[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]




PROTECTING CUSTOMER NETWORK PROPRIETARY INFORMATION IN THE INTERNET AGE

=======================================================================

                                HEARING

                               BEFORE THE

             SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 11, 2018

                               __________

                           Serial No. 115-148
                           
                           
                 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov
                        
                               __________                        
                        
                    U.S GOVERNMENT PUBLISHING OFFICE
                    
35-164			  WASHINGTON : 2019     




                        
                    COMMITTEE ON ENERGY AND COMMERCE

                          GREG WALDEN, Oregon
                                 Chairman
JOE BARTON, Texas                    FRANK PALLONE, Jr., New Jersey
  Vice Chairman                        Ranking Member
FRED UPTON, Michigan                 BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois               ANNA G. ESHOO, California
MICHAEL C. BURGESS, Texas            ELIOT L. ENGEL, New York
MARSHA BLACKBURN, Tennessee          GENE GREEN, Texas
STEVE SCALISE, Louisiana             DIANA DeGETTE, Colorado
ROBERT E. LATTA, Ohio                MICHAEL F. DOYLE, Pennsylvania
CATHY McMORRIS RODGERS, Washington   JANICE D. SCHAKOWSKY, Illinois
GREGG HARPER, Mississippi            G.K. BUTTERFIELD, North Carolina
LEONARD LANCE, New Jersey            DORIS O. MATSUI, California
BRETT GUTHRIE, Kentucky              KATHY CASTOR, Florida
PETE OLSON, Texas                    JOHN P. SARBANES, Maryland
DAVID B. McKINLEY, West Virginia     JERRY McNERNEY, California
ADAM KINZINGER, Illinois             PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia         BEN RAY LUJAN, New Mexico
GUS M. BILIRAKIS, Florida            PAUL TONKO, New York
BILL JOHNSON, Ohio                   YVETTE D. CLARKE, New York
BILLY LONG, Missouri                 DAVID LOEBSACK, Iowa
LARRY BUCSHON, Indiana               KURT SCHRADER, Oregon
BILL FLORES, Texas                   JOSEPH P. KENNEDY, III, 
SUSAN W. BROOKS, Indiana                 Massachusetts
MARKWAYNE MULLIN, Oklahoma           TONY CARDENAS, California
RICHARD HUDSON, North Carolina       RAUL RUIZ, California
CHRIS COLLINS, New York              SCOTT H. PETERS, California
KEVIN CRAMER, North Dakota           DEBBIE DINGELL, Michigan
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
JEFF DUNCAN, South Carolina

             Subcommittee on Communications and Technology

                      MARSHA BLACKBURN, Tennessee
                                 Chairman
LEONARD LANCE, New Jersey            MICHAEL F. DOYLE, Pennsylvania
  Vice Chairman                        Ranking Member
JOHN SHIMKUS, Illinois               PETER WELCH, Vermont
STEVE SCALISE, Louisiana             YVETTE D. CLARKE, New York
ROBERT E. LATTA, Ohio                DAVID LOEBSACK, Iowa
BRETT GUTHRIE, Kentucky              RAUL RUIZ, California
PETE OLSON, Texas                    DEBBIE DINGELL, Michigan
ADAM KINZINGER, Illinois             BOBBY L. RUSH, Illinois
GUS M. BILIRAKIS, Florida            ANNA G. ESHOO, California
BILL JOHNSON, Ohio                   ELIOT L. ENGEL, New York
BILLY LONG, Missouri                 G.K. BUTTERFIELD, North Carolina
BILL FLORES, Texas                   DORIS O. MATSUI, California
SUSAN W. BROOKS, Tennessee           JERRY McNERNEY, California
CHRIS COLLINS, New York              FRANK PALLONE, Jr., New Jersey (ex 
KEVIN CRAMER, North Dakota               officio)
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
GREG WALDEN, Oregon (ex officio)
  
                            
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement..........................     1
    Prepared statement...........................................     3
Hon. Leonard Lance, a Representative in Congress from the State 
  of New Jersey, prepared statement..............................     4
Hon. Michael F. Doyle, a Representative in Congress from the 
  Commonwealth of Pennsylvania, opening statement................     4
    Prepared statement...........................................     6
Hon. Anna G. Eshoo, a Representative in Congress from the State 
  of California, opening statement...............................     7
Hon. Frank Pallone, Jr., a Representative in Congress from the 
  State of New Jersey, prepared statement........................     8
Hon. Greg Walden, a Representative in Congress from the State of 
  Oregon, prepared statement.....................................    79

                               Witnesses

Hance Haney, Director and Senior Fellow, Technology and Democracy 
  Project, Discovery Institute...................................     9
    Prepared statement...........................................    12
Robert McDowell, Senior Fellow, Hudson Institute, Former 
  Commissioner, Federal Communications Commission................    23
    Prepared statement...........................................    25
Laura Moy, Deputy Director, Georgetown Law Center on Privacy and 
  Technology.....................................................    33
    Prepared statement...........................................    35

                           Submitted Material

Article entitled, ``Smart TVs are watching us now,'' Axios, July 
  5, 2018........................................................    81
Article entitled, ``How--and why--Apple, Google, and Facebook 
  Follow you Around in Real Life,'' Fast Company, December 22, 
  2017...........................................................    83
Article entitled, ``Facebook scraped call, text message data for 
  years from Android phones,'' Ars Technica, March 24, 2018......    87
  

 
PROTECTING CUSTOMER NETWORK PROPRIETARY INFORMATION IN THE INTERNET AGE

                              ----------                              


                        WEDNESDAY, JULY 11, 2018

                  House of Representatives,
     Subcommittee on Communications and Technology,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:13 a.m., in 
room 2322, Rayburn House Office Building, Hon. Marsha Blackburn 
(chairman of the subcommittee) presiding.
    Present: Representatives Blackburn, Lance, Shimkus, Latta, 
Guthrie, Olson, Johnson, Long, Flores, Brooks, Collins, 
Walters, Costello, Doyle, Welch, Clarke, Ruiz, Dingell, Eshoo, 
Engel, Butterfield, Matsui, McNerney, and Pallone (ex officio).
    Staff Present: Jon Adame, Policy Coordinator, 
Communications and Technology; Kristine Fargotstein, Detailee, 
Communications and Technology; Sean Farrell, Professional Staff 
Member, Communications and Technology; Adam Fromm; Director of 
Outreach and Coalitions; Elena Hernandez, Press Secretary; Tim 
Kurth, Deputy Chief Counsel, Communications and Technology; 
Lauren McCarty, Counsel, Communications and Technology; Drew 
McDowell, Executive Assistant; Evan Viau, Legislative Clerk, 
Communications and Technology; Jeff Carroll, Minority Staff 
Director; Jennifer Epperson, Minority FCC Detailee; Tiffany 
Guarascio, Minority Deputy Staff Director and Chief Health 
Advisor; Alex Hoehn-Saric, Minority Chief Counsel, 
Communications and Technology; Jerry Leverich, Minority 
Counsel; Dan Miller, Minority Policy Analyst; and C.J. Young, 
Minority Press Secretary.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. The Subcommittee on Comms and Tech will now 
come to order. And the chair now recognizes herself for 5 
minutes for an opening statement.
    Good morning to everyone. And welcome to today's hearing on 
protecting consumer privacy. And if you have not done so, I 
would encourage you to get your acronym app out as you try to 
follow along with what we have before us today.
    This is a topic that has attracted attention in a variety 
of contexts, and one that I am so pleased that we are 
discussing today. And I want to say thank you to our witnesses 
who are sharing their expertise with us as we strive to protect 
customer privacy when communicating in the internet age.
    Over 20 years ago, Congress realized the importance of 
protecting the confidentiality of Customer Proprietary Network 
Information, CPNI, when consumers use their primary method for 
instantaneous communication, which at that point was telephone 
calls.
    The rules that the FCC initially adopted to implement the 
statutory CPNI requirements only covered information from 
traditional call records. But over time, these protections have 
evolved to cover new forms of communication like interconnected 
Voice over IP, or VoIP, calls, and even information collected 
by telecommunications carriers on mobile devices.
    By enacting section 222, Congress established a specific 
statutory structure that acknowledged that consumers share 
sensitive data when they communicate over the phone. This was 
based on the assumption that only the telecommunications 
carrier had access to that data. In the internet age, 
telecommunications laws have been disrupted just like 
everything else. In some cases, app developers operating 
systems and Edge providers have access to the same exact CPNI 
that telecom carriers are required to protect in various ways.
    Consumers now use these different forms of communication 
interchangeably to serve the same purpose. For example, if a 
consumer uses his or her mobile phone to call someone using the 
standard telephone function on their cell phone, that call is 
traveling over the public switch telecom network and would be 
protected by the current CPNI rules and enforced by the FCC. If 
that same consumer uses the exact same cell phone to call the 
exact same person but uses a voice-based app to place a call, 
the communication would not be going over the PSTN and not be 
protected by the CPNI rules.
    As I said, you need your acronym app for this one.
    Both calls are conveying the same information, but the 
consumer's information in the second scenario is not protected 
in the same manner as the first scenario. This leads to a 
problem where consumers do not have the same privacy 
protections when using the same device for essentially the same 
purpose.
    This is when the FCC's 2016 Privacy Order was a consumer 
protection vehicle that drove at the wrong target. The 
Commission's inability to locate all the other traffic out 
there is precisely when wheels came off.
    As I have suggested before, the solution to this problem is 
broad privacy legislation, which is why I introduced 
legislation on the subject almost a year ago that steers us in 
the right direction. The BROWSER Act is comprehensive 
bipartisan privacy legislation that will give Americans 
seamless protection across all of their electronic 
communications.
    As we discuss these important issues today, we need to 
consider innovation and consumer privacy needs across the 
entire internet ecosystem so we can arrive at a solution that 
works for everyone.
    At this time, I yield the remainder of my time to Mr. Lance 
for his opening.
    [The prepared statement of Mrs. Blackburn follows:]

              Prepared statement of Hon. Marsha Blackburn

    Good morning and welcome to today's hearing on protecting 
consumer privacy. This is a topic that has attracted attention 
in a variety of contexts, and one that I am glad to discuss 
today. Thank you to our witnesses for sharing your expertise 
with us today as we strive to protect customer privacy when 
communicating in the Internet age.
    Over 20 years ago, Congress realized the importance of 
protecting the confidentiality of customer proprietary network 
information, or CPNI, when consumers used the primary method 
for instantaneous communication: telephone calls. The rules 
that the FCC initially adopted to implement the statutory CPNI 
requirements only covered information from traditional call 
records, but over time, these protections have evolved to cover 
new forms of communication-like interconnected voice over IP 
(VoIP) calls and even information collected by 
telecommunications carriers on mobile devices.
    By enacting Section 222, Congress established a specific 
statutory structure that acknowledged that consumers share 
sensitive data when they communicate over the phone. This was 
based on the assumption that only the telecommunications 
carrier had access to that data. In the Internet age, 
telecommunications laws have been disrupted just like 
everything else. In some cases, app developers, operating 
systems, and edge providers have access to the same exact CPNI 
that telecommunications carriers are required to protect in 
various ways. Consumers now use these different forms of 
communication interchangeably to serve the same purpose.
    For example, if a consumer uses his or her mobile phone to 
call someone using the standard telephone function on their 
cell phone, that call is traveling over the public switched 
telecommunications network and would be protected by the 
current CPNI rules, and enforced by the FCC. If that same 
consumer uses the exact same cell phone to call the exact same 
person, but uses a voice-based app to place the call, the 
communication would not be going over the PSTN and not be 
protected by the CPNI rules. Both calls are conveying the same 
information, but the consumer's information in the second 
scenario is not protected in the same manner as in the first 
scenario.
    This leads to a problem where consumers do not have the 
same privacy protections when using the same device for 
essentially the same purpose. This is why the FCC's 2016 
privacy order was a consumer protection vehicle that drove at 
the wrong target. The commission's inability to locate all the 
other traffic out there is precisely why the wheels came off 
it. As I have suggested before, the solution to this problem is 
broad privacy legislation, which is why I introduced 
legislation on this subject almost a year ago that steers us in 
the right direction--the BROWSER Act is a comprehensive, 
bipartisan privacy bill that will give Americans seamless 
protection across all their electronic communications.
    As we discuss these important issues today, we need to 
consider innovation and consumer privacy needs across the 
entire Internet ecosystem so we can arrive at a solution that 
works for everyone.
    At this time, I will yield to the remainder of my time to 
Mr. Lance for an opening statement.

    Mr. Lance. Thank you, Chairman Blackburn. And welcome to 
our distinguished panel.
    Section 222 of the Communications Act was enacted during 
the Act's last major update in 1996. The section mandates the 
telecommunication entities protect consumer privacy 
information, as the chairman has said, CPNI.
    Since 1996, the internet has revolutionized communications 
in so many ways. However, as breaches of consumer data 
repeatedly confront us, we must ensure the rules and 
regulations protecting consumer information are up to date and 
applied equally across the internet ecosystem.
    The FCC has tried to keep up with the technological 
innovations over the past 20 years, but an outdated statute 
limits its efforts. It is crucial we protect consumers' 
sensitive information, no matter the means of communication, 
and without hampering innovation.
    I look forward to discussing how we can update the law to 
conform to the challenges and opportunities of the digital age. 
And I yield back.
    [The prepared statement of Mr. Lance follows:]

                Prepared statement of Hon. Leonard Lance

    Thank you Chairman Blackburn and welcome to our 
distinguished panel.
    Section 222 of the Communications Act was enacted during 
the Act's last major update in 1996. This section mandates that 
telecommunications carried protect customer proprietary network 
information or CPNI. Since 1996, the internet has 
revolutionized communications. Through innovations from Voice 
over IP, to apps like Snapchat or WhatsApp, to social media 
networks like Facebook and Twitter, consumers now have a bevy 
of options to communicate over networks separate from 
traditional telephone and cellular calls. These advances have 
made it easier and cheaper for people to connect with each 
other around the world.
    However, as breaches of consumer data continuously confront 
us, we must ensure the rules and regulations protecting 
consumer information are up to date and applied equally across 
the Internet ecosystem. The FCC has tried to keep up with the 
technological innovations over the past 20 years, but an 
outdated statute limits their efforts. It is crucial we protect 
consumer's sensitive information, no matter the means of 
communications, and without hampering innovation.
    I look forward to discussing how we can effectively update 
the law to conform to the challenges and opportunities of the 
digital age.

    Mrs. Blackburn. The gentleman yields back.
    Mr. Doyle, you are recognized for 5 minutes.

