[Senate Hearing 112-662]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-662

 
  STATE OF FEDERAL PRIVACY AND DATA SECURITY LAW: LAGGING BEHIND THE 
                                 TIMES?

=======================================================================

                                HEARING

                               before the

                  OVERSIGHT OF GOVERNMENT MANAGEMENT,
                     THE FEDERAL WORKFORCE, AND THE
                   DISTRICT OF COLUMBIA SUBCOMMITTEE

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 31, 2012

                               __________

         Available via the World Wide Web: http://www.fdsys.gov

       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs


                  U.S. GOVERNMENT PRINTING OFFICE
76-066                    WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, bookstore@gpo.gov.



        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware           SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio
JON TESTER, Montana                  RAND PAUL, Kentucky
MARK BEGICH, Alaska                  JERRY MORAN, Kansas

                  Michael L. Alexander, Staff Director
               Nicholas A. Rossi, Minority Staff Director
                  Trina Driessnack Tyrer, Chief Clerk
            Joyce Ward, Publications Clerk and GPO Detailee


  OVERSIGHT OF GOVERNMENT MANAGEMENT, THE FEDERAL WORKFORCE, AND THE 
                   DISTRICT OF COLUMBIA SUBCOMMITTEE

                   DANIEL K. AKAKA, Hawaii, Chairman
CARL LEVIN, Michigan                 RON JOHNSON, Wisconsin
MARY L. LANDRIEU, Louisiana          TOM COBURN, Oklahoma
MARK BEGICH, Alaska                  JERRY MORAN, Kansas

                       Eric M. Tamarkin, Counsel
               Rachel R. Weaver, Minority Staff Director
                      Lauren Corcoran, Chief Clerk


                            C O N T E N T S

                                 ------                                
Opening statement:
                                                                   Page
    Senator Akaka................................................     1
    Senator Johnson..............................................     3
Prepared statement:
    Senator Akaka................................................    35
    Senator Carper...............................................    37

                               WITNESSES
                         Tuesday, July 31, 2012

Mary Ellen Callahan, Chief Privacy Officer, U.S. Department of 
  Homeland Security..............................................     4
Greg Long, Executive Director, Federal Retirement Thrift 
  Investment Board...............................................     6
Greg C. Wilshusen, Director, Information Security Issues, U.S. 
  Accountability Office..........................................     8
Peter Swire, C. William O'Neill Professor of Law at Ohio State 
  University.....................................................    19
Chris Calabrese, Legislative Counsel, American Civil Liberties 
  Union..........................................................    21
Paul Rosenzweig, Visiting Fellow, Heritage Foundation............    23

                     Alphabetical List of Witnesses

Calabrese, Chris:
    Testimony....................................................    21
    Prepared statement...........................................    84
Callahan, Mary Ellen:
    Testimony....................................................     4
    Prepared statement...........................................    38
Long, Greg:
    Testimony....................................................     6
    Prepared statement...........................................    46
Rosenzweig, Paul:
    Testimony....................................................    23
    Prepared statement...........................................    99
Swire, Peter:
    Testimony....................................................    19
    Prepared statement...........................................    69
Wilshusen, Greg C.:
    Testimony....................................................     8
    Prepared statement...........................................    52

                                APPENDIX

Questions and responses for the Record from:
    Ms. Callahan.................................................   117
    Mr. Long.....................................................   119
    Mr. Wilshusen................................................   124
    Mr. Swire....................................................   126
    Mr. Calabrese................................................   127
    Mr. Rosenzweig...............................................   131


  STATE OF FEDERAL PRIVACY AND DATA SECURITY LAW: LAGGING BEHIND THE 
                                 TIMES?

                              ----------                              


                         TUESDAY, JULY 31, 2012

                                 U.S. Senate,      
              Subcommittee on Oversight of Government      
                     Management, the Federal Workforce,    
                            and the District of Columbia,  
                      of the Committee on Homeland Security
                                        and Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 10:03 a.m., in 
Room SD-628, Dirksen Senate Office Building, Hon. Daniel K. 
Akaka, Chairman of the Subcommittee, presiding.
    Present: Senators Akaka and Johnson.

               OPENING STATEMENT OF SENATOR AKAKA

    Senator Akaka. I call this hearing of the Subcommittee on 
Oversight of Government Management, the Federal Workforce, and 
the District of Columbia to order.
    I want to say Aloha and welcome our guests and all those 
who are here and interested in this hearing, and I just want to 
thank all of you for being here.
    Today, the Subcommittee will examine the foundation for our 
Federal privacy and data security laws. Unfortunately, key 
pieces of this foundation have serious cracks that need to be 
fixed.
    The Privacy Act, a cornerstone of Federal privacy 
protection, was enacted way back in 1974 to respond to the 
increasing ease of collecting and storing personal information 
in computer databases. It governs how the Federal Government 
gathers, shares, and protects Americans' personal information.
    Despite dramatic technological change over the last four 
decades, much of the Privacy Act remains stuck in the 1970s. 
Many of the definitions in the Act are simply out of date and 
do not make sense in the current data environment. As a result, 
the Act is difficult to interpret and apply, and it provides 
inconsistent protection to the massive amount of personal 
information in the hands of the government. I want to highlight 
a few specific concerns.
    Earlier this year, the Supreme Court restricted Privacy Act 
remedies. In Federal Aviation Administration v. Cooper, the 
Social Security Administration violated the Privacy Act by 
sharing the plaintiff's HIV status with other Federal agencies. 
The Court concluded that he could not be compensated for 
emotional distress, because Privacy Act damages are limited to 
economic harm. By many experts' accounts, this decision 
rendered the Act toothless, and scholars across the political 
spectrum have called for Congress to amend the Privacy Act to 
fix this decision.
    Additionally, agencies frequently use private sector 
databases for law enforcement and other purposes that affect 
individuals' rights. This is not covered by Federal privacy 
laws, which creates a loophole that allows agencies to avoid 
privacy requirements. We should require privacy impact 
assessments (PIA) on agencies' use of commercial sources of 
Americans' private information. This would provide basic 
transparency of the use of commercial databases so that 
individuals have appropriate protections such as access, 
notice, correction, and purpose limitations.
    Strong Executive Branch leadership is also essential to 
effectively enforcing the privacy protections we do now have. 
Over time, Congress has statutorily required Chief Privacy 
Officers (CPOs) in many agencies across the Federal Government, 
and the Office of Management and Budget (OMB) mandated in 1999 
that all agencies designate a senior privacy official to assume 
responsibility for privacy policy. My Privacy Officer With 
Enhanced Rights (POWER) Act--included in the Implementing 
Recommendations of the 9/11 Commission Act of 2007--
strengthened the authorities of the Department of Homeland 
Security (DHS) Chief Privacy Officer, and I would say with 
positive results.
    Despite OMB's mandate to oversee privacy policies 
governmentwide, it has not named a chief privacy official since 
the Clinton Administration. As a result, responsibility for 
protecting privacy is fragmented and agencies' compliance with 
privacy requirements is inconsistent.
    Widespread agency data breaches, and inconsistent responses 
when they occur, are symptoms of this problem. We all remember 
the massive data breach at the Department of Veterans Affairs 
in May 2006 where the personal information of more than 26 
million veterans and active duty members of the military was 
exposed. After that breach, OMB issued guidance requiring 
agencies to strengthen safeguards for personal information and 
implement data breach notification policies. But implementation 
of the guidance has been uneven, and the number of Federal data 
breaches has only grown.
    Recently, a contractor to the Federal Retirement Thrift 
Investment Board (FRTIB) was the subject of a cyber attack that 
compromised the personal information of over 123,000 
participants in the Thrift Savings Plan (TSP). This included 43 
current and former Members of Congress. I was one of them. I 
was concerned to learn that the Board had not followed the 2007 
OMB guidance and did not have a data breach notification policy 
in place when they learned of the breach. I am working with the 
Government Accountability Office (GAO) to determine how many 
other agencies have not followed this guidance and determine 
whether there is sufficient oversight of agencies that have 
complied.
    This builds on the substantial work GAO has completed in 
response to my nine previous requests on privacy and data 
security. I have also worked closely with GAO in drafting my 
Privacy Act Modernization for the Information Age Act, S. 1732, 
which would make the OMB guidance mandatory for agencies and 
fix many of the other cracks in the privacy and data security 
foundation.
    Promoting privacy and civil liberties has been a priority 
during my tenure in the U.S. Senate, and I will continue 
focusing on this issue until the end of the year. I hope my 
colleagues will join me in two current efforts to address the 
problems raised at this hearing: S. 1732 and my amendment to 
the cybersecurity bill we are currently considering on the 
floor. Protecting Americans' privacy is a bipartisan issue that 
I hope my colleagues will continue to advance in the years to 
come.
    And so, I would like to call on my brother here for any 
opening statement that he may have. Senator Johnson.

