Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  September 19, 2015 4:00am-6:01am EDT

4:00 am
new system because the u.s.-based importer is legally directly accountable to us. we can hold them legally accountable for doing that job problemerly so that's where we have the direct legal handle but we can go over and inspect foreign to facilities. if we see a problem we can keep the food from coming in. we can work with foreign governments to foster good practices and rely on their inspection activity but the direct legal accountability for imports in terms of private sector responsibility is on that u.s.-based importer. that's why the foreign supplier rule and its proper implementation is so foundational. >> what does that mean the importer is most likely to do to sign that certification? what is that company going to do in a foreign country to make certain when they attest that standards are being met that they're being senate. >> so under the regulation we proposed and you'll see coming forward and i'm not here announcing the final content of the regulation but the elements of it are evident from the proposals we've put out in a
4:01 am
supplemental proposal we put out last year. but the whole idea is -- and this is following the congressional mandate -- the importer must have a program, a documented program where they have identified their suppliers, they've come to understand their suppliers' capability for food safety, they've approved the suppliers, they know the practices is supplier is under taking and they look at records and they -- and under some circumstance, when justified by risk -- because it's intended to be a risk-based foreign supply verification program -- we would envision the u.s.-based importer doing an audit. having an audit conducted -- an on site audit of that foreign producer. so it's having a real program that we can then audit and obviously go behind that and sample product when it's coming in, go behind that and actually inspect the foreign facility if we choose to. but it that's accountability for the importer that's the new feature. >> the word "audit" has a different meaning than
4:02 am
"inspect," isn't that true? so when they're auditing they would not be doing the same thing an inspector, an fda inspector would be doing in a foreign country. is that -- we >> well, it's different. when you talk about inspection we're used to looking at facilities and conducting a physical exam of a physical place. the aud did term applies to looking at auditing the program, checking the records, being able to get confidence from examining the records and talking to the importer that they are, in fact -- they know what they're doing rand doing the right thing. so it's a records-intensive audit activity that will be a major component of ensuring this is being done properly. >> mr. taylor, thank you. i have more questions but maybe a way to accommodate your schedule is to to to you, and if you're unable to stay for my final round i wouldn't be offended. >> thank you very much, mr.
4:03 am
chairman. i wanted to draw attention to the report tt you've all displayed, the 2014 food safety progress report for folks who are numerically challenged, you've boiled it down to happy faces, grim faces and very unhappy faces and the unhappiest of all is the face representing vibrio. and over on the other chart you've provided by you've showed that while every other disease has decreased since the 1998 till now time period, there's one disease that has increase in incidents and this's i have been reel. what is the story? what in particular should we know about the challenge this disease represents? >> well, i have been rio can also be a significant disease. it comes in a couple of different forms. there are several different pathogens that are encompassed under the label of vibrio and
4:04 am
they are in general associated with sea foot products. we have seen now -- i think it's important to put into context that in terms of the overall numbers, the number of illnesses associated with vibrio was actually quite small and certainly a very small fraction of what we see in the united states from either salmonella or camp low back or the. some of this was largely confined to certain areas of the country and because of movements that occur we merging diseases it spread to other areas where it traditionally hasn't been, but it is a trent we've been seeing along the east coast. >> i was reading the article recently about ponds where shrimp are farmed on land in asia and where massive amounts of antibiotics are used to
4:05 am
control the various diseases that are ram nant those ponds. is that import of shrimp from these a farms contributing to the vibrio expansion? >> i would have to get you specific information about whether or not that's contributing but by and large to my knowledge most of the vibrio related illnesses are not associated specifically with imported shrimp. >> thank you. back when we were working on this bill a young man and his father came out from oregon to testify. the father was a police officer, the son when he was three, his name is jacob hurley, he had experienced a life-threatening case of salmonella from contaminated peanut butter and he was one of among more than 700 who were sickened by
4:06 am
contaminated peanut products in 2009 i believe the company involved in that was the peanut corporation of america. if we look back on that particular well. publicized incident how would the preventative controls rule that we just passed made a potential significance difference in the risk of that disease? >> so that's an unusual case in many respects. in part because of the vast scale of the damage that it did and the thousands of products that had to be recalled because this firm was selling not only peanut butter in bulk but peanut ingredients that went into thousands of processed foods. it was a catastrophic event for the food system. it also involved intentional conduct by the&m9j÷ owner and operator of that facility and the well-publicized subsequent criminal prosecution and
4:07 am
conviction. the -- what fsm larks do even in that situation is provide a much stronger basis for inspectors when they go in to facilities to not just look on the facility conditions, and pre-fsma with no access to the records of the a facility, under fsma, we'll be able to go in and make assessments of the system and detect and find records that might document positive inliteral results such as occurred in this case that would reveal a problem that needs to be addressed. so there will be the rare incident where purposeful criminal behavior happens and there needs to be swift remedies for that but i think even in these cases we will be more effective in our investigatory role in investigating and whether this goes on in facile thes that needs to be addressed
4:08 am
forcefully and fsma gives us rules to address that forcefully. if we identify this problem through inspection, under fsma, we can suspend the registration of that facility and shut the facility down administratively and that's important in these extreme cases. >> as you note, there were exceptional circumstances, roof, mold, animal contamination, so on and so forth. kind of egregious behavior of some known problems. in terms of the inspections you mentioned and the ability to have teeth, that matters. but there's another element of the preventative control rules that involves developing a tracking system for ingredients that go into processed foods. can you comment on whether that you believe will make a difference? >> so fda has historically since the bioterrorism act in 2001 was enacted it's had authority to
4:09 am
require firms to keep records of where their incoming materials came from and where their finished producted have gone one up one down recordkeeping. fsma adds somewhat to our authority in this area by giving us the authority to set stan dads for how that firm connects the dots between the incoming and outgoing so that will be a step and that's a rule making that is under way to put that in place. fsma, frankly, puts constraints on fda in terms of traceability because it precludes us from requiring essentially a farm-to-table pedigree, or the kind of tracing that is done by u.p.s. and fedex. we're precluded from acquiring that sort of use of technology to improve traceability. so from our standpoint traceability is crucial. it's how we can investigate outbreaks more expeditiously, get to the cause of problems and solve them but traceability will have to come into the modern era
4:10 am
fully through public/private collaboration, finding ways to harness industry, innovation with the support and dialogue so we can be sure whatever they do helps our investigators as well as the firms themselves but there's work to be done in that area. >> thank you very much. appreciate it. >> the mumbling here was i will not take advantage of senator merkley's absence. i ask unanimous consent as soon as he leaves to -- [ laughter ] one of the things i read in your testimony that i wanted to highlight and ask you to confirm to me how serious you are about this and how confident i can be that it will remain the policy and that is you indicate approach to inspection is aimed first at fostering and facilitating compliance rather
4:11 am
than finding and penalizing regulatory violations. that is a policy in my view that every regulatory federal agency should adopt. the goal is to make improvements in cooperation with the regulated and it seems to me and we've had this in other agencies previously in which they seemed to be that was the direction they were going but over time the joy of penalizing became too great and the attitude of cooperation disappeared. is there some assurance that you mean what you say in your testimony and that it will last as part of the nature of the food and drug administration as it implements and enforces fis ma? fsma? >> all i can say is that we do believe that the approach that is expressed in fizz ma which is to work collaboratively with
4:12 am
regulated industry -- and when i say regulated industry we mean from the farm to the transportation into people's homes that we work collaboratively to encourage them and to work with them to do it right. and we know that ultimately doing it right has tremendous impact. that is not to say because you always have to -- and i'm sure you're quite aware there's the carrot and the stick and we though that the skerrit quite an effective way to promote improvements in food safety but that does not mean that we are not going to use the stick when we need to use the stick. >> if i could just add why i believe this will remain the policy over time regardless of who happens to be sitting in these chairs. partly we've put in the writing. we've made this commitment to the industry and the public and people support this.
