September 17, 2010

Memorandum
To: SJC Minority Staff
Subject: “The Electronic Communications Privacy Act:
Promoting Security and Protecting Privacy in the
Digital Age”

On Wednesday, September 22, 2010, at 10:00 a.m. in Dirksen 226, Chairman Leahy has
scheduled a hearing entitled, “The Electronic Communications Privacy Act: Promoting Security
and Protecting Privacy in the Digital Age.” This is likely intended to be a follow-up to a House
hearing earlier this year, where so-called privacy advocates such as the ACLU argued for the
imposition of a search warrant standard in the Electronic Communications Privacy Act (hereafter
“ECPA”) for obtaining certain key classes of electronic information. House Republicans
generally contended that the imposition of such a draconian standard was not justified by a
demonstrated need, such as a record of ECPA abuses, and would negatively impact law
enforcement efforts to detect and apprehend serious criminals that use the internet.

We anticipate that this hearing has been called by the Chairman as a driver for potential
legislation to reform ECPA in an ACLU-endorsed manner. The first panel will feature two
government witnesses. In the second panel, a representative from the Center for Democracy &
Technology (“CDT”) and Microsoft’s general counsel will testify for such ECPA reform; a
minority witness will testify to discuss the ways the proposed reforms will negatively impact law
enforcement. During the second panel, your Member may want to direct your questions to the
minority witness, focusing on the issue of the ways in which the changes proposed by the ACLU
would negatively impact law enforcement and indirectly benefit child pornographers and others
who use the internet as a means of committing serious crimes.

Below you will find descriptions of some of the issues that may arise at Wednesday’s hearing,
and brief summaries of the three hearings that took place in the recent past.

I. BACKGROUND

A. ECPA: A carefully-balanced political compromise

Congress initially responded to the emergence of wireless communication services and the
digital era by enacting ECPA in 1986.1 The federal wiretap statute had been limited to voice
communications. ECPA extended the wiretap provisions to include wireless voice
communications and electronic communications such as email or other computer-to-computer
transmissions.

1
See Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified in various
sections of Title 18 including 2510-21, 2701-10, and 3121-26).
Under the Fourth Amendment, an individual generally has no reasonable expectation of privacy
in information that he had already furnished to a third party.2 Courts have now extended this
analysis to network accounts, holding that individuals retain no Fourth Amendment privacy
interest in subscriber information and transactional records.3 Therefore, as a general rule,
ECPA’s current provisions (set forth below) go far beyond those required by the Fourth
Amendment to protect the privacy interests of users of telecommunications services, a point
which is rarely acknowledged by supporters of ECPA “reforms.”

ECPA was intended to reestablish the balance between privacy and law enforcement, which
Congress found had been upset to the detriment of privacy by the development of
communications and computer technology and changes in the structure of the
telecommunications industry. Among the developments noted by Congress were “large-scale
electronic mail operations, cellular and cordless phones, paging devices, miniaturized
transmitters for radio surveillance, and a dazzling array of digitized networks.”4 Privacy,
Congress concluded, was in danger of being gradually eroded as technology advanced.5

ECPA’s provisions, taken as a whole, can at first glance seem confusing and byzantine.
However, as the years have gone by, courts have been able to apply ECPA’s provisions to
evolving technological advances to the point that ECPA’s standards are generally clear and
settled. In a nutshell, under ECPA, so-called “public providers”6 (almost all major Internet and
communications service providers) cannot give customer information to the government except
under certain exceptions or through being served proper legal process.

