[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]


 
                  ONLINE PRIVACY, SOCIAL NETWORKING, 
                        AND CRIME VICTIMIZATION

=======================================================================

                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON CRIME, TERRORISM,
                         AND HOMELAND SECURITY

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED ELEVENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 28, 2010

                               __________

                           Serial No. 111-144

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
57-673                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  

                       COMMITTEE ON THE JUDICIARY

                 JOHN CONYERS, Jr., Michigan, Chairman
HOWARD L. BERMAN, California         LAMAR SMITH, Texas
RICK BOUCHER, Virginia               F. JAMES SENSENBRENNER, Jr., 
JERROLD NADLER, New York                 Wisconsin
ROBERT C. ``BOBBY'' SCOTT, Virginia  HOWARD COBLE, North Carolina
MELVIN L. WATT, North Carolina       ELTON GALLEGLY, California
ZOE LOFGREN, California              BOB GOODLATTE, Virginia
SHEILA JACKSON LEE, Texas            DANIEL E. LUNGREN, California
MAXINE WATERS, California            DARRELL E. ISSA, California
WILLIAM D. DELAHUNT, Massachusetts   J. RANDY FORBES, Virginia
STEVE COHEN, Tennessee               STEVE KING, Iowa
HENRY C. ``HANK'' JOHNSON, Jr.,      TRENT FRANKS, Arizona
  Georgia                            LOUIE GOHMERT, Texas
PEDRO PIERLUISI, Puerto Rico         JIM JORDAN, Ohio
MIKE QUIGLEY, Illinois               TED POE, Texas
JUDY CHU, California                 JASON CHAFFETZ, Utah
TED DEUTCH, Florida                  TOM ROONEY, Florida
LUIS V. GUTIERREZ, Illinois          GREGG HARPER, Mississippi
TAMMY BALDWIN, Wisconsin
CHARLES A. GONZALEZ, Texas
ANTHONY D. WEINER, New York
ADAM B. SCHIFF, California
LINDA T. SANCHEZ, California
DANIEL MAFFEI, New York
JARED POLIS, Colorado

            Perry Apelbaum, Staff Director and Chief Counsel
      Sean McLaughlin, Minority Chief of Staff and General Counsel
                                 ------                                

        Subcommittee on Crime, Terrorism, and Homeland Security

             ROBERT C. ``BOBBY'' SCOTT, Virginia, Chairman

PEDRO PIERLUISI, Puerto Rico         LOUIE GOHMERT, Texas
JERROLD NADLER, New York             TED POE, Texas
ZOE LOFGREN, California              BOB GOODLATTE, Virginia
SHEILA JACKSON LEE, Texas            DANIEL E. LUNGREN, California
MAXINE WATERS, California            J. RANDY FORBES, Virginia
STEVE COHEN, Tennessee               TOM ROONEY, Florida
ANTHONY D. WEINER, New York
MIKE QUIGLEY, Illinois
TED DEUTCH, Florida

                      Bobby Vassar, Chief Counsel

                    Caroline Lynch, Minority Counsel


                            C O N T E N T S

                              ----------                              

                             JULY 28, 2010

                                                                   Page

                           OPENING STATEMENTS

The Honorable Robert C. ``Bobby'' Scott, a Representative in 
  Congress from the State of Virginia, and Chairman, Subcommittee 
  on Crime, Terrorism, and Homeland Security.....................     1
The Honorable Louie Gohmert, a Representative in Congress from 
  the State of Texas, and Ranking Member, Subcommittee on Crime, 
  Terrorism, and Homeland Security...............................     2
The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Member, Subcommittee on Crime, 
  Terrorism, and Homeland Security...............................     4

                               WITNESSES

Mr. Gordon M. Snow, Assistant Director, Federal Bureau of 
  Investigation, United States Department of Justice, Washington, 
  DC
  Oral Testimony.................................................     5
  Prepared Statement.............................................     8
Mr. Michael P. Merritt, Assistant Director, United States Secret 
  Service, United States Department of Homeland Security, 
  Washington, DC
  Oral Testimony.................................................    13
  Prepared Statement.............................................    15
Mr. Joe Sullivan, Chief Security Officer (CSO), Facebook, Inc., 
  Palo Alto, CA
  Oral Testimony.................................................    23
  Prepared Statement.............................................    26
Mr. Marc Rotenberg, Executive Director, Electronic Privacy 
  Information Center (EPIC), Washington, DC
  Oral Testimony.................................................    40
  Prepared Statement.............................................    42
Mr. Joe Pasqua, Vice President for Research, Symantec, Inc., 
  Washington, DC
  Oral Testimony.................................................    54
  Prepared Statement.............................................    56

