[House Hearing, 109 Congress]
[From the U.S. Government Printing Office]


 
        PROTECTION OF PRIVACY IN THE DHS INTELLIGENCE ENTERPRISE
                             PART I AND II

=======================================================================

                                HEARING

                               before the

                     SUBCOMMITTEE ON INTELLIGENCE,
                        INFORMATION SHARING, AND
                       TERRORISM RISK ASSESSMENT

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                     APRIL 6, 2006 and MAY 10, 2006

                               __________

                           Serial No. 109-72

                               __________

       Printed for the use of the Committee on Homeland Security

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________


                    U.S. GOVERNMENT PRINTING OFFICE
27-629                      WASHINGTON : 2007
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001


                     COMMITTEE ON HOMELAND SECURITY

                  Peter T. King, California, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania, Vice      Edward J. Markey, Massachusetts
Chairman                             Norman D. Dicks, Washington
Christopher Shays, Connecticut       Jane Harman, California
John Linder, Georgia                 Peter A. DeFazio, Oregon
Mark E. Souder, Indiana              Nita M. Lowey, New York
Tom Davis, Virginia                  Eleanor Holmes Norton, District of 
Daniel E. Lungren, California        Columbia
Jim Gibbons, Nevada                  Zoe Lofgren, California
Rob Simmons, Connecticut             Sheila Jackson-Lee, Texas
Mike Rogers, Alabama                 Bill Pascrell, Jr., New Jersey
Stevan Pearce, New Mexico            Donna M. Christensen, U.S. Virgin 
Katherine Harris, Florida            Islands
Bobby Jindal, Louisiana              Bob Etheridge, North Carolina
Dave G. Reichert, Washington         James R. Langevin, Rhode Island
Michael McCaul, Texas                Kendrick B. Meek, Florida
Charlie Dent, Pennsylvania
Ginny Brown-Waite, Florida

                                 ______

 Subcommittee on Intelligence, Information Sharing, and Terrorism Risk 
                               Assessment

                   Rob Simmons, Connecticut, Chairman

Curt Weldon, Pennsylvania            Zoe Lofgren, California
Mark E. Souder, Indiana              Loretta Sanchez, California
Daniel E. Lungren, California        Jane Harman, California
Jim Gibbons, Nevada                  Nita M. Lowey, New York
Stevan Pearce, New Mexico            Sheila Jackson-Lee, Texas
Bobby Jindal, Louisiana              James R. Langevin, Rhode Island
Charlie Dent, Pennsylvania           Kendrick B. Meek, Florida
Ginny Brown-Waite,                   Bennie G. Thompson, Mississippi
Florida
Peter T. King, New York

                                  (II)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable Rob Simmons, a Representative in Congress From the 
  State of Connecticut, and Chairman, Subcommittee on 
  Intelligence, Information Sharing, and Terrorism Risk 
  Assessment.....................................................     1
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California, and Ranking Member, Subcommittee on 
  Intelligence, Information Sharing, and Terrorism Risk 
  Assessment.....................................................     2
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security...............................................     5
The Honorable Charlie Dent, a Representative in Congress From the 
  State of Pennsylvania..........................................    16
The Honorable Jim Gibbons, a Representative in Congress From the 
  State of Nevada................................................     6
The Honorable Ginny Brown-Waite, a Representative in Congress 
  From the State of Florida......................................    17

                               Witnesses
                        Thursday, April 6, 2006
                                Panel I

Ms. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department 
  of Homeland Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     9

                                Panel II

Mr. Kirk Herath, Chief Privacy Officer, AVP-Associate General 
  Counsel, Nationwide Insurance Companies:
  Oral Statement.................................................    19
  Prepared Statement.............................................    21
Mr. Patrick Hughes, Lieutenant General, USA (Retired), Vice 
  President--Homeland Security, L-3 Communications:
  Oral Statement.................................................    35
  Prepared Statement.............................................    36
Mr. Jonathan Turley, Shapiro Professor of Public Interest Law, 
  George Washington Law School:
  Oral Statement.................................................    29
  Prepared Statement.............................................    31


        PROTECTION OF PRIVACY IN THE DHS INTELLIGENCE ENTERPRISE
                                 PART I

                              ----------                              


                        Thursday, April 6, 2006

             U.S. House of Representatives,
                    Committee on Homeland Security,
                  Subcommittee on Intelligence, Information
                     Sharing and Terrorism Risk Assessment,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:20 a.m., in 
Room 311, Cannon House Office Building, Hon. Rob Simmons 
[chairman of the subcommittee] presiding.
    Present: Representatives Simmons, Gibbons, Dent, Brown-
Waite, Lofgren, and Thompson.
    Mr. Simmons. [Presiding.] The subcommittee will be meeting 
today to hear testimony on the protection of privacy in the 
Department of Homeland Security Intelligence Enterprise.
    We will be hearing testimony from four witnesses today. Our 
first panel, we will hear from Ms. Maureen Cooney, acting chief 
privacy officer of the Department of Homeland Security.
    On our second panel, we will hear from Mr. Kirk Herath, 
chief privacy officer and associate general counsel at the 
Nationwide Insurance Companies; Mr. Jonathan Turley, Shapiro 
professor of Public Interest Law at the George Washington 
University Law School; and Lieutenant General Patrick Hughes, 
vice president of Homeland Security at L-3 Communications.
    And I thank all of our panelists for coming today.
    The right to privacy is implicit in the Fourth Amendment 
right of the people to be secure in their persons, houses, 
papers and effects against unreasonable searches and seizures, 
and it shall not be violated.
    It is embedded in the founding ideals of this nation. 
Justice William O. Douglas, in Griswold v. Connecticut, wrote 
that the right to privacy is ``older than the Bill of Rights, 
older than our political parties.''
    We are all acutely aware of the privacy issues facing the 
government today, especially as the president and Congress work 
to defend America against those who wish to commit mass murder.
    And I remind my colleagues and others of a passage in the 
9/11 Commission report, which states, ``We learned that the 
institutions charged with protecting our borders, civil 
aviation and national security did not understand how grave 
this threat could be and did not adjust their policies, plans 
and practices to deter or defeat it. We learned of fault lines 
within our government between the foreign and domestic 
intelligence and between and within agencies. We learned of the 
pervasive problems of managing and sharing information across 
large and unwieldy government that has been built in a 
different era to confront different dangers. We hope that the 
terrible losses chronicled in this report can create something 
positive--an America that is safer, stronger and wiser.''
    And, indeed, the creation of the Department of Homeland 
Security was a response to that effort to create something 
positive, something safer, stronger and wiser, but at the same 
time, something that respects our Constitution and our Bill of 
Rights and the rights that are detailed therein.
    The House Permanent Select Committee on Intelligence is 
leading the effort to examine the NSA Terrorist Surveillance 
Program, and the House Judiciary Committee is taking a close 
look at the Foreign Intelligence Surveillance Act. Speaking for 
myself, I support both of those committee initiatives.
    We are here today to ensure that the Department of Homeland 
Security is also paying proper attention to privacy matters at 
the department and the department's intelligence activities.
    The Department of Homeland Security has a legally mandated 
duty to protect the privacy of U.S. persons in the course of 
its intelligence work and in its information collection 
activities. However, just 2 days ago, the General Accounting 
Office issued a report stating that federal agencies, including 
DHS, lacked policies that specifically address their use of 
personal information from commercial sources.
    Ms. Cooney, I hope you will be able to address some of 
these issues for us in your testimony today.
    While DHS receives information from commercial sources, it 
also receives information from the intelligence and law 
enforcement communities, as well as through the regulatory 
screening activities of the department.
    This information is vital to America's border security, 
critical infrastructure protection, transportation security, 
and a number of other security activities. Gathering, 
processing, analyzing and sharing information intelligence will 
be vital to preventing the next attack on our homeland. We must 
ensure, however, that the department protects the privacy of 
the American people while also protecting them from terrorist 
attack.
    The chair now recognizes the ranking minority member of the 
committee, the gentlelady from California, Ms. Lofgren, for any 
statement she might wish to make.
    Ms. Lofgren. Thank you, Mr. Chairman.
    Welcome, Ms. Cooney, and also Mr. Harris and Mr. Turley.
    I appreciate being recognized for this statement. Our topic 
is privacy rights. I think the elephant in the room is the 
issue of the NSA Warrantless Eavesdropping Program. NSA 
eavesdropping is an important issue for the subcommittee to 
address under its oversight responsibilities over intelligence 
and information sharing techniques.
    The Bush administration has failed repeatedly to give 
Congress meaningful answers about this eavesdropping program, 
and the Congress so far has failed to hold it accountable 
through oversight. The administration seems unwilling to 
provide Congress with the information it needs to conduct its 
proper oversight role.
    I have tried to secure information about this Warrantless 
Eavesdropping Program. I have asked the Department of Defense 
and the Department of Justice to investigate this program, but 
they have declined.
    I asked President Bush to direct that a special counsel be 
appointed to investigate. He has not answered the letter, but 
through his press secretary, declined.
    To date, press reports are all the information about this 
program that members of Congress and the public have. Congress 
should not accept this.
    One serious question about this Warrantless Eavesdropping 
Program is whether it complies with the law. This subcommittee 
should get an answer to that question.
    Whenever possible, it is important to work in a bipartisan 
fashion. Indeed, 2 weeks ago, the chairman and I produced 
legislation jointly, and I think we set a land-speed record for 
a subcommittee markup. It is not comfortable or enjoyable to be 
critical when you sit next to somebody on a frequent basis and 
hope to work with them, but the hope for comity can never be an 
excuse for ducking the need to take action.
    As a ranking member, I cannot and do not control the agenda 
of our subcommittee. The chairman sets the agenda. I have 
sought to have this committee discharge its oversight 
responsibility in the matter of the NSA through written request 
by staff, written request by myself, as well as personal 
conversations, but these efforts resulted in today's hearing 
that will not serve as the needed oversight of the NSA 
Warrantless Surveillance Program.
    I tried to secure a witness from the NSA to testify today, 
and as part of the record, I ask unanimous consent to place 
material about this in the record of this hearing.
    Mr. Simmons. Without objection, so ordered.
    Ms. Lofgren. Thank you.
    I appreciate that Professor Turley is here today to testify 
about the NSA Eavesdropping Program. I thank him for his 
testimony, which I have reviewed. His observations about the 
administration's legal claims in support of this program are 
important, and in his view the risks the administration's legal 
claims present, not only for our intelligence gathering process, 
but also for our constitutional separation of powers, are 
significant.
    While I am thankful to have Professor Turley's testimony, 
Congress needs to hear more than legal arguments from scholars 
about this program. We need to do our oversight job and find 
out what is actually going on by calling the witnesses who have 
direct knowledge of what the government is actually doing.
    There is only one intelligence subcommittee in the Homeland 
Security Committee and we are it. We cannot get thorough 
information on the NSA Eavesdropping Program without a 
government witness with firsthand knowledge about it.
    So today is a lost opportunity for this subcommittee. But 
today, actually right now, the attorney general of the United 
States is testifying before the House Judiciary Committee. The 
attorney general knows all about the NSA program and is in a 
position to answer questions about it. I don't know if he will, 
but the opportunity to question him about what he knows about 
the NSA program is a far sight more promising than what we will 
have allowed this hearing to be.
    So I will excuse myself now to see whether the attorney 
general will permit the Congress to discharge its oversight 
obligations. With regrets, the structure of this hearing 
ensures that we will not succeed in that mission in this 
subcommittee today.
    And I would also like to present to the chair a letter from 
the minority pursuant to Rule 2M. We are seeking an additional 
hearing.
    Thank you, Mr. Chairman. I am going to go see Mr. Gonzales.
    Mr. Simmons. Normally, I would yield to the distinguished 
ranking member of the committee, but the ranking member of the 
subcommittee has made a few statements that I would have to 
respond to.
    This subcommittee has had this civil rights and privacy 
hearing on the schedule for some time, and we have been open to 
any witnesses that the minority would submit to us.
    It is my understanding that the individual that the ranking 
member refers to could not make it today, and so in a 
bipartisan fashion, we extended to the minority the opportunity 
of introducing that information into the record at a later date 
and holding the record open, which I thought was a fair 
proposal.
    We also offered to postpone this hearing to a later date.
    Ms. Lofgren. That is incorrect, sir.
    Mr. Simmons. Well, that is what I suggested to my staff. We 
also discussed the issue of recessing and reconvening. So from 
my perspective, at least from where I sit, every effort has 
been made to make this a productive hearing.
    It is very disappointing to me to hear a prepared statement 
typed and prepared, obviously, in advance, and only to receive 
it here on the record. That to me is a disappointing thing to 
have to experience, but I guess I can say that in my experience 
on the Hill, both as a staffer on the Senate Intelligence 
Committee for 4 years and in my 5 years as a member of 
Congress, doing my best to provide bipartisan oversight, I have 
encountered disappointments.
    Ms. Lofgren. If I will just--
    Mr. Simmons. If the lady would allow me to finish my 
statement.
    Ms. Lofgren. Certainly.
    Mr. Simmons. I have encountered those disappointments, and 
I will not allow those disappointments to prevent me from 
continuing to conduct the activities of this subcommittee in a 
bipartisan fashion to the best of my ability.
    And now the chair would like to recognize the distinguished 
ranking member of the full committee, Mr. Bennie Thompson of 
Mississippi. The gentleman is recognized.
    Mr. Thompson. Thank you, Mr. Chairman. In the interest of 
being fair and balanced, I will yield my time to the ranking 
member for a response.
    Ms. Lofgren. And I thank the ranking member. I would just 
note that I have now served in Congress for a little over 11 
years, and I have never encountered a situation such as this in 
those 11 years. The NSA is reluctant to testify. They need to 
be ordered to testify by, not the ranking member because I lack 
that power, but by the chairman.
    We have endeavored to secure that. We have asked for--
perhaps the chairman did order his staff to delay. They have 
refused our staff the opportunity. So I don't want to get in a 
he-said-she-said. There is no point in that. But I am severely 
disappointed that we have failed to discharge our oversight 
hearing. I will always work in a bipartisan way when there is 
an opportunity.
    In the last Congress, Mr. Thornberry and I actually almost 
melded our staffs. We didn't have a majority and minority 
report at the end of the Congress. We had one report. I hope 
that we can do that again this year, but so far, I had to 
conclude that we may not achieve that level of success. That is 
not the topic here today.
    I will just say, this is an opportunity--was an opportunity 
to discharge the oversight obligations that we have as the 
Intelligence Subcommittee over the NSA. We will not accomplish 
that in this subcommittee today, and I think that is a 
disappointment. Perhaps we will remedy that in the future. And 
if so, I will eagerly be a participant with the chairman.
    And I would yield back to the ranking member, and I will 
now adjourn to the attorney general.
    Mr. Thompson. Thank you very much.
    Reclaiming my time, Mr. Chairman.
    I am pleased that the committee is turning its attention to 
the question of privacy protections in the department's 
Intelligence Enterprise. The Privacy Office has done a 
tremendous job in making privacy an integral part of the 
department's various initiatives and technology program.
    The more often we respect privacy from the beginning, the 
more likely expensive department programs won't have to be 
canceled for ignoring this cherished right. Respecting privacy 
makes good business sense.
    While I look forward to Ms. Cooney's testimony about how 
privacy should inform the department intelligence process, I 
note that she could do her job more effectively if she had more 
powers.
    I believe that the privacy officer must be able to access 
all the records and speak to all the people she needs to in 
order to conduct truly effective privacy impact assessments. To 
boost her independence, moreover, the privacy officer should 
serve a set term and should be able to report her findings to 
Congress directly rather than having to rely on an internal 
review process at the department that has often resulted in 
delays.
    As one observer has noted, while a truly vigorous and 
independent privacy officer can be inconvenient for government 
officials over the short term, over the long run, vigorous 
checks and balances will strengthen the Department of Homeland 
Security by inspiring greater public confidence in DHS 
programs. This is especially important in an intelligence 
context.
    As a recently publicized NSA Domestic Surveillance Program 
has demonstrated, there must be effective oversight within 
agencies and by Congress itself in order to ensure that the war 
on terror does not also become a war on privacy and other civil 
liberties.
    I hope all the witnesses, including Professor Turley, will 
address this issue so we can learn more about what the 
department might do to guard against the kinds of abuses we 
have seen with the NSA and what steps Congress should take to 
ensure that the NSA program does not undermine the public 
support for our efforts to secure the homeland.
    Welcome to our witnesses.
    And I yield back, Mr. Chairman.
    Mr. Simmons. I thank the gentleman for his statement. And I 
assure him that one of the purposes of this hearing is to learn 
how the privacy office is performing its duties, and if, in 
fact, issues that are currently in regulation need to be in 
statute. It would be our responsibility to act positively in 
that fashion.
    Mr. Gibbons. Mr. Chairman, parliamentary inquiry.
    Mr. Simmons. Yes, Mr. Gibbons?
    Mr. Gibbons. Mr. Chairman, would you tell me what the 
jurisdiction of this committee is? Do we have jurisdiction over 
NSA?
    Mr. Simmons. I have discussed that with the parliamentarian 
of the House of Representatives, and I have been told that we 
do not.
    Mr. Gibbons. I had objected to the addition of Ms. 
Lofgren's letters regarding her request on NSA to the 
committee. And I would say that as a concept of jurisdictional 
oversight, comments about this committee's failure to bring 
NSA before it certainly lie outside our jurisdiction, and I would 
hope that my objection to the addition of Ms. Lofgren's letters 
regarding NSA to this committee would stand.
    Mr. Simmons. I appreciate the gentleman's comment.
    In January of this year, I did write to the chair and 
ranking members of the intelligence committee and asked 
permission to have access to the information within their 
committee dealing with the National Security Surveillance 
Program.
    That permission was not granted, and at the time, I was 
told that the House of Representatives would pursue oversight 
of those activities through the two committees which have 
jurisdiction, which are the Intelligence Committee and the 
Judiciary Committee.
    So that fact is well known, and the ranking member of the 
subcommittee does know that the Judiciary Committee on which 
she serves has jurisdiction.
    Mr. Gibbons. I had voiced my objection at the time the 
letter was admitted, but I did not get a response out of you, 
so I would just state for the record that I did object to her 
inclusion of that letter.
    Mr. Simmons. The objection is heard, and without objection, 
it is sustained.
    Mr. Thompson. Excuse me, Mr. Chairman. By sustaining the 
objection, what are you saying?
    Mr. Simmons. The subcommittee, a few moments ago, agreed by 
unanimous consent to include a letter into the record from, I 
believe, an individual from the National Security Agency. I do 
not know what that letter is. Nobody on the subcommittee knows 
what that letter is, or at least not on this side.
    The gentleman from Nevada has expressed an objection to 
including that letter in the record now that he knows more 
about it.
    Am I correct, Mr. Gibbons?
    Mr. Gibbons. That is absolutely correct, and it is based on 
the jurisdiction of this committee. If the letter were in about 
the Homeland Security Department, that would be another story, 
but it is based on jurisdiction outside this committee, and I 
don't know what the content of the letter is, and I don't know 
what it was about. I don't think it is official for this 
committee to take up matters.
    Mr. Thompson. Well, Mr. Chairman, I would like to say under 
the rules according to the minority interpretation, we believe 
we do have jurisdiction, and we just have a difference of 
opinion.
    Mr. Simmons. Why don't we agree if it is agreeable that we 
will review the transcript and make a determination at a later 
date, and I will withdraw my offer to sustain the gentleman's 
objection.
    Mr. Gibbons. I don't have a problem with bringing it before 
the committee and having the committee in general look at it 
and make that decision.
    Mr. Simmons. Is that agreeable to the ranking member?
    Mr. Thompson. In terms of withdrawing it and looking at it 
later?
    Mr. Simmons. Yes.
    Mr. Thompson. No problem.
    Mr. Simmons. I thank the gentleman.
    I also thank the patience of our witnesses here today as we 
try to work our way through certain issues and get started.
    The chair now calls our first panel, Ms. Maureen Cooney, 
acting chief privacy officer of the Department of Homeland 
Security. During her time with DHS Privacy Office, Ms. Cooney 
has served as chief of staff and as director of International 
Privacy Policy before becoming acting chief privacy officer.
    Ms. Cooney worked on international privacy and security 
issues as legal adviser for the International Consumer 
Protection at the U.S. Federal Trade Commission, and her legal 
career includes broad experience with the national services and 
enforcement issues, including international work on anti-money 
laundering and foreign compliance issues, information sharing 
and privacy and security matters. She is a graduate of 
Georgetown University and holds a JD from the Georgetown 
University Law Center.
    I notice, Ms. Cooney, that you have substantial testimony 
that you wish to make. Normally, we limit it to 5 minutes, but 
if you need to exceed that, please be my guest. And welcome.