In order for the government to obtain unread email less than 180 days old, the government must
obtain a search warrant under a probable cause standard.7 For it to obtain any other content
(including read email and unread email older than 180 days), it must either (1) obtain a search
warrant or (2) a court order authorized by 18 U.S.C. § 2703(d), which requires the showing that
“specific and articulable facts showing that there are reasonable grounds to believe that the
contents of a wire or electronic communication … are relevant and material to an ongoing

2
See United States v. Miller, 425 U.S. 435 (1976) (holding that individual’s rights were not violated when his bank
transmitted information that he had entrusted them with to the government); Smith v. Maryland, 442 U.S. 735
(1979) (holding that the installation and use of the pen register was not a ‘search’ within the meaning of the Fourth
Amendment, and hence no warrant was required, because telephone users know that they must convey phone
numbers to the telephone company and that the company has facilities for recording this information and does in
fact record it for various legitimate business purposes).
3
See United States v. Perrine, 518 F.3d 1196, 1204 (10th Cir. 2008) (“Every federal court to address this issue has
held that subscriber information provided to an internet provider is not protected by the Fourth Amendment's
privacy expectation.”); United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (email and Internet users have
no reasonable expectation of privacy in source or destination addresses of email or the IP addresses of websites
visited); Guest v. Leis, 255 F.3d 325, 336 (6th Cir. 2001) (finding no Fourth Amendment protection for network
account holders’ subscriber information obtained from communication service provider).
4
H.R. Rep. No. 99-647, at 18 (1986).
5
S. Rep. No. 99-541, at 2-3, 5 (1986); H.R. Rep. No. 99-647, at 16-19 (1986). See also H.R. Rep. No. 99-647, at 18
(stating that “[l]egal protection against the unreasonable use of newer surveillance techniques has not kept pace with
technology. “).
6
These are providers those who make “remote computing services” available “to the public,” even if for a fee.
See18 U.S.C. § 2510(14).
7
See 18 U.S.C. § 2703(a).

2
criminal investigation,” accompanied by notice to the user.8 The government can obtain most
non-content transactional records (including historical cell phone location records9) the same
way, except that it does not need to provide notice to the user if it goes the 2703(d) route.10
Finally, basic subscriber information, akin to that found in all sorts of other business records, can
be obtained via grand jury subpoena without court involvement.11

The idea that ECPA is a thoughtless mess of rules and standards ignores the fact that the
structure of the law reflects a series of classifications that indicate the drafters’ judgments about
what kinds of information implicate greater or lesser privacy interests. For example, the drafters
saw greater privacy interests in the content of stored emails and content than in subscriber
account information. Similarly, the drafters believed that computing services available “to the
public” required more strict regulation than services not available to the public. Even the much-
derided “180 day” standard was serious contemplated: Congress believed that the storage of
email past 180 days is more akin to that of business records maintained by a third party,12 which
are accorded less protection under decades of court precedent.

ECPA was designed to provide rules for government surveillance in the modern age. However,
technology has evolved in unanticipated ways. The interactive nature of the Internet, now
including elements such as home banking and telecommuting, has produced an environment in
which many people may spend hours each day “online.” That said, not only have courts
generally kept up in interpreting ECPA to evolving technologies, but the argument that the
language of ECPA needs updating does nothing to advance the second part of the privacy
groups’ agenda: ratcheting-up the underlying standards (“probable cause,” “specific and
articulable facts”) at the heart of ECPA that were agreed to back in 1986 after significant
political compromise on both sides.

B. The CDT/ACLU/EFF proposals

The Center for Democracy & Technology bills itself as “a non-profit public interest organization
working to keep the Internet open, innovative, and free.”13 It is, by any fair reading, a liberal
advocacy group; for example, it has lobbied heavily for weakening the PATRIOT Act, aligning
itself with organizations such as the ACLU, Electronic Frontier Foundation (“EFF”), Human
Rights Watch, the National Association of Criminal Defense Lawyers, and People For the