              OPENING STATEMENT OF SENATOR JOHNSON

    Senator Johnson. Thank you, Mr. Chairman, witnesses. I want 
to thank you for taking time and not only being here today but 
also for preparing your thoughtful testimony.
    Aloha. Mr. Chairman, before I start, I am not quite sure 
whether we are going to have another hearing. We may, but in 
case we do not, I just want to say what a pleasure it has been 
serving with you as your Ranking Member on the Subcommittee.
    I mean, you are a kind, gentle, honorable soul; and for 
somebody new to the Senate, this is a very nice start for me to 
be able to serve with someone like you. So, it has really been 
a pleasure. I just wanted to say that.
    I want to thank you for having this hearing. I think this 
is very timely. The full Senate now is taking up the 
cybersecurity bill. One of the primary issues that we are 
having to deal with is the privacy aspect, and all the effects 
of cybersecurity, trying to maintain security within our 
Internet network, certainly privacy is a real consideration 
there. It is a serious issue. It is an important issue. It is 
also highly complex.
    Back in February I read a book review in the Wall Street 
Journal on a book called Abundance by Peter Diamandis and Steven 
Kotler, and just to put the issue in perspective how complex 
this is, I just want to start reading the very beginning of 
this book review.
    It says, ``If every image made and every word written from 
the earliest string of civilization to the year 2003 were 
converted to digital information, the total would come to five 
exabytes.''
    We cannot even comprehend what an exabyte is. It is one 
followed by 18 zeros. So again, everything from the dawn of 
civilization to the year 2003, five exabytes. From the year 
2003 to 2010, we were producing five exabytes of information 
every 2 days. Next year the authors project that we will be 
producing five exabytes of information every 10 minutes.
    So, in the age of Facebook and Google where people are 
voluntarily and willingly providing all kinds of information to 
private companies, I think we really have to ask some very 
serious questions.
    With technology advancing at such a rapid rate, certainly 
the types of questions I will be asking in this hearing are 
going to be pretty basic. I am new here. I was not around in 
1974 when the Privacy Act was, I was around but not here, when 
it was enacted.
    So, I am just going to be asking basic questions about what 
was the purpose of that, what is the purpose moving forward, 
how do we grapple with just this exponential growth in 
information and the serious threat to our cyber networks of 
attack from criminals, from foreign sources, and we need to 
take a look at what the purpose, what the cost and benefit of 
governmental actions, and is there potentially a better way.
    So, that will kind of be the thrust of my questions. I am 
really looking forward to the testimony. Again, it is very 
timely and, Mr. Chairman, I again want to thank you for holding 
the hearing.
    Senator Akaka. Thank you very much, Senator Johnson.
    Now, I would like to welcome our witnesses to the hearing 
in the first panel. Ms. Mary Ellen Callahan, Chief Privacy 
Officer, at the Department of Homeland Security.
    I know today is your last day at DHS. So, I want to thank 
you so much for your service and what you have brought to that 
particular office of Chief Privacy Officer, and we have so much 
to learn from you and your experiences that you have had thus 
far.
    I appreciate your outstanding leadership on privacy and 
really wish you the best of luck in your future endeavors. 
Thank you so much for your service.
    Mr. Greg Long, Executive Director of the Federal Retirement 
Thrift Investment Board, and Mr. Greg Wilshusen, Director, 
Information Security Issues at the U.S. Government 
Accountability Office.
    As you know, it is the custom of the Subcommittee to swear 
in all witnesses. So, will you please rise and raise your right 
hand.
    Do you solemnly swear that the testimony you are about to 
give this Subcommittee is the truth, the whole truth, and 
nothing but the truth so help you, God.
    Ms. Callahan. I do.
    Mr. Long. I do.
    Mr. Wilshusen. I do.
    Senator Akaka. Thank you.
    Let it be noted in the record that the witnesses answered 
in the affirmative.
    Before we start, I want you to know that your full written 
statement will be made a part of the record. I would also like 
to remind you to please limit your oral remarks to about 5 
minutes.
    Ms. Callahan, will you please proceed with your statement.

  TESTIMONY OF MARY ELLEN CALLAHAN,\1\ CHIEF PRIVACY OFFICER, 
              U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Callahan. Thank you very much, sir. Good morning, 
Chairman Akaka, Ranking Member Johnson.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Callahan appears in the appendix 
on page 38.
---------------------------------------------------------------------------
    Thank you for the opportunity to appear before you today to 
discuss my role as the Department of Homeland Security's Chief 
Privacy Officer, the Privacy Act, and the collaborative 
achievements of the Privacy Committee of the Federal Chief 
Information Officers Council.
    As you know, the Department of Homeland Security is the 
first department in the Federal Government to have a 
statutorily mandated privacy officer, and for that I am 
eternally grateful. I have had the privilege of serving in that 
role since March 2009. The Homeland Security Act and the POWER 
Act grants the Chief Privacy Officer the primary responsibility 
for ensuring that privacy considerations and protections are 
comprehensively integrated into all DHS programs, policies, and 
procedures.
    I also ensure that personal information contained in 
Privacy Act systems of records is handled in full compliance with 
fair information practices. Many of my authorities are similar 
to those of Federal Chief Privacy Officers; but I am unique, 
however, in that my statutory mandate includes the authority to 
investigate department programs and operations.
    During my tenure, I have led three major investigations of 
significant non-compliance with departmental privacy policy. 
Consistent with the office's unique position as both an adviser 
and an oversight body for the Department's privacy sensitive 
programs and systems, I recently approved the creation of a 
privacy oversight group within the DHS privacy office.
    In addition to conducting investigations, the privacy 
oversight team has instituted a series of privacy compliance 
reviews to improve a program's ability to comply with privacy 
assurances.
    One specific example of my office's privacy efforts is the 
response to the OMB guidance on safeguarding personally 
identifiable information (PII). OMB guidance required agencies 
to develop and implement a policy on breach notifications, which 
DHS refers to as privacy incidents. In September 2007 and 
then updated again in early 2012, the DHS privacy office 
distributed its Privacy Incident Handling Guidance throughout 
the Department to inform employees of their responsibilities to 
safeguard PII. The guidance provides detailed information on 
how to handle all stages of privacy incidents.
    To ensure that staff are cognizant of PII protections, we 
also recently updated our annual online training which is 
mandatory for all DHS employees and contractors.
    One of the topics of this hearing today is the Privacy Act 
of 1974. The Privacy Act was passed in an era before electronic 
communications and databases were the norms in Federal 
agencies.
    Nonetheless, many of the concepts embedded in the original 
Act are flexible enough to permit similar records to be treated 
consistently regardless of where they are located.
    One method to address modern challenges of implementing the 
Privacy Act is to share best practices among Federal privacy 
officials. Formal council-level bodies exist for many Federal 
chief officers. There is no formal council-level body that 
exists for Chief Privacy Officers. I am, however, proud to 
serve as the co-chair of the privacy committee of the Chief 
Information Officer (CIO) Council. The privacy committee was 
initially formed in response to the need to coordinate on 
shared challenges such as information sharing and protection of 
personally identifiable information.
    Since its formal establishment in 2009, the committee has 
successfully functioned as a consensus-based forum for the 
development of privacy policy and protections throughout the 
Federal Government and is thoroughly integrated into the 
technology initiatives occurring within the Federal CIO 
Council. It provides an important venue in which to share 
experiences, training, innovative approaches, and best 
practices. The committee has also led the development of 
privacy standards and safeguards for emerging technologies such 
as cloud computing and social media.
    In addition, the privacy committee this year has gathered 
the uniform resource locators (URLs) or the Web sites for all 
the privacy impact assessments and system of records notices 
for each of the 55 participating Federal agencies. That list of 
privacy impact assessments and systems of records notices is 
available on CIO.com. The achievements of the privacy committee 
indicate the vital role it serves in promoting consistent 
Federal privacy policy, and it has been an honor to serve as 
one of the committee's co-chairs.
    The men and women who serve in the privacy offices 
throughout the Federal Government are really unsung heroes. 
Located in various parts of organizational structures, they 
strive every day to apply the spirit and the law of the Privacy 
Act, the E-Gov Act and related privacy laws and policies.
    It has been my pleasure to serve with these colleagues as 
their co-chair for the last 3\1/2\ years. I want to acknowledge 
all the hard work that they have performed throughout my 
Federal service.
    Going forward, I am confident the Department will continue 
to embed privacy protections throughout its programs and 
services. I am happy to answer any of your questions. Thank 
you, sir.
    Senator Akaka. Thank you very much, Ms. Callahan.
    Mr. Long, will you please proceed with your statement.

    TESTIMONY OF GREG LONG,\1\ EXECUTIVE DIRECTOR, FEDERAL 
               RETIREMENT THRIFT INVESTMENT BOARD

    Mr. Long. Good morning, Chairman Akaka and Members of the 
Subcommittee. My name is Greg Long and I am the Executive 
Director of the Federal Retirement Thrift Investment Board. The 
five members of the Board and I serve as fiduciaries of the 
Thrift Savings Plan. As fiduciaries, the law directs that we act 
solely in the interest of the TSP participants and 
beneficiaries and exclusively for the purpose of providing them 
with benefits. Because of this fiduciary duty, Congress 
afforded the FRTIB significant independence. The FRTIB does not 
receive appropriated funds for its operations. We are funded 
through participant monies and our budget is not subject to 
review or approval by Congress or the President.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Long appears in the appendix on 
page 46.
---------------------------------------------------------------------------
    The TSP maintains individual accounts for more than 4.5 
million Federal and Postal employees, members of the uniformed 
services, retirees, and spousal beneficiaries. As of June 30, the TSP 
held approximately $313 billion in retirement savings.
    I have been asked to discuss a number of issues, including 
the cyber attack that resulted in the unauthorized access of 
the personally identifiable information of roughly 123,000 TSP 
participants and payees. In July 2011, a desktop computer used 
by an employee of Serco, an agency contractor, was subjected to 
a sophisticated cyber attack. Neither Serco nor the FRTIB was 
aware of the attack at the time it occurred.
    In April 2012, the Federal Bureau of Investigation (FBI) 
notified Serco that they had discovered data that appeared 
to be stolen from Serco. Serco then notified us of the cyber 
attack. At that time, it was unclear whether agency data had 
been accessed.
    On April 13, we determined that personally identifiable 
information of TSP participants had been compromised. Within 1 
hour, we notified U.S. Computer Emergency Readiness Team (U.S. 
CERT).
    The FRTIB and Serco then worked to analyze numerous files 
to determine what data was accessed and which participants were 
affected.
    On May 20, an independent verification and validation 
concluded that the various files had been correctly 
analyzed.
    On May 25, 5 days after the validated list was produced, we 
notified affected participants about the cyber attack. My 
agency sent letters to each affected participant notifying them 
of the cyber attack and offering them one year of free identity 
theft consultation, restoration, and continuous credit 
monitoring.
    I would like to emphasize the fact that this cyber attack 
was made on our contractor's network. Neither the FRTIB's 
network nor the TSP participant Web site was affected.
    As the fiduciary for a plan charged with protecting the 
retirement savings, data security and privacy protection are 
priorities for us. Over the past decade, the FRTIB has 
undertaken a significant number of changes to its 
infrastructure and established information technology (IT) 
technical controls to improve our IT security posture.
    In addition to those information technology improvements, 
the FRTIB has successfully added new services for its 
participants. Most recently in May, we rolled out the Roth TSP 
option which allows for after-tax contributions to the TSP.
    Many of these changes added significant complexity to the 
plan. The need to implement these new funds and services, in 
large part, mandated how we assigned our personnel and 
allocated funding. For example, rolling out the Roth TSP 
initiative was a 2-year project that required staffing from 
every office within the Agency.
    The FRTIB has security controls in place. Completing all of 
the documentation and accreditation that is required in the 
Federal Information Security Management Act (FISMA), however, 
is an on-going area of focus for our Agency.
    In September 2011, I approved an Enterprise Information 
Security and Risk Management (EISRM) Directive. Last month, I 
approved policies covering 18 families of management, 
operational, and technical security controls.
    To ensure that our privacy and data security policies are 
appropriate, I have commissioned a ``Tiger Team'' to develop a 
plan to improve the security posture of agency information 
systems.
    Mr. Chairman and Members of the Subcommittee, helping 
people retire with dignity is what drives the employees of the 
FRTIB. I deeply regret the cyber attack and the concern that it 
has caused our participants.
    I want to assure all of our participants that we will 
continue to pursue all new avenues to ensure the safety and 
security of their personal data and their retirement funds.
    I would be pleased to take any questions.
    Senator Akaka. Thank you very much, Mr. Long.
    Now, we will have a statement of Mr. Wilshusen. Will you 
please proceed.

