[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




 
                  DATA STORED ABROAD: ENSURING LAWFUL
                     ACCESS AND PRIVACY PROTECTION
                           IN THE DIGITAL ERA

=======================================================================

                                HEARING

                               BEFORE THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 15, 2017

                               __________

                           Serial No. 115-36

                               __________

         Printed for the use of the Committee on the Judiciary
         
         
         
         
         


      Available via the World Wide Web: http://judiciary.house.gov
      
      
                             _________ 

                 U.S. GOVERNMENT PUBLISHING OFFICE
                   
 31-564                  WASHINGTON : 2018         
 
 
      
      
                       COMMITTEE ON THE JUDICIARY

                   BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        JERROLD NADLER, New York
LAMAR SMITH, Texas                   ZOE LOFGREN, California
STEVE CHABOT, Ohio                   SHEILA JACKSON LEE, Texas
DARRELL E. ISSA, California          STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. ``HANK'' JOHNSON, Jr., 
TRENT FRANKS, Arizona                    Georgia
LOUIE GOHMERT, Texas                 THEODORE E. DEUTCH, Florida
JIM JORDAN, Ohio                     LUIS V. GUTIERREZ, Illinois
TED POE, Texas                       KAREN BASS, California
JASON CHAFFETZ, Utah                 CEDRIC L. RICHMOND, Louisiana
TOM MARINO, Pennsylvania             HAKEEM S. JEFFRIES, New York
TREY GOWDY, South Carolina           DAVID CICILLINE, Rhode Island
RAUL LABRADOR, Idaho                 ERIC SWALWELL, California
BLAKE FARENTHOLD, Texas              TED LIEU, California
DOUG COLLINS, Georgia                JAMIE RASKIN, Maryland
RON DeSANTIS, Florida                PRAMILA JAYAPAL, Washington
KEN BUCK, Colorado                   BRAD SCHNEIDER, Illinois
JOHN RATCLIFFE, Texas
MARTHA ROBY, Alabama
MATT GAETZ, Florida
MIKE JOHNSON, Louisiana
ANDY BIGGS, Arizona
          Shelley Husband, Chief of Staff and General Counsel
       Perry Apelbaum, Minority Staff Director and Chief Counsel
       
                            C O N T E N T S

                              ----------                              

                             JUNE 15, 2017
                           OPENING STATEMENTS

The Honorable Bob Goodlatte, Virginia, Chairman, Committee on the 
  Judiciary
The Honorable John Conyers, Jr., Michigan, Ranking Member, 
  Committee on the Judiciary

                               WITNESSES

Mr. Richard Downing, Acting Deputy Assistant Attorney General, 
  Criminal Division, U.S. Department of Justice
    Oral Statement
Mr. Paddy McGuinness, UK Deputy National Security Advisor, 
  Oxford, UK
    Oral Statement
Mr. Richard Salgado, Director, Law Enforcement and Information 
  Security, Google
    Oral Statement
Mr. Richard Littlehale, Special Agent in Charge, Technical 
  Services Unit, Tennessee Bureau of Investigation
    Oral Statement
Mr. Chris Calabrese, Vice President, Policy Center for Democracy 
  and Technology
    Oral Statement
Professor Andrew Keane Woods, Assistant Professor of Law, 
  University of Kentucky College of Law
    Oral Statement

                        OFFICIAL HEARING RECORD

Questions for the record submitted to Mr. Paddy McGuinness
Questions for the record submitted to Mr. Richard Downing

              Additional Material Submitted for the Record

Material submitted by the Honorable Tom Marino, Pennsylvania, 
  Committee on the Judiciary. This material is available at the 
  Committee and can be accessed on the committee repository at:

    https://docs.house.gov/meetings/JU/JU00/20170615/106117/HHRG-
      115-JU00-20170615-SD002.pdf


 DATA STORED ABROAD: ENSURING LAWFUL ACCESS AND PRIVACY PROTECTION IN 
                            THE DIGITAL ERA

                              ----------                              


                        THURSDAY, JUNE 15, 2017

                        House of Representatives

                       Committee on the Judiciary

                             Washington, DC

    The committee met, pursuant to call, at 10:12 a.m., in Room 
2141, Rayburn House Office Building, Hon. Bob Goodlatte 
[chairman of the committee] presiding.
    Present: Representatives Goodlatte, Chabot, Issa, King, 
Gohmert, Jordan, Chaffetz, Marino, Farenthold, Collins, Buck, 
Ratcliffe, Roby, Gaetz, Biggs, Rutherford, Conyers, Nadler, 
Lofgren, Jackson Lee, Johnson of Georgia, Deutch, Cicilline, 
Lieu, Raskin, Jayapal, and Schneider.
    Staff Present: Shelley Husband, Staff Director; Branden 
Ritchie, Deputy Staff Director; Zach Somers, Parliamentarian 
and General Counsel; Ryan Breitenbach, Counsel, Subcommittee on 
Crime, Terrorism, Homeland Security, and Investigations; Aaron 
Hiller, Minority Chief Oversight Counsel; Joe Graupensperger, 
Minority Chief Counsel, Subcommittee on Crime, Terrorism, 
Homeland Security, and Investigations; Veronica Eligan, 
Minority Professional Staff Member; Sandy Alkoutami, Minority 
Intern, Judiciary Committee; and Monalisa Dugue, Minority 
Deputy Chief Counsel, Subcommittee on Crime, Terrorism, 
Homeland Security, and Investigations.
    Chairman Goodlatte. Good morning. The Judiciary Committee 
will come to order, and without objection, the chair is 
authorized to declare recesses of the committee at any time. We 
welcome everyone to this morning's hearing on data stored 
abroad: ensuring lawful access and privacy protection in the 
digital era. I will recognize myself for an opening statement.
    Today's hearing will examine various issues related to 
digital data, including international conflicts of law; storage 
and transmission practices; governmental acquisition 
challenges; and protection of consumer information.
    This hearing brings together a diverse array of interests, 
including law enforcement, technology companies, the economy, 
and the importance of individual privacy and civil liberties 
throughout the world. In the digital age, U.S. technology 
companies have flourished and provide services to customers 
across the globe. However, the rapid growth of international 
communications infrastructure has presented challenges as well 
as opportunities.
    For example, there is a growing tension between U.S. law 
and foreign law, often with U.S. technology companies at the 
center. U.S. law restricts access to data by foreign countries 
making it difficult, if not impossible, in some instances, for 
foreign governments to obtain evidence of crimes or terror 
plots carried out by their own citizens. This has resulted in 
foreign governments enacting their own legislation to address 
the problem, including laws requiring U.S. companies, as a 
prerequisite for doing business, to comply with foreign 
government requests for data.
    Others are considering legislation that would require U.S. 
providers to locate servers in the foreign country to ensure 
foreign jurisdiction over the U.S. provider. This is sometimes 
referred to as data localization. Moreover, certain foreign 
countries prohibit the removal of data from their boundaries.
    U.S. law, by contrast, makes no distinction between data 
stored domestically and data stored abroad, nor with regard to 
the nationality or location of the customer. The result of 
these conflicts is that U.S. technology companies find 
themselves having to comply with either U.S. law or foreign 
law, as it is often impossible to comply with both.
    This is an untenable situation. The last time this 
committee considered these important issues was prior to the 
Second Circuit's 2016 decision in Microsoft v. United States, 
where the court ruled that the Stored Communications Act does 
not authorize courts to issue and enforce against U.S.-based 
service providers warrants for the seizure of customer email 
content that is stored exclusively on foreign servers.
    Microsoft had refused to comply with a search warrant for 
email content on the basis that Microsoft stored the email data 
on a server in Ireland, rather than in the United States. In 
the wake of the Microsoft decision, other providers have 
refused to comply with warrants on the basis that some or all 
of the data pertaining to the subject of an investigation is 
stored on servers located outside of the United States.
    In the courts, however, five recently-issued opinions 
diverged from the Second Circuit's ruling concluding that data 
must be disclosed pursuant to lawful process, regardless of the 
location of the data being sought.
    It is clear that Congress must find a contemporary solution 
that embraces the modern manner in which data is stored and 
acquired internationally. A legislative fix to the Stored 
Communications Act is necessary to remedy the problem made 
clear by the Microsoft decision.
    Furthermore, Congress should take additional steps to 
resolve the conflict of laws issues. Various options exist on 
this score. A formal, multilateral treaty could result in 
broadly raising international privacy standards to more closely 
match the United States' rigorous probable cause standard and 
would comport, to the Founders' insistence, that broad, 
international agreements affecting many parties require Senate 
consent and ratification.
    Another option is bilateral agreements. The United States 
and the United Kingdom are currently engaged in negotiations on 
a bilateral agreement that would authorize the U.K. Government 
to request data directly from U.S. companies in criminal and 
national security investigations not involving U.S. persons.
    To ensure clarity on this point, any international 
agreement that provides access by a foreign government to 
communications stored or flowing through the United States will 
not authorize that foreign government to wiretap or target U.S. 
persons or those located in the United States. This restriction 
applies even to our closest ally in the United Kingdom. Such an 
agreement could only be used to obtain evidence on non-U.S. 
persons located abroad.
    The potential U.S.-U.K. bilateral agreement may serve as a 
model for future agreements, relieve some of the international 
pressure on U.S. tech companies, and help to alleviate any 
conflicts of law related to requests by the U.S. for data 
stored abroad by U.S. companies. In order for an international 
agreement of this kind to take effect, Congress must first 
change U.S. law to grant specific authority for U.S. companies 
to respond to direct requests by foreign authorities and 
prescribe the criteria that must be met by the foreign 
government.
    These are not the only options available to Congress. In 
addition, there are legislative proposals that would attempt to 
resolve conflicts by basing the authority to obtain information 
on the nationality of the targeted individual. The committee 
will continue to explore all of these aforementioned options.
    Once again, the House Judiciary Committee finds itself at the 
forefront of a pressing issue that impacts personal privacy, 
national security, and public safety, economic viability, and 
the rule of law. Members of this committee will continue to 
examine all options for a thoughtful and balanced resolution to 
this problem.
    I appreciate our distinguished witnesses testifying today. 
I want to particularly thank one of our first witnesses, Mr. 
Paddy McGuinness, for agreeing to travel to our country during 
such a difficult period in the United Kingdom, which has 
suffered multiple terrorist attacks in recent weeks. We greatly 
appreciate your presence and your vital perspective on the 
challenges with new forms of digital data storage and 
transmission.
    I want to thank all of our witnesses and I look forward to 
their testimony. And I now turn to the ranking member of the 
committee, the gentleman from Michigan, Mr. Conyers, for his 
opening statement.
    Mr. Conyers. I thank you, Chairman Goodlatte. To our 
colleagues and to our distinguished witnesses in the first 
panel, it seems we keep returning to the same theme; the 
statutes that protect our privacy and regulate government 
access to our communications were written decades ago before 
the invention of the internet and are in urgent need of an 
overhaul. Under your leadership, Chairman Goodlatte, we have 
already worked together to address one aspect of this problem.
    The Email Privacy Act has passed unanimously in the House 
twice. That measure allows us to move to a clear, uniform 
domestic standard for law enforcement agencies to access the 
content of communications, namely, a warrant based on probable 
cause. There is no reason that the Senate should not pass the 
same bill that the House has approved in the past, so that we 
can turn to the important work before us on additional related 
issues without delay.
    In this hearing, we will examine a framework that seems 
inadequate to the 21st century: our existing system of mutual 
legal assistance treaties, and the overseas application of the 
Electronic Communications Privacy Act. The mutual legal 
assistance treaty system was written for a different era, quite 
frankly. I agree with the long-held view of the British 
Government that it is absurd for a police officer investigating 
routine crime in London to have to wait months, sometimes 
years, to access digital evidence stored in the United States, 
evidence that relates entirely to their citizens and not to 
ours.
    I also agree with the Department of Justice that we are now 
facing a reciprocal problem. The recent decision of the Second 
Circuit appears to limit the application of the Electronic 
Communications Privacy Act to the United States, which means 
that, while investigating crimes in the United States, even 
with a warrant, our government may not be able to access 
communications that are now stored around the globe.
    These are both real problems, and I believe that Congress 
should act quickly to update our statutes accordingly. But I 
also believe that we must carefully evaluate the 
administration's legislative proposal. For example, I am not 
convinced that simply reversing the Second Circuit solves the 
problem presented to us by the Microsoft decision. We should 
address law enforcement's need to access the content of 
communications with proper legal process. But a straight 
reversal does little to address the challenges that face 
companies operating internationally or to accommodate the 
interests that foreign governments may have in protecting the 
privacy of their own citizens. We can achieve a better balance 
here.
    Similarly, the proposed bilateral agreement framework is 
full of promise, but only if we get the details right. 
Implemented correctly, these agreements could counter the trend 
towards data localization, incentivize our partners to set 
better standards for data protection, and help our closest 
allies investigate serious crimes.
    I am not yet convinced, however, that we have landed on the 
right criteria for determining which countries we should 
partner with under such a framework and under what criteria. I 
understand the need to be flexible in order to accommodate 
different legal regimes. But too much flexibility renders the 
criteria meaningless.
    I am also not yet convinced that it is necessary to give 
foreign government access to live wiretap information as part 
of a package that focuses largely on stored communications. It 
is imperative that both the Congress and the public have a 
meaningful opportunity to comment on these agreements before 
they take effect.
    Under the administration's proposal, the Attorney General 
is to give Congress notice 60 days before he or she intends to 
give a foreign government access to communications stored in 
the United States.
    The proposal includes no mechanism for Congress to respond 
or for the public to weigh in before the new agreement takes 
effect. I am certain that we can do better to ensure confidence 
in the decisions of the Department of Justice. I appreciate 
that time is of the essence and that this committee, the 
Judiciary Committee, must begin grappling with these issues 
without delay. I am confident that, working together, we are 
prepared to do so. And I thank the chairman for convening this 
important hearing, and we are ready to go. Thank you.
    Chairman Goodlatte. Thank you, Mr. Conyers. Without 
objection, all other members' opening statements will be made a 
part of the record.
    Chairman Goodlatte. Now, we welcome our distinguished 
witnesses, and if you would both please rise, I will begin by 
swearing you in.
    Do you and each of you solemnly swear that the testimony 
that you are about to give shall be the truth, the whole truth, 
and nothing but the truth, so help you God?
    Thank you. Let the record show that the witnesses answered 
in the affirmative.
    Mr. Richard Downing is the Acting Deputy Assistant Attorney 
General in the Criminal Division of the Department of Justice. 
Previously, Mr. Downing served as Deputy Chief of the Computer 
Crime and Intellectual Property Section of the DOJ. During his 
tenure there, he supervised the prosecution of hacking, 
identity theft, and intellectual property crimes; oversaw 
policy and litigation governing the constitutional and 
statutory rules for the collection of electronic evidence; and 
supervised the development of international law enforcement 
cooperation related to cybercrime and intellectual property 
crime.
    Before joining the Department of Justice in 1999, Mr. 
Downing served as an assistant district attorney in 
Philadelphia. He is a graduate of Stanford Law School and 
received his bachelor of arts from Yale University.
    Mr. Paddy McGuinness is the United Kingdom's Deputy 
National Security Adviser for Intelligence, Security, and 
Resilience at the Cabinet Office. In this role, he supports the 
Prime Minister and National Security Adviser on all aspects of 
counterterrorism, cybersecurity, national resilience, and 
crisis management and security policy; as well as the 
governance, resourcing, and policies surrounding the U.K.'s 
intelligence agencies.
    Mr. McGuinness has had an expansive career in Foreign 
Service since joining the Foreign & Commonwealth Office in 
1985. He has served in Yemen, United Arab Emirates, Egypt, and 
Italy, holding leadership positions covering the Middle East, 
counterterrorism, and all aspects of cybercrime. Mr. McGuinness 
attended Ampleforth College and the University of Oxford.
    I want to, again, thank the witnesses. Your written 
statements will be made a part of the record in their entirety. 
We ask that you summarize your testimony in 5 minutes. To help 
you stay within that time, there is a timing light on your 
table. When the light switches from green to yellow, you have 1 
minute to conclude your testimony. When the light turns red, it 
signals your 5 minutes have expired. And Mr. Downing, you may 
begin. Welcome.

STATEMENTS OF RICHARD DOWNING, ACTING DEPUTY ASSISTANT ATTORNEY 
  GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE; AND 
   PADDY MCGUINNESS, U.K. DEPUTY NATIONAL SECURITY ADVISER, 
                          OXFORD, U.K.

                  STATEMENT OF RICHARD DOWNING

    Mr. Downing. Good morning, Chairman Goodlatte, Ranking 
Member Conyers, and members of the committee. Thank you very 
much for the opportunity to testify on behalf of the Department 
of Justice concerning a significant impact on public safety and 
national security.
    We are, unfortunately, living in a world where criminals, 
both in the U.S. and abroad, prey on Americans. Cybercriminals 
steal our intellectual property and empty our bank accounts; 
terrorists threaten us with brutal attacks; and pedophiles seek 
to sexually exploit our young children. Never before have we 
had as great a need for access to electronic evidence in 
order to solve crimes, bring criminals to justice, and to 
protect public safety.
    Today, U.S. communication service providers often store 
customers' data, including the data of American customers, in 
data centers in foreign countries. Some providers constantly 
move that data in and out of the United States and around the 
world, sometimes minute by minute, for business efficiency and 
other purposes.
    It is against this backdrop that I want to deliver two 
important messages. The first is this: the rule announced in 
last year's Second Circuit decision in Microsoft v. United 
States is undermining the public safety of the American people. 
We believe the case was wrongly decided. That decision and the 
choice by major U.S. providers to provide its ruling across the 
country is preventing effective and efficient access to 
critical evidence where the provider has chosen to store that 
data overseas.
    And the remarkable thing is that it sometimes prevents us 
from using a warrant, even when the crime, the victim, the 
offender, the account holder are all inside the United States. 
These developments are affecting law enforcement efforts in 
just about every kind of case that we investigate.
    Let me give you a couple of examples. In one case, a U.S. 
defendant was arrested for sexually assaulting children, and a 
search warrant was issued and served on Google for the content 
of that offender's account. Google did not produce photo 
attachments in that account, and investigators need those 
photos in order to identify and locate other child victims.
    In a drug trafficking investigation involving targets in 
the United States, Canada, and China, a search warrant was 
issued to Microsoft. Microsoft did not produce any email 
content. Investigators need that content to identify the 
members of the drug trafficking organization.
    We need swift action by Congress to correct this problem. 
The Department recommends a clarifying amendment that would 
explicitly require providers subject to the jurisdiction of the 
United States to disclose data, pursuant to legal process, no 
matter where the provider has chosen to store the data.
    This brings me to the second message. The amendment should 
be passed as part of a package that would also improve cross-
border access by foreign law enforcement to data stored within 
the United States, a so-called U.S.-U.K. framework. We are, of 
course, not alone in facing challenges in protecting our 
citizens due to the globalization of the U.S. service 
providers.
    Our foreign law enforcement partners also face obstacles in 
obtaining electronic evidence stored outside their territory. 
Increasingly, those countries have issued their own legal 
process for evidence from U.S. providers. And, at times, the 
providers have to decide whether to follow the foreign laws and 
obligations or the restrictions on the disclosure found in the 
Electronic Communications Privacy Act.
    That is why a group of large U.S. providers came to the 
Department of Justice and asked us to help develop a new 
bilateral framework for cross-border data access. These U.S. 
providers want to be able to comply with foreign court orders, 
without violating U.S. law, in situations where the U.S. 
interest in protecting the information from such disclosure is 
at a minimum.
    Consider the investigation of a homicide in the U.K.: 
Scotland Yard opens an investigation, questions witnesses, 
searches houses, seizes phones. Everything to do with the case, 
the victim, the crime, the suspects, is in the U.K. except, 
that is, for the victim's email and social media accounts, 
which are stored in the United States. It is pure happenstance 
that the data is stored here, and there is no meaningful U.S. 
nexus to the case.
    This is a prime example of where it makes sense for U.K. 
law to control. Congress should enact legislation to lift the 
restrictions in U.S. law where a bilateral agreement exists 
between the two countries. We have explored how such an 
agreement would work with the U.K., and if the approach proves 
successful, we would consider it for other like-minded 
governments who respect the rule of law and have robust privacy 
safeguards.
    Thank you again for the opportunity to testify on this 
important issue, and I look forward to answering your 
questions.
    [The statement of Mr. Downing follows:]


    Chairman Goodlatte. Thank you, Mr. Downing.
    Mr. McGuinness, welcome. We are especially pleased that you 
have made a long trip to be with us today to testify about the 
importance of this issue. So, welcome.

