tv Key Capitol Hill Hearings CSPAN September 17, 2015 2:00am-3:44am EDT
2:00 am
cftc. mr. salsburg received his undergraduate and law degree from the university of pennsylvania. i want to thank all of you for testifying. >> chairman grassley, ranking member leahy, and members of the committee, thank you for the opportunity to testify on behalf of the department of justice regarding the electronics communications privacy act or ecpa. i look forward to discussing with the committee how the department uses ecpa and how the statute might be updated and improved. ecpa has always sought to improve -- while safeguarding individual privacy. it is important that ecpa reform efforts remain focused on maintaining both goals. electronic communications play a vital role in government investigations. indeed as technology has
2:01 am
advanced and as electronic data and storage have augmented traditional means of communicating and storing information, governmental access to data is more important. ecpa is critical to tracking down criminals in investigations into murder, kidnapping, organized crime, child exploitation, identity theft, terrorism, and more, but criminal investigations are only a subset of the circumstances in which ecpa applies. the statute applies when the government acts as a civil litigant. we agree that notwithstanding several updates to ecpa the statute draws some lines that do not account for the development of technology and the ways in which we use electronic and stored communications today. for example, there's no
2:02 am
principled basis to treat e-mail less than 180 days old different from e-mail more than 180 days old. there's no lesser protection to e-mails that have been opened to e-mails that remain unopened. how to account for changes in technology while maintaining privacy protections and providing for public safety and law enforcement imperatives remains a central challenge of ecpa reform efforts. personal privacy is critically important to everyone. all of us use e-mail to share personal information and we want it to be appropriately protected. many discussions about enhancing privacy focus on a proposal that would require law enforcement to obtain a criminal search warrant based on probable cause to compel disclosure of stored content from a public service provider. this is a sensible approach provided that congress consider crafting limited alternatives for certain investigative
2:03 am
functions. for example, civil regulators and litigators typically investigate conduct that while unlawful is not a crime, but criminal search warrants are only available if an investigator can show probable cause that a crime has occurred. lacking warrant authority, civil investigators enforcing civil rights, environmental, anti-trust and a host of other laws will be unable to obtain content from storage providers. as wrongdoers take steps to shield that information from civil investigators, the amount of critical information that is off limits to government will only increase. efforts to update ecpa can reflect these considerations and ensure appropriate judicial oversight to communications. any proposals to changes should address the ability to civil litigators and --
2:04 am
the department also has several more technical yet important concerns that we believe merit consideration. although discussions about updating ecpa have often focused on this content information, there are other parts of the statute that would benefit from further examination. the administration is studying these proposals, but the department has significant concerns about aspects of these proposals. the department of justice appreciates the opportunity to discuss all of these issues with the committee, and i look forward to your questions today. >> thank you. andrew? >> thank you, chairman grassley, ranking member leahy, and members of the committee. thank you for inviting me to
2:05 am
testify today on behalf of the s.e.c. i share the bill's goal of updating ecpa's collection procedures, but the bill in its current form proposes significant risk to the american public by allowing law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct. i firmly believe there are other ways to update that offer stronger privacy protections without frustrating the civil ends of law enforcement. the mission is to protect investors, maintain orderly efficient markets. our division of enforcement furthers this mission by investigating potential violations to the federal securities laws. a strong enforcement program is
2:06 am
critical to the s.e.c.'s effort to protect investors from fraudulent schemes. electronic communications often provide critical evidence in s.e.c. investigations as e-mail and other message content can establish timing, knowledge, or relationships or awareness that certain statements to investors were false or misleading. when we conduct investigations, we seek e-mails through the key actors through an administrative subpoena. the subpoena recipient may have erased e-mails, inserted damaged hardware, or refused to respond. individuals who violate the law are reluctant to produce evidence of their own misconduct. it is at this point in an investigation that we may need to seek information from an internet service provider or isp.
2:07 am
the bill at issue would require government entities to procure a criminal warrant when acquiring e-mail content. we would effectively not be able to gather electronic evidence directly from an isp regardless of the circumstances, even in instances where a subscriber deleted his e-mails or fled to another jurisdiction. it would also incentivize subpoenaed individuals to be less forthcoming. they may be emboldened to destroy or not produce them. among the type of scams we investigate are ponzi and pump and dump market schemes. in these types of frauds,
2:08 am
illegal acts are likely to be communicated through personal e-mail accounts. technology has evolved since ecpa was passed. there's no question the law should evolve to protect privacy interests, even when significant law enforcement interests are also implicated. as part of that balance, any ecpa reform can and should afford a party's information that is sought from an isp in a civil investigation notice and an opportunity to participate in judicial proceedings before the isp is compelled to produce the information. indeed when seeking e-mail content from isps in the past, the division provided notice to e-mail account holders in keeping with long standing supreme court precedent. if the legislation was so structured, the individual would have the ability to raise with
2:09 am
the court any privilege or concern before the communications are provided to an isp. while civil law enforcements may have a limited avenue. such a judicial proceeding would offer greater protection to subscribers than a criminal warrant in which subscribers receive no opportunity to be heard before communications are provided. thank you again for the opportunity to be here today. we look forward to working with the committees on ways to modernize ecpa. i'm happy to answer any questions that you have. >> thank you, andrew. daniel? >> chairman grassley, ranking member leahy, and members of the committee, thank you. let me begin by noting that my oral statements and responses to questions are my own and they don't necessarily reflect the views of the commission or any
2:10 am
commissioner. having said that, i very much appreciate the opportunity to represent the ftc's testimony. the ftc supports the objectives of ecpa reform and understands the need to update it to account for technological advances. we rely heavily on our ability to conduct thorough investigations. recent proposals to update ecpa could impede our ability to obtain certain information from ecpa service providers. to obtain content from a service provider, the government could need to obtain a criminal warrant. the proposals would require a warrant for all forms of content, even those in which a
2:11 am
subscriber has no reasonable expectation to privacy. requiring a criminal warrant in three situations would impede effectiveness. we're talking about things like no longer running advertisements, previously sent spam, and ads on a mobile device. this content is critical to ftc investigations. we need to find the promotional material that contains the representation. scam artists change websites and electronic marketing materials frequently. when commission staff investigates complaints about a website, the website currently viewable to the public may be different from the one that the consumer complained about.