OPENING STATEMENT OF HON. MICHAEL F. DOYLE, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Doyle. Thank you, Madam Chair, for holding this 
hearing, and thank you to the witnesses for appearing before us 
today.
    Digital privacy in our modern era has never been more 
important. And as our society becomes increasingly connected, 
it will become even more important. I believe that we can and 
must do more to protect American's privacy and sensitive 
information.
    This committee's hearing with Facebook's CEO Mark 
Zuckerberg showed how concerned our members are with the 
practices of one of the world's largest tech companies. And 
what that hearing made clear was that the FTC does not have the 
manpower or authority to adequately enforce its own consent 
decree against Facebook, let alone proactively police this 
fast-evolving space.
    To solve this problem and to give the American people the 
protections they are demanding, we are going to need a 
comprehensive solution that includes more resources, more 
manpower, and more authority to go after bad actors, and the 
ability to set rules of the road for the digital economy.
    Facebook demonstrated all too well that after-the-fact-
enforcement authority can't help us when the damage has already 
been done.
    Europe's implementation of its GDPR rules, as well as 
California's recently and quite quickly passed privacy law, are 
clear indications that people at home and abroad recognize the 
need for strong privacy protections. We in Congress and on this 
committee need to take that to heart as we are addressing this 
pressing issue.
    Now, with regards to today's hearing and the topic before 
us, CPNI, or Customer Network Proprietary Information, the FCC 
enforces the CPNI rules under section 222 of the Communications 
Act. This section restricts how telecommunications carriers can 
use and share customer data related to their service. This 
section and the authority it grants the Commission are some of 
the strongest privacy laws we have in this country and are 
intended to give consumers a modicum of protection.
    These rules were expanded in 2016 to include broadband 
services as well. Those rules too were simple but effective.
    The three components were, first, if your broadband 
provider wanted to use your data, it had to ask your 
permission. Secondly, it had to take reasonable steps to 
protect that data. And third, it needed to notify you if your 
data was breached.
    These rules were an expansion of the FCC's existing CPNI 
rules and would have meaningfully enhanced our nation's privacy 
laws. However, Chairman Blackburn cosponsored and successfully 
led an effort to repeal these simple, sensible rules. As of 
yet, there has been no replacement.
    The majority cannot claim that it values privacy when one 
of its signature achievements this Congress is the repeal of 
these meaningful rules.
    Americans around the country are shouting for more, not 
less, privacy protections. Whether it is through ballot 
initiatives, billboards, people want more control over their 
digital lives. This is why it is so concerning that the FCC is 
doing so little to enforce its existing protections under 
section 222.
    Thanks to the work by Senator Wyden and his staff, we 
recently discovered that real-time location of hundreds of 
millions of cell phones were being made available by our 
nation's wireless carriers without consumers' consent.
    At least one company, Securus, used their access to this 
data to create a service for tracking and locating nearly every 
cell phone in real time. On top of that, Securus forced 
families calling prisons to consent to have their location 
tracked as a condition for talking on the phone with their 
incarcerated family members. This seems like no choice at all.
    LocationSmart, the data aggregator that made this data 
available, had such poor security on their website that 
according to a researcher at Carnegie Mellon University, 
individuals could look up real-time location data with little 
effort.
    These carriers it seems trusted but did not verify that 
consumers were giving consent to be tracked, and that gross 
negligence on their part exposed supposedly protected sensitive 
data to hundreds of millions of people.
    These revelations are deeply troubling, but what is more 
troubling is the lack of knowledge by the FCC of what appears 
to be a pervasive practice in the wireless industry.
    Similar to the Facebook incident, we still don't even know 
the extent of this breach and who may have had access to this 
data.
    Madam Chairman, I would respectfully request that this 
committee hold a hearing on this incident to understand how it 
happened and to hold the responsible parties accountable.
    With that, I will yield back the remainder of my time, and 
I look forward to the testimony of our witnesses.
    [The prepared statement of Mr. Doyle follows:]

              Prepared statement of Hon. Michael F. Doyle

    Thank you, Chairman Blackburn, for holding this hearing--
and thank you to the witnesses for appearing before us today.
    Digital privacy in our modern era has never been more 
important, and as our society becomes increasingly connected it 
will become even more important. I believe that we can and must 
do more to protect American's privacy and sensitive 
information. This Committee's hearing with Facebook's CEO Mark 
Zuckerberg showed how concerned our members are with the 
practices of one of the world's largest tech companies.
    What that hearing made clear was that the FTC does not have 
the manpower or authority to adequately enforce its own consent 
decree against Facebook, let alone pro-actively police this 
fast-evolving space. To solve this problem and to give the 
American people the protections they are demanding, we are 
going to need a comprehensive solution that includes more 
resources, more manpower, more authority to go after bad 
actors, and the ability to set rules of the road for the 
digital economy. Facebook demonstrated all too well that after-
the-fact enforcement authority can't help us when the damage 
has already been done.
    Europe's implementation of its GDPR rules, as well as 
California's recently and quite quickly passed privacy law, are 
clear indications that people at home and abroad recognize the 
need for strong privacy protections. We in Congress and on this 
Committee need to take that to heart as we address this 
pressing issue.
    Now, with regard to today's hearing and the topic before 
us, CPNI or Customer Network Proprietary Information: The FCC 
enforces CPNI rules under Section 222 of the Communications 
Act. This section restricts how telecommunications carriers can 
use and share customer data related to their service. This 
section and the authority it grants the Commission are some of 
the strongest privacy laws we have in this country and are 
intended to give consumers a modicum of protection.
    These rules were expanded in 2016 to include broadband 
services as well. Those rules too were simple, but effective. 
The three components were: first if your broadband provider 
wanted to use your data, it had to ask your permission, second 
it had to take reasonable steps to protect that data, and third 
it needed to notify you if your data was breached. These rules 
were an expansion of the FCC's existing CPNI rules and would 
have meaningfully enhanced our nation's privacy laws. Chairman 
Blackburn cosponsored and successfully led the effort to repeal 
these simple, sensible rules; as of yet there has been no 
replacement. The majority cannot claim that it values privacy 
when one of its signature achievements this Congress is the 
repeal of these meaningful rules.
    Americans around the country are shouting for more not less 
privacy protections; whether it is through ballot initiatives 
or billboards, people want more control over their digital 
lives. That is why it's so concerning that the FCC is doing so 
little to enforce existing protections under Section 222. 
Thanks to work done by Senator Wyden and his staff, we recently 
discovered that the real-time location of hundreds of millions 
of cell phones were being made available by our nation's 
wireless carriers without consumer's consent.
    At least one company, Securus, used their access to this 
data to create a service for tracking and locating nearly every 
cell phone in real time. On top of that Securus forced families 
calling prisons to consent to have their location tracked as a 
condition for talking on the phone with their incarcerated 
family member. That seems like no choice at all.
    Location Smart, the data aggregator that made this data 
available, had such poor security on their website that, 
according to a researcher at CMU, individuals could lookup 
real-time location data with little effort. The carriers, it 
seems, trusted but did not verify that consumers were giving 
consent to be tracked, and that gross negligence on their part 
exposed the supposedly protected sensitive data of hundreds of 
millions of people.
    These revelations are deeply troubling, but what's more 
troubling is the lack of knowledge by the FCC of what appeared 
to be a pervasive practice in the wireless industry. Similar to 
the Facebook incident, we still don't even know the extent of 
this breach and who may have had access to this data.
    Madam Chairman, I would respectfully request that this 
Committee hold a hearing on this incident to understand how it 
happened and to hold the responsible parties accountable. With 
that I yield back the remainder of my time and look forward to 
the testimony of our witnesses.

    Mrs. Blackburn. The gentleman yields back.
    Mr. Walden has not arrived. Does any member on the 
Republican side seek to claim his time?
    Seeing no one, I will go to--Mr. Pallone is not here.
    Does anyone on the Democrat side seek to claim his time?
    Ms. Eshoo, you are recognized.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Thank you, Madam Chairwoman. And thank you to 
the witnesses. It is good to see each one of you.
    I was surprised when the majority actually called this 
hearing. I think that there is an urgent need to examine 
privacy and data protections across the internet ecosystem, but 
I think this hearing, most frankly, is being held under 
disingenuous pretenses, and that the majority is inaccurately 
portraying itself as champions of consumer privacy reform when 
the record shows otherwise. Mr. Doyle raised this in his 
opening statement.
    In fact, the only action the majority has taken on privacy 
to date has been to actively roll back existing privacy 
protections and expose consumers to increased harm. Consumers 
legitimately feel that they have completely lost control of 
their personal information. There is not a single one-size-
fits-all solution to this, but in 2016, I think we were making 
progress. That is when the FCC extended CPNI protections to 
apply to broadband access services. That was a step forward for 
consumers. It should have been the first step toward protecting 
privacy at other points in the digital economy, including at 
the Edge.
    But instead, the majority pushed through a partisan repeal 
of the rules before the ink was even dry on a razor-thin vote 
of 215 to 205 with 15 Republicans opposed. Everyone on this 
committee remembers what a bitter fight that was. But in the 
end, there were pressures that beat out consumer protection. So 
now as a result, there are currently no strong privacy rules 
anywhere in the digital ecosystem.
    Americans have spent the last 17 months completely 
vulnerable to privacy exploitation and data breaches without 
recourse. Our most sensitive information, location data, 
medical history, Social Security numbers and mothers' maiden 
names are daily transmitted through networks of companies who 
no longer have any meaningful obligation to protect it. And I 
think that the American people are legitimately outraged by 
this.
    So, Madam Chairwoman, I fully support real attempts. And I 
underscore that word, ``real attempts'' to seek meaningful 
solutions for privacy protection across the diverse internet 
economy. And I think our witnesses here today are going to help 
to inform our thinking.
    So with that, I yield back the balance of my time, and I 
want--yes. Oh, Jerry. I will be happy to yield to my colleague 
from California, Mr. McNerney.
    Mr. McNerney. Well, I thank my colleague for yielding.
    Despite demands from Americans for more control over the 
information they share online, last year, Republicans in 
Congress voted to strip consumers of the power to choose how 
ISPs use and share their information. Republicans also voted to 
eliminate important data security protection for consumers.
    Now, ISPs are no longer required to take even reasonable 
steps to secure consumers' personal information. Given the 
growing cyber threats that our Nation faces, it is critical 
that we do more and not less to secure consumers' data. That is 
why I introduced the MY DATA Act, which would give the Federal 
Trade Commission important tools to protect consumers' privacy 
and security online. I hope that we can work together to move 
the MY DATA Act forward.
    And does the ranking member wish some time?
    Mr. Pallone. Well, let me just say, if I could. Madam 
Chair, if I could ask unanimous consent to include my statement 
in the record.
    Mrs. Blackburn. Without objection.
    [The prepared statement of Mr. Pallone follows:]

             Prepared statement of Hon. Frank Pallone, Jr.

    Privacy is a deeply held American value. Today, location 
data is collected not only by phone companies, but by apps and 
phone operating systems. According to a recent Harris poll, 78 
percent of people believe that a company's ability to protect 
their privacy is ``extremely important,'' but only 20 percent 
``completely trust'' companies to maintain the privacy of their 
data. This is not surprising considering all of the recent 
privacy breaches, including the Cambridge Analytica scandal. 
That is why I called for hearings so we can directly question 
executives from tech companies, internet service providers, 
data brokers and other companies that collect our information.
    Unfortunately, as Americans were demanding greater privacy 
protections, Republicans eliminated existing privacy rules and 
they continue to show little appetite for meaningful reform. 
Two years ago, the FCC adopted strong privacy rules for 
internet service providers under Section 222 of the 
Communications Act. Instead of embracing those rules, one of 
the first acts of the Republican Congress and the Trump 
Administration was to repeal them. Consumers need strong 
privacy protection across the entire Internet ecosphere, which 
is broader than just ISPs, but eliminating ISP privacy 
protections just left Americans less safe and angry.
    It was only after a huge public uproar and protests back in 
their districts that Republicans put forward a weak and 
unacceptable alternative. Ms. Blackburn's bill lacks basic 
protections such as rulemaking authority and significant civil 
penalties. And even this watered-down proposal has garnered 
little support from Republicans. It's no wonder that states 
like California are stepping in to fill the void left by the 
repeal of these privacy rules. And now that Republicans have 
rolled back not only online privacy protections, but also net 
neutrality, the FCC is left with limited authority to protect 
privacy. For telecommunications companies, the CPNI rules do 
remain. These rules require providers to protect information 
like a caller's name, location, who they called, and for how 
long. These are strong rules, but they are only effective if 
the FCC aggressively enforces them, which Chairman Pai has not.
    According to recent news reports, third-party data 
aggregators, such as LocationSmart and Securus, obtained real-
time location data from wireless carriers and allowed access to 
that data in ways that appear to violate the CPNI rules. This 
appeared to be happening for a long time. Fortunately, the FCC 
opened an investigation into LocationSmart, but why did it take 
so long? Why did it take a Canadian security researcher to 
identify the problem? And what is the FCC doing to proactively 
identify potential violations of its CPNI rules? These 
questions deserve answers, and that's why I've called for a 
hearing on this incident.
    In another move that puts companies before consumers, 
tomorrow, the FCC is considering eliminating the agency's 
traditional role in helping consumers resolve informal 
complaints.
    Currently, the informal complaint process is a free and 
easy way for consumers to use the FCC's help resolving everyday 
problems with communications companies.
    Chairman Pai is proposing that the FCC now just simply pass 
the consumer's complaint to the company. And then if the 
customer is unsatisfied, they will be encouraged to file a $225 
formal complaint.
    This is simply not right. The FCC should work for 
consumers, not make life harder for them. That's why Ranking 
Member Doyle and I sent a letter to the Commissioners yesterday 
urging them not to limit the ability of FCC staff to help 
resolve consumers' complaints. At a time when every dollar 
matters to working class families, it should be among the 
Commission's highest priorities to help consumers on the losing 
end of a growing imbalance of power.
    With that, I yield the balance of my time.

    Mr. Pallone. Thank you.
    Mr. McNerney. I yield back.
    Mrs. Blackburn. The gentleman yields back. The gentlelady 
yields back. And that concludes member opening statements.
    And I would like to remind all members that pursuant to the 
committee rules, all members' opening statements will be made a 
part of the record.
    We want to thank our witnesses for being here today and 
taking time to be before the subcommittee. Today's witnesses 
will have the opportunity to give their opening statements, 
followed by a round of questions from members.
    On our panel today we have Mr. Hance Haney, director and 
senior fellow at the Technology and Democracy Project at the 
Discovery Institute. Mr. Rob McDowell, senior fellow at the 
Hudson Institute, and a former FCC commissioner. And I think 
she may get the prize for most appearances this year; Ms. Laura 
Moy, deputy director of the Georgetown Law Center on Privacy 
and Technology.
    We appreciate each of you being here, making your testimony 
available to us.
    We will begin today with you, Mr. Haney. You are now 
recognized for 5 minutes for an opening statement.

     STATEMENT OF HANCE HANEY, DIRECTOR AND SENIOR FELLOW, 
 TECHNOLOGY AND DEMOCRACY PROJECT, DISCOVERY INSTITUTE; ROBERT 
MCDOWELL, SENIOR FELLOW, HUDSON INSTITUTE, FORMER COMMISSIONER, 
   FEDERAL COMMUNICATIONS COMMISSION; AND LAURA MOY, DEPUTY 
   DIRECTOR, GEORGETOWN LAW CENTER ON PRIVACY AND TECHNOLOGY

                    STATEMENT OF HANCE HANEY

    Mr. Haney. Thank you very much, Chairman Blackburn, Ranking 
Member Doyle, and Ranking Member Pallone.
    Section 222 of the Communications Act requires 
telecommunications common carriers to obtain customer approval 
in order to use, disclose, or permit access to Customer 
Proprietary Network Information.
    CPNI consists of call detail information, including the 
time, location, duration of telephone calls, as well as the 
telephone numbers from which calls originate and terminate. It 
also includes billing and other information.
    Section 222 does not apply to broadband services, which are 
classified as an information service. Even though broadband 
services could be thought of as being provided by 
telecommunications carriers, the statute and the regulations 
look to the service provided, not to the provider of the 
service.
    Instead, broadband is subject to the unfair and deceptive 
acts and practices authority of the Federal Trade Commission. 
This is the same authority that governs video streaming 
services, search engines, social networking sites, e-commerce 
sites, and user-generated media sites.
    The FTC privacy framework is technology neutral and it 
identifies categories of sensitive information that may give 
rise to an obligation by companies to obtain affirmative, 
express customer consent, otherwise referred to as opt-in 
approval.
    Sensitive information includes information about children, 
financial and health information, Social Security numbers, and 
precise geolocation data, according to the FTC.
    Technology neutrality is appropriate because, as the FTC 
has observed, broadband providers are no different than other 
participants in the internet ecosystem in terms of their 
ability to collect and utilize information about consumers.
    The FTC's recognition that the requirement to use opt-in 
should be limited is also appropriate. Due to consumer inertia, 
most consumers typically don't take action in this type of 
situation. The requirement to obtain opt-in approval can be 
costly and inefficient, even a barrier to innovation.
    Consumers benefit from the use of information that 
companies see and collect in the course of serving their 
customers, as companies like Google have demonstrated. 
Advertising underwrites the cost of services that Google offers 
for free to the public, and there is no reason that advertising 
couldn't also help offset the cost that broadband providers 
incur in offering broadband service.
    Privacy regulation involves transaction costs and may have 
anti-competitive consequences if it is applied unevenly. 
Ideally, all market participants should be subject to a uniform 
privacy framework administered by a single agency for the sake 
of consistency.
    The FTC's current privacy enforcement practice satisfies 
these criteria. Admittedly, making the internet more secure 
will likely always be a work in progress, and there is a role 
for both market solutions as well as regulation.
    Legislation to enhance consumer privacy protection, if any, 
should strive for technological and competitive neutrality. In 
particular, it isn't rational to subject some market 
participants to heightened privacy regulation just because they 
were subject to economic regulations in the past.
    We live in an era of rapid technological convergence in 
which it is wise to consider that every participant in the 
internet ecosystem is a potential competitor at least to some 
extent. Moreover, privacy protection should be calibrated 
according to the sensitivity of the information at issue in 
recognition of the fact that there are transaction costs 
associated with consumer consent systems.
    Opt-in systems are particularly burdensome and should be 
reserved for only the most sensitive personal information. 
Where customer information is less sensitive, consumers' 
privacy expectations should be balanced with the benefits 
consumers are likely to derive from a dynamic, competitive 
market, including greater abundance of choices and lower 
prices. Such a market is one where all providers have similar 
opportunities to innovate and earn a fair return on investment.
    Finally, to the extent possible, regulation should reflect 
the practical reality that it is difficult to make predictions 
about how the market will evolve and at what pace, and that the 
process of calibrating regulation on an ongoing basis as 
necessary to reflect changes in the market can be slow.
    Thank you.
    [The prepared statement of Mr. Haney follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Blackburn. The gentleman yields back.
    Mr. McDowell, you are recognized.

