[Senate Hearing 110-1025]
[From the U.S. Government Publishing Office]
S. Hrg. 110-1025
PROTECTING PERSONAL INFORMATION: IS THE FEDERAL GOVERNMENT DOING
ENOUGH?
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
JUNE 18, 2008
__________
Available via http://www.gpoaccess.gov/congress/index.html
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
----------
U.S. GOVERNMENT PRINTING OFFICE
44-117 PDF WASHINGTON : 2010
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan
DANIEL K. AKAKA, Hawaii
THOMAS R. CARPER, Delaware
MARK L. PRYOR, Arkansas
MARY L. LANDRIEU, Louisiana
BARACK OBAMA, Illinois
CLAIRE McCASKILL, Missouri
JON TESTER, Montana
SUSAN M. COLLINS, Maine
TED STEVENS, Alaska
GEORGE V. VOINOVICH, Ohio
NORM COLEMAN, Minnesota
TOM COBURN, Oklahoma
PETE V. DOMENICI, New Mexico
JOHN WARNER, Virginia
JOHN E. SUNUNU, New Hampshire
Michael L. Alexander, Staff Director
Holly A. Idelson, Counsel
Adam R. Sedgewick, Professional Staff Member
Brandon L. Milhorn, Minority Staff Director and Chief Counsel
John K. Grant, Minority Counsel
Trina Driessnack Tyrer, Chief Clerk
Patricia R. Hogan, Publications Clerk and GPO Detailee
Laura W. Kilbride, Hearing Clerk
C O N T E N T S
------
Opening statements:
Senator Lieberman
Senator Collins
Senator Akaka
Senator Carper
WITNESSES
Wednesday, June 18, 2008
Linda D. Koontz, Director, Information Management Issues, U.S.
Government Accountability Office
Hugo Teufel III, Chief Privacy Officer, U.S. Department of
Homeland Security
Ari Schwartz, Vice President and Chief Operating Officer, Center
for Democracy and Technology
Peter P. Swire, C. William O'Neill Professor of Law, Moritz
College of Law, The Ohio State University; Senior Fellow, Center
for American Progress
Alphabetical List of Witnesses
Koontz, Linda D.:
Testimony
Prepared statement
Schwartz, Ari:
Testimony
Prepared statement
Swire, Peter P.:
Testimony
Prepared statement
Teufel, Hugo, III:
Testimony
Prepared statement
APPENDIX
Susan E. Dudley, Administrator, Office of Information and
Regulatory Affairs, and Karen Evans, Administrator, Office of
E-Government and Information Technology, Office of Management
and Budget, prepared statement
GAO Report to Congressional Requesters, ``Privacy: Alternatives
Exist for Enhancing Protection of Personally Identifiable
Information,'' GAO-08-526, May 2008
PROTECTING PERSONAL INFORMATION:
IS THE FEDERAL GOVERNMENT
DOING ENOUGH?
----------
WEDNESDAY, JUNE 18, 2008
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10:04 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Joseph I.
Lieberman, Chairman of the Committee, presiding.
Present: Senators Lieberman, Akaka, Carper, and Collins.
OPENING STATEMENT OF CHAIRMAN LIEBERMAN
Chairman Lieberman. Good morning and welcome to our hearing
today on Federal efforts to protect personal privacy. I want to
welcome our distinguished panel and also particularly commend
the Government Accountability Office (GAO), Ms. Koontz, for
your excellent work on the report that is being released today
on the Federal Government's privacy efforts.\1\ I also want to
particularly thank our colleague and dear friend, Senator
Akaka, who has taken a particular interest in government
privacy issues and has encouraged Senator Collins and me to
convene today's hearing.
---------------------------------------------------------------------------
\1\ The GAO Report on Privacy appears in the Appendix on page 98.
---------------------------------------------------------------------------
We live in an age that really is defined by information.
The explosion of new technologies to gather, share, and store
huge quantities of information has made possible significant
advances in every aspect of our lives, including more efficient
and effective governmental programs. But these same
technologies have also dramatically altered the privacy
landscape. It is easier than ever for government and private
entities to acquire large amounts of personal information about
people--information that can cause harm to those people if
improperly disclosed or used.
Loss of privacy, for instance, can lead to crimes such as
identity theft or stalking. The dissemination or misuse of
certain private data can also result in the loss of employment,
discrimination, harassment, or surveillance. So it is
essential, obviously, for government to collect and use
personal information--for example, to provide security, conduct
law enforcement, or administer and extend governmental
benefits. But we also have to do everything we possibly can to
ensure that in collecting and using personal information, we
tread very carefully because when dealing with the personal
information of individual Americans, we have got to properly
balance our policy goals against potential incursions on their
privacy.
Congress constructed a foundation for respecting individual
privacy within the Federal Government in the landmark Privacy
Act of 1974 which seeks to prohibit unauthorized disclosure of
personal information, ensure the accuracy and relevance of
information collected by the government, and provide
individuals with access to their information and a means of
redressing errors. Six years ago, the law was strengthened by
the Electronic Government Act of 2002, the so-called
E-Government Act, which went through this Committee on its way to
becoming law. That Act now requires that agencies analyze in
advance the potential privacy impacts of new information
systems and data collections, and minimize those potential
risks. One of the questions I want to ask today is whether
governmental agencies are fulfilling their obligations under
the E-Government Act.
Obviously, notwithstanding these two pieces of legislation,
we know that there is much more to do, and the GAO report makes
that clear.
New technologies and data practices have overtaken some of
the core definitions of the Privacy Act of 1974. That is, in
the world of information collection and dissemination,
millennia ago. For instance, in 1974, Congress simply could not
foresee the government's use of what are now called ``private
data brokers''--a totally unimagined line of enterprise in
1974--with access to extensive personal information about
individuals. So we now need to ensure that this practice does
not become an end run around the protections of the Privacy
Act. I know that is not the intention. These private data
brokers are of significant assistance both to the government
and, of course, the private sector. But, still, we have to be
concerned about privacy.
New policy demands, including some of the homeland security
efforts that have originated in this Committee, call for
sharing information among a wider array of agencies. Security
concerns combined with new technologies, such as biometrics,
are driving the collection of new types of personal
information. The American people may have justifiable concerns
about sharing their personal information when the government is
collecting and storing their fingerprints, retinal scans, even
their DNA, and we have to reassure them. We need to look
closely to see how these new programs and practices intersect
with existing privacy law and what adjustments may be
necessary.
When we created the Department of Homeland Security,
however, we did mandate the establishment of a Chief Privacy
Officer within the Department to address what we knew would be
challenging questions as to how to integrate privacy
considerations--including implementation of government privacy
law--into the critical mission, the new mission post-September
11, 2001, of homeland security. I am pleased that the second
person to hold that position, Mr. Teufel, is one of our
witnesses today. Incidentally, Senator Collins and I working
closely together with other Members of the Committee, also
created an expanded network of privacy officials as part of the
two laws that originated in this Committee that enacted
recommendations of the 9/11 Commission.
But the question remains whether we have adequate
leadership and resources devoted to privacy at the
government-wide level. In 2003, in response to another request from this
Committee, GAO concluded that the Office of Management and
Budget (OMB) needed to assert more leadership on privacy
questions to ensure that the agencies of our government were
actually carrying out their responsibilities under the Privacy
Act and other government privacy law. In fact, today there is
no one in OMB, no office in the Federal Government, no
high-level official, not even, as far as I can determine, a
political appointee or member of the Senior Executive Service
(SES), whose job it is to focus full time on government-wide
privacy policy. This contrasts, interestingly enough, with many
other countries, including those of our friends and allies in
Europe, which have elevated privacy policy to the highest
levels of their governments. This absence of leadership for
privacy in the U.S. Government I know is a message we will hear
loud and clear today.
So I look forward to the testimony, and then to working
together to ensure our privacy laws continue to provide
appropriate and meaningful protections for our citizens. It
sure does look to me, based on the GAO report, that it is time
for us to do an updating and overall revision of the Privacy
Act of 1974.
[The prepared statement of Senator Lieberman follows:]
PREPARED STATEMENT OF SENATOR LIEBERMAN
Good morning and welcome to our hearing today on federal efforts to
protect personal privacy. I want to welcome our distinguished panel and
also commend the Government Accountability Office for its excellent
work on this issue, as reflected in their report being released today
on the federal government's privacy efforts. I also want to thank my
colleague, Senator Akaka, who has taken a particular interest in
government privacy issues and encouraged Senator Collins and me to
convene today's hearing.
We live in an ``information age,'' and the explosion of new
technologies to gather, share, and store huge quantities of information
has made possible huge advances in every aspect of our lives, including
more efficient and effective government programs. But these same
technologies have also dramatically altered the privacy landscape. It
is easier than ever for government and private entities to acquire
large amounts of personal information about people--information that
can cause harm to those people if it is improperly used or disclosed.
For the individual, loss of privacy can lead to crimes such as
identity theft or stalking. The dissemination or misuse of certain
private data can also result in other harms such as loss of employment,
discrimination, or unwarranted harassment or surveillance. Certainly,
it is essential for government to collect and use personal
information--for example to provide security, conduct law enforcement,
or administer benefits. But we must strive to ensure that we tread
carefully when dealing with the personal information of individuals and
that we properly balance our many policy goals against potential
incursions on privacy.
Congress constructed a foundation for respecting individual
privacy within the federal government in the landmark Privacy Act of
1974 which seeks to prohibit unauthorized disclosure of personal
information, ensure the accuracy and relevance of information collected
by the government, and provide individuals with access to their
information and a means of redress for errors. Six years ago, that law
was buttressed by the Electronic Government Act of 2002, which I
introduced and had the privilege of guiding through this Committee on
its way to becoming law. The E-Government Act requires that agencies
analyze in advance the potential privacy impacts of new information
systems and data collections, and minimize those potential risks. But
we know there is more to do.
New technologies and data practices have overtaken some of the core
definitions of the Privacy Act. For instance, the Act simply could not
foresee the government's use of private data brokers with access to
extensive personal information about individuals, and we need to ensure
this practice does not become a serious end-run around the protections
of the Privacy Act.
New policy demands--including some of the homeland security efforts
that are of vital concern to this Committee--call for sharing
information among a wider array of agencies. Security concerns combined
with new technologies, such as biometrics, are also driving the
collection of new types of personal information. Americans may have
justifiable concerns about sharing their personal information when the
government is collecting and storing their fingerprints, retinal scans,
even their DNA. We need to look closely to see how these new programs
and practices intersect with existing privacy law, and what adjustments
may be necessary.
This Committee has recognized the need for dedicating officials and
resources to address privacy concerns within government, particularly
as we tackle challenging new missions such as homeland security. When
we created the Department of Homeland Security, we mandated the
establishment of a Chief Privacy Officer within the department to
address what we knew would be challenging questions as to how to
integrate privacy considerations--including implementation of
government privacy law--into the critical mission of homeland security.
I am pleased that the second individual to hold that position, Mr.
Teufel, is one of our witnesses today. We also created an expanded
network of privacy officials as part of the two laws enacting
recommendations of the 9/11 Commission.
But the question remains whether we have adequate leadership and
resources devoted to privacy at the government-wide level. In 2003, in
response to a request from this committee, GAO concluded that OMB
needed to assert more leadership on privacy to ensure that agencies
fulfilled the mandates of the Privacy Act and other government privacy
law. In fact, there is no one in OMB, no office in the federal
government, no high-level official, not even a political appointee or
member of the Senior Executive Service, whose job it is to focus
full-time on government-wide privacy policy. This stands in stark contrast
to many other countries, including those in the European Union, which
have elevated privacy policy to the highest levels of government. This
absence of leadership is a message we will hear loud and clear today.
I look forward to the testimony and to working together to ensure
that our privacy laws continue to provide appropriate and meaningful
protections for our citizens. Senator Collins.
Senator Lieberman. Senator Collins.
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. Thank you. Thank you, Mr. Chairman, for
holding this important hearing.
We live in a world of unprecedented access to information.
