September 17, 2010 To: Subject

:

Memorandum
SJC Minority Staff “The Electronic Communications Privacy Act: Promoting Security and Protecting Privacy in the Digital Age”

On Wednesday, September 22, 2010, at 10:00 a.m. in Dirksen 226, Chairman Leahy has scheduled a hearing entitled, “The Electronic Communications Privacy Act: Promoting Security and Protecting Privacy in the Digital Age.” This is likely intended to be a follow-up to a House hearing earlier this year, where so-called privacy advocates such as the ACLU argued for the imposition of a search warrant standard in the Electronic Communications Privacy Act (hereafter “ECPA”) for obtaining certain key classes of electronic information. House Republicans generally contended that the imposition of such a draconian standard was not justified by a demonstrated need, such as a record of ECPA abuses, and would negatively impact law enforcement efforts to detect and apprehend serious criminals that use the internet. We anticipate that this hearing has been called by the Chairman as a driver for potential legislation to reform ECPA in an ACLU-endorsed manner. The first panel will feature two government witnesses. In the second panel, a representative from the Center for Democracy & Technology (“CDT”) and Microsoft’s general counsel will testify for such ECPA reform; a minority witness will testify to discuss the ways the proposed reforms will negatively impact law enforcement. During the second panel, your Member may want to direct your questions to the minority witness, focusing on the issue of the ways in which the changes proposed by the ACLU would negatively impact law enforcement and indirectly benefit child pornographers and others who use the internet as a means of committing serious crimes. Below you will find descriptions of some of the issues that may arise at Wednesday’s hearing, and brief summaries of the three hearings that took place in the recent past. I. BACKGROUND A. ECPA: A carefully-balanced political compromise

Congress initially responded to the emergence of wireless communication services and the digital era by enacting ECPA in 1986.1 The federal wiretap statute had been limited to voice communications. ECPA extended the wiretap provisions to include wireless voice communications and electronic communications such as email or other computer-to-computer transmissions.
1

See Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified in various sections of Title 18 including 2510-21, 2701-10, and 3121-26).

Under the Fourth Amendment, an individual generally has no reasonable expectation of privacy in information that he had already furnished to a third party.2 Courts have now extended this analysis to network accounts, holding that individuals retain no Fourth Amendment privacy interest in subscriber information and transactional records.3 Therefore, as a general rule, ECPA’s current provisions (set forth below) go far beyond those required by the Fourth Amendment to protect the privacy interests of users of telecommunications services, a point which is rarely acknowledged by supporters of ECPA “reforms.” ECPA was intended to reestablish the balance between privacy and law enforcement, which Congress found had been upset to the detriment of privacy by the development of communications and computer technology and changes in the structure of the telecommunications industry. Among the developments noted by Congress were “large-scale electronic mail operations, cellular and cordless phones, paging devices, miniaturized transmitters for radio surveillance, and a dazzling array of digitized networks.”4 Privacy, Congress concluded, was in danger of being gradually eroded as technology advanced.5 ECPA’s provisions, taken as a whole, can at first glance seem confusing and byzantine. However, as the years have gone by, courts have been able to apply ECPA’s provisions to evolving technological advances to the point that ECPA’s standards are generally clear and settled. In a nutshell, under ECPA, so-called “public providers”6 (almost all major Internet and communications service providers) cannot give customer information to the government except under certain exceptions or through being served proper legal process. In order for the government to obtain unread email less than 180 days old, the government must obtain a search warrant under a probable cause standard.7 For it to obtain any other content (including read email and unread email older than 180 days), it must either (1) obtain a search warrant or (2) a court order authorized by 18 U.S.C. § 2703(d), which requires the showing that “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication … are relevant and material to an ongoing
2

