[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



 
    PRIVACY AND CIVIL LIBERTIES IN THE HANDS OF THE GOVERNMENT POST-
SEPTEMBER 11, 2001: RECOMMENDATIONS OF THE 9/11 COMMISSION AND THE U.S. 
    DEPARTMENT OF DEFENSE TECHNOLOGY AND PRIVACY ADVISORY COMMITTEE

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                   COMMERCIAL AND ADMINISTRATIVE LAW

                                AND THE

                    SUBCOMMITTEE ON THE CONSTITUTION

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                            AUGUST 20, 2004

                               __________

                             Serial No. 113

                               __________

         Printed for the use of the Committee on the Judiciary




    Available via the World Wide Web: http://www.house.gov/judiciary

                                     ______


                 U.S. GOVERNMENT PRINTING OFFICE

95-498                 WASHINGTON : 2005
_________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866)512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, 
Washington, DC 20402-0001
















                       COMMITTEE ON THE JUDICIARY

            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois              JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina         HOWARD L. BERMAN, California
LAMAR SMITH, Texas                   RICK BOUCHER, Virginia
ELTON GALLEGLY, California           JERROLD NADLER, New York
BOB GOODLATTE, Virginia              ROBERT C. SCOTT, Virginia
STEVE CHABOT, Ohio                   MELVIN L. WATT, North Carolina
WILLIAM L. JENKINS, Tennessee        ZOE LOFGREN, California
CHRIS CANNON, Utah                   SHEILA JACKSON LEE, Texas
SPENCER BACHUS, Alabama              MAXINE WATERS, California
JOHN N. HOSTETTLER, Indiana          MARTIN T. MEEHAN, Massachusetts
MARK GREEN, Wisconsin                WILLIAM D. DELAHUNT, Massachusetts
RIC KELLER, Florida                  ROBERT WEXLER, Florida
MELISSA A. HART, Pennsylvania        TAMMY BALDWIN, Wisconsin
JEFF FLAKE, Arizona                  ANTHONY D. WEINER, New York
MIKE PENCE, Indiana                  ADAM B. SCHIFF, California
J. RANDY FORBES, Virginia            LINDA T. SANCHEZ, California
STEVE KING, Iowa
JOHN R. CARTER, Texas
TOM FEENEY, Florida
MARSHA BLACKBURN, Tennessee

             Philip G. Kiko, Chief of Staff-General Counsel
               Perry H. Apelbaum, Minority Chief Counsel
                                 ------                                

           Subcommittee on Commercial and Administrative Law

                      CHRIS CANNON, Utah Chairman

HOWARD COBLE, North Carolina         MELVIN L. WATT, North Carolina
JEFF FLAKE, Arizona                  JERROLD NADLER, New York
JOHN R. CARTER, Texas                TAMMY BALDWIN, Wisconsin
MARSHA BLACKBURN, Tennessee          WILLIAM D. DELAHUNT, Massachusetts
STEVE CHABOT, Ohio                   ANTHONY D. WEINER, New York
TOM FEENEY, Florida

                  Raymond V. Smietanka, Chief Counsel
                        Susan A. Jensen, Counsel
                        Diane K. Taylor, Counsel
                  James Daley, Full Committee Counsel
          Stephanie Moore, Minority Counsel


                    Subcommittee on the Constitution

                      STEVE CHABOT, Ohio, Chairman
STEVE KING, Iowa                     JERROLD NADLER, New York
WILLIAM L. JENKINS, Tennessee        JOHN CONYERS, Jr., Michigan
SPENCER BACHUS, Alabama              ROBERT C. SCOTT, Virginia
JOHN N. HOSTETTLER, Indiana          MELVIN L. WATT, North Carolina
MELISSA A. HART, Pennsylvania        ADAM B. SCHIFF, California
TOM FEENEY, Florida
J. RANDY FORBES, Virginia

                     Paul B. Taylor, Chief Counsel
                      E. Stewart Jeffries, Counsel
                          Hilary Funk, Counsel
                  Mindy Barry, Full Committee Counsel
           David Lachmann, Minority Professional Staff Member













                            C O N T E N T S

                              ----------                              

                            AUGUST 20, 2004

                           OPENING STATEMENT

                                                                   Page
The Honorable Chris Cannon, a Representative in Congress From the 
  State of Utah, and Chairman, Subcommittee on Commercial and 
  Administrative Law.............................................     1
The Honorable Melvin L. Watt, a Representative in Congress From 
  the State of North Carolina, and Ranking Member, Subcommittee 
  on Commercial and Administrative Law...........................     3
The Honorable Steve Chabot, a Representative in Congress From the 
  State of Ohio, and Chairman, Subcommittee on the Constitution..     5
The Honorable Jerrold Nadler, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on the 
  Constitution...................................................     6

                               WITNESSES

The Honorable Lee H. Hamilton, Vice Chair, National Commission on 
  Terrorist Attacks Upon the United States
  Oral Testimony.................................................    11
  Prepared Statement.............................................    14
The Honorable Slade Gorton, Commission Member, National 
  Commission on Terrorist Attacks Upon the United States
  Oral Testimony.................................................    12
  Prepared Statement.............................................    14
The Honorable John O. Marsh, Jr., on behalf of the U.S. 
  Department of Defense Technology and Privacy Advisory Committee
  Oral Testimony.................................................    15
  Prepared Statement.............................................    18
Ms. Nuala O'Connor Kelly, Chief Privacy Officer, U.S. Department 
  of Homeland Security
  Oral Testimony.................................................    49
  Prepared Statement.............................................    51

                                APPENDIX

Prepared Statement by the Honorable Chris Cannon, a 
  Representative in Congress From the State of Utah and Chairman, 
  Subcommittee on Commercial and Administrative Law, Commmittee 
  on the Judiciary...............................................    79
Prepared Statement by the Honorable Steve Chabot, a 
  Representative in Congress From the State of Ohio, and 
  Chairman, Subcommittee on the Constitution.....................    80
Prepared Statement by the Honorable Jerrold Nadler, a 
  Representative in Congress From the State of New York, and 
  Ranking Member, Subcommittee on the Constitution...............    81














    PRIVACY AND CIVIL LIBERTIES IN THE HANDS OF THE GOVERNMENT POST-
SEPTEMBER 11, 2001: RECOMMENDATIONS OF THE 9/11 COMMISSION AND THE U.S. 
    DEPARTMENT OF DEFENSE TECHNOLOGY AND PRIVACY ADVISORY COMMITTEE

                              ----------                              


                        FRIDAY, AUGUST 20, 2004

                  House of Representatives,
                         Subcommittee on Commercial
                            and Administrative Law,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Subcommittee met, pursuant to call, at 10:06 a.m., in 
Room 2141, Rayburn House Office Building, Hon. Chris Cannon 
[Chairman of the Subcommittee on Commercial and Administrative 
Law] presiding.
    Mr. Cannon. The Subcommittee will come to order. I want to 
thank you all for joining us, especially our panel.
    Today, before we formally start our proceedings, Chairman 
Chabot and I wanted to sincerely thank and recognize our 
colleagues on both Subcommittees and on both sides of the aisle 
for taking time out of their really busy schedules--for me, it 
was difficult, but I know that it was for everyone else--so as 
to attend the hearing this morning.
    As many of you know, August is typically when Members of 
Congress return to their districts to catch up on constituent 
matters and spend time with their families. Wait a minute, do 
you guys have families? It is a time when we call it our home 
district work period. We want to thank everyone for coming out.
    In these extraordinary times, we have to undertake 
extraordinary measures to deal with certain pressing issues. It 
also goes without saying that we express our sincere gratitude 
to our esteemed witnesses, each of whom reflects the greatest 
hallmarks of public service. We appreciate your contributions 
to our deliberations today.
    The title of today's hearing, ``Oversight Hearing on 
Privacy and Civil Liberties in the Hands of the Government 
Post-September 11, 2001: Recommendations of the 9/11 Commission 
and the U.S. Department of Defense Technology and Privacy 
Advisory Committee'', which we will refer to as ``TAPAC'', 
clearly explains why we are here.
    As many of you know, the 9/11 Commission filed its final 
report last month. What some of you may not know, however, is 
that the report includes several recommendations intended to 
protect our citizens' privacy and civil liberties. In addition, 
it recommends that the Federal Government set standards for the 
issuance of birth certificates and sources of identification 
such as driver's licenses to promote secure identification 
information.
    While most media headlines have emphasized the Commission's 
antiterrorism proposals, I believe the privacy and civil 
liberties recommendations are among those most critical to our 
Nation's future and which will form part of the focus of our 
hearing.
    Today's proceedings will also focus on certain 
recommendations the TAPAC Committee made regarding safeguarding 
informational privacy. By way of background, TAPAC was 
established by Secretary Rumsfeld as an independent, bipartisan 
committee to examine the privacy ramifications presented by 
data mining activities by the Defense Department. I think we 
all agree that Secretary Rumsfeld is to be commended for taking 
this initiative and for ensuring that TAPAC's membership 
included some of our Nation's most respected experts in the 
fields of constitutional and privacy law. I am informed that 
among the many luminaries who testified before TAPAC was our 
colleague from New York, Mr. Nadler. Thank you.
    Advances in technology have increasingly facilitated the 
collection and dissemination of personally identifiable 
information, but have also correspondingly increased the 
potential for misuse of such information. As the recently 
renamed Government Accountability Office observed, these 
advances bring substantial Federal information benefits, as 
well as increasing responsibilities and concerns.
    Interestingly, TAPAC over the course of its deliberations 
determined that as the Defense Department was not alone in its 
conduct of data mining activities, it was necessary for it to 
address this issue through a series of Government-wide 
recommendations. The purpose of today's hearing is to examine 
the validity of these recommendations and those of the 9/11 
Commission that relate to privacy and civil liberties and to 
determine whether they warrant a legislative response.
    We would especially appreciate any guidance from our 
witnesses about how the Congress, in crafting such legislation, 
can best protect our citizens' privacy without compromising 
legitimate law enforcement and terrorism detection efforts.
    As our witnesses know, it has been 30 years since the 
Privacy Commission was established as part of the Privacy Act 
of 1974. I would be interested in having our witnesses comment 
on whether now is the time to reestablish a privacy commission 
that would specifically focus on Government privacy issues, 
especially given all the technological developments that have 
occurred since the Commission filed its final report in 1977 
and the current state of our Nation's security concerns.
    I should also note that both my Subcommittee, the 
Subcommittee on Commercial and Administrative Law, and Chairman 
Chabot's Subcommittee, the Constitution Subcommittee, have 
played a major role with respect to protecting personal privacy 
and civil liberties in this era of heightened security under 
the leadership and guidance of Mr. Sensenbrenner, the Chairman 
of the full Judiciary Committee.
    As both the 9/11 Commission Report and the TAPAC concluded, 
it is no easy task to balance the competing goals of keeping 
our Nation secure and protecting the privacy rights of our 
Nation's citizens. I believe that our respective Subcommittees 
of the Judiciary Committee are uniquely and best suited to 
study and resolve these issues.
    Our accomplishments, to date, include the establishment of 
the first statutorily-created privacy office in a Federal 
agency, namely the Department of Homeland Security. We have 
also spearheaded the creation of a similar office in the 
Justice Department, which is contained in the legislation now 
pending in the Senate. In addition, both my Subcommittee and 
the Constitution Subcommittee have considered and supported 
legislation requiring a Federal agency to prepare a privacy 
impact analysis for proposed and final rules, and to include 
this analysis in the notice of public comment issued in 
conjunction with the publication of such rules.
    I will conclude my opening remarks with a quote from one of 
our Founding Fathers. As I think you will agree, Mr. Hamilton's 
observations and warnings--and here we are dealing with the 
earlier Mr. Hamilton--are as meaningful today as they were when 
he wrote them more than 200 years ago. ``Safety from external 
danger is the most powerful director of national conduct. Even 
the ardent love of liberty will, after a time, give way to its 
dictates. The violent destruction of life and property incident 
to war, the continual effort and alarm attendant on a state of 
continual danger, will compel nations the most attached to 
liberty to resort for repose and security to institutions which 
have a tendency to destroy their civil and political rights. To 
be more safe, they at length become willing to run the risk of 
being less free.''
    I will now turn to my colleague, Mr. Watt, the 
distinguished Ranking Member of my Subcommittee and ask him if 
he has any opening remarks.
    [The prepared statement of Mr. Cannon follows in the 
Appendix]
    Mr. Watt. Thank you, Mr. Chairman. I thank the Chairman of 
this Committee and the Chairman of the Constitution 
Subcommittee for deciding to have a hearing on the issues 
involved today and to do it jointly so that we do not end up 
duplicating efforts and pulling in different directions 
possibly.
    I would like to start really by expressing thanks to the 
witnesses for being here today. And by expressing a special 
thanks to Lee Hamilton and Slade Gordon, the members of the 
Commission, for the outstanding job that they did under some 
very, very, very difficult circumstances; and getting through 
the process without any appearance of partisanship, and being 
single-focused on the issue at hand, which was protecting 
American citizens and others from terrorism.
    Who knows where the recommendations of the Commission will 
go? And it is hard to even contemplate where they may go 
legislatively or administratively. But the thing that I think 
is most important is that before they go anywhere, we 
understand exactly what the recommendations are and have a 
better understanding of all of the implications of the 
recommendations.
    I sense that several Committees have headed off in the 
direction of dealing only with the security side of the balance 
that must be struck. And I think it is our obligation in this 
Committee not only to look at the security side, but to be ever 
cognizant of the privacy implications and the personal liberty 
implications of what is being done. And the only way we can do 
that is to really have hearings about what is being proposed 
and what we should be implementing.
    I am extremely encouraged that the Commission recognize 
this delicate balance itself in its recommendations, making 
three specific recommendations pertaining to the protection of 
civil liberties. First, the report calls for the President to 
``safeguard the privacy of individuals about whom information 
is shared among intelligence and investigation agencies.''
    Second, the report requires that in order to retain a 
particular governmental power, the executive first demonstrate 
that the ``power actually materially enhances security,'' and 
that adequate oversight exist ``to ensure protection of civil 
liberties.'' so it is very apparent that the Commission is 
already wrestling with what the appropriate balance should be 
between safeguarding our citizens by protecting them from 
terrorism and, on the other hand, safeguarding our citizens by 
protecting them against overstepping by governmental agencies 
who say that they have our interests at heart.
    So that is a very delicate balance which I think this 
hearing can only enlighten the American public on and enlighten 
the Members of this Committee on as we move forward, and 
enlighten our colleagues in the broader House and Senate as we 
move forward.
    Finally, the report recommends the creation of a board 
within the executive branch to oversee adherence to the 
guidelines, and it recommends the commitment the Government 
makes to defend civil liberties. So that board is again 
supposed to walk that delicate balance between adhering to the 
guidelines and recommending a commitment to defend civil 
liberties. And I think that is absolutely critical as we move 
forward.
    So I am delighted that the Chairman has convened this 
hearing for the purpose of discussing, and I hope nobody takes 
this as any indication that we in this Committee are not as 
committed to the defense of our citizens from terrorism, rather 
that they take it as an equal commitment that we understand the 
historical imperative, the constitutional imperative of also 
safeguarding the security and individual rights and privacy of 
citizens as we authorize the Government to take the actions 
that are necessary to safeguard us against terrorism.
    That is going to be a very, very delicate balance to walk. 
And if we are going to do it, this is the place to start, right 
here in the Committee on the Judiciary, in the Constitution 
Subcommittee, in the Commerce and Administrative Law 
Subcommittee where it is our responsibility to look at these 
issues and make some very difficult choices.
    I thank the Chairman and the members of the Commission and 
our other witnesses for being here to enlighten us on where 
that delicate balance should be.
    Thank you, Mr. Chairman.
    Mr. Cannon. Thank you, Mr. Watt.
    Mr. Cannon. Mr. Watt and I have, on occasion, disagreed 
very sharply, and by ``sharply,'' meaning he has a very sharp 
mind and it is hard to disagree with him.
    On the other hand, there are many issues where we do not 
disagree at all and this is one of those areas where we have 
difficult issues and we may differ on some points, but we will 
come up with, I hope, some thoughtful resolutions. So I want to 
thank the minority Ranking Member.
    I would also like to thank Mr. Chabot for being here today 
and his Ranking Member, Mr. Nadler.
    Mr. Chabot, would you like to make a statement?
    Mr. Chabot. Thank you, Mr. Chairman. I first of all want to 
thank you for holding this hearing, as well as Mr. Watt, Mr. 
Nadler, the Ranking Member on the Subcommittee that I have the 
good fortune to chair; and I want to thank all of my Committee 
Members who are in attendance today. And I want to offer a 
special welcome to all of the witnesses, but especially the 
Honorable Congressman Hamilton whose district in Indiana 
abutted mine in the southwest corner of Ohio, in the time that 
I have been in Congress, for a number of years.
    Lee was also the Chairman of the Committee on International 
Relations and served for many years with distinction. When my 
party took over in 1994, he was the Ranking Member for the time 
that I served here, but nonetheless he served with great 
distinction. He was really a role model for many of us, 
especially in the area of international affairs. So I want to 
thank him for his leadership in that respect.
    Also, Senator Gorton, who served the people of Washington 
for so many years so well. I want to thank all of the witnesses 
for being here today.
    I want to thank especially Senator Gorton and Senator 
Hamilton for the last 20 months that they have served on the 9/
11 Commission. Our Nation owes you a great debt of gratitude 
for your work, and I am confident that we will all benefit from 
your expertise here this morning and in the future as we 
implement all or most of the recommendations that you have 
made.
    As we know far too well, September 11 changed our world. It 
changed the way in which we must deal with terrorism and the 
way in which we as a country must protect ourselves. Since that 
tragic day, Congress and the Administration have taken steps to 
help better protect our Nation at home and abroad. Through 
passage of the PATRIOT Act and the creation of the Department 
of Homeland Security, we have provided law enforcement with 
enhanced investigative tools and improved our ability to 
coordinate abilities designed to protect against the future 
threat of terrorism. And make no mistake, that threat continues 
to face our Nation.
    Through the heroic actions of the brave men and women 
serving in our Armed Forces, we have also pursued the 
terrorists and those who assist them in places like Afghanistan 
and Iraq. Yet these actions are not enough to guarantee our 
Nation's security or freedom. This can only be accomplished 
through continued vigilance and willingness to challenge 
conventional wisdom. We must continue to improve our 
intelligence capability, strengthen our defenses and always be 
a step ahead of our enemies.
    To help accomplish these critical goals, it is imperative 
that Congress provide a comprehensive and expeditious review of 
the 9/11 Commission recommendations and then move forward with 
initiatives that will further improve our ability to combat 
terrorism and defend our citizens.
    As the Commission notes, we must also be mindful of the 
protections afforded by our Constitution and our need to guard 
those protections as we work to better protect our country. 
Ignoring important civil liberties will not only erode our 
freedoms, but will undermine efforts to increase our security. 
These challenges are not new, and our two Subcommittees have 
been extensively involved in these issues over the last couple 
of years.
    In the PATRIOT Act, for example, we worked to include 
protective measures such as a sunset provision to strengthen 
congressional oversight. When authorizing the Department of 
Homeland Security, a privacy officer position was established 
to examine the implications of the agency's rules and 
regulations on privacy and to address any issues that may 
result.
    I look forward, as I know the other Members do, to 
discussing the Commission's recommendations with our witnesses 
today in determining what Congress can do to better protect the 
privacy of our citizens. I particularly look forward to hearing 
from our panel their views on the Federal Agency Privacy 
Protection Act of 2004, which passed the House during the 107th 
Congress and was recently voted out of the full Judiciary 
Committee. It was back on, I believe, July 7.
    I believe that this, which was formerly known as the 
Defense of Privacy Act, would require Federal agencies to 
publish privacy impact analyses when promulgating rules and 
regulations. I believe it would be an effective step forward in 
our efforts to protect our country and our privacy rights.
    As we move forward, it is important to remember that having 
effective antiterrorism measures does not necessarily 
compromise the protections afforded by our Constitution, as one 
is not the enemy of the other. The enemy is terrorism.
    I yield back my time and thank the Chairman once again for 
holding this hearing.
    Mr. Cannon. Thank you, Mr. Chairman. I thank you for that 
opening statement.
    [The prepared statement of Mr. Chabot follows in the 
Appendix]
    Mr. Cannon. Mr. Nadler, would you like to make an opening 
statement?
    Mr. Nadler. Thank you, Mr. Chairman. Mr. Chairman, given 
the importance of this matter and the fact that nearly 3 years 
have elapsed since the attacks of September 11, I am pleased 
that we have returned to consider the recommendations of the 9/
11 Commission now without waiting, as some have suggested, 
until next year.
    I want to welcome our former colleagues Representative 
Hamilton and Senator Gorton and to thank them for the important 
work they and their colleagues have done.
    I am also pleased that we have Secretary Marsh here today. 
The issues that gave rise to the Secretary's Technology and 
Privacy Advisory Committee are also implicated in the 
Committee's recommendation, so it is important that we have the 
benefit of our work.
    Finally, I want to welcome back Ms. O'Connor Kelly. The 9/
11 Commission has recommended in somewhat general terms that we 
set up a civil liberties oversight board. The TAPAC commission 
has similarly recommended that the Secretary of Defense create 
a policy level privacy officer. Congress will have to work out 
the details.
    I hope that your experience as the privacy officer of the 
Department of Homeland Security can shed some light on how we 
might ensure the independence and effectiveness of the offices 
created pursuant to these recommendations.
    The need to improve capabilities and coordination within 
the intelligence and law enforcement communities was all too 
well demonstrated on September 11. Thousands of innocent 
citizens who did nothing more than board an aircraft or go to 
work were barbarically slaughtered. We ignored our Nation's 
peril, the lesson we can draw from the intelligence failures 
leading up to those crimes and from other recent intelligence 
fiascoes.
    At the same time, increased Government powers carry with 
them increased threats to the rights of all citizens. We expect 
our Government to keep it safe, but we are also a nation with a 
healthy mistrust of unfettered governmental power.
    Our whole system of Government combines limited powers with 
checks and balances that must maintained. Rights sacrificed at 
a time of emergency are often lost forever. Actions taken in 
the heat of the moment are often a source of shame and regret 
to later generations. So our job is to strike an appropriate 
and workable balance.
    That is not easy. As the members of the Commission have 
noted in their report, ``While protecting our homeland, 
Americans should be mindful of threats to vital personal and 
civil liberties. This balancing is no easy task, but we must 
constantly strive to keep it right. This shift of power and 
authority to the Government calls for an enhanced systems of 
checks and balances to protect the precious liberties that are 
vital to our way of life.''
    A little further on the Commission notes, it talks in 
general terms about the provision of the PATRIOT Act and some 
of the beneficial provisions of the PATRIOT Act, and then it 
says, ``Because of concerns regarding the shifting balance of 
power to the Government, we think that a full and informed 
debate on the PATRIOT Act would be healthy.'' The Commission 
then makes three general recommendations for specific measures 
to balance civil liberties and national security.
    Mr. Justice Marshall in a noted decision of the Supreme 
Court 200 years ago in Marbury v. Madison, a decision that has 
been somewhat criticized by one Member of this Committee, 
noted, and I am paraphrasing here because I do not have the 
exact quote before me, ``It is emphatically the province of the 
judiciary to say what the law is.''
    And that is true. It is emphatically the province of the 
Judiciary Committee to begin the process of having Congress 
strike the proper balance between national security, homeland 
security, and protection of our civil liberties. That is our 
job.
    I appreciate the beginning guidance that the Commission has 
given us and recommended that we strike that balance, but we 
have to determine how to strike that balance. And I am glad and 
I appreciate the Chairman calling this hearing as a beginning 
of that process so we can carefully consider all of the things 
we have to consider to strike that balance, and with all 
deliberate speed, enact legislation to do that.
    So I am glad we are having this hearing and I thank you.
    Thank you, Mr. Chairman.
    Mr. Cannon. I thank the gentleman.
    [The prepared statement of Mr. Nadler follows in the 
Appendix]
    Mr. Cannon. I would like to just point out to my co-Chair 
of this hearing, Mr. Chabot, Ranking Member Watt, and Ranking 
Member Nadler, we have worked together on issues not unlike 
this for some period of time, including the PATRIOT Act and 
other issues. And there is a genuine, I believe, feeling for 
doing the right thing here, and I hope that that will result in 
legislation in an area that is very, very difficult and improve 
that legislation.
    Without objection, the gentlemen's entire statements will 
be placed in the record. Also, without objection, all Members 
may place their statements in the record at this point. Any 
objection?
    Hearing none, so ordered.
    Without objection, the Chair will be authorized to declare 
recesses of the hearing at any point. Hearing none, so ordered.
    I ask unanimous consent that Members have 5 legislative 
days to submit written statements for inclusion in today's 
hearing record. Without objection, so ordered.
    Mr. Cannon. Now I am pleased to introduce our witnesses for 
today's hearing. Our first witness is Lee Hamilton, who is Vice 
Chair of the 9/11 Commission. Former Congressman Hamilton 
currently is President and Director of the Woodrow Wilson 
International Center For Scholars. Before undertaking these 
responsibilities at the Center in 1999, Congressman Hamilton 
served for 34 years in the House, representing Indiana's Ninth 
District. During his tenure, he served as Chairman and Ranking 
Member of the forerunner of the House Committee on 
International Relations and served on the Permanent Select 
Committee on Intelligence and the Select Committee To 
Investigate Covert Arms Transactions with Iran.
    After his tenure in Congress, he served on the Commission 
on National Security in the 21st Century, also known as the 
Hart-Rudman Commission, and was co-Chair with former Senator 
Howard Baker of the Baker-Hamilton Commission to investigate 
certain security issues at Los Alamos. He is currently a member 
of the President's Homeland Security Advisory Council.
    Mr. Hamilton is a graduate of DePauw University and Indiana 
University Law School, as well as the recipient of numerous 
honorary degrees and national awards for public service. And I 
hope I have said privately to Mr. Hamilton what I would like to 
say now and that is that when I came to Congress I looked 
around at the various Members of Congress to decide who I 
wanted to model, he was very clearly one of the people who I 
think did a remarkably good job in a complex institution; and 
he has been an explicit model in my life in my office.
    I welcome you back, Mr. Hamilton.
    Our second witness is former Senator Slade Gorton who also 
appears on behalf of the 9/11 Commission. Senator Gorton is 
currently of counsel at Preston, Gates & Ellis. Prior to 
joining the firm, he represented Washington State in the United 
States Senate for 18 years, from 1982 to 2000. While in the 
Senate, Mr. Gorton served on the Appropriations, Budget, 
Commerce, Science and Transportation, and Energy and Natural 
Resources Committees. He also chaired the Interior 
Appropriations Subcommittee, and was a member of the Republican 
Leadership as Counsel to the Majority Leader.
    Senator Gorton began his political career in 1958 as a 
Washington State representative and then went on to serve as 
the State house majority leader. In 1968, he was elected 
Attorney General for the State of Washington where he argued 14 
cases before the United States Supreme Court. Mr. Gorton also 
served on the President's Consumer Advisory Council, as well as 
on many other Federal and State commissions. Most recently, 
Senator Gorton served on the National Commission on Federal 
Election Reform.
    Senator Gorton received his undergraduate degree from 
Dartmouth College and his law degree from Columbia University.
    We welcome you back and appreciate your service in the 
Senate where we had some very pleasant interactions over a 
period of time.
    Our third witness is John Marsh, who appears today on 
behalf of TAPAC. Secretary Marsh, like his fellow witnesses, 
has served our Nation in a number of distinguished ways, I 
might just say a very different and a remarkable history of 
service, most prominently as Secretary of the Army and as the 
representative of Virginia's Seventh Congressional District. 
After an exemplary period of service with the U.S. Army, 
Secretary Marsh received his law degree in 1951 from Washington 
and Lee University and began his practice of law in Strasburg, 
VA. Thereafter, he was elected to four terms of Congress from 
the Seventh District of Virginia and served on the House 
Appropriations Committee.
    After choosing not to seek a fifth term, Secretary Marsh 
resumed the practice of law. In 1973, however, he returned to 
Federal service as Assistant Secretary of Defense for 
Legislative Affairs. The following year, he became the 
Assistant for National Security Affairs to Vice President Ford, 
and in August 1974 became Counselor, with Cabinet rank, to 
President Ford. He chaired the Presidential Committee for the 
Reorganization of the U.S. Intelligence Community from 1975 to 
1976.
    Later sworn in as Secretary of the Army in 1981, Secretary 
Marsh served until 1989 achieving a tenure that was the longest 
of any Secretary of the Army or Secretary of War in American 
history. During 1988, he served concurrently as Assistant 
Secretary of Defense for Special Operations and Low Intensity 
Conflict.
    Secretary Marsh has been awarded numerous honors and 
decorations. He is currently a Distinguished Professor of Law 
at George Mason University concentrating on cyberterrorism and 
national security law. He is also a member of the Special 
Congressional Panel on Terrorism to assess Federal, State and 
local response to weapons of mass destruction, known as the 
Gilmore Commission.
    Our final witness is Nuala O'Connor Kelly, the Chief 
Privacy Officer at the Department of Homeland Security. We 
welcome you back.
    As many of you know, Ms. O'Connor Kelly testified earlier 
this year as part of my Subcommittee's continuing oversight of 
her office. Ms. O'Connor Kelly is especially commended for 
participating in today's hearing as she is currently on 
maternity leave and having difficulty getting enough sleep. So 
we will send someone out for a coffee or a Coke if you need 
that at some point.
    As I previously noted in my remarks, my Subcommittee with 
the support of our Chairman, Mr. Sensenbrenner, played a major 
role in establishing Ms. O'Connor Kelly's office at the 
Department of Homeland Security. The legislation creating her 
office not only mandated the appointment of a privacy officer, 
but specified the officer's responsibilities.
    One of the principal responsibilities of the DHS privacy 
officer, as set out by statute, is the duty to assure that the 
use of technologies sustain and do not erode privacy 
protections relating to the use, collection and disclosure of 
personal information. In addition, the privacy officer must 
assure that personal information is handled in full compliance 
with the Privacy Act and assess privacy impacts with the 
Department's proposed rules.
    Pursuant to this legislation, DHS Secretary Tom Ridge last 
year appointed Ms. O'Connor Kelly to serve as the Department's 
Chief Privacy Officer. Since her appointment, Ms. O'Connor 
Kelly has played a key role in various terrorist detection 
initiatives undertaken by DHS. Prior to her current 
appointment, she served as the Chief Privacy Officer at the 
Commerce Department.
    Before entering public service, Ms. O'Connor Kelly was the 
Vice President for Data Protection and the Chief Privacy 
Officer for DoubleClick, an online media services company that 
made great headlines just prior to her taking that position.
    In that capacity, Ms. O'Connor Kelly established the 
company's first data protection department responsible for 
instituting privacy protection policies and procedures for 
DoubleClick, its clients and partners.
    Ms. O'Connor Kelly received her undergraduate degree from 
Princeton University, a Master's degree in Education from 
Harvard University and a law degree from Georgetown University 
Law Center.
    I extend my warm regards and appreciate your willingness to 
participate in today's hearing. In light of the fact that your 
written statements will be included in the hearing record, I 
request that you limit your oral remarks to 5 minutes. 
Accordingly, please feel free to summarize or highlight the 
salient points of your testimony.
    You will note that we have a lighting system. I think you 
are all familiar with it. It starts at green; when 4 minutes 
have passed, it turns yellow, and then it turns red at 1 
minute. We do not want to cut off your thinking. In fact, I 
would like to say this is undoubtedly the most prestigious 
panel I will ever--we have had two justices from the Supreme 
Court recently testifying on the Administrative Conference of 
the United States, Justices Scalia and Breyer. But there are 
only two of them and their history is fairly narrow compared 
with the experience we have with you.
    So if you would just recognize the 5-minute light, we would 
appreciate it if you would draw to a close. We will have people 
that will have the opportunity to ask questions and expand on 
issues.
    Everyone was here at the beginning of the hearing, so we 
will go by seniority. With Mr. Watts' help, I will try to tap 
the gavel at 5 minutes so all Members have an opportunity to 
ask questions. If there is an interest, we may go to a second 
round of questions.
    Pursuant to the directive of the Chairman of the Committee 
on the Judiciary, I am going to ask the panel to stand and 
raise your right hand and take an oath.
    [Witnesses sworn.]
    Mr. Cannon. Congressman Hamilton, would you proceed with 
your testimony?