4:13 am
externally but equally important for your purpose, the people at fda embrace this wholeheartedly. the people at the front line in our agency are public health people. that's a cool. and that's been the culture of our agency given the framework for food safety which has been a statute and program but with fsma, we're public health at the front line and our front-line people love that. they would much rather be getting good food safety outcomes and doing public health than trying to wrack up enforcement numbers. that's not the fundamental mentality of that cadre of people, including the young people coming into the agency. it's an extraordinarily exciting time for them and the agency. so i think the future is here in terms of the culture change going on and we're working to institutionalize that and embed that in the practices of the agency. >> i recognize when i asked that question it may sound as if you're trying to take care of
4:14 am
business or formers but isn't the reality that we end up with a safer food supply system when this is the attitude? >> what we know and you know and if you talk to the people in the food business it's obvious. the vast majority want to produce safe food. at a personal level and in their intense business interest to do that. so our whole strategy is based upon that assumption. we need to work with that vast majority who want to comply, support that compliance, verify that it's happening and for those who aren't complying we will act swiftly and take whatever action is needed to protect consumers and in these extreme cases like peanut corporation of america, invoke punitive remedies as a deterrent. but i think working with those whose interests is aligned with ours on foot safety is how we'll get the best public health. >> if i can respond that before dr. ostroff speaks, the world i from in kansas, the rumor of food disease or animal-born diseases causes dramatic
4:15 am
consequences to farmers, to ranchers. it doesn't taken a actual case, just the thought something may be wrong. so i'm not opposed to strictly, strongly enforsing penalties and putting bad actors out of business because they have a huge consequence to the consumer and safety of our food supply. but for those same businessmen and women, the same farmers and ranchers, they can't afford financially to have the rumor or reality that there's something wrong what they produce. >> and our strategic interests are fully aligned on that. >> i think you're right. we know the ramifications from food-borne outbreaks that occur years ago still ripple through certain kmot tease. the other thing i say is that the approach that we will be taking under fsma is a fundamentally significant change to the way we approach food
4:16 am
safety and it's really critical because a number of things encompassed in the funding request that we have made to congress is designed to ensure that up and down the system we can reorient the work force be able to implement the things that you were saying in terms of being able to work collaboratively with industry, being able to educate industry and being able to oversee and ensure what they are doing is up to standards takes resources and i don't know any other way to say it. we do know without question that unless we receive the total amount of the request that something is going to have to give in some aspect of what we're doing. >> you couldn't help yourself. [ laughter ] and i'll be happy to visit about that topic. let me finish up a couple other
4:17 am
items. when it comes to the state of kansas, the state of oregon, the state of california, what will the role be for those states as a result of fsma and its implementation? what happens different at the kansas department of health and environment? >> well, you know, the approaches that are being taken at the federal level, those same types of changes will also occur at the state level. the states and localities are very critical partners in implementing fsma as it's designed to be implemented. they are our front line eyes and ears. they carry a lot of the workload in not only working with their regulated industries at the state and local level but particularly in certain areas and the one that comes to mind most is the produce rule that we will look very much towards
4:18 am
working with the states to be able to provide the type of front line support to the farmers within their states to be able to appropriately implement the new requirements for fsma. so they are critical to the success of this endeavor. >> let me ask one question related to the animal feed rule and contract farmers, doctor you indicated to me and commissioner you indicated to me in advance of this hearing that what i was going to hear from folks throughout in that world would be all requests to make sure congress appropriated sufficient funds to implement fsma and that you had worked your way through many of the challenges and had imput from the stakeholders and i appreciate that and it seems that that is in large part the reality. one area i've heard concern about is the definition of what a farm or farmer is and you're shaking your head so maybe i don't need to describe the
4:19 am
issue. is there something afoot that i ought to know about the direction that you're going? what i have heard is that there is concern from farmers who have no involvement in anything other than raising the livestock, the animal that this will come -- that fsma will affect their operations as well when all the processing and everything occurs downstream and, in fact, the feed, most importantly, is not grown or provided by by them, it's provided by upstream, buyers of contract, those they have contracted with. this -- is this an issue -- have i described it atdequately? you were once smiling, now you're frowning. [ laughter ] >> the specific way a farm is defined is critical to these rules, not only preventative controls but also the produce
4:20 am
rule. so we have worked quite closely with those that will be impacted by this rule to make sure we can get it as right as we can. i will ask mike, he's been immersed in this issue for the last several years. >> i do know the issue very well and the fact that there's presumably still folks who have concerns shows there's an exception to every rule about stakeholder support. but i think what you're talking about is the situation in which they are vertically integrated poultry operations where a purdue or tyson will own the chickens, manufacture and own the feet, provide it to contract growers who -- >> growers only grow. >> growers only grow. if growers have a concern i need to hear. that the affected party is the
4:21 am
operator of the foo t feed mill that's not being managed on or buy farm operation but rather by this big vertically integrated poultry enterprise. that feed mill is subject to the animal feed preventative control rule. the environment is very practical and are risk-based and don't address issues that don't need to be addressed in terms of ensuring the safety of animal feed but those feed mills are subject to preventative controls. if the common farmer is growing or processing their own feed on their farm in their feed mill for their animals, that's part of the farm operation and would not be subject to the preventative controls rule. so i would be happy to engage whoever that has concern and connect them with our center for veterinary medicine and work through whatever the question is. that's -- >> you answered the question better than ski it and that's
4:22 am
the assurance they were hoping to hear. >> again, happy to talk to them if that would help. >> let me talk just a moment about the appropriations process. as i indicated in my opening statement, this will continue to be a priority certainly of mine and i think of this subcommittee and you mentioned specifically the amount of money the president's budget request and our ability to meet that at this point hasn't occurred but we worked hard to put more money into fsma implementation as we prioritize within the dollars that we have within our jurisdiction and if those dollar amounts change, we're interested in have viewing and reprioritizing based on what the needs are of fda and others to make certain we make the right priority decisions. but let me ask a couple of things about how the money has been spent in the past.
4:23 am
as i indicated in my opening statement, the number able is 8% increase for implementation of fsma at fda. am i saying that correctly? of course you do. let me ask how that money has been spent in implementation and how has the -- how has it been allocated? is it across food safety inspections? food born disease surveillance? detecti detection? how do you decide how to spend that money over the past five years? and i'll consult with my expert. >> so the total amount since 2010 that's been implemented -- that's been allocated specifically for fsma, i believe the number is approximately $162 million over that time period. it has been used in a whole
4:24 am
variety of ways but as you probably recognize, there has been a tremendous effort on our foort appropriately lay the ground work to get these rules to a place where those rules are both implementable and will work and that's no mean task. as you know we have had tremendous numbers of outreach activities to the various stakeholder groups, there have been somewhere in the range of 600 or so meetings that have occurred, either public meetings, interactions with regulated industries, various strayed association trade associations. we've walked facilities and farms from one coast to the other. there has been a significant effort to actually do all the writing that it takes to get these rules to the place where
4:25 am
they were. as you know we issued a number of supplemental rules, so that has heavily contributed to a lot of resources we have used to get to the point where we can actually get to where we are now which is to start implementing. >> in addition, there are a number of programmatic and capacity investments that we've made that i think are very significant as well. some of it includes increasing technical staffing so we can support the industry, our state partners, our own inspectors as they implement this so this is at our center for food safety and applied nutrition principally. we've doubled the investment in the states to close to $50 million over the last few years: we've been able with the resources we've got, including these increases, to meet the fsma mandate for high-risk inspections, the frequency mandate and exceed that and do that earlier than expected. we think that's been an important part of getting
4:26 am
ourselves in a position to succeed under fsma. then the airport area has been an area of investment. we've significantly increased the number of inspections as i mentioned. we've expanded foreign offices. so there've been significant programmatic investments in capacity for ourselves and the states to implement fsma so we can succeed going forward. >> thank you. it's apparently one of those circumstances in which both are right. the desired outcome has been achieved. food has increased by 8%, fsma by 4%. finally, i think this is my final question. is there any opportunities -- let me ask that differently because there has to be. as you implement fsma, are their there opportunities for reprioritizing existing spending that are -- that that spending is no longer necessary because
4:27 am
you're headed down a different path than the nature of the way fda operated in the past? so where did the -- are there any savings to occur as a result of the implementation of fsma? >> i think -- my commissioner is looking at me so i will stay something. yes, that's a no. because i want to try to explain. if you look at the overall funding of the foods program, about three quarters of it pre-fsma goes into field based activities that relate to food safety but doing it the old way. what we're talking about is adding incrementally to that base source to so we can redeploy that resource to doing food safety in the way envision bid by fsma. i want to get credit for the fact we're not continuing to do
4:28 am
the old stuff and add on the new thing. >> that's the nature of my question. >> to so the answer is we're redeploying but it doesn't mean we can stop spending the money needed to support the work force. we have to invest in it so it can work in this modern prevention-oriented way in a more sophisticated rell tear framework. so it's redeplace of employment as opposed to adding resources on top of resources that are still deployed doing their own thing. th >> that's what i wanted to hear. so since you, dr. ostroff, wanted to answer no, i'll give you the opportunity to answer yes. isn't the truth that we can now as we do things differently you redeploy assets, resources directed in the old way of doing business to the new way of doing business? >> so this is not going to require fewer people to be successful. it's just going to require that