STATEMENT OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Ms. Cooney. Thank you. Good morning. Chairman Simmons, 
Ranking Member Thompson and members of the subcommittee, it is 
an honor to testify before you today on privacy activities 
across the Department of Homeland Security.
    As the subcommittee well knows, the Department of Homeland 
Security was the first agency to have a statutorily required 
privacy officer. The inclusion of a senior official accountable 
for privacy policy and protection within the department honors 
the value placed on privacy as an underpinning of the American 
freedoms and democracy we seek to protect.
    Privacy is a cultural value at DHS. Secretary Chertoff 
recently noted that as a young department, we have the 
opportunity to build into the sinews of this organization 
respect for privacy and the thoughtful approach to privacy.
    He went on to express a belief that I share. We want the 
government to be a protector of privacy, and we want to build 
security regimes that maximize privacy protection and that do 
it in a thoughtful and intelligent way. If it is done right, it 
will be not only a long-lasting ingredient of what we do in 
Homeland Security, but a very good template for what 
governments ought to do in general when it comes to protecting 
people's personal autonomy and privacy.
    The chief privacy officer and the DHS Privacy Office have a 
special role working in partnership and collaboration across 
the department, to integrate privacy into the consideration of 
the ways in which the department assesses its programs, uses 
technologies and handles information.
    The Privacy Office has oversight of privacy policy matters 
and information disclosure policy, including compliance with 
the Privacy Act of 1974, the Freedom of Information Act, and 
the completion of privacy impact assessments.
    The Privacy Office also evaluates new technologies used by 
the department for their impact on personal privacy. Further, 
under Section 222, the chief privacy officer is required to 
report to Congress on these matters, as well as on complaints 
about possible privacy violations.
    The DHS Privacy Office takes an operational approach to 
advancing privacy policy. We embed adherence to good privacy 
practices in the investment, oversight and design phases of 
programs through accountability and transparency tools, 
including privacy notices required under the Privacy Act, the 
use of privacy impact assessments and privacy audits, and 
complaint reviews.
    Our approach is consistent for all DHS programs and 
initiatives, and we have found that it works equally well for 
the law enforcement, homeland security and intelligence 
functions of the Department.
    As mentioned, one of the main mechanisms for 
operationalizing privacy protections is through the consistent 
use of the privacy impact assessment process throughout the 
department.
    The General Accountability Office released a report earlier 
this week on government use of commercial reseller data, and it 
compliments, in fact, the Department of Homeland Security's 
privacy impact assessment process and guidance, which has been 
shared with our federal partners across the government.
    They also complimented the department on its dialogue on 
that very issue and the guidance which we are currently writing 
and collaborating on within the department.
    Privacy impact assessments, required by Section 208 of the 
E-Government Act of 2002 and Section 222 of the Homeland 
Security Act, allow us to assess the privacy impact of utilizing 
new or significantly changed information systems that collect 
personally identifiable information, including attention to 
mitigating privacy risks.
    Although the E-Government Act allows exceptions from the 
PIA requirement for national security systems, as a matter of 
good privacy practice, the Privacy Office at the Department of 
Homeland Security requires that all DHS systems, including 
national security systems, undergo a PIA--privacy impact 
assessment--if they contain personal information.
    We use the PIA process as a good government information 
management tool and privacy protective process across the 
department's programs.
    In cases where the publication of a PIA would be 
detrimental to national security, the PIA document may not be 
published or may be published in a redacted form. This means 
that information systems that are part of the Intelligence 
Enterprise at the department also undertake these important 
analyses to ensure the privacy considerations are fully 
integrated into their deployment of programs.
    Let me quickly turn to information sharing. The Department 
of Homeland Security was created, in significant part, to 
foster information sharing for homeland security purposes. The 
Privacy Act, of course, provides the statutory authority for 
both inter- and intra-agency information sharing.
    The Privacy Office policy supports the exchange of 
information between the department's component organizations 
whenever those organizations establish an appropriate need 
based on an express purpose.
    We work with department components to facilitate the timely 
exchange of information in a privacy-sensitive manner, while 
working toward the goal of the right persons getting the right 
information at the right time.
    The department must also foster external information 
sharing for homeland security purposes with all of our partners 
at the federal, state, local, tribal and private sector levels. 
As the department incorporates the need to share in its 
internal and external information sharing design, it is, of 
course, paramount that privacy be built into the process.
    We have worked collaboratively with our intelligence and 
analysis colleagues for whom information sharing is part of 
their critical mission--to also ensure that personally 
identifiable information of U.S. persons is treated in a manner 
that fully conforms with their rights and is handled 
sensitively.
    The DHS policy on handling U.S. person information contains 
a significant role for the DHS privacy officer to review 
activities that could involve a potential violation of the 
privacy rights of U.S. citizens and also requires the privacy 
officer to collaborate on new initiatives to ensure that they 
enhance and do not erode privacy protections relating to the 
collection, use and maintenance of personal information.
    Members of the committee, we take this responsibility very 
seriously. We look forward to working with you on this effort 
and ask for your support. Thank you for inviting me today.
    [The statement of Ms. Cooney follows:]

                  Prepared Statement of Maureen Cooney

                             April 6, 2006

Introduction
    Chairman Simmons, Ranking Member Lofgren, and Members of the 
Subcommittee, it is an honor to testify before you today on privacy 
activities at the United States Department of Homeland Security, with 
particular reference to privacy as part of the Department's 
Intelligence Enterprise.
    Because this marks my first appearance before the Subcommittee, I 
would like to offer some biographical background. It is my honor to 
currently serve as the Acting Chief Privacy Officer for the Department 
of Homeland Security. I come to this post with 20 years of federal 
experience in risk management and compliance and enforcement activities 
as well as in consumer protection work on global information privacy 
and security issues post 9-11. I was recruited from the Federal Trade 
Commission to join the Department of Homeland Security more than two 
years ago as Chief of Staff of the Privacy Office and Senior Advisor 
for International Privacy Policy. Since that time, it has been my 
privilege to help build the DHS Privacy Office, under the leadership of 
former Chief Privacy Officer, Nuala O'Connor Kelly, and Secretaries 
Chertoff and Ridge.
    As the Subcommittee well knows, the Department of Homeland Security 
was the first agency to have a statutorily required Privacy Officer. 
The inclusion of a senior official accountable for privacy policy and 
protections within the Department honors the value placed on privacy as 
an underpinning of our American freedoms and democracy. It also 
reflects Congress' understanding of the growing sensitivity and 
awareness of the ubiquitous nature of personal data flows in the 
private and public sectors and a recognition of the impact of those 
flows upon our citizens' lives.
    In addressing the Department's Data Privacy and Integrity Advisory 
Committee, which was created to advise the Secretary and the Chief 
Privacy Officer on significant privacy issues, Secretary Michael 
Chertoff recently noted that the Department has the opportunity to 
build into the ``sinews of this. . .organization, respect for privacy 
and a thoughtful approach to privacy.'' Secretary Chertoff expressed a 
belief that I share:
        We want the government to be a protector of privacy, and we 
        want to build security regimes that maximize privacy protection 
        and that do it in a thoughtful and intelligent way . . . . [I]f 
        it's done right, [it] will be not only a long-lasting ingredient 
        of what we do in Homeland Security, but a very good template 
        for what government ought to do in general when it comes to 
        protecting people's personal autonomy and privacy.\1\
---------------------------------------------------------------------------
    \1\ March 7, 2006 public Meeting of the Department of Homeland 
Security Data Privacy and Integrity Advisory Committee, Ronald Reagan 
Building and International Trade Center, Washington, D.C.
---------------------------------------------------------------------------
    The Chief Privacy Officer \2\ and the DHS Privacy Office have a 
special role, working in partnership and collaboration across the 
Department, to integrate privacy into the consideration of the ways in 
which the Department assesses its programs and uses technologies, 
handles information, and carries out our protective mission. The 
Privacy Office has oversight of privacy policy matters and information 
disclosure policy, including compliance with the Privacy Act of 1974, 
the Freedom of Information Act, and the completion of Privacy Impact 
Assessments on all new programs, as required by the E-Government Act of 
2002 and Section 222 of the Homeland Security Act of 2002. The Privacy 
Office also evaluates new technologies used by the Department for their 
impact on personal privacy. Further, under Section 222, the Chief 
Privacy Officer is required to report to Congress on these matters, as 
well as on complaints about possible privacy violations.
---------------------------------------------------------------------------
    \2\ The DHS Chief Privacy Officer is the first statutorily required 
privacy officer in the federal government. Section 222 of the Homeland 
Security Act, as amended, provides in pertinent part, the 
responsibilities of the DHS Chief Privacy Officer are to assume primary 
responsibility for privacy policy, including--
    (1) assuring that the use of technologies sustain, and do not 
erode, privacy protections relating to the use, collection and 
disclosure of personal information;
    (2) assuring that personal information contained in Privacy Act 
systems of records is handled in full compliance with fair information 
practices as set out in the Privacy Act of 1974;
    (3) evaluating legislative and regulatory proposals involving 
collection, use, and disclosure of personal information by the Federal 
Government;
    (4) conducting a privacy impact assessment of proposed rules of the 
Department on the privacy of personal information, including the type 
of personal information collected and the number of people affected; 
and
    (5) preparing a report to Congress on an annual basis on activities 
of the Department that affect privacy, including complaints of privacy 
violations, implementation of the Privacy Act of 1974, internal 
controls and other matters.
---------------------------------------------------------------------------
    Today, I would like to describe for you how the Privacy Office has 
worked to build privacy into the sinews of our organization so that a 
culture of privacy informs the way in which we carry out our national 
mission of protecting our homeland. I'll explain our operational 
approach of embedding adherence to good privacy practices into the 
programs of the Department, through the budget and design phases of 
programs, through accountability and transparency tools, including 
reviews of privacy notices (systems of records notices), the use of 
privacy impact assessments, and privacy audits and reviews. Our 
approach is consistent for all DHS programs and initiatives and we have 
found that it works equally well for the law enforcement, homeland 
security and intelligence functions of the Department.
    I would then like to focus on the mandates of information sharing 
and intelligence activities and how those imperatives for national 
preparedness can be achieved while integrating privacy attentiveness 
and protections into Departmental operations.

Building a Culture of Privacy
    The Privacy Office works in partnership with each DHS Directorate 
and component to promote a business ethic of privacy attentiveness and 
responsible stewardship for the personal information that we collect, 
use and disseminate. This is fundamental to the Department's overall 
achievement of its mission and for engendering the trust of the 
American people and visitors to our nation.
    We operationalize privacy at the outset of DHS program initiation 
through two primary means. First, the Privacy Office works to 
incorporate privacy in the development processes used to build DHS 
information systems. Second, the Privacy Office confirms that privacy 
is embedded in the information systems that involve personal data 
through the privacy assessment process. These two methods allow the 
Privacy Office to ``bake'' privacy into Departmental operations.
    Building privacy into the development process starts with the 
investment review processes for major programs and information systems 
at the Department. In partnership with the DHS Management Directorate, 
the Privacy Office participates on three separate committees that 
review project proposals and set performance criteria for program and 
technology investment budget approvals. We thus can use the ``power of 
the purse'' to ensure that program personnel are attentive to privacy 
requirements.
    The Privacy Office then works to operationalize privacy protections 
through ``privacy gateways'' that focus on the projected design and use 
of an information technology system. In collaboration with the Office 
of the Chief Information Officer, the Privacy Office is developing 
these ``privacy gateways'' for the systems development life cycle 
review of technology deployed for Departmental programs to ensure that 
privacy practices are integrated through a monitored and auditable 
process.
    Consequently, Department design and deployment initiatives move 
forward only after proper attention has been paid not only to 
operational issues, but also to privacy issues. In fact, privacy is 
considered a cornerstone of the Department's program architecture, 
consistent with the mandate to protect the homeland while preserving 
essential liberties.
    Once funding for an information system is determined and privacy is 
considered in the systems development life cycle, the Privacy Office 
monitors privacy compliance through the use of a Privacy Impact 
Assessment (PIA). Conducting PIAs demonstrates the Department's efforts 
to assess the privacy impact of utilizing new or significantly changing 
information systems, including attention to mitigating privacy risks. 
Touching on the breadth of privacy issues, PIAs allow the examination 
of the privacy questions that may surround a program or system's 
collection of information, as well as the system's overall development 
and deployment.
    When worked on early in the development process, PIAs provide an 
opportunity for program managers and system owners to build privacy 
protections into a program or system in the beginning. This avoids 
forcing the protections in at the end of the developmental cycle when 
remedies can be more difficult and costly to implement. In accordance 
with Section 208 of the E-Government Act of 2002 and OMB's implementing 
guidance, the Department of Homeland Security is required to perform 
PIAs whenever it procures new information technology systems or 
substantially modifies existing systems that contain personal 
information. The Chief Privacy Officer reviews and signs off on all 
Departmental PIAs and then they are published.
    Although the E-Government Act allows exceptions from the PIA 
requirement for national security systems, as a matter of good privacy 
practice, the Privacy Office requires that all DHS systems, including 
national security systems, undergo a PIA if they contain personal 
information. We use the PIA process as a good government information 
management tool and privacy protective process across the Department's 
programs. In cases where the publication of the PIA would be 
detrimental to national security, the PIA document may not be published 
or may be published in redacted form. This means that information 
systems that are part of the Intelligence Enterprise at the Department 
undertake these important analyses to ensure that privacy 
considerations are fully integrated. Our intelligence information 
systems are better considered and developed as a result of conducting 
PIAs.