                 STATEMENT OF PADDY McGUINNESS

    Mr. McGuinness. Chairman Goodlatte, Ranking Member Conyers, 
members of the committee, it is an honor to appear before you 
on behalf of Her Majesty's government. Before I turn to the 
substance of my remarks, I would like to express my sympathy 
for yesterday's shocking attack against this Congress, its 
staff, friends, and your police service.
    We wish Congressman Scalise and all those injured a speedy 
recovery; they and their families are in our thoughts and 
prayers. It is a symbol of the resilience of this House that 
you are pressing ahead with business and tonight's baseball 
game as well.
    I had the honor of appearing before the Senate Judiciary 
Committee on the 24th of May, 2 days after the cowardly attack 
in Manchester, which killed 22 people and injured many more. I 
now return to Congress in the wake of the attack on London 
Bridge on 3rd of June, during which eight innocents were killed 
and 48 were wounded. Five other attack plots have been foiled 
since our parliament at Westminster was attacked on the 22nd of 
March.
    Put simply, the scale of the threat against the United 
Kingdom, its citizens, and the foreign citizens who live there 
is unprecedented. It is a matter of pride to us that we are 
resilient. We reacted fast to the attacks and have quickly 
returned to normality. Manchester and London are safe and open 
for business.
    But our returned Prime Minister has also caught our mood 
when she said, ``Enough is enough.'' That is why she sent me to 
appear before you today to explain why Congress should, in our 
view, amend U.S. law to permit a bilateral agreement on data 
access.
    As Deputy National Security Adviser, my responsibilities 
are made more complex by a world connected by the internet. 
Serious crimes like human trafficking, child sexual 
exploitation, drug traffic, and money laundering do not respect 
borders. A British citizen who has joined Islamic State can 
cause untold havoc through a cellular phone, a laptop, and a 
Wi-Fi connection.
    I am not a lawyer, but I know that we share an 
extraordinary legal heritage derived from the common law with 
respect for freedom of speech, privacy, and the rule of law. 
Law is the bedrock of our mutual prosperity. It has enabled 
America's ingenuity and entrepreneurial spirit to flourish, 
and, thus, all to benefit. Nowhere is this more evident than in 
the success of American technology companies. And the people of 
the United Kingdom are amongst the most enthusiastic users of 
the services of those companies. Unfortunately, through no 
fault of the companies, that includes criminals and terrorists.
    Today, a British police officer investigating serious 
crimes taking place in London can get a warrant for the 
communications between criminals. If those criminals 
communicate using the services of the U.K. company, that warrant 
can be executed, the crime investigated, and citizens kept 
safe. When those same criminals communicate, as 90 percent do, 
through an American tech company, the current law of the United 
States can prevent that company from providing the content of 
those communications to the U.K. police officer.
    Crimes go on with the criminals unpunished as a result. 
This cannot be right. It is arbitrary. It places U.S. companies 
in an impossible position, stuck between the laws of two close 
partner countries. It constrains law enforcement, and it makes 
us all less safe. The need to resolve this is urgent. That is 
why I have come before you today to ask that you make a 
technical adjustment to U.S. law to remove the restriction on 
U.S. companies providing data in tightly defined circumstances. 
This will enable a U.K.-U.S. bilateral agreement to be signed.
    You will rightly be concerned, as our lawmakers have been, 
that privacy, freedom of speech, and other freedoms be 
protected. Let me, therefore, make clear what this proposal is 
not: an expansion of U.K. investigatory powers. It does not 
impact the privacy rights of U.S. citizens and residents; any 
agreement would not permit the U.K. to target U.S. persons or 
anyone in the U.S.
    It is not about encryption; it is entirely encryption 
neutral. It is not about obtaining communications in bulk. The 
orders under our agreement would be for individual targets. It 
is not compulsory; it simply removes the current legal bar to 
U.S. companies responding to U.K. orders. It is not one-sided; 
it is reciprocal. The U.K. law permits the U.S. use of the 
agreement's provisions in the U.K.
    This present conflict of laws is unsustainable. Some 
countries are requiring data to be stored in their territories. 
Others are arresting or threatening company employees. This is 
not good for our mutual prosperity or security. Now, Congress 
has the opportunity to create a solution to set the standard 
for transparency, privacy, and legality for the rest of the 
world to follow. Thank you for the opportunity to appear here 
before you today. I look forward to answering your questions.
    Chairman Goodlatte. Thank you, Mr. McGuinness. And I will 
begin the questioning under the 5-minute rule. Mr. Downing, the 
Department of Justice is engaged in talks with the U.K. 
Government about a bilateral agreement that would allow the 
U.K. Government to go directly to U.S. technology providers to 
obtain stored data, such as emails or to serve wiretap orders 
for real-time intercepts of communications in criminal and 
national security investigations not involving U.S. persons. 
Why is this necessary?
    Mr. Downing. This sort of agreement has a number of 
benefits. We have already touched on several of them in a 
variety of different ways. It is very important for us to help 
our colleagues and allies to solve the domestic security 
problems that they have, and it also helps the U.S. companies 
to make sure that they are avoiding any conflicts of law. It 
reduces incentives for data localization and creates incentives 
for countries to raise their own standards of protecting 
privacy and civil liberties. And as it has been mentioned, it 
is very important that we have the ability to get access to 
data in foreign countries for our needs when that data happens 
to be stored there in appropriate cases.
    Chairman Goodlatte. Is a formal treaty instead a better 
mechanism that would raise international standards more broadly 
while accomplishing the stated goal with multiple signatories 
at once?
    Mr. Downing. It is an interesting question about what the 
correct or the best mechanism would be for accomplishing this 
kind of a goal. Let me begin by saying though, that we very 
much expect that we would have close collaboration with 
Congress as we begin to think through these questions, to work 
with the U.K. and potentially with further countries down the 
road.
    We also have to think about how it would be most efficient 
in order to be able to build out this idea to further countries 
as well. We think that the proposal that we put forward really 
does accomplish a good balance there. It has a very strong role 
for Congress at the beginning, of course, by setting up the 
rules, the baseline, the requirements.
    And then, of course, as was mentioned, there is a 
traditional role in the back end where Congress would be 
notified before anything was entered into. And, of course, that 
would give an opportunity for Congress to weigh in at that 
point if it chose to do so. So, we think that a bilateral 
executive agreement rather than a treaty is probably a more 
efficient and effective way to get the job done and to help all 
the benefits that I have just mentioned.
    Chairman Goodlatte. Thank you. Mr. McGuinness, under the 
bilateral proposal there would be absolutely no bulk collection 
of data and no investigations of Americans. Is that correct?
    Mr. McGuinness. Absolutely.
    Chairman Goodlatte. And what mechanisms would be in place 
to ensure that Americans' privacy is protected while also 
allowing for lawful access by British authorities to British 
citizens' email content that resides in the United States?
    Mr. McGuinness. So, in order to protect U.S. citizens and 
U.S. persons, we should be clear at the outset that this 
agreement specifically excludes U.S. citizens and anybody in 
the United States. That is not the purpose of the access to 
data. So, that is excluded. We have equivalent high standards 
to the United States in the way in which we oversee and manage 
interception of communications.
    We monitor closely what is being done, train, study, and 
have oversight regimes, which means that we have a degree of 
confidence in what we are able to do. Having said, we will not, 
even inadvertently, intercept the communications of Americans. 
We are confident that we can put in place systems and processes 
that will protect their rights.
    Chairman Goodlatte. What is the standard that British 
authorities must meet in order to obtain the email content of 
British citizens in the United Kingdom when the content resides 
in the U.K.?
    Mr. McGuinness. So, we have a concept that we use, which is 
established and proven and tested in judicial process in the 
United Kingdom, which is necessity and proportionality. This is 
a high bar for gaining access. Necessity relates to statutes. 
So, there are only certain statutory reasons where you might be 
able to gain access. That would be national security, serious 
and organized crime, threats to economic well-being.
    So, those would be covered. Certain restricted set of 
organizations can apply for warrants to intercept 
communications. Necessity means, also, that the individual or 
entity being targeted; there must be a basis for targeting to 
them. So, they must have been in dialog with Islamic State. 
They must have come up in searches relating to child sexual 
exploitation or whatever it might be.
    And then we have proportionality and proportionality tells 
us that we must use the least intrusive means to enable the 
investigation. And if a less intrusive means is available we 
should use that. So, it is possible that you will have a 
necessity justification, but proportionality will mean that a 
warrant is not agreed. Proportionality is a critical concept 
when we have judicial review of these warrants.
    Chairman Goodlatte. And how often do British authorities 
face obstacles to obtaining lawful access to information held 
by U.S. companies when conducting investigations?
    Mr. McGuinness. So, as I said in my opening statement. 
Happily, there is an enormous penetration of the British market 
by U.S. tech companies. Everybody, myself included, makes 
extensive use of multiple apps when they wish to go about their 
daily life. What that means is in almost every case that we 
look at there is extensive use by the target of investigation 
of U.S. applications provided by U.S. companies. And that means 
that in almost every case there is a basis to potentially to 
ask for data if that particular communication use is relevant.
    Chairman Goodlatte. And, finally, could you explain the new 
judicial system in the U.K. under the investigatory powers 
regime? In which ways did passage of the Investigatory Powers 
Act strengthen and bring more accountability to the U.K.'s 
judicial system?
    Mr. McGuinness. Certainly. So, in everything I say today I 
am going to be talking about the system that will operate under 
the Investigatory Powers Act, which you mentioned, which was 
passed in November 2016. They are being introduced through this 
year progressively and that is what I will be talking about.
    We are having a double lock. So, an intercepting agency, 
the police service or security service, will write a warrant. 
They will submit it to a certain defined set of senior 
Ministers who will either agree or disagree with the warrant. 
If it is agreed, it then goes to a Judicial Commissioner.
    And that Judicial Commissioner will review the warrant in 
particular on these issues of necessity and proportionality, 
but also the public interest and privacy and the need to 
maintain the security of telecommunication systems. And, if 
satisfied, will also sign the warrant. So, what you get is a 
double lock. The Minister signs it, and then the judge signs 
it. If the Minister refuses, it does not go to the judge; and 
if the judge refuses, it does not go through.
    Chairman Goodlatte. Thank you. The gentleman from Michigan 
is recognized.
    Mr. Conyers. Thank you, Mr. Chairman. If you do not mind, 
Mr. Downing, I am going to ask one question of our visitor and 
guest here. Welcome to the Congress, to the House Judiciary 
Committee. We are honored that you would travel as long as you 
did to join us. And I wanted to just ask you: one criticism of 
the administration's proposal is that it does not reflect one 
of our legal traditions that warrants should issue only with 
probable cause. I understand that the British system works 
differently, but would there be a problem with tightening the 
reasonable justification standard reflected in the current 
proposal, in your judgment?
    Mr. McGuinness. So, thank you for the question, and, 
indeed, thank you for hearing me today. The British Parliament 
passed the Investigatory Powers Act in November 2016 with a 
very large majority. It is more than bipartisan, and it is very 
much the will of the British Parliament that this is the way in 
which we should manage intrusive powers of this kind. It is 
founded on established British legal mechanisms, whether that 
be judicial review or necessity and proportionality.
    It was considered on the floor of the House of Commons 
whether or not we should introduce a new and different 
standard, a new and different standard. And it was concluded 
that a new and different standard would contain risk because we 
could not be sure how it would be implemented, and it would not 
have been tested as necessity and proportionality have been 
tested.
    So, I think my answer to you is we have very high standards 
in the United Kingdom. We come from the same legal rootstock 
that you do. And we have established protections for freedoms, 
for privacy, for freedom of speech. And that is at the very 
heart of British life. And we have legal mechanisms that are 
proven to deal with that and those are the ones that should 
apply to any application for data.
    Mr. Conyers. Thank you. Turning now to the Department of 
Justice representative, Mr. Downing, and thank you for your 
cooperation. Let's compare two different proposals to solve the 
problem presented by the Microsoft decision.
    The International Communications Privacy Act, as introduced 
by Mr. Marino, which allows the government access to 
communications stored overseas, but also requires the court to 
consider the nationality of the targeted user, as well as any 
concerns our allies might register about the privacy of their 
own citizens. It recommends a simple reversal of the Second 
Circuit. Why should we simply reverse Microsoft? Does it matter 
that litigation is ongoing? And should we not make some 
accommodation for our foreign partners?
    Mr. Downing. Thank you very much for the question. We 
believe that a clean reversal of the Microsoft decision makes 
the most sense because of the very real and significant harms 
that are being caused by that decision along the lines that I 
have outlined already. Litigation is ongoing. That is actually 
a symptom of the fact that we feel very strongly about this and 
the significance of the problem. We are seeking every means 
that we have available to try to get that situation solved, 
including in the courts where we have that right to bring those 
cases. And, of course, that is why we proposed to Congress a 
way of fixing it.
    To your last question: what is the issue with respect to 
notifying foreign governments? There is a number of aspects to 
that situation that I would highlight for you. First of all, it 
is extremely unusual that we would notify a foreign government 
when we take investigative steps against one of their citizens. 
We might search the home of a Russian organized crime figure or 
a Mexican drug dealer inside the U.S., and we would not give 
those governments notice. And we would not do it even when we 
did use a mutual legal assistance treaty request.
    So, if we sought information from France about a Spanish 
citizen, we would not turn around and tell Spain that we had 
done that.
    But more practically speaking, there are a number of 
concerns that we have about a system of notice to foreign 
governments. We are concerned about notifying a foreign 
government, which might tip off the target of the 
investigation. It does not make much sense to notify the 
Chinese about a Chinese hacking investigation that we are doing 
or a Syrian terrorist about a terrorist investigation. We are 
concerned about the reciprocity. Are they granting the same 
rights to Americans?
    It does not make much sense to give rights to foreign 
citizens that they are not willing to give to us. We often do 
not know the nationality of the target. So, how do we deal with 
the situation where somebody is distributing child pornography 
but using the anonymity of the internet to prevent it? And, 
perhaps, most importantly, we need a system that is going to 
work swiftly and efficiently in order to get us the evidence 
that we need in order to protect Americans.
    So, a lot of steps and confusion and notification and 
delay. It is not what we would favor in our position.
    Mr. Conyers. I thank the witnesses, and I thank the 
chairman.
    Mr. Issa [presiding]. Thank you, sir. I will now recognize 
myself for a round. I picked up on your statement you did not 
think we should have a treaty. We have an extradition treaty 
with the United Kingdom, right, Mr. McGuinness?
    Mr. McGuinness. Yes, you do.
    Mr. Issa. And why is this not an extradition of an asset of 
an entity? Why is it so different, particularly when our laws 
are not harmonized and not likely to be harmonized as to 
privacy?
    Mr. McGuinness. So, the reason why we have come to this is 
because of an important dialogue.
    Mr. Issa. No, no, no. That was not the question. I 
apologize. The question is, why not a treaty? The bar is 
higher. The standard is higher. It has to be ratified. But, you 
know, there are about 214 ambassadors. But let's call it 194 
countries that the United Nations more or less deals with, 80 
or so of which we have no extradition treaties with.
    So, slightly more than half the world, at least relative to 
the United States, has agreed to a procedure for extradition. 
And I will just briefly go through Mexico. In Mexico, we waive 
the death penalty when we want somebody who has fled who is 
accused of a capital crime. We waive it in order to get them 
back. It is part of our treaty process.
    So, when we look at the likelihood that European Union and 
Britain collectively and now separately will have different 
standards sooner or later, always almost, in some way for the 
nuances of how you have to treat data both of U.S. persons and 
British persons. Are not we in a situation in which a treaty is 
a better binding and more appropriate bilateral agreement? And 
I do not want to belabor it. It is the Senate's job. But, you 
know, is there any particular justification other than not 
doing a treaty is quicker and easier?
    Mr. McGuinness. So, I do not believe this is analogous with 
extradition. It is absolutely not that.
    Mr. Issa. OK, well, let's go through that. The data that is 
being sought can put somebody in the gas chamber in this 
country. The data being sought can cause people to be asked for 
extradition. Often, the information that is being looked for 
will lead to extradition. Let's put it this way: the Fourth 
Amendment looks to unreasonable search and seizure. It is 
specific and it has the same power as the other nine in our 
country.
    So, when I look at these inherent protections, and I will 
get past treaty for a moment, but when we look at a bilateral 
agreement of any sort between our two Nations you are going to 
want to protect British persons at a level that you 
specifically protect British persons. And we are going to want 
to protect U.S. persons at a level that we want to protect 
them. And then, we are going to agree based on disparate 
standards in all likelihood that we are going to exchange data 
under certain circumstances, correct?
    Mr. McGuinness. It sounds right.
    Mr. Issa. And you did a great job of explaining in detail 
how you would come to produce this subpoena or warrant and send 
it to us. But I can tell you from this committee, that there 
are processes in this country that are virtually invisible that 
are done administratively that could lead to a request for data 
that currently we are not comfortable with sometimes in the 
U.S.
    So, let me ask you a real question. Britain and the United 
States could not be closer, probably than any other two 
countries when it comes to our general view of what is right 
and wrong in the world. But are we not held to whatever we do 
between our two countries, to be, if you will, the form. The 
block on which we are supposed to build other bilateral 
agreements.
    And so, when I look at nations like Cuba, North Korea, 
Afghanistan, the list is long that we do not have extradition 
with. What am I going to do when they want data for their 
persons? How am I going to look at countries who do not 
necessarily have the same standards and the same rule of law 
and yet will insist that they have gone through a process, and 
I need to give them the information they want?
    Mr. McGuinness. If I may, you are going to hold them to the 
very high standards that are proposed in this proposal that 
have come to you here in Congress. And I long to see the day, 
when in North Korea, or Cuba, or any of the States you mention, 
they have the kind of protections you have in the United 
Kingdom.
    So, there absolutely is a mechanism for leading States 
along the road. And I would observe that one of the drivers for 
the revision of the judicial oversight of our warrantry where we 
had a different system prior to the November 2016 Act, was the 
fact that we knew that it would satisfy the companies who are 
advocates of this agreement and the United States.
    Mr. Issa. By the way, the Vatican is on that list that we 
do not have extradition with.
    So, I will close by saying I am deeply concerned that we do 
have to be cognizant that, with 80 countries that we cannot 
agree to extradition with, the question of whether those 80 
countries, if we fail to reach a more common standard, one that 
we could reciprocate with everyone on, they are going to tend 
to say, ``Gee, it is a wonderful world. We want our data 
located in our country.'' And it will be an excuse for China, 
Libya, the Vatican to each have their own servers. And, 
although I trust the Vatican's business model is such that the 
server data will be limited, I cannot say so of China. Thank 
you.
    And we now go to the ranking member of the Intellectual 
Property Subcommittee, Mr. Nadler.
    Mr. Nadler. Thank you very much, Mr. Chairman. Mr. Downing, 
before I get to the specifics here, I want to have a couple of 
preparatory questions. It has been reported recently that it is 
now the policy of the executive branch not to answer questions 
from minority party members of Congress on any subject 
whatsoever and to routinely ignore them. So, my question is, is 
it the policy of your Department, the Department of Justice, 
not to respond to congressional inquiries from Democratic 
members?
    Mr. Downing. I am afraid I do not have an answer for you 
either way on that. I do not know whether that would be binding 
on us or where our position is on that.
    Mr. Issa. If the gentleman would yield?
    Mr. Nadler. Sure.
    Mr. Issa. I would be pleased to say that, in fact, in 
parliamentary systems, including Great Britain, the minority 
right is extensive.
    Mr. Nadler. I am glad to hear that, but I am concerned 
right now with the congressional system designed by Mr. 
Madison. Mr. Downing, if I ask you a question today, which I 
will do in a moment, you will presumably answer it.
    Mr. Downing. I will.
    Mr. Nadler. Thank you. But if I put the same question in 
writing and send it to you, will you answer it?
    Mr. Downing. I will do my best to answer all the questions 
for the record that come forward from the committee.
    Mr. Nadler. Despite what we hear is the new policy of the 
administration?
    Mr. Downing. I, as I said, do not have a strict answer for 
you on that particular question.
    Mr. Nadler. OK. Let the record reflect that that was not 
answered, and that is very disturbing that you cannot answer 
the question in the negative, to put it mildly.
    Let me ask Mr. McGuinness, you described the system in 
Britain of proportionality and necessity. We have the system of 
probable cause. Could you tell us how they would differ in a 
given case, I mean how you would look at proportionality and 
necessity in a different way than we might look at probable 
cause? I mean, what is the practical impact of this?
    Mr. McGuinness. So, as I said in my opening statement, I am 
not a lawyer, and I am certainly not an academic lawyer. And my 
ability, frankly, to compare between different legal systems 
and the standard within them is somewhat limited.
    So, I am going to just reflect that necessity and 
proportionality are a very high standard analogous, I believe, 
to much that is in probable cause, and, certainly, established 
in the British legal system and a basis for testing and 
sometimes refusing proposals for warrantry and for action by the 
State.
    Mr. Nadler. Well, since you are not a lawyer, I cannot ask 
you the next question, which I will simply state for the record 
as a matter of curiosity. And that is, what happened to 