4:29 am
those people do things differently than they've been doing them but the people that we need to be successful for fsma, we're not going to have people go away. in point of fact, given the various responsibilities we have under these rules that we need every single one of those people to be successful in implementing this. so from the standpoint of what we've been doing with our field force and what we have been doing with our laboratories, those responsibilities don't disappear under fsma. >> dr. ostroff, thank you for your testimony. mr. tootle, anything you'd like to make certain is included in the record before we close this hearing? >> i will close by saying i'm the eternal optimist. you know, we -- the question that we made for this fiscal
4:30 am
year for fsma implementation is critical to its suck said and to name have its maximal impact which we hope that it will have to change these graphs that you see here on the right and the left. every component of that request is vitally important to the success of this endeavor so we will have incredibly difficult choicing to make if wick not get that particular request so i recognize that you have been an ardent supporter of the success of fsma and we certainly are totally appreciative of the efforts that you've made at this point and we're very, very appreciative of the resources that did show up in the
4:31 am
subcommittee and the full appropriation for fsma implementation. all i can say is there will be significant shortfalls that will result with that particular number which will make it very challenging for us to be able to put in place fright the get-go what we need to do to be successful in this endeavor. >> doctor, thank you very much. appreciate your testimony. thank you for being here. i appreciate the presence of my colleagues and for members of the subcommittee, either those here or not, any questions that they'd like to submit for the record should be turned into the subcommittee staff within one week which is wednesday, september 23, and we would appreciate having a response back from fda within four weeks spent to that point in time and, again, thank you for your testimony, thank you for the way that you have answered questions today and that presented testimony and please express my gratitude to the folks at fda for the outreach that has
4:32 am
occurred in the development of these orders of control. with that, the committee stands adjourned. >> thank you, senator. the c-span networks feature weekends full of politics, books, and american history. saturday morning, beginning at
4:33 am
9:30 on c-span, we're live from manchester for the new hampshire democratic marty convention. speakers include five presidential candidates, former secretary of state hillary clinton, vermont senator bernie sanders, former governor of rhode island lincoln chafee, former maryland governor martin o'malley and harvard professor lawrence lessig. on sunday, a conversation with jimmy and roselyn carter on current events and the carter center's peace and health initiatives around the world. on c-span 2's book tv, supreme court justice stevphen breyer talks about his recent book and the challenges facing the american judiciary, including the application of american law in international contexts. saturday night at 11:00, former vice president dick cheney and his daughter former deputy assistant secretary of state liz cheney on their book "exceptional" which looks at america's foreign policy and national security. on american history tv on c-span 3, saturday starting at noon eastern we're live from georgia for a commemoration for the 13,000 union soldiers who died
4:34 am
during the civil war at the confederate military prison camp at andersonville. speakers include sergeant major daniel daily and historian leslie gordon. we'll take your questions before and after the ceremony by phone, if and twts twitter. sunday afternoon at 4:00 on real america, archival video of pope paul vi in 1955 and pope paul ii in 1979 as they address the united nations. get our complete schedule at cspan.org. the pope's upcoming visit to the u.s. c-span has live coverage from washington, the first stop on the pope's tour. on wednesday, september 23, pope francis will visit the white house starting with a welcoming ceremony on the south lawn followed by a meeting with president obama. on thursday, september 24, the pope makes history on capitol hill, becoming the first pontiff to address both the house of representatives and the senate during a joint meeting.
4:35 am
follow all of c-span's live coverage of the pope's visit to washington. watch live on tv or online at cspan.org. next, a senate judiciary committee hearing on electronic privacy with government officials and representatives from the tech industry. they testified about proposals aimed at protecting e-mail and other data information online. this is about two and a half hours. >> today's hearing is intended to help inform the committee about the most recent views of a wide variety of stakeholders concerning the need to reform the electronic communication privacy act or, as we know it around here, ecpa and various ways of fixing it. the committee's last hearing on the topic was four and a half years ago. since then, numerous proposals have been advanced by members of
4:36 am
the committee. in 1986, congress enacted ecpa to both protect the privacy of americans' electronic communication and to provide the government with a means to access these communications and related records in certain circumstances. however, dramatic changes in the use of communication technology have occurred since 1986. americans now depend on e-mail, text messages, social networking web site, web-based apps and countless other electronic communication methods on a daily basis. and more than ever these communications are bei retained in some form due to dramatic reduction in the costs of storing data in the cloud. these communication dodges are enriching all of our lives. they're of great help to me in
4:37 am
keeping in touch with my constituents in iowa and, for the most part, we have american technology companies to thank for this digital revolution. these companies are now a significant engine of growth for our economy by creating an increasingly global market for these communication technologies. but, of course, these technologies are also being used everyday by those who intend to do our society great harm -- terrorists, violent drug dealers, child predators, environmental criminals and you can go on and on. these technologies create a digital trail that is often essential to bringing these offenders to justice in light of these changes, there's a grange consensus that ecpa must be modernized to adapt to this new landscape and whatever updates to the law we make, of course,
4:38 am
must be consistent with people's protections under the fourth amendment. the privacy and technology communities have criticized ecpa for failing to provide sufficient privacy safeguards for individuals' stored electronic communications. indeed, given the way americans use e-mail today, it hardly makes sense that the privacy protections for an e-mail should urn on whether it's more than 180 days old or whether it's been opened. at the same time, law enforcement officials have expressed concern with certain aspects of the current ecpa framework and how it currently works in practice and they are concerned that reform efforts to a statute they use everyday do not unduly hamper the ability to
4:39 am
investigate violations of law. an example. the department of justice has expressed concerns about efforts to exchange ecpa notice requirements to provide targets with unprecedented amount of information that could compromise ongoing investigations. both the department and civil law enforcement agencies have expressed the need to address an emerging gap in their authority if the target of an investigation fails to respond to lawful civil process for e-mail evidence in the targets' possession. they con end that this gap could law offenses such as civil rights violation, security fraud and consumer fraud to go unpunished. in addition many state and local law enforcement officials are frustrated with the current timeliness and quality of responses by providers.
4:40 am
unlike traditional search warrants, law enforcement agencies can not control how quickly they obtain evidence through ecpa warrants. they rely on the providers to conduct the searches for them. to these officials, any heightening of ecpa's legal standards should be accompanied by changes to the law that ensure that they receive the information they need timely. in addition, some officials have expressed concern that the voluntary nature of ecpa's emergency exception can result in unacceptable delay in important cases. for example, when a child is abducted. closely related to these concerns is the on going issue of encryption and the going dark problem which the committee recently held a hearing on. this is another example of a situation where agents may
4:41 am
immediate the legal standards to obtain critical evidence but are not able to access it quickly enough or even at all. as i said at our last hearing on ecpa, the reform we discussed in 2011, if we're considering changes to legal standard under ecpa we should also be working to ensure these same problems are granding law enforcement the necessary access to address the going dark issue. i sent a letter to deputy attorney general last week to get an update from the department about how that process is proceeding. reforming ecpa's treatment of stored electronic communications therefore is a complicated and potentially far-reaching endeavor that sits at the intersection of privacy -- [ phone ringing ] that's bad, i'm sorry.
4:42 am
stored electronic communications therefore is a complicated and potentially far-reaching endeavor that sits at the intersection of privacy rights to the public, the investigative need of law enforcement professionals, society's interest in encouraging and expanding commerce and the dictates of our important constitution. the key is to strike the right balance between these interests as ranking is member lahey declared at our last hearing on the topic, 2011, "meaningful ecpa reform must carefully balance privacy rights public safety and security i agree. i'm grateful for the presence of all the witnesses and i recognize senator lahey. >> thank you, mr. chairman. i remember when our foreign
4:43 am
communications act was passed nine years ago. in fact, the final -- i was talking with a form er direct o of the fbi last month vermont when we worked out the very final parts of it in my capital office about 10:00, 11:00 at night, trying to bring law enforcement. but keep in mind, those calls were on land lines at that time. call waiting was novel. few had heard of e-mail but we did figure there would be new electronic communications and we thought ecpa could provide that but there are now many ways that nobody could have anticipated of communicating. and the privacy rules concerning
4:44 am
this are simply outdated government agencies can obtain the contents without a fwarnt that e-mail is more than 180 says old well, we don't expect our private letters or photos that we store at home to lose fourth amendment protections simply because they're more than six months old neither should our text documents. now, tomorrow is a major historical date in iowa. it's senator grassley's birthday. [ laughter ] i think they declared it as a day of public rejoicing [ laughter ] but if i sent him a note -- which i've actually written -- to him and he puts that note in
4:45 am
his desk, handwritten note in his desk, somebody's going to have to have a warrant to go and get it. i didn't put anything in there that justifies that warrant. [ laughter ] but if i sent him a text that's stored in the cloud, why should bit any different? why should somebody just be able to take it out. senator leahy and i introduced the ecpa protection act to bring the digital world inline with the physical world. patrick leahy. there are nine of them on this committee. in the house even more, 300 co-sponsors, both parties support the bill. an extraordinary coalition of industry and civil society support this is bill. americans for tax reform, the center for democracy and technology. heritage act. aclu.