See United States v. Miller, 425 U.S. 435 (1976) (holding that individual’s rights were not violated when his bank transmitted information that he had entrusted them with to the government); Smith v. Maryland, 442 U.S. 735 (1979) (holding that the installation and use of the pen register was not a ‘search’ within the meaning of the Fourth Amendment, and hence no warrant was required, because telephone users know that they must convey phone numbers to the telephone company and that the company has facilities for recording this information and does in fact record it for various legitimate business purposes). 3 See United States v. Perrine, 518 F.3d 1196, 1204 (10th Cir. 2008) (“Every federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the Fourth Amendment's privacy expectation.”); United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (email and Internet users have no reasonable expectation of privacy in source or destination addresses of email or the IP addresses of websites visited); Guest v. Leis, 255 F.3d 325, 336 (6th Cir. 2001) (finding no Fourth Amendment protection for network account holders’ subscriber information obtained from communication service provider). 4 H.R. Rep. No. 99-647, at 18 (1986). 5 S. Rep. No. 99-541, at 2-3, 5 (1986); H.R. Rep. No. 99-647, at 16-19 (1986). See also H.R. Rep. No. 99-647, at 18 (stating that “[l]egal protection against the unreasonable use of newer surveillance techniques has not kept pace with technology. “). 6 These are providers those who make “remote computing services” available “to the public,” even if for a fee. See18 U.S.C. § 2510(14). 7 See 18 U.S.C. § 2703(a).

2

criminal investigation,” accompanied by notice to the user.8 The government can obtain most non-content transactional records (including historical cell phone location records9) the same way, except that it does not need to provide notice to the user if it goes the 2703(d) route.10 Finally, basic subscriber information, akin to that found in all sorts of other business records, can be obtained via grand jury subpoena without court involvement.11 The idea that ECPA is a thoughtless mess of rules and standards ignores the fact that the structure of the law reflects a series of classifications that indicate the drafters’ judgments about what kinds of information implicate greater or lesser privacy interests. For example, the drafters saw greater privacy interests in the content of stored emails and content than in subscriber account information. Similarly, the drafters believed that computing services available “to the public” required more strict regulation than services not available to the public. Even the muchderided “180 day” standard was serious contemplated: Congress believed that the storage of email past 180 days is more akin to that of business records maintained by a third party,12 which are accorded less protection under decades of court precedent. ECPA was designed to provide rules for government surveillance in the modern age. However, technology has evolved in unanticipated ways. The interactive nature of the Internet, now including elements such as home banking and telecommuting, has produced an environment in which many people may spend hours each day “online.” That said, not only have courts generally kept up in interpreting ECPA to evolving technologies, but the argument that the language of ECPA needs updating does nothing to advance the second part of the privacy groups’ agenda: ratcheting-up the underlying standards (“probable cause,” “specific and articulable facts”) at the heart of ECPA that were agreed to back in 1986 after significant political compromise on both sides. B. The CDT/ACLU/EFF proposals

The Center for Democracy & Technology bills itself as “a non-profit public interest organization working to keep the Internet open, innovative, and free.”13 It is, by any fair reading, a liberal advocacy group; for example, it has lobbied heavily for weakening the PATRIOT Act, aligning itself with organizations such as the ACLU, Electronic Frontier Foundation (“EFF”), Human Rights Watch, the National Association of Criminal Defense Lawyers, and People For the
8 9

See 18 U.S.C. § 2703(b). Courts are divided as to whether the government needs a search warrant or a 2703(d) order to obtain prospective cell phone location data, as discussed below. But courts are nearly unanimous that the 2703(d) standard is all that applies for retrospective data. See, e.g., In RE U.S., 622 F. Supp. 2d 411 (S.D. Tex. 2007); In RE Applications of U.S. for Orders Pursuant to Title 18, U.S. Code Sec. 2703(d), 509 F. Supp. 2d 76 (D. Mass. 2007); In RE Application of U.S. for an Order for Prospective Cell Site Location Information on a Certain Cellular Telephone, 460 F. Supp. 2d 448 (S.D. N.Y. Oct. 23, 2006); In RE Application of U.S. for an Order for Disclosure of Telecomm. Records and Authorizing the Use of a Pen Register, 405 F. Supp. 2d 435 (S.D. N.Y. Dec. 20, 2005); In RE U.S. for an Order Authorizing Monitoring of Geolocation and Cell Site Data for a Sprint Spectrum Cell Phone Number, 2006 WL 6217584 (D. D.C. Aug. 25, 2006). 10 See 18 U.S.C. § 2703(c)(1)(B). 11 See 18 U.S.C. § 2703(c)(1)(E) and (c)(2). 12 See H.R. Rep. No. 99-647, at 68 (1986). 13 See “About” (webpage), Center for Democracy and Technology, available at http://www.cdt.org/about (accessed Sept. 14, 2010).

