The the ftc supports the objectives of ecpa reform and understands the need to update it to account for technological advances. And to protect consumers privacy. In bringing actions, we rely heavily on our ability to conduct thorough investigations. Of Companies Business practices. As a civil Law Enforcement agency, the fccs concerned that recent proposals to update ecpa could impede our ability to obtain certain information from ecpa Service Providers. In proposals, to obtain content from a Service Provider, the government could need to obtain a criminal warrant. Which is not available to the ftc. The proposals would require a warrant for all forms of content, even those in which a subscriber has no reasonable expectation to privacy. We are concerned that requiring a criminal warrant in three situations would impede effectiveness. Were talking about things like no longer running advertisements, previously sent spam, and ads on a mobile device. This content is critical to ftc investigations. Before determining whether a target has made a false representation, we need to find the advertising or promotional material that contains the representation. The in many instances, the scam artist change websites and electronic marketing materials frequently. When Commission Staff investigates complaints about a website, the website currently viewable to the public may be different from the one that the consumer complained about. Kucht ec we have not used the tool often. Most of time our investigators are able to track down a targets old marketing materials without needing to seek the materials from the provider. But the increasingly fleeting nature of advertisements, makes it quite likely we will need to compel advertising materials more often. An exception from the criminal warrant requirement in proposed legislation from commercial content that promotes a product or service would enable to the commission to obtain such commercial content. At the same time, such an exception would have no impact on privacy rights, because the materials would be purely commercial and have been affirmatively published by the target. As a result, the target would not have a reasonable expectation of privacy with respect to government access. The second situation which should be exempted from the criminal warrant requirement is content with the consent of the customer. As Cloud Computing becomes more widespread, it will be increasingly important for civil Law Enforceme menment agencies compel an ecpa provider. For example, manipulation schemes where if we had the authority, we would certainly do that. When a customer consents to disclosure to the government, the customer has no reasonable expectation of privacy. Third, a criminal warrant should not be needed when the ftc has compelled a target to produce content held by a Cloud Service provider. Under these circumstances, the ftc should be able to seek a court order directing the targets provider to release the content. In conclusion, thank you for giving the commission an opportunity to describe the importance of Electronic Communications in our investigations and the ways in which proposed updates to ecpa while important could hinder our Law Enforcement actions. Thank you all for your testimony. Ill start and senator leahy will be next with our questions. Chair woman white has told us that the fccs ability to carry out enforcement responsibilities and conduct investigations has been significantly curtailed as a result of the warsaw decision, but weve been told that the fcc has not provided any examples of cases where access to Electronic Communications have been cut off due to that decision or would be impacted if the pending reform bills were enacted. Can you provide any examples of the type of case or investigations that have been affected since that case decision due to providers requiring a warrant when the government seeks to collect chronic content in a civil investigation . Yes, senator, obviously, i cant talk about the details of ongoing investigations, but i can say that there are an um in of investigations in which, if we, if we were exercising our authority under ecpa, we would do that. For example, manipulation, touting schemes. I cant necessarily say it would produce emails that would dramatically further the investigation because right now im not able to know what it is that emails we would obtain through that kind of process, but i can definitively say that there are investigations ongoing and there were investigations even prior to the warshack case where we were exercising authority that were advanced by obtaining isp emails. Along those same lines in your written testimony you suggest that a warrantonly requirement for obtaining Electronic Communications from an Internet Service provider, quote, could create some obstacles in further civil raw enforcement cases. Would you provide us examples of the type of cases and situations the ftc is concerned about that would create obstacles to future civil Law Enforcement cases . Of course, senator. The types of cases were talking about are those instances where the target or the defendant is trying to be evasive, is not responding to discovery or to our civil investigative demands. T the, so thats one classification. The other class of cases are where the target is an outright fraud, like a flybynight scam. And we dont want to contact them directly. You know, if we contact them directly, they may flee. They may destroy evidence, destroy records and hide assets and keep us from being able to get money back for consumers. Okay. Theres a, this would