4:46 am
usually representatives of those people have to have an orb traitor to get on an elevator with them if they're all in there together but they all agree with this but the bill has been reported by a judiciary committee by a voice vote in each of the last two congress. i think to use a technical term, passing this is a no brainer. five years ago the u.s. court of appeals for the sixth circuit found the contents of e-mail as fully protected by the fourth amendment regardless of its age. that's effectively become the rule nationwide. major service providers no longer turn over the contents of e-mails or texts without a warrant or legitimate warrant exception. the ecpa amendments act simply as senator lee knows we simply codify current practice. now, some have raised concerns the bill would have for civil regulatory agencies such as the s.e.c. well, we want these agencies to be affected but there's nothing in our constitution that says
4:47 am
only certain agencies have to follow the constitution and others don't have to. s.e.c. has not been able to obtain e-mails without a warrant because of the 2010 federal court ruling and our bill doesn't change that. so i'm disappointed the commerce department was not asked to join the administration panel given its important perspective but i thank the chairman for having this, a bipartisan number of senators and house members have that joined on this tells us this is an important issue. thank you and happy birthday a day early. >> thank you. before i introduce the panel i would want to put some letters that we received outlining concerns of the current ecpa reform proposals from law enforcement agencies so fively
4:48 am
name -- the national association of assistant u.s. attorneys, federal law enforcement officers association, the major county sheriff's association, the national district attorney's association. the iowa county's attorneys association. so i would ask without objection that these and i diggsal letters be entered into the record. our first witness is principal deputy assistant attorney general elena tirangel. she also serves as the heads of department of justice legal counsel. prior to joining justice she worked in the office of white house counsel and served as assistant u.s. attorney d.c. before that she was with the national partnership for women and families. she has an underground watt sto
4:49 am
undergraduate degree from brown. our second witness, andrew ciranzi currently serves as director of the division of enforcement security and exchange commission. before joining s.e.c. he was a partner at has practiced white collar criminal investigations. prior to that, he served as assistant district attorney in new york. he received his undergraduate degree columbia. third witness, daniel salsburg is the chief council of the office o technology, research, and investigation. bureau of consumer protection at the ftc. previously he served at the bureau of consumer protection. before that, he was a senior trial attorney for commodity cftc. mr. salsburg received his undergraduate and law degree from the university of pennsylvania.
4:50 am
i want to thank all of you for testifying. we'll do it in the order we did. so proceed, elena. >> thank you. >> chairman grassley, ranking member leahy, and members of the committee, thank you for the opportunity to testify on behalf of the department of justice regarding the electronics communications privacy act or ecpa. we appreciate the opportunity to engage with the committee on this topic, which is of particular importance to the department. i look forward to discussing with the committee how the department uses ecpa and how the statute might be updated and improved. ecpa has always sought to ensure that the government can perform its safety and criminal enforcement mission while safeguarding individual privacy. it is important that ecpa reform efforts remain focused on maintaining both goals. electronic communications play a vital role in government investigations. indeed as technology has advanced and as electronic data and storage have augmented
4:51 am
traditional means of communicating and storing information, appropriate governmental access to data is more important. ecpa is critical to tracking down criminals in investigations into murder, kidnapping, organized crime, child exploitation, identity theft, terrorism, and more, but criminal investigations are only a subset of the circumstances in which ecpa applies. the statute applies when the government acts as a civil regular later, or even as a regular civil litigant. the we agree that notwithstanding several updates to ecpa the statute draws some lines that do not account for the development of technology and the ways in which we use electronic and stored communications today. for example, there's no principled basis to treat e-mail less than 180 days old different from e-mail more than 180 days
4:52 am
old. similarly, there's no reason for the statute to give lesser protection to e-mail that have been opened than to emmails that remain unopened. personal privacy is critically important to everyone. all of us use e-mail, and we want it to be appropriately protected. and many discussions on enhancing privacy focus on a proposal for law enforcement to receive a warrant from a public service provider.
4:53 am
criminal search warrants are only available if an investigator can show probable cause that a crime has occurred. the lacking warrant authority, civil investigators enforcing civil rights, environmental, anti-trust and a host of other laws will be left unable to obtain store content of communication providers. as information is increasingly stored electronically, the amount of critical information that is off limits to government regulators and litigators will only increase. efforts to update ecpa can reflect these considerations and ensure appropriate judicial oversight to communications. any proposals to changes should address the ability of civil
4:54 am
litigators. the department also has several more technical yet important concerns that we believe merit consideration. although discussions about updating ecpa have often focused on this content information, there are other parts of the statute that would benefit from further examination. i would also like to speak briefly about government access to data stored abroad. the administration is studying these proposals, but the department has significant concerns about aspects of these proposals. the department of justice appreciates the opportunity to discuss all of these issues with the committee, and i look forward to your questions today. >> thank you. andrew? >> thank you, chairman grassley, ranking member leahy, and members of the committee. good morning. thank you for inviting me to testify today on behalf of the fcc. i share the bill's goal of updating ecpa's collection
4:55 am
procedures, but the bill in its current form proposes significant risk to the american public by impeding the afblt the fcc and other civil law enforcement agencies to investigate and uncover fraud and other unlawful conduct. i firmly believe there are other ways to update that offer stronger privacy protections without frustrating the civil ends of law enforcement. the fcc's mission is to protect investors, maintain fair, orderly and efficient markets and to facilitate capital formation. our division of enforcement furthers this mission by investigating potential violations to the federal securities laws. a strong enforcement program is critical to the fcc's effort to protect investors from fraudulent schemes.
4:56 am
and promotes investor trust and confidence in the integrity of our securities markets. electronic commune cases often provide critical evidence in fcc investigations as e-mail and other message content can establish timing, knowledge, or relationships or awareness that certain statements to investors were false or misleading. when we conduct investigations, we generally seek e-mails through the key actors through a an admin stistrative spina. the subpoena recipient may have erased e-mails, inserted damaged hardware, or refused to respond. individuals who violate the law are reluctant to produce evidence of their own misconduct. in still other cases, e-mail holders are not able to respond. it is at this point in this an investigation that we may need to seek information from an internet service provider or isp. the bill at issue would require government entities to procure a criminal warrant when acquiring e-mail content.
4:57 am
because the fcc and other several law enforcement agencies cannot obtain criminal warrants, we would effectively not be able to gather electronic evidence directly from an isp regardless of the circumstances, even in instances where a subscriber deleted his e-mails or fled to another jurisdiction. depriving the fcc of authority to receive e-mail content from an isp would also incentive ize subpoenaed individuals to be less forthcoming. they may be emboldened to destroy or not produce them. these are not abstract concerns for the fcc or the investors we protect. among the type of scams we investigate are ponzi and pump and dump market schemes. as well as yep cider trading violations. in these types of frauds, illegal acts are likely to be communicated through personal e-mail accounts.
4:58 am
parties are more likely to be noncooperative in their document productions. technology has evolved since ecpa was passed. there's no question the law should evolve to protect privacy interests, even when significant law enforcement interests are also implicated. but there are various ways to strike an appropriate balance between these interests as the committee considers advancing this important legislation. as part of that balance, any ecpa reform can and should afford a party's information that is sought from an isp in a civil investigation notice and an opportunity to participate in judicial proceedings before the isp is compelled to produce the information. indeed when seeking e-mail content from isps in the past, the division provided notice to e-mail account holders in keeping with long standing and recently reaffirmed supreme court precedent. in the legislation was so structured, the individual would have the ability to raise with the court any privilege or concern before the communications are provided to an isp. while civil law enforcements may
4:59 am
have a limited avenue. to abscess existing electronic communications in appropriate circumstances from isps. such a judicial proceeding would offer greater protection to subscribers than a criminal warrant in which subscribers receive no opportunity to be heard before communications are provided. thank you again for the opportunity to be here today. we look forward to working with the committees on ways to modernize ecpa. without putting investors at risk and impairing the fcc from enforcing the federal securities laws. the i'm happy to answer any questions that you have. >> thank you, andrew. daniel? >> chairman grassley, ranking member leahy, and members of the committee, thank you. let me begin by noting that my oral statements and responses to questions are my own and they don't necessarily reflect the views of the commission or any commissioner. having said that, i very much appreciate the opportunity to represent the ftc's testimony.