                  STATEMENT OF ROBERT MCDOWELL

    Mr. McDowell. Thank you, Chairman Blackburn, Ranking Member 
Doyle, and Ranking Member Pallone as well, and distinguished 
members of the committee. It is an honor to be back before you 
here today.
    I did serve as a Commissioner of the FCC from 2006 to 2013. 
Today, I am a partner at Cooley LLP, as well as co-leader of 
its communications practice, which is global. I am also a 
senior fellow at the Hudson Institute, as the chairman pointed 
out, and I testify today in my own capacity, and the views I 
express today are purely my own.
    Sitting behind me is a remarkable young woman, as my aide-
de-camp for the day. She is my daughter Mary-Shea Virginia 
McDowell. It is always good to have someone watching your back 
when you are in Washington, so----
    Safeguarding sensitive or private information is a concept 
as old as human beings. The English term ``eavesdropping'' was 
created centuries ago when the ancestors of today's data 
thieves literally lingered under the eaves of roofs to listen 
to the private conversations of others.
    Fast forward to 1980 when the FCC extended itself into the 
privacy arena in a narrow way as part of its computer inquiry 
proceedings. It issued rules governing what is now dubbed 
Customer Proprietary Network Information, or CPNI--could use 
some branding work on that name, I think--mainly as a safeguard 
against regulated monopoly local phone companies from using 
sensitive customer data to help their unregulated affiliates 
compete against new entrants at the time.
    Then Congress codified section 222 in 1996, mandating the 
Commission to adopt more specific CPNI protection rules 
applicable only to common carriers. Since then, dramatic 
changes have occurred in the telecommunications, media, and 
technology, or TMT marketplace.
    The maturation of the internet ecosphere, especially the 
mobile internet, has produced consumer benefits that were 
unimaginable 22 years ago when section 222 was codified. And 
America has led the way in these innovations.
    Furthermore, the mobile net has also helped spark trillions 
of dollars in American economic growth. Brilliant engineers and 
intrepid entrepreneurs have invented new tools that have 
dramatically altered and improved our daily lives, forcing 
business models to experiment and converge.
    Section 222, however, has remained the same despite these 
new market realities. Only telecommunications carriers must 
live under this law governed by the FCC, while the rest of the 
players in the dynamic internet ecosphere operate under privacy 
standards administered by the Federal Trade Commission.
    This duality has created a legal and regulatory asymmetry 
in the diverse internet market. Additionally, America's public 
policy has evolved to create a regulatory regime that sometimes 
does not focus as much on the sensitivity of the data that is 
collected, but rather, it focuses on what kind of market player 
collects the data. This approach could be more confusing for 
consumers, including myself, and companies alike, than would 
having one set of technology neutral rules that apply 
consistently across all platforms, including those we can't 
even imagine today.
    Only Congress has the authority to modernize privacy and 
consumer protection laws to reflect the realities of the 21st 
century internet marketplace. I respectfully suggest that 
Congress examine a modernized and harmonized privacy framework 
that is technology neutral and which focuses on the sensitivity 
of the data that is collected, rather than the type of entity 
that collects the data.
    That said, any uniform standard should guard against 
imposing overreaching or unnecessary regulations to help 
maintain America's leadership in the global TMT economy.
    Thank you again for inviting me to appear before you today, 
and I look forward to your questions.
    [The prepared statement of Mr. McDowell follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    
    Mrs. Blackburn. The gentleman yields back.
    Ms. Moy, you are recognized.