                                APPENDIX

Material Submitted for the Hearing Record........................    77


                  ONLINE PRIVACY, SOCIAL NETWORKING, 
                        AND CRIME VICTIMIZATION

                              ----------                              


                        WEDNESDAY, JULY 28, 2010

              House of Representatives,    
              Subcommittee on Crime, Terrorism,    
                              and Homeland Security
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 2:19 p.m., in 
room 2141, Rayburn House Office Building, the Honorable Robert 
C. ``Bobby'' Scott (Chairman of the Subcommittee) presiding.
    Present: Representatives Scott, Lofgren, Quigley, Deutch, 
Gohmert, Goodlatte, and Lungren.
    Staff present: (Majority) Bobby Vassar, Subcommittee Chief 
Counsel; Jesselyn McCurdy, Counsel; Ron LeGrand, Counsel; Joe 
Graupensperger, Counsel; Liliana Coronado, (Fellow) Federal 
Public Defender's Office Detailee; Veronica Eligan, 
Professional Staff Member; (Minority) Caroline Lynch, Counsel; 
Kimani Little, Counsel; Art Baker, FBI Detailee; and Kelsey 
Whitlock, Legislative Assistant.
    Mr. Scott. Subcommittee will now come to order. And I want 
to apologize for starting late. We had a Judiciary Committee 
bill on the floor, and the rules prohibit us having a bill on 
the floor and meeting at the same time, so I am glad that that 
bill didn't take very long.
    I am pleased to welcome you today to this hearing before 
the Subcommittee on Crime, Terrorism and Homeland Security 
about Internet Privacy, Social Networking and Crime 
Victimization.
    The Internet presents individuals, in their personal and 
professional capacities, numerous opportunities to share 
personal information. Some of the information disclosed by 
individuals is done so incidental to the use of the Internet.
    So for example, in order to use various online accounts for 
services such as e-mail, shopping and messaging, consumers also 
must establish passwords, reveal credit card numbers, and 
divulge other personally identifiable information.
    In other circumstances, the sharing of information is 
central to a particular use of the Internet. For example, some 
Internet users actively share information, much of it extremely 
personal, through social networking sites.
    Both categories of information present unique privacy 
challenges. This hearing will examine these issues and risks of 
criminal victimization.
    Of course, we know that criminals are constantly devising 
new ways to infect the computers of Internet users with various 
types of malware. Much of this malware is intended to capture 
the private information of individuals and report it back to 
the criminal to be used in the next step to the scheme, often 
involving some form of identity theft.
    We have Federal and state laws prohibiting this type of 
crime, but it is important that consumers know what they can do 
to protect themselves and that we demand that the Internet 
companies take appropriate steps to ensure the security of this 
information.
    This is part of what we will focus on today, but we also 
want to pay particular attention to the special risk to 
victimizations based on participation in social networking.
    Based on the widespread popularity of social networking 
sites, such as Facebook, there is no doubt that these sites 
provide an enjoyable and unique experience to their users. 
Those who use these sites are able to share information with 
their friends, find old friends, and establish new friendships. 
And in so doing, they share and broadcast some of the most 
sensitive and intimate details of their lives.
    Unfortunately, there are those who seek out and exploit the 
details to perpetrate criminal acts. For example, personal 
details shared on these sites may allow criminals to guess a 
user's forgotten password clues for various online accounts.
    Burglars have targeted people's homes based on information 
found on Facebook pages that the resident is on vacation and 
not at home. And based on fears about possible victimization of 
young people by Internet predators, Facebook has agreed to 
install a panic button on user pages hosted on its U.K. Web 
site so suspicious behavior can be reported to the authorities 
immediately.
    One scheme that has proliferated involves hijacking of a 
Facebooker's user's account by a criminal who sends a financial 
distress call to the user's friends on that Facebook page, 
asking them to wire money to an account which is, unbeknownst 
to them, actually that of the criminal.
    To discuss all these types of issues, we have a panel of 
witnesses representing a broad spectrum of experience and 
various Internet privacy issues from perspectives of law 
enforcement, industry, and privacy advocacy.
    Before we proceed with their testimony, it is my pleasure 
to recognize the Ranking Member of the Subcommittee, my 
colleague from Texas, Judge Gohmert.
    Mr. Gohmert. Thank you, Mr. Chairman. I do appreciate you 
holding this hearing on a very important topic, privacy, social 
networking and crime victimization have become competing 
interests as the Internet continues to revolutionize the way we 
conduct commerce, seek employment, keep up with family and 
friends, make new friends, and communicate in general.
    The Internet's impact on communication and on society is 
often compared to the impact that the invention of the printing 
press had on the literary market. We are in the midst of a 
technology evolution like never seen before.
    Every year, or even more frequently, there is some new 
gadget that is faster and smaller than its predecessor, or 
capable of doing something that was never thought possible. 
This has certainly been true in all aspects of personal 
computing and the development and access to the Internet.
    The Internet has not only facilitated communication, but 
other aspects of everyday life, as well. We no longer have to 
go to the post office to pay a bill. We can buy books, food, 
furniture, just about every other thing without going to a 
store. We can now look for a new home or a new car at any hour 
of the day simply by logging on.
    Unfortunately, with these benefits and conveniences come 
new ways to commit crimes and new ways to exploit our personal 
information. The conveniences generally seem to outweigh the 
risk. But by educating ourselves about the potential risk and 
vulnerabilities created by these conveniences, Internet users 
can help prevent the spread of identity theft and other crimes 
on the Web.
    Identity thieves who hack into your personal computer or a 
merchant computer, steal your personal information, have 
received considerable attention by the media and Congress. 
People have become aware of identity theft, interchanging their 
habits to prevent becoming a victim.
    You don't have to look any further than the popularity of 
personal shredding machines to realize that habits do often 
change when there is awareness of the risk.
    But there are new schemes and new variations of old schemes 
employed by criminals to defeat the security measures and 
actions taken by a concerned public. For instance, within the 
last few months, staff of this Committee received e-mails 
supposedly from a former staffer asking that money be wired 
immediately to a certain account as a sender claimed to be the 
victim of a robbery while touring London.
    When the sender could not answer basic questions, the 
communications stopped. Later, it was learned the former 
staffer's Internet address book had been compromised, and 
everyone in it received the same plea for help. This scam has 
also apparently been attempted using social networking sites.
    The dramatic increase in the popularity of social 
networking sites has perhaps overshadowed some of the risk of 
sharing too much information in those forums. Unlike the 
sensitive but relatively limited information needed to make an 
online purchase, these social networking sites provide the 
opportunity and the temptation to incrementally put more and 
more personal information into cyberspace.
    Most users who have no real sense of who can see this 
information, or what can be done with it or what steps can be 
taken to prevent it from being exploited, and all of this 
information is a potential treasure trove for identity thieves 
and for the facilitation of other crimes. Some in the 
information industry refer to personal information as ``The new 
currency of crime.''
    According to a recent national survey of 2,000 online 
households conducted by the Consumer Reports National Research 
Center, two out of three online U.S. households use social 
networks, nearly twice as many as a year ago. But millions who 
use these services put themselves and their families at risk by 
exposing very sensitive personal information. If a picture is 
really worth 1,000 words, some of the visuals that are posted 
on these sites say way too much, and in all likelihood can 
assist a predator in choosing their prey.
    Again, I want to thank the Chairman for holding this 
hearing. I firmly believe that making the public aware of some 
of the new dangers associated with the ever-expanding Internet 
is an important tool for Internet users, particularly teenagers 
and children, to protect themselves.
    This is particularly true here in Congress, where we have 
software and hardware that is so secure that only we and the 
Chinese have access to all our secrets.
    With that, I yield back, and thank you for the time, 
Chairman.
    Mr. Scott. Thank you. And we have one panel of witnesses 
with us. Excuse me, does the gentleman from Virginia have a 
comment?
    Mr. Goodlatte. Just briefly, Mr. Chairman, I want to thank 
you for holding this hearing. As the co-chairman of the 
bipartisan Congressional Internet Caucus and chairman of the 
House Republican High-Tech Working Group, this is a very, very 
important discussion about how to prevent crime and keep people 
safe on the Internet.
    It is a rapidly evolving technology, and we have got to 
make sure that the Internet does not become the wild, Wild West 
of the 21st century. But there are a lot of exciting new 
developments going on not only to make new services available 
to people, but also to empower them to, in many ways, get a 
better handle on controlling their access to the Internet in 
terms of the information that they provide and that they can 
determine how to provide it.
    In addition, social networking technologies like Facebook--
and Facebook, quite frankly, has been a leader in this regard--
have done a great service to the Internet by making greater 
transparency for the people who are legitimately and honestly 
using the Internet. If you go on a technology like Facebook, 
you have got to disclose who you are, and therefore you can 
see, as you participate, who you are and decide for yourself 
who you want to share that information with.
    But it also is a move away from people thinking that they 
can anonymously undertake activities on the Internet to perform 
various types of criminal activities. The more we promote that 
type of activity, the fact that you identify yourself and who 
you are, and you decide for yourself what information you are 
going to share, I think the greater progress we will make in 
being able to crack down on the people who want to think that 
they are operating in the shadows of the Internet and 
conducting crime.
    Now, there are lots that people have to learn about that as 
they do it so that they can understand how they best can 
protect themselves, and the technologies need to evolve further 
to root out people who would conduct criminal activity on the 
Internet.
    But I think that is what we should be learning about today 
and encouraging today so that the Internet can continue to grow 
and continue to be the educational tool, the tool for commerce, 
the tool for entertainment that it has become and is enjoyed by 
hundreds of millions of Americans and billions of people around 
the world. So I look forward to hearing from our witnesses 
today.
    Thank you, Mr. Chairman.
    Mr. Scott. Thank you. And I would like to thank you for 
your hard work on a lot of the technology issues that many of 
us have trouble understanding. You and our other colleague from 
Virginia, Mr. Boucher, have done a lot of work in a bipartisan 
way in cooperation, which is very helpful to the Committee. So 
we want to thank you for your leadership.
    Our first witness today will be Gordon Snow, who is 
assistant director of FBI's cyber division. He has had a 
distinguished career with the FBI, including positions as a 
section chief in cyber national security section and the 
director, the National Cyber Investigative Joint Task Force.
    Our second witness will be Michael Merritt, who is 
assistant director of the Secret Service's Office of 
Investigations. He oversees the Secret Service's criminal 
investigations, including those of electronic and financial 
crimes.
    Our third witness will be Joe Sullivan, who is the chief 
security officer for Facebook. He is a former assistant U.S. 
attorney and has the daily responsibility for overseeing 
Facebook's security policies.
    Our fourth witness will be Mark Rotenberg, who is the 
executive director of the Electronic Privacy Information 
Center. His organization is one of the leading advocates of 
online privacy rights and has taken a special interest in these 
interests as they relate to social networking.
    Our fifth and final witness will be Joe Pasqua, who is the 
vice president of research for Symantec Corporation. He has led 
the efforts in that corporation in areas such as online safety, 
reputation-based security and data protection.
    Each of our witnesses' written statements will be entered 
into the record in its entirety. We ask our witnesses to 
summarize his or her testimony in 5 minutes or less. And to 
help stay within the time, there is a timing device at the 
table which will begin green, and when 1 minute is left, it 
will turn to yellow, and turn red when 5 minutes have expired.
    Also want to recognize our colleague from Florida, Mr. 
Deutch. Did you have a comment? Okay. Thank you very much.
    So we will begin with Assistant Director Snow.