probable cause in British legal history since I thought it was 
there in the 1760s? But we will worry about that at a different 
time. I am concerned the proposed legislation would allow 
foreign governments to request assistance from the U.S. 
providers to intercept communications in real time without 
requiring compliance with Wiretap Act standards. Mr. Downing, 
could you comment on that and the implications of that?
    Mr. Downing. Absolutely. I think it is important to start 
with a baseline that has been discussed, these kinds of orders 
would not be targeting U.S. persons. So, you have got to 
picture the paradigm case here as a----
    Mr. Nadler. Excuse me. It would not be targeting, but if 
information was collected on U.S. persons, that could be given 
back as a section 702 problem?
    Mr. Downing. It is possible that U.S. person information 
could be intercepted. But if you think about the paradigm case 
of an organized crime boss who is setting up a hit and is 
talking to people, and the U.K. needs that information, it is 
pure fortuity that the data happens to be stored in the U.S. 
And so, the U.S. interest in the application of our law is at a 
minimum.
    Nevertheless, the agreement that we have proposed would 
create strong baseline rules. There would have to be 
articulable and credible facts and particularity, which are 
ideas, which are another way in some ways of saying probable 
cause. There have to be the exhaustion of alternatives. The 
necessity idea. There has to be for a limited duration. So, all 
these things are in play and I think it is important that we 
understand that there are real restrictions as well. And I 
think, if I may, one final point. The U.K., like the U.S., 
believes that wiretapping is a critical part of being able to 
protect our public safety. If we do not address this problem as 
part of this----
    Mr. Nadler. Yeah, we have clearly got to address the 
problem just looking at these standards. In my little time 
left, might you be better qualified to answer the question I 
asked Mr. McGuinness about the difference between the British 
concepts of proportionality and what did he say? 
Proportionality and----
    Mr. Downing. Probable cause?
    Mr. Nadler. Proportionality and necessity on the one hand 
versus probable cause on the other.
    Mr. Downing. I am afraid I am, of course, steeped in the 
U.S. legal system and not so much on the U.K. side. However, I 
would agree with Mr. McGuinness that I think those ideas 
achieve the same kinds of goals. They need to be real problems, 
real faced with proportional consequences. They are analogous, 
if not identical. But I do think it is important to recognize 
that we cannot have a system where every country has to have 
exactly the U.S. rules, or we are never going to get anywhere 
with this. It is important that we have baseline rules; 
everybody is respecting of privacy and we have rules.
    Mr. Nadler. In other words, we can be imperialistic, but 
not that imperialistic.
    Mr. Downing. That is right. We would not like it very much 
if they imposed their rules on us. I think we need to be at 
least a little bit balanced about it.
    Mr. Nadler. Thank you, my time has expired. Thank you, Mr. 
Chairman.
    Mr. Issa. Thank you. We now go to the chairman of the 
Oversight Committee, Mr. Chaffetz.
    Mr. Chaffetz. Thank you. I do appreciate it, former 
chairman, but----
    Mr. Issa. You will always be a chairman to me, Jason.
    Mr. Chaffetz. All right, thank you. Mr. McGuinness, we 
cherish our relationship with the U.K., and we thank you, 
personally, for what you do and for the relationship between 
the two countries.
    Mr. Downing, I think it is important for us to understand 
sort of the baseline, because if we are going to be trying to 
do things in other countries, I am still concerned about what 
we do and do not do in this country. So, first, help me 
do and do not do in this country. So, first, help me 
understand geolocation. What is the Department of Justice's 
position on geolocation? My concern is and question for you is 
does the Department of Justice consider that metadata, or is 
that content? How do you view geolocation?
    Mr. Downing. Thank you for the question. Geolocation is a 
difficult and complex topic, as I am sure we understand. And we 
have had discussions about this in the past as well. There are 
different kinds of geolocation that could be content or could 
be non-content. It could be content if it is, say, the location 
data that is embedded inside of a picture file and is being 
passed as part of an attachment to an email.
    It could be non-content if it is simply information that 
the provider is gathering about its customers' use of cell 
towers. It does not actually have any content-full value in 
that situation. It is simply an observation of the company 
about which tower a particular phone is pinging off of when it 
is being used. So, I think----
    Mr. Chaffetz. There are times when geolocation is content, 
correct?
    Mr. Downing. There can be times, yes.
    Mr. Chaffetz. I mean, have you written this out? Is there 
some sort of definition that the Department of Justice is 
taking on the nuances of what geolocation is and is not? 
Because I would argue that, by and large, geolocation is 
content. It is the content of my life. If you can tell where I 
am going with this phone all of the time, you can pretty much 
tell the content of my life. And yet I worry about what you are 
gathering and not gathering, and I do not understand the 
definition.
    Mr. Downing. So, our view of the rules that apply when we 
are gathering geolocation information vary depending on what 
type of geolocation it is. Our position has been that, if we 
are merely talking about what cell tower your phone is pinging 
off of, that that is covered by the Stored Communications Act 
and would require a court order before we are able to obtain 
it. This is an issue, actually, that the Supreme Court has just 
recently decided to serve petition on. And so, it will be very 
interesting to see how they resolve that question.
    There are other kinds of geolocation information such as 
GPS, which is very specific and generally gathered 
prospectively. In those situations, I think as you know, we use 
a warrant for that. So, I think we use a nuanced approach. We 
look at the law that applies and try to do our best to comply 
with that law. It varies.
    Mr. Chaffetz. Well, I do not know that every department and 
agency, even within the Department of Justice, uses those same 
standards. And, certainly, when you start to look at Homeland 
Security and others, they do not necessarily follow those same 
standards. And so, I guess what I am looking for in writing the 
definition of what that is.
    Let me ask you very quickly: on social media, is it the 
position of the Department of Justice, particularly in the 
hiring and the monitoring of existing security clearances, to 
look at social media? Is that fair game or not fair game?
    Mr. Downing. You know, I am afraid I do not know the answer 
to that question, but I would be happy to take it back to get 
you an answer.
    Mr. Chaffetz. I think it is important. It has been a 
struggle, particularly in the realms of security clearances, 
even to get our own Federal employees to be able to look at, 
you know, when they are assessing security clearances, to look 
at their social media and whatnot. And the last thing I want to 
ask you about is facial recognition. We know the Department of 
Justice, specifically the FBI, is building a database of facial 
recognition. What direction is this going? Where are the 
standards? What is happening or not happening in the building 
of the facial recognition database?
    Mr. Downing. So, I am not intimately familiar with what the 
FBI is doing in that regard. My general impression is that they 
are developing a database similar as they would with 
fingerprints and other things of people who were of interest in 
an investigation, who were arrested in order to be able to 
better----
    Mr. Chaffetz. OK, but please do look at this because that 
is not what they are doing. If they were looking at criminals, 
people who were incarcerated, people who committed crimes, that 
would be one thing. But what they are doing is now more than 
one out of every two members of our society are in the database 
or they have access to that database, I should say, because 
they are proactively going and gathering all the pictures that are 
on driver's licenses.
    A lot of States have MOUs with these States. And the FBI 
was supposed to provide some notification. They did not do 
that. I have a fundamental problem and challenge in taking 
innocent, suspicion-less Americans and building a database 
because we have shown we cannot protect our databases. So, I 
think we need to ferret that out as a committee. I will not be 
here much longer, but I do think that is something the 
committee should take a much closer look at. With that, I yield 
back.
    Mr. Issa. I thank the gentleman. And, Mr. Chaffetz, in case 
we do not get another public opportunity on this committee to 
thank you for your service for so many years and for your 
championing people's privacy rights including geolocation. It 
is something that on this side of the day is center and left. 
We are all noting that someone is going to have to pick up that 
chalice on your behalf.
    Mr. Chaffetz. Well, thank you. I am honored to serve. So, 
thank you. I appreciate it.
    Mr. Issa. Thank you. And with that, we go to the gentlelady 
from San Jose, Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chairman, and thanks to the two 
witnesses, especially our friend from Great Britain for his 
long travel to be here this morning. And it is a pleasure to 
hear your viewpoint.
    Obviously, our country and yours are close partners in the 
fight against crime as well as the fight against terrorism. So, 
your words mean a lot to us, and we weigh them carefully as 
well as, of course, our own Department of Justice. You come 
here at a time, however, when we are very much reviewing our 
own due process rules, and also some of the other issues that 
are post challenges, not only to our government but to our 
people.
    One of the things I wanted to raise, I understand that you 
are here for the best of motives, but we have a new General 
Data Protection Regulation that the European Union passed in 
April of last year, not of last year; it was 2016. It goes into 
effect in May 2018. And here is my understanding of it, and 
correct me if you think I am wrong.
    The GDPR requirement will be the data stored in the EU can 
only be transmitted to a non-EU country, for example the United 
States, in response to a law enforcement request through a 
process that is ratified in a treaty. In fact, we would not use 
an MLAT, which we all agree is inadequate, due to its 
complexity and the time.
    But I think we are going to have to have a situation next 
year where American companies are going to violate the law no 
matter what they do. And I am concerned about that, that you 
are here for this matter, but this is going to hit the fan next 
spring. And I do not think it is fair to set up a situation 
that great American companies are going to be in violation of 
the law no matter what they do, and we just ignore that.
    So, could either one of you comment on that?
    Mr. Downing. Do you want to go first?
    Mr. McGuinness. So, I should say that that is not our 
understanding of the GDPR, the General Data Protection 
Regulation. And the implementation of it is being worked 
through, at the moment, at European Union level and in 
individual member States. So, we are working on that at the 
moment. And when we look at Article 48, which would appear to 
have that effect, we see that it has been nuanced.
    And it is our belief, both that the provisions we have, 
and, I think it is clause 53 of our Investigative Panels Act, 
which allows for the reciprocity, which I described. Both that, 
and the GDPR itself would allow for transfer under the kind 
of agreement that we are working on here. That is our belief.
    Mr. Downing. If I could just add, I concur with that. We 
have been having some discussions with your national data 
privacy experts and with the European Commission, and as a 
result of those discussions, the Department believes that the 
concerns that have been raised are inaccurate and overstated. 
We do not believe that the GDPR will pose significant conflicts 
for U.S. companies to comply with U.S. demands.
    Ms. Lofgren. Well, you know what I would really like from 
both of you following this hearing? I would like a statement 
that is definitive on that, that companies could take to the 
bank and that they could give to a court and as a shield, that 
they have relied on in good faith, the representations.
    I, personally, think we ought to do a treaty that clarifies 
this, but I do not think there is much activity on that more 
that there should be. I am, actually, I will be honest, a 
little bit reluctant to take action until this other matter is 
addressed. And I do not think the administration, from what I 
have heard, is actively pursuing it which I think is a mistake. 
I will just lay that out. And I think I am not the only member 
who has that concern.
    But if you could provide those definite statements from the 
highest levels of your government, that would be very helpful I 
think to all of us. And certainly, to American companies that 
feel really kind of stuck at this point. Mr. Chairman, I see my 
time has expired.
    Mr. Issa. If the gentlelady would let me have her 14 
seconds. Mr. Downing, I am going to ask you the follow-up 
question to hers. If I were the Attorney General and I asked 
you to make the case based on the European Union order, that 
you did have that authority, would you not be able to make that 
case or at least in good conscience you would plead it? Because 
the ordinary reading, certainly, would allow you to make that 
case.
    Mr. Downing. Make the case? I am sorry, I am not following 
you.
    Mr. Issa. Make the case that you could not transfer to the 
U.S. that data as a non-U.S. entity based on the simple reading 
that the gentlelady from San Jose alluded to.
    Mr. Downing. Well, I cannot say that I know the intimate 
details of the different articles of the GDPR. But in speaking 
with people it seems fairly clear that there are a number of 
exceptions and loopholes, and changes, and whatnot, that apply 
in this kind of situation----
    Mr. Issa. There is always fertile ground for attorneys to 
make a case in a court.
    Mr. Downing. Well, I certainly agree that having a clear 
and definitive from the European Union about this would be 
helpful. But I just want to be clear, we have to be careful 
about basing our legislation on concerns which may be 
completely empty.
    Mr. Issa. Well, I join with the gentlelady in making the 
belief that, until it is clear, crystal clear, it would be a 
fool's errand to create a situation in which companies would be 
damned if they do and damned if they do not.
    Ms. Lofgren. If I reclaim my 14 seconds, Mr. Chairman?
    Mr. Issa. Of course. Yes, ma'am.
    Ms. Lofgren. I just think that we ought to have some 
further discussion on this point. And perhaps we could 
stimulate some useful activity on the part of the 
administration to get something positive done here.
    Mr. Issa. I would be happy to join with the gentlelady in 
that. We now go to the gentleman from Ohio, who has been 
patiently waiting, Mr. Jordan.
    Mr. Jordan. I thank you, Mr. Chairman. Mr. Downing, how 
long have you been at the Department of Justice?
    Mr. Downing. Coming up on 18 years.
    Mr. Jordan. OK, 18 years. We appreciate your service. A 
week ago, former FBI Director, Mr. Comey, testified that then 
Attorney General Loretta Lynch told him when he discussed the 
Clinton investigation to call it a matter not an investigation. 
Do you recall that testimony from Mr. Comey?
    Mr. Downing. I have heard news reports of that.
    Mr. Jordan. OK, were you a part of the discussion and 
decision at the Justice Department to instruct the FBI Director 
not to call an investigation an investigation?
    Mr. Downing. No, sir. I am a career employee of the Justice 
Department, and I was not involved in any of that level.
    Mr. Jordan. Do you agree with that decision that was made 
and, frankly, implemented by the FBI Director?
    Mr. Downing. I am afraid, sir, I do not have an opinion one 
way or the other on that.
    Mr. Jordan. Do you know if that has ever happened before, 
where the Attorney General tells the FBI Director to portray 
something differently than what is actually happening, i.e. not 
to call an investigation an investigation?
    Mr. Downing. I am afraid I have no information for you on 
that.
    Mr. Jordan. Were you part of any decision by the Justice 
Department to allow the perception to continue that President 
Trump was under investigation, when, in fact, he was not and 
was told three times by the FBI Director that he was not?
    Mr. Downing. I am trying to make clear, I am not involved 
in decisions of that level, and I have no information about it.
    Mr. Jordan. Do you think it is wise for the Justice 
Department to mislead the American people?
    Mr. Downing. Of course, the Justice Department should do 
its best not to mislead anyone.
    Mr. Jordan. And you would agree that, in both situations, 
the American people were misled?
    Mr. Downing. I have no basis to answer that question.
    Mr. Jordan. Well, think about it. In one situation, it was 
an investigation and the FBI Director was instructed to call it 
something different, to call it a matter. And the other 
situation, the President of the United States was not under 
investigation and yet that would not be confirmed, not be 
stated. And the perception was allowed to exist that he was. 
Twice the American people were misled by the head of the 
Federal Bureau of Investigation. That is probably not a good 
thing, is it?
    Mr. Downing. I have no opinion for you on that.
    Mr. Jordan. I mean, but, you know, you have served 18 years 
at the Justice Department. You went to Stanford Law School; you 
are a smart guy, a good lawyer. Is that normally how it 
operates at the Department of Justice? Well, let me ask you 
this, do you know of any other occasion where the Attorney 
General has instructed someone with an important job, like 
running the FBI, to mislead the American people?
    Mr. Downing. I have no basis to believe that, no.
    Mr. Jordan. You do not think it has ever happened before? 
You do not know of any other time it has happened?
    Mr. Downing. I do not have any opinion on that, no.
    Mr. Jordan. What about the leak? What about the idea that 
the head of the FBI decides to give information to a friend who 
is then going to pass it to The New York Times? Should that be 
something that actually takes place, even though, at the time, 
he was a former FBI Director? Is that appropriate for someone 
who has held that position to engage in that kind of activity?
    Mr. Downing. I am afraid I also do not have an opinion on 
that.
    Mr. Jordan. But, again, as someone who has worked at the 
Department of Justice for 18 years, Stanford Law degree, you 
think that is the appropriate kind of conduct for someone who 
has served in the Justice Department? Not even as high level as 
you, but someone who has been head of the FBI?
    Mr. Downing. I think I could say that the FBI Director is a 
higher level than me. No, I am sorry, sir, I do not have an 
opinion about these kinds of questions. I understand the 
motivation and the need to try to get to answers on these 
questions, but I am not the right person to be in a position to 
answer them for you, sir.
    Mr. Jordan. I appreciate you trying to respond, Mr. 
Downing. But what I also think the American people would 
appreciate is the highest officials at the Department of 
Justice should be straight with the American people. And that 
did not happen. No ifs, ands, or buts about it. It did not happen. 
And they were misled at the direction of the Attorney General.
    Mr. Comey's testimony was real clear. He even questioned, 
he said, do we really want to do that? Do we not want to tell 
the American people the truth? And yet he carried out the order 
from the Attorney General to mislead the American people and 
say it was a matter, not an investigation. And, of course, as I 
have said a couple of times, he allowed the perception to 
continue that our current President of the United States was 
under investigation when, in fact, he was not. And with that, 
Mr. Chairman.
    Mr. Issa. Will the gentleman yield?
    Mr. Jordan. I would be happy to yield to the chairman.
    Mr. Issa. Mr. Downing, I understand you cannot always speak 
about things that are your main wheelhouse, if you will. Have 
you ever spoken to the press off the record? Provided any 
information about an ongoing case to a press person?
    Mr. Downing. I have certainly spoken to the press off the 
record, sir. Of course, we are very careful about what we 
disclose, and we try to do our best to stay within the lines, 
certainly at my level.
    Mr. Issa. OK. So, I will take that as a yes. Thank you. We 
now go to the gentlelady from Texas, Ms. Sheila Jackson Lee.
    Ms. Jackson Lee. We welcome both Mr. Downing and Mr. 
McGuinness and add my appreciation for coming across the pond 
to visit with us. Let me just take a moment to applaud my two 
colleagues from California and from Ohio. We have just seen, 
and I will not take long on this moment, but we have just seen 
an opening to begin an investigation into the President of the 
United States and the questions of the Russian collusion, 
obstruction of justice by the Judiciary Committee.
    And I think we have been speaking about that for a very 
long period of time. And so, I would ask Mr. Jordan to convey 
to the leadership chairman and ranking member of this 
committee, so that we can begin to open these investigations 
that the gentleman from California seems to want to answer 
about leaks and individuals speaking off the record. Mr. 
Downing, you answered appropriately; you are here for a 
particular topic. And thank you for your courtesies in 
responding to my colleague.
    But I think now that we have now put on record that 
Republicans are interested in getting to the truth of what has 
happened and restoring the integrity of our government. And 
certainly, the number of witnesses are beyond even our 
imagination that could come before the Judiciary Committee to 
ensure that all of us have that chance to have questions asked 
and answered.
    I would hope that that we can begin that post haste, and 
also I hope that we can secure from the Justice Department the 
many documents that we have asked for. And I hope that we can 
do that.
    Let me indicate my interest in this topic and ask unanimous 
consent to put into the record, to the chairman, a letter from 
EPIC, Electronic Privacy Information Center, which is an 
organization that routinely files Amicus briefs in Federal 
courts regarding government cases, defends consumer privacy, 
organizes conferences for NGOs, but generally just understands 
the burdens of our providers and the whole question of 
releasing data.
    Even though this does not have anything to do particularly 
with the PATRIOT Act, I remember that discussion after 9/11. 
And the bill was rejected initially because we did not secure 
the privacy rights of Americans sufficiently. I maintain that 
this is my position continuously, even as we move into enormous 
levels of data seemingly everywhere. And so, I ask consent to 
put this letter into the record.
    Mr. King [presiding]. Hearing no objections, so ordered.
    Ms. Jackson Lee. Thank you. So, I have two questions. One 
deals with the negotiations between the U.S. and U.K. The rules 
are different; I just came back from a Malta meeting with the 
European Union, Parliamentarians, and we always discuss issues 
addressing cybersecurity data. And we know that, collectively, 
obviously Great Britain is in the middle of Brexit. But, the 
point is that the rules were different, and that means that our 
companies here in the United States, in this agreement between 
the U.S. and U.K., may have some difficult obligations to meet 
with.
    So, my first question is, why the secrecy and when will the 
U.S.-U.K. surveillance agreement be made public or aspects of 
it? And the second part is, what role of oversight do you 
believe the Congress of the United States, particularly, that 
is, in fact, the peoples' representatives, should engage with 
this agreement? Obviously, there are oversight and approvals 
that will come through, but ongoing responsibilities. So, 
first, when is this agreement going to be made public?
    Mr. Downing. So, I do not have a particular deadline or 
timeline for you for when it would be made public. Frankly, we 
are in a bit of a hiatus in any discussions around it because 
we are waiting to see what action Congress may take on the 
legislation that would enable and authorize this kind of 
agreement. We expect close collaboration though with Congress. 
That is our goal.
    We view this as an important piece of this. We have been 
working, of course, with the committee staff on both the Senate 
and the House and on the Foreign Relations Committee, and the 
Judiciary Committee, to try to make clear what we are doing. 
And we want to make sure that congressional role is strong.
    Indeed, in passing of legislation, would set all of the 
guidelines and the floor for what could be done under these 
agreements. And, as I mentioned before, also, an additional 
role at the end of the process if we were to conclude with an 
agreement with the U.K., there would be a waiting period at the 