   TESTIMONY OF GREG C. WILSHUSEN,\1\ DIRECTOR, INFORMATION 
     SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Akaka, Ranking Member Johnson, 
thank you for the opportunity to testify at today's hearing on 
the State of Federal privacy and data security laws.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wilshusen appears in the appendix 
on page 52.
---------------------------------------------------------------------------
    Two key laws, the Privacy Act and E-Government Act, are 
intended to protect the privacy of Americans' personal 
information and to specify measures that Federal agencies can 
take to reduce the risk of data breaches.
    The increasingly sophisticated ways in which personal 
information is obtained and used by the Federal Government have 
the potential to assist in performing critical functions such 
as helping to detect and prevent terrorist threats and 
enhancing online interactions with citizens. But, they can also 
pose challenges in ensuring the protection of citizens' privacy.
    Today, I will describe the impact of recent technology 
developments on key laws for privacy protection and actions 
agencies can take to protect against and respond to data 
breaches involving personal information.
    But, first, if I may, Mr. Chairman, I would like to 
recognize several colleagues of mine who were instrumental in 
developing my statement and who work very well in this area.
    Behind me is John de Ferrari and David Plocher; and also 
Jeff Woodward, Lee McCracken, and Melina Asencio made 
significant contributions to this effort.
    Senator Akaka. Thank you.
    Mr. Wilshusen. Mr. Chairman, technological advances since 
the Privacy Act became law in 1974 have radically changed the 
way information is organized and shared among organizations and 
individuals.
    Federal agencies use social media services, data mining, 
electronic databases, and other technologies to collect, use, 
and maintain personally identifiable information.
    These advances have rendered some of the provisions of the 
Privacy Act and E-Government Act inadequate to fully protect 
all personal information collected, used, and maintained by the 
Federal Government.
    For example, we identified issues associated with applying 
privacy protections consistently to all Federal collection and 
use of personal information, limiting the collection and use of 
this information to stated purposes, and establishing effective 
mechanisms for informing the public about privacy protections.
    Accordingly, we suggested that Congress consider amending 
the Privacy Act and E-Government Act to address these issues. 
Doing so could provide a number of benefits including: Ensuring 
that privacy protections are applied consistently to all 
Federal collection and use of personal information; providing a 
proper balance between allowing government agencies to collect 
and use such information and limiting that collection and use 
to what is necessary and relevant; and providing individuals 
with pertinent information about what personal data are to be 
collected, how they are to be used, and the circumstances under 
which they may be shared.
    Mr. Chairman, as you know, much of the personal information 
collected and maintained by Federal agencies is processed and 
stored on computerized systems and networks. Yet, these systems 
and networks often do not provide sufficient security 
safeguards to protect this information.
    To assist agencies in protecting information, we have 
reported that they should assess the privacy implications of a 
planned information system or data collections prior to 
implementation; implement a robust information security 
program; and limit the collection of personal information, the 
time it is retained, and who has access to it.
    Nevertheless, Federal systems remain vulnerable and data 
breaches do occur. The number of security incidents reported by 
Federal agencies involving personally identifiable information 
has risen from about 13,000 in the year 2010 to over 15,500 in 
2011, an increase of 19 percent.
    Thus, it is important that proper response policies and 
procedures be in place. Notifying individuals affected by data 
breaches has clear benefits such as allowing people to take 
steps to protect themselves from identity theft.
    Such notification is consistent with agencies' 
responsibilities to inform individuals about how their 
information is being accessed and used, and it promotes 
accountability for privacy protection.
    In summary, Mr. Chairman, ensuring the privacy and security 
of personal information collected by the Federal Government 
remains a challenge, particularly in light of the increasing 
dependence on networked computer systems that can store, 
process, and transfer vast amounts of data.
    Updating Federal laws and guidance to reflect current 
practices for collecting and using personal information will be 
key to meeting this challenge as is the need for agencies to 
effectively implement data security controls and privacy 
protections.
    Without sufficient attention to these matters, Americans' 
personal information will remain at risk.
    Chairman Akaka, Ranking Member Johnson, this concludes my 
statement. I will be happy to answer any questions.
    Senator Akaka. Thank you very much for your statement.
    Mr. Long, you testified that the Board did not have a 
breach notification plan in place at the time of the cyber 
attack because of insufficient resources.
    The Board has also informed Committee staff that it does 
not consider itself bound by the OMB guidance because the Board 
is an independent entity and it decides on a case-by-case basis 
which OMB guidance to follow.
    Please discuss your view on whether the guidance applies to 
the Board as well as whether you would expect any differences 
in the Board's approach going forward.
    Mr. Long. Senator, thank you very much.
    The OMB guidance has been very useful through the data 
breach event and the cyber attack. We did not have a breach 
notification policy in place. We review every piece of OMB 
guidance that comes to us, and we look at it to determine 
whether there is anything within that guidance that conflicts 
with my status and the Board's status as a fiduciary. As a 
fiduciary, we have to act solely in the interest of the 
participants and beneficiaries.
    In this case that guidance followed best practices. It was 
the right thing to do. We reviewed it and it is one of the 
items that we decided to get to.
    However, and I regret that this happened, we did not 
have the breach notification policy in place at the time that 
the cyber attack occurred.
    However, in responding to the cyber attack that guidance 
was followed, and it was very useful in crafting our message 
and determining the process that we eventually went through.
    Senator Akaka. Thank you for that.
    As you know, I have offered an amendment to the 
cybersecurity bill we are debating on the floor to make breach 
notification mandatory. I think it is really critical to make 
certain agencies prioritize this before a breach occurs. We 
hope that can be done in that way.
    Mr. Wilshusen, in my view, agency privacy officers have 
been critical to focusing attention and providing leadership on 
privacy issues. I advocated the first statutory CPO at DHS and 
I have been pleased that this position was expanded to other 
agencies.
    There have been several proposals over the years to create 
a Chief Privacy Officer at OMB to manage privacy policy across 
the government. What do you see as the potential benefits of 
designating a CPO for the Federal Government as a whole?
    Mr. Wilshusen. Well, first, I would say that it would 
certainly raise the profile of privacy within the Federal 
Government and the importance of implementing privacy 
protections throughout the agencies.
    In addition, the position could also provide advice to 
others within the Executive Office (EO) of the President as 
well as help coordinate privacy issues across Federal agencies, 
even potentially helping to monitor the implementation of 
privacy controls and privacy protections at the Federal 
agencies and report on them appropriately.
    Senator Akaka. Thank you.
    This question is for Ms. Callahan and Mr. Wilshusen. As you 
know, the recent STOCK Act requires, among other things, that 
the financial disclosure forms of approximately 20,000 senior 
Executive Branch employees be posted online, which will make 
them available to anyone worldwide with Internet access.
    I think government transparency is critical but publishing 
employees' personal financial information on the Internet does 
raise some concerns.
    So, my question to both of you is: Do you feel this is an 
unnecessary invasion of employee privacy?
    Ms. Callahan. I guess I will go first.
    Thank you, Mr. Chairman. The STOCK Act has required that 
the financial disclosures that were required for a series of 
individuals, both senior status as well as political 
appointees, not only be available under a Freedom of 
Information Act (FOIA) which it always has been but to be 
available electronically online in a searchable fashion.
    First, the privacy committee that I spoke about earlier 
actually has been trying to figure out some governmentwide 
guidance on how to address these issues and how to advise the 
20 some thousand individuals whose information is impacted. We 
have had a lot of informal conversations with ethics councils 
and so on.
    As a privacy advocate, I am concerned and I believe there 
may be some privacy considerations in two fashions. One is the 
potential of identity theft, and we talk about data breaches 
and how to protect our information and how to preserve the 
information.
    The information that is provided on that form, even if all 
of the Social Securities and other sensitive information has 
been removed, still paints a very detailed picture of an 
individual that would be available for somebody to look at and 
to investigate.
    So, not only is identity theft a possibility but theft in 
general could be a possibility if you notice the types of 
assets and the protections therein. I also worry about the 
chilling effect that it could have on employees or potential 
employees in the Federal service.
    With that said, as the privacy officer with the privacy 
committee, we have tried to put in as many protections and give 
as much advice as we can in order to respond to this recent 
requirement.
    Senator Akaka. Thank you. Mr. Wilshusen.
    Mr. Wilshusen. I would just say I also understand the need 
to balance government transparency and how government 
operations are conducted and by whom. But at the same time, the 
information that is being posted is quite personal in nature. 
So there are certainly privacy risks and those risks need to be 
balanced, as has been decided against the need for open 
transparency.
    But GAO has not looked at this issue specifically so I 
cannot really comment much beyond that.
    Senator Akaka. Thank you very much and thanks for those 
responses.
    I also want to note that a number of influential homeland 
security and intelligence community officials recently wrote to 
Congress that this requirement will create significant national 
security threats and could place certain Federal employees and 
their families in harm's way.
    I think it is important to look closely at these issues and 
make any changes that are needed to protect our national 
security and employee safety.
    Mr. Wilshusen and Ms. Callahan, I have been disappointed 
that the Privacy and Civil Liberties Oversight Board (PCLOB) 
has been dormant for so long.
    Peter Swire, who will be testifying on the second panel, 
has argued that the most important short-term action the Senate 
can take on privacy is to confirm the five nominees for the 
Board.
    Do you agree with Mr. Swire's assessment? Mr. Wilshusen.
    Mr. Wilshusen. I would say we have not looked at that 
particular issue as part of my work so I cannot comment.
    Ms. Callahan. As the Chief Privacy Officer at the 
Department of Homeland Security, the statute requires that we 
work with the PCLOB; and at DHS and throughout the Federal 
Government, the Chief Privacy Officers are very much looking 
forward to working with the Board once it is confirmed.
    Senator Akaka. Thank you very much.
    Senator Johnson, your questions.
    Senator Johnson. Thank you, Mr. Chairman.
    First of all, Ms. Callahan, I also want to thank you for 
your service and certainly wish you well in your next endeavor. 
As the co-chair of the privacy committee, let us just kind of 
start out. I would like to get your assessment of the range of 
privacy practices and controls throughout the different 
agencies.
    Can you just kind of comment on that?
    Ms. Callahan. Certainly, sir. Thank you very much.
    As noted in my oral testimony, there are privacy officers 
throughout the Federal Government. They are in different places 
throughout the Federal Government logistically, 
organizationally within the Departments.
    I have been very fortunate to report directly to the 
Secretary thanks to the Homeland Security Act, and I think that 
has inured not only to my benefit but to the Department's 
benefit.
    Federal Chief Privacy Officers are in different places 
reporting to different positions, whether it be the general 
counsel, the chief information officer, the chief financial 
officer; and I worry that consistency and organizational 
structure may lead to more inefficiencies in terms of trying to 
address privacy considerations.
    With that said, the work of the privacy committee and the 
work of these individuals is really yeoman's work in that they 
are working every day to integrate the privacy elements. It 
just depends on where they are in the organizational structure 
they have more success or less.
    Senator Johnson. Would you say the range in terms of 
uniformity of privacy standards is primarily related to what? I 
mean, would you say how high profile the privacy officer is in 
relationship to the Secretary or are there other factors at 
play?
    Ms. Callahan. I think that is a factor. I think that the 
culture of the agency or Department may also be a factor. There 
also may be a factor in the sense that if they had a privacy 
consideration or a problem before that may have heightened the 
privacy considerations.
    The chairman mentioned the Veterans' Affairs Committee and 
the Veterans' Affairs Committee CIO is actually one of my co-
chairs on the privacy committee to kind of have that nexus 
between technology and privacy.
    Senator Johnson. Do you think that probably the best way of 
getting uniformity is really through the privacy committee 
then? Is that working well? Do you have any other suggestions 
on that?
    Ms. Callahan. I certainly think that has helped a lot and 
that has helped leverage best practices, also to leverage 
resources. DHS is the most well-resourced privacy office and 
again thank you for that.
    To go and use our work to try to go across the less funded 
agencies, as I said, we have 55 members who are participating 
including, obviously, independent agencies, and I think that 
has been very useful.
    The attention that privacy gets, including this hearing, I 
think will be very beneficial.
    Senator Johnson. This might be kind of a hard question but 
can you name the top two or three agencies in terms of privacy 
compliance and maybe name two or three that really give you 
concern or not, probably not?
    Ms. Callahan. Well, the No. 1 is obviously the Department 
of Homeland Security. [Laughter.]
    Beyond that, it probably does not behoove me even on my 
last day to comment.
    Senator Johnson. Maybe privately you can give it to us.
    Ms. Callahan. I would be happy to, sir.
    Senator Johnson. Mr. Long, can you give me some sense of 
your evaluation of how good these standards are for cyber 
protection, let us say, in your agency and maybe even 
generalize it throughout the Federal Government in comparison 
to the private sector?
    Mr. Long. I can comment certainly on our agency. One of the 
actions that we have been very busy with over the past decade 
has been to focus on IT improvements and architecture and 
technical controls.
    So, we undertook a significant modernization effort in 
terms of hardening our server environment. We made sure that we 
had protection built into our new capabilities--that has been a 
big focus on what we do going forward.
    That said, we certainly have to focus on the FISMA 
documentation that is required. Even with all of this, we know 
that there are sophisticated attackers out there. We have been 
a victim. Our contractor was the victim and we felt the effects 
of that attack.
    So, we need to go back and re-double our efforts and that 
is exactly one of the efforts that we are going through right 
now. We have felt that we have focused on IT security but this 
is a wake-up call and we are going to look at it and look at it 
closely.
    Senator Johnson. Who do you rely on in terms of advising 
and trying to set up your IT security?
    Mr. Long. We have internally our chief technology officer. 
We will focus on the chief technology person as well as the 
chief information security officer that reports to the head of 
technology.
    We recently established an office that reports directly to 
me for enterprise risk management. In addition, we will reach 
out to the third-party providers of services and now we are 
actually reaching out to DHS to figure out whether we can learn 
things from different councils and then through other 
government bodies.
    Senator Johnson. Are you finding DHS to be very helpful 
