Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  September 18, 2015 11:00pm-12:01am EDT

11:00 pm
communications in appropriate circumstances from isps. such a judicial proceeding would offer greater protection to subscribers than a criminal warrant in which subscribers receive no opportunity to be heard before communications are provided. thank you again for the opportunity to be here today. we look forward to working with the committees on ways to modernize ecpa. without putting investors at risk and impairing the fcc from enforcing the federal securities laws. the i'm happy to answer any questions that you have. >> thank you, andrew. daniel? >> chairman grassley, ranking member leahy, and members of the committee, thank you. let me begin by noting that my oral statements and responses to questions are my own and they don't necessarily reflect the views of the commission or any commissioner. having said that, i very much appreciate the opportunity to represent the ftc's testimony. and explain how proposals to reform ecpa could reform the mission.
11:01 pm
the the ftc supports the objectives of ecpa reform and understands the need to update it to account for technological advances. and to protect consumers' privacy. in bringing actions, we rely heavily on our ability to conduct thorough investigations. of companies' business practices. as a civil law enforcement agency, the fcc's concerned that recent proposals to update ecpa could impede our ability to obtain certain information from ecpa service providers. in proposals, to obtain content from a service provider, the government could need to obtain a criminal warrant. which is not available to the ftc. the proposals would require a warrant for all forms of content, even those in which a subscriber has no reasonable expectation to privacy. we are concerned that requiring a criminal warrant in three situations would impede effectiveness.
11:02 pm
we're talking about things like no longer running advertisements, previously sent spam, and ads on a mobile device. this content is critical to ftc investigations. before determining whether a target has made a false representation, we need to find the advertising or promotional material that contains the representation. the in many instances, the scam artist change websites and electronic marketing materials frequently. when commission staff investigates complaints about a website, the website currently viewable to the public may be different from the one that the consumer complained about. kucht ec we have not used the tool often. most of time our investigators are able to track down a target's old marketing materials without needing to seek the materials from the provider. but the increasingly fleeting
11:03 pm
nature of advertisements, makes it quite likely we will need to compel advertising materials more often. an exception from the criminal warrant requirement in proposed legislation from commercial content that promotes a product or service would enable to the commission to obtain such commercial content. at the same time, such an exception would have no impact on privacy rights, because the materials would be purely commercial and have been affirmatively published by the target. as a result, the target would not have a reasonable expectation of privacy with respect to government access. the second situation which should be exempted from the criminal warrant requirement is content with the consent of the customer. as cloud computing becomes more widespread, it will be increasingly important for civil
11:04 pm
law enforceme menment agencies compel an ecpa provider. for example, manipulation schemes where if we had the authority, we would certainly do that. when a customer consents to disclosure to the government, the customer has no reasonable expectation of privacy. third, a criminal warrant should not be needed when the ftc has compelled a target to produce content held by a cloud service provider. under these circumstances, the ftc should be able to seek a court order directing the target's provider to release the content. in conclusion, thank you for
11:05 pm
giving the commission an opportunity to describe the importance of electronic communications in our investigations and the ways in which proposed updates to ecpa while important could hinder our law enforcement actions. thank you all for your testimony. i'll start and senator leahy will be next with our questions. chair woman white has told us that the fcc's ability to carry out enforcement responsibilities and conduct investigations has been significantly curtailed as a result of the warsaw decision, but we've been told that the fcc has not provided any examples of cases where access to electronic communications have been cut off due to that decision or would be impacted if the pending reform bills were enacted.