5:00 am
and explain how proposals to reform ecpa could reform the mission. the the ftc supports the objectives of ecpa reform and understands the need to update it to account for technological advances. and to protect consumers' privacy. in bringing actions, we rely heavily on our ability to conduct thorough investigations. of companies' business practices. as a civil law enforcement agency, the fcc's concerned that recent proposals to update ecpa could impede our ability to obtain certain information from ecpa service providers. in proposals, to obtain content from a service provider, the government could need to obtain a criminal warrant. which is not available to the ftc. the proposals would require a warrant for all forms of content, even those in which a subscriber has no reasonable expectation to privacy.
5:01 am
we are concerned that requiring a criminal warrant in three situations would impede effectiveness. we're talking about things like no longer running advertisements, previously sent spam, and ads on a mobile device. this content is critical to ftc investigations. before determining whether a target has made a false representation, we need to find the advertising or promotional material that contains the representation. the in many instances, the scam artist change websites and electronic marketing materials frequently. when commission staff investigates complaints about a website, the website currently viewable to the public may be different from the one that the consumer complained about. kucht ec we have not used the tool often. most of time our investigators are able to track down a
5:02 am
target's old marketing materials without needing to seek the materials from the provider. but the increasingly fleeting nature of advertisements, makes it quite likely we will need to compel advertising materials more often. an exception from the criminal warrant requirement in proposed legislation from commercial content that promotes a product or service would enable to the commission to obtain such commercial content. at the same time, such an exception would have no impact on privacy rights, because the materials would be purely commercial and have been affirmatively published by the target. as a result, the target would not have a reasonable expectation of privacy with respect to government access. the second situation which should be exempted from the criminal warrant requirement is content with the consent of the customer.
5:03 am
as cloud computing becomes more widespread, it will be increasingly important for civil law enforceme menment agencies compel an ecpa provider. for example, manipulation schemes where if we had the authority, we would certainly do that. when a customer consents to disclosure to the government, the customer has no reasonable expectation of privacy. third, a criminal warrant should not be needed when the ftc has compelled a target to produce content held by a cloud service provider. under these circumstances, the
5:04 am
ftc should be able to seek a court order directing the target's provider to release the content. in conclusion, thank you for giving the commission an opportunity to describe the importance of electronic communications in our investigations and the ways in which proposed updates to ecpa while important could hinder our law enforcement actions. thank you all for your testimony. i'll start and senator leahy will be next with our questions. chair woman white has told us that the fcc's ability to carry out enforcement responsibilities and conduct investigations has been significantly curtailed as a result of the warsaw decision, but we've been told that the fcc has not provided any examples of cases where access to electronic
5:05 am
communications have been cut off due to that decision or would be impacted if the pending reform bills were enacted. can you provide any examples of the type of case or investigations that have been affected since that case decision due to providers requiring a warrant when the government seeks to collect chronic content in a civil investigation? >> yes, senator, obviously, i can't talk about the details of ongoing investigations, but i can say that there are an um in of investigations in which, if we, if we were exercising our authority under ecpa, we would do that. for example, manipulation, touting schemes. i can't necessarily say it would produce e-mails that would dramatically further the investigation because right now i'm not able to know what it is that e-mails we would obtain through that kind of process,
5:06 am
but i can definitively say that there are investigations ongoing and there were investigations even prior to the warshack case where we were exercising authority that were advanced by obtaining isp e-mails. >> along those same lines in your written testimony you suggest that a warrant-only requirement for obtaining electronic communications from an internet service provider, quote, could create some obstacles in further civil raw enforcement cases. would you provide us examples of the type of cases and situations the ftc is concerned about that would create obstacles to future civil law enforcement cases? >> of course, senator. the types of cases we're talking about are those instances where the target or the defendant is trying to be evasive, is not responding to discovery or to
5:07 am
our civil investigative demands. t the, so that's one classification. the other class of cases are where the target is an outright fraud, like a fly-by-night scam. and we don't want to contact them directly. you know, if we contact them directly, they may flee. they may destroy evidence, destroy records and hide assets and keep us from being able to get money back for consumers. >> okay. there's a, this would be to any or all of you. there's a perception that what you're really asking for is a mechanism that lacks judicial oversight and sidesteps the target of a civil investigation without any notice or hearing. in fact, the written testimony provided to us from google states that you are proposing to
5:08 am
quote, amend ecpa so that agencies can bypass the target of or witnesses in civil investigations. end of quote. for any or all of you. t is this a fair characteristic of what you're really proposing? >> senator, it is not. we are asking for a mechanism to allow courts to compel this information from providers where necessary and has been, as has been mentioned, this is information that we try to sdet from subscribers. where we can't get it from subscribers, we really do need it, and there are ways of protecting privacy in ensuring there is a certain process. >> andrew? >> and i would add that the mechanism that we are proposing is judicial procedure, we would give notice to the subscriber and allow them to come in and offer objections.
5:09 am
and from our perspective, that's more protection than a warrant proceeding that's ex parte where the subscriber is not present. >> do you have anything to add? >> i would agree that the judicial mechanism that we are proposing would require two things. we'd have to go to the subscriber first, and only when we are unable to get the information from the subscriber could we then go and seek a court order. so it's two additional protections. we'd have to first get it from the subscriber, and then there would be judicial intervention. >> senator leahy? >> thank you. first off, there's a great deal of consensus for the need to update ecpa. i would ask consent that these letters be placed in the record in support. thank you. they range from the chamber of commerce, former director of the fbi sessions, civil rights and
5:10 am
many others. let me ask you a question. the fbi now use warrants when it seeks the content of e-mail communications in criminal investigations. regardless of the agency e-mail, is that correct? >> that is correct. >> so this bill that senator lee and i have would not change the fbi procedure in that regard. >> the bill would not change the procedure for criminal, obtaining disclosure through a third party provider of stored e-mail regardless of the age. >> thank you. should a privacy protection that's afforded to e-mail or text messages, should that change? if they're older than six months? or if they've been opened? >> no, we don't think there's a
5:11 am
principle reason to treat e-mail differently depending on the age. >> no, i don't think that we see any distinction there. >> mr. salisbury? >> we agree. >> thank you. you know, we talked about the united states versus warshack. i'll ask the same question to both of you. since that ruling, has the fcc or the ftc obtained e-mail content through a subpoena issued to a third-party provider? >> we have not, senator leahy, but we've done so in an excess of caution, and i think in deference to the rye form discussions that have been going on in congress. our view -- >> and in deference of a five-year-old sixth circuit case which has not been overturned?
5:12 am
>> no, our view is that warshack does not deny us the authority to obtain e-mails through an admin stradministrative speubpo. >> mr. salzburg? >> we have not sought e-mail content either before the warshack decision or since. >> and you have permanently sought a legislative solution or change from congress in the past five years? >> no, we have not sought a solution until now. >> we've obviously offered over the last few years to have op goig -- ongoing discussions. >> have you made a proposal? >> we have. >> can you give me a copy of the
5:13 am
proposal you made? i don't seem to recall that. >> we've had discussions with staff about this issue over time. >> beginning five years ago? or just since, or just since senator lee and i looked like we might actually get something passed here? >> no, i can only speak to the two and a half years i have been director of enforcement. we've had discussions with the staff throughout that period of time. >> and you sent up a concrete proposal? >> we've been discussing proposals that the staff -- >> have you sent a concrete proposal from your agency? >> our view is we want to be responsive to proposals that congress is providing. so to the extent that staff or particular senators or congress men have offered us what they are thinking about, we have offered them our thoughts o n those proposals. >> are you seeking wire tap authority for your civil investigations? >> no, we're not.