3

American Way.14 CDT has convened internet companies, other communications companies, privacy advocates, and other individuals and groups with an interest in updating ECPA (but notably, no representatives from law enforcement). This group evolved into a “coalition” called Digital Due Process. Members of Digital Due Process include the ACLU, EFF, American Library Association, and Citizens Against Government Waste. Industry members include Google, AOL, AT&T, and Microsoft. Digital Due Process believes that since enactment of ECPA, there have been fundamental changes in communications technology and the way people use it, including: • “Email: Most Americans have embraced email in their professional and personal lives and use it daily for confidential communications of a personal or business nature. Because of the importance of email and unlimited storage capabilities available today, most people save their email indefinitely, just as they previously saved letters and other correspondence. The difference, of course, is that it is easier to save, search and retrieve digital communications ….”15 “Mobile location: Cell phones and mobile Internet devices constantly generate location data that supports both the underlying service and a growing range of location-based services of great convenience and value. This location data can be intercepted in realtime, and is often stored in easily accessible logs files. Location data can reveal a person’s movements, from which inferences can be drawn about activities and associations. Location data is augmented by very precise GPS data being installed in a growing number of devices.”16 “Cloud computing: Increasingly, businesses and individuals are storing data ‘in the cloud,’ with potentially huge benefits in terms of cost, security, flexibility and the ability to share and collaborate.”17 “Social networking: One of the most striking developments of the past few years has been the remarkable growth of social networking. Hundreds of millions of people now use these social media services to share information with friends and as an alternative platform for private communications.”18

14

See Letter to Members of the Senate Select Committee on Intelligence by National Groups, April 18, 2005, available at http://www.cdt.org/security/usapatriot/20050418letter.pdf (“[O]pposition to the USA Patriot Act reflects a more general discomfort over the government’s actions. . . . We urge the Congress to examine the many rights and liberties issues that have arisen since 9/ll, including the following: . . . . Mass secret arrests of Arabs and Muslims followed by detention for extended periods; . . . . Discriminatory enforcement of the immigration laws, leading to arbitrary detentions and deportations; . . . . Detentions of Americans incommunicado as “enemy combatants” without access to lawyers or the courts; . . . . Expanded use of secret wiretaps and secret searches of Americans’ homes and offices; . . . . Massive growth in surveillance technologies and authority . . . .” 15 Digital Due Process, “ECPA Reform: Why Now,” available at http://www.digitaldueprocess.org/index.cfm? objectid=37940370-2551-11DF-8E02000C296BA163 (accessed Sept. 14, 2010). 16 Id. 17 Id. 18 Id.

4

To address these concerns, the groups propose the enactment of laws based on four guiding “principles,” which they believe nonetheless “preserv[e] the legal tools necessary for government agencies to enforce the laws, respond to emergency circumstances and protect the public”:19 1. “A governmental entity may require an entity covered by ECPA … to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider’s access to or use of the communications in its normal business operations.”20 “A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause.”21 “A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, email to and from information or other data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under 2703(d).”22 “Where [ECPA] authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s). All non-particularized requests must be subject to judicial approval.”23 CONCERNS WITH THE DIGITAL DUE PROCESS APPROACH A. Overarching concerns

2.

3.

4.

II.

There are a variety of concerns with the general approach taken by the Digital Due Process coalition and, specifically, their four proposals: • Impact on child exploitation cases. Although there is no data collected on this subject, anecdotally, it is the experience of the former federal prosecutors on Committee staff that the largest group of cases, by far, where ECPA authority is used is in child exploitation investigations and prosecutions. If Congress makes follows Digital Due Process’s recommendations, the largest impact of such changes might be to protect those who harm children behind a wall of “privacy protections” (i.e., these changes will make it more difficult and time-consuming for law enforcement to use ECPA to bring these offenders to justice).

19

Digital Due Process, “Our Principles,” available at http://www.digitaldueprocess.org/index.cfm? objectid=99629E40-2551-11DF-8E02000C296BA163 (accessed Sept. 14, 2010). 20 Id. (emphasis added). 21 Id. (emphasis added). 22 Id. (emphasis added). 23 Id.