be to any or all of you. Theres a perception that what youre really asking for is a mechanism that lacks judicial oversight and sidesteps the target of a civil investigation without any notice or hearing. In fact, the written testimony provided to us from Google States that you are proposing to quote, amend ecpa so that agencies can bypass the target of or witnesses in civil investigations. End of quote. For any or all of you. T is this a fair characteristic of what youre really proposing . Senator, it is not. We are asking for a mechanism to allow courts to compel this information from providers where necessary and has been, as has been mentioned, this is information that we try to sdet from subscribers. Where we cant get it from subscribers, we really do need it, and there are ways of protecting privacy in ensuring there is a certain process. Andrew . And i would add that the mechanism that we are proposing is judicial procedure, we would give notice to the subscriber and allow them to come in and offer objections. And from our perspective, thats more protection than a warrant proceeding thats ex parte where the subscriber is not present. Do you have anything to add . I would agree that the judicial mechanism that we are proposing would require two things. Wed have to go to the subscriber first, and only when we are unable to get the information from the subscriber could we then go and seek a court order. So its two additional protections. Wed have to first get it from the subscriber, and then there would be judicial intervention. Senator leahy . Thank you. First off, theres a great deal of consensus for the need to update ecpa. I would ask consent that these letters be placed in the record in support. Thank you. They range from the chamber of commerce, former director of the fbi sessions, civil rights and many others. Let me ask you a question. The fbi now use warrants when it seeks the content of email communications in criminal investigations. Regardless of the agency email, is that correct . That is correct. So this bill that senator lee and i have would not change the fbi procedure in that regard. The bill would not change the procedure for criminal, obtaining disclosure through a Third Party Provider of stored email regardless of the age. Thank you. Should a Privacy Protection thats afforded to email or text messages, should that change . If theyre older than six months . Or if theyve been opened . No, we dont think theres a principle reason to treat email differently depending on the age. No, i dont think that we see any distinction there. Mr. Salisbury . We agree. Thank you. You know, we talked about the United States versus warshack. Ill ask the same question to both of you. Since that ruling, has the fcc or the ftc obtained email content through a subpoena issued to a thirdparty provider . We have not, senator leahy, but weve done so in an excess of caution, and i think in deference to the rye form discussions that have been going on in congress. Our view and in deference of a fiveyearold sixth circuit case which has not been overturned . No, our view is that warshack does not deny us the authority to obtain emails through an admin stradministrative speubpo. Mr. Salzburg . We have not sought email content either before the warshack decision or since. And you have permanently sought a legislative solution or change from congress in the past five years . No, we have not sought a solution until now. Weve obviously offered over the last few years to have op goig ongoing discussions. Have you made a proposal . We have. Can you give me a copy of the proposal you made . I dont seem to recall that. Weve had discussions with staff about this issue over time. Beginning five years ago . Or just since, or just since senator lee and i looked like we might actually get something passed here . No, i can only speak to the two and a half years i have been director of enforcement. Weve had discussions with the staff throughout that period of time. And you sent up a concrete proposal . Weve been discussing proposals that the staff have you sent a concrete proposal from your agency . Our view is we want to be responsive to proposals that congress is providing. So to the extent that staff or particular senators or congress men have offered us what they are thinking about, we have offered them our thoughts o n those proposals. Are you seeking wire tap authority for your civil investigations . No, were not. You do want to be able to read emails without a warrant. What were proposing, senator, its some sort of judicial proceeding that would find some sort of standard, whether it would be some sort of standard that would allow us to obtain emails with notice to that subscriber with notice of the proceedings so that the sub describer can raise any concerns that they have. What about listening to your targets phone calls . No, we are not proposing that. Wouldnt that be more efficient, more effective . Senator, we, we are not seeking wire tap authority. That is something that the criminal authorities have that we do not. That is not something were seeking. All right. How many, how many federal, local and state agencies have Civil Authority to allow them to issue subpoenas for records . Thank you for that question. Certainly at the department of justice, there are a number of Civil Enforcement functions, including antitrust, tax and environment, civil rights. Since warshack, they have been unable to get stored content from providers, and this has hurt their investigations and sort delay and make it difficult in instances where they couldnt