2:12 am
we have not used the tool often. most of the time our investigators are able to track down a target's old marketing materials without needing to seek the materials from the provider. but the increasingly fleeting nature of advertisements makes it quite likely we will need to do that more often. an exception from the criminal warrant requirement in proposed legislation from commercial content that promotes a product or service would enable the commission to obtain such commercial content. at the same time, such an exception would have no impact on privacy rights because the materials would be purely commercial and have been affirmatively published by the target. as a result, they would not have a reasonable expectation to privacy. the second situation is content
2:13 am
with a consent of the customer. as cloud computing becomes more widespread. it will be increasingly important for a civil law enforcement agency to compel a provider to expose content with a customer's consent. for example, a consumer victim who deleted a message from a scam may want the ftc to obtain that information from the service provider. even if the customer or subscriber has consented, we cannot compel the cloud computing service to disclose that content. third, a criminal warrant should not be needed when the ftc has compelled a target to produce content that is held by a cloud service provider and the target
2:14 am
has failed to comply with the ftc's command. we should be able to seek a court order directing the target's provider to produce the content. in conclusion, thank you for giving the commission the opportunity to discuss the importance of electronics communications. the ftc looks forward to working with the committee to address the committee's concerns. >> thank you all for your testimony. i'll start and then senator leahy will be next with our questions. andrew, we're going to start with you. the s.e.c.'s ability to carry out enforcement responsibilities and conduct investigations has been significantly curtailed as a result of the decision, but
2:15 am
we've been told the s.e.c. has not provided any examples of cases where access to electronic communications have been cut off due to that decision or would be impacted if the pending reform bills were enacted. can you provide any examples of the types of cases or investigations that have been affected since that case decision due to providers requiring a warrant when the government seeks to collect electronic content in a civil investigation? >> yes, senator. obviously, i can't talk about the details of ongoing investigations, but i can say there are a number of investigations in which if we were exercising our authority under ecpa to obtain e-mails through isps, we would do that in furtherance of the investigation, for example, manipulation schemes where if we had the authority, we would certainly do that. i can't necessarily say it would produce e-mails that would dramatically further the investigation because right now
2:16 am
i'm not able to know what e-mails we would obtain through that kind of process, but i can say there are investigations that are ongoing and there were investigations prior to the warshak case where we were exercising the authority that were significantly advanced by obtaining isp e-mails. >> you suggest that a warrant only requirement for obtaining electronic communications from an internet service provider could create obstacles in civil cases. can you provide examples in which the ftc is concerned about that would create obstacles to civil law enforcement cases? >> of course, senator. the types of cases we're talking about are those instances where the target or the defendant is trying to be evasive, is not
2:17 am
responding to discovery or to our civil investigative demands, so that's one classification. we can't get the information directly from the target. the other class of cases are where the target is an outright fraud, a fly by night scam, and we don't want to contact them directly. if we contact them directly, they may flee. they may destroy evidence, hide assets. >> this would be to any or all of you. there's a perception from the privacy and tech community that what you're really asking for is a mechanism that lacks judicial oversight and sidesteps the target of a civil investigation without any notice or hearing. in fact, the written testimony provided to us from google states that you're proposing to,
2:18 am
quote, amend ecpa so agencies can bypass the target of or even potential witnesses in civil investigations, end of quote. is this a fair characteristic of what you're really proposing? >> senator, no, it is not. we are asking for a mechanism to allow courts to compel this information from providers where necessary and has been mentioned, this is information that we try to get from subscribers where we can't get it from subscribers, we really do need it. there are ways of protecting privacy and ensuring there is an appropriate safeguard for civil liberties and privacy. >> we would give notice to the
2:19 am
subscriber and allow them to come in and offer objections. from our perspective, that's more protection than a warrant proceeding where it's ex parte where the subscriber is not present. >> do you have anything to add? >> i would agree the judicial mechanism we're proposing would require two things. one, we would have to go to the subscriber first. only when we're unable to get the information could we then seek a court order. it's two additional protections. first there would be the subscriber and then the judicial intervention. >> thank you, mr. chairman. we are putting things on the record. a great deal of consensus on the need to update ecpa. can these letters be placed in the record? >> yes.
2:20 am
>> thank you. ms. tyrangiel, the fbi uses warrants when it seeks the contents of e-mail in criminal investigations regardless of the age of the e-mail. is that correct? >> that is correct. >> so this bill would not change the fbi procedure in that regard. >> the bill would not change the procedure for criminal -- obtaining disclosure through a third party or public provider of stored e-mail regardless of age. >> privacy protection is afforded to e-mail or text messages, should that change if they're older than six months or if they've been opened?
2:21 am
>> no. we don't think there's a principled reason to treat e-mail differently. we don't think there's a reason to treat e-mail differently dependent on the age. >> no, i don't think we see any distinction there. >> salsburg? >> we agree with that. >> thank you. five years ago, we talked about the united states versus warshak. i'll ask the same question of both mr. ceresney and mr. salsburg. since that ruling, has the s.e.c. or the ftc obtained e-mail content through a subpoena issued to a third-party provider? >> we have not, senator leahy, but we've done so in an excess of caution and in deference to the reform discussions that have been ongoing in congress. >> and in deference to
2:22 am
five-year-old sixth circuit case which has not been overturned? >> our view is warshak does not deny us the authority to obtain e-mails through an administrative subpoena. we have always given notice to subscribers. there's a long line of supreme court and other circuit cases that says an administrative subpoena complies with the fourth amendment. >> we have not sought e-mail content after the warshak decision or since. >> you have sought a legislative solution from congress in the past five years? >> no, we have not sought a solution until now. >> we have obviously offered over the last few years to have ongoing discussions, and we have had discussions. >> have you made a proposal?
2:23 am
>> we have. >> have you given me a copy of the proposal you made? i don't seem to recall that. >> we've had discussions with staff about this issue over time. >> beginning five years ago or just since it looks like we might get something passed here? >> i can only speak to the two and a half years i've been director of enforcement. >> you set up a concrete proposal? >> we've been discussing proposals -- >> you've set up a concrete proposal for your agency? >> our view is we want to be responsive to proposals that congress is providing. to the extent that staff or particular senators or congressman have offered us what they're thinking about, we have offered them our thoughts on those proposals. >> are you seeking wiretap authority for your civil
2:24 am
investigations? >> no, we're not. >> you do want to be able to read e-mails without a warrant? >> what we're proposing, senator, is some sort of judicial proceeding that would find some sort of standard whether it be a standard that would allow us then to obtain e-mails with notice to the subscriber as part of the proceedings so that the subscriber can raise any concerns that they have. >> what about listening to your target's phone calls? >> no, we're not proposing that. >> wouldn't that be more efficient and more effective? >> senator, we are not seeking wiretap authority. that is something that the criminal authorities have that we do not. that is not something we're seeking. >> all right. how many federal, state, and
2:25 am
local agencies have civil regulatory authority that allows them to issue subpoenas for records? >> thank you for that question. certainly, the department of justice there are a number of civil enforcement functions, including anti-trust, tax, environment, civil rights. since warshak, they've been unable to get stored content from providers, and this has hurt their investigations and made it difficult in instances where they couldn't obtain information from subscribers. >> my time is up. i'm going to have a couple of questions for the record on that. thank you. >> let me read here -- then it would be perdue and then i assume it would go to the democrat, senator franken.
2:26 am
that's the way it'll end up being. >> ms. tyrangiel, am i pronouncing your name right? >> tyrangiel. >> you stated that the department had concerns about legislative proposals and safeguarding data stored abroad from improper government access. the electronic communications privacy act is silent on the privacy standard u.s. officials must satisfy in order to access data stored abroad. and yet the federal government has taken advantage of the statutory silence to apply its own standard. >> thank you for that question, senator. there is long standing legal framework that allows the government to serve compulsory
2:27 am
legal process on united states companies to require them to bring back information that is stored abroad, and the concern with proposals that would change that framework is that it would take away an option that has long been available under that framework and would replace it with international cooperation, which is not an adequate solution because those agreements that that kind of cooperation doesn't exist everywhere. only half of the countries we have agreements with. and because even when we can use those agreements, it takes a really long time and can delay investigations in times when we really need it to be fast. >> i don't agree with you on that point. that's why i introduced the leads act to establish a legal framework for law enforcement to access data stored abroad or overseas.
2:28 am
i'd appreciate any suggestions you have that might make a more workable bill or that might approve it or help you in your work. >> we look forward to working with you. >> thank you. the federal officials can obtain e-mails anywhere in the world simply by providing a warrant on a provider subject to u.s. process. nothing stops governments in other countries, including china and russia from seeking e-mails of americans stored in the u.s. from providers subject to chinese and russian process. in fact, the lawyer who is litigating the microsoft case on behalf of the government acknowledged last week that the ability for a foreign government to require disclosures of a u.s. provider, quote, should be of some concern, unquote. are you concerned about the far reaching or reciprocal consequences of government's current position on the extraterritorial reach of u.s.