from that standpoint? I mean, is that a really good core group 
to go to or would you be better off going to potentially other 
agencies that may have, I mean, do you have a clue in terms of 
which agencies are hardened in terms of cybersecurity? Which 
ones lead the way?
    Mr. Long. In terms of our outreach to DHS prior to this 
event and to other agencies, it was limited. We certainly 
participated on the Small Agency Council. We participated on 
multiple groups, the chief information security council.
    So, we would rely on small government groups on an ad hoc 
basis. Now, as a reaction to a cyber attack on our vendor's 
network, we are now trying to figure out how we can formalize 
that better, whether it is through DHS or other groups within 
the government.
    And then second, in forming a team to look at these issues, 
to figure out whether we need to go to third-party, private 
institutions to assist us with remediation and best practices 
on technology.
    Senator Johnson. OK. Thank you. I am almost out of time.
    Are we going to do a second round?
    Senator Akaka. Yes.
    Senator Johnson. OK. I will wait.
    Senator Akaka. Thank you very much, Senator Johnson.
    Ms. Callahan, I am interested in hearing more about your 
experience as the only Chief Privacy Officer with the 
strengthened investigative authorities granted by the 9-11 
Commission Act of 2007.
    In my view, extending these authorities to DHS was 
critical, given the Department's broad homeland security 
authorities, but I believe these investigative powers also 
could provide an important check against abuses in other 
agencies.
    So, my question has two parts. Will you please elaborate on 
how your work has benefited from these authorities and also 
discuss whether you believe they should be extended to Chief 
Privacy Officers across the government?
    Ms. Callahan. Thank you, sir.
    My investigatory authority has benefited my position in the 
Department quite a lot. As I mentioned earlier, the 
investigatory authority kind of helps me have the life cycle of 
privacy compliance in terms of how we announce what we are 
going to do beforehand, how we go and have the privacy 
compliance reviewed to make sure that our assurances are, 
indeed, consistent with what we have done, and if we have had a 
deviation, that we have the ability to have the investigation 
to go and look at what went wrong and how we can help 
ameliorate it and mitigate it for the entire Department.
    I have had three major investigations of Department 
noncompliance with privacy policy. In each of those, it was not 
just a data breach, although a data breach was involved in at 
least one of them.
    But, it was more of a systemic circumstance where the 
Department as a whole could learn from it, and I will use as an 
example, my first investigation was actually of the Inspector 
General (IG) which I took a slight bit of glee about.
    But what had happened was the Inspector General using 
financial information for their financial audits that are 
required, their contractor used an unencrypted Universal Serial 
Bus (USB) drive and passed it among each other because the DHS 
system was too hard to use and to utilize. So, they had it as 
kind of the team USB drive. That had information from the U.S. 
Immigration and Customs Enforcement (ICE), the United States 
Citizenship and Immigration Services (USCIS), the Customs and 
Border Protection (CBP) and other components on it because it 
was part of the financial concerns.
    The USB drive was lost; and so, the Inspector General, 
consistent with his authority, did the fact-finding of what 
happened and kind of the facts associated therein.
    I then applied a privacy analysis to the circumstances, to 
the noncompliance with DHS policy and also looked at avenues 
and ways for recommendations for the entire Department to 
ameliorate both the contractor use of DHS information but also 
when people hold other component information, what is the data 
breach process, what is the notification process, and the 
mitigation process. And, I think that was a successful example 
of using my investigatory authority to help further the goals 
of the Department.
    Relatedly, I had an investigation associated with social 
media use which has then resulted in the management directive 
on the operational use of social media for the entire 
Department.
    And, I think that those are good examples. Investigations 
are a significant resource drain but at the same time they 
really help to shape the direction of the Department, and I 
think that my office and the Department and its maturation in 
privacy policy has benefited extraordinarily from that process.
    Senator Akaka. Thank you.
    Mr. Long, you testified that Serco, a contractor that 
assists TSP with recordkeeping was the subject of the cyber 
attack that we are discussing today.
    How do you intend to work with current and future 
contractors to ensure that TSP personal information is properly 
secured?
    Mr. Long. Senator, thank you.
    The contract in question, the one with Serco, is actually 
currently in the process of being designed for rebid. So, we 
have put out a public announcement a couple of months ago. We 
are in the process of designing the procurement action. We 
anticipate rolling that out on the street by the end of this 
calendar year and then awarding it the next fiscal year.
    That contract, I can assure you, will have very stringent 
IT security restrictions built into it.
    Senator Akaka. Further, do you think Serco will continue to 
provide recordkeeping services for TSP in the future?
    Mr. Long. I anticipate that it will be a full and open 
competition. We are seeking robust competition from all 
parties.
    Senator Akaka. Yes.
    Mr. Long, you testified that TSP has an extraordinary 
record retention burden. I agree that some data breaches could 
be prevented by limiting the time agencies retain personal 
information.
    Will you please elaborate further on your recommendation?
    Mr. Long. Yes. One of the comments that I think you see 
going through the testimony is a recommendation on limiting the 
time that personally identifiable information is retained and 
that relates to one of the recommendations that we made in that 
currently the statute that governs what we do at FRTIB does not 
contain a statute of limitations for judicial review of a claim 
for benefits brought by a TSP participant or beneficiary.
    This is an indefinite exposure to potential litigation for 
an unlimited period of time even after a participant takes all 
their accounts and is gone for years.
    Therefore, we have advocated for a statute of limitations 
that would limit the amount of time the benefits claim is open, 
therefore, limiting the amount of time we would have to retain 
personally identifiable information. A 5-year statute of 
limitations is what we recommend and that is typically longer 
than what is generally seen within other Employee Retirement 
Income Security Act (ERISA), 401(k) plan type designs.
    Senator Akaka. Thank you.
    My last question. Mr. Wilshusen, you testified that the 
Privacy Act is ineffective in informing the public about 
privacy practices and policies.
    For example, system of records notices published in the 
Federal Register often are difficult to find and to understand. 
Will you please elaborate on why establishing a centralized 
Federal Government privacy Web site as proposed in my bill, S. 
1732, will help address this concern?
    Mr. Wilshusen. Well, I think because it will provide a 
central location and one that is readily accessible. If it is 
on a Web site that users and the public can access in order to 
find information about the Systems of Records Notices (SORNs) 
or PIAs as well as other privacy protections that are available 
to information that is collected and used by the Federal 
Government that will be certainly helpful in meeting the 
openness principle as well as the notification of government 
activities for the public.
    Senator Akaka. Thank you very much. Senator Johnson.
    Senator Johnson. Thank you, Mr. Chairman.
    Mr. Wilshusen, you testified about the concept of limiting 
the information the Federal Government obtains and basically 
limiting the time that it is kept.
    Can you elaborate on that point?
    Mr. Wilshusen. Well, certainly. If Federal agencies are 
collecting personally identifiable information for a stated 
purpose, once that purpose has been achieved, if they continue 
to retain that information indefinitely for no other particular 
use, then potentially if appropriate security controls are not 
placed over that information, it could be subject to risk of 
unauthorized disclosure to someone who might be able to break 
into their systems or gain access to that information.
    So, the principle is just for as long as you need the 
information, keep it, protect it. Once that need no longer 
exists, then get rid of it, delete it, subject to Federal 
records retention schedules.
    Senator Johnson. Does any agency in the Federal Government 
employ that practice right now?
    Mr. Wilshusen. I think probably in certain circumstances 
they might. I know, for example, that OMB had a requirement, in 
terms of safeguarding personally identifiable information, that 
if personal information is placed on agency laptop computers 
which are then taken out of the building and the agency 
determines that it no longer needs that information on those 
laptops, then it needs to delete it within 30 days.
    To the extent that is being implemented and followed is 
something we have not expressly examined to date.
    Senator Johnson. Ms. Callahan, picking up on that same 
point, in your privacy committee is this something that is 
being discussed?
    Ms. Callahan. In the privacy committee, we are not 
discussing necessarily retention periods. We are having that 
conversation more intra-department in terms of looking at how 
long we retain information and what is the nexus between the 
different data retention periods and how do they impact both 
our mission but also the other information that is collected.
    Mr. Wilshusen mentioned if there is an extract of 
information and put on a laptop or a USB drive, hopefully an 
encrypted one, we do have requirements associated with that.
    But, that is just an extract of the information. The 
database at large, we are governed by the data retention 
periods. We do look at them every time the Department of 
Homeland Security does the statutorily required biennial review 
of SORNs to make sure the retention period should remain, and 
we do consider those issues as we renew the SORNs.
    Senator Johnson. Are there within agencies, though, are 
there actually processes for deleting information?
    Ms. Callahan. Oh, I am sorry. There are processes for 
deleting information before the period, before the retention 
period is up.
    Officials are often reticent to do that for two reasons. 
One because they already have an approved retention period from 
the National Archives and you do not want to go counter to 
that.
    The second, there is also the question about whether or not 
it affects operations if you delete information on a more 
subjective standard as Mr. Wilshusen had argued. That is a 
discussion within the privacy community a lot in terms of what 
is the proper retention period. As I said, within the 
Department we have those conversations frequently.
    Senator Johnson. You just used a word that I want to try 
and pick up and question you about. Counter. How many different 
rules, regulations, laws in the Federal Government run counter 
to each other when it comes to privacy?
    I realize that is a really large question. But, do you have 
a relatively succinct answer for that or can you hit on that?
    Ms. Callahan. I think the tension is that the goal of the 
privacy officer is to support the missions and to support 
privacy, and retention is one element of that. I think all of 
the fair information practice principles are ones that you have 
to analyze.
    And so, I think that, if you look at statutes throughout 
the government, the Privacy Act, 40 years old, has some 
elements that may be logically inconsistent with some of the 
other more recent statutes. Yes.
    Senator Johnson. Let us go to the other elements that Mr. 
Wilshusen had talked about in terms of limiting the 
information. Is there any kind of robust effort, or any effort, 
ongoing in any agency about really taking a look at what 
information is really required so we do not ask for more than 
we really need?
    Ms. Callahan. I can answer that question for the Department 
of Homeland Security which is, yes, we are looking into ways to 
not collect the same information over and over from the same 
people if we do not have to.
    One of the things that surprised me when I came to the 
Department was how we had a lot of the same information in 47 
or however many different databases and the databases were not 
necessarily federated or integrated with each other. That could 
have privacy risks in and of itself because you have different 
people logging on. You may not have auditing accountability.
    We are working within the Department to find an 
infrastructure that will allow us to be more efficient, more 
effective, maybe collect less information from the public, and 
I think that they may all cheer for that, but also to have a 
system that has more privacy controls and more privacy 
protections in terms of a way to have the databases interact.
    So, we are thinking about it in the fledgling stages but 
that is definitely something that I think the Department is 
going to move forward with.
    Senator Johnson. Mr. Wilshusen, we are debating a 
cybersecurity bill which, depending upon how it all turns out, 
might impose certain requirements, regulations on the private 
sector.
    I just kind of want to get your feel in terms of the 
government's ability to meet those same types of standards. I 
realize that is very difficult to answer because we really do 
not know what those standards might be.
    But can you just in general speak to the level of technical 
competency within most agencies, how broad that technical 
competency is versus the private sector?
    Mr. Wilshusen. I would be glad to. We do quite a bit of 
work examining the information security controls at Federal 
agencies, and we look at it from different levels. One, across 
the Federal Government in terms of how agencies are reporting 
the implementation of the various different controls as part of 
the FISMA reporting process.
    As part of GAO's responsibility to audit the government 
consolidated financial statements, we work with the agencies' 
IGs to assess the effectiveness of their controls in protecting 
information security controls over the financial information.
    Then, we do other tests of agencies' information security 
controls as requested by Members of Congress. We have been 
reporting that Federal information security has been a high 
risk area, a governmentwide high risk area since 1997.
    Just most recently, the work that we have done and in 
reviewing the work also of the IGs, the majority of the 24 
major CFO Act agencies have weaknesses in most of the 
information security controls that we review.
    And, these would include access controls or those controls 
are designed to restrict, limit, and detect unauthorized access 
to resources as well as other security management programs and 
their procedures for managing the configurations of their 
devices.
    By and large most of those agencies have weaknesses in 
those areas.
    Senator Johnson. Just one quick followup.
    Can you assess or make an evaluation in terms of the 
competency between the Federal Government and those agencies in 
the private sector? Because you are going to see the weaknesses 
in the private sector as well.
    Mr. Wilshusen. In the few instances where we have examined 
the security controls at private sector organizations that are 
performing services for the Federal Government, we have found 
the same types of security weaknesses in those systems as we do 
in the Federal systems.
    Senator Johnson. OK. Thank you very much.
    Senator Akaka. Thank you very much, Senator Johnson.
    I want to thank our first panel very much for your 
responses, your statements, and your valuable offering here. I 
would like to wish you well in your work and hope we can 
continue to work together on privacy and security issues as 
well.
    So, thank you very much for being here.
    I would ask that our second panel come forward. I want to 
welcome our second panel.
    Mr. Peter Swire, C. William O'Neill Professor of Law at 
Ohio State University. Mr. Swire had a previous engagement in 
Seattle, Washington, he will be testifying by teleconference 
this morning.
    Mr. Chris Calabrese, Legislative Counsel at the American 
Civil Liberties Union (ACLU). And, Mr. Paul Rosenzweig, who is 
a visiting fellow at the Heritage Foundation. Thank you all so 
much for being here.
    As you know, it is the custom of this Subcommittee to swear 
in all witnesses. So, will you please rise and raise your right 
hand.
    Do you swear that the testimony you are about to give this 
Subcommittee is the truth, the whole truth, and nothing but the 
truth so help you, God?
    Mr. Swire. I do.
    Mr. Calabrese. I do.
    Mr. Rosenzweig. I do.
    Senator Akaka. Thank you very much all of you.
    Let it be noted for the record that the witnesses have 
answered in the affirmative.
    Before we start, I want to remind you that your full 
written statements will be a part of the record. We ask you to 
please limit your oral remarks to 5 minutes.
    Mr. Swire, please proceed with your statement.