                     STATEMENT OF LAURA MOY

    Ms. Moy. Thank you very much.
    Good morning, Chairman Blackburn, Ranking Member Doyle, 
Ranking Member Pallone, and distinguished members of the 
committee.
    So the subject of today's hearing is Customer Proprietary 
Network Information, sometimes referred to as CPNI, which I 
agree with Mr. McDowell that that may need some branding work. 
That is the information collected by telecommunications 
providers--and right now, that means just phone providers--
about subscribers' use of the information. So important 
information about our communications, like who we call and who 
calls us, how often we call them, how long we talk to them, and 
where we are calling from.
    And I am really glad we are having a hearing on CPNI 
because the law that protects CPNI is one of the strongest 
Federal consumer privacy laws we have. It requires phone 
carriers to get their customers' permission before using CPNI 
for purposes other than to provide the phone service. In other 
words, you are paying for your phone service, and your carrier 
simply delivers the service without always trying to make an 
extra buck off your private life.
    So your phone carrier can't use the fact that you have been 
calling banks and credit card companies to market your payday 
loans, or the fact that you have been calling an elderly 
relative and healthcare providers more frequently to market 
your home health services, nor can it sell that information to 
outsiders without getting your permission first.
    The CPNI privacy law also enables an expert agency to issue 
regulations that can be modified and updated in accordance with 
changing technology and business practices. And this is really 
important.
    The CPNI privacy law also gives the FCC robust enforcement 
authority in the form of fines. And using this authority just 
in the last few years, the FCC has fined four different 
carriers for violations of CPNI privacy protections.
    The CPNI privacy law should serve as a model for future 
privacy laws this Congress may consider because of its 
substantive strength, the regulatory flexibility it offers 
through rulemaking, and its enforcement strength.
    But instead, however, the benefits to consumer privacy 
presented by the CPNI privacy law has faced some major 
setbacks. As multiple people in this room have mentioned, last 
year, Congress, including a number of members of this 
subcommittee, voted against the application of these strong 
privacy rules to broadband providers, even though, like the 
phone, broadband is now an essential service, and like phone 
carriers, broadband providers enjoy privileged insight into 
their subscribers' private communication.
    And this year, as the FCC eliminated net neutrality rules, 
it removed broadband providers altogether from the reach of the 
CPNI privacy law, which, as I said, is one of the strongest 
consumer privacy laws we have on the books.
    So that brings us to today, and here, as we consider what 
our path forward should be. It is clear that we must do 
something. Ninety-one percent of adults in America feel that 
consumers have lost control of their personal information. And 
nearly 70 percent thinks the law should do a better job of 
protecting their information.
    Consumers want more privacy protection, not less. This is 
why the recent elimination of existing privacy protections was 
so unpopular among the American public.
    As Congress considers how to give Americans the privacy 
protections they deserve, it should keep a few things in mind:
    First, prospective rulemaking authority is an incredibly 
important consumer protection tool. After-the-fact enforcement 
can be helpful, but an enforcement-only regime does not always 
create clarity, and because it comes only after a problem has 
occurred, it does not necessarily protect consumers from the 
problem in the first place.
    Granting rulemaking authority to an expert agency also 
fosters much needed regulatory flexibility. We don't always 
know what the next privacy or data security threat will be, but 
unfortunately, we all know that there will be one. An agency 
with rulemaking authority can respond to shifting threats more 
quickly than Congress can.
    Second, consumer protections are only as good as their 
enforcement, so any new protections Congress creates on privacy 
or data security must be accompanied by strong enforcement 
authority.
    Right now, the FTC does use substantial work on privacy and 
data security. But with few exceptions, it does not have the 
ability to seek civil penalties for privacy and data security 
violations. In fact, FTC staff and commissioners have appeared 
before Congress requesting civil penalty authority to buttress 
their authority. Agencies that are tasked with protecting 
consumers' private information cannot do it without the proper 
tools. Civil penalty authority is needed.
    Third, Congress should avoid the temptation to address 
complex challenges with the one-size-fits-all approach. There 
are different types of actors on the internet with different 
roles to play, different relationships with and commitments to 
consumers, different competition environments and different 
abilities to solve problems. If we adopt a uniform regulatory 
approach to the entire internet, we are going to be left with 
the lowest common denominator, something like transparency with 
enforcement that just prohibits deceptive practices. And that 
is not good enough. Consumers are asking for more.
    I appreciate your commitment to this issue. Thanks for 
having me. I look forward to answering your questions.
    [The prepared statement of Ms. Moy follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Blackburn. The gentlelady yields back.
    And we thank all of you for your testimony. And we will 
begin our questions and answers. I will begin by recognizing 
myself for 5 minutes.
    Mr. Haney, I would like to start with you. Devices often 
have much more detail location information than what carrier 
location provides. For example, later iPhone models integrated 
location information from various sensors, Wi-Fi, Bluetooth, 
GPS, cell towers, et cetera, and create a more precise 
location. Apple calls this data Hybridized Emergency Location, 
or HELO. Is this feature integrated into the operating system?
    Mr. Haney. Yes, I believe it is.
    Mrs. Blackburn. And would you classify HELO data as CPNI?
    Mr. Haney. No.
    Mrs. Blackburn. If you applied current CPNI rules to HELO 
data, would Apple be permitted to transfer this data to a 
service like RapidSOS?
    Mr. Haney. No, not without subsequent permissions.
    Mrs. Blackburn. OK. Would Uber, which relies on HELO data, 
be able to function if HELO data was subject to CPNI rules, or 
would the app become unusable due to individual opt-in consent 
mechanisms every single time a user opens the app?
    Mr. Haney. In terms of ability to function, no, probably 
not. In terms of the consumers, they probably suffer from opt-
in fatigue.
    Mrs. Blackburn. OK. Thank you.
    Mr. McDowell, how is the data that is collected by mobile 
apps different from the data collected by a telecom provider? 
Because it does not sound that different to me. Mobile apps are 
collecting the time an app is used, the duration, and the 
location of where the user is when they are using the app. And 
we heard through our algorithms hearing that we recently did 
how all this collection goes even a step further and 
anticipates my future choices, plans, and decisions.
    So aren't these the same details a telecom provider 
collects and are protected under the CPNI rules? And what are 
the rules protecting this information from a mobile app, and 
what level of opt-in has the consumer performed?
    Mr. McDowell. A lot of questions there, Madam Chair.
    Mrs. Blackburn. Yes.
    Mr. McDowell. All excellent ones. So, first of all, an app 
can actually collect more data than a carrier would have access 
to. For instance, if you scan a UPC code, the price of 
something in a supermarket, there is an app that can tell you 
if there is a better deal nearby. So it knows where you are, it 
knows what you are buying, it knows your price points. It knows 
a lot about you all of a sudden, the demographics, based on 
that thing that you are buying. That is just one of many 
examples.
    It is the 10th anniversary this week of the Apple App 
Store. So happy birthday to the App Store. I think it is a 
wonderful thing. And there are, I think, 1.5 million apps in 
that app store. And certainly, Apple has some terrific 
standards that it tries to live by there. But those apps, with 
1.5 million, or whatever the actual number is, there are just 
as many ways of gleaning information about consumers, where 
they are, what they are buying, what they want, what they are 
saying, how they look. There are a lot of aspects there that 
carriers don't necessarily have access to.
    So the CPNI rules would be sort of a--or the data that CPNI 
governs would be sort of a subset of what all the other 
information that apps collect.
    Mrs. Blackburn. You mentioned we need to modernize and 
harmonize the protection rules. So I want you to elaborate just 
a touch on that point.
    Mr. McDowell. Absolutely. So from a consumer's perspective, 
there is certain information that we find sensitive. And this 
can vary from consumer to consumer, of course, and other 
information not. So if you think of your information regarding 
your health or your financial information, things like that, 
those are easy examples of what we consider to be sensitive, 
and you don't necessarily want the whole world, or very few 
people, having access to that, versus you are conducting a 
search to buy a new car. Maybe you want to have the greater 
world know that you are looking for this kind of car at this 
type of price point. So that is less sensitive information.
    So that is what I was trying to illustrate too, is as 
consumers, we care about the type of information. It doesn't 
matter who has that information. There aren't politically 
favored or politically disfavored entities out there. We are 
concerned about anyone breaching that or disclosing that 
information in a way that we don't agree with or the way that 
we don't command.
    Mrs. Blackburn. OK. I appreciate that.
    Ms. Moy, I have a question for you. In the interest of 
time, I will submit that.
    I yield back my time and recognize Mr. Doyle.
    Mr. Doyle. Thank you, Madam Chair.
    Ms. Moy, it was recently revealed that our nation's top 
wireless carrier shared real-time location data of hundreds of 
millions of Americans with third parties without consumers' 
consent. This access was used by at least one entity, Securus, 
as part of a service to enable their customers to determine the 
exact location of hundreds of millions of cell phones in real 
time without user consent.
    How is it possible that such a massive data breach of such 
sensitive data could occur, and why do you think the FCC was in 
the dark on such a widespread practice?
    Ms. Moy. Those are really good questions, and questions 
that the agency itself should be asking. So in this instance, 
Securus was getting information through these data brokers, 
location aggregators, that were sourcing it directly from the 
wireless carriers who were giving these data brokers direct 
access into their location information.
    We know about the Securus case, but about a month ago, 
Verizon told journalist Frank Bajak of the Associated Press, 
that about 75 companies have been obtaining its customer data 
from LocationSmart, and another broker called Zumigo, I think. 
And I want to emphasize that this is really private 
information. Location can tell someone about where you work, 
where you live, where your kids go to school. In a recent 
Supreme Court decision, the Court likened location data 
maintained by phone carriers to electronic ankle bracelets.
    With respect to how this could have happened, clearly, the 
carriers have not been taking location privacy seriously 
enough, if they were enabling data brokers to take over the 
customer consent process and then not properly policing it. But 
ultimately, the responsibility falls with the FCC to ensure 
that carriers are actually meeting their statutory obligation 
to protect that information.
    Mr. Doyle. So tell me, if a Federal regulator is captured 
by industry and declines to assert their own authority, what 
role does the private right of action or enforcement authority 
by state attorney generals play, and how can that maybe be a 
check on a reluctant agency?
    Ms. Moy. That is a great question, because we have 
something sort of like that under the--well, we do have that 
under the Children's Online Privacy Protection Act. The 
Children's Online Privacy Protection Act, which is a 1998 
privacy law that specifically involves the information that 
children share with a provider of an online site or service, 
grants state attorneys general the authority to bring civil 
actions against companies that they believe have violated the 
Act--or have violated, actually, the regulations passed by the 
FTC under that act on behalf of citizens of the state in the 
event that the agency itself, the Federal agency, doesn't do 
that.
    I think that is a really important and strong privacy 
enforcement tool. It has been used by multiple state attorneys 
general, and it would be great to see something like that in 
additional privacy laws moving forward.
    Mr. Doyle. Tell me, do you think Chairman Pai's past work 
for Securus is reason for him to recuse himself from any 
investigation or enforcement action?
    Ms. Moy. I don't know that I can answer that directly, 
except to say that I do; it does raise some red flags that he 
does have a past working for a company that is accused of 
wrongdoing in this particular instance.
    Mr. Doyle. Let me ask you, do you think Americans have 
fewer privacy protections as a result of the broadband privacy 
CRA?
    Ms. Moy. As a person who advocated strongly for those 
broadband privacy rules and thinks that they are really 
important, yes, I do. I think that privacy is in a worse place, 
especially when you think about your home internet connection. 
An internet provider can see not only information about all of 
the websites that you visit, including those that pertain to 
your health information, your political viewpoints and so on, 
but can also see information about Internet-of-Things connected 
devices. So perhaps information about when you are opening your 
garage door, when you are using your baby monitor, maybe even 
when you are using your connected toothbrush or connected 
mattress. They can see maybe when there are guests in your home 
and additional devices. There is just a lot of really sensitive 
information that a network provider has access to, and 
consumers, unfortunately, have no choice but to share that 
information with those providers.
    Mr. Doyle. Do you think Americans are better off with the 
FTC enforcing privacy protections on broadband providers as 
some in the majority have alleged?
    Ms. Moy. Frankly, no. There are multiple reasons, but part 
of it is that the FTC doesn't have rulemaking authority, so it 
can't create perspective rules-of-the-road on this issue. And 
its enforcement tools are really limited. It doesn't have the 
same kind of bite to its enforcement that the FCC does.
    As I said, the FCC has brought multiple actions against 
carriers in the past few years for CPNI violations with fines 
attached. The FTC doesn't have that type of authority.
    Mr. Doyle. Thank you, Madam Chair. I yield back.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Olson, you are recognized for 5 minutes.
    Mr. Olson. I thank the chair. And welcome, Mr. Haney, Ms. 
Moy. And a special welcome to the McDowell family, our 
commissioner, and his daughter Mary-Shea is right behind his 
left shoulder.
    We talked before the hearing. She is a junior in high 
school, about to go off to college, and I take great pride, as 
your father does as well having--my wife went to Duke 
University like your father. You won't become a North Carolina 
Tar Heel. Never, ever. So thank you for that.
    But to the business ahead, Commissioner McDowell, we have 
all become familiar with the idea of targeted advertising. As 
you know, companies grab our data and, when we buy something--
like, for example, I bought a lot of Houston Astros World 
Series hats, Jose Altuve jerseys, George Springer bobblehead. 
All of a sudden, ads popped up, when I got on the internet, 
with the Astros, the Rockets, the Oilers, pro-baseball. 
Obviously, they are targeting me with direct ads because of my 
behavior on the internet.
    Google and Facebook as well do this automatically. Users 
like myself have to opt out most times, because I don't want 
those targeted ads. Most people don't want those ads. But if a 
telecommunications provider does this automatically, the exact 
same behavior that Googles and Facebooks do, that is illegal.
    Can you explain that? Doesn't that sound anticompetitive?
    Mr. McDowell. Well, it does create that asymmetry that I 
was talking about in my opening remarks. So that is because of 
section 222 and the FCC's enforcement of that. So we have a 
diverse internet ecosphere. There are business models that have 
come forth in the past decade, even the past year or two, that 
we couldn't even imagine a year or two ago, right. So we don't 
know what is coming up next, what brilliant entrepreneurs are 
going to think of.
    So we don't know ways they might be using our data. But you 
do have 222, section 222, offering one standard and FTC 
sometimes administering a different standard.
    Mr. Olson. Mr. Haney, in your opening statement, you state 
that ``privacy protection encourages broadband usage and 
therefore promotes broadband investment.'' So this should 
incentivize broadband providers to invest heavily in privacy 
protection.
    Is this what you see in the marketplace? Does it work in 
the market?
    Mr. Haney. I think in the marketplace, privacy protection 
can be strengthened, but I think that current privacy 
protection is working in the market to incentivize all 
providers to invest, to create for consumers more abundance of 
choices, lower prices, services that we can't even imagine at 
this point. And I think that to the extent that Congress 
through legislation enhances consumer privacy, that it is very 
important, not only to be certain that all providers are 
created equally, but also that the privacy regulation is not 
overly burdensome.
    Mr. Olson. Thank you.
    Back to you, Commissioner McDowell, about my Houston Astros 
hats purchases swarm me with ads. Most consumers, as we 
mentioned, don't want their call detail information released to 
third parties or used for targeted ads. It doesn't matter if 
that call comes from a digital telephone or even an app.
    Do you believe the best way to address this problem would 
be with one technology neutral privacy rule that covers all 
call detail information?
    Mr. McDowell. I think one standard would be very helpful 
and would allay a lot of confusion among consumers and market 
players of all kinds alike.
    So when I was at the Commission in 2007, we expanded the 
CPNI rules to what we call interconnected Voice over Internet 
Protocol providers, or interconnected VoIP, as we call it. But 
if you are not an interconnected VoIP, if you are just VoIP, 
using internet protocol through an app, then it is not 
regulated by 222. But to the consumer, it is the same function. 
It is an internet voice and video call to someone.
    One type, if it is interconnected, is regulated in 222. 
Another type, if it is not interconnected to the PSTN, the 
public switched telephone network, is not. So that creates that 
asymmetry and a lot of confusion for folks, I think.
    Mr. Olson. Well, thank you. I will close with a comment on 
Hurricane Harvey. During your tenure at the FCC, you were 
pushing hard after hurricane Ike hit my hometown about putting 
your lines below the soil, bury them. We did that for Harvey. 
Those lines stayed up the whole time. Information critical for 
emergency were being flown all across Houston areas. So thank 
you, thank you for that.
    Go Blue Devils. Beat the Tar Heels forever.
    I yield back.
    Mr. McDowell. I did not ask him to say that.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Pallone, you are recognized for 5 minutes.
    Mr. Pallone. Thank you, Madam Chair.
    Today's hearing highlights how much consumers on the 
internet have lost over the past year and a half. Consumers' 
privacy protections, consumers' data security protections, and 
consumers' net neutrality have been ripped away. So I think it 
is a rough time to be online.
    The Republicans delivered a one-two punch when they rolled 
back consumer broadband privacy rules and then repealed the net 
neutrality safeguards that ensure the internet remain free and 
open.
    So let me start, Ms. Moy, can you explain how these two 
anti-consumer actions worked in concert to give consumers fewer 
privacy protections online?
    Ms. Moy. Sure. Yes. So the first was these set of rules 
that really implemented section 222, the CPNI law, which, as I 
said, is one of the strongest consumer privacy laws that we 
have, and apply it to broadband providers. And unfortunately, 
Congress undid those regulations with the CRA resolution.
    But even after the CRA resolution, section 222, at least 
the statute of it, still applied to broadband providers until 
the more recent net neutrality order that undid the net 
neutrality rules, as well as Title II classification.
    So consumers now are left without the statutory protections 
of 222 to apply to broadband information and are left only with 
the baseline prohibition on unfair and deceptive practices 
under section 5 of the FTC Act, which more or less just 
prohibits broadband providers from doing things other than what 
they have told consumers in a consumer-facing statement they 
would do.
    Mr. Pallone. Well, thanks.
    Let me ask Mr. Haney. It is evident that in the internet 
age, so many different entities have access to our private 
information. And you also make mention of this in your written 
testimony. So if you could tell me, what types of companies, 
other than phone companies, have access to information 
traditionally thought of as CPNI, and are they subject to as 
stringent regulations as telecommunications companies?
    Mr. Haney. I mention video streaming services, search 
engines, social networking sites, e-commerce sites, and user-
generated media sites as examples. And currently, they are 
subject to the same privacy regulation as broadband providers, 
but as I mentioned, broadband is not the same thing as a common 
carrier telecommunications service. And therefore, only the 
common carrier telecommunications service, what we think of as 
telephone calls or any voice communication, excepting a voice 
app that is not interconnected to the public switched telephone 
network, that would be the only category that would be subject 
to the privacy protection that Ms. Moy supports.
    Mr. Pallone. All right. Thank you.
    Let me go back to Ms. Moy. I was alarmed by the reports of 
the vast troves of location data that third-party aggregator 
LocationSmart was making available to anyone on the web. It 
seems to me that we don't even know yet the entire scope of 
that incident. So do we know how exactly and how many companies 
or individuals have access to the data that LocationSmart was 
making available and what these data were used for?
    Ms. Moy. We don't know. We know the one specific example of 
Securus, we know that in some detail because there were public 
records posted on the Georgia Department of Corrections website 
that showed screen shots from what the Securus platform looked 
like. And alarmingly, it enabled users of that platform to 
enter in the phone number of any phone in the country, upload a 
document of any sort, and without that document being 
scrutinized, they could obtain real-time location information 
for any individual in the country.
    We do know, as I said before, from an AP report that 75 
companies reportedly had access to location information through 
LocationSmart pertaining to Verizon customers. But I think it 
is safe to say that this is just the tip of the iceberg, right? 
If all four major wireless carriers were outsourcing a location 
information access to these third-party data brokers, only one 
of which is LocationSmart, then we are probably just seeing the 
very beginnings of what could be a massive investigation and a 
lot of privacy violations.
    Mr. Pallone. Do you have any suggestions what the FCC could 
do to help us better understand the scope of this incident 
problem?
    Ms. Moy. So the CPNI rules do require carriers to maintain 
records about who has access to customer CPNI, using the 
customer consent model. And so the FCC ought to be able to, 
using its investigatory authority, ought to be able to demand 
those records from the major wireless carriers, and that trail 
of records should lead them right down the path to finding out 
how many violations there were. And if those records don't 
exist, then that is a violation in and of itself.
    Mr. Pallone. Thank you. Thank you, Madam Chair.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Lance, you are recognized for 5 minutes.
    Mr. Lance. Thank you very much. And I apologize to the 
panel for shuttling. We have several subcommittees this 
morning. This is a very important topic, and certainly we want 
to proceed in a bipartisan way on it.
    Given the rules implementing 222 continue to distinguish 
between local and long distance service and impose 
authentication requirements that are 20 years and perhaps out 
of date, do you believe that the current rules make sense in 
today's modern marketplace or do you believe that we should 
update them reflecting consumers' current expectations?
    And this is for the panel in its entity. Mr. Haney?
    Mr. Haney. I believe the rules, sir, are out of date. They 
were designed, not only to protect consumer expectations, but 
they were also designed to try to allocate competitive 
advantages and competitive disadvantages in the marketplace as 
new entrants joined the market to compete with traditional 