2:29 am
warrants? >> thank you for that question. this is a challenging issue, one that the department is actively considering. whatever the solution is, we don't think that the solution should involve deciding conflicts of laws in a way that always works against the united states. historically courts have been able to weigh sovereignty interest, the interest of u.s. victim, governmental issues and other factors in decisions oncoming to the issues and any concern that would resolve all matters of conflicts of law in matters of every case. >> the treaty process facilitates formal agreements for sharing evidence between the united states and foreign countries. do you agree the process has proven slow and cumbersome to use in. >> it certainly is slow and cumbersome for us to get information from other
2:30 am
countries, which is part of our concern in the incoming process. we agree that there needs to be progress made and we're working on process technological and otherwise. i know that the administration requested resources in aid of that effort to improve things better. >> what can congress do to improve the process and how does another country access data stored here in the united states? >> so, again, these are really challenging issues and we look forward to working with you on them. one thing that is clear with the process is it is not a one size fits all kind of issue and people work differently all around the world. because it is so complicated, it requires an approach that takes into account the way that is operating now. and we very much look forward to working with you to streamline the process. >> i look forward to working with you as well and i hope we can streamline the process and make it work not only for you but for businesses and others as
2:31 am
well. thank you. >> senator whitehouse. >> thank you, chairman. in evaluating this question of civil access to content maintained by the service provider, i take a step back to the question of a criminal warrant. a criminal warrant is obtained by a government official going before a federal judge on an ex parte basis and getting the judge's consent to get access to the material involved. that protection is there, as i understand it, because of the immense power that criminal law enforcement gives to the government, power of, for instance, incarceration. we have a federal death penalty. so from the very beginning, the founders constructed a process
2:32 am
that limited arbitrary access to information on the part of the government when it had those terrible powers in its hands. ms. tyrangiel, does that have anything in regard to civil enforcement. >> it does not. >> the warrant would have to go before a federal judge to get access to the data for civil enforcement purposes? >> there are a number of ways to do it. but having a court compel that evidence -- >> a court order would satisfy you? >> yes. >> in a number of circumstances your colleagues here on the panel have suggested that the subject might actually be -- the subscriber might actually be notified first or that there might be notice to the subscriber so it would not be an ex parte proceeding, it would be a proceeding where the person
2:33 am
had every right to appear, correct? >> that's correct. >> now what happens, mr. salsburg in the case that you talked about where for a variety of reasons you don't want to reveal to a misbehaving party that this investigation is under way because they're likely to abscond or hide assets or whatever. do you want some form of ex parte process like a warrant provides where the civil agency could say, look, these are extraordinary circumstances, this is why we need access ex parte to this information and try to convince the judge of that? >> we're not actually asking for that authority. >> why are you talking about the -- why did you use that example of the importance of it? >> well, i suppose i conflated the previously public content argument that we have where we would still want to get the content from a provider when talking about content where
2:34 am
there's no reasonable expectation of privacy. >> do any of you seek a proposal under which the government would be able to make a showing that an ex parte provision is necessary and go forward without notice to the subscriber? >> we are not. from our perspective, in fact we're seeking the e-mails from the subscriber first. and if we're not able to obtain or don't believe we've received them, then we'll go to the isp. >> one requirement that we're relying on so much to be ex parte, you're not requesting that? >> we're not. we're looking for a limited availability to obtain -- >> through a court order. >> through a -- >> through perhaps the same judge you may have to go through to get the warrant? >> the same judge. >> in this case they would be there to -- >> that's more protection than a
2:35 am
warrant provides, yes. >> sure is. thank you very much, mr. chairman. i have a minute left before i yield back my time. i think chairman grassley asked you this. but just in case it doesn't come through as clearly to you as it did to me, i would be interested in looking back to cases that have come to a conclusion and where there is a public disclosure of the case where you can take a look at the case and say, this piece of evidence actually helped make that case and we got it because we were able to have access through the service provider to that information, not an ongoing case which i know is a very delicate circumstance for all of you. but closed cases looking back just so we can see whether or not this has made a difference in real life in the past. and with that i yield back my time, mr. chairman. thank you for holding this hearing. >> thank you.
2:36 am
now senator -- >> thank you, mr. chairman. thanks to all of you for being here. updating the electronics privacy act has been a priority of mine ever since i arrived in the senate. and now that i've been here four and a half years, i appreciate more fully how difficult it can be to bring about a change of law that basically everyone agrees on. the overwhelming majority of the american people -- and by that i mean 99.9% of anyone you can ask agree that a government ought to have a warrant before it goes after your e-mail, the content of your e-mails. number two, the same number of people would agree, i think by about the same ratio, that it ought not make any difference with whether that e-mail is 179 days old or 181 days old. whether or not the government has to get a warrant. and so, you know, this is a very simple principle that ought not be all that difficult to
2:37 am
legislate. but i've been honored to work on that legislation and i introduced senate bill 356, along with ranking member leahy in what seems to be a widely followed practice today. to start out with, i want to ask each of you a simple yes or no question. does your agency believe that it should, under normal circumstances, meaning in the absence of a generally applicable widely recognized exception of a warrant requirement, should it be required to get a warrant in order to get the content of people's e-mails regardless of the age of the e-mail? we'll start with you, mr. tyrangiel. >> we do not impose a criminal warrant for our criminal entities when they're obtaining information from a third party
2:38 am
provider to the public but notes concerns about that rule where there is no warrant authority available, like in our civil investigations. >> the answer is no. it allows the subject to object is an appropriate mechanism for obtaining e-mails. >> do we agree with the s.e.c. position? >> we do agree with the s.e.c.'s position. >> while there are a few people in washington, d.c. who can understand what you're saying, i think the overwhelming majority of the american people would be disturbed to hear that that question can't be answered with a simple no, that the government should not be able to get at people's e-mails. the content of their e-mail without a warrant. now, let me direct a question
2:39 am
your way, mrs. tyrangiel. i'm concerned that the department of justice, once it's obtained e-mails, it may use those e-mails for any investigation related to the initial reason for the acquisition or not. so if you obtained e-mails on a subpoena in a civil investigation, what if anything would prevent those same e-mails that you obtained without a warrant in the context of a civil investigation with the subpoena, what would prevent the department from using that in a criminal prosecution? >> so, certainly it would not be acceptable for things to be obtained on the civil side for the purposes of trying to use it on the criminal side. when things are in use, they should be done according to the authorities that are available. however, when criminal evidence becomes apparent, that information can be shared and we
2:40 am
are not proposing a way to get around the warrant requirement without any privacy protections. and there are ways of protecting privacy both by standard and process. what we're talking about on the civil side is a process protection. >> what kinds of safeguards would the d.o.j. propose in order to prevent a civil agency carve out from being used to avoid the warrant requirement? you can understand how that could easily be manipulated in order to avoid the warrant requirement. >> thank you for that question. i don't believe this instance is really any different than the other sorts of evidence that can be obtained in other ways. these are issues that exist as to all investigations, prosecutors and civil litigators and investigators are held to a standard, obey the rules, hold to the rules and follow the
2:41 am
process that the law requires. i'm happy to get back to you if there are further questions, to answer further questions. >> okay. thank you. i see my time has expired, mr. chairman. [ inaudible ] >> since senator leahy asked me to be here as ranking member, i have to be here. can senator blumenthal go next? because i'm forced to be here. next to you i am required. >> go ahead. >> yeah, okay. >> thank you. i want to thank senator franken for his courtesy. i am curious, mr. salsburg, in your testimony you express concern about what would happen if a customer consents to having her service provider turn over e-mails but the service provider
2:42 am
nonetheless refuses. can you give us some examples of how and when that might occur, if a customer says okay but the service provider says no. when and how would that occur? >> sure. let me give you two examples. the first is we're investigating a business and the business is readily willing to turn over information to us. but it maintains it all in the cloud. and the cost of that customer -- of that target, getting the information from the cloud provider is significant. where if they were to authorize us to go to the cloud service provider and use it and use our litigation support folks, they would rather have that happen. is that going to happen all of the time that a target is willing to turn over its information en masse to the government? no. but if that scenario arises, we should be able to use the compulsory process to get the information from the provider.