 TESTIMONY OF PETER SWIRE,\1\ C. WILLIAM O'NEILL PROFESSOR OF 
                  LAW AT OHIO STATE UNIVERSITY

    Mr. Swire. Mr. Chairman, and Ranking Member Johnson, thank 
you for asking me to testify here today for this hearing on 
Federal privacy, and thank you also for letting me testify 
remotely. I was unable to be in Washington today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Swire appears in the appendix on 
page 69.
---------------------------------------------------------------------------
    I would like to congratulate Mary Ellen Callahan for her 
service at DHS and the leadership she has shown to the Federal 
agency privacy community over time.
    In this testimony, there are a lot of issues we could talk 
about. I am going to briefly talk about four issues.
    Chairman Akaka, as you said, I think that the Senate should 
promptly confirm the five nominees for the Federal Privacy and 
Civil Liberties Oversight Board. This is the most important 
short-term action the Senate can take on privacy.
    With the cybersecurity legislation, we are going to have 
potentially a lot more information sharing and the PCLOB is the 
way to have the oversight to go with that. All five nominees 
for the PCLOB have been voted out of the Judiciary Committee 
and all five have been supported by the 9/11 commission 
cochairs, Kean and Hamilton.
    There were some dissenting votes in the Committee for the 
proposed chairman, David Medine. He is an outstanding nominee. 
He was a senior civil servant at the Federal Trade Commission 
(FTC) on privacy for many years. He has done work at the law 
firm of WilmerHale with compliance. He really has a workable 
realistic sense of things.
    It is important to confirm the chairman as a part of the 
slate because only the chairman can hire staff by statute. So, 
unless we confirm the full slate, we will not have an oversight 
Board.
    The second topic I am going to discuss is the idea of 
having a Federal Chief Privacy Officer. Senator Akaka in S. 
1732 would create this by statute.
    I had a role similar to that when I was chief counselor for 
privacy in the Office of Management and Budget under President 
Clinton and that has not been repeated as a position.
    I think such a position has three advantages. It can 
coordinate across agencies, and new issues come up all the time 
as we were hearing. Here is one example. Drones are an issue 
that hits the Federal Aviation Administration (FAA) but up 
until now drones have not had to deal with privacy; but if they 
come throughout the U.S. airspace, we have new privacy issues 
and we should have a sort of coordinated Federal response to 
the privacy issues there.
    Second, a Federal Chief Privacy Officer could help with 
clearance across agencies so we have coordinated policy. And 
third, increasingly there are international issues, transborder 
issues for privacy, and so having that work correctly overseas 
is, I think, very important.
    In doing this, I think it helps to have a statute. We have 
seen the DHS have the outstanding agency privacy activities in 
large part because your Committee put that into the statute and 
has supported the position that Mary Ellen Callahan has been 
in. And I think that without a statute, it is easy for OMB not 
to move forward and really create the office.
    My testimony suggests that the Chief Privacy Officer might 
take the lead on nonclassified information systems whereas the 
PCLOB perhaps would take the lead on oversight for classified 
information systems.
    So, the third point I would like to get to is some 
loopholes in the Privacy Act as written. And, the proposed S. 
1732 correctly recognizes there is a loophole in the Privacy 
Act for the definition of system of records.
    The current definition applies only to records that are 
retrieved by name; but with modern search engines, we often 
retrieve things in lots of other ways and then turn up the 
names.
    So, the proposed amendment would close the loophole and it 
would have the effect of requiring a much greater number of 
system of record notices for Federal agencies.
    In my view, having more of these SORNs would create 
compliance burdens for agencies but not necessarily give us the 
biggest payoff in terms of privacy.
    So, my testimony suggests a more promising approach might 
be to improve the privacy impact assessments under the E-Gov 
Act. For instance, we could post these PIAs to a unified Web 
site. We could have public comments on the PIAs, and agencies 
could be required to respond to these public comments and I 
think this might be a more effective way to put attention on 
the most important privacy related systems.
    The fourth in my four points is that the oversight process 
for this Committee could focus more attention on the line 
between what is identified and de-identified data in Federal 
agencies.
    De-identification is a way where we can get uses from the 
data. We can look for patterns and all of that but still have 
privacy protection. Recently, the Federal Trade Commission has 
proposed a promising approach for de-identifying data for the 
private sector.
    I think we can learn from that initiative, and also I will 
be working with the future privacy forum this year on a project 
on how to do de-identified data better.
    So, in conclusion, I thank the Committee for the service of 
drawing attention back to these issues of Federal agency 
privacy policies and I look forward to trying to help with any 
questions. Thank you.
    Senator Akaka. Thank you very much, Mr. Swire.
    Mr. Calabrese, would you please proceed with your 
statement.