Transparency and Accountability
    To assure that information in DHS record systems is handled in a 
manner consistent with the fair information practices principles set 
out in the Privacy Act of 1974, the Privacy Office carefully reviews 
new Systems of Records Notices and new initiatives that seek to collect 
information to be placed under existing SORNs. The Privacy Office works 
closely with the Office of the General Counsel on the legal issues 
attendant to these SORNs and with all DHS program offices to analyze 
the ways in which the information will be shared through approved 
routine uses. In addition to SORNs, we benchmark programs' compliance 
with fair information practices principles based upon their development 
and adherence to internal policies, procedures, and public statements 
of program goals. To that end, we are working on a privacy tool that 
will assist programs in doing periodic self assessments against similar 
measures.
    Another way the Privacy Office encourages transparency and 
accountability is through outreach and public workshops. Just 
yesterday, the Privacy Office hosted a public event concerning 
Transparency and Accountability: The Use of Personal Information within 
the Government. We explored the front end of the privacy process--how 
public notices inform the public of the intended use of personal 
information by government--and the back end of the process--how 
government can live up to the promises made in public notices through 
mechanisms for appropriate access, including through Privacy Act 
disclosures, Freedom of Information Act disclosures, and other 
appropriate means.

Privacy Audits and Reviews
    The Privacy Office also has an important oversight function within 
the Department in assessing whether the fair information practices 
embedded in the Privacy Act of 1974 are appropriately implemented in 
our programs, along with other relevant frameworks. We do this through 
privacy audits and providing guidance at points along the development 
of programs. While the Privacy Office has an important internal role, 
it also receives and reports on complaints and concerns from the public 
about the privacy attentiveness of DHS programs. In response, we 
undertake reviews of those concerns and report on them to the Secretary 
and to Congress, per Section 222 of the Homeland Security Act, 
providing constructive guidance.

Privacy Protection and Public Security through Information Sharing and 
Intelligence
    The Department of Homeland Security was created, in significant 
part, to foster information sharing for homeland security purposes. And 
from its beginning, the Department has undertaken the important work of 
removing the invisible barriers that block appropriate information 
flows within the Department. The Privacy Act, of course, provides the 
statutory authority for intra-agency information sharing when there is 
a need to know, and Privacy Office policy supports the exchange of 
information between the Department's component organizations whenever 
the organizations establish an appropriate need based on an express 
purpose. The Privacy Office, therefore, works with Department 
components to facilitate the exchange of information in a privacy 
sensitive manner, while working toward the goal of the right persons 
getting the right information at the right time.
    The Department must also foster external information sharing for 
homeland security purposes with all of our partners at the Federal, 
state, local, tribal and private sector levels. As the Department 
incorporates the ``need to share'' in its information sharing design, 
it is, of course, paramount that privacy be built into the process. Our 
work on internal information sharing complements and informs the 
Department and Privacy Office's efforts to assist with external 
information sharing efforts.
    Just as the sharing model has changed, so must the paradigm shift 
to enhanced, stronger, and embedded privacy protections because, as 
Secretary Chertoff has said, ``When we share information, if we do it 
in a disciplined way, we actually elevate the security of both those 
who share--and those who receive--the information.'' The Privacy Office 
has therefore worked diligently to help create an information sharing 
model that allows for robust information exchanges for homeland 
security purposes even while it fosters robust privacy protections.
    In particular, we have worked collaboratively with our Intelligence 
and Analysis colleagues, for whom information sharing is part of their 
critical mission, to ensure that personally identifiable information of 
U.S. persons is treated in a manner that fully conforms with their 
rights and is handled sensitively. The DHS policy on handling U.S. 
person information developed by the Intelligence and Analysis section 
of DHS contains a significant role for the DHS Privacy Officer to 
review activities that could involve a potential violation of the 
privacy rights of U.S. citizens and also requires the Privacy Officer 
to collaborate on new initiatives to ensure that they enhance and do 
not erode privacy protections relating to the collection, use and 
maintenance of personal information. This policy is another example of 
the way that the Privacy Office has helped to construct a culture of 
privacy at DHS and has worked to make privacy an operational imperative 
as we move forward with our mission.
    Related to these activities is the fact that over the past four 
years, the Administration has provided new tools to permit federal 
agencies to exchange information. Most recently, in Executive Order 
13388, Further Strengthening the Sharing of Terrorism Information to 
Protect Americans, which was issued on October 25, 2005, the President 
made clear his intent that all federal agencies work to prepare an 
environment in which information flows support counterterrorism 
functions. The Executive Order specifically recognizes the importance 
of protecting the ``freedom, information privacy, and other legal 
rights of Americans.'' This message is further reflected in the 
Presidential Memorandum of December 16, 2005, to all federal 
departments and agencies providing guidelines and specific requirements 
to build the new Information Sharing Environment.
    As part of this Memorandum, the President issued Guideline 5 
stating that ``the Federal Government has a solemn obligation, and must 
continue fully, to protect. . .the information privacy rights and other 
legal rights of Americans. . .'' in the building of an information 
sharing environment.
    In parallel with the President's efforts, Congress enacted three 
laws providing the U.S. Government with greater authority for 
collecting, analyzing, and disseminating terrorist information: the USA 
PATRIOT Act of 2001, the Homeland Security Act of 2002, and the 
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA). This 
last statute puts in place a mechanism to formalize the creation of the 
information sharing environment on an interagency level and it, too, 
provides that the privacy rights of individuals must be central to the 
environment's creation.

``Need to Share'' and the Role of the DHS Privacy Office
    Recent legislative enactments confirm what the National Commission 
on Terrorist Attacks Upon the United States recommended and that the 
President has required in his Executive Orders on information sharing, 
that we have moved from a ``need to know'' environment to a ``need to 
share'' environment. This ``need to share'' presents significant 
improvements to information exchange, but it also presents significant 
challenges to individual expectations for privacy and to institutional 
privacy safeguards. At the Department of Homeland Security, as we move 
forward in our ability to share data, we are aware of our 
responsibility for the privacy, security and authorized use of the data 
entrusted to us.
    Specifically, technology and information policy should be maximized 
to build privacy protections into data sharing models. But technology 
and privacy awareness, while important tools in protecting individual 
privacy interests, will not be enough to address current challenges. As 
we move forward, we will also need to establish and enforce concrete 
safeguards to prevent unauthorized access, use, or disclosure.
    The Privacy Office has provided expertise and guidance for building 
the ISE by working closely with the Information Sharing Environment 
Program Manager (ISE/PM) and various steering groups on issues not only 
dealing directly with privacy, but also with subjects such as 
governance, operations, and harmonization of technologies. Through 
these efforts, the Privacy Office is assisting with facilitating the 
incorporation of privacy protections at the roots of the ISE 
development.
    Currently, the Privacy Office is a member of an interagency working 
group, operating under the joint leadership of the Director of National 
Intelligence and the Department of Justice, as specified by the 
President under Guideline 5. This group will conduct a review of 
current executive department and agency information sharing policies 
and procedures regarding the protection of information privacy and 
other legal rights of Americans; and develop guidelines designed to be 
implemented by executive departments and agencies to ensure that the 
information privacy and other legal rights of Americans are protected 
in the development and use of the ISE, including in the acquisition, 
access, use, and storage of personally identifiable information.
    The review of policies is focusing on coordinating and 
consolidating the work already done to focus on the key issues to 
harmonizing privacy protections. This review will lead into the 
development of appropriate guidelines that will outline a process for 
the operation of the entire ISE.

Conclusion
    The Privacy Office will continue to work to ensure that privacy is 
woven into the very fabric of the Department as a guiding principle and 
value through operationalizing privacy throughout the Department and 
responding to privacy concerns about information sharing environments 
in positive, constructive ways.
    In addition, as the Acting Chief Privacy Officer of DHS, I endeavor 
at all times to keep an open door to the privacy community around the 
nation and the world to ensure that the Department benefits from the 
range and depth of privacy practitioners and concerned citizens 
everywhere.
    We face great challenges. But we must achieve both security and 
privacy and, with both, sustain our values and freedoms. I do not doubt 
that we can move forward together and achieve our mission of protecting 
and preserving our lives and our way of life, preserving our Liberty 
and with it, our privacy. I appreciate the opportunity to testify 
before this important committee today. I look forward to hearing the 
other witnesses' testimony and to answering your questions.

    Mr. Simmons. Thank you very much for that testimony.
    I have a couple of questions, and then we will defer to the 
members of the subcommittee for their questions.
    Do you believe the Privacy Office has the support and the 
backing of DHS senior leadership and, in particular, leadership 
in the intelligence component in order to effectively fulfill 
your mission?
    Ms. Cooney. Thank you for the question, Mr. Chairman.
    Yes, absolutely. I do feel that we have always had the 
support since the time that I joined the Department of Homeland 
Security under both Secretary Ridge and now Secretary Chertoff, 
both of our secretaries.
    And the reason I am concentrating on that is because in any 
organization, in privacy matters or any compliance and 
enforcement matters, you need leadership from the top in order 
to embed it within the culture of the organization.
    Both of our secretaries have been extremely supportive. 
They have been supportive of our privacy officers, of the more 
than 400 employees who work on Privacy Act and Freedom of 
Information Act issues every day in the department. And, in 
particular, if I might say, our intelligence partners have 
always been very supportive.
    I know that General Hughes is here today testifying. He was 
a wonderful partner during his tenure at the department. And 
Mr. Allen could not be more supportive and his staff.
    Mr. Simmons. The issue of privacy frequently comes up in 
the context of collection activities. The Department of 
Homeland Security generally speaks of acquiring or gathering 
information which presumably they obtain from other agencies 
who also have their own privacy officers and presumably abide 
by their own privacy regulations. But the Department of 
Homeland Security might also collect information, for example, 
at the border or during a Coast Guard intercept.
    How do you deal with that kind of activity to ensure that 
the right to privacy is protected in the collection activities 
of your own organization?
    Ms. Cooney. I would say broadly, and particularly with the 
components that you are mentioning--border security, which 
would be customs and border protection, or if it is TSA, or 
immigration and customs enforcement--each of those particular 
entities under the DHS umbrella has very specific standards 
and processes that they use in collecting information.
    And a major part of that is compliance with the Privacy Act 
of 1974, which, as is true with any federal agency, requires 
that an agency only collects information that is mission 
critical, information that assists us in carrying out our 
particular duties as government employees.
    We review in the Privacy Office in collaboration with those 
component agencies those policies and procedures and in 
particular, do privacy audits on those collection mechanisms.
    Mr. Simmons. I thank you. My time has expired.
    The chair recognizes the gentleman from Mississippi.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    Ms. Cooney, for the record, do you have subpoena power or 
anything with your office in collecting data?
    Ms. Cooney. No, Congressman Thompson, we don't.
    Mr. Thompson. Have you felt that you could do your work--
have you had any problems getting data?
    Ms. Cooney. Initially, with one of our complaint reviews--
that is one of our responsibilities--we did have some 
difficulty in getting full information within the department. I 
will say, since that initial experience, I am not aware of 
difficulty in that area.
    If I may, in my 20 years of federal service, a good part of 
that has been in compliance and enforcement work. And it is not 
unusual that you ask for information even under a subpoena. And 
people think they are being fully compliant and are not, and 
you ask again, and you say, ``Anything else?,'' and they give 
you more.
    We are diligent and persistent in our activities even 
without some type of authority that you are mentioning. And 
within the government, that is standard process, and I assume 
that our staff will always be persistent in carrying out our 
compliance responsibilities.
    Mr. Thompson. Do you have the ability to take sworn 
testimony?
    Ms. Cooney. We do not, sir.
    Mr. Thompson. Would that help you?
    Ms. Cooney. In certain cases, it could be helpful. I think 
it would be--what I would say on that is, as we partner in the 
agency in other areas, we do have partners within the agency 
who have that ability, particularly the inspector general.
    With one of our major reviews, we did partner with the 
inspector general and referred part of our conclusion to the 
inspector general for his further review. He had the ability to 
use subpoena power to take sworn statements. To the extent that 
that works effectively in the absence of powers on our own, we 
would certainly leverage every opportunity in the department to 
make sure there is full compliance with all privacy laws.
    Mr. Thompson. So if you had the ability to subpoena 
witnesses for information or the ability to take affidavits, 
would that enhance your ability as chief privacy officer to 
function?
    Ms. Cooney. I know that our department--well, let me say it 
this way: It could. It might be helpful. To date, I guess I 
would say, again, to date, I don't think that we have seen that 
we have not received the information that we have needed in 
order to carry out our abilities.
    Sometimes issues that I look at--and I am a lawyer, but I 
don't practice as a lawyer in the agency. I practice as a 
policymaker. But as a lawyer, thinking through that background, 
I would always want to be careful in our taking statements of 
not jeopardizing a case that someone else in another area of 
the department has authority for, which is why I think at least 
to date, it is important in the absence of having subpoena 
powers or the ability to take affidavits, to be mindful that in 
the pursuit of our own activities, we need to be careful to 
partner with people who may need to follow up on an 
investigation.
    Mr. Thompson. Well, I understand that. But I am trying to 
be respectful of your office and try to figure out other than 
friendly persuasion what real authority do you have to actually 
get the information.
    Ms. Cooney. I would say our greatest assistance in getting 
the information that we have needed is leadership from the 
secretary's office, from the secretary himself. It was true 
under Secretary Ridge, and it was true very recently in a 
review that we did under Secretary Chertoff, not unlike the 
type of leadership buy-in that you need in a corporation. And 
that is what we have relied on.
    Mr. Thompson. So in absence of authority to do your job, 
you depend on leadership persuasion from the top?
    Ms. Cooney. Absolutely. We need their support in doing our 
job just as our colleagues do in theirs.
    Mr. Thompson. So can you initiate an investigation on your 
own?
    Ms. Cooney. Yes, we do do that, absolutely.
    Mr. Thompson. Without any leadership from the top? You have 
sole authority?
    Ms. Cooney. That is right. We inform the secretary, as 
would be responsible, and then we pursue our responsibilities 
under the statute, under Section 222, that requires us to look 
at complaints and concerns about agency programs and processes. 
Yes, sir.
    Mr. Thompson. Thank you, Mr. Chairman. My time is expired.
    Mr. Simmons. I thank the gentleman for his questions.
    The gentleman from Pennsylvania, Mr. Dent, is recognized.
    Mr. Dent. Thank you, Mr. Chairman.
    Good morning.
    Ms. Cooney. Good morning.
    Mr. Dent. Do you believe that the department is doing an 
effective job in protecting the privacy of American citizens?
    Ms. Cooney. Yes, Mr. Dent. I do believe we are. We are 
certainly trying very hard. I can tell you that the staff of 
the Privacy Office works extremely diligently, very long hours, 
is a very energetic staff, and that we have built various 
active partnerships across the department.
    I think all through our processes, from investment review, 
to life cycle development reviews of technologies that the 
department might deploy in programs, to our privacy impact 
assessments when programs are getting ready to be developed, 
and all through that developmental process, to the audit 
reviews afterwards, and then on reviews of complaints, I think 
we are being extremely proactive.
    I might add, we have an internal DHS data and privacy 
integrity board made up of senior managers, in particular, 
guidance that we are trying to fashion on the use of commercial 
reseller data. That particular internal board will meet next 
week to collaborate with us and to have a dynamic discussion on 
how operationally guidance might work and be implemented.
    We also have an external privacy advisory committee that 
gives advice directly to the secretary and to the chief privacy 
officer. They have looked most recently at the information 
sharing issues that relate to intelligence information that we 
handle at the department and that we need to push out both to 
the private sector and state and local partners.
    So we certainly are trying in as many venues and as many 
ways as possible to effectively push out privacy and privacy 
attentiveness within the department.
    Mr. Dent. And my final question. Do any of the information 
sharing systems within the DHS Intelligence Enterprise require 
privacy impact assessment or PIA as required by the E-
Government Act of 2002? And can you give us an example of PIAs 
that have been done with regards to the DHS Intelligence 
Enterprise?
    Ms. Cooney. Yes. I am happy to do that. Most recently, we 
have worked on a privacy impact assessment that deals with our 
Homeland Security Information Network. We refer to it as HSIN. 
It is a network database that is managed by our Homeland 
Security operations center.
    But, of course, much of the information that is within that 
database is brought in and analyzed by our intelligence 
analysis area as well as others. Much of it is information from 
citizens who happen to see suspicious activity and can call 
into the department. It includes information from our law 
enforcement components, our folks on the line every day 
protecting the borders.
    We have recently worked on that privacy impact assessment. 
It is publicly available on our web site on the Privacy Office 
web site.
    As I mentioned before, when these privacy impact 
assessments concern what might be considered national security 
operations, they don't necessarily require publication, but we 
work very hard at transparency of DHS operations. And so on 
that particular PIA, we worked diligently with HSOP and with 
I&A to fashion the PIA in a way that we could describe as 
robustly as possible exactly what information we are collecting 
and how we are handling it.
    It is in the name of activity information rather than 
information about individuals. However, there is some 
information that comes into that database that concerns 
individuals. And to the extent that it is personally 
identifiable information, there are added safeguards and 
restrictions, role-based access, in terms of who gets to see 
that information and when.
    Mr. Dent. Thank you. I yield back.
    Mr. Simmons. I thank the gentleman.
    The gentlelady from Florida, Ms. Brown-Waite, is 
recognized.
    Ms. Brown-Waite. Thank you very much, Mr. Chairman.
    Ms. Cooney, you have a very, very impressive resume, and 
this question may have been asked before. I apologize if it 
was. Please don't hesitate to tell me.
    But as I looked at your resume, your title is chief privacy 
officer, the acting chief privacy officer. Do you think that 
your duties are impaired in any way by the title of acting, and do 
you have any idea when the acting with all the responsibilities 
will become the actual privacy officer, chief privacy officer?
    Ms. Cooney. Thank you for your question.
    Since taking this position, my philosophy has been that it 
is just business as usual within the Privacy Office and the 
department in terms of fully integrating privacy into our 
operations. So the title itself, I don't think, has made a 
significant difference for me in the way in which I go about 
this job, nor in the way in which senior leadership has 
partnered with me to be effective in that job.
    We cannot do this alone in the privacy office. This is an 
enterprise-wide value and initiative to protect privacy at the 
department. So I have not seen an impediment based on my acting 
position, and I am happy to continue to serve in this role as 
long as the secretary asks me to do so.
    Ms. Brown-Waite. My next question is: Do you think that the 
Privacy Office has the adequate resources and funding to 
actually carry out the mission of the office?
    Ms. Cooney. Well, I would first answer that by thanking 
members of Congress for your support in building our budget 
from the time that we were in our infancy when we had three 
FTEs and a budget of $750,000 to the 15 FTEs that we have now 
and about an equal number of very experienced privacy 
contractors who are embedded and made part of our privacy team, 
and the budget we have now of $4.3 million.
    The exercise of pushing privacy out through the enterprise, 
of course, has also grown as the department and as we have 
multiplied our homeland security programs. We will need to 
continue to watch that as those programs grow, but we continue 
to leverage our ability to effectuate privacy by capitalizing 
on privacy officers that are in our component agencies, our 
major programs--U.S. VISIT, Citizen and Immigration Services, 
Transportation and Security Administration, and Cyber Security, 
as well as the more than 400 privacy professionals who I 
mentioned to you are embedded within the department.
    Ms. Brown-Waite. What is the average longevity of the 16 
full-time employees that you now have? Or did it just increase 
with last year's funding?
    Ms. Cooney. We have gradually increased each year that we 
have been in operation. We had been at 12 FTEs, and we received 
four new ones in the 2006 budget. We have filled one of those. 
We are actively interviewing for two other of those spots, and 
the fourth position has been posted.
    Under our former chief privacy officer, Nuala O'Connor 
Kelly, and together, we felt that it was imperative that 
whatever tools and resources Congress gave us, we would 
immediately use them. And we are actively doing that. So it has 
been incremental over the years.
    Ms. Brown-Waite. Well, obviously, it takes a very special 
kind of person to fill this, and I would just encourage you 
don't fill it just for filling's sake. Go out there and get the 
best and the brightest.
    Ms. Cooney. Thank you. We will do our very best to do that.
    Ms. Brown-Waite. Thank you very much, and keep up the good 
job.
    Ms. Cooney. Thank you.
    Mr. Simmons. I thank the gentlelady for her comments.
    Are there any additional comments or questions that members 
may wish to make?
    Ms. Cooney, thank you very much for your testimony. It is 
great to have you here. You have responded very well. I think 
you shouldn't be acting anymore. I think you should be 
permanent. And what we always say is, if there are any 
budgetary or legislative impediments to performing your duties 
that you will make the subcommittee aware of those. Thank you.
    And now the chair will call the second panel.
    Ms. Cooney. Thank you.
    Mr. Simmons. The second panel consists of Mr. Keith 
Herath--I hope I am pronouncing your name correctly--chief 
privacy officer and associate general counsel at Nationwide 
Insurance Company, who is primarily responsible for creating 
and implementing privacy policy. Mr. Herath is currently 
serving a 2-year term on the DHS Data Privacy and Integrity 
Advisory Committee.
    Mr. Jonathan Turley, Shapiro Professor of Public Interest Law 
at the George Washington University Law School. He is a 
nationally recognized legal scholar. In 1990, Professor Turley 
joined the George Washington law faculty, and in 1998 became 
the youngest chaired professor in the school's history.
    And Lieutenant General Patrick Hughes, who is vice 
president of Homeland Security at L-3 Communications and has 
over 38 years of strategic planning and leadership experience. 
Prior to joining L-3 Communications, General Hughes was 
assistant secretary for information analysis at the U.S. 
Department of Homeland Security, a position he held from 2003 
to 2005.
    Thank you all for being here.
    General Hughes, in particular, to you, welcome back. It is 
good to see you here.
    And the chair now recognizes Mr. Herath to testify.