8
See 18 U.S.C. § 2703(b).
9
Courts are divided as to whether the government needs a search warrant or a 2703(d) order to obtain prospective
cell phone location data, as discussed below. But courts are nearly unanimous that the 2703(d) standard is all that
applies for retrospective data. See, e.g., In RE U.S., 622 F. Supp. 2d 411 (S.D. Tex. 2007); In RE Applications of
U.S. for Orders Pursuant to Title 18, U.S. Code Sec. 2703(d), 509 F. Supp. 2d 76 (D. Mass. 2007); In RE
Application of U.S. for an Order for Prospective Cell Site Location Information on a Certain Cellular Telephone,
460 F. Supp. 2d 448 (S.D. N.Y. Oct. 23, 2006); In RE Application of U.S. for an Order for Disclosure of Telecomm.
Records and Authorizing the Use of a Pen Register, 405 F. Supp. 2d 435 (S.D. N.Y. Dec. 20, 2005); In RE U.S. for
an Order Authorizing Monitoring of Geolocation and Cell Site Data for a Sprint Spectrum Cell Phone Number, 2006
WL 6217584 (D. D.C. Aug. 25, 2006).
10
See 18 U.S.C. § 2703(c)(1)(B).
11
See 18 U.S.C. § 2703(c)(1)(E) and (c)(2).
12
See H.R. Rep. No. 99-647, at 68 (1986).
13
See “About” (webpage), Center for Democracy and Technology, available at http://www.cdt.org/about (accessed
Sept. 14, 2010).

3
American Way.14 CDT has convened internet companies, other communications companies,
privacy advocates, and other individuals and groups with an interest in updating ECPA (but
notably, no representatives from law enforcement). This group evolved into a “coalition” called
Digital Due Process. Members of Digital Due Process include the ACLU, EFF, American
Library Association, and Citizens Against Government Waste. Industry members include
Google, AOL, AT&T, and Microsoft.

Digital Due Process believes that since enactment of ECPA, there have been fundamental
changes in communications technology and the way people use it, including:

• “Email: Most Americans have embraced email in their professional and personal lives
and use it daily for confidential communications of a personal or business nature.
Because of the importance of email and unlimited storage capabilities available today,
most people save their email indefinitely, just as they previously saved letters and other
correspondence. The difference, of course, is that it is easier to save, search and retrieve
digital communications ….”15

• “Mobile location: Cell phones and mobile Internet devices constantly generate location
data that supports both the underlying service and a growing range of location-based
services of great convenience and value. This location data can be intercepted in real-
time, and is often stored in easily accessible logs files. Location data can reveal a
person’s movements, from which inferences can be drawn about activities and
associations. Location data is augmented by very precise GPS data being installed in a
growing number of devices.”16

• “Cloud computing: Increasingly, businesses and individuals are storing data ‘in the
cloud,’ with potentially huge benefits in terms of cost, security, flexibility and the ability
to share and collaborate.”17

• “Social networking: One of the most striking developments of the past few years has
been the remarkable growth of social networking. Hundreds of millions of people now
use these social media services to share information with friends and as an alternative
platform for private communications.”18

14
See Letter to Members of the Senate Select Committee on Intelligence by National Groups, April 18, 2005,
available at http://www.cdt.org/security/usapatriot/20050418letter.pdf (“[O]pposition to the USA Patriot Act reflects
a more general discomfort over the government’s actions. . . . We urge the Congress to examine the many rights and
liberties issues that have arisen since 9/ll, including the following: . . . . Mass secret arrests of Arabs and Muslims
followed by detention for extended periods; . . . . Discriminatory enforcement of the immigration laws, leading to
arbitrary detentions and deportations; . . . . Detentions of Americans incommunicado as “enemy combatants”
without access to lawyers or the courts; . . . . Expanded use of secret wiretaps and secret searches of Americans’
homes and offices; . . . . Massive growth in surveillance technologies and authority . . . .”
15
Digital Due Process, “ECPA Reform: Why Now,” available at http://www.digitaldueprocess.org/index.cfm?
objectid=37940370-2551-11DF-8E02000C296BA163 (accessed Sept. 14, 2010).
16
Id.
17
Id.
18
Id.