incumbents. That dynamic is no longer relevant, and so I 
believe that the rules can and should be updated. But I do 
think it is important, sir, that the rules should apply equally 
to everyone. Every provider in the internet ecosystem is in a 
position to see and to collect information about consumers, 
some of it sensitive.
    Mr. Lance. Mr. McDowell.
    Mr. McDowell. I would agree with Mr. Haney in that the 
rules are out of date. Twenty two years ago was when Congress 
passed section 222. Every aspect of the internet ecosphere is 
completely different now than it was then in terms of data 
collection as well.
    And one also point to follow up on the exchange with Mr. 
Pallone, is that, if you have a device, like Mary-Shea's little 
brother Cormac, he has a hand-me-down iPhone, but he is not a 
subscriber, so he lives off the land, so to speak, through 
unlicensed. And those transmissions--voice, video, apps, 
gaming, whatever--would not be covered, right, except by the 
FTC. They are not covered under 222.
    So this starts to talk about the limitations or point out 
the limitations, and there are millions of nonsubscribers such 
as our youngest child, Cormac.
    Mr. Lance. Thank you.
    Ms. Moy.
    Ms. Moy. Thank you. So the regulations almost were updated, 
as you know, and the updates to those regulations would have 
applied to phone providers who are subject to the CPNI rules as 
well as to broadband providers to whom the CPNI rules had been 
extended. And so that included, for example, an update of the 
data security provisions in the CPNI rules to do away with some 
of the more prescriptive things that was maybe an older 
approach to data security and to replace it with a more 
flexible, reasonable security measures standard in accordance 
with several factors, such as the nature and scope of the 
carrier's activities, the sensitivity of the data that it 
collects, and so on.
    So I do believe that updates to the rules such as those 
that were almost enacted that were passed in 2016 and then 
reversed by the CRA resolution would be appropriate. And the 
question is just how we get back to where we are.
    Mr. Lance. Would they have applied across-the-board?
    Ms. Moy. They would have applied to phone carriers as well 
as to broadband providers. If you are asking if they would have 
applied to other entities such as apps and so on, no, they 
would not. And I would completely support rulemaking authority 
to apply similar regulations to----
    Mr. Lance. I am a co-sponsor of the chairman's legislation, 
the BROWSER legislation, and I would hope that the 
distinguished panel would look at it. And the chairman has 
taken the lead across this country in this area, and I am 
pleased to associate myself with what the chairman is 
attempting to do here. And I certainly agree with the panel 
that we need to update the procedures.
    Mr. McDowell, if Congress enacts new privacy legislation, 
should information about calls be treated the same regardless 
of how a call is made?
    Mr. McDowell. If Congress looks at this, yes, again, back 
to one uniform standard, I think that that would be very 
helpful to everybody involved. As we are finding out today, it 
is a complicated issue. It doesn't need to be as complicated.
    Mr. Lance. Thank you. And, Chairman, I yield back 32 
seconds.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Welch, you are recognized.
    Mr. Welch. Thank you very much.
    Mr. Haney, do you believe that the CPNI rules as they apply 
to telecoms have served a good function to protect privacy of 
telephone users?
    Mr. Haney. I think the rules were more onerous than they 
needed to be, but----
    Mr. Welch. Well, go ahead.
    Mr. Haney. I think that the requirement to get opt-in 
consent actually inhibited innovation, because as it applied to 
the incumbents in the marketplace, it is very difficult to get 
opt-in consent from consumers.
    Mr. Welch. All right. I am going to come back to that. Do 
you think that the privacy protections, though, that were 
outlined in the CPNI did ultimately protect privacy rights of 
the users?
    Mr. Haney. Yes, sir.
    Mr. Welch. And would you have a problem having that privacy 
protection applied across all technologies?
    Mr. Haney. I think if it applied across all technologies, 
it would be a huge improvement.
    Mr. Welch. So CPNI across all technologies you would be 
supportive of?
    Mr. Haney. Well, except for the fact that I do believe it 
is overly burdensome.
    Mr. Welch. All right. I am going to try to summarize what I 
am hearing. Because, number one, all three of you, I think, 
want technology-neutral provisions, correct? And I don't think 
there is opposition up here to having it be technology neutral.
    Number two, you want a uniform enforcement so it is not 
complicated, right?
    Mr. Haney. Yes.
    Mr. Welch. So, three, there is a big debate about this opt 
in or opt out. And essentially, that is the burden. Who is 
going to be protected? Is it going to be the consumer and he or 
she has the opportunity to opt in or opt out versus the burden 
that the opportunity costs for the technology provider.
    Isn't that essentially what it boils down to?
    Mr. McDowell. If I could add to that, yes. So certainly, 
and earlier what Mr. Haney said, there is the potential for 
opt-in fatigue, as we see with the GDPR in Europe. I don't 
think that is the standard we want to operate on. I think that 
would actually suffocate our internet ecosphere, but----
    Mr. Welch. Let me----
    Mr. McDowell. But uniformity, that concept, I think----
    Mr. Welch. But here is the thing. I am a consumer. I don't 
have a clue how all these things operate, and that is how most 
of us are. I would feel much more comfortable if I was able to 
opt in or not. If it was the opt-in approach, I would feel more 
empowered.
    Mr. McDowell. Coming over the horizon too real quick--
sorry--we ought to probably have another hearing some day on 
blockchain and the evolution of blockchain and how that is 
going to help privacy protection. That is a whole other 
technological argument----
    Mr. Welch. You know what, I actually got to say I don't buy 
that.
    Mr. McDowell. OK.
    Mr. Welch. And here is why. There is always something over 
the horizon. All right. None of us have a clue as to what is 
going to be developed next year. But what we do have is the 
capacity to hit a key stroke and say we will opt in or we will 
opt out. Right?
    And what I am hearing from you is that your apprehension of 
the opt-in is it will diminish innovation. All right. And I am 
not quite sure why you say that. This is like a key stroke. The 
amount of information that they can get over the computer can 
include a key stroke from Peter Welch on opt-in or opt-out, 
right? It is not a big deal, really.
    Mr. Haney. Well, as we look at consumer behavior, when they 
are offered the opportunity to opt in, let's say one-third, for 
example, chooses to opt in. But when they are offered an 
opportunity to opt out, a very small percentage of consumers--
--
    Mr. Welch. No, exactly. You have precisely defined the 
issue. Who is going to be the default winner or loser on this? 
And if the technology company has access to the information and 
then can sell it, then they are going to reap some reward for 
that. And you would like to think--or you suggest that that is 
necessarily going to be a better product for me? I am not sure 
that is right. But I would like to be the one making the 
choice.
    So I think the number one issue is who bears the burden 
here, because I know the companies would prefer to get and use 
all the information they can.
    And then number two is a basic question about rulemaking. 
There has got to be some flexibility. And there are a lot of 
folks here who don't believe that Congress or anybody else 
should be doing any rules any time, any place, for any reason. 
I am not one of them, all right. Because that means that it is 
kind of anarchy out there.
    So do you have any opposition, you or Mr. McDowell, to some 
rulemaking authority as part of enforcement?
    Mr. McDowell. To the FTC?
    Mr. Welch. Well, we can have a debate about FTC, FCC, the 
uniformity. I am sympathetic to having a uniform standard, but 
there has got to be real enforcement, in my view.
    Mr. McDowell. Sure. So, historically, FTC has been the 
expert agency for privacy.
    Mr. Welch. Right.
    Mr. McDowell. So the FCC has had a very narrow aspect of 
this; only the common carriers and only regarding certain 
information for certain purposes under what we call CPNI. The 
whole rest of the universe in the privacy universe has been the 
FTC.
    So I am not opposed to having the FTC with some limited 
rulemaking authority in this space.
    Mr. Welch. OK. I yield back.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Shimkus, you are recognized.
    Mr. Shimkus. Yes.
    Thank you, Madam Chairman.
    To my colleague from Vermont, I wouldn't be so dismissive 
of the blockchain debate in this because--and, Peter, if you 
got a second, I am sorry to interrupt--because, the country of 
Estonia has full data protection on personal health records, on 
data; they are totally wireless, phone app, every government 
entity. And they are a small country, but it is all blockchain-
developed. And if you are following cryptocurrency and that 
debate, that is all blockchain too.
    So I do agree that we ought to be looking at this as far as 
this privacy debate somewhere in the future on a different data 
because this could solve a lot of the problems of--I am not the 
big cryptocurrency guy, but as far as an individual accessing 
other internet-provided government functions, I think Estonia 
has proven the safety of the use of this type of system. So I 
just want to throw that out since you mentioned it.
    But I do want to go to Commissioner McDowell because of 
your former position in the FCC. So we have some questions.
    You have heard that this committee held a hearing with 
Facebook a few months ago. And if you didn't hear, you should 
have heard. There have been reports that Facebook had collected 
call records and SMS data from Android devices and had the 
Facebook app installed going back for years. Our subcommittee 
chairs just sent letters to Google and Apple regarding their 
collection handling of location data amongst other information 
that is at the core of their operating systems.
    Given your experience as an FCC Commissioner, I expect you 
are pretty familiar with filings. My understanding is--and we 
are not, Members, we don't really follow how these filings 
occur. My understanding is that wireless carriers have a whole 
regime associated with serving these same devices. Those 
records are considered extremely sensitive personal 
information. They are CPNI and are subject to privacy 
regulations strictly enforced by the FCC.
    What kind of reports are these entities required to file?
    Mr. McDowell. So, under CPNI--I am going to whip out my 
cheat sheet here because the Code of Federal Regulations can 
get kind of weedy. So they have to file an annual report. And, 
actually, under the FCC's privacy order from 2016, these 
reports were going to go away, and now they are back but only 
on common carriers. So that is just important, again, part of 
the asymmetry problem. But they have to first have an 
affirmation that the company, the carrier, has operating 
procedures in place to ensure that it is complying with the 
CPNI rules. Second, it has to explain how those operating 
procedures ensure compliance. Third, they have to report on any 
actions taken against data breach--data brokers, rather. And 
data breaches are another story. And, number four, report on 
customer complaints concerning data breaches.
    And then, when it comes to data breaches, they have to 
first notify law enforcement and then wait 7 days before 
notifying the consumer. So there is a lot going on. But those 
are annual reports filed with the FCC.
    Mr. Shimkus. What kind of consent must the provider obtain?
    Mr. McDowell. So, for instance, if you want to pay your 
phone bill through your bank online bill pay and you want to 
see your call detail, you can't do it through your bank website 
unless you go to your carrier, your phone company, your 
wireless company, whoever it might be, and give them consent to 
share that information with your bank, for instance. So that is 
a form of opt-in.
    Mr. Shimkus. And you mentioned that, in case of breach, 
there is--they need to file notification of that, correct?
    Mr. McDowell. Data breaches, they do. Absolutely.
    Mr. Shimkus. That is all I have, Madam Chairman.
    And I yield back my time.
    Mrs. Blackburn. The gentleman yields back.
    Let's see.
    Mrs. Dingell, you are recognized for 5 minutes.
    Mrs. Dingell. Thank you, Madam Chair.
    I think that you have seen from this hearing that consumers 
are--and what we are talking about every day when we are 
talking to people that consumers are consistently losing 
control of their private information across the board. First, 
it was Equifax; then Facebook. Now we have talked about 
LocationSmart today, a third-party aggregator of cell site 
location information, which has made Americans' location data 
available to anyone with an internet connection. And I think 
that is what people don't understand. And when we are talking 
about where someone's phone is what we are really talking about 
is real location time any minute because I bet most of us in 
this room have a cell phone in their purse or their pocket 
right now.
    These breaches of trust cannot become normal. And I worry 
that, with each passing scandal, we are becoming numb to this 
gross invasion of privacy. I talk to people, and they say there 
is nothing we can do about it. But there is something that we 
can do about it. It is why we need to be talking, and I think 
too many people don't understand how much data there is and 
what people are doing about it.
    So, Ms. Moy, I know you have answered questions, but I 
would like to dig in a little more.
    Can you talk more about LocationSmart, how they obtain 
their information, and talk a little more about who had access 
formally but who informally or illegally could have gotten 
access to that information and what they might have done with 
it?
    Ms. Moy. Sure. Yes. So, again, LocationSmart was providing 
access to information, location information, for virtually any 
mobile phone user in the country. So it had direct access to 
the location information provided by all of the major wireless 
carriers. And it was providing that information informally.
    And this really seems like the carriers essentially 
outsourcing access to their customer sensitive information and 
the whole consent process, right? So, if the carriers don't 
want to deal with trying to get consent on a case-by-case 
basis, for example, applications that want to access the 
information from the carrier side or websites, that the carrier 
was outsourcing this function to a data broker, the 
LocationSmart company. And LocationSmart presumably is supposed 
to have been getting and keeping records of customer consent 
for every instance in which it was providing that location 
information. It was not doing so. LocationSmart was not doing 
that for a long period of time. We don't know exactly how long, 
but we do know that the securest platform that, again, would 
have enabled anyone--this is the sort of formal access to 
location information that you are talking about--would have 
enabled anyone who worked in a prison and had access to the 
securest location-based services platform to just type in a 
phone number and upload any documents--no one at the company 
was looking at those documents, according to the information 
that they told Senator Wyden's staff--and then get real-time 
location information for anyone.
    So this was going on for a long period of time. Apparently, 
either the carriers didn't know about it or didn't care. The 
FCC either didn't know about it or didn't care. And with 
respect to informal access, the LocationSmart platform also was 
not secure. So some security researchers demonstrated that they 
were able to gain access to location information through the 
LocationSmart portal without having formal access to that 
system.
    Mrs. Dingell. Ms. Moy, let's keep building on that.
    Do you believe cell site location information is covered 
customer proprietary network information under the statute?
    Ms. Moy. Yes. I am really glad that you asked that question 
because it certainly is information about one's use of the 
telecommunication service that is accessible to the carrier 
only by virtue of the carrier-customer relationship. And it is 
information pertaining to the location of the user. So, under 
the statute, this does, in my belief, meet the definition of 
CPNI. And so, to me, it does appear to be a CPNI violation that 
was happening on a massive scale.
    Mrs. Dingell. So do you believe there were violations of 
section 222?
    Ms. Moy. It does appear that way to me.
    Mrs. Dingell. I will yield back my 29 seconds, Madam Chair.
    Mrs. Blackburn. The gentlelady yields back.
    Mr. Latta.
    Mr. Latta. Thank you, Madam Chair.
    And thank you all for being with us today.
    Mr. McDowell, if I could start my questioning. There are 
many ongoing conversations in the realm of data privacy. The 
Digital Commerce and Consumer Protection Subcommittee, which I 
chair, has held several hearings on these issues, and we will 
hear from the entire FTC next week about their work in the 
area.
    In your testimony, you mentioned the formidable protections 
of the FTC. And I have been clear about my support for the 
FTC's enforcement authority and even introduced a bill to make 
sure that the FTC's jurisdiction remained in place in the face 
of the legal challenge.
    Do you believe that the FTC is equipped to handle privacy 
matters for the vast portion of the economy under its 
jurisdiction from Main Street stores to some of the largest 
companies in the world, including common carriers, for their 
ever-increasing noncommon carrier activities?
    Mr. McDowell. So I think in terms of privacy, it is the 
expert agency on privacy, and it is very well equipped in a lot 
of ways. They have brought hundreds of actions against a 
variety of companies, including broadband internet service 
providers in the privacy realm and have fined them, et cetera. 
So, from that perspective, yes.
    Again, going back to kind of the premise of my opening 
remarks, though, we do need some harmonization and 
modernization, I think, of standards. They are an agency 
roughly the same size as the Federal Communications Commission 
in terms of budget, in terms of number of attorneys and 
economists and engineers, although fewer engineers there than 
at the FCC. So they might need help in that regard as these 
issues become more thorny and more widespread.
    Mr. Latta. Thank you.
    Let me follow up again, Mr. McDowell. I understand that 
under the current CPNI rules, telecommunication providers file 
annual compliance certifications. I also have a bill that 
strives to reduce the regulatory burdens on small businesses 
out there.
    Do the rural telecom providers in my district have more 
stringent requirements than an edge provider offering similar 
services?
    Mr. McDowell. Yes. So that goes back to that dichotomy, 
that duality between what a telecom carrier has in terms of 
their obligations under section 222 versus an app provider that 
might be providing the same functionality, let's say voice, 
through an app that is not regulated by 222.
    Mr. Latta. OK. Not picking on you. Another question.
    In your testimony, you discussed how you voted to extend 
the CPNI rules in 2007 when you were Commissioner to cover a 
practice where data brokers, otherwise known as pre-texters, 
were obtaining unauthorized access to CPNI and then turning 
around and selling personal telephone records.
    In 2013, the FCC also found that the CPNI rules applied to 
data collected on a mobile device if directed by the carrier. 
Under the section 222 authority given to the FCC, how far can 
the FCC extend the CPNI rules to cover current and future 
practices and services impacting telecommunication services?
    Mr. McDowell. Excellent question.
    So the Federal Communications Commission--it gets to be 
alphabet soup pretty quickly--is limited to applying section 
222 to common carriers. If you are not classified as a common 
carrier, 222 can't apply. FCC does not have the authority. Only 
Congress could change that if it wanted it to.
    Mr. Latta. OK.
    And, Madam Chairman, I yield back the balance of my time.
    Mrs. Blackburn. The gentleman yields back.
    Ms. Eshoo, you are recognized.
    Ms. Eshoo. Thank you, Madam Chairwoman.
    And thank you again to the witnesses and to Commissioner 
McDowell. It is really a special pleasure to see you again and 
to have your daughter with us as well.
    I am so frustrated listening. I have learned. But the whole 
case of privacy and what the Congress has done, I really think, 
needs to be restated. Congress is responsible for having wiped 
out privacy protections for the American people, period. That 
is why we are where we are. The CRA wiped it out. Whatever was 
left or whatever net neutrality contained in it relative to any 
protections, scorched earth, gone.
    Now we have the BROWSER Act. It does nothing meaningful for 
real privacy. There is no rulemaking authority. There is no 
civil penalty for enforcement. There is no data security. It 
preempts any kind of state laws. California just passed 
something which is very strong. And, actually, when the strong 
bill came out, the interests went to work to water it down to a 
few drips of water, and Californians were outraged. And there 
was such pressure on the state legislature based on what 
Californians said that it came out strong. But the BROWSER Act 
preempts that. It also preempts the FCC, the expert telecom 
agency.
    So where are we? Seventeen months and counting, blah, blah, 
blah, blah. Anyone that has voted, in my view, for these things 
has to answer to their constituents when they complain to us, 
Independents, Republicans, conservative, right wing, left wing, 
Democrats, everyone, when they say: This is what has happened 
to me.
    So, let's be honest about where we are. All right. So 
everything has been wiped out, in my view. There isn't anything 
protecting anyone. Where do we go from here? I don't think 
220(b), whatever it is--that really covers something very 
small. We are talking about a landscape that is very different, 
as you said, Commissioner McDowell, when that was placed on the 
books.
    I don't believe that there is a reason that some people 
want the FTC. The FTC doesn't have what it needs to enforce a 
darn thing, in my view. And I don't know if Congress is going 
to step up and give them all these authorities that the FCC 
had.
    All of a sudden, they love the FTC. FTC can't do a damn 
thing. It doesn't have any teeth to do it. They have asked 
Congress for a false set of teeth, but they haven't been 
purchased yet.
    So, Ms. Moy, where do you go from here? Where would you 
start building something?
    Ms. Moy. Thank you for the question. Thank you very much.
    Ms. Eshoo. Yes. Well, I am so darn frustrated. And it is 
like we are dancing around something that is really lovely, and 
we are just going to plant a few flowers, and then everything's 
going to bloom. Everything's been wiped out. That is why we are 
in the place that we are.
    Ms. Moy. I think you are right. So the internet does raise 
a bunch of important questions about privacy. But just because 
we now have apps that collect health-related information and 
wearable health devices, we don't have doctors in here 
complaining that they should not be subject to HIPAA. And we do 
not have schools in here asking that they not be subject to not 
be FERPA, the Federal privacy law, just because there are now 
educational apps and educational data is being collected over 
the internet.
    We shouldn't do away with the existing privacy regulations 
that we have just because we are lacking privacy across the 
board. We need to keep and build on the privacy protections 
that we do have. And that is where I would say that whatever we 
are going to have moving forward, it has to have rulemaking 
authority, strong enforcement authority, as you say, including 
civil penalties. And it ought to have a role for the state 
attorneys general who have much greater resources across the 50 
states and territories than one Federal agency can have alone.
    Ms. Eshoo. Let me just give Commissioner McDowell a few 
seconds. I know that we may not agree on some of this, but I 
want to hear what you have to say very quickly.
    Mr. McDowell. So the CRA overturned the requirements on 
carriers only. This wasn't the entire internet ecosphere. So 
that goes back to the FTC.
    Ms. Eshoo. So what is left? What is left? Who is protected 
and how?
    Mr. McDowell. So through the Federal Trade Commission. So 
that is broadband and all the rest. So that is through the 
Federal--if you think the FTC needs more resources or a 
different statutory standard, then that is certainly Congress' 
prerogative.
    Ms. Eshoo. OK.
    Thank you very much.
    Mrs. Blackburn. The gentlelady yields back.
    Mr. Guthrie, you are recognized.
    Mr. Guthrie. Thank you, Madam Chairwoman. I appreciate 
that.
    And, Commissioner McDowell, in your testimony, you 
mentioned Marty Cooper and the first cell phone. You also 
discussed how competition is an important part of how CPNI 
rules came into existence. In addition to protecting consumers' 
privacy, the rules were originally intended to promote 
competition in the emerging enhanced services market by 
preventing the regulated side of AT&T from sharing information 
with its nonregulated information services side.
    And we have come a long way since the device Mr. Cooper 
had. But a legal landscape that reflects this evolution is not 
necessarily followed. It appears edge providers are freer to 
innovate as information is shared across all sorts of 
affiliated entities.
    What effect does the current regulatory structure have on 
thwarting new entrants?
    Mr. McDowell. So if the new entrant is not a common 