STATEMENT OF KIRK HERATH, CHIEF PRIVACY OFFICER, AVP-ASSOCIATE 
        GENERAL COUNSEL, NATIONWIDE INSURANCE COMPANIES

    Mr. Herath. Thank you. Good morning, Mr. Chairman, and 
members of the subcommittee. Thank you for the opportunity to 
speak with you today.
    My name is Kirk Herath. I am the chief privacy officer, 
associate general counsel and assistant vice president for 
Nationwide Insurance Companies located in Columbus, Ohio. I am 
also currently serving as the president of the International 
Association of Privacy Professionals. In addition, I serve as a 
member of the Department of Homeland Security's Data Privacy 
and Integrity Advisory Committee.
    I would like it noted that the opinions expressed here 
today are mine alone and do not reflect those of any other 
person or organization.
    Privacy is a vibrant and growing profession. Privacy is 
recognized by the private sector, and increasingly in the 
public sector and academia, as an important and integral part 
of an organization's success.
    The job of a privacy professional demands mastery of a 
complex set of laws, technology, security standards, and program 
management techniques. In many ways, the emergence and growth 
of the International Association of Privacy Professionals 
reflects the growing importance of privacy in public and 
private sectors.
    Privacy protections within the government and marketplace 
require professionals to assess, create, monitor, and maintain 
policies and practices. The IAPP was founded 5 short years ago, 
and in that time, it now has 2,200 members in over 23 
countries.
    Clearly, the profession of privacy has cemented its 
position as a critical resource in any organization that deals 
with data. Privacy professionals within DHS play an important 
role in furthering our nation's twin goal in protecting its 
citizens' security and their rights.
    Most of us in the private sector discovered that the sheer 
scale of implementing privacy and safeguard requirements 
required a central office to coordinate the implementation of 
one corporate privacy policy that complies with a new set of 
emerging laws.
    The federal government appears to be coming to the same 
conclusion. A central office is needed to coordinate privacy 
for a large government agency.
    One can find many resources about how to create a privacy 
program. However, the steps in creating a privacy program can 
be summed up in the following: You first assess, you assess 
current processes, procedures, uses of data, et cetera. You 
then address, which is to identify and address gaps in your 
process and procedures. You monitor and audit to make sure that 
everything you put in place is working as it should, and then 
you repeat this process, because the environment is constantly 
changing.
    There are many challenges with implementing privacy. With 
every assessment or audit, there are three competing factors 
vying for the most beneficial outcome. These include the 
business need for quick access to abundant amounts of personal 
information. Information is money. The business cannot succeed 
without personal information. For DHS, information may lead to 
greater security.
    Customer expectation is number two. The customer wants the 
product or service that they purchased or contracted for. The 
customer also has high expectations for how they want companies 
or organizations to manage and use their information.
    And third, privacy regulations. Like all regulations, they 
serve a good purpose. However, they often conflict with 
organizational goals.
    The job of a privacy officer is to help balance these three 
competing interests, because in the end, it rarely happens that 
each of the three competing interests is exactly equal. 
Generally, they are different.
    Listing the challenges that arise when implementing privacy 
is easy. Resolving them takes time and resources and the power 
to effectuate the necessary change. It is a constant balancing 
act often with different outcomes each time an issue arises.
    The DHS Privacy Office's mission is to minimize the impact 
on the individual's privacy, particularly the individual's 
personal information and dignity, while also achieving the 
mission of the Department of Homeland Security.
    One wonders whether the DHS Privacy Office has the budget 
staff and institutional authority to adequately carry out its 
mission. In fact, the DHS Privacy Office has done a wonderful 
job working with the limited resources made available to it. 
They have done many of these assessments of existing programs 
and appear to be integrated in the planning and review 
processes for future programs or programs under development. 
They have addressed most of the gaps discovered through their 
initial assessments.
    Where they can probably use the most assistance and 
resources is with operating their ongoing monitoring and audit 
function. This function is in its infancy and is inadequately 
staffed. Even if it were adequately staffed, it is doubtful 
that the Privacy Office has the legal authority to conduct the 
type of deep analysis necessary to ensure ongoing adherence to 
privacy laws.
    In sum, the Privacy Office is well organized and 
understands what it needs to do to carry out its objectives. It 
is highly motivated and experienced. Nevertheless, there are a 
few things Congress should consider to make it more successful.
    I respectfully submit the following: Number one, strengthen 
the statutory authority of the Privacy Office. It should have a 
clear and direct reporting line to Congress. The DHS Privacy 
Office should have a larger budget to carry out its critical 
mission. Its current $4.3 million budget is insufficient in 
light of the DHS's overall budget.
    Congress should consider adding chief privacy officers and 
privacy offices to all federal agencies or at least those that 
generally collect and process personal information on citizens.
    Transparency in information processing is fundamental to 
the role that the Privacy Office plays. The Freedom of 
Information Act Office needs to stay connected to the Privacy 
Office, because this is the Privacy Office's single real 
connection to its customers, namely citizens.
    DHS should quickly appoint an official replacement for 
Nuala O'Connor Kelly, who left many months ago. Not having an 
official replacement devalues the Privacy Office politically 
and organizationally.
    In conclusion, I hope my testimony helps illustrate the 
large effort, cost and authority necessary for an organization 
to effectively implement a Privacy Office. For the DHS Privacy 
Office to carry out its statutorily defined requirements, it 
will need resources and the authority to implement a privacy 
program that balances the requirements of law and a 
responsibility of the government to protect its citizens.
    Additionally, no Privacy Office can be successful without 
clear and strong support from the top. If support from 
leadership is absent, the privacy function will never be able 
to effectively carry out its mission. In fact, trying to 
perform a privacy function without senior leadership support 
may be worse than not doing anything with privacy, because it 
provides an illusion to privacy without the reality of having 
any in.
    Thank you for inviting me to speak with you this morning. I 
would be happy to answer any questions that the committee may 
have.
    [The statement of Mr. Herath follows:]

                  Prepared Statement of Kirk M. Herath

                             April 6, 2006

Introduction
    Mr. Chairman, members of the Subcommittee, good morning. Thank you 
for the opportunity to speak with you this morning.
    My name is Kirk Herath, I am the Chief Privacy Officer, Associate 
Vice President, and Associate General Counsel for Nationwide Insurance 
Companies, located in Columbus, Ohio. I am also currently serving as 
President of the International Association of Privacy Professionals 
(IAPP), the world's largest association for the privacy field, 
representing over 2,000 privacy professionals in business, government, 
and academia from 23 countries. Additionally, I serve as a member of 
the Department of Homeland Security's (DHS) Data Privacy and Integrity 
Advisory Committee, which advises the Secretary of the Department of 
Homeland Security and the DHS Chief Privacy Officer on privacy and data 
integrity issues related to personal information.
    I would like it noted that I am here today in a personal capacity 
as an expert in privacy and privacy compliance. I am not here today 
officially representing my employer, my professional association or the 
Data Privacy and Integrity Advisory Committee. Thus, the opinions 
expressed here are mine alone and do not reflect those of any other 
person or organization.
    This morning, I will explain to the Committee how privacy has 
become embedded into most private and a growing number of public 
organizations and how, in fact, it has become a legitimate profession 
and career path for thousands of knowledge workers. I also will attempt 
to describe for the Committee the very basic steps any organization 
needs to go through to address privacy and build a privacy 
infrastructure. Following this description, I will compare and contrast 
the role that the DHS Privacy Office plays to what any other privacy 
office would do, whether it is private or public sector, particularly 
the trade-offs and balancing that is required to be successful. 
Finally, I will also respectfully attempt to provide a brief set of 
recommendations for the Committee to consider if it desires to ensure 
more consistent privacy protections for DHS, or for any federal agency 
that collects and processes personal information.

The Profession and Business of Privacy
    Before I describe how privacy programs should be organized and 
compare that to the DHS Privacy Office, I would like to discuss 
the profession of privacy and the work of the IAPP. I believe that this 
will provide a good framework for the Subcommittee to see how Privacy 
is a vibrant and growing profession. In sum, privacy is recognized by 
the private sector, and increasingly in the public sector and academia, 
as an important and integral part of an organization's success. The 
growth of the IAPP reflects this view. The IAPP is a rapidly growing 
professional association that represents individual members working in 
the field of privacy. The organization works to define and promote this 
nascent profession through education, networking, and certification.
    In many ways, the emergence and growth of the IAPP reflects the 
growing importance of privacy in public and private sectors. Privacy 
protections within the government and marketplace require professionals 
to assess, create, monitor, and maintain policies and practices. Put 
simply: privacy professionals are needed to give privacy protections 
viability within any organization.
    The IAPP was founded five short years ago as an emerging network of 
privacy professionals recognized the need for a professional 
association. The organization has grown rapidly since those early days 
and now boasts over 2200 members in 23 countries. The IAPP's recent 
annual conference here in Washington was, to the best of my knowledge, 
one of the largest privacy conferences ever held, with over 800 
attendees. Clearly, the market has placed a very high value on privacy 
and the robust, but responsible use of data.
    When the IAPP was initially formed, the majority of our members 
shared a similar title: chief privacy officer, or CPO. Indeed, many--if 
not most--Fortune 500 companies have now appointed a chief privacy 
officer. But the majority of IAPP members are not CPOs. Rather, we have 
seen a robust hierarchy of professional roles in privacy emerge--in 
both the private and the public sectors. These privacy pros cover 
issues of compliance, product development, marketing, security, human 
resources, consumer response, and more. The management of privacy 
issues in large organizations now requires a broad and deep team of 
professionals with increasingly sophisticated skills. It is a hybrid 
profession encompassing a broad set of skills. Some organizations have 
even created job families for their privacy professionals. It is now a 
career track.
    The job of a privacy professional demands mastery of a complex set 
of laws, technology, security standards, and program management 
techniques. In 2004, the IAPP introduced the first broad-based privacy 
certification to the US marketplace, the Certified Information Privacy 
Professional (CIPP). This credential is meant to serve as a 
demonstration of a candidate's knowledge of a broad range of 
fundamental privacy concepts. To date, over 800 people have taken the 
exam and over 600 CIPPs have been granted in the US.
    In 2005, the IAPP extended the CIPP program to include issues of 
governmental privacy. The CIPP/G program covers issues specific to the 
public sector: such as the Privacy Act, eGovernment Act, Freedom of 
Information Act, Patriot Act, and more. To date, the IAPP has granted 
over 70 CIPP/Gs. The IAPP expects more growth in this sector, due to 
the growing importance of privacy in the public sector. This hearing 
reinforces that view.
    Clearly, the profession of privacy has cemented its position as a 
critical resource in any organization that deals with data--whether 
that data is consumer or citizen data, or both. Privacy professionals 
within DHS and the few other government agencies that have privacy 
offices play an important role in furthering our nation's twin goal of 
protecting its citizens' security and their rights.
    I encourage members of the committee to visit the IAPP's website, 
www.privacyassociation.org, to learn more about the profession of 
privacy. And, as a CIPP/G myself, I strongly recommend that the 
committee consider the value of such privacy certifications as a tool 
to ensure privacy issues are properly identified and addressed in the 
public and private sectors.