11:06 pm
can you provide any examples of the type of case or investigations that have been affected since that case decision due to providers requiring a warrant when the government seeks to collect chronic content in a civil investigation? >> yes, senator, obviously, i can't talk about the details of ongoing investigations, but i can say that there are an um in of investigations in which, if we, if we were exercising our authority under ecpa, we would do that. for example, manipulation, touting schemes. i can't necessarily say it would produce e-mails that would dramatically further the investigation because right now i'm not able to know what it is that e-mails we would obtain through that kind of process, but i can definitively say that there are investigations ongoing and there were investigations even prior to the warshack case
11:07 pm
where we were exercising authority that were advanced by obtaining isp e-mails. >> along those same lines in your written testimony you suggest that a warrant-only requirement for obtaining electronic communications from an internet service provider, quote, could create some obstacles in further civil raw enforcement cases. would you provide us examples of the type of cases and situations the ftc is concerned about that would create obstacles to future civil law enforcement cases? >> of course, senator. the types of cases we're talking about are those instances where the target or the defendant is trying to be evasive, is not responding to discovery or to our civil investigative demands. t
11:08 pm
the, so that's one classification. the other class of cases are where the target is an outright fraud, like a fly-by-night scam. and we don't want to contact them directly. you know, if we contact them directly, they may flee. they may destroy evidence, destroy records and hide assets and keep us from being able to get money back for consumers. >> okay. there's a, this would be to any or all of you. there's a perception that what you're really asking for is a mechanism that lacks judicial oversight and sidesteps the target of a civil investigation without any notice or hearing. in fact, the written testimony provided to us from google states that you are proposing to quote, amend ecpa so that agencies can bypass the target of or witnesses in civil
11:09 pm
investigations. end of quote. for any or all of you. t is this a fair characteristic of what you're really proposing? >> senator, it is not. we are asking for a mechanism to allow courts to compel this information from providers where necessary and has been, as has been mentioned, this is information that we try to sdet from subscribers. where we can't get it from subscribers, we really do need it, and there are ways of protecting privacy in ensuring there is a certain process. >> andrew? >> and i would add that the mechanism that we are proposing is judicial procedure, we would give notice to the subscriber and allow them to come in and offer objections. and from our perspective, that's more protection than a warrant proceeding that's ex parte where the subscriber is not present.
11:10 pm
>> do you have anything to add? >> i would agree that the judicial mechanism that we are proposing would require two things. we'd have to go to the subscriber first, and only when we are unable to get the information from the subscriber could we then go and seek a court order. so it's two additional protections. we'd have to first get it from the subscriber, and then there would be judicial intervention. >> senator leahy? >> thank you. first off, there's a great deal of consensus for the need to update ecpa. i would ask consent that these letters be placed in the record in support. thank you. they range from the chamber of commerce, former director of the fbi sessions, civil rights and many others. let me ask you a question.
11:11 pm
the fbi now use warrants when it seeks the content of e-mail communications in criminal investigations. regardless of the agency e-mail, is that correct? >> that is correct. >> so this bill that senator lee and i have would not change the fbi procedure in that regard. >> the bill would not change the procedure for criminal, obtaining disclosure through a third party provider of stored e-mail regardless of the age. >> thank you. should a privacy protection that's afforded to e-mail or text messages, should that change? if they're older than six months? or if they've been opened? >> no, we don't think there's a principle reason to treat e-mail differently depending on the
11:12 pm
age. >> no, i don't think that we see any distinction there. >> mr. salisbury? >> we agree. >> thank you. you know, we talked about the united states versus warshack. i'll ask the same question to both of you. since that ruling, has the fcc or the ftc obtained e-mail content through a subpoena issued to a third-party provider? >> we have not, senator leahy, but we've done so in an excess of caution, and i think in deference to the rye form discussions that have been going on in congress. our view -- >> and in deference of a five-year-old sixth circuit case which has not been overturned? >> no, our view is that warshack does not deny us the authority to obtain e-mails through an
11:13 pm
admin stradministrative speubpo. >> mr. salzburg? >> we have not sought e-mail content either before the warshack decision or since. >> and you have permanently sought a legislative solution or change from congress in the past five years? >> no, we have not sought a solution until now. >> we've obviously offered over the last few years to have op goig -- ongoing discussions. >> have you made a proposal? >> we have. >> can you give me a copy of the proposal you made? i don't seem to recall that. >> we've had discussions with staff about this issue over
11:14 pm
