to publish these statistics, it it's going to simply provide additional information out there as new companies come online and pop up you may have a company that for a period of years shows no orders and then all of a sudden starts showing orders and that conveys a message that says, we have the capability to collect this now. the more detail we provide out there and the more we break this down by authorities and companies, the more easy it becomes for our adversaries to know where to talk and where not to talk. what we have agreed to allow the companies to do is to report the aggregate number of times in which they provide information to the government and that seems to me is an adequate way of providing the public the information they need to know about the minuscule proportion of times in which that actually happens and breaking it down nurt in our view crosses the

line of the balance between transparency and national security. >> we'll have to have testimony from privacy people and google to talk about thatting a gra gags. i don't think that is all that helpful because you really are not giving people an idea of how much is -- you're mixing apples and oranges. how many wiretaps and mobsters. to me it it doesn't create the kind of transparency that creates the kind of knowledge the american people. i have some time. >> i guess i can go. over my own time. i have seconds and will try to answer a question. i understand that you think that my bill would require too much e detail. i'm going to weigh that feedback very carefully. but i do want to point out that when i drafted the government

reporting requirements and the bill i modelled them after the wiretap report that they release every year. if you look at last year's report it breaks down the number of wiretaps by specific jurisdiction and breaks down those numbers by the nature of the wiretap. last year's wiretap report shows that federal prosecutors in manhattan secured wiretap orders for mobile phones 48 times in 201 while their colleagues only broke them five times in the same period. the wiretap report contains a wealth of information and nobody is arguing that they are reading the wiretap report in brooklyn because they are less likely to get their phones tapped there. my bill wouldn't even require anything near this level of reporting. it would require the report

national statistics and any time the number of americans factor is lower than 50, it it would just say fewer than 500. why would the reporting requirements in my bill raise national security concerns if the far more detailed reporting requirements in doj's wiretap reports don't raise public safety. >> so that's a good question. the regular wiretaps under the wiretap act don't involve classified techniques. there are platforms that we use in the intelligence context that it's unknown to the outsiders or anyone outside the executive branch as to whether we can collect on a particular communications technology. >> the disclosure when we talk about technology other than it's on the internet or phone.

>> we think that our adversaries -- let's say in year one we no that there's a company that has a particular number of surveillance requests and that number is published. they then introduce a new capability, a new service that they provide and then all of a sudden that number goes up dramatically in the following year. that's something that our adversaries could glean information from that. that's the type of thing i'm talking about that's different than in the wiretap context where everyone knows a basic wiretap is something you can do. i'd also like to address the latest question. the reason it's different than other collection methods is that's just collecting business records. it's not an interception capability. you're not intercepting communications in realtime. you're just collecting business records that the companies have and so that's a distinction that we don't have the same concerns

about revealing the numbers that we would with intercept capabili capabilities. >> thank you. i thank you the ranking member for his indulgence. i have gone way over my time. >> thank you. it's been useful questions. but if you could kind of drill down a bit in terms of increased man power and what it would take to actually make some determination of the percentage of individual who is are surveilled. what would that look like without revealing more than you need to reveal here? what would that take to determine what percentage? >> so i can offer an example in that regard. the chairman made reference to the f circumstances a court

opinion that we have released from 2011 which involved a compliance violation under the collection under section 702. in connection with that, nsa did do a statistical sample to try to determine how many holy domestic communications may have been intercepted through this portion. they did a statistical sample where they reviewed 50,000 communications, which was a very small percentage of that. my understanding is that it took a number of nsa analysts about two months to do that. and that even in that regard, there were a number of instances where they couldn't come up with the necessary information that the actual information was ended up with numbers in a wide range based on a lot of atumgss.

the last point icht to make is that was an easier task than the one being asked here. they were looking for a holy domestic communications. any time they found a communication where there was one nonu.s. person they could immediately throw it out and not look any further. they never did look at every single party to every single communication to determine whether or not it was a u.s. person. so i think that that example gives a sense of the resource intensiveness that would be required and the difficulty even if you apply all those resources in coming up with reliability numbers at the end of the process. >> so you maintain that it would take probably a lot of resources away from the main task just to comply with this provision. >> yeah, i think those thousand mathematicians have other things they could be doing in protecting the nation rather than count u.s. persons. >> you mentioned it may have a