TESTIMONY OF GORDON M. SNOW, ASSISTANT DIRECTOR, FEDERAL BUREAU 
    OF INVESTIGATION, UNITED STATES DEPARTMENT OF JUSTICE, 
                         WASHINGTON, DC

    Mr. Snow. Good afternoon, Chairman Scott, Ranking Member 
Gohmert and Members of the Subcommittee. I appreciate the 
opportunity to testify before you today regarding the FBI's 
efforts to combat cybercrime as it relates to social networking 
sites.
    Regardless of which social networking is used, online----
    Mr. Scott. Mr. Snow, could you bring your mic a little 
closer to you?
    Mr. Snow. Regardless of which social networking site is 
used, online users continue to be fooled by persons claiming to 
be somebody else. Individuals can misrepresent everything about 
themselves while they communicate online, their names and 
business affiliations, and also their gender, age and location, 
identifiers that are far more difficult to fake in person.
    Years ago, we called these type of people ``confidence 
men,'' or con men. Today, we refer to them as being engaged in 
social engineering.
    There are a variety of Internet fraud schemes being used by 
cyber criminals at any given time. By way of example, a recent 
fraud scheme involves a cyber criminal gaining access to an 
unsuspecting users' e-mail account or social networking 
account, claiming to be the account holder and sending messages 
to many of the users' friends.
    In the message, the con man states that he is on travel and 
has been robbed of his credit cards, passport, money and cell 
phone. He also states the need for money is immediate. Without 
realizing the message is from a criminal, the victims of the 
fraud account holder contacts often wires money to an overseas 
account without validating the claim.
    Another tool used by criminals to exploit social networking 
sites is a technique called phishing. Phishing schemes attempt 
to make Internet users believe that they are receiving messages 
from a trusted source.
    Phishing attacks on members come in various formats, 
including messages within the social networking site, either 
from strangers or from compromised friends' accounts, links or 
videos within a social networking profile leading to something 
harmful, or e-mails sent to users claiming to be from the 
social network site itself.
    Users fall victim to the schemes due to higher level of 
trust typically displayed while using social networking sites. 
Users often accept into their private sites people they do not 
actually know, or they sometimes fail to set privacy settings 
on their profile which might help avoid these attacks.
    Cyber-thieves also used data mining techniques on social 
networking sites to extract sensitive information about the 
victims. For example, a ``Getting To Know You'' quiz sent to a 
large list of social networking site users, while not appearing 
malicious, may mimic the same questions that are asked by 
financial institutions or e-mail account providers when the 
individual has forgotten their password. An e-mail address in 
the answer to the quiz questions can provide the cyber-criminal 
with the tools to enter your bank account, your e-mail account 
or credit card in order to transfer money or siphon off your 
savings and investments.
    The potential for considerable profits in this realm is 
enticing young criminals and resulted in the creation of a 
large economy known as the cyber-underground. The underground 
is governed by rules and logic that closely mimic those of the 
legitimate business world, including a unique language, a set 
of expectations about its members' conduct, and a system of 
stratification based on knowledge and skill, activities and 
reputation.
    Beyond cyber-crime, valuable national security information 
can also be inadvertently exposed by military or government 
personnel via their social networking site profile. In a 
recently publicized case, an individual created a fake profile 
on multiple social networking sites posing as an attractive 
female intelligence analyst and extended friend requests to 
government contractors, military and other government 
personnel. Many of the friend requests were accepted. According 
to press accounts, the deception provided its creator with 
access to a fair amount of sensitive data, including a picture 
from a soldier taken on patrol in Afghanistan that contained 
embedded data identifying his exact location.
    Mr. Chairman, the Department of Justice and the FBI, in 
collaboration with our inter-agency partners, have been working 
closely with the new cyber-security office at the White House 
to address the President's national efforts to investigate and 
prosecute cyber-crime. To this end, we have established cyber-
squads in each of our 56 field offices around the country, with 
more than 1,000 specially trained agents, analysts and digital 
forensic experts.
    Still, we cannot combat this threat alone. Some of the best 
tools in the FBI's arsenal are our longstanding partnerships 
with federal, state, local and international law enforcement 
agencies, as well as with private sector and academia.
    These relationships include our partnerships with the 
National White Collar Crime Center at the Internet Crime 
Complaint Center, the National Cyber Forensic and Training 
Alliance, and the InfraGard program. We also partner with the 
Information Sharing and Analysis Centers and the National 
Center for the Missing and Exploited Children.
    Chairman Scott, Ranking Member Gohmert and Members of the 
Subcommittee, in the interest of time today, I have touched 
upon some of the more pervasive methods of criminal activity 
via social networking. I would be more than happy to further 
expand upon any of these issues during questioning, and I 
appreciate the opportunity to come before you today and share 
the work with FBI is doing to address the threat posed by 
cyber-criminals in this country and around the world.
    [The prepared statement of Mr. Snow follows:]

                  Prepared Statement of Gordon M. Snow












                               __________
    Mr. Scott. Thank you, Mr. Snow.
    We have been joined by the gentlelady from California, Ms. 
Lofgren, who has taken a strong interest in this issue, and 
thank you for coming.
    Mr. Merritt?

  TESTIMONY OF MICHAEL P. MERRITT, ASSISTANT DIRECTOR, UNITED 
  STATES SECRET SERVICE, UNITED STATES DEPARTMENT OF HOMELAND 
                    SECURITY, WASHINGTON, DC

    Mr. Merritt. Good afternoon, Chairman Scott, Ranking Member 
Gohmert and other distinguished Members of the Committee. Thank 
you for the opportunity to testify on the Secret Service's role 
investigating cyber and computer-related crimes.
    As the original guardian of the Nation's financial 
infrastructure, the Secret Service has a long, distinguished 
history of protecting American consumers and financial 
institutions from fraud. Over the last 145 years, our criminal 
investigators have confronted all types of financial fraud, 
from paper to plastic to computer-based attacks targeting our 
financial payment schemes.
    In recent years, our investigations have revealed a 
significant increase in the quantity and complexity of cyber 
cases involving various computer networks in the United States. 
Broader access to advanced computer technologies and the 
widespread use of the Internet have fostered the growth of 
transnational cyber criminals, which has resulted in a marked 
increase in computer-related crimes targeting our Nation's 
financial infrastructure.
    Current trends show an increase in network intrusions, 
hacking attacks, malicious software, and account takeovers, 
resulting in data breaches affecting every sector of the 
American economy. In addition, social networking sites have 
become prime targets for cyber-criminals to expand their 
prospects for facilitating malicious or fraudulent activity.
    As documented in the 2010 Secret Service Verizon data 
breach investigative report, the use of social engineering 
tactics to obtain personally identifiable information has 
increased. While cyber-criminals operate anonymously in a world 
without borders, the law enforcement community is limited by 
jurisdictional boundaries. Thus, the international scope of 
these cyber-crime cases has increased the time and resources 
required for successful investigation and adjudication.
    In addition, the level of collaboration among these 
transnational cyber-criminals has raised the complexity of 
these cases and the potential for greater harm.
    To address the emerging threats posed by these 
transnational groups, the Secret Service has adopted a 
multifaceted approach to investigating these crimes while 
working to prevent future attacks. A central component of our 
approach is the training provided through our electronic crime 
special agent program. Today, roughly 1,300, or more than half 
of our field office special agents, have received training in 
forensic identification and the preservation and retrieval of 
electronically stored evidence.
    In addition, since 2008, the Secret Service, through the 
National Computer Forensics Institute, has provided computer 
forensics training to 836 state and local law enforcement 
officials representing over 300 agencies from all 50 states and 
two territories. As cyber-crimes continue to increase in size, 
scope and depth, the Secret Service is committed to sharing 
information and best practices with our law enforcement 
partners, academia, and the private sector.
    To accomplish this, we have established 29 electronic crime 
task forces, including the first international task force, 
based in Rome, Italy.
    Currently, membership in our ECTFs includes approximately 
5,500 partners from law enforcement and the private sector and 
academia. These partners have access to the resources provided 
through our international network of ECTFs. To coordinate these 
investigations at the headquarters level, the Secret Service 
has enhanced our cyber-intelligence section to focus on 
generating new leads in support of our cyber-investigations.
    The men and women who work in this section have been 
instrumental in our success in infiltrating online cyber-
criminal networks around the world. These successful 
investigations include two of the largest known network 
intrusion cases to date, TGX and the Heartland Payment Systems 
case. These intrusions resulted in the compromise of 
approximately 40 million accounts and 130 million accounts 
respectively and the indictment of dozens of suspects.
    As detailed in my written statement, the Secret Service has 
implemented a number of initiatives to combat the scourge of 
cyber and computer-related crimes. Today, social networking 
sites provide yet another target-rich environment for cyber-
criminals to exploit personal identifiable information.
    Responding to the growth in these types of crimes and the 
level of sophistication these criminals employ will demand an 
increase in resources and greater collaboration between law 
enforcement and the private sector. Accordingly, the Secret 
Service will focus its resources on increasing public awareness 
through education, providing training for our local law 
enforcement partners, and adjusting our investigative 
techniques to stay ahead of the criminal trends.
    The Secret Service is committed to our mission of 
safeguarding our Nation's critical financial infrastructure and 
will continue to aggressively investigate cyber and computer-
related crimes to protect American consumers and financial 
institutions from harm.
    Chairman Scott, Ranking Member Gohmert and distinguished 
Members of the Committee, this concludes my prepared statement. 
Thank you again for this opportunity to testify on behalf of 
the Secret Service. I will be pleased to answer any questions 
at your convenience.
    Thank you.
    [The prepared statement of Mr. Merritt follows:]

                Prepared Statement of Michael P. Merritt

















                               __________

    Mr. Scott. Thank you, Mr. Merritt.
    Mr. Sullivan, I believe you came off a vacation to be with 
us today. We certainly appreciate that. We certainly notice 
that, and thank you for being with us.
    Mr. Sullivan?