    TESTIMONY OF THE HONORABLE LEE H. HAMILTON, VICE CHAIR, 
NATIONAL COMMISSION ON TERRORIST ATTACKS UPON THE UNITED STATES

    Mr. Hamilton. Thank you very much Chairman Cannon, Ranking 
Member Watt, Chairman Chabot, Ranking Member Nadler and the 
other distinguished Members of the two Subcommittees. We are 
very honored to appear before you today.
    I want to say that the chairman of the 9/11 Commission, Tom 
Kean, was not able to be here today. He led the Commission with 
extraordinary skill and deserves much of the credit for the 
Commission's success.
    I am very pleased to be here with Senator Gorton. He made 
extraordinary contributions as a Commission member. We turned 
to him again and again for advice, and it is a pleasure to be 
with him.
    We especially appreciate the fact that all the Members are 
here during August. I know that it is unprecedented, and we are 
very grateful to you for your interest in our work.
    I want to say that the statements made by the Chairman and 
Ranking Members of the two Subcommittees were extraordinarily 
good statements. I thank you for those. I also thank you for 
the personal sentiments that you expressed.
    Your Subcommittees, as well as your parent Committee, have 
a very long record of concern and leadership in these issues, 
so it is a very special pleasure for us to be with you. We 
simply point out that our Commission's recommendations were 
unanimous. I think you know that.
    I think from the very beginning of the Commission's work, 
about 18 or more months ago, all of us have been very conscious 
of the need to make sure that in our zeal to fight terrorism, 
we do not compromise the very rights and liberties that make 
our system of Government and society worth defending.
    Concern about the civil liberties of American citizens was 
one of the number of reasons why the Commission rejected the 
idea of moving the domestic intelligence and counterterrorism 
responsibilities of the FBI out of that agency and placing them 
in an MI-5 type agency. We feared that such a new agency, not 
steeped in respect for law and the Constitution that pervades 
the FBI and the Justice Department, and reporting to the 
National Intelligence Director, the Director of Central 
Intelligence rather than the Attorney General, would be more 
likely to trample on individual rights.
    The Commission made three major recommendations with 
respect to civil rights. The first dealt with the critical and 
complicated privacy issues that are at the heart of our new 
information society and at the heart of the necessary efforts 
to increase the amount of information gathered by our 
intelligence agencies and shared by them among themselves and 
with State and local law enforcement officials.
    We recommend improvements and enhancements in those 
information gathering abilities and in information sharing. But 
we also recognize that with the enhanced flow of information 
comes a need to establish guidelines and oversight to make sure 
that the privacy of our citizens and residents is respected and 
preserved.
    We did not conduct extensive investigation of our own on 
data mining and other privacy issues raised by information 
gathering and sharing. We relied very much on the Markle Task 
Force. I'm sure that work is familiar to you. We believe, along 
with the Markle Task Force, that we have the ability to gather 
and share information and protect privacy at the same time. 
This requires, however, leadership and coordination in the 
executive branch.
    No one agency can deal with this problem alone. We 
recommend that the President lead a Government-wide effort 
through OMB and the National Intelligence Director to set 
common standards for information use throughout the 
Intelligence Community. These standards would govern the 
acquisition, accessing, sharing and using of private data so as 
to protect individual rights.
    The same technology that facilitates the gathering and 
sharing of information can also protect us from the misuse of 
that information. And for the balance of the statement, I turn 
to Senator Gorton.

  TESTIMONY OF THE HONORABLE SLADE GORTON, COMMISSION MEMBER, 
NATIONAL COMMISSION ON TERRORIST ATTACKS UPON THE UNITED STATES