obtain information from subscribers. Ply time is up. Im going to have a couple questions for the record on that. Thank you. Now senator hatch, let me read here, it would be hatch, whitehouse. And then it would be purdue, and id assume wed go to the democrat senator franken, and tillis of hose wthose who are h now. In your written testimony, youve stated that the department had concerns about legislative proposals aimed at safe guarding data stored abrought from improper government access. As you know, the Electronic Communications privacy act is silent on the privacy standard. U. S. Officials must satisfy in order to access data stored abroad. And yet the federal government has taken advantage of the statutory silence to apply its own standard. What is the legal basis for Law Enforcement agents to use ecpa warrants to obtain data stored overseas . Thank you for that question. Thank you for that question, senator. Theres longstanding Legal Framework that allows the government to serve compulsory Legal Process on United States companies to require them to bring back information that is stored abroad. And the concern with proposals that would change that framework is that it would take away an option that has long been available under that framework and would replace it with International Cooperation, which is not an adequate solution, because those, those agreements, that kind of cooperation doesnt exist everywhere. Only about half the country, as we have agreements with. And because even when we can use those agreements, it takes a really long time and can delay investigations in times when we really need it. I disagree with you, thats why i introduced the leans act, for Law Enforcement to access data stored abroad or overseas. My bills trying to help your efforts, and id appreciate any suggestions you have that might make it a more workable bill or might improve it or help you in your work. We look forward to working with you. Thank you. If federal officials can obtain emails stored anywhere in the world simply by serving a warrant on a provider subject to u. S. Process, nothing stops governments in other countries, including china and russia, from seeking emails of americans stored in the u. S. From providers subject to chinese and russian process. In fact, the lawyer who has litigating the Microsoft Case on behalf of the government acknowledged last week that the ability for a Foreign Government to require disclosures of a u. S. Provider, quote, should be of some concern. Unquote. Now, are you concerned about the far reaching or reciprocal consequences of governments current position on the extra territorial reach of u. S. Warrants . Thank you for that question. This is a challenging issue, one that the department is actively considering. Whatever the solution is, we dont think that the solution should involve deciding conflicts of laws in a way that always works against the United States. Historical historically, courts have been able to weigh government interest in other factors in coming to decision on these issues. And the concern is any regime that would decide all matters of conflicts of law against the u. S. In every case. Well, the mutual process facilitates formal agreement for sharing evidence between the United States and foreign countries. Do you agree the process has proven slow and cumbersome to use . It certainly is slow and cumbersome for us to get information from other countries, which is part of our concern. And the incoming process, we agree that there needing to be progress made and are working on progress technological and otherwise, and the department has requested resources to improve things further. In your view, what can congress do to improve the process, and how does another Country Access data stored here in the United States . So, again, these are really challenging issues, and we look forward to working with you on them. One thing that, if clear, with the process, it is not a onesizefitsall process. And because it is so complicated it requires an approach that takes into account the way it is operating now, and we very much look forward to working with you to streamline the process. I look forward to working with you as well. And i hope we can streamline this process and make it work not only for you but for businesses and others as well. Thank you. Senator whitehouse . Thank you, chairman. In evaluating in question of civil access to content maintained by the Service Provider, i take a step back to the question of a criminal warrant. A criminal warrant is obtained by a Government Official going before a federal judge on an ex parte basis. And getting the judges consent to get access to the material involved. That protection is there,s understand it, because of the immense power that criminal Law Enforcement gives to the government, power for instance of incarceration. We even have a federal death penalty. So, from the very beginning, the founders constructed a process that limited arbitrary access by the government when it had those terrible powers in its hands. Doings the government have any such powers with respect to Civil Enforcement . It does not. Civil enforcement lacks warrant authority. And what youre proposing is that just like a warrant, the government would have to go before a federal judge in order to get access to the data for Civil Enforcement purposes. There are a number of ways to do it, but yes, having a court be able to compel that evidence. A court order would satisfy you . Yes. And in a number of circumstances, your colleagues here on the panel have suggested that the subject