5

This issue is of specific concern in light of the fact that the Justice Department reported to Congress just last month that the distribution of child pornography, the number of images being shared online, and violence against child victims all have increased.24 “Tragically, the only place we’ve seen a decrease is in the age of victims,” Attorney General Holder elaborated in a recent speech to the National Center for Missing and Exploited Children.25 The report also stated that the market for child pornography continues to grow rapidly and determining its size is impossible. “The number of offenders accessing the images and videos and the quantity of images and videos being traded is unknown,” the report said.26 In light of the extraordinary challenges facing law enforcement in fighting child exploitation, a strong argument can be made that ECPA should be changed to lessen the thresholds required for law enforcement to obtain electronic information (which would bring ECPA closer to the long-established Fourth Amendment standard). Digital Due Process is proposing doing the exact opposite. • Deceptive statements about the scope of Fourth Amendment protection for internet activity. The ACLU asserts the following in its press release announcing its decision to join Digital Due Process: “Technology has evolved at a lightning pace, leaving our privacy protections out of date and ineffective. The Fourth Amendment guarantees us the right to be secure in our ‘papers and effects’ and that means something entirely different in the 21st century.”27 However, as noted above, under the Fourth Amendment, an individual generally has no reasonable expectation of privacy in information that he had already furnished to a third party. ECPA’s current provisions already go far beyond those required by the Fourth Amendment to protect the privacy interests of users of telecommunications services, a point which is rarely acknowledged by supporters of ECPA changes. In other words, the Digital Due Process reforms are in no way required by the Constitution. Congress of course can establish standards that go further than those required under the Fourth Amendment, but it is in no way required to do so, and should tread lightly when doing so may negatively impact the ability of law enforcement to detect and prevent serious crimes. • Failure to include law enforcement at the table. There are no law enforcement groups included as part of Digital Due Process, whether they be governmental or nongovernmental like the National District Attorneys Association, the National Sheriffs Association, the Fraternal Order of Police, or the International Association of Chiefs of Police (all of which, notably, have vigorously opposed CDT/ACLU/EFF efforts in the past, such as proposed changes to the pen register standard).

24

“Justice report says child porn growing,” Associated Press, Aug. 3, 2010, available at http://www.boston.com/ news/nation/washington/articles/2010/08/03/justice_report_says_child_porn_growing/. 25 Id. 26 Id. 27 ACLU, “ACLU Joins AT&T, Google And Privacy Groups To Urge Updates To Privacy Law,” Mar. 30, 2010, available at http://www.aclu.org/technology-and-liberty/aclu-joins-att-google-and-privacy-groups-urge-updatesprivacy-law.

6

No demonstrated need for these changes or record of documented abuses. Digital Due Process cites an alarmingly small number of supposed abuses of ECPA that justify these changes in the law, and those that have been cited are often not on point. One of the so-called abuses most-cited by advocates of ECPA reform is the Ninth Circuit case of Theofel v. Farey-Jones,28 in which the court held that ECPA required the use of a search warrant to recover all email messages less than 180 days old, whether they had been read or not. The Theofel court chastised the “abus[e]” and lack of “reasonableness” of the subpoena at issue in the case, which it found “transformed the access from a bona fide state-sanctioned inspection into private snooping.”29 The problem with citing Theofel, however, is that it was a case between two private parties; law enforcement was not involved. Conflict of interest concerning industry participation. Several big players in industry are members of Digital Due Process, including Google and Microsoft. Completely absent to date in the media coverage of the ECPA debate is the obvious conflict of interest industry has in opining on the appropriate operative standards under ECPA. Simply put, if it is made more difficult for government to obtain information from telecommunications companies, the companies’ compliance costs will drop significantly. Industry has complained about their supposedly onerous compliance costs for years.30 A strong argument can be made that compliance with the reasonable, legal requests of law enforcement is the responsibility of any good corporate citizen. Notably, industry does not even try to argue that even a small number of the requests for information made by law enforcement are improper. It is then a ripe area for inquiry to explore industry’s real motivation for supporting ECPA changes that will ultimately make it more difficult to locate and apprehend criminals, especially those that exploit children. Does industry have a conflict of interest in lobbying for changes in ECPA, when it will directly benefit from those changes in the form of reduced compliance costs? • No substantive difference between this type of information and other records that can be routinely obtained by grand jury subpoena. Prosecutors routinely subpoena business and other records from third-party entities such as businesses under a mere relevance standard without court approval. It is difficult to see how non-content digital information is substantively different from the other types of records that can be easily obtained by law enforcement, like bank records, hotel registers, and the like.