   TESTIMONY OF JOE SULLIVAN, CHIEF SECURITY OFFICER (CSO), 
                 FACEBOOK, INC., PALO ALTO, CA

    Mr. Sullivan. Certainly. It is my pleasure to be here. So 
thank you, Chairman Scott, Ranking Member Gohmert and 
Subcommittee Members for this opportunity.
    As Facebook's chief security officer, and as a former 
Federal prosecutor who specialized in high-tech crime in 
Silicon Valley, this topic has special meaning for me. At 
Facebook, I work every day on developing high product security 
standards, engaging people outside the company, such as 
educators, parents, students and other Internet users, to learn 
about and promote safe Internet practices. And I also work 
closely with law enforcement around the world to help ensure 
that those who are responsible for online abuse are held 
accountable.
    While the Internet now connects nearly two billion people, 
until recently, it was a useful but very passive repository of 
information. But in just a few years, it is really evolved to 
an interactive social experience defined by your connections, 
interests, and your communities.
    These developments enlist people not just as passive 
viewers but also as creators of online content, frequently in a 
framework that is social and involves forums or communities 
defined by people themselves. And since its creation, Facebook 
has been at the forefront of this change, growing from a 
network of students at a handful of universities to a worldwide 
community.
    Today, Facebook and other social technologies have the 
power to enrich people's lives in ways that were unimagined 
even 5 years ago. Facebook's become an invaluable communication 
tool, allowing individuals to connect for myriad purposes, to 
communicate with family near and far, for charitable causes, in 
the political realm for grassroots organizing and for local 
community-building.
    In the same way that Facebook has brought innovation to 
communication, on the security team and across the company, we 
try and bring innovation to Internet security. We are 
constantly working to enhance online safety and address new and 
emerging security threats.
    And because those efforts are frequently behind the scenes, 
I particularly appreciate the opportunity to highlight a few of 
them for you today. We believe that our proactive efforts and 
innovations in security are the key to providing a positive 
online experience.
    In my written testimony, I focus on a number of different 
areas. One of those important areas is key partnerships. As a 
company, we reach out to law enforcement and Internet privacy, 
safety and security experts everywhere to learn about best 
practices and to build on them.
    For example, last year we created a Safety Advisory Board 
consisting of representatives from five of the leading online 
safety organizations. And we have regular meetings with them 
and almost daily feedback from them on things that we can do in 
particular in the area of teen safety.
    The Board has been a great resource. One example has been 
their contributions to the improved safety and security 
messaging that we have launched in the last few months.
    I am also proud of the strong relationships with the law 
enforcement agencies here at the table today. The FBI has long 
been a leader in cyber-crime investigation, and we are working 
closely with the FBI on several large, multi-jurisdictional 
cases right now against malware distributors and spammers who 
have attempted to take advantage of the scale of social 
networking sites. We have also worked with them on child safety 
cases.
    And the Secret Service is resourceful and innovative not 
only on the Internet threat cases that they prioritize, but 
also on other types of electronic crime investigations where we 
have turned to them for assistance.
    Following up on the comments of Congressman Goodlatte, 
before Facebook, I think the common wisdom was that the 
Internet was a place where people should avoid using their real 
names or sharing information. Facebook was the first major web 
service that required people to build their profiles and 
networks using real names, while at the same time giving them 
privacy controls so that they can limit who accesses their 
information.
    This was an important policy and technical architecture 
choice which both allowed people using Facebook to become more 
connected and made the service safer. In a culture of authentic 
identity, your actions are observed by your real-world friends, 
and it makes Facebook less attractive to predators and other 
bad actors. And to be honest, those people, they stand out like 
sore thumbs on our site.
    We also make it easier for people to control what they want 
to share, with whom and when. In my written testimony, I give 
several examples, both in the context of privacy and in 
security, where we give people controls over who sees what and 
how they manage the security of their account.
    On the back end, we are also very proactive. So, for 
example, we became a level one PCI-compliant company, meeting 
heightened data security standards even though, as a business, 
we don't even meet the standard of those requirements being 
necessary for our business.
    We will also develop proprietary technologies that allow us 
to continuously improve on our online safety efforts. We 
generally don't discuss the back-end algorithms and things that 
we use in that context, but these technologies allow us to 
perform ongoing authentication checks and also to engage our 
users in types of community verification.
    Our technology has also helped us to obtain and take legal 
action against people who try to do things that they shouldn't. 
Congress enacted the CAN-SPAM Act, and I am proud to say that 
Facebook is responsible for the two largest judgments in the 
history of that Act, $873 million against Adam Guerbuez and 
$711 million against the notorious spammer, Sanford Wallace.
    I see that my time is up, so I would just like to maybe go 
on a little bit and mention that, as we come here today, I 
think that security requires vigilance, and Congress has been 
vigilant in enacting targeted statutes to address Internet 
security problems. It is an ongoing chess match, and there is 
more to be done.
    A couple of examples of things where we hope to continue to 
work closely with the government are building out that national 
database of convicted sex offenders that was called for in the 
KIDS Act that Congress passed a couple years ago. We need 
access to that national database today. And if we had access to 
it, we would use it.
    We need continued investment in cyber-literacy in 
particular for teens and parents. An example, to get really in 
the weeds, is we need broader access to the hashes of known 
images of exploitation of children. With these hashes, we would 
be able to run that list against our site and identify any 
known image of child pornography and make sure that it was not 
on our service. Facebook is the largest photo-sharing Web site 
on the Internet, and that type of technology would be very 
helpful.
    We also need, I think law enforcement to receive more 
resources for training. They need better technology in the 
office, and they need better training on how to, in particular, 
work on the international cases.
    Unfortunately, the vast majority of the significant cyber-
crime that is going on today is cross-jurisdictional, and it 
brings up new challenges that law enforcement have not had to 
deal with on a day-in, day-out basis. For example, collection 
of electronic data can involve service of legal process in 
multiple countries and numerous jurisdictions across the United 
States. As a result, these cases move too slowly, and many 
international cases never get prosecuted at all.
    In conclusion, I would just like to say that Facebook has 
always sought to provide a safer environment than was generally 
available, and we will continue to innovate in order to enhance 
the safety and security of our community of users.
    And on behalf of Facebook, I thank the Subcommittee for its 
leadership and dedication to Internet innovation and safety.
    [The prepared statement of Mr. Sullivan follows:]

                   Prepared Statement of Joe Sullivan





























                               __________

    Mr. Scott. Thank you very much.
    Mr. Rotenberg?

  TESTIMONY OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC 
       PRIVACY INFORMATION CENTER (EPIC), WASHINGTON, DC

    Mr. Rotenberg. Thank you, Chairman Scott, Ranking Member 
Gohmert, Members of the Subcommittee. I appreciate the 
opportunity to be here this afternoon.
    My name is Mark Rotenberg. I am the executive director of 
EPIC, and we are a leading privacy organization. We are 
particularly concerned about the privacy issues related to 
Facebook.
    As you know, Facebook has become enormously influential on 
the Internet. It has more than 500 million members. Someone 
pointed out recently that, if it were a country, it would be 
larger than the United States, Japan, and Germany combined. So 
it is a very big player on the Internet.
    At the same time, Facebook also has an enormous impact by 
what it chooses to do or not do on the privacy of Internet 
users. And when Facebook has changed its privacy policies and 
the privacy settings of Internet users, it is raised real 
privacy concerns.
    In fact, my organization, EPIC, has filed two complaints at 
the Federal Trade Commission resulting from these changes in 
privacy settings because we believe they significantly 
disadvantaged Internet users and created new risks to privacy.
    Now, to be clear, the service is very useful. In fact, in 
preparing for this hearing, I actually posted on my own 
Facebook wall a question to Facebook users. I said, ``What 
concerns do you have that I should share with Committee 
Members?''
    And many people responded, some who I know well, some who I 
don't know particularly well, but the comments were helpful. 
And I incorporated them in my prepared statement for you today 
to give you some sense of the concerns that Facebook users 
have.
    And this point about changing the privacy settings came 
back again and again and again. And I bring this to your 
attention today, because I know in this discussion about the 
risk of online victimization, which is a real threat, 
oftentimes people talk about the need to better educate users, 
to warn users about what they should or should not post.
    And while I agree in some circumstances that is helpful, 
user education can only go so far if a user has made a 
determination not to disclose certain types of information to 
certain organizations and the company in possession of that 
information chooses to change the rules of the game.
    User might say, for example, ``I don't want this 
information to be widely available or searchable through an 
Internet search engine. I only want these photos to be 
available to my friends or family members,'' and then the 
company says, ``Well, we have a transition now in the privacy 
settings, and we are going to change those defaults a bit. And 
if you want to change them back, you are always free to do 
so.''
    The point that I am trying to make is that these changes in 
the privacy settings create risks for users that they really 
cannot control. This is the reason that we went to the Federal 
Trade Commission and urged the FTC to enforce the agreement 
that users had with Facebook and other Internet firms to 
respect their privacy settings.
    Now, I am bringing attention to this FTC complaint because 
I think it has some specific implications for what this 
Committee might be able to do to address user concerns about 
online privacy in the social network space.
    Because the FTC has not acted on this complaint, it means 
that the companies are able to continue to make these changes, 
and that there is no recourse for users. And what I am 
proposing, therefore, is that the Federal law that regulates 
the disclosure of information by companies such as Facebook, 
the Electronic Communications Privacy Act, be amended so that 
these disclosures to third parties could not occur without 
clear and affirmative consent.
    In other words, if a person has chosen not to disclose 
personal information to an application developer that is a 
business partner, a Facebook or an Internet Web site that is 
also a business partner of Facebook, that preference should be 
respected. And if it is not respected, then I think it is 
creating a significant risk to the privacy of users online.
    Looking ahead, this is going to continue to be an important 
concern for Internet users until we have comprehensive 
legislation protecting people online.
    Thank you very much for the opportunity to testify. I would 
be pleased to answer your questions.
    [The prepared statement of Mr. Rotenberg follows:]