2:43 am
the second scenario is the customer is a victim and a victim no longer has access to the content of the claim that's been made to them and they want the government to go get it. >> have those two scenarios actually occurred? >> there have been a couple of instances where this has occurred. but it's not common. and what we're, what we're concerned about is as the move to cloud computing gets more ingrained and further along, these scenarios may happen more frequently. >> does the ftc have any recourse against the target of a subpoena if that target fails to do everything in his or her power to get e-mails from his service provider and get the provider to turn them over? >> it does. we can file -- if we're talking about an investigative demand, we can file enforcement actions. but at the end of the day, if the customer refuses to turn the information over, we would have
2:44 am
no ability under the pending legislation to get that information. >> under the pending legislation. >> right. >> under which -- >> under the -- >> 356? >> 356, yes. >> that's a suggestion you have for improving it? >> yes. interestingly, the provision that authorizes a provider to voluntarily provide information authorizes it to turn over the content with consent voluntarily to the government. and we want to make sure there's a provision that allows the government to compel it in those circumstances. >> if the target investigation has intentionally used an internet provider that won't cooperate with the ftc, so that target can pretend to consent but then in effect use the refusal of the internet provider as the barrier. is there anything the ftc can do
2:45 am
to penalize the target? if you understand my question. >> yes. you know, we can seek -- we can seek to compel if we're talking about an investigative demand. but ultimately we don't have the authority to penalize anybody. >> well, i welcome your suggestions for improving this legislation. as you know, i'm one of the im the ability of the people of the united states to have order, to avoid multiple frauds and thefts and computer abuses and violations of their privacies and things of that kind. and i ordered a publication not long ago and within a few weeks i get, i don't know how many more, selling me different kinds of publications of a similar nature. so somebody is sharing information all over. president obama was widely
2:46 am
congratulated for his brilliant ability to target voters because they knew all kinds of things about them, whether they went fishing, all of these things somehow is available to private sectors, political candidates. and we have to be sure that we're not placing too much of a burden on law enforcement as they try to do their duty to protect us from fraudsters and sex abuse and child kidnappers and terrorists. we have to be careful about it. i'm glad that the chairman is looking at this and we're asking it. the law enforcement that i've talked to indicate that they have certain problems that we ought to deal with in the legislation. one is there's often very long delays between the issue of a request, subpoena or an order to the actual production of the documents. two, we ought to consider what happens if you have erasure
2:47 am
of these documents within hours, a few days. is that appropriate? we don't allow that in phone company records, as i understand it. and third, i think it's critical, anybody who has been involved in law enforcement, i can imagine in a terrorist investigation, particularly, you've got to be able to effectively not tell the suspect that you're on to them, have somebody tell them that the fbi just got their records and they flee the country. those are law enforcement requests that need to be considered. ms. is it tyrangiel? >> tyrangiel. >> tyrangiel. so you can issue a subpoena for a telephone toll record that has the person's name, address, the length of their phone calls, the
2:48 am
numbers that they called without any content. you can get that with a subpoena, is that correct? >> yes, that's correct. >> and actually dea can get it with an administrative subpoena and so can the irs, without even asking a prosecutor's approval. prosecutors issue them routinely also. well, what about getting an e-mail address? it seems to me that's quite a lot -- a huge difference between just getting who the person has been e-mailing, just like you want to know who they called on the telephone, as opposed to the content of the e-mail. can that be obtained? and why should we enhance significantly the ability to get that information? >> thank you for that question. the standard is currently different, as i note in my sfr. the department does support equalizing those standards and bringing them in so you can
2:49 am
actually use the same standard that we have been using for traditional communications like telephone records to obtain the to/from material as well. >> that's a huge ning a lot of investigations. they say i never met this person and they got 50 phone calls. this is a hugely important and actually protecting the american people from criminals. then you've got the standard for content. mr. ceresney mentioned that a court order isn't much different from a search warrant. so you have a little less standard to get the older e-mail contents. is that correct? is that e-mail contents that you first get through the 120 days
2:50 am
and older? >> under the current statute for more than 180 days we can obtain them through an administrative subpoena with notice to the subscriber. we would support a judicial proceeding with notice to the subscriber that allows us to obtain the e-mail contents. >> and you can request, you can request, ms. tyrangiel, the confidentiality and no notice? >> we're not seeking that authority to obtain them with no notice. our general practice is to first seek them from the subscriber and if we do not obtain the e-mail then to go to this mechanism. we recognize there are important privacy issues here and we're trying to preserve those. but also trying to obtain the contents of the e-mail. >> i think we got to be careful about not having an ability to
2:51 am
protect against disclosure to the person. because i don't -- that's not true in other areas that you can get a nondisclosure order. and i can be critical -- if you're investigating a terrorist, and they know you're on to them, this could be a life and death issue. thank you. >> thanks to this panel. i appreciate it very much and we'll probably be in touch with you with some follow-up questions. i'd like to call the second panel now. and while they're coming, if i can have your attention, i want to introduce them to be efficient. richard littlehale is assistant special agent in charge tennessee bureau of investigations technical service unit, special agent littlehale is responsible for coordinating
2:52 am
the use of a wide range of technology, support of law enforcement operations, including using communication records in support of criminal investigations. he testifies on behalf of the association of state criminal investigative agencies. he received his bachelor's degree from bowdoin college and a law degree at vanderbilt. second is richard salgado. he serves as google's director of law enforcement and information security. before working at google, mr. salgado worked at yahoo!. and prior to that served as special counsel in computer crime and intellectual property section doj. he has also been a law professor at stanford, georgetown, george mason. he received his undergraduate degree university of new mexico,
2:53 am
law degree yale. next is chris calabrese. he worked at the american civil liberties union. before that he was legal counsel massachusetts senate majority leader. mr. calabrese graduated from harvard and a law degree from georgetown. finally victoria espinel, president and ceo software alliance which advocates on software industry before governments. she has previously served for over a decade in the white house under both republican and democrat administrations, including being nominated to be the first intellectual property
2:54 am
enforcement coordinator. graduated from school of foreign service, has an llm from the london school of economics and a law degree from georgetown. i want to thank all of you for appearing. let's do it in the order that you're seated there, left to right, my left to right. >> chairman grassley, ranking member, senator franken and members of the committee thank you for inviting me to testify. i'm a technical investigator in tennessee and i serve on the association of state criminal investigative agencies. i'm pleased to speak on behalf of the state and local law enforcement officers and to share a criminal investigator's perspective on the challenges that law enforcement faces when working today's digital crime scenes. the challenge of lawful access to electronic evidence is top of mind every day for those of us in the trenches. we agree the law should be updated but any effort should reflect its two-fold aim of
2:55 am
protecting privacy and assuring law enforcement's ability to obtain digital evidence when lawfully authorized to do so. i have three points for your consideration. first we have some concerns about the pending legislation, senate 356. it might well be time to protect additional stored content, but this bill creates greater protection for the stored digital content. bringing it into balance should put them on the same plane, not favor digital evidence over physical evidence. the notice provisions also seem one-sided. it's hard for investigators to understand why there are no requirements for how quickly they must respond to our legal demands but we should notify the customers that their records have been retained for three to five days. carefully balance the need of notification. time spent complying with arbitrary time lines for notice means less time investigating crime. we have grave concerns about
2:56 am
challenges that we've been vocal about in which the legislation does not address. whatever legal standard congress decide to impose, the public has a powerful interest in law enforcement's ability to actually get the information once we comply with the law. the reality is that legal barriers aren't the only barriers. nontechnical barriers and lack of a consistent framework slow our efforts as much or more. i urge you to ensure that whatever standard of proof you decide is appropriate, you ensure that law enforcement can access the evidence we need. there's no requirement before the committee today imposing on how is service provider respond to our legal demands. this is clearly problematic in emergencies and can prevent us from officially processing large volumes of leads. consider a pool from the missing and exploited children or pages and pages of online ads that
2:57 am
could hide sex trafficking victims. there may be an emergency in in but we can't know about it until we get response back from the service providers. speed is important in all investigations. not only would this help speed access to evidence, it can provide a great deal of transparency about government's access to records. third, governing law -- governing access to emergency records should be revised. everyone agrees that law enforcement should have rapid access to communications evidence in a life threatening emergency but that is not always the reality. the emergency provision is voluntary today, not mandatory. even when it's granted, there's no promise that we'll get the information. in some cases they decided never to provide evidence, no matter the circumstances. in an effort to better inform the committee, i solicited
2:58 am
feedback on these nontechnical barriers from a wide range of law enforcement agencies. the replies underscored the frustrations about the turn around times, the ability to speak to a human being and uneven access to records in emergencies. they talked about service providers who routinely prelitigate the legal process or who return legal documents without complying because the demand refused to use the specific terms that the provider requires. we appreciate for you to look at those issues. these are the day-to-day realities of professionals working the crime scene. those of us who spend our day and nights gathering digital evidence to find criminals and investigate their crimes need congress to understand and think about the implications and possible solutions. i want to re-emphasize how important this is.
