 
themselves and to also fund that capabilities. That's the way 
forward that does not put our national security at risk. It 
enables law enforcement investigations while encouraging 
industry to do all it can do to develop better, more effective 
technologies for securing data and devices. That is a win-win 
and where we should be going. Thank you.
    [The prepared statement of Ms. Landau follows:]
    
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
    
   
                               __________
                               
    Mr. Goodlatte. Thank you, Ms. Landau.
    Mr. Vance, welcome.

 TESTIMONY OF CYRUS R. VANCE, JR., DISTRICT ATTORNEY, NEW YORK 
                             COUNTY

    Mr. Vance. Thank you. Good afternoon, Chairman Goodlatte, 
Ranking Member Conyers, and Members of the House Judiciary 
Committee. Thank you so much for allowing me to participate 
today. I'm testifying as a district attorney but on behalf of 
the National District Attorneys Association. And I'm very 
grateful for you giving us the opportunity to be here, because 
much of the discussion in the prior panel and in the comments 
by the other speakers here has been about the Federal 
Government and about the issue of security and cybercrime in 
the Federal context. But it's important, I think, for all of us 
to recognize that State and local law enforcement agencies 
handle 95 percent of the criminal cases each year around the 
country. So we have a very deep interest in the subject matter 
of this hearing today, and thank you for letting us 
participate.
    Apple and Google's decision to engineer their mobile 
devices to, in essence, be warrant-proof has had a real effect 
on the traditional balance of public safety versus privacy 
under our Fourth Amendment jurisprudence. And I agree with the 
comments. I think of everyone here, including the many Members 
of the House, that we really need Congress to help solve this 
problem for us, and it's why it's so important that you're 
undertaking this effort. But I think in looking at this issue, 
there are some basic facts from the State law perspective that 
really are very important in this debate but are not in 
dispute.
    And, number one, as Tim Cook said in his open letter to his 
customers of Apple of February 16 of this year: Smartphones, 
led by iPhone, have become an essential part of our lives. 
Nothing could be more true. We are all using our cell phones 
for every aspect of our lives.
    Number two, is that smartphones are also essential to 
criminals. Our office investigates and prosecutes a huge 
variety of cases, from homicide to sex crimes, from 
international financial crime, and including terrorism cases, 
and criminals in each of those cases use smartphones to share 
information, to plan and to commit crimes, whether it's through 
text messages, photographs, or videos.
    Number three, criminals know that the iOS 8 operating 
system is warrant-proof. Criminals understand that this new 
operating system provides them with the cloak of secrecy, and 
they are, ladies and gentlemen, quite literally laughing at us. 
And they are astounded that they have a means of communication 
totally secure from government reach. And I don't ask you to 
take my word for it. In one lawfully recorded phone 
conversation from Rikers Island in New York, an inmate, talking 
about the iOS 8 default device encryption, called it, and I'm 
quoting, ``a gift from God.''
    Number four, the encryption Apple provided on its mobile 
devices prior to iOS 8, that is before October 2014, was 
represented to be both secure for its customers and, 
importantly, was amenable to court-authorized searches. We know 
this because Apple told us this. Apple characterized its iOS 7 
operating system as the ultimate in privacy. It touted its 
proven encryption methods and assured its users that iOS 7 
could be used with confidence in any personal or corporate 
environment. During the time when iOS 7 was the operating 
system, Apple also acknowledged, and I think importantly, its 
responsibility to help, again in Apple's own words, ``police 
investigating robberies and other crimes, searching for missing 
children, trying to locate a patient with Alzheimer's disease, 
or hoping to prevent a suicide.'' So Apple's experience, I 
believe, with iOS 7 demonstrated that strong encryption and 
compliance with court orders are not mutually exclusive.
    A default device encryption has had a profound impact on my 
office and others like it. In November of 2015, my office 
published a white paper on public safety and encryption, and at 
that time, there were 111 iPhones from which we were locked 
out, having obtained search warrants for those devices. Now, 
2\1/2\ months later, when we submitted our written testimony 
for this Committee, the number was 175. Today, it is 205, which 
represents more than one out of four of the approximately 700 
Apple devices that have been analyzed by our office's own cyber 
lab since the introduction of iOS 8.
    And, of course, that problem isn't just in Manhattan. 
Prosecutors in Houston have been locked out of more than 100 
iPhones last year, 46 in Connecticut, 36 in Chicago since 
January, and those are just a few of the thousands of phones 
taken into evidence each year around the country.
    So centuries of jurisprudence that have been talked about 
today have held that no item, not a home, a file cabinet, a 
safe, or even a smartphone, is beyond the reach of a court-
ordered search warrant. But the warrant-proof encryption today 
gives two very large companies, we believe, functional control 
over the path to justice for victims of crime, including who 
could be prosecuted and, importantly, who may be exonerated.
    So our point, Mr. Chairman, is that we believe this line 
being drawn between public safety and privacy is extremely 
important. It's affecting our lives. It's affecting our 
constituents' lives. And we believe that you should be drawing 
it, and we ask you to address this problem quickly. Time is not 
a luxury for State and local law enforcement, crime victims, or 
communities can afford. Our laws require speedy trials. 
Criminals have to be held accountable. And victims are, as we 
speak and we know in this audience, asking for justice.
    [The prepared statement of Mr. Vance follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    
    