carrier, section 222 does not apply. So we have lower 
regulatory barriers. You are probably going to see more 
innovation and investment. That has sort of been the story of 
the internet ecosphere, or other markets as well. You could 
make a lot of case studies there.
    So, if there is a new entrant in the telecom market, they 
would have to live under section 222.
    Mr. Guthrie. So it is a disadvantage versus the edge 
providers for----
    Mr. McDowell. It is a different--yes. It is a slight----
    Mr. Guthrie. The more restrictive----
    Mr. McDowell. Yes. It is trickier.
    Mr. Guthrie. More restrictive regulated.
    If you argue unregulated allows you to--or lower regulation 
allows more entrants, then they are more regulated.
    Mr. McDowell. Correct.
    Mr. Guthrie. OK. So, Mr. Haney, what is the functional 
difference between placing a call from a smartphone using my 
wireless carrier's network and using a third-party app?
    Mr. Haney. The only difference is legal. And using the 
carrier is subject to the full panoply of FCC privacy 
regulation; using an app that is not interconnected to the 
public switch telephone network is subject to the FTC the same 
as the rest of the internet ecosystem.
    Mr. Guthrie. So completely similar products are completed--
--
    Mr. Haney. Completely different treatment.
    Mr. Guthrie. Different treatment.
    Should my information be subject to different privacy 
protections depending on the network that I use?
    Mr. Haney. No, sir, I don't believe so.
    Mr. McDowell. If I could put a finer point on it, though. 
If it is unlicensed--so you can have that transmission, as I 
tried to point out earlier through unlicensed. You are not a 
subscriber. That is not common carriage. It is not regulated. 
But the same functionality to the consumer, that would be 
unregulated.
    But if it is through a carrier, it doesn't matter how that 
carrier is supplying it or providing a service, then then 
section 222 would apply.
    Mr. Guthrie. It is treated differently.
    I guess my point I am trying to get at is the same product 
is treated differently based on----
    Mr. McDowell. How it is done.
    Mr. Guthrie. So, also, Mr. Haney, you stated the goal 
should be to prevent regulations from hamstringing some market 
participants but not others. And the logical way to do that is 
by ensuring that all participants in the internet ecosystem are 
treated the same.
    Is there a role for Congress to achieve that goal through 
legislation, or is that preferable to rely on the Commission?
    Mr. Haney. Sir, the FCC cannot do it. The FCC does not have 
legal authority to enhance privacy more broadly speaking than 
just telecommunications common carriers. So, if the goal is to 
provide the FTC with rulemaking authority, civil penalties, 
what have you, then that would require an act of Congress.
    Mr. Guthrie. OK. Thank you.
    Well, I appreciate your answers to my questions.
    And I concluded my questions, and I yield back.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Butterfield, you are recognized.
    Mr. Butterfield. Thank you very much, Madam Chairman.
    And thank you to the witnesses for your testimony today.
    As consumers, we are inundated with privacy policies from 
the companies with which we do business, whether it is 
financial institutions or doctors or hospitals or even ISPs and 
edge providers. We are forced to read these long legal 
documents on small mobile device screens. And the older you 
are, the worse it is. Trust me, I know.
    Sometimes we are even told that we cannot access a certain 
essential application for work or otherwise without quickly 
agreeing to the question. So I don't have it directed to either 
of you. If anyone wants to respond, you certainly can. Do you 
think consumer privacy disclosures are effective in letting 
consumers know the kinds of information about them that is 
collected, how it is used, and whether and with whom it is 
shared?
    Ms. Moy. I think you are raising a really good point about 
the deception standard, right, which is the FTC, the Federal 
Trade Commission, just has this authority to prohibit unfair 
and deceptive trade practices. So, when it comes to privacy, 
most of the time for consumers what that means is that our 
privacy is only protected insofar as we are reading privacy 
policies, agree with what is in them, actually have a choice 
about whether or not to agree to that--in theory, we have a 
choice--and then that the company doesn't do something with our 
information other than what they claim.
    And so this is why it is so important. We all know that 
there are so many instances in which we share our information, 
but we really don't have a choice. We don't have the time to 
read those privacy policies. Maybe we can't read them. They are 
very difficult to read. Maybe we are required, as you say, to 
have access to a service for work. And when we really do have 
no choice but to share information with a business that is 
going to use it for some other purpose, then it is so important 
to have standards in place that prevent that information from 
being used in other ways without our permission.
    Mr. Butterfield. What say the Hudson Institute? Do you have 
some thoughts?
    Mr. McDowell. So one aspect of all this debate, by the way, 
too, is the aspect of contract law and tort law. So every day 
there are class action lawsuits filed against a variety of 
market players in this space or other spaces too.
    So the idea of foreign contracts in any industry, whether 
it is the internet or something else, anything, that is as old 
as America, if not older.
    But, also, the idea of class actions as well as being a 
deterrent against these wholesale violations of contract or of 
common law that a contract might fly in the face of common law. 
So this is a whole other aspect of this whole debate which is 
important to know.
    Mr. Butterfield. OK.
    Mr. Haney. May I just add that there may very well be a 
need to create more baseline regulation to satisfy what we can 
all agree consumers expect to remain private. But there is no 
way the prospective regulation can anticipate everything that 
is going to happen in the marketplace. So there is, I think, an 
important role for user agreements.
    And, also, in addition to class action lawsuits, press 
reaction, consumer outrage, the kind of response we have seen 
to secure it, all of those things I think play a role in terms 
of protecting privacy.
    But I agree with you. I don't read the user agreements. 
They are incomprehensible most of the time.
    Mr. Butterfield. That kind of leads me into my second and 
last question, and that is, are you aware of any, I am going to 
say serious research, or do you have any ideas of how to make 
privacy policies more consumer friendly?
    I know there is a lot of chatter about it, a lot of 
conversation. But is there any serious research going on about 
how we can go to the next level?
    Yes.
    Ms. Moy. I know that there has been some good research 
here, including by a team of computer scientists led by Lorrie 
Faith Cranor at Carnegie Mellon on privacy policies. But I am 
not sure that there are any great solutions right now. 
Unfortunately, the legal complexities associated with these 
disclosures are extremely difficult to translate into a user-
friendly----
    Mr. Butterfield. That is what I needed to hear.
    Any agreement with what she just said?
    Mr. McDowell. It is complicated, to paraphrase Avril 
Lavigne.
    Mr. Butterfield. It is complicated. OK.
    Do you associate yourself with Mr. McDowell?
    Mr. Haney. Yes, sir.
    Mr. Butterfield. Thank you.
    I yield back, Madam Chair.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Johnson, you are recognized.
    Mr. Johnson. Thank you, Madam Chair.
    Hopefully, I can see around to see all of you, but thanks 
for being here with us today. Important topic that we are 
talking about.
    Section 222 defines CPNI in part as ``information that 
relates to the quantity, technical configuration, type, 
destination, location, and amount of use of a telecommunication 
service subscribed to by any customer of a telecommunication's 
carrier and that is made available to the carrier by the 
customer solely by virtue of the carrier-customer 
relationship.''
    Mr. McDowell, is this information similar to the 
information obtained by app developers and other edge providers 
who know, by nature of their relationship with the users of 
their platform, just how much consumers are using the app, when 
they are using it, where they are using it, and what they might 
even be searching for on that platform?
    Mr. McDowell. It can be similar. And app providers and 
websites can actually gather even more data. And the reason 
being, it is increasingly true because more and more Web 
traffic is becoming secured, in other words, to where an ISP 
can't see what is transversing across its networks.
    So what app developers can gather is a larger umbrella than 
what is covered by CPNI, which is viewed as a smaller subset of 
data, but very important data.
    Mr. Johnson. So should we have similar rules to protect 
that kind of data? They seem awfully similar.
    Mr. McDowell. So you are asking if we need CPNI rules to 
apply broadly to everybody. Is that what you are asking or the 
other way around?
    Mr. Johnson. Well, should it apply to this kind of data 
that I just described to you----
    Mr. McDowell. Yes.
    Mr. Johnson [continuing]. Third-party edge provides are 
collecting?
    Mr. McDowell. Yes. I think you need clarity here so that 
everyone knows what the rules of the road are.
    Mr. Johnson. OK. All right.
    And again to you, Mr. McDowell. Do consumers differentiate 
between the various voice and texting services available on 
their phones, or do they view, for instance, Verizon mobile 
service and Google Voice as essentially the same service?
    Mr. McDowell. The same functionality from the consumer's 
perspective.
    Mr. Johnson. OK. Section 222 protects the private 
information contained in traditional subscriber line bills. It 
also protects the location information of customers. Today's 
smartphones provide a host precise geolocation information on 
each device. This precise geolocation can locate a person 
within feet of their actual location. The network providers 
cannot access this information, yet we know the Android 
operating system does in order to serve ads to the device.
    Is there a reason why the operating system should have this 
sort of precise information but not the carrier?
    Mr. McDowell. So it is an excellent question. Your device 
can triangulate off of WiFi signals, cell towers, Bluetooth, 
any sort of radio frequency energy that is emanating if it 
knows where that is coming from. Then it can triangulate and 
tell you where this device is right now.
    So carriers can tell where you are vis-a-vis a cell tower 
but not necessarily specifically where you are. This has a lot 
of implications with 9-1-1 location accuracy and things like 
that. So there are times when you want everyone to where you 
are, and there are times where you don't want anyone to know 
where you are. And it shouldn't matter if it is telecom carrier 
or an app provider.
    Mr. Johnson. Today, I don't know that consumers know who 
knows where they are. I am not sure they know where they are in 
this kind of interconnected environment.
    Final question: What do you think of the consumer being 
given opt-in rights for this data in order to choose for 
themselves who they share it with?
    Mr. McDowell. And we talked about this earlier, and the 
finer point on the discussion from earlier, which is opt-in 
gives consumers a lot of power for each time this issue comes 
up, right? So that is a good thing.
    The downside to it--and this is where we as policymakers, 
folks have to wrestle with it--is the idea of opt-in fatigue. 
If you think of how many usernames and passwords you have for 
various websites and apps and everything else, and they change 
a lot--you should be changing them a lot if you are not--that 
is exhausting.
    So opt-in can become exhausting. Can there be a mix, maybe 
a blend of opt-in or safe harbor, for instance, as well, that 
you know you are going to get a certain standard of protection 
in a safe harbor that does not require an opt-in? That is one 
idea which I think deserves some discussion.
    Mr. Johnson. OK. All right.
    Madam Chair, I yield back a whole 10 seconds.
    Mrs. Blackburn. The gentleman yields back.
    And, Mr. McNerney, you are recognized.
    Mr. McNerney. I thank the chair.
    Ms. Moy, every day consumers are faced with another data 
breach undermining the choices they have about their privacy. 
But despite this troubling trend, last year, the Republicans in 
Congress voted to do away with reasonable data security 
requirements for internet service providers.
    So how did the data security rules protect consumers before 
they were overturned?
    Ms. Moy. Thank you.
    Yes. So the broadband privacy rules would have required 
broadband providers and phone providers to take reasonable 
measures to protect their customers' information from 
unauthorized use, disclosure, or access. And they also would 
have required providers suffering a breach to notify affected 
consumers within 30 days. There were a bunch of factors to 
determine what reasonable security measures might look like in 
the rules, but, unfortunately, as you said, those rules have 
been eliminated.
    Mr. McNerney. Are the ISPs subject to any data security 
rules today?
    Ms. Moy. No. There are no concrete rules right now that 
apply to broadband providers.
    Mr. McNerney. So it is the Wild West then, isn't it?
    Ms. Moy. It is, in fact, the Wild West when it comes to 
data security.
    Mr. McNerney. OK. Can you explain why it is wrongheaded for 
Congress to repeal privacy rules in the name of protecting 
consumers?
    Ms. Moy. So, a colleague of mine had a great analogy here, 
which is, if you have a house with a broken roof, you don't 
raze the house to the ground; you fix the roof. And I think 
that we are looking at something similar when it comes to 
privacy. Consumers are concerned about loss of control over 
their private information across the board. That suggests a 
need for greater and stronger privacy protections everywhere.
    And as I said, I do think that it is important to modernize 
the Federal Trade Commission by giving it important tools, like 
rulemaking authority and strong enforcement, civil penalty 
authority. But we should not be doing away with existing 
privacy laws we have, like broadband privacy, but also health 
privacy, education privacy, and so on.
    Mr. McNerney. Well, there are some privacy proposals, such 
as the BROWSER Act, that don't include specific protections for 
data security.
    Do you think consumers have meaningful privacy protections 
without data security protections?
    Ms. Moy. No. You know, I think privacy and data security go 
hand in hand. What consumers are complaining about is a loss of 
control over their information. And that loss of control can 
come in the form of a business failing to get a customer's 
consent to use their information in a way that the customer 
didn't anticipate. But it can also come in the form of a 
business failing to safeguard the information from unauthorized 
access by malicious attackers or even by employees within the 
company as was the case with AT&T a few years ago in a case 
that ended up resulting in an FCC enforcement action.
    Mr. McNerney. What are some of the guiding principles that 
we should be considering whenever thinking about data security 
legislation? You have already given those, but----
    Ms. Moy. I have. But one that we haven't talked a whole lot 
about, I think, is really preemption. Although this is not the 
topic of this hearing today, this subcommittee has considered a 
number of pieces of legislation to standardize data security 
and breach notification requirements that apply to companies.
    But, unfortunately, many of those proposals would eliminate 
state law on data security and breach notification. And there 
are so many great and wonderful strong, innovative laws that 
are taking place at the state level that preempting all of 
those laws would be a net loss for consumers.
    Mr. McNerney. Well, you have a way of answering the 
question right before I ask.
    You testified that the State AGs should have enforcement 
authority. Does the BROWSER Act do this?
    Ms. Moy. No, unfortunately not.
    Mr. McNerney. Thank you.
    Mr. McDowell, in addition to section 222 of the 
Communications Act, there are also important data security 
protections under sections 631 and 338. How important are these 
protections for consumers? And what can the FCC do to ensure 
that they are being followed?
    Mr. McDowell. They are similar in spirit. So 631, for 
instance, is regarding your video viewing habits, what you 
view. So it is about protecting consumer information. The FCC 
has enforcement authority, fining authority, et cetera, over 
those sections.
    Mr. McNerney. OK. Good. You think those are good and should 
continue to be enforced. But the FTC doesn't have the resources 
to enforce.
    Mr. McDowell. Well, look. The FCC and FTC are similarly 
sized and almost identically sized agencies. So, again, and 
also back to the state preemption issue. It is a matter of how 
many agencies you are going to have with different standards 
for different piece parts of a converging internet ecosphere, 
and that is what becomes confusing.
    Mr. McNerney. All right. I will yield back.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Long, you are recognized.
    Mr. Long. Thank you, Madam Chairman.
    Mr. Haney, it is my understanding that the location 
information considered CPNI, if it is associated with a call 
over the telephone network. But it seems like tech companies 
have the ability to track location information not just 
associated with their app but with a variety of apps or an 
entire mobile device in some instances.
    Who has better insight into location information, 
telecommunications providers or tech companies?
    Mr. Haney. Sir, I believe it is tech companies.
    Mr. Long. Under current law, what authority governs the 
collection of location information by smartphone manufacturers, 
operating systems, or apps?
    Mr. Haney. That was the Federal Trade Commission.
    Mr. Long. How does the authority differ from FCC's CPNI 
requirements?
    Mr. Haney. The FCC's CPNI requirements are prospective 
regulation. It is very clear. The FTC recognizes that this is a 
dynamic marketplace--the technology is always evolving--and 
that it is impossible to anticipate everything and draft a 
regulation to address it. And so the FTC tries to be more 
flexible and to respond after there is a problem instead of 
trying to anticipate every problem.
    Mr. Long. OK. Thank you.
    Madam Chairwoman, I yield back.
    Mrs. Blackburn. The gentleman yields back.
    Ms. Clarke, you are recognized.
    Ms. Clarke. I thank you, Madam Chairwoman. And I thank our 
distinguished panelists for their testimony here today. Let me 
also thank our ranking member for convening this important 
hearing regarding privacy, an important topic for all 
Americans.
    Under the FCC's broadband privacy protections, broadband 
providers had to get opt-in consent sharing most types of 
consumer's data. Unfortunately, our Republican colleagues in 
Congress wiped those privacy protections off the books.
    Ms. Moy, when I am using my internet connection at home 
today, are there any clear opt-in or even opt-out requirements 
that apply to how my ISP collects and uses my data?
    Ms. Moy. No. There are not.
    Ms. Clarke. OK. And what are the rules that apply to my 
broadband provider when it collects or uses my data? 
Specifically, what can the FTC require under section 5 of the 
FTC Act?
    Ms. Moy. At this point in time, there are no rules. The FTC 
can prohibit unfair and deceptive trade practices. But it has 
very little power to do anything where there are privacy 
violations unless a business has actually exceeded what it told 
consumers in its privacy policy, which, as we know, most people 
don't read.
    Ms. Clarke. Oh, boy.
    Over the past several years, the extent to which corporate 
conglomerates will discriminate to improve their bottom line 
has come into focus. Whether it is broadband providers, 
redlining low-income communities, or Facebook discriminating 
against certain groups when it comes to housing advertisements, 
the result is marginalizing families in their communities.
    I am concerned that the lack of meaningful privacy 
protections is only going to make these problems more 
pervasive. For that reason, I think Americans are in desperate 
need of strong privacy protections wherever they go online.
    Ms. Moy, can you tell me how sacrificing privacy 
protections, like our Republican colleagues did with their 
privacy CRA, can have a desperate impact on some consumers, 
particularly those in communities of color?
    Ms. Moy. Thank you, Representative. That is a really 
important question. And I think that it really helps us put a 
finer point on what we are really concerned about when we are 
thinking about harms associated with privacy violations.
    When a business, whether it is a broadband provider or 
another type of company, has information about our private 
lives and they use that information to target content and 
advertisements to us, the targeting may result in reinforcing 
existing social disparities, right? Keeping us in our boxes. 
Limiting the educational opportunities that are available to 
us, the job training opportunities and, indeed, the job 
opportunities themselves, financial opportunities. And these 
are some of the results that may come from collecting 
information from consumers.
    I think that that is why it is so important to have strong 
privacy rules where, as with some entities in the ecosystem, 
consumers really have no choice but to share information about 
their private lives that could reveal things like sensitive 
demographic information or financial status.
    Ms. Clarke. Thank you.
    As we consider legislative solutions to protect privacy, I 
am guided by the belief that any successful solution must not 
require our constituents to become lawyers or engineers in 
order to understand their rights and to protect themselves and 
their personal information. The privacy rules of the road can 
change dramatically depending upon where someone goes on the 
internet. Rather, consistency, uniformity, and technological 
neutrality are keys to any privacy solution. Do you all agree 
on the panel?
    Mr. Haney. Yes.
    Mr. McDowell. Yes.
    Ms. Moy. Yes.
    Ms. Clarke. Very well.
    Madam Chair, with that, I yield back.
    Mrs. Blackburn. The gentlelady yields back.
    Mr. Costello, you are recognized.
    Mr. Costello. Thank you, Madam Chair.
    Mr. McDowell, as Mr. Doyle referenced earlier, and, to me, 
what was just discussed about selling location data to third 
parties sounds more like an issue of consent and how we can 
make sure consumers truly understand what they are consenting 
to before they use a service. I think Ms. Moy alluded to that 
in terms of third-party consents. Oftentimes you don't even 
know what you are consenting to.
    But I also understand that the FCC, and possibly even the 
FTC, are looking into what exactly occurred here. And will we 
have them both in front of the committee soon so we can ask 
additional questions of the investigation at the time? This is 
my question. I think this highlights the asymmetry in the 
current rules. If this was an edge provider who had shared 
location data, would it be subject to the same regulations?
    Mr. McDowell. Not section 222, no.
    Mr. Costello. Could you point to any regulation that it 
would?
    Mr. McDowell. Not unless it has some affiliation with a 
carrier, so no.
    Mr. Costello. OK. Related also to section 222. CPNI, VoIP, 
et cetera, when you break it down--my smartphone here. If I tap 
the phone app icon to make a call, there is one set of rules. 
But if I tap the Google Voice app icon to make the call, which 
I don't do, there is another set of rules.
    Can you talk about the practicality of having separate 
regulatory regimes in that sense? And should consumers expect 
their data to be treated the same regardless of what technology 
they use, to use the term ``technology neutral''?
    Mr. McDowell. Absolutely. Again, to your point, to the 
consumer, there is no difference. It is the same functionality. 
You want to convey a voice message in real time, have a 
conversation with somebody in real time. So it doesn't matter 
whose app or whose network or if it is licensed or unlicensed 
or it is through a carrier or through an edge provider--by the 
way, I think they are all tech companies. I know we try to draw 
distinctions between ISPs and the tech community. I think they 
are all technology companies. And they are all great American 
success stories. But nonetheless, from the consumer's 
perspective, there shouldn't be any difference regarding what 
information----
    Mr. Costello. And so the regulatory framework should be 
uniform.
    Mr. McDowell. I agree, yes.
    Mr. Costello. Up and down.
    Mr. McDowell. Yes.
    Mr. Costello. Ms. Moy alluded to, in her statement, the 
issue--and we have read it elsewhere--with states attorneys 
general. And, Ms. Moy, I will give you the opportunity to 
address this as well.
    I understand that taking FTC regulations and having someone 
else enforce it at the FTC, the argument goes, isn't being 
aggressive enough? But do you have concerns with that? And 
then, after you answer that, Ms. Moy, aren't there some 
differences, though, with the statute that you are referencing 
just in terms of the technical expertise required to interpret 
vis-a-vis the statute that you were pointing to.
    So Mr. McDowell and then Ms. Moy.
    Mr. McDowell. Sure. And state attorneys general can do a 
terrific job protecting consumers on a number of fronts. My 
concern, though, is having 50 different standards or----
    Mr. Costello. Totally.
    Mr. McDowell [continuing]. More with all the territories. 
And that is going to really harm American global 
competitiveness in this space. So, again, back to uniform 