2:59 am
we depend on it as a critical tool and set of rules that guides how we obtain the digital evidence. we urge the committee to balance both of these goals as we all work to get the reform right for the 21st century. thank you for having me and i look forward to your question. >> chairman grassley, ranking member and members of the committee, thank you for the opportunity to appear before you today. my name is richard salgado. as director for law enforcement and information security for google, i oversee the company's compliance. in the past i have worked on these issues as senior counsel in the computer crime and intellectual property section in the department of justice. google strongly supports s-356, the amendments act of 2015 which
3:00 am
currently has 23 co-sponsors, the house companion measure, e-mail privacy act has 292 co-sponsors, more than any other bill pending in congress. it's undeniable, it's unsurprising that there is strong interest in aligning it with the fourth amendment. and user's reasonable expectations of privacy. the original disclosure rule set out in ecpa back in 1986 were foresighted given the technology that existed at the time. in 2015 however, those rules no longer make any sense. users expect that the documents they store online have the same fourth amendment protections as they do when the government wants to enter the home, seize the documents stored in a desk drawer. there's no compelling policy. there's no compelling legal rationale for there to be different rules. in 2010 the sixth circuit opined
3:01 am
that ecpa violates the fourth amendment to the extent it does not require law enforcement to obtain a warrant in obtaining e-mail content. in doing so it struck down the 180-day rule and the distinction between opened and unopened e-mails as irreconcilable with protections of the fourth amendment. google believed that the interpretation in warshak is correct and we require a search warrant in all instances when the law enforcement seek to compel us to disclose the contents of gmail accounts and other services. warshak underscores the purposes of updating ecpa to ensure that a warrant is required when governmental agencies seek to compel service providers. warshak is effectively the law of the land today. it's observed by governmental entities and companies along.
3:02 am
in many ways s 356 is a modest codification of the status quo and the sixth circuit's conclusion. between the last time i testified in support of updating this in march of 2013 and now, the supreme court issued a landmark decision in riley versus california where it unanimously held that generally officers must obtain a warrant before searching the content of a cell phone incident to arrest. chief justice roberts noted that a regime with various exceptions contravenes our general preference to provide clear guidance to law enforcement through categorical rules. close quote. to reinforce this, chief justice roberts concluded his opinion with unambiguous direction to law enforcement. he wrote, the fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for
3:03 am
which the founders fought. our answer to the question of what police must do before seizing a cell phone is simple, get a warrant. close quote. this committee is being asked by some to jettison these rules. it would encroach upon the core privacy protections afforded by the fourth amendment. we urge the committee to reject such pleas and to codify the amendment that's reflected in the bill sponsored by senators lee and leahy. ecpa no longer comports with the fourth amendment. s-356 represents an overdue update that would ensure that the content is treated in a manner commensurate. it's long past time for congress to pass a clean version of s 356. thank you for your time and
3:04 am
consideration and i'd be happy to answer any questions you have. >> thank you, chairman grassley, ranking member, ranking member franken, members of the committee. thank you for the opportunity to testify on behalf of the center for democracy and technology. it's a nonpartisan nonprofit association dedicated to protecting civil liberties and human rights including privacy, free speech and access to information. we applaud the committee on holding a hearing on the electronics privacy act and urge the committee to speedily approve s 356. senator lee and leahy's electronic privacy act. every day people reach out to journalists and this committee, advocates plan protests against injustice and ordinary citizens
3:05 am
complain about their government. all of these activities are crucial to our democracy. they also rely on the long held constitutional guarantee of private communications secure from arbitrary access by the government. this is true whether the communication happens in the form of a letter, a phone call or increasingly an e-mail, text message or over a social network. but as the technology changed, the legal underpinnings that protect our privacy have not kept up. when it was enacted in 1986, it relied on three policy pillars. changes in technology have eroded this balance. the reliance on trusted third parties for long term storage of our communications have left those communications with the limited statutory protection. this void has created legal uncertainty for cloud computing,
3:06 am
one of the major business innovations of the 21st century and one at which u.s. companies excel. at the same time, information accessible to the government has increased dramatically. e-mails and text messages provide invaluable leads, insight into criminal activities and plans and demonstrate motive and intent. most if not all of this information would not have been available in 1986. in combination with the vast new stores of metadata, it's clear that for law enforcement, this is a golden age of surveillance. in the face of an outdated statute, courts have acted, recognized in cases like warshak that people have a reasonable expectation of privacy in their e-mail and at the same time invalidating key parts of ecpa. but that is not enough on its own. it continues to lag behind technological change and harm smaller businesses that lack an
3:07 am
army of lawyers. it creates uncertainty about new technologies that rely on the use and storage of the contents of communication. reform efforts also face a concerted assault from civil agencies that seek to gain new powers and blow a huge privacy hole in the bill. agencies have blocked reform, in spite of the fact that the s.e.c. confessed to never using subpoena powers post warshak. in regard to ecpa, a change wouldn't have any effect on our practice. criminal investigators have also suggested that changes be enacted so that companies turn over the entire contents of user inboxes whenever an emergency is asserted. however it's not clear this is a problem. major companies report only a few hundred of these requests every year. more troubling, approximately 20% of them must be rejected
3:08 am
because they failed to meet the emergency standard. support for privacy reform is deep and abiding. more than so 0 technolo100 tech signed on the reform principles. it includes the entire tech industry, span the political spectrum and represent privacy rights, consumer interests and free market values. the companion bill in the house has more than 290 cosponsors, including a majority of republicans and democrats. the committee has consistently sought to solve these problems through strong reform measures passing nearly identical legislation to s 356 in both 2012 and 2013. post-warshak a warrant for content has become the status quo. nonetheless, it is critical for the committee to approve s 356 in order to cure a constitutional defect in ecpa,
3:09 am
protect individual privacy and ensure that new technologies continue to enjoy robust constitutional protections. thank you. >> thank you. good morning, chairman grassley and members of the committee. i want to thank the chairman and ranking member for having this hearing. my name is victoria espinel. i appreciate the opportunity to testify today on behalf of bsa. bsa members have a keen interest in today's data privacy hearing. we support efforts to update ecpa and we commend senators lee and leahy for their leadership. it would better protect the privacy in the 21st century. we long worked with the members of the due process digital convention in support of this reform. our board of directors sent a
3:10 am
letter to congressional leadership this week highlighting data issues. and at the top of the list is ecpa reform. when it was enacted in 1986 most people have no conception of the e-mail or internet. congress gave law enforcement access to data while protecting privacy. for reasons that made sense in 1986 but not today, the law makes it easier for the law enforcement to obtain access to your old e-mail than it is a letter in your desk. this reform would close that loophole. this is important to us because customer trust is important to us. ensuring that customers have faith in the security and privacy of their e-mail and other online data is vital to ensuring their trust in digital services. simply put, if consumers do not trust technology, they will not use it. bsa supporting the amendments act because it will aid in
