[Senate Hearing 112-662]
[From the U.S. Government Printing Office]
S. Hrg. 112-662
STATE OF FEDERAL PRIVACY AND DATA SECURITY LAW: LAGGING BEHIND THE
TIMES?
=======================================================================
HEARING
before the
OVERSIGHT OF GOVERNMENT MANAGEMENT,
THE FEDERAL WORKFORCE, AND THE
DISTRICT OF COLUMBIA SUBCOMMITTEE
of the
COMMITTEE ON
HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
JULY 31, 2012
__________
Available via the World Wide Web: http://www.fdsys.gov
Printed for the use of the Committee on Homeland Security
and Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
76-066 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office, http://bookstore.gpo.gov. For more information, contact the
GPO Customer Contact Center, U.S. Government Printing Office.
Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio
JON TESTER, Montana RAND PAUL, Kentucky
MARK BEGICH, Alaska JERRY MORAN, Kansas
Michael L. Alexander, Staff Director
Nicholas A. Rossi, Minority Staff Director
Trina Driessnack Tyrer, Chief Clerk
Joyce Ward, Publications Clerk and GPO Detailee
OVERSIGHT OF GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE
DISTRICT OF COLUMBIA SUBCOMMITTEE
DANIEL K. AKAKA, Hawaii, Chairman
CARL LEVIN, Michigan RON JOHNSON, Wisconsin
MARY L. LANDRIEU, Louisiana TOM COBURN, Oklahoma
MARK BEGICH, Alaska JERRY MORAN, Kansas
Eric M. Tamarkin, Counsel
Rachel R. Weaver, Minority Staff Director
Lauren Corcoran, Chief Clerk
C O N T E N T S
------
Opening statement:
Page
Senator Akaka................................................ 1
Senator Johnson.............................................. 3
Prepared statement:
Senator Akaka................................................ 35
Senator Carper............................................... 37
WITNESSES
Tuesday, July 31, 2012
Mary Ellen Callahan, Chief Privacy Officer, U.S. Department of
Homeland Security.............................................. 4
Greg Long, Executive Director, Federal Retirement Thrift
Investment Board............................................... 6
Greg C. Wilshusen, Director, Information Security Issues, U.S.
Accountability Office.......................................... 8
Peter Swire, C. William O'Neill Professor of Law at Ohio State
University..................................................... 19
Chris Calabrese, Legislative Counsel, American Civil Liberties
Union.......................................................... 21
Paul Rosenzweig, Visiting Fellow, Heritage Foundation............ 23
Alphabetical List of Witnesses
Calabrese, Chris:
Testimony.................................................... 21
Prepared statement........................................... 84
Callahan, Mary Ellen:
Testimony.................................................... 4
Prepared statement........................................... 38
Long, Greg:
Testimony.................................................... 6
Prepared statement........................................... 46
Rosenzweig, Paul:
Testimony.................................................... 23
Prepared statement........................................... 99
Swire, Peter:
Testimony.................................................... 19
Prepared statement........................................... 69
Wilshusen, Greg C.:
Testimony.................................................... 8
Prepared statement........................................... 52
APPENDIX
Questions and responses for the Record from:
Ms. Callahan................................................. 117
Mr. Long..................................................... 119
Mr. Wilshusen................................................ 124
Mr. Swire.................................................... 126
Mr. Calabrese................................................ 127
Mr. Rosenzweig............................................... 131
STATE OF FEDERAL PRIVACY AND DATA SECURITY LAW: LAGGING BEHIND THE
TIME?
----------
TUESDAY, JULY 31, 2012
U.S. Senate,
Subcommittee on Oversight of Government
Management, the Federal Workforce,
and the District of Columbia,
of the Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Subcommittee met, pursuant to notice, at 10:03 a.m., in
Room SD-628, Dirksen Senate Office Building, Hon. Daniel K.
Akaka, Chairman of the Subcommittee, presiding.
Present: Senators Akaka and Johnson.
OPENING STATEMENT OF SENATOR AKAKA
Senator Akaka. I call this hearing of the Subcommittee on
Oversight of Government Management, the Federal Workforce, and
the District of Columbia to order.
I want to say Aloha and welcome our guests and all those
who are here and interested in this hearing, and I just want to
thank all of you for being here.
Today, the Subcommittee will examine the foundation for our
Federal privacy and data security laws. Unfortunately, key
pieces of this foundation have serious cracks that need to be
fixed.
The Privacy Act, a cornerstone of Federal privacy
protection, was enacted way back in 1974 to respond to the
increasing ease of collecting and storing personal information
in computer databases. It governs how the Federal Government
gathers, shares, and protects Americans' personal information.
Despite dramatic technological change over the last four
decades, much of the Privacy Act remains stuck in the 1970s.
Many of the definitions in the Act are simply out of date and
do not make sense in the current data environment. As a result,
the Act is difficult to interpret and apply, and it provides
inconsistent protection to the massive amount of personal
information in the hands of the government. I want to highlight
a few specific concerns.
Earlier this year, the Supreme Court restricted Privacy Act
remedies. In Federal Aviation Administration v. Cooper, the
Social Security Administration violated the Privacy Act by
sharing the plaintiff's HIV status with other Federal agencies.
The Court concluded that he could not be compensated for
emotional distress, because Privacy Act damages are limited to
economic harm. By many experts' accounts, this decision
rendered the Act toothless, and scholars across the political
spectrum have called for Congress to amend the Privacy Act to
fix this decision.
Additionally, agencies frequently use private sector
databases for law enforcement and other purposes that affect
individuals' rights. This is not covered by Federal privacy
laws, which creates a loophole that allows agencies to avoid
privacy requirements. We should require privacy impact
assessments (PIA) on agencies' use of commercial sources of
Americans' private information. This would provide basic
transparency of the use of commercial databases so that
individuals have appropriate protections such as access,
notice, correction, and purpose limitations.
Strong Executive Branch leadership is also essential to
effectively enforcing the privacy protections we do now have.
Over time, Congress has statutorily required Chief Privacy
Officers (CPOs) in many agencies across the Federal Government,
and the Office of Management and Budget (OMB) mandated in 1999
that all agencies designate a senior privacy official to assume
responsibility for privacy policy. My Privacy Officer With
Enhanced Rights (POWER) Act--included in the Implementing
Recommendations of the 9/11 Commission Act of 2007--
strengthened the authorities of the Department of Homeland
Security (DHS) Chief Privacy Officer, and I would say with
positive results.
Despite OMB's mandate to oversee privacy policies
governmentwide, it has not named a chief privacy official since
the Clinton Administration. As a result, responsibility for
protecting privacy is fragmented and agencies' compliance with
privacy requirements is inconsistent.
Widespread agency data breaches, and inconsistent responses
when they occur, are symptoms of this problem. We all remember
the massive data breach at the Department of Veterans Affairs
in May 2006 where the personal information of more than 26
million veterans and active duty members of the military was
exposed. After that breach, OMB issued guidance requiring
agencies to strengthen safeguards for personal information and
implement data breach notification policies. But implementation
of the guidance has been uneven, and the number of Federal data
breaches has only grown.
Recently, a contractor to the Federal Retirement Thrift
Investment Board (FRTIB) was the subject of a cyber attack that
compromised the personal information of over 123,000
participants in the Thrift Savings Plan (TSP). This included 43
current and former Members of Congress. I was one of them. I
was concerned to learn that the Board had not followed the 2007
OMB guidance and did not have a data breach notification policy
in place when they learned of the breach. I am working with the
Government Accountability Office (GAO) to determine how many
other agencies have not followed this guidance and determine
whether there is sufficient oversight of agencies that have
complied.
This builds on the substantial work GAO has completed in
response to my nine previous requests on privacy and data
security. I have also worked closely with GAO in drafting my
Privacy Act Modernization for the Information Age Act, S. 1732,
which would make the OMB guidance mandatory for agencies and
fix many of the other cracks in the privacy and data security
foundation.
Promoting privacy and civil liberties has been a priority
during my tenure in the U.S. Senate, and I will continue
focusing on this issue until the end of the year. I hope my
colleagues will join me in two current efforts to address the
problems raised at this hearing: S. 1732 and my amendment to
the cybersecurity bill we are currently considering on the
floor. Protecting Americans' privacy is a bipartisan issue that
I hope my colleagues will continue to advance in the years to
come.
And so, I would like to call on my brother here for any
opening statement that he may have. Senator Johnson.
OPENING STATEMENT OF SENATOR JOHNSON
Senator Johnson. Thank you, Mr. Chairman, witnesses. I want
to thank you for taking time and not only being here today but
also for preparing your thoughtful testimony.
Aloha. Mr. Chairman, before I start, I am not quite sure
whether we are going to have another hearing. We may, but in
case we do not, I just want to say what a pleasure it has been
serving with you as your Ranking Member on the Subcommittee.
I mean, you are a kind, gentle, honorable soul; and for
somebody new to the Senate, this is a very nice start for me to
be able to serve with someone like you. So, it has really been
a pleasure. I just wanted to say that.
I want to thank you for having this hearing. I think this
is very timely. The full Senate now is taking up the
cybersecurity bill. One of the primary issues that we are
having to deal with is the privacy aspect, and all the effects
of cybersecurity, trying to maintain security within our
Internet network, certainly privacy is a real consideration
there. It is a serious issue. It is an important issue. It is
also highly complex.
Back in February I read a book review in the Wall Street
Journal on a book called Abundance by Peter Dimandis and Steven
Kotler, and just to put the issue in perspective how complex
this is, I just want to start reading the very beginning of
this book review.
It says, ``If every image made and every word written from
the earliest string of civilization to the year 2003 were
converted to digital information, the total would come to five
exabytes.''
We cannot even comprehend what an exabyte is. It is one
followed by 18 zeros. So again, everything from the dawn of
civilization to the year 2003, five exabytes. From the year
2003 to 2010, we were producing five exabytes of information
every 2 days. Next year the authors project that we will be
producing five exabytes of information every 10 minutes.
So, in the age of Facebook and Google where people are
voluntarily and willingly providing all kinds of information to
private companies, I think we really have to ask some very
serious questions.
With technology advancing at such a rapid rate, certainly
the types of questions I will be asking in this hearing are
going to be pretty basic. I am new here. I was not around in
1974 when the Privacy Act was, I was around but not here, when
it was enacted.
So, I am just going to be asking basic questions about what
was the purpose of that, what is the purpose moving forward,
how do we grapple with just this exponential growth in
information and the serious threat to our cyber networks of
attack from criminals, from foreign sources, and we need to
take a look at what the purpose, what the cost and benefit of
governmental actions, and is there potentially a better way.
So, that will kind of be the thrust of my questions. I am
really looking forward to the testimony. Again, it is very
timely and, Mr. Chairman, I again want to thank you for holding
the hearing.
Senator Akaka. Thank you very much, Senator Johnson.