end where Congress would have an opportunity to consider it and 
to weigh in if it chose to.
    So, I think you have my commitment that we are very 
interested in working carefully with Congress and that we are 
not going to be out doing crazy things by ourselves. This is 
very much a collaborative effort.
    Ms. Jackson Lee. Mr. McGuinness, though you come from 
across the pond you understand the vital role of Congress and 
the protection of the privacy rights of the American people.
    Mr. McGuinness. Yeah, I have the utmost respect for the 
U.S. Constitution and its protection of U.S. citizens. And of 
the role of the Congress in that. I have observed, in this 
case, we have something which the companies have come to us and 
said, this is a potential solution to a problem we face. And on 
that basis, we have gone forward. This is not going to work if 
it is just done between governments. Tech companies, which have 
brought us such wonders are critical partners in this and they 
have been good partners in preparing it.
    Ms. Jackson Lee. That is my very point. Mr. Chairman, I 
want to conclude. That is my very point the burden that the 
tech companies will have to face. But, Mr. Chairman, I would 
think that it might be appropriate that we have, as we move 
forward, a classified briefing or opportunity to have the 
Justice Department back and begin to hear about just the levels 
of data that might be subject to the treaty as they are going 
forward.
    I would like to ask more pointed questions, and probably, 
it would be necessary in a classified setting. I would like to 
put that on the record. With that, I yield back. Thank you for 
your answers. Thank you.
    Mr. King. The gentlelady's observation or request is duly 
noted. And since she has yielded back the balance of her time, 
the chair will now recognize the gentleman from Pennsylvania, 
Mr. Marino.
    Mr. Marino. Thank you, Mr. Chairman. Gentlemen, welcome. As 
a former district attorney and a United States attorney, I 
personally understand the complexities of modern day 
investigation and criminal prosecutions. I understand the need 
for law enforcement to be able to get timely access to 
important information, particularly in the abduction of 
children.
    For the past several years, I have introduced legislation 
addressing the issue of law enforcement being able to legally 
access information that is stored overseas. This year, I have 
been working with my colleague, Mr. Jeffries, to continue 
improving this legislation framework.
    Current legal framework, the Electronic Communications 
Privacy Act, more commonly known as ECPA, is insufficient for 
addressing the need of the technology and society of the 21st 
century. ECPA is over 30 years old, and the original drafters 
on ECPA could not have envisioned the interconnected lives we 
live in today's digital world. And the Second Circuit said as 
much in its ruling in Microsoft, you know.
    Deputy Attorney General, and I do not mean to put you on 
the spot here because I just happen to glance at some of the 
opinions also, could you expand on the DOJ's opposition to the 
Second Circuit's decision in Microsoft, the Second Circuit 
Appellate Court, and your legal basis of, I think it has been, 
two and maybe three Federal Magistrates Courts' opinions that 
appear to me to be disagreeing with the Second Circuit's 
decision in Microsoft v. U.S.?
    Mr. Downing. Certainly, sir. There are actually five, now, 
lower court decisions in different circuits that disagree with 
that opinion. Our position is a fairly simple one: we believe 
that the execution of a warrant by a U.S. provider, inside the 
U.S. is a domestic application of the Stored Communications Act.
    That is, the order is issued by a U.S. court; it is served 
on the U.S. provider; and a person inside the United States 
maintains that data, even if it is stored outside. And the moment 
of disclosure, which is where the privacy issue may be 
involved, is inside the United States. It is then reviewed by 
officers inside the United States.
    So, our position is that this is not an extraterritorial, 
under the rules of the legal doctrine of extraterritoriality. 
And, therefore, it is perfectly proper for the companies to do 
it, to disclose that information to us. And, of course, as I 
have mentioned, it is so critical that we get this information 
in order to solve very real crimes, as you yourself pointed 
out.
    Mr. Marino. Thank you. Deputy McGuinness, welcome. I have 
had the opportunity to be a guest in England, in London, of 
Scotland Yard. And I was out on the street with the agents, and 
it was quite exciting, very similar to our legal system here of 
prosecution. But it is good to see you here. We have about 196 
countries in the world, and many of them will not cooperate 
with a democracy like yours and ours. Would you agree with me 
that it would be virtually impossible to have one universal 
treaty and are bilaterals more realistic and less complex to 
achieve however cumbersome because of the numbers that would be 
required? Do you understand my question?
    Mr. McGuinness. I would strongly agree with that.
    Mr. Marino. What approach would you, specifically, if you 
would not mind expanding on it, because I know we have been 
working on one together? Do you see a large portion of that 
bilateral agreement that would fit concerning other countries? 
And do you see many objections coming forward from those other 
countries, based on what we have been working on? The Justice 
Department, I might add, Justice has been working on us on 
this.
    Mr. McGuinness. So, the work we have been doing, building 
on advice from the tech companies about what they felt would be 
workable and would provide a route to solve this problem of 
conflict of laws. The work we have been doing has both the 
effect of resolving the immediate issue with States that have 
shared standards, shall we say. But also routes to improve the 
behavior of other States. Now, that, clearly, is a matter 
ultimately for the United States, which is to use agreements to 
do that. But the United Kingdom is strongly supportive of it. 
And we are also most wary of data localization which we see as 
a really pernicious effect. So, we do see a way through this.
    It is hard to say, it is hard to exaggerate just how 
significant this data is for keeping citizens safe. And that 
provides a very powerful driver in any jurisdiction for a 
changing behavior and a compliance with the terms that should 
be laid in something like this bilateral agreement. It is 
striking to me that in the exchanges that newly elected 
President Macron and newly elected Prime Minister May had in 
Paris only 2 nights ago.
    That in the very front of their mind was this question of 
what is to be done about securing data in order to secure 
citizens. So, there is an enormous urgency to resolve this 
issue and to get onto a proper footing. And I think I put that 
urgency before you as being one of the reasons to choose one 
vehicle over another for seeing through this business.
    Mr. Marino. And I am glad to see that we all agree that the 
tech industry has to be a part of this. You know, they have a 
dog in this hunt just as well as we do. But I do want to add, 
in conclusion, I see I have run over the time now, that many of 
the most serious cases that I prosecuted and where we reached 
convictions were based on using the 21st century technology 
that we have today. Thank you, and I yield back.
    Mr. King. The gentleman returns his time. The chair will 
now recognize the gentleman from Georgia, Mr. Johnson.
    Mr. Johnson of Georgia. Thank you, Mr. Chairman. Mr. 
Downing, Mr. McGuinness, welcome. Mr. McGuinness, welcome from 
across the pond, as has been stated. And we do value the 
historic relationship that we have maintained with Great 
Britain and want that relationship to remain as strong as it 
has always been and actually strengthen it in this time of 
mutual threat, or threats that affect us mutually. As well as 
the rest of the world, but these two countries have led the 
world, and we need to continue to do that.
    I want to ask a question Mr. Downing, in the event of a 
bilateral agreement between the U.K. and the U.S. that would 
permit U.S. companies to provide electronic data in response to 
U.K. orders targeting non-U.S. persons located outside of the 
United States, while affording the United States reciprocal 
rights regarding electronic data of companies storing data in 
the United Kingdom, what role do you foresee that Congress 
would have in approving, rejecting, or amending such an 
agreement?
    Mr. Downing. As I mentioned before, I see a close 
collaboration between the Department and Congress as being an 
important part of this process. And, in particular, Congress' 
role at the very beginning in passing the enabling legislation 
is a particularly strong rule since it sets the framework and 
the guidelines, the requirements, of any sort of agreement that 
comes forward. There is also an important role under our 
proposal for Congress on the back end.
    That is, that once an agreement has been worked out it 
would be provided to Congress for notice and, of course, at 
that point, Congress could take steps if it chose to. But it is 
very much our expectation that we would be in close 
collaboration with Congress as these kinds of agreements begin 
to be worked out, assuming that we move beyond the first one 
with the United Kingdom.
    Mr. Johnson of Georgia. So, under the framework submitted 
by the Department to Congress for this proposed bilateral 
agreement to be negotiated: do you see a role of Congress in 
terms of vetoing the agreement once it is reached possibly? 
Would Congress have that authority under the terms of the 
legislation that you have submitted to us?
    Mr. Downing. So, I may not be the best expert on 
congressional vetoes, but it is my understanding that we cannot 
write into the legislation an explicit veto. That that has been 
found to be not constitutional. However, Congress would have 
the ability at the conclusion of such an agreement to pass a 
law, if it chose to. That could obviate that agreement. So, 
Congress has an option, a decision that could be made, you 
could think of it a little bit like the way the Rules Enabling 
Act works where there is a period of time when Congress can 
choose to negate what has happened. But it is not an explicit 
veto you know written into the agreement. Because I believe 
that is not a permissible use of a statute.
    Mr. Johnson of Georgia. All right. With that Mr. Chairman, 
I will yield back. Thank you.
    Mr. King. The gentleman from Georgia yields or returns his 
time. The chair will now recognize the gentleman from Florida, 
Mr. Rutherford for 5 minutes. And welcome to the committee, Mr. 
Rutherford.
    Mr. Rutherford. Thank you, Mr. Chairman. I appreciate that. 
Mr. Downing, if I could go back just a moment to something you 
said earlier. You talked about U.K. law should control when the 
elements are in the U.K. and only the data is stored in the 
U.S. And then, you talked about some standards that the U.K. 
has. Mr. McGuinness talked about necessity proportionality, the 
double lock process.
    If we are going to use a bilateral agreement as kind of a 
template for other agreements down the road, could you talk 
about some of the other standards that you think should be met 
before the U.S. should consider entering into a bilateral 
agreement with other countries? Particularly, surrounding 
privacy rights.
    Mr. Downing. Certainly, sir. The legislation that we have 
proposed would create a number of these kinds of restrictions 
that I think set a very robust standard for privacy 
protections. They include things like orders have to be for 
specific persons; you cannot do bulk collection under the 
agreement. It would require that any order be based on 
particularity and legality and credible evidence, for example. 
It has to be approved or supervised by a judge.
    There are a number of different types of rules like that we 
tried to make sure that this would only apply to those kinds of 
countries that have a really robust system that respects 
privacy, civil liberties, and rule of law. And, frankly, would 
not be available probably to every country in the world by any 
stretch. It is going to be a strong system that only countries 
that have similar, not identical, but similar kinds of 
procedures and processes in their legal systems as we do.
    Mr. Rutherford. So, would you envision that through these 
negotiations we would, you know, meet the standard of probable 
cause for a warrant by agreeing that you know maybe a necessity 
and proportionality do qualify as probable cause? Is that kind 
of how you see this going forward?
    Mr. Downing. Well, I guess I would not characterize it as 
that there is a requirement that other countries use the words 
``probable cause'' or to have that exact concept. Frankly, I do 
not know of any other country in the world that uses that exact 
wording.
    Mr. Rutherford. No, but I mean within the body of the 
bilateral agreement, we would have some firm that would be 
necessity and proportionality and probable cause and we would 
all agree that meets the law of both parties in the bilateral 
agreement. Is that your intention?
    Mr. Downing. Yeah. No, in the enabling legislation it 
actually set out those kinds of rules. And one of the 
requirements, for example, is that the orders be based on 
articulable and credible facts or evidence. So, it is not 
exactly the wording of probable cause, nor is it exactly the 
wording in that. But it is the idea that you have to have a 
justification that is based on objective evidence.
    Mr. Rutherford. I want to get back also to the issue that 
was brought up earlier. Would you make clear the difference 
between the requested data that requires a court order versus 
the type of data that requires a warrant and probable cause?
    Mr. Downing. For, I am sorry, under U.S. law?
    Mr. Rutherford. Yes.
    Mr. Downing. So, under the Stored Communications Act, there 
is a range of different kinds of data that can be obtained. For 
the more sensitive information, like the content of 
communications, the Department of Justice generally uses a 
warrant when obtaining that kind of information.
    On the other end of the spectrum, there might be just the 
name and the address of the person who registered the account. 
That kind of information generally does not require a warrant, 
instead you could use a subpoena or perhaps a lesser court 
order to obtain it. So, there is actually a range under U.S. 
law, but it is loosely based on the idea that more sensitive 
information gets better protection.
    Mr. Rutherford. And law enforcement has been using that 
difference for a long time.
    Mr. Downing. Since 1986, yes.
    Mr. Rutherford. Mr. McGuinness, we have talked about it a 
little bit, but the incidentally collected communications that 
involve foreign persons. Can you talk a little bit more about 
that? You have not said really specifically, for example, if a 
U.K. subject communicates via e-mail with a U.S. person, what 
is done to safeguard the privacy concerns of the U.S. person's 
communications?
    Mr. McGuinness. So, under the proposals that you have here, 
you can see the stub, the beginning of what will be negotiated 
between us should Congress agree that there should be such an 
agreement. And what is clear there is that there will be 
protections for U.S. persons, whether that be a U.S. citizen or 
a person in the United States, physically in the United States.
    A U.S. citizen wherever they may be and any person within 
the United States and there shall not be collection of them. 
And if we come across incidental collection, we will stop 
collections and delete the data. So, that is the conception. 
That this is not aimed, in any way, at U.S. citizens, wherever 
they may be and U.S. persons in the sense of anybody in the 
United States.
    Mr. Rutherford. Mr. Downing, I assume the retention laws 
all still apply?
    Mr. Downing. I am sorry, the retention laws?
    Mr. King. The allotted time has expired. The gentleman will 
be allowed to answer the question.
    Mr. Rutherford. Thank you, Mr. Chairman.
    Mr. Downing. So, yes, as Mr. McGuinness pointed out the 
data would be minimized and not used. And I would also point 
out that we as part of the agreement would have the ability to 
audit the U.K.'s practices as they would have the ability to 
audit ours. And we expect that to be a robust process to make 
sure that both parties are complying with their obligations 
under the agreement.
    Mr. Rutherford. Thank you.
    Mr. King. The gentleman yields back. The chair will now 
recognize the gentleman from Florida, Mr. Deutch for 5 minutes.
    Mr. Deutch. And I thank the chairman. Mr. Chairman, I would 
start just by reflecting upon the comments of my friend from 
Ohio a little earlier. Where he asked Mr. Downing some 
questions that were not appropriately to be asked of you and 
were not appropriately to be asked in this particular hearing.
    But I hope that my friend from Ohio and my other friends on 
the other side of the aisle in this committee, will seize upon 
the questioning that Mr. Jordan started this morning, and will 
recognize that it is, in fact, the House Judiciary Committee 
that provides oversight of the Department of Justice. It is the 
House Judiciary Committee that provides oversight of the 
administration of justice in this country. It is the House 
Judiciary Committee that, in fact, historically has waded into 
important matters where obstruction of justice claims have 
arisen with respect to the President of the United States.
    And so, I hope while this is a terribly important issue and 
I hope I get to my questions, I wanted to follow up on my 
friend from Ohio to simply suggest, that it is appropriate for 
him to ask those questions.
    I know we have a lot of questions that we would like to ask 
as well and, in fact, should be asking. As members of the 
Judiciary Committee, of former Director Comey, of Attorney 
General Sessions, of the Deputy Attorney General, Deputy 
Attorney General Rosenstein, of the Acting FBI Director. All of 
the sorts of questions that arise following just yesterday's 
headlines, last evening's headlines that the Special Counsel is 
now looking at obstruction of justice claims.
    This committee, Mr. Chairman, has a responsibility to the 
American people to hold hearings. Yes, it is important for the 
investigation being conducted by the Intelligence Committee and 
the House and Senate to continue, vitally important. Yes, it is 
important for the Special Counsel to pursue his investigation.
    But when it comes to the administration of justice in the 
United States, that falls squarely within the purview of the 
United States House Judiciary Committee. And my hope, Mr. 
Chairman, is that we will be able to come together to hold that 
hearing that the American people so desperately want us to 
hold.
    With that said, I thank you for your participation here 
today, to our witnesses. And while a lot has happened between 
today and last February Congress still has not sorted out what 
is a nationally complex issue, and I appreciate the chance that 
we have here to restart that work today.
    As I said before, we have a long overdue and hugely 
important set of questions that we have to resolve as a country 
about how continuing evolving technology and privacy interact 
with the needs of law enforcement. And when we expand out these 
issues for our interconnected world, it only serves to 
highlight how many more questions we have than answers, that is 
what we are getting at today. And I think that really needs to 
change, and we have to do it fast.
    In my mind, there are two distinct problems here. First, 
how do we increase efficiency in cross-border data flow where 
the laws of the relevant countries are in agreement? That looks 
like either a patchwork of bilateral agreements to shortcut the 
MLAT process or comprehensive reform of MLATs or doing both. 
We have been talking about some of that this morning.
    Second is what do we do where the laws are in direct 
conflict or where it is not clear which countries are the 
relevant ones in a given case? It is all too easy to envision a 
scenario where data stored in one country is requested by law 
enforcement in another regarding the information of a national 
of a third country. And while there is much more that I would 
like to say, let me start with that and ask our witnesses to 
respond. What would you do in that situation?
    Mr. Downing. I am sorry, in the situation where there is 
data of a third party?
    Mr. Deutch. It is one country, the law enforcement in a 
second country, and the national in a third country.
    Mr. Downing. So, that is unfortunately quite common. In the 
case of Ireland, Microsoft stores data in Ireland, but much of 
the data there is not going to be about Irish citizens it is 
going to be about many people, including Americans who might 
have their data stored there. Our view is that we need to have 
robust authority to get that data. It is critical for solving 
terrorism cases, solving child exploitation cases. Having quick 
and efficient means of getting it is particularly critical 
after the Microsoft decision. And we are seeking quick 
congressional action to try to deal with that problem.
    Mr. Deutch. And before I wrap up: I just asked the 
question, so, department decisions that the government should 
be able to obtain data stored abroad by applying ECPA to 
companies based in the United States. What would the position 
be if another country made the argument? How would the 
Department react if the Chinese government required a Chinese 
company, like Alibaba for example, which maintains a data 
center in the United States, to produce account information 
that belongs to U.S. citizens?
    Mr. Downing. So, I think it is important to understand, 
sir, that it is in some sense the norm that countries claim the 
authority to gather data even if it is stored outside of the 
country. If there is a person within the country who has access 
to it.
    So I have read a report, for example, that showed that 
countries as diverse as Canada and Mexico, Ireland, and France, 
Australia, and Norway, they all, like the United States, claim 
the right to obtain information if it is stored outside of the 
borders as long as there is a person, like, the company is 
based inside the country. So, it is not the case that the 
Chinese are going crazy. This is actually kind of the norm. And 
how to deal with it is an important problem.
    Of course, ECPA, our rules, would prevent China in many 
cases from getting that. And it is that conflict which is, 
unfortunately, causing problems for our providers. That is why 
we look to situations like an agreement under the U.S.-U.K. 
framework, which would ease that burden. And to make sure that 
we are doing it with appropriate countries we have safeguards 
in place to make sure that that is the case.
    Mr. Deutch. That is an important discussion. Thank you, Mr. 
Chairman.
    Mr. King. Thank you. The gentleman's time has expired. The 
chair will now recognize the gentleman from Arizona, Mr. Biggs, 
for 5 minutes.
    Mr. Biggs. Thank you, Mr. Chairman. Thank you, gentlemen. I 
was reading, Mr. Downing, your statement and listening to your 
comments today. And I want to take you to one particular 
paragraph that you wrote in here, it says, ``in particular we 
recommend enacting and implementing legislation for this 
framework.'' And you talk about as long as there is an adequate 
protection of privacy and civil liberties, right. And so, and 
you alluded to a term in kind of the framework that you have 
proposed, and I believe you used the term articulable suspicion 
or something.
    Mr. Downing. Articulable and creditable facts, I think is 
the word.
    Mr. Biggs. Yes, articulable, and creditable facts. OK, so, 
it led me back to this idea: that seems distinctive from the 
apparently American notion of probable cause. And it seems like 
a lesser standard. Tell me about that. And I think of the 
interesting term reasonable articulable suspicion which is used 
in law enforcement in terms of probable cause. And in this kind 
of unique term that you have couched here, tell me about that 
and how that protects rights and how that would adequately 
protect privacy and civil liberties.
    Mr. Downing. So, I think as I mentioned before, we are 
seeking to figure out what an appropriate baseline level is, 
not to exactly mirror the way U.S. law works. To start with the 
premise here that we are not targeting Americans, that is, that 
this is an event, for example, of a murder investigation in the 
U.K.
    So, having some deference to the other countries' laws, I 
think, is appropriate here where it is really only the fortuity 
of where the data is located that causes us to have any interest 
at all in the case. If it were not stored here, U.K. law would 
straight apply.
    So, I think it is important that we have appropriate 
safeguards, but they should not be so stringent or frankly so 
requiring that they mimic ours. That we end up with a situation 
where no other country can seem to qualify. I think we should 
find an appropriate level. I think we have created a really 
robust level of protections.
    I notice one of the statements for the record of the second 
panel here, says, we should not have any rules there should 
just be any countries involved. I think we have come to the 
conclusion that it is valuable to have a robust level of 
standards. Not identical to ours, but ones that I think would 
be appropriate and that we would have faith in as well.
    Mr. Biggs. A U.S.-U.K. bilateral agreement has been 