Operationalizing Privacy within an Organization--An Example
    One of the reasons Chairman Simmons invited me today was to provide 
the Committee with a brief overview of the process private sector 
companies undergo to implement an effective privacy program. I believe 
that the steps private sector companies take to protect the 
privacy of personal information can easily be extrapolated to the 
public sector. To the best of my knowledge, these were essentially the 
same steps that the DHS Privacy Office completed in order to provide 
the same privacy protection that individuals have come to expect from 
all entities that collect, use, and share their personal information.
    I will use my own experience with Nationwide to describe for the 
Committee the basic steps necessary for any organization--either public 
or private--to implement and continue to manage its privacy 
responsibilities. Explaining how privacy has been adopted in the 
private sector will help illustrate the steps--including opportunities 
and challenges--necessary to effectively carry out a privacy program.
    First, let me give you a brief overview of Nationwide. Nationwide 
is a Fortune 100 company comprised of several dozen different companies 
and divisions that sell a variety of products--from auto, home, and 
commercial insurance to mortgages to financial products--such as 
annuities and investment funds, to retirement plans--such as 401k and 
457 plans. Nationwide employs over 30,000 employees and has an 
exclusive sales force of just over 4,000 agents. It also sells its 
products and services through tens of thousands of independent agents, 
producers and brokers. Despite a complex organization, we have a legal 
duty to safeguard our customer information and protect their data 
wherever it is stored, accessed or shared. This can be a daunting task 
without a good plan and organization.
    Nationwide began centrally managing privacy as Congress was putting 
the finishing touches on the Gramm-Leach-Bliley Act (GLBA) in late 
1999. As you may know, GLBA requires financial institutions, including 
banks and insurance companies, to inform customers in an annual privacy 
statement how the company uses, protects, and shares customers' 
nonpublic personal information. GLBA also requires that financial 
institutions safeguard customer information. It's not enough for a 
company just to tell a customer that it is ``protecting your nonpublic 
personal information'' or that ``access to your information is limited 
to employees who have a business need-to-know your information.'' A 
company must have the processes and technological controls in place to 
veritably support the privacy statement.
    Prior to GLBA, each entity of Nationwide managed compliance with 
state privacy laws--mainly some version of the 1982 Model National 
Association of Insurance Commissioners (NAIC) Privacy Act--
independently in the 16 states where some version of this model had 
been enacted into law. To the extent possible, each company or division 
managed privacy practices differently. As you can imagine, this created 
a patchwork effect with respect to privacy. Each company and division 
adopted different privacy standards and practices. Even the philosophy 
of privacy varied between companies, with some companies following a 
very high standard for privacy and others following a standard that was 
the minimum necessary to comply with the law. Senior management had not 
articulated a uniform privacy policy and spread this policy throughout 
the organization, companies and divisions. In sum, there was no 
consistent guidance on privacy. To be fair, this situation existed 
because there was no single set of national privacy laws that applied 
equally to every entity, and there was no real enforcement mechanism.
    For the private sector, this all changed when Congress enacted the 
Gramm-Leach-Bliley Act in November 1999. Among other requirements, the 
GLBA effectively forced companies to centralize privacy management and 
compliance. The sheer scale of implementing the privacy and safeguard 
requirements of GLBA required a centrally coordinated office to 
coordinate the implementation of one corporate privacy policy that 
complied with the new set of laws. I was assigned the role of advising 
Nationwide executive leadership on a privacy policy and compliance plan 
and then, with their agreement and approval with this privacy policy 
and plan, to implement GLBA requirements throughout all Nationwide 
companies and divisions.
    GLBA and other federal and state privacy laws have had a positive 
effect on customers and citizens. A good example of this is that DHS 
probably would not have hired the first statutorily-required privacy 
officer in the federal government, Nuala O'Connor Kelly, if not 
directed to do so by law. Customers and citizens have come to expect 
that entities that use, share, or disclose their personal information 
should protect this information and should use, share, or disclose it 
appropriately. The federal government appears to be coming to the same 
conclusion: a central office is needed to coordinate privacy for any 
large government agency, perhaps one is even needed to coordinate 
``among'' the federal agencies, but I will address that later.

The Four Basic Steps of a Privacy Program
    One can find several books and a plethora of articles today about 
how to create a privacy program. Most of these are good descriptions 
that go into each area in great detail and are worthwhile reading. 
However, the steps in creating a privacy program can be summed up in 
the following manner. To implement a privacy program, any company or 
agency needs to follow a seemingly simple four step model:
        1. Assess,
        2. Address,
        3. Monitor and Audit,
        4. Repeat.

Step One--Assess
    The goal in step one is to conduct dozens and dozens of 
assessments. The best way to carry out this task is to create a large 
cross-functional team. For example, in my case, I formed what we called 
a Virtual Privacy Team (VPT) that included about 40 people from across 
our corporation. Each Nationwide company or division had representation 
on the VPT. These team members in turn led their own business unit or 
staff office privacy compliance team, which varied in size and scope, 
within each of the companies or divisions. By my estimation--by using 
this model, we were able to centrally manage and coordinate the 
activities of over 500 employees actively working on our corporate 
privacy implementation during 2000-2001, which was the high water 
compliance year for us, as we worked to comply with strict legal and 
regulatory time lines.
    Basically, the objective in the first step in implementing privacy 
in an organization is to assess current processes, procedures, uses of 
data, etc. Any organization going through this process needs to 
conduct, among others, the following assessments:
        1. Analysis of the legal requirements.
                a. What federal or state privacy laws exist that affect 
                the organization?
                b. What were the specific requirements for each privacy 
                law?
                c. How were companies and divisions complying with 
                this patchwork of regulations?
        2. Evaluation of existing privacy standards, practices, and 
        philosophies.
        3. Evaluation of information security practices.
                a. Does Nationwide have an information security policy?
                b. Does it meet the standards of the Safeguard Rule 
                (the companion information security regulation within 
                GLBA)?
                c. Collection of personal information.
                d. Which areas of Nationwide are collecting personal 
                information?
                e. What type of information is being collected?
                f. Why is this type of information being collected 
                (purpose)?
                g. Where is it stored?
                h. Is Nationwide only collecting personal information 
                necessary to complete the customer's request?
        4. Collection of Personal Information.
                a. Which areas of Nationwide are collecting personal 
                information?
                b. What types of information are being collected?
                c. Why is this type of information being collected 
                (purpose)?
                d. Where is it stored?
                e. Is Nationwide only collecting personal information 
                necessary to complete the customer's request?
        5. Use of Personal Information.
                a. How is information being used?
                b. What is it being used to accomplish for the 
                organization?
                c. Is there a legal or rational basis for each use of 
                information?
        6. Access to Personal Information.
                a. Who can access personal information?
                b. Does everyone with access have a business need-to-
                know the information?
                c. Is access monitored?
                d. Are employees technologically capable of accessing 
                personal information that they should not be able to 
                access?
        7. Disclosure of Personal Information.
                a. How is personal information shared within 
                Nationwide?
                b. Are the principles of need-to-know enforced?
                c. Do these disclosures have a legal basis?
        8. Disclosure of Personal Information with Third Parties.
                a. Does a contract exist with all third parties that 
                receive Nationwide information?
                b. Have we conducted an information security audit to 
                determine whether the third party is capable of 
                adhering to the laws that require the information to be 
                protected?
        9. Data Integrity.
                a. Is the data accurate and up-to-date?
                b. Is there a way for customers to access their data 
                and correct errors?
        10. Management.
                a. What documentation or privacy procedures exist?
                b. Is it up-to-date, accurate, and sufficient for the 
                company or division?
                c. Does it need to change to satisfy the new law?
                d. Can it be extrapolated to the rest of the 
                organization as a best practice?
                e. Is there anyone responsible for complying with laws 
                and regulations?
    After going through the first assessment, which formed our legal 
analysis of privacy, the VPT in conjunction with a steering committee 
that I chaired drafted a privacy policy for Nationwide and a privacy 
statement detailing our privacy policy for our customers. The privacy 
policy was then adopted by a steering committee of senior Nationwide 
executives. This became the privacy philosophy that the VPT adhered to 
when implementing privacy across all Nationwide companies and 
divisions. It was the foundation upon which we have built our program 
over these past six years.

Step Two_Address
    Over an 18-month period, as these different assessments were 
completed, the VPT concurrently analyzed the results and determined how 
they fit with the overarching privacy policy. We then addressed the key 
question of whether the results of the assessment were sufficient or 
whether they needed modifications to match the newly drafted privacy 
policy. This is the hallmark of step two, which is to identify and 
address gaps in your processes and procedures.
    In step two, the VPT and a small number of outside consultants 
conducted gap analyses between the legal requirements, the new 
Nationwide Privacy Policy and the results of the different assessments. 
For example, number nine in the assessment list, above, was Disclosure 
of Personal Information with Third Parties. To address this assessment, 
the VPT member worked with the team responsible for executing contracts 
in each company or division to evaluate the findings in the assessment 
against the legal requirements and Nationwide's Privacy Policy. In some 
cases, they discovered that they could not find a copy of a contract, 
or that a written contract didn't exist. Many contracts did not contain 
the new confidentiality, privacy, and information security language 
required by the GLBA. These teams identified the gaps and developed a 
plan to address the gaps identified.
    The VPT then created project plans to address the gaps. Let's use 
an assessment from earlier--Access to Personal Information. One of the 
items of the assessment was an illustration of how personal information 
flowed through a company or division. This assessment included where 
the personal information was stored and which associates could access 
it.
    The privacy sub-team then documented the tasks necessary to address 
the gap between the assessment and both the legal requirements and 
Nationwide Privacy Policy. The next step was to develop a project plan 
to assign the activities for each task and to monitor the progress.

Step Three_Monitor and Audit
    After the dozens and dozens of projects to address the identified 
gaps were finished, we created a privacy compliance program to audit 
the privacy procedures that the teams implemented. For practical 
reasons, this program was created and housed in the Office of Privacy, 
because it contained the evolving set of experienced professionals 
capable of carrying out these tasks.
    There are several purposes to the audit phase of privacy 
implementation. One purpose is to confirm that the privacy processes 
are still operating. Sometimes, when the novelty of a project fades, 
employees inadvertently regress back to old practices. Also, employees 
often change jobs and the institutional memory leaves the unit. 
Monitoring through self-assessment or more formal audits keeps 
compliance issues fresh and illustrates actual privacy practices to 
business leaders.
    Another purpose of continuous monitoring or auditing is to 
determine whether a compliance process change is necessary as a result 
of a new business process. Business is a constantly changing 
environment. Audits help discover when new privacy processes are 
necessary to meet these new changes.
    Finally, informal monitoring and audits prepare companies for 
formal market conduct audits by regulators. Regularly conducting 
internal audits allows business to understand and address privacy risks 
before a regulator conducts an audit. This reduces the risk of 
regulatory enforcement and fines.

Step Four_Repeat
    Privacy implementation never ends. Thus, the four step process is 
really a continuous improvement loop. This has been extremely important 
over the past six years, as each year the private sector has been faced 
with an ever expanding array of legislative and regulatory requirements 
around privacy and information security. In addition to the changing 
legal landscape, a company is required to repeat the process to 
accommodate new business goals or changes to existing processes.
    In summary, this may be an overly simplistic explanation of the 
complex process of implementing privacy throughout any organization--
public or private. However, I believe that it correctly points out the 
nature of the process and is easy to understand. There is one other 
important item to note here. None of this is possible without a clear 
mandate and strong support from the top of the organization. If the 
privacy office lacks the support of the chief executive, whether this 
is a private or public organization, it will never be able to 
effectively carry out its mission. A privacy office without senior 
management support may be worse than not having a privacy office, 
because it merely provides an illusion of privacy without the reality.

The Challenges_Balancing Competing Interests
    Earlier, I discussed the requirement for financial institutions to 
create a privacy statement, which describes how the company uses, 
protects, and shares customer information. It is difficult for a large 
company like Nationwide to make blanket promises to customers, because 
there are many competing priorities when it comes to privacy. This is 
no different for the DHS Privacy Office.
    The challenges that arise while implementing privacy at Nationwide 
became apparent immediately. In business, information is money. At 
Nationwide, the more a division knows about an individual, the better 
the company can protect the financial needs of the individual. However, 
certain laws or contractual obligations between parties often make it 
difficult to ``know'' everything about a customer. It is equally true 
in both the private and public sectors.
    Let me give you an example of how this can impact a company:
    Susan works for a municipality and has a 457 deferred compensation 
plan with Nationwide that she obtained through her employer--a 
municipal government--whose relationship is with an independent 
producer under contract to Nationwide. Susan also has a Nationwide 
Insurance Agent through whom she purchased auto and homeowners 
insurance. Susan trusts her Agent to help her protect her financial 
assets--specifically, her house and her car. One day, Susan visits her 
agent and says that she has accepted a new job with a private company 
and is moving to a new city. Based on this scenario, one can see that 
Susan has at least three financial needs:
        1. Change her auto insurance to a new state;
        2. Change her homeowners insurance to the new state and 
        residence;
        3. Consider options for the assets in her 457 plan.
    Today, the Agent can help Susan with the first two of her three 
financial needs. It would help Susan the most if the Agent could also 
look up the details of her 457 plan and provide this information to a 
licensed Nationwide broker to help Susan understand options for getting 
the most out of her 457 plan after she moves to a new job. But, for a 
variety of legal reasons, the outcomes of privacy implementation at 
Nationwide prevent this from occurring. The Agent does not have access 
to--nor does he even have knowledge of--Susan's 457 plan information 
and, thus, he cannot help her consider options after she changes jobs.
    I bring up this simple example to illustrate the challenges with 
implementing privacy. With every assessment, task to address a gap, or 
audit, there are three competing factors vying for the most beneficial 
outcome from their perspective. These include:
        1. The business need for quick access to abundant amounts of 
        personal information. Remember, information is money. The 
        business cannot succeed without personal information.
        2. The customer expectation. The customer wants the product or 
        service that they purchased or contracted for. The customer also has 
        high expectations for how they want companies to manage and use 
        their information. In short, they want it locked in a vault 
        stronger than Fort Knox. But at the same time, they want 
        Nationwide to be able to access it via phone, e-mail, Internet, 
        or Agent 24 hours a day, seven days a week. They also expect to 
        be provided additional products or services that can either 
        save them or make them money. These are in and of themselves 
        other competing interests for companies to manage.
        3. The privacy regulations. Like all regulations, they serve a 
        good purpose, in this case: protect individual investors or 
        insured. But, they also come with unintended consequences, just 
        like Susan's example from above.
    As you can see, the job of a Privacy Officer is to help balance 
these three competing interests, like a carpenter of a three-legged 
stool. Picture a three-legged stool. The benefit of having three legs 
instead of four is that each leg can be a slightly different length, 
yet the stool will still function as a stool, even if it is a little 
lopsided. Because, in the end, it rarely happens that each leg of the 
stool--each of the three competing interests--is exactly equal. 
Generally, they are different. Sometimes, the privacy regulation is a 
bit longer, meaning the most important interest in a given business 
project. Other times, the interest of the customer or the business is 
given a slightly greater importance. But, the stool still functions as 
a stool.
    This is no different for the DHS Office of Privacy. Ms. Cooney, her 
predecessor and those who will follow her, have also been asked to 
become a carpenter of a three-legged stool. But, in the DHS Privacy 
Office's case, the three competing interests are:
        1. Government's responsibility for security, including 
        responsibilities under the Homeland Security Act, the Aviation 
        and Border Security Acts, and others;
        2. Individual privacy expectations;
        3. The Privacy Office's responsibilities under Section 222 of 
        the HSA, the Privacy Act, the Freedom of Information Act, and 
        other competing and compatible privacy laws.
    Listing the challenges that arise when implementing privacy is 
easy; resolving them takes time and resources and the power to 
effectuate the necessary change. It is a constant balancing act often 
with different outcomes each time an issue arises. It is hard to argue 
that the DHS Privacy Office is not faced with tremendous challenges in 
this area, as they balance the nation's collective security interests 
against the individual's interest in privacy.

A Very Brief Analysis of the DHS Privacy Office
    Now, compare and contrast the process that I have just described to 
the DHS' Privacy Office: assess, address, audit, and repeat. All four 
steps must be tailored to government processes and then followed in the 
DHS for the Privacy Office to meet the requirements set forth by the 
Homeland Security Act, the Privacy Act, and several other laws 
regulating the government's use of personally identifiable data. 
Consider also the discussion about balancing important competing 
interests within an organization.
    As you know, the Homeland Security Act (HSA) of 2002 authorized the 
formation of the Department of Homeland Security and the addition of a 
secretary to the president's cabinet to oversee the new department. 
Among other things, the Homeland Security Act also provides that the 
Secretary ``shall appoint a senior official in the Department to assume 
primary responsibility for privacy policy, including:
        (1) assuring that the use of technologies sustain, and do not 
        erode, privacy protections relating to the use, collection, and 
        disclosure of personal information;
        (2) assuring that personal information contained in Privacy Act 
        systems of records is handled in full compliance with fair 
        information practices as set out in the Privacy Act of 1974;
        (3) evaluating legislative and regulatory proposals involving 
        collection, use, and disclosure of personal information by the 
        Federal Government;
        (4) conducting a privacy impact assessment of proposed rules of 
        the Department or that of the Department on the privacy of 
        personal information, including the type of personal 
        information collected and the number of people affected; and
        (5) preparing a report to Congress on an annual basis on 
        activities of the Department that affect privacy, including 
        complaints of privacy violations, implementation of the Privacy 
        Act of 1974, internal controls, and other matters.''
    To operationalize its legislative mandate, the DHS Privacy Office 
developed a Mission Statement that states the mission of the DHS 
privacy office is ``to minimize the impact on the individual's privacy, 
particularly the individual's personal information and dignity, while 
achieving the mission of the Department of Homeland Security.'' The 
mission goes on to state--and I am summarizing here--that the Privacy 
Office will achieve this goal through:
        1. education and outreach efforts to infuse a culture of 
        privacy across the department,
        2. communicating with individuals impacted by DHS programs to 
        learn more about the impact of DHS policies and programs, and,
        3. encouraging and demanding adherence to privacy laws.
    Anyone who reads this Mission can see that the DHS Privacy Office 
is faced with exactly the same opportunities and challenges that any 
privacy office, including mine, faces every day--but on a much, much 
larger scale, and with a completely different risk dynamic. At 
Nationwide, my office is responsible for educating employees and 
establishing a culture of privacy, resolving the natural conflicts that 
occur with business interests in regard to this concept of privacy, and 
requiring adherence to privacy laws. There would appear to be little 
difference between my mission and the mission of the DHS Privacy 
Office.
    Nevertheless, one wonders whether the DHS Privacy Office has the 
budget, staff and institutional authority to adequately carry out its 
mission. I will address some of these concerns in my recommendations 
and considerations below. In fact, the DHS Privacy Office has done a 
wonderful job working with the limited resources made available to it. 
They have done many of the assessments of existing DHS programs and 
appear to be integrated into the planning and review processes for 
future programs or programs under development. They have addressed most 
of the gaps discovered through their initial assessments. They also 
have a nascent employee privacy education component, although it lacks 
adequate funding. Where they could probably use the most assistance and 
resources is with operating their ongoing monitoring and audit 
function. This function is in its infancy and is inadequately staffed. 
Even if it were adequately staffed, it is doubtful that the Privacy 
Office has the legal authority to conduct the type of deep analysis 
necessary to ensure ongoing adherence to privacy laws. This incongruity 
is addressed further under my recommendations, below.
    In sum, the Privacy Office is well organized and understands what 
it needs to do to meet its objectives. Its staff is highly 
motivated and experienced. However, they may lack support from the top 
and they clearly lack the financial resources necessary to effectively 
do the job Congress directed them to perform through Section 222 of the 
HSA.