Now, I would like to welcome our witnesses to the hearing
in the first panel. Ms. Mary Ellen Callahan, Chief Privacy
Officer, at the Department of Homeland Security.
I know today is your last day at DHS. So, I want to thank
you so much for your service and what you have brought to that
particular office of Chief Privacy Officer, and we have so much
to learn from you and your experiences that you have had thus
far.
I appreciate your outstanding leadership on privacy and
really wish you the best of luck in your future endeavors.
Thank you so much for your service.
Mr. Greg Long, Executive Director of the Federal Retirement
Thrift Investment Board, and Mr. Greg Wilshusen, Director,
Information Security Issues at the U.S. Government
Accountability Office.
As you know, it is the custom of the Subcommittee to swear
in all witnesses. So, will you please rise and raise your right
hand.
Do you solemnly swear that the testimony you are about to
give this Subcommittee is the truth, the whole truth, and
nothing but the truth so help you, God.
Ms. Callahan. I do.
Mr. Long. I do.
Mr. Wilshusen. I do.
Senator Akaka. Thank you.
Let it be noted in the record that the witnesses answered
in the affirmative.
Before we start, I want you to know that your full written
statement will be made a part of the record. I would also like
to remind you to please limit your oral remarks to about 5
minutes.
Ms. Callahan, will you please proceed with your statement.
TESTIMONY OF MARY ELLEN CALLAHAN,\1\ CHIEF PRIVACY OFFICER,
U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Callahan. Thank you very much, sir. Good morning,
Chairman Akaka, Ranking Member Johnson.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Callahan appears in the appendix
on page 38.
---------------------------------------------------------------------------
Thank you for the opportunity to appear before you today to
discuss my role as the Department of Homeland Security's Chief
Privacy Officer, the Privacy Act, and the collaborative
achievements of the Privacy Committee of the Federal Chief
Information Officers Council.
As you know, the Department of Homeland Security is the
first department in the Federal Government to have a
statutorily mandated privacy officer, and for that I am
eternally grateful. I have had the privilege of serving in that
role since March 2009. The Homeland Security Act and the POWER
Act grants the Chief Privacy Officer the primary responsibility
for ensuring that privacy considerations and protections are
comprehensively integrated into all DHS programs, policies, and
procedures.
I also ensure that personal information contained in
Privacy Act system of record is handled in full compliance with
fair information practices. Many of my authorities are similar
to those of Federal Chief Privacy Officers; but I am unique,
however, in that my statutory mandate includes the authority to
investigate department programs and operations.
During my tenure, I have led three major investigations of
significant non-compliance with departmental privacy policy.
Consistent with the office's unique position as both an adviser
and an oversight body for the Department's privacy sensitive
programs and systems, I recently approved the creation of a
privacy oversight group within the DHS privacy office.
In addition to conducting investigations, the privacy
oversight team has instituted a series of privacy compliance
reviews to improve a program's ability to comply with privacy
assurances.
One specific example of my office's privacy efforts is the
response to the OMB guidance on safeguarding personally
identifying information (PII). OMB guidance required agencies
to develop and implement a policy on breach notifications which
in DHS refers to as privacy incidents. In September 2007 and
then updated again in early 2012, the DHS privacy office
distributed its Privacy Incident Handling Guidance throughout
the Department to inform employees of their responsibilities to
safeguard PII. The guidance provides detailed information on
how to handle all stages of privacy incidents.
To ensure that staff are cognizant of PII protections, we
also recently updated our annual online training which is
mandatory for all DHS employees and contractors.
One of the topics of this hearing today is the Privacy Act
of 1974. The Privacy Act was passed in an era before electronic
communications and databases were the norms in Federal
agencies.
Nonetheless, many of the concepts embedded in the original
Act are flexible enough to permit similar records to be treated
consistently regardless of where they are located.
One method to address modern challenges of implementing the
Privacy Act is to share best practices among Federal privacy
officials. Formal council-level bodies exist for many Federal
chief officers. There is no formal council-level body that
exists for Chief Privacy Officers. I am, however, proud to
serve as the co-chair of the privacy committee of the Chief
Information Officer (CIO) Council. The privacy committee was
initially formed in response to the need to coordinate on
shared challenges such as information sharing and protection of
personally identifiable information.
Since its formal establishment in 2009, the committee has
successfully functioned as a consensus-based forum for the
development of privacy policy and protections throughout the
Federal Government and is thoroughly integrated into the
technology initiatives occurring within the Federal CIO
Council. It provides an important venue in which to share
experiences, training, innovative approaches, and best
practices. The committee has also led the development of
privacy standards and safeguards for emerging technologies such
as cloud computing and social media.
In addition, the privacy committee this year has gathered
the uniform resource locators (URLs) or the Web sites for all
the privacy impact assessments and system of records notices
for each of the 55 participating Federal agencies. That list of
privacy impact assessments and systems of records notice are
available on CIO.com. The achievements of the privacy committee
indicate the vital role it serves in promoting consistent
Federal privacy policy, and it has been an honor to serve as
one of the committee's co-chairs.
The men and women who serve in the privacy offices
throughout the Federal Government are really unsung heroes.
Located in various parts of organizational structures, they
strive every day to apply the spirit and the law of the Privacy
Act, the E-Gov Act and related privacy laws and policies.
It has been my pleasure to serve with these colleagues as
their co-chair for the last 3\1/2\ years. I want to acknowledge
all the hard work that they have performed throughout my
Federal service.
Going forward, I am confident the Department will continue
to embed privacy protections throughout its programs and
services. I am happy to answer any of your questions. Thank
you, sir.
Senator Akaka. Thank you very much, Ms. Callahan.
Mr. Long, will you please proceed with your statement.
TESTIMONY OF GREG LONG,\1\ EXECUTIVE DIRECTOR, FEDERAL
RETIREMENT THRIFT INVESTMENT BOARD
Mr. Long. Good morning, Chairman Akaka and Members of the
Subcommittee. My name is Greg Long and I am the Executive
Director of the Federal Retirement Thrift Investment Board. The
five members of the Board and I serve as fiduciaries of the
Thrift Saving Plan. As fiduciaries, the law directs that we act
solely in the interest of the TSP participants and
beneficiaries and exclusively for the purpose of providing them
with benefits. Because of this fiduciary duty, Congress
afforded the FRTIB significant independence. The FRTIB does not
receive appropriated funds for its operations. We are funded
through participant monies and our budget is not subject to
review or approval by Congress or the President.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Long appears in the appendix on
page 46.
---------------------------------------------------------------------------
The TSP maintains individual accounts for more than 4.5
million Federal and Postal, members of the uniformed services,
retirees, and spousal beneficiaries. As of June 30, the TSP
held approximately $313 billion in retirement savings.
I have been asked to discuss a number of issues, including
the cyber attack that resulted in the unauthorized access of
the personally identifiable information of roughly 123,000 TSP
participants and payees. In July 2011, a desktop computer used
by an employee of Serco, an agency contractor, was subjected to
a sophisticated cyber attack. Neither Serco nor the FRTIB was
aware of the attack at the time it occurred.
In April 2012, the Federal Bureau of Investigation (FBI)
notified Serco that the they had discovered data that appeared
to be stolen from Serco. Serco then notified us of the cyber
attack. At that time, it was unclear whether agency data had
been accessed.
On April 13, we determined that personally identifiable
information of TSP participants had been compromised. Within 1
hour, we notified U.S. Computer Emergency Readiness Team (U.S.
CERT).
The FRTIB and Serco then worked to analyze numerous files
to determine what data was accessed and which participants were
affected.
On May 20, an independent verification and validation
concluded that the various files that had been correctly
analyzed.
On May 25, 5 days after the validated list was produced, we
notified affected participants about the cyber attack. My
agency sent letters to each affected participant notifying them
of the cyber attack and offering them one year of free identity
theft consultation, restoration, and continuous credit
monitoring.
I would like to emphasize the fact that this cyber attack
was made on our contractor's network. Neither the FRTIB's
network nor the TSP participant Web site were affected.
As the fiduciary for a plan charged with protecting the
retirement savings, data security and privacy protection are
priorities for us. Over the past decade, the FRTIB has
undertaken a significant number of changes to its
infrastructure and established information technology (IT)
technical controls to improve our IT security posture.
In addition to those information technology improvements,
the FRTIB has successfully added new services for its
participants. Most recently in May, we rolled out the Roth TSP
option which allows for after-tax contributions to the TSP.
Many of these changes added significant complexity to the
plan. The need to implement these new funds and services, in
large part, mandated how we assigned our personnel and
allocated funding. For example, rolling out the Roth TSP
initiative was a 2-year project that required staffing from
every office within the Agency.
The FRTIB has security controls in place. Completing all of
the documentation and accreditation that is required in the
Federal Information Security Management Act (FISMA), however,
is an on-going area of focus for our Agency.
In September 2011, I approved an Enterprise Information
Security and Risk Management (EISRM) Directive. Last month, I
approved policies covering 18 families of management,
operational, and technical security controls.
To ensure that our privacy and data security policies are
appropriate, I have commissioned a ``Tiger Team'' to develop a
plan to improve the security posture of agency information
systems.
Mr. Chairman and Members of the Subcommittee, helping
people retire with dignity is what drives the employees of the
FRTIB. I deeply regret the cyber attack and the concern that it
has caused our participants.
I want to assure all of our participants that we will
continue to pursue all new avenues to ensure the safety and
security of their personal data and their retirement funds.
I would be pleased to take any questions.
Senator Akaka. Thank you very much, Mr. Long.
Now, we will have a statement of Mr. Wilshusen. Will you
please proceed.
TESTIMONY OF GREG C. WILSHUSEN,\1\ DIRECTOR, INFORMATION
SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Chairman Akaka, Ranking Member Johnson,
thank you for the opportunity to testify at today's hearing on
the State of Federal privacy and data security laws.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Wilshusen appears in the appendix
on page 52.
---------------------------------------------------------------------------
Two key laws, the Privacy Act and E-Government Act are
intended to protect the privacy of Americans personal
information and to specify measures that Federal agencies can
take to reduce the risk of data breaches.
The increasingly sophisticated ways in which personal
information is obtained and used by the Federal Government has
the potential to assist in performing critical functions such
as helping to detect and prevent terrorist threats and
enhancing online interactions with citizens. But, they can also
pose challenges in ensuring the protection of citizens privacy.
Today, I will describe the impact of recent technology
developments on key laws for privacy protection and actions
agencies can take to protect against and respond to data
breaches involving personal information.
But, first, if I may, Mr. Chairman, I would like to
recognize several colleagues of mine who were instrumental in
developing my statement and who work very well in this area.
Behind me is John de Ferrari and David Plocher; and also
Jeff Woodward, Lee McCracken, and Melina Asencio made
significant contributions to this effort.
Senator Akaka. Thank you.
Mr. Wilshusen. Mr. Chairman, technological advances since
the Privacy Act became law in 1974 have radically changed the
way information is organized and shared among organizations and
individuals.