described as allowing wiretaps; I do not know if we have 
covered this today by, the U.K. Government. And traditionally 
we think of that as listening into telephone calls and whatnot. 
But here, we are talking about updating to you know live I 
suppose emails, chats, and texting, et cetera; is that a fair 
understanding?
    Mr. Downing. That is right. Well, it would cover any range 
of communications, yes.
    Mr. Biggs. So, Mr. McGuinness, I guess my question for you 
is why is that important in this relationship, in this 
agreement, and yeah?
    Mr. McGuinness. So, thank you, that is a really helpful 
question, and this is a vital area. We are not only talking 
here about crimes that have occurred, investigating them, and 
bringing people to justice. We are also talking about preventing 
crimes, including terrorism, child abuse, and other things. And 
in that context, live interception is a vital part of the 
toolkit.
    I have specific examples. An example would be from our 
National Crime Agency, they cite a gang of people who were 
selling live feed child abuse online. And in order to identify 
both the people doing it and the children and the location 
where it was being done, you needed to be able to cover the 
actual event happening live, because it was not going to be 
stored data. So, in that case live intercept was a vital tool 
to get coverage there.
    The same can be said of terrorism incidents. If one is 
tracking people as they build towards an attack. And one of the 
things that I would say to the committee--very loudly, as an 
experience we have had in the United Kingdom in the last 3 
months--is that speed is an issue. It is about the speed with 
which the internet is exploited by terrorists and that is the 
speed with which people can move from the thought of an attack 
to an attack if they are using knives and a heavy vehicle that 
they hire for cash. And we have seen that in France. We have 
seen that in the United Kingdom.
    So, there is a question about speed and what tool you need 
to deal with speed. I would note that, like the United States, 
we see live intercept as a particularly intrusive power.
    As I take you back to the point I made earlier about 
proportionality. So, if it is possible to gain the 
investigative advantage, if it is necessary, to gain the 
necessary investigative advantage by a less intrusive means, we 
will do so. But live intercept sometimes is vital if we are to 
prevent people being killed or abused.
    Mr. Biggs. And, Mr. Downing, back to you. We are using 
this, effectively, as a template for bilateral arrangements 
with other Nations. And you have discussed it a little bit, but 
as Mr. McGuinness said, we are from the same root ball of civil 
liberties going forward. Can you tell me you know what is going 
to look like, what is Congress's role in your mind going 
forward as we receive perhaps in other bilateral arrangements 
and negotiations?
    Mr. Downing. So, I perceive that we would seek to be in 
close coordination with Congress as we move forward. If it 
works out with the U.K., and we look to do it with other 
countries we would do that. Congress of course has a critical 
role at the beginning of setting up the rules. What are the 
rules? And, in the case of wiretaps, the rules that we are 
proposing Congress pass would include things like an exhaustion 
of alternatives, that you cannot do it if a lesser thing would 
be possible. And to have a bunch of rules in there that would 
set an important floor for that.
    And then, as I mentioned, there is a waiting period at the 
end. If we were to include an agreement with the U.K. or any 
other country, then there would be notification back to 
Congress and a delay before that agreement would go into 
effect. And Congress could act at that time if they chose to. 
So, we see this as an important partnership in getting these 
kinds of frameworks in place. And I think that is sort of an 
appropriate way for us to proceed.
    Mr. Biggs. Thank you, my time has expired. Thank you, Mr. 
Chairman.
    Mr. King. The gentleman's time has expired or he has 
returned his time. The chair will now recognize the gentleman 
from Louisiana, Mr. Jeffries for 5 minutes.
    Mr. Jeffries. From New York, Mr. Chairman. I thank the 
distinguished witnesses for their presence here today. And let 
me thank Mr. McGuinness, first of all, for your thoughtful and 
heartfelt words at the beginning of your testimony in terms of 
the calamity that we experienced here in Congress, yesterday. 
And, obviously, those thoughts are felt mutually in terms of 
what you are going through right now throughout Great Britain 
in terms of your citizens.
    In terms of Mr. Downing, I wanted to get your perspective 
on one, this Second Circuit decision: is the Department of 
Justice's position that Congress should take steps to reverse 
the holding in the Second Circuit? Is that correct?
    Mr. Downing. That is what we have proposed.
    Mr. Jeffries. And can you explain why you believe that is a 
proper course of action?
    Mr. Downing. You mean, as compared to having the Supreme 
Court settle the matter?
    Mr. Jeffries. Sure.
    Mr. Downing. Yes, we are, as I have mentioned, experiencing 
a very serious problem in gathering critical evidence in a 
whole range of our cases. And so, we have been trying to seek 
whatever course is available to correct this problem, and our 
efforts to litigate it and to get the law changed through 
interpretation in the court continue. Unfortunately, it is a 
slow process. And even in the best of circumstances, the 
Supreme Court would probably take a whole other year before it 
resolved it.
    Therefore, we are also seeking action in Congress. I do not 
see those as mutually exclusive from our perspective this is a 
critical problem that we need solved, and so having Congress 
act would be a perfectly proper solution to the problem.
    Mr. Jeffries. ECPA was first passed in 1986 is that right?
    Mr. Downing. ECPA was first passed, correct.
    Mr. Jeffries. That was 31 years ago. Since that moment the 
United States has sort of emerged as a cradle of innovation 
throughout the world, is that fair to say?
    Mr. Downing. I think that is fair yes.
    Mr. Jeffries. And in the 21st century, we live in a global 
economy, correct?
    Mr. Downing. We do.
    Mr. Jeffries. And there are U.S.-based tech companies that 
operate throughout the world, is that right?
    Mr. Downing. They do, yes.
    Mr. Jeffries. Would you say that is a good thing for the 
American people and our economy?
    Mr. Downing. There have been many benefits for the United 
States as a result of that, yes.
    Mr. Jeffries. So, it is fair to say that these companies, 
in terms of our own national economic interest, can remain 
viable and competitive internationally in the current digital 
landscape that we operate, true?
    Mr. Downing. Yes, that is true. And that is absolutely the 
case.
    Mr. Jeffries. Now, placing United States companies in a 
position where they could be forced to violate the privacy laws 
of another country would also be problematic, correct?
    Mr. Downing. Yes, I have sympathy for the situation that 
companies are in when faced with competing legal demands. It is 
true, actually, of many different kinds of U.S. industry and 
has been true, frankly, for many years outside of the context 
of telecommunications providers. There are, of course, rules to 
try to resolve those questions. But it is a fact of life for 
big multinational companies in any of our industries that they 
may have to deal with conflicting legal demands.
    Mr. Jeffries. And I just want to drill down on this point 
in terms of competitive disadvantage and conflicting legal 
demands. If we place our own companies in an adverse position 
in terms of these competing legal demands and the possibility 
of conflicts of laws and violating privacy laws of other 
countries, are those countries being skeptical of our ability 
to match their privacy standards? Does that not ultimately 
implicate the United States economic interest?
    Mr. Downing. Yes, I think that is true. It ultimately does 
have that impact. But, of course, economic interests are not 
the only ones here. I do not mean to be combative with you, 
but, of course, we also have to take into account our public 
safety interest. And if we are doing things that benefit our 
industry, but that have the impact, like the Microsoft decision 
on the protection of children and the American public, I think 
we have to make sure we are taking both of those things into 
account.
    Mr. Jeffries. Right, no, I just want to establish that 
there is a range of interests that are important in terms of 
what we as Congress should consider moving forward. National 
security interest, privacy interest, abroad and foreign, as 
well as our own competitive economic interests, is that 
correct?
    Mr. Downing. Absolutely, I think looking for a solution 
that meets all of these needs would be the best path forward.
    Mr. Jeffries. And, in fact, I think Article I, Section 8, 
Clause 3 of the Constitution states that it is Congress that 
shall have the power to regulate commerce with foreign 
countries; is that right?
    Mr. Downing. That is true, yes.
    Mr. Jeffries. And so, when you take all of this into 
account, is it not fair to say Congress should be intimately 
involved in whatever framework is developed from a bilateral 
standpoint or multilateral standpoint in terms of dealing with 
data sharing?
    Mr. Downing. Absolutely. As I mentioned before, we see 
close coordination with Congress as important. And, of course, 
setting up the whole framework is a role that we are asking 
Congress to take on in terms of U.S.-U.K., to be able to set up 
the rules that we would have to follow in passing any kinds of 
future agreements with other countries.
    Mr. Jeffries. My time has expired. One, I want to thank 
Congressman Marino for his leadership in this area. And also 
point out that, you know, close coordination is a vague phrase. 
I think we are going to have to drill down on specifics as it 
relates to the power to accept, reject, or amend, and what form 
that takes either in the treaty context or in, you know, the 
administrative review context as it has been used in other 
incidences is going to be important for us to move forward; 
would you agree?
    Mr. Downing. Yeah, no, it certainly----
    Mr. King. The gentleman's time has expired. The gentleman 
will be allowed to answer the question.
    Mr. Downing [continuing]. I will simply say, yes. It is an 
important question that we are going to have to resolve.
    Mr. Jeffries. Thank you. I yield back.
    Mr. King. Thank you. The gentleman from New York has 
returned his time with apologies to the chairman. Now, I 
recognize the gentleman from Texas, Mr. Ratcliffe, for his 5 
minutes.
    Mr. Ratcliffe. Thank you, Mr. Chairman. I appreciate the 
witnesses being here today. I have been bouncing between 
meetings and other hearings, and so I apologize in advance if I 
am going to ask you something that may seem repetitive to you.
    Mr. Downing, if I understand correctly, certain proposals 
for addressing the issues that we are examining today would be 
to focus less on the location of the data itself and more on 
the citizenship and physical location of the individual about 
whom the information is being sought. Does it concern you, from 
a law enforcement perspective, about a scenario where a U.S. 
company does not know the citizenship or physical location of 
the individual and so declines to turn over the evidence? Or, I 
guess, related to that, feels that the government has not 
sufficiently established the citizenship and still declines?
    Mr. Downing. That is absolutely a concern of ours. If we 
have a rule which is based solely on the citizenship of the 
person, and it does not take into account the very common 
situation where we do not know that person's citizenship, and 
that blocks us from getting evidence, that is a very serious 
problem. We often are in a situation where we have, let's say, 
a hacker or a child sexual exploiter who is hidden from us by 
the anonymity that is provided by the internet. It cannot be we 
do not get to access that information simply because we do not 
know the person is yet.
    Mr. Ratcliffe. OK. I was out walking and someone was asking 
you about wiretaps as a former prosecutor, you know, my 
perspective on wiretaps is they are traditionally thought of as 
listening in to phone calls in real time. The request from the 
U.K. here, with respect to the U.S.-U.K. bilateral agreement, 
would not be to do that, correct?
    Mr. Downing. I am sorry. The rules that we are proposing 
would be that if there is a targeting of an investigation which 
is not a U.S. person, if it is a U.K. person, for example, and 
they need to get a wiretap for that person, but the only place 
that the wiretap could be effectuated is in the United States, 
then it would be part of the agreement that they could use 
their own wiretap law, their own wiretap order, with their own 
restrictions. And then, the U.S. company would comply with that 
foreign legal process.
    Mr. Ratcliffe. OK. And so, would it also apply in the 
context of text messaging and other features like that?
    Mr. Downing. Yes, absolutely, it would be for all kinds of 
communications not just verbal ones.
    Mr. Ratcliffe. OK. So, then, let me ask you, Mr. 
McGuinness, and I appreciate you traveling all the way here and 
I represent east Texas and I have enjoyed listening to your far 
east Texas accent this morning. But one of the topics that is 
the subject of debate and, ultimately, reauthorization here in 
this country will be tools like 702 of our FISA Amendment Act 
that a tool that can result in the incidental collection on 
U.S. persons. So, how does the U.K. treat incidentally-
collected communications that involve foreign persons under 
this?
    Mr. McGuinness. Let me say, first of all, my family in East 
Texas, I hope you are looking after them well, my aunt, and 
uncle, and cousins. So, to be clear, I think we said it, but it 
is worth saying again. The proposed U.K.-U.S. framework that we 
are talking about is not about U.S. citizens and not about 
persons in the United States; categorically, not. When we talk 
about foreign persons and how they are protected in this, it is 
U.S. persons who are protected.
    Other foreign citizens are not. That is because the 
conspiracies that we look at for almost everything that we look 
at under serious crime, unless there is a single actor, 
involved people of multiple nationalities. And that is true if 
we are looking at are known Albanian crime groups, trafficking 
people into the U.K. That is true if we are looking at recent 
conspirators and attackers in the United Kingdom who carried 
out attacks. There are multiple nationalities, multiple 
connections, externally.
    And we covered this a little bit earlier, but it is worth 
repeating; we, within this agreement and within the language 
that has been sent by the administration of the Congress, there 
is a very clear protection for the rights of U.S. citizens and 
U.S. persons; an expectation that, should we inadvertently 
collect the communications of a U.S. person, that as soon as 
that is evident, we will desist, and we will delete the data; 
we will minimize the data. So, that protections are in place. 
That is, obviously, something the exact detail of how we do 
that is to be discussed if you agree there should be an 
agreement. But I am confident that we can set a very high 
standard.
    Mr. Ratcliffe. OK, and my time has expired, but that would 
apply, for instance, if a U.K. subject communicates via email 
with a U.S. person? You are talking about applying those 
privacy safeguards to the U.S. person?
    Mr. McGuinness. Indeed, if I write to my cousins.
    Mr. Ratcliffe. OK. Very good. I appreciate that. Thank you. 
I yield back.
    Mr. King. The gentleman yields back his time. The chair now 
recognizes the gentleman from Rhode Island, Mr. Cicilline.
    Mr. Cicilline. Thank you, Mr. Chairman, and thank you to 
our witnesses. Mr. McGuinness, in particular, welcome. We 
appreciate your long travel and thank you for your thoughtful 
words at the beginning of your testimony. And I hope you feel 
the same prayers and thoughts of all of the American people 
with respect to the citizens of the U.K., in particular, the 
families of the loved ones who were killed or injured in those 
attacks in your own country.
    I think there is broad consensus in our committee that we 
need to urgently respond to the issues that both of the 
witnesses have raised. And I think our committee took up the 
Email Privacy Act in the hope of developing and implementing a 
uniform domestic standard for law enforcement based on probable 
cause, a standard we are familiar with here in the United 
States. But that we also need a uniform standard that provides 
clear guidance to all parties for overseas applications of 
electronic information.
    And I think, as the gentlelady from California mentioned, 
it is of particular concern to American companies. We do not 
want to put them in a position where, despite their best 
efforts to comply with prevailing law, that they are in a 
position of, by any action, either complying with one law and 
inadvertently or unintentionally violating another, and it puts 
them in an impossible position. So, I think it really 
underscores the urgency of our work.
    And so, I guess my first question is kind of what your 
sense is, that is both of you, with respect to the current MLAT 
process, you know, there has been a lot of talk about reform. 
Is it mostly that we have to figure out ways to accelerate the 
decision making and application process? Does it mostly strike 
the right balance, or beyond sort of the speed and efficiency 
of it, are there other reforms that you think are critical?
    And, particularly, your thoughts on the legislation that 
was introduced in the last Congress by Ms. DelBene and Mr. 
Marino. Did that strike the right balance and address all or 
most of your concerns?
    Mr. Downing. So, I want to be clear that the MLAT process 
is an important tool, but I think it is also clear that, as we 
have entered a global and internet-connected world, that it is 
not a sufficient tool that we can use in all the times and 
situations that we need. That is why we are looking at faster 
processes such as the U.S.-U.K. agreement.
    That being said, I think we are not going to ever reach a 
point where we have bilateral agreements with every country in 
the world. And even if we did, there is still going to be the 
need for mutual legal assistance treaty processes, for example, 
when the U.K. needs information about a criminal in the United 
States.
    However, the MLAT process will be benefited, interestingly, 
by bilateral agreements, because it will take some of the 
pressure off of it. Some of the cases could be handled in that 
way.
    You have to think about the MLAT process in two directions. 
One is our outbound requests, how quickly other countries are 
complying with that. Unfortunately, it is often very slow and 
cumbersome, and, of course, we do not have MLATs with some 
countries. As far as the inbound requests, we at the Department 
of Justice are taking a lot of steps to try to do a better job 
of it. Unfortunately, the requests, especially for electronic 
evidence, have just risen massively over the last decade, and 
resources have not necessarily kept pace with that.
    We have done a number of reforms, though. We have created a 
whole cyber team to focus on these kinds of requests in 
particular. We have improved efficiency by focusing our efforts 
by going to the courts here in the District of Columbia rather 
than spreading these out all over the country.
    And we have really made some substantial gains. I had a 
couple of figures prepared. In the 2013 to 2016 timeframe, we 
saw our increase in our requests go up by 175 percent, but the 
number of ones that we were able to resolve went up by 532 
percent. So, we are cutting into the backlog. We are doing a 
better job of it. However, there are still a lot of hurdles.
    In particular, this was partly accomplished by a one-time 
transfer of funding from one pot to another. And without a 
sustainable amount of resources to put into this problem, we 
actually hired a number of attorneys; we need to be able to 
support them if we are going to continue to make progress on 
this. So, I think there are opportunities for improvement. We 
will continue to work hard on that and hopefully we will also 
be able to see improvement when we make our requests going out, 
which is consistently also an issue that we are going to have 
to grapple with as well.
    Mr. Cicilline. Thank you. Mr. McGuinness.
    Mr. McGuinness. So I would strongly endorse what Mr. 
Downing has said about the importance of MLATs, both, actually, 
bilaterally between the U.K. and the U.S., but also as a 
mechanism that will allow us to deal with countries that cannot 
reach the high standards that are being set by this proposal 
here. MLATs are too slow. Well, we need to do work on that. We 
need to relieve the pressure on them, absolutely.
    They also are backward-looking. And I think we would all 
agree that in some of the egregious crimes that we are looking 
at, these terrorist attacks and conspiracies that we have, 
child sexual exploitation, trafficking of human beings, that 
actually, we want to get into stopping it and preventing it. 
And the MLAT will not really allow you to do that except in 
prosecuting some of the people doing it. So, this agreement 
allows us to do more of that preventative work to our mutual 
benefit.
    Mr. Cicilline. Thank you. I see my time has expired. Thank 
you both.
    Mr. Downing. Thank you.
    Mr. King. The gentleman from Rhode Island has returned his 
time. The chair will now recognize himself for 5 minutes. And I 
would first turn to Mr. Downing and thank you for your 
testimony. And I wanted to understand how a section 2703 
warrant is actually issued, the functionality of that. Could 
you explain that to the panel?
    Mr. Downing. Absolutely. 2703 warrants are actually 
executed much more like a subpoena. The officer would swear out 
the warrant before the court, supply probable cause, do all the 
steps, and have the judge sign it. And then, that is simply 
provided to the provider. Under 2703(a) it says that the 
warrant may compel the production. That is, it is a compulsion 
order, not a situation where the officer goes to Google's 
headquarters with a gun and says, ``Stand away from the 
keyboards. I am here to seize the evidence.'' Instead----
    Mr. King. How does it actually arrive, then? How is it 
actually presented to, say, Microsoft in Ireland? How does it 
get there?
    Mr. Downing. So, we would normally not present it to 
Microsoft in Ireland. We would present it to the domestic 
service provider. It varies between providers. In the old days, 
we would fax them. Now, there are electronic means of 
transferring the information. But----
    Mr. King. So, I get that. Then you swear out a warrant; the 
judge approves it; and then the document, perhaps a PDF 
document, is emailed, then, to the company that is in control 
of the information you are seeking?
    Mr. Downing. That is correct.
    Mr. King. And if that company is domiciled in Ireland 
rather than the United States, is there a legal difference?
    Mr. Downing. Domiciled? No. I mean, if the company is in 
the United States doing business in the United States, 
employees in the United States----
    Mr. King. A U.S. presence.
    Mr. Downing [continuing]. We would regard that as being 
under the jurisdiction of the court.
    Mr. King. OK. So, any company domiciled anywhere that has a 
U.S. presence, then, is subject to a 2703 warrant?
    Mr. Downing. Any company that would be inside the 
jurisdiction of the court, yes.
    Mr. King. OK. And if that company then holds that 
information in Ireland, as a topic we are discussing here, and 
you do not review that data until it is back inside the 
domestic boundaries of the United States?
    Mr. Downing. That is true, yes. It would be disclosed to us 
here.
    Mr. King. That is how you qualify that a warrant then is 
valid and can be applied under these circumstances we are 
discussing?
    Mr. Downing. Well, it would have to be that the company not 
only has a presence here, but that there is a person inside the 
United States who has possession or control over the 
information. So, in the case of Microsoft, for example, the 
employees here have----
    Mr. King. Or access to that information that might be held 
in a foreign country.
    Mr. Downing. Or access to? I am sorry.
    Mr. King. Well, as I understand this case with Microsoft, 
the data was in Ireland.
    Mr. Downing. That is true.
    Mr. King. And the warrant was served, we think, to the 
Microsoft officials here in the United States----
    Mr. Downing. That is correct.
    Mr. King [continuing]. Who, then, were compelled by the 
court to access that information and deliver it to justice.
    Mr. Downing. That is correct. They had possession and 
control, those are the sort of legal words of this----
    Mr. King. OK. Let's just say you had a justice official in 
Ireland that could walk into the headquarters in Ireland of 
Microsoft, and that warrant was served electronically and 
emailed over there to Ireland. Under this warrant, could they 
hand them the data off of their hard drive, let's say, in a 
thumb drive condition?
    Mr. Downing. I am sorry; I lost you on that hypothetical. 
It is a----
    Mr. King. I am just intrigued by this legal technicality 
of, if the data is in a foreign country and there is a U.S. 
presence for that company, the warrant can be served in 