4
To address these concerns, the groups propose the enactment of laws based on four guiding
“principles,” which they believe nonetheless “preserv[e] the legal tools necessary for government
agencies to enforce the laws, respond to emergency circumstances and protect the public”:19

1. “A governmental entity may require an entity covered by ECPA … to disclose

communications that are not readily accessible to the public only with a search warrant
issued based on a showing of probable cause, regardless of the age of the
communications, the means or status of their storage or the provider’s access to or use of
the communications in its normal business operations.”20

2. “A governmental entity may access, or may require a covered entity to provide,

prospectively or retrospectively, location information regarding a mobile
communications device only with a warrant issued based on a showing of probable
cause.”21

3. “A governmental entity may access, or may require a covered entity to provide,

prospectively or in real time, dialed number information, email to and from information
or other data currently covered by the authority for pen registers and trap and trace
devices only after judicial review and a court finding that the governmental entity has
made a showing at least as strong as the showing under 2703(d).”22

4. “Where [ECPA] authorizes a subpoena to acquire information, a governmental entity

may use such subpoenas only for information related to a specified account(s) or
individual(s). All non-particularized requests must be subject to judicial approval.”23

II. CONCERNS WITH THE DIGITAL DUE PROCESS APPROACH

A. Overarching concerns

There are a variety of concerns with the general approach taken by the Digital Due Process
coalition and, specifically, their four proposals:

• Impact on child exploitation cases. Although there is no data collected on this subject,
anecdotally, it is the experience of the former federal prosecutors on Committee staff that
the largest group of cases, by far, where ECPA authority is used is in child exploitation
investigations and prosecutions. If Congress makes follows Digital Due Process’s
recommendations, the largest impact of such changes might be to protect those who harm
children behind a wall of “privacy protections” (i.e., these changes will make it more
difficult and time-consuming for law enforcement to use ECPA to bring these offenders
to justice).

19
Digital Due Process, “Our Principles,” available at http://www.digitaldueprocess.org/index.cfm?
objectid=99629E40-2551-11DF-8E02000C296BA163 (accessed Sept. 14, 2010).
20
Id. (emphasis added).
21
Id. (emphasis added).
22
Id. (emphasis added).
23
Id.

5
 This issue is of specific concern in light of the fact that the Justice Department reported to
Congress just last month that the distribution of child pornography, the number of images
being shared online, and violence against child victims all have increased.24 “Tragically,
the only place we’ve seen a decrease is in the age of victims,” Attorney General Holder
elaborated in a recent speech to the National Center for Missing and Exploited Children.25
The report also stated that the market for child pornography continues to grow rapidly
and determining its size is impossible. “The number of offenders accessing the images
and videos and the quantity of images and videos being traded is unknown,” the report
said.26 In light of the extraordinary challenges facing law enforcement in fighting child
exploitation, a strong argument can be made that ECPA should be changed to lessen the
thresholds required for law enforcement to obtain electronic information (which would
bring ECPA closer to the long-established Fourth Amendment standard). Digital Due
Process is proposing doing the exact opposite.

• Deceptive statements about the scope of Fourth Amendment protection for internet
activity. The ACLU asserts the following in its press release announcing its decision to
join Digital Due Process: “Technology has evolved at a lightning pace, leaving our
privacy protections out of date and ineffective. The Fourth Amendment guarantees us the
right to be secure in our ‘papers and effects’ and that means something entirely different
in the 21st century.”27 However, as noted above, under the Fourth Amendment, an
individual generally has no reasonable expectation of privacy in information that he had
already furnished to a third party. ECPA’s current provisions already go far beyond
those required by the Fourth Amendment to protect the privacy interests of users of
telecommunications services, a point which is rarely acknowledged by supporters of
ECPA changes.

In other words, the Digital Due Process reforms are in no way required by the
Constitution. Congress of course can establish standards that go further than those
required under the Fourth Amendment, but it is in no way required to do so, and should
tread lightly when doing so may negatively impact the ability of law enforcement to
detect and prevent serious crimes.