Federal agencies use social media services, data mining,
electronic databases, and other technologies to collect, use,
and maintain personally identifiable information.
These advances have rendered some of the provisions of the
Privacy Act and E-Government Act inadequate to fully protect
all personal information collected, used, and maintained by the
Federal Government.
For example, we identified issues associated with applying
privacy protections consistently to all Federal collection and
use of personal information, limiting the collection and use of
this information to stated purposes, and establishing effective
mechanisms for informing the public about privacy protections.
Accordingly, we suggested that Congress consider amending
the Privacy Act and E-Government Act to address these issues.
Doing so could provide a number of benefits including: Ensuring
that privacy protections are applied consistently to all
Federal collection and use of personal information; providing a
proper balance between allowing government agencies to collect
and use such information and limiting that collection and use
to what is necessary and relevant; and providing individuals
with pertinent information about what personal data are to be
collected, how they are to be used, and the circumstances under
which they may be shared.
Mr. Chairman, as you know, much of the personal information
collected and maintained by Federal agencies is processed and
stored on computerized systems and networks. Yet, these systems
and networks often do not provide sufficient security
safeguards to protect this information.
To assist agencies in protecting information, we have
reported that they should assess the privacy implications of a
planned information system or data collections prior to
implementation; implement a robust information security
program; and limit the collection of personal information, the
time it is retained, and who has access to it.
Nevertheless, Federal systems remain vulnerable and data
breaches do occur. The number of security incidents reported by
Federal agencies involving personally identifiable information
has risen from about 13,000 in the year 2010 to over 15,500 in
2011, an increase of 19 percent.
Thus, it is important that proper response policies and
procedures be in place. Notifying individuals affected by data
breaches has clear benefits such as allowing people to take
steps to protect themselves from identity theft.
Such notification is consistent with agency's
responsibilities to inform individuals about how their
information is being accessed and used and it promotes
accountability for privacy protection.
In summary, Mr. Chairman, ensuring the privacy and security
of personal information collected by the Federal Government
remains a challenge, particularly in light of the increasing
dependence on networked computer systems that can store,
process, and transfer vast amounts of data.
Updating Federal laws and guidance to reflect current
practices for collecting and using personal information will be
key to meeting this challenge as is the need for agencies to
effectively implement data security controls and privacy
protections.
Without sufficient attention to these matters, American's
personal information will remain at risk.
Chairman Akaka, Ranking Member Johnson, this concludes my
statement. I will be happy to answer any questions.
Senator Akaka. Thank you very much for your statement.
Mr. Long, you testified that the Board did not have a
breach notification plan in place at the time of the cyber
attack because of insufficient resources.
The Board has also informed Committee staff that it does
not consider itself bound by the OMB guidance because the Board
is an independent entity and it decides on a case-by-case basis
which OMB guidance to follow.
Please discuss your view on whether the guidance applies to
the Board as well as whether you would expect any differences
in the Board's approach going forward.
Mr. Long. Senator, thank you very much.
The OMB guidance has been very useful through the data
breach event and the cyber attack. We did not have a breach
notification policy in place. We review every piece of OMB
guidance that comes to us, and we look at it to determine
whether there is anything within that guidance that conflicts
with my status and the Board status as a fiduciary. As a
fiduciary, we have to act solely in the interest of the
participants and beneficiaries.
In this case that guidance followed best practices. It was
the right thing to do. We reviewed it and it is one of the
items that we decided to get to.
However, and I regret that this happened but we did not
have the breach notification policy in place at the time that
the cyber attack occurred.
However, in responding to the cyber attack that guidance
was followed, and it was very useful in crafting our message
and determining the process that we eventually went through.
Senator Akaka. Thank you for that.
As you know, I have offered an amendment to the
cybersecurity bill we are debating on the floor to make breach
notification mandatory. I think it is really critical to make
certain agencies prioritize this before a breach occurs. We
hope that can be done in that way.
Mr. Wilshusen, in my view, agency privacy officers have
been critical to focusing attention and providing leadership on
privacy issues. I advocated the first statutory CPO at DHS and
I have been pleased that this position was expanded to other
agencies.
There have been several proposals over the years to create
a Chief Privacy Officer at OMB to manage privacy policy across
the government. What do you see as the potential benefits of
designating a CPO for the Federal Government as a whole?
Mr. Wilshusen. Well, first, I would say that it would
certainly raise the profile of privacy within the Federal
Government and the importance of implementing privacy
protections throughout the agencies.
In addition, the position could also provide advice to
others within the Executive Office (EO) of the President as
well as help coordinate privacy issues across Federal agencies,
even potentially helping to monitor the implementation of
privacy controls and privacy protections at the Federal
agencies and report on them appropriately.
Senator Akaka. Thank you.
This question is for Ms. Callahan and Mr. Wilshusen. As you
know, the recent STOCK Act requires, among other things, that
the financial disclosure forms of approximately 20,000 senior
Executive Branch employees be posted online, which will make
them available to anyone worldwide with Internet access.
I think government transparency is critical but publishing
employees' personal financial information on the Internet does
raise some concerns.
So, my question to both of you is: Do you feel this is an
unnecessary invasion of employee privacy?
Ms. Callahan. I guess I will go first.
Thank you, Mr. Chairman. The STOCK Act has required that
the financial disclosures that were required for a series of
individuals, both senior status as well as political
appointees, not only be available under a Freedom of
Information Act (FOIA) which it always has been but to be
available electronically online in a searchable fashion.
First, the privacy committee that I spoke about earlier
actually has been trying to figure out some governmentwide
guidance on how to address these issues and how to advise the
20 some thousand individuals whose information is impacted. We
have had a lot of informal conversations with ethics councils
and so on.
As a privacy advocate, I am concerned and I believe there
may be some privacy considerations in two fashions. One is the
potential of identity theft, and we talk about data breaches
and how to protect our information and how to preserve the
information.
The information that is provided on that form, even if all
of the Social Securities and other sensitive information has
been removed, still paints a very detailed picture of an
individual that would be available for somebody to look at and
to investigate.
So, not only is identity theft a possibility but theft in
general could be a possibility if you notice the types of
assets and the protections therein. I also worry about the
chilling effect that it could have on employees or potential
employees in the Federal service.
With that said, as the privacy officer with the privacy
committee, we have tried to put in as many protections and give
as much advice as we can in order to respond to this recent
requirement.
Senator Akaka. Thank you. Mr. Wilshusen.
Mr. Wilshusen. I would just say I also understand the need
to balance government transparency and how government
operations are conducted and by whom. But at the same time, the
information that is being posted is quite personal in nature.
So there are certainly privacy risks and those risks need to be
balanced, as has been decided against the need for open
transparency.
But GAO has not looked at this issue specifically so I
cannot really comment much beyond that.
Senator Akaka. Thank you very much and thanks for those
responses.
I also want to note that a number of influential homeland
security and intelligence community officials recently wrote to
Congress that this requirement will create significant national
security threats and could place certain Federal employees and
their families in harms way.
I think it is important to look closely at these issues and
make any changes that are needed to protect our national
security and employee safety.
Mr. Wilshusen and Ms. Callahan, I have been disappointed
that the Privacy and Civil Liberties Oversight Board (PCLOB)
has been dormant for so long.
Peter Swire, who will be testifying on the second panel,
has argued that the most important short-term action the Senate
can take on privacy is to confirm the five nominees for the
Board.
Do you agree with Mr. Swire's assessment? Mr. Wilshusen.
Mr. Wilshusen. I would say we have not looked at that
particular issue as part of my work so I cannot comment.
Ms. Callahan. As the Chief Privacy Officer at the
Department of Homeland Security, the statute requires that we
work with the PCLOB; and at DHS and throughout the Federal
Government, the Chief Privacy Officers are very much looking
forward to working with the Board once it is confirmed.
Senator Akaka. Thank you very much.
Senator Johnson, your questions.
Senator Johnson. Thank you, Mr. Chairman.
First of all, Ms. Callahan, I also want to thank you for
your service and certainly wish you well in your next endeavor.
As the co-chair of the privacy committee, let us just kind of
start out. I would like to get your assessment of the range of
privacy practices and controls throughout the different
agencies.
Can you just kind of comment on that?
Ms. Callahan. Certainly, sir. Thank you very much.
As noted in my oral testimony, there are privacy officers
throughout the Federal Government. They are in different places
throughout the Federal Government logistically,
organizationally within the Departments.
I have been very fortunate to report directly to the
Secretary thanks to the Homeland Security Act, and I think that
has inured not only to my benefit but to the Department's
benefit.
Federal Chief Privacy Officers are in different places
reporting to different positions, whether it be the general
counsel, the chief information officer, the chief financial
officer; and I worry that consistency and organizational
structure may lead to more inefficiencies in terms of trying to
address privacy considerations.
With that said, the work of the privacy committee and the
work of these individuals is really yeoman's work in that they
are working every day to integrate the privacy elements. It
just depends on where they are in the organizational structure
they have more success or less.
Senator Johnson. Would you say the range in terms of
uniformity of privacy standards is primarily related to what? I
mean, would you say how high profile the privacy officer is in
relationship to the Secretary or are there other factors at
play?
Ms. Callahan. I think that is a factor. I think that the
culture of the agency or Department may also be a factor. There
also may be a factor in the sense that if they had a privacy
consideration or a problem before that may have heightened the
privacy considerations.
The chairman mentioned the Veterans' Affairs Committee and
the Veterans' Affairs Committee CIO is actually one of my co-
chairs on the privacy committee to kind of have that nexus
between technology and privacy.
Senator Johnson. Do you think that probably the best way of
getting uniformity is really through the privacy committee
then? Is that working well? Do you have any other suggestions
on that?
Ms. Callahan. I certainly think that has helped a lot and
that has helped leverage best practices, also to leverage
resources. DHS is the most well-resourced privacy office and
again thank you for that.
To go and use our work to try to go across the less funded
agencies, as I said, we have 55 members who are participating
including, obviously, independent agencies, and I think that
has been very useful.
The attention that privacy gets, including this hearing, I
think will be very beneficial.
Senator Johnson. This might be kind of a hard question but
can you name the top two or three agencies in terms of privacy
compliance and maybe name two or three that really give you
concern or not, probably not?
Ms. Callahan. Well, the No. 1 is obviously the Department
of Homeland Security. [Laughter.]
Beyond that, it probably does not behoove me even on my
last day to comment.
Senator Johnson. Maybe privately you can give it to us.
Ms. Callahan. I would be happy to, sir.
Senator Johnson. Mr. Long, can you give me some sense of
your evaluation of how good these standards are for cyber
protection, let us say, in your agency and maybe even
generalize it throughout the Federal Government in comparison
to the private sector?
Mr. Long. I can comment certainly on our agency. One of the
actions that we have been very busy with over the past decade
has been to focus on IT improvements and architecture and
technical controls.