                               __________
                               
    Mr. Goodlatte. Thank you, Mr. Vance.
    We'll now proceed with questioning of the witnesses under 
the 5-minute rule, and I'll begin by recognizing myself.
    Mr. Sewell, Director Comey created a dichotomy between this 
being a technology problem or a business model problem, and 
said that Apple was addressing this as a business model 
problem. Is that a fair contrast, or is this something else?
    Mr. Sewell. It's by no means a fair contrast, Mr. Chairman. 
I've heard this raised before. It was raised in New York. It's 
been raised in San Bernardino, and every time I hear this, my 
blood boils.
    This is not a marketing issue. That's a way of demeaning 
the other side of the argument. We don't put up billboards that 
talk about our security. We don't take out ads that market our 
encryption.
    We're doing this because we think that protecting the 
security and the privacy of hundreds of millions of iPhone 
users is the right thing to do. That's the reason that we're 
doing this. And to say that it's a marketing ploy or that it's 
somehow about PR really, really diminishes what should be a 
very serious conversation involving this Congress, the 
stakeholders, the American people.
    Just with respect to the New York case, Judge Orenstein 
last night took on this issue head-on, and he said, in footnote 
14 on page 40, he said: I reject the government's claim. I find 
Apple's activities and the position that they are taking 
conscientious and not with respect to PR or marketing.
    Mr. Goodlatte. Director Comey and Mr. Vance seem to suggest 
that the security provided by encryption on prior devices is 
fine, but advancing encryption technology is a problem. What do 
you think about that?
    Mr. Sewell. So it's important to understand that we haven't 
started on a path of changing our technology. We haven't 
suddenly come to the notion that encryption security and 
privacy are important.
    At Apple, this began back in 2009 with our encryption of 
FaceTime and iMessage. We've been on a path from generation to 
generation as the software and the hardware allow us to provide 
greater security and greater safety and privacy to our 
customers.
    What happened between iOS 7 and iOS 8 was that we were able 
to transform the encryption algorithm that is used within the 
software and the hardware of the phone to provide a more secure 
solution.
    Mr. Goodlatte. We are moving to end-to-end encryption on 
many devices and apps, not just Apple iPhones. Why is that 
happening?
    Mr. Sewell. I think it's a combination of things. From our 
perspective at Apple, it's because we see ourselves as being in 
an arms race, in an arms race with criminals, cyberterrorists, 
hackers. We're trying to provide a safe and secure place for 
the users of our devices to be assured that their information 
cannot be accessed, cannot be hacked or stolen. So, from our 
perspective, end-to-end encryption move is an effort to improve 
the safety and security of our phones. From the terrorist's 
perspective, I think it's an effort to communicate in ways that 
cannot be detected, but the terrorists are doing this 
independently of the issues that we're discussing here today.
    Mr. Goodlatte. Now, if the FBI succeeds in getting the 
order that is in dispute that Apple has appealed to a final 
resolution, however long that takes, and they then get Apple to 
develop this device that will allow the 10 times and your--by 
the way, all of us here, we can't turn that off, so----
    Mr. Sewell. Well, we could show you how to do that.
    Mr. Goodlatte. Well, but inside our firewall here, we can't 
do that. So we understand the reason, but that creates a 
separate vulnerability, does it not, for people whose device 
falls in someone else's hands, they could willfully try 10 
times and erase what hasn't been backed up on the device.
    But be that as it may, if they were to get you to develop 
that code and to apply it and then to crack the four-digit code 
to get into the device, once they get in there, they could find 
all kinds of other restrictions that Apple has no control over, 
right, with regard to apps that are on the phone, with regard 
to various other communications features that the consumer may 
have chosen to put on there? Is that correct?
    Mr. Sewell. That's absolutely right, Mr. Chairman. One of 
the most pernicious apps that we see in the terrorist space is 
something called Telegraph. Telegraph is an app that can reside 
on any phone. It has nothing to do with Apple. It can be loaded 
either over the Internet or it could be loaded outside of the 
country. And this is a method of providing absolutely 
uncrackable communications.
    If what happens here is that Apple is forced to write a new 
operating system, to degrade the safety and security in phones 
belonging to tens or hundreds of millions of innocent people, 
it will weaken our safety and security, but it will not affect 
the terrorists in the least.
    Mr. Goodlatte. Thank you very much.
    My time has expired.
    The gentleman from Michigan, Mr. Conyers, is recognized for 
5 minutes.
    Mr. Conyers. Thank you, Mr. Chairman.
    And welcome to the witnesses.
    Let me start off with Professor Landau. Director Comey has 
just testified that until the invention of the smartphone, 
there was no closet, no room, or basement in America that the 
FBI couldn't enter. Did encryption exist before the invention 
of the iPhone?
    Ms. Landau. Encryption has existed--for centuries. And, in 
particular, there have been fights over encryption and the use 
of encryption in the 1970's about publication; in the 1980's 
about whether NIST or the NSA would control the development of 
encryption for nonnational security agencies; in the 1990's 
about whether there would be export controls on devices with 
strong encryption. The White House changed those rules in 2000.
    We expected to see widespread use of strong encryption on 
devices and on applications, and the technologists' response to 
Apple is: What took you guys so long? How, in the face of all 
the cybersecurity problems that we've had, did it take industry 
so very long to do this?
    Well, as our technical expert, let me ask you this: Is 
there any functional difference between asking Apple to break 
its own encryption, and what the FBI has demanded in 
California?
    Ms. Landau. I'm sorry. Asking Apple to break--I don't quite 
understand the question.
    Mr. Conyers. All right.
    Ms. Landau. What Apple is being asked to do is to subvert 
the security controls and go around. So it's not breaking the 
encryption, but it's subverting its own security controls.
    Mr. Conyers. Right.
    Ms. Landau. And is there any functional difference between 
that and----
    Mr. Conyers. And what the FBI has demanded in California.
    Ms. Landau. What it's demanded in California is that Apple 
subvert its own security controls.
    Mr. Conyers. Uh-huh. Let me ask Mr. Bruce Sewell the same 
question: What is the functional difference between ordering 
Apple to break its encryption, and ordering Apple to bypass its 
security so the FBI can break the encryption?
    Mr. Sewell. Thank you, Ranking Member.
    Functionally, there is no difference. What we're talking 
about is an operating system in which the passcode is an 
inherent and integrated part of the encryption algorithm. If 
you can get access to the passcode, it will affect the 
decryption process itself.
    What we're being asked to do in California is to develop a 
tool, a tool which does not exist at this time, that would 
facilitate and enable the FBI, in a very simple process, to 
obtain access to the passcode. That passcode is the 
cryptographic key. So essentially, we are throwing open the 
doors, and we are allowing the very act of decryption to take 
place.
    Mr. Conyers. I was hoping you'd go in that direction. Let 
me ask you this: There has been a suggestion that Apple is 
working against law enforcement, and that you no longer respond 
to legal process when investigators need your assistance. Is 
that accurate?
    Mr. Sewell. It's absolutely false. As I said in my opening 
statement, we care deeply about the same motivations that 
motivate law enforcement. The relationship with law enforcement 
falls within my shop at Apple. The people that we have who 
assist law enforcement every day are part of my team, and I'm 
incredibly proud of the work they do.
    We have dedicated individuals who are available around the 
clock to participate instantly when we get a call. As we've 
discussed a little bit earlier in Director Comey's testimony--
--
    Mr. Conyers. I want to squeeze in one more question before 
my time runs out.
    Mr. Sewell. All right. I'll try to be very quick. We do 
everything we can to assist law enforcement, and we have a 
dedicated team of people who are available 24/7 to do that.
    Mr. Conyers. Why is Apple taking this stand? What exactly 
is at stake in the San Bernardino case?
    Mr. Sewell. This is not about the San Bernardino case. This 
is about the safety and security of every iPhone that is in use 
today.
    And I'd like to address one thing that Director Comey 
raised. This is--there's no distinction between a 5C and a 6 in 
this context. The tool that we're being asked to create will 
work on any iPhone that is in use today. It is extensible; it 
is common; the principles are the same. So the notion that this 
is somehow only about opening one lock or that there's some 
category of locks that can't be opened with the tool that they 
are asking us to create is a misnomer. It's something that we 
needed to clarify.
    Mr. Conyers. Thank you for your responses.
    Mr. Goodlatte. The Chair recognizes the gentleman from 
Wisconsin, Mr. Sensenbrenner, for 5 minutes.
    Mr. Sensenbrenner. Thank you very much.
    Mr. Sewell, I think you know that I have been one of the 
privacy hawks on this Committee. And the whole debate over the 
USA FREEDOM Act was whether the NSA should go to court and get 
some type of an order or a warrant specifically naming the 
person or persons whose data is requested. And here, the FBI, 
you know, has done that.
    Now, in your prepared testimony, you said the questions 
about encryption should be decided by Congress rather than 
through a warrant based on a 220-year-old statute. I point out 
that the Bill of Rights is about the same age. Now, the FBI's 
attempting to enforce a lawful court order. Apple has every 
right to challenge that order, as you have done. But why is 
Congress and not the courts the best venue to decide this 
issue?
    Mr. Sewell. Congressman, I think that, ultimately, Congress 
must decide this issue. So I'm completely in support of the 
position that you're articulating.
    I think we find ourselves in an odd situation in a court in 
California, because the FBI chose to pursue, in an ex parte 
fashion, a warrant that would compel Apple to do something. We 
view that not as an extension of the debate, not as a way to 
resolve this issue; we view that as a way to cut off the 
debate. If the court were to grant the relief that the FBI is 
seeking, we would be forced to do the very thing which we think 
is at issue and should be decided by the American people. We'd 
be forced to create the tool.
    Mr. Sensenbrenner. Okay. Now, what's your proposed 
legislative response? Do you have a bill for us to consider?
    Mr. Sewell. I do not have a bill for you to consider.
    Mr. Sensenbrenner. Okay. Thank you. That answers that.
    Now, the FBI has provided some fairly specific policy 
proposals to ensure that law enforcement can access encrypted 
data with a warrant. What policy proposal would Apple support? 
You don't like what the FBI said. What's your specific 
response?
    Mr. Sewell. What we're asking for, Congressman, is a debate 
on this. I don't have a proposal. I don't have a solution for 
it. But what I think we need to do is to give this an 
appropriate and fair hearing at this body, which exists to 
convene and deliberate and decide issues of legislative 
importance.
    We think that the problem here is we need to get the right 
stakeholders in the room. This is not a security-versus-privacy 
issue. This is a security-versus-security issue, and that 
balance should be struck, we think, by the Congress.
    Mr. Sensenbrenner. Well, you know, let me make this 
observation, you know, having dealt with the fallout of the 
Snowden revelations and the drafting and garnering support of 
USA FREEDOM Act. I can tell you, I don't think you're going to 
like what comes out of Congress.
    Mr. Sewell. Congress, we will follow the law that comes out 
of this process. We certainly understand.
    Mr. Sensenbrenner. Okay. Well, the thing is, I don't 
understand. You don't like what's being done with the lawfully-
issued warrant. And most warrants are issued on an ex parte 
basis, where law enforcement submits an affidavit before a 
magistrate or a judge, and the judge determines whether the 
allegations of the affidavit are sufficient for the warrant to 
issue.
    Now, you're operating in a vacuum. You've told us what you 
don't like. You said that Congress ought to debate and pass 
legislation. You haven't told us one thing about what you do 
like. What are we going to hear what you do like so that Apple 
has a positive solution to what you are complaining about? You 
said it's Congress' job to do it. Now, we won't shirk from 
that. This hearing, you know, is a part of this debate. The FBI 
has provided some policy suggestions on that. You haven't said 
what Apple will support. So all you've been doing is saying, 
no, no, no, no.
    Now, our job in Congress, honestly, you know, as we did 
with the FREEDOM Act, and as we are doing with the Electronic 
Communications Privacy Act update, is to balance our belief 
that there should be privacy for people who are not guilty or 
suspected of terrorist activity, and that there should be 
judicial process, which there has been, in this case.
    And, you know, I guess that while your position is because 
you don't have anything positive, you know, is to simply leave 
us to our own devices. Well, we'll be very happy to do that, 
but I can guarantee you, you aren't going to like the result.
    I yield back.
    Mr. Sewell. Congressman, I do think we have said what we 
stand for and what we believe is the positive place.
    Mr. Sensenbrenner. No. You know, the thing is you've asked 
Congress to do something, and I asked you what Congress should 
do. You said we have nothing. Then I said the FBI has provided 
specific policy proposals to ensure law enforcement is able to 
get this information.
    Now, here we're talking about the iPhone of a dead 
terrorist that was not owned by the terrorist, but was owned by 
San Bernardino County. Now, you know, the thing is is that I 
don't have a government iPhone. I have my own iPhone, which I 
use extensively. But the terrorist had, you know, a government 
iPhone which belonged to the government. I think the 
government, San Bernardino County specifically, would like to 
get to the bottom of this, and you're resisting it.
    I said my peace.
    Mr. Goodlatte. Time of the gentleman has expired.
    The gentleman from New York, Mr. Nadler, is recognized for 
5 minutes.
    Mr. Nadler. Thank you, Mr. Chairman.
    Let me begin by welcoming my constituent and the great 
district attorney of New York County, Cy Vance, by saying that 