TESTIMONY OF CHRISTOPHER R. CALABRESE,\1\ LEGISLATIVE COUNSEL, 
                 AMERICAN CIVIL LIBERTIES UNION

    Mr. Calabrese. Good afternoon, Chairman Akaka, Ranking 
Member Johnson. Thank you for the opportunity to testify on 
behalf of the American Civil Liberties Union on the Privacy 
Act, a landmark statute that now requires a major update from 
Congress.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Calabrese appears in the appendix 
on page 84.
---------------------------------------------------------------------------
    The Privacy Act lays out citizens' rights and Federal agency 
responsibilities for the handling of personal information. The 
Act controls when records can be collected and how they can be 
disclosed, provides notice, and mandates that agencies keep secure, 
accurate, and accessible records.
    But, the Act has always had some major loopholes and has 
become even more outdated over time. Agencies often sidestep 
access, accuracy, and relevance requirements by taking the many 
permissible exceptions under the Privacy Act. They also avoid 
the Privacy Act's prohibitions on disclosure by labeling any 
and all sharing as routine.
    Additionally, the Act only protects systems of records when 
an agency retrieves information about a specific individual or 
information tied to that individual. Hence, it does not apply 
to techniques such as data mining which use pattern-based 
searches not tied to an individual.
    Finally, the Federal Government often uses commercial 
databases which frequently contain incorrect information and 
are outside the protections of the Privacy Act.
    Major steps toward fixing these problems can be found in 
Senator Akaka's legislation.
    As we have heard, agency notice when personal information 
is lost or stolen is a serious and ongoing problem. The 
ACLU believes that existing OMB guidance is inadequate. It 
gives far too much discretion to individual agencies as to 
whether to disclose these embarrassing breaches.
    The Supreme Court has also weakened the remedies under the 
Act. In a case called FAA v. Cooper, decided in March, the 
court held that when an agency disclosed an individual's HIV 
status, he could not recover damages for mental or emotional 
distress, no matter how severe, because he did not suffer 
financial harm as a result of the violation.
    This decision is particularly harmful because the damage 
from privacy disclosures is often an embarrassment, anxiety, 
and emotional distress, precisely what the court forecloses.
    Finally, despite improvements from some agencies, oversight 
remains inadequate. This reality is as we have heard troubled 
times already embodied by the PCLOB, which is tasked with 
monitoring agency information sharing practices related to 
terrorism.
    As we have heard, it has existed in its current form since 2007 
but a full slate of nominees was not put forward by either 
President Bush or President Obama until late last year and the 
Board is still vacant.
    Significant misuse of personal information has resulted 
from these erosions of Federal privacy protections. The most 
recent example of this trend is the sweeping changes the 
National Counterterrorism Center (NCTC), made to its guidelines 
on the collection and use of information about U.S. persons not 
suspected of wrongdoing.
    Previously, NCTC discarded information on U.S. persons not 
connected to terrorism within 180 days. However, under its new 
guidelines, NCTC keeps this information for up to 5 years.
    This collection may be happening as a so-called routine use 
under the Privacy Act. This change, along with others affecting 
how NCTC analyzes and shares information, now allows the agency 
to perform searches on people with no connection to terrorism 
and shares the results for a wide variety of purposes with 
almost anyone.
    By fully exploiting loopholes in the Privacy Act, NCTC can 
turn the vast power of the U.S. intelligence community on 
innocent Americans. Using personal information for different 
purposes, and sharing it broadly are precisely the type of harm 
the Privacy Act was enacted to prevent.
    The Federal Government collects an enormous amount of 
personal information so people can receive benefits and 
services, exercise fundamental rights like voting or 
petitioning the government, getting licenses for everything 
from purchasing a handgun to businesses and industry, for 
employment, education, and for many types of health care.
    This information collection is nearly ubiquitous in 
American life. None of this would have been a surprise in 1974. 
According to the congressional findings from the Privacy Act, 
the use of information technology can greatly magnify the harm 
to the individual; and so, in order to protect privacy, it is 
necessary and proper for the Congress to regulate the 
collection, maintenance, use, and dissemination of information 
by such agencies.
    Congress must once again take up that duty and protect 
personal information on all of us by updating the Privacy Act. 
Thank you.
    Senator Akaka. Thank you very much Mr. Calabrese for your 
statements.
    Mr. Rosenzweig, please proceed with your statement.