So, we undertook a significant modernization effort in
terms of hardening our server environment. We made sure that we
had protection built into our new capabilities--that has been a
big focus on what we do going forward.
That said, we certainly have to focus on the FISMA
documentation that is required. Even with all of this, we know
that there are sophisticated attackers out there. We have been
a victim. Our contractor was the victim and we felt the effects
of that attack.
So, we need to go back and re-double our efforts and that
is exactly one of the efforts that we are going through right
now. We have felt that we have focused on IT security but this
is a wake-up call and we are going to look at it and look at it
closely.
Senator Johnson. Who do you rely on in terms of advising
and trying to set up your IT security?
Mr. Long. We have internally our chief technology officer.
We will focus on the chief technology person as well as the
chief information security officer that reports to the head of
technology.
We recently established an office that reports directly to
me for enterprise risk management. In addition, we will reach
out to the third-party providers of services and now we are
actually reaching out to DHS to figure out whether we can learn
things from different councils and then through other
government bodies.
Senator Johnson. Are you finding DHS to be very helpful
from that standpoint? I mean, is that a really good core group
to go to or would you be better off going to potentially other
agencies that may have, I mean, do you have a clue in terms of
which agencies are hardened in terms of cybersecurity? Which
ones lead the way?
Mr. Long. In terms of our outreach to DHS prior to this
event and to other agencies, it was limited. We certainly
participated on the small agency counsel. We participated on
multiple groups, the chief information security council.
So, we would rely on small government groups on an ad hoc
basis. Now, as reaction to a cyber attack on our vendors
network, we are now trying to figure out how we can formalize
that better, whether it is through DHS or other groups within
the government.
And then second, in forming a team to look at these issues,
to figure out whether we need to go to third-party, private
institutions to assist us with remediation and best practices
on technology.
Senator Johnson. OK. Thank you. I am almost out of time.
Are we going to do a second round?
Senator Akaka. Yes.
Senator Johnson. OK. I will wait.
Senator Akaka. Thank you very much, Senator Johnson.
Ms. Callahan, I am interested in hearing more about your
experience as the only Chief Privacy Officer with the
strengthened investigative authorities granted by the 9-11
Commission Act of 2007.
In my view, extending these authorities to DHS was
critical, given the Department's broad homeland security
authorities, but I believe these investigative powers also
could provide an important check against abuses in other
agencies.
So, my question has two parts. Will you please elaborate on
how your work has benefited from these authorities and also
discuss whether you believe they should be extended to Chief
Privacy Officers across the government?
Ms. Callahan. Thank you, sir.
My investigatory authority has benefited my position in the
Department quite a lot. As I mentioned earlier, the
investigatory authority kind of helps me have the life cycle of
privacy compliance in terms of how we announce what we are
going to do beforehand, how we go and have the privacy
compliance reviewed to make sure that our assurances are,
indeed, consistent with what we have done, and if we have had a
deviation, that we have the ability to have the investigation
to go and look at what went wrong and how we can help
ameliorate it and mitigate it for the entire Department.
I have had three major investigations of Department
noncompliance with privacy policy. In each of those, it was not
just a data breach, although a data breach was involved in at
least one of them.
But, it was more of a systemic circumstance where the
Department as a whole could learn from it, and I will use as an
example, my first investigation was actually of the Inspector
General (IG) which I took a slight bit of glee about.
But what had happened was the Inspector General using
financial information for their financial audits that are
required, their contractor used an unencrypted Universal Serial
Bus (USB) drive and passed it among each other because the DHS
system was too hard to use and to utilize. So, they had it as
kind of the team USB drive. That had information from the U.S.
Immigration and Customs Enforcement (ICE), the United States
Citizenship and Immigration Services (USCIS), the Customs and
Border Protection (CBP) and other components on it because it
was part of the financial concerns.
The USB drive was lost; and so, the Inspector General,
consistent with his authority, did the fact-finding of what
happened and kind of the facts associated therein.
I then applied a privacy analysis to the circumstances, to
the noncompliance with DHS policy and also looked at avenues
and ways for recommendations for the entire Department to
ameliorate both the contractor use of DHS information but also
when people hold other component information, what is the data
breach process, what is the notification process, and the
mitigation process. And, I think that was a successful example
of using my investigatory authority to help further the goals
of the Department.
Relatedly, I had an investigation associated with social
media use which has then resulted in the management directive
on the operational use of social media for the entire
Department.
And, I think that those are good examples. Investigations
are a significant resource drain but at the same time they
really help to shape the direction of the Department, and I
think that my office and the Department and its maturation in
privacy policy has benefited extraordinarily from that process.
Senator Akaka. Thank you.
Mr. Long, you testified that Serco, a contractor that
assists TSP with recordkeeping was the subject of the cyber
attack that we are discussing today.
How do you intend to work with current and future
contractors to ensure that TSP personal information is properly
secured?
Mr. Long. Senator, thank you.
The contract in question, the one with Serco, is actually
currently in the process of being designed for rebid. So, we
have put out a public announcement a couple of months ago. We
are in the process of designing the procurement action. We
anticipate rolling that out on the street by the end of this
calendar year and then awarding it the next fiscal year.
That contract, I can assure you, will have very stringent
IT security restrictions built into it.
Senator Akaka. Further, do you think Serco will continue to
provide recordkeeping services for TSP in the future?
Mr. Long. I anticipate that it will be a full and open
competition. We are seeking robust competition from all
parties.
Senator Akaka. Yes.
Mr. Long, you testified that TSP has an extraordinary
record retention burden. I agree that some data breaches could
be prevented by limiting the time agencies retain personal
information.
Will you please elaborate further on your recommendation?
Mr. Long. Yes. One of the comments that I think you see
going through the testimony is a recommendation on limiting the
time that personally identifiable information is retained and
that relates to one of the recommendations that we made in that
currently the statute that governs what we do at FRTIB does not
contain a statute of limitations for judicial review of a claim
for benefits brought by a TSP participant or beneficiary.
This is an indefinite exposure to potential litigation for
an unlimited period of time even after a participant takes all
their accounts and is gone for years.
Therefore, we have advocated for a statute of limitations
that would limit the amount of time the benefits claim is open,
therefore, limiting the amount of time we would have to retain
personally identifiable information. A 5-year statute of
limitations is what we recommend and that is typically longer
than what is generally seen within other Employee Retirement
Income Security Act (ERISA), 401(k) plan type designs.
Senator Akaka. Thank you.
My last question. Mr. Wilshusen, you testified that the
Privacy Act is ineffective in informing the public about
privacy practices and policies.
For example, system of records notices published in the
Federal Register often are difficult to find and to understand.
Will you please elaborate on why establishing a centralized
Federal Government privacy Web site as proposed in my bill, S.
1732, will help address this concern?
Mr. Wilshusen. Well, I think because it will provide a
central location and one that is readily accessible. If it is
on a Web site that users and the public can access in order to
find information about the Systems of Records Notices (SORNs)
or PIAs as well as other privacy protections that are available
to information that is collected and used by the Federal
Government that will be certainly helpful in meeting the
openness principle as well as the notification of government
activities for the public.
Senator Akaka. Thank you very much. Senator Johnson.
Senator Johnson. Thank you, Mr. Chairman.
Mr. Wilshusen, you testified about the concept of limiting
the information the Federal Government obtains and basically
limiting the time that it is kept.
Can you elaborate on that point?
Mr. Wilshusen. Well, certainly. If Federal agencies are
collecting personally identifiable information for a stated
purpose, once that purpose has been achieved, if they continue
to retain that information indefinitely for no other particular
use, then potentially if appropriate security controls are not
placed over that information, it could be subject to risk of
unauthorized disclosure to someone who might be able to break
into their systems or gain access to that information.
So, the principle is just for as long as you need the
information, keep it, protect it. Once that need no longer
exists, then get rid of it, delete it, subject to Federal
records retention schedules.
Senator Johnson. Does any agency in the Federal Government
employ that practice right now?
Mr. Wilshusen. I think probably in certain circumstances
they might. I know, for example, that OMB had a requirement, in
terms of safeguarding personally identifiable information, that
if personal information is placed on agency laptop computers
which are then taken out of the building and the agency
determines that it no longer needs that information on those
laptops, then it needs to delete it within 30 days.
To the extent that is being implemented and followed is
something we have not expressly examined to date.
Senator Johnson. Ms. Callahan, picking up on that same
point, in your privacy committee is this something that is
being discussed.
Ms. Callahan. In the privacy committee, we are not
discussing necessarily retention periods. We are having that
conversation more intra-department in terms of looking at how
long we retain information and what is the nexus between the
different data retention periods and how do they impact both
our mission but also the other information that is collected.
Mr. Wilshusen mentioned if there is an extract of
information and put on a laptop or a USB drive, hopefully an
encrypted one, we do have requirements associated with that.
But, that is just an extract of the information. The
database at large, we are governed by the data retention
periods. We do look at them every time the Department of
Homeland Security does the statutorily required biennial review
of SORNs to make sure the retention period should remain, and
we do consider those issues as we renew the SORNs.
Senator Johnson. Are there within agencies, though, are
there actually processes for deleting information?
Ms. Callahan. Oh, I am sorry. There are processes for
deleting information before the period, before the retention
period is up.
Officials are often reticent to do that for two reasons.
One because they already have an approved retention period from
the National Archives and you do not want to go counter to
that.
The second, there is also the question about whether or not
it affects operations if you delete information on a more
subjective standard as Mr. Wilshusen had argued. That is a
discussion within the privacy community a lot in terms of what
is the proper retention period. As I said, within the
Department we have those conversations frequently.
Senator Johnson. You just used a word that I want to try
and pick up and question you about. Counter. How many different
rules, regulations, laws in the Federal Government run counter
to each other when it comes to privacy?
I realize that is a really large question. But, do you have
a relatively succinct answer for that or can you hit on that?
Ms. Callahan. I think the tension is that the goal of the
privacy officer is to support the missions and to support
privacy, and retention is one element of that. I think all of
the fair information practice principles are ones that you have
to analyze.
And so, I think that, if you look at statutes throughout
the government, the Privacy Act, 40 years old, has some
elements that may be logically inconsistent with some of the
other more recent statutes. Yes.
Senator Johnson. Let us go to the other elements that Mr.
Wilshusen had talked about in terms of limiting the
information. Is there any kind of robust effort, or any effort,
ongoing in any agency about really taking a look at what
information is really required so we do not ask for more than
we really need?
Ms. Callahan. I can answer that question for the Department
of Homeland Security which is, yes, we are looking into ways to
not collect the same information over and over from the same
people if we do not have to.
One of the things that surprised me when I came to the
Department was how we had a lot of the same information in 47
or however many different databases and the databases were not
necessarily federated or integrated with each other. That could
have privacy risks in and of itself because you have different
people logging on. You may not have auditing accountability.