I appreciate his enlightenment of the district attorney's views 
of this dilemma that we all face.
    Let me also suggest, in answer to Mr. Sensenbrenner's 
questions, that I assume that Apple may have legislative 
suggestions for us after the courts come out with their 
determinations, and Apple decides they like the determinations 
or they don't like the determinations, at which point Apple, 
and a lot of other people in institutions, I assume, will 
decide on specific legislative proposals. And it may very well 
be that this Congress will wait to see what the courts do, but 
we will see.
    Let me begin my questions. District Attorney Vance, 
Director Comey suggested earlier today that the relief sought 
by the FBI is limited to this one device, running this 
particular operating software in this one case. Now, I gather 
that you've mentioned you have over 200 phones faced with a 
similar problem----
    Mr. Vance. Yes.
    Mr. Nadler [continuing]. That you don't really think that 
this case will be limited to the one device; that, obviously, 
it's going to set a precedent, maybe not the only precedent, 
for a large class of devices, including the ones that you're 
interested in.
    Mr. Vance. There may well be an overlap between action in 
Federal court where the FBI is in litigation and in State 
court. I do believe that what we should be seeking, 
collectively, is not a phone-by-phone-by-phone solution to 
accessing devices and the contents when there's probable cause; 
we should be creating a framework in which there are standards 
that are required to--for a court to authorize access to a 
device and that it's not based upon litigation as to whether 
you can get into a West Coast phone or an East Coast phone.
    Mr. Nadler. Well, I assume that, eventually, either the 
courts will set one standard, or Congress will have to consider 
it.
    Mr. Vance. Right. Yes.
    Mr. Nadler. Professor Landau, several of your colleagues 
recently published the results of a survey of over--and this is 
similar to a question I asked Director Comey. Several of your 
colleagues recently published results of a survey of over 600 
encryption products that are available online. More than 400 of 
these products are open sourced and made or owned by foreign 
entities.
    If Congress would have passed a law, or for that matter, if 
the courts were to impose a requirement, that forcing U.S. 
companies to provide--forcing U.S. companies to provide law 
enforcement with access to encrypted systems, would that law 
stop bad actors from using encryption from open sources or 
foreign sources?
    Ms. Landau. Absolutely not. Absolutely not. And what 
Apple's product does is it makes encryption easy by default. 
And so it means, as I said, the secretary to the Chair of the 
Federal Reserve, the HVAC employee, the chief of staff in your 
office--of course, your office should be protected anyway, but 
the regular person using a phone has the phone secured.
    If Congress were to pass a law prohibiting use of 
encryption on Apple phones or however--you know, you wouldn't 
say it just for Apple, what it would do is it would weaken us, 
but not change it for the bad guys.
    Mr. Nadler. And if someone purchased a phone from a foreign 
company, it could have the encryption that we prohibited an 
American company from creating?
    Ms. Landau. That's--if someone purchased a foreign phone, 
somebody can just download the app from abroad. They don't have 
to buy a foreign phone. They can just download the app from 
anywhere.
    Mr. Nadler. And let's assume that Congress decided to 
prohibit purchase of foreign encryption systems. Is there any 
practical way we can enforce that?
    Ms. Landau. No. I mean, you would have to start inspecting 
so much as it comes over the Internet that it becomes an 
intrusive----
    Mr. Nadler. So what you're saying is that we are really 
debating something that's undoable?
    Ms. Landau. That's right. And we were there 20 years ago, 
which the open-source issue was part of the reason for the U.S. 
Government's change in export controls, which is part of what 
enabled----
    Mr. Nadler. Okay. Let me ask two very quick questions 
before my time runs outs.
    Mr. Sewell, the Eastern District Court yesterday, in its 
ruling that has been referred to, cited no limiting principle 
to the legal theory behind the FBI's request as a reason to 
deny the order. Is there a limiting principle in the San 
Bernardino case?
    Mr. Sewell. Absolutely none, Congressman.
    Mr. Nadler. None. So it can be expanded indefinitely.
    And finally, Mr. Sewell, your brief, Apple's brief to the 
court lays out several constitutional concerns. There's 
computer code speech as protected under the First Amendment. 
What are the First and Fifth Amendment--well, let me just ask, 
what are the First and Fifth Amendment questions does this case 
raise? We've been talking about statute, but let's ask about 
First and Fifth Amendment questions.
    Mr. Sewell. Right. Good question, Congressman. And bear in 
mind that what we're being asked to do is write a brand new 
computer code, write a new operating system. The law, with 
respect to the applicability of computer code to speech, I 
think, is well established. So this is a compelled speech by 
the government for the purpose of the government.
    Mr. Nadler. Which is a First Amendment problem.
    Mr. Sewell. Which is absolutely a First Amendment problem. 
And bear in mind, this is a speech which Apple does not want to 
make. This is our position.
    On the Fifth Amendment, the issue is conscription. The 
issue is forced activity, forced labor.
    Mr. Nadler. Does anybody else on the panel want to comment 
on that question?
    If not, thank you. My time is expired, Mr. Chairman.
    Mr. Goodlatte. The gentleman from California, Mr. Issa, is 
recognized for 5 minutes.
    Mr. Issa. Thank you, Mr. Chairman.
    And I'll pick up where you left off on forced labor. Do you 
know of any place in our history in which, except in time of 
war, when things are commandeered and people are told to do 
that, or when police are in hot pursuit, do you know a time in 
which people were forced to apply their inventive genius 
against their will?
    Mr. Sewell. Congressman, I'm not aware of it. The steel 
cases during the war were the ones that were most applicable.
    Mr. Issa. Sure. And I certainly understand a different time 
and a different set of circumstances.
    Now, I want to do two things: So Ms. Landau, I'm going to 
come to you first. Your expertise is encryption. You were 
probably very young, but you remember 20 years ago the 
argument. Wasn't it the FBI and then the late Mike Oxley and 
others that were championing that if we allowed more than 256-
bit encryption, then the FBI couldn't easily decode it, and 
that would be the ruin of their investigations?
    Ms. Landau. Right. And what you get instead is over the 
last 20 years, the NSA has increasingly supported the secure 
technologies for private sector communications infrastructure, 
including the 256-bit algorithm.
    Mr. Issa. Okay. I'm going to ask a quick question, and it's 
old technology, because I'm very good with analog world. But 
this happens to be a January 29, 2015, patent that's already in 
the record, and it's a patent on basically self-destructing the 
contents inside if someone tries to forcibly open it.
    Now, the funny thing is, I was looking for the old patents 
going back decades and decades, because the military and others 
have used these. They've had acids and even more punitive, if 
you will, responses inside when we wanted to secure it. It's 
not a new technology, but there's a new twist on it.
    Aren't we, in a sense, the equivalent of saying, well, you 
can make something that destroys the documents but then you 
have to tell us how to defeat it?
    Ms. Landau. That's exactly right.
    Mr. Issa. Okay. And I'm looking and saying, there's no 
history in that, but we've had plain safes for a very, very 
long time. This isn't new. Do you know of any shredder company 
that has been told that they have to show you how to reassemble 
what they've shredded?
    Ms. Landau. I don't study shredding companies, but I'd be 
very surprised if there were.
    Mr. Issa. Mr. Vance, have you ever ordered a shredding 
company to put the paper back together, use their inventive 
genius----
    Mr. Vance. Of course I haven't, Congressman, but--but----
    Mr. Issa. So you're asking, in this case, for somebody to 
create a product for your service. And I want to focus on that 
and I'll get to you, I promise.
    But Mr. Sewell, I'm going to look at you as the 
representative of the one of the great technology companies in 
our country. Apple gets its great technology people, I assume, 
from Stanford and MIT and other great universities, right?
    Mr. Sewell. We do, yes, indeed.
    Mr. Issa. And you don't get all the graduates, right?
    Mr. Sewell. No, we don't. We wish we did.
    Mr. Issa. So when I was talking to the Director, and 
saying, well, if you take--and it's a hypothetical. My level of 
knowledge is way less than any of your folks, and probably any 
of the FBI's. But if you take this hard drive, solid-state hard 
drive, you pull it apart--and he even used the word 
``mirroring.'' Obviously, he had some discussion at some 
point--and you make as many images as you want, then you have a 
true original; but even if the self-destruct occurs, that 
original, you throw it away you take another one.
    So that part of what he's asking you to do, they can do 
themselves by pulling the chip out and having it imaged, if you 
will, in all likelihood. We're not saying for sure. But he 
hadn't checked it. So that's a possibility. Is that right?
    Mr. Sewell. I believe so. We don't know what the condition 
of the phone is and we don't know what the condition of the RAM 
is, but yes.
    Mr. Issa. Sure. And of course, we're not really talking 
about one phone. We know that. We're talking about thousands of 
phones.
    And as I understand the technology used in your chip is you 
have burnable traces in your chip. So randomly, or in some way, 
when you're producing each chip, you burn traces which create 
the encryption algorithm, and it's internal. So the chip has 
its algorithm separate from the software.
    But that chip, when interfacing with an image, if you keep 
giving it new images, that's the part that changes. So isn't it 
at least conceivable that as to that phone, and perhaps the 175 
in New York and others, that the FBI, or the NSA could, in 
fact, come up with an elegant brute force attack that would 
work on your phones and also would work on hundreds of other 
types of phones around the world; and that that technology 
with, if you will, those brilliant young minds from Stanford, 
MIT, and Kent State, my alma mater, you know, could, in fact, 
produce something that would not be available to the public; 
they would have control over, and they would be able to make it 
more universal than just trying to go through your source code, 
which, I understand--is it correct--they've never asked for. Is 
that right?
    Mr. Sewell. We've never been asked for our source code.
    Mr. Issa. Okay. Mr. Chairman, if anyone else wants to opine 
on it, I would appreciate they be able to.
    Mr. Goodlatte. Chair thanks the gentleman and recognizes 
the gentlewoman from California, Ms. Lofgren, for 5 minutes.
    Ms. Lofgren. Well, thank you very much. I think this 
hearing is very helpful.
    And just to get it on the record, Mr. Sewell, I mean, 
you're not objecting--let me step back. If you have something, 
and you are served with a warrant, you give that something up. 
Is that correct?
    Mr. Sewell. That's absolutely correct, yes, Congresswoman.
    Ms. Lofgren. So the issue here is you don't have it, you've 
got no way to get it, and, therefore, you can't give it, right?
    Mr. Sewell. That's correct.
    Ms. Lofgren. Now, if it were possible to do something that 
would get just this one thing without opening the door to 
everybody else's stuff, would you have a problem with that?
    Mr. Sewell. Let me----
    Ms. Lofgren. Let me rephrase that, because you're in court.
    Mr. Sewell. Sure.
    Ms. Lofgren. That would be a different issue than breaking 
encryption generally, wouldn't it be?
    Mr. Sewell. The best analogy that I can come up with, and 
I've been struggling with how do we create the right kind of 
analogy for this situation. If Apple had a box somewhere that 
we could guarantee, we could assure 100 percent certainty, that 
anything that was put in that box was not susceptible to 
thievery, to attack, to corruption; if we had such a place in 
the world, we wouldn't be here today----
    Ms. Lofgren. Right.
    Mr. Sewell [continuing]. Because what we would have done is 
gone to our customers and we would have said, give us your 
passwords. We can absolutely 100 percent protect them. And then 
if you lose your phone, if you need our help, we can just give 
you the passcode.
    Ms. Lofgren. But you didn't do that because you can't 
guarantee that, which is why you encrypted this phone.
    Mr. Sewell. Exactly right. And now the bizarre situation is 
that essentially, the FBI is saying, We all realize it's silly 
that everybody would give you your password, but instead, we 
want you to build a tool that will get those passwords, and 
we're telling you, you can put that tool in this box that 
doesn't exist.
    Ms. Lofgren. So let me ask you this: Is it possible, 
theoretically, to create code that would preclude you from 
creating a system that would allow you to defeat the 10-try 
erase function?
    Mr. Sewell. We could write a program that would suppress 
that protective measure.
    Ms. Lofgren. So that you couldn't do what it is you're 
being asked to do?
    Mr. Sewell. Right. We're being asked to do three things, 
but it is capable--we are capable of doing those three things. 
The issue is what's the consequence of doing those?
    Ms. Lofgren. Right. But the question is also, I mean, this 
hearing caused me to go in and turn on the 10-erase function 
which I neglected to do before the hearing, thank you very 
much. But, you know, as you go forward, people are insecure 
about what's safe.
    Mr. Sewell. Absolutely.
    Ms. Lofgren. And, you know, for example, you don't have--
and I think for good reason--what's in iCloud is not encrypted. 
Is it possible to encrypt the data in iCloud?
    Mr. Sewell. Yes, actually, in the iOS 8 and 9 generation, 
we have encrypted the iCloud data. It's encrypted in a 
different way than it was before and we think in a more secure 
way.
    Ms. Lofgren. Right. But you can still provide access to 
that?
    Mr. Sewell. It is encrypted in a different way----
    Ms. Lofgren. But you could change that if you wished?
    Mr. Sewell. Yes.
    Ms. Lofgren. Now, let me ask you this, Dr. Landau: Now, you 
were involved with that paper that was published, I think, last 
year.
    Ms. Landau. Keys under Doormats.
    Ms. Lofgren. Thank you. That was an excellent paper. And I 
think for anybody who has--it's dense. I had to read some pages 
two and three times to understand it. But for anybody--and 
actually, I've asked unanimous consent, Mr. Chairman, to put 
that paper in the record from the cryptographers.**
---------------------------------------------------------------------------
    **Note: The material referred to is not printed in this hearing 
record but is on file with the Committee. Also, see Lofgren Submission 
at:

      http://docs.house.gov/Committee/Calendar/
      ByEvent.aspx?EventID=104573
    Mr. Goodlatte. Without objection, it will be made a part of 
the record.
    Ms. Lofgren. If you just go to the questions at the end, 
you see that this is a fool's errand. We'll never be able to do 
what is being asked of us by the FBI. It's a practical matter; 
it's just not achievable.
    But I'm interested in your take on, you know, Director 
Comey said, you know, they don't want the master key. They just 
want this one bypass on security. Isn't that exactly the same?
    Ms. Landau. It's wrong, and it's just, as Mr. Sewell said, 
once they've built that software, that software works for other 
phones. Of course, it has to have the serial number of the 
particular phone, so Apple has to sign--you know, has to take 
the software, put in a new serial number, sign it so the new 
phone accepts it. And that's where all the security risks comes 
in, because it becomes a routine process, and as I mentioned 
during my remarks, routine processes get subverted.
    Ms. Lofgren. I'll ask the final question. Mr. Sewell, it 
was asked earlier by my colleague, Mr. Richmond, about whether 
these other countries have better security than we do. If I 
take my phone, my iPhone with the current operating system to 
Russia or China, can they break into it?
    Mr. Sewell. With respect to the phone itself, we believe 
the encryption we provided in iOS 8 makes that effectively 
impossible. With respect to the things that are going on at the 
Internet level, there are very sophisticated techniques that 
can be used by malicious actors who have access to the Internet 
itself. There are ways to fool the Internet into thinking that 
something is what it isn't. And so I think there is a 
vulnerability still in that regard. But on the phone, what 
we've tried to do is to remove that possibility with iOS 8 and 
9.
    Ms. Lofgren. Thank you very much, all of you, for your 
testimony.
    Mr. Goodlatte. The Chair thanks the gentlewoman and 
recognizes the gentleman from Texas, Mr. Poe, for 5 minutes.
    Mr. Poe. Thank the Chairman.
    Thank you all for being here. Fascinating, important 
discussion on this issue of, as you say, security/insecurity.
    As you know, I'm a former prosecutor and former judge, and 
dealt with warrants for 30 years, either requesting them or 
signing them. And this particular case, I think we're really 
talking about two cases now. We're talking not just about the 
San Bernardino case, but the New York case as well. Different 
facts, different issues.
    Fourth Amendment, we have discussed--Fourth Amendment 
doesn't really apply too much to this situation, because the 
possession of the item is lawful in the possession of 
government. I do think it's ironic, however, we're talking 
about privacy, United States is supposed to lead on the issue, 
I think, on the issue of privacy. We're the only one that has a 
Fourth Amendment. But we see that other countries seem to have 
more concern about privacy in their technology than maybe we 
do. I find that somewhat ironic.
    Let me ask you a couple questions. You discuss the idea of 
constitutional right, right of privacy. But in one of your 
testimonies, and I think it was Mr. Nadler from New York, he 
and I have a language barrier problem, so I'm not sure I 
understood his question. You mentioned the First Amendment and 
the Fifth Amendment. Is that correct?
    Mr. Sewell. I did, that's correct.
    Mr. Poe. Briefly explain how you see this as a First 
Amendment issue as well as a Fifth Amendment issue. We don't 
need to talk about the Fourth Amendment. We've discussed that.
    Mr. Sewell. The Fifth Amendment issue derives from the fact 
that we're being asked to write code, and code is speech, and 
Supreme Court has held that that speech is protectable. So 
we're being asked to speak by the government. That speech is 
not speech that we want to make. And the First Amendment 
provides us with protections against being compelled to speak 
by the government. So that would be the First Amendment 
argument in a nutshell.
    The Fifth Amendment provides us with protection from 
conscription, protection from being forced into labor at the 
government's will, except under the most extraordinary of 
circumstances, which I discussed with Congressman Issa. But 
that's the Fifth Amendment issue.
    Mr. Poe. All right. Thank you.
    What this request, the results of the request, how would 
that affect Apple worldwide in other countries?
    Mr. Sewell. Well, there are a number of parts of that 
question, Congressman, so thank you. The way that this would 
affect Apple is that it would affect our customers. It would 
affect everyone who owns an iPhone, and it would create a risk 
for everyone who owns a phone that their data could be 
compromised, that their security could be compromised.
    With respect to the international question, I agree with 
you. I think America should be leading on this issue. And I 
think that the world is watching what happens right now in our 
government and what happens, even today, with respect to this 
particular debate.
    Our ability to maintain a consistent position around the 
world, our ability to say that we will not compromise the 
safety and security of any of our users anywhere in the world 
is substantially weakened if we are forced to make that 
compromise here in our own country. So I urge this Congress, 
and I urge the government generally to understand that to take 
a leadership role, give us the strong support that we need to 
resist any effort by other governments to weaken security and 
privacy.
    Mr. Poe. One of the questions that was asked was talking 
about what is your solution, and I actually agree with Mr. 
Nadler. I know this is going to bother him a little bit, that 
there may be, after all this litigation, and there may be a 
solution that we haven't thought of yet, but would not one 
option be Congress taking the position that prohibits the 
backdoor key security system, the Viper system, as I call it, 
from----
    Mr. Issa. Thank you, Mr. Poe.
    Mr. Poe. I said that earlier but you stepped out. The Viper 
system from being imposed, required, prohibit that from 
government requiring that type of system in specific technology 
like an iPhone?
    Mr. Sewell. I think that is certainly one possibility, yes, 
sir.
    Mr. Poe. Prohibit the key.
    Let me ask you something else. If courts rule that you're 
required to develop the technology, develop the software, would 
that software be able to be used on all those other hundreds of 
phones that are out there that the government lawfully has in 
their possession but they can't get into?
    Mr. Sewell. Absolutely. There's nothing that would preclude 
it from being used on any iPhone that is in use today.
    Mr. Poe. And my last question, would other countries then, 
if U.S. takes the position thou shalt give government the key, 
what will other countries, like China, require or request or 
demand of Apple?
    Mr. Sewell. So to date, we have not had demands like that 
from any other country. The only place that we're having this 
debate is in our own country. But as I said before, I think if 
we are ordered to do this, it will be a hot minute before we 
get those requests from other places.
    Mr. Poe. All right. Thank you, Mr. Chairman. I yield back.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentleman from Georgia, Mr. Johnson, for 5 
minutes.
    Mr. Johnson. Thank you, and thank the witnesses for being 
here.
    Mr. Vance, what's the difference between a company being 
ordered to use its best efforts--I think the language is--let's 
see--reasonable--an order--a court order requiring reasonable 
technical assistance. What's the difference between a court 
order requiring reasonable technical assistance to accomplish 
the bypassing or disabling of the auto-erase function versus a 
civil subpoena, or a court order pursuant to a subpoena, a 
motion to compel the delivery of information under that 
person's custody and control? Is there a difference?
    Mr. Vance. I'm not sure, Congressman, there is a 
difference. They're both court orders that are directing an end 
result. One may be in a civil context; one in a criminal 
context.
    But I would say that in this discussion, it's very much a 
part of our history in America that when companies produce 
items or objects, or commerce becomes ubiquitous in a 
particular area, that the company has to have the realization 
that part of a group of people who are using its products are 
using it to commit criminal purposes.
    Take a look at the banking system, currency transaction 
reports. So once it became obvious that criminals were moving 
cash through the banks, the response was you have to create and 
file transaction reports when cash is moved.
    When two companies like these two hugely successful and 
important companies own 96.7 percent of the world's smartphone 
market, and we know that criminals--we know that criminals are 
using the devices to commit crimes--we've heard some of those 
stories--I don't think that it is new in American history, or 
in the context of business ethics or oversight for companies to 
have to adapt to the realities of the product they've created.
    Mr. Johnson. Because they are the only ones that can--a 
bank that received the cash would be the only entity in a 
position to submit a currency transaction with the court?
    Mr. Vance. It would be the only one required to. If someone 
else had information about it, they could submit it, but it 
would be the only one who had firsthand knowledge.
    Mr. Johnson. Okay. Now, Ms. Landau, is it your opinion that 
the government should not have the ability to compel Apple to 
use its best efforts to accomplish a technical feat? Is that 
your opinion?
    Ms. Landau. So there are two answers to that. If you're 
asking me a lawyer question, then I'm not a lawyer and I'll 
dodge; but if you're asking me as a technologist, then I would 
say that it is a security mistake. It's a security mistake 
because that code----
    Mr. Johnson. Because what Apple would do would inherently 
cause an insecurity in their system?
    Ms. Landau. That's right. And it will be the target of 
organized crime and nation states, because it will be very 
valuable for somebody who puts a phone down as they go through 
Customs, for somebody who goes to a business meeting, and 
they're not allowed to bring their phone in because it's a 
meeting under nondisclosure, and the phone is sitting outside 
for a few hours. All sorts of situations. The phone will become 
very interesting. And if there's code that can actually get 
into the phone and get the data, that code is going to be the 
target of nation states----
    Mr. Johnson. So once Apple creates the code, then it makes 
it susceptible to being stolen and misused?
    Ms. Landau. That's right.
    Mr. Johnson. So, therefore, Apple should not be required to 
comply with the court order?
    Ms. Landau. I'm not answering the legal question. I'm 
answering the security question. The security question, it 
makes a real mistake.
    Mr. Johnson. Yeah. Okay. And, Mr. Sewell, you would agree 
with that?
    Mr. Sewell. I would agree that if we're forced to create 
this tool, that it reduces the safety and security not within 
our systems, Congressman, but with our users.
    Mr. Johnson. Let me ask you a question. What about the 
security and the safety of those whose liberty can be taken and 
lives can be taken due to an ongoing security situation which 
the FBI is seeking to get access to information about? Is there 
an interest in the public security that we're talking about 
here?
    Mr. Sewell. Congressman, that's what----
    Mr. Goodlatte. The time of the gentleman has expired, but 
Mr. Sewell may answer the question.
    Mr. Sewell. That's what makes this such a hard issue, 
because we're balancing two different but very similar issues: 
private security, the security of people who use iPhones, the 
location of your children, the ability to prevent your children 
from being kidnapped or harmed, versus the security that's 
inherent in being able to solve crimes.
    So it's about how do we balance these security needs, how 
do we develop the best security for the United States. If you 
read the statements by General--any of the encryption 
specialists today, we'll say that de-featuring or debilitating 
encryption makes our society less safe overall. And so that's 
what we're balancing. Is it the right thing to make our society 
overall less safe in order to solve crime? That's the issue 
that we're wrestling with.
    Mr. Johnson. Thank you.
    I yield back.
    Mr. Goodlatte. The Chair recognizes the gentleman from 
South Carolina, Mr. Gowdy, for 5 minutes.
    Mr. Gowdy. Thank you, Mr. Chairman.
    Now, Mr. Sewell, you just mentioned a balancing. Can you 
give me a fact pattern where Apple would consent to the 
magistrate judge's order in California?
    Mr. Sewell. Congressman, we will follow the law. If we're 
ordered to do this----
    Mr. Gowdy. No, I'm asking for a fact pattern. You mentioned 
balancing. I want you to imagine a fact pattern where you 
balance the interest in favor of what the Bureau is asking you 
to do as opposed to your current position. Give me a fact 
pattern.
    Mr. Sewell. Congressman, what I said was we have to balance 
what is the best security for the country. Not balance when we 
should give law enforcement what they're asking, but balance 
what's the best security for the country.
    Mr. Gowdy. I thought that's what we were balancing is 
public safety versus privacy. You also mentioned the First and 
Fifth Amendment. Can you give me a fact pattern where Apple 
would consent to the order of the magistrate judge?
    Mr. Sewell. Congressman, what I said was privacy, security, 
personal safety.
    Mr. Gowdy. Perhaps I'm being ambiguous in my asking of the 