time. >> beginning five years ago? or just since, or just since senator lee and i looked like we might actually get something passed here? >> no, i can only speak to the two and a half years i have been director of enforcement. we've had discussions with the staff throughout that period of time. >> and you sent up a concrete proposal? >> we've been discussing proposals that the staff -- >> have you sent a concrete proposal from your agency? >> our view is we want to be responsive to proposals that congress is providing. so to the extent that staff or particular senators or congress men have offered us what they are thinking about, we have offered them our thoughts o n those proposals. >> are you seeking wire tap authority for your civil investigations? >> no, we're not. >> you do want to be able to read e-mails without a warrant. >> what we're proposing,
11:15 pm
senator, it's some sort of judicial proceeding that would find some sort of standard, whether it would be some sort of standard that would allow us to obtain e-mails with notice to that subscriber with notice of the proceedings so that the sub describer can raise any concerns that they have. >> what about listening to your target's phone calls? >> no, we are not proposing that. >> wouldn't that be more efficient, more effective? >> senator, we, we are not seeking wire tap authority. that is something that the criminal authorities have that we do not. that is not something we're seeking. >> all right. how many, how many federal, local and state agencies have civil authority to allow them to issue subpoenas for records? >> thank you for that question. certainly at the department of
11:16 pm
justice, there are a number of civil enforcement functions, including anti-trust, tax and environment, civil rights. since warshack, they have been unable to get stored content from providers, and this has hurt their investigations and sort delay and make it difficult in instances where they couldn't obtain information from subscribers. >> ply time is up. i'm going to have a couple questions for the record on that. thank you. >> now senator hatch, let me read here, it would be hatch, whitehouse. and then it would be purdue, and i'd assume we'd go to the democrat senator franken, and tillis of hose wthose who are h now. >> in your written testimony,
11:17 pm
you've stated that the department had concerns about legislative proposals aimed at safe guarding data stored abrought from improper government access. as you know, the electronic communications privacy act is silent on the privacy standard. u.s. officials must satisfy in order to access data stored abroad. and yet the federal government has taken advantage of the statutory silence to apply its own standard. what is the legal basis for law enforcement agents to use ecpa warrants to obtain data stored overseas? >> thank you for that question. thank you for that question, senator. there's longstanding legal framework that allows the government to serve compulsory legal process on united states companies to require them to bring back information that is stored abroad. and the concern with proposals that would change that framework is that it would take away an
11:18 pm
option that has long been available under that framework and would replace it with international cooperation, which is not an adequate solution, because those, those agreements, that kind of cooperation doesn't exist everywhere. only about half the country, as we have agreements with. and because even when we can use those agreements, it takes a really long time and can delay investigations in times when we really need it. >> i disagree with you, that's why i introduced the leans act, for law enforcement to access data stored abroad or overseas. my bill's trying to help your efforts, and i'd appreciate any suggestions you have that might make it a more workable bill or might improve it or help you in your work. >> we look forward to working with you. >> thank you.
11:19 pm
if federal officials can obtain e-mails stored anywhere in the world simply by serving a warrant on a provider subject to u.s. process, nothing stops governments in other countries, including china and russia, from seeking e-mails of americans stored in the u.s. from providers subject to chinese and russian process. in fact, the lawyer who has litigating the microsoft case on behalf of the government acknowledged last week that the ability for a foreign government to require disclosures of a u.s. provider, quote, should be of some concern. unquote. now, are you concerned about the far reaching or reciprocal consequences of government's current position on the extra territorial reach of u.s. warrants? >> thank you for that question. this is a challenging issue, one that the department is actively considering. whatever the solution is, we don't think that the solution
11:20 pm
should involve deciding conflicts of laws in a way that always works against the united states. historical historically, courts have been able to weigh government interest in other factors in coming to decision on these issues. and the concern is any regime that would decide all matters of conflicts of law against the u.s. in every case. >> well, the mutual process facilitates formal agreement for sharing evidence between the united states and foreign countries. do you agree the process has proven slow and cumbersome to use? >> it certainly is slow and cumbersome for us to get information from other countries, which is part of our concern. and the incoming process, we agree that there needing to be progress made and are working on progress technological and
11:21 pm
otherwise, and the department has requested resources to improve things further. >> in your view, what can congress do to improve the process, and how does another country access data stored here in the united states? >> so, again, these are really challenging issues, and we look forward to working with you on them. one thing that, if clear, with the process, it is not a one-size-fits-all process. and because it is so complicated it requires an approach that takes into account the way it is operating now, and we very much look forward to working with you to streamline the process. >> i look forward to working with you as well. and i hope we can streamline this process and make it work not only for you but for businesses and others as well. thank you. >> senator whitehouse? >> thank you, chairman. in evaluating in question of civil access to content