  TESTIMONY OF PAUL ROSENZWEIG,\1\ VISITING FELLOW, HERITAGE 
                           FOUNDATION

    Mr. Rosenzweig. Thank you very much, Mr. Chairman, Senator 
Johnson. I appreciate the opportunity to be with you today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Rosenzweig appears in the 
appendix on page 99.
---------------------------------------------------------------------------
    I take a very different perspective, I think, on the 
Privacy Act. I think I share the view of almost everybody who 
has spoken that the Privacy Act is outdated. Any act that was 
passed at a time when the personal computer did not exist 
cannot hope to match the current technological structures we 
have.
    Where I think I differ is in thinking that we can fiddle 
around at the edges with modifications and extensions of older 
conceptions. To my mind, the technological revolution is so 
great that it is really time for a wholesale 
reconceptualization of what the Privacy Act is and how we deal 
with privacy.
    We stand at the cusp of a technological revolution, indeed, 
not at the cusp but in the midst of it. We are not just doing 
exabytes but yottabytes and zettabytes of data every day, all of 
it in unstructured formats, but that is being matched by 
massive increases both in processing capacity and data storage 
capacity that allow people to make sense of this data in new 
and different ways.
    The new sense making that we are doing is of great value. 
It is of value commercially to people who want to sell things; 
but as relevant to this Committee, it is of value to the 
government. It is of value to the government in 
counterterrorism and in law enforcement.
    It brings with it acknowledgedly the threat that it may 
also be put to purposes which we would not want the government 
to do, things like targeting people because of their political 
beliefs or something like that but we can no longer maintain 
the artificial categories of use distinctions, purpose 
distinctions, data retention rules that are being destroyed 
essentially by the technological changes that are happening 
around us.
    We retained data in the NCTC for an increased amount of 
time not because we want to target America's political beliefs 
but because we have come to learn that we cannot predict today 
how much value there will be in this information 5 years from 
now and what particular pieces of information will be of value 
to, say, a new terrorist investigation.
    We have seen in counterterrorism investigations, at least 
when I was in the Department 5 years ago, data searches that go 
back 8, 10, 12 years. This is the type of reality that we must 
deal with while at the same time recognizing that there is the 
threat of misuse.
    To my mind, the best way to ensure the privacy of citizens 
in America today, the reasonable privacy of citizens, is to no 
longer tie our conceptions to older technological constructs of 
word searches by name or by date.
    Rather, we should focus instead on use and purpose 
limitations that are inconsistent with those current 
capabilities and the threat environment.
    We should better focus the privacy rules on what I think 
are, and I will admit this, much more difficult questions of 
defining what is and is not an appropriate consequence that can 
be imposed from the use of data, that is, structuring when we 
can take that data and impose an adverse consequence on an 
American citizen.
    That requires a much finer degree of analysis at the back 
end rather than categorical imperatives at the front end: use 
only for this purpose, keep only for this long, when you 
cannot, in any way, define those in advance with any degree of 
clarity.
    To my mind, while many of the improvements that are 
proposed for the Privacy Act will certainly work marginal 
increases in the benefits that we would gain to privacy in the 
system, in the end they are going to be overtaken by technology 
and we will wind up, if we do not take this task on, with a 
government use of data analytics and a privacy rule that 
restricts us to a locked-in technology that is where we are 
today while both the commercial sector in America, and more 
important from my perspective, our peer competitors outside of 
the United States rush ahead with technological advancements 
that we have denied ourselves because of fears of technology.
    That does not suggest that we cannot ignore the possibility 
of misuse. Indeed, as my testimony suggests, I think that 
enhanced oversight and audit are the key ways to go forward in 
doing that; but categorical rules are, in my judgment, a 
straitjacket and should be eschewed.
    With that, I look forward to answering your questions. 
Thank you.
    Senator Akaka. Thank you very much for your statement, Mr. 
Rosenzweig.
    Mr. Swire, you testified forcefully about OMB's leadership 
void in Federal privacy policy and the need for a Federal Chief 
Privacy Officer to spearhead the interagency clearance process 
and represent the Administration on international privacy 
matters.
    Why, in your view, has OMB not taken on a stronger 
leadership role in privacy and what steps should OMB be taking?
    Mr. Swire. So, Senator, I would say that one thing I did 
see when I was in OMB is that the headcount in the Executive 
Office of the President is closely guarded. There is a very 
strict limit on how many people can be employed within OMB.
    And so, when they are making choices about working on the 
Federal budget and doing all of the management tasks that they 
are doing, they are very cautious about adding staff.
    At the peak of my time there, I had myself, two full-time 
people, and a detailee, and that was with a lot of work to get 
up to the staff at that level.
    I think what we see, and this is what happened with Howard 
Schmidt in the cybersecurity czar position is that there needs 
to be a way where OMB and the Executive Office of the President 
work with the agencies to provide more staffing.
    That is just a lot of work to set up and I really do think 
that having a pretty good nudge from Congress will help put 
that in place; and without it, it just seems like a large 
challenge that is hard for them to put together 
bureaucratically.
    Senator Akaka. Thank you.
    Mr. Calabrese, you testified that the Privacy Act does not 
extend to the Federal Government's use of commercial databases. 
Some of these databases may have a high level of inaccuracies. 
Even though their use may affect Americans' rights, there is no 
notice about their use and no process for individuals to 
correct their records.
    Will you please elaborate on this problem and how we could 
achieve better transparency of the Federal Government's use of 
commercial databases?
    Mr. Calabrese. Thank you, Senator Akaka.
    Well, of course, the first answer is we could adopt your 
amendment as part of the cybersecurity bill. It has in it a 
provision that says that commercial databases will be required 
to comply with the E-Government Act which is, of course, a 
close companion to the Privacy Act which requires agencies to 
disclose how they are using databases, where the information 
comes from, the sources of it, and that is a very important 
transparency tool.
    Right now, we really do not have a feel even for how 
agencies are accessing these records, where they are coming 
from, what they are relying on. Many of these databases started 
as marketing databases.
    So, if you were compiling a database to sell magazine 
subscriptions, 80 percent accuracy or 90 percent accuracy was 
great. If you got a few wrong, it was just a few wrong 
subscriptions. Obviously, that same standard cannot apply when 
agencies are performing vital functions.
    So, I think we start with the transparency provision. We 
learn where this information is coming from, what they are 
using with it, then we can begin to figure out how it should be 
properly regulated.
    Senator Akaka. Thank you, Mr. Calabrese.
    Mr. Rosenzweig, the Supreme Court's ruling in FAA v. Cooper 
earlier this year restricted Privacy Act remedies; and by many 
experts' accounts, rendered the Act, as I mentioned in my 
statement, toothless.
    Experts including Jim Harper at Cato have urged Congress to 
amend the Privacy Act so it is clear that individuals are 
compensated for proven mental and emotional distress.
    Do you agree that we should amend the Privacy Act to 
restore these remedies?
    Mr. Rosenzweig. Senator, I think that the much superior way 
of ensuring Federal compliance with the Privacy Act is through 
the mechanisms that we established, the privacy officers in the 
various communities, the oversight of Inspectors General of 
this Committee.
    Those deal much more effectively, in my judgment, with 
systematic errors. The oversight you had today of the thrift 
board is a perfectly good example.
    To my mind, in general, the private litigation system is a 
less efficient and effective way of creating systematic change. 
That is not to say that I disagree that most of the privacy 
harm is psychic in nature because most of privacy is about our 
own senses of personal value, shame, whatever it is that you 
are protecting rather than economic harm.
    But at the same time, I think that enhancing litigation 
over individual Privacy Act violations would actually be a 
diversion of resources from a much more effective and 
systematic way of addressing the real privacy failures that do 
happen in the government that should be addressed through 
privacy officers, Inspectors General, the PCLOB if it ever gets 
started, this Committee, that sort of thing.
    Senator Akaka. Thank you.
    After that answer, let me ask Mr. Swire and Mr. Calabrese 
whether you can reflect on this or what do you think about 
this? Mr. Swire.
    Mr. Swire. On the Privacy Act damages question, I would 
support putting back in place the way I thought the law was 
before. I think that the interpretation by the courts was more 
narrow than was intended by the Privacy Act. I think emotional 
harms that are proven to a jury, or to a judge are real harms 
here and we should put that back in the law.
    Senator Akaka. Thank you.
    Mr. Calabrese. And I would simply note that I do not think 
this is a diversion of resources but a supplement of resources. 
We already have oversight by Federal agencies and I agree that 
is appropriately systematic and necessary; but individuals are 
still harmed by these disclosures, and the harm goes far beyond 
the economic harm.
    As such, it should be recognized. Individuals should be 
compensated. The Federal agencies and the Federal Government are 
requiring this information. So, hence, it is also required to 
protect the people and that information when it is lost or 
misused.
    Senator Akaka. Thank you very much. Senator Johnson, your 
questions.
    Senator Johnson. Thank you, Mr. Chairman.
    Let me start with the more philosophical question. Since 
1974, or quite honestly even prior to that, versus 2012 has the 
definition or maybe I should state it, has the expectation of 
privacy changed?
    I will start with you, Mr. Rosenzweig.
    Mr. Rosenzweig. I think it changes all the time. I think 
that we live in a society now in which people go on Jerry 
Springer and meet their ex-wife's new boyfriend and have a 
fight with him on public TV.
    I think that the expectation changes with catastrophic 
events. We have a different expectation of what is an 
acceptable privacy intrusion at airports today than we did 
before. Many people do not like that but the expectation is 
changing nonetheless.
    I think that what we are really talking about in many 
contexts is kind of not privacy so much as an expectation of 
anonymity or lack of governmental scrutiny without 
justification, and that too seems to be changing.
    But, by that, I mean that we are now in a time where people 
have come to understand that so much of their life is out there 
on Facebook, on Twitter, voluntarily or involuntarily because 
the credit card systems have changed.
    But, where we are right now is that people expect that the 
gaze of law enforcement, for example, will not turn on them 
without a good justification or reason. That is a pretty 
different change from what it used to be which was that we 
expected that we were totally obscure and that the government 
did not even know anything about us. Now, we think that it 
knows about us; we just do not want it to pay attention.
    Senator Johnson. Mr. Calabrese, do you want to add to that 
or challenge it?
    Mr. Calabrese. Yes, I would actually disagree candidly. I 
think that while people have different interpretations of 
privacy, I think the values that underlie privacy are really 
the bedrock of this country.
    I mean, they start with a Fourth Amendment. They start, 
essentially, with the right to be left alone. People interpret 
that in different ways.
    I think younger people, when I talk to them, believe very 
strongly in privacy. They interpret it a little differently. 
They think of it more as information control. I decide who sees 
what about me rather than the anonymity that we talked about in 
previous generations.
    But, I think, this bedrock principle that I should be free 
from government scrutiny certainly and government interference 
in my private life is one that is a fundamental thread in 
American values.
    Senator Johnson. Mr. Swire.
    Mr. Swire. I have a right not to go on Jerry Springer and a 
right not to have Federal agencies gather all the data that 
Jerry Springer might get out of some of his interviews.
    The enduring value goes back to the Fourth Amendment 
saying that there should be no unreasonable searches and 
seizures. What is reasonable changes with the facts.
    But, I think a book by Alan Westin from around 1970 called 
Privacy and Freedom goes through the history over time and 
shows that the values that are at stake are very enduring. 
Technology changes somewhat, the safeguards change somewhat but 
the link between privacy and freedom is a very long-standing 
one.
    Senator Johnson. Thank you. I think most people recognize 
the harm of loss of privacy when it comes to theft of either 
assets or certainly identity, certainly the harm caused by 
disclosure of health circumstances, that kind of stuff, can you 
also speak on other types of harm caused by loss of privacy and 
exposure of private information? Personal and private 
information.
    Mr. Calabrese, we will start with you.
    Mr. Calabrese. Yes, no, of course.
    It is such a wide variety. I think we can begin with the 
harm of surveillance. I fear to learn about particular things, 
visit particular Web sites because it may muzzle me. I may not 
want to visit a Web site that talks about radical Islam in 
spite of the fact I am the furthest thing from a radical 
Islamic.
    I fear that will somehow be connected with me and I will 
suffer some investigation or harm because of it.
    Then, more general just dignity reasons. I mean there are 
plenty of things that we do in our life that we would not want 
taken out of context, whether it is just the songs we listen to 
or the people we are friends with.
    All of these things are sort of the right to a personal 
life. That is really the fundamental piece here is that it is 
very difficult to explore new ideas, to learn about new 
concepts and to just sort of engage in the thought process that 
is necessary to be a responsible citizen in a democracy without 
the privacy to make mistakes, to explore ideas that you may 
want to later discard, all of that really requires privacy. And 
if you do not have it, it is sort of a fundamental harm to your 
right as a citizen.
    Senator Johnson. Mr. Rosenzweig.
    Mr. Rosenzweig. I agree that privacy is an enabler of 
personal development. And so, it strikes me that is the value 
that we want to protect, but it is just an enabler.
    What we want to protect is the ability to develop 
personally, to speak freely as you will. The problem or the 
challenge that we face right now is we might want to protect 
the ability to develop personally through privacy protections, 
they are going away. Right?
    If you engage in any sort of activity on the web today, it 
is out there. We can limit what the government does with it but 
there is no way that we can limit anything beyond the pieces of 
the government that we control, that you control.
    We can maybe limit commercial sectors here in the United 