We are working within the Department to find an
infrastructure that will allow us to be more efficient, more
effective, maybe collect less information from the public, and
I think that they may all cheer for that, but also to have a
system that has more privacy controls and more privacy
protections in terms of a way to have the databases interact.
So, we are thinking about it in the fledgling stages but
that is definitely something that I think the Department is
going to move forward with.
Senator Johnson. Mr. Wilshusen, we are debating a
cybersecurity bill which, depending upon how it all turns out,
might impose certain requirements, regulations on the private
sector.
I just kind of want to get your feel in terms of the
government's ability to meet those same types of standards. I
realize that is very difficult to answer because we really do
not know what those standards might be.
But can you just in general speak to the level of technical
competency within most agencies, how broad that technical
competency is versus the private sector?
Mr. Wilshusen. I would be glad to. We do quite a bit of
work examining the information security controls at Federal
agencies, and we look at it from different levels. One, across
the Federal Government in terms of how agencies are reporting
the implementation of the various different controls as part of
the FISMA reporting process.
As part of GAO's responsibility to audit the government
consolidated financial statements, we work with the agency's
IGs to assess the effectiveness of their controls in protecting
information security controls over the financial information.
Then, we do other tests of agency's information security
controls as requested by Members of Congress. We have been
reporting that Federal information security has been a high
risk area, a governmentwide high risk area since 1997.
Just most recently, the work that we have done and in
reviewing the work also of the IGs, the majority of the 24
major CFO Act agencies have weaknesses in most of the
information security controls that we review.
And, these would include access controls or those controls
are designed to restrict, limit, and detect unauthorized access
to resources as well as other security management programs and
their procedures for managing the configurations of their
devices.
By and large most of those agencies have weaknesses in
those areas.
Senator Johnson. Just one quick followup.
Can you access or make an evaluation in terms of the
competency between the Federal Government and those agencies in
the private sector? Because you are going to see the weaknesses
in the private sector as well.
Mr. Wilshusen. In the few instances where we have examined
the security controls at private sector organizations that are
performing services for the Federal Government, we have found
the same types of security weaknesses in those systems as we do
in the Federal systems.
Senator Johnson. OK. Thank you very much.
Senator Akaka. Thank you very much, Senator Johnson.
I want to thank our first panel very much for your
responses, your statements, and your valuable offering here. I
would like to wish you well in your work and hope we can
continue to work together on privacy and security issues as
well.
So, thank you very much for being here.
I would ask that our second panel come forward. I want to
welcome our second panel.
Mr. Peter Swire, C. William O'Neill Professor of Law at
Ohio State University. Mr. Swire had a previous engagement in
Seattle, Washington, he will be testifying by teleconference
this morning.
Mr. Chris Calabrese, Legislative Counsel at the American
Civil Liberties Union (ACLU). And, Mr. Paul Rosenzweig, who is
a visiting fellow at the Heritage Foundation. Thank you all so
much for being here.
As you know, it is the custom of this Subcommittee to swear
in all witnesses. So, will you please rise and raise your right
hand.
Do you swear that the testimony you are about to give this
Subcommittee is the truth, the whole truth, and nothing but the
truth so help you, God?
Mr. Swire. I do.
Mr. Calabrese. I do.
Mr. Rosenzweig. I do.
Senator Akaka. Thank you very much all of you.
Let it be noted for the record that the witnesses have
answered in the affirmative.
Before we start, I want to remind you that your full
written statements will be a part of the record. We ask you to
please limit your oral remarks to 5 minutes.
Mr. Swire, please proceed with your statement.
TESTIMONY OF PETER SWIRE,\1\ C. WILLIAM O'NEILL PROFESSOR OF
LAW AT OHIO STATE UNIVERSITY
Mr. Swire. Mr. Chairman, and Ranking Member Johnson, thank
you for asking me to testify here today for this hearing on
Federal privacy, and thank you also letting me testify
remotely. I was unable to be in Washington today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Swire appears in the appendix on
page 69.
---------------------------------------------------------------------------
I would like to congratulate Mary Ellen Callahan for her
service at DHS and the leadership she has shown to the Federal
agency privacy community over time.
In this testimony, there are a lot of issues we could talk
about. I am going to briefly talk about four issues.
Chairman Akaka, as you said, I think that the Senate should
promptly confirm the five nominees for the Federal Privacy and
Civil Liberties Oversight Board. This is the most important
short-term action the Senate can take on privacy.
With the cybersecurity legislation, we are going to have
potentially a lot more information sharing and the PCLOB is the
way to have the oversight to go with that. All five nominees
for the PCLOB have been voted out of the Judiciary Committee
and all five have been supported by the 9/11 commission
cochairs, Kean and Hamilton.
There were some dissenting votes in the Committee for the
proposed chairman, David Medine. He is an outstanding nominee.
He was a senior civil servant at the Federal Trade Commission
(FTC) on privacy for many years. He has done work at the law
firm of WilmerHale with compliance. He really has a workable
realistic sense of things.
It is important to confirm the chairman as a part of the
slate because only the chairman can hire staff by statute. So,
unless we confirm the full slate, we will not have an oversight
Board.
The second topic I am going to discuss is the idea of
having a Federal Chief Privacy Officer. Senator Akaka in S.
1732 would create this by statute.
I had a role similar to that when I was chief counselor for
privacy in the Office of Management and Budget under President
Clinton and that has not been repeated as a position.
I think such a position has three advantages. It can
coordinate across agencies, and new issues come up all the time
as we were hearing. Here is one example. Drones is an issue
that hits the Federal Aviation Administration (FAA) but up
until now drones have not had to deal with privacy; but if they
come through out the U.S. airspace, we have new privacy issues
and we should have a sort of coordinated Federal response to
the privacy issues there.
Second, a Federal Chief Privacy Officer could help with
clearance across agencies so we have coordinated policy. And
third, increasingly there are international issues, transborder
issues for privacy, and so having that work correctly overseas
is, I think, very important.
In doing this, I think it helps to have a statute. We have
seen the DHS have the outstanding agency privacy activities in
large part because your Committee put that into the statute and
has supported the position that Mary Allen Callahan has been
in. And I think that without a statute, it is easy for OMB not
to move forward and really create the office.
My testimony suggests that the Chief Privacy Officer might
take the lead on nonclassified information systems whereas the
PCLOB perhaps would take the lead on oversight for classified
information systems.
So, the third point I would like to get to is some
loopholes in the Privacy Act as written. And, the proposed S.
1732 correctly recognizes there is a loophole in the Privacy
Act for the definition of system of records.
The current definition applies only to records that are
retrieved by name; but with modern search engines, we often
retrieve things in lots of other ways and then turned up the
names.
So, the proposed amendment would close the loophole and it
would have the effect of requiring a much greater number of
system of record notices for Federal agencies.
In my view having more of these SORNs, would create
compliance burdens for agencies but not necessarily give us the
biggest pay off in terms of privacy.
So, my testimony suggests a more promising approach might
be to improve the privacy impact assessments under the E-Gov
Act. For instance, we could post these PIAs to a unified Web
site. We could have public comments on the PIAs, and agencies
could be required to respond to these public comments and I
think this might be a more effective way to put attention on
the most important privacy related systems.
The fourth in my four points is that the oversight process
for this Committee could focus more attention on the line
between what is identified and de-identified data in Federal
agencies.
De-identification is a way where we can get uses from the
data. We can look for patterns and all of that but still have
privacy protection. Recently, the Federal Trade Commission has
proposed a promising approach for de-identifying data for the
private sector.
I think we can learn from that initiative, and also I will
be working with the future privacy forum this year on a project
on how to do de-identified data better.
So, in conclusion, I thank the Committee for the service of
drawing attention back to these issues of Federal agency
privacy policies and I look forward to trying to help with any
questions. Thank you.
Senator Akaka. Thank you very much, Mr. Swire.
Mr. Calabrese, would you please proceed with your
statement.
TESTIMONY OF CHRISTOPHER R. CALABRESE,\1\ LEGISLATIVE COUNSEL,
AMERICAN CIVIL LIBERTIES UNION
Mr. Calabrese. Good afternoon, Chairman Akaka, Ranking
Member Johnson. Thank you for the opportunity to testify on
behalf of the American Civil Liberties Union on the Privacy
Act, a landmark statute that now requires a major update from
Congress.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Calabrese appears in the appendix
on page 84.
---------------------------------------------------------------------------
The Privacy Act lays out citizens rights and Federal agency
responsibilities for the handling of personal information. The
Act controls when records can be collected and how they can be
disclosed, provides notice and mandates agencies keep secure,
accurate, and accessible records.
But, the Act has always had some major loopholes and has
become even more outdated over time. Agencies often sidestep
access, accuracy, and relevance requirements by taking the many
permissible exceptions under the Privacy Act. They also avoid
the Privacy Act's prohibitions on disclosure by labeling any
and all sharing as routine.
Additionally, the Act only protects systems of records when
an agency retrieves information about a specific individual or
information tied to that individual. Hence, it does not apply
to techniques such as data mining which use pattern-based
searches not tied to an individual.
Finally, the Federal Government often uses commercial
databases which frequently contain incorrect information and
are outside the protections of the Privacy Act.
Major steps toward fixing these problems can be found in
Senator Akaka's legislation.
As we have heard, agency notice when personal information
is lost or stalled in is a serious and ongoing problem. The
ACLU believes that existing OMB guidance is inadequate. It
gives far too much discretion to individual agencies as to
whether to disclose these embarrassing breaches.
The Supreme Court has also weakened the remedies under the
Act. In a case called FAA v. Cooper, decided in March, the
court held that when an agency disclosed an individual's HIV
status, he could not recover damages for mental or emotional
distress the matter how severe because he did not suffer
financial harm as a result of the violation.
This decision is particularly harmful because the damage
from privacy disclosures is often an embarrassment, anxiety,
and emotional distress, precisely what the court forecloses.
Finally, despite improvements from some agencies, oversight
remains inadequate. This reality is as we have heard troubled
times already embodied by the PCLOB, which is tasked with
monitoring agency information sharing practices related to
terrorism.
As we have heard, it existed in its current form since 2007
but a full slate of nominees was not put forward by either
President Bush or President Obama until late last year and the
Board is still vacant.
Significant misuse of personal information has resulted
from these erosions of Federal privacy protections. The most
recent example of this trend is the sweeping changes the
National Counterterrorism Center (NCTC), made to its guidelines
on the collection and use of information about U.S. persons not
suspected of wrongdoing.
Previously, NCTC discarded information on U.S. persons not
connected to terrorism within 180 days. However, under its new
guidelines, NCTC keeps this information for up to 5 years.
This collection may be happening as a so-called routine use
under the Privacy Act. This change, along with others affecting
how NCTC analyzes and shares information, now allows the agency
to perform searches on people with no connection to terrorism
and shares the results for a wide variety of purposes with
almost anyone.