might actually be, the subscriber might actually be notified first or that there might be notice to the subscriber so it would not be an ex parte proceeding. It would be a proceeding in which the individual whose privacy interest was involved would have a right to appear, correct . Thats correct. All right, now what happens in the case where you talked about where for a variety of reasons you dont want to reveal to the misbehaving party that this investigation is under way, because theyre likely to abscond or hide assets or destroy evidence or whatever . Do you want some form of ex parte process like a warrant provides . Where the civil agency could say, look, these are extraordinary circumstances. This is why we need access ex parte to this information and try to convince the judge of that . Were not actually asking for that authority. So why are you at that uk about the why did you use that example of the importance of it. I suppose i conflated the previous content argument that we have, where we would still want to be able to get the content from a provider when were talking about content where theres no reasonable expectation of privacy. Do any of you seek a proposal under which the government would be able to make a showing that an ex parte provision is necessary and go forward without notice to the subscriber . We are not. From our perspective, in fact, we typically will seek the email from the subscriber first, and if were not able to obtain or dont believe weve received full emails well go to the isp. So youre not requesting that. We are not. What were looking at is for a he limited ability to obtain isp emails in cases where we just cant get them. Through a court order. Through a court order. From perhaps the very same judge who youd have to go through to get the warrant. From the very same judge. And the person would be present. Thats right. Thats more protection than a warrant provides. Sure is. Thank you very much mr. Chairman, oh, may i ask, i have a minute left before i yield back my time. Just to be clear, i think chairman grassley asked you this. But just in case it didnt come through as clearly to you as it did to me, id be interested in looking back at cases that have come to a conclusion and where there is a Public Disclosure of the case where you can take a look at the case and say this piece of evidence actually helped make that case. And we got it because we were able to have access through the Service Provider to that information. Not an ongoing case, which i know is a very delicate circumstance for all of you. But closed cases looking back just so we can see whether or not this has made a difference in real life in the past. And with that, i yield back my time, mr. Chairman. Thank you for holding this hearing. Thank you. Thank you, mr. Chairman. Thanks to all of you for being here. You know, updating the electronics Communications Privacy act has been a priority of mine ever since i arrived in the senate. Now that ive been here for about four and a half years i appreciate more fully how difficult it can be to bring about a change of law that basically everyone agrees on. Now the overwhelming majority of the American People, and by overwhelming majority i mean 99. 9 of anyone you ask can agree that the government ought to have a warrant before it goes after your email. The content of your email. Number two, the same number of people would agree, i think, by about the same ratio that it ought not make any difference whether that email is 179 days old or 181 days old. Whether or not the government has to get a warrant. And so, you know, this is a very simple principle that ought not be all that difficult to legislate. But ive been honored to work on this legislation. I introduced senate bill 356. The ecpa amendments act along with senator leahy to update our law in expectations of the public and what seems to be widely followed practice today. To start out with, i want to ask each of you a simple yes or no question. I want to ask you, does your agency believe that it should, under normal circumstances, meaning in the absence of a generally applicable widely accepted exception to the warrant, should it be required to get a warrant in order to get at the content of a persons emails, regardless of the afrnl the email . The department has indicated that we do not oppose a warrant requirement for our criminal entities when they are obtaining information from a Third Party Provider to the public. But note some concerns about that rule where there is no warrant Authority Available like in our civil investigations. If i understood your question correctly, the answer is no. We believe that a judicial proceeding that weve been discussing that allows the subscriber to object is an appropriate mechanism for obtaining emails. We agree with the fccs position. We agree with the fcc. Got it. Okay i do think that while there are a few people in washington, d. C. Who can understand what youre saying, i think the overwhelming majority of the American People would be very disturbed to there that that question cant be answered with a simple, with a simple no. That the government should not be able to get at peoples emails. The content of their email without a warrant. Now let me, let me direct the question your way. Im concerned that the department of justice once it has obtained emails, it may use those emails for any investigation related to the initial reason for the acquisition or not. So if you obtained emails on subpoena, what would prevent those emails, what would prevent the department from using that in a criminal