question. Can you give me a fact pattern where you would agree 
to do what the Bureau is asking you to do in California, 
whether it be nuclear weaponry, whether it be a terrorist plot? 
Can you imagine a fact pattern where you would do what the 
Bureau is asking?
    Mr. Sewell. Where we would create a tool that doesn't 
exist----
    Mr. Gowdy. Yes.
    Mr. Sewell [continuing]. In order to reduce the security 
and safety of our users?
    Mr. Gowdy. Yes.
    Mr. Sewell. I'm not aware of such a fact pattern.
    Mr. Gowdy. So there is no balancing to be done. You have 
already concluded that you're not going to do it.
    Mr. Sewell. No, I've said that we will follow the law. If a 
balance that is struck, if there is an order for us to comply 
with, we----
    Mr. Gowdy. There is an order.
    Mr. Sewell. That order is being challenged at the moment as 
we speak. There's an order in New York that says----
    Mr. Gowdy. I'm glad you mentioned the order in New York. 
That's a drug case. You would agree with me the analysis in 
drug cases is very different from the analysis in national 
security cases. And even if you didn't agree with that, you 
would agree that in footnote 41, the magistrate judge in New 
York invited this conversation about a legislative remedy, 
which brings me back to Chairman Sensenbrenner's question: 
Where is your proposed legislative remedy?
    Mr. Sewell. We don't have legislation to propose today, 
Congressman. What we've suggested----
    Mr. Gowdy. Well, then how will we know whether or not you 
think it strikes the right balance if you don't tell us what 
you think?
    Mr. Sewell. Congressman, where we get to the point where 
it's appropriate for us to propose legislation, not just Apple, 
but the other stakeholders that are engaged in this process, 
I'm sure there will be legislation for Congress to consider.
    Mr. Gowdy. Well, let the record reflect I'm asking you for 
it now. I would like you to tell us what legislative remedy you 
could agree with?
    Mr. Sewell. I don't have an answer for you today. No one's 
had an answer for you today.
    Mr. Gowdy. Can you give me one? I don't know whether Apple 
has a lobbyist. I suspect that you may have a government 
relations department, possibly. Can you submit legislation to 
Chairman Sensenbrenner's question that you could wholeheartedly 
support and lobby for that resolves this conundrum between you 
and the Bureau?
    Mr. Sewell. It is my firm belief that such legislation can 
be drafted. I do not have language for you today.
    Mr. Gowdy. Well, but, see, Mr. Sewell, we draft it and then 
your army of government relations folks opposes it. So I'm just 
trying to save us time. The judge in New York talked about a 
lengthy conversation. Sometimes circumstances are exigent where 
we don't have time for a lengthy conversation. So why don't we 
just save the lobbying and the opposing of whatever, Cedric 
Richmond or Hakeem or Luis and I come up with. Why don't you 
propose it? Tell us what you could agree to?
    Mr. Sewell. Congressman, we're willing to and we've offered 
to engage in that process.
    Mr. Gowdy. The legislative process or the debate process?
    Mr. Sewell. Both, of course.
    Mr. Gowdy. Will you submit legislation to us that you could 
live with and agree with?
    Mr. Sewell. If, after we have the debate to determine what 
the right balance is, then I think that's a natural outcome.
    Mr. Gowdy. Well, how long is the debate going to last?
    Mr. Sewell. I can't anticipate that, Congressman.
    Mr. Gowdy. Well, let me ask you this: You mentioned the 
First Amendment, which I found interesting. Are you familiar 
with voice exemplars?
    Mr. Sewell. I'm sorry. Is that a case, Congressman?
    Mr. Gowdy. No. Voice exemplars are ordered by courts and 
judges for witnesses or defendants to actually have to speak, 
So a witness can see whether or not that was the voice that 
they heard during a robbery, for instance. Because you 
mentioned you have a First Amendment right to not speak. What 
about those who have been immunized and still refuse to 
cooperate with a grand jury, and they are held in contempt and 
imprisoned? So there are lines of cases where you can be forced 
to speak.
    Mr. Sewell. Congressman, we've made an argument, a 
constitutional argument. If the courts determine that that 
argument isn't firm, then we will lose the argument.
    Mr. Gowdy. I'm just asking you whether or not you agree 
that there are exceptions?
    Mr. Sewell. You've given me two examples that I've not 
heard of before.
    Mr. Gowdy. All right. How about back to the Fifth 
Amendment, because I'm out of time. Really quickly, the Fifth 
Amendment, you say you're being conscripted to do something. 
But there's also a line of cases where folks are conscripted to 
perform surgical procedures, or cavity searches or other things 
I won't go into in mixed company, where they are looking for 
contraband. So that's a nurse or a doctor or an 
anesthesiologist that is conscripted by the government, you 
would agree?
    Mr. Sewell. I'm not familiar with these cases. But this is 
what the court will decide.
    Mr. Gowdy. Here's what I'll do. I'm out of time. I'll get 
you the cases I'm relying on, if you'll help me with the 
legislative remedy. Deal?
    Mr. Sewell. I look forward to the cases.
    Mr. Gowdy. Deal. Thank you.
    Mr. Goodlatte. Time of the gentleman has expired.
    The Chair recognizes the gentleman from Florida, Mr. 
Deutch, for 5 minutes.
    Mr. Deutch. Thank you, Mr. Chairman.
    I would start by saying this is really hard. I'm not 
looking to Apple to write the legislation to balance these very 
difficult issues between privacy and public safety. I don't 
expect you to do it. I expect us to grapple with it. And that's 
what we're trying to do here today.
    And I had raised the point earlier, but it's a perfect 
lead-in to the questions I want to ask, that this focus on 
surgical procedures that we can force--that the government can 
force a surgical procedure to be done, sounds like it's somehow 
equivalent. Certainly if we can do that, then we can require 
that a company create a way into its phone.
    Except, as I said earlier with Director Comey, that 
surgical procedure is going to be done by the person that the 
government says should do it. And there is no one from around 
the world who, from their remote location, is going to be able 
to figure out how to conduct surgery on that individual.
    Yet, in this case, and this is why this is so hard for me, 
in this case, there are people all over America and around the 
world who would be trying to figure out how to utilize whatever 
it is that's created here, if this is where this goes, to 
access the phone.
    And Director Comey earlier--Mr. Sewell, Director Comey said 
it's a three step--he believes it's a three-step process that 
they're asking. Can you just speak to that process?
    Mr. Sewell. I absolutely can. Thank you, Congressman.
    First, I agree with you that this is not a problem which--
there are people that are trying to break into these systems. 
There are people who are trying to steal this information, if 
it existed. And their capabilities are increasing every day. So 
this is not a threat which is static. This is a threat which is 
increasing.
    The three parts that we're being asked to develop are, 
first, a method to suppress the data deletion after 10 failed 
attempts. The second thing that we're being asked to suppress 
is the time delay between successive attempts. Both of these 
are specifically tailored to deal with the situation where your 
phone is stolen, or some bad person is trying to break into it, 
and it's specifically designed to defeat the brute force 
attack.
    The third piece is interesting, because the third piece is 
the government asking for us to rewrite the code that controls 
the touch screen, and allow them to put a probe into the phone 
and to bypass the need to enter numeric digits through the 
touch screen. The only reason that that makes sense, 
Congressman, is if you anticipate that this is going to be 
technology used on other phones, and other phones that likely 
have more complicated passcodes.
    Mr. Deutch. Right. So that's the question, and Mr. Sewell, 
it's a question for you, and Mr. Vance, it's a question for 
you. This is one where if I believed--if I understand that 
what's being asked of you is to create this weigh-in to this 
one phone, then I want you to do it. I do. And I can get past a 
lot of these privacy issues, if I believe that it's, once in, 
and then this can then be disposed of, destroyed, and that will 
be the end of it.
    The question is, is that the case? And when you create it 
for this one, is it something that can be used on other phones? 
Director Comey, I don't think, was clear about that, so I'd ask 
you that question, and Mr. Vance, I'd ask you the same 
question.
    Mr. Vance. If I can refer to actually the Doctor's own 
paper. You need the phone physically at Cupertino to open it. 
And I refer you to her----
    Mr. Deutch. I don't have much time. I'm not sure that I 
understand what that means. I just want to know--cutting to the 
chase, I just want to understand, if this is created, is it 
something that not just could be used by you in the pursuit of 
justice, but by the criminal cyber terrorist, hackers, and 
really dangerous people who are looking to do bad things every 
day of the year going forward?
    Mr. Vance. Congressman, my point is simply that if this 
code is created, and you are looking at the risk to other 
devices, other Apple phones in the world, those phones are 
going to have to come to Cupertino to be opened. This is----
    Mr. Deutch. Well, let me ask Mr. Sewell, then. I only have 
a couple seconds left.
    Mr. Sewell. That is incorrect.
    Mr. Deutch. Well, the question is, even if that's correct, 
I'd like you to speak to it. Is it true that the hackers of the 
world, that there will be those who try to find a way to get 
around having to take the phone to Cupertino in order to 
conduct whatever operation is necessary to break in?
    Mr. Sewell. Unquestionably, Congressman, and that's exactly 
the risk and the danger that we foresee.
    With respect to the comment that Mr. Vance just made, in 
fact, the request that we got from the government in this case 
was that we should take this tool and piece--put it on a hard 
drive, and send the hard drive to the FBI. The FBI would then 
load that hard drive into a computer, hook the phone up to the 
computer, and they would perform the entire operation. So that 
this whole tool is transportable on a hard drive. So this is a 
very real possibility.
    Mr. Deutch. So should we be concerned, Mr. Vance? I mean, 
look, I want to get into this phone, but shouldn't we be 
concerned, if that's accurate, that there's something that's 
being created that's transported on a hard drive that winds up 
on another computer, that there is at least the risk that that 
gets stolen and then--and suddenly, there is--that not just a 
bad person and these terrorists that we desperately want to get 
and get this information, but suddenly, all the rest of us who 
are trying to protect ourselves from the bad people and are 
trying to protect our kids from these bad people are 
potentially at risk, too?
    Mr. Vance. Congressman, I respectfully disagree with the 
colleague from Apple, but I will confess that his knowledge of 
the company is great. Apple has created a technology which is 
default disk encryption. It didn't exist before. It exists now. 
Apple is now claiming a right of privacy about a technology 
that it just created. That right of privacy didn't exist before 
Apple created the technology, number one.
    Number two, I can't answer how likely it is that if the 
Federal Government is given a source code to get through the 
front door of the phone, that is at risk of going viral. I 
think it may be overstated to suggest that.
    But I can tell you this: If there's an incremental risk 
that providing the source code creates a vulnerability, what is 
that risk? Don't tell us just millions of phones might be 
affected; tell us--I think they can do better than just giving 
us broad generalizations without specifics.
    But I can tell you this: The consequence, the other side of 
the weight, the consequence is in cases all over the country 
right now, in my jurisdiction, your jurisdiction, everywhere, 
families like the Mills family are not getting justice.
    And the direct consequence of this disk encryption is that 
innocent victims all over the country are not getting their 
cases solved, prosecutors are not doing the job that they have 
been elected and sworn to do, and there is a significant 
consequence to default disk encryption that I think needs to be 
balanced against a speculative claim of increased insecurity.
    Ms. Landau. I'd like to just add a couple of comments. This 
is not about a new right of privacy; it's about a new form of 
security. And if we think about how the phones are used and 
increasingly how the phones are used, I certainly have two-
factor authentication I use through my phone, but there are 
ways of using the phones as the original authentication device.
    And if you make the phone itself insecure, which is what is 
being asked for by law enforcement, you preclude that, and that 
is the best way to prevent stealing of log-in credentials, the 
use of the phone as authenticator.
    In terms of the risk of the disk and so on, it's not the 
risk of the disk going out because the disk is tied to a 
particular phone. The risk is that somebody will come into 
Apple and provide a rogue certificate that, you know, they're 
from law enforcement or wherever and will get the ability to 
decrypt a phone that should not be decrypted, whether it's the 
Chinese Government, or an organized crime group or whatever. 
That's the risk we're facing.