3:11 am
restoring the balance and the trust equation. and to quote ranking member from earlier this morning, we believe this is a in addition to the inconsistent requirements of ecpa, the law is unclear how to govern data requests that cross international borders. the lack of clear rules creates unhelpful confusion and has opened the door to u.s. law enforcement demands that could undermine user trust around the world. argued last week in the second court of appeals could set a significant and damaging precedent. in that case, the department of justice is seeking to compel microsoft to turn over the contents of one customer's inbox. the problem in the case is this, that the customer's e-mails are stored in ireland. and the same way that u.s. police can't simply fly to ireland and knock down a suspect's door to raid their home, law enforcement's jurisdiction online must be respectful of borders, as well. barging into an irish data center however done would be an obvious invasion of irish sovereignty and imagine the uproar if foreign police tried
3:12 am
such a move in the united states. law enforcement agencies from different countries must and do work together to provide mutual assistance. the bipartisan leads act led by senators hatch, coons and heller with 12 bipartisan cosponsors provides a way of addressing this issue. we commend them for their attention to these important questions. in sum, bsa supports the ecpa amendments act and the leads act because we believe it is critical to modernize u.s. privacy protections in order to address three important goals. first, protecting global privacy by setting strong consistent standards. we should require a warrant for all digital content and we needed to create a framework for international cross border requests. we'll be in a better position to protect the privacy of american citizens if we are not setting an example for foreign governments to reach back into the united states. second, increasing transparency and predictability. for consumers, for companies, and for law enforcement.
3:13 am
we should help bolster consumer trust by enabling companies to clearly communicate the rules around the privacy and the security of their data. and third, enhancing the ability of law enforcement to work together across international borders. we need a new forward looking framework to address these cross border requests and need to improve the mlat system. there is a misperception that u.s. law enforcement has unfettered access to data stored by u.s. companies. it is only in this perception but that misperception is doing real harm to user trust. the to fix that should begin here with the legislation pending before this committee. if i may, i would like to close by wishing an early happy birthday to the chairman, as well. thank you very much. i look forward to your questions. >> thank you very much. i'm going to ask my questions last because i want to accommodate senator sessions. then after that, it would be whitehouse and then hatch and
3:14 am
then senator from minnesota. >> i think i'll put mine on on the record, mr. chairman. but thank you. >> go ahead, senator sessions. >> thank you very much. i do have a commitment at lunch. well, you introduced a federal law enforcement officers association letter. which notes that law enforcement relies on electronic information "to generate leads, identify suspects, exonerate the innocent, obtain justice for the victims of crime who often suffer violations of their civil rights, and privacy by individuals and terrorists." so i would offer that and note that many others are sharing the same comments including the fbi agents association fraternal order of police, the national sheriff's association, the national district attorneys association and the major cities chiefs association to name a few. well, i do believe that if you
3:15 am
obtain a subpoena to after individual file in a bank and there's a letter in that file from the customer, then you can obtain that i believe under current law based on a subpoena and that's been part of the history of the country. however, i will acknowledge that the ability to obtain all e-mail traffic as it goes to another level. so i think it's right for us to consider how to restrict that and to be consistent with the supreme court and the reality that people entitled to a degree of privacy and expectation of privacy in the contents of those e-mails. so i don't know that that's required by the constitution. maybe the supreme court says it is, but as a practical matter, i can understand that and i think
3:16 am
we can work with that. mr. littlehale, on this panel, you're i believe the only law enforcement strong advocate. but let me ask you, is there a problem, a realistic problem briefly with computer companies and so forth delaying answers to legitimate requests from law enforcement? and does that at times place people at risk? >> thank you for the question. yes, indeed. an example that mr. salgado offered was the riley decision requiring a search warrant for a cell phone. if i get it, i determine how quickly i execute it. once i have the warrant under the decision, i can execute the search right away. in the instance of a search warrant for a service provider, we are dependent on the service provider to process that warrant as they see fit under existing law and we suggest that that should change. >> and you as a practical experience, you've had what you
3:17 am
consider law enforcement what they consider inordinate delays and responses on occasions? >> that is the sense of us that do this every day for a living, senator, yes. >> you've worked with child exploitation experiences and the need oftentimes for the most swift response. are you concerned that we may be moving into a world where everything is erased very quickly from the time it's happening and what impact would that have? >> the concern that even when we get the process that's required, the records are no longer there is a concern partially because of the limits of the technology and the absence of requirements that govern how long those records live on those servers. they may disappear. there's also in some instances now a commercial incentive for providers of service to remove those records in a timely fashion to assure their customers that the records are private. >> and so the legislation is as
3:18 am
written has nothing on either one of those two issues to improve them? >> that's correct, senator. it doesn't. >> and briefly, are you concerned about the ramifications of customer notification and the dangers and problems that could pose for law enforcement? >> we are indeed, senator, both because of the dangers it may pose to our investigation and also because of the administrative burden that a scheme whereby we must go every 90 or 180 days and obtain delay and notification order after delay and notification order in a world where a unit like mine has tens or hundreds of legal demands outstanding at any different time. >> cases, some of them are life and death investigations. finally, to what extent does this preempt state law and are
3:19 am
we dealing just with federal law enforcement or are we impacting every police officer, sheriff and prosecutor in america? >> you are indeed. federal law will set a bar. certainly states are free to offer more protection but we must conform with federal law where it supersedes state law. >> thank you all. it's an important issue we need to wrestle through it and try not to do any damage because people should not treat lightly the difficulties of investigating criminal activity and how you prove a case. and the idea that you can just get it by more police officer shoe leather is always been false and some of these information so gathered could be critical in saving lives and stopping crime. thank you, mr. chairman. >> senator whitehouse and then senator hatch. >> thank you. ms. espinel, you have done a
3:20 am
terrific job for the administration. you've always been a great witness before this committee. why a warrant requirement and not a court order requirement when a warrant is such a court order? and it's actually a court order of a particularly pro government kind because it is ex parte and has quite a low standard relevancy standard likely to lead to the production of information? >> just to be clear, i assume your question is not about the 180 day distinction. >> no the access, wouldn't the companies you represent if they're willing to comply with a warrant, why would they not be willing to comply with a court order? >> so i wouldn't want to imply that our companies are not willing to comply with any type of appropriate legal process. >> from a legislative point of view, they're as opposed to being asked to apply with a court order.