prosecution . So certainly, it would not be acceptable for things to be obtained on the civil side fort push purposes of trying to use it on the criminal side. However, when criminal evidence becomes apparent, that information can be shared and we are not proposing a way to get around the warrant requirement without any Privacy Protections and that there should, there are ways of protecting privacy, both by standard and by process. So what we talking about on the civil side is a process protection. And what kinds of safeguard rs was the doj propose in order to prevent a civil agency carve out from being used to avoid the warrant requirement . You can understand how that could easily be manipulated in order to avoid the warrant requirement. Thank you for that question. I dont believe this instance is really any different than the other sorts of evidence that can be obtained in other ways. These are issues that are, that exist as to all investigations, prosecutors and civil litigators and investigators are held to a standard to obey the rules and hold to those rules and hold to the process that the law requires, but i am happy to get back to you if there are further questions or to answer further questions. Okay. Thank you. I see my times expired, mr. Chairman. Well, since i, since senator leahy asked me to be here as ranking member, i have to be here, so ill consider blumenthal go next. Im forced to be here. Fl next to you, i am required. Yeah. Thank you. I want to thank senator franken for his courtesy. I am curious, mr. Salzburg, in your testimony, you express concern about what would happen if a customer consents to having her Service Provider turn over emails but the Service Provider nonetheless refuses. Can you give us some examples of how and when that might occur . If a customer says, okay, but the Service Provider says no. When and how would that occur . Sure, let me give you two examples. The first is, assuming we are investigating a business and the business is readily willing to turn over information to us and it maintains it in the cloud. And the cost of the target getting the information from the cloud provider is significant, whereas if they were just to authorize us to go to the Cloud Service provider and get it and use our Litigation Support folks they would rather have that happen. Is that going to happen all the time . That a target is willing to turn over its information en masse to the government . No. But if that scenario arises the commission should be able to take that consent and use compulsory process to get that information from the provider. The second scenario is the customer is a victim and the victim no longer has access to the content of the claim thats been made to them, and they want the government to go get it. Have those two scenarios actually occurred . They, there have been a couple of instances where this has occurred. But its not common. And what were, what were concerned about is that the move to Cloud Computing gets more ingrained and gets further along, these scenarios might happen more frequently. Does the, does the ftc have any recourse against a target of a subpoena if that target fails to do everything in his or her power to get emails from his Service Provider and get the provider to turn them over . It does. We can file a, if were talking about an investigative demand, we can file an enforcement action, but at the end of the day, if the customer refuses to turn the information over, we would have no ability under the pending legislation to get that information. Under the pending legislation. Right. Under which the under the 356 . 356, yeah. So thats the suggestion that you have for improving it. Yes. And interestingly, the provision that authorizes the provider to voluntarily provide information authorizes it to turn over the content with consent voluntarily to the government. And we just want to make sure that theres a provision that allows the government to compel in circumstances. If the target of the investigation has intentionally used an Internet Provider that wont cooperate with the ftc, so that target can pretend to consent but then in effect use the refusal of the Internet Provider as the barrier, is there anything ftc can do to penalize the target . If you understand my question. Yes. You know, we can seek, we can seek to compel. If were talking about a, an investigative demand, but ultimately, we dont have the authority to penalize anybody. Well, i, i welcome your suggestions for improving this legislation. As you know, im one of the original cosponsors of s356. I think its important to strike that balance between privacy and Law Enforcement, having been in Law Enforcement myself, having been a strong supporter of the work that all three of your agencies do, and very much welcome your suggestions here and any other thoughts that you may have. Thank you, mr. Chairman. Thank you, mr. Chairman, and thanks to the witnesses for your time today. Obviously, this is, weve had similar conversations where were trying to balance privacy and enforcement. Its ongoing and i applaud your efforts and your leadership in that. I look forward to debating both ecpa and the lees act. I have a quick question relating to leads. As we know, and i think youve just explained. Leads would create a rule that government may use ecpa warrants to obtain content data stored outside the u. S. But only if the account holders a u. S. Person. In all other cases involving content data stored abroad, it would require the government to use the mlat process as i understand it. Whats your view of the provision