    Mr. Vance. May I, Congressman, with the Chairman's 
permission?
    Mr. Deutch. My time is up. The Chairman has been very 
generous.
    Mr. Goodlatte. Well beyond the time, but briefly.
    Mr. Vance. The professor has not answered what about the 
people, the residents, the citizens, the victims whose cases 
are being put on the side, and not addressed why we have an 
academic discussion, an important one----
    Mr. Goodlatte. Well, it's an important academic discussion 
because before these phones existed, the evidence that you're 
talking about didn't exist in the form that you have had access 
to. Now the technology is moving to a new generation, and we're 
going to have to figure out a different way to help law 
enforcement. But I don't think we say we're not going to ignore 
these vulnerabilities that exist in order to not change the 
fact that law enforcement is going to have to change the way it 
investigates and gathers evidence.
    The time of the gentleman has expired.
    The Chair recognizes the gentleman from Illinois, Mr. 
Gutierrez.
    Mr. Gutierrez. Thank you, Mr. Chairman.
    First of all, I'd like to ask through the Chair if 
Congressman Lofgren has a need for any time, I'd like to yield 
to her first.
    Ms. Lofgren. Well, I thank you very much.
    You know, I don't know you, Mr. Vance. I'm sure you're a 
great prosecutor. I do know Mr. Sewell. He's a great general 
counsel.
    But the person who really knows technology on the panel is 
Dr. Landau. And I'm interested in your comments about the 
vulnerabilities that would be created by complying with the 
magistrate's order. And some have suggested that it's 
speculative and, you know, academic and the like, but is that 
what your take on this is?
    Ms. Landau. Absolutely not.
    Ms. Lofgren. The theory--I mean, we're moving to a world 
where everything is going to be digital, and you could keep 
track of, you know, my--when I'm walking around the house I'm 
in, my temperature, opening the refrigerator, driving my car. 
And if that all is open to a legitimate warrant--I'm not 
downplaying the problem the prosecutors have, but this is 
evidence you currently don't have access to--how vulnerable is 
our country going to be? That's the question for you.
    Ms. Landau. Extremely vulnerable. David Sanger's article in 
today's New York Times about the Ukraine power grid says that 
they got in, as I mentioned earlier, through the log-in 
credentials. It's based on a DHS memorandum that talks about 
locking down various systems.
    I served for a number of years on NIST Information Security 
and Advisory--Security and Privacy Advisory Board, and we used 
to talk to people from the power grid and they would say, oh, 
it's okay. We're not--our systems aren't connected to the 
Internet. Well, they were fully connected.
    We are--whether you're talking about the power grid, the 
water supply, whatever--we're connected in all sorts of the 
disastrously unsafe ways. And as I mentioned earlier, the best 
way to get at those systems is through log-in credentials.
    Phones are going to provide the best way to secure 
ourselves. And so this is not just about personal safety of the 
data that all of you have on your phone, and it's not just 
about the location of where your family is, and it's not just 
about the business credentials, but it's really about the, as 
you say, Congressman Lofgren, it's really about the way we are 
going to secure ourselves in the future.
    And what law enforcement is asking for is going to preclude 
those strong security solutions. It also is very much a 20th 
century way of looking at a 21st century problem. And I didn't 
get a chance to answer Congressman Gowdy, but the FBI, although 
it has excellent people, it hasn't put in the investment.
    So Director Comey said--we talked to everyone who will talk 
to us, but I was at a meeting--I briefed at FCC a couple of 
years ago, and some senior people from DOJ were there. And I 
said, well, you know, NSA has scale X and scale Y, and DOJ said 
they won't share it with the FBI, except in exceptional 
circumstances, they keep it for themselves.
    We're in this situation where I think law enforcement needs 
to really develop those skills up by themselves. And you ask 
about what it is this Committee can do, it's thinking about the 
right way for law enforcement to develop those capabilities, 
the right level of funding. The funding is well below what it 
should be, but they also don't have the skills.
    Mr. Gutierrez. Thank you.
    So, I'm happy I yielded the time to you. I always know it's 
one of the smartest things I do is work with Congressman 
Lofgren in this Committee.
    But I just want to share with you, look, I understand the 
competing interests here. But I think, Mr. Sewell, you should 
understand that I love your products. You know, I used to 
think, you know, house, then a car, now I think technology. 
Between what they charge me for the Internet, all the stuff I 
buy just to get information every day, it's--but don't worry, I 
can afford it. I'm not going into the poorhouse because of it.
    So I'm excited about all of the new things that I get to 
and how it improves my life. And so I'm thankful to men and 
women in technology for doing that. But a lot of times in this 
place, there's adversarial positions taken, and I would hope, 
simply, that we would look for a way in which we put the safety 
interests of the American people.
    I understand that you think that if we find a back door, 
that that causes all kinds of insecurity. But in this 
Committee, I'm going to work with Congressman Lofgren, but I'm 
also going to work with Trey Gowdy. We're going to work--a lot 
of times bipartisanship in this place is many times promoted, 
but very rarely rewarded in this place, because everybody says, 
oh, you should take one position or another.
    I'm going to take a position for the American people. While 
you might dispute, I kind of look at apple as an American 
company. I look at Toyota as a Japanese company, BMW as a 
German. I look at you as an American company, and so that's the 
way I see you. You can dispute that, you may look at yourself 
as an international entity, but I always looked at you as the 
pride. When I take this phone as a member of the Intelligence 
Committee, and I take this phone to China, the Intelligence 
Community of the United States of America, the first thing 
before I get off that plane, they take it away from me. So 
there are bad actors out there already intervening with your 
products, or I don't think the fine people of the Intelligence 
Community would take away one of the things that I need the 
most in my life.
    So having said that, I hope we might find a way so that we 
could balance the security needs and the safety needs of the 
people of the United States and their rights to privacy. I 
think it's essential and important. And I want to thank you 
guys for coming and talking to us, and let's try to figure it 
out all together. Thanks.
    Mr. Sewell. Thank you, Congressman. And I absolutely--I 
agree with what you said. And I think that--I am proud to work 
for Apple. And I think Apple embodies so many of the most 
valuable characteristics that make up America, make America a 
great place. We stand for innovation, we stand for 
entrepreneurship, we stand for empathy, we stand for all boats 
rise. And so I am very proud. And we are an American company, 
and we're very, very proud of that.
    The point about security outside the United States is 
exactly the point that drives us. We are on the path to try to 
create the very best, most secure, and most private phones that 
we can. That's a path that will probably never end, because the 
people that we're competing with, the bad guys, not just in the 
United States, but all over the world, are on an equally 
aggressive path to defeat everything that we've put into the 
phone. So we will continue from generation to generation to 
improve the technology, to provide our users with a safer 
experience.
    Mr. Gutierrez. Thank you, Mr. Sewell.
    Thank you, Mr. Chairman.
    Mr. Goodlatte. The gentleman from Louisiana, Mr. Richmond, 
is recognized for 5 minutes.
    Mr. Richmond. And I'm happy to follow Luis, because I guess 
we're going to start--I'll start where he left off. And I think 
about a 9-year-old girl who asked, you know, why can't they 
open the phone so we can see who killed my mother, because I 
was there and heard it happen.
    So let me start with this: If the FBI developed the ability 
to brute force open a phone, would you have a position on that?
    Mr. Sewell. Without involving Apple, without having Apple--
--
    Mr. Richmond. Yes.
    Mr. Sewell. - complicit in that. I don't think we have a 
position to object or not object to that. I think if the FBI 
has a method to brute force a phone, we have no ability to stop 
them.
    Mr. Richmond. But are you okay with it?
    Mr. Sewell. Well, I think that privacy and security are 
vitally important national interests. I think that if you 
weaken the encryption on the phone, then you compromise those 
vitally important interests.
    Mr. Richmond. Well, I'm not asking you about the 
encryption. If they could brute force open a phone, do you have 
a problem with that? I think that's just an easy question.
    Mr. Sewell. Then I'm sorry. Perhaps I'm misunderstanding. 
If the FBI had the ability to brute force a phone, I would 
suggest that that's a security vulnerability in the phone. So I 
would have a problem with it, yes.
    Mr. Richmond. Let me ask you another question, because I 
see you're a lawyer, I'm a lawyer, and I would feel awful if I 
didn't ask this. Brittney Mills----
    Ms. Landau. I--can I just say something for a second?
    Mr. Richmond. In a second. Let me get through this 
question.
    Brittney Mills had a 5S phone operating on an 8.2 iOS. Does 
Apple, any employee, subcontractor, subsidiary, or anyone that 
you know of possess the knowledge or the ability to open that 
phone? Or unlock that phone?
    Mr. Sewell. We don't. And I'm glad that you asked about the 
Mills case, because I think it's instructive about the way that 
we do work together cooperatively. I know that we met with 
members of your staff----
    Mr. Richmond. Look, and I'm not suggesting that you all 
don't, but I just want to--I want to know, does anybody have 
the ability to unlock the phone first? And if you tell me no, 
then I get a no in public on the record and I feel a lot better 
about what I'm doing.
    Mr. Sewell. Congressman, let me be clear. We have not said 
that we cannot create the tool that the FBI has asked us to 
create.
    Mr. Richmond. Right. And I'm not asking about creating 
anything. I'm saying does it exist now? Do you know anybody--or 
does anyone have the ability to do it right now?
    Mr. Sewell. Short of creating something new, no.
    Mr. Richmond. Now--and I--oh, I'm sorry. Ms. Landau. I 
promised to let you answer.
    Ms. Landau. I just wanted to add that in security, we have 
an arms race. People build good products, somebody finds a 
vulnerability. It could be the FBI, it could be--now, the FBI 
may not tell anybody about the vulnerability, but we have this 
arms race where as soon as somebody finds a problem, the next 
role of technology comes out, and that's the way we do things.
    Mr. Richmond. So what would be your feeling if the FBI 
developed a technology that they can plug something into the 
iPhone----
    Ms. Landau. I think that the FBI should be developing the 
skills and capabilities to do those kinds of investigations. I 
think it's absolutely crucial. And I think that they have some 
expertise, but it's not at the level that they ought to have. 
And I think we're having this conversation exactly because they 
are--they are really using techniques from--they're using a 
mind-set from long ago, from 20 years ago, rather than the 
present.
    Mr. Richmond. So they're antiquated?
    Mr. Goodlatte. Would the gentleman yield?
    Mr. Richmond. Sure.
    Mr. Goodlatte. I just want to clarify. Both Mr. Sewell and 
Ms. Landau did not say subject to an authorized court-ordered 
warrant.
    Ms. Landau. Well, I certainly----
    Mr. Goodlatte. And you're not suggesting they develop this 
technology and then do what they think is best. They've got to 
do it subject to a warrant.
    Ms. Landau. Of course. Thank you.
    Mr. Richmond. And I'm glad you cleared that up, because I 
want to make sure that everybody understands what I'm saying. I 
don't think any of this should happen without a court order.
    Now, you know, maybe I watch too many movies, and maybe I 
listen to Trey Gowdy too much. Some people would suggest if I 
listen to him at all, that's too much. But in the instance that 
there's a terrorist that has put the location of a nuclear bomb 
on the phone, and he dies, how long would it take Apple to 
develop the technology to tell us where that nuclear bomb was, 
or would Apple not be able to develop that technology to tell 
us in a short period of time?
    Mr. Sewell. The first thing we would do is to try to look 
at all of the data that surrounds that phone. There is an 
enormous change in the landscape over the last 25 years with 
respect to what law enforcement has access to. So when we have 
an emergency situation like that, whether it be a lost child or 
the airplane--when the Malaysia airline went down, within 1 
hour of that plane being declared missing, we had Apple 
operators cooperating with telephone providers all over the 
world, with the airlines, and with local law--well, the FBI, to 
try to find a ping, to try to find some way that we could 
locate where that plane was. So the very first thing that we 
would do in the situation is to bring to bear all of the 
emergency procedures that we have available at Apple to try to 
find them.
    Mr. Richmond. Thank you.
    Mr. Chairman, can I just clarify, because I don't want 