• Failure to include law enforcement at the table. There are no law enforcement groups
included as part of Digital Due Process, whether they be governmental or non-
governmental like the National District Attorneys Association, the National Sheriffs
Association, the Fraternal Order of Police, or the International Association of Chiefs of
Police (all of which, notably, have vigorously opposed CDT/ACLU/EFF efforts in the
past, such as proposed changes to the pen register standard).

24
“Justice report says child porn growing,” Associated Press, Aug. 3, 2010, available at http://www.boston.com/
news/nation/washington/articles/2010/08/03/justice_report_says_child_porn_growing/.
25
Id.
26
Id.
27
ACLU, “ACLU Joins AT&T, Google And Privacy Groups To Urge Updates To Privacy Law,” Mar. 30, 2010,
available at http://www.aclu.org/technology-and-liberty/aclu-joins-att-google-and-privacy-groups-urge-updates-
privacy-law.

6
 • No demonstrated need for these changes or record of documented abuses. Digital
Due Process cites an alarmingly small number of supposed abuses of ECPA that justify
these changes in the law, and those that have been cited are often not on point. One of
the so-called abuses most-cited by advocates of ECPA reform is the Ninth Circuit case of
Theofel v. Farey-Jones,28 in which the court held that ECPA required the use of a search
warrant to recover all email messages less than 180 days old, whether they had been read
or not. The Theofel court chastised the “abus[e]” and lack of “reasonableness” of the
subpoena at issue in the case, which it found “transformed the access from a bona fide
state-sanctioned inspection into private snooping.”29 The problem with citing Theofel,
however, is that it was a case between two private parties; law enforcement was not
involved.

• Conflict of interest concerning industry participation. Several big players in industry

are members of Digital Due Process, including Google and Microsoft. Completely
absent to date in the media coverage of the ECPA debate is the obvious conflict of
interest industry has in opining on the appropriate operative standards under ECPA.
Simply put, if it is made more difficult for government to obtain information from
telecommunications companies, the companies’ compliance costs will drop significantly.
Industry has complained about their supposedly onerous compliance costs for years.30

A strong argument can be made that compliance with the reasonable, legal requests of
law enforcement is the responsibility of any good corporate citizen. Notably, industry
does not even try to argue that even a small number of the requests for information made
by law enforcement are improper. It is then a ripe area for inquiry to explore industry’s
real motivation for supporting ECPA changes that will ultimately make it more difficult
to locate and apprehend criminals, especially those that exploit children. Does industry
have a conflict of interest in lobbying for changes in ECPA, when it will directly benefit
from those changes in the form of reduced compliance costs?

• No substantive difference between this type of information and other records that
can be routinely obtained by grand jury subpoena. Prosecutors routinely subpoena
business and other records from third-party entities such as businesses under a mere
relevance standard without court approval. It is difficult to see how non-content digital
information is substantively different from the other types of records that can be easily
obtained by law enforcement, like bank records, hotel registers, and the like.

28
359 F.3d 1066 (9th Cir. 2004).
29
Id. at 1073.
30
For example, law enforcement has advocated for the adoption of data retention requirements, which would compel
communications service providers to routinely capture and archive information detailing the telephone calls, email
messages and other communications of their users. The purpose of these requirements would be to ensure that
evidence of crimes, such as the distribution of child pornography, remain available for retrieval by law enforcement
for a specified period of time (i.e., not deleted by the provider). Industry has objected to these proposals. See, e.g.,
“Microsoft, AOL, Google Asked by U.S. to Keep Records,” Bloomberg, June 1, 2006, available at
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=af87XTpBzphA (quoting Phil Reitinger, Microsoft
senior security strategist, as stating that “data retention is a complicated issue with implications not only for efforts
to combat child pornography but also for security, privacy, safety, and availability of low-cost or free Internet
services.”) (emphasis added).