of the bill that seeks to improve and streamline the mlat process . Thank you for that question. Improving the mlat process on an incoming basis, which is what that proposal is talking about is difficult and complicated, and we very much look forward to working with the committee on that. We do think its not a one size fits all kind of solution, and having provisions that apply, for instance, to require sort of an online intake when not all countries actually use government email to send in their requests is the sort of thing that makes this hard. So we very much look forward to working with you to address those issues. Can you explain the dojs concerns that i think doj has expressed regarding the leads act on domestic investigations, technically those involving a noncitizen whos in the u. S. . Thank you. The department would be concerned with any proposal that would unilaterally take away a tool that we have in order to be able to obtain information about a u. S. Crime affecting u. S. Victims that historically has been in place for a long time and replace it with something that would take a really long time through International Cooperation alone, and it would, proposals that would also make it more difficult to get information about nonu. S. Persons committing crimes in the u. S. Than it would u. S. Persons is also a concern for us. I see. One last quick question. I want to go into the subpoena issue that was raised a minute ago about your i agencys ability to raise warrants on an enforcement action. I ask that because a person can be compelled to comply. Can you give me your views and lets clarify that just a little further. Sure, our subpoenas are not selfexecuting. If somebody objects to our subpoena, we need to go to court. That person in that proceeding can raise whatever objections they have, whether it be privilege orther relevancy objections. If we show a proper purpose and the subpoena is properly tailored, it will be upheld. The problem weve been talking about is the subscriber will often not provide you with full email because theyre incentivized not to. And if they know we cant obtain it through the isp that further incentivizes them. When you have to go to the second step of getting the information. We have frequently brought subpoena enforcement actions. In many cases we make a judgment. There are resource constraints about subpoena actions and obviously we make a judgment about whether to dmel a particular case. I will say in our experience, in certain cases subscribers provide full emails. In others they dont. That becomes clear. Because as you spubpoena others you find that other people supply you with emails. And that tills you the original production was not sufficient. We have a similar process through the ftc where they are not selfexecuting. We have to go to a court to enforce them as well. In our experience, i think most targets usually comply with our cids. If they dont, we have to make a resource call. Is it worthwhile to pursue an action that is lengthy, or do we forego the information and try to find the necessary information in another way. Thank you. Thank you, mr. Chairman. Thank you, mr. Chairman. Mr. Salzburg, the ftc plays a key role in protecting americans privacy and americans understandably care deeply about the privacy of their emails and other online documents. Since the warshack decision, their expectations have largely been met, and the ecpa amendments act would ensure that those expectations continue to be met, and i applaud senators lee and leahy for their efforts. I guess more senator leahy, because hes my ranking member. So i do find, mr. Salzburg, that the final portion of your testimony a little surprising. I did not expect to hear the ftcs bureau of Consumer Protection suggesting that the ecpa amendments act be significantly rewritten to give ftc Broad Authority to obtain via simple court order americans email contents from thirdparty Service Providers. And then, this morning we received commissioner brills statement expressing her concern about this proposal, commissioner brill notes that it is, quote, exceedingly rare that it would be useful for the ftc to seek content through ecpa and she highlights the cost for americans privacy as well as the question of constitution constitutionality or potential unconstitutionality of obtaining content with just such a court order or with just a court order. I realize your oral presentation today reflects only your views. But im interested in your, in your views and data that you may have setting aside potential constitutional concerns for the moment. Do you have any data, any case statistics to support your claim that a new expansion of ftc authority to obtain mail content is needed . Let me first note that we have not sought email contents in the past. And the question is whether the economys changing in a way with data moving to the Cloud Computing that we can see it being foreseeable in the future. I dont have any impeer cal evidence of this, but i think one of the major drivers of this is that data is being kept in the cloud with thirdparty Service Providers and no longer being maintained locally on peoples computers. Okay. Thank you. Im sorry i wasnt here for the beginning. Is it ceresny . Yes. Under ecpa as it was written in 1986, subpoenas could be used to disclose a contents of a customers emails if the emails were relatively old, more than 180 days old. Now courts have taken issue with that, and personally, i think that is not what the American People expect when it comes to the privacy of their emails. Weve been discussing