11:22 pm
maintained by the service provider, i take a step back to the question of a criminal warrant. a criminal warrant is obtained by a government official going before a federal judge on an ex parte basis. and getting the judge's consent to get access to the material involved. that protection is there,'s understand it, because of the immense power that criminal law enforcement gives to the government, power for instance of incarceration. we even have a federal death penalty. so, from the very beginning, the founders constructed a process that limited arbitrary access by the government when it had those terrible powers in its hands. doings the government have any such powers with respect to
11:23 pm
civil enforcement? >> it does not. civil enforcement lacks warrant authority. >> and what you're proposing is that just like a warrant, the government would have to go before a federal judge in order to get access to the data for civil enforcement purposes. >> there are a number of ways to do it, but yes, having a court be able to compel that evidence. >> a court order would satisfy you? >> yes. >> and in a number of circumstances, your colleagues here on the panel have suggested that the subject might actually be, the subscriber might actually be notified first or that there might be notice to the subscriber so it would not be an ex parte proceeding. it would be a proceeding in which the individual whose privacy interest was involved would have a right to appear, correct? >> that's correct. >> all right, now what happens in the case where you talked about where for a variety of reasons you don't want to reveal to the misbehaving party that
11:24 pm
this investigation is under way, because they're likely to abscond or hide assets or destroy evidence or whatever? do you want some form of ex parte process like a warrant provides? where the civil agency could say, look, these are extraordinary circumstances. this is why we need access ex parte to this information and try to convince the judge of that? >> we're not actually asking for that authority. >> so why are you at that uk about the -- why did you use that example of the importance of it. >> i suppose i conflated the previous content argument that we have, where we would still want to be able to get the content from a provider when we're talking about content where there's no reasonable expectation of privacy. >> do any of you seek a proposal under which the government would be able to make a showing that an ex parte provision is necessary and go forward without
11:25 pm
notice to the subscriber? >> we are not. from our perspective, in fact, we typically will seek the e-mail from the subscriber first, and if we're not able to obtain or don't believe we've received full e-mails we'll go to the isp. >> so you're not requesting that. >> we are not. what we're looking at is for a he limited ability to obtain isp e-mails in cases where we just can't get them. >> through a court order. >> through a court order. >> from perhaps the very same judge who you'd have to go through to get the warrant. >> from the very same judge. >> and the person would be present. >> that's right. that's more protection than a warrant provides. >> sure is. >> thank you very much mr. chairman, oh, may i ask, i have a minute left before i yield back my time. just to be clear, i think chairman grassley asked you
11:26 pm
this. but just in case it didn't come through as clearly to you as it did to me, i'd be interested in looking back at cases that have come to a conclusion and where there is a public disclosure of the case where you can take a look at the case and say this piece of evidence actually helped make that case. and we got it because we were able to have access through the service provider to that information. not an ongoing case, which i know is a very delicate circumstance for all of you. but closed cases looking back just so we can see whether or not this has made a difference in real life in the past. and with that, i yield back my time, mr. chairman. thank you for holding this hearing. >> thank you. thank you, mr. chairman. thanks to all of you for being here. you know, updating the electronics communications privacy act has been a priority of mine ever since i arrived in the senate.
11:27 pm
now that i've been here for about four and a half years i appreciate more fully how difficult it can be to bring about a change of law that basically everyone agrees on. now the overwhelming majority of the american people, and by overwhelming majority i mean 99.9% of anyone you ask can agree that the government ought to have a warrant before it goes after your e-mail. the content of your e-mail. number two, the same number of people would agree, i think, by about the same ratio that it ought not make any difference whether that e-mail is 179 days old or 181 days old. whether or not the government has to get a warrant. and so, you know, this is a very simple principle that ought not be all that difficult to legislate. but i've been honored to work on this legislation. i introduced senate bill 356. the ecpa amendments act along with senator leahy to update our
11:28 pm
law in expectations of the public and what seems to be widely followed practice today. to start out with, i want to ask each of you a simple yes or no question. i want to ask you, does your agency believe that it should, under normal circumstances, meaning in the absence of a generally applicable widely accepted exception to the warrant, should it be required to get a warrant in order to get at the content of a person's e-mails, regardless of the afrnl the e-mail? >> the department has indicated that we do not oppose a warrant requirement for our criminal entities when they are obtaining information from a third party provider to the public. but note some concerns about that rule where there is no warrant authority available like in our civil investigations.