Data are being collected and stored in quantities of almost
unimaginable size by a wide range of public and private
entities. People freely share personal information about
themselves on blogs or social networking Web sites. At the same
time, most Americans believe that protecting some degree of
personal privacy is a fight worth waging in the Digital Age.
In 1974, Congress passed the Privacy Act to establish rules
for government's use of computerized recordkeeping systems. To
provide some context, in that same year, President Nixon
resigned the presidency in the wake of the Watergate scandal.
Gasoline cost 55 cents per gallon. And an exciting new gadget--
the pocket calculator--was just beginning to appear on store
shelves.
Thirty-four years later, as we hold this hearing, six
presidents have occupied the Oval Office, the average cost of
gasoline exceeds $4 per gallon, and the BlackBerrys that the
Chairman and I depend so heavily on can do more than all but
the most sophisticated computers of 1974.
Yet with very few modifications, the 1974 Privacy Act has
remained the primary law governing the Federal Government's
collection, storage, and use of personal information about its
citizens.
Obviously, technology has changed dramatically during the
past 34 years. The Federal Government can now gather, store,
and share information much more efficiently than was even
contemplated 34 years ago. Yet it is a testament to the
original drafters of the Privacy Act that, in spite of these
significant advances in technology, many of the law's
provisions remain applicable to the technology in use today.
Nevertheless, as the GAO and our other witnesses will
testify, current law could be strengthened to improve
assurances that personal information is legitimately collected
and adequately secured.
We should build on the success of the original law while
ensuring that it is adequate to meet the new challenges of the
Information Age. We can accomplish this by remaining true to
the principles of openness, accuracy, transparency, and
accountability that underpin the Fair Information Practices,
which were developed by the U.S. Government and endure as
guiding principles for protecting the privacy and security of
personal data.
This hearing will examine several important questions.
First, are the rules governing the collection and use of
personal information clear to both the officials who have
access to it and the public that provides it? System of Records
Notices, descriptions of routine uses of information, and other
basic tools of the privacy regime are supposed to describe
various information systems so that government officials and
the public will know when and how personal information can be
collected and shared. In many cases, however, the tools are
worded so broadly that they really provide little clarity as to
which rules govern any particular information system.
Second, how can we ensure the security of personal
information collected and maintained by the U.S. Government?
Unfortunately, there are far too many recent examples that
demonstrate the need for the Federal Government to better
secure the sensitive information that it collects and
maintains.
For example, in 2006, the Veterans Affairs Department
reported that the personal information of approximately 26.5
million veterans was compromised when a laptop containing
departmental records was stolen. A 2007 study by the Inspector
General for Tax Administration found that at least 490 laptops
containing sensitive taxpayer data had been lost or stolen
between 2003 and 2007. But lost or stolen laptops are not the
only security concern, as is evidenced by a 2006 data
compromise of employee information at the Department of
Agriculture that was caused by unauthorized access to the
agency's systems.
Beyond the physical and cyber security of sensitive data,
we must also ask what is the best way to deal with innovative
technologies--such as data mining--that seek to use information
in entirely new ways. Technology develops so rapidly in this
day and age that we will need to be more vigilant in ensuring
that the wheels of progress are not inadvertently running over
our basic privacy rights.
And, finally, how can we continue to encourage the
legitimate sharing of accurate information among government
agencies for legitimate purposes while maintaining adequate
controls to hold accountable those who might compromise an
individual's privacy by misusing their personal information?
The recent inappropriate searches by State Department
contractors of the passport files of Senators McCain, Obama,
and Clinton highlight the need for improvements in this area.
Prohibitions against unauthorized use of the passport system
did not prevent these improper inquiries, although audit
mechanisms did facilitate prompt administrative action against
the contractors responsible. As the government searches for
ways to improve the sharing and the analysis of the information
it collects, we must develop effective security measures and
consider whether our laws properly sanction those who use
sensitive information for inappropriate purposes.
This hearing is yet another step in a robust dialogue now
occurring about privacy in our country. A strong privacy
regime, built on the principles of transparency,
accountability, and security, should inspire the confidence of
the American people that the Federal Government is not
compromising personal privacy but, rather, preserving and
protecting it. Doing so, however, in the Digital Age is a new
challenge.
Thank you, Mr. Chairman.
[The prepared statement of Senator Collins follows:]
PREPARED STATEMENT OF SENATOR COLLINS
We live in a world of unprecedented access to information. Data are
being collected and stored in quantities of almost unimaginable size by
a wide range of public and private entities. People freely share
personal information about themselves on blogs or social networking Web
sites. At the same time, most Americans believe that protecting some
degree of personal privacy is a fight worth waging in the digital age.
In 1974, Congress passed the Privacy Act to establish rules for
government's use of computerized record-keeping systems. In that same
year, President Nixon resigned the presidency in the wake of the
Watergate scandal. Gasoline cost 55 cents per gallon. And an exciting
new gadget--the pocket calculator--was just beginning to appear on
store shelves.
Thirty-four years later, six presidents have occupied the Oval
Office, the average cost of gasoline exceeds $4 per gallon, and the
Blackberrys that the Chairman and I depend on can do more than all but
the most sophisticated computers of 1974. Yet with very few
modifications, the 1974 Privacy Act has remained the primary law
governing the federal government's collection, storage, and use of
personal information about its citizens.
Obviously, technology has changed dramatically since the Privacy
Act was written. The federal government can now gather, store, and
share information more efficiently than was even imagined possible 34
years ago. Yet it is a testament to the original drafters of the
Privacy Act that in spite of these significant advances in technology,
many of its provisions remain applicable to the technology in use
today.
Nonetheless, as the GAO and our other witnesses will testify,
current law could be strengthened to improve assurances that personal
information is legitimately collected and adequately secured. We should
build on the success of the original laws while ensuring that they are
adequate to meet the new challenges of the Digital Age. We can
accomplish this by remaining true to the principles of openness,
accuracy, transparency, and accountability that underpin the Fair
Information Practices, which were developed by the U.S. government and
endure as guiding principles for protecting the privacy and security of
personal information.
This hearing will examine several important questions. First, are
the rules governing the collection and use of personal information
clear to both the officials who have access to it and the public that
provides it? System of Records Notices, descriptions of routine uses of
information, and other basic tools of the privacy regime are supposed
to describe various information systems so that government officials
and the public will know when and how personal information can be
collected and shared by the government. In many cases, however, these
tools are worded so broadly that they provide little clarity as to what
rules govern any particular information system.
Second, how can we ensure the security of personal information
collected and maintained by the U.S. government? Unfortunately, there
are far too many recent examples that demonstrate the need for the
federal government to better secure the sensitive information that it
collects and maintains.
In 2006, the Department of Veterans Affairs reported that the
personal information of approximately 26.5 million veterans was
compromised when a laptop containing Department records was stolen. A
2007 study by the Inspector General for Tax Administration found that
at least 490 laptops containing sensitive taxpayer data had been lost
or stolen between 2003 and 2007. But lost or stolen laptops are not the
only security concerns, as in a 2006 data compromise of employee
information at the Department of Agriculture that was caused by
unauthorized access to the agency's systems.
Beyond the physical- and cyber-security of sensitive data, we must
also ask what is the best way to deal with innovative technologies--
such as data mining--that seek to use information in entirely new ways.
Technology develops so rapidly in this day and age that we will need to
be vigilant to ensure that the wheels of progress are not inadvertently
running over our basic privacy rights.
And, finally, how can we continue to encourage the sharing of
information among government agencies for legitimate purposes while
maintaining adequate controls to hold accountable those who might
compromise an individual's privacy by misusing their personal
information? The recent inappropriate searches by State Department
contractors of the passport files of Senators McCain, Obama, and
Clinton highlight the need for improvements in this area. Prohibitions
against unauthorized use of the passport system did not prevent these
improper inquiries--though audit mechanisms did facilitate prompt
administrative action against the contractors responsible. As the
government searches for ways to improve the sharing and analysis of the
information it collects, we must develop effective security measures
and consider whether our laws properly sanction those who use sensitive
information for inappropriate purposes.
This hearing is yet another step in a robust dialog now occurring
about privacy in this country. A strong privacy regime, built on
principles of transparency and accountability, should inspire the
confidence of the American people that the federal government is not
compromising personal privacy but rather preserving and protecting it.
Chairman Lieberman. Thank you, Senator Collins, for that
excellent opening statement.
Let me say again how much I appreciate the leadership role
that Senator Akaka has played on these matters, and I would
like now to ask him if he would like to make an opening
statement.
OPENING STATEMENT OF SENATOR AKAKA
Senator Akaka. Thank you very much, Mr. Chairman. I also
want to welcome the panel and thank you and Ranking Member
Collins for having this hearing today.
Two years ago, following our joint hearing on the
Department of Veterans Affairs (VA) data breach, I requested
that this Committee take a closer look at the Privacy Act to
see if it continued to protect Americans' personal information
in this increasingly electronic age. Systems and procedures to
prevent loss or unauthorized disclosure are not enough. Data
security also relies on a robust privacy framework that
minimizes the collection, use, and sharing of personal
information and provides individuals the opportunity to access
their data and correct any mistakes.
For the past few years, I have been looking into Federal
data collection and privacy issues and asked GAO for several
reports. And today GAO is releasing two reports which I and
others requested: One on the need for updating the Privacy Act
and another on the need to consolidate privacy functions with a
Senior Privacy Officer. And I agree with the GAO's findings,
and I am glad to see that the Chairman also believes that the
Privacy Act needs to be updated.
Without strong privacy oversight, I fear that key privacy
safeguards will fall through the cracks and Americans' personal
information will remain at risk. Furthermore, I believe that
the framework for protecting privacy in the Federal Government
needs to be updated and loopholes closed. Failure to do so
risks inaccurate information guiding our national security
decisions as well as Americans' access to government services
and benefits.
I look forward to working with the Chairman and Ranking
Member on legislation to address these issues, and, Mr.
Chairman, I would like to ask that my full statement be made
part of the record.
Chairman Lieberman. Without objection, so ordered, and
thank you very much, Senator Akaka, for those words.
[The prepared statement of Senator Akaka follows:]
PREPARED STATEMENT OF SENATOR AKAKA
Thank you Chairman Lieberman and Ranking Member Collins for holding
today's hearing on the Privacy Act.
Two years ago, following our joint hearing with the Veterans'
Affairs Committee on the data breach at the Department of Veterans
Affairs--which risked the personal information of 26.5 million veterans
and active duty military--I requested that this Committee take a closer
look at the Privacy Act to see if it continued to protect Americans'
personal information in this increasingly electronic age. While our
hearing at that time was focused on information security practices, I
knew that we also needed to look at the safeguards for the collection,
use, and sharing of personal information.
Data security does not just rely on systems and procedures to
prevent loss or unauthorized disclosure. It also relies on a robust
privacy framework that minimizes the amount and use of personal
information and provides individuals the opportunity to access their
data and correct any mistakes.
For the past few years I have been looking into federal data
collection and privacy issues. At my request, the Government
Accountability Office (GAO) conducted several investigations on federal
data mining activities and found that federal agencies are not
following all key privacy and information security practices. In its
May 2004 report, GAO found 122 data mining activities in the federal
government that use personal data. Thirty-six of these activities mined
personal information from the private sector and 46 activities mined it
from other agencies. This included student loan application data, bank
account numbers, credit card information, and taxpayer identification
numbers. The use of private sector data and the failure of agencies to
follow key privacy requirements limit the ability of the public to
control their personal information and risk the denial of government
services or benefits.
I believed then, as I do now, that a strong privacy official at
each federal agency would help ensure compliance with federal privacy
and information security laws. Unfortunately, according to a report
being released today by GAO, despite the fact that federal agencies are
required to designate a senior official for privacy, some of these
officials still do not have full responsibility for all of the major
privacy functions. Without such oversight--from ensuring compliance
with privacy laws to providing redress procedures and privacy
training--I fear that key privacy safeguards will fall through the
cracks and Americans' public information will remain at risk.