    Mr. Gorton. Our second major recommendation in this area 
relates to the USA PATRIOT Act, many of the provisions of which 
expire at the end of next year and will be the subject of 
hearings by the House and Senate Judiciary Committees. The only 
specific provisions of that act on which we expressed a view 
are those relating to information sharing.
    The elimination of the wall that had severely constrained 
the flow of information acquired through surveillance under the 
Foreign Intelligence Surveillance Act from the intelligence 
side of the FBI and to the criminal side of the Agency and to 
Federal prosecutors, and the broadening of the ability of the 
Justice Department to share grand jury information with other 
intelligence and law enforcement agencies.
    We endorse the extension of those provisions which, 
witnesses were virtually unanimous in telling us, were 
extremely helpful to law enforcement and intelligence 
investigations with little, if any, adverse impact on the 
rights of potential defendants. But we did propose a general 
test to be applied to consideration of the renewal of the other 
provisions of the USA PATRIOT Act, and we believe that that 
principle should also be applied to other legislative and 
regulatory proposals designed to strengthen our security, but 
that may impinge on individual rights.
    The test is a simple but important one. The burden of proof 
should be on the proponents of the measure to establish that 
the power or authority being sought would, in fact, materially 
enhance national security, and that there will be adequate 
supervision of the exercise of that power or authority to 
ensure protection of civil liberties. If the power is granted, 
there must be adequate guidelines and oversight properly to 
confine its use.
    We think that the same spirit that informed our 
recommendation as to the burden of proof that should be applied 
to measures of this kind is also reflected in H.R. 338, 
recently reported out of this Subcommittee and the full 
Judiciary Committee. H.R. 338 requires Federal agencies that 
are proposing rules that will require the collection of 
personal information from individuals to conduct privacy impact 
assessments as part of their rule-making process to ensure that 
privacy interests of individuals receive attention and 
protection.
    The Commission, of course, takes no position on that bill. 
But we can observe that it proceeds from the same concerns that 
animate our recommendations.
    Our third recommendation flows from the first two. 
Individual rights and liberties must be adequately protected in 
the administration of the significant powers that Congress has 
granted to executive branch agencies to protect national 
security. There should be a central office or board that has 
the responsibility to oversee adherence guidelines that are 
built into these programs to safeguard these rights and 
liberties.
    We make no recommendation as to how this office or board 
should be composed or where in the executive branch it should 
be located. Some commissioners believe that it should be a 
permanent office located in the Justice Department and 
reporting to the Attorney General, but with oversight of the 
programs of the Department of Homeland Security and other 
agencies, as well as those of the Justice Department. Others 
envisage a Cabinet-level interagency board or committee 
reporting to the President. But we are all agreed that some 
entity of this kind should be created.
    And departing for just a moment from my written statement, 
both the Chairman and Mr. Watt referred to the importance of 
this vehicle. Yesterday, Mr. Lee Hamilton and I testified 
before the Senate Judiciary Committee. Thereafter, I made a 
contact I'd made previously with Senators McCain and Lieberman 
who are working on a bill to provide exactly this board.
    I went and spoke at length with the staff director of the 
Senate Commerce Committee, formerly a member of my staff, on 
such a draft. And it may well be that you would like to contact 
them, see the direction in which they are going and work 
together. It looked to me like a very constructive first draft.
    We close with an observation from our report. We must find 
ways of reconciling security with liberty since the success of 
one protects the other. The choice between security and liberty 
is a false choice as nothing is more likely to endanger 
America's liberties than the success of a terrorist attack at 
home. Our history has shown us that insecurity threatens 
liberty. Yet, if our liberties are concerned, we lose the 
values that we are struggling to defend.
    We will be pleased to respond to your questions.
    Mr. Cannon. Thank you, Mr. Hamilton and Mr. Gorton.
    [The prepared statement of Messrs. Hamilton and Gorton 
follows:]
          Prepared Statement of Lee Hamilton and Slade Gorton
    Chairman Cannon, Ranking Member Watt, and other distinguished 
members of the Subcommittee: We are honored by the opportunity to 
appear before you today. We appreciate the opportunity to discuss with 
you the findings and recommendations of the Commission with respect to 
privacy and civil liberties. These Subcommittees, as well as your 
parent Committee, have a long record of concern with these issues, so 
it is a special pleasure to discuss with you the important question of 
how the measures we must take to protect our nation against the threat 
of terrorist attacks can be reconciled with the individual rights and 
liberties we hold so dear.
    We want to emphasize that the Commission's views on these issues--
as well as all others dealt with in our Report--were unanimous. We are 
five Republicans and five Democrats, but we are united in our 
commitment to make our country safer and more secure in the face of the 
novel threat posed by transnational terrorism. And we can report to you 
that from the very beginning of the Commission's work some eighteen 
months ago, all of us have been conscious of the need to make sure that 
in our zeal to fight the scourge of terrorism we do not compromise the 
very rights and liberties that make our system of government and our 
society worth defending.
    Concern about the civil liberties of American citizens was one of a 
number of reasons why the Commission rejected the idea of moving the 
domestic intelligence and counterterrorism responsibilities of the FBI 
out of that agency and placing them in a new MI-5-type agency. We 
feared that such a new agency, not steeped in the respect for the law 
and the Constitution that pervades the FBI and the Justice Department, 
and reporting to the National Intelligence Director or the Director of 
Central Intelligence rather than to the Attorney General, would be more 
likely to trample on individual rights.
    The Commission made three major recommendations with respect to 
civil liberties. The first dealt with the critical and complicated 
privacy issues that are at the heart of our new ``information society'' 
and at the heart of the necessary efforts to increase the amount of 
information gathered by our intelligence agencies and shared by them 
among themselves and with state and local law enforcement officials. 
The Commission recommends improvements and enhancements in those 
information-gathering abilities and in information sharing. But we also 
recognize that with the enhanced flow of information comes a need to 
establish guidelines and oversight to make sure that the privacy of our 
citizens and residents is respected and preserved.
    We did not conduct extensive investigation of our own on data-
mining and other privacy issues raised by information gathering and 
sharing. Instead, we relied on the excellent work done by the Markle 
Foundation Task Force, reflected in two reports, in 2002 and 2003. The 
insights of the Markle Task Force have been reinforced by the more 
recent investigation and report by the Technology and Privacy Advisory 
Committee established by Secretary Rumsfeld to advise him on the 
privacy implications of the Department's Terrorism Information 
Awareness Program--a report that this Subcommittee is also focusing on 
today.
    We believe, along with the Markle Task Force, that we have the 
ability to gather and share information and protect privacy at the same 
time. But this requires leadership and co-ordination in the executive 
branch. No one agency can deal with this problem alone. Instead, we 
recommend that the President lead a government-wide effort, through OMB 
and the National Intelligence Director, to set common standards for 
information use throughout the intelligence community. These standards 
would govern the acquisition, accessing, sharing and using of private 
data so as to protect individual rights. The same technology that 
facilitates the gathering and sharing of information can also protect 
us from the misuse of that information.
    Our second major recommendation in this area relates to the USA 
PATRIOT Act, many of the provisions of which expire at the end of next 
year and will be the subject of hearings by the House and Senate 
Judiciary Committees. The only specific provisions of that Act on which 
we expressed a view are those relating to information-sharing: the 
elimination of the ``wall'' that had severely constrained the flow of 
information acquired through surveillance under the Foreign 
Intelligence Surveillance Act from the intelligence side of the FBI to 
the criminal side of the agency and to federal prosecutors, and the 
broadening of the ability of the Justice Department to share grand jury 
information with other intelligence and law enforcement agencies. We 
endorsed the extension of those provisions, which witnesses were 
virtually unanimous in telling us were extremely helpful to law 
enforcement and intelligence investigations with little if any adverse 
impact on the rights of potential defendants.
    But we did propose a general test to be applied to consideration of 
the renewal of other provisions of the USA PATRIOT Act, and we believe 
that that principle should also be applied to other legislative and 
regulatory proposals that are designed to strengthen our security but 
that may impinge on individual rights. The test is a simple but 
important one: The burden of proof should be on the proponents of the 
measure to establish that the power or authority being sought would in 
fact materially enhance national security, and that there will be 
adequate supervision of the exercise of that power or authority top 
ensure protection of civil liberties. If the power is granted, there 
must be adequate guidelines and oversight to properly confine its use.
    We think the same spirit that informed our recommendation as to the 
burden of proof that should be applied to measures of this kind is also 
reflected in H.R. 338, recently reported out of this Subcommittee and 
the full Judiciary Committee. H.R. 338 requires federal agencies that 
are proposing rules that will require the collection of personal 
information from individuals to conduct privacy impact assessments as 
part of their rulemaking process to ensure that privacy interests of 
individuals receive attention and protection. The Commission, of 
course, takes no position on that bill. But we can observe that it 
proceeds from the same concerns that animate our recommendations.
    Our third major recommendation flows from the first two. Individual 
rights and liberties must be adequately protected in the administration 
of the significant powers that Congress has granted to executive branch 
agencies to protect national security. There should be a central office 
or board that has the responsibility to oversee adherence to guidelines 
that are built into these programs to safeguard those rights and 
liberties. We make no recommendation as to how this office or board 
should be composed or where in the executive branch it should be 
located. Some Commissioners believe that it should be a permanent 
office located in the Justice Department and reporting to the Attorney 
General, but with oversight of programs in the Department of Homeland 
Security and other agencies as well as in the Justice Department. 
Others envision a Cabinet-level interagency board or committee, 
reporting to the President. But we are all agreed that some entity of 
this kind should be created.
    We close with an observation from our Report:

        We must find ways of reconciling security with liberty, since 
        the success of one protects the other. The choice between 
        security and liberty is a false choice, as nothing is more 
        likely to endanger America's liberties than the success of a 
        terrorist attack at home. Our history has shown us that 
        insecurity threatens liberty. Yet, if our liberties are 
        curtailed, we lose the values that we are struggling to defend.

    We would be pleased to respond to your questions.

    Mr. Cannon. Mr. Marsh.

  TESTIMONY OF THE HONORABLE JOHN O. MARSH, JR., MEMBER, U.S. 
DEPARTMENT OF DEFENSE TECHNOLOGY AND PRIVACY ADVISORY COMMITTEE

    Mr. Marsh. Thank you, Mr. Chairman, Members of the 
Committee and leaders of the Committee. I thank you for calling 
this hearing. I would point out to you that I am here 
representing an advisory committee appointed by Secretary of 
Defense to the Department of Defense composed of members who 
gave their time to make this study. Therefore, I am not 
speaking for the Department of Defense of what action may or 
may not occur in reference to our recommendations, but I am 
very sanguine about that.
    I would also like to point out, as resource people for the 
committee, which I hope you will avail yourself of, the staff 
director of the Defense TAPAC Committee, Ms. Lisa Davis; an 
extraordinary writer, Fred Cate, who helped prepare all this 
testimony; a technologist and attorney, Lee Zeichner, who is 
here, and also the critical infrastructure protection 
capabilities of George Mason University where I teach and that 
assisted in this.
    Mr. Minow could not be here, but I can tell you he 
performed a yeoman's task of guiding this committee, and his 
enormous prestige and ability I think is reflected in this 
work.
    A little history, if I might. This committee occurred 
because of what was discerned to be abuses, or concerns about 
abuses, largely outside of the Department of Defense on a 
common technique that is growing and needs to be addressed 
called ``data mining.'' Data mining is the result of massive 
volumes of information, either people in or out of Government 
or organizations, and the use of that data mining can be very, 
very helpful in the intelligence process.
    There is a dichotomy here because although the Defense 
Department got in trouble with the pursuit of this, 
nevertheless, the statute to the homeland security authorized 
and encouraged them to engage in data processing. The data 
processing that was occurring in the Pentagon was called TIA. 
Its original name was terrorism information awareness or total 
information awareness or terrorist information awareness, 
whichever one you want, but it raised very serious questions in 
the media and in the Congress of the United States.
    When that happened, Mr. Rumsfeld named this committee, and 
he gave them six questions that he wished to be answered as to 
the validity of that type of technology and whether it could be 
effective, and how do we protect individual liberty and 
privacy.
    Incidentally, I prefer the term ``liberty.'' It is a far 
stronger word than ``privacy.'' Privacy occurs because of 
liberty. Privacy is a subset of liberty.
    Now, these four questions were the questions to which we 
devoted our time and attention. And our first overtures were to 
TIA, which was being done under DARPA, the Defense Advanced 
Research Project Agency, that has done extraordinary work and 
is indeed the agency that developed the Internet. It became 
apparent to the committee that to address this one program, 
TIA, would be putting a finger in a dike where many, many 
fingers were going to be necessary.
    This is a widespread practice in the Federal Government and 
perhaps at State levels. A GAO survey indicated, as we were 
finishing up our work, that there were 88 departments and 
agencies engaged in data mining, or were planning to, that 
there were an additional 34 about to, and in all, there were 
122 data mining programs ongoing in our national Government, 
not just in the Department of Defense. It became very apparent 
to us, as we began to examine people, that data mining was 
going on in other departments of Government. And there weren't 
that many controls in my view and, I think, in the committee 
view as to how that should be handled.
    So what we sought to do--this report is seeking to provide 
some guidelines as to how to utilize data mining, which we 
think is essential only if it is used in a proper way, and we 
believe that it can be. It can use the FICE Accord. It can use 
technologies of minimization where in order to achieve certain 
information you do not have to collect as much as you perceive 
that you have to collect.
    And also, there is the issue of anonymization. There are 
technologies today in seeking records, you can anonymize the 
records so that the people examining the records or capturing 
the information do not know--do not know at the time what that 
information is or they do not associate it with an individual. 
At a later date, under certain guidelines, you can unlock that 
and find that out.
    But one of the things, and it seems to me to be a rule, 
where U.S. persons are involved and you have a particularized 
area of interest in that U.S. person and you go into data 
mining, you use and resort to the FICE Accord. We place stress 
or emphasis on the role of the FICE Accord.
    Now, out of this would come--and I submit to the Committee 
that I will not go through it all; your staff has seen it--
there came 12 recommendations. Seven of those recommendations 
relate to the Department of Defense, because it was the 
Department of Defense that had asked for these inputs. Five of 
those relate to the Federal Government at large.
    I was very impressed with the legislation that's proposed, 
H.R. 338, that came out of this Committee, because as you read 
our report and read the proposed statute, you begin to see that 
there's a synchronization or there's a common theme through 
there. It may not be the answer yet, but it seems to me steps 
toward an answer.
    So we talk about here how you can establish a process for 
data mining inside the Department of Defense. And the idea was, 
you create a mechanism in the Department of Defense that has 
audit trails, that has overview, that has training, that has 
authorization for certain techniques, and then you extrapolate 
that and replicate those systems of protection into the general 
Federal Government. And this evolved because we got in, we saw 
we had a far, far greater problem.
    It is not simply the Department of Defense, but there are 
other departments and agencies of the Government, and indeed 
data mining is done by the States. The program called Matrix, 
which is a law enforcement program in the State of Florida, 
uses data mining; and Matrix, I think you will find, has 
significant Federal funding from certain other Federal 
agencies, not the Department of Defense.
    But we also place an emphasis on congressional oversight of 
what's to be done. There needs to be a protocol or culture of 
privacy that we need to encourage and develop. So we commend 
those to you.
    I thank you for what you're doing. The stakes are very, 
very high. As I commented to my assistant professor, Ms. Angie 
Chen of George Mason University, who is here today, ``the law 
is going to have to address this.''
    In September of 1787, as Washington was submitting the 
draft Constitution to the convention, of the articles--to the 
Congress--of the Confederation, it had a resolution in it. I 
commend to you that resolution because it read, and it was 
Washington's dilemma, a resolution probably written by Madison.
    Washington fully concurred. The biggest problem, Washington 
said, was drafting a document that was able to reconcile the 
issue of liberty on one side and security on the other.
    That's the problem that we have today. And we see our 
Nation's capital, the people's House is a citadel, with the 
Jersey walls and hydraulic gates and the limitation. Visitation 
here used to be about 22,500. It is down now I understand to 
about 2,000. These are evidences of the oppression and 
intimidation that we are having to suffer because of the 
problems with terrorism. But we will address that and we will--
and we will be stronger for it.
    I would say to you, I was teaching these issues before 9/
11. We are feeling that we are being overwhelmed by rapid 
advances in technology, particularly in the information 
communication and information technology which gives the 
terrorists enormous weapons.
    Prior to 9/11, we would not sort out how we were going to 
handle that, and the law was falling behind that technology. 
And the Congress at the time was having trouble coming to grips 
with it in a jurisdictional sense because of its pervasive 
effort. Hopefully, through these types of efforts, we will, 
one, be able to establish jurisdiction, and, secondly, be able 
to achieve a very favorable and satisfactory result.
    I thank you, Mr. Chairman.
    Mr. Cannon. Thank you, Mr. Marsh.
    [The prepared statement of Mr. Marsh follows:]
              Prepared Statement of John O. Marsh, Jr.\1\
---------------------------------------------------------------------------
    \1\ I gratefully acknowledge the assistance in the preparation of 
this statement of Fred H. Cate, a Distinguished Professor and director 
of the Indiana University Center for Applied Cybersecurity Research, 
who served as Reporter for the Technology and Privacy Advisory 
Committee.
---------------------------------------------------------------------------
    Chairmen Chabot and Cannon, Distinguished Members:
    I appreciate the opportunity to testify today about the work and 
final recommendations of the Technology and Privacy Advisory Committee 
appointed by Secretary of Defense Rumsfeld and chaired by the Honorable 
Newton N. Minow, one of the nation' most experienced and distinguished 
public servants. The Committee was created to examine the issues that 
are the subject of today's hearing--the impact of the government's use 
of personal information on privacy and civil liberties. Although our 
charge focused on the Department of Defense, we rapidly discovered that 
the issues, as well as the data mining activities that raise them, 
occur throughout the government and require attention.
    I applaud your leadership and that of your colleagues on the 
Committee in holding today's hearing. As a former Member of Congress 
and Secretary of the Army, I know that few issues could be more 
important than the security of the Republic or the civil liberties of 
its citizens. Ensuring that both are rigorously protected is a critical 
obligation of all branches of Government--but especially of the 
Congress--and I congratulate you for embracing that responsibility in 
this hearing today.
           the tension between privacy and national security
    The final report of the 9/11 Commission report does a masterful job 
of describing the horrendous terrorist attacks that took place on the 
morning of September 11, 2001, and of analyzing the factors that 
contributed to our nation's vulnerability to those attacks. The report 
goes on to make a number of thoughtful recommendations, including the 
urgent need that we use all of the information at our collective 
disposal to protect against further attacks, but that we do so only in 
ways that are consistent with protecting personal privacy.
    The 9/11 Commission report does not suggest how we might exploit 
that information without invading privacy. The report identifies the 
goal, without providing any guidance as to the means. The Technology 
and Privacy Committee had spent the prior year addressing many of these 
issues about how we use information to protect national security 
without infringing on privacy.
                          background of tapac
    The history of TAPAC is fully laid out in our final report, the 
executive summary from which I attach to my prepared testimony, so I 
will only briefly recite it here. In early 2002, the Defense Advanced 
Research Projects Agency (``DARPA'') announced that it was developing 
advanced information technologies which could access personally 
identifiable information in the fight against terrorism. The project--
called ``Terrorism Information Awareness'' (``TIA'') \2\ soon prompted 
serious public and congressional criticism centered on the possible use 
by government of personal information on U.S. citizens and permanent 
resident aliens.
---------------------------------------------------------------------------
    \2\ When first announced, the program was entitled ``Total 
Information Awareness.'' The title was changed to ``Terrorism 
Information Awareness'' in May 2003.
---------------------------------------------------------------------------
    To address these and other concerns, in February 2003 Secretary 
Rumsfeld appointed the Technology and Privacy Advisory Committee, the 
members of which were private citizens, independent from the government 
and ``selected on the basis of their preeminence in the fields of 
constitutional law and public policy relating to communication and 
information management.'' Establishment of the Technology and Privacy 
Advisory Committee, 68 Fed. Reg. 11,384 (2003) (DOD, notice). He 
charged TAPAC with answering four questions:

        1.  Should the goal of developing technologies that may help 
        identify terrorists before they act be pursued?

        2.  What safeguards should be developed to ensure that the 
        application of this or any like technology developed within DOD 
        is carried out in accordance with U.S. law and American values 
        related to privacy?

        3.  Which public policy goals are implicated by TIA and what 
        steps should be taken to ensure that TIA does not frustrate 
        those goals?

        4.  How should the government ensure that the application of 
        these technologies to global databases respects international 
        and foreign domestic law and policy? U.S. Department of 
        Defense, Technology and Privacy Advisory Committee Charter 
        (2003).

    In June 2004, TAPAC released its final report, containing its 
conclusions and 7 and 5 12 recommendations addressing data mining 
within the Department of Defense and throughout the federal government. 
Before turning to those conclusions and recommendations, I want to 
stress two features of the Committee and its work.
    First, the panel was strictly bi-partisan, both in its membership 
and in the way it pursued its work. It was chaired by the Honorable 
Newton N. Minow, Senior Counsel to the law firm of Sidley Austin Brown 
& Wood, who served as chairman of the Federal Communications Commission 
under President Kennedy, and later served as chairman of the Carnegie 
Corporation, Public Broadcasting Service, and The RAND Corporation, and 
vice chairman of the Commission on Presidential Debates. It would be 
hard to find a more impartial, skillful, or experienced public servant.
    The other Committee members with whom I was privileged to serve 
were:

        Floyd Abrams, a partner in the New York law firm of Cahill 
        Gordon & Reindel, the William J. Brennan, Jr. Visiting 
        Professor of First Amendment Law at the Columbia Graduate 
        School of Journalism, and one of the nation's leading experts 
        on the First Amendment.

        Zoe Baird, President of the Markle Foundation, and previously 
        was senior vice president and general counsel of Aetna, Inc., 
        and an attorney in White House and in the Justice Department.

        Griffin Bell, formerly Managing Partner of King & Spalding, a 
        judge on the U.S. Court of Appeals for the Fifth Circuit, and 
        Attorney General of the United States.

        Gerhard Casper, President Emeritus of Stanford University and 
        the Peter and Helen Bing Professor in Undergraduate Education 
        at Stanford.

        William T. Coleman, Jr., Senior Partner and the Senior 
        Counselor in O'Melveny and Myers; he served as Secretary of 
        Transportation during the Ford Administration.

        Lloyd N. Cutler, founding partner of the law firm of Wilmer, 
        Cutler & Pickering; he served as Counsel to Presidents Clinton 
        and Carter.