                  Prepared Statement of Marc Rotenberg


























                               __________
    Mr. Scott. Thank you.
    We have been joined by the gentleman from Illinois, Mr. 
Quigley, so thank you for being with us.
    Mr. Pasqua?

TESTIMONY OF JOE PASQUA, VICE PRESIDENT FOR RESEARCH, SYMANTEC, 
                      INC., WASHINGTON, DC

    Mr. Pasqua. Mr. Chairman, Ranking Member Gohmert and 
Members of the Subcommittee, thank you for the opportunity to 
appear here today and discuss this important topic. As a global 
information security leader, Symantec welcomes the opportunity 
to provide the Committee with our insights on how to keep 
social network users safe online.
    While social networking has provided many new benefits, it 
has also opened new doorways for cyber-crime. It has expanded 
online opportunities for the underground economy, which has 
discovered that social networking pays.
    The infiltration of communities and the spreading of spam 
or malware have become a part of everyday life within social 
networks, and that trend is increasing. The potential abuses 
cyber-criminals have conceived are highly varied and range from 
targeted spying, spam and phishing mail distribution to 
exploitation of security holes within particular social 
networking platforms.
    Attacks against both social networking sites themselves, as 
well as individual users of those sites, have now become 
standard practice for criminals. Part of the reason for this is 
that these sites combine two factors that make for an ideal 
target for online criminal activity: a massive number of users 
and a high level of trust among the users.
    Social networks also provide a rich repository of 
information cyber-criminals can use to refined their phishing 
attacks. Many Internet users today are too blase about the 
information they post on the web. Social network users should 
always be cautious about the information they post online and 
how it can be used.
    In a rush to embrace the advantages of sharing information 
on the Internet, many young people in particular have created 
online data sets, or ``tattoos,'' that, much like the real 
thing, are difficult to remove. Posting personal information 
online can also leave them vulnerable to identity theft. 
Details such as postal codes, birthdates, mother's maiden 
names, can all be used by cyber-criminals to crack passwords, 
hijack accounts, send out spam, and distribute malware.
    In addition to the direct insertion of malware or the 
distribution of mass mailings, cyber-criminals use social 
networks to lure users to primed Web sites where they can steal 
personal data so that they can sell it for profit. There has 
been a marked increase in crimeware, or software used to 
conduct cyber-crime, on social networks and elsewhere.
    In 2009, Symantec created over 2.5 million new virus 
signatures and discovered more than 210 million distinct 
malware variants. That is a 56 and 75 percent increase, 
respectively, over the same period in 2008.
    And to put this in perspective, Symantec created more 
malware signatures in the past 15 months than in the previous 
18 years combined. So it is a massive, massive increase.
    Attackers are now going directly after the end user and 
attempting to trick them into downloading malware or divulging 
sensitive information under the auspice that they are doing 
something perfectly innocent. Social engineering's popularity 
is at least in part spurred by the fact that the operating 
system that a user is using or a browser is largely irrelevant. 
It is the actual user that is being targeted, not necessarily 
vulnerabilities in the machine.
    To their credit, social network sites squash most threats 
quickly, but it is not just targeted attacks you should be 
worried about. It is adapted attacks. Adapted attacks occur 
when bad guys take existing threats and use social networks to 
increase the effectiveness of the attack through social 
engineering. There is nothing like being surrounded by friends 
to get you to lower your guard, and that is what they make you 
think they are doing.
    Given the potential for monetary gain from compromised 
corporate intellectual property, cyber-criminals have also 
turned their attention toward enterprises. Attackers are 
leveraging the abundance of personal information openly 
available on social networking sites to synthesize socially 
engineered attacks on key individuals within targeted 
companies. This can take into account position within the 
company, colleagues, hobbies, places they have been, pictures, 
etcetera.
    I am just going to skip ahead a little bit and wrap up 
because I see I am running low on time. But I will mention 
that, according to a recent Symantec enterprise security 
survey, most organizations do not have social networking policy 
in place despite giving employees unfettered access to these 
popular Web sites. Our survey also found that 84 percent of 
CIOs and CISOs consider social networking sites to be a serious 
threat to their security.
    In closing, I have provided in my written testimony to the 
Committee a number of useful precautions that all users of 
social networks should consider in their use of this new 
medium, and we all call this to the Committee's attention.
    Mr. Chairman and Members of the Committee, Symantec 
appreciates the opportunity to provide our input on combating 
cyber-crime on social networks and protecting online privacy so 
the Internet can reach its full potential. We look forward to 
continuing to work with the Committee as it considers future 
legislation in this area.
    Thank you.
    [The prepared statement of Mr. Pasqua follows:]