Today, however, our focus is on how the law is working. According
to GAO and many privacy experts, the framework for protecting privacy
in the federal government needs to be updated and loopholes closed.
Whether it is the ineffective definition of System of Records or the
ever expanding list of routine uses, we need to reexamine the Privacy
Act and related privacy laws to ensure that they work in the 21st
century. Failure to do so risks inaccurate information guiding our
national security decisions as well as Americans' access to government
services and benefits.
I believe that legislative changes are needed to the federal
privacy framework and look forward to working with the Chairman and
Ranking Member to address these issues. Thank you again for holding
this hearing.
Chairman Lieberman. Let's go right to the panel. Again, I
would like to welcome you all. Our first witness is Linda
Koontz, who is the Director for Information Management Issues
at the Government Accountability Office, with responsibility
for issues concerning the collection, use, and dissemination of
government information. Ms. Koontz has recently directed
studies on privacy, records management, data mining,
information access and dissemination, and E-Government.
It is a pleasure to have you. Please proceed with your
testimony.
STATEMENT OF LINDA D. KOONTZ,\1\ DIRECTOR, INFORMATION
MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Ms. Koontz. Thank you, Mr. Chairman and Members of the
Committee. I appreciate the opportunity to participate in
today's hearing on government protection of personally
identifiable information. As you know, collecting such
information is vital for the Federal Government to provide
services and benefits, as well as to respond to threats such as
terrorism. At the same time, government use of personal
information raises privacy concerns, such as whether the legal
mechanisms governing such use remain sufficient for protecting
personal privacy in the context of modern information
technology.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Koontz appears in the Appendix on
page 39.
---------------------------------------------------------------------------
In my remarks, I will present key results from a report
that we are releasing today on this issue. For our review, we
assessed the sufficiency of current laws and guidance for
protecting personally identifiable information and identified
alternatives for addressing issues raised by our assessment.
The primary relevant statute is the Privacy Act of 1974,
which is the major mechanism for controlling Federal
collection, use, and disclosure of personally identifiable
information. The Act's provisions are largely based on a set of
key privacy principles known as the Fair Information Practices,
which call for such things as limiting the collection of
personal information, ensuring that information is accurate
when it is collected, and keeping the public informed of any
such collections. These widely accepted principles, first
proposed in 1973 by a U.S. Government Advisory Committee, are
not legal requirements. However, they do provide a useful
framework for balancing the need for privacy with other public
policy interests, and they are used by numerous countries and
organizations as the basis for privacy laws and policies.
Besides the Privacy Act, another relevant statute is the
E-Government Act of 2002, which requires agencies to conduct
Privacy Impact Assessments (PIAs)--that is, analyses of how
personal information is protected when it is collected, stored,
shared, and managed in a government information system.
The two statutes and related guidance from the Office of
Management and Budget set minimum requirements for agencies.
But our review showed that they may not consistently protect
personally identifiable information and may not fully adhere to
key privacy principles. Based on our analysis, extensive
discussions with agency officials and the perspectives of
privacy experts obtained through a panel convened for us by the
National Academy of Sciences, we identified issues in three
major areas: First, applying privacy protections consistently
to all Federal collection and use of personal information;
second, ensuring the use of personally identifiable information
is limited to a stated purpose; and third, establishing
effective mechanisms for informing the public about privacy
protections.
In the first area, applying protections consistently,
issues arise primarily from the scope of the Privacy Act, which
is limited to what are called ``System of Records.'' These are
defined as any grouping of records containing personal
information that is retrieved by an individual identifier.
Thus, the Act covers personal information in a given
information system if an agency uses an individual identifier
for retrieval, but not if some other method is used, such as
searching for all individuals with a certain medical condition
or who apply for a certain benefit.
The resulting inconsistency has led experts to agree that
the definition of a System of Records is too narrow. The
Congress could address this issue by revising the definition to
cover all personally identifiable information collected, used,
and maintained systematically by the Federal Government.
The second area, ensuring that use of personally
identifiable information is limited to a stated purpose, is
based on the principles that collecting personal information
should be disclosed beforehand, and use of this information
should be limited to a specified purpose. When the government
must define a specific purpose and use for personal
information, individuals gain assurance that their privacy will
be protected and the information will not be used in ways that
could unfairly affect them. However, current laws and guidance
impose only modest requirements for defining the purposes and
use of personal information. Agencies may define purposes very
generally which allows for unnecessarily broad ranges of uses
without meaningful limitations. These issues could be addressed
by requiring that specific limits be set on the use of
information both within and among agencies.
The third area, establishing effective mechanisms for
informing the public, is related to both openness and
accountability. These principles call for informing the public
about privacy policies and practices and for holding agencies
accountable for protecting privacy in their use of personal
information. Currently, these principles are enforced through a
System of Records Notices that agencies are required to publish
in the Federal Register. However, it is questionable that such
a publication effectively informs the public at large. First,
the notices can be difficult to understand, as they are
generally written in legalistic terms. Second, they do not
always contain complete and useful information. And, finally,
finding relevant notices and determining which ones are in
force may be challenging. Options to address these issues
include providing easy-to-understand, brief notices along with
comprehensive versions, setting requirements to improve the
content of privacy notices, and revising the Privacy Act to
require that all notices be published on a central Web site.
The challenge of how best to balance the Federal
Government's need to collect and use information with
individuals' privacy rights in the current environment merits a
national debate on all relevant issues. In assessing such a
balance, Congress should consider amending applicable laws
according to the alternatives we have identified in our report.
Mr. Chairman, that concludes my statement. I would be happy
to answer questions at the appropriate time.
Chairman Lieberman. Thanks, Ms. Koontz. That is a good
beginning.
Our next witness is Hugo Teufel III, Chief Privacy Officer
of the Department of Homeland Security, a position he has
occupied since July 2006. Mr. Teufel has primary responsibility
in his position for privacy policy at the Department, including
compliance with the 1974 Privacy Act and the privacy provisions
of the E-Government Act. He previously served in the General
Counsel's office at the Department and, before that, was the
Associate Solicitor for General Law at the Department of the
Interior.
Thanks for being here, Mr. Teufel.
STATEMENT OF HUGO TEUFEL III,\1\ CHIEF PRIVACY OFFICER, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Teufel. Thank you very much, Chairman Lieberman,
Ranking Member Collins, Senator Akaka, and Members of the
Committee. It is an honor to testify before you here today, and
I must confess that I am humbled in the presence of my
co-panelists here. Linda Koontz and I have worked together for the
last 2 years, and we take very seriously the recommendations in
her reports. And we usually get it right, but sometimes there
is room for improvement, and she lets us know, and we carry out
her recommendations, by and large. Ari Schwartz is someone who
we regularly reach out to, along with other members of the
privacy advocacy community, and I often seek Mr. Schwartz's
advice and counsel on issues. And, of course, Peter Swire is
someone from whom, since the very first week or two of my
tenure in the Privacy Office, I have sought advice and counsel,
and it is always great to see him and talk to him and be here.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Teufel appears in the Appendix on
page 64.
---------------------------------------------------------------------------
I read with interest the formal letter inviting me to come
and testify, and I noted that this hearing was to consider the
adequacy of laws and structures with respect to privacy. And,
of course, this is a Congressional Committee, a Senate
Committee, and so there will be a lot of talk on the law. I
would like to spend just a little bit of time on structure
before I conclude my opening remarks.
In the 23 months that I have been in the office, I have
thought a lot about the office and the position of Privacy
Officer and what it is and what it should be and what it has
been at other agencies. And so in my opinion, and what I have
tried to do at the Department of Homeland Security, I have
grouped our responsibilities into five functional categories:
Policy, process, incidents and breaches, education, and
outreach.
The significance there is that if you look at other Privacy
Officers--and I will put aside Census Bureau, Internal Revenue
Service, and Postal Service--most other Privacy Officers and
Privacy Offices within government often focus on the technical
aspects and do not necessarily get involved with policy and
with outreach. Policy is critical as part of Section 222 of the
Homeland Security Act, and we are the primary privacy policy
office--that is difficult to say fast early in the morning--at
the Department of Homeland Security. But outreach is also
essential because there are a lot of external stakeholders who
are concerned about what it is that government is doing with
personally identifiable information.
So policy, advice--it can be advice and counsel orally
given or it can be written policy, as we have done with respect
to Social Security numbers and mixed-use systems,
administratively extending Privacy Act protections to non-U.S.
citizens.
Process, what we think about when we talk about Privacy
Impact Assessments and System of Records Notices.
Incidents and breaches--just as it sounds.
Education, really undervalued but terribly important,
because whenever humans are involved, people make mistakes. And
you cannot get rid of mistakes, but you can minimize them, and
the way to do that is education, education, education.
And then the last is outreach--part of what we are doing
today and what we regularly do in and around the D.C. area, and
sometimes even internationally.
So having said that, as I was preparing today, I was
reminded of something that I had heard a couple of weeks ago.
As you may know, I am going to be graduating this week from the
Naval War College with a master's in national security and
strategic studies. The University of Connecticut had not
started their master's program in homeland security 4 1/2
years ago, or I would have probably entered that program. And 2
weeks ago, I was at the University of Virginia Law School for
their National Security Law Institute. And, in fact, we were at
the Pentagon, and we were listening to Judge Jamie Baker, who
is the former legal adviser to the National Security Council
and now is an associate judge on the Court of Appeals for the
Armed Forces, and he was talking about his office and the
importance of the legal adviser to the National Security
Council. And he noted in his remarks that the law and structure
are important, but they are not conclusive. Senior officials
have to call on you, and they have to have trust and confidence
in you as an adviser in order for you to be able to do your job
effectively.
And with that, I will stop, and thank you very much.
Chairman Lieberman. Very interesting. Thank you. The record
will note that had you had the opportunity, you would have
become a UConn Huskie. [Laughter.]
Ari Schwartz is next, familiar with this Committee, but you
have already received a good introduction from Mr. Teufel: Vice
President and Chief Operating Officer at the Center for
Democracy and Technology (CDT). Mr. Schwartz also serves as a
member of the National Institute of Standards and Technology
Information Security and Privacy Advisory Board and the State
of Ohio Chief Privacy Officer Advisory Committee.
At this time I will ask you to talk about the fact that you
lead the Anti-Spyware Coalition. We welcome you today and look
forward to your testimony, Mr. Schwartz.
STATEMENT OF ARI SCHWARTZ,\1\ VICE PRESIDENT AND CHIEF
OPERATING OFFICER, CENTER FOR DEMOCRACY AND TECHNOLOGY
Mr. Schwartz. Thank you very much, Mr. Chairman, Ranking
Member Collins, and Senator Akaka, for holding this hearing
today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Schwartz appears in the Appendix
on page 75.
---------------------------------------------------------------------------
Thirty-four years ago, the U.S. Congress took the
revolutionary step toward ensuring that U.S. citizens'
information in the hands of the Federal Government would be
treated fairly and with respect. The Privacy Act of 1974 sets
forth privacy protections that have been an example for
governments at different levels around the world. While the Act
reached for the goal of privacy, it was by no means perfect.
And, in fact, Congress recognized its imperfections even at the
time of passage, creating a study commission to report back on
how, among other things, the Privacy Act could be improved.
The GAO studies released today suggest that the major
concerns of the Personal Privacy Study Commission of 1977 have
not only never been addressed fully, but have even worsened
with time. While the structure of the Act is still solid,
technological advances have outdated many of the key
definitions. The Privacy Act guidance from OMB has served to
confuse as much as it clarified, and the Department of Justice
has not released its Privacy Act Overview for agencies for 4
years. This important document had been issued at least every 2
years since the mid-1980s.
While the Privacy Act implementation has been allowed to
decay, Congress has created other protections to help ensure
greater transparency over collections of personal information.
The E-Government Act recognized that making more information
available online was certain to raise new privacy concerns, and
in order to address this problem, Congress took the step of
requiring a Privacy Impact Assessment for all new and changed
collections and new databases. The Privacy Impact Assessments
were designed to provide greater transparency to how the
government collects and uses personal information.