anyone to leave out of here thinking that Apple has not been 
cooperative with our district attorney in the effort to access 
the data, and, in fact, they came up with new suggestions, but 
my questions are just about the government's ability to just 
brute open a phone at any point with a court order. So I don't 
want to suggest that Apple has not been working diligently with 
my DA, who's also been working diligently. So thank you, Mr. 
Chairman. I yield back.
    Mr. Sewell. I appreciate that, Mr. Congressman.
    Mr. Goodlatte. The Chair thanks the gentleman and 
recognizes the gentlewoman from Washington State, Ms. DelBene.
    Ms. DelBene. Thank you for being here and enduring this for 
a while. It's very, very important.
    In the earlier part of the hearing, Director Comey said 
that it is not a company's job to worry about public safety, 
and I think that that is--would be very concerning for a 
company to send that message, given that we have technologies 
that impact people's everyday lives in so many ways. And I 
assume you agree with that, Mr. Sewell.
    Mr. Sewell. I absolutely do. I do not subscribe to the 
position articulated by Director Comey.
    Ms. Landau. I've worked for two Silicon Valley companies, 
Sun Microsystems and Google, and that's certainly not what I 
saw at either one of them.
    Ms. DelBene. In the Brooklyn case decided yesterday, Judge 
Orenstein stated, in his opinion, that the world of the 
Internet of things, all of the connected devices and sensors 
that we see coming forward, the government's arguments would 
lead quickly to a world of virtually limitless surveillance and 
intrusions on personal privacy.
    So I'd like to explore the issue of encryption and securing 
the Internet of things a little bit. We often talk about 
security by design when it comes to the Internet of things. And 
I'm sure we can all imagine the horror stories of insecure 
Internet of things, types of devices, like appliances being 
hacked that could cause a fire, or spying through baby 
monitors, hacking into a car, or tampering with a home security 
system.
    So I'm wondering--Dr. Landau, I'm wondering if you could 
comment on what this means in the encryption context and 
whether directives we've heard from the FTC, for example, to 
adopt security by design in the interests of protecting 
consumers from malicious actors is inherently incompatible with 
what you might call insecurity by design should that be 
mandated by the courts.
    Ms. Landau. Well, here you're in a situation where the 
companies often want to collect the data. So, for example, if 
you're using smart meters, the company wants the data, the 
electric company wants the data to be able to tell your 
dishwasher, no, don't turn on at 4 in the afternoon when air 
conditioning requirements are high in Silicon Valley right now, 
turn it on at 8 at night or 2 a.m. And so, in fact, it actually 
wants the individualized data. And if it has the individualized 
data, then it can certainly share it with law enforcement under 
court order.
    The security by design is often in the Internet of things 
securing data on the device and securing the transmission of 
the data elsewhere.
    The issue in the Apple phone is that the data stays on the 
device, and that's the conflict that we're having. For the 
Internet of things, it's most useful if the data goes off the 
device to somewhere else where it can be used in a certain way.
    Ms. DelBene. And, Mr. Sewell, could companies open 
themselves up to liability if vulnerabilities through law 
enforcement end up being exploited by a bad actor?
    Mr. Sewell. I think that's absolutely true. Somewhat 
ironically, I suppose, we have the FTC at this point actively 
policing the way in which technology companies deal with these 
issues, and we can be liable under the--Section 5 or under the 
authority of the FTC if we fail to close a known vulnerability.
    Ms. DelBene. And, Ms. Landau, you talked about the issue of 
security versus security, and that this really is a debate 
about security versus security. Could you explain a little bit 
more why? And are national security and cybersecurity 
incompatible, in your opinion?
    Ms. Landau. So what we really have here over the last 20 
years, as I mentioned earlier, is you see the NSA, and Snowden 
revelations aside, we don't have time for me to describe all of 
the subtle points there, but you really see the NSA working to 
secure private sector telecommunications infrastructure, many, 
many examples.
    We have moved to a world of electronic devices, you talk 
about the Internet of things, that leak all sorts of data. And 
in order to protect ourselves, whether ourselves, our health 
data, our bank data, the locations of our children and so on, 
we need encryption and so on. But if you think more broadly 
about the risks that our nation faces and the risks of people 
coming in and attacking the power grid, people coming in and 
stealing data from whatever company, and stealing patented 
information and so on, you see a massive national security 
risk. And you've been hearing it from General Keith Alexander, 
we've been hearing it from Hayden, we've been hearing it from 
Mike McConnell, we've been hearing it from Chertoff, all the 
people who have been involved on the DHS and NSA side.
    The only thing that can secure that is security everywhere, 
and the move that Apple makes to secure the phones is one of 
the many steps we need in that direction.
    Ms. DelBene. Thank you. My time's expired. I yield back, 
Mr. Chair.
    Mr. Marino [presiding]. Thank you. I now am going to 
recognize myself for some questions. So welcome to everyone. 
We'd like to start with Mr. Sewell.
    I'm sorry. Mr. Sewell, pronouncing that name correctly?
    Mr. Sewell. You are.
    Mr. Marino. All right. I have some questions for you 
concerning China. In 2014, you moved your--what's referred to 
as your Chinese cloud to China. Is that correct?
    Mr. Sewell. That is correct.
    Mr. Marino. Okay. And can you tell me whose data is stored 
in that Chinese cloud? Is it just people in China? Is my data 
stored in that cloud as well?
    Mr. Sewell. Your data is not stored in that cloud.
    Mr. Marino. Is it strictly limited to Chinese people?
    Mr. Sewell. There are a number of things that are in the 
cloud, so I should probably be clear about what's there.
    Mr. Marino. Okay.
    Mr. Sewell. With respect to personal data, no personal data 
is there unless the individual's data--the individual himself 
has registered as having a Chinese address and having a Chinese 
access point. In addition, we have other data, which has to do 
with film content, movies, books, iTunes music. The reason we 
do that is because of something called latency. If you're 
streaming across the Internet, and you have to bring the data 
from the United States to China, there's a lag time, there's a 
latency piece, whereas if we move that data closer to China, 
either Hong Kong or mainland China, then we can provide a much 
better service to our customers.
    Mr. Marino. Okay. Can you tell me, what was the cost, in a 
ballpark figure, in the time to make the move to--for the 
United States to move Chinese information over to China in 
their cloud?
    Mr. Sewell. Sorry. Did you say in time?
    Mr. Marino. Yeah. Cost and time.
    Mr. Sewell. So the time--the cost is building the 
facilities. I don't have a number for that. It's certainly not 
something that I am aware of, although, of course, the company 
has that information. In terms of the time, once--once the 
server exists, once there is a receptacle for the data, in 
theory, it's instantaneous.
    Mr. Marino. Okay. You may or may not know, but I was a 
prosecutor for a while, both at the State and Federal level. 
And we prosecutors are focused on a case and the crime 
concerned, and we want going to get our hands on anything we 
can to see that justice is served, but on the other side of 
this too, we're talking about privacy issues. And I'm very 
concerned about to what extent, if, for some reason, you were 
to change your mind about working with the FBI, or the court 
ordered that, what does that mean to our privacy?
    Mr. Sewell. I think it means that we have put our privacy 
at risk. The tool that we're being asked to prepare is 
something which could be used to defeat both the safety and the 
privacy aspects of----
    Mr. Marino. Let me get this clear, because there are many 
rumors flying around. And you've probably answered this a 
couple times, and I apologize. I've had to run and do something 
else.
    Are you saying that there is no method that exists now that 
you could unlock that phone and let the FBI know what is in 
there?
    Mr. Sewell. Short of creating the tool that they have asked 
us----
    Mr. Marino. Right.
    Mr. Sewell [continuing]. We are not aware of such a method, 
no.
    Mr. Marino. Now, you talk about the cost is an unreasonable 
burden and the time involved. That's why I asked you what did 
it cost to move the cloud, what was the time. And you're the 
expert, I'm not.
    Mr. Sewell. Congressman, to be fair, we haven't claimed 
that the time that it would take to create the tool is the 
undue burden. Our claim is that the undue burden is to 
compromise the safety and security of all of our customers.
    Mr. Marino. So it's your position that if you do what the 
FBI wants to one phone, could you elaborate on that in the 33 
seconds I have left as to why that would be an undue burden, 
keeping in mind that I'm very critical about our privacy?
    Mr. Sewell. Congressman, the answer is very simple. We 
don't believe this is a one-phone issue. We don't believe that 
it can be contained to one phone or that it would be contained 
to one phone.
    Mr. Marino. Okay. I see that my time has just about run 
out, so I'm going to yield back.
    And who's next? Mr. Jeffries, Congressman Jeffries is next.
    Mr. Jeffries. I thank my good friend from Pennsylvania for 
yielding. I want to thank all of the witnesses for your 
presence here today. It's been a very informative discussion. 
In particular, I want to thank DA Vance for your presence, and 
certainly for the many progressive and innovative programs that 
you have in Manhattan, proving that you can be both tough and 
fair as a prosecutor, and that has not gone unnoticed.
    Let me start with Mr. Sewell. There's an extensive record 
of cooperation that Apple has with law enforcement in the San 
Bernardino case. Isn't that fair to say?
    Mr. Sewell. That's correct. For over 75 days, we've been 
working with the FBI to try to get to more information to try 
to help solve this crime.
    Mr. Jeffries. I think it's useful to put some of this on 
the record. On December 5, the Apple emergency 24/7 call center 
received a call concerning the San Bernardino shooting. Is that 
right?
    Mr. Sewell. That's right. In fact, the call came in to us 
at 2:47 a.m. On a Saturday morning. We have a hotline that 
exists; we have people who are manning that hotline.
    Mr. Jeffries. And you responded with two document 
productions that day, correct?
    Mr. Sewell. By 2:48 that morning, we were working on the 
case, and we responded by giving the FBI all of the information 
that we could immediately pull from our sources, and then we 
continued to respond to subpoenas and to work directly with the 
FBI on a daily basis.
    Mr. Jeffries. Right. In fact, the next day, I think, Apple 
received a search warrant for information relating to at least 
three email accounts. Is that right?
    Mr. Sewell. That's correct.
    Mr. Jeffries. You complied with that request?
    Mr. Sewell. We did comply with that and subsequent 
requests.
    Mr. Jeffries. And so I think also on January 22, you 
received another search warrant for iCloud information related 
to the iPhone that was in possession of the male terrorist. Is 
that right?
    Mr. Sewell. That's right. And it's important that in the 
intervening stage, we had actually sent engineers to work 
directly with FBI technicians in Washington, D.C., and in 
Cupertino, and we provided a set of alternatives, or options 
that we thought should be tried by the FBI to see if there 
might be some possibility that we could get into this phone 
without having to do the tool that we're now being asked to 
create.
    Mr. Jeffries. So the issue here is not really about 
cooperation, as I understand it. Apple has clearly cooperated 
in an extensive fashion as it relates to all of the information 
that you possess.
    The question, I think, that we all, on the Judiciary 
Committee and beyond, have to consider is the notion of you 
being asked, as a private company, to create anti-encryption 
technology that currently does not exist and could jeopardize 
the privacy and security of presumably hundreds of millions of 
iPhone users throughout the country and the world. Is that 
right?
    Mr. Sewell. We're being asked to create a method to hack 
our own phones.
    Mr. Jeffries. Now, Mr. Vance, are you familiar with the 
Arizona v. Hicks Supreme Court case from the late 1980's?
    Mr. Vance. If you give me the facts, I'm sure I have read 
it.
    Mr. Jeffries. Okay. The Supreme Court held that police 
conducted an unconstitutional search of evidence that was not 
in plain view. It was a decision that was written by Justice 
Antonin Scalia. And the most important point that I want you to 
reflect upon is, he stated, in authoring the majority opinion, 
that ``There is nothing new about the realization that the 
Constitution sometimes insulates the criminality of the few in 
order to protect the privacy of us all.''
    Do you agree that embedded in the fabric of our 
Constitution, the Fourth Amendment, and beyond, is the notion 
that we value the privacy rights of Americans so deeply, that, 
at times, it is something that will trump law enforcement 
convenience?
    Mr. Vance. Congressman, I do sincerely believe that. What 