    The second feature is that Secretary Rumsfeld charged the Committee 
with considering not only laws applicable to privacy, but also 
``American values related to privacy.'' This important addition to the 
Committee's mandate obligated us to ask not only what the law 
concerning government use of personal information was, but what it 
should be.
the prevalence of government data mining and the limits of relevant law
    From the outset, the Committee was struck by two discoveries. The 
first was how widespread, not only in the Department of Defense, but 
throughout the federal government, data mining was. In fact, report by 
the General Accounting Office, released in May 2004 after the TAPAC 
finished its work, found 42 federal departments or agencies--including 
every cabinet-level agency that responded to the GAO's survey--engaged 
in (88), or were planning to engage in (34), 122 data mining efforts 
involving personal information. Thirty-six of those involve accessing 
data from the private sector; 46 involve sharing data among federal 
agencies. U.S. General Accounting Office, Data Mining: Federal Efforts 
Cover a Wide Range of Uses (GAO-04-548), May 2004, at 3, 27-64, tables 
2-25.
    The Committee's second discovery was how limited the federal law 
applicable to the government's use of personal information really was. 
The law that does exist is often too narrow to ensure either that the 
government can access the data it really needs to protect national 
security and fight crime effectively or that individual privacy is 
protected in the process. In particular, that law depends significantly 
on whether the individual(s) involved are U.S. citizens, where the 
search takes place, whether the information has ever been disclosed to 
third parties, and the government's motivation for the search. In the 
face of new terrorist threats posed within the territory of the United 
States and global information technologies this system has grown 
increasingly unworkable.
    So what the Committee found was widespread data mining, and little 
clarity in the law.
                        tapac's recommendations
    As a result, the Committee focused its deliberations, and 
ultimately its recommendations, on what the law should be to ensure 
that information is used to enhance national security without impinging 
on individual privacy or liberty. We unanimously agreed that the United 
States should use data mining to enhance national security; our 
recommendations then were focused on assuring that the privacy 
interests of U.S. persons are not compromised when it does so. Because 
those recommendations are included in the attached executive summary, I 
will not recite all of them here, but I would like to focus on six that 
are most relevant to today's hearing.
1. Privacy Tools
    First, we thought it imperative that government data mining 
programs take advantage of the technological and other tools available 
to protect privacy. So, for example, we recommended requiring:

        a.
            Data minimization--the least data consistent with the 
        purpose of the data mining should be accessed, disseminated, 
        and retained.

        b.
            Data anonymization--whenever practicable data mining should 
        be performed on databases from which information by which 
        specific individuals can be commonly identified (e.g., name, 
        address, telephone number, SSN, unique title, etc.) has been 
        removed, encrypted, or otherwise obscured. Where it is not 
        practicable to use anonymized data, or access to identifying 
        information is required, the agency should comply with 
        Recommendation 2.4 below.

        c.
            Audit trail--data mining systems should be designed to 
        create a permanent, tamper-resistant record of when data have 
        been accessed and by whom.

        d.
            Security and access--data mining systems should be secured 
        against accidental or deliberate unauthorized access, use, 
        alteration, or destruction, and access to such systems should 
        be restricted to persons with a legitimate need and protected 
        by appropriate access controls taking into account the 
        sensitivity of the data.

        e.
            Training--all persons engaged in developing or using data 
        mining systems should be trained in their appropriate use and 
        the laws and regulations applicable to their use. 
        (Recommendation 2.2)

    We also recommended special protection when data mining would 
involve the use of data from the private sector or other government 
agencies. (Recommendation 2.3)
2. Privacy Culture
    Second, we thought it was critical that concern for privacy and 
other civil liberties be instilled at every level within agencies that 
engage in data mining. We therefore proposed that agency personnel 
receive appropriate training (Recommendation 2.2(e)), the creation of a 
policy-level privacy officer to help promote sensitivity to privacy 
throughout agencies (Recommendation 4), the appointment of external 
privacy advisors to help provide privacy-related input from outside of 
the agency (Recommendation 5), and that the agency head be charged 
specifically with creating ``culture of sensitivity to, and knowledge 
about, privacy issues'' throughout the agency (Recommendation 7).
3. Internal Accountability
    Third, we believed that accountability was absolutely critical to 
protecting privacy, to ensuring that data mining was conducted 
efficiently and effectively, and to building public confidence in the 
government's data mining efforts. This objective undergirded many of 
our recommendations. We thought of accountability as occurring in two 
distinct settings: internal and external.
    Internal accountability would be enhanced, we believed, first by 
ensuring that no agency engage in data mining involving personal 
information without making a conscious, thoughtful decision to do so, 
or without fully appreciating the potential privacy ramifications of 
its actions. So, for example, we recommended that data mining require 
written authorization by the agency head. (Recommendation 2.1) That 
written finding would demonstrate that a senior government official had 
thought through:

        a.
            the purposes for which the system may be used;

        b.
            the need for the data to accomplish that purpose;

        c.
            the specific uses to which the data will be put;

        d.
            that the data are appropriate for that use, taking into 
        account the purpose(s) for which the data were collected, their 
        age, and the conditions under which they have been stored and 
        protected;

        e.
            that other equally effective but less intrusive means of 
        achieving the same purpose are either not practically available 
        or are already being used;

        f.
            the effect(s) on individuals identified through the data 
        mining (e.g., they will be the subject of further investigation 
        for which a warrant will be sought, they will be subject to 
        additional scrutiny before being allowed to board an aircraft, 
        etc.)

        g.
            that the system has been demonstrated to his or her 
        satisfaction to be effective and appropriate for that purpose;

        h.
            that the system complies with the other requirements of 
        this recommendation as enacted by law, executive order, or 
        other means;

        i.
            that the system yields a rate of false positives that is 
        acceptable in view of the purpose of the search, the severity 
        of the effect of being identified, and the likelihood of 
        further investigation; and

        j.
            that there is a system in place for dealing with false 
        positives (e.g., reporting false positives to developers to 
        improve the system, correcting incorrect information if 
        possible, remedying the effects of false positives as quickly 
        as practicable, etc.), including identifying the frequency and 
        effects of false positives. (Recommendation 2.1)

    That written finding would also serve to ensure that a policy-level 
official (in almost every case an official whose appointment was 
subject to Senate confirmation), was involved in making the 
determination to go forward.
    We believed internal accountability would also be fostered through 
the creation of a senior policy-level privacy officer (Recommendation 
5), by regular audits of all data mining programs (Recommendation 2.5), 
by seeking the advice of external privacy experts (Recommendation 5), 
and through renewed efforts by the agency head to ensure the 
``effective operation of meaningful oversight mechanisms'' 
(Recommendation 6).
4. External Accountability
    Fourth, while accountability within an agency is essential, it is 
no substitute for external accountability, and it was here that our 
strongest--and most controversial--recommendations were focused. I 
suspect it is the failure to provide for meaningful external 
accountability that has contributed to public unrest about programs 
such as TIA and CAPPS II. Our goal was to help diffuse some of that 
controversy in the future by providing for meaningful external 
oversight.
    TAPAC recognized that programs to enhance national security and 
public safety will often involve classified information or require 
speedy action, and so traditional accountability measures (such as 
public notice and opportunity to comment, or judicial review) may not 
work. Nevertheless, we believed that significant tools are available 
and should be required when the government accesses personal 
information about its citizens or legal aliens.

        a.
            Judicial Review

    One critical external accountability measure we recommended is 
recourse to the courts before conducting data mining with personally 
identifiable information about U.S. persons. (Recommendation 2.4) We 
recommended the Foreign Intelligence Surveillance Act court, to help 
provide for speedy and confidential review, but the particular court is 
not nearly as important as the concept of judicial review. The public 
understandably derives confidence from knowing that an independent, 
judicial authority is reviewing government data mining efforts. This is 
especially true when, because of secrecy concerns, the public may not 
have access to information about those efforts.
    We stressed that judicial review could be obtained for specific 
searches or for entire data mining programs (Recommendation 2.4(a)(v)), 
and we provided that, in exigent circumstances, the review could be 
obtained after-the-fact (Recommendation 2.4(c)). Our goal in crafting 
these provisions was not merely to ensure that the process of judicial 
review not interfere with national security, but also to highlight that 
even the exigencies of the war on terrorism do not justify abandoning 
the vital principle of judicial review.

        b.
            Congressional Oversight

    The other essential component of external accountability is 
oversight by the Congress. You are the people's elected representatives 
and it is your unique duty to ensure that the people's business is 
carried out effectively, efficiently, and without compromising the 
people's rights. TAPAC therefore recommended that each agency's privacy 
officer have a direct reporting line to Congress, as you provided with 
regard to the Department of Homeland Security's privacy officer--a 
position ably filled by Ms. Nuala O'Connor Kelly, who appeared before 
TAPAC. We went a step further, however, to recommend that the agency 
head appear as well, and that the privacy officer and agency head 
jointly brief you, at least annually, on

        a.
            the agency's compliance with applicable privacy laws;

        b.
            the number and nature of data mining systems within the 
        agency, the purposes for which they are used, and whether they 
        are likely to contain individually identifiable information 
        about U.S. persons;

        c.
            the number and general scope of agency findings authorizing 
        data mining;

        d.
            the number and general scope of agency findings and court 
        orders authorizing searches of individually identifiable 
        information about U.S. persons; and

        e.
            other efforts to protect privacy in the agency's collection 
        and use of U.S. person data. (Recommendation 11)

    These are serious obligations; we meant them to be. Nothing less 
guarantees you the information and regular access to senior personnel 
necessary to provide the accountability that the public expects.
    To carry out these obligations, we made an equally bold 
recommendation that you take the steps necessary to streamline 
committee jurisdiction:

        To facilitate this reporting process and consistent, 
        knowledgeable oversight, each house of Congress should identify 
        a single committee to receive all of the agencies' reports. 
        Other committees may have jurisdiction over specific agencies 
        and therefore also receive reports from those agencies, but we 
        believe it is important for a single committee in each house to 
        maintain broad oversight over the full range of federal 
        government data mining activities. To the extent the 
        jurisdiction of congressional committees overlaps, we believe 
        it is essential for Congress to clarify and clearly articulate 
        the relative responsibilities of each committee, to avoid 
        undermining either privacy protection or national security 
        efforts. (Recommendation 11)

    As a former Member of Congress, I am well aware of the uphill 
battle that such an effort involves, but we believed it is essential 
for meaningful oversight of both privacy and security.
5. Consistent Laws and Processes
    Fifth, TAPAC recommended that all of the actions outlined above be 
carried out across the government. This would include adopting a single 
framework of legal, technological, training, and oversight mechanisms 
necessary to guarantee the privacy of U.S. persons in the context of 
national security and law enforcement activities; the appointment of a 
privacy officer in every federal agency; and the creation of an inter-
agency coordinating committee and the use of external advisors to help 
ensure the consistent application of privacy laws and principles. 
(Recommendations 8-10)
    TAPAC recognized that privacy protections would not necessarily be 
the same in every setting, but we believed it essential that they be 
consistent, based on common principles, and subject to uniform 
oversight.
    The recent report of the 9/11 Commission only highlights the 
importance of these recommendations. It makes little sense to 
coordinate this nation's intelligence and national security activities, 
without going one step further to coordinate the laws and processes 
that ensure those activities respect our privacy and civil liberties.
6. Research
    Finally, TAPAC recognized the importance of research into 
technological and other tools for making data mining more precise and 
accurate and for protecting privacy, as well as into the development of 
policies and laws to facilitate both data mining and privacy. 
(Recommendations 7, 12) One unfortunate consequence of Congress 
blocking further development of TIA was to prohibit further research by 
DARPA into both data mining and privacy.
    This is regrettable; our nation desperately needs to understand 
better the technological, behavioral, and policy tools for using 
information effectively and appropriately, whether to fight terrorism, 
apprehend criminals, or otherwise serve the public. There are many 
private initiatives to expand our understanding--my own program at the 
George Mason School of Law is one example--but if we are serious about 
using information to fight terrorism and serious about protecting 
privacy while doing so, it is going to require the investment of public 
funds.
             the link between privacy and national security
    I began by describing the tension between privacy and national 
security; I would now like to highlight what TAPAC saw as the essential 
link between the two. Many of our recommendations that may have been 
motivated by a desire to protect privacy, also contribute to enhancing 
security as well. Data minimization, for example, is a key privacy 
tool, but it also helps protect intelligence agencies from being 
overwhelmed by irrelevant data. Tools for data correction are another 
example: data mining with inaccurate data certainly threatens privacy 
and civil liberties, but it also threatens security as well. Any system 
of data analysis that is not concerned with data quality and accuracy 
is likely to compromise both privacy and security.
    Privacy and national security are also inherently linked because 
American values will not accept the latter at the cost of the former. 
Recent protests over TIA, CAPPS II, and other programs have shown that 
the American public will not either. Inadequate, unclear, or uncertain 
privacy laws are slowing the development of new and promising data 
mining programs, they are undermining research into this important 
weapon in the war on terrorism, and they are hampering the very data 
sharing that the 9/11 Commission wisely recommended. Clearing up this 
mess is critical both to protecting our privacy and to protecting our 
security.
                  the role of the judiciary committee
    TAPAC took no position on which committee in Congress should take 
the lead on this vital effort, but I believe the Committee on the 
Judiciary is an ideal choice. The issues involve come within the 
jurisdiction of many committees--Armed Services, Intelligence, 
Commerce, Ways and Means, and others--but the foundational issue that 
cuts across all of these different settings is the constitutional and 
legal framework applicable to data mining. That is the fundamental 
question--the starting place for all other analysis. That is your turf. 
And I assume that is why you have called these important hearings 
today.
                               conclusion
    Throughout Washington, throughout the nation, citizens are lining 
up to be searched before entering federal buildings or boarding 
aircraft. The mail is delayed so it can be scanned. Luggage is x-rayed 
and rummaged through. Roads are closed, entrances blocked with concrete 
barricades, access to public resources denied. Surveillance cameras and 
identity checks are replacing anonymity. The result is not just 
inconvenience or annoyance, it is a vast toll on our economy and 
productivity and a profound intrusion on our privacy and most basic 
civil liberties.
    Think of the effect on government. The threat of terrorism has 
turned the People's House into an armed citadel. The Capitol, the very 
heart of democratic government, is under siege, and with it our 
privacy, liberty, and most cherished values.
    Data mining--as both the 9/11 Commission and TAPAC noted--is a 
vital weapon in the war on terrorism. It poses grave risks to privacy, 
but there are numerous steps, many (but certainly not all) of which are 
outlined in the TAPAC report, that can reduce or eliminate those risks. 
Those steps may not only protect privacy, but also enhance security as 
well. More importantly, when pursued effectively and subject to 
appropriate safeguards, data mining may threaten privacy and civil 
liberties far less than the other tools on which we rely so heavily and 
so regrettably today.
    Thank you.

                               ATTACHMENT





    Mr. Cannon. Ms. O'Connor Kelly.