greater impact on prooivacy to actually have to drill down and determine who was u.s. person and who was not. what level of detail do you typically have to have? do you have to search what other communications have come to this? you kind of explained what you mean by saying that you impact more on people's privacy by drilling down and complying with this law than are currently out there? >> yeah, that's exactly right. nsa's mission is to collect foreign intelligence. they are looking for the foreign side. it's mot what they ordinarily do to go out and try to find u.s. persons. so if you impose upon them some sort of obligation to identify u.s. persons, they are going to take an e-mail address that may be joe@hotmail.com and have to dig to find out what else we know. that's going to require learning more about that person than nsa

would otherwise learn. >> when we allow companies out there to reveal more than they were able to reveal before, google has procedures that they follow. what other companies have taken advantage of the opportunity they have to reveal more information about what is surveilled and what is not. is it all of them taking advantage of this or some of them or what? >> i'd have to get back to you and give you the list of companies. i believe microsoft has issued a report about with certain data. facebook, i believe. i'd have to get you the complete list. i don't want to give you the wrong list, but i can give you informati

information. >> how universal is the request to give more information about what is being surveilled and what is being collected. >> i think it's fair to say that a lot of of the providers want to provide more information about their -- how their users are affect ed. the number of them in the initial stages in the wake of the snowden disclosures came to us. we worked with them on the proposal that bob described, which was that we would release the aggregate number of law enforcement plus national security demands in the aggregate for those companies. i think they found that useful at the time. when they put out press statements identifying the numbers and showing that was a tiny frank in most cases less than a small percent of their

base was affected. so whether you include the law enforcement, it's a tiny fraction and that's what they want to be able to show to debunk that surveillance. the opposite is true. and they were able to do that with the disclosures that we offered at that time. >> getting back to what we're talking about before. in order to comply with the visions of this legislation, would you sometimes require more of companies in drilling down how many u.s. persons were affected here. might there be additional concerns from the private providers that were -- might they be more uncomfortable with additional requests to try to determine? we already have procedures that

apply in order to exclude u.s. persons but this would seem to be a lot more drilling down, as you mentioned before. what concerns did others have about this and should they be concerned about more intrusiveness on the part of the government to determine who is a u.s. person and who is not just for the person of complying with the act. >> i do think that people should be concerned about the greater intrusiveness. i'm not sure technically it would require anymore of the companies or not. i think more likely nsa would simply rely on its own internal resources. they need some additional authority to go back to the companies to get subscriber information or whatever. so i'm not sure that it would impose an additional burden on the companies, which does not mitigate the intrusion on the individual. >> but you don't anticipate having to go back to the

companies and say iing we need additional information to determine or comply with the law. >> i wouldn't say that i don't anticipate it, but i'm not sure it it would happen or frankly there would be a way we could do it legally to get that information. >> thank you, mr. chairman. >> thank you. i will say that we are going to have testimony from google and they have signed on to this. so we'll hear from them. senator blumenthal. >> thank you, mr. chairman. thank you for your leadership on this bill. thank you to our ranking member and senator heller. i'm a co-sponsor of this measure and want to express my gratitude to you, senator franken, for spear heading this effort, but really it it embodies the general truth that what you don't know can't hurt you. what the american people don't

know about much of what you do and it is important and essential to our national security can create misinformation and deception and undermine the trust and dead kred blt blt of the entire program of surveillance and intelligence by the national security. what the american people don't know can hurt them if it becomes a source of mistrust and loss of credibility here and around the world. so i think that this bill is very important al bee it only a first step. i proposed other measures such as a constitutional that fits with the con secht of the bill in terms of preserving accountability measure as well as greater transparency and accountability in other ways. i would like to focus on the

technical issues that you have raised. don't these pail compared to the importance and aren't they surmountable with relatively few resources if we define narrowly what those technical problems are? >> well, i mean i guess i would say no and no. taking your second point first. the judgment of people who have looked at this, two inspectors general who also looked at it is this is not surmountable with a relatively modest application of resources that it would be very resource intensive and particularly with respect to the u.s. persons very require additional intrusions on privacies. our judgment is that this is not

the best way to try to strike the balance between privacy and national security. i understand that the view that there's important information out there, but one of the necessities of conducting intelligence operations is that not all the information that might be of use to the public is going to come out in the public. i think that our view is that the steps that we have taken are appropriate ones and we are prepared to work with the committee and the congress on additional steps that might be taken. >> i don't understand, and forgive me for interrupting, but my time is limited. i don't understand what resource -- that's a code word. it's a term that's used to say it looks pretty difficult to do. it looks like it's going to cost a lots. how resource intensive really is it to accomplish these purposes?