5:14 am
>> you do want to be able to read e-mails without a warrant. >> what we're proposing, senator, it's some sort of judicial proceeding that would find some sort of standard, whether it would be some sort of standard that would allow us to obtain e-mails with notice to that subscriber with notice of the proceedings so that the sub describer can raise any concerns that they have. >> what about listening to your target's phone calls? >> no, we are not proposing that. >> wouldn't that be more efficient, more effective? >> senator, we, we are not seeking wire tap authority. that is something that the criminal authorities have that we do not. that is not something we're seeking. >> all right. how many, how many federal, local and state agencies have
5:15 am
civil authority to allow them to issue subpoenas for records? >> thank you for that question. certainly at the department of justice, there are a number of civil enforcement functions, including anti-trust, tax and environment, civil rights. since warshack, they have been unable to get stored content from providers, and this has hurt their investigations and sort delay and make it difficult in instances where they couldn't obtain information from subscribers. >> ply time is up. i'm going to have a couple questions for the record on that. thank you. >>ow senator hatch, let me read here, it would be hatch, whitehouse. and then it would be purdue, and i'd assume we'd go to the democrat senator franken, and tillis of hose wthose who are h
5:16 am
now. >> in your written testimony, you've stated that the department had concerns about legislative proposals aimed at safe guarding data stored abrought from improper government access. as you know, the electronic communications privacy act is silent on the privacy standard. u.s. officials must satisfy in order to access data stored abroad. and yet the federal government has taken advantage of the statutory silence to apply its own standard. what is the legal basis for law enforcement agents to use ecpa warrants to obtain data stored overseas? >> thank you for that question. thank you for that question, senator. there's longstanding legal framework that allows the government to serve compulsory legal process on united states companies to require them to
5:17 am
bring back information that is stored abroad. and the concern with proposals that would change that framework is that it would take away an option that has long been available under that framework and would replace it with international cooperation, which is not an adequate solution, because those, those agreements, that kind of cooperation doesn't exist everywhere. only about half the country, as we have agreements with. and because even when we can use those agreements, it takes a really long time and can delay investigations in times when we really need it. >> i disagree with you, that's why i introduced the leans act, for law enforcement to access data stored abroad or overseas. my bill's trying to help your efforts, and i'd appreciate any suggestions you have that might make it a more workable bill or
5:18 am
might improve it or help you in your work. >> we look forward to working with you. >> thank you. if federal officials can obtain e-mails stored anywhere in the world simply by serving a warrant on a provider subject to u.s. process, nothing stops governments in other countries, including china and russia, from seeking e-mails of americans stored in the u.s. from providers subject to chinese and russian process. in fact, the lawyer who has litigating the microsoft case on behalf of the government acknowledged last week that the ability for a foreign government to require disclosures of a u.s. provider, quote, should be of some concern. unquote. now, are you concerned about the far reaching or reciprocal consequences of government's current position on the extra territorial reach of u.s. warrants? >> thank you for that question. this is a challenging issue, one
5:19 am
that the department is actively considering. whatever the solution is, we don't think that the solution should involve deciding conflicts of laws in a way that always works against the united states. historical historically, courts have been able to weigh government interest in other factors in coming to decision on these issues. and the concern is any regime that would decide all matters of conflicts of law against the u.s. in every case. >> well, the mutual process facilitates formal agreement for sharing evidence between the united states and foreign countries. do you agree the process has proven slow and cumbersome to use? >> it certainly is slow and cumbersome for us to get information from other countries, which is part of our concern. and the incoming process, we
5:20 am
agree that there needing to be progress made and are working on progress technological and otherwise, and the department has requested resources to improve things further. >> in your view, what can congress do to improve the process, and how does another country access data stored here in the united states? >> so, again, these are really challenging issues, and we look forward to working with you on them. one thing that, if clear, with the process, it is not a one-size-fits-all process. and because it is so complicated it requires an approach that takes into account the way it is operating now, and we very much look forward to working with you to streamline the process. >> i look forward to working with you as well. and i hope we can streamline this process and make it work not only for you but for businesses and others as well. thank you. >> senator whitehouse? >> thank you, chairman.
5:21 am
in evaluating in question of civil access to content maintained by the service provider, i take a step back to the question of a criminal warrant. a criminal warrant is obtained by a government official going before a federal judge on an ex parte basis. and getting the judge's consent to get access to the material involved. that protection is there,'s understand it, because of the immense power that criminal law enforcement gives to the government, power for instance of incarceration. we even have a federal death penalty. so, from the very beginning, the founders constructed a process that limited arbitrary access by
5:22 am
the government when it had those terrible powers in its hands. doings the government have any such powers with respect to civil enforcement? >> it does not. civil enforcement lacks warrant authority. >> and what you're proposing is that just like a warrant, the government would have to go before a federal judge in order to get access to the data for civil enforcement purposes. >> there are a number of ways to do it, but yes, having a court be able to compel that evidence. >> a court order would satisfy you? >> yes. >> and in a number of circumstances, your colleagues here on the panel have suggested that the subject might actually be, the subscriber might actually be notified first or that there might be notice to the subscriber so it would not be an ex parte proceeding. it would be a proceeding in which the individual whose privacy interest was involved would have a right to appear, correct? >> that's correct. >> all right, now what happens
5:23 am
in the case where you talked about where for a variety of reasons you don't want to reveal to the misbehaving party that this investigation is under way, because they're likely to abscond or hide assets or destroy evidence or whatever? do you want some form of ex parte process like a warrant provides? where the civil agency could say, look, these are extraordinary circumstances. this is why we need access ex parte to this information and try to convince the judge of that? >> we're not actually asking for that authority. >> so why are you at that uk about the -- why did you use that example of the importance of it. >> i suppose i conflated the previous content argument that we have, where we would still want to be able to get the content from a provider when we're talking about content where there's no reasonable expectation of privacy. >> do any of you seek a proposal under which the government would
5:24 am
be able to make a showing that an ex parte provision is necessary and go forward without notice to the subscriber? >> we are not. from our perspective, in fact, we typically will seek the e-mail from the subscriber first, and if we're not able to obtain or don't believe we've received full e-mails we'll go to the isp. >> so you're not requesting that. >> we are not. what we're looking at is for a he limited ability to obtain isp e-mails in cases where we just can't get them. >> through a court order. >> through a court order. >> from perhaps the very same judge who you'd have to go through to get the warrant. >> from the very same judge. >> and the person would be present. >> that's right. that's more protection than a warrant provides. >> sure is. >> thank you very much mr. chairman, oh, may i ask, i have
5:25 am
a minute left before i yield back my time. just to be clear, i think chairman grassley asked you this. but just in case it didn't come through as clearly to you as it did to me, i'd be interested in looking back at cases that have come to a conclusion and where there is a public disclosure of the case where you can take a look at the case and say this piece of evidence actually helped make that case. and we got it because we were able to have access through the service provider to that information. not an ongoing case, which i know is a very delicate circumstance for all of you. but closed cases looking back just so we can see whether or not this has made a difference in real life in the past. and with that, i yield back my time, mr. chairman. thank you for holding this hearing. >> thank you. thank you, mr. chairman. thanks to all of you for being here.
5:26 am
you know, updating the electronics communications privacy act has been a priority of mine ever since i arrived in the senate. now that i've been here for about four and a half years i appreciate more fully how difficult it can be to bring about a change of law that basically everyone agrees on. now the overwhelming majority of the american people, and by overwhelming majority i mean 99.9% of anyone you ask can agree that the government ought to have a warrant before it goes after your e-mail. the content of your e-mail. number two, the same number of people would agree, i think, by about the same ratio that it ought not make any difference whether that e-mail is 179 days old or 181 days old. whether or not the government has to get a warrant. and so, you know, this is a very simple principle that ought not be all that difficult to legislate. but i've been honored to work on this legislation. i introduced senate bill 356.