America, but you cannot look at the data until it gets back 
into America. That seems to me a very finely-split legal hair, 
and I am trying to understand that rationale. We have seen some 
of these finely-split legal hairs rationale in the past before 
this committee, and they do not always hold up.
    Mr. Downing. I guess I do not see it as a legal hair. Over 
the last many decades, we have had situations where we serve a 
subpoena on a company and the paper documents might be located 
overseas; perhaps they are bank records, and we have required 
the company to comply with that subpoena. And we have a whole 
doctrine to deal with the potential conflicts of law.
    If the company comes forward and says, ``I cannot do it 
because there is a real conflict,'' then the courts would 
balance that kind of conflict. I would expect that kind of 
analysis would be what would happen in this situation as well.
    Mr. King. Mr. Downing, my time is clicking down. But I just 
was caught by perfectly proper, and I will dig into that 
perhaps a little later. But I wanted to take this opportunity 
to thank Mr. Paddy McGuinness for his presence here, and I want 
the committee to know that you rolled out significant 
hospitality to myself and Chairman Goodlatte and several others 
almost a year ago, around June 25 or so last year, shortly 
after the Brexit vote.
    We had a deep and engaging discussion and were very well-
informed by yourself and a number of other persons that were 
there in the briefing table. And the intent that flowed from 
that discussion seems to also flow from your testimony here 
today. And I want to thank you formally for your efforts on 
this. And my sense of what we have negotiated so far is in 
keeping with those things that we saw and discussed in London 
almost a year ago, and any final words you would like to say, 
Mr. McGuinness, I would like to hear them.
    Mr. McGuinness. Thank you very much. Can I say, first of 
all, I am most grateful for the engagement of this committee in 
this business? This is of vital interest to the United Kingdom. 
This will enable us to keep ourselves and our American allies 
safer, and so I am most grateful for it.
    I am also really grateful, and we have been heartened and 
our resolve strengthened, by the practical support we have 
received from the United States, but also the moral support, 
and I heard some of it here today, in the face of what has 
happened to us over the recent months. And I suppose my last 
message, apart from being grateful, is simply to say that we 
are resilient and are confident in our ability to see through 
this slightly difficult period and get to a better place, not 
least with your help.
    Mr. King. We have fought together through much more 
difficult endeavors in the past. We will demonstrate that to 
the world, Mr. McGuinness. Thank you very much. And I see my 
time has expired. Now, I would recognize the gentleman from 
Maryland, Mr. Raskin, for 5 minutes.
    Mr. Raskin. Mr. Chairman, thank you very much. And Mr. 
Downing, Mr. McGuinness, welcome. Thank you for your excellent 
testimony. Mr. McGuinness, let me just echo my colleagues in 
saying we thank you for your words of solidarity and 
encouragement, and we return them to you and the people of the 
United Kingdom as you deal with the violence and terror that 
have beset the people of your country.
    I am persuaded, very much, by the testimony that the laws 
governing law enforcement access to data across borders are in 
critical need of revision and modernization at this point. And 
because of the Second Circuit decision in Microsoft Ireland, 
the U.S. law enforcement is blocked from accessing data in 
legitimate investigations based simply on the fortuity of where 
the data happens to be held. And the mirror image problem 
applies to foreign countries in trying to access data that you 
need in order to solve and prevent crimes. So, the suggestion, 
as I understand it, is for a bilateral agreement between the 
U.S. and the U.K., and then perhaps a series of bilateral 
agreements with other countries.
    I want to make sure that both of you agree that such 
agreements should only be undertaken where both sides respect 
basic rule of law principles and basic human rights principles. 
Am I correct in saying that?
    Mr. Downing. Absolutely, yes.
    Mr. Raskin. And, Mr. McGuinness, you agree?
    Mr. McGuinness. Strongly so.
    Mr. Raskin. In other words, we are very happy to guarantee 
the mutual transmission of law enforcement data when we know it 
is not going to be abused, when we know that the government 
that obtains it will respect the rule of law, the ability of 
people to defend themselves, have notice and opportunity to be 
heard and so on, and where basic human rights norms are, in 
fact, being observed.
    Does it follow, then, that the countries with which we 
engage in such mutual bilateral agreements themselves should 
also not turn over any law enforcement data to authoritarian 
regimes or regimes that fall outside of a rule of law or human 
rights framework? Does that follow?
    Mr. Downing. I think I would not be quite so categorical 
about that. It is also possible that authoritarian regimes have 
their own perfectly legitimate crime and security problems, and 
there may be situations where evidence lawfully gathered could 
be used to prevent a serious terrorist attack in another 
country.
    Nevertheless, your basic premise is right, that there 
should be appropriate restrictions on the sharing of 
information and that it should not be used as a free ride or a 
way of getting any benefit that would not normally be there.
    Mr. McGuinness. So, if I may, so far, clearly we have been 
having, in principle, discussions of what an agreement might be 
like rather than what an agreement will be, because we do not 
have your agreement that there should be an agreement. But our 
understanding has been, our expectation is, that there will not 
be onward passage of data that is provided through this 
reciprocal agreement.
    So, let us say we are investigating an Albanian crime 
group. We get coverage of it and we learn of a harm that is 
occurring in a third country that does not have appropriate 
human rights standards or privacy respect, or whatever it is. 
We would still want to tell them of the harm and enable them to 
deal with it, and we would go and do that. We just simply would 
not give them the data. So, we would give them the result of 
the investigation, and I think that provides us with some 
protection.
    Mr. Raskin. And that is for the purposes of crime 
prevention?
    Mr. McGuinness. Yeah, for the purposes of crime prevention, 
for instance.
    Mr. Raskin. What is the scope of the agreement in terms of 
which crimes are incorporated within it? I think I saw 
someplace that serious crimes. But is there any definition of 
that? Is that what we call felonies in the United States?
    Mr. McGuinness. So, the definition we have been working on 
in the United Kingdom is a crime which gets a mandatory 
sentence of three years or more. So, that provides us with a 
baseline, and then we go above that, and that covers the range 
of crimes that we have been using in our testimony today.
    Mr. Raskin. Got you. And to what extent do we need a 
multilateral treaty to deal with this? And could such a 
multilateral treaty actually advance rule of law and due 
process concerns in countries where it is in danger?
    Mr. Downing. So, I think the idea that other countries may 
be willing to raise their standards in order to meet the 
obligations under this in order to get access to this type of 
agreement is very much one thing that we have given some 
thought to and, I think, an advantage of the system that we 
have. We are open to all sorts of ways of thinking about this 
and doing it efficiently.
    So, having a multilateral agreement could be a way forward, 
so long as all the countries that were in that group met the 
basic rules that we are setting out, that Congress would set 
out if they were to pass the proposal as we suggested it. So, 
it would have to be that they all meet that robust standard, 
but having a more efficient way of doing it on a faster basis, 
that is something we would certainly be open to.
    Mr. Raskin. OK. I have gone over, Mr. Chairman. I yield 
back. Thank you.
    Chairman Goodlatte. The gentleman from Georgia, Mr. 
Collins, is recognized for 5 minutes.
    Mr. Collins. Thank you, Mr. Chairman. I think one of the 
things we have seen here, and, Mr. McGuinness, thank you for 
being a part of this. I want to start with you and then I am 
going to come to Mr. Downing. In the treaty perspective, and I 
know there has been some discussion and we just handle this 
sort of in a treaty mode if we do it bilaterally, which I think 
with one of our greatest friends, you know, the U.K., would be 
not a problem. But the reality here is that this is a subject 
that spans far more borders than just this.
    And I think following up a little bit on my friend from 
Maryland's question, is how do we see this with other players, 
China, others, you know, where these markets or even in the EU, 
working to that? Really, bilateral is a good step, but it is 
not really addressing completely this issue, would you think?
    Mr. McGuinness. So, if I may, I think I have a couple of 
thoughts for you. The first thought I have is that this way 
forward is one we have worked up with the close support of the 
major U.S. tech companies who see this as a way out of the bind 
that they are in. And they see it as a way we can build 
incrementally into a better space. First thought.
    Second thought, when I go and talk to European colleagues, 
as I do regularly, they are, like, people in a closed room with 
no exit, where they are suffering from crime, or in the case 
particularly of northwestern Europe, they are facing terrorism 
of a kind that they find it very hard to deal with, and they 
have not got the data that they need. And they are thinking of 
solutions within their national boundaries, data localization 
and the rest, and this agreement is a way out of that position.
    And so, it may be that you do it individually with them. It 
may be eventually you are able to do it more broadly. But what 
we need, as I think the Justice Department have said, is we 
show there is a way of doing this. If we show there is a way of 
doing it, we will see it through.
    Lastly, in terms of China, I think, as we had a question 
earlier about standards in North Korea and Cuba and various 
other states, it will be a wonderful thing if we can get them 
to raise their respect for freedom of expression and privacy 
and the rights of the citizen. There are other mechanisms for 
providing data to them, and we talked about MLAT here, and I 
think we are just going to have to have a multiplicity of ways 
of dealing with the more difficult jurisdictions. But, 
actually, we have that anyway in our interactions with them.
    Mr. Collins. Well, look, I am very sympathetic. Our tech 
companies especially here in the U.S. are outstanding, and they 
have, you know, they model and they go around the world. I 
think there is some issues, I think not only raising security, 
privacy, but also protection and content. There is a lot of 
other issues here that we could get into with this situation.
    Mr. Downing, though, I do believe there is an issue here, 
and it has been addressed here and we are looking at from a 
legislative standpoint, and then based on the written 
testimony, it is safe to assume that your belief is the 
government should be able to obtain this information 
regardless, correct? In the United States, regardless of the 
data's location.
    Mr. Downing. That is correct. That is our proposal.
    Mr. Collins. OK. Well, and just hypothetically here, if so, 
how would we, I guess, as a country, react if we adopted this 
position? For example, if the Chinese government required a 
Chinese company, like Alibaba, which maintains data centers in 
the U.S., to produce information that belongs to a U.S. 
citizen? Would that not jeopardize individual's interest here 
in companies here in the U.S.?
    Mr. Downing. It is already the case that the Chinese 
government claims that right, as do, frankly, as I mentioned, 
many countries around the world: Canada, Mexico, Ireland, 
Australia----
    Mr. Collins. But we are sort of the buffer at this point to 
say, ``Hang on a second.'' That is why this Congress 
legislatively should be looking at this, because, you know, 
again, I think that is the question I am saying is, are we 
tactically going down a road that is not, at this point, lining 
up with the privacy needs and privacy interests with our 
companies and with our citizenry in regard to regimes that we 
would never agree to this on any circumstance?
    Mr. Downing. So, with respect to, say, a country that we 
would not be willing to enter into a bilateral agreement: for 
them, the restrictions on disclosure under ECPA would not be 
lifted, and therefore, the Chinese court orders would likely 
not be complied with by the U.S. companies. So, we are 
interested in reducing those conflicts of law for our 
companies, but doing it in a selective and positive way with 
countries that we can agree have a respect and a robust 
protection for civil liberties and the rights of their people.
    Mr. Collins. And I think that is, you know, as we get to do 
here in hearings and even with the second panel and others 
which I will be in and out of a lot, that is the ideal. But we 
also have to reel in the realities of data in companies in the 
U.S. and others and where they store the data and how they move 
their data and how some of these are applicable interests, and 
I think that has to be given some deference to these tech 
companies.
    And the growth: we are still even in their expansion that 
we have seen in the last little bit are still at that area of 
growth that people more and more depend on this privacy, more 
and more expect this privacy, and I think that has been said 
even 10 years ago.
    This is the next big debate that we have to have, and I 
think it is something that I am very concerned about, 
especially dealing with our companies who are providing this. 
And it is a balance.
    And so, for me, it is just really a concern here that the 
DOJ look at it also from our perspective as well, and when we 
legislatively fix this, it is not just a, ``We are not going to 
go here. We believe this,'' but there is a balance that we need 
to strike. And that is the thing I believe. And I think our 
tech companies deserve that, but more importantly, the American 
people deserve it, and then from a citizenry and citizenry of 
the world with our friends across Europe and other places. So, 
with that, Mr. Chairman, I yield back.
    Chairman Goodlatte. The chair thanks the gentleman and 
recognizes the gentlewoman from Washington, Ms. Jayapal for 5 
minutes.
    Ms. Jayapal. Thank you very much, Mr. Chairman. And I just 
want to again extend my thanks to both of you, and, 
specifically, to Mr. McGuinness for making the journey at a 
very difficult time. You know that the United States stands in 
firm alliance and solidarity with the United Kingdom.
    I absolutely agree that we need a comprehensive framework 
that takes into account our very global, interconnected economy 
and, at the same time, balances our many needs. And, of course, 
we are very proud in Washington State of our extremely 
innovative tech sector. We want to make sure that the economic 
benefits of our digital economy continue to come to the United 
States and benefit the United States.
    We also want to make sure that we are protecting the 
global, national, and domestic security, and protecting our 
civil liberties and privacy rights of U.S. citizens. And I 
agree with our ranking member when he said at the very 
beginning that we do need to make sure that we get our details 
right.
    Mr. Downing, I wanted to just follow up on Mr. Raskin's 
question about what constitutes serious crimes, because 
obviously, public discussion is centered around investigations 
into serious crimes. I know Mr. McGuinness defined it as 
anything that gives you three years or more. But can you give 
me a little bit more detail in terms of how we would assess 
what is truly serious crime?
    And would these agreements also apply to less-specific 
national security threats? And with regard to the serious 
crimes, because of the way our justice system works, we have a 
lot of mandatory minimums, we have other things that put 
certain crimes into a framework that may not comport with the 
United Kingdom. Can you just give a little bit of insight into 
that?
    Mr. Downing. So, we were choosing the framing of serious 
crime in order to provide at least a little bit of flexibility 
as different countries, as you correctly point out, have 
slightly different approaches to sentencing in their different 
countries, and what might constitute a particularly severe 
sentence in the U.K., may not be quite regarded in the same 
way.
    I would see, for our law, it would be, you know, felony 
crimes would be probably a rough-and-ready way of looking at 
it. But the reason we did not try to specify it with even 
greater specificity in the proposed framework is that there may 
be a need for some flexibility.
    With respect to national security threats, I want to be 
clear, this is not an intelligence-gathering tool. The 
agreement is aimed at the investigation and prevention of 
crime. Of course, there are some national security threats such 
as terrorist threats that also are crimes, and so would be 
covered here. But it is not intended as a sort of 
counterintelligence or other national security work. It is a 
provision oriented toward solving and preventing crime.
    Ms. Jayapal. That is helpful. Thank you. And in the 
proposed legislation from the department, you talk about orders 
issued by a foreign government must be subject to review or 
oversight. Can you clarify exactly what you mean by oversight? 
What would Congress's role be in that? How do you foresee 
Congress having that very active role in oversight that I 
believe we should have?
    Mr. Downing. So, I think the provision that you are 
referring to talks about the oversight of legal process that is 
issued within one of the two parties. That is, when the British 
police officer is investigating an organized crime group, there 
needs to be oversight of the application for that court order.
    Slightly different question, I think, is what is Congress' 
role in overseeing this entire process of developing a 
framework and an agreement? And as I have said, I think our 
expectation is that there will be close collaboration with 
Congress. We certainly worked hard over the last year to try to 
be involved with committee staff on both sides of the House and 
the Senate.
    We also see a strong congressional role in setting up this 
whole framework. It is very much a congressional choice to be 
able to figure out what the rules ought to be for these 
agreements going forward. And then, there would be notice to 
Congress before any agreement goes into effect to make sure 
that Congress has a role at that stage as well.
    Ms. Jayapal. And so, you would be willing to subject these 
agreements to a vote by Congress?
    Mr. Downing. So, the proposal does not formally create a 
requirement that there be a vote by Congress. This is more 
like, I suppose----
    Ms. Jayapal. But would you be willing to agree to that, 
though?
    Mr. Downing. I am not sure what you mean, a vote by 
Congress. I think Congress is, of course, always able to pass a 
law that would block this kind of thing, so that does not need 
to be said, I suppose, if you like, that Congress has that 
authority to do so.
    Ms. Jayapal. Thank you. Mr. McGuinness, one of the chief 
concerns underlying this discussion has been the move towards 
data localization, and I know my time has expired, but if you 
could just quickly say, economically and politically, what are 
some of the harms of data localization laws?
    Mr. McGuinness. So, the United Kingdom, Her Majesty's 
government, is opposed to data localization. And we are opposed 
to it because we think it undoes the good that has been done 
economically and in terms of our ability finally to live our 
lives that we get from network systems that are agnostic about 
where data is and where it goes. So, we are opposed to it.
    We see data localization, and the companies are better to 
speak to this, and I think you have colleagues from Google 
coming afterwards, but we see it as, frankly, slowing down the 
functioning of the internet in itself, perhaps technically, but 
also, frankly, potentially limiting the value of commerce 
through the internet. And also, frankly, it is going to lead to 
many more difficulties about ownership of data and the working 
system, so we are opposed to it. It is a matter of policy.
    Chairman Goodlatte. Well, I want to thank both of you for 
your participation and forbearance. We have been going for over 
2 hours, and we thank you both for very interesting testimony 
and very important issue.
    So, thank you, Mr. McGuinness, for coming across the pond, 
as they say, to join us today, and Mr. Downing, you did not 
have to travel quite as far, but it is important that the two 
of you be working together on finding ways to solve this 
problem. And we will definitely be playing a role up front and 
as we move forward. So, thank you both and we will excuse you----
    Mr. Downing. Thank you very much. We look forward to 
working with you.
    Chairman Goodlatte. We excuse you and move to our second 
panel. And for those of you who may be wondering, we are going 
to go right into this second panel. So, if Mr. Salgado and Mr. 
Littlehale and Mr. Calabrese and Mr. Woods would come forward, 
we will get started right away.
    While you are still standing, why not remain standing so I 
can swear you in? And then, I will introduce all of you. So, if 
you would raise your right hand.
    Do you and each of you solemnly swear that the testimony 
that you are about to give shall be the truth, the whole truth, 
and nothing but the truth, so help you God?
    Let the record reflect that all of the witnesses responded 
in the affirmative.
    And I will begin by introducing Mr. Salgado. Mr. Richard 
Salgado is the director of Law Enforcement and Information 
Security for Google. Previously, Mr. Salgado was with Yahoo, 
focusing on international security and compliance work. Mr. 
Salgado has also served as senior counsel in the Computer Crime 
and Intellectual Property Section of the United States 
Department of Justice.
    At the Department of Justice, Mr. Salgado specialized in 
investigating and prosecuting computer network cases that dealt 
with technology-driven privacy crimes. He has served as a legal 
lecturer at Stanford Law School, adjunct law professor at 
Georgetown University Law Center, and George Mason Law School, 
and as a faculty member of the National Judicial College. He is 
a graduate of the University of New Mexico and Yale Law School.
    Mr. Richard Littlehale is the Special Agent in Charge of 
the Technical Services Unit at the Tennessee Bureau of 
Investigation. Mr. Littlehale coordinates and supervises a wide 
range of advanced technologies in support of law enforcement 
operations. Mr. Littlehale, along with TBI special agents, 
specialize in developing evidence from communications records 
in a wide range of cases, including homicides, internet crimes 
against children, and computer intrusions.
    Mr. Littlehale has also served as a legal adviser to the 
Tennessee Bureau's Drug Investigation Division. In this role, 
he was responsible for providing field and office legal support 
for TBI criminal investigators and their supervisors. Mr. 
Littlehale is a graduate of Bowdoin College and Vanderbilt Law 
School.
    Mr. Chris Calabrese is the vice president of Policy at the 
Center for Democracy and Technology. Mr. Calabrese has long 
been an advocate for privacy protections, having testified 
before Congress and appeared in many news media outlets 
discussing technology and privacy issues. Previously, Mr. 
Calabrese served as legislative counsel at the American Civil 
Liberties Union, Washington Legislative Office.
    While at the ACLU, Mr. Calabrese led the office's advocacy 
efforts related to privacy by developing proactive strategies 
on pending Federal legislation concerning privacy and new 
technology. Prior to joining the ACLU, he served as legal 
counsel to the Massachusetts Senate majority leader. As legal 
counsel, Mr. Calabrese helped on legislation pertaining to 
privacy and antidiscrimination laws. He is a graduate of 
Harvard University and Georgetown University Law Center.
    Professor Andrew Keane Woods is an assistant professor of 
law at the University of Kentucky College of Law. His teaching 
and scholarship include cybersecurity and the regulation of 
technology, contract law, international law, and empirical 
legal studies. Previously, Professor Woods was a post-doctoral 
fellow at Stanford University at the Center for International 
Security and Cooperation. Prior to that, he was a fellow at 
Harvard Law School. Professor Woods is a graduate of Brown 
University, Harvard Law School, and was a Gates Scholar at the 
University of Cambridge where he received his Ph.D. in 
politics.
    I want to welcome all of you. Your written statement will 
be entered into the record in its entirety, and we ask that you 
summarize your testimony in 5 minutes. To help you stay within 
that time, there is a timing light on your table. When the 
light switches from green to yellow, you have 1 minute to 
conclude your testimony. When the light turns red, that is it. 
Your time is up. And we will start with Mr. Salgado. Yeah, we 
will start with Mr. Salgado. Welcome.