3:21 am
>> in this case we believe the civil agencies have other tools at their disposal and do not believe it is appropriate to extend an exemption to the warrant as you know or this type of court order to them. >> you realize that puts you in the position of saying that if the department of justice goes before a judge and in a very pro government ex parte proceeding gets a warrant, you're okay with that if the same doj goes before the same judge and in a contested proceeding where the subscriber actually has the right to be present and litigate the matter and then they obtain a court order, you're as opposed to that? that's the position you're left with you, you are not? >> i think our position is that the civil agencies have the tools that they have. we very much appreciate the job they do every day. i should be clear about saying that. >> except it makes civil frauds and civil racketeering and things like that potentially
3:22 am
uninvestigatable if the target has done a good enough job of hiding his other traces. >> if we believe that be the case, we wouldn't take the position we have. our belief is the civil agencies with the tools they have can veth. it is our belief that the type -- >> you have to be arguing in order for that to be the case, you have to argue there's no case in which access to information by direct request to the service provider contributed in a material way to an investigation? >> i think it's difficult to be categorical in a hypothetical situation. so i would not want to say that. but i will say i think we think on balance, balancing the law -- the needs of law enforcement with the privacy here we believe that the best -- the best outcome to this is that the civil agencies work with the tools they have rather than extending this new power to them. >> but you agree and accept that
3:23 am
a contested court proceeding in open court with the target of the investigation present is a more rigorous judicial safeguard than a warrant application rendered ex parte? >> i would agree it has different types of protection than a warrant does. i don't necessarily say that i would agree that it is a more rigorous standard. >> really? that would be a novelty. okay. >> but i believe -- i would agree with you there are different implications for privacy involved in the different kind of court order. >> mr. salgado, who has a reasonable expectation of privacy against court ordered disclosure of information? >> well, we think that the user certainly when issued a court order is going to have the obligation to enter the account, pull the data out and produce it. in that context, the user's expectation of privacy has been satisfied. can control the entry into the
3:24 am
record. >> you don't think anybody has a reasonable expectation of privacy in this country against a court order divulging information, nobody thinks that they have a right to ignore court orders, do they, in terms of the reasonable expectation. >> if the court order is issued to the user compelling the user to take action, and the user has an opportunity, notice an opportunity that's classic rule of law good process. >> so you think the reasonable expectation of privacy on the part of a person with respect to their own information depends on where the request for information is made? >> i think in part it does. >> interesting and novel view of reasonable expectation of privacy. >> i'm not sure it is. you can think about the sec's proposal here in a slightly different way in the physical world and see how it works out. if you had a situation where a user had records secreted in their home and was refusing to comply with the court order, but
3:25 am
it was clear they had these documents or there was at least some reasonable suspicion, whatever the standard would be for this civil order, what the sec would have us do is issue an order to allow them to enter the home to go get the records. in fact, it's slightly different than that. the order would be issued not to the sec to go into the home but perhaps a landlord or somebody else who could get the records and produce it to the sec. this is -- i don't think we would stand for this in the physical world. we would say to the user or in this case the homeowner, you have the obligation to comply with this order. your failure to comply with this order meets all sorts of enforcement sanctions some of which the sec witnesses describe. that's it. at no point are you going to have. >> you would be comfortable with a court order in which the owner of the information was present in the courtroom and the court
3:26 am
directed that owner of the information to require you as the custodian of the information to provide it to the -- to law enforcement? >> you just have to take that bank shot off the individual in order to solve the problem that you just described. >> it isn't. remember we're talking about a protected area. the protected area, either it's the home or the account. should be entered only in the civil context for civil infractions by the user. the court ought to order the user to enter a protected area. >> that's what i said. >> but not order the provider to do it on behalf of the agent. >> they could order the user. you would be comfortable with a court order as long as it directed the user to release the information maintained by your company. >> that's right. the user -- that's exactly right. >> as long as you've got the user right there in the courtroom, they could be subject to such an order. >> that's right. this is what's done now. >> long since over and i have other senators waiting.
3:27 am
my apologies for going over my time. >> i thought you asked good questions. thank you. senator hatch. >> thank you, mr. chairman. miss espinel, currently the u.s. government takes the position that it can compel a technology company to turn over data located anywhere. anywhere in the world. belonging to a citizen of any country so long as the data can be accessed in the united states. now, how does our government's position, how has our government's position affected the global competitiveness of the companies you represent? are they losing business? and if so, how? >> thank you. first, i will start off by saying that i'm proud to say i think the u.s. leads in technology. that has been the case and i believe it will continue to be the case and that is the case in part because of policies and laws that our congress has put in place. we do have concerns that the
3:28 am
situation that exists right now is undermining customer trust around the world and our ability to compete is undermined if customers around the world do not trust the u.s. technology providers. so we do have real concerns that the cases going on and that the outcome of the case will risk customer trust and that that will have a negative on the ability of our company to compete overseas. i think the worst case scenario for this is if we end up in a position where foreign governments are prohibiting companies either their government agencies or their companies to use u.s. technology because of these concerns. >> do you agree that the government's position on the extraterritorial reach of u.s. warrants puts our privacy at greater risk of intrusion by foreign governments? >> yes. we believe that there is a serious risk that this will create an example that other governments will use to reach back into the united states. and in fact, in my testimony i
3:29 am
refer to a case that was argued last week in the second circuit. this issue came up and played out in the arguments in that case. so the -- and that case, the department of justice took the position that the disclosure that ecpa does not regulate the disclosure of contents of e-mail as long as that disclosure takes place overseas. if you take the argument to the logical conclusion, that means that u.s. law would not be able to stop any foreign government from reaching back into the united states and accessing or demanding the data or e-mails of anyone sitting in this room. we have real concerns about that. we think that is an issue that should be addressed. it needs to be a framework that is easy for companies, customers and law enforcement to understand. we believe the congress has a role to play there. this is an issue that can be addressed. and we support the leads act as
3:30 am
a way to try to address that concern. >> some have questioned whether the act would promote data localization. do you agree? >> so i should say that we, the software alliance are categorically opposed to localization. we have been discouraging governments from putting those policies in place around the world. we would not support this legislation if we believed it would lead to data localization. data localization happens for lots of reasons. many of which are straight up protectionist, foreign governments trying to keep u.s. technology companies out of the market. but we do not believe that the outcome of this bill would be to lead to greater data localization. what we think is a much greater risk is failing to address this issue and set up a clear framework for how to deal with these international requests will lead to a situation where u.s. companies are being locked out of markets or lead to a situation where other
3:31 am
governments are seeing what's happening in the u.s. and using that as a road map to reach back into the united states to get the data of our citizens. we think that is a much greater risk. >> i agree with you. mr. salgado and mr. calabrese, do you agree there's a need for legislation that creates a legal framework for how and when law enforcement can access data stored abroad? >> i can speak for google on this. we think that there is a need for legislation that addresses the access by u.s. law enforcement of users who are not in the united states who are not u.s. citizens. the focus on where the data is stored doesn't make sense to us. we think it would lead to some bad results. but putting aside that one feature of the leads act, we think there are ways to structure it that don't take into account and aren't so wed to data localization as the feature that would still satisfy
3:32 am