Over the past 6 years, Privacy Impact Assessments have
become an essential tool to help protect privacy.
Unfortunately, as with other privacy laws, the Federal
Government has unevenly implemented even the most basic
transparency requirements of the PIAs across agencies. Like
other directives issued by the Administration on privacy, the
guidance was vague and has simply not provided agencies with
the tools they need to successfully implement the Privacy
Impact Assessment requirement unless they already had privacy
experts on staff.
Too few agencies have the kind of privacy expertise and
leadership necessary to develop internal rules and best
practices or even to comply with existing law. The Department
of Homeland Security is one agency that has had that kind of
leadership through its inception through Nuala Kelly, who
started the privacy program, and now through Hugo Teufel, who
has already shown us why he is a leader that can bring together
this kind of program at the agency.
While privacy experts often focus on these major problems
as if the only thing harmed is the privacy of Americans, it is
important to note that they have an even greater impact on the
effectiveness of the Federal Government. For example, one
agency that CDT spoke to told us that the privacy audit
revealed that they had lost track of half of their System of
Records and, therefore, millions of the personal records held
by the agency. At the time of the audit, they just did not know
where this information was.
As one retiring security official from the Department of
Interior explained publicly earlier this month while discussing
that agency's constant failures in privacy and security
reporting, he said, ``We are promiscuous with our data. We
don't know where our data is.''
You can call this a privacy concern, you can call this a
security concern, or you can call this a data management
concern. But to the American taxpayer, the loss of their
personal information is certainly called a failure.
To solve these problems, CDT suggests that Congress work
with the Executive Branch on the five following areas:
One, expanding Privacy Act coverage. CDT agrees with the
GAO's basic assertion that the Privacy Act key definition of
System of Records is out of date. We believe that this issue
must be addressed in legislation and urge the Committee to
introduce such legislation in this Congress. We suggest a new
definition that would ensure coverage of all information that
reasonably can be expected to identify an individual.
Two, closing Privacy Act loopholes. CDT also urges the
Committee to consider legislation that would limit the
``routine use'' exemptions. As GAO found, there are simply no
current standards across the government for this exemption, and
agencies have filled the void with an array of confusing and
overbroad loopholes.
In addition, we urge the closing of another common
loophole. Congress should make it clear that the Act's core
principles apply to commercial data used by government.
Three, improving Privacy Impact Assessments. As we
testified before this Committee last year, CDT supports the
creation of best practices for Privacy Impact Assessments as
called for in the E-Government Act Reauthorization Act,
recently passed by this Committee. CDT urges the Committee to
require PIAs for any program that uses commercial data, whether
the personal information will be stored in the agency or kept
outside of the agency. CDT also supports requiring PIAs for
systems of government employee information.
Four, improving privacy leadership. When Peter Swire was
chief privacy counselor, privacy had a higher profile within
the Federal Government than at any other time. While Professor
Swire is a unique leader in this space, CDT believes that a
similar permanent Chief Privacy Officer within OMB written into
law would help ensure that agencies understand the importance
of this issue to Congress, to the next Administration, and to
the Americans that you represent.
CDT also urges the creation of an independent Chief Privacy
Officer (CPO) Council with a similar structure to the Chief
Information Officers (CIO) Council and to the Chief Financial
Officers (CFO) Council as well.
And five, increasing and improving privacy reporting and
audits. OMB requirements for privacy reporting are a major leap
forward in focusing attention on privacy issues, but getting
the right implementation and accountability processes in place
is an essential goal. Most importantly, OMB should be required
to create standardized measurements for privacy-protecting
processes. CDT also believes that the Committee should require
that the systems of greatest privacy risk undergo regular
audits by Inspectors General and/or, when the IGs are
overwhelmed or not experts in privacy, by third-party audit
firms.
In conclusion, I would like to urge this Committee to act
this year. In the past, CDT has called for the creation of a
new 1-year commission to study the Privacy Act and privacy
policy in the government and offer solutions. But with the
release of these GAO reports and numerous hearings on this and
related issues in this Congress, we believe that the basic work
that would have been done by such a commission has already been
completed. There is now consensus around a set of
recommendations for action by Congress and the Executive Branch
to fill gaps and loopholes in privacy law and policy. CDT urges
this Committee to draft a bill with the recommendations
outlined above and quickly bring it to the Senate floor so that
the next President can have the right tools in place upon
taking office and can get started immediately on strengthening
privacy in the Federal Government.
We look forward to working with you, and we thank you for
your leadership on this important issue.
Chairman Lieberman. Thanks very much, Mr. Schwartz. Thanks
for your specific proposals, too, which are very helpful to the
Committee.
The final witness this morning is Peter Swire, the C.
William O'Neill Professor of Law at the Moritz College of Law
of the Ohio State University. I want to express relief that I
have been able to announce that when Senator Carper is not here
because as a very zealous Ohio State graduate, he probably
would have created a disruption of some kind. [Laughter.]
Mr. Swire. There was some discussion of whether to make
it----
Chairman Lieberman. Yes, the Big O, right. Also, Professor
Swire is a Senior Fellow at the Center for American Progress
specializing in privacy issues. From 1999 to early 2001, during
the Clinton Administration, he served as the Chief Counselor
for Privacy in the U.S. Office of Management and Budget.
Thanks very much for being here, and we welcome your
testimony now.
STATEMENT OF PETER P. SWIRE,\1\ C. WILLIAM O'NEILL PROFESSOR OF
LAW, MORITZ COLLEGE OF LAW, THE OHIO STATE UNIVERSITY
Mr. Swire. Thank you, Chairman Lieberman, Ranking Member
Collins, and Senator Akaka, for your attention to these issues
today. And thanks to your Committee and the E-Government Act of
2002 for really making Privacy Impact Assessments a major tool
across the Federal Government. This Committee has been vital in
protecting and addressing these issues. And it is a pleasure,
as we have heard across the panel today, being on this panel,
that GAO has been really a major source of expertise in
government-wide attention to privacy for a number of years.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Swire appears in the Appendix on
page 87.
---------------------------------------------------------------------------
At Homeland Security, Hugo Teufel and his predecessor have
really built what has become the leading office in any Federal
agency on privacy issues, and Federal Computer Week, for
instance, earlier this year recognized Becky Richards of the
office for her outstanding achievements for compliance in
privacy. And so it is good to see that kind of recognition from
the outside world.
And Ari Schwartz has been obviously a leader on these
issues for quite a few years now, and we appreciate that.
In my statement today, I am going to talk about two issues
and then briefly mention a third. I am going to try to give
some of my experiences at OMB and some lessons for what that
means going forward. The main technical substantive issue today
is on biometrics. I am going to talk about an emerging issue,
fingerprints and things like that, where I think the Committee
really should consider action.
And then in my written testimony, we talk about a third
issue that I could get to in questions, but I am not going to
address it in detail. The Center for American Progress released
a report earlier this month called ``The ID Divide: Addressing
the Challenges of Identification and Authentication in American
Society.'' We put together a working group over a period of a
year to address a wide range of issues--homeland security,
immigration, voting, privacy, and security. And so we have a
series of recommendations about how a process to look at
identification systems would be a good thing to bring into the
Federal Government as they address this generally going
forward.
So turning to OMB and my 2 busy years there, I have five
points to sort of bring up from that experience. And the
overarching theme is that in an information-sharing world, we
have tried to break down the data silos. We have tried to make
sure that information gets shared across agencies. But,
unfortunately, we have put the silos back in when it comes to
privacy protection. So we have an agency over here and an
agency over there with separate Privacy Officers, but no
overarching structure for handling privacy across agencies. And
I think that has really been a lack for the last number of
years.
So to get to my list of five things, during the time that I
was at OMB as a political appointee, a policy official, the
first thing we did was coordinate across agencies. For
instance, Ari Schwartz of CDT released a study just a couple of
months into my time showing we had forgotten to put privacy
policies up on Federal agencies. And that was deeply
embarrassing, but it was also deeply helpful because within 4
months we got all the major Federal agencies to have privacy
policies up. We saw a problem and could fix it.
During that time, at the CIO Council we created a Privacy
Committee, which was active during that time, which made
Privacy Impact Assessments a best practice at that time. And so
the E-Government Act was able to build on some things that
happened in the agencies when the time came. So the first point
is to coordinate across agencies.
The second point is to act as a source of expertise. We
answered Privacy Act questions from around the government. When
the Health Insurance Portability and Accountability Act
(HIPAA), the medical privacy rule, was happening, I served as
White House coordinator for that, and the interagency issues
were informed by somebody who does privacy across agencies.
Similarly, when the Gramm-Leach-Bliley Act was being put into
effect, there were many different agencies involved, and we
served as a background source of expertise on privacy issues.
A third point, which people in Congress and the government
would appreciate, is our role in clearance. You know that in
the Federal Government, the moment they decide to testify, it
all goes through OMB. And I was in OMB, and when there was a
privacy issue, it got routed to my office, and we were able to
comment with a consistent, informed view on how to handle
privacy issues.
The way it works in Homeland Security is Mr. Teufel would
get to see things as they are happening at DHS. But when it
goes to OMB, that is somebody else's job at that point. It is
the next step in the process. So having somebody at the central
White House level really makes that job work better.
A fourth point is that I was available for special
projects. In 2000, the Chief of Staff, John Podesta, asked me
to chair a White House task force on a tricky set of issues.
How do you update our wiretap laws for the Internet age? We had
telephone wiretap laws. How does it work for the Internet? And
I chaired a 14-agency task force with all the intelligence
agencies, but it meant there was some privacy expertise in the
room to work together with the agencies who most were focused
on gathering information. And we came up with recommendations
that year.
And then the fifth point about this OMB position was I
could serve as a single point of contact. People knew who to
yell at. The press knew who to call. The public could come to
us. For the privacy groups, industry groups, and government
agencies, there was one place to go for a forum and a way to
talk about these issues going forward.
So I think those five points suggest some real usefulness
to having a policy official in the White House structure that
focuses on privacy going forward.
There is one lesson, I think, that I learned from that
time--that it helps to have it be a statutory position. The
position of the Administration when I was there was, because I
was not statutory, I was not appropriate to testify in front of
Congress. So I had to brief other people every time we had a
privacy-related hearing. And I think that having a statutory
position would help make sure that Congress would be well
informed on these issues going forward.
I am now going to shift to talking for the remainder of my
time on biometric issues, which I think is a major emerging
issue. It is vaguely covered by the Privacy Act but has not
gotten the attention. We have new videos up today at the Center
for American Progress Web site on this. But I highlight this in
part because President Bush signed Homeland Security
Presidential Directive 24 (HSPD-24), his guidance on
biometrics, on June 9, 2008, using words like ``expanding'' and
``maximizing'' the use of biometrics. The guidance mentions
privacy, but does not provide any implementation of what that
is going to mean going forward. And here is the sort of
background for concern.
Computer scientist Terry Boult has raised an issue called
the ``biometric dilemma.'' The more you use biometrics, the
less secure they become. And the reason is the more you use
secrets, the less secret they become. And so, in particular,
when you think about fingerprints--Secretary Chertoff said not
too long ago in a press availability that it is very difficult
to fake a fingerprint. But that is not true. You can do a
highly advanced research task. Go to Google or your favorite
search engine and put in ``fake fingerprint.'' And on the first
page, you will see multiple articles about how to do that for
under $10. Unfortunate, but true. Go do it. You can do it on
your BlackBerry probably while we are having the hearing.
And how effective are these fake fingerprints? Well, Bruce
Schneier, a famous security expert, tested one of the
techniques, and he reported, ``against 11 commercially
available fingerprint biometric systems, it was able reliably
to fool all of them.''
And so we have a situation where fingerprints become the
new data breach problem. If we have great big Federal databases
full of fingerprints, those are data breaches waiting to
happen. If you lose your Social Security number or your credit
card number, you can, you hope, get a new one. You lose your
fingerprint, it is very hard to get a new finger. And so we
have this systematic security problem, data breach problem
going forward if we have these huge government databases
maximizing and expanding, as the recent directive said.