5:27 am
the ecpa amendments act along with senator leahy to update our law in expectations of the public and what seems to be widely followed practice today. to start out with, i want to ask each of you a simple yes or no question. i want to ask you, does your agency believe that it should, under normal circumstances, meaning in the absence of a generally applicable widely accepted exception to the warrant, should it be required to get a warrant in order to get at the content of a person's e-mails, regardless of the afrnl the e-mail? >> the department has indicated that we do not oppose a warrant requirement for our criminal entities when they are obtaining information from a third party provider to the public. but note some concerns about
5:28 am
that rule where there is no warrant authority available like in our civil investigations. >> if i understood your question correctly, the answer is no. we believe that a judicial proceeding that we've been discussing that allows the subscriber to object is an appropriate mechanism for obtaining e-mails. >> we agree with the fcc's position. we agree with the fcc. >> got it. okay i do think that while there are a few people in washington, d.c. who can understand what you're saying, i think the overwhelming majority of the american people would be very disturbed to there that that question can't be answered with a simple, with a simple no. that the government should not be able to get at people's e-mails. the content of their e-mail without a warrant. now let me, let me direct the question your way. i'm concerned that the
5:29 am
department of justice once it has obtained e-mails, it may use those e-mails for any investigation related to the initial reason for the acquisition or not. so if you obtained e-mails on subpoena, what would prevent those e-mails, what would prevent the department from using that in a criminal prosecution? >> so certainly, it would not be acceptable for things to be obtained on the civil side fort push purposes of trying to use it on the criminal side. however, when criminal evidence becomes apparent, that information can be shared and we are not proposing a way to get around the warrant requirement
5:30 am
without any privacy protections and that there should, there are ways of protecting privacy, both by standard and by process. so what we talking about on the civil side is a process protection. >> and what kinds of safeguard rs was the doj propose in order to prevent a civil agency carve out from being used to avoid the warrant requirement? you can understand how that could easily be manipulated in order to avoid the warrant requirement. >> thank you for that question. i don't believe this instance is really any different than the other sorts of evidence that can be obtained in other ways. these are issues that are, that exist as to all investigations, prosecutors and civil litigators and investigators are held to a standard to obey the rules and hold to those rules and hold to the process that the law requires, but i am happy to get back to you if there are further questions or to answer further
5:31 am
questions. >> okay. thank you. i see my time's expired, mr. chairman. >> well, since i, since senator leahy asked me to be here as ranking member, i have to be here, so i'll consider blumenthal go next. i'm forced to be here. fl next to you, i am required. yeah. >> thank you. i want to thank senator franken for his courtesy. i am curious, mr. salzburg, in your testimony, you express concern about what would happen if a customer consents to having her service provider turn over e-mails but the service provider nonetheless refuses. can you give us some examples of how and when that might occur?
5:32 am
if a customer says, okay, but the service provider says no. when and how would that occur? >> sure, let me give you two examples. the first is, assuming we are investigating a business and the business is readily willing to turn over information to us and it maintains it in the cloud. and the cost of the target getting the information from the cloud provider is significant, whereas if they were just to authorize us to go to the cloud service provider and get it and use our litigation support folks they would rather have that happen. is that going to happen all the time? that a target is willing to turn over its information en masse to the government? no. but if that scenario arises the commission should be able to take that consent and use compulsory process to get that information from the provider. the second scenario is the customer is a victim and the victim no longer has access to the content of the claim that's
5:33 am
been made to them, and they want the government to go get it. >> have those two scenarios actually occurred? >> they, there have been a couple of instances where this has occurred. but it's not common. and what we're, what we're concerned about is that the move to cloud computing gets more ingrained and gets further along, these scenarios might happen more frequently. >> does the, does the ftc have any recourse against a target of a subpoena if that target fails to do everything in his or her power to get e-mails from his service provider and get the provider to turn them over? >> it does. we can file a, if we're talking about an investigative demand, we can file an enforcement action, but at the end of the day, if the customer refuses to turn the information over, we would have no ability under the pending legislation to get that information. >> under the pending
5:34 am
legislation. >> right. >> under which the -- >> under the -- >> 356? >> 356, yeah. >> so that's the suggestion that you have for improving it. >> yes. and interestingly, the provision that authorizes the provider to voluntarily provide information authorizes it to turn over the content with consent voluntarily to the government. and we just want to make sure that there's a provision that allows the government to compel in circumstances. >> if the target of the investigation has intentionally used an internet provider that won't cooperate with the ftc, so that target can pretend to consent but then in effect use the refusal of the internet provider as the barrier, is there anything ftc can do to penalize the target? if you understand my question. >> yes. you know, we can seek, we can
5:35 am
seek to compel. if we're talking about a, an investigative demand, but ultimately, we don't have the authority to penalize anybody. >> well, i, i welcome your suggestions for improving this legislation. as you know, i'm one of the original co-sponsors of s-356. i think it's important to strike that balance between privacy and law enforcement, having been in law enforcement myself, having been a strong supporter of the work that all three of your agencies do, and very much welcome your suggestions here and any other thoughts that you may have. thank you, mr. chairman. >> thank you, mr. chairman, and thanks to the witnesses for your time today. obviously, this is, we've had similar conversations where we're trying to balance privacy and enforcement. it's ongoing and i applaud your efforts and your leadership in that. i look forward to debating both
5:36 am
ecpa and the lee's act. i have a quick question relating to leads. as we know, and i think you've just explained. leads would create a rule that government may use ecpa warrants to obtain content data stored outside the u.s. but only if the account holder's a u.s. person. in all other cases involving content data stored abroad, it would require the government to use the mlat process as i understand it. what's your view of the provision of the bill that seeks to improve and streamline the mlat process? >> thank you for that question. improving the mlat process on an incoming basis, which is what that proposal is talking about is difficult and complicated, and we very much look forward to working with the committee on that. we do think it's not a one size
5:37 am
fits all kind of solution, and having provisions that apply, for instance, to require sort of an online intake when not all countries actually use government e-mail to send in their requests is the sort of thing that makes this hard. so we very much look forward to working with you to address those issues. >> can you explain the doj's concerns that i think doj has expressed regarding the leads act on domestic investigations, technically those involving a non-citizen who's in the u.s.? >> thank you. the department would be concerned with any proposal that would unilaterally take away a tool that we have in order to be able to obtain information about a u.s. crime affecting u.s. victims that historically has been in place for a long time and replace it with something that would take a really long time through international cooperation alone, and it would,
5:38 am
proposals that would also make it more difficult to get information about non-u.s. persons committing crimes in the u.s. than it would u.s. persons is also a concern for us. >> i see. one last quick question. i want to go into the subpoena issue that was raised a minute ago about your i agency's ability to raise warrants on an enforcement action. i ask that because a person can be compelled to comply. can you give me your views and let's clarify that just a little further. >> sure, our subpoenas are not self-executing. if somebody objects to our
5:39 am
subpoena, we need to go to court. that person in that proceeding can raise whatever objections they have, whether it be privilege or other relevancy objections. if we show a proper purpose and the subpoena is properly tailored, it will be upheld. the problem we've been talking about is the subscriber will often not provide you with full e-mail because they're incentivized not to. and if they know we can't obtain it through the isp that further incentivizes them. >> when you have to go to the second step of getting the information. >> we have frequently brought subpoena enforcement actions. in many cases we make a judgment. there are resource constraints about subpoena actions and
5:40 am
obviously we make a judgment about whether to dmel a particular case. i will say in our experience, in certain cases subscribers provide full e-mails. in others they don't. that becomes clear. because as you spubpoena others you find that other people supply you with e-mails. and that tills you the original production was not sufficient. >> we have a similar process through the ftc where they are not self-executing. we have to go to a court to enforce them as well. in our experience, i think most targets usually comply with our cids. if they don't, we have to make a resource call. is it worthwhile to pursue an action that is lengthy, or do we forego the information and try to find the necessary information in another way. >> thank you. thank you, mr. chairman.
5:41 am
>> thank you, mr. chairman. mr. salzburg, the ftc plays a key role in protecting americans' privacy and americans understandably care deeply about the privacy of their e-mails and other online documents. since the warshack decision, their expectations have largely been met, and the ecpa amendments act would ensure that those expectations continue to be met, and i applaud senators lee and leahy for their efforts. i guess more senator leahy, because he's my ranking member. so i do find, mr. salzburg, that the final portion of your testimony a little surprising. i did not expect to hear the
5:42 am
ftc's bureau of consumer protection suggesting that the ecpa amendments act be significantly rewritten to give ftc broad authority to obtain via simple court order americans' e-mail contents from third-party service providers. and then, this morning we received commissioner brill's statement expressing her concern about this proposal, commissioner brill notes that it is, quote, exceedingly rare that it would be useful for the ftc to seek content through ecpa and she highlights the cost for americans' privacy as well as the question of constitution constitutionality or potential unconstitutionality of obtaining content with just such a court order or with just a court
5:43 am
order. i realize your oral presentation today reflects only your views. but i'm interested in your, in your views and data that you may have setting aside potential constitutional concerns for the moment. do you have any data, any case statistics to support your claim that a new expansion of ftc authority to obtain mail content is needed? let me first note that we have not sought e-mail contents in the past. and the question is whether the economy's changing in a way with data moving to the cloud computing that we can see it being foreseeable in the future. i don't have any impeer cal evidence of this, but i think one of the major drivers of this is that data is being kept in
5:44 am
the cloud with third-party service providers and no longer being maintained locally on people's computers. >> okay. thank you. i'm sorry i wasn't here for the beginning. is it ceresny? >> yes. >> under ecpa as it was written in 1986, subpoenas could be used to disclose a contents of a customer's e-mails if the e-mails were relatively old, more than 180 days old. now courts have taken issue with that, and personally, i think that is not what the american people expect when it comes to the privacy of their e-mails. we've been discussing that. but if i'm understanding your testimony correctly, you're not satisfied with even the ecpa standard. you're lacking fooking for new d authority for federal regulatory
5:45 am
agencies like ftc and irs to be able to obtain content without a warrant without regard to the age of the information. in the last five years, has the ftc sought to take action against providers who refuse to comply with requests because of warshack? >> senator, we have not, in deference to the ongoing discussions in congress about ecpa reform, but i would say that what we are seeking are more protections than in the current ecpa. the current, we are proposing that a court order, and i think you used the term just a court order. but it is what a warrant is, a judge signing off on an order that allows us to obtain e-mail, and in our case, we're proposing with notice to the subscriber so that the subscriber, unlike a
5:46 am
warrant which is ex parte, the subscriber could come in and assert any objections that they have. what we're proposing is more protection first of all than in the first protection. >> so you take issue with my saying "just a court order." >> yes, with all due respect. >> i appreciate the respect. >> thank you. thank you mr. chair and mr. acting ranking member. mr. chair, i also want to wish happy birthday in advance. i think you're celebrating the, maybe the 32nd anniversary of your 50th birthday tomorrow. [ laughter ] >> that would be 82, i think. >> now i'm 55 i started celebrating anniversaries about five years ago. i want to ask a question that may also be appropriate for the second panel. i've got to go back to an armed services committee, so i'll start the discussion here. i'm concerned with your efforts
5:47 am
when it involves an isp that's not within u.s. jurisdiction. and efforts that we would have here to strengthen our ability to get to information for u.s. domiciled isps and the potential risk that could have for people who may intend to use those for the kinds of purposes that you're going after. some may or may not be. what risk do we have going just beyond the 180-day retention requirement and clarifying the obligations of the isps with respect to their warrant requirements. what risk do we have of just having the snakes go to another pasture and still be able to do what they want to accomplish or still be able to fall under that veil and put our isps at risk? and i'll open that up to the panel. we'll start down there. >> thank you for that question.