Recommendations and Items for Consideration
    While there are always risk assessments and balancing tests between 
privacy and other interests that must occur whether one is working in a 
public or private sector privacy capacity, there are still a few things 
that Congress should consider to make it more likely that our nation's 
privacy laws are not violated. Therefore, I respectfully submit the 
following for the Committee to consider as it defines its future 
agenda:
        1. Strengthen the Statutory Authority of the DHS Privacy 
        Office. The Privacy Office should have a clear and direct 
        reporting line to Congress. If Congress is uncomfortable with 
        Inspector General-like powers, then consider taking a half-
        measure and give the Privacy Office ombudsman-like power. 
        Burying the office inside DHS means that it will never have the 
        authority or respect it needs to carry out its mandate. The 
        Privacy Office will rarely be able to act independently, and it 
        will spend more time merely trying to survive politically than 
        it will carrying out its mission to protect our citizens' 
        privacy.
        2. The DHS Privacy Office should have a larger budget to carry 
        out its critical mission. The current $4.3 million budget does 
        not on its face appear sufficient in light of DHS' overall 
        budget to protect the privacy of all Americans. The difference 
        between this year and last year's budget is only an increase of 
        a few hundred dollars. I would doubt that any other area of DHS 
        saw this paltry of an increase in its budget.
        3. Congress should consider adding Chief Privacy Officers and 
        Privacy Offices to all federal agencies, or at least those that 
        generally collect and process personal information on citizens. 
        Congress may even want to consider creating a Federal Data 
        Commissioner, similar in authority and scope to those existing 
        in the nations of the European Union. The Data Commissioner 
        could either be the first among equals, or it could be the 
        overarching policymaking body for enforcing all federal data 
        processing. This body would have inspector general powers.
        4. Transparency in information processing is fundamental to the 
        role that the Privacy Office plays. The Freedom of Information 
        Act Office needs to stay connected to the Privacy Office, 
        because this is the Privacy Office's single real connection to 
        its customers, namely U.S. citizens. One of the hallmarks of 
        fair information practices is the ability of citizens or 
        customers to know what information an entity has on them and 
        have the ability to correct any erroneous information. This is 
        simple due process and improves the integrity and accuracy of 
        any organization's data. This role is naturally played by the 
        Privacy Office.
        5. DHS should quickly appoint an official replacement for Nuala 
        O'Connor Kelly, who left many months ago. The Acting Privacy 
        Officer, Maureen Cooney, is doing a very capable job and should 
        be seriously considered as the official replacement. However, 
        the optics of not having an official replacement devalues the 
        Privacy Office politically and organizationally. It indicates 
        the job being capably performed by the staff may not be seen as 
        worthy by senior department and administration officials as 
        other areas in DHS and this undercuts the Privacy Office's 
        authority.

Conclusion
    I hope that my testimony helped illustrate the large effort, cost, 
and authority necessary for a corporation to effectively implement a 
privacy office. In order for the DHS Office of Privacy to effectively 
carry out its statute-defined requirements, it will need resources and 
the authority to implement a privacy program that balances the 
requirements of law, the responsibility of the government to protect 
its citizens, and the individual right of privacy.
    Additionally, as I stated above, no privacy office can be 
successful without clear and strong support from the top. If support 
from the chief executive is absent, the privacy function will never be 
able to effectively carry out its mission. In fact, trying to perform a 
privacy function without senior management support may be worse than 
not doing anything with privacy, because it provides an illusion of 
privacy without the reality of having any.
    Thank you for inviting me to speak with you this morning. I would 
be happy to answer any questions that you may have. I would also be 
more than happy to speak with you again or to work with you and your 
staff on any privacy issue.

    Mr. Simmons. Thank you very much.
    And now the chair recognizes Professor Turley.
    We have your statement in the record this morning. If you 
can summarize in 5 minutes, that would be appreciated. And we 
look forward to hearing what you have to say.

   STATEMENT OF JONATHAN TURLEY, SHAPIRO PROFESSOR OF PUBLIC 
           INTEREST LAW, GEORGE WASHINGTON LAW SCHOOL

    Mr. Turley. Thank you, Mr. Chairman. I will do my very 
best.
    Mr. Simmons. If I could just say, I had a seminar at Yale 
that was 2 hours, but since I have come to Congress, my 
colleagues have not allowed me to take that amount of time.
    Mr. Turley. A most enlightened institution for that reason.
    Mr. Chairman, members of the subcommittee, thank you very much 
for allowing me to speak on this important issue today of 
privacy and Homeland Security. And, of course, they are not 
separate issues. When we talk about Homeland Security, it is 
privacy that we are protecting. It is one of our core values. 
It defines us as a people.
    Now, the DHS represents, for privacy advocates like myself, 
something of a concern just by its mere size and the myriad of 
functions that it has taken on. Due to its size and those 
functions, it has a much greater impact on privacy. It affects 
the lives of Americans more than any other agency, because it 
is the agency of first contact for most Americans when it comes 
to airports and immigration and customs and disaster relief. So 
to the extent that DHS does not respect the privacy interest, 
it has the greatest impact upon citizens.
    The other problem and concern for the DHS for many privacy 
advocates is that it is much like a governmental iceberg, that 
even though you see the DHS or at least its counterparts in 
your daily life, 90 percent of the agency remains below the 
surface, and so there is a lack of transparency. And privacy is 
often protected by the fact of transparency in government, the 
greater transparency, the greater protection of privacy because 
it tends to deter misconduct, and you don't have the abuses at 
all rather than having to chase them down through oversight 
committees.
    Now, of course, privacy is protected in the Constitution. 
It is protected by various statutes, and for much of our 
history, it was protected by practical limitations. Probably 
the greatest protection of privacy was that the government 
could not engage in surveillance of a large number of people at 
one time.
    In the last two decades, we have seen that technological 
barrier fall as we saw with DARPA and the TIA program. We now 
have the ability to follow Americans in real time. That is 
something the framers would never have anticipated, and it is 
why privacy is very much under threat.
    The greatest concern for privacy is uncertainty, that is, 
uncertainty is the scourge of privacy. Privacy is based upon an 
expectation that your privacy will be recognized. To the extent 
that you are uncertain, you have a chilling effect, and that 
affects how people live their lives. And DHS recently was found 
to have one of the lowest privacy scores in a 2006 study.
    I have gone through the myriad examples of threats to 
privacy that relate to DHS, but much of my testimony deals with 
the NSA operation. Now the problem with the NSA operation is 
really two-fold.
    One--and let me put this as simply as I can--it is based on 
a crime. Now, the overwhelming majority of experts in this 
field--Republicans and Democrats--are pretty uniform in this 
conclusion. It is inescapable.
    There is an exclusivity provision in federal law. You 
cannot do what the president ordered his subordinates to do. If 
I thought that this was a close question, I think I have a 
reputation of going right down the middle on questions that are 
debatable. This is a crime. It was ordered 30 times by the 
president, and he stated that he will continue to order it.
    It gives me no pleasure to say that. And I am not talking 
about his motivation. But often, people act for the best 
motivations with the worst possible means.
    My testimony lays out why this is a criminal act, and that 
presents a serious problem for DHS. I do believe this committee 
has jurisdiction over this question. This committee has a 
liaison function with intelligence agencies. It governs 
intelligence information gathering that relates to DHS entities. 
It has a role in intel; it looks at the role of intel in threat 
prioritization in its oversight function. It is the recipient 
of information.
    After post-9/11, there is a mandate that agencies share 
information. The expectation is that Homeland Security is 
either the direct or indirect recipient of NSA information. 
That creates, not just the danger of DHS officials 
participating in a criminal enterprise, but it creates the 
specter of the fruit of the poisonous tree where activities of 
DHS may be undermined because of their reliance on unlawfully 
gathered information.
    I know that my time is out, but I have listed towards the 
end of my testimony various proposals that can help protect 
privacy. But there is one that I just wish to emphasize. All of 
us, I believe, as Americans, have a faith in privacy. We know 
how important it is. I know the chairman has valued that. We 
have discussed that. But we cannot remain silent, because 
silence is a choice.
    The NSA operation represents a serious threat to privacy 
and a serious threat to our constitutional values. And I hope 
that this committee will assert its authority--I know the 
chairman has attempted to do so--but will be vigorous in 
asserting its authority to hold hearings on the NSA operation 
and not to be deterred by any past refusals.
    Thank you so much, sir.
    [The statement of Mr. Turley follows:]

            Prepared Statement of Professor Jonathan Turley

    Chairman Simmons, Representative Lofgren, members of the 
Subcommittee, thank you for allowing me to appear today to testify on 
the important issues of privacy and homeland security.
    I come to this subject with prior work as both an academic and a 
litigator in the areas of national security and constitutional law. As 
an academic, I have written extensively on electronic surveillance as 
well as constitutional and national security issues. I also teach 
constitutional law, constitutional criminal procedure and other 
subjects that relate to this area. As a litigator, I have handled a 
variety of national security cases, including espionage and terrorism 
cases. I am appearing today, however, in my academic capacity to 
address important issues related to domestic surveillance and homeland 
security.

I. GENERAL PRIVACY CONCERNS RAISED BY POST 9-11 SURVEILLANCE AND 
ENFORCEMENT.
    The Department of Homeland Security (DHS) is the agency with the 
greatest ability to erode privacy since it has the dominant role, with 
the Federal Bureau of Investigation (FBI), in domestic enforcement 
activities. Due to its size and diverse functions, the DHS has a much 
greater impact on privacy than any other agency. The DHS affects the 
lives of Americans to a far greater extent than most agencies because 
it has a far greater number of contacts with citizens in their everyday 
lives from airport security to disaster relief to immigration to 
customs. The DHS is not just a massive agency, it is a massive consumer 
of information from other agencies, state governments, private 
contractors, and private citizens. While the FBI is subject to criminal 
procedures and routine court tests, DHS is like a government iceberg 
with ninety percent of its work below the visible surface. This general 
lack of transparency makes it easier for abuses to occur by reducing 
the risk of public disclosure and review.
    At risk is something that defines and distinguishes this country. 
Privacy is one of the touchstones of the American culture and 
jurisprudence. Indeed, it is a right that is the foundation for other 
rights that range from freedom of speech to freedom of association to 
freedom of religion. The very sanctity of a family depends on the 
guarantee of privacy and related protections from government 
interference.
    Privacy is protected by the Constitution, including but not limited 
to the protections afforded by the Fourth Amendment. It is also 
protected in various statutes, such as the Privacy Act of 1974, the E-
Government Act of 2002, and the Federal Information Security Management 
Act of 2002 (FISMA). Further protections can be found in the 
substantive and procedural requirements of surveillance laws such as 
Title III and the Foreign Intelligence Surveillance Act (FISA).
    Finally, there have long been practical protections of privacy. 
Until recent technological advances, there were practical barriers for 
the government to be able to conduct widespread surveillance on 
citizens. However, it is now possible to track citizens in real time 
with the use of advanced computers as recently made clear by the 
disturbing Terrorism Information Awareness (TIA) project of Defense 
Advanced Research Projects Agency (DARPA). These new technological 
advances constitute an unprecedented threat to privacy. Agencies like 
DHS often naturally gravitate to the accumulation of greater and 
greater information. Technology now allows these agencies to satiate 
that desire to a degree that would have been unthinkable only a couple 
of decades ago.
    Despite these protections, privacy remains the most fragile and 
perishable of our fundamental rights. When pitted against claims of 
national security, privacy is often treated as an abstraction and 
government officials offer little more than rhetorical acknowledgement 
of privacy concerns in their programs and policies. The resulting 
uncertainty is the very scourge of privacy. Privacy depends on a 
certain expectation of citizens that they are not being watched or 
intercepted. When uncertain of the government's effect that inhibits 
the exercise of free speech and other rights.
    The uncertainty over privacy is clear in recent polls and studies. 
Notably, the DHS receives one of the lowest scores on the privacy 
question. The 2006 Privacy Trust Study of the Ponemon Institute gave 
the DHS only a 17 percent score, down by 10 percent from the previous 
year.
    This freefall is more than a public relations problem. Our 
constitutional test for privacy under the Fourth Amendment is based on 
``the reasonable expectation of privacy'' under the Katz doctrine. To 
the extent that a citizen has a reasonable expectation of privacy, the 
government is usually required to satisfy a higher burden, including 
the use of a warrant for searches. The Katz test has now created a 
certain perverse incentive for government. As agencies like DHS reduce 
that expectation of privacy in the public, it actually increases the 
ability of the government to act without protections like warrants. The 
result is a downward spiral as reduced expectations of privacy lead to 
increased government authority, which leads to further reduced 
expectations.
    Privacy concerns after 9-11 have grown with each year in the war on 
terror. There is a pervasive view that the Administration is wielding 
unchecked and, in some cases, unlawful authority in the war on terror. 
In areas that range from enemy combatant detentions to warrantless 
domestic surveillance programs to data mining of private records, the 
chilling effect for privacy and civil liberties has become positively 
glacial for many citizens, particularly citizens of the Muslim faith or 
Middle Eastern descent.
    Just in the last few months, Congress has faced a remarkably wide 
range of issues that directly threaten privacy rights and civil 
liberties. It is regrettably a long and lengthening list. Today, in the 
interests of time, I wanted to focus on a few of the most recent 
controversies to show how privacy rights and civil liberties are eroded 
by the aggregation of otherwise disparate and insular programs. While 
these examples may appear unrelated, they each impact privacy rights 
and civil liberties in significant ways. The point that I wish to 
convey is that privacy is being undermined in a myriad of ways and that 
any effort to protect this right will have to be equally comprehensive.
        a. The Failure to Comply with Privacy Standards, including the 
        Use of Reseller Information That Lacks Fair Information 
        Practices. As shown recently by the GAO, the DHS is using an 
        increasing amount of data from information resellers that lack 
        critical protections and fair information practices. The recent 
        misuse of 100 million personal records in alleged violation of 
        the Privacy Act typifies this concern.
        b. Over-classification and Reclassification Efforts. The 
        Administration has led a serious rollback in the efforts to 
        gain greater transparency in government by over-classifying and 
        reclassifying basic documents and information. Agencies like 
        DHS can prevent disclosure of misconduct or negligence by using 
        classification rules to avoid review.
        c. Registered Traveler Programs. The DHS continues to encourage 
        the creation of registered traveler programs that would 
        assemble a databank of pre-screened passengers. Whether run 
        privately or governmentally, these programs offer illusory 
        security but present serious threats to civil liberties.
        d. Failure to inform Congress of Surveillance Programs like the 
        NSA operation. One of the greatest protections of civil 
        liberties is the separation of powers doctrine and its inherent 
        system of checks and balances. The failure to inform the 
        members of Congress, particularly the full committee membership 
        of the intelligence committee, of ongoing intelligence 
        activities negates any meaningful oversight functions.
        e. New Threats Against Whistleblowers. Legislation to increase 
        penalties for federal whistleblowers is a startling reaction to 
        the disclosure of unlawful activity. This is exemplified by the 
        proposed increase in penalties for officials seeking to 
        disclose unlawful activity under the NSA domestic surveillance 
        program. Likewise, the continued refusal of Congress to pass a 
        federal shield law for journalists can only be seen as an 
        intentional deterrent for whistleblowers. When an official at 
        DHS is aware of an unlawful program, the media may be the only 
        effective way to stop the illegality.
        These are a few of the most recent examples of how privacy 
        rights and civil liberties protections are being pummeled 
        across a long spectrum of insular governmental policies and 
        programs. If Congress truly wants to protect privacy, it must 
        deter threats by increasing both the likelihood of disclosure 
        of unlawful conduct and the penalties for such conduct. This 
        requires greater transparency in agencies like the DHS, better 
        oversight in Congress, and fuller protection for those who seek 
        to disclose misconduct.