                  Prepared Statement of Joseph Pasqua





















                               __________

    Mr. Scott. Thank you. And I want to thank all of our 
witnesses for their testimony. And we will now have questions, 
and I will recognize myself first.
    Are there laws in other countries that do not apply here in 
terms of protecting people's privacy? Mr. Rotenberg?
    Mr. Rotenberg. Maybe I should take this.
    Mr. Chairman, part of our work at EPIC is looking at 
different approaches to privacy protection. And I think it is 
fairly well known that the Europeans have I guess we could say 
a more comprehensive approach to privacy protection in that 
companies that collect data on users have presumptive 
obligations to protect the privacy of that information.
    Here in the United States, we tend to do it on a sectoral 
basis. We would legislate for a particular industry, for 
example, like medical records, electronic health records.
    I think what is important about this approach is that it 
means that when companies like Facebook gather information on 
users in other countries, they have to be more careful about 
disclosure to other parties because they do run some risk of 
stepping over the line on those more comprehensive privacy 
laws.
    Mr. Scott. I think, Mr. Rotenberg, you mentioned changing 
security settings.
    Mr. Rotenberg. Yes, the privacy settings.
    Mr. Scott. And what allegation were you making there?
    Mr. Rotenberg. Well, essentially that, for a person in the 
United States who wants to protect their privacy on Facebook, 
they have to go to a series of screens provided by Facebook and 
make some choices. Do they want their photographs, for example, 
to be available to everyone, or to their friends, or friends of 
friends, or just a small group? And you make a lot of these 
decisions about a lot of different information that you put 
online.
    Our objection is that, when the user makes those decisions, 
and then Facebook comes along later on and says, ``Well, we 
want to change our approach to privacy, and maybe you had your 
photographs available only for family members but we are going 
to change that setting to everyone,'' that is where the problem 
arises. And that is actually the basis of most of the concerns 
we think today that Facebook users have about privacy. It is 
the changes in those settings.
    Mr. Scott. Mr. Sullivan, did you want to respond to that?
    Mr. Sullivan. Thank you, Chairman.
    Our position on privacy hasn't changed. It is our belief 
that people who use Facebook own their information, and they 
have the right to share their information in the way that they 
want to share it. And it is our responsibility to respect their 
wishes.
    On the subject of U.S. versus international laws, we 
attempt to treat all of our users by one very high standard. We 
don't differentiate between U.S. users and other users in terms 
of presenting different standards to them or treat their 
information with different levels of care.
    Our approach has been to try and improve over time. 
Facebook is a relatively new technology. As a company and a 
product, we are 6 years old. And we are growing and learning 
every day.
    And the number one way that we learn is through feedback 
from our users, and we are constantly innovating and trying to 
learn from our users, and every innovation that we do is driven 
by user feedback.
    And in addition to innovating, the other thing we try and 
pride ourselves on is responding quickly. So when we get 
feedback that something isn't working right, we try and fix it 
very quickly.
    With regard to our privacy settings, we have spent a 
considerable time and effort in the last year trying to make 
them better and trying to make them easier to understand. I 
feel very good about where our privacy settings are today, and 
would love the opportunity to walk anyone through how those 
settings work today.
    We have a one-page that has all of your privacy settings on 
it right now. We try and break it into three simple buckets--
your directory information, how you share information, and how 
you share information with applications.
    With regard to how you share information, it is literally a 
one-click process, where you can go on the site right now and 
say, ``I am not sure what my settings were for each different 
thing that I posted, but right now I would like to make 
everything I have ever put on the site friends-only.'' One 
click, you can do that.
    In addition, we know that people want flexibility, so we 
have tried to build contextual messaging into our product so 
that, at the time you make decisions about sharing, you can 
customize the setting for that particular piece of information. 
So if I want to share information about being in front of this 
Committee today, I might want to share that only at work, or 
maybe I want to share it with all of my friends. I have the 
ability, one status update at a time, to change the setting to 
direct it to different audiences.
    Mr. Scott. I mean--I think, because sometimes people make 
those choices, and Facebook comes behind and changes the 
settings. Is that accurate?
    Mr. Sullivan. No, that is not accurate.
    Mr. Scott. Mr. Marc, do you want to make your statement?
    Mr. Rotenberg. I am kind of astounded by Mr. Sullivan's 
answer to your question. I mean, we have documented this in 50 
pages to the Federal Trade commission, and it is discussed by 
hundreds of thousands of Facebook users across the Facebook 
platform. So maybe Mr. Sullivan would like to rethink how he 
answered your question.
    In fact, I think he should also rethink what he said 
earlier in response to your question about the ability of users 
to selectively disclose what information to make available 
online. Facebook has an increasingly broad category of what it 
considers to be publicly available information. That is the 
information that the user really has no control over, even the 
users who would like the highest level of privacy settings.
    And it is clear to just about everyone what direction that 
category is heading, which is to say that Facebook will simply 
continue to make more user information available. So I think 
maybe Mr. Sullivan would like to rethink that answer also.
    Mr. Scott. Do you want to respond, Mr. Sullivan?
    Mr. Sullivan. I am not interested in changing my answer. I 
stand by it.
    Mr. Scott. Gentleman from Texas.
    Mr. Gohmert. Thank you, Mr. Chairman.
    And appreciate all the witnesses being here and for the 
testimony.
    I am curious, Mr. Sullivan, what information would you 
recommend not sharing on Facebook specifically?
    Mr. Sullivan. Personally and as a company, we want people 
to make those decisions for themselves.
    Mr. Gohmert. Well, but I am asking you personally rather 
than Facebook.
    Mr. Sullivan. Well, personally, I choose to share quite a 
bit of information through Facebook, and I put different levels 
of visibility on different types of information.
    My contact information I make available to my friends on 
Facebook, so my friends can go on Facebook and see my e-mail 
address, my phone numbers, my Instant Messaging identifiers and 
things like that. The pages that I am a fan of, I am happy to 
share that with other people because I like to interact with 
people who are fans of the same sports teams that I am fans of, 
etcetera. My--information--I am sorry.
    Mr. Gohmert. Let me ask you, since our time is so limited, 
what problems has China indicated that they have with Facebook 
that would prevent them from allowing Facebook to be 
accessible, that is?
    Mr. Sullivan. To be honest, I don't think we have----
    Mr. Gohmert. Well, I would prefer you be honest. Thank you.
    Mr. Sullivan. I don't think we have received a clear answer 
on that. My understanding is that it relates to our refusal to 
moderate speech.
    Mr. Gohmert. To moderate speech? So if somebody said 
something unkind about China, they would want that moderated. 
Is that correct?
    Mr. Sullivan. It is a very sensitive issue that we spend a 
good deal of time trying to make sure that we as a company 
respect free speech rights of our users.
    Mr. Gohmert. I will take that as a yes. Thank you.
    Mr. Pasqua, I appreciate your being here. And I hadn't 
bought a Symantec or Norton product in probably 10 or 15 years.
    But there is a perception that, once information is put 
into a social networking site, that it is there forever, and 
there is just really not anything that can be done. Since you 
have been in the security business with the software, is there 
anything that can be done to actually pull stuff out once it is 
in there?
    Mr. Pasqua. The fact of the matter is, there really are a 
lot of different sites out there, and they have different 
capabilities. Obviously, Facebook is a major important one, but 
there are certain types of information on certain sites that 
you can remove. There are other types of information in other 
sites where you really have very little control over pulling 
back information once you have created that content.
    So if you, for example, have a comment on a blog that is 
controlled by someone else, you can't necessarily control 
whether you can delete that comment, or change it or amend what 
you have said. It is really up to the owner of that Web site.
    Mr. Gohmert. Okay. Let me ask our Federal entities 
representatives.
    Mr. Snow, how easy is it to pass information about 
questionable Internet activity to other Federal entities, 
whether the NSA, CIA, Secret Service? How easy is it within the 
FBI to do that?
    Mr. Snow. Sir, from the FBI's position, it is very easy for 
us to pass----
    Mr. Gohmert. Well, I understand that is your position, but 
from a factual standpoint, how easy is it?
    Mr. Snow. Yes, sir. We right now--and the Chairman 
originally discussed it somewhat--we have the National Cyber 
Investigative Joint Task Force that has been designated by the 
White House and----
    Mr. Gohmert. No, no, I understand all that, but, you know, 
I have enough friends that are Federal agents in all different 
sectors, and I keep hearing about difficulty, even since we had 
the big umbrella of Homeland Security, in communicating. In 
fact, some say that it is even created more problems in getting 
information from one to the other, because now it goes up 
before it comes down and goes lateral.
    So that is what I am asking, really from a practical 
standpoint, how easy is it? If you see a problem, can you just 
send that out to friends at Secret Service, or what do you have 
to go through to get that done?
    Mr. Snow. Absolutely, sir. Anything that I have, I can 
pass, almost in real-time, depending on which systems are 
linked or not linked. So at----
    Mr. Gohmert. Do you need approval from anyone to do that?
    Mr. Snow. Sir, I am the approving entity and individual in 
the cyber division, so anything cyber-related would go through 
me. But I also take a very strong approach, a proactive 
approach, on pushing those approval processes down to my 
workers and my operators out at the National Cyber 
Investigative Joint Task Force.
    Mr. Gohmert. Great.
    Mr. Merritt, how easy is the flow, from your experience?
    Mr. Merritt. Very easy, sir. I mentioned the cyber-
intelligence section within our criminal investigative 
division.
    Mr. Gohmert. Right.
    Mr. Merritt. These are extremely talented, both agents and 
contractors with superior computer and linguistic capabilities 