>> i don't know that we have done an actual cost estimate. the only yardstick i can give you is what was required to do the smaller and easier task that was done in connection with the fisa court opinion that required a half done analysts two months to do and still come up with it with an estimate that had wide ranges in it. >> maybe you can give us an idea of what those ranges are. >> if you give me a second. >> this will not come out of the senator's time. >> it's a long opinion and it's going to take me a second to find the right place. i'm sorry. i should have marked this in

advance. so as i said, the issue was to determine what were holy domestic communications, which is a different task. and vul of this review, they determined that there were between 996 -- 1,000 and 5,000 communications that met that task. so you have a five-fold range there. and there are other estimates in here that say, well, i wouldn't be any greater than this number. but they are all based on assumptions and estimates and i don't know that there's any comfort that we could accomplish this with any degree of reliability. >> but you have given me a number for the communications but not for the dollars. how do you measure resource intensity?

>> i mean you'd have to look at the number of people who would be requiring the amount of time skblp can you give us some idea? >> as i said, the only metric that i have is what was required to get this number. and my understanding is that that was, i believe, six analysts for a two-month period. you'd have to multiply that across a much larger sample, a much more difficult task and additional fisa authorities. so you're talking some number of man years that would be required to do this. >> thank you. let me just move on in the interest of perhaps anticipating the testimony we're going to receive from the next panel. i don't know whether you've had a chance to review that testimony, but for example, a lot of it concerns the impact on communications internationally and i wonder if you could comment in particular on the

testimony very compelling testimony salgado about the need for transparency to enable the trust and credibility that is important for communications worldwide. >> so i haven't had a chance to review the other testimony. i'm generally familiar with the company's position. i think we have a lot of sympathy for their position. the unauthorized disclosures that have come out here put them in a difficult position. it's one of the many things we regret about these disclosures. having said that, as brad mentioned earlier, we're authorizing -- we're prepared to authorize companies to release the total number of orders they get to disclose customer information and the total number of accounts affected by those orders. that's going to be a minuscule number. as brad said, it's something like -- it's a fraction of 1%. and that covers all authorities.

and it seems to me that that minuscule number is sufficient to meet the company's needs and it really doesn't advance things anyway. when they're allowed to disclose that .0001% of their customer accounts are affected by orders to provide information to the government, it doesn't really advance their needs to say, well, .000001% of those were pursuant to this authority and .00003% were pursuant to that authority. the relevant statistic is that any customer of google or of any other company, there's only an infinitesimal likelihood that that person's information is ever going to be kd for by the government. >> thank you. my time has expired. thank you very much. thanks, mr. chairman. >> thank you, senator blumenthal. and i am a co-sponsor of your constitutional advocate. >> right. >> bill. >> senator lee. >> thank you, mr. chairman. thanks to you for being with us

here today. . of the testimony that we've received today highlights the consequences of unchecked government intrusion into the private lives of citizens. and their interactions with private businesses. senator franken's bill would take important steps to increase the transparency of government requests for information. and i very much applaud those efforts. in fact, senator leahy and i have incorporated the vast majority of senator franken's provisions into our bill. s-1215. the fisa accountability privacy and protection act. which makes broader reforms to the privacy protections within the fisa program. our bill would tighten statutory authorities governing surveillance, would increase oversight and accountability, and would ensure that americans' constitutional rights under the fourth amendment are protected. the reporting provisions in these bills guarantee that we have an accurate understanding of the scope of these

information collection activities and allow businesses to regain the trust of the public through the reasonable disclosure of their interactions with government agencies as they provide information. it's time we started requiring a little more sunlight in this fairly shadowy space. mr. litt, in your written testimony you expressed support for the majority of the disclosure requirements in this bi bill. i was wondering, is your support a direct result of formerly covert collection programs having become public or do you think that nationwide aggregate disclosures are inherently beneficial and should be sought out? >> i think the answer to that is that aggregate disclosures are a good thing provided they don't compromise our ability to collect important information. i think in the situation where we're in right now, whatever the appropriate result might have