5:48 am
when there are providers that are doing business in the u.s., historically, the courts have exercised jurisdiction over those individuals. >> what's the variability after you, if you go outside? or what has your experience been? >> well, in order to be able to get something, there needs to be a basis for jurisdiction. so one of the things that concerns us about proposals that talk about data stored abroad is making that data where there are people, even in the u.s. unable to use traditional legal process to compel that information that they may store elsewhere to come back to the united states. >> this is a very challenging question, and the commission hasn't taken any action on the leads act, and i think it's fair to say that we would have difficulties on the civil side as the law is now if we were
5:49 am
trying to compel information from a foreign isp that did not have a presence in the united states. >> so, again, and i do want you to respond, a concern that i have is making sure that whatever we do, as long as there's some other place on the globe, you know, the internet infrastructure is a global infrastructure, subject to several different jurisdictions. how we balance policy to make sure that we're not just tying the hands of businesses here to the benefit and to your detriment to isps abroad, and mr. ceresny, we'll let you comment. >> i would just say we share some of the same concerns as the department of justice has about the leads act. and obviously, it's a thorny issue and one that needs to be worked carefully. >> mr. ceresny, i think you mentioned that subpoenas frequently fall short of getting the evidence they want because oftentimes the targets either
5:50 am
deleted the information or they abscond absconded. what's at least working through congress right now that you think helps you address that issue, or what kinds of things do we have to look at to help you have that tool avail snbl >> so what we're seeking is some limited authority like in the instance you cited, sob ability to obtain those e-mails from the isps, and what we proposed is some sort of court order, under some sort of standard that we would be able to meet with notice to the subscribers so think could come in and object. and that's limited authority that year' seeking here. and the idea is that in circumstances where you just suggested where the individual has deleted the e-mails we're able to obtain it, and that would inventivize people to clie fully, because if they know we can go to the isp, it further
5:51 am
incentivizes them to provide us with their full e-mail. >> and because i've only got 25 seconds, i'll just make a comment. i know on the one hand we wand to provide you all and the next panel which will have law enforcement on it, to have all the tools that you need to be able to get after people that may be doing things we don't want them to do. on the other hand we're extending capabilities to agencies such as the irs, i don't think that was mentioned, but that would extend to agencies like the irs they give us some pause to give them more capabilities than they already have. we've got to make sure 20we've t the right controls in place in dealing with the policy. thank you, mr. chair. >> thank you, chairman grassley and for your leadership on this and for asking the appropriate questions and having an opportunity to discuss this. it's a very big issue. those of us who've been involved in law enforcement for a long
5:52 am
time are very well aware of what sounds like some good theoretical idea can have a major and detrimental impact on the ability of the people of the united states to have order, to avoid multiple frauds and theft the and computer abuses and violations of their privacies and things of that kind. and i have ordered a publication not long ago. and within a few weeks i get i don't know how many more, selling me different publications of a similar nature. so somebody's sharing information all over. president obama was widely congratulated for his brilliant ability to target voters because they knew all kinds of things about them, whether they went fishing. all these things somehow is available to private sectors, political candidates, and we have to make sure that we're not placing too much of a burden on law enforcement as they try to
5:53 am
do their duty to protect us from fraudsters and sex abuse and kidnappers and terrorists. i'm glad the chairman is looking at this. and we're asking it. the law enforcement that i've talked to indicate that they have certain problems that we ought to deal with in the legislation. one of them is very often long dough la delays from a subpoena to the actual production of the documents. two, we ought to consider what happens if you have erasure of these documents within hours, even. days. a few days. is that appropriate? we don't allow that in phone company records as i understand it. and third, i think it's critical, anybody who's been involved in law enforcement, i can imagine in a terrorist
5:54 am
investigation particularly, you've got to be able to effectively not tell the suspect that you're on to them. and have somebody call them and say the fbi just subpoenaed your toll records and boom, they flee the country or hide other evidence that may be available. so i just think those are law enforcement requests that immediate -- need to be considered. >> so you can issue a subpoena for a telephone call record that has the person's name, address, the length of their phone call, the numbers that they called without any content. you can get that with a subpoena, is that correct? >> yes. that's correct. >> and actually, dea can get it with an administrative subpoena
5:55 am
without even asking a prosecutor. prosecutors ask them routinely also. what about getting an e-mail address? it seems to me that's quite a lot, a huge difference between just getting who the person has been e-mailing, just like you want to know who they called on the telephone, as opposed to the content of that e-mail. can that be obtained? and why should we enhance significantly the ability to get that information? >> thank you for that question. the standard is currently different as i note in my sfr. the department does support equalizing those standards and bringing them in so that you can actually use the same standard that we have been using for traditional telecommunications, like telephone records to obtain the to/from material as well. >> that's a huge thing in a lot of investigations. i mean, i never met this person, and they've got 50 e-mails to them or 25 phone calls. i didn't talk to them on the day
5:56 am
of the killing, and then there are 25 phone calls that day. it is hugely important in actually protecting the american people from criminals. then you've got the standard for content. mr. ceresny mentioned that a court order isn't much different from a search warrant. so you have a little less to get the older e-mail contents, is that correct? that e-mail contents you first get through the 120 days and older? >> under the current statute, for more than 180 days we can obtain them through an administrati administrative subpoena with notice to the subscriber. in an amendment we would support some kind of judicial
5:57 am
proceeding. that allows us to obtain those e-mail contents. >> and you can request, you can request the confidentiality and no notice? >> we're not seeking that authority to obtain them with no notice. in fact, our general practice is to first seek them from the subscriber, and if we do not obtain e-mails we go to the provider. we're trying to accommodate while preserving ability for us to obtain in appropriate circumstances the contents of e-mail. >> my time is up. i think we really have to be careful about not having the ability to protect against disclosure to the person. because i, that's not true in other areas that you can get a nondisclosure order. and it can be critical. if you're investigating a terrorist and they know you're
5:58 am
on to them. this could be a life and death issue. thank you. >> i want to thank this panel. appreciate it very much. and we'll probably be in touch with you for some followup questions. i'd like to call the second panel now. and while they're coming, if i can have your attention, i want to introduce them to be efficient. richard littlehale, his assistant special agent in charge, tennessee bureau of investigation's technical service unit. special agent littlehale is responsible for coordinating the use of a wide range of technology, is supportive law enforcement operations including using communication records in support of criminal investigations. he testifies on behalf of the social of state criminal investigative agencies.
5:59 am
he received his bachelor's degree and a law degree from vanderbilt. second is richard siccardo. he serve as google's information security. before working at google, mr. salgado worked at yahoo, and prior to that served ago special counsel.
6:00 am

13 Views

info Stream Only

Uploaded by TV Archive on