By fully exploiting loopholes in the Privacy Act, NCTC can
turn the vast power of the U.S. intelligence community on
innocent Americans. Using personal information for different
purposes, and sharing it broadly are precisely the type of harm
the Privacy Act was enacted to prevent.
The Federal Government collects an enormous amount of
personal information so people can receive benefits and
services, exercise fundamental rights like voting or
petitioning the government, getting licenses for everything
from purchasing a handgun to businesses and industry, for
employment, education, and for many types of health care.
This information collection is nearly ubiquitous in
American life. None of this would have been a surprise in 1974.
According to the congressional findings from the Privacy Act,
the use of information technology can greatly magnify the harm
to the individual; and so, in order to protect privacy, it is
necessary and proper for the Congress to regulate the
collection, maintenance, use, and dissemination of information
by such agencies.
Congress must once again take up that duty and protect
personal information on all of us by updating the Privacy Act.
Thank you.
Senator Akaka. Thank you very much Mr. Calabrese for your
statements.
Mr. Rosenzweig, please proceed with your statement.
TESTIMONY OF PAUL ROSENZWEIG,\1\ VISITING FELLOW, HERITAGE
FOUNDATION
Mr. Rosenzweig. Thank you very much, Mr. Chairman, Senator
Johnson. I appreciate the opportunity to be with you today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Rosenzweig appears in the
appendix on page 99.
---------------------------------------------------------------------------
I take a very different perspective, I think, on the
Privacy Act. I think I share the view of almost everybody who
has spoken that the Privacy Act is outdated. Any act that was
passed at a time when the personal computer did not exist
cannot hope to match the current technological structures we
have.
Where I think I differ is in thinking that we can fiddle
around at the edges with modifications and extensions of older
conceptions. To my mind, the technological revolution is so
great that it is really time for a wholesale
reconceptualization of what the Privacy Act is and how we deal
with privacy.
We stand at the cusp of a technological revolution, indeed,
not at the cusp but in the midst of it. We are not just doing
exabytes but yottabyte and zettabytes of data every day, all of
it in unstructured formats, but that is being matched by
massive increases both in processing capacity and data storage
capacity that allow people to make sense of this data in new
and different ways.
The new sense making that we are doing is of great value.
It is of value commercially to people who want to sell things;
but as relevant to this Committee, it is of value to the
government. It is of value to the government in
counterterrorism and in law enforcement.
It brings with it acknowledgedly the threat that it may
also be put to purposes which we would not want the government
to do, things like targeting people because of their political
beliefs or something like that but we can no longer maintain
the artificial categories of use distinctions, purpose
distinctions, data retention rules that are being destroyed
essentially by the technological changes that are happening
around us.
We retained data in the NCTC for an increased amount of
time not because we want to target America's political beliefs
but because we have come to learn that we cannot predict today
how much value there will be in this information 5 years from
now and what particular pieces of information will be of value
to, say, a new terrorist investigation.
We have seen in counterterrorism investigations, at least
when I was in the Department 5 years ago, data searches that go
back 8, 10, 12 years. This is the type of reality that we must
deal with while at the same time recognizing that there is the
threat of misuse.
To my mind, the best way to ensure the privacy of citizens
in America today, the reasonable privacy of citizens, is to no
longer tie our conceptions to older technological constructs of
word searches by name or by date.
Rather, we should focus instead on use and purpose
limitations that are inconsistent with those current
capabilities and the threat environment.
We should better focus the privacy rules on what I think
are, and I will admit this, much more difficult questions of
defining what is and is not an appropriate consequence that can
be imposed from the use of data, that is, structuring when we
can take that data and impose an adverse consequence on an
American citizen.
That requires a much finer degree of analysis at the back
end rather than categorical imperatives at the front end: use
only for this purpose, keep only for this long, when you
cannot, in any way, define those in advance with any degree of
clarity.
To my mind, while many of the improvements that are
proposed for the Privacy Act will certainly work marginal
increases in the benefits that we would gain to privacy in the
system, in the end they are going to be overtaken by technology
and we will wind up, if we do not take this task on, with a
government use of data analytics and a privacy rule that
restricts us to a locked-in technology that is where we are
today while both the commercial sector in America, and more
important from my perspective, our peer competitors outside of
the United States rush ahead with technological advancements
that we have denied ourselves because of fears of technology.
That does not suggest that we cannot ignore the possibility
of misuse. Indeed, as my testimony suggests, I think that
enhanced oversight and audit are the key ways to go forward in
doing that; but categorical rules are, in my judgment, a
straight jacket and should be eschewed.
With that, I look forward to answering your questions.
Thank you.
Senator Akaka. Thank you very much for your statement, Mr.
Rosenzweig.
Mr. Swire, you testified forcefully about OMB's leadership
void in Federal privacy policy and the need for a Federal Chief
Privacy Officer to spearhead the interagency clearance process
and represent the Administration on international privacy
matters.
Why, in your view, has OMB not taken on a stronger
leadership role in privacy and what steps should OMB be taking?
Mr. Swire. So, Senator, I would say that one thing I did
see when I was in OMB is that the headcount in the Executive
Office of the President is closely guarded. There is a very
strict limit on how many people can be employed within OMB.
And so, when they are making choices about working on the
Federal budget and doing all of the management tasks that they
are doing, they are very cautious about adding staff.
At the peak of my time there, I had myself, two full-time
people, and a detailee, and that was with a lot of work to get
up to the staff at that level.
I think what we see, and this is what happened with Howard
Schmidt in the cybersecurity czar position is that there needs
to be a way where OMB and the Executive Office of the President
work with the agencies to provide more staffing.
That is just a lot of work to set up and I really do think
that having a pretty good nudge from Congress will help put
that in place; and without it, it just seems like a large
challenge that is hard for them to put together
bureaucratically.
Senator Akaka. Thank you.
Mr. Calabrese, you testified that the Privacy Act does not
extend to the Federal Government's use of commercial databases.
Some of these databases may have a high level of inaccuracies.
Even though their use may affect Americans' rights, there is no
notice about their use and no process for individuals to
correct their records.
Will you please elaborate on this problem and how we could
achieve better transparency of the Federal Government's use of
commercial databases?
Mr. Calabrese. Thank you, Senator Akaka.
Well, of course, the first answer is we could adopt your
amendment as part of the cybersecurity bill. It has in it a
provision that says that commercial databases will be required
to comply with the E-Government Act which is, of course, a
close companion to the Privacy Act which requires agencies to
disclose how they are using databases, where the information
comes from, the sources of it, and that is a very important
transparency tool.
Right now, we really do not have a feel even for how
agencies are accessing these records, where they are coming
from, what they are relying on. Many of these databases started
as marketing databases.
So, if you were compiling a database to sell magazine
subscriptions, 80 percent accuracy or 90 percent accuracy was
great. If you got a few wrong, it was just a few wrong
subscriptions. Obviously, that same standard cannot apply when
agencies are performing vital functions.
So, I think we start with the transparency provision. We
learn where this information is coming from, what they are
using with it, then we can begin to figure out how it should be
properly regulated.
Senator Akaka. Thank you, Mr. Calabrese.
Mr. Rosenzweig, the Supreme Court's ruling in FAA v. Cooper
earlier this year restricted Privacy Act remedies; and by many
experts' accounts, rendered the Act, as I mentioned, in my
statement, toothless.
Experts including Jim Harper at Cato have urged Congress to
amend the Privacy Act so it is clear that individuals are
compensated for proven mental and emotional distress.
Do you agree that we should amend the Privacy Act to
restore these remedies?
Mr. Rosenzweig. Senator, I think that the much superior way
of ensuring Federal compliance with the Privacy Act is through
the mechanisms that we established, the privacy officers in the
various communities, the oversight of Inspectors General of
this Committee.
Those deal much more effectively, in my judgment, with
systematic errors. The oversight you had today of the thrift
board is a perfectly good example.
To my mind, in general, the private litigation system is a
less efficient and effective way of creating systematic change.
That is not to say that I disagree that most of the privacy
harm is psychic in nature because most of privacy is about our
own senses of personal value, shame, whatever it is that you
are protecting rather than economic harm.
But at the same time, I think that enhancing litigation
over individual Privacy Act violations would actually be a
diversion of resources from a much more effective and
systematic way of addressing the real privacy failures that do
happen in the government that should be addressed through
privacy officers, Inspectors General, the PCLOB if it ever gets
started, this Committee, that sort of thing.
Senator Akaka. Thank you.
After that answer, let me ask Mr. Swire and Mr. Calabrese
whether you can reflect on this or what do you think about
this? Mr. Swire.
Mr. Swire. On the Privacy Act damages question, I would
support putting back in place the way I thought the law was
before. I think that the interpretation by the courts was more
narrow than was intended by the Privacy Act. I think emotional
harms that are proven to a jury, or to a judge are real harms
here and we should put that back in the law.
Senator Akaka. Thank you.
Mr. Calabrese. And I would simply note that I do not think
this is a diversion of resources but a supplement of resources.
We already have oversight by Federal agencies and I agree that
is appropriately systematic and necessary; but individuals are
still harmed by these disclosures, and the harm goes far beyond
the economic arm.
As such, it should be recognized. Individuals should be
compensated. The Federal agencies and the Federal Government is
requiring this information. So, hence, it is also required to
protect the people and that information when it is lost or
misused.
Senator Akaka. Thank you very much. Senator Johnson, your
questions.
Senator Johnson. Thank you, Mr. Chairman.
Let me start with the more philosophical question. Since
1974, or quite honestly even prior to that, versus 2012 has the
definition or maybe I should state it, has the expectation of
privacy changed?
I will start with you, Mr. Rosenzweig.
Mr. Rosenzweig. I think it changes all the time. I think
that we live in a society now in which people go on Jerry
Springer and meet their ex-wife's new boyfriend and have a
fight with him on public TV.
I think that the expectation changes with catastrophic
events. We have a different expectation of what is an
acceptable privacy intrusion at airports today than we did
before. Many people do not like that but the expectation is
changing nonetheless.
I think that what we are really talking about in many
contexts is kind of not privacy so much as an expectation of
anonymity or lack of governmental scrutiny without
justification, and that too seems to be changing.
But, by that, I mean that we are now in a time where people
have come to understand that so much of their life is out there
on Facebook, on twitter voluntarily or involuntarily because
the credit card systems have changed.
But, where we are right now is that people expect that the
gaze of law enforcement, for example, will not turn on them
without a good justification or reason. That is a pretty
different change from what it used to be which was that we
expected that we were totally obscure and that the government
did not even know anything about us. Now, we think that it
knows about us; we just do not want it to pay attention.
Senator Johnson. Mr. Calabrese, do you want to add to that
or challenge it?
Mr. Calabrese. Yes, I would actually disagree candidly. I
think that while people have different interpretations of
privacy, I think the values that underlie privacy are really
the bedrock of this country.
I mean, they start with a Fourth Amendment. They start,
essentially, with the right to be left alone. People interpret
that in different ways.