TESTIMONY OF NUALA O'CONNOR KELLY, CHIEF PRIVACY OFFICER, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Ms. O'Connor Kelly. Chairman Cannon, Ranking Member Watt, 
Chairman Chabot, Ranking Member Nadler, Members of 
Subcommittees and distinguished colleagues on the panel, it is 
my great honor to be before you on behalf of the United States 
Department of Homeland Security's Privacy Office, which I am 
privileged to lead as the Department's first Chief Privacy 
Officer.
    I am pleased to offer my reflections on the findings and 
recommendations of the 9/11 Commission Report and also on the 
Report of the Department of Defense, TAPAC, particularly as 
they relate to the privacy of individuals.
    As the first statutorily-mandated Privacy Officer in the 
Federal Government in a role that provides both investigative 
oversight and policy advice, I am keenly aware of the 
challenges presented by the Commission's role. In every 
respect, the 9/11 Commission has met those daunting challenges 
admirably, and I know I join every American in thanking them 
for their work.
    The Report teaches us that one of the reasons the United 
States failed to prevent the September 11 attacks was its 
failure to think creatively.
    As the Commission's work points out, our future requires 
new and creative modes of thinking and demands that we 
institutionalize new and imaginative mindsets within the very 
culture and structure of our Federal Government. Most 
importantly, we must perform our tasks in a manner that 
respects the privacy, the dignity and the personal freedoms of 
each individual in the United States.
    Just as the Commission recommends institutionalizing 
imagination, we at the Department of Homeland Security have 
already begun operationalizing privacy awareness within the 
very culture of our organization. This has meant both 
responding to privacy complaints from within and outside the 
Department and actively raising privacy awareness across each 
of our directorates.
    We have crafted privacy training and privacy policies for 
many of our new programs, ensured that the statutorily-required 
privacy impact assessments and system of record notices are 
written and reviewed, and counseled DHS officials regarding the 
effective and responsible uses of new technologies.
    Outside of our organization, we have reached to advocacy 
groups, to our partners in the European Union and throughout 
the world and to the general public for input and guidance on 
our programs. We are vigorously pursuing our statutory mission 
of ensuring that the Department's technologies and programs 
sustain, and do not erode, privacy protections relating to the 
collection, use and disclosure of personal information.
    No one has been a greater champion in these efforts than 
Secretary Tom Ridge, who from the very inception of our 
Department has recognized that privacy is a vital thread that 
runs through the fabric of the United States. Privacy is a 
value today that we seek to protect, as we protect both the 
tangible and intangible assets of our country through all of 
our endeavors at the Department.
    I wish to thank Secretary Ridge and also Deputy Secretary 
Loy and commend them for their leadership and active support of 
my role and for the efforts of the DHS Privacy Office, 
including our more than 430 Privacy and Freedom of Information 
Act specialists throughout the Department.
    The wisdom that Congress demonstrated when it mandated a 
Chief Privacy Officer and an integrated Privacy Office within 
the Department of Homeland Security represents precisely the 
kind of bold and creative thinking that will be demanded of our 
leaders and policymakers in the post-9/11 world. As the United 
States transforms its Federal intelligence and law enforcement 
communities, operationalizing privacy protections across the 
Federal Government, it is imperative that we sustain this 
dialogue among policymakers, technologists, intelligence 
professionals, law enforcement officials and also the private 
sector.
    The Commission's recommendations raise a number of points 
that are crucial to bear in mind as we move ahead in this new 
process. The Commission points out that the choice between 
security and liberty is a false choice. We as a Nation must 
abandon the pessimistic and misguided notion that in order to 
be safe we must sacrifice the privacy of our personal 
information. The Department of Homeland Security's Privacy 
Office has worked tirelessly to demonstrate that the dichotomy 
between liberty and security is a false one by working in 
partnership with program and policy personnel to embed privacy 
within successful security initiatives from the very beginning.
    As we seek to combine information in new and creative ways 
in the Federal Government, we must also establish and enforce 
concrete safeguards that prevent the Federal Government from 
exceeding its boundaries. As the Commission correctly points 
out, the burden should be on policymakers to prove that any new 
power granted to the Government is accompanied by adequate 
guidelines and oversight to properly confine its use.
    The Commission's report findings heavily underscore the 
need to abandon the compartmentalized structure of our 
intelligence bureaucracy that existed before 9/11 and move to a 
more integrated system. Congress should permit agencies to 
share and disclose information collected for counterterrorism 
purposes if such sharing and disclosure is necessary and 
appropriate to achieve a security function. However, agencies 
should also demonstrate an adherence to privacy principles and 
fair information practices, including educating employees about 
the purposeful and responsible use of information.
    A final matter is the recommendation of the Commission that 
the President appoint a board within the executive branch to 
oversee adherence to these guidelines and recommend the 
commitment the Government makes to defend its civil liberties.
    We are keenly aware in our office of the benefit of having 
a central, coordinating privacy authority that is both 
knowledgeable about organizational structures and yet 
independent enough to act as an effective privacy advocate. It 
is one of the greatest challenges and opportunities of our 
office that we serve both outside and inside roles in the 
structure of our agency. The Chief Privacy Officer is appointed 
by the Secretary, but also is a position created by Congress 
and reports to Congress. The dual aspects of this role have 
allowed our office to turn a critical eye on the most 
controversial and also mundane aspects of the Department's 
operations, while offering a supporting hand to our key 
decisionmakers.
    Any privacy oversight body in a sense must also be both 
outside and inside the Federal Government. Any such body must 
combine real knowledge of ongoing activities with real 
authority to confront and prevent abuse. I look forward to 
sharing my own experiences and participating in the public 
dialogue on such a matter in the coming months.
    I extend my deepest gratitude to Chairman Cannon and to the 
Members of the Subcommittee for your oversight and interest in 
our office, and I thank you for your time and attention.
    Mr. Cannon. Thank you, and thank you to all the Members of 
the panel.
    [The prepared statement of Ms. O'Connor Kelly follows:]
               Prepared Statement of Nuala O'Connor Kelly
    Chairman Cannon, Ranking Member Watt, Members of the Subcommittee, 
and distinguished colleagues on this panel, it is an honor to testify 
before you today regarding the 9/11 Commission on behalf of the United 
States Department of Homeland Security's Privacy Office, which I am 
privileged to lead as the first Chief Privacy Officer.
    I am pleased to offer my reflections on the findings and 
recommendations of the 9/11 Commission's report. That Commission was 
charged by Congress and our President with the important yet daunting 
task of investigating this tragic event in our history with an eye 
toward implementing future changes. As the first statutorily-mandated 
Privacy Officer in the Federal Government, and as someone who provides 
both investigative oversight and policy advice, I am keenly aware of 
the challenges presented by the Commission's role. It is a role that 
requires both tenacity and discretion, persistent determination and 
unyielding patience, meticulous attention to detail and perceptive 
understanding of the ``bigger picture''. In every respect, the 9/11 
Commission has met those daunting challenges admirably, and I know that 
I join every American when I commend and thank them for their fine 
work.
    We have heard from the Commission's Report that among the many 
reasons for the United States government's failure to prevent those 
dreadful attacks was a failure to think creatively about the challenges 
we faced and to act upon information we received. In the words of the 
Commission, we suffered a ``failure of imagination''. Looking forward, 
it is clear from the Commission's work that the years ahead will 
require new and creative modes of thinking and will demand that we 
``institutionalize'' new, imaginative mindsets within the very culture 
and structures of our government. Most importantly, we must perform 
these tasks in a manner that respects the privacy, dignity, and 
personal freedoms of every individual who lives in and visits the 
United States. Indeed, years from now, we will be said to have suffered 
yet another tragic ``failure of imagination'' if, while undertaking 
efforts to reform our intelligence community and protect our security, 
we fail to think and act creatively to protect privacy as well.
             one year onward: protecting privacy within dhs
    My firm belief, which has been affirmed by my experiences during 
the past year, is that protecting both privacy and security is well 
within the grasp of our collective imagination. In fact, during my 
first year as the Chief Privacy Officer of our Department, I have 
operated under that very premise, and have worked to ensure that 
privacy and security go hand-in-hand as we carry out our protective 
mission. In much the same way that the 9/11 Commission recommends 
``institutionalizing imagination'', we at the Department of Homeland 
Security have begun instituting and operationalizing privacy awareness 
within the very culture of our organization. We have done so by working 
side-by-side with senior leadership and by ensuring that as programs 
move forward to implementation, they have been carefully and thoroughly 
analyzed for their impact on personal privacy. This has meant 
responding to privacy complaints from inside and outside the Department 
and actively raising awareness of privacy across all of our 
directorates. We have crafted privacy training and privacy policies for 
many of our programs, ensured that statutorily-required Privacy Impact 
Assessments and System of Records Notices are written and reviewed, and 
counseled DHS officials regarding the effective and responsible use of 
technology. Beyond our organization, we have reached out to advocacy 
groups and the general public for input and guidance. Moreover, on the 
international level, we have reached important agreements with our 
partners in the EU and elsewhere, and have participated in fruitful 
discussions with organizations like the International Association of 
Data Protection and Privacy Commissioners. In short, my office is 
vigorously pursuing its statutory missions, including ensuring that DHS 
technologies ``sustain, and do not erode, privacy protections relating 
to the use, collection, and disclosure of personal information.''
    It is not an accident that DHS in its very first year began linking 
the values of homeland security and privacy protection as being 
compatible rather than opposing goals. It was a well thought out 
legislative design, firmly embedded in Section 222 of the Homeland 
Security Act, to reflect fundamental American values. No one has been a 
greater champion of this pairing of values than Secretary Tom Ridge, 
who from the very beginning has set the direction ``from the top'' that 
privacy, matters of individual dignity, and civil liberties define the 
fabric of America that we seek to protect in all of our endeavors at 
DHS. Today, I wish to thank Secretary Ridge publicly and commend him 
for his leadership and active support for the role and efforts of the 
Privacy Office at DHS and the entire Privacy team, which includes more 
than 430 Privacy Act and Freedom of Information specialists who work 
throughout the Department.
         looking forward: privacy across the federal government
    The wisdom Congress demonstrated when it mandated a Privacy Officer 
within DHS represents precisely the kind of bold and creative thinking 
that will be demanded of our leaders and policy-makers in a post 9/11 
world. As the United States transforms its federal intelligence and law 
enforcement communities, operationalizing privacy protections across 
all of government will be more imperative, and more challenging, than 
ever. It will require, first and foremost, sustained dialogue among 
policy makers, technologists, intelligence professionals, law 
enforcement officials, and the private sector. The Commission's Report 
has provided an excellent starting point for that dialogue. Their 
recommendations raise a number of points that are crucial to bear in 
mind as we move ahead in this process.
    First, as the Commission quite correctly points out, ``the choice 
between security and liberty is a false choice''. We as a nation must 
abandon, once and for all, the notion that in order to be safe, we must 
give up our right to keep our personal information private. As the 
recent TAPAC Report concluded, ``The stakes on both sides--guarding 
against attacks and protecting privacy--could not be higher. We must 
not sacrifice one for the other. . . .'' Within DHS, the Privacy Office 
has worked tirelessly to prove this point, and to demonstrate that the 
sometimes perceived dichotomy between liberty and security is a false 
one. As I have said on numerous occasions, the protection of privacy is 
neither an adjunct, nor the antithesis to, the mission of the 
Department of Homeland Security. Rather, privacy protection is, in 
fact, at the core of that mission. Likewise, privacy protection must 
also be at the core of our national mission as we devise ways to reform 
and improve our intelligence and anti-terrorist efforts.
    One way that we as a nation can put to rest the perceived dichotomy 
between liberty and security is by unleashing the vast potential of our 
technology. Too often, advances in technology are met with concern and 
trepidation. Yet, just as our technology can be misused to suppress 
privacy, so too can it be used to enhance and protect it. During my 
time as Chief Privacy Officer, I have observed first-hand how 
technology solutions can greatly enhance the privacy of individuals. 
Technical features such as encryption, audit trails, one-way hash 
functions, and tiered access control modules, among others, make it 
possible to analyze information in a way that protects people's safety 
while limiting access to personal information and preserving the 
integrity of data. Moreover, as technologists know quite well, 
information security is paramount to protecting privacy. Therefore, the 
key to ensuring that technologies used by our government sustain and do 
not erode privacy will be to harness the creative energy of those who 
design and implement our technical infrastructures, challenging them to 
devise new solutions that secure and protect our personal information.
                        oversight and guidelines
    Technology and privacy awareness, while important, will not be 
enough to address our current challenges. As we move forward, we will 
also need to establish and enforce concrete safeguards that prevent 
government from exceeding its proper bounds. As the Commission 
correctly points out, the burden should be on policy-makers to prove 
that any new power granted to government is accompanied by ``adequate 
guidelines and oversight to properly confine its use.'' The idea here 
is an important one--privacy protections must be put in place at the 
front-end of our governmental processes when programs are in their 
infancy, rather than later, after privacy abuses and mistakes have 
already taken place.
    The United States has a firm foundation upon which to build 
additional privacy protections. Existing laws such as the Privacy Act 
of 1974, the Freedom of Information Act, and the E-Government Act all 
seek to embed ``fair information practices'' and a general respect for 
privacy into the daily operations of our government. Coupled with our 
Constitutional provisions, these statutes form an essential part of a 
privacy culture that will only become more relevant in the years to 
come. As we build upon this legacy of privacy protection, we must find 
ways to embed these values within the new statutory frameworks that 
will govern the collection, use, sharing, and retention of intelligence 
and other personal information.
    Much of the 9/11 Commission Report's comments in this area address 
the need to integrate and coordinate the data that are collected for 
our antiterrorism efforts more effectively. The Report's findings 
underscore the need to abandon the compartmentalized structure of our 
intelligence bureaucracy that existed before 9/11 and move to a more 
integrated system. It is my view that Congress should permit agencies 
to establish clear parameters for sharing information to protect 
privacy. As some have said, we must move from a ``need to know'' to a 
``need to share''. Establishing reasonable limits on access and 
embedding fair use principles will be important, not only because it 
will protect individuals, but also because it will engender the kind of 
trust in government that is necessary to achieve the cooperation of 
both the public and private sectors. In failing to abide by these 
principles, we risk replacing the problem of ``stove-pipes'', in which 
disparate pieces of information are never adequately integrated, with 
one of ``leaky pipes'', in which personal information is exposed for 
all to see.
       creating an oversight body for privacy and civil liberties
    I would like to address, as a final matter, the recommendation of 
the Commission that the President appoint ``a board within the 
executive branch to oversee adherence to the guidelines we recommend 
and the commitment the government makes to defend our civil 
liberties.''
    I am keenly aware of the benefits of having a central, coordinating 
privacy authority that is both knowledgeable enough about 
organizational structures to obtain information and yet independent 
enough to act as an effective privacy advocate. It has been one of the 
greatest advantages of my position at DHS that I serve concomitant 
roles both inside and outside the structures of our agency. The Chief 
Privacy officer is appointed by the Secretary, but is a position 
created by statute and required to report to Congress. The dual aspects 
of this role have allowed me to turn a critical eye on the most 
controversial and the most ordinary aspects of the Department's 
operations, while also offering a supportive hand to key decision-
makers. I do not see my office as the enemy of the missions of the 
Department. Rather, I see it as crucial to achieving that mission 
successfully.
    Implementing such an oversight position for the entire federal 
government is admittedly a different task, one that would require 
attention to matters of a completely different nature and scale. Since 
the government's response to the 9/11 Commission's recommendations is 
still being formulated, it is too early to say precisely what type of 
body will best address the privacy needs of our Federal Government. 
While the challenges and responsibilities faced by the person or 
persons who undertake this responsibility will be distinct from those 
faced by the Chief Privacy Officer at DHS, I look forward to sharing my 
own experiences and participating in the public dialogue on this matter 
in the coming months.
                               conclusion
    Each and every one of the issues raised by the 9/11 Commission 
regarding the upholding of personal privacy presents a unique but 
highly important challenge to our nation. Facing these challenges will 
require extraordinary imagination. The exercise of that imagination and 
the implementation of the resulting changes certainly will not be easy. 
And yet as Thomas Jefferson wisely noted, ``It is part of the American 
character to consider nothing as desperate; to surmount every 
difficulty with resolution. . . .'' If there is any over-arching lesson 
to be learned from the fine work of the 9/11 Commission, it is 
precisely that. Three years after the 9/11 attacks on New York and 
Washington, and in the memory of those who passed in the fields of 
Pennsylvania, our nation is united in its desire to learn from the past 
by re-organizing and reforming antiterrorism efforts. At the same time, 
we seek to renew our foundational commitment to respecting the privacy 
of each individual, as a matter of law and policy. As the DHS Privacy 
Officer, I work daily to ensure that this sacred commitment--our 
unwavering determination to secure both our liberty and our land--is a 
guiding force behind every decision at the Department of Homeland 
Security. Thanks to the fine work of this Subcommittee, I am quite 
confident that our commitment to the protection of individual privacy 
will continue to guide anti-terrorism efforts not only within DHS, but 
across our entire Federal Government.
    I would like to extend my deepest gratitude to you, Chairman Cannon 
and to the Members of the Subcommittee for your tireless work and 
enduring contribution to our nation. Thank you today for your time and 
attention. I would be happy to respond to your questions.