standards, not 50-plus standards state by state in the 
internet, which is borderless, right? It is an interconnected 
network of networks. The packets fly all across----
    Mr. Costello. Isn't there also a fair amount of 
interpretational flexibility with those 50 attorney generals? 
The statute that Ms. Moy is referencing is pretty 
straightforward, as I understand it.
    Mr. McDowell. I think to your point, if you are saying if 
there is going to be one standard, a national standard, but 
state attorneys general could enforce it, that is another 
conversation altogether.
    Mr. Costello. Ms. Moy, your comments.
    Ms. Moy. Thank you.
    So, I think that part of the issue here is that the FTC, 
while it does a lot of great work on privacy, it has a staff of 
just over 1,000, if I recall correctly. It doesn't have an 
office of engineering and technology. It doesn't have an 
engineering department at all. And its jurisdiction ranges as 
broadly--although it does a lot of internet privacy work, it 
also polices, for example, the consumer-facing statements made 
about pomegranate juice, right? It has an incredibly broad 
jurisdiction with very limited tools to enforce.
    So it is really important to have additional enforcement 
actors, additional cops on the beat, as it were, to ensure that 
businesses subject to the regulations passed by the commission 
are, in fact, being followed.
    Mr. Costello. But wouldn't you think if the FTC needed 
those additional policemen, as you used the term, they would 
request them, or they would find a way in their budget to have 
them?
    Ms. Moy. So, yes, perhaps.
    Mr. Costello. Might that be called something different 
than--you referenced the FCC division there. Might they be 
operating in a different division with the same type or better 
expertise on enforcement?
    Ms. Moy. Perhaps. But another thing that state attorneys 
general do is they talk to businesses that are based in their 
state. They do a lot of guidance in addition to enforcement.
    Mr. Costello. Thank you. I yield back.
    Mrs. Blackburn. The gentleman yields back.
    Ms. Matsui.
    Ms. Matsui. Thank you, Madam Chair. And thank you to the 
panel for being here today.
    We have talked about many things, and maybe I might be 
repeating myself. But I think we should listen and try to 
figure out from you all where we might be going forward because 
when you look at it, this concept of protecting proprietary 
consumer information began with the monolithic telephone era, 
which was pretty far back. And with the 1996 Telecom Act came a 
more precise focus on CPNI protections against unauthorized 
use, access, and disclosure. And it includes, among other 
types, phone numbers, dial and duration of calls placed to 
these numbers.
    But we all know that most consumers don't make any 
distinction at all between where these phone calls are 
delivered in packets, over the internet, or through switch 
access lines.
    But we all understand the need for context-specific privacy 
regulations that are responsive to the types of consumer 
relationship and sensitivity of information collected and 
shared to actually afford consumers the privacy protections 
they expect and they figure they are getting, for some reason.
    Ms. Moy, as different technologies provide similar 
services, what distinctions remain necessary or become 
unnecessary to protect sensitive consumer information?
    Ms. Moy. That is a very good question. And it is a really 
hard one that we are all grappling with right now.
    But, nevertheless, I do think that consumers have different 
relationships between the carriers that they contract with, 
that they pay a monthly subscriber fee to, that they expect 
they are paying for service as they do with the entities that 
are doing business over the internet. Just as when you send a 
letter in the mail to a friend, you have different expectations 
about what the mail carrier will do with the address 
information and the date on the outside of the envelop. So does 
the consumer have different expectations about what, again, the 
entity that they are just paying to transfer the data on their 
behalf will do with their private information as opposed to the 
companies with which they do business.
    That said, I do agree that there are certain services that 
consumers use now that have become so pervasive, so dominant 
that they are essentially unavoidable. And I look at 
unavoidability as, really, one of the key factors when it comes 
to considering what level of privacy protections should apply. 
When services truly are unavoidable for consumers and they have 
to share sensitive information, then I think that heightened 
privacy is appropriate, just as with healthcare, education, and 
finance.
    Ms. Matsui. OK. Could you get into more detail there? What 
do you think is unavoidable here that we are talking about?
    Ms. Moy. So, without talking about specific entities, I do 
think that there are certainly certain advertising platforms 
that are so pervasive as to be essentially unavoidable for 
consumers to share information with. It was Congressman 
Butterfield referenced certain services that consumers feel 
they must take part in because an employer requires it, for 
example. That may rise to a level of unavoidability for a 
consumer. And I think that, when we start seeing services rise 
to the level of being essential or unavoidable, then we require 
heightened privacy.
    Ms. Matsui. OK. Mr. McDowell, Mr. Haney, any comments on 
this?
    Mr. McDowell. So I am not sure if this is what was said, 
but I want to make sure we understand that there doesn't have 
to be a difference between who you pay money to for a service 
versus you are giving your personal data for a free service. 
You are actually surrendering something for free services as 
well. So they are not entirely free.
    But, again, back to one uniform consistent tech-neutral 
standard, I think that is the way to go.
    Mr. Haney. I agree.
    Ms. Matsui. OK. CPNI rules enacted require opt-in consent 
from consumers before a carrier can share information. But we 
know that it is often the case the third party to an online 
platform can and does receive data and information on the 
consumer. And the website may be used as an analytic tool from 
a third party; the website servers could send information on 
the user's visit back to the third party and allows that third 
party to access data similar to that gathered by the website.
    While this may be commonplace, it means that each user may 
have information aggregated by a party with whom they have no 
direct relationship or knowledge. There are a lot of parties 
here. So the third party accesses consumer data with whom the 
consumer does not have a direct relationship. How do consumers 
have a meaningful choice in how that data is used?
    Ms. Moy. That is a great question. That really gets to the 
heart of what the problem is with falling back on a general 
deception standard without rulemaking authority or anything 
else for the FTC to clarify--clarification, perhaps of its 
unfairness authority, rulemaking authority for it to create 
rules around things like data brokers and data security as well 
would be necessary.
    Ms. Matsui. OK. Thank you.
    It looks like I have run out of time. Thank you very much.
    I yield back.
    Mrs. Blackburn. Mr. Flores, you are recognized, 5 minutes.
    Mr. Flores. Thank you, Madam Chairman. I want to thank the 
panel for joining us today.
    When I do something with this phone, there is--I see four 
groups of people that is harvesting data from it. So not only 
is the cellular carrier getting information, but your app 
provider is getting information. The iOS folks, the operating 
system folks, are getting information, and theoretically, the 
ISP is as well if it is connected to Wi-Fi.
    So you have all talked about the need for a technology-
neutral solution to address privacy. So I would like to get 
into the weeds a little bit today.
    As a policymaker, what are the three or four most important 
things that that policy should have to protect the privacy of 
the American consumer?
    So we will start with you, Ms. Moy. And let's go quickly, 
because I have some----
    Ms. Moy. At the risk of sounding like a broken record, I 
think it is crucially important to, first of all, I do think 
that sectoral laws have a place and are really important to 
protect consumers in instances like health, education, finance, 
and telecommunications where there are heightened privacy 
obligations and requirements.
    But in addition, I think that whatever baseline we are 
going to have, if it is to be administered by an expert agency 
such as the Federal Trade Commission must include rulemaking 
authority to provide flexibility, regulatory agility, as we 
think of it, as well as robust enforcement tools, including 
civils penalties.
    Mr. Flores. OK. Mr. McDowell.
    Mr. McDowell. Sure. Transparency, uniformity. But also, 
most importantly, probably consumer choice. I would support 
rulemaking authority for the Federal Trade Commission but in a 
very limited way.
    Mr. Flores. OK. All right.
    Mr. Haney.
    Mr. Haney. Yes, sir. I think that enforcers should consider 
burdens on industry as they affect consumers, as they may 
affect innovation. I think that the FTC has got it right in 
looking at the sensitivity of the information at issue, so I 
think that is very important.
    Secondly, I think it is very important that the rules apply 
equally to every participant in the market so that everybody 
has the same opportunities to innovate and to earn a fair 
return on investment.
    Mr. Flores. OK. Great.
    Mr. McDowell, we had a question a few minutes ago about 50 
states attorneys general being used to pursue policy relief for 
consumers. California has passed a law 2 weeks ago.
    Would you agree that that is the wrong approach as well, to 
have 50 different state standards?
    Mr. McDowell. Yes, I disagree with that approach.
    Mr. Flores. OK. You were going down a direction a few 
minutes ago talking about blockchain, and you got cut off, 
unfortunately. And it seems to me like blockchain may be one of 
the technology solutions that addresses a lot of these policy 
issues.
    Can you expand on that? You didn't get a chance to before.
    Mr. McDowell. Sure. Real quick.
    So, first of all, it is already part of our lives. And as 
we start to roll out the Internet of Things, you are going to 
see more and more blockchain applications. And there is a 
tremendous amount of entrepreneurism and investment in this 
space, a lot of experimentation. And it is actually very pro-
consumer, empowers consumers tremendously. And it is different 
from encryption. Technically, they are two different things. So 
I think it will solve a lot of issues.
    And the quick backdrop on that is I think the first time I 
testified before this committee was 1998, so 20 years ago this 
summer. I am just recalling, in front of Chairman Dingell. And 
it was on slamming, which was the unauthorized switching of 
your long-distance carriers. That is not as much of an issue 
any more, right? So long distance isn't even a thing anymore. 
So markets change. Technology changes. So I think blockchain is 
going to be tremendously helpful as it develops.
    Mr. Flores. OK. Is there any change in your answer 
regarding what we should have in a 21st century privacy policy 
solution in light of the fact that blockchain is on the 
horizon?
    Mr. McDowell. Well, flexibility and light touch. And I 
tried to put that in my pre-filed remarks, that light touch, we 
have to make sure we are not cutting off innovation and 
experimentation and investment.
    Mr. Flores. Exactly.
    Ms. Moy, a question for you. In the context of the FCC's 
broadband privacy proceeding, you argued against pay for 
privacy because of a lack of broadband service options.
    What are your thoughts on a pay-for-privacy solution when 
it comes to Facebook and other similar providers?
    Ms. Moy. Thank you for that question. I think that that is 
a really good one.
    My concerns about pay for privacy--so I do not believe that 
privacy should be a luxury available only to those individuals 
who can afford it. That is the place where I start with when I 
am thinking about pay-for-privacy issues. That is particularly 
the case where, as with broadband, you are looking at an 
essential service. So--and something where consumers really 
can't avoid sharing information about themselves. If consumers 
have no choice but to share information with a broadband 
provider in order to participate in the modern economy, then 
they should not be required to pay a premium that they cannot 
afford in order to protect that information from additional 
uses.
    And so my position on pay for privacy in the broadband 
context was that premiums that may be charged or discounts 
given should not be coercive in nature to consumers nor should 
they make privacy options essentially practically, as a 
practical matter, unavailable to consumers who cannot afford 
them.
    I think that if we are looking at other services, then the 
threshold question is, is this service essential, a service 
that consumers cannot avoid sharing information with? If so, 
then I would have the same feelings about pay for privacy.
    Mr. Flores. Thank you.
    I think with regard to competition in the broadband space, 
as 5G rolls out on the near-term horizon that we are suddenly 
going to see that extra competition that will help the--absent 
a solution on privacy for the ISPs, I think we are going to 
have a market solution that helps us get there.
    That is the last of my questions. I yield back.
    Mrs. Blackburn. The gentleman yields back.
    Mr. Engel.
    Mr. Engel. Thank you, Madam Chair.
    Companies across the globe are changing the way they 
collect and use consumer data, and we are seeing more 
sophisticated practices, which obviously results in more 
challenges to American's privacy.
    Ms. Moy, you testified that agencies tasked with protecting 
consumers' private information should be given rulemaking 
authority. And you referenced remarks from Commissioner Maureen 
Ohlhausen when she asked Congress to give rulemaking authority 
to the FTC.
    So my first question to you is whether you think that 
rulemaking authority should be given to the FTC, the FCC, or 
both.
    Ms. Moy. So I think that each agency needs rulemaking 
authority for the areas in which it has expertise. We have 
separate expert agencies for reasons. The Federal 
Communications Commission has greater network expertise and 
communications expertise. And, again, has this Office of 
Engineering and Technology, a whole staff of network engineers 
that the Federal Trade Commission lacks.
    The Federal Trade Commission, on the other hand, is 
responsible for enforcing this baseline general privacy 
standard across the entire ecosystem, including, as I was 
saying before, the marketing of products like pomegranate 
juice.
    So the Federal Trade Commission needs rulemaking authority 
for general things, like data security obligations that ought 
to apply to all entities. It probably needs a clarification of 
its unfairness authority, particularly in light of recent court 
decisions that call into question how strong its authority is 
under that, under the statute.
    The Federal Communications Commission still requires 
rulemaking authority to implement those sections of the 
Communications Act that it is responsible for implementation 
and enforcing.
    Mr. Engel. Does the FTC have the resources it needs for 
enforcement? For instance, I was told that the tech lab only 
has six people in it.
    Ms. Moy. That is right. That is right.
    I think the Federal Trade Commission is doing the best job 
that it can with a relatively small staff, but, again, a staff 
of 1,100 people for the entire agency can't possibly be enough 
to police all of the unfairness and deceptive potential 
practices of all companies across the entire country, including 
privacy of the entire internet ecosystem.
    Mr. Engel. Ms. Moy, let me continue.
    As you know, one of the proposals that we are considering 
in this committee is the BROWSER Act. And if you can, could you 
discuss the rulemaking authority contained in the BROWSER Act 
and whether it will make for better and clearer privacy 
enforcement?
    Ms. Moy. Right. If I am correct, the BROWSER Act does not 
give rulemaking authority. I think that that is problematic. I 
think that any--as I was saying before, I think that any 
privacy law that we have in this area ought to have rulemaking 
authority and civil penalty authority and strong enforcement 
provisions, ideally an enforcement role for state attorneys 
general as well, or even private citizens.
    Yes, so I think that the BROWSER Act could be strengthened 
for sure.
    Mr. Engel. So you just said private citizens. Should 
Congress consider granting private citizens the right to bring 
civil actions against companies for violating privacy 
regulations?
    Ms. Moy. I do think that if Congress is serious about 
ensuring that businesses actually adhere to the standards set 
forth in the statute, then a private right of action is one of 
the strongest enforcement mechanisms you can have to ensure 
that that takes place.
    Mr. Engel. Now, rulemaking authority may help to protect 
consumer privacy but such protections still need to be enforced 
in order to be effective.
    So let me ask you this: Do you think the FCC has done an 
adequate job of enforcing section 222 which establishes the 
duty of telecommunication carriers to protect the 
confidentiality of proprietary information?
    Ms. Moy. I think that, at times, it has. It has not always 
been consistent, which is one of the reasons that it would be 
great to have additional enforcers, additional cops on the beat 
that can enforce those regulations.
    In recent years, the FCC brought actions against four 
different carriers for CPNI violations, but since the change in 
administration, I don't believe there have been any.
    Mr. Engel. Would more robust enforcement help fend off some 
of the abuses that have come to light recently such as what is 
happening with LocationSmart.
    Ms. Moy. Certainly. I think we still haven't seen anything 
come out of the LocationSmart scandal. It could be one of the 
largest privacy violations that we have had in recent years, 
maybe as big as the the Facebook-Cambridge Analytica scandal, 
but all we have heard is crickets from the FCC.
    Mr. Engel. Thank you. I see my time is up, Madam Chair. 
Thank you very much.
    Mrs. Blackburn. I thank the gentleman.
    Mr. Bilirakis, you are recognized.
    Mr. Bilirakis. Thank you, Madam Chair.
    I appreciate it very much. Mr. Haney as broadband was able 
to spread over the last 20 years, the rise of killer apps 
received a boost from the light-touch policies we put in 
motion. Gmail and Google Voice are two such services.
    Gmail has been in the news recently as reports indicate 
that, even though Google said it would stop scanning the 
traffic, the company still permits software developers outside 
of Google to scan Gmail inboxes.
    Google said that it only gives data to outside developers 
it has vetted. So it only gives data to outside developers it 
has vetted--again--and to whom users have granted permission to 
access email.
    However, that still means software developers are able to 
review who sent an email, who it was sent to, the time sent, 
and the contents of the message itself, which might contain 
health information, financial records, or other sensitive 
personal information.
    Is any of this information protected by the CPNI rules?
    Mr. Haney. No, sir, it is not.
    Mr. Bilirakis. It is not.
    Mr. Haney. It is not. It doesn't relate to telephone calls 
that have actually called. It doesn't relate to duration of the 
telephone calls, the timing, or the phone numbers of the calls 
that were made. So CPNI would not apply to that situation.
    Mr. Bilirakis. Thank you for answering me that.
    Again, Mr. Haney, you mentioned a few times that often 
systems are burdensome and are reserved only for the most 
sensitive personal information.
    Can you expand on the cost of the compliance with, again, 
the CPNI rules?
    Mr. Haney. I listed one example in my testimony. One of the 
telecommunications common carriers attempted to get opt-in 
approval across its subscriber base, and it was successful only 
29 percent of the time or 29 percent of its customers. And the 
cost that incurred was over 20 dollars for every affirmative 
response that it got. And there are other studies that come up 
with, or other examples, other anecdotes that come up with 
simply results. Most of the time, consumers take no action. And 
this is verified because when they're offered the chance to opt 
out, very few choose to opt out.
    And so I think the FTC is really, really on to something 
here by trying to categorize the most sensitive information 
that warrants the top, the highest protection, and, similarly, 
to try to identify more routine information, information that 
is not as sensitive, that doesn't require the most burdensome 
protection.
    Mr. Bilirakis. OK. Very good. I think you answered my third 
question as well. So I appreciate it very much.
    And I yield back, Madam Chair.
    Mrs. Blackburn. The gentleman yields back.
    At this time, I recognize Mr. Collins for 5 minutes.
    Mr. Collins. Thank you, Madam Chair.
    Thank you. When you have multiple hearings going on at 
once, here we go.
    What I want to talk about, really, are the kinds of apps 
that we now know are being offered by various retailers in the 
name of giving you discounts, the frequent buyer program, or 
whatever. But we know that, in some ways, if you loaded that 
app onto your phone, all of a sudden, whether it is a Target or 
a Walmart or whomever, they may be able to track other 
information unknowingly.
    So, Mr. Haney, I want to break this down a little bit. If 
you have such an app on your phone, you are in a retail 
establishment and you are going to use this, perhaps, for 
discounts or other things, can you talk about, a little bit, 
how that might work?
    Mr. Haney. Well, when I go to Home Depot, I believe my Home 
Depot app on my phone, it can tell me what aisle I'm looking 
for. It can tell where I am in the store, what store I'm in. I 
couldn't probably imagine every use that some of these 
brilliant people that are designing these apps, are 
contemplating. But the phones have multiple sensors in them, 
and apps can access some of the same information that other 
apps can access because it is stored in the operating system.
    And as far as whether it is fair to expect consumers to 
anticipate all of the different uses, all of the different ways 
they can be tracked, I don't believe it is fair to expect them 
to anticipate that in every case.
    But I do think that policymakers need to think in terms, 
not what agency has an office of engineering and what doesn't; 
we are talking about some very similar issues here. We are 
talking about irrespective of whether the underlying 
telecommunication services are being used for voice 
communication or an app that never connects with a Public 
Switched Network, we can always agree that what we are talking 
about is a voice communication.
    And I think that, again, striving for uniformity and 
striving, if we are going to increase the baseline through 
regulation, anticipatory regulation, if we are going to 
increase that baseline, let's just really strive to make it the 
least burdensome that we possibly can, to not try to anticipate 
everything that the marketplace may dream up. Let them 
experiment a little bit. But it may be appropriate to increase 
the baseline.
    Mr. Collins. I think that is all of our concerns. Everyone 
wants a discount, and you don't know what you don't know. And 
so, in this case, it could be your Wi-Fi; it could even be your 
microphone, certainly your GPS. And I think my concern would 
be, once you leave the store, is that off? I know, on my phone, 
I have got an app--it asks me, do I want to keep my location 
open all the time, or do I want to have my location only 
working when I have activated it? And most folks don't even 
know how to turn that on or off. So we are all about protecting 
our consumers, but this technology is going way faster----
    Mr. Haney. Yes.
    Mr. Collins [continuing]. Than anything we could imagine on 
the consumer protection front. We don't know what we don't 
know. So, I guess, Mr. McDowell, I guess you would agree most 
consumers don't anticipate or know the extent to which somebody 
could be tracking them.
    Mr. McDowell. First of all, I want to associate my remarks 
with Mr. Haney's just now. They were terrific.
    Absolutely, we don't know what we don't know. We don't know 
what is coming over the horizon. So there is that balance 
between we want to make sure we have this robust experimental 
marketplace that I believe firmly brings us more benefits than 
harms, but it does bring us harms, and so what do we do about 
those as policymakers?
    Mr. Collins. Well, I appreciate that. Sorry I was late, 
Madam Chair.
    But I yield back and thank the witnesses for their 
testimony.
    Mrs. Blackburn. The gentleman yields back.
    And there are no other members at this point wishing to ask 
questions. So we appreciate all of you being here today.
    Before we conclude this hearing, I ask unanimous consent to 
enter into the record the following documents: An article from 
Axios, an article from Fast Company on location tracking, an 
article from Ars Technica on call record scraping.
    Without objection, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mrs. Blackburn. Pursuant to committee rules, I remind 
members that they have 10 business days to submit additional 
questions. And I ask the witnesses to submit their responses 
within 10 business days upon receipt of the questions.
    Seeing no further business to come before the subcommittee 
today, and as you all see, there is agreement that we need to 
address the privacy and data security issues, without 
objection, the subcommittee is adjourned.
    [Whereupon, at 1:25 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                 Prepared statement of Hon. Greg Walden