I think younger people, when I talk to them, believe very
strongly in privacy. They interpret it a little differently.
They think of it more as information control. I decide who sees
what about me rather than the anonymity that we talked about in
previous generations.
But, I think, this bedrock principle that I should be free
from government scrutiny certainly and government interference
in my private life is one that is a fundamental thread in
American values.
Senator Johnson. Mr. Swire.
Mr. Swire. I have a right not to go on Jerry Springer and a
right not to have Federal agencies gather all the data that
Jerry Springer might get out of some of his interviews.
The enduring values goes back to the Fourth Amendment
saying that there should be no unreasonable searches and
seizures. What is reasonable changes with the facts.
But, I think a book by Alan Westin from around 1970 called
Privacy and Freedom goes through the history over time and
shows that the values that are at stake are very enduring.
Technology changes somewhat, the safeguards change somewhat but
the link between privacy and freedom is a very long-standing
one.
Senator Johnson. Thank you. I think most people recognize
the harm of loss of privacy when it comes to theft of either
assets or certainly identity, certainly the harm caused by
disclosure of health circumstances, that kind of stuff, can you
also speak on other types of harm caused by loss of privacy and
exposure of private information? Personal and private
information.
Mr. Calabrese, we will start with you.
Mr. Calabrese. Yes, no, of course.
It is such a wide variety. I think we can begin with the
harm of surveillance. I fear to learn about particular things,
visit particular Web sites because it may muzzle me. I may not
want to visit a Web site that talks about radical Islam in
spite of the fact I am the furthest thing from a radical
Islamic.
I fear that will somehow be connected with me and I will
suffer some investigation or harm because of it.
Then, more general just dignity reasons. I mean there are
plenty of things that we do in our life that we would not want
taken out of context, whether it is just the songs we listen to
or the people we are friends with.
All of these things are sort of the right to a personal
life. That is really the fundamental piece here is that it is
very difficult to explore new ideas, to learn about new
concepts and to just sort of engage in the thought process that
is necessary to be a responsible citizen in a democracy without
the privacy to make mistakes, to explore ideas that you may
want to later discard, all of that really requires privacy. And
if you do not have it, it is sort of a fundamental harm to your
right as a citizen.
Senator Johnson. Mr. Rosenzweig.
Mr. Rosenzweig. I agree that privacy is an enabler of
personal development. And so, it strikes me that is the value
that we want to protect, but it is just an enabler.
What we want to protect is the ability to develop
personally, to speak freely as you will. The problem or the
challenge that we face right now is we might want to protect
the ability to develop personally through privacy protections,
they are going away. Right?
If you engage in any sort of activity on the web today, it
is out there. We can limit what the government does with it but
there is no way that we can limit anything beyond the pieces of
the government that we control, that you control.
We can maybe limit commercial sectors here in the United
States. We cannot limit what happens in Bermuda. We cannot
limit what happens in Mexico.
The challenge, I think, right now is to enable that
personal development not by having to self-edit because of the
fear of going to a Muslim Web site but by being much more
strict about prohibiting adverse consequences on people for
going to look at radical Islamic Web sites.
So, I do not disagree with the end result. My problem is
that the way of doing it by deliberately making the government
or the commercial sector dumb about what people are doing is
the wrong way to go about it.
The right way to go about it is let us be smart but then
make us do smart things with the smart data, not stupid things
like challenging people just because they are going to Muslim
Web site.
Senator Johnson. Mr. Swire, would you like to comment on
that?
Mr. Swire. A lot of good things have been said. One other
part of the privacy fair practice is accessing your data and
correcting mistakes.
So, if you are on the no-fly list and you should not be or
your credit history is wrong, they have the wrong person with
your name, having good procedures around that is another part
of what we consider as privacy protection that I think we
surely want to build into our information society.
Senator Johnson. Thank you.
Thank you, Mr. Chairman.
Senator Akaka. Thank you very much, Senator Johnson.
Mr. Calabrese, you testified that the exemptions to the
Privacy Act for law enforcement and intelligence activities are
problematic.
Given the many recent privacy concerns about the treatment
of personal information in the national and homeland security
context, I agree that this issue merits further examination.
How can we ensure that these exemptions are not abused
without harming important law enforcement and intelligence
activities?
Mr. Calabrese. Thank you, Senator,
Well, I think in terms of tightening controls, I think we
can begin by acknowledging that the Privacy Act actually has
pretty good disclosure limitations that says, you should not
disclose information unless you have a good reason to do so.
What we need to do is tighten some of the exceptions like
routine use that allows essentially anything to be labeled
routine and hence disclosed.
And, I think that goes to the heart of how we get both a
strong national security and also good privacy is we need to
focus our investigations on people we suspect of wrongdoing,
who are criminals, who are terrorists.
When we have a basis for that investigation, we pursue it.
There are plenty of mechanisms for doing so. That does not mean
compiling a database of all the innocent people in advance in
case they may some day be needed for this.
When we have an investigation we pursue it. We do not put
every American in what amounts to a lineup on the assumption
that someday that lineup may prove valuable.
One of our enduring rights in this country is that we are
innocent until proven guilty. We need to hold onto that bedrock
principle. Thank you.
Senator Akaka. Thank you.
Mr. Rosenzweig and Mr. Calabrese, I agree with Mr. Swire
that approving the nominees for the Privacy and Civil Liberties
Oversight Board is a critical priority, particularly as the
Senate considers cybersecurity legislation.
As you know, the Board is supposed to be a key check on the
new information sharing authorities in the bill. I would like
to hear your views on this issue.
Let me call on Mr. Swire first.
Mr. Swire. I think I spoke to it, sir. I am not sure I have
more to add to the idea that we should get these folks
confirmed.
Senator Akaka. Thank you. Mr. Rosenzweig.
Mr. Rosenzweig. I do not know all of the nominees. The
three that I know are quite able. I would have hoped that the
Senate would have acted with President Bush in 2007 to fill the
Board and I would have hoped that President Obama, if he had
acted with more alacrity and presented these nominees well
before the near end of this session, we would have had a Board
in place.
I agree completely that at some point a Board needs to be
put in place because, as I said, I think that the oversight and
audit functions are critical to my vision of the best ways to
enhance privacy. I just regret that the political dimension of
this has brought us to the point where we are, what, 98 days
out from an election and still trying to find a Board.
Senator Akaka. Thank you. Mr. Calabrese.
Mr. Calabrese. I agree obviously. We want to confirm these
nominees tomorrow, if possible.
I want to just caution, though, it is not a panacea. I mean
PCLOB is relatively small, even if it was fully staffed, it is
something like 10 full-time staff under its current budget
allotment. A part-time Board with a full-time chairman.
The agencies and the bureaucracies that it is supposed to
oversee are quite literally massive. They are the size of small
towns. So, there is no way that this Board is going to be able
to provide any level of complete oversight.
It is a piece. It is necessary to fill it but no one should
believe that simply filling the PCLOB is going to answer all
our oversight concerns.
Senator Akaka. Thank you.
Mr. Swire, if we create a Federal Chief Privacy Office,
should that individual also review the information sharing
provisions of the cybersecurity bill?
Mr. Swire. So, how to work the CPO with the PCLOB is
something that would take some work. I suggest in my testimony
that we have a long-held decision between unclassified commuter
systems in the Federal Government and the classified systems.
The Privacy and Civil Liberties Oversight Board is
specifically focused on classified and anti-terrorism
activities. It makes sense I think for them to take the lead
there and for the Federal Chief Privacy Officer to take the
lead on unclassified systems. That is my best guess at how to
proceed.
Senator Akaka. Thank you.
This is my final question for the entire panel. What key
privacy protection issues that we have not yet discussed also
warrant the attention of Congress? Mr. Calabrese.
Mr. Calabrese. There are so many. I would say that it is
really crucial to update our electronic communications privacy
laws (ECPA). For example, ECPA was passed in 1986. It governs
law enforcement access to electronic communications.
It is woefully out of date. 1986 was an awful long time
ago. Similarly location privacy, as the court weighed in US v.
Jones this term, is a huge issue. Our cell phones have become
portable tracking devices, and reining in that tracking so it
only happens appropriately I think is a very important job.
I could go on and on but I will stop at those two.
Senator Akaka. Thank you. Mr. Rosenzweig.
Mr. Rosenzweig. Those two are both worth thinking about. I
guess I would add to that a consideration of whether or not the
intelligence community's approach to privacy is sufficiently
unified. I think there is divergency in views within that
community.
And, wow, I could probably think of a half dozen more but I
will just stop with that.
Senator Akaka. Mr. Swire.
Mr. Swire. So, just two observations. One is that the Jones
case about tracking the location I think is a very important
moment for the Supreme Court but Congress can followup there.
I did a project with some other groups at U.S. v. Jones.com
which surveys ways to sort of get out the next generation of
surveillance and civil liberties here. I think I would focus on
that, how to do the electronic searches, how to update ECPA,
and how to do some of the things discussed at US v. Jones.com.
Senator Akaka. Thank you. Let me ask Senator Johnson for
further questions.
Senator Johnson. Thank you, Mr. Chairman.
Let me just address the very real conundrum facing
government. As we watch every terrorist act, the aftermath of
that, people start doing a postmortem on that, and they go,
well, we had this information, why did we not put two and two
together and prevent the attack.
A very real concern, and it is just that natural tension
between privacy and the security that the American people
expect. I guess I would like all three of you to, first of all,
address that very real concern to me. How do we navigate that
very fine line?
I guess we will start with Mr. Swire.
Mr. Swire. Thank you, Senator.
So, I wrote a law review article around 2006 called Privacy
and Information Sharing in the War Against Terrorism. It is
online and law professors always love it if anybody ever reads
a law review article.
But I think that is a checklist of seven or eight questions
that I think should be asked as you are building a new
information system. And, it actually is similar to what Mr.
Rosenzweig is saying about audit and accountability and setting
it up so someone is looking at it carefully when you built it
at the front and then auditing it once you have it in place.
And, I think if you do that, then you do use information
intensively but you have some safeguards in place.
Senator Johnson. Thank you. Mr. Calabrese.
Mr. Calabrese. Well, I think one of the biggest problems
with information sharing today is that there is so much
information that it overwhelms the ability of any analyst to
essentially process it.
I mean, you cannot connect the dots when it is millions of
dots being given to you every day. I mean, Secretary Leiter,
when he was the Director of the NCTC, talked about an amazing
amount of leads and tips that they get every day.
And so, I think that we need to try to weed out the
innocent person chaff and focus more on actual leads, actual
people who, when Abdulmutallab's father came in to the Embassy
and said, please investigate my son, it certainly seems
possible to me that lead became lost because there was so much
information pouring in that a good lead was lost amongst all
the chaff.
I think we need to focus on narrowing our information
sharing to the right information, and that is a difficult task
but I think one that will bear the most fruit.
Senator Johnson. Mr. Rosenzweig.