    Mr. Cannon. I think we are going to proceed by seniority on 
each side of the dais, beginning with the co-Chairman of this 
panel, Mr. Chabot.
    Mr. Chabot. I did mention in my opening statement that I 
have a particular interest in H.R. 338, the Federal Agency 
Protection of Privacy Act, formerly known as the Defense of 
Privacy Act, it is basically the same bill, and I think, 
Senator Gorton and Secretary Marsh, you have both mentioned 
that in your testimony.
    A number of us were very concerned and have been for years 
that too often when regulations or rules were promulgated by 
various agencies that privacy protections of the American 
people too often were kind of an afterthought and were not 
necessarily taken into consideration, and they should be up 
front.
    In essence, what this Act requires is--we all know about 
environmental impact statements--is basically a privacy impact 
statement. What it amounts to is to determine whether or not 
the agency has taken into consideration privacy issues and 
maybe there was an alternative way to be less intrusive on 
those privacy rights, just to make sure we are looking at these 
things ahead of time.
    I actually introduced this back in the 106th Congress; and 
our colleague, Congressman Bob Barr, took it up in the 107th. 
We reintroduced it; and I want to thank my Ranking Member, Mr. 
Nadler from New York, for cosponsoring this and also Chairman 
Cannon for cosponsoring this as well. But it passed in the 
Judiciary Committee back on July 7, so it will be moving 
hopefully to the floor in the near future.
    But I would be interested to hear from the panel members as 
to how they think--and I know, Senator, I think you stated you 
cannot necessarily recommend for or against legislation, but 
how do you think this could potentially impact the issues that 
we are talking about here relative to the 9/11 Commission?
    Mr. Gorton. We in the 9/11 Commission took sort of a self-
denying ordinance, you know, in not going beyond the 
recommendations that we made. We were perhaps as surprised as 
we were delighted that we were able to come out unanimously, 
and that required a degree of self-restraint. So we cannot take 
a particular position on your bill. But we can say it is quite 
consistent. It certainly seems to proceed from the same 
philosophy that guided us in asking for the creation of this 
board to see to the protection of the civil liberties from any 
new powers granted in the war against terrorism.
    Mr. Chabot. Thank you.
    Secretary Marsh, I didn't know if you wanted to add 
anything.
    Mr. Marsh. I believe that it would be helpful to give it 
more of a defense or national security flavor for those 
portions that involve the Department of Defense or the 
Intelligence Community, and they have to be singled out because 
they are going to have to be treated differently. But I think 
it is a step in the right direction.
    If you look at the recommendations of the Committee Report, 
they are very elaborate recommendations on establishing a 
regime or protocol of how to do this, and it involves the 
President of the United States. We are suggesting also 
overview, not because they are not going to do a good job but 
simply to emphasize the importance of what is being done by the 
legislation.
    I think the legislation is a very good starting point, 
Congressman; and I welcome it. It is responsive to one of our 
problems.
    Mr. Chabot. Thank you very much.
    I am probably not going to be able to get into a lot, I 
have 1 minute left, but one of the other areas that I wanted to 
delve into, maybe some of my colleagues will, is one of the 
recommendations of the 9/11 Commission Report that stated, ``At 
this time of increased and consolidated Government authority, 
there should be a board within the executive branch to oversee 
adherence to the guidelines we recommend and the commitment the 
Government makes to defend our civil liberties.''
    I think prior to deciding the structure of an organization 
there must be a clear understanding of that organization's 
mission. So there are a number of questions that I think at 
some point it would be very helpful to get into, such as does 
the 9/11 Commission view the board recommended in the report as 
being limited to examining privacy, or should it weigh in on 
all things related to the nexus between civil liberties and 
Government action, and would the board be charged with 
evaluating security against privacy protections and would it be 
a watchdog or a facilitator.
    There are many aspects that I think we would be interested 
to get into, but my time has already wound up here, so I will 
yield back my time at this point.
    Mr. Cannon. The gentleman yields back.
    Mr. Nadler, would you like to take the next 5 minutes?
    Mr. Nadler. Thank you, Mr. Chairman.
    Congressman Hamilton, Senator Gorton, in your statement, in 
your joint statement, you said that the test, referring to the 
PATRIOT Act and some other things, the test is a simple but 
important one. The burden of proof should be on the proponents 
of the measure to establish that the power or authority being 
sought would in fact materially enhance national security and 
that there will be adequate supervision of the exercise of that 
power or authority to ensure protection of civil liberties. It 
is sort of a but-for test: but for this power, would we be less 
safe?
    This Committee has repeatedly asked the Attorney General 
that question with respect--or at least some Members of this 
Committee have repeatedly asked the Attorney General that 
question with respect to various provisions of the PATRIOT Act, 
and we have been unable to get any specific responses.
    In other words, if this power which the PATRIOT Act grants 
had existed pre-9/11, would--if that power had existed pre-9/
11, would it have made a difference in preventing 9/11, for 
example, in your opinion? We have been unable to get any 
answers on that.
    So my question is, in light of that experience, with 
respect to the privacy board or privacy officers you are 
proposing, what steps do you think that we need to take to 
ensure that these officials, one, are independent; two, are 
able to get the information that they need to get in order to 
do their work--information, as I said, this Committee can often 
not get; and, three, that they have the clout needed to have an 
impact?
    Mr. Hamilton. Well, Mr. Nadler, those are difficult 
questions to answer because they really go to the power of the 
Congress to conduct effective oversight. And my view, I guess 
not the Commission's view--I shouldn't try to speak for the 
Commission at this point--but I am very concerned about the 
lack of robustness, if you would, or aggressiveness, in 
congressional oversight today.
    We did not try to get into the specifics of the PATRIOT 
Act, except with regard to the one provision on the wall of 
separation, but we did suggest this test for any official, and 
that is as deeply as we went into it.
    When the executive does not respond to the Congress--and, 
incidentally, we hear that complaint often in our appearing 
before different Committees. It appears to me that the problem 
is quite pervasive in the executive-congressional relationship. 
It is not anything that is new. It goes back for a good many 
years.
    I think there is a lot of timidity in the Congress with 
regard to its exercise of oversight and, at the end of the day, 
they are only going to pay attention to you if you have budget 
authority with them.
    Mr. Nadler. That brings up the real question I am asking, 
which is not simply--I think that this Congress has been very 
timid in exercising oversight, too, but that is really a 
separate issue.
    My point was that we have been unable to get the 
information, and in light of that experience, if we are to 
establish this privacy board, these privacy officers that you 
are recommending, what do we have to do to make sure that they 
can get the information that we have not been able to get, that 
they can get information that they need once we have 
established that they are independent and that they have the 
clout? What powers do we have to give them, what authority do 
we have to give them to make sure they can do the job that you 
are outlining for us?
    Mr. Hamilton. Mr. Nadler, we simply did not try to get into 
the details of the powers that the board would have.
    You mentioned I think a moment ago that Congress has to 
fill in the details, and this is a major detail that you would 
have to fill in. My own personal view is the board should have 
quite robust powers. But the important thing here to recognize 
is that what we have recommended calls for a great deal of 
Government intervention and strengthening of Government powers 
over individual lives. That is just inherent in 
counterterrorism policy. You are greatly expanding the role of 
Government when you are fighting terrorists, and we think it is 
necessary because of the threat.
    Mr. Nadler. Could I have 1 additional minute?
    Mr. Cannon. Without objection.
    Mr. Hamilton. You have to have some check on that 
expansion.
    Mr. Nadler. Which brings me to the other question I wanted 
to ask, and that is an internal board cannot take the place, in 
my opinion, of meaningful court oversight, so to what extent do 
you think--so Secretary Marsh is probably the better person to 
ask this question to--to what extent should there be court 
judicial review of the actions or lack of actions of this board 
or these privacy officers?
    Mr. Marsh. Well, we recommend that there be oversight 
internally and that the oversight will be in the courts. We 
feel that court review at various junctures of this is a very, 
very powerful method of protecting----
    Mr. Nadler. So it shouldn't be an arbitrary and capricious 
standard. You should have better access?
    Mr. Marsh. We insist on access to the FISA courts wherever 
you are dealing with a U.S. person.
    Mr. Cannon. The gentleman's time has expired.
    Mr. Nadler. Thank you, Mr. Chairman.
    Mr. Cannon. Do you want another minute or two?
    Mr. Nadler. I would.
    Mr. Cannon. Without objection, the gentleman is recommended 
for an additional 2 minutes.
    Mr. Nadler. Senator Gorton seems to be interested in 
answering this, too. The question I would like you to address 
is, the courts should have oversight, but very often, in fact, 
even usually, the courts' oversight of administrative agencies 
is limited to an arbitrary and capricious standard, which means 
that what the agency does generally goes, unless their conduct 
is really egregious. Should we establish some other standard 
for reviews and give the courts more power, in effect, to 
second-guess what this board or these privacy officers might do 
or not do?
    Mr. Gorton. Mr. Nadler, I have three points in answer to 
your very good question.
    First, in the two areas, really both relating to the wall 
and on which we did express an opinion, that portion of the 
PATRIOT Act met the tests that we had set out. That was number 
one.
    Number two, you all, in your wisdom, of course, passed the 
PATRIOT Act with an expiration date.
    Mr. Nadler. Part of it has an expiration date.
    Mr. Gorton. At least as far as that part is concerned, you 
have the ultimate power. The Justice Department, obviously, is 
going to have to answer your questions, or you are going to 
have to lie down and ignore a failure to do so. But that is 
probably the greatest single power that you reserved to 
yourself, to see to it that you as the Congress get----
    Mr. Nadler. But the privacy officers and this board are not 
going to have to the power to do this. What do we give them?
    Mr. Gorton. We recommended the creation of a board that 
could protect these rights. As Lee said, we have not gone into 
all of the details as to where it should be. Some the Members 
thought it ought to be in the Department of Justice. I think, 
given your questions, you are probably inclined to believe that 
it ought to be an independent agency or board.
    Those are decisions for you all to make, as are the 
decisions as to the degree of the review for it or the right of 
an individual to sue outside of the system with respect to the 
law.
    Mr. Nadler. I am less concerned where we put it than what 
powers they have, how independent it is, and how we can enforce 
the executive branch to comply with the decisions it makes.
    Mr. Gorton. It should be independent, and it should be 
powerful enough so that it gets listened to.
    Mr. Nadler. Thank you. Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman yields back.
    I hope the panel and also the Members of the two Committees 
will consider that, in dealing with these details, we may not 
have enough information. We may need to be considering a 
commission that will help us think through some of the details, 
because I share the concerns of the gentleman from New York on 
how we go about this.
    The gentleman from Arizona, Mr. Flake, is recognized for 5 
minutes.
    Mr. Flake. I thank the Chairmen, both Mr. Chabot and Mr. 
Cannon, for organizing this hearing and the witnesses for 
coming.
    I want to thank the 9/11 Commission for its particular 
focus on secure sources of identification. That has been 
something that I have been concerned about for a couple of 
years. I introduced legislation last year, H.R. 3461, to 
require States, if they want their State driver's license used 
as a form of Federal identification, or identification for 
Federal purposes, that there have to be some kind of standards 
there. Because, as it stands, if a State like California 
doesn't use the same kind of standards or uses lax standards, 
it doesn't affect just the citizens of California, it affects 
all of us, because it is used increasingly as the closest form 
of a national ID as we have. When it is used for air travel and 
other things, there is certainly a Federal nexus there.
    We also have created more of a Federal nexus when we allow, 
with the Help America Vote Act, an individual State to allow 
them to use a driver's license as a form of identification to 
register to vote. So there is a Federal nexus here, and I am 
pleased with the Commission's focus on this.
    I would just like to get your thoughts on it and how 
quickly we ought to move to that. My bill specifically says if 
a State wants its drivers' licenses used as a form of Federal 
ID, it has to have some kind of standard.
    You have also talked about standards for birth 
certificates, because those are the sort of breeder documents 
that are then used to secure these forms of ID. Can you give 
some elaboration on those things? Mr. Hamilton?
    Mr. Hamilton. Mr. Flake, thank you for the question.
    I think we do suggest in our recommendations that there be 
Federal standards applied to these identification documents, 
birth certificates, driver's licenses and a lot of other 
things. That has to be seen in a broader context, and the 
context is that we need, we believe, a modern border 
immigration system. You have to look at all the ways that 
people get into the United States, and you need to stress 
biometric exit and entry systems. You have got to give these 
officials that check people coming into the country, whether it 
is by land, sea or air, access to information with regard to 
visitors and immigrants.
    You have to have in your Intelligence Community the ability 
to look at the indicators of terrorist travel. Terrorists have 
to travel a lot. You have to develop an exchange of information 
with other countries so that you can make, for example, a real-
time verification of passports, and you are going to have to 
involve a lot more local and State officials.
    Now, all of those things go together with what you are 
talking about; and the secure identification of U.S. citizens 
becomes very, very important in letting the right people in and 
keeping the bad people out.
    Mr. Flake. What I found was quite striking as well. In 
Arizona, my 16-year-old son just went and got his driver's 
license. His driver's license is good, I think, until he is age 
65. He can get a driver's license theoretically, and he did, 
for 44 years.
    Now, somebody entering the country, for other States to do 
this--gratefully, Arizona does this right. It doesn't anymore 
offer a driver's license for a period longer than the 
expiration of a visa. But only 11 States operate that way.
    In other States that offer--and I don't know how many will 
allow you to get a 44-year license, but if you come on a 
student visa for 6 months or a year or 2 years, you can get a 
license for up to 20 or 30 or perhaps even 44 years, and there 
is your de facto ID. And we know that two of the terrorists on 
9/11 had overstayed, yet they had licenses from States that 
existed for longer than their visa.
    Senator Gorton, do you feel that is an important part as 
well, to ensure that a driver's license, because it is used as 
a form of Federal ID, if you will, not be issued for a longer 
period than the stay of the visa?
    Mr. Gorton. Well, again, the Commission didn't judge that 
specific idea. We did speak, as Lee has said, to birth 
certificates and driver's licenses, because driver's licenses 
are the most common form of identification and our 
concentration was on having uniform standards for them. You are 
talking about a form of uniform standards, at least.
    We are concerned not so much about their length, though 
that is an important consideration, as their validity, as 
really identifying who a person is. That is where our 
concentration lies.
    Mr. Flake. Thank you.
    Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman yields back.
    I am quite certain the gentleman from Iowa, when he has the 
opportunity to speak, is going to be concerned about that 
issue, as I think many of the members of this panel are.
    Mr. Scott, would you like to take 5 minutes?
    Before you do so, let me just point out that the Ranking 
Member has graciously agreed to defer in the event that others 
have to leave. So we have not skipped over Mr. Watt, but he has 
been gracious in letting others go first.
    Mr. Scott.
    Mr. Scott. Thank you, Mr. Chairman.
    Mr. Hamilton, with the extra powers for information 
gathering, wiretapping, data mining and whatnot, did the 
Commission limit these extra powers to terrorism-related 
investigations? The PATRIOT Act was not limited to terrorism, 
and some of us had some concerns about that. Had it been 
confined to terrorism, it might not have been as controversial. 
These extra powers may be extended to any kind of criminal 
investigation.
    Mr. Hamilton. Well, Mr. Scott, our focus was on terrorism, 
and when we recommended, as we do in several places, an 
expansion of Government power, we were limiting it to 
terrorism.
    Mr. Scott. Do I understand that you did not recommend a 
national ID card?
    Mr. Hamilton. We did not.
    Mr. Scott. The no-fly lists have obviously been over-
inclusive from time to time, as the recent situation with 
Senator Kennedy is just one of the most recent examples. How 
many false positives should we be tolerating before we--I guess 
the more people you stop and keep off the plane, the more 
likely it is that one of them might actually be a terrorist. 
What kind of tolerance should we have for these false 
positives?
    Mr. Gorton. Well, you know, our goal should be no false 
positives. But one of the reasons that we were so interested in 
this subject is that on 9/11 the FAA's no-fly list had 16 or 18 
names on it. That is all. Part of our reason for a National 
Intelligence Director and a National Counterterrorism Center, 
was at the same time the State Department had a list of several 
thousand people that it suspected to be terrorists and the FAA 
didn't even know that the list existed. They learned about it 
at one of our hearings earlier this year.
    So we do think that there should be an integration of valid 
terrorist information about the methods that these terrorists 
used to attack the United States. But it is obviously wrong to, 
you know, confuse one name for another. Just because there is 
one bad guy named Edward Kennedy doesn't mean Senator Kennedy 
should be kept off. We have got to be very careful, it seems to 
me, to see to it that the lists are real lists that identify 
real people and don't have a significant number of false 
positives.
    Mr. Scott. Thank you.
    Secretary Marsh, a lot of the data mining information went 
to the level of personalization of the lists and the 
information but didn't really go to the kind of information 
that we are talking about. What kind of information can be 
obtained in this data mining? Are we talking about, I guess, 
library records, travel records, credit, medical? Exactly what 
are we talking about?
    Mr. Marsh. The databases actually can cover a very broad 
range of different subjects. They could cover travel, they 
could cover finance, they can cover possibly health records, if 
you get an exception.
    The data mining is an accepted and very effective process. 
It is not new. We did data mining with fingerprints and law 
records years ago, but it is now so sophisticated because of 
computerization and it can reach so far and it reaches across 
boundaries and it can be international.
    What we need are methodologies, and I think a number are 
being developed, whereby we can confine those lists very 
quickly and minimize what we have to have, and then anonymize, 
so there is no disclosure of who you are looking at until you 
reach the point.
    Mr. Scott. One of the things we had--I am not sure what the 
status of it is now--the FBI guidelines used to be that you 
wouldn't gather information unless you were actually 
investigating a specific crime or had some specific 
investigation. You just wouldn't gather information.
    Mr. Marsh. I believe that was in law enforcement, wasn't 
it?
    Mr. Scott. Well, are we mining this data just for 
generalized----
    Mr. Marsh. That which is done--defense criteria on data 
mining is different than law enforcement. But in defense that 
is done toward a specific objective, and inside the NSA you 
will find that they are very specifically oriented. I think 
there are 650 million intercepts a day that are filtered 
through. But they are very specific; and they are looking at a 
suspicious, threatening person and using a general pattern 
search to try and find that person.
    Mr. Cannon. Does the gentleman desire additional time?
    Mr. Scott. Could I follow through on that, Mr. Chairman?
    Mr. Cannon. Without objection, the gentleman is recognized 
for an additional 2 minutes.
    Mr. Scott. Thank you.
    Well, are we looking after a specific person to track him 
down in terms of travel and who he is contacting? Still, you 
are looking at one specific person, not just going into a 
database and seeing what pops out.
    Mr. Marsh. Right. Correct.
    Mr. Scott. So you mentioned in law enforcement we are 
relegated to waiting until you are actually investigating a 
crime. In this case, are you just gathering information?
    Mr. Marsh. For intelligence purposes, yes.
    Mr. Scott. Is this United States citizens?
    Mr. Marsh. A United States citizen comes under a court 
order.
    Mr. Scott. So you have to have particularized suspicion.
    Mr. Marsh. That is right.
    Mr. Scott. And probable cause.
    Mr. Marsh. All the rules change when you have a U.S. 
person, which is a United States citizen, a permanent foreign 
resident or a U.S. Corporation that is not foreign controlled.
    Mr. Scott. Thank you, Mr. Chairman.
    Mr. Cannon. The gentleman yields back.
    I guess we are at Mr. Forbes. Would you like to be 
recognized for 5 minutes?
    Mr. Forbes. Thank you, Mr. Chairman.
    Mr. Chairman, I would like to echo what you said earlier 
about the privilege that we have to be with such a 
distinguished panel and also to appreciate the comments of the 
Ranking Member today.
    We have had a number of hearings in different Committees, 
and there have been some individuals who have run out to press 
conferences or made comments in the Committees about why we 
weren't just enacting all the recommendations without hearings. 
I think the comment that said that before we go anywhere we 
need to understand what the recommendations are and the 
ramifications of those recommendations is so true, and I thank 
you all for being here today and your patience in helping us do 
just that.
    Let me go to my fellow Virginian for a question. Mr. Marsh, 
I would like to follow up on what Congressman Scott was saying. 
The first question I would have is so many people today are 
telling us that the only way we can have an adequate defense is 
to do some sort of risk assessment, some sort of risk 
assessment where we are concentrating our defenses, because we 
just have so many vulnerable areas, so it would be impossible 
to cover them all. Can we be effective in that risk assessment 
if we are not doing an effective job with data mining?
    Mr. Marsh. The panel concluded that data mining is an 
absolutely essential tool for a counterterrorist program but 
that data mining program must be formalized, it must be 
established, it must be controlled, it must have procedures, it 
must be audited, and, if you are dealing with U.S. citizens, 
you must use the FISA court.
    Mr. Forbes. Recently, we had a private citizen--that it was 
determined through the use of open-source information that a 
U.S. National Guardsman was plotting terrorist activities on 
his fellow soldiers. This was, obviously, a very ingenious way 
to find a terrorist before they could commit a terrorist act. 
Could you tell us if the TAPAC recommendations limit data 
mining for open source information?
    Mr. Marsh. No. Not completely, no.
    Mr. Forbes. They wouldn't.
    One final thing. Do we have any idea what foreign countries 
are doing right now with data mining and how they are utilizing 
it? I am sure you studied that and analyzed that.
    Mr. Marsh. There are significant private efforts offshore. 
Some of their programs are more strict and stern than ours. I 
believe the oldest is--I may be mistaken here, somebody help 
me--is Sweden.
    What you have touched on, Mr. Congressman, a concern that 
exists in this community with this technology is that we have a 
lead, and we must maintain that lead, and there are abilities 
possibly by others to overtake us in that technological lead, 
and staying--staying in that lead is absolutely essential.
    One of the recommendations of our panel is research on data 
mining that does not necessarily mean go do data mining but do 
the research to find what you can do, what are the capabilities 
you can achieve by doing it, simply in order to maintain a 
supremacy and lead, which we think in this struggle is 
absolutely essential.
    Mr. Forbes. We found the same concern, as you know, with 
biological weapons. Because we had stopped a lot of our 
research on creating some of those weapons, so the counter to 
that was we also had stopped our research on the defense of 
those weapons. As you mentioned, this is a technological edge 
that we could lose in a matter of months if we are not careful 
in how we are handling that.
    Mr. Marsh. It is my recollection that this very fine report 
talks in terms of addressing these research programs to achieve 
some of these ends, if I am not mistaken.
    Mr. Hamilton. Yes, we address that in very general terms.
    Mr. Forbes. Mr. Chairman, thank you very much. Thank you.
    Mr. Cannon. The gentleman yields back.
    I think that Mr. King is next in line. The Vice Chairman of 
the Committee is going to be penultimate or next to 
penultimate. But, Mr. King, you are recognized for 5 minutes.
    Mr. King. Thank you, Mr. Chairman. Again, I thank you for 
holding these hearings today and also Chairman Chabot.
    I appreciate the testimony of the panelists. I know you put 
a lot of hours and days into this endeavor and this interesting 
report that brings some solid recommendations out, and I have 
some questions about a number of those.
    I reflect back, though, across some of the other questions 
and testimony, and Congressman Flake made mention of the Help 
America Vote Act. I would just point out there is not a 
requirement for a picture identification to be presented at 
this point. So there is an allowance there for a poll worker to 
request identification, but not a requirement. So when it comes 
to voting, we don't have any more credibility there than we 
have sometimes getting into the United States. Both of those 
things are important.
    With the passport exception for the Western Hemisphere, one 
can come into the United States from any Nation in the Western 
Hemisphere, other than Cuba, alleging to be a United States 
citizen, simply by making, and I believe the language, 
statutory language, is a credible allegation of citizenship. If 
it were not for that, I might still be in Jamaica, by the way, 
and that is how I know that law. That might not be so bad. And 
I hear your recommendations on tightening that up.
    With regard to Congressman Flake's questions, I would also 
add this point that I would associate myself with the remarks 
of Congressman Hamilton with regard to the security. I direct 
my first question to you, Congressman Hamilton--would you 
consider a biometric Social Security card to be a national ID 
card?
    Mr. Hamilton. I don't think we tried to make those kind of 
judgments. We on the Commission were no experts on this whole 
field--and it is a difficult one--of biometric measures, and we 
did not address that.
    Mr. King. Thank you. I wanted to make just a few remarks on 
the security of our borders and how we might tighten that up. 
But I really would focus my interests instead, because I think 
we have a gap in our focus here, on where these recommendations 
of the Commission might go. Some of the statements that were 
made and some of the language causes my curiosity to be piqued.
    The failure to think creatively I recognize that, and I 
agree with that. But we have a Commission recommendation to 
bring this all under one leadership, one voice, and you looked 
at MI-5 and stepped away from that because it was a higher 
probability of violating privacy and individual liberty. So the 
soaring rhetoric of--let me see, what was that word I was 
looking for--the institutionalization of imagination, it 
captures my imagination.
    I would like to be able to institutionalize imagination. I 
would like to be able to inspire that in all the people that 
can think outside the box and think creatively, and I would 
like to find a way to root out some of the linear thinkers 
within our intelligence departments and replace them with 
creative thinkers. And yet, if I were going to form an 
organization that would be shaping group-think, I would want to 
have one person at the top, all information underneath there. I 
would want to have control of the budget and the hiring and 
firing process, and I would just about bet you if you put me at 
the top of that, I could create group-think within that 
organization. I might even do it without wanting to do so.
    So my concern is that we end up creating an organization 
that does exactly what we are trying to avoid, and I direct my 
question or request for a response for that remark to Ms. 
O'Connor Kelly first.
    Ms. O'Connor Kelly. Well, I would have to defer to the 
experts on the 9/11 Commission, as I am not the expert on the 
Intelligence Community.
    Mr. King. You are the institutionalization of imagination 
though, and I that is why I went to you.
    Ms. O'Connor Kelly. Sure. Absolutely. And I think we were 
quoting language from the report. I think there are so many 
different ways we can create privacy oversight and privacy 
values in the Federal Government. We can look not only at our 
experience with the Department of Homeland Security and having 
a Privacy Office within the ministry or the Department, we can 
look internationally at the creation of privacy czars, privacy 
commissioners, data protection officials throughout the world, 
many of which sit as part of the Federal service but outside of 
any Federal agency. We can certainly look at our own history 
with privacy commissions in previous decades.
    So I think that point is an excellent one. You can't 
legislate creativity. That is precisely a very good point. But 
you can create bodies that will be both self-analyzing and also 
create oversight structures within and outside the Federal 
Government that could hope to create the kind of value 
structure that you are all talking about today in protecting 
privacy and respecting individuality, while also achieving the 
security mission.
    Mr. King. Mr. Marsh, would you comment?
    Mr. Marsh. Congressman, I think the real danger in your 
bill, in our recommendations, is that they will go through some 
sort of baptism of bureaucracy and they will become very, very 
bureaucratic, and instead of doing the innovative, creative 
things that they need to do. I think we need to avoid the 
creation of a bureaucracy there, and that is going to depend on 
the leadership. Because the nature of these types of programs 
are regulatory, and my experience has been with regulatory 
things you get into, actually, a very helpful and useful 
bureaucracy, but I am not sure that is the goal you are driving 
for here.
    Mr. King. Mr. Chairman, could I ask unanimous consent for 
an extra additional minute?
    Mr. Cannon. Without objection, so ordered.
    Mr. King. Thank you, Mr. Chairman.
    I would just direct my question to Senator Gorton then. Did 
you examine the successes, the historical successes of 
intelligence, as you put these recommendations together?
    Mr. Gorton. The answer to that question is, yes, of course 
we have had successes in our intelligence during the course of 
a 45-year Cold War. But I think I would really like to answer 
your previous question, if I may.
    We have had a decentralized system. We have had an FBI that 
didn't talk to the CIA, and a CIA that didn't talk to the 
Department of Defense intelligence agencies. Decentralization's 
ultimate reward was 9/11. What we are trying to do is to cure 
9/11. And this is not to say that there wasn't imagination. I 
think there was a great deal of imagination on the part of the 
FBI agents in Arizona. I think there was imagination on the 
part of those who arrested Moussaoui. I think similar things 
have taken place in the CIA. But, in many cases, they didn't 
even get to the top of their own agencies, much less anyone in 
authority, say, in the White House, who could get the benefit 
of that imagination.
    Our recommendations for a National Counterterrorism Center 
and for the National Intelligence Director are so that there is 
a focal point, someone who is entitled to get all of the 
information, say, on counterterrorism that comes up from each 
of these agencies, put that work together, task them to do 
things to fill in gaps or to fill in holes, and have it there 
before the National Security Council, before the policy centers 
so they can act on it.
    If you read our report through, I think you will join me in 
saying we had a couple of presidents who had to be frustrated. 
They just weren't getting the information that they needed from 
this current stovepipe system where people were hugging onto 
bits of information they got, rather than using them and 
sharing them.
    Mr. King. Did any agency get it right?
    Mr. Cannon. Would the gentleman like an additional 2 
minutes?
    Mr. King. One would be plenty, Mr. Chairman.
    Mr. Cannon. Without objection, so ordered.
    Mr. King. Did any agency get it right?
    Mr. Gorton. Well, if you say did any agency get it right in 
a way that prevented 9/11, of course, the answer to that 
question is an obvious no.
    Did the FBI get it right when it prosecuted those who 
perpetrated the first World Trade Center, yes, they did, 
treating it as a law enforcement matter. But then there was 
this wall. They couldn't talk to one another with their 
intelligence people, and that clearly contributed to 9/11.
    Mr. King. Thank you very much.
    Mr. Hamilton. Mr. King, some agencies got it more right 
than others. The CIA understood the threat of terrorism as well 
as anybody. They spoke about it; and in 1998 the Director of 
the CIA said, we have got a war going on here. The only problem 
is, nobody paid any attention to him. Nobody even within the 
CIA paid any attention to him, and the other intelligence 
agencies didn't pay any attention to him.
    If you want a competition of ideas, which your question 
suggests, you have got to have a free flow of information, and 
that is what we didn't have. If you want group-think, it is the 
status quo that developed group-think. And what we are 
suggesting, I believe, is more vitality, more information in 
the system, which I think will bring about more competitive 
analysis.
    Everybody wants more competitive analysis in theory; not 
everybody wants it in practice. But if you increase the flow of 
information from foreign intelligence and defense intelligence 
and homeland security intelligence and if you increase the flow 
of information from the CIA and the NSA and the NGA and the NRO 
and all of these other agencies that you have that now collect 
intelligence but keep it to themselves, or at least they did 
prior to 9/11, I think improvements have been made since 9/11, 
but what we are trying to do is, to pick up one your words, is 
to institutionalize all of this, to get more information 
flowing through the system.
    We are certainly not trying to put all of the power in the 
National Intelligence Director so that that director controls 
what becomes the intelligence product.
    Mr. King. Thank you, Mr. Chairman.
    Mr. Marsh. Mr. King, in reference to your earlier 
question----
    Mr. Cannon. Mr. Marsh, we have had a note from the C-SPAN 
people. Many of you are not speaking closely enough into the 
mikes. I think, Mr. Hamilton, you have been doing that, so I 
didn't interrupt. If you would pull that mike closer to you.
    That is much better.
    Mr. Marsh. In order to make those sorts of regulatory 
efforts effective, you need to place a burden on the most 
senior officials of the Department--I am talking about the 
Secretary--and you need to establish a role for the President 
to have a responsibility, and then you need to have your senior 
people come in here and respond to your Committee as a form of 
oversight and as a form of legislative audit. Then I think you 
will see the system will function much better.
    Mr. King. Thank you.
    Mr. Cannon. The gentleman yields back.
    The gentleman from Florida, Mr. Feeney, is recognized for 5 
minutes.
    Mr. Feeney. Thank you, Mr. Chairman, for these hearings.
    Mr. Marsh, along those lines, I have read the TAPAC report. 
It is very well done. But the first seven of your 12 
recommendations rely totally on the good will of the Secretary, 
and it is only the executive branch and congressional oversight 
that is addressed in your last five recommendations that will 
make sure future secretaries in not just this but other 
agencies will not just be dependent on goodwill. I would like 
to get back to that in a minute.
    But the other report that is fascinating is the 9/11 
Report, and I really commend the entire Commission represented 
here today by Senator Gorton and Congressman Hamilton. It is 
not just the detail and the breadth and the extraordinary way 
that you have addressed a host of wide-ranging issues, but it 
also I think puts you at a new standard of literary work for 
Government reports. It really is an animated way to deal with 
the technological and historical issues that led up to 9/11 and 
the terror we experienced on that day.
    I have to tell you that I might be the only Member here 
that in the midst of a hurricane had a flashlight out because I 
couldn't put down the book. It is not Hemingway or Shakespeare, 
but I think Arthur Conan Doyle would be proud of what you have 
done.
    Mr. Hamilton. Put it right up there with Harry Potter.
    Mr. Feeney. Yes, and, unfortunately, I don't think you will 
receive any of the commissions for that.
    But, having said that, Congressman Scott talked about some 
very interesting issues earlier, and he sort of drew the line 
between citizens and noncitizens and the right to access, to 
courts, et cetera. But it seems to me one of the things your 
report touches on is the huge difference in kind, not degree, 
but difference in kind between fighting crime and fighting 
actual intelligence threats.
    What we do with respect to bank robbers is put 99 percent 
of our resources into capturing, prosecuting and then punishing 
the bank robber. That model doesn't work when the next plane 
could be full of biological, chemical or nuclear weapons. I 
think that is something Americans have to understand. We are 
dealing with a difference, not in degree, but of kind, in the 
way that we fight these things.
    Much has been made of the stovepipes, and Congressman 
Hamilton just talked about the critical nature of the free flow 
of information internationally and then across Federal agency 
lines. I don't find much in your report on the recommendations, 
and I heard very little emphasis on the free flow of 
information to State and localities.
    The last time the continental U.S. was attacked by a 
serious foreign threat was 1812 when the British burned down 
our Capitol. We now have for the first time since 1812 State 
law enforcement, we have got sheriffs, we have got police 
chiefs, we have got fire departments, we have the private 
sector, people that run flight schools in Florida, for example, 
that have got to be part of the information flow, both from the 
local level up, because they are really your largest set of 
eyes and ears about imminent threats.
    Then, of course, the other way, you have to be able to 
share information. Along those lines, a lot of States have 
privacy protections that are, for example, in Florida, built 
into our Constitution. We have an explicit privacy clause.
    So I would like, Mr. Marsh, as you talk about data mining, 
and also the Senator and the Congressman, to tell us what, if 
anything, as we decide whether or not to set up a privacy 
office in every single agency or every single sub-agency, 
whether we decide to put it at one major level of the Federal 
Government, whether that is inside the White House or whether 
that is independent--those debates are obviously ongoing. But I 
would like to have you tell us what we ought to focus on as we 
use the 280 million sets of eyes and ears around the country in 
sharing information up and down and how privacy can be 
adversely impacted if we are not careful in that flow of 
information stream as well.
    Mr. Hamilton. Mr. Feeney, I will try a cut at it, and I am 
sure others will want to contribute.
    The first point I want to make is with regard to the link 
you suggest between intelligence and law enforcement. That is a 
very important link, and that is one of the reasons we didn't 
go to an MI-5, incidentally.
    The fellow who is out here investigating a crime with the 
idea of prosecution in court will often pick up information 
that is very valuable to the intelligence side of the FBI, and 
vice versa. The person doing intelligence, looking at terrorist 
activity, often will pick up information that is very vital to 
the law enforcement side. So we think there is a natural 
synergy or link, if you would, between the two sides of the 
FBI.
    The second point, we really did address quite frequently 
the need to push information down to the State and local 
officials. My recollection is somewhere in the report we say 
18,000 local officials, police officials and others, are 
enormously important assets for us in terms of counterterrorism 
activity. And we did find, as I think maybe your question 
suggested, that that flow of information was not nearly as good 
as it ought to be. I think here, too, there have been 
improvements, incidentally, but there is a long way to go.
    I believe I am correct in saying that a major concern of 
Director Mueller--I certainly don't want to try to speak for 
him--is to try to improve that flow of information to agents in 
the field; and in some cases, like New York City, I believe the 
relationship between the FBI and the New York City police is 
being worked out quite well.
    But it is a huge advantage for us in counterterrorism to be 
able to take advantage of the local law enforcement people, and 
they simply must be brought into the information pool to a much 
greater extent than has been true in the past.
    Now, the third point I am not sure I caught with regard to 
privacy. You wanted to know how it was adversely impacted by 
all of this?
    Mr. Feeney. Well, we have talked a lot about international 
privacy protections, sharing amongst Federal agencies. But as 
we go up and down from local, State and Federal and the other 
way, what do we need to think about in terms of protecting 
people's privacy there, too?
    Mr. Hamilton. It is a pervasive problem, because if you 
must, as we believe on the Commission, increase the flow of 
information, that means the privacy concerns are greater, and 
that is why we think there has to be some overall direction on 
it within the executive branch and a lot of review, as some of 
the other Members of the Committee have suggested, by courts 
and the Congress.
    Mr. Gorton. Mr. Chairman, may I comment on Mr. Feeney's 
question?
    Mr. Cannon. Absolutely. I think you will note I am fairly 
strict on the time frame for asking questions but try to allow 
some extension of that time, whereas we have not interrupted 
the answers which we find and I think the rest of the Committee 
finds fascinating. So, please, Mr. Gorton, go ahead.
    Mr. Gorton. Mr. Feeney, I think you did have two separate 
questions. There has been a traditional and very legitimate 
objection on the part of local law enforcement officials all 
across the country that communications are one way, that the 
FBI wanted to get information from them, and rarely if ever 
shared it with them. Director Mueller has made significant 
attempts in this connection. The creation of a Joint Terrorism 
Task Force in every major FBI office in the country has done 
so.
    Two weeks ago, I visited with the mayor of Seattle, the 
chief of police, and the fire chief and found that my city had 
done an excellent job in setting up and following some of our 
recommendations on emergency response, setting up the single 
command structure and the like, and asked him just that 
question. And the answer to that question was, yes, it is 
better, but it still has a long way to go. We are not getting 
all of the information down that we need, but progress has been 
made.
    With respect to your other question on privacy, I think I 
might refer you to another report. I am a member of the Markle 
Foundation's study. In fact, with the permission of the 
Chairman, I am going to leave here in about 30 minutes. I am 
due at its meeting in Colorado this evening.
    It has spent a tremendous amount of very constructive time 
on data mining, the questions that Mr. Scott asked, on what can 
be shared and how it ought to be shared and, very specifically 
on this sharing, how will we bring these thousands of local law 
enforcement agencies into this field with a very strong 
protection of human rights. It has now had two reports. Its 
second came out about 6 or 8 months ago. We referred to it in 
our opening testimony here, and I think it will be of great 
value to you in answering that question.
    Mr. Marsh. Mr. Feeney, on the classification, you should be 
aware there are two systems to the classification in our 
country that involve national security and law enforcement. The 
national security is Confidential, Secret, Top Secret, 
Codeword. That is generally the result of an executive order 
over on the defense side. Clearance for those are extremely 
expensive, very hard to obtain. There is inability in our 
Government to transfer those from Department to Department, 
which is a major problem.
    The second relates to the law enforcement type of issues 
that Senator Gorton spoke about. I served for 4\1/2\ years on 
the Gilmore Commission, which looked at local responders. The 
single most frequent complaint that we received from first 
responders from across the Nation was the failure to get 
sensitive or classified information to them that they needed 
for their security purposes. That has improved somewhat by a 
recent order of the Department of Homeland Security but not 
anywhere near where it needs to be.
    This is another area, where some information comes down, 
and it is marked ``law enforcement sensitive.'' Now, it is a 
form of classification. Very frequently, law officers with law 
enforcement sensitive information do not transfer that to other 
people who need to know it inside the community. You have 
broached a matter that is a major, major problem that is really 
administrative but has enormous impacts in other ways of 
operation.
    Ms. O'Connor Kelly. Mr. Feeney, as the operational Privacy 
Officer on the panel, I note that a major focus of our work 
this past year has been addressing exactly the issue you have 
raised of information sharing both across the Federal 
Government but also with the State and local partners.
    Obviously with the major homeland security efforts being 
undertaken at the State level, we are being forced to share--
and we should be sharing--information with our State and local 
homeland security directors. I see it as sort of a four-tiered 
issue.
    First of all, Homeland Security is made up of 22 different, 
separate parts of agencies. So we had to first construct a 
structure that allows information sharing within the 
Department, which was actually a major undertaking given the 
privacy act systems that existed in those agencies.
    Then to share with other agencies--our partner agencies at 
both Defense and Justice and other parts of the Federal service 
to make those agencies more efficient in the use of 
information--then to share with our State and local partners. 
And finally to share with the private sector. With over 85 
percent of our critical infrastructures in the hands of the 
private sector in this country, we have a need to share and a 
need to know information about their efforts.
    And, of course, as has been pointed out, with the new rules 
under critical infrastructure sharing and sensitive homeland 
security information, we have hopefully heightened the ability 
to share, but also created good rules around the sharing that 
allows our employees to know what should be shared and what 
should not be shared, particularly when it pertains to 
individuals.
    Mr. Feeney. Thank you.
    Mr. Cannon. I would like to thank the very thoughtful Vice 
Chairman of the Subcommittee for that thought-provoking 
inquiry.
    And now the Chair recognizes the very patient Ranking 
Member of this Subcommittee for his opportunity to question for 
5 minutes.
    Mr. Watt.
    Mr. Watt. Thank you, Mr. Chairman.
    And I think I will use my 5 minutes to follow up on some 
lines of questioning that other people have already opened 
before I go to one final overarching question that I would like 
to pose. First, Mr. Nadler raised an interesting question about 
if Congress can't get information from executive agencies, how 
we could set up a board or commission oversight board, and how 
they would get information to do the necessary job that we 
would give them.
    It occurred to me that Ms. Kelly might be in a good 
position to respond to that. She is inside the Government, 
inside the executive branch.
    How would we structure, you think, a board, oversight 
board, to do the kinds of things that the 9/11 Commission 
report has suggested, and give them the kind of authority and 
mechanisms to get the information that they need when we appear 
to be having trouble getting that kind of information 
ourselves? Can you share any light on that, either now or 
subsequent to the hearing?
    If you have got some thoughts now, I would love to hear 
them.
    Ms. O'Connor Kelly. Yes.
    Mr. Watt. If you have follow-up thoughts I would love to 
hear them, too.
    Ms. O'Connor Kelly. Well, I have certainly been thinking 
about this issue for many years, and people wiser than me have 
been thinking about it for many decades.
    So I think there are a number of ways--and I don't want to 
preempt people in the Administration who may have thoughts on 
this themselves--but I think you hit on the exact point that 
the information on--perhaps it is human nature for people to 
not want to air their dirty laundry in public.
    And so to have a privacy office within the Federal agency, 
although it is looked upon somewhat quizzically elsewhere in 
the world, has actually been a very effective structure because 
we are seen as a helpmate in the mission of the Department, but 
also someone who has criticized from within in advance of 
programs being launched. And perhaps that idea is being 
enacted.
    But we also do rest heavily on our external role. And we 
have issued some critical reports of the Department, which we 
will be sharing with you in our annual report to Congress, 
which should be printed and finalized, hopefully, within a 
matter of weeks.
    Mr. Watt. I take it that what the Commission has 
recommended goes beyond privacy officers or bodies within 
agencies.
    Ms. O'Connor Kelly. Right.
    Mr. Watt. You may be suggesting that each agency that is 
dealing in this arena needs a privacy officer. But what the 
Commission, I think, is suggesting is something that--that is--
--
    Ms. O'Connor Kelly. Overseeing.
    Mr. Watt.--kind of overseeing all of this. And it may be a 
more difficult problem to get agencies to give up the 
information to that external body than even to an internal 
body.
    Ms. O'Connor Kelly. That may certainly be the case. And I 
think for that question, we should look to the experience of 
countries which already have operationalized independent data 
protection authorities. And there is ample evidence of their 
success, both in the European Union and also elsewhere in the 
world. It certainly might be worth even actually talking to 
some of those officials who lead those bodies.
    There is an International Association of Data Protection 
individuals, which we participate in and represent the United 
States to the extent that we are welcomed in that body. They 
have met with greater and lesser success in their own countries 
in doing exactly what you have suggested, getting Federal 
agencies to share information about their operations, 
particularly when it might be damaging or embarrassing to the 
agency--but perhaps a very necessary process.
    Mr. Hamilton. Mr. Watt.
    Mr. Watt. What I might suggest is ask--well.
    Mr. Hamilton. Mr. Watt, the key requirement----
    Mr. Watt. I would just say one other thing that Ms. Kelly 
suggested, she maybe follow up with----
    Ms. O'Connor Kelly. I would be happy to. Okay.
    Mr. Watt.--some written suggestions in response to this, 
because I am going to run out of time. That is what I am 
worried about.
    Mr. Hamilton. Well, the key requirement is that Government 
agencies must be required to respond to the board. Now, the 
experience of the 9/11 Commission is that we had to have the 
subpoena power. We didn't use it very frequently. But if we had 
not had it, our job would have been much, much more difficult. 
And if this board is not able to require agencies to respond in 
detail to your questions, it will be ineffective.
    Mr. Watt. Okay.
    Mr. Watt. Mr. Chairman, I guess I am going to have to ask 
unanimous consent for a couple of extra minutes to get to the 
next two questions that I have.
    Mr. Cannon. Without objection, so ordered.
    Mr. Watt. Let me go. We used the whole 5 minutes on that 
one question.
    I wanted to follow up on this national ID question that 
several people have kind of skirted around. The Commission's 
Report says--and I am quoting, I think--secure identification 
should begin in the United States. The Federal Government 
should set standards for the issuance of birth certificates and 
sources of identification such as driver's licenses. And then 
it goes on and says some other things.
    Now, Representative Hamilton did a great job of telling us 
what he is not suggesting, which is a national ID. What I am a 
little unclear about, and what other people have raised a 
number of questions about, is what, short of a national ID, is 
the Commission suggesting here? Because it sounds like the only 
way you can get to where you are talking about is to have some 
kind of national identification system.
    Mr. Cannon. If the gentleman would yield.
    Could I just add to that, if you have Federal standards and 
a free-flow information system between the States and the 
Federal Government and law enforcement agencies and the Federal 
agencies, what is the difference between standards and a 
national ID?
    Mr. Gorton. Very simply, everyone in the United States, or 
almost everyone in the United States, is comfortable with the 
idea that you have to have a driver's license in order to 
drive. Fifty states and all of the other jurisdictions issue 
driver's licenses. And they do so so that people can be 
identified, you know, when they are driving and when they are 
arrested.
    What we are saying is that it is very important in the 
fight for the struggle for national security that people be 
able to be identified. We now have 50 or 54, whatever it is, 
different systems for that. And we are simply saying, take 
something that everyone accepts now and have it standardized in 
a way that it really identifies the people who are holding onto 
it. And we have also incidentally--and we have mentioned it in 
passing--that we ought to sort of have--it would be a great 
idea to have a standard form of birth certificates; because as 
one of the Members up here said, almost everything stems from 
that, you know, for Americans, all kinds of things you have to 
get a copy of your birth certificate for. And it ought to be 
something that is valid, that people can rely on.
    We would like them to rely on driver's licenses. You don't 
have to get a driver's license if you don't want one. But if 
you want to drive, you do. Let's make it into--let's make it 
into something that really does say, when I pulled my driver's 
license out, you could be confident that this is really me and 
not somebody else.
    Mr. Cannon. Would the gentleman yield?
    Mr. Watt. Yes.
    Mr. Cannon. What I hear you saying, Senator Gorton, is that 
you want a national ID, you want to get that through the back 
door by using something that everybody already accepts. But 
that is, I think you stated very clearly, that you want or you 
think the Commission wants the national ability to identify 
people and using an already accepted purpose. So if you want, 
if you want to drive in America, you have to be part of a 
federalized system of identification?
    Mr. Gorton. I think there is a great deal of difference, 
Mr. Chairman, between something that you voluntarily go out and 
get and something that is mandated.
    Mr. Watt. Well, you might--you might be--this might be a 
semantic discussion. And, I mean, I think the discussion about 
a national ID has been going back and forth for a number of 
years. But it does seem to me that if you are suggesting a 
standardized birth certificate, that is not optional. So for 
newly born individuals, that is a national ID; for people who 
obtain a driver's license, that is a national ID.
    So you have left out people who have come into the United 
States who weren't born here and who don't get a birth 
certificate, or people who have opted not to get a driver's 
license. But you are not very far have having a requirement 
that you have some kind of national identification for those 
people, too, I would think.
    Mr. Hamilton. Well, I would----
    Mr. Gorton. Mr. Watt, you have already got a national ID 
You have one or the other. You just don't know whether it is 
any good.
    Mr. Hamilton. Mr. Watt, just to let you know our concern 
here, all of these hijackers, except one, had U.S. 
Identification. And what we are saying is that secure 
identification is very, very important in terms of 
counterterrorism.
    And we--we did not endorse a national ID. We think there is 
a distinction, as Senator Gorton has said, between Federal 
standards and having a national ID. But do not be deceived here 
with regard to the importance of identification. Keep in mind 
that these hijackers were extremely skillful in being able to 
find the gaps in our system. And we are trying to protect 
against that as best we can.
    Mr. Watt. And do let me be clear that I am not either 
supporting or condemning a national identification system. All 
I am trying to do is figure out what--what those options are 
and be clear on what the Commission is suggesting. Because for 
us to move from the onset that you have expressed to the 
reality of what you have expressed requires our understanding 
what you had in mind. And that is all I am trying to do.
    Let me do one other thing, Mr. Chairman. And I don't really 
think this question may be--well, anybody will want to answer--
but I think I have got to ask it because there is, it appears 
to me, to be a real rush politically to act on the 9/11 
Commission's Report and a real rush to--for security purposes 
to act on.
    And I guess the thing that I am wrestling with here in 
light of all of the questions that have been raised in this 
hearing is how we can proceed responsibly to get to a real good 
product without giving the public the perception that we are 
somehow dragging our feet and being picky and not paying 
attention to details.
    Did the Commission have any ideas about the timetable? I 
mean, obviously, we are 3 years beyond 9/11. Did the Commission 
have any ideas about the timetable for the implementation or 
passage of whatever legislative initiatives are required to 
implement the 9/11 Commission's recommendations?
    Mr. Gorton. Most of the attention so far to our 
recommendations has been to those two, or several that have to 
do with the structure of our intelligence system, the national 
intelligence director, the national counterterrorism center. 
The former of those has been recommended by probably a dozen 
commissions over years.
    I have got--one of our people yesterday had--no, no, 
meeting over in the Senate yesterday--he showed me a list of 48 
commissions since 1947 that have talked about restructuring our 
intelligence agencies none of which was successful.
    It came from here, you know. The joint--the Joint 
Intelligence Committees of the House and the Senate 2 years ago 
made a recommendation that is at least similar to that. 
Speaking for myself, I am inclined to hope that you do do 
something before the election in that respect.
    Mr. Watt. Can we do something on that front without doing 
something on the fronts that we have been discussing here 
today?
    Mr. Gorton. Well, certainly you can.
    Mr. Watt. I mean, is it advisable? I know the answer is we 
can.
    The question is, would it be advisable to do something on 
that front without--without setting up these security measures 
for individual liberties and privacy that we all know need to 
be in place at the same time that the protections need to be in 
place.
    Mr. Gorton. We believe that the recommendations that relate 
to the Committee, the subject of this Committee, are very, very 
important, Mr. Watt. We wouldn't have included them if we 
didn't. And we thought about them a great deal and dealt with 
them advisedly.
    I guess the other side of that coin is simply this. We know 
those terrorist organizations are still out there. We know they 
have declared war against the United States of America. We know 
that, while either through good preparation or good fortune, in 
the almost 3 years since 9/11 no other terrorist attack has 
taken place in the United States. We also know that lots of 
them have taken place other places in the world.
    So figuratively we have, if not literally, out there in the 
streets somewhere, is a bomb with a fuse and the fuse is lit. 
And we have no idea whether that fuse goes off in 5 days, 5 
weeks, 5 months or 5 years. But it is going to be awfully hard 
to stop the blame game if it goes off when we have done 
nothing.
    Mr. Watt. Thank you, Mr. Chairman. You have been very 
generous with your time. And I yield back.
    Mr. Cannon. Thank you. I want to thank the Ranking Member 
for some very insightful questions.
    I was not clear when we came into this hearing how clear 
you are from the Commission on the need for a national ID or a 
system of national identification. I think that has become 
very, very clear here.
    In addition, I think the question about coming up with a 
good product versus looking like we are dragging our feet is a 
very insightful question. And my reaction to that is we need to 
do some things. I am appreciative of the Administration. I am 
thankful daily that we haven't had in America another serious 
terrorist activity.
    Although I was doing a cottage meeting last night and had a 
very conservative person there who expressed, at some length 
and with some eloquence, appreciation for that, but recognized 
that we have terrorist groups in America that aren't associated 
with al Qaeda, groups that are doing things that by any 
definition are terrorist--and that includes some of our gang 
members, some of our ethnic gang members. We have some very 
serious problems to deal with. We have been very, very blessed. 
Al Qaeda or violent Islam is not our only problem. It is 
internal problems.
    I just feel like we need to point out here--generally 
speaking, I almost never preach from the podium here, but often 
use this to ask questions. I was thinking about George 
Washington, since his name came up a couple of times. He was 
asked at one point what the purpose of the other body was. And 
he had cup of very hot coffee. And he took the cup and poured 
some in the saucer, swirled it around and then drank from the 
saucer. And he said, the People's House, Congress, the House of 
Representatives, is like a turbulent boiling, scalding cup of 
coffee. And the Senate, by the way this is before the 17th 
amendment--I am not sure it still holds--but the Senate is the 
area where we cool it down and sip.
    I feel like we have barely sniffed the coffee, let alone 
gotten ready to cool it down or taste it here. So we have a 
very long way to go, but some things are really remarkable in 
our time.
    In the first place, I look at Ms. O'Connor Kelly. We have 
had a long and very productive discussion. I think she has done 
a remarkably good job at what she has done. She represents 
private industry bringing the most current state-of-the-art 
understanding of technology into the Government. And Government 
is much better because of that.
    And so as you are looking at the questions, Representative 
from Ohio--or Iowa, pardon me. As I am trying to go through 
these complex issues, my dear friend Mr. King suggested 
bureaucratization sets in. But Government is radically improved 
by the interface between free enterprise and new technology and 
our bureaucratic process.
    But at the same time we are getting these little inputs 
that make DHS a much more successful agency, we are 
federalizing more and more issues. And we are doing it because 
it is easier to deal with many of the issues that face us today 
at a Federal level. And some of those are absolutely important 
to be federalized.
    The State of Utah just recently passed a spyware bill. So 
my IT companies are thrilled with that bill. And I have to 
admit, the other day when I was talking to one of them, I said 
that I asked the governor to veto it. And the reason I asked 
her to veto it--obviously not very successfully--is because 
this is truly a Federal issue. You have to deal with that issue 
federally. And if you don't do it that way, you have chaos in 
our system. So we have this period of time where we are truly 
challenged. But the other side, we are responding to those 
challenges, sometimes appropriately, sometimes inappropriately 
with federalization of issues.
    And I am just deeply concerned that in a time of conflict, 
that men of zeal without understanding, or people with zeal 
without understanding, are going to assert that we need to do 
things federally for which there is no alternative. There is 
theoretically another way to deal with that.
    And, Mr. Marsh, you spoke twice about anonymizers. Now I 
think the original Web site that anonymized for people is 
actually in my district. Very cool. This goes way back--by the 
way--we are not claiming all the benefits of modern technology. 
But we have great opportunities with--with technology. And if 
we go down a path of federalization too quickly, we will end up 
with remarkable problems.
    I cannot drive through my major city, Provo, Utah, my most 
central city, without being keenly aware that every stoplight 
has a camera. I am no computer wonk, but I know the process to 
be able to focus, with some artificial intelligence, the camera 
on the driver and get a picture of the driver, and on the 
license plate and get a picture of the license plate of every 
car that goes through every intersection that has a stoplight 
and a camera in that city.
    That gives me the willies, and I think it gives Americans a 
bit of pause. On the one hand, a young woman who was kidnapped 
and the kidnapper was captured very quickly, in part by using 
some of this technology. We do want to stop kidnappers. We do 
want to stop terrorists.
    But I just feel like here in this Subcommittee and in the 
Constitution Subcommittee as well, we need to be looking at 
these issues very carefully and drinking from that saucer and 
not scalding our tonsils as we chug the coffee immediately.
    I also just feel the need to point out that what happened 
on 9/11 was tragic, and a great cost, but it was not entirely 
unanticipated. I think perhaps the magnitude of it was 
unanticipated. But when we set up the CIA and the FBI there was 
a debate, and that debate centered on the core principles that 
we have used to build all of our institutions in America, and 
that is separation of powers. And while, you know, as we look 
at that today, we need to be thinking in terms of the values 
incorporated and what was a system that didn't work very well 
and what we can do with technology today, which allows us to 
bridge the gap and still maintain separate centers of power, 
division of power.
    If you read one of the most remarkable Founding Fathers, 
Thomas Jefferson, he spoke over and over and over again about 
taking power from the highest level of Government and shifting 
or keeping everything down at the lowest level. And if you fly 
over America today and you see the big squares; that is, the 
particular application of Thomas Jefferson's vision of how to 
organize society.
    We did square townships so that towns could grow up in a 
context, and those townships could have smaller units all the 
way down to what we called wards, which were 100 families. And 
his idea of Government was that you govern at the 100-family 
level. And I believe the idea behind the concept of the well-
organized militia for the second amendment, was that people in 
that 100-family unit would be able to assert police authority 
within that group.
    Now, that is a concept that is embedded in our very 
geography in America, but which is not being considered, I 
don't think, today as we are looking at global attacks. And yet 
as I said earlier, all the attacks aren't global. Many of the 
attacks we have are home grown, homemade. They are not even 
foreign or different ethnicities from the bulk of the Northern 
Europeans who settled America. They are among us today, not 
appealing their sentences, because of the possibility of a 
death penalty if they get a new trial, or if he gets a new 
trial. So I am just--I am just deeply concerned about those 
things.
    I wanted to touch on another couple of points that you 
made, Mr. Marsh.
    You talked about a protocol or a culture of privacy. I 
remember thinking as a kid, no one, no employee of the IRS 
would ever give anyone information that the IRS collected. And 
then we had two Presidents, one of each party, who appear to 
have made even FBI raw data files available to people in the 
press. With that culture destroyed fundamentally--and that is 
not many people, if they have faith that their files are going 
to be kept private--we have to rebuild that culture somehow. 
Rebuilding that culture means going to people with technology 
at the lowest level where they can be protected and anonymizers 
are great possibilities. But you have other issues, like a 
certified identification, which hasn't been mentioned I don't 
think in any of these processes, which today is not used for 
anything but to avoid that little pop-up on your screen that 
says you are not a secure user. And you apparently can now pay 
$49 to get that pop-up eliminated. But it doesn't do anything 
for the issue of identification that we have been talking about 
here today.
    And then finally, I just want to point out that there is a 
lot of vagueness in most Americans' thinking about what they 
want out of privacy. And so I would like to just pause at one 
of the problems, or weigh how to think about that.
    If you saw the movie ``Enemy of the State'' with Will 
Smith, you have an innocent citizen who has something stashed 
in a bag that that then makes him the target of the vast 
bureaucracies of the CIA. And the appalling thing is the 
technology is all there. It was a very cool movie from that 
point of view.
    The likelihood of any of us being the subject of a hunt by 
the CIA is almost nonexistent. But the premise of the film, if 
you will recall, is a Congressman of integrity who wouldn't 
vote in a certain way and therefore was murdered.
    Now, I would like to think that all of my colleagues were 
men of, A, integrity and, B, they have never done anything they 
could be blackmailed with or that could be used to encourage 
them to vote a different way. But in most issues in America 
today, votes at the congressional level and the House of 
Representatives and the other body, or in city council, tend to 
be fairly narrow because we have hard choices. And the ability 
of evil men to get information on decisionmakers at any level 
of Government and thereby pervert decisions, that is what we 
are trying to avoid here.
    And so while driving, I am not worried when my license 
plate is captured, my face is captured by a camera at an 
intersection. But cumulatively in America, we need to be 
concerned about that. Because if you can prove that a city 
councilman was at an intersection near the house of a woman he 
was purported to be having an affair with, there is something 
wrong with that. It's important to the large process of how we 
govern ourselves and how we get good men and women to perform 
public functions without the threat of embarrassment when an 
issue comes up that they need to exercise their judgment on.
    Those are the areas at all levels of Government and in the 
judiciary as well, where I think the issues we are dealing with 
here are important and are worthy of being dealt with 
thoughtfully and carefully over time.
    And I suspect that this Subcommittee, perhaps, the 
Constitution Subcommittee in addition, is going to have a lot 
to say about how we at least approach that problem. And I think 
that means a commission with people who are very thoughtful, 
who have significant background, and who are people who are 
willing to say we don't necessarily need to Federalize this 
process. And if we do Federalize this process, it shouldn't 
just be the damn Feds sucking information out of the local 
folks. It ought to be the local folks who get something back. 
And to do that you ought to have some kind of protection, maybe 
an anonymizer. It may be a culture that existed at one time in 
the Federal Government, I am not sure what it is. It is vital 
to America and it is, I think, the cornerstone of what our 
grandchildren are going to enjoy or suffer in the future.
    So with that, are there any comments by anyone else on the 
panel or additional comments that you on the panel would like 
to make?
    Thank you. I apologize for preaching, but we are adjourned.
    [Whereupon, at 12:35 p.m., the Subcommittees were 
adjourned.]
                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

