Richard P. Salgado’s Testimony at the House Judiciary Committee ECPA Hearing
Articles Blog

Richard P. Salgado’s Testimony at the House Judiciary Committee ECPA Hearing

November 16, 2019


JERROLD NADLER: I now recognize
Mr. Salgano. RICHARD SALGANO: Thank you,
Chairman Nadler, Ranking Member Sensenbrenner, and
members of the subcommittee. As Google’s senior counsel
for law enforcement and information security, I oversee
Google’s response to government requests for user
information under many authorities, including the
Electronic Communications Privacy Act of 1986. I’ve also worked with ECPA
extensively from a law enforcement perspective as a
senior counsel in the criminal division in the Department
of Justice. ECPA was a forward looking
statute for 1986. And much of it remains
relevant today. But over my many years of
experience in implementing, in trying to interpret, and
frankly, often wrestling with the statute, I’ve seen large
gaps grow between the technological assumptions of
that earlier era and the reality of how electronic
communication works today. As a result of those gaps,
providers, users, law enforcement agents,
investigators, and prosecutors, as well as judges,
often face complex and baffling rules that are
difficult to explain, and challenging to apply. Even more significant,
however, in important respects, ECPA now fails to
provide the privacy protection that people reasonably expect. And that’s why Google helped
found and strongly supports the Digital Due Process
Coalition. The coalition, which many of
you may have heard of, is a broad coalition. It includes telecommunications
companies like AT&T. We have internet companies, many of whom
are represented on the panel today, and other
organizations, including Americans for Tax Reform, and
the ACLU, among many other members that I haven’t
mentioned. The coalition has proposed a set
of common sense principles for updating ECPA. The reforms seek to preserve the
structure of the statute and certainly the tools needed
by law enforcement to perform their important functions, but
are intended to ensure that the protections afforded to data
stored in the cloud are no less than those extended to
data stored in the home or in the office. Cloud computing is a new term,
as has been noted. But most of us use cloud
services every day, even if the label isn’t particularly
familiar to us. When you use the web to send an
email, to edit a document, or to manipulate a calendar–
as Professor Feldman has reflected to us– you’re actually using cloud
computing services. The services now are very robust
and very feature rich. In fact, many companies are
moving their entire IT infrastructure into the internet
based cloud, and getting the functionality
through service providers. Shifting all of these computing
tasks from our desktops to cloud providers
offers tremendous social benefits, tremendous
economic benefits, and security benefits. Today’s technology bears little
resemblance to the mainframe computers
of the 1980s. Back then, remote computing and
storage were rare luxuries for companies, usually used
for bulk processing, like payroll services
or data backup. ECPA has not kept pace with
the rapid technological advances that we’ve enjoyed
in the last few years. And as a result, the problems
are becoming obvious. One example that has been
alluded to already, under ECPA, the government must obtain
a warrant to get the content of an email that is
no older than six months. But for older messages,
the government can simply issue a subpoena– obviously without a
judge’s approval– to compel the production
of the email’s content from a provider. Under the Department of
Justice’s interpretation of ECPA– which has been rejected
by the ninth circuit– opened email, regardless of the
age, can be obtained using that lower subpoena standard. Distinguishing the privacy
protections of the email based on age and by access of the
user makes no sense today. In 1986, perhaps it did. Remote storage was so expensive
that users rarely stored messages for very long. They either downloaded or
deleted the messages soon after receiving them. Today, people often keep
messages and mail for indefinite periods of time,
possibly forever. With Gmail– which is Google’s free
email service– Google offers enough free
storage that space constraints are not a reason ever to
delete an old mail. Many of our users have messages
going back to when Gmail was launched over
six years ago. Gmail accounts have essentially
become the filing cabinets of today. The example reveals how parts of
ECPA need to be updated for the 21st century. The Digital Due Process proposal
would go far towards achieving that goal. Advances in technology depend
not just on smart engineers, but also on smart laws that will
not stand in the way of continued innovation and
adoption of technology. I thank the subcommittee for
giving me attention to this issue, and urge you to
help bring ECPA into the internet age. Thank you.

Only registered users can comment.

  1. GREAT and informative speech! I was not aware of how easily rogue law enforcement could force email providers into turning over it's users' emails without even a warrant. That is appalling and I'm very glad to see Google on the ball defending it's users privacy and safety.

Leave a Reply

Your email address will not be published. Required fields are marked *