II. THE NSA DOMESTIC SURVEILLANCE PROGRAM
    The recent NSA operation brings together many of the most dangerous 
elements discussed above: lack of congressional oversight, the 
violation of federal law, the pursuit of whistleblowers, and finally 
the absence of any meaningful action from Congress. In terms of privacy 
rights, the NSA operation also presents the most serious attack on the 
guarantees that are essential for the exercise of the full panoply of 
rights in the United States.
    The disclosure of the National Security Agency's (NSA) domestic 
spying operation on December 16, 2005 has created a constitutional 
crisis of immense proportions for our country. Once a few threshold, 
and frankly meritless, arguments of legality are stripped away, we are 
left with a claim of presidential authority to violate or circumvent 
federal law whenever a president deems it to be in the nation's 
security interests. As I made clear in a January hearing, these claims 
lack any limiting principle in a system based on shared and limited 
government. It is antithetical to the very premise of our 
constitutional system and values.
    This is, of course, not the first time that President Bush or his 
advisers have claimed presidential authority to trump federal law. In 
its infamous August 1, 2002 ``Torture Memo,'' the Justice Department 
wrote that President Bush's declaration of a war on terrorism could 
``render moot federal law barring torture.'' The Justice Department 
argued that the enforcement of a statute against the President's wishes 
on torture ``would represent an unconstitutional infringement of the 
president's authority to conduct war.''
    The President also assumed unlimited powers in his enemy combatant 
policy, where he claimed the right to unilaterally strip a citizen of 
his constitutional rights (including his access to counsel and the 
courts) and hold him indefinitely.
    On December 30, 2005, President Bush again claimed authority to 
trump federal law in signing Title X of the FY 2006 Department of 
Defense Appropriations Act. That bill included language outlawing 
``cruel, inhumane or degrading treatment'' of detainees, such as 
``waterboarding'', the pouring of water over the face of a bound 
prisoner to induce a choking or drowning reflex. In a signing 
statement, President Bush reserved the right to violate the federal law 
when he considered it to be in the nation's interest.
    The NSA operation, however, is far more serious because the 
President is claiming not just the authority to engage in surveillance 
directly prohibited under federal law, but to do so domestically where 
constitutional protections are most stringent. The scope of this 
claimed authority is candidly explained in the Attorney General's 
recent whitepaper, ``Legal Authorities Supporting the Activities of the 
National Security Agency Described by the President.'' As I noted in 
the prior hearing, it is a document remarkable not only in its sweeping 
claims of authority but its conspicuous lack of legal authority to 
support those claims. It is also remarkably close to the arguments 
contained in the discredited Torture Memo.
    The vast majority of experts in this field have concluded that the 
NSA program is unlawful. Even stalwart Republican members and 
commentators have rejected its legality. It is an inescapable 
conclusion. Under Section 1809, FISA states that it is only unlawful to 
conduct ``electronic surveillance under color of law except as 
authorized by statute.'' The court in United States v. Andonian, 735 
F.Supp. 1469 (C.D. Cal. 1990), noted that Congress enacted FISA to 
``sew up the perceived loopholes through which the President had been 
able to avoid the warrant requirement.''
    FISA does allow for exceptions to be utilized in exigent or 
emergency situations. Under Section 1802, the Attorney General may 
authorize warrantless surveillance for a year with a certification that 
the interception is exclusively between foreign powers or entirely on 
foreign property and that ``there is no substantial likelihood that the 
surveillance will acquire the contents of any communications to which a 
United States person is a party.''
    No such certification is known to have occurred in this operation. 
Nor was there an authorization under Section 1805(f) for warrantless 
surveillance up to 72 hours under emergency conditions. Finally, there 
was no claim of conducting warrantless surveillance for 15 calendar 
days after a declaration of war, under Section 1811.
    The NSA operation was never approved by Congress. Moreover, the 
Administration's attempts to use the Authorization for Use of Military 
Force, Pub. L. 107-40, 115 Stat. 224 (2001), as such authorization is 
beyond incredible, it is unfathomable. With no exceptions under the Act, 
the NSA operation clearly conducted interceptions covered by the Act 
without securing legal authority in violation of Section 1809.
    The NSA operation is based on a federal crime ordered by the 
President not once but at least 30 times. Indeed, in his latest State 
of the Union Address, President Bush pledged to continue to order this 
unlawful surveillance. A violation of Section 1809 is ``punishable by a 
fine of not more than $10,000 or imprisonment for not more than five 
years, or both.'' Likewise, an institutional defendant can face even 
larger fines and, under Section 1810, citizens can sue officials 
civilly with daily damages for such operations.
    The DHS is likely a recipient--directly or indirectly--of the 
information gathered under this unlawful program. In my view, 
government officials participating in this program are participating in 
an ongoing criminal enterprise. The DHS officials have an independent 
obligation to determine if this program is lawful and to refuse to 
participate on any level with the program if it is viewed as unlawful. 
This includes the receipt or use of intelligence. Moreover, to the 
extent that federal courts determine that this operation is unlawful, 
the incorporation of the intelligence in DHS investigations or 
enforcement may ultimately result in undermining those activities. 
Under a classic ``fruit of the poisonous tree'' theory, the use of this 
tainted intelligence can taint any information gathered as a result of 
its use.
    Putting aside the questions of criminality, the NSA operation 
jeopardizes basic privacy guarantees. First, it shows an unchecked and 
unilateral exercise of presidential authority. Second, the conspicuous 
absence of congressional oversight has destroyed any faith in a 
legislative check on such authority. Finally, it created uncertainty 
for citizens as to their guarantees of privacy and civil liberties 
under this program or other undisclosed programs.

III. WHAT CAN BE DONE?
    Just as there are a myriad of threats to privacy, there are a 
myriad of possible measures to protect privacy interests. The most 
significant protections often come in the form of protecting those who 
would reveal violations while deterring those who would commit the 
violations. Such reforms include the following:
        a. Investigation of the NSA domestic surveillance program with 
        public hearings.
        b. Strengthening of whistleblower protections, particularly for 
        employees at defense, intelligence, and homeland security 
        agencies.
        c. Strengthening laws on data mining and data sharing by 
        agencies, including meaningful deterrents for agencies like DHS 
        that violate the Privacy Act and other statutory protections.
        d. Reverse the trend toward reclassification and over-
        classification of documents that decreases the transparency of 
        government by enacting new avenues to challenge overbroad 
        assertions of classified status.
        e. The Congress should prohibit not simply a government-run 
        registered traveler system but a private-run system. The DHS 
        support for a pilot program in Orlando should be ended by 
        barring the expenditure of any federal funds and prohibiting 
        the incorporation of such a program into TSA airport security 
        systems.
        f. Congress should require compliance with conferral rules on 
        all intelligence operations (other than covert activities) so 
        that all members of the intelligence committees are informed of 
        operations like NSA's domestic surveillance program.
        g. A new system of privacy officers should be established so 
        that every major office in agencies like DHS has a privacy 
        officer who will be responsible for training, enforcing, and 
        certifying compliance with federal privacy laws.
        h. Enhancing the authority and funding for the DHS Privacy 
        Officer. While Congress created this position in the Homeland 
        Security Act of 2002, there is a widespread view that the 
        privacy officer needs greater authority and access as well as 
        more resources to police the programs of this massive agency. 
        The slow response of the DHS to establish this office indicates 
        a lack of internal support of the model of an independent 
        internal watchdog office. For this reason, changes should 
        include a reporting requirement not only to the DHS but 
        directly to Congress.
        i. Congress should pass a federal shield law for journalists, 
        as has virtually every state. Increasing legal threats for 
        journalists, including contempt rulings, presents an obvious 
        deterrent to any whistleblower seeking to disclose unlawful 
        conduct.
        j. Congress should require an annual report, with regular 
        public hearings, on privacy matters to identify emerging 
        threats to privacy and possible legislative solutions.

IV. CONCLUSION
    These threats to privacy rights and civil liberties have created 
not just a constitutional crisis but a test for every citizen. Our 
legal legacy was secured at great cost but it can be lost by the simple 
failure to act. The President is right: these are dangerous times for 
our constitutional system. However, it is often the case that our 
greatest threats come from within. Indeed, Justice Brandeis warned the 
nation to remain alert to the encroachments of men of zeal in such 
times:
        Experience should teach us to be most on our guard to protect 
        liberty when the Government's purposes are beneficent. Men born 
        to freedom are naturally alert to repel invasions of their 
        liberty by evil-minded rulers. The greatest dangers to liberty 
        lurk in insidious encroachments by men of zeal, well-meaning 
        but without understanding.
    Citizens, let alone congressional members, cannot engage in the 
dangerous delusion that they can remain silent and thus remain 
uncommitted in this crisis. Remaining silent is a choice; it is a 
choice that will be weighed not just by politics but by history.
    Thank you for the opportunity to speak with you today and I would 
be happy to answer any questions that you might have at this time.

    Mr. Simmons. And thank you very much for that testimony. We 
very much appreciate that.
    General Hughes, welcome back, and we look forward to your 
testimony.

 LIEUTENANT GENERAL PATRICK HUGHES, USA (RET.), VICE PRESIDENT 
            OF HOMELAND SECURITY, L-3 COMMUNICATIONS

    General Hughes. Well, thank you. As you said, my testimony 
is contained in my written input. I appreciate the chance to 
appear before you today.
    I would like to express my views in a very simple form 
rapidly. I believe in protected rights of all persons in the 
United States expressed in law, including, certainly, the right 
to privacy.
    Within the law, I think we are compelled under the 
conditions we now live in to collect information, analyze it, 
and produce utility information to perform the mission of 
protecting our nation and our citizens and residents.
    In the process of acquiring and providing information for 
this utility, we must discover and preclude terrorism. We 
simply cannot afford to have terrorist acts of the kind that we 
know could occur here in the United States.
    I also am mindful that much of the work of the Department 
of Homeland Security is focused on other crimes, crimes that 
are not terrorist in nature but are associated perhaps and are 
crimes of national security implications.
    So much of what they do and what we expect from them as 
citizens has to do with criminal acts under the law as 
currently constituted.
    The use of this acquired information is important. It must 
be used legally to discover these acts or this plan and 
conspiracy ahead of time in an attempt to preclude it. And that 
is really a very difficult goal under the complicated 
conditions that we now heard about from testimony this morning 
and that you know so very well, because you have lived there.
    I don't think I am qualified to offer exact recommendations 
within constitutional law or within civil law and criminal law 
in this country, but I am a person who has practiced the effort 
to do this work here in the United States and overseas, and we 
must find some balance between protecting the rights of our 
citizens and our residents and countering the planned and 
indeed engaged acts of terrorists and criminals which do 
threaten our security, and in some cases, perhaps, our 
existence as we know it.
    Thank you very much.
    [The statement of General Hughes follows:]

                Prepared Statement of Patrick M. Hughes

                             April 6, 2006

    Representative Simmons, Representative Lofgren, Members of the Sub-
Committee on Intelligence, Information Sharing and Terrorism Risk 
Assessment:
    Thank you for the invitation to appear before you on the subject of 
``Protection of Privacy in the DHS Intelligence Enterprise.'' I am 
appearing today as a private United States citizen, although it is 
noteworthy that from November 2003 until March 2005, during the early 
formative and developmental stages of the Department of Homeland 
Security, I was the Assistant Secretary for Information Analysis in the 
Information Analysis and Infrastructure Protection Directorate of DHS. 
Since then I have continued my interest and work in matters dealing 
with homeland security, homeland defense and intelligence related to 
homeland security on both professional and personal levels. Prior to 
this period I served for more than 35 years in the US Army and from 
1999 until 2003 as a private consultant to both government and 
industry.
    Because of this background I was asked to come here to give my 
views on issues that relate to the protection of privacy and really the 
protection and assurance of legal and procedural rights of Americans in 
the context of intelligence gathering and production of information 
that can be acted upon by those who work to protect the lives and 
property of our citizens. This ``operationalization'' of intelligence--
especially where it concerns persons who are residents of the US, 
including those who have full rights of citizenship, is vital to 
understanding my views. We have all learned, through bitter experience 
that we must seek to interdict, to preclude, to stop--impending acts of 
terrorism, before they occur, because that is the right thing to do. It 
is an imperative of all who serve our nation. In this modern era of the 
potential for the application of weapons with mass effects, we simply 
cannot afford to allow the commission of terrorism because we cannot 
bear the price and we cannot afford the consequences.
    Indeed, the toll that crime with homeland security implications 
takes on our social order each day, and the results of catastrophic 
disasters--which we have recently suffered through on a scale not 
experienced before--also affect my view of what we should protect and 
what we should abrogate when human beings become involved in these 
events. As we look to the future--in my view--we can anticipate the 
worsening of these conditions.
    My views have been formed in the crucible of combating the Viet 
Cong Infrastructure in Vietnam; in seeking to discover acts of 
espionage and subterfuge during the Cold War; in ferreting out the 
meaning of North Korean activities; in engaging in the smaller but 
vexing conflicts of recent years, including the hunt for war criminals 
and insurgent groups in Bosnia, our attempts to decipher the tribal 
groups of Somalia, and our best efforts to break the erosive conditions 
found in places like Panama and Haiti. My views, like yours, have been 
formed in the crucible of 9-11 and in the conditions and events of the 
post-9-11 period in which many terrorist attacks and crimes with 
homeland security impact have occurred albeit primarily overseas. Here 
too--we must anticipate the future. New threats are on the horizon.
    My views are simple--yet found in the very complex context of 
today's problems and circumstances.
    My view is that we must engage in the collection of necessary 
information about persons of concern in order to discover conspiracy 
and intent that should be--that must be--interdicted in order to 
forestall an unacceptable condition, under the law.
    If we fail to interdict we must act in a similar fashion to 
understand that which we failed to stop and to know with certainty who 
or what was responsible for the event--so that we can learn and so that 
we can attribute both blame and appropriate action in light of that 
blame.
    My view is that we should not violate the rights of American 
citizens in engaging in such activities, but rather that we should seek 
a legal finding of necessity under the law as rapidly as possible--
before we abrogate any rights for the greater good.
    My view is that we must create a mechanism that provides for very 
rapid response (minutes to hours) to the legal tests of suspicion and 
probable cause to engage in both information collection and operational 
action--before the passage of time and the changing of circumstances 
results in the loss of our opportunity to act to prevent a catastrophe.
    My view is that we must provide for a degree of information 
collection, analysis, storage and production necessary to support 
analysis and operational decisions. Without this functional ability we 
cannot do the job. This capability--of necessity--must include 
intelligence, law enforcement, judicial organizations, the military and 
elements of governance and must be empowered through a form of secure 
interoperability that protects the security of the information and the 
rights of the persons involved.
    My view is that the government should have the right to compel any 
person--no matter who they are or what their legal status is--to 
provide dependable assured identification to appropriate authorities in 
appropriate conditions, like travel via mass transportation 
conveyances. Similarly we should have the right to compel the full 
disclosure of materials and items that are being transferred within, 
through and across our borders, on one's person, in luggage, and in 
cargo--no matter what the nature of those materials and items are.
    We should have a viable mechanism that requires--not requests--that 
information be provided when citizen concern about activities they note 
reaches a level of compelling reaction. In this age we cannot sit idly 
by and not report that which seems to us to be suspicious or illegal, 
especially in the context of homeland security and homeland defense. 
Conversely we should not tolerate reports of a frivolous nature, or 
those based solely on contentious relationships and interpersonal 
disagreements.
    Finally, we should protect large gatherings and public venues with 
appropriate sensory technologies and dependable observation. Surely the 
answer, in the aftermath of a future terrorist event, cannot be that we 
failed to secure a specific place or condition because of privacy 
concerns.
    In many cases this set of personal beliefs and views on my part--my 
``opinions'' if you will--are hardly new or revolutionary. They are--in 
my view--basic and evolutionary. They form the foundation for a set of 
laws and procedures that will protect the rights of our residents, our 
citizens and will help to protect and secure our Republic. I do not 
advocate excessive restriction nor do I advocate trampling on the 
rights of our people. Rather I counsel that we should find a set of 
laws and procedures that meet our needs--in the context of demonstrated 
threats and future conditions we can anticipate--and put those laws and 
procedures into force.
    I know this is difficult to do. I also recognize the highly 
politicized environment in which we are interacting today. As a fellow 
citizen I simply hope for some balance between doing that which is 
right and necessary to protect our people and property on our own soil, 
and not doing that which violates the expectation of privacy and 
personal freedom that each person is entitled to under the law.
    My goal is to secure a peaceful and safe progressive existence for 
our nation.