 STATEMENTS OF RICHARD SALGADO, DIRECTOR, LAW ENFORCEMENT AND 
INFORMATION SECURITY, GOOGLE; RICHARD LITTLEHALE, SPECIAL AGENT 
    IN CHARGE, TECHNICAL SERVICES UNIT, TENNESSEE BUREAU OF 
INVESTIGATION; CHRIS CALABRESE, VICE PRESIDENT, POLICY, CENTER 
    FOR DEMOCRACY & TECHNOLOGY; AND ANDREW WOODS, ASSISTANT 
    PROFESSOR OF LAW, UNIVERSITY OF KENTUCKY COLLEGE OF LAW

                  STATEMENT OF RICHARD SALGADO

    Mr. Salgado. Chairman Goodlatte and members of the 
committee, thank you for the opportunity to appear before you 
this afternoon to discuss the issue of cross-border law 
enforcement requests for user data.
    Today, I want to discuss two distinct but related 
challenges that confront law enforcement agencies and service 
providers alike. These challenges arise from the fact that 
ECPA, a statute that has been vital for decades, has become 
antiquated in some key respects. This has left courts to 
interpret the statute in the context of facts that Congress 
could not have anticipated in 1986 when ECPA was passed.
    It also leaves law enforcement agencies around the world 
looking for mechanisms to circumvent the statute. Some of those 
mechanisms are aggressive and even dangerous, but can also be 
made entirely unnecessary if we just modernize the law.
    First, applying well-established rules of statutory 
interpretation, the Second Circuit Court of Appeals last year 
held that warrants issued under ECPA cannot compel service 
providers to search for, seize, and produce data that is stored 
outside the United States.
    This, of course, has presented challenges to law 
enforcement, as you have heard from the Department of Justice. 
Other cases pending around the country that raise the same 
issues have judges working to understand what Congress intended 
in the statute that was enacted well before providers like 
Google and Facebook even existed.
    Courts are being asked to resolve these disputes in ways 
that are divorced from sound policy solutions without the 
opportunity for robust debate among the stakeholders, and 
indeed, potentially entirely in closed courtrooms. This is 
hardly the path for appropriately addressing the equities of 
users, law enforcement agencies, service providers in 
addressing international comity. The source of all of this is a 
statute that needs to be updated to reflect the technical, 
business, and other realities of our time.
    Second, ECPA includes a broad, so-called blocking provision 
that restricts the circumstances in which U.S. service 
providers may disclose the content of users' communications to 
government agencies outside the United States. There are 
legitimate reasons that a country may wish to control how and 
to whom data can be disclosed.
    For example, to prevent disclosure of information to 
countries with poor human rights records. A broad blocking 
statute that is divorced from these sorts of concerns and 
lacking nuance, however, can leave governments that have a 
legitimate need for information looking for alternative means 
of acquisition that unnecessarily redound to the detriment of 
users' privacy and civil liberties.
    The blocking provision in ECPA is a source of enormous 
frustration for democratic countries that respect the rule of 
law and maintain robust, substantive, and procedural 
protections of civil liberties. These countries may be unable 
to obtain timely access to digital evidence, solely because it 
is retained by a U.S. service provider subject to ECPA, even 
for crimes that are wholly domestic in nature. The inability to 
obtain this data creates incentives for these countries to seek 
other unilateral techniques to get the information, including 
enforcement of their surveillance laws extraterritorially, even 
in the face of conflicting U.S. law.
    It also creates incentives for enactment of data 
localization laws and aggressive investigation efforts that can 
undermine security in general. It is quite clear that the 
status quo is unsustainable as technology evolves and has 
flourished and services offered by the U.S. internet companies 
are being used by people outside the U.S. Key assumptions 
around ECPA are obsolete. Congress should holistically 
modernize ECPA to address the many challenges that have emerged 
in recent years.
    We respectfully recommend that an effort to update ECPA 
include the following three changes. First, require government 
entities in the U.S. to obtain a search warrant to compel the 
production of communications content from providers.
    Second, provide clear mechanisms for the U.S. Government to 
obtain user data from service providers wherever the data may 
be stored, but with protections built in for certain cases when 
the U.S. Government seeks contents of users who are nationals 
of other countries or located abroad. Third, lift the blocking 
provision in ECPA to permit U.S. providers to disclose data to 
certain foreign governments in response to appropriate legal 
process in serious cases when the domestic laws of those 
foreign countries provide baseline privacy, due process, and 
human rights guarantees.
    There is no panacea for the range of challenges presented 
by aging legal regimes. But we believe that these three steps 
ensure that ECPA's foundational construction is on the basis of 
sound policy principles that reflect the equity of users, law 
enforcement, service providers, and international comity. Thank 
you for your time, and I would be happy to answer questions.
    Mr. Collins. The chair now recognizes Mr. Littlehale.

                STATEMENT OF RICHARD LITTLEHALE

    Mr. Littlehale. Mr. Chairman, Ranking Member Conyers, 
members of the committee, thank you for inviting me to testify. 
I am a technical investigator in Tennessee, and I chair the 
Technology and Digital Evidence Committee of the Association of 
State Criminal Investigative Agencies.
    For more than 20 years, I have helped criminal 
investigators obtain and use communications records for use in 
both technical investigations, like internet crimes against 
children in cyber cases, and in the range of other criminal 
cases that we support.
    My community faces a range of barriers that impede our 
lawful access to digital evidence, and the problem is growing 
as mobile apps and internet-connected devices proliferate. We 
are told it is a golden age of surveillance, but those of us in 
the trenches doing investigations and protecting the public see 
things differently as we are turned away empty-handed from one 
source of critical evidence after another.
    The challenge that brings us here today is the Second 
Circuit's Microsoft/Ireland decision, which is a growing 
problem for the State and local law enforcement community. 
Despite grave concerns expressed by concurring and dissenting 
judges, despite district court judges in five other circuits 
who have declined to follow the ruling, many tech companies 
continue to apply the standard across the board and reject 
legal demands everywhere in the U.S., creating another blind 
spot in State and local law enforcement's ability to access 
digital evidence.
    Let me give a couple of examples to show you why this 
practice is so frustrating for us. In testimony before the 
Senate Judiciary Committee last month, one of my peers from 
Massachusetts described a California case involving the 
disappearance and suspected murder of a young girl.
    The investigators developed information that the contents 
of an account maintained with a cloud service provider could 
help them determine what happened to the girl and where to look 
for additional evidence. A court agreed and issued a search 
warrant. The service provider objected to the production of any 
contents stored outside the U.S., which according to the 
investigators, included the categories of records most likely 
to be useful in that case.
    A second example comes from the State of Mississippi. A 
service provider advised the National Center for Missing and 
Exploited Children that an unknown party had uploaded child 
exploitation images to a cloud account. The investigator, who 
got the case from NCMEC, sought a search warrant for the 
contents of the account. While waiting for the service provider 
to respond, the investigator was able to identify and confront 
a suspect, who confessed that it was his practice to meet 
people online and share child pornography images in order to 
receive similar images in return.
    When asked whether he received any pictures that made him 
think the senders were actively molesting children, he stated 
he did not know, but that he was talking with ``some very bad 
people.'' The investigator received a foreign evidence denial 
as to some of the requested account contents, though everything 
points to the suspect accessing the account from within 
Mississippi. The investigator sent two further requests for 
information on how to obtain the content that might lead to 
unknown minor victims. As of yesterday, the investigator has 
not received a response.
    When investigators face foreign evidence denials like 
these, their only option is to pursue the mutual legal 
assistance treaty process, which is widely regarded in the law 
enforcement community as too cumbersome to be effective. Delays 
run from many months to years.
    This simply does not allow investigators to obtain the 
evidence that they need in a timeframe that is useful. All of 
that assumes, of course, that the service provider tells the 
agency what country to direct the MLAT to, which does not 
always happen.
    Everyone agrees that this situation is problematic. 
Evidence that can help solve crimes committed in the U.S. by 
people in the U.S. against victims in the U.S. is often 
unavailable even after a judge signs an appropriate legal 
demand. In Judge Lynch's concurrence to the Microsoft Ireland 
panel decision, he writes, ``Without any illusion that the 
result should be regarded as a rational policy outcome, let 
alone celebrated as a milestone in protecting privacy.''
    We agree, and we hope that Congress can take quick action, 
carefully weighing public safety needs alongside the business 
interests of providers and the privacy concerns of their 
customers. Public safety should not be an afterthought or side 
issue as technology advances. My peers and I are eager to help 
where we can in collaboration with our fellow Federal partners.
    To wrap up, Mr. Chairman, State and local law enforcement 
investigators see this issue of evidence stored abroad as part 
of a broader policy challenge which includes, among other 
things, the lack of a legal framework around service provider 
response to legal demands, data retention, and a lack of good 
information about what evidence is even available on service 
provider networks. We agree that laws intended to provide law 
enforcement access to digital evidence like ECPA and CALEA need 
to be updated to make sense in the 21st century, but those 
updates must be balanced to address the very real needs of the 
law enforcement community and crime victims to avoid 
unnecessary barriers to investigations. We greatly appreciate 
this committee's ongoing solicitation of our input, and I look 
forward to your questions.
    Mr. Collins. Thank you, sir. Mr. Calabrese.

                  STATEMENT OF CHRIS CALABRESE

    Mr. Calabrese. Thank you, Chairman Goodlatte, Ranking 
Member Conyers, members of the committee. First, let me just 
say how happy I am to see everyone here safe and sound after 
yesterday's tragic events. Our thoughts and prayers go out to 
the victims, but I am just glad to see so many friendly faces 
here safe and well. Thank you.
    We appreciate the opportunity to testify on behalf of the 
Center for Democracy and Technology. CDT is a nonpartisan 
advocacy organization dedicated to protecting privacy, free 
speech, and innovation online. We applaud the committee for 
holding this hearing today. There is no question that the 
system for sharing information across borders is in need of 
reform. Law enforcement is correct that it is slow and 
sometimes frustrating.
    U.S. service providers rightly worry about being caught up 
in a conflict of laws. However, it is worth noting the system 
does have benefits. The most notable is that in many cases, 
citizens around the world are protected by the strong privacy 
guarantees of the U.S. Constitution, specifically the warrant 
requirement of the Fourth Amendment. We must not lose that 
commitment to privacy even as we reform the broken elements of 
the system.
    CDT believes the best way to achieve reform is through a 
package of legislative changes, specifically, passage of the 
Email Privacy Act, adoption of a structure for privacy-
protective bilateral agreements, mutual legal assistance treaty 
reform, and enactment of a version of the International 
Communications Privacy Act, ICPA.
    First, Congress must set a privacy baseline in the U.S. in 
U.S. law by passing the Email Privacy Act. This committee is 
intimately familiar with this bill, having stewarded it through 
unanimous House passage over the last two Congresses. While a 
warrant for content is generally assumed to be the default, 
including by the Department of Justice in its testimony today, 
as the committee knows, that is not what ECPA says.
    Because the law was passed in 1986 and has not been 
substantially updated since, in many cases, it authorizes 
access to content with the use of a simple subpoena with 
notice. Service providers are to be commended for insisting on 
a warrant pursuant to the Sixth Circuit decision in Warshak, 
and DOJ has stated that seeking a warrant is their policy in 
criminal cases. But appellate court decisions and Department 
policies are not a substitute for Federal statutory reform.
    Second, once we have a baseline in U.S. law, we must extend 
it to other rights-respecting Nations through a strong privacy-
protective framework of bilateral agreements between Nations. 
These agreements would be safety valves, allowing speedy access 
for law enforcement, reducing conflicts of law, and reducing 
pressure on the MLAT system. The Department of Justice has made 
a good start in laying out such a framework.
    There are, however, important areas where it must improve, 
including how the proposal handles which Nations will qualify 
as partners, enhancements to legal standards for accessing 
information, and limitations on privacy-invasive techniques 
like the use of metadata and wiretapping. With these 
improvements, bilateral agreements can speed law enforcement 
access, respect national law, and improve privacy.
    Third, since not every Nation will qualify for a bilateral 
agreement, Congress should reform the existing MLAT process. 
ICPA contains important reforms that should be adopted to speed 
the process. In addition, the European Union is developing 
materials to educate their local law enforcement on how to best 
meet the U.S. probable cause standard. Those materials can and 
should be used globally.
    Finally, any proposal should include the principles 
embodied in ICPA when U.S. law enforcement seeks to access 
communications. ICPA rightly moves away from the use of 
location of data as a standard and towards the nationality of 
individuals under investigation. It also respects the interests 
of other Nations by deferring to them in cases where MLAT 
agreements are in place. This framework is not perfect.
    Specifically, it may result in adoption of extraterritorial 
warrants by other Nations or unintentionally allow some Nations 
to slow investigations. CDT is happy to work with the committee 
to address these concerns and is encouraged by the number of 
positive ideas already under discussion, including a mandatory 
comity analysis by courts and reciprocal notice and control 
provisions for other Nations.
    While none of these solutions will be enough on their own, 
CDT believes that collectively, they can safeguard 
international comity, assist law enforcement, and most 
importantly, protect individual privacy.
    Mr. Collins. Thank you, sir. Now, Professor Woods.