28 29

359 F.3d 1066 (9th Cir. 2004). Id. at 1073. 30 For example, law enforcement has advocated for the adoption of data retention requirements, which would compel communications service providers to routinely capture and archive information detailing the telephone calls, email messages and other communications of their users. The purpose of these requirements would be to ensure that evidence of crimes, such as the distribution of child pornography, remain available for retrieval by law enforcement for a specified period of time (i.e., not deleted by the provider). Industry has objected to these proposals. See, e.g., “Microsoft, AOL, Google Asked by U.S. to Keep Records,” Bloomberg, June 1, 2006, available at http://www.bloomberg.com/apps/news?pid=newsarchive&sid=af87XTpBzphA (quoting Phil Reitinger, Microsoft senior security strategist, as stating that “data retention is a complicated issue with implications not only for efforts to combat child pornography but also for security, privacy, safety, and availability of low-cost or free Internet services.”) (emphasis added).

7

No need for court involvement. Especially in light of the woeful failure on the part of privacy advocates to document supposed abuses of ECPA, it is unclear why the job of protecting privacy must fall to the courts. On the federal level, oversight already exists within the Justice Department and individual U.S. Attorney’s Offices to ensure that prosecutors do not overreach in their use of ECPA. If that was not enough, a zealous Inspector General is also on the watch. Similar layers of review also exist in most states and localities. Further, if necessary, Congress can step-up its oversight efforts, as it has with the PATRIOT Act. Assuming that abuses exist (and there is no evidence of such), these less radical steps should be attempted first before Congress steps in and changes in the law in a manner that will have a pronounced negative effect on law enforcement’s ability to detect and prevent serious crimes on the internet. B. Specific concerns

Recommendation 1 (“A governmental entity may require … a provider of wire or electronic communication service or a provider of remote computing service to disclose communications that are not readily accessible to the public only with a search warrant issued based on a showing of probable cause”): This change would virtually eliminate the use of ECPA orders for stored communications for investigative purposes, which are used as building blocks in investigations of criminals like hackers and those who exploit children. Digital Due Process’s proposal would essentially prevent investigators from using this ECPA tool to develop evidence at the early stages of an investigation, which is precisely when this information is the most useful. As noted above, anecdotally, a substantial majority of ECPA orders are used in child exploitation cases, meaning that the primary direct beneficiary of the changes proposed by Digital Due Process will be this class of offenders. In these cases, prosecutors are not usually interested in the content of communications; they are interested in quickly locating offenders in order to apprehend them to protect children. Notably, this recommendation is particularly radical in that it is not limited to the content of communications (i.e., speech). While the protection of content was the main goal of privacy advocates in the past, they today aim to protect even “transactional communications” that do not involve speech.31

Recommendation 2 (“A governmental entity may access . . . prospectively or retrospectively, location information regarding a mobile communications device only with a warrant issued based on a showing of probable cause”): Many courts today permit the government to prospectively obtain location information under a lesser standard;32 therefore, a probable cause standard would essentially prohibit the

31 32

ACLU, supra note 27. See, e.g., In RE Application of the United States for an Order for Prospective Cell Site Location Information on a Certain Cellular Telephone¸460 F. Supp. 2d 448 (S.D. N.Y. 2006); In RE Application of U.S. for Order ReAuthorizing Use of a Pen Register and Trap and Trace device with Prospective Cell-Site Information, 2009 WL 1594003 (E.D. N.Y. Feb. 26, 2009); In RE U.S. for an Order Authorizing the Use of Two Pen Register and Trap and Trace Devices, 632 F. Supp. 2d 202 (E.D. N.Y. Nov. 26, 2008); In RE U.S., 622 F. Supp. 2d 411 (S.D. Tex. Oct. 17, 2007); In RE Application for an Order Authorizing the Extension and use of a Pen Register Device, 2007 WL 397129 (E.D. Cal. Feb. 1, 2007); In RE Application of U.S. for an Order for Prospective Cell Site Location