11:29 pm
>> if i understood your question correctly, the answer is no. we believe that a judicial proceeding that we've been discussing that allows the subscriber to object is an appropriate mechanism for obtaining e-mails. >> we agree with the fcc's position. we agree with the fcc. >> got it. okay i do think that while there are a few people in washington, d.c. who can understand what you're saying, i think the overwhelming majority of the american people would be very disturbed to there that that question can't be answered with a simple, with a simple no. that the government should not be able to get at people's e-mails. the content of their e-mail without a warrant. now let me, let me direct the question your way. i'm concerned that the department of justice once it has obtained e-mails, it may use those e-mails for any
11:30 pm
investigation related to the initial reason for the acquisition or not. so if you obtained e-mails on subpoena, what would prevent those e-mails, what would prevent the department from using that in a criminal prosecution? >> so certainly, it would not be acceptable for things to be obtained on the civil side fort push purposes of trying to use it on the criminal side. however, when criminal evidence becomes apparent, that information can be shared and we are not proposing a way to get around the warrant requirement without any privacy protections and that there should, there are ways of protecting privacy, both by standard and by process.
11:31 pm
so what we talking about on the civil side is a process protection. >> and what kinds of safeguard rs was the doj propose in order to prevent a civil agency carve out from being used to avoid the warrant requirement? you can understand how that could easily be manipulated in order to avoid the warrant requirement. >> thank you for that question. i don't believe this instance is really any different than the other sorts of evidence that can be obtained in other ways. these are issues that are, that exist as to all investigations, prosecutors and civil litigators and investigators are held to a standard to obey the rules and hold to those rules and hold to the process that the law requires, but i am happy to get back to you if there are further questions or to answer further questions. >> okay. thank you. i see my time's expired, mr.
11:32 pm
chairman. >> well, since i, since senator leahy asked me to be here as ranking member, i have to be here, so i'll consider blumenthal go next. i'm forced to be here. fl next to you, i am required. yeah. >> thank you. i want to thank senator franken for his courtesy. i am curious, mr. salzburg, in your testimony, you express concern about what would happen if a customer consents to having her service provider turn over e-mails but the service provider nonetheless refuses. can you give us some examples of how and when that might occur? if a customer says, okay, but the service provider says no.
11:33 pm
when and how would that occur? >> sure, let me give you two examples. the first is, assuming we are investigating a business and the business is readily willing to turn over information to us and it maintains it in the cloud. and the cost of the target getting the information from the cloud provider is significant, whereas if they were just to authorize us to go to the cloud service provider and get it and use our litigation support folks they would rather have that happen. is that going to happen all the time? that a target is willing to turn over its information en masse to the government? no. but if that scenario arises the commission should be able to take that consent and use compulsory process to get that information from the provider. the second scenario is the customer is a victim and the victim no longer has access to the content of the claim that's been made to them, and they want the government to go get it. >> have those two scenarios actually occurred?
11:34 pm
>> they, there have been a couple of instances where this has occurred. but it's not common. and what we're, what we're concerned about is that the move to cloud computing gets more ingrained and gets further along, these scenarios might happen more frequently. >> does the, does the ftc have any recourse against a target of a subpoena if that target fails to do everything in his or her power to get e-mails from his service provider and get the provider to turn them over? >> it does. we can file a, if we're talking about an investigative demand, we can file an enforcement action, but at the end of the day, if the customer refuses to turn the information over, we would have no ability under the pending legislation to get that information. >> under the pending legislation. >> right. >> under which the -- >> under the -- >> 356?
11:35 pm
>> 356, yeah. >> so that's the suggestion that you have for improving it. >> yes. and interestingly, the provision that authorizes the provider to voluntarily provide information authorizes it to turn over the content with consent voluntarily to the government. and we just want to make sure that there's a provision that allows the government to compel in circumstances. >> if the target of the investigation has intentionally used an internet provider that won't cooperate with the ftc, so that target can pretend to consent but then in effect use the refusal of the internet provider as the barrier, is there anything ftc can do to penalize the target? if you understand my question. >> yes. you know, we can seek, we can seek to compel. if we're talking about a, an
11:36 pm
investigative demand, but ultimately, we don't have the authority to penalize anybody. >> well, i, i welcome your suggestions for improving this legislation. as you know, i'm one of the original co-sponsors of s-356. i think it's important to strike that balance between privacy and law enforcement, having been in law enforcement myself, having been a strong supporter of the work that all three of your agencies do, and very much welcome your suggestions here and any other thoughts that you may have. thank you, mr. chairman. >> thank you, mr. chairman, and thanks to the witnesses for your time today. obviously, this is, we've had similar conversations where we're trying to balance privacy and enforcement. it's ongoing and i applaud your efforts and your leadership in that. i look forward to debating both ecpa and the lee's act.