There are things to do about this, but they have not been
done yet. And so in my testimony, I suggest a couple of actions
this Committee could consider immediately to start to do the
work on biometrics that I think would be helpful.
The first idea--and this is part of data breach laws
generally--is to encourage encrypting transmission of things
like this, biometrics, and encourage encryption when you store
them. And so I suggest the E-Government Act of 2002 can be
amended to provide a default for storing and transmitting
biometrics in encrypted form. An exception to this ``always
encrypt'' policy should be permitted only if it is justified in
a Privacy Impact Assessment, only if it is really a good idea,
and if it has received specific authorization from the Chief
Privacy Officer for the agency. So I would like Mr. Teufel to
have to sign off on it if we are going to have unencrypted uses
of biometrics around the agency. And it may have to be
considered whether in the private sector this should apply as
well because if the private sector compromises these
biometrics, then the government cannot use them either.
A second point going forward is that access to biometric
databases should be very well audited. We saw with the passport
records of the Senators how audit can be helpful in sending a
message and training people that they should not be messing
around in people's files. Biometrics going forward can be
compromised, and we should audit the possibility.
And then in the written testimony, I also talk about some
promising new biometric technologies that are more privacy
protective. One is called biometric encryption. And I suggest
reports are appropriate. You could ask Homeland Security and
the Justice Department Privacy Office to do reports on these
technologies so that they have to say what works, what does
not, whether pilot programs are appropriate to fix this.
In conclusion, when it comes to biometrics, I will go back
to an analogy I used when the Homeland Security Department was
being created 6 years ago and I testified in Congress. Too
often, we see this as if it is a truck where we only have an
accelerator for some of these uses, but no brakes. And the
concern with new technologies, if we simply expand biometrics
without the brakes, is that we could compromise our
fingerprints and our biometrics for a generation and we cannot
get them back, so we should build them right in the first
place. Thank you, Mr. Chairman.
Chairman Lieberman. Thanks, Mr. Swire. Very interesting and
obviously informed and helpful testimony. We will do 6-minute
rounds of questions and keep going until we are finished with
our questions.
Ms. Koontz, let me begin with you. The GAO report
highlights a longstanding concern, which is that agencies are
sharing and using personal data for purposes beyond the
original stated purpose. I wanted to ask you to give us a few
examples that you found in your work of that and indicate to us
how widespread you think the practice is.
Ms. Koontz. I think that what we were covering in our
report is that there are only really very modest limitations in
the law on sharing. Within an agency, the information may be
shared as long as it is necessary for an employee to do their
job. Outside of an agency, it can be shared pursuant to a
routine use, but I think that all the panelists have commented
that routine uses over time have become very numerous, very
broad, and do not serve as a very useful way to limit the
sharing of information.
Chairman Lieberman. And, again, this is sharing between
agencies of the Federal Government.
Ms. Koontz. Yes. I think we also make the point, though,
that as we move toward an information-sharing environment, in
the wake of September 11, 2001, we realize we need to share
information better than we have in the past. In some cases,
information also needs to be shared with State and local
governments, and it needs sometimes to be shared with the
private sector.
One of the concerns that we raise in our report is that the
Privacy Act does not ensure in all cases that the privacy
protections travel with the data; that is, there are not onward
transfer provisions that make sure that the protections travel
with the data when they go outside the hands of the original
collector and maintainer of the information. So I think that is
a definite concern going forward that we need stronger
protections because we foresee that there is going to be more
sharing. We need stronger protections to ensure that the
information is protected consistently as it travels.
Chairman Lieberman. You are quite right that a real focus
for us on information sharing, again, started in this Committee
with the legislation based on the 9/11 Commission Report, which
found that, to use the familiar metaphor, there was no place
where the dots were located together so that they could be
connected to try to prevent September 11, 2001, from happening.
So there is no question that what we are trying to do is really
encourage--and, insofar as possible, mandate--the sharing of
information for national security or homeland security
purposes.
But is that the major area in which you are concerned? My
own concern was that other agencies, unrelated to security
work, are collecting information on American citizens and,
beyond the stated purpose, sharing that information with other
agencies for matters unrelated to security.
Ms. Koontz. I am not sure that I can give you any examples
where people actually exceeded the purposes for which it was
originally collected. I think our concern is that it can be
shared pursuant to all kinds of routine uses, and they are so
numerous and broad that there are not really meaningful bounds
on the sharing of information.
Chairman Lieberman. OK. What are possible solutions to this
problem?
Ms. Koontz. In terms of sharing?
Chairman Lieberman. Yes, sharing among agencies that goes
beyond the original purpose for which the information was
collected.
Ms. Koontz. Right. It is a very important part of privacy
that the information be only used in the way that is consistent
with the purpose for which it was collected. So when the
government told the person when they collected the information
in the first place that this was the purpose, we need to handle
that consistently over time.
There are a couple things. First of all, in the System of
Records Notices, in the public notices under the Privacy Act,
there is not a requirement to state an overall purpose.
Agencies are supposed to state purposes for each of the routine
uses, but not an overall purpose. We think that requiring
agencies to state the overall purpose of the collection is
important. It is also important that they be very specific
about that purpose so that it serves as a useful constraint.
We also think that there should be mechanisms so that when
information is shared outside an agency, that there are
agreements with outside entities that will constrain the use of
that information and provide protections to it.
Chairman Lieberman. That makes sense. Mr. Teufel, just to
state again the obvious, in the case of a lot of information
that the Department of Homeland Security and, obviously, the
National Counterterrorism Center have, the original purpose, if
you will, that Congress has mandated is that you share the
information for the collective good. Why don't you talk a
little bit about how you react to this question about the
original purpose being exceeded?
Mr. Teufel. Sure. Well, first of all, I do not think I have
an answer. Second, what I am going to tell you may run over my
time, so with the Committee's indulgence, I will do the best I
can to answer the question.
Chairman Lieberman. Go ahead.
Mr. Teufel. We think a lot about routine uses. You may be
aware, and Ms. Koontz, in a report that she did on my office
last year, mentions that we have 208 legacy agency System of
Records Notices. So these are System of Records Notices that
could be from Department of Energy, Department of
Transportation, or Department of Justice, and every agency
approaches System of Records Notices differently.
Chairman Lieberman. Just for the record give us a brief
definition of what that means, what a System of Records Notice
is.
Mr. Teufel. A System of Records Notice is a document that
is required to be published under the Privacy Act of 1974 when
an agency has a System of Records. A System of Records is a
collection of information about U.S. citizens or legal
permanent residents that is accessible by some unique
identifier. So there are a lot of databases out there, and this
is one of the things that others will talk about, that you can
have a database that has personally identifiable information in
it, but it will not be, under the definition in the Privacy
Act, considered a System of Records. And, accordingly, there is
not a System of Records Notice published in the Federal
Register. We put them up on our Web site.
So we have 208 legacy agency System of Records Notices
(SORNs), and we are determined by the end of the year to update
as many of those as possible. So the first thing that we did
was we revised our guidance that is up on our Web site on how
to conduct and prepare a System of Records Notice, and we
looked at routine uses. And often there are routine uses that
agencies will have, and they will just publish lists of routine
uses that apply to every System of Records Notice at the
agency. We do not do that. We do have a template where we list
standard routine uses that one might see. Some may be for State
and local information sharing. It might be for health purposes,
law enforcement purposes, those sorts of things. But we do not
have blanket routine uses that we have published. We look at
each and every System of Records Notice when we decide which
routine uses go into that particular document.
So we have these 208 System of Records Notices out there,
and over the last few months, my office and a contractor have
gone through all of those to look at the different approaches
and to see where we can harmonize and reduce. And this is
something that Ms. Koontz had recommended in a report last
year. There is a requirement under the Privacy Act, and I think
it is OMB Circular A-130, that we, every 2 years, go through
and look at System of Records Notices to make sure that we
actually need the information and what are we doing with it.
So we have made tremendous progress, and we have draft
System of Records Notices for all 208. Many we will consolidate
and go under government-wide, Executive Branch-wide System of
Records Notices. Others will be DHS-wide, and for the
remaining, they will be component-specific SORNs. So that is
part of the answer.
The other part of the answer is information sharing, and it
is something that my office really has been grappling with, and
in the remaining time in my office, it is one of two fairly
major priorities, the other being cyber security. How do we do
this? How do we do information sharing as Congress has mandated
we do, but we do it in a way that is privacy sensitive? And I
do not have an answer for you. We are working on this issue and
working very closely with our colleagues at the Department of
Justice and the Office of the Director of National
Intelligence, as well as the program manager for the
information-sharing environment.
Chairman Lieberman. That is a good answer. Thank you.
Senator Collins.
Senator Collins. Thank you.
Professor Swire, I want to follow up on some of your
comments on biometrics. Biometrics have really been sold to
Congress, and I think to the public and by the Department of
Homeland Security, as the answer. I, therefore, was very
interested in your comments about the ability to fake
fingerprints, for example, because I believe as your testimony
said and as I recall, Secretary Chertoff has been quoted as
saying, that it is very difficult to fake a fingerprint. And I
think you are telling us today that it is not.
The U.S. Visa Waiver Program is based on having biometrics
included in the exit program so that we can track who is here
and who is leaving our country. So I am particularly interested
in your analysis of the rush to embrace biometrics and whether
they really will result in a better, more secure system, and
also your red flags about the need for encryption.
Do you know whether or not the Transportation Security
Administration (TSA), for example, which is using biometrics
for the new Clear system at airports to speed on the way
travelers who have given the Department biometric information,
do you know if that system is using encrypted data when it is
being used at the test airports around the country?
Mr. Swire. Thank you, Senator. I have not reviewed the
Clear system in particular, so I do not have an answer on that.
I think that when it comes to biometrics, there are vendors
who are trying to sell systems, and they want to have people
believe it is a good answer. And I also think that there is
enormous pressure to sort of do something, to come up with
secure ways to do things. And if our current things do not work
very well, we want to move to the next generation, and
biometrics has seemed tempting.
The fact that fingerprints are easy to fake, the basic way
you do it and the simplest method is if I have a picture of
your finger, I just--nowadays, pictures come in my cell phone,
for instance. I just blow it up, put it on my computer, and
photo-shop it a little bit, and then I am able to print it out
on a laser printer--this is pretty standard--and I can then get
Gummy Bears or similar gel from the CVS and put it over my
finger. And that is basically what it takes.
You could have fancy machines, which is not what we mostly
have, that could make sure the pulse is pulsing and things like
that. But the basic idea that I just put your fingerprint on
top of my finger is very easy to do.
So that is known, and biometrics researchers, the sort of
academic ones who are not trying to sell their products, have
long lists of articles explaining these vulnerabilities. And
that is why I think reports from the agencies, maybe including
the Privacy Office, to really look at these might be one very
specific step so that the eagerness to do things can be
tempered by making sure we get the technical part right.
Senator Collins. Well, it is particularly interesting to
hear you say that, because several years ago, when I was the
Chairman of the Permanent Subcommittee on Investigations, we
did an investigation on how easy it was to counterfeit
identification using readily available software on the
Internet. And, indeed, my staff counterfeited, I think, a dozen
different IDs for me, licenses in five different States, a
college ID--probably that one would not have been----
Mr. Swire. You should be careful doing those. There are
some laws about that.
Senator Collins. Exactly. [Laughter.]
Well, I can tell you that the law is a lot stronger after
we did that investigation. But there were real loopholes in the
law as far as making that illegal if it is done through the
Internet. So we are constantly trying to catch up with our laws
and our policies to the technology that is out there. And your
comments on biometrics are an excellent caution to us because
it has been sold as the way to have secure IDs. And now I am
hearing from you that just as my staff was able to easily
locate the technology on the Internet to counterfeit
identifications, now you are telling me that we could do that
with fingerprints as well.
So it seems to me there are two issues here. One is: Is
this technology really increasing security? The second is: How
do we protect individual fingerprints from being counterfeited
and used by those who would do us harm?