    Good morning. As questions continue to arise surrounding 
the exchange between consumers and the technology platforms and 
services they use on a daily basis, the Energy and Commerce 
Committee has focused its attention on the protection, 
transparency, and use of consumer data. Earlier this week, 
Chairman Blackburn and I, along with Chairman Latta and 
Chairman Harper, sent letters to Apple and Google to inquire 
about their data collection and sharing practices.
    We continue this important conversation today in the 
context of protecting customer proprietary network information, 
or CPNI. We can all recognize the importance of protecting 
consumers' personal information, no matter what kind of network 
they are using for communication.
    In the decades since Congress enacted the Communications 
Act of 1996, requiring telecommunications carriers to protect 
the confidentiality of CPNI, the Federal Communications 
Commission (FCC) has updated CPNI rules to address evolving 
technology, practices, and consumer expectations.
    For example, in 2007, the FCC extended the CPNI rules to 
cover voice calls made over the IP network that interconnected 
with the traditional telephone network. At that time, the FCC 
also beefed up its authentication provisions under the CPNI 
rules so third parties could not fraudulently obtain access to 
protected consumer data.
    Again, in 2013, consumer expectations and changes in 
technology led the FCC to extend CPNI protections to data 
collected on mobile devices under the direction or control of a 
telecommunications carrier.
    These were important advancements, and reflected the 
seriousness attached to how a customer's sensitive information, 
such as location data, is managed. Location information when 
attached to a call that touches the telephone network is 
considered to be ``call detail information'' and is thus 
protected under the CPNI rules. But, increasingly, other 
entities are utilizing location data to provide services on a 
mobile device that may not cross the public switched telephone 
network.
    New applications that rely on location-based services can 
be useful, efficient, and even potentially life-saving for 
consumers. We're hearing of new innovations in ride-sharing 
where an emergency button within an app will connect you with a 
911 call center. There are new partnerships forming to share 
phone device location data directly to 911 public safety 
answering points, separate from and in addition to carrier 
location information.
    However, consumers deserve to know that an app that 
collects location information from a mobile device might not 
have to abide by the same rules as a telecommunications 
provider, and that their location information might not be as 
secure.
    While these entities are outside of the scope of the 
current CPNI rules, we must consider the entire internet 
ecosystem as we continue to work on comprehensive solutions. We 
have companies now that provide live communication, act as 
content producers and publishers, and aggregate data--all in 
one package--and the old rules just don't fit the today's 
paradigms.
    That is why the FCC's 2016 broadband privacy order was the 
wrong policy; we knew it wouldn't increase protections. That is 
why the 2015 net neutrality order was the wrong policy; we knew 
it wouldn't facilitate an environment to incentivize the next 
generation of services to close the close the broadband divide 
and deliver consumers smart cities, telemedicine, distance 
learning, and more.
    Today, we need to thoughtfully consider how effective the 
old protections under CPNI are in today's information sharing 
world.
    I'd like to thank our witnesses for joining us today. I 
look forward to hearing from you and hearing your insights.
                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



                                 [all]