11:37 pm
i have a quick question relating to leads. as we know, and i think you've just explained. leads would create a rule that government may use ecpa warrants to obtain content data stored outside the u.s. but only if the account holder's a u.s. person. in all other cases involving content data stored abroad, it would require the government to use the mlat process as i understand it. what's your view of the provision of the bill that seeks to improve and streamline the mlat process? >> thank you for that question. improving the mlat process on an incoming basis, which is what that proposal is talking about is difficult and complicated, and we very much look forward to working with the committee on that. we do think it's not a one size fits all kind of solution, and having provisions that apply, for instance, to require sort of
11:38 pm
an online intake when not all countries actually use government e-mail to send in their requests is the sort of thing that makes this hard. so we very much look forward to working with you to address those issues. >> can you explain the doj's concerns that i think doj has expressed regarding the leads act on domestic investigations, technically those involving a non-citizen who's in the u.s.? >> thank you. the department would be concerned with any proposal that would unilaterally take away a tool that we have in order to be able to obtain information about a u.s. crime affecting u.s. victims that historically has been in place for a long time and replace it with something that would take a really long time through international cooperation alone, and it would, proposals that would also make it more difficult to get
11:39 pm
information about non-u.s. persons committing crimes in the u.s. than it would u.s. persons is also a concern for us. >> i see. one last quick question. i want to go into the subpoena issue that was raised a minute ago about your i agency's ability to raise warrants on an enforcement action. i ask that because a person can be compelled to comply. can you give me your views and let's clarify that just a little further. >> sure, our subpoenas are not self-executing. if somebody objects to our subpoena, we need to go to court. that person in that proceeding can raise whatever objections they have, whether it be privilege orther relevancy
11:40 pm
objections. if we show a proper purpose and the subpoena is properly tailored, it will be upheld. the problem we've been talking about is the subscriber will often not provide you with full e-mail because they're incentivized not to. and if they know we can't obtain it through the isp that further incentivizes them. >> when you have to go to the second step of getting the information. >> we have frequently brought subpoena enforcement actions. in many cases we make a judgment. there are resource constraints about subpoena actions and obviously we make a judgment about whether to dmel a particular case. i will say in our experience, in certain cases subscribers
11:41 pm
provide full e-mails. in others they don't. that becomes clear. because as you spubpoena others you find that other people supply you with e-mails. and that tills you the original production was not sufficient. >> we have a similar process through the ftc where they are not self-executing. we have to go to a court to enforce them as well. in our experience, i think most targets usually comply with our cids. if they don't, we have to make a resource call. is it worthwhile to pursue an action that is lengthy, or do we forego the information and try to find the necessary information in another way. >> thank you. thank you, mr. chairman. >> thank you, mr. chairman. mr. salzburg, the ftc plays a
11:42 pm
key role in protecting americans' privacy and americans understandably care deeply about the privacy of their e-mails and other online documents. since the warshack decision, their expectations have largely been met, and the ecpa amendments act would ensure that those expectations continue to be met, and i applaud senators lee and leahy for their efforts. i guess more senator leahy, because he's my ranking member. so i do find, mr. salzburg, that the final portion of your testimony a little surprising. i did not expect to hear the ftc's bureau of consumer protection suggesting that the ecpa amendments act be
11:43 pm
significantly rewritten to give ftc broad authority to obtain via simple court order americans' e-mail contents from third-party service providers. and then, this morning we received commissioner brill's statement expressing her concern about this proposal, commissioner brill notes that it is, quote, exceedingly rare that it would be useful for the ftc to seek content through ecpa and she highlights the cost for americans' privacy as well as the question of constitution constitutionality or potential unconstitutionality of obtaining content with just such a court order or with just a court order. i realize your oral presentation today reflects only your views.
11:44 pm
but i'm interested in your, in your views and data that you may have setting aside potential constitutional concerns for the moment. do you have any data, any case statistics to support your claim that a new expansion of ftc authority to obtain mail content is needed? let me first note that we have not sought e-mail contents in the past. and the question is whether the economy's changing in a way with data moving to the cloud computing that we can see it being foreseeable in the future. i don't have any impeer cal evidence of this, but i think one of the major drivers of this is that data is being kept in the cloud with third-party service providers and no longer being maintained locally on people's computers.