7
 • No need for court involvement. Especially in light of the woeful failure on the part of
privacy advocates to document supposed abuses of ECPA, it is unclear why the job of
protecting privacy must fall to the courts. On the federal level, oversight already exists
within the Justice Department and individual U.S. Attorney’s Offices to ensure that
prosecutors do not overreach in their use of ECPA. If that was not enough, a zealous
Inspector General is also on the watch. Similar layers of review also exist in most states
and localities. Further, if necessary, Congress can step-up its oversight efforts, as it has
with the PATRIOT Act. Assuming that abuses exist (and there is no evidence of such),
these less radical steps should be attempted first before Congress steps in and changes in
the law in a manner that will have a pronounced negative effect on law enforcement’s
ability to detect and prevent serious crimes on the internet.

B. Specific concerns

• Recommendation 1 (“A governmental entity may require … a provider of wire or

electronic communication service or a provider of remote computing service to
disclose communications that are not readily accessible to the public only with a
search warrant issued based on a showing of probable cause”): This change would
virtually eliminate the use of ECPA orders for stored communications for investigative
purposes, which are used as building blocks in investigations of criminals like hackers
and those who exploit children. Digital Due Process’s proposal would essentially prevent
investigators from using this ECPA tool to develop evidence at the early stages of an
investigation, which is precisely when this information is the most useful. As noted
above, anecdotally, a substantial majority of ECPA orders are used in child exploitation
cases, meaning that the primary direct beneficiary of the changes proposed by Digital
Due Process will be this class of offenders. In these cases, prosecutors are not usually
interested in the content of communications; they are interested in quickly locating
offenders in order to apprehend them to protect children.

Notably, this recommendation is particularly radical in that it is not limited to the content
of communications (i.e., speech). While the protection of content was the main goal of
privacy advocates in the past, they today aim to protect even “transactional
communications” that do not involve speech.31

• Recommendation 2 (“A governmental entity may access . . . prospectively or

retrospectively, location information regarding a mobile communications device
only with a warrant issued based on a showing of probable cause”): Many courts
today permit the government to prospectively obtain location information under a lesser
standard;32 therefore, a probable cause standard would essentially prohibit the
31
ACLU, supra note 27.
32
See, e.g., In RE Application of the United States for an Order for Prospective Cell Site Location Information on a
Certain Cellular Telephone¸460 F. Supp. 2d 448 (S.D. N.Y. 2006); In RE Application of U.S. for Order Re-
Authorizing Use of a Pen Register and Trap and Trace device with Prospective Cell-Site Information, 2009 WL
1594003 (E.D. N.Y. Feb. 26, 2009); In RE U.S. for an Order Authorizing the Use of Two Pen Register and Trap and
Trace Devices, 632 F. Supp. 2d 202 (E.D. N.Y. Nov. 26, 2008); In RE U.S., 622 F. Supp. 2d 411 (S.D. Tex. Oct. 17,
2007); In RE Application for an Order Authorizing the Extension and use of a Pen Register Device, 2007 WL
397129 (E.D. Cal. Feb. 1, 2007); In RE Application of U.S. for an Order for Prospective Cell Site Location

8
 government from using this technique to track criminal activity. That aside, the
application of a probable cause standard to historical (retrospective) location information
is even more troubling. We are unaware of any court that has held that a person has a
Fourth Amendment right to an expectation of privacy in locations they have been in the
past. A probable cause standard for retrospective information would devastate law
enforcement’s ability to use this data, which is critical for the investigation and
prosecution of serious offenses such as drug smuggling.33

Moreover, it is difficult to see how a probable cause standard would operate in practice.
Generally, a probably cause standard requires the government to show that evidence of a
crime would be found in a search. How the government could ever meet this standard in
most cases, when the purpose of the inquiry is to find out where the target was at a
specific time, is unclear.34 Finally, how is historical cell phone location data any different
from, say, a bank record showing a person making a withdrawal at a specific location at a
time certain, or a hotel register showing that an individual spent a particular night as a
guest? These other types of information, which would presumably implicate the same
ephemeral supposed privacy interests, can be obtained by law enforcement with a mere
grand jury subpoena.