that. But if im understanding your testimony correctly, youre not satisfied with even the ecpa standard. Youre lacking fooking for new d authority for federal regulatory agencies like ftc and irs to be able to obtain content without a warrant without regard to the age of the information. In the last five years, has the ftc sought to take action against providers who refuse to comply with requests because of warshack . Senator, we have not, in deference to the ongoing discussions in congress about ecpa reform, but i would say that what we are seeking are more protections than in the current ecpa. The current, we are proposing that a court order, and i think you used the term just a court order. But it is what a warrant is, a judge signing off on an order that allows us to obtain email, and in our case, were proposing with notice to the subscriber so that the subscriber, unlike a warrant which is ex parte, the subscriber could come in and assert any objections that they have. What were proposing is more protection first of all than in the first protection. So you take issue with my saying just a court order. Yes, with all due respect. I appreciate the respect. Thank you. Thank you mr. Chair and mr. Acting ranking member. Mr. Chair, i also want to wish happy birthday in advance. I think youre celebrating the, maybe the 32nd anniversary of your 50th birthday tomorrow. [ laughter ] that would be 82, i think. Now im 55 i started celebrating anniversaries about five years ago. I want to ask a question that may also be appropriate for the second panel. Ive got to go back to an Armed Services committee, so ill start the discussion here. Im concerned with your efforts when it involves an isp thats not within u. S. Jurisdiction. And efforts that we would have here to strengthen our ability to get to information for u. S. Domiciled isps and the potential risk that could have for people who may intend to use those for the kinds of purposes that youre going after. Some may or may not be. What risk do we have going just beyond the 180day retention requirement and clarifying the obligations of the isps with respect to their warrant requirements. What risk do we have of just having the snakes go to another pasture and still be able to do what they want to accomplish or still be able to fall under that veil and put our isps at risk . And ill open that up to the panel. Well start down there. Thank you for that question. When there are providers that are doing business in the u. S. , historically, the courts have exercised jurisdiction over those individuals. Whats the variability after you, if you go outside . Or what has your experience been . Well, in order to be able to get something, there needs to be a basis for jurisdiction. So one of the things that concerns us about proposals that talk about data stored abroad is making that data where there are people, even in the u. S. Unable to use traditional Legal Process to compel that information that they may store elsewhere to come back to the United States. This is a very challenging question, and the commission hasnt taken any action on the leads act, and i think its fair to say that we would have difficulties on the civil side as the law is now if we were trying to compel information from a foreign isp that did not have a presence in the United States. So, again, and i do want you to respond, a concern that i have is making sure that whatever we do, as long as theres some other place on the globe, you know, the internet infrastructure is a global infrastructure, subject to several different jurisdictions. How we balance policy to make sure that were not just tying the hands of businesses here to the benefit and to your detriment to isps abroad, and mr. Ceresny, well let you comment. I would just say we share some of the same concerns as the department of justice has about the leads act. And obviously, its a thorny issue and one that needs to be worked carefully. Mr. Ceresny, i think you mentioned that subpoenas frequently fall short of getting the evidence they want because oftentimes the targets either deleted the information or they abscond absconded. Whats at least working through congress right now that you think helps you address that issue, or what kinds of things do we have to look at to help you have that tool avail snbl so what were seeking is some limited Authority Like in the instance you cited, sob ability to obtain those emails from the isps, and what we proposed is some sort of court order, under some sort of standard that we would be able to meet with notice to the subscribers so think could come in and object. And thats limited authority that year seeking here. And the idea is that in circumstances where you just suggested where the individual has deleted the emails were able to obtain it, and that would inventivize people to clie fully, because if they know we can go to the isp, it further incentivizes them to provide us with their full email. And because ive only got 25 seconds, ill just make a comment. I know on the one hand we wand to provide you all and the next panel which will have Law Enforcement on it, to have all the tools that you need to be able to get after people that may be doing things we dont want them to do. On the other hand were extending capabilities to agencies such as the irs, i dont think that was mentioned, but that would extend to agencies like the irs they give us some pause to give them more capabilities than they already have. Weve got to make sure 20weve t the right controls in place in dealing with the policy. Thank you, mr. Chair. Thank