who monitor, real-time, these codding portals we have talked 
about, the codding Web sites.
    And when, in fact, an anomaly appears or a malware, for 
example, based on our electronic crimes task forces, we 
distribute that information real-time to our members. In turn, 
they channel it down their flow chains. To include, we have a 
representative on each FBI joint task force, along with our 
national Joint Terrorism Task Force, and we do have a member at 
their NCIJTF.
    So the big benefit of this, sir, would be the private 
sector who are not seeing this. Some corporations are better 
suited, with their analysts, to identifying anomalies and 
intrusions more so than others, especially the medium to small 
size companies. But we do have that ability, and we do do that.
    Mr. Gohmert. Thank you.
    Mr. Merritt. Thank you.
    Mr. Gohmert. Mr. Pasqua, I didn't mean to be cryptic, but 
it is been back when I was a judge in the 1990's, I personally 
bought some Norton securityware. I had examined the boxes, all 
of the properties. Norton seemed to have good qualities, but 
they had a $20 rebate if you sent the original receipt. And I 
did, kept all the copies of everything I sent, said wait 6 
weeks.
    I waited about 10 weeks, called, and the lady said, ``If 
you don't have proof that we received it, then you have got 
nothing.'' And I said, ``Well, I didn't send it certified 
because that would have eaten up the $20.'' And I said, ``But I 
have got copies of everything.'' She said, ``Too bad. We don't 
take copies. It said that in the rebate. We got the original.''
    So I have cost Symantec, because people know I am somewhat 
literate in the area, lots more than $20, and it is too late to 
send me my $20 now that I am in Congress. But anyway, that is 
the reason I haven't bought anything from Symantec in years, 
but I appreciate the time, and I yield back.
    Mr. Quigley [Presiding]. The gentleman yields back.
    The gentlewoman from California is recognized.
    Ms. Lofgren. Thank you very much. And first, let me offer 
my regrets for not being here at the beginning of the hearing, 
because I would have liked to have given a word of welcome to 
two of the witnesses who represent companies located in Silicon 
Valley, which I represent in the House. And that is both the 
Facebook witness and, of course, Symantec, both companies that 
employ many of my constituents. So, welcome here.
    As I think about the risks involved in use of technology, I 
think of them in at least two categories. One, there is really 
nothing the government can do about.
    I mean, if you decide to post your home address on Facebook 
and not limit who sees it, and then say, ``Oh, by the way, I am 
on vacation for a month,'' it is like saying, ``Please come 
burglarize me.'' So that is really an education issue that the 
government, and I really think the companies, are not 
responsible for. It is a matter of Americans understanding what 
they are doing.
    There is a second issue, which is really a technology 
issue, which is allowing people the opportunity to have their 
rights respected. And I wanted to address, really, two 
questions, probably three questions, to Mr. Sullivan.
    It has been mentioned here by EPIC, certainly a very well 
regarded organization that I have supported for years, that the 
settings are too tough and maybe not fully implemented. And I 
have actually complained, most recently a few months ago, not 
that you couldn't do it, but that it was too complicated.
    And I suggested to the Facebook people I met with that you 
need not the Geek Squad but the Granny Squad. I mean, design it 
for, you know, a grandma in the Midwest so she can understand 
it and make it do what she wants with very simple clicks.
    Do you think you have accomplished that yet? I realize this 
is really still a startup. I mean, even though you are at half 
a billion, you know, it is 6 years, and you are still growing.
    Mr. Sullivan. Thank you very much for that question. And I 
think that it is something that we spend time thinking about 
every day, because I think your goals and our goals are aligned 
on this issue. We want people to understand and be able to use 
the controls because they will feel good about our service. And 
I think that the controls that we have in place now are the 
best we have ever had.
    And as I mentioned earlier, the controls that we launched 
as a result of the feedback that we received from people like 
you, we think that we have dramatically simplified so that 
you--you know, as you know, before, you had to go to five or 
six different screens to cover all the different types of 
sharing that you could do, and now you can manage all of that 
on a single page.
    Ms. Lofgren. And maybe that you are not at liberty, and 
this may not be a fair question, but if EPIC had some further 
suggestions for you to consider to simplify this, would you 
welcome those suggestions?
    Mr. Sullivan. We certainly would. In fact, I would like to 
mention that both before the large rollout that we did last 
fall of trying to engage users on new privacy settings, and 
during the spring we did reach out to a large number of 
organizations outside the company that asked for feedback, and 
we received feedback from a number of highly regarded 
organizations across the nonprofit and public and private 
sector.
    Ms. Lofgren. Let me ask you two other questions, and this 
is one really having to do with people who decide that Facebook 
is too much trouble and they wanted to delete their account.
    I mean, if you post somewhere else, I realize that is on 
somebody else's Facebook and you can't necessarily get rid of 
that. But if you close your own account, is every whisper of 
information that you have lodged with Facebook erased with 
that?
    Mr. Sullivan. Yes.
    Ms. Lofgren. And finally, I would like to make a 
suggestion, unless this has already been implemented. There are 
times when things go wrong.
    For example, somebody has failed to take appropriate steps 
to safeguard their Facebook account, and it gets hijacked. 
There is nobody to call. I mean, you can send an e-mail, but it 
takes a long time to be sorted out. Are there plans in place to 
have kind of a rapid response when things of that nature occur?
    Mr. Sullivan. Yes. It is another area where we are 
continuing to innovate. What we have done is we have placed 
``Report'' buttons across our site, and you should be able to 
find them on basically every single page. And we have put those 
buttons in places where we think that you are most likely to 
run into a problem and would want to report something. And the 
``Report'' button opens up a dialogue.
    And like you said, I think in the old days of the Internet, 
companies would have a single e-mail address, and all of the 
issues would come into one big bucket, and then you have to 
have someone sort it. The way we do it now is, during the 
report process, we have some very easy drop-downs where a user 
can specify what the specific issue is. And that directs it 
into a prioritization queue.
    And so, for example, the most serious issues we try and get 
to within, you know, hours, most frequent----
    Ms. Lofgren. What would a serious issue be, for example?
    Mr. Sullivan. So, an identity theft or cyber-bullying, or a 
threat to life or a potential suicide discussion, or something 
like that.
    Ms. Lofgren. Okay. Well, that is more serious than 
hijacking a Facebook page. Where would that fall in your 
priority list? How long would it take to respond to that, do 
you think?
    Mr. Sullivan. I think probably within 24 hours, but----
    Ms. Lofgren. If I told you it was 3 weeks, would you be 
willing to look into it?
    Mr. Sullivan. I certainly would like to look into it.
    Ms. Lofgren. I would appreciate that.
    I realize my time is just about over, but before I did, I 
just want to, since the Chairman didn't get his rebate, I would 
like to say I just bought a Symantec product that I have 
installed on my home computer, and it is protecting me from 
viruses and malware, and I appreciate it very much, and love 
your products.
    And I yield back.
    Mr. Pasqua. Thank you.
    And Member Gohmert, I am sorry we lost you as a customer. I 
hope we can win you back. But most importantly, I hope you are 
using some sort of protection on your machine.
    Mr. Quigley. The gentlewoman's time has expired.
    Mr. Goodlatte from Virginia is recognized.
    Mr. Goodlatte. Thank you, Mr. Chairman.
    Folks, welcome. I missed most of your testimony because I 
had to go deal with another Committee and some legislation I 
had there. I apologize for that.
    But I did want to ask Mr. Snow, with the many Federal 
agencies involved in some aspect of identity theft or related 
cyber-crimes, is there ever confusion on the part of the 
private industry sector as to what agency they should call for 
assistance or to report a breach? Do you have some kind of a 
clearinghouse, or----
    Mr. Snow. Yes, sir. Our most powerful clearinghouse is the 
agent and investigators that are in the field. So all the 
different agencies, federal, state and local, and our 
international partners are out pushing the outreach programs.
    We have three very strong outreach programs--the Internet 
Crime Complaint Center, which is a public-private partnership; 
our InfraGard program, and then our computer education and 
development unit, which go out, along with our domain entities, 
as to other Federal agencies and state and local partners to 
let people know, if you have crime or you have crime reporting, 
to come and talk to us.
    The clearinghouse actually takes place back in the 
investigative agencies along with where the different 
jurisdictional lines reside. So for instance, if you had a 
problem, an Internet breach, you could Google it. You would 
come up with probably about five or six places to go report.
    If you were directed to the FBI Web site, FBI.gov, you 
would be directed back to the Internet Crime Complaint Center. 
It would talk to you about what that crime complaint center 
does, what it can provide you, and how to report. It would have 
a very accessible link there.
    The Internet Crime Complaint Center, if you started there, 
would have the same issue and reporting mechanism. And then, we 
have an educational partnership that is called www-
lookstoogoodtobetrue, and you would be able to go there, also.
    An important part of the education, and I know we have 
talked about the education, is that all three of these sites, 
individuals that are suspecting that they may be subjects, or 
potential subjects, which everybody is, of Internet fraud or 
computer hacking, can sign up for informational alerts that 
will come to whatever piece that you have.
    Mr. Goodlatte. Thank you.
    Mr. Sullivan, let me follow up on the question from Ms. 
Lofgren regarding the privacy issues there. Can you explain 
Facebook's privacy transition tool? How does this process 
ensure that users are considering privacy issues in evaluating 
their own security settings?
    Mr. Sullivan. Certainly. So, last December, we took on I 
think what was probably an unprecedented event in the history 
of the Internet, and that is that we tried to engage every 
single one of our users and make them think about privacy.
    And so, what we did was we put that wizard, which was a 
page that talked about privacy and laid out your settings and 
what we were recommending as settings, in front of every single 
user, and we simply wouldn't let you use the service again 