• Recommendation 3 (“A governmental entity may access . . . data currently covered

by the authority for pen registers and trap and trace devices only after judicial
review and a court finding that the governmental entity has made a showing at least
as strong as the showing under [18 U.S.C. §] 2703(d)”): Prosecutors may currently
obtain basic session connection records using a grand jury subpoena pursuant to 18
U.S.C. § 2703(c)(2). This proposal would require the government to meet a higher
standard and, more importantly, make that showing to a court. This will require
prosecutors to spend significantly more time filling out and defending applications for
rudimentary information (a § 2703(d) request takes much more time to prepare and
obtain than a grand jury subpoena) that will ultimately result in fewer criminals being
brought to justice because of an unwise use of resources.

Information on a Certain Cellular Telephone, 460 F. Supp. 2d 448 (S.D. N.Y. Oct. 23, 2006); In RE U.S. for an
Order, 433 F. Supp. 2d 804 (S.D. Tex. Apr. 11, 2006); In Matter of Application of U.S. for an Order, 411 F. Supp.
2d 678 (W.D. La. Jan. 26, 2006); In RE Application of U.S. for an Order for Disclosure of Telecommunications
Records and Authorizing the Use of a Pen Register and Trap and Trace, 405 F. Supp. 2d 435 (S.D. N.Y. Dec. 20,
2005).
33
Congress recognized the importance of cell phone data in drug investigations by furnishing the DEA with
administrative subpoena authority, the use of which is critical in many fast-moving investigations. See 21 U.S.C.
§876(a). Such information is not just important in drug cases; for example, historical cell phone data is frequently
used as a means to disprove alibi testimony (i.e., a witness testifies that a defendant was elsewhere but cell phone
data proves this false).
34
See Hearing on Electronic Communications Privacy Act Reform, U.S. House of Representatives Committee on
the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, May 5, 2010 (written testimony
of Professor Orin S. Kerr) (“[I]f the police have probable cause to arrest someone, and they know his cell-phone
number, I would think the law should allow the government some way of locating the suspect pursuant to an
appropriate court order. A requirement that location information be obtainable only based on probable cause to
believe that the location information is itself evidence of a crime would not seem to allow that.”)

9
 • Recommendation 4 (“Where the Stored Communications Act authorizes a subpoena
to acquire information, . . . all non-particularized requests must be subject to
judicial approval”): Digital Due Process claims that “there have been reported cases of
bulk requests for information about everyone that visited a particular web site on a
particular day, or everyone that used the Internet to sell products in a particular
jurisdiction.”35 However, they neglect to point out whether these requests were made
under ECPA, how exactly they violated privacy rights, or whether the government was
the entity that issued the request.

III. PREVIOUS HEARINGS

On May 5, 2010, the House Judiciary Committee’s Subcommittee on the Constitution, Civil
Rights, and Civil Liberties, held a hearing entitled, “Electronic Communications Privacy Act
Reform.” Majority witness were: James X. Dempsey, Center for Democracy and Technology,
Vice President for Public Policy; Albert Gidari, Perkins Coie LLP; and Ms. Annmarie Levins,
Associate General Counsel, Microsoft Corporation. The minority witness was Orin S. Kerr,
Professor, The George Washington University Law School.

IV. WITNESSES

Panel 1:

Cameron F. Kerry, Esq., is General Counsel of the United States Department of Commerce.
As the General Counsel of the Department of Commerce since May 2009, Kerry is the principal
legal advisor to Secretary Locke and third ranking secretarial officer. During his year as General
Counsel, Kerry has been engaged in the wide range of issues facing the Department of
Commerce as it seeks to lay a new foundation for economic growth. He has worked on patent
reform and intellectual property issues, privacy and security, and efforts against transnational
bribery. Previously, Kerry was a partner in the Boston office of Mintz Levin, a national law
firm. Prior to joining Mintz Levin, Cameron was an associate at Wilmer, Cutler & Pickering and
a law clerk for Judge Elbert Tuttle of the United States Court of Appeals for the Fifth Circuit.