 Prepared Statement of the Honorable Chris Cannon, a Representative in 
    Congress From the State of Utah, and Chairman, Subcommittee on 
                   Commercial and Administrative Law
    The Subcommittees will please come to order.
    Before we formally start today's proceedings, Chairman Chabot and I 
want to sincerely thank and recognize our colleagues on both 
Subcommittees and on both sides of the aisle for taking time out of 
their busy schedules to attend this important hearing. As many of you 
know, August is typically when Members of Congress return to their 
districts to catch up on constituent matters and spend time with their 
families. Unfortunately, in these extraordinary times, however, we must 
undertake extraordinary measures to deal with certain pressing issues.
    It also goes without saying that we express our sincere gratitude 
to our esteemed witnesses, each of whom reflect the greatest hallmarks 
of public service. We appreciate your contributions to our 
deliberations today.
    The title of today's hearing--Oversight Hearing on Privacy and 
Civil Liberties in the Hands of the Government Post-September 11, 2001: 
Recommendations of the 9/11 Commission and the U.S. Department of 
Defense Technology and Privacy Advisory Committee (which we'll refer to 
as ``TAPAC'')--clearly explains why we're here.
    As many of you know, the 9/11 Commission filed its final report 
last month. As some of you may not know, however, is that the report 
includes several recommendations intended to protect our citizens' 
privacy and civil liberties. In addition, it recommends that the 
federal government set standards for the issuance of birth certificates 
and sources of identification, such as drivers' licenses, to promote 
secure identification information. While most media headlines have 
emphasized the Commission's anti-terrorism proposals, I believe the 
privacy and civil liberties recommendations are among those most 
critical to our nation's future and which will form part of the focus 
of our hearing.
    Today's proceedings will also focus on certain recommendations that 
the TAPAC Committee made regarding safeguarding informational privacy. 
By way of background, TAPAC was established by Secretary Rumsfeld as an 
independent, bipartisan committee to examine the privacy ramifications 
presented by data mining activities by the Defense Department. I think 
we all agree that Secretary Rumsfeld is to be commended for taking this 
initiative and for ensuring that TAPAC's membership included some of 
our nation's most respected experts in the fields of constitutional and 
privacy law. I am informed that among the many luminaries who testified 
before TAPAC was our colleague from New York (Mr. Nadler).
    Advances in technology have increasingly facilitated the collection 
and dissemination of personally identifiable information, but have also 
correspondingly increased the potential for misuse of such information. 
As the recently renamed Government Accountability Office observed, 
``These advances bring substantial federal information benefits as well 
as increasing responsibilities and concerns.'' Interestingly, TAPAC, 
over the course of its deliberations, determined that as the Defense 
Department was not alone in its conduct of data mining activities, it 
was necessary for it to address this issue through a series of 
Government-wide recommendations.
    The purpose of today's hearing is to examine the validity of these 
recommendations and those of the 9/11 Commission that relate to privacy 
and civil liberties and to determine whether they warrant a legislative 
response. We would especially appreciate any guidance from our 
witnesses about how the Congress, in crafting legislation, can best 
protect our citizens' privacy without compromising legitimate law 
enforcement and terrorism detection efforts. And, as our witnesses 
know, it has been 30 years since a privacy commission was established 
as part of the Privacy Act of 1974. I would be interested in having our 
witnesses comment on whether now is the time to re-establish a privacy 
commission that would specifically focus on government privacy issues, 
especially given all the technological developments that have occurred 
since the commission filed its final report in 1977 and the current 
state of our nation's security concerns.
    I should also note that both my Subcommittee--the Subcommittee on 
Commercial and Administrative Law--and Chairman Chabot's Subcommittee--
the Constitution Subcommittee--have played a major role in with respect 
to protecting personal privacy and civil liberties in this era of 
heightened security under the leadership and guidance of Jim 
Sensenbrenner, the Chairman of the Judiciary Committee. As both the 9/
11 Commission Report and TAPAC Report concluded, it is no easy task to 
balance the competing goals of keeping our nation secure and protecting 
the privacy rights of our nation's citizens. I believe that our 
respective Subcommittees and the Judiciary Committee are uniquely and 
best suited to study and resolve these issues.
    Our accomplishments to date include the establishment of the first 
statutorily created privacy office in a federal agency, namely the 
Department of Homeland Security. We have also spearheaded the creation 
of a similar office in the Justice Department, which is contained in 
legislation now pending in the Senate. In addition, both my 
Subcommittee and the Constitution Subcommittee have considered and 
supported legislation requiring a federal agency to prepare a privacy 
impact analysis for proposed and final rules and to include this 
analysis in the notice for public comment issued in conjunction with 
the publication of such rules.
    I will conclude my opening remarks with a quote from one of our 
founding fathers. As I think you'll agree, Mr. Hamilton's observations 
and warnings are as meaningful today as they were when he wrote them 
more than two hundred years ago:
    ``Safety from external danger is the most powerful director of 
national conduct. Even the ardent love of liberty will, after a time, 
give way to its dictates. The violent destruction of life and property 
incident to war, the continual effort and alarm attendant on a state of 
continual danger, will compel nations the most attached to liberty to 
resort for repose and security to institutions which have a tendency to 
destroy their civil and political rights. To be more safe, they at 
length become willing to run the risk of being less free.''