Mr. Swire. If we do it badly, our fingerprints will get out
there. They will be breached, and they will be out there. And
we cannot get them back, right? So that means for our
generation that fingerprint will be an insecure identifier. And
that is a reason to be a step or two more cautious because if
you screw it up, you have done it for a generation of people.
Senator Collins. Well, that is why I want to follow up with
TSA on the Clear system and what the protections are, and I am
going to turn to Mr. Teufel to see if he knows the answer to
that.
When the fingerprint and other information that is given to
airports that are being used, is it encrypted? Is it retained
at the airport and, thus, subject to misuse?
Mr. Teufel. Sadly, the BlackBerry is a wonderful thing, but
it does not always give me an answer as fast as I might need
it.
I do not know the answer, but I can tell you that on our
Web site, dhs.gov/privacy, we have privacy documentation
posted, and I believe the answer may be in there. And I will be
talking with TSA's Privacy Officer, Peter Pietra, on this when
I get back. So I am just hesitant to give an answer without
being informed.
Senator Collins. If you would get back to us on that issue,
that would be helpful.\1\
---------------------------------------------------------------------------
\1\ Response from Peter Pietra to Senator Collins appears in Mr.
Teufel's response on page 36.
---------------------------------------------------------------------------
Just quickly, because my time is expiring, Mr. Teufel, what
do you think of the idea that Mr. Schwartz and Mr. Swire have
raised about having a Privacy Officer at OMB designated in law
so that it does not depend on the interests of a particular
Administration to help provide government-wide guidance on
privacy issues? Would that be helpful to you? Or would it be
just another layer of bureaucracy?
Mr. Teufel. Well, I do not think it would be another layer
of bureaucracy, and certainly as a Privacy Officer, I like
Privacy Officers.
Senator Collins. Some of your best friends. [Laughter.]
Mr. Teufel. Some of my best friends are Privacy Officers.
But my one concern would be I am just a Privacy Officer for
DHS, and I am hesitant to speak beyond my role at DHS. And also
I am mindful of the head of OMB's ability to manage his or her
office.
Senator Collins. But just your personal opinion--I realize
you are not speaking for the Department or the Administration.
But you are on the front lines day in and day out in the
Department, that, other than the VA and the Department of
Health and Human Services (HHS), has the most information about
Americans, and the Internal Revenue Service (IRS), I suppose.
Mr. Teufel. Yes, ma'am. I work very closely with Karen
Evans at OMB, and I think very highly of her. She co-chairs the
Privacy Committee within the CIO Council, and she has
designated me to be the Chair of the Cyber Security
Subcommittee of the Privacy Committee. I think it is a good
approach, and I like working with her. I think she has provided
some excellent leadership in the role as the person I interact
with on a regular basis at OMB for privacy issues.
Senator Collins. Thank you.
Chairman Lieberman. Thanks, Senator Collins. I just want to
point out that Ms. Evans is the E-Government person at OMB.
Mr. Teufel. Yes, sir.
Chairman Lieberman. So she is not, as you know, a full-time
government-wide privacy person.
I just want to make sure I understand what you said, Mr.
Swire, because it is important to the Committee. What you are
saying is obviously you have to get somebody else's fingerprint
to be able to compromise the biometric system.
Mr. Swire. Yes.
Chairman Lieberman. So your concern is about the security,
quite consistent with what we are focused on today, of
fingerprints that the government has in its possession.
Mr. Swire. And, in particular, if there are databases that
the government holds where they just have lots and lots of
fingerprints in there, if you have a breach of those databases,
then all those people's fingerprints become compromised.
Chairman Lieberman. Right, with very significant
consequences.
Mr. Swire. Even if it is encrypted at Clear or out at the
edges, if the database is lying around subject to breach, that
is a risk.
Chairman Lieberman. Right. That is a good point. Senator
Akaka.
Senator Akaka. Thank you very much, Mr. Chairman.
GAO's report lays out some solid suggestions about ways to
strengthen our privacy laws. However, one of the major issues
not discussed in the report is the list of exemptions to the
Privacy Act for law enforcement and intelligence activities. I
believe that this issue merits some discussion since the major
privacy arguments over the past few years have been with the
treatment of personal information in the national security and
homeland security context.
Can each of you discuss these exemptions and whether you
have recommendations for changing these sections of the Privacy
Act?
Ms. Koontz. I will start us off. The exemptions are
definitely an issue. They did not come up specifically in the
work that we did, but we think that, going forward, any
reconsideration of the provisions of the Privacy Act will have
to include debate about the law enforcement exemptions and the
general and specific exemptions in the Privacy Act.
Mr. Swire. This is related, in my mind, to the information-
sharing environment set of issues because that is where it
comes up a lot of the time. I wrote an article called ``Privacy
and Information Sharing in the War Against Terrorism.'' It came
out about 2 years ago. And it was an attempt to--this was after
I had worked on the Markle Task Force, which did a lot of
information-sharing work.
I think it is somewhat difficult to address it within the
Privacy Act itself, but what the article called for was an
expanded process, a sort of due diligence process or an
expanded Privacy Impact Assessment process, at the time that
you create new information-sharing programs. I think when you
are building each one of those programs, an expanded list of
questions about how to look at it, what should be shared, what
should not, how do you minimize, and the rest, that might be
the best way day in and day out to try to address that.
Mr. Schwartz. I will say, Senator, it is a good question. I
am hesitant to touch the more general exemptions, especially
the law enforcement exemption. I think that exemption actually
is, compared to other law enforcement exemptions, pretty
tailored for the Privacy Act and fits into the Privacy Act
pretty well. The problem that we have had is more of these
routine use exemptions where we see lists of 30 or 40
exemptions that the agency is just making up at that particular
time. So if you have a set of 40 exemptions for a particular
program that, as Ms. Koontz said, does not have a main purpose
listed in the first place so you cannot compare the main
purpose to these exemptions and try and figure out how they
should be used, it is basically giving a complete loophole for
sharing of the information for many purposes, and maybe for any
purpose, if these exemptions are written widely enough. And I
have even spoken with agencies, and with the Postal Service,
for example, where there was a System of Records Notice that
they put out a number of years ago, where I questioned the
existence of some of the routine uses. And they said, ``Well,
those are just our blanket routine uses; we always put them in
there. We agree with you they do not make sense for this
particular program, but those are the ones we always use.''
So then they went back and they changed their blanket
exemptions because of our concerns based on that. But most
agencies have not done that. As I mentioned in my testimony,
the Department of Defense has 16 routine uses that they use for
every collection of information. Obviously, not every
collection is used in exactly the same way 16 times. It makes
sense to look at how that particular program is being used and
say this is how we plan on sharing it. If we want to do
something different, we have to put out another System of
Records Notice. We have to make a commitment to the American
people that we are going to let them know what this system does
and how we are going to use that; and if we change that, we
have to let them know how we are changing it.
Mr. Teufel. So what I would reiterate is that we do not at
the Department of Homeland Security have blanket routine uses.
For every System of Records Notice, we think about each and
every routine use individually. Do we need this routine use in
this particular System of Records Notice? So we are very
thoughtful or we seek to be very thoughtful in terms of what we
include in a System of Records Notice.
With respect to law enforcement and intelligence
exemptions, I can think of a number of occasions when I have
had a number of senior staff in my office, and we have gotten
out our Department of Justice Privacy Act guide and gone
through and looked at the case law and discussed what the
meaning is of the particular exemptions and how they apply and
whether they apply in a given System of Records Notice. And so
I can tell you with respect to my agency--I cannot speak to
others--that we seek to be very thoughtful in the use of those
exemptions and to make sure that they are appropriate for a
particular system.
Senator Akaka. Thank you. I have been concerned about the
impact of data mining on the protection of personal information
in the Federal Government for a number of years. This includes
the use of commercial data for data mining. Could each of you
discuss how the Privacy Act could be amended to cover data
mining and the use of commercial data? Ms. Koontz.
Ms. Koontz. I think one thing that could be done is to
expand the protections of the Privacy Act to all personally
identifiable information regardless of whether it is retrieved
by a personal identifier or maintained in some other kind of
way. We actually have done a number of studies about data
mining and seen how much it has increased in recent years, as
well as other analytical initiatives. And it is true that the
Privacy Act does not currently always cover data-mining kinds
of initiatives, but this is one way that it could.
As far as information resellers, one of the reasons that it
is not always covered by the Privacy Act is that the Act says
that the government has to maintain the information. So it
means if someone merely pings a database or looks at a database
but does not retrieve the information and maintain it, the
protections of the Privacy Act will not apply in that case.
Some language along the lines of ``systematic use,''
focusing on use rather than maintenance of the information,
might be an appropriate way to treat that reseller information.
Mr. Schwartz. First, I would like to strongly agree with
everything that Ms. Koontz just said, and those are two
excellent points. The first one that she made on the
information and identifiability of information I think is a key
one. The way that the Privacy Act was written, the question was
whether information is actually being retrieved by name, by
Social Security number, by a specific identifier. In data
mining, you are not doing that. You could have a database that
has 200 times more personal information than what is
considered a System of Records today, where you are searching
on someone's actual Social Security number, and use this new
database for data mining where you are searching not on the
person's name, not on the person's Social Security number, but
for attributes about them. Then that pulls out names and
information, and that would not be considered a Privacy Act
System of Records today or covered under the Privacy Act.
It gets very confusing, but the basic problem is that we
set up this system, this law, with the idea of what a database
in the 1970s looked like, where you would search for a
particular identifier or a particular person's name. We do not
do that today, and data mining is one key example where you do
not do that at all today, and the privacy sensitivity may
actually even be greater than in the kind of database that the
Privacy Act was written for, although clearly the goals of the
Privacy Act cover this. And I think some of the agencies have
taken that idea and said, we have to write Privacy Impact
Assessments for this kind of data; we should take a step
further and make sure that this is protected. But it is not
clear that is being done across the government, and we need to
make sure that is protected.
Mr. Swire. Can I just respond? This is the single place
where technology has changed the most since the 1970s. I think
this is echoing what we just heard. In the 1970s, you had
things in files retrieved by name. Today we have things called
``Search,'' and we can go through huge databases. And so
changing that is the core of how technology has been changed.
There are some ideas in the GAO report about ways to possibly
do it, but it is worth recognizing this is the one place where
the technology has really shifted and the law has not caught
up.
Senator Akaka. Mr. Teufel.
Mr. Teufel. A couple of very quick things here. First, I
note that my office is holding a workshop on data mining. I do
not know if we have the Federal Register notice out yet, but I
think we have scheduled it for July 24 and July 25, and we will
be looking at coming up with best practices.
Second, the Homeland Security Act talks about data mining
and, if I am not mistaken, talks about the Department looking
at data mining and doing data mining.
The third thing is what is the definition of ``data
mining,'' and my office has issued a series of reports over the
years--I think in 2006, 2007, and 2008--and every year we have
a different definition to look at. So without getting into what
those definitions are, it is important to note that when we
talk about it, we need to have some common frame of reference.
And then, finally, with respect to information resellers,
our Data Privacy and Integrity Advisory Committee has issued
some reports on that. One of the things that has come out of
those reports has been that in our PIA guidance, we have made
some changes so that we ask the question, and then we publish
in our Privacy Impact Assessments whether information is being
used that comes from information resellers.
Senator Akaka. Thank you, Mr. Chairman.
Chairman Lieberman. Thanks, Senator Akaka. We will go now
to a second round of 6 minutes for Members who have questions.
One of the Fair Information Practices underlying the
Privacy Act is so-called ``data integrity,'' the importance of
ensuring that personal information the government collects is
accurate. When this is not the case, it obviously increases the
risk that individuals will be subject to unfair treatment, in
this case not only based on violation of privacy but on the
inaccuracy of the personal data.
I know that people who spend a lot of time in this field
have said that inaccurate and incomplete information, so-called
``dirty data,'' is a large problem in some government programs.
And, Ms. Koontz, I wanted to ask you first about that. Is it a
large problem? And is the government investing in technologies
to monitor and improve data quality? For instance, one of the
places we have heard it is on the so-called no-fly list, that
there is a lot of names there that may not be quite right.