the spirit and aims of the proposal. >> do you agree with that? >> first, we appreciate your support for the leads leahy bill as underlying and being added to by your leads act. certainly this is a complicated area. cdt believes that you started an incredibly important conversation. you've created some tools in terms of mlat reform that would be invaluable in speeding law enforcement investigations. and we believe that we can find an answer that gives everyone appropriate access to information overseas and we worry about allowing the chinas and the russias of the world to have access to the information held by u.s. companies and we appreciate your efforts to avoid that. >> thank you. chairman, could i ask one more question? >> yeah, go ahead. >> i don't mean to hold you up. for both of you again, mutual legal assistance treaty or
3:33 am
mlat process facilitates formal agreements for sharing evidence between the united states and foreign countries. unfortunately, the process has proven slow and cumbersome to use. how important is it that congress improve the mlat process to make it more transparent and streamlined, if you will? >> thank you, senator, for that. yes, the -- i think mlat has proven to be a very valuable mechanism. it's critical for keeping good rule of law and sanity on international cooperation around data collection. it is also proven to be very slow and it's hindering legitimate investigations overseas, it has caused non-u.s. governments to take aggressive legislative action because it doesn't -- they don't have good mechanisms to be able to get information they need from u.s. companies and data that's stored in the united states or
3:34 am
held by u.s. people in an effective way. so certainly i agree with you we've got to find a way to improve the cross border exchange of evidence. it's going to be good for users, it will be good for the internet and good for rule of law. the actual steps that we need to take i think there are some things we can be doing around the mutual legal assistance treaty process itself to streamline it. some of them are rather obvious things to do, to do more training how to use the treaty process outside of the united states. certainly the funding being provided to the office of international affairs and the department of justice is going to go a long way. the bureau setting up an mlat unit. there's many very practical steps that can be taken to help improve the treaty process. we also think it might be time to take a look at alternatives to the treaty process. situations where it may not be necessary for the u.s. to exert quite so much control over a data disclosure in situations where it may not actually have
3:35 am
equities in the behavior of u.s. company around a disclosure. lots of discussion to be had there. but we appreciate the leadership, sir, in your part in trying to find ways to make this quicker. >> senator coons? >> thank you, senator grassley. thank you for this hearing and to senator hatch for your questions, as well. to the panel and the first panel plaintiff salgado, we've heard some discussion about the warshak case in 2010, it essentially vindicated your process that the digital due process coalition shares that warrants are required whenever law enforcement seeks a subscriber content under ecpa. while that decision is binding law technically only in the 6th circuit, doj and federal agencies have testified they're following it nationwide. could you just for my benefit speak to why is statutory reform still necessary? >> it is true the constitutional law and the way we're behaving i think does reflect that a
3:36 am
warrant is required by the agencies be them civil agencies or criminal agencies in order to get the content of communications we think that's right. but what we have on our books right now is an unconstitutional provision. we can fix that. we've got a very elegant way in the current bill that takes care of this. quickly, easily. it doesn't actually change the way that agencies are going to be responding and the way they have been for the last five years. we certainly appreciate the concerns that have been raised in the rather long debate over this provision. but i'm afraid these may really just be some distractions around what this committee can do. and can do the right thing and pass this bill without further delay to deal with some of these other issues that are worthy of discussion need not hold up a change that everybody agrees is needed. >> thank you for that answer.
3:37 am
mr. calabrese, what should congress be aware of when it considers the international implications of ecpa warrants in terms of any relevant concerns you would have us hold right in front of us when we move forward? >> senator, i'm going to apologize up front. there's something that's been discussed a great deal i feel needs to be corrected on the record. so i promise to answer your question. if i could have 30 seconds to just -- what has been said here, we have conflated two really important and different things in this committee today. one is a court, some kind of court order based on a subpoena and one is a probable cause warrant. these are not the same thing. a subpoena gives you access to all information that is relevant. as pursuant relevant to a civil investigation, a civil infraction. so you know, if you make a mistake on your taxes, that's a potential civil infraction. nothing that has been put
3:38 am
forward by the sec would do anything but be a dramatic expansion of their authority to get at ordinary people's inboxes, not just the subjects of investigation but ordinary folks who may be witnesses. those people would have their -- everything in their inbox that was relevant to an investigation so a dramatic amount of information as opposed to probable cause of evidence of a crime. that's a really troubling privacy invasion and it's one that has nothing to do with the underlying bill. so i apologize for hijacking your question. i felt it was really important for this committee to understand that we would be talking about a huge power grab by civil agencies no matter how they frame it. it's incredibly important that we update the mlat process and update ecpa because we have the strongest, i believe, and i'll be paternalistic here, we have the strongest privacy
3:39 am
protections in the world with a warrant based on probable cause by a neutral magistrate. right now, we are seeing companies come to -- excuse me, other countries come to us and essentially meet that standard. it's really important that we keep that. and that they continue to meet that standard and one of the best ways we can do that is by having a quick streamlined mlat process so they can give us the information we need and we can have you know, we can have everybody around the world perhaps bring their standard up to that important probable cause standard. >> thank you. and miss espinel, i'm glad you were able to testify today. i greatly enjoyed working with you and now in your current role at bsa. i'm grateful for your long and effective leadership on intellectual property issues and now on the issues in front of us. i've worked with senator hatch and 11 others to introduce the leads act which clarifies that the warrants can't be used to compel searches abroad.
3:40 am
this common sense rule would enhance trust and transparency and our competitiveness. some in law enforcement have argued that an extraterritorial ecpa is needed because processes like the mlat are too slow. can you speak to that concern and how your members strive to be good partners to law enforcement often without the need to obtain a warrant or go through the mlat process. >> yes, thank you for your leadership on the leads act. i want to be clear we do not want to make the job of law enforcement any harder. we very much support the critical mission that they have and our companies work every day both what they do and with law enforcement to help support that mission. we've talked a lot about mlats today. we also very much support mlat reform. i'd be happy to elaborate on the reasons why we do and the things we think could be done to help improve the system. but you raise an important point that mlats are not the only
3:41 am
way that u.s. law enforcement can work with foreign law enforcement. so to give a practical example of that on january 7th of this year, the horrific attacks on the charlie hebdo office took place in paris. in that case, u.s. law enforcement working with french law enforcement went to one of the companies i represent, they went to most and asked for e-mail lever information relevant to the manhunt taking place in paris at the time. it was the middle of the night on the west coast within 45 minutes, the e-mails relevant were in the hands of french law enforcement. i raise this as an example that mlats are a tool we think should be improved but they are not the only tool law enforcement has to work with foreign law enforcement. we believe that it is important both for us to improve the mlat system and for us to be looking for as many ways as possible to enhance the cooperation between u.s. law enforcement and foreign law enforcement. >> thank you. thank you, miss espinel and
3:42 am
thank you to the entire panel and mr. chairman for convening this important hearing today. >> mr. salgado, advocates for ecpa seek a warrant for content rule. as you know earlier this summer, our judiciary committee held a hearing on going dark issue where we heard from fbi director and others that some of the technology companies are employing sophisticated encryption technology that makes them unable to turn over customer content information including e-mails. and text messages. in effect, this technology made court authorized warrants not worth the paper they're printed on. i know google is one of the leading technology companies in the world. does google employ this kind of technology that prevents it from responding to court for the content of e-mails or text messages or photographs and if not, do you believe your systems
3:43 am
are fundamentally insecure or fatally flawed? >> thank you, mr. chairman. we are working towards more encryption on our products and our services. as part of a larger plan to make sure the data services we provide to our users are secure. and the users can use our services knowing that the information that they entrust to us is safe. this is an effort we've been taking on over many years and as the technology improves and processing power increases, it's our intention to continue improving the security of our systems. in many different ways encryption is just one technique to make sure that the data stored with us is in a secured state. there's lots of different ways to secure data besides encryption. i think there's pretty much a consensus in the security community that encryption is a critical and fundamental way to protect users' data from the very thieves identity theft
3:44 am