been six months ago, in the situation we're in right now where the director of national intelligence has already declassified the fact of certain programs and how they operate, that it's entirely appropriate to have aggregate disclosures of these activities going forward. for other important activity -- intelligence activities i'm not sure that we've reached the same balance. but to the extent that we're talking about these particular disclosures we believe that they do strike the right balance now. if i could just for one thing -- this is perhaps not considered the discreet thing to do. i do want to take issue with your suggestion that we're talking about unchecked intrusions into privacy of americans because in fact they're very checked. we operate within the laws authorized by congress. we operate with extensive oversight from all three branches of government. and they're highly regulated and highly checked. whether or not they are -- whether or not they're appropriate or not i think is a valid question, but nobody should be under the illusion

that we're operating without any checks on what we do. >> that is a fair point. and i understand your position there. one of the concerns is always, of course, that what might well be handled by responsible people today tomorrow might not be. we don't know whether that might happen a week from now, a year from now, or ten years from now. but in a sense we've seen this movie before and we know how it ends. if you give too much power to the government with regard to domestic surveillance, eventually it will be abused and we need to put in place whatever procedures might be necessary. if i understand your answer to my question correctly, part of what you're saying is that prior to the declassification that occurred recently this might have run afoul -- this might have triggered your concerns, this kind of legislation might have triggered your concerns in the sense that it might have compromised ongoing activities. but since those have now been

declassified there's no reason not to do this. am i understanding it correctly? >> yes. i think that's right. >> thank you, sir. and thank you, mr. chairman. >> thank you, senator. i want to thank you gentlemen for -- not just for your testimony but for your service. you made a good point there about there are checks to what you do, and this is part of it. and you made a comment there are checks for what you do but that doesn't mean what you do is always appropriate. and that's what we're trying to get to here. you have made some disclosures that i think have been in good faith. but they aren't permanent. they aren't part of the law. so that's what we're discussing here. again, i want to thank both of you for your testimony. and now i want to call our third

panel. so thank you. >> thank you, mr. chairman. >> thank you. >> kevin bankston is senior counsel and director of the free expression project at the center for democracy and technology. mr. bankston is a long-time advocate and litigator on privacy, civil liberties, and internet policy matters. mr. bankston and the center for democracy and technology organized and led the coalition of companies and civil liberties groups that call for greater transparency and that now is advocating passage of this bill. paul rosensweig is the founder of red branch consulting, a national security consulting company, and a senior adviser to the chertoff group. in 2005 to 2009 he served as deputy assistant secretary for policy in the department of

homeland security. also teaches at george washington university law school. richard salgado is google's director for information security and law enforcement matters. he served as a federal prosecutor in the computer crime and intellectual property section of the department of justice where he specialized in technology-related privacy crimes. he has taught at stanford law school, georgetown university law center, and george mason university law school. thank you all for joining us. your complete written testimony will be made part of the record. you each have five minutes. about five minutes for any opening remarks that you would like to make. mr. bankston, please go ahead. >> chairman franken, ranking member flake, and members of the subcommittee, thank you for the opportunity to testify on behalf of the center for democracy and technology, a non-profit public interest organization dedicated to keeping the internet open, innovative, and free.

i and the broad coalition of internet companies and advocates that cdp brought together this summer to press for greater surveillance transparency are grateful to chairman franken and senator heller for introducing the surveillance transparency act, a bill that would allow companies and require the government to publish basic statistics about how the government is using its national security surveillance authorities. particularly in the wake of recent revelations about the nsa's surveillance programs, we believe this level of transparency about what companies do and don't do in response to government demands is critically important for three reasons. first, the american people and policy makers have a clear right and need to know this information so that they may have a more informed public debate about the appropriateness of the government's use of its authorities and to better ensure those authorities are not misused or abused. second, the company have a clear first amendment right to tell us this information. and the government as tempt to gag them from sharing even this most basic data or even to admit that they have received foreign

intelligence demands at all is clearly unconstitutional. indeed you'll see this prior restraint at work in the room. even though everyone in this room knows and understands that google has received foreign intelligence surveillance act process, google's representative is the one person in the room who cannot admit it. third, greater transparency is urgently necessary to restore the international community's trust in the u.s. government and in our u.s. internet industry, which is projected to lose tens if'll hundreds of billions of dollars in the face of widespread concern from foreign governments and international users. we must take this opportunity to demonstrate that our surveillance practices are necessary and proportionate and respectful of constitutional and human rights. and if the numbers show otherwise we must take this opportunity to reform our surveillance laws as well as better protect our rights and national security. speaking of national security there are two basic arguments why publishing these numbers would threaten it, but neither is persuasive. first there's concern that such