                   STATEMENT OF ANDREW WOODS

    Mr. Woods. Thank you, Chairman Goodlatte, Ranking Member 
Conyers, members of the committee. Thank you for inviting me to 
testify here today.
    ECPA is the single leading cause of conflicts of laws in 
the tech world today, so I am grateful that the committee has shown 
great leadership in this context. The good news is that this is 
actually a pretty easy problem to fix.
    ECPA operates, as you have heard, as a blocking statute, 
standing in the way of American tech firms' compliance with 
lawful government requests for data both here and abroad. 
Remove those blocking features, and you solve the bulk of the 
problem. Now, this means two things. First, reverse the Second 
Circuit's recent decision so that a production order under ECPA 
can compel a U.S. firm to comply, regardless of where they 
choose to store their data. And second, allow U.S. firms to 
voluntarily comply with foreign law enforcement requests 
wherever they choose to operate.
    On this second point, I actually think the solution may be 
simpler than DOJ has made it out to be. You need not specify 
which countries can enforce their laws against American tech 
firms, nor the conditions under which they do so. I used to 
think that was a really good idea. After all, if you care about 
privacy, surely you would want to clarify how and when and 
which foreign governments can access internet content.
    But I am less sure about the wisdom of telling other 
countries how to behave today. You do not tell Citibank and 
Costco under what conditions they can comply with British law. 
Why tell Google and Microsoft? Indeed, if you were to propose 
to make it harder for American banks or America's retailers to 
do business in other countries, you would likely never hear the 
end of it. Not only does blocking foreign government interests 
make them mad, with all of the attendant diplomatic fallout, 
but I believe it makes the internet less secure.
    When countries cannot enforce their laws, they do a number 
of unfortunate things, and in particular, three.
    First, they make it hard on U.S. businesses, arresting 
their employees, increasing operating costs, often by demanding 
that data be stored locally.
    Two, they increase their efforts at surveillance, often 
without court supervision.
    And three, they threaten to retaliate against the United 
States by imposing their own ECPA-like blocking statutes. This 
last point is an underappreciated one. In a not-too-distant 
future, many Americans, perhaps most, will be running around 
with a foreign-made app on their phones.
    In the wake of some crime, American law enforcement will 
seek access to data held by the foreign app maker doing 
business here in the U.S. If the app maker is from a country 
that has a blocking statute like ECPA or a country that is 
excluded from the bilateral or multilateral club that DOJ has 
envisioned, our law enforcement agents will be in trouble.
    These foreign government reactions to our blocking statute 
are unfortunate, but they are also understandable. Indeed, it 
is partly American law enforcement's own frustration here that 
has led them to call for back doors on encrypted services, the 
unregulated use of Stingrays, and other desperate and, in my 
view, foolish measures.
    When I speak to prosecutors in Brazil and India and France, 
they ask one question: why should we need to follow American 
rules in order to enforce our own laws on our own soil? The 
answer, of course, is that they should not. The lodestar of 
conflicts of laws has always been the respect for sovereign 
interests, and if we craft a regime that does not do that, I 
fear we will regret it.
    So, to briefly summarize, ECPA is easy to fix at home and 
abroad. The location of data should not matter. Rather, the 
location of the investigation should. Except in extreme 
circumstances, if a service provider is physically present in a 
jurisdiction providing services, making money there, they 
should be in a position to respond to lawful and legitimate law 
enforcement requests.
    That is true here, and that is true abroad. This is the 
position nearly every other American company finds itself in, 
and tech firms should be no different. To make this a reality, 
you need to reverse the Second Circuit's decision, and you need 
to lift ECPA's blocking features.
    Now, I just want to emphasize that I say this as someone 
who cares deeply about privacy and security on the internet. In 
my view, the only way to secure the future of a global internet 
is to provide room for governance differences around the world. 
Either the laws bend, or the technology will be bent and 
broken.
    Keep in mind, we are not talking today about the hard stuff 
like warrantless surveillance, State efforts to weaken 
encryption or force data localization. Rather, we are talking 
about a simple step that you can take today to prevent those 
things. Thank you very much for your time, and I look forward 
to your questions.
    Mr. Collins [presiding]. Thank you, Professor Woods. I will 
start the questioning here as we go.
    Mr. Salgado, I have a question. From your perspective, how 
urgent is this problem? And are we talking only a handful of 
countries here that are enacting data production and data 
localization requirements? What is the impact, you know, if 
you can quickly sort of answer that, the impact of these laws?
    Mr. Salgado. Thank you for the question. I think it is 
quite urgent. The two issues that we are talking about here, 
both the blocking statute question about the ability to comply 
with requests outside the United States as well as being able 
to produce data that is stored outside of the United States to 
U.S. authorities, both of those are urgent matters. They are 
threats to public safety. They are threats to American 
companies.
    Mr. Collins. OK. And also, then, it has been talked about a 
little bit here, some have argued that it should be nationality 
or location of the customer that determines the country's law, 
you know, which one controls. It is sort of a two-part 
question. One, is Google able to definitively determine the 
location of the customer? And number two, are they definitively 
able to determine the nationality of a customer?
    Mr. Salgado. The answer is no. We very unlikely would be 
able to be determinative. We may have information that could 
inform a court that needs to decide whether notice, if that is 
the approach we are taking, needs to be given to the other 
jurisdiction.
    So, a provider may have relevant information to help inform 
a decision like that. Law enforcement itself should probably 
bear the burden of being able to establish that they have at 
least gone through the steps to try to determine the location 
of the user to determine whether they are excused from other 
requirements.
    Mr. Collins. And in some ways, would not the nationality 
actually be a slippery slope question for a tech company, or 
frankly, even law enforcement there, unless there is, you know, 
definitive kind of answers to that question?
    Mr. Salgado. There needs to be a standard. It may be that 
the standard is not definitive. It is something less than that, 
that there is credible evidence, you know, there is a whole 
list of possible standards.
    Mr. Collins. Preponderance?
    Mr. Salgado. Preponderance, it could be----
    Mr. Collins. OK.
    Mr. Salgado. Right, from mere evidence all the way to the 
full more likely than not.
    Mr. Collins. Without doubt.
    Mr. Salgado. So, that would be an issue for debate to come 
up with what is the right level.
    Mr. Collins. Great. Well, I will come back in just a 
second. Professor Woods, what kind of reforms to the MLAT 
process do you believe should be made? And you know, these 
impacts do you think would improve the process it would have on 
international conflict of laws that are being discussed?
    Mr. Woods. Yeah. So, as I say, the easiest way to resolve 
this problem is to allow countries that operate globally to 
respond to lawful requests where they receive them. I would 
emphasize lawful. I agree with my colleagues here that we may 
be able to parse out some countries we think do not operate by 
the rule of law.
    But we want to be in a position where the MLAT system, 
which needs to be reformed in a number of ways, and I have got 
ideas about how to do that, happy to speak to that, but the 
MLAT system should not be the place where cross-border data 
requests are made.
    Mr. Collins. OK.
    Mr. Woods. It is just not built for that.
    Mr. Collins. OK. Granted with that. And again, this is not 
a small subject we can discuss. But I do have a specific maybe 
on this. What effect do data localization laws have on U.S. 
national security, the ability of U.S. intelligence community 
to collect the necessary intelligence to protect the homeland? 
Can you answer that maybe, briefly?
    Mr. Woods. My understanding is that it is considerably 
harder for U.S. law enforcement to get access to data when it 
is stored under a forced localization mandate abroad.
    Mr. Collins. OK. All right. One question, and we have had 
this before when Mr. Littlehale has been here before, and we 
have had questions. But I do want to go back. And I understand 
the balance of law enforcement and the needs here. But in most 
examples, which, of course, would be the problems, Mr. Salgado, 
do you think that every example on a negative light that was 
given is where tech was not cooperating? I would like to at 
least hear the other side, because we have heard this before. 
Tech does cooperate with law enforcement, correct?
    Mr. Salgado. Oh, well, certainly. Speaking for Google, the 
rules are generally pretty clear about what it is we are 
required to do and what the legal process should look like, and 
it works pretty well. There are emergency situations where the 
law enforcement may not have time to go through legal process. 
We respond to those to save lives and to prevent physical 
injury when needed. I think in general, the ecosystem works 
pretty well.
    The statute, though, is pretty aged at this point, and it 
is no longer reflecting what is really happening. And the 
result of that is that law enforcement is getting frustrated 
because of interpretations like what we saw out of the Second 
Circuit, and other jurisdictions are having to adapt to the 
limitations they are facing under U.S. law by engaging in 
sometimes unsavory techniques to try to be able to get the 
information.
    Mr. Collins. So, really, from your perspective, at the end 
of the day, you know, you may have differences of opinion on 
protection of privacy from your business model and other 
standpoints, but at the end of the day, your company, in 
particular, but other tech companies as well who deal in this 
are more than willing to find a solution here that protects not 
only privacy business decisions, but also the needs of our 
security and our law enforcement?
    Mr. Salgado. Absolutely right. And, in fact, this is a 
situation where I think with these recommendations we have made 
today, we can actually increase privacy protections and enhance 
law enforcement access----
    Mr. Collins. Right. So, any broad sweeping discussion, that 
is the more true answer, and there are exceptions to 
everything. But I think we are moving forward on an answer, and 
that is the good part.
    With that, I am honored to turn over the questioning to my 
dear friend, the ranking member of this full committee, Mr. 
John Conyers.
    Mr. Conyers. Thank you, sir. And I appreciate the witnesses 
and their differing views. But let me start with Mr. Calabrese, 
please. Sir, in your view, what are the shortcomings of the 
administration's proposed criteria for admission into the 
bilateral framework?
    Mr. Calabrese. Thank you, Mr. Conyers. So, I think there 
are four. The first is the way the inclusion in the club is 
handled. So, first of all, we should not have factors to 
consider; we should have mandatory standards that have to be 
met. And we should also have a better process for lifting up 
the factual basis for making that determination, an APA-type 
process so we can get facts for whether you meet particular 
standards. The second is improvements to how we handle 
metadata.
    Obviously, this is incredibly sensitive information. And 
ECPA currently allows the voluntary sharing of metadata with 
foreign countries, and I think we need to address that. The 
third is I think we need a bar on wiretapping. Wiretapping is 
among the most sensitive types of invasion we have in our legal 
system, and I do not think we should allow it willy-nilly to be 
done by foreign governments, almost certainly at a lower 
standard.
    And finally, we need to look closely at the substantive 
standards and procedural requirements put in place by the 
bilateral agreement and look to raise them to be closer to a 
probable cause standard.
    Mr. Conyers. Thank you, sir. Let me ask you, in your 
opinion, must we hold other Nations to our Fourth Amendment 
standard for access to content? For example, a warrant based on 
probable cause, even that standard is wholly foreign to legal 
systems that on the whole have decent privacy regimes?
    Mr. Calabrese. It is a very fair question. I think the 
first thing we should do is hold ourselves, of course, to the 
probable cause standard and pass the Email Privacy Act. The 
second thing, I think what we need to look for is comparable 
legal regimes, comparable legal standards. And I do not think 
we should insist on foreign governments having exactly the 
same rules we have. They need to be comparable privacy 
standards. They need to meet international norms, such as human 
rights standards. And if we can get that kind of normalization 
with our key allies, I think we will have real privacy 
improvements.
    Mr. Conyers. Anyone want to add anything to that? Yes, sir?
    Mr. Woods. It is a great question, and when I have looked 
at the burdens on the MLAT System, there are at least two 
distinct kinds of burdens. One is that foreign countries say, 
``Why should we have to go through this process and make the 
request to the United States, let alone just solve it here 
domestically in our courts? If it is a Brazilian murder, a 
Brazilian crime, Brazilian victim, and everything happens in 
Rio, why are we contacting the U.S.?'' That is crazy, right? 
Separate from that, wherever the request happens, whether it is 
international or not, there is a resentment of having to use an 
American standard.
    And I fear that if we adopt a regime that relies, as you 
say, on an American standard like the Fourth Amendment 
standard, although it is the gold standard, we will incentivize 
States who resent being left out of the club or being forced to 
bow to that American standard, that they will do things like 
find ways to enforce their laws without our permission. And 
every single one of those possible ways to do that is worse 
than us negotiating a reasonable way for them to get lawful 
access to data.
    Mr. Conyers. Thank you. Mr. Salgado, has the Microsoft 
decision changed how your company responds to the government's 
demands for information under the Stored Communications Act?
    Mr. Salgado. Yes, sir. It certainly has. As I think the 
chairman said in the opening comments, the Second Circuit 
pointed out that there is a problem in the statute that really, 
until then, had not been pointed out, and that is that it 
appears that the statute does not cover data that is outside 
the United States and not in the United States or that the 
warrant requirement does not reach that far. As a result, that 
means that the warrants we receive, actually, are not effective 
to reach the data that is stored outside the United States. And 
as a result, we do not produce that data in response to those 
warrants.
    Mr. Conyers. Thank you, Mr. Chairman.
    Mr. Collins. Thank you for that. The chair now recognizes 
Mr. Marino. And just for the sake of the meeting, after Mr. 
Marino's question because votes have been called, we will be 
adjourning, in light of the situation, the rest of the day. So, 
Mr. Marino, your line of question.
    Mr. Marino. Thank you. I am going to cut right to the 
chase. First of all, without objection, I would like to 
introduce into the record the testimony of Microsoft's chief 
legal officer, Brad Smith, from the Senate Judiciary 
Committee's hearing on this same topic from May 10, 2017.
    Mr. Collins. Without objection, so ordered.
    This information is available at the Committee and can be 
accessed online at 
https://docs.house.gov/meetings/JU/JU00/20170615/106117/HHRG-115-JU00-20170615-SD002.pdf.
    Mr. Marino. Thank you. Excuse me, thank you for being here. 
Are you familiar with my legislation from over the last 2 
years, the LEADS Act? Give me your opinion. Ms. DelBene and I, 
from across the aisle, put this together, and it just puts 
together a legal framework for U.S. law agencies to acquire 
evidence from overseas.
    I always think something needs to be tweaked, but can each 
of you take a couple of seconds and address the LEADS Act and 
what might have to be added or taken out? Because I am a law 
enforcement guy, and I do like the idea that we have agreed, so 
far, I think we have agreed, that business and law enforcement 
have to sit down and work this out.
    There has got to be give and take on each side, and from a 
law enforcement perspective, I have been in situations where 
children have been kidnapped. As a prosecutor, we know that we 
have to have evidence almost immediately or else within 48 
hours because the chances of retrieving them after that are 
very small. And we cannot be in a position where we are waiting 
for someone to argue an issue brought before a court saying why 
we should or should not respond to something. So, could you 
please respond to that array of questions?
    Mr. Salgado. I guess we will start on this end. Yes, I 
think that there is an agreement here that we need to do 
something, that we are in an untenable situation, all of the 
stakeholders here, and I would include the courts in that. I 
think that the solution, though, is not in a statutory change 
that doubles down on location of data. I think we need to 
change the focus of the limits of the warrant requirement to 
the user rather than where the user's data is located.
    And hence, the recommendation that we make, which is let's 
change the statute to reflect where the user is or where the 
user is a national, and focus on those equities rather than in 
the case of Google, where the intelligent, modern network has 
selected to store the data for some period of time.
    Mr. Marino. OK. Anyone else care to respond?
    Mr. Calabrese. Yeah. First of all, thank you. You clearly 
started an important debate with your legislation that is 
ongoing today. And I think we are getting closer to a solution, 
and it is a good piece of legislation. I mean, there were a 
couple of things I think concerned CDT. One was the one that 
Rick just mentioned, which is, sort of, you worry about 
embedding a technical solution or, you know, interfering with 
how a technical outcome would happen within an industry's 
systems with a legal standard.
    I think the second one, and one that CDT is worried about, 
is potentially the impetus towards encouraging other countries 
to engage in extraterritorial warrants. And I think that is one 
of the reasons we have talked so much about bilateral 
agreements. I think they are a nice safety valve in this same 
context, right? Because they say, ``That is fine. We want to 
give you the same deal that we have here, and here is how you 
do it. Here is the whole process.'' And I think that is an 
important safety valve, and I think, obviously, clearly be 
coupled with the work that you are already doing.
    Mr. Marino. We have to respect other countries' laws, but 
we cannot be put in a position where those laws are so in 
opposite in law enforcement to what ours are.
    Mr. Woods. I just want to echo Chris' point that you are at 
the forefront in starting to look at this with the LEADS Act, 
and I was excited when it was announced.
    Mr. Marino. I have got to give my staff credit for that. 
They are pretty much the brains of the outfit.
    Mr. Woods. I also want to echo Rick's concern about having 
anything turn on the location of the data. I think at the end 
of the day, the old-school principles of jurisdiction ought to 
apply; and that is to say, I think consistent with what you 
were saying, legitimate State interests.
    When the United States has a legitimate interest in 
resolving a crime that has happened here in the United States, 
if a business is here in the United States, doing business, 
making money, availing itself of this forum, it ought to be 
responsive to law enforcement investigations. That is not about 
where they store their data. That is about where they operate 
and where the crime occurs.
    Mr. Littlehale. I would just very quickly point out that 
from our perspective, the real challenge comes in looking at 
reform in the area of all of these statutes where we are going 
to get the information in order to make the demonstrations that 
we are required to about where the particular, either the data 
is or the person is, nationality, and so forth.
    Very often, in a time-sensitive environment, we are dealing 
with a limited pool of information where we can get information 
because, as was pointed out earlier in the hearing, we do not 
have the ability to go out and gather that evidence ourselves. 
We are dependent on what we can get by service of legal 
demands. So, I think any effort to look at that must take that 
set of realities into account. And we look forward to the 
conversation.
    Mr. Collins. Thank you. This concludes today's hearing. 
Thanks to all the witnesses for attending and sitting through 
what has been a longer hearing. Without objection, all members 
will have 5 legislative days to submit additional written 
questions for the witnesses and additional materials for the 
record. With that, the hearing is now adjourned.
    [Whereupon, at 1:23 p.m., the committee was adjourned.]
    
    
    