    Mr. Simmons. I thank all three witnesses for their 
excellent testimony.
    And I think, General Hughes, you stated very explicitly the 
conundrum that we face as Americans on the one hand, providing 
for common defense is an essential responsibility of the 
federal government. The Preamble to the Constitution also says 
that we must establish justice. The First and Fourth Amendment 
rights are clear to all of us. And so in a situation where we 
are involved with threats, yes, we want to collect actionable 
intelligence, but at the same time, we don't want to violate 
the rights of innocent citizens. And so this is the challenge 
of the balancing act.
    Now, General Hughes, you served as the heart of I&A, 
Intelligence and Analysis in the Department of Homeland 
Security. Is that correct? That is my recollection. Different 
name.
    General Hughes. The same office but a different name.
    Mr. Simmons. Yes.
    General Hughes. The office has been enhanced by greater 
independence.
    Mr. Simmons. It would seem to me that in your capacity as 
head of that, the Intelligence and Analysis Office, you would 
receive intelligence products from other agencies--the CIA, the 
National Security Agency, Defense Intelligence Agency, NRO, et 
cetera, et cetera. You would receive those products. 
Presumably, you would receive them in a timely fashion.
    If you looked at a particular intelligence product, would 
you know how the information was collected that went into that 
product?
    General Hughes. Usually, I would know how the information 
was collected. In many cases, that collection mechanism would 
be classified in order to protect its viability. But generally 
speaking--in fact, sitting here trying to think about an 
exception to that, I can't think of one. So generally, I would 
know even in the most sensitive cases how it was collected.
    Mr. Simmons. And would you make a reasonable assumption 
that it was collected in accordance with the law?
    General Hughes. Yes, I would. I do think the use of the 
term law is important to me, and I would certainly defer to a 
more expert person, but the term law must be accompanied, I 
think, by the term interpretation and procedure. Many of the 
activities carried out by the government and by law enforcement 
organizations and intelligence organizations are found in the 
larger construct of the law that are devolved, some would say 
evolved, into procedure, policy and activity that can be 
interpreted differently by different persons. That has been a 
problem as long as our republic has been in existence, I think.
    I think we all seek to do the right thing and we seek to do 
it legally. There are occasions, I think, when different 
interpretations are very valuable, because they point out the 
tensions between what one group or one administration or one 
organization might view as being correct to do and what another 
person or group might do as being incorrect. But the law itself 
is generally a larger body of knowledge that is interpreted by 
others, and policy and procedures put into effect on that 
basis. That makes it--I will use this term--problematic.
    Mr. Simmons. As a military officer and as a federal 
official sworn by your oath of office to uphold the 
constitutional laws of the United States of America, if, in 
your capacity as head of I&A or its predecessor, it came to 
your attention that there might be a privacy issue, a violation 
of privacy involving some of the information in your 
possession, would you report that, or would you just keep it to 
yourself?
    General Hughes. Well, in fact, that very event happened, 
especially as we formed the Department of Homeland Security. 
There were questions of the right to privacy by citizens and 
the right to protection under the privacy laws of the 
information that we held in our files. And you had to take each 
case on its own merits and determine within the procedure and 
policy at the time in the context of law how you would handle 
that information.
    In some cases, the information was easy to expunge. It was 
very rapidly obvious in the eyes of persons with good judgment, 
our legal authorities and our privacy office that it should be 
expunged, and it was.
    In other cases where there is a belief that a conspiracy 
exists and a person is a participant in it to conduct an act of 
terrorism or another crime of homeland security implications, 
the deliberate decision had to be made to retain that 
information and use it, and I think that, personally, in my own 
view, it is true but difficult to deal with that some of the 
information from some of the people concern citizens and 
residents of the United States.
    I mean, I think every day you read about these events in 
the newspaper, and they seem to me to be covered adequately by 
law. It is against the law to plan to commit a crime at some 
point, and certainly to commit a crime. And it is especially 
against the law in the context of protecting the citizens' 
rights in this era we now live in of the potential for mass 
effects from such activities. I am not saying that the law 
needs to be changed, I am saying that we need to understand 
this in the context in which we are dealing with it.
    Mr. Simmons. I hear your testimony to be that, for you, 
this was a serious issue and something that you and your office 
took seriously.
    General Hughes. And I had the direct legal counsel 
available in my office at all times and a direct connection to 
the Privacy Office, and I can assure you, and I would certainly 
be happy to do so under oath, that we not only took it 
seriously, we practiced it seriously.
    Mr. Simmons. I thank you. My time is expired.
    The distinguished ranking member of the full committee, Mr. 
Thompson, from Mississippi.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    I am not sure if I am--I am a little troubled by what you 
said, Mr. Hughes. Was this information gained that you 
considered gained legally or illegally?
    General Hughes. I certainly might hope that in every case, 
it was gained legally, but once again, the interpretation of 
the law and the interpretation of policy and procedure to some 
degree has to rest in the eyes of the beholder until a 
determination is made by legally constituted authority. In 
searching my memory here this morning, I can't recall a single 
case where I ever believed it was gained illegally. However, I 
think once again one has to understand the modern environment 
in order to deal with this question.
    Mr. Thompson. We understand the environment.
    General Hughes. Okay.
    Mr. Thompson. Believe me. The question, though, is, 
notwithstanding the environment, there are some privacy 
considerations that have to be maintained.
    General Hughes. And I believe they were.
    Mr. Thompson. Well, I guess I will--Mr. Turley, under the 
present scenario of wiretapping private citizens and not going 
through any procedure, is it your belief that that process at 
this point is in fact illegal?
    Mr. Turley. I absolutely believe that. And I don't have a 
scintilla of doubt. And if you look back at past testimony I 
have given to both the House and Senate--I have been called by 
Democrats and Republicans, and I have always expressed when I 
considered something to be a close call.
    This is not a close call. This here is an exclusivity 
provision under federal law. You have to do domestic 
surveillance no matter how you may frame it. This has always 
been viewed as domestic surveillance what was being done by the 
NSA. And you have to do it under either FISA or Title 3. You 
have to do it under that type of statutory authority. This was 
created to go around that. It was a direct violation of the 
exclusivity provision. And until the NSA operation, I don't 
remember hearing anyone having any doubt about any of those 
questions.
    And that means that we have a very serious issue, because 
the president stood in front of Congress during the State of 
Union and said that not only had he ordered this 30 times, but 
he would continue to do so until, basically, someone stopped 
him.
    And what was most astonishing is that members stood up and 
gave him a standing ovation. It was one of the most bizarre 
things I have ever seen as an academic. Members of Congress who 
pass these laws had a president who told them that he was not 
going to comply with those laws, and they give him a standing 
ovation.
    Now, the framers--I have to tell you, we all sort of speak 
for the framers as if we are in some type of carni show.
    [Laughter.]
    But I think it is safe to say that the framers did not 
think it was going to happen this way, that they believed that 
Congress would have an institutional interest that it would 
protect, that regardless of their affiliation to the president, 
that they would fight to protect the legislative authority of 
this body. This is the most central and direct threat to the 
legislative branch's inherent authority that I have certainly 
seen in my lifetime.
    Mr. Thompson. Mr. Herath, you mentioned some things that we 
could do to strengthen the Privacy Office. I talked about some 
things like subpoena power, initiate investigations, and I 
would think that in order to do your job, you need the tools 
necessary. Where do you come down on that issue?
    Mr. Herath. Well, Mr. Thompson, I agree that the subpoena 
power and investigatory power in a formal sense is necessary. 
That probably was part and parcel of my recommendation of the 
statutory authority.
    I think, however, and I am speaking on behalf of the 
Privacy Office. I am not speaking on behalf of the Privacy 
Office. I am speaking on behalf of me. But I think that would 
probably be the last thing you would want to do as a privacy 
official. The first step, as Ms. Cooney described, you try to do 
it, you know, informally through relationships.
    If you have created a culture that is receptive to your 
privacy requests, I would say the vast majority, if not 99 
percent, of your requests are going to be complied with. 
However, I think that there does need to be, for those special 
occasions where you simply in many cases know that whoever it 
is you are asking is not forthcoming, I think you do need to 
have sort of that final hammer with the subpoena.
    Mr. Thompson. Or if that person that is withholding the 
information knows that you have subpoena authority.
    Mr. Herath. Correct.
    Mr. Thompson. And, you know, it is just a matter of time 
that they will pull that trigger.
    Mr. Herath. Well, yes, I often say, you know, you have got 
to have skin in the game. If there is no formal ramification 
for withholding evidence, then there is a greater chance that 
will be withheld.
    Mr. Thompson. Thank you.
    I yield back, Mr. Chairman.
    Mr. Simmons. I thank the gentleman. Would the gentleman 
like to go a second round?
    Mr. Turley. One more.
    Mr. Simmons. Okay.
    Mr. Turley, thank you for your testimony. I was looking on 
page five, where you made the statement, ``The NSA operation 
was never approved by Congress.'' And again, while the 
jurisdiction for this program resides with the House and Senate 
Intelligence Committees, in my opinion, I have always been 
troubled by the discussion of this program.
    The ranking member of the House Intelligence Committee has 
said publicly that the NSA program was essential to targeting 
al-Qa'ida, and she made the statement as the ranking Democrat 
on the House Intelligence Committee, ``I have been briefed 
since 2003 on a highly classified NSA foreign collection 
program that targeted al-Qa'ida. I believe the program is 
essential to U.S. national security and that its disclosure has 
damaged critical intelligence capabilities.''
    As somebody who served many years ago on the Senate 
Intelligence Committee, I was always puzzled by why senior 
members of these oversight committees did not, on the one hand, 
place the program into the law or alternatively legislate the 
program out of the law, or I should say legislate it to cease. 
I don't believe either one of those actions took place.
    And I have also been concerned that through the routine 
authorization and appropriation process of the Congress over 
the years essentially dollars were authorized and appropriated 
for the National Security Agency to continue to perform that 
program. Now that takes me back to the mid-1980s when there was 
a covert action directed against Nicaragua. It involved the 
Contras and the Sandinistas, and, in fact, the Boland Amendment 
did explicitly terminate that program in 1984.
    Do you have any thoughts, or do any of the members have any 
thoughts as to what might have been done back in 2003 that 
would have perhaps better dealt with this issue.
    Mr. Turley. I suppose my first answer is I believe that the 
ranking Democratic member on the committee also mentioned that 
she didn't feel that she was able, because of the restrictions, 
to seek out advice of experts as to whether this was lawful 
under FISA, and that it was not until this matter became public 
that she concluded that, indeed, there were legal issues. She 
was looking at it purely from an operational standpoint.
    The second response is that I am still not sure why this 
operation was not disclosed to the full membership of those 
committees. My understanding is that it is only covert 
operations that are restricted to the smaller group. This would 
not constitute, as far as I know, that type of a covert 
operation. The surveillance program has generally been viewed 
as something that goes to the membership.
    The third answer is that an appropriation of money has 
never been considered by the courts as any form of 
authorization. Under 1809, the authorization would have to be a 
specific authorization to give essentially a third track if you 
are not going to put it under FISA or Title 3.
    And then, finally, my last response is, I am not too sure 
that you could put what was the NSA operation in the federal 
law without it being struck down. I mean, I think there is 
serious constitutional questions.
    But I also believe, as someone who has practiced--I have 
been in the FISA court as a young intern at NSA, and I have 
been counsel in FISA cases, and I still don't understand why 
there was a need to go outside of FISA. FISA is the most user-
friendly law ever created for a president. And so I still am 
not convinced about the need to circumvent the law.
    Mr. Simmons. I appreciate that response.
    I vaguely recall that Senate Resolution 400 required that 
the committee be kept fully and currently informed. That 
certainly applied to the Senate, maybe not to the House.
    My recollection is that there were various compartments 
that involved covert action and other activities, but that in 
my experience, when a controversial program was briefed to the 
committees and to the leadership, if it existed for more than a 
year, it was handled within the oversight process. So perhaps 
this is an issue for oversight of those committees.
    And I recognize the gentleman from Mississippi.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    I would like to respectfully disagree on some of the 
jurisdictional issues that have come before us today. I think 
all of us, including yourself, want to give the tools necessary 
for law enforcement to do the job, but in collecting data, we 
want to make sure that those privacy and civil liberties issues 
are protected.
    And if, in fact, the information gained is then 
transmitted, that is gained illegally and transmitted to any 
organization, and they began the process. That pause in 
intelligence creates a real problem, whether it is DHS. If I am 
a citizen, and I am all of a sudden on some kind of list that 
was, for whatever reason, put on that list through intelligence 
illegally gained, you know, I have a problem.
    And I think all of us want to create a process that protects 
the rights of citizens, protect the individual liberties, but 
also keep America strong. I agree with Mr. Hughes, these are 
difficult times, but we have to make more than just an average 
effort to protect the rights of citizens. It has to be an 
enhanced effort, a work in progress.
    There is legislation on the books that talks about sharing 
intelligence, talks about a number of things that I think gives 
us significant jurisdiction authority to look at these things. 
Facts about it, we passed the law requiring the sharing of 
information between agencies because it was not taking place. I 
want us to be cognizant of that.
    The other issue is, and I will sort of make closing 
comments at this point if you like rather than giving 
questions. You know to the extent that we can strengthen 
whistleblower protections for citizens who have concerns and 
employees. We need to put that into place. We need to dispense 
laws on data mining and data sharing by agencies. You just 
can't go get the information and throw it out there for review 
without the protection of citizens.
    I have talked about the subpoena power that we all kind of 
agree that you really can't do your job effectively unless you 
have that.
    I must also say, Mr. Chairman, I am concerned that because 
we don't have it, the Privacy Office is using the leadership or 
the secretary or some friendly persuasion rather than having 
the inherent authority in that office to get it done. Whether 
they have to exercise it or not, we need to have it in place. 
This is a critical issue for all of us.
    One of the strengths of our country and many of the things 
our founding fathers put together was the interest in seeking 
certain freedoms, and I would not want us, under the color of 
intelligence or any other statute, to limit many of those freedoms 
for the citizens who operate within the law.
    The law should protect them, and I look forward to 
continuing the discussion along this line, Mr. Chairman, and 
coming up with, not only a robust system that protects us all, 
but also, on the other hand, a system that protects the 
individual rights and liberties of American citizens.
    And I yield back.
    Mr. Simmons. I thank the gentleman for his comments, and 
thank him very much for his participation in this hearing this 
morning.
    I think these issues are incredibly important, and I think 
they are also incredibly difficult. I am haunted by what I read 
in the 9/11 Commission report. I am reminded constantly that 12 
of my constituents died on that day. And I recall regularly 
that my daughter was living in New York City a few blocks from 
the World Trade Center in an area that she could not return to 
because of the damage and destruction, and that two of her 
roommates and best friends from childhood were killed on that 
day. And I struggle with the balance between liberty and security.
    Could we have listened to the phone conversation of 
Mohammad Atta? Could we have prevented that if we had done 
things differently? And as we work to bring about the changes 
to how we provide our Homeland Security for the safety of our 
citizens, are we protecting the liberties that make this 
country what it is and what we want it to be, not just for 
ourselves but for our children and future generations?
    This is a solemn responsibility and a difficult challenge 
where, I believe, all of us have to work together to come up 
with a solution. And we won't solve it today or tomorrow. We 
will solve it through a process of discussion and debate and 
hearing just as we have today.
    I thank the panel for coming, and I thank the ranking 
member.
    The hearing is adjourned.
    [Whereupon, at 10:49 a.m., the subcommittee was adjourned.]


                      PROTECTION OF PRIVACY IN THE
                      DHS INTELLIGENCE ENTERPRISE
                                PART II

                              ----------                              


                        Wednesday, May 10, 2006

             U.S. House of Representatives,
          Subcommittee on Intelligence, Information
             Sharing, and Terrorism Risk Assessment,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 4:03 p.m., in 
Room 311, Cannon House Office Building, Hon. Rob Simmons 
[chairman of the subcommittee] presiding.
    Present: Representatives Simmons and Lofgren.
    Mr. Simmons. [Presiding.] The Homeland Security Committee, 
and Subcommittee on Intelligence, Information Sharing, and 
Terrorism Risk Assessment will come to order.
    We are meeting today at the request of the minority members 
of the subcommittee under House Rule 11 to receive testimony 
from a witness of the minority's choosing for one additional 
day on the subject of protection of privacy in the Department 
of Homeland Security intelligence enterprise.
    The majority extended invitations to every witness that the 
minority requested, and I personally called the primary 
witness, Dean Parker, to secure her testimony today.
    Unfortunately, none of the minority witnesses were able to 
attend. But, as I have expressed to my friend and colleague 
from California, I will continue in this effort.
    Ms. Lofgren. Mr. Chairman, I appreciate that offer of 
collaboration.
    And as we discussed briefly early today, Dean Parker has 
not been able to attend. And I think, since she doesn't have 
current knowledge, we will continue to pursue the other three 
witnesses which you have written to. And I look forward to 
working with you in securing their attendance and learning what 
we can.
    So, at this point, I would concur that this hearing ought 
to be called to a halt--or gavelled to a halt. And we will see 
either those three witnesses or their representatives who can 
speak knowledgeably for them at a future date.
    And I thank you for your courtesy.
    Mr. Simmons. I thank the ranking member for her comments. I 
concur in her assessment of the situation.
    Having no witnesses, the subcommittee stands adjourned.
    [Whereupon, at 4:04 p.m., the subcommittee was adjourned.]