until you walked through these pages and said, ``I want to do 
it this way.''
    And so, that was quite a massive undertaking, and it got 
quite a bit of attention, and we were pleased in both regards 
because we saw that users engaged with this wizard, that they 
made decisions, that they talked about privacy, they thought 
about privacy, they thought about what they put on the site 
before. And they have continued to use the privacy settings 
after that day even more than they ever did.
    Mr. Goodlatte. What is instant personalization? I know that 
Facebook has become a platform upon which you have invited 
other vendors to build various tools that they can utilize as 
members of Facebook. What assurances do you have that partner 
sites in this program have sufficient protection to safeguard 
Facebook users?
    Mr. Sullivan. Sir, from the security standpoint, we focus 
on a number of different things. This is a beta program that--
only used on a very limited number of carefully selected 
partner sites at the moment.
    And we have done a couple of different things. We have done 
some external auditing of their security measures. I manage an 
information security team that has investigative experts who 
understand the different types of vulnerabilities the Web sites 
have. We have made suggestions. We have had dialogue with their 
internal experts.
    And then, we also on the security side, we make suggestions 
for requirements to put into the written contracts about the 
standards that we expect those sites to live up to. So as I 
mentioned earlier, we are PCI level one compliant, and there 
are other security standards and acronyms that I won't share 
today, but are the types of things that we would look for.
    Mr. Goodlatte. One last thing. You indicated in your 
testimony that you will use legal means to go after people that 
are behind specific scams. Can you elaborate on this? Is it 
civil actions that you will pursue, or do you assist law 
enforcement authorities in pursuit of criminal charges, or 
both? What are you talking about there?
    Mr. Sullivan. So our goal is always to prevent something 
bad from happening. But if it does happen our second goal is to 
be incredibly aggressive.
    And so, I mentioned in my written testimony in a bit 
earlier a couple of the CAN-SPAM cases that we have brought. 
And so, in these two cases that have received a decent amount 
of attention in the mainstream press, they have actually 
received even more attention in the forums where the bad guys 
meet.
    And we spend a lot of time on my team in those forums. Like 
the folks at Symantec do, we spend a lot of time trying to 
understand what the bad guys are interested in, what they are 
focused on, which companies they are targeting, what their 
newest techniques are.
    And it has been fascinating for us to take back and share 
with the company the impact of these spam cases. You know, we 
certainly aren't going to collect $700 million from Mr. 
Guerbuez or, you know, $800 million from Sanford Wallace, but 
we are going to be pursuing them for the rest of their life, 
and that is a heavy judgment hanging over their heads.
    And you see people talking in these forums, saying, ``Don't 
go after Facebook. That is a bad idea.'' So we do see a 
deterrent effect in that type of civil action.
    Likewise, on the criminal side, we have brought a number of 
cases to both the FBI and the Secret Service over the last 
couple of years where we have identified individuals or groups 
that are attempting to target our users, whether through 
distribution of malware or through spam or other types of 
problems like that.
    Mr. Goodlatte. Thank you.
    My time has expired. Thank you, Mr. Chairman.
    Mr. Quigley. Thank you.
    Mr. Deutch is recognized.
    Mr. Deutch. Thank you, Mr. Chairman.
    Gentlemen, I think we need to do a better job of raising 
awareness among Internet users, particularly children. While 
most social networking activities are harmless, the fact is 
there are people who are out there who are going to tell a lie 
and hurt you.
    And whether it is someone seeking easy money or a child 
predator, when it comes to social networking, these criminals 
know the game, and they are going to play it. I am deeply 
concerned about the risks that the predators pose to children, 
and I believe we need to do more to minimize the risks to 
children online.
    Education is a critical component of crime prevention. As a 
parent, I am no stranger to the need to talk to children early 
and often about online predators. Parents must play a critical 
role to make them understand the risks that are out there.
    Now, I applaud the efforts of the FBI, Secret Service and 
other law enforcement agencies to protect children, but I think 
everyone would agree, if even one child is victimized, we as a 
government need to do more. And while we can't promise our 
children that we are never going to let them down, we can at 
least commit to not deserting them and focus on what additional 
tools might be helpful.
    To that end, as a Member of the Foreign Affairs Committee, 
I am particularly interested in the international component of 
this problem. Criminals thrive in areas where the government is 
too blind to see. And while this is true of traditional 
criminal activities, it is particularly true of Internet-based 
crimes.
    So how do we go after criminals who know the rules and 
purposely set up shop in lawless areas or countries that are 
willing to turn a blind eye to these activities? I guess, Mr. 
Merritt and Mr. Snow, I would turn to you for this.
    Mr. Merritt. Sir, I think somebody referenced it earlier, 
some of the challenges when these crimes originate overseas and 
they target either U.S. citizens or corporations, and then the 
financial infrastructure. In addition to some countries that 
don't have legislation that makes this necessarily a crime in 
their country, there are other challenges, as well.
    I mean, I think law enforcement here in the United States 
has been able to dispel the myth of anonymity that the computer 
and the Internet provide to the criminals because we have been 
successful in many investigations identifying these people.
    But you get into lack of legislation, countries that don't 
have an extradition treaty with the states, the official 
channels that we normally go through for MLATs and letters 
rogatory are very cumbersome and time-consuming.
    So a lot of it develops--and I will let Gordon speak for 
himself, but it develops on the relationship that you have with 
your foreign law enforcement counterparts and what you are able 
to successfully do with them, because we obviously have limited 
jurisdiction overseas.
    Mr. Snow. Yes, sir. I will--the comments of Mr. Merritt. 
The relationship internationally is just completely critical, 
and in legislation development, which, you know, we don't speak 
to but Department of Justice does, is also critical, the MLAT, 
the letter rogatories, the officer-to-officer contact that we 
have.
    And then the private-public partnerships that develop when 
you talk about child exploitation is critical also. So the 
National Center for Missing and Exploited Children are really 
doing some fantastic things in their public-private 
partnership, along with the International Center for Missing 
and Exploited Children.
    Mr. Deutch. Thank you.
    Mr. Sullivan, I am looking at the statement of rights and 
responsibilities on Facebook, which says, very clearly, you 
will not use Facebook if you are under 13. I would suggest to 
you that there are more 60-, 70-and 80-year-old grandparents, 
widows and widowers, with full, rich life histories who are, in 
fact, 10, 11 and 12 years old on Facebook than you could even 
imagine.
    And I wonder, since Facebook very clearly says it should 
not be used unless you are 13, what should we be doing? Do we 
pretend that the younger kids aren't doing it? Is there 
something Facebook can be doing to make it safer for those 
younger kids, which is, I think, the approach that makes the 
most sense to me? And have you tried to track the number of 
pre-teens who are actually using Facebook, since the numbers 
must be astounding?
    Mr. Sullivan. Sir, you are right that our policy is very 
clear, that we don't want people under the age of 13 to use our 
service. And we have taken a multi-tiered approach to trying to 
make that happen. And to the extent that you are aware, or if 
you become aware of someone under the age of 13, or you know 
their parents, I would ask that you put them in touch with me 
or advise them not to use the service until they turn 13.
    It is a topic that has received a lot of attention in 
recent years, how do we address teens and youth online. And the 
approach we have taken is kind of a three-tiered approach. I 
think that we do focus on policy and we focus on education, and 
then we build tools to try and prevent those under 13 from 
using our site.
    Mr. Deutch. I guess just if I may, Mr. Chairman, the last 
question is there are two approaches. You can devote 
considerable energy to trying to prevent 11-and 12-year-old 
kids from using Facebook, or you can acknowledge that there are 
thousands and thousands of 11 and 12 and 10, and I don't even 
know how young, kids who are using Facebook, and ratchet up the 
privacy levels or create a separate area for them. And is that 
even part of your thinking, or is the focus entirely on keeping 
them off?
    Mr. Sullivan. Our focus right now is on keeping them off of 
Facebook and on making Facebook as safe as possible for that 13 
to 18 group that is on the site. And so, I mentioned earlier 
that we don't have different rules for people in different 
jurisdictions around the world. We do treat people differently 
who are under the age of 18 in terms of what we would even 
allow them to do on the site or the type of information that is 
even made visible to them.
    Mr. Deutch. Last question, Mr. Chairman. Do you deny access 
to anyone--do you scan your members to find those who are 
clearly describing life experiences in one way on their 
biography, and then have pictures of little kids, lots and lots 
of pictures of 10, 11 year olds on their site?
    Mr. Sullivan. We do have some back-end tools and algorithms 
that we use. We also rely on a considerably passionate user 
community who is very happy to report other people to us. And 
finally, we do use technology to, you know, try and identify 
and make sure that those people aren't on our site.
    Mr. Deutch. Okay. I think, finally, there is an obligation 
also, as you work to address all of the concerns, if you know 
that there are thousands of kids out there that, while the goal 
may be to keep them off, we should be trying, and you should be 
trying, to keep them safe, as well.
    Mr. Sullivan. That is right.
    Mr. Quigley. Gentleman's time has expired.
    I would like to thank the witnesses for their testimony 
today. Members may have additional written questions, which we 
will forward to you and ask that you answer as promptly as you 
can so that they may be made part of the hearing record. The 
record will remain open for 1 week for submission of additional 
material.
    Without objection, the Subcommittee stands adjourned.
    [Whereupon, at 3:35 p.m., the Subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record



                                








                                





                                



















                                 