Ms. Koontz. Obviously, data integrity, a big issue across
government and in the privacy area. The principle really talks
about the fact that the data has to be accurate enough for the
purpose for which it is used. So, again, it has to be tied to
that purpose. Accuracy for one purpose may not be enough for
another purpose. The no-fly list may need a higher level of
accuracy than other ones.
We did not do a compliance audit across government in order
to determine to what extent agencies were complying with these
various principles. I will say that when we did our report on
Privacy Act compliance a number of years ago at your request,
we did point out that while there was sort of mixed compliance
across the Federal Government, one area was data integrity that
needed improvement across 25 agencies that we looked at at that
point.
Chairman Lieberman. Mr. Teufel, what is your experience
with this in the Department of Homeland Security? Do we have a
dirty data problem in accurate information being collected?
Mr. Teufel. Well, I think government always can work on
improving the accuracy, relevance, timeliness, and completeness
of data that it has. So I do not think I can answer any way
other than we can always do a better job, and part of our
effort in looking at all of these legacy SORNs and revising
them is considering this very issue.
I also note that, as we discussed earlier with respect to
law enforcement and intelligence exemptions, there is an
exemption with respect to accuracy, relevance, timeliness, and
completeness when it comes to law enforcement and intelligence
information. And so while I am a Privacy Officer and not an
intel guy or not a law enforcement guy, I have to at least on
behalf of the agency mention this, that in those contexts you
cannot have necessarily accurate, timely, complete information
because you have sources and methods, some of whom or which you
cannot attest to the veracity of. You get information that
comes in, and you will have to assess it and determine its
credibility, but it may not be accurate, timely, or complete.
Chairman Lieberman. OK. Mr. Schwartz, and Mr. Swire, let me
get you both into this question of so-called dirty data. Is it
a significant problem, inaccurate information, personal
information being held by government agencies? And if it is,
are there any mechanisms that we should be putting into place
to try to clean up the data?
Mr. Swire. Yes, in our ID Divide report, we have about four
pages on dirty data problems, and the place that really hits
home is on matching programs. So, for instance, under the Help
America Vote Act, there is matching where you delete voter
rolls if you think there is not the right person signed up.
Under E-Verify for new hires, you can say somebody is not
eligible to work. And there have been very high levels of error
reported and we have detailed footnotes because of this dirty
data problem.
What you see is numbers like 3 percent, 5 percent, or 10
percent of all records have inaccuracies in them, depending on
which thing you look at. And if you then say you are not
eligible to vote, you are not eligible to get a job, you are
not eligible to get a driver's license at that 3- or 5-percent
level, that is a lot of people's lives that are getting hit.
And so dirty data directly affects people's lives if they
get turned down at the Department of Motor Vehicles (DMV) and
have to try to figure out how to get a driver's license. And so
that is where you really see it, and those are big numbers,
millions of people.
Chairman Lieberman. Those are big numbers. So how do we
deal with that? I mean, just at the beginning somebody input
the data inaccurately or did not have accurate information?
Mr. Swire. It is a long list of things that happen. You
type it in wrong, or somebody read the reader wrong. But also
you have nicknames--there are lists of ways. I think that you
need to have redress procedures. You need to have second ways
for people----
Chairman Lieberman. Give me a little more definition of
what a redress procedure is.
Mr. Swire. OK. Let's say I go to the DMV and they say you
cannot get a driver's license because your match is not right
with Social Security or something. There has to be some way for
me as a normal person, not having to hire a lawyer, to be able
to say, look, there is a mistake here, work with me on this. I
am an American citizen. I am supposed to be able to get a
driver's license. Social Security says I do not have a match.
And how those day-in, day-out procedures work when you get
the bureaucratic ``no'' is something I think we have not spent
enough time talking about. If we are going to be matching
databases and we know there are going to be errors, we have to
have ordinary ways for ordinary people to get it fixed.
Chairman Lieberman. I agree. Mr. Schwartz.
Mr. Schwartz. I agree that it is not going to be perfect,
and I think Mr. Teufel's points are well taken. However, I do
think that it is a widely acknowledged problem in the Federal
Government. I think pretty much any agency you speak to
directly, speak to their Chief Information Officers, and they
will say, yes, that this is a problem not just with my agency
but with every agency across government. And it is something
that we need to address.
The important piece here is, to get to the point that
Professor Swire was speaking about, that we do not think of
privacy as the barrier to getting to better data. There are a
lot of times where people talk about privacy as a bureaucracy
that is in place on top of putting these kinds of systems in
place. In this case, I think that privacy actually is helping
greater efficiency by making sure that you have the correct
data. By including people in the redress process and by coming
up with a redress process that works efficiently and
effectively, that is not adding bureaucracy to the system. That
is making sure that the information you have is correct and
works efficiently. So if we can get that kind of process in
place where we are correcting data, where we involve the data
subject, where possible, into that process, I think we are
going to end up with more efficiency down the road, although it
is going to take longer to clean up the data in the short term.
Chairman Lieberman. Mr. Teufel, do you want to add
something quickly?
Mr. Teufel. Please, if I may. Redress is an important
issue, the ability to find out what information government has
and then correct that information. And I note that at the
Department of Homeland Security there is DHS TRIP, Traveler
Redress Inquiry Program, which is a one-stop shop for people
affected by things that happen at DHS to write in and seek
redress. And it applies not just to U.S. citizens and legal
permanent residents, which is one of the restrictions of the
Privacy Act, but also applies to non-U.S. citizens.
Chairman Lieberman. This is all done on the Internet?
Mr. Teufel. Yes, it is.
Chairman Lieberman. And do you have any sense of how it is
going?
Mr. Teufel. It has been awhile since I have looked at the
figures, but from what I recall, it is very good.
Chairman Lieberman. Good. Thank you. Senator Collins.
Senator Collins. Thank you.
We have talked a lot this morning about potential changes
in the Privacy Act, the E-Government Act, and other laws. But
the Fair Information Practices, the principles in that, which
were developed in 1972, have proven very resilient because they
are not technology dependent. They are principles like
openness, transparency, and accountability.
I would like to ask all of you whether we should be
considering, in addition to changes in the Privacy Act, any
changes in the Fair Information Practices. And I will start
with Ms. Koontz.
Ms. Koontz. I think you said it already. The Fair
Information Practices have stood the test of time. The Privacy
Act is based on the Fair Information Practices. The laws in
many countries are based on Fair Information Practices, and
over time, we have used them frequently in our work as a
framework to look through to look at privacy protections. So I
would not suggest anything specific.
Senator Collins. Mr. Teufel.
Mr. Teufel. As Privacy Officers, we live and die by the
Fair Information Practices. So it is not making changes to
them. I think it is adhering rigorously to them.
Senator Collins. Mr. Schwartz.
Mr. Schwartz. I agree with that, but I think it is
important to note that the Fair Information Practices have
evolved over time. In the 1972 set, we had four listed, and now
I think when you talk to most people, it is between eight and
ten, depending on if you merged two together here or there. So
they have changed over time. Ideas like data minimization,
which was not in the original set, but is embedded in the
Privacy Act, is now a term that we use pretty regularly today
where you are getting rid of data. You are not collecting data
you do not need, and you are getting rid of it when you do not
need it anymore. That is one example where we have had a shift
over time.
But I think the basic Fair Information Practices still
exist today, and they were written into the Privacy Act, and I
think that is the structure of the Privacy Act that we need to
keep and make sure that we do not tinker with the Act so much
that we lose that structure.
Senator Collins. Professor Swire.
Mr. Swire. I agree with what was said, but there is one of
them that is under huge pressure--the idea of no secondary use,
that you just use the data for the reason you started with it,
and then you do not use it for 100 other purposes. That is
where the pressure is.
So within each agency, including the huge Homeland Security
Department, it can go around for other purposes, not just the
original purpose, and then these routine uses mean it can go
out of the agency to other agencies, and it can sort of be in a
free zone.
And so I think that is the hardest thing, is which uses are
OK and which ones are not. And it has been hard to figure out
how to build that into law.
Senator Collins. Thank you.
Mr. Teufel, Mr. Schwartz noted in his testimony that there
are times when the Privacy Impact Assessment is actually
completed after the project has been developed and approved
rather than being anticipated beforehand. Is this a problem at
DHS?
Mr. Teufel. To the extent it is, it is less and less of a
problem, and the reason for that is because of a couple of
things. One is the increase in component Privacy Officers. Last
year, I made a recommendation to Secretary Chertoff and he
agreed that we ought to have more component Privacy Officers,
and so in some of the operational components and department-level
components that did not have Privacy Officers, there are
now Privacy Officers. Immigration and Customs Enforcement (ICE)
and Citizenship and Immigration Services (CIS) come to mind.
TSA had a component Privacy Officer; still does. U.S. Visitor
and Immigrant Status Indicator Technology (US-VISIT) has one as
well.
So having folks on the ground out in the components makes a
difference because they can work these issues and are much
closer to the people at the programmatic level who are doing
things.
The other thing is that we have been able to--and I hate to
use the word--operationalize--just because I am not sure that
is a real word. But we have operationalized privacy throughout
the Department, so we have really infused ourselves into the
bureaucratic process. And I do not use that in a pejorative
way, but government is bureaucracy, and if you can get into the
bureaucracy, you can make it work for you from a privacy
perspective. And so we are doing better and better.
Now, there are always programs that pop up, and we hear
about them. One popped up earlier this week, and I was after
hours on the phone with senior officials from a component and
the General Counsel's Office--Where are we? What is going on?
And we will be able to get our work done before this program
goes live. But sometimes we have to be very quick on our feet
that we make sure that we do a thorough job but a timely job,
even though the component or the program folks have not told us
early enough on what they are up to.
Senator Collins. Thank you.
Chairman Lieberman. Thanks, Senator Collins.
Senator Akaka, next. And then we will conclude with Senator
Carper.
Senator Akaka. Thank you very much, Mr. Chairman.
Mr. Teufel, today GAO is releasing a report I requested
that reviews the responsibilities of senior agency Privacy
Officers across the government. According to the report, some
agencies like DHS have placed all of the responsibility under
one official while others have shared responsibility.
As the DHS Chief Privacy Officer, what do you believe are
the benefits of having one individual responsible for privacy
at an agency?
Mr. Teufel. Well, I think the benefits that Mr. Swire
mentioned earlier, that single point of contact, the person who
is responsible for privacy so that if there is a question or a
problem, the public, Congress, and people within the agency
know to whom to go for an answer, to get the situation
resolved, I think it is important, but I recognize that every
agency is different, and so some agencies may have less
involvement with personally identifiable information. For
others like DHS, a big part of the Department's success is
reliant on personally identifiable information. So you have to
have someone who is senior enough and who has access to the
right people to go in and say, hey, I think there is an issue
here, we need to talk about it.
And as I mentioned earlier in my opening remarks, at a lot
of agencies it makes sense to have someone who is more of a
technician than a policy person because the privacy issues may
not be that great at other agencies, and DHS is among them. You
have to have somebody who is involved with policy and somebody
who can go into the front office and component leadership
offices and talk about the issues and work out solutions.
Senator Akaka. You mentioned having a person at a senior
level. Where do you think this office should be set? At what
level of an agency?
Mr. Teufel. I think it could be any number of places, and I
think, whether it is an SES-level position or an executive
schedule-level position, whether it is a direct report to the
Secretary or perhaps somebody senior within the management or
the Administration bureau or directorate, as I mentioned
before, listening to Judge Baker, the important thing is that
you have that access and that people will listen to you, that
they have trust and confidence in you and that they will seek
out your advice and counsel.
Having said that, there is value to reporting directly to
the Secretary and Deputy Secretary.
Senator Akaka. Yes. The reason I asked that is several
years back, we wanted to bring about changes in accounting in
Defense, and we set up an office for that. Two years later, the
person that we were able to put there came to me and said, ``I
am resigning.'' And I asked, ``Why?'' He said, ``Because I
cannot make the changes that need to be made.'' He said, ``It
should be on a higher level.'' This tells me that a privacy
officer needs to be at a higher level to make a difference.