Mr. Rosenzweig. I actually have a different perspective on
that which is I agree that we are drowning in a flood of data,
but to a large degree our capacity to analyze it has been
hamstrung by our unwillingness to apply data analytics.
Abdulmutallab was actually a good example because the
father coming in was preceded apparently by a visa application
that would have been in the field of innocent data,
presumptively innocent data that was collected about all of
these applicants.
You cannot know ex-ante which data fields are going to be
the ones that are relevant to an ongoing investigation. Up
until just a couple of years ago, we actually did not have a
coordinated Google-like search functionality within the
intelligence community, not because we could not implement
that, though it does take some money and coordination, but in
part because we were concerned about the linkages between
various databases as eroding privacy concerns.
When you have those concerns at the front end, they
sometimes create artificial limitations. I agree completely
that the right answer is to try to use the analytics to narrow
down leads into the people that we want to devote investigative
resources to. That is precisely what all of these systems are
intended to do.
On the other hand, you cannot actually make them as
effective as you might by limiting the intake on the front-end.
So, my perspective is that we are always going to be doing
too much until the day after an event when we will not have
done enough, and the optimal answer is to try to get the right
structures in place up-front and at least be able to defend
your choices going forward.
Senator Johnson. Mr. Calabrese, I will definitely side with
people who are highly concerned about civil liberties and
government intrusion into our lives.
Can you, describe specific examples of purposeful misuse by
the government of some of the information, personal privacy
information as opposed to hackers getting in and information
being not purposefully but illegally disclosed?
Mr. Calabrese. Yes. Let me address your question first,
Senator. I think we saw with the New York Police Departments
(NYPDs) investigation of Muslim communities where they were,
they began to surveil entire communities, do community mapping
of Muslims, not because they had any particular belief that
there was a particular person who they need to investigate but
just simply to monitor the entire community.
Similarly we have seen reports, and the ACLU has done FOIAs
on this, where FBI agents under the guise of going and doing
community outreach and just getting to know the Muslim
community, something that I think everybody agrees is vital in
terms of building bridges and connections so that they will
feel free to come forward if there is a criminal issue, were
turned into intelligence reports where reports were compiled on
those innocent people who were trying to help the government do
community outreach.
So, when we turn people who are trying to help us into
suspects, it builds exactly kind of distrust that we are trying
to prevent and I would argue hinders investigations going
forward.
So, I think that is the kind of situation that we want to
prevent and that is why we want to preserve some of the lines
that we have been talking about.
Senator Johnson. That is somewhat kind of outside what we
are talking about here, at least what I am talking about in
terms of privacy within the cyber community.
Mr. Rosenzweig, you mentioned Google. I mean, Google has
all the information. If you have a credit card, you have
provided voluntarily all kinds of personal information. And, I
guess, I just want somebody to speak to the disconnect between
what we voluntarily give up to private companies that have a
great deal of latitude, almost primoral latitude for use and
misuse of that information in the Federal Government.
Can you just kind of speak to that disconnect?
Mr. Rosenzweig. Well, there is much to be said about
Google's privacy policies which many people think are not
strong enough in the private sector. I think the best way to
characterize it would be this.
Just this past week in Las Vegas, they had the Black Hat
convention DEFCON which is a convention of hackers. And, one of
the leaders of the audience asked this assembled group of true
cyber experts who they feared more, Google's privacy invasions
or the government's, and Google won hands down, because the
people with the knowledge about this know that Google actually
assembles, processes, and uses personal data much more
efficiently, much more effectively than the Federal Government
does.
So, if you are one who sees in that a threat, as the people
at DEFCON did, they are more afraid of Google than they are of
the government by I think it was like six to one I saw in the
newspapers. I obviously was not there but that kind of speaks
to it.
Senator Johnson. Thank you. I have run out of time again. I
really do want to thank the witnesses for your thoughtful
testimony and taking the time here. This has been a very
interesting discussion and, Mr. Chairman, for holding this
hearing. This is a good hearing.
Senator Akaka. Go ahead.
Senator Johnson. No. I think I am good. Thank you.
Senator Akaka. Well, thank you very much, the second panel.
I would like to thank each of you for your statement and your
responses. This has been a useful and informative discussion
that will help us chart the next steps to strengthen our
Federal privacy and data security framework. I will continue
focusing on these important issues during the rest of my time
in the Senate.
This hearing also will provide a blueprint for the next
Congress on additional areas that must be addressed.
The hearing record will be open for 2 weeks for additional
statements or questions from members of this Subcommittee.
Again, I want to thank you for being with us.
The hearing is adjourned.
[Whereupon, at 11:58 a.m., the Subcommittee adjourned.]
A P P E N D I X
----------
[GRAPHIC] [TIFF OMITTED] T6066.001
[GRAPHIC] [TIFF OMITTED] T6066.002
[GRAPHIC] [TIFF OMITTED] T6066.003
[GRAPHIC] [TIFF OMITTED] T6066.004
[GRAPHIC] [TIFF OMITTED] T6066.005
[GRAPHIC] [TIFF OMITTED] T6066.006
[GRAPHIC] [TIFF OMITTED] T6066.007
[GRAPHIC] [TIFF OMITTED] T6066.008
[GRAPHIC] [TIFF OMITTED] T6066.009
[GRAPHIC] [TIFF OMITTED] T6066.010
[GRAPHIC] [TIFF OMITTED] T6066.011
[GRAPHIC] [TIFF OMITTED] T6066.012
[GRAPHIC] [TIFF OMITTED] T6066.013
[GRAPHIC] [TIFF OMITTED] T6066.014
[GRAPHIC] [TIFF OMITTED] T6066.015
[GRAPHIC] [TIFF OMITTED] T6066.016
[GRAPHIC] [TIFF OMITTED] T6066.017
[GRAPHIC] [TIFF OMITTED] T6066.018
[GRAPHIC] [TIFF OMITTED] T6066.019
[GRAPHIC] [TIFF OMITTED] T6066.020
[GRAPHIC] [TIFF OMITTED] T6066.021
[GRAPHIC] [TIFF OMITTED] T6066.022
[GRAPHIC] [TIFF OMITTED] T6066.023
[GRAPHIC] [TIFF OMITTED] T6066.024
[GRAPHIC] [TIFF OMITTED] T6066.025
[GRAPHIC] [TIFF OMITTED] T6066.026
[GRAPHIC] [TIFF OMITTED] T6066.027
[GRAPHIC] [TIFF OMITTED] T6066.028
[GRAPHIC] [TIFF OMITTED] T6066.029
[GRAPHIC] [TIFF OMITTED] T6066.030
[GRAPHIC] [TIFF OMITTED] T6066.031
[GRAPHIC] [TIFF OMITTED] T6066.032
[GRAPHIC] [TIFF OMITTED] T6066.033
[GRAPHIC] [TIFF OMITTED] T6066.034
[GRAPHIC] [TIFF OMITTED] T6066.035
[GRAPHIC] [TIFF OMITTED] T6066.036
[GRAPHIC] [TIFF OMITTED] T6066.037
[GRAPHIC] [TIFF OMITTED] T6066.038
[GRAPHIC] [TIFF OMITTED] T6066.039
[GRAPHIC] [TIFF OMITTED] T6066.040
[GRAPHIC] [TIFF OMITTED] T6066.041
[GRAPHIC] [TIFF OMITTED] T6066.042
[GRAPHIC] [TIFF OMITTED] T6066.043
[GRAPHIC] [TIFF OMITTED] T6066.044
[GRAPHIC] [TIFF OMITTED] T6066.045
[GRAPHIC] [TIFF OMITTED] T6066.046
[GRAPHIC] [TIFF OMITTED] T6066.047
[GRAPHIC] [TIFF OMITTED] T6066.048
[GRAPHIC] [TIFF OMITTED] T6066.049
[GRAPHIC] [TIFF OMITTED] T6066.050
[GRAPHIC] [TIFF OMITTED] T6066.051
[GRAPHIC] [TIFF OMITTED] T6066.052
[GRAPHIC] [TIFF OMITTED] T6066.053
[GRAPHIC] [TIFF OMITTED] T6066.054
[GRAPHIC] [TIFF OMITTED] T6066.055
[GRAPHIC] [TIFF OMITTED] T6066.056
[GRAPHIC] [TIFF OMITTED] T6066.057
[GRAPHIC] [TIFF OMITTED] T6066.058
[GRAPHIC] [TIFF OMITTED] T6066.059
[GRAPHIC] [TIFF OMITTED] T6066.060
[GRAPHIC] [TIFF OMITTED] T6066.061
[GRAPHIC] [TIFF OMITTED] T6066.062
[GRAPHIC] [TIFF OMITTED] T6066.063
[GRAPHIC] [TIFF OMITTED] T6066.064
[GRAPHIC] [TIFF OMITTED] T6066.065
[GRAPHIC] [TIFF OMITTED] T6066.066
[GRAPHIC] [TIFF OMITTED] T6066.067
[GRAPHIC] [TIFF OMITTED] T6066.068
[GRAPHIC] [TIFF OMITTED] T6066.069
[GRAPHIC] [TIFF OMITTED] T6066.070
[GRAPHIC] [TIFF OMITTED] T6066.071
[GRAPHIC] [TIFF OMITTED] T6066.072
[GRAPHIC] [TIFF OMITTED] T6066.073
[GRAPHIC] [TIFF OMITTED] T6066.074
[GRAPHIC] [TIFF OMITTED] T6066.075
[GRAPHIC] [TIFF OMITTED] T6066.076
[GRAPHIC] [TIFF OMITTED] T6066.077
[GRAPHIC] [TIFF OMITTED] T6066.078
[GRAPHIC] [TIFF OMITTED] T6066.079
[GRAPHIC] [TIFF OMITTED] T6066.080
[GRAPHIC] [TIFF OMITTED] T6066.081
[GRAPHIC] [TIFF OMITTED] T6066.082
[GRAPHIC] [TIFF OMITTED] T6066.083
[GRAPHIC] [TIFF OMITTED] T6066.084
[GRAPHIC] [TIFF OMITTED] T6066.085
[GRAPHIC] [TIFF OMITTED] T6066.086
[GRAPHIC] [TIFF OMITTED] T6066.087
[GRAPHIC] [TIFF OMITTED] T6066.088
[GRAPHIC] [TIFF OMITTED] T6066.089
[GRAPHIC] [TIFF OMITTED] T6066.090
[GRAPHIC] [TIFF OMITTED] T6066.091
[GRAPHIC] [TIFF OMITTED] T6066.092
[GRAPHIC] [TIFF OMITTED] T6066.093
[GRAPHIC] [TIFF OMITTED] T6066.094
[GRAPHIC] [TIFF OMITTED] T6066.095
[GRAPHIC] [TIFF OMITTED] T6066.096
[GRAPHIC] [TIFF OMITTED] T6066.097
|
NEWSLETTER
|
|
Join the GlobalSecurity.org mailing list
|
|
|