States. We cannot limit what happens in Bermuda. We cannot 
limit what happens in Mexico.
    The challenge, I think, right now is to enable that 
personal development not by having to self-edit because of the 
fear of going to a Muslim Web site but by being much more 
strict about prohibiting adverse consequences on people for 
going to look at radical Islamic Web sites.
    So, I do not disagree with the end result. My problem is 
that the way of doing it by deliberately making the government 
or the commercial sector dumb about what people are doing is 
the wrong way to go about it.
    The right way to go about it is let us be smart but then 
make us do smart things with the smart data, not stupid things 
like challenging people just because they are going to a Muslim 
Web site.
    Senator Johnson. Mr. Swire, would you like to comment on 
that?
    Mr. Swire. A lot of good things have been said. One other 
part of the privacy fair practice is accessing your data and 
correcting mistakes.
    So, if you are on the no-fly list and you should not be or 
your credit history is wrong, they have the wrong person with 
your name, having good procedures around that is another part 
of what we consider as privacy protection that I think we 
surely want to build into our information society.
    Senator Johnson. Thank you.
    Thank you, Mr. Chairman.
    Senator Akaka. Thank you very much, Senator Johnson.
    Mr. Calabrese, you testified that the exemptions to the 
Privacy Act for law enforcement and intelligence activities are 
problematic.
    Given the many recent privacy concerns about the treatment 
of personal information in the national and homeland security 
context, I agree that this issue merits further examination.
    How can we ensure that these exemptions are not abused 
without harming important law enforcement and intelligence 
activities?
    Mr. Calabrese. Thank you, Senator.
    Well, I think in terms of tightening controls, I think we 
can begin by acknowledging that the Privacy Act actually has 
pretty good disclosure limitations that say you should not 
disclose information unless you have a good reason to do so.
    What we need to do is tighten some of the exceptions like 
routine use that allows essentially anything to be labeled 
routine and hence disclosed.
    And, I think that goes to the heart of how we get both a 
strong national security and also good privacy is we need to 
focus our investigations on people we suspect of wrongdoing, 
who are criminals, who are terrorists.
    When we have a basis for that investigation, we pursue it. 
There are plenty of mechanisms for doing so. That does not mean 
compiling a database of all the innocent people in advance in 
case they may some day be needed for this.
    When we have an investigation we pursue it. We do not put 
every American in what amounts to a lineup on the assumption 
that someday that lineup may prove valuable.
    One of our enduring rights in this country is that we are 
innocent until proven guilty. We need to hold onto that bedrock 
principle. Thank you.
    Senator Akaka. Thank you.
    Mr. Rosenzweig and Mr. Calabrese, I agree with Mr. Swire 
that approving the nominees for the Privacy and Civil Liberties 
Oversight Board is a critical priority, particularly as the 
Senate considers cybersecurity legislation.
    As you know, the Board is supposed to be a key check on the 
new information sharing authorities in the bill. I would like 
to hear your views on this issue.
    Let me call on Mr. Swire first.
    Mr. Swire. I think I spoke to it, sir. I am not sure I have 
more to add to the idea that we should get these folks 
confirmed.
    Senator Akaka. Thank you. Mr. Rosenzweig.
    Mr. Rosenzweig. I do not know all of the nominees. The 
three that I know are quite able. I would have hoped that the 
Senate would have acted with President Bush in 2007 to fill the 
Board and I would have hoped that President Obama, if he had 
acted with more alacrity and presented these nominees well 
before the near end of this session, we would have had a Board 
in place.
    I agree completely that at some point a Board needs to be 
put in place because, as I said, I think that the oversight and 
audit functions are critical to my vision of the best ways to 
enhance privacy. I just regret that the political dimension of 
this has brought us to the point where we are, what, 98 days 
out from an election and still trying to find a Board.
    Senator Akaka. Thank you. Mr. Calabrese.
    Mr. Calabrese. I agree obviously. We want to confirm these 
nominees tomorrow, if possible.
    I want to just caution, though, that it is not a panacea. I 
mean, PCLOB is relatively small. Even if it were fully staffed, 
it is something like 10 full-time staff under its current budget 
allotment: a part-time Board with a full-time chairman.
    The agencies and the bureaucracies that it is supposed to 
oversee are quite literally massive. They are the size of small 
towns. So, there is no way that this Board is going to be able 
to provide any level of complete oversight.
    It is a piece. It is necessary to fill it but no one should 
believe that simply filling the PCLOB is going to answer all 
our oversight concerns.
    Senator Akaka. Thank you.
    Mr. Swire, if we create a Federal Chief Privacy Office, 
should that individual also review the information sharing 
provisions of the cybersecurity bill?
    Mr. Swire. So, how to work the CPO with the PCLOB is 
something that would take some work. I suggest in my testimony 
that we have a long-held division between unclassified computer 
systems in the Federal Government and the classified systems.
    The Privacy and Civil Liberties Oversight Board is 
specifically focused on classified and anti-terrorism 
activities. It makes sense I think for them to take the lead 
there and for the Federal Chief Privacy Officer to take the 
lead on unclassified systems. That is my best guess at how to 
proceed.
    Senator Akaka. Thank you.
    This is my final question for the entire panel. What key 
privacy protection issues that we have not yet discussed also 
warrant the attention of Congress? Mr. Calabrese.
    Mr. Calabrese. There are so many. I would say that it is 
really crucial to update our electronic communications privacy 
law, the Electronic Communications Privacy Act (ECPA). ECPA was 
passed in 1986. It governs law enforcement access to electronic 
communications.
    It is woefully out of date. 1986 was an awful long time 
ago. Similarly, location privacy, as the Court weighed in on this 
term in US v. Jones, is a huge issue. Our cell phones have become 
portable tracking devices, and reining in that tracking so it 
only happens appropriately I think is a very important job.
    I could go on and on but I will stop at those two.
    Senator Akaka. Thank you. Mr. Rosenzweig.
    Mr. Rosenzweig. Those two are both worth thinking about. I 
guess I would add to that a consideration of whether or not the 
intelligence community's approach to privacy is sufficiently 
unified. I think there is divergence in views within that 
community.
    And, wow, I could probably think of a half dozen more but I 
will just stop with that.
    Senator Akaka. Mr. Swire.
    Mr. Swire. So, just two observations. One is that the Jones 
case about tracking the location I think is a very important 
moment for the Supreme Court, but Congress can follow up there.
    I did a project with some other groups at U.S. v. Jones.com 
which surveys ways to sort of get at the next generation of 
surveillance and civil liberties here. I think I would focus on 
that: how to do the electronic searches, how to update ECPA, 
and how to do some of the things discussed at U.S. v. Jones.com.
    Senator Akaka. Thank you. Let me ask Senator Johnson for 
further questions.
    Senator Johnson. Thank you, Mr. Chairman.
    Let me just address the very real conundrum facing 
government. As we watch every terrorist act, the aftermath of 
that, people start doing a postmortem on that, and they go, 
well, we had this information, why did we not put two and two 
together and prevent the attack.
    A very real concern, and it is just that natural tension 
between privacy and the security that the American people 
expect. I guess I would like all three of you to, first of all, 
address that very real concern to me. How do we navigate that 
very fine line?
    I guess we will start with Mr. Swire.
    Mr. Swire. Thank you, Senator.
    So, I wrote a law review article around 2006 called "Privacy 
and Information Sharing in the War Against Terrorism." It is 
online, and law professors always love it if anybody ever reads 
a law review article.
    But I think that is a checklist of seven or eight questions 
that I think should be asked as you are building a new 
information system. And, it actually is similar to what Mr. 
Rosenzweig is saying about audit and accountability and setting 
it up so someone is looking at it carefully when you built it 
at the front and then auditing it once you have it in place.
    And, I think if you do that, then you do use information 
intensively but you have some safeguards in place.
    Senator Johnson. Thank you. Mr. Calabrese.
    Mr. Calabrese. Well, I think one of the biggest problems 
with information sharing today is that there is so much 
information that it overwhelms the ability of any analyst to 
essentially process it.
    I mean, you cannot connect the dots when it is millions of 
dots being given to you every day. I mean, Secretary Leiter, 
when he was the Director of the NCTC, talked about an amazing 
amount of leads and tips that they get every day.
    And so, I think that we need to try to weed out the 
innocent person chaff and focus more on actual leads, actual 
people who, when Abdulmutallab's father came in to the Embassy 
and said, please investigate my son, it certainly seems 
possible to me that lead became lost because there was so much 
information pouring in that a good lead was lost amongst all 
the chaff.
    I think we need to focus on narrowing our information 
sharing to the right information, and that is a difficult task 
but I think one that will bear the most fruit.
    Senator Johnson. Mr. Rosenzweig.
    Mr. Rosenzweig. I actually have a different perspective on 
that which is I agree that we are drowning in a flood of data, 
but to a large degree our capacity to analyze it has been 
hamstrung by our unwillingness to apply data analytics.
    Abdulmutallab was actually a good example because the 
father coming in was preceded apparently by a visa application 
that would have been in the field of innocent data, 
presumptively innocent data that was collected about all of 
these applicants.
    You cannot know ex-ante which data fields are going to be 
the ones that are relevant to an ongoing investigation. Up 
until just a couple of years ago, we actually did not have a 
coordinated Google-like search functionality within the 
intelligence community, not because we could not implement 
that, though it does take some money and coordination, but in 
part because we were concerned about the linkages between 
various databases as eroding privacy concerns.
    When you have those concerns at the front end, they 
sometimes create artificial limitations. I agree completely 
that the right answer is to try to use the analytics to narrow 
down leads into the people that we want to devote investigative 
resources to. That is precisely what all of these systems are 
intended to do.
    On the other hand, you cannot actually make them as 
effective as you might by limiting the intake on the front-end.
    So, my perspective is that we are always going to be doing 
too much until the day after an event when we will not have 
done enough, and the optimal answer is to try to get the right 
structures in place up-front and at least be able to defend 
your choices going forward.
    Senator Johnson. Mr. Calabrese, I will definitely side with 
people who are highly concerned about civil liberties and 
government intrusion into our lives.
    Can you describe specific examples of purposeful misuse by 
the government of some of the information, personal privacy 
information, as opposed to hackers getting in and information 
being not purposefully but illegally disclosed?
    Mr. Calabrese. Yes. Let me address your question first, 
Senator. I think we saw with the New York Police Department's 
(NYPD's) investigation of Muslim communities where they were, 
they began to surveil entire communities, do community mapping 
of Muslims, not because they had any particular belief that 
there was a particular person whom they needed to investigate but 
just simply to monitor the entire community.
    Similarly, we have seen reports, and the ACLU has done FOIAs 
on this, where FBI agents, under the guise of going and doing 
community outreach and just getting to know the Muslim 
community, something that I think everybody agrees is vital in 
terms of building bridges and connections so that people will 
feel free to come forward if there is a criminal issue, turned 
those visits into intelligence reports, where reports were 
compiled on those innocent people who were trying to help the 
government do community outreach.
    So, when we turn people who are trying to help us into 
suspects, it builds exactly the kind of distrust that we are 
trying to prevent and, I would argue, hinders investigations 
going forward.
    So, I think that is the kind of situation that we want to 
prevent and that is why we want to preserve some of the lines 
that we have been talking about.
    Senator Johnson. That is somewhat kind of outside what we 
are talking about here, at least what I am talking about in 
terms of privacy within the cyber community.
    Mr. Rosenzweig, you mentioned Google. I mean, Google has 
all the information. If you have a credit card, you have 
provided voluntarily all kinds of personal information. And, I 
guess, I just want somebody to speak to the disconnect between 
what we voluntarily give up to private companies that have a 
great deal of latitude, almost primoral latitude for use and 
misuse of that information in the Federal Government.
    Can you just kind of speak to that disconnect?
    Mr. Rosenzweig. Well, there is much to be said about 
Google's privacy policies which many people think are not 
strong enough in the private sector. I think the best way to 
characterize it would be this.
    Just this past week in Las Vegas, they had the Black Hat 
convention DEFCON which is a convention of hackers. And, one of 
the leaders of the audience asked this assembled group of true 
cyber experts who they feared more, Google's privacy invasions 
or the government's, and Google won hands down, because the 
people with the knowledge about this know that Google actually 
assembles, processes, and uses personal data much more 
efficiently, much more effectively than the Federal Government 
does.
    So, if you are one who sees in that a threat, as the people 
at DEFCON did, they are more afraid of Google than they are of 
the government by I think it was like six to one I saw in the 
newspapers. I obviously was not there but that kind of speaks 
to it.
    Senator Johnson. Thank you. I have run out of time again. I 
really do want to thank the witnesses for your thoughtful 
testimony and for taking the time here. This has been a very 
interesting discussion, and I want to thank you, Mr. Chairman, 
for holding this hearing. This is a good hearing.
    Senator Akaka. Go ahead.
    Senator Johnson. No. I think I am good. Thank you.
    Senator Akaka. Well, thank you very much, the second panel. 
I would like to thank each of you for your statement and your 
responses. This has been a useful and informative discussion 
that will help us chart the next steps to strengthen our 
Federal privacy and data security framework. I will continue 
focusing on these important issues during the rest of my time 
in the Senate.
    This hearing also will provide a blueprint for the next 
Congress on additional areas that must be addressed.
    The hearing record will be open for 2 weeks for additional 
statements or questions from members of this Subcommittee.
    Again, I want to thank you for being with us.
    The hearing is adjourned.
    [Whereupon, at 11:58 a.m., the Subcommittee adjourned.]


                            A P P E N D I X

                              ----------                              

[GRAPHIC] [TIFF OMITTED] T6066.001