8

government from using this technique to track criminal activity. That aside, the application of a probable cause standard to historical (retrospective) location information is even more troubling. We are unaware of any court that has held that a person has a Fourth Amendment right to an expectation of privacy in locations they have been in the past. A probable cause standard for retrospective information would devastate law enforcement’s ability to use this data, which is critical for the investigation and prosecution of serious offenses such as drug smuggling.33 Moreover, it is difficult to see how a probable cause standard would operate in practice. Generally, a probably cause standard requires the government to show that evidence of a crime would be found in a search. How the government could ever meet this standard in most cases, when the purpose of the inquiry is to find out where the target was at a specific time, is unclear.34 Finally, how is historical cell phone location data any different from, say, a bank record showing a person making a withdrawal at a specific location at a time certain, or a hotel register showing that an individual spent a particular night as a guest? These other types of information, which would presumably implicate the same ephemeral supposed privacy interests, can be obtained by law enforcement with a mere grand jury subpoena. • Recommendation 3 (“A governmental entity may access . . . data currently covered by the authority for pen registers and trap and trace devices only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under [18 U.S.C. §] 2703(d)”): Prosecutors may currently obtain basic session connection records using a grand jury subpoena pursuant to 18 U.S.C. § 2703(c)(2). This proposal would require the government to meet a higher standard and, more importantly, make that showing to a court. This will require prosecutors to spend significantly more time filling out and defending applications for rudimentary information (a § 2703(d) request takes much more time to prepare and obtain than a grand jury subpoena) that will ultimately result in fewer criminals being brought to justice because of an unwise use of resources.

Information on a Certain Cellular Telephone, 460 F. Supp. 2d 448 (S.D. N.Y. Oct. 23, 2006); In RE U.S. for an Order, 433 F. Supp. 2d 804 (S.D. Tex. Apr. 11, 2006); In Matter of Application of U.S. for an Order, 411 F. Supp. 2d 678 (W.D. La. Jan. 26, 2006); In RE Application of U.S. for an Order for Disclosure of Telecommunications Records and Authorizing the Use of a Pen Register and Trap and Trace, 405 F. Supp. 2d 435 (S.D. N.Y. Dec. 20, 2005). 33 Congress recognized the importance of cell phone data in drug investigations by furnishing the DEA with administrative subpoena authority, the use of which is critical in many fast-moving investigations. See 21 U.S.C. §876(a). Such information is not just important in drug cases; for example, historical cell phone data is frequently used as a means to disprove alibi testimony (i.e., a witness testifies that a defendant was elsewhere but cell phone data proves this false). 34 See Hearing on Electronic Communications Privacy Act Reform, U.S. House of Representatives Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, May 5, 2010 (written testimony of Professor Orin S. Kerr) (“[I]f the police have probable cause to arrest someone, and they know his cell-phone number, I would think the law should allow the government some way of locating the suspect pursuant to an appropriate court order. A requirement that location information be obtainable only based on probable cause to believe that the location information is itself evidence of a crime would not seem to allow that.”)

9

Recommendation 4 (“Where the Stored Communications Act authorizes a subpoena to acquire information, . . . all non-particularized requests must be subject to judicial approval”): Digital Due Process claims that “there have been reported cases of bulk requests for information about everyone that visited a particular web site on a particular day, or everyone that used the Internet to sell products in a particular jurisdiction.”35 However, they neglect to point out whether these requests were made under ECPA, how exactly they violated privacy rights, or whether the government was the entity that issued the request. PREVIOUS HEARINGS

III.