11:45 pm
>> okay. thank you. i'm sorry i wasn't here for the beginning. is it ceresny? >> yes. >> under ecpa as it was written in 1986, subpoenas could be used to disclose a contents of a customer's e-mails if the e-mails were relatively old, more than 180 days old. now courts have taken issue with that, and personally, i think that is not what the american people expect when it comes to the privacy of their e-mails. we've been discussing that. but if i'm understanding your testimony correctly, you're not satisfied with even the ecpa standard. you're lacking fooking for new d authority for federal regulatory agencies like ftc and irs to be able to obtain content without a
11:46 pm
warrant without regard to the age of the information. in the last five years, has the ftc sought to take action against providers who refuse to comply with requests because of warshack? >> senator, we have not, in deference to the ongoing discussions in congress about ecpa reform, but i would say that what we are seeking are more protections than in the current ecpa. the current, we are proposing that a court order, and i think you used the term just a court order. but it is what a warrant is, a judge signing off on an order that allows us to obtain e-mail, and in our case, we're proposing with notice to the subscriber so that the subscriber, unlike a warrant which is ex parte, the subscriber could come in and assert any objections that they have. what we're proposing is more
11:47 pm
protection first of all than in the first protection. >> so you take issue with my saying "just a court order." >> yes, with all due respect. >> i appreciate the respect. >> thank you. thank you mr. chair and mr. acting ranking member. mr. chair, i also want to wish happy birthday in advance. i think you're celebrating the, maybe the 32nd anniversary of your 50th birthday tomorrow. [ laughter ] >> that would be 82, i think. >> now i'm 55 i started celebrating anniversaries about five years ago. i want to ask a question that may also be appropriate for the second panel. i've got to go back to an armed services committee, so i'll start the discussion here. i'm concerned with your efforts when it involves an isp that's not within u.s. jurisdiction.
11:48 pm
and efforts that we would have here to strengthen our ability to get to information for u.s. domiciled isps and the potential risk that could have for people who may intend to use those for the kinds of purposes that you're going after. some may or may not be. what risk do we have going just beyond the 180-day retention requirement and clarifying the obligations of the isps with respect to their warrant requirements. what risk do we have of just having the snakes go to another pasture and still be able to do what they want to accomplish or still be able to fall under that veil and put our isps at risk? and i'll open that up to the panel. we'll start down there. >> thank you for that question. when there are providers that are doing business in the u.s., historically, the courts have
11:49 pm
exercised jurisdiction over those individuals. >> what's the variability after you, if you go outside? or what has your experience been? >> well, in order to be able to get something, there needs to be a basis for jurisdiction. so one of the things that concerns us about proposals that talk about data stored abroad is making that data where there are people, even in the u.s. unable to use traditional legal process to compel that information that they may store elsewhere to come back to the united states. >> this is a very challenging question, and the commission hasn't taken any action on the leads act, and i think it's fair to say that we would have difficulties on the civil side as the law is now if we were trying to compel information from a foreign isp that did not have a presence in the united states. >> so, again, and i do want you
11:50 pm
to respond, a concern that i have is making sure that whatever we do, as long as there's some other place on the globe, you know, the internet infrastructure is a global infrastructure, subject to several different jurisdictions. how we balance policy to make sure that we're not just tying the hands of businesses here to the benefit and to your detriment to isps abroad, and mr. ceresny, we'll let you comment. >> i would just say we share some of the same concerns as the department of justice has about the leads act. and obviously, it's a thorny issue and one that needs to be worked carefully. >> mr. ceresny, i think you mentioned that subpoenas frequently fall short of getting the evidence they want because oftentimes the targets either deleted the information or they abscond
11:51 pm
absconded. what's at least working through congress right now that you think helps you address that issue, or what kinds of things do we have to look at to help you have that tool avail snbl >> so what we're seeking is some limited authority like in the instance you cited, sob ability to obtain those e-mails from the isps, and what we proposed is some sort of court order, under some sort of standard that we would be able to meet with notice to the subscribers so think could come in and object. and that's limited authority that year' seeking here. and the idea is that in circumstances where you just suggested where the individual has deleted the e-mails we're able to obtain it, and that would inventivize people to clie fully, because if they know we can go to the isp, it further incentivizes them to provide us with their full e-mail. >> and because i've only got 25 seconds, i'll just make a comment. i know on the one hand we wand
11:52 pm