concerns me about the picture we are seeing from the
    State perspective is that Apple has decided that it's going 
to strike that balance now with no access by law enforcement 
for full disk-encrypted devices even with a warrant. So they 
have created their own balance. They now have decided what the 
rules are, and that changes radically the balance that existed 
previously, and it was done unilaterally. So this Committee----
    Mr. Jeffries. Well, I think--if I can----
    Mr. Vance. Yeah.
    Mr. Jeffries [continuing]. Just interject. I mean, I think 
that that is a balance that ultimately the Congress is going to 
have to work out, and also the Article III court systems, 
certainly beyond an individual magistrate, who is not even 
appointed for lifetime tenure, is going to have to work itself 
through the court system, a district court judge, maybe the 
Ninth Circuit, ultimately the Supreme Court, and so the company 
exercising its right in an adversarial system to have all facts 
being aired on both sides of the debate is very consistent, in 
my view, with American democracy and jurisprudence.
    There is just one last question that I wanted to ask as my 
time is expiring, because you raised an interesting point 
earlier in your testimony about an individual who is a 
suspected criminal who claimed that the encryption technology 
was a gift from God. But I also noted, I think, in your 
testimony that this individual communicated that in an 
intercepted phone conversation that presumably your office or 
others were wiretapping. Is that right?
    Mr. Vance. No, it's not right. All phone calls from prison, 
out of Rikers----
    Mr. Jeffries. Right.
    Mr. Vance [continuing]. Are recorded.
    Mr. Jeffries. Right.
    Mr. Vance. There's a sign, when you pick up the phone, if 
you are in Rikers Island, that this is happening. So there's a 
tape, and ultimately that tape was subpoenaed, and it's from 
that tape that that conversation was transcribed.
    Mr. Jeffries. And if I could just, in conclusion, I 
appreciate the Chair's indulgence. I think that illustrates the 
point, presumably, that it's fair to say that, in most 
instances, bad actors will make a mistake, and at the same time 
that he is heralding the availability of encryption technology 
to shield his activity from law enforcement surveillance and 
engagement, he is ignoring a plain-view sign that these 
conversations are being recorded and subjecting himself to 
unfettered government surveillance. And I think that I have 
faith in your ability, in the FBI's ability ultimately to 
outsmart the criminals and the bad actors without jeopardizing 
the privacy and the security of the American people.
    Mr. Vance. And in that case, our challenge is, because of 
our inability to access the phone, our inability to investigate 
further, any evidence of sex trafficking is not made available 
to us.
    So, yes, he did something that was not smart, but the 
greater harm is the inability, in my opinion, of being able to 
get to the true facts, which, in fact, are extremely important 
as a matter of public safety to get access to.
    Mr. Jeffries. My time is expired. I thank you.
    Mr. Marino. I thank the gentleman from New York.
    And the Chair recognizes now the gentleman from Rhode 
Island, Congressman Cicilline.
    Mr. Cicilline. Thank you, Mr. Chairman.
    And thank you to our witnesses for your testimony and for 
this very important discussion.
    I think we all recognize there are few absolutes in the 
law, and so balancing occurs all the time. There are risks in 
developing this software that have been articulated very well 
during this hearing, and indeed, there are risks associated 
with an inability to access critical information. So I think we 
are living in a world there are risks in both ways forward, and 
I guess my first question is: Many people who agree that Apple 
or any other company should not be required and there's no 
authorization to require them to produce a product that doesn't 
exist or to develop an intellectual property that doesn't 
exist, many people who think that that's correct wonder whether 
Apple has considered, in limited circumstances and maybe a 
standard you would set internally, if it in fact is a situation 
that would prevent immediate death or serious bodily injury, 
coupled with a consent of the person or lack of objection--in 
this case, the person is deceased--where there is no privacy 
claim asserted, in some very narrow category, whether there is 
a set of protocols you might voluntarily adopt to provide that 
information or that software with then instruction that it be 
immediately destroyed; it be done in a SCIF, in a secure safe. 
I mean, is that practical, something like that? Should that be 
part of this discussion that we keep hoping that the industry 
and the Justice Department will have in trying to develop 
something, or is that fraught with so many problems that it's--
--
    Mr. Sewell. Thank you for the question, Congressman. We 
have and spend a lot of time thinking about how we can assist 
our customers in the event that they have a problem, if they 
have lost a phone, if they have--they're in a situation where 
they're trying to recover data. We have a number of mechanisms 
to do that, and we will continue to improve those mechanisms as 
we move forward.
    It's very important to us that we try to think about the 
consequences of the devices that we create. In this particular 
case, the passcode unlock is not something that we think lends 
itself to a small usage. The problem with this particular issue 
is that once you take that step, once you create the mechanism 
to unlock the phone, then you have created a back door, and we 
cannot think of a way to create a back door that can only be 
used beneficially and not be used by bad people.
    Mr. Cicilline. So you have, in fact, sort of already 
contemplated other ways in which you could make this 
information available in this case that would not have those 
sorts of broader implications?
    Mr. Sewell. And we have provided information in this case. 
We have provided logs. We have provided iCloud backup. We've 
provided all the things that we have that are available at our 
disposal.
    Mr. Cicilline. Thank you.
    Ms. Landau, you say in your written testimony, the--in your 
written testimony, the point is that solutions to accessing the 
data already exist with the forensic analysis community. We did 
ask Director Comey, and we probably limited our question too 
narrowly because we asked about the intelligence communities of 
the United States. It sounds like you're suggesting that there 
may be capabilities outside the United States Government that 
the Justice Department or the FBI could contract with that are 
capable of doing what it is they're asking a court to order 
Apple to do.
    Ms. Landau. That's right. So I noticed that when Director 
Comey answered the question, he said: We talked to everyone who 
will talk with us.
    And I, as I mentioned earlier, I don't know if you were 
here at that point, I had a conversation with some senior DOJ 
people a few years ago about using NSA tools in law enforcement 
cases, and they said: NSA is very loathe to share, because of 
course, when you share a tool, it can get into a court case, 
and then the tool is exposed.
    And so I don't know in the ``we talked with everyone who 
will talk with us'' how much NSA revealed about what they know 
and what they can do, so that's the first place I would ask. 
Now, I phrased that incorrectly. That's the first place that I 
suspect has some tools for exactly this problem. But, yes, 
there were discussions last week in Silicon Valley. There have 
been discussions I've had with colleagues where people believe, 
as Congressman Issa portrayed various potential solutions, that 
there are ways to break into the phone.
    There is, of course, a risk that the data might be 
destroyed, but I have described both in my testimony--written 
and verbal testimony, the FBI has not tried to develop this 
level of expertise and they should.
    Mr. Cicilline. So it seems as if, you know, we are 
contemplating whether or not Congress should take some action 
to either grant this authority and then figure out what is the 
appropriate standard and test, et cetera. It sounds as if you 
think that is problematic and that, in fact, the real answer is 
a substantial increased investment in the intelligence 
capability, the law enforcement capability to sort of keep pace 
with the advances that companies like Apple are making, that 
that's really the best protection in terms of both law 
enforcement and the long-term security of the United States.
    Ms. Landau. That's right. I don't think actually there 
needs to be more authority, but there needs to be a completely 
different view of how it's done. There probably needs to be 
some authority in terms of how do you handle it for State and 
local, because State and local will not have the resources, and 
so there has to be some sort of sharing of tools. And that's a 
jurisdictional issue and also just a--you know what, an issue 
between bureaucracies that will have to be worked out, and that 
will have to be worked out through law and policy.
    But in terms of creating new authority, the FBI already has 
that authority, but it uses it at a much lower level, and I'm 
sure it's funded at a much lower level. They need to move from 
the situation they're in to dealing with 21st century 
technologies in the appropriate way.
    Mr. Cicilline. Thank you.
    I thank you, Mr. Chairman. I yield back.
    Mr. Marino. You bet.
    The Chair recognizes Ms. Lofgren from California.
    Ms. Lofgren. Could I ask just one quick question, Mr. 
Sewell, because I forgot when it was my turn? And we had asked 
Mr. Comey, somebody asked Mr. Comey about the changing of the 
password, apparently the county did it at the request of the 
FBI. What did that do? Can you explain what happened?
    Mr. Sewell. Certainly. One of the methods that we might 
enable the phone in San Bernardino to do what's called an auto 
backup. That is, the issue that the FBI is struggling with is 
to find data between a certain timeframe, the time of the last 
backup and the time of the horrific incident in San Bernardino.
    If the phone would backup, that evidence, that information 
would become available to the FBI. The way that we can back 
these phones up in an automatic way is we connect them to a 
known WiFi source, a source that the phone has already 
connected to before and recognizes. If you plug the phone in 
and you connect it to a known WiFi source, it will, in certain 
circumstances, auto backup, and so the very information that 
the FBI is seeking would have been available, and we could have 
pulled it down from the cloud.
    By changing the password--this is different than passcode--
but by changing the password, it was no longer possible for 
that phone to auto backup.
    Ms. Lofgren. Thank you, and thank you, Mr. Chairman, for 
letting me get that information out.
    Mr. Marino. Mr. Sewell, I have one more question for you. 
Does China--does the Chinese Government have access to the 
cloud, or is there any indication that they have tried to hack 
the cloud in China to get information on the Chinese people?
    Mr. Sewell. Let me be clear about the question. The 
Chinese, undoubtedly, have the ability to access their own 
cloud.
    Mr. Marino. Yes.
    Mr. Sewell. But with respect to the U.S. cloud, we believe 
that--again, I'm struggling because of the words. The cloud is 
a synonym for the Internet.
    Mr. Marino. Yes.
    Mr. Sewell. So, of course, Chinese people have access to 
the Internet. Are we aware of a Chinese hack through Apple? No. 
But beyond that, I can't say.
    Mr. Marino. You answered my question. Thank you.
    This concludes today's hearing. I want to thank the panel 
very much for being here.
    Without objection, all Members will have 5 legislative days 
to submit additional written questions for the witnesses or 
additional materials for the record. The hearing is adjourned.
    [Whereupon, at 6 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

Material submitted by the Honorable Bob Goodlatte, a Representative in 
  Congress from the State of Virginia, and Chairman, Committee on the 
                               Judiciary
                               
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                               
                               


 Material submitted by the Honorable Doug Collins, a Representative in 
   Congress from the State of Georgia, and Member, Committee on the 
                               Judiciary
                               
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                               
                              
 
  Questions for the Record submitted to the Honorable James B. Comey, 
               Director, Federal Bureau of Investigation
---------------------------------------------------------------------------
    Note: The Committee did not receive a response to the questions 
submitted to this witness at the time this hearing record was finalized 
and submitted for printing on August 5, 2016.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


        Response to Questions for the Record from Bruce Sewell, 
         Senior Vice President and General Counsel, Apple, Inc.
         
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]         
         

    Response to Questions for the Record from Susan Landau, Ph.D., 
   Professor of Cybersecurity Policy, Worcester Polytechnic Institute
   
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   
   


    Response to Questions for the Record from Cyrus R. Vance, Jr., 
                   District Attorney, New York County
                   
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                   

                                 [all]