                              ----------                              

 Prepared Statement of the Honorable Steve Chabot, a Representative in 
  Congress From the State of Ohio, and Chairman, Subcommittee on the 
                              Constitution
    I'd like to thank Chairman Cannon for holding this important 
hearing today.
    September 11, 2001, changed our world. It changed the way in which 
we view terrorism and the way in which we, as a country, must protect 
ourselves.
    Since that tragic day, Congress acted quickly to protect the 
country from future terrorist attacks. For example, through the Patriot 
Act, we provided our law enforcement officials with enhanced 
investigative tools to prevent the planning of future attacks, and we 
authorized the creation of the Department of Homeland Security to 
better coordinate activities within our country to protect against the 
future threat of terrorism.
    In taking action, we have been mindful of the protections afforded 
by our Constitution and our need to protect them as we protect our 
country. In the Patriot Act, we included protective measures, such as 
the sunset provisions. When authorizing the Department of Homeland 
Security, we ensured that a privacy officer position was established to 
examine the implications of the agency's rules and regulations on 
privacy and to address any issues that may result.
    Over the last 20 months, the National Commission on Terrorist 
Attacks Upon the United States (9/11 Commission) has investigated the 
circumstances and events leading up to and on September 11.
    In their report, the 9/11 Commission identified deficiencies within 
the federal government and made recommendations, including 
recommendations to safeguard privacy, to better protect the American 
public. While we must move expeditiously to make our country safer, we 
take care to do so in a thoughtful and Constitutional manner.
    I look forward to discussing the Commission's recommendations with 
our witnesses today and determining what Congress can do to better 
protect the privacy of our citizens.
    As we move forward, it is important to remember that having 
effective anti-terrorism measures does not necessarily comprise the 
protections afforded by our Constitution, as one is not the enemy of 
the other. The enemy is terrorism.

                              ----------                              




                                 