to provide you all and the next panel which will have law enforcement on it, to have all the tools that you need to be able to get after people that may be doing things we don't want them to do. on the other hand we're extending capabilities to agencies such as the irs, i don't think that was mentioned, but that would extend to agencies like the irs they give us some pause to give them more capabilities than they already have. we've got to make sure 20we've t the right controls in place in dealing with the policy. thank you, mr. chair. >> thank you, chairman grassley and for your leadership on this and for asking the appropriate questions and having an opportunity to discuss this. it's a very big issue. those of us who've been involved in law enforcement for a long time are very well aware of what sounds like some good theoretical idea can have a
11:53 pm
major and detrimental impact on the ability of the people of the united states to have order, to avoid multiple frauds and theft the and computer abuses and violations of their privacies and things of that kind. and i have ordered a publication not long ago. and within a few weeks i get i don't know how many more, selling me different publications of a similar nature. so somebody's sharing information all over. president obama was widely congratulated for his brilliant ability to target voters because they knew all kinds of things about them, whether they went fishing. all these things somehow is available to private sectors, political candidates, and we have to make sure that we're not placing too much of a burden on law enforcement as they try to do their duty to protect us from fraudsters and sex abuse and
11:54 pm
kidnappers and terrorists. i'm glad the chairman is looking at this. and we're asking it. the law enforcement that i've talked to indicate that they have certain problems that we ought to deal with in the legislation. one of them is very often long dough la delays from a subpoena to the actual production of the documents. two, we ought to consider what happens if you have erasure of these documents within hours, even. days. a few days. is that appropriate? we don't allow that in phone company records as i understand it. and third, i think it's critical, anybody who's been involved in law enforcement, i can imagine in a terrorist investigation particularly, you've got to be able to effectively not tell the suspect
11:55 pm
that you're on to them. and have somebody call them and say the fbi just subpoenaed your toll records and boom, they flee the country or hide other evidence that may be available. so i just think those are law enforcement requests that immediate -- need to be considered. >> so you can issue a subpoena for a telephone call record that has the person's name, address, the length of their phone call, the numbers that they called without any content. you can get that with a subpoena, is that correct? >> yes. that's correct. >> and actually, dea can get it with an administrative subpoena without even asking a prosecutor. prosecutors ask them routinely
11:56 pm
also. what about getting an e-mail address? it seems to me that's quite a lot, a huge difference between just getting who the person has been e-mailing, just like you want to know who they called on the telephone, as opposed to the content of that e-mail. can that be obtained? and why should we enhance significantly the ability to get that information? >> thank you for that question. the standard is currently different as i note in my sfr. the department does support equalizing those standards and bringing them in so that you can actually use the same standard that we have been using for traditional telecommunications, like telephone records to obtain the to/from material as well. >> that's a huge thing in a lot of investigations. i mean, i never met this person, and they've got 50 e-mails to them or 25 phone calls. i didn't talk to them on the day of the killing, and then there are 25 phone calls that day. it is hugely important in
11:57 pm
actually protecting the american people from criminals. then you've got the standard for content. mr. ceresny mentioned that a court order isn't much different from a search warrant. so you have a little less to get the older e-mail contents, is that correct? that e-mail contents you first get through the 120 days and older? >> under the current statute, for more than 180 days we can obtain them through an administrati administrative subpoena with notice to the subscriber. in an amendment we would support some kind of judicial proceeding. that allows us to obtain those e-mail contents. >> and you can request, you can
11:58 pm
request the confidentiality and no notice? >> we're not seeking that authority to obtain them with no notice. in fact, our general practice is to first seek them from the subscriber, and if we do not obtain e-mails we go to the provider. we're trying to accommodate while preserving ability for us to obtain in appropriate circumstances the contents of e-mail. >> my time is up. i think we really have to be careful about not having the ability to protect against disclosure to the person. because i, that's not true in other areas that you can get a nondisclosure order. and it can be critical. if you're investigating a terrorist and they know you're on to them. this could be a life and death issue. thank you.
11:59 pm
>> i want to thank this panel. appreciate it very much. and we'll probably be in touch with you for some followup questions. i'd like to call the second panel now. and while they're coming, if i can have your attention, i want to introduce them to be efficient. richard littlehale, his assistant special agent in charge, tennessee bureau of investigation's technical service unit. special agent littlehale is responsible for coordinating the use of a wide range of technology, is supportive law enforcement operations including using communication records in support of criminal investigations. he testifies on behalf of the social of state criminal investigative agencies. he received his bachelor's degree and a law degree from
12:00 am
vanderbilt. second is richard siccardo. he serve as google's information security. before working at google, mr. salgado worked at yahoo, and prior to that served ago special counsel.

14 Views

info Stream Only

Uploaded by TV Archive on