On May 5, 2010, the House Judiciary Committee’s Subcommittee on the Constitution, Civil Rights, and Civil Liberties, held a hearing entitled, “Electronic Communications Privacy Act Reform.” Majority witness were: James X. Dempsey, Center for Democracy and Technology, Vice President for Public Policy; Albert Gidari, Perkins Coie LLP; and Ms. Annmarie Levins, Associate General Counsel, Microsoft Corporation. The minority witness was Orin S. Kerr, Professor, The George Washington University Law School. IV. WITNESSES

Panel 1: Cameron F. Kerry, Esq., is General Counsel of the United States Department of Commerce. As the General Counsel of the Department of Commerce since May 2009, Kerry is the principal legal advisor to Secretary Locke and third ranking secretarial officer. During his year as General Counsel, Kerry has been engaged in the wide range of issues facing the Department of Commerce as it seeks to lay a new foundation for economic growth. He has worked on patent reform and intellectual property issues, privacy and security, and efforts against transnational bribery. Previously, Kerry was a partner in the Boston office of Mintz Levin, a national law firm. Prior to joining Mintz Levin, Cameron was an associate at Wilmer, Cutler & Pickering and a law clerk for Judge Elbert Tuttle of the United States Court of Appeals for the Fifth Circuit. James A. Baker, Esq., is the Associate Deputy Attorney General of the United States Department of Justice. He has served in that position since July 2009, and is responsible for a range of national security policy issues. Baker has worked on numerous national security matters during his career. A former federal prosecutor, he worked on all aspects of national security investigations and prosecutions, including in particular FISA, during his 17 years as a career official at the U.S. Department of Justice from 1990 to 2007. From 2008 to 2009, Mr. Baker was Assistant General Counsel for National Security at Verizon Business. From 2001 to 2007, Mr. Baker served as Counsel for Intelligence Policy at the Justice Department, where he was head of the Office of Intelligence Policy and Review. In that position, he was responsible for developing, coordinating, and implementing national security policy with regard to intelligence and counterintelligence matters for the Department.
35

Digital Due Process, “Our Principles: Background,” available at http://www.digitaldueprocess.org/index.cfm? objectid=C00D74C0-3C03-11DF-84C7000C296BA163 (accessed Sept. 15, 2010).

10

Panel 2: James X. Dempsey, Esq., is Vice President for Public Policy at The Center for Democracy and Technology. He joined CDT at the beginning of 1997. He became Deputy Director in 2001 and Executive Director in 2003. Prior to joining CDT, Mr. Dempsey was Deputy Director of the Center for National Security Studies. From 1995 to 1996, Mr. Dempsey also served as special counsel to the National Security Archive, a non-governmental organization that uses the Freedom of Information Act to gain the declassification of documents on the U.S. foreign policy. From 1985 to 1994, Mr. Dempsey was assistant counsel to the House Judiciary Subcommittee on Civil and Constitutional Rights. His primary areas of responsibility for the Subcommittee were oversight of the Federal Bureau of Investigation, privacy and civil liberties. From 1980 to 1984, Mr. Dempsey was an associate with the Washington, D.C. law firm of Arnold & Porter, where he practiced in areas of government and commercial contracts, energy law, and anti-trust. He also maintained an extensive pro bono representation of death row inmates in federal habeas proceedings. He clerked for the Hon. Robert Braucher of the Massachusetts Supreme Judicial Court. He graduated from Harvard Law School in 1979 and from Yale College in 1975. Brad Smith, Esq., is Microsoft’s general counsel and senior vice president, Legal and Corporate Affairs. He leads the company’s Department of Legal and Corporate Affairs (“LCA”), which has just over 1,000 employees and is responsible for the company’s legal work, its intellectual property portfolio, and its government affairs and philanthropic work. He also serves as Microsoft’s corporate secretary and its chief compliance officer. Before joining Microsoft in 1993, Smith was a partner at Covington & Burling, having worked in the firm’s Washington, D.C., and London offices. Jamil N. Jaffer, Esq. (minority witness), is currently an associate at the Washington, DC law firm of Kellogg, Huber, Hansen, Todd, Evans & Figel. From 2008 to 2009, he served as Associate Counsel to the President, White House, working primarily on national security issues. From 2007 to 2008, he served as Counsel to the Assistant Attorney General, U.S. Department of Justice, National Security Division, and, prior to that, as Senior Counsel for National Security Law and Policy and as Counsel in the Office of Legal Policy, also at the Justice Department. He also served as a law clerk to Judge Neil M. Gorsuch, U.S. Court of Appeals, Tenth Circuit, and Judge Edith H. Jones, U.S. Court of Appeals, Fifth Circuit.

11