James A. Baker, Esq., is the Associate Deputy Attorney General of the United States
Department of Justice. He has served in that position since July 2009, and is responsible for a
range of national security policy issues. Baker has worked on numerous national security
matters during his career. A former federal prosecutor, he worked on all aspects of national
security investigations and prosecutions, including in particular FISA, during his 17 years as a
career official at the U.S. Department of Justice from 1990 to 2007.
From 2008 to 2009, Mr. Baker was Assistant General Counsel for National Security at Verizon
Business. From 2001 to 2007, Mr. Baker served as Counsel for Intelligence Policy at the Justice
Department, where he was head of the Office of Intelligence Policy and Review. In that
position, he was responsible for developing, coordinating, and implementing national security
policy with regard to intelligence and counterintelligence matters for the Department.

35
Digital Due Process, “Our Principles: Background,” available at http://www.digitaldueprocess.org/index.cfm?
objectid=C00D74C0-3C03-11DF-84C7000C296BA163 (accessed Sept. 15, 2010).

10
Panel 2:

James X. Dempsey, Esq., is Vice President for Public Policy at The Center for Democracy and
Technology. He joined CDT at the beginning of 1997. He became Deputy Director in 2001 and
Executive Director in 2003. Prior to joining CDT, Mr. Dempsey was Deputy Director of the
Center for National Security Studies. From 1995 to 1996, Mr. Dempsey also served as special
counsel to the National Security Archive, a non-governmental organization that uses the
Freedom of Information Act to gain the declassification of documents on the U.S. foreign policy.
From 1985 to 1994, Mr. Dempsey was assistant counsel to the House Judiciary Subcommittee on
Civil and Constitutional Rights. His primary areas of responsibility for the Subcommittee were
oversight of the Federal Bureau of Investigation, privacy and civil liberties. From 1980 to 1984,
Mr. Dempsey was an associate with the Washington, D.C. law firm of Arnold & Porter, where
he practiced in areas of government and commercial contracts, energy law, and anti-trust. He
also maintained an extensive pro bono representation of death row inmates in federal habeas
proceedings. He clerked for the Hon. Robert Braucher of the Massachusetts Supreme Judicial
Court. He graduated from Harvard Law School in 1979 and from Yale College in 1975.

Brad Smith, Esq., is Microsoft’s general counsel and senior vice president, Legal and Corporate
Affairs. He leads the company’s Department of Legal and Corporate Affairs (“LCA”), which
has just over 1,000 employees and is responsible for the company’s legal work, its intellectual
property portfolio, and its government affairs and philanthropic work. He also serves as
Microsoft’s corporate secretary and its chief compliance officer. Before joining Microsoft in
1993, Smith was a partner at Covington & Burling, having worked in the firm’s Washington,
D.C., and London offices.

Jamil N. Jaffer, Esq. (minority witness), is currently an associate at the Washington, DC law
firm of Kellogg, Huber, Hansen, Todd, Evans & Figel. From 2008 to 2009, he served as
Associate Counsel to the President, White House, working primarily on national security issues.
From 2007 to 2008, he served as Counsel to the Assistant Attorney General, U.S. Department of
Justice, National Security Division, and, prior to that, as Senior Counsel for National Security
Law and Policy and as Counsel in the Office of Legal Policy, also at the Justice Department. He
also served as a law clerk to Judge Neil M. Gorsuch, U.S. Court of Appeals, Tenth Circuit, and
Judge Edith H. Jones, U.S. Court of Appeals, Fifth Circuit.

11