Mr. Teufel. I agree with you, Senator, and certainly when I
have talked to some of my colleagues at other departments,
senior career employees who are at the GS-15 level, I am not
sure that at every one of those departments they are able to
effectuate the policy changes that need to be made at those
agencies.
Senator Akaka. Thank you.
Ms. Koontz, I believe that it is extremely important for
the public to be aware of how the Federal agencies are using
their personal information. The GAO report suggests a layered
notice with a summary of the most important facts up front,
followed by a more detailed description. However, Privacy
Impact Assessments, if done correctly, can provide more
meaningful notice.
Could you elaborate how under your proposal Privacy Act
notices could be more easily understood by the public and how
they would interact with PIAs?
Ms. Koontz. Generally speaking, the problem with the public
notices right now is that they are difficult to understand,
they are treated as a legal compliance factor, and it may be
hard for the public to identify which ones are in force.
Publishing them in the Federal Register may not be the best way
to communicate with the public. I mean, it serves a purpose,
but I think in addition to publishing in the Federal Register,
we think that publishing them on the Internet and some kind of
centralized Web site, privacy.gov or something of the like,
would be a good step to help the public be able to identify
them. And then, second, I think the idea of layered notices
really lends itself to a Web-type of presentation because you
can provide an overall statement and then you can provide
details if people want to go deeper into the statement and
understand more about how the government is using information.
I agree that the Privacy Impact Assessments can be a useful
way of communicating with the public. If the agency has done a
good job talking about why they are collecting the information
and talking about the trade-offs, that can be an additional way
of communicating this to the public. My feeling is that privacy
is a lot about transparency, and having both means of
communications would still make sense.
Senator Akaka. Mr. Chairman, may I ask----
Chairman Lieberman. Please, go right ahead.
Senator Akaka. Mr. Swire, you mentioned in your testimony a
report you recently co-authored on identification in America. I
believe this report is timely considering the fact that DHS is
working to implement the REAL ID Act. As you may know, Senator
Sununu and I introduced S. 717 to repeal provisions of the REAL
ID Act and replace it with a negotiated rulemaking process that
incorporates States' views and provides privacy safeguards. And
you also know that some States have rejected the REAL ID Act
for these same reasons.
What are your views on S. 717, and the REAL ID Act, in
general?
Mr. Swire. Thank you, Senator. I support S. 717. I think it
is useful, just for a few sentences, to explain why. REAL ID,
as a process, never was debated in the Senate, never came
through the Committee process, etc. And I think as a statute,
there were things that would have been fixed, more stakeholders
could have been involved and all the rest, if it had a more
thorough process.
Going to the negotiated rulemaking means that the different
expert people, including the States, would be more deeply
involved, and I think that would create a framework for a
better long-term outcome.
Senator Akaka. Thank you. Mr. Chairman, if I may, a short
one.
Chairman Lieberman. Sure.
Senator Akaka. Mr. Schwartz, I understand that you are also
a member of the Information Security and Privacy Advisory
Board, which is working with the DHS Data Privacy and Integrity
Advisory Committee to develop recommendations for revisions to
the Privacy Act. And that is what we are trying to get at here.
Can you tell me the status of this joint effort and whether
other changes to the Privacy Act are being considered outside
of those listed in your testimony?
Mr. Schwartz. Thank you, Senator Akaka. I actually just
joined the Board at the last meeting, which was the beginning
of this month, but there was a status update on that, and there
was a discussion. It is a joint group that is working with the
DHS Advisory Committee as well, and my understanding is that it
is in its final phases now, and they are expecting to publish
something sometime this year if they can work out some of the
details together.
I think that many of the changes discussed are similar to
the things in the GAO report from what I was told. I have not
seen the latest draft, though, so I cannot fully comment on if
there is anything broader than that. Because I just came to the
Board, I am not on that Subcommittee at this point. So I will
try to get a report back to you from the chairman of the
committee sometime in the next couple of days.
Senator Akaka. Thank you very much, Mr. Chairman.
Chairman Lieberman. Thanks, Senator Akaka. Senator Carper,
I do want to put you on notice that in introducing Professor
Swire and mentioning his university affiliation----
Senator Carper. What affiliation is that? [Laughter.]
Senator Collins. You are just proving what the Chairman
said would happen. [Laughter.]
Chairman Lieberman. It is all yours.
Senator Carper. Ohio State University.
Chairman Lieberman. That is it.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. I apologize to our panelists, but I was
just over on the Senate floor with another graduate of Ohio
State, a law school graduate, Senator Voinovich. And I
shepherded with the support of, among others, Senator Lieberman
and Senator Collins legislation to help reduce the emission of
particulates from diesel engines. There are about 11 million of
them on the roads. Bad stuff. They create a lot of bad health
for us. And we appreciate the support of our colleagues in
getting the legislation done, and on to the President to sign
into law.
Professor Swire, he told me that you were here, and he
said, ``In the French Quarter of Columbus, we pronounce his
name `Swi-ray.''' And so I said, ``Well, you call him what you
want. We will call him Swire at the hearing.'' [Laughter.]
But we are glad that you are here, and thank you all for
coming.
I have a statement I would like to share and then maybe a
question or two, if I could. When I come in late at a hearing
like this and I have missed your testimony, what I am going to
ask you to do is just share with me and with my colleagues the
common ground that you see here, sort of the takeaways,
evolving from the discussion and from the questioning that
occurred. So just be thinking about that, if you will.
Mr. Chairman, thanks very much for holding this hearing.
And I want to say to Senator Akaka, thank you very much for
your leadership in bringing us here as well. And sometimes it
seems that almost every week another agency is compromised by
suspected hackers or a laptop is lost or stolen by current or
former employees. And all too often, these events put at risk
millions of Americans' sensitive information, names, birth
dates, Social Security numbers, and health information
included.
In fact, my staff tells me that there are criminal elements
in this world that have massive inventories of bank numbers,
Social Security numbers, and other personally identifiable
information that are sold to the highest bidder. Some of these
criminals have been caught--not enough--but largely these
criminal groups remain immune to our laws here in the United
States. And a lot of them operate outside of the United States,
as you know.
That is why agencies need to ensure that sensitive
information is protected during its collection, during its
transmission, and throughout its storage. Placed in the wrong
hands, this information can leave an individual vulnerable to
identity theft, which we suffered in our own family, or to
worse.
That is one of the reasons I chaired a hearing of the
Subcommittee on Federal Financial Management, Government
Information, Federal Services, and International Security on
March 12, 2008. And we looked into the Federal Information
Security Management Act. What I found there surprised me. Many
times agencies do not even know what information they hold.
They do not know where the information is stored. They do not
know who has the access and whether that information has been
compromised.
Our Federal Government stores some of our Nation's most
sensitive economic, corporate, and military secrets. It is
imperative that agencies find a better way to protect not just
an individual's identity but as much of that sensitive
information as we possibly can.
However, I feel the American public is slowly but surely
losing faith in our government's ability to protect its
sensitive information. That is why I have asked my staff to
work hard with some of our colleagues on this Committee on
reforming this critical information security law. And I look
forward to working with our Chairman and with my other
colleagues on this Committee on this legislation to protect our
Nation's most sensitive information.
With that having been said, and earlier having telegraphed
my pitch, we will just ask maybe Professor Swire to lead off.
Please summarize what you see as common ground and lessons for
us to take away from this hearing. Thank you. Again, welcome.
Mr. Swire. Oh, thank you very kindly. Go Buckeyes.
I think in terms of common ground, one thing I heard is
that the definition of ``Systems of Records,'' the definition
in the Privacy Act of what is covered, leaves out a lot of data
mining. That is a technological change from the 1970s. And how
to create a legal structure around that, I do not think we have
any answer to necessarily. There is going to be a workshop
coming up on that. But the idea that we do not retrieve records
one at a time now the way we did 35 years ago and we need to
come up with a new set of ways to deal with that, I think that
is a strong theme I heard today from pretty much everyone.
Senator Carper. Thank you, sir. Mr. Schwartz.
Mr. Schwartz. Well, I will pick one item out from, I think,
a number of things that the four of us probably agreed on. But
I think that there was a discussion about changes to encourage
leadership in privacy across agencies, and there are a number
of ways to do that, particularly through making sure that we
have high-level appointees within the agencies and probably
within OMB as well. But I think that certainly there was
agreement that it has to be a high-level staff on privacy that
can take accountability.
Senator Carper. Thanks very much.
Mr. Teufel. So my answer to you, sir, would be
transparency. It is key to the privacy framework in the public
sector in the United States, and Chairman Lieberman had
mentioned the European approach. And there are many things the
Europeans do well, but transparency is not something, I think,
the Europeans do as well as we can and often do in the United
States. The goal is for the public to have trust and confidence
in what its government is doing.
The other thing that one gets through transparency is that
it allows the public to make informed decisions that they then
can let you, the elected representatives of the country, know
about those views. And so I would stop with that.
Senator Collins, I did want to mention, thanks to the magic
of the BlackBerry, Peter Pietra, the component Privacy Officer,
tells me that Clear is one of the many providers under the
Registered Traveler Program, and there is a PIA out on the
Registered Traveler Program, and the data is encrypted.
Senator Collins. Thank you.
Senator Carper. We could not have done that 34 years ago,
could we? [Laughter.]
Pretty amazing. Thank you. Actually, information like that
sort of makes my colleagues and I joyful, which rhymes with
your name ``Teufel.'' [Laughter.]
Mr. Teufel. Thank you, Senator. I have never heard that
before. Thank you.
Chairman Lieberman. That was the proper response to a
Senator. Very well done. [Laughter.]
Senator Carper. Ms. Koontz.
Ms. Koontz. I think we agree that the System of Records
concept in the Privacy Act is outmoded. It is not consistent
with current uses of information or the technology that we are
employing. We would like to see the protections of the Privacy
Act expanded to all personally identifiable information,
regardless of how it is held.
I think another point is that we would like to see
personally identifiable information, its use and collection,
limited to a specified purpose.
And, finally, I agree with the point on transparency. We
need to promote transparency, and we need to improve the public
notices in a number of ways that serve as a vehicle for us to
inform the public about what the Federal Government is doing
with personally identifiable information.
Senator Carper. I thank you all. We thank you for being
here. We thank you for your testimony. And thank you for
allowing me to look for some common ground and some takeaways
that should serve us well in the future.
Mr. Chairman, much obliged.
Chairman Lieberman. Thank you very much, Senator Carper.
Actually, your question was a great one to conclude the hearing
on, and it illuminates what struck me. Senator Collins and I
were talking about it. As I listened to the testimony, you have
all been very helpful, and what is also true and significant,
and not always the case when we bring together a group of
people from different perspectives on a common issue, is that
there is quite a consensus among you about what needs to be
done.
So you have helped us enormously this morning, and I think
now we want to consider what we can do and perhaps in a short
time frame--which, unfortunately, is the case with this session
of Congress--whether there is some common ground proposal that
we can come forward with that will not stir up the kind of
controversy that will block it from being passed or whether we
want to wait until the next session and do something more
comprehensive.
But there is no question, in my mind, anyway, as I listen
to the testimony or read the GAO reports, that the Privacy Act
of 1974 is just not up to the realities of 2008 in the age of
information.
Senator Collins, did you want to add anything in
conclusion?
Senator Collins. Thank you. I just want to thank our
witnesses. This was an excellent panel, and I very much
appreciate your leadership, Mr. Chairman. Thank you.
Chairman Lieberman. Thanks, Senator Collins.
We will keep the record of the hearing open for 15 days in
case any of you want to add to your testimony, any answers you
may not have received already over your BlackBerrys and shared
with the Committee, or in case Members of the Committee who
have not been here, or even those who have, have additional
questions for you.
But, with that, I thank you very much. The hearing is
adjourned.
[Whereupon, at 11:57 a.m., the Committee was adjourned.]
A P P E N D I X
----------