you, chairman grassley and for your leadership on this and for asking the appropriate questions and having an opportunity to discuss this. Its a very big issue. Those of us whove been involved in Law Enforcement for a long time are very well aware of what sounds like some good theoretical idea can have a major and detrimental impact on the ability of the people of the United States to have order, to avoid multiple frauds and theft the and computer abuses and violations of their privacies and things of that kind. And i have ordered a publication not long ago. And within a few weeks i get i dont know how many more, selling me different publications of a similar nature. So somebodys sharing information all over. President obama was widely congratulated for his brilliant ability to target voters because they knew all kinds of things about them, whether they went fishing. All these things somehow is available to private sectors, political candidates, and we have to make sure that were not placing too much of a burden on Law Enforcement as they try to do their duty to protect us from fraudsters and sex abuse and kidnappers and terrorists. Im glad the chairman is looking at this. And were asking it. The Law Enforcement that ive talked to indicate that they have certain problems that we ought to deal with in the legislation. One of them is very often long dough la delays from a subpoena to the actual production of the documents. Two, we ought to consider what happens if you have erasure of these documents within hours, even. Days. A few days. Is that appropriate . We dont allow that in phone Company Records as i understand it. And third, i think its critical, anybody whos been involved in Law Enforcement, i can imagine in a terrorist investigation particularly, youve got to be able to effectively not tell the suspect that youre on to them. And have somebody call them and say the fbi just subpoenaed your toll records and boom, they flee the country or hide other evidence that may be available. So i just think those are Law Enforcement requests that immediate need to be considered. So you can issue a subpoena for a telephone call record that has the persons name, address, the length of their phone call, the numbers that they called without any content. You can get that with a subpoena, is that correct . Yes. Thats correct. And actually, dea can get it with an administrative subpoena without even asking a prosecutor. Prosecutors ask them routinely also. What about getting an email address . It seems to me thats quite a lot, a huge difference between just getting who the person has been emailing, just like you want to know who they called on the telephone, as opposed to the content of that email. Can that be obtained . And why should we enhance significantly the ability to get that information . Thank you for that question. The standard is currently different as i note in my sfr. The department does support equalizing those standards and bringing them in so that you can actually use the same standard that we have been using for traditional telecommunications, like telephone records to obtain the to from material as well. Thats a huge thing in a lot of investigations. I mean, i never met this person, and theyve got 50 emails to them or 25 phone calls. I didnt talk to them on the day of the killing, and then there are 25 phone calls that day. It is hugely important in actually protecting the American People from criminals. Then youve got the standard for content. Mr. Ceresny mentioned that a court order isnt much different from a search warrant. So you have a little less to get the older email contents, is that correct . That email contents you first get through the 120 days and older . Under the current statute, for more than 180 days we can obtain them through an administrati administrative subpoena with notice to the subscriber. In an amendment we would support some kind of judicial proceeding. That allows us to obtain those email contents. And you can request, you can request the confidentiality and no notice . Were not seeking that authority to obtain them with no notice. In fact, our general practice is to first seek them from the subscriber, and if we do not obtain emails we go to the provider. Were trying to accommodate while preserving ability for us to obtain in appropriate circumstances the contents of email. My time is up. I think we really have to be careful about not having the ability to protect against disclosure to the person. Because i, thats not true in other areas that you can get a nondisclosure order. And it can be critical. If youre investigating a terrorist and they know youre on to them. This could be a life and death issue. Thank you. I want to thank this panel. Appreciate it very much. And well probably be in touch with you for some followup questions. Id like to call the second panel now. And while theyre coming, if i can have your attention, i want to introduce them to be efficient. Richard littlehale, his assistant special agent in charge, Tennessee Bureau of investigations Technical Service unit. Special agent littlehale is responsible for coordinating the use of a wide range of technology, is supportive Law Enforcement operations including using communication records in support of criminal investigations. He testifies on behalf of the social of state criminal investigative agencies. He received his bachelors degree and a law degree from vanderbilt. Second is richard siccardo. He serve as googles information security. Before working at google, mr. Salgado worked at yahoo, and prior to that served ago special counsel