[House Hearing, 115 Congress] [From the U.S. Government Publishing Office] PROTECTING CUSTOMER NETWORK PROPRIETARY INFORMATION IN THE INTERNET AGE ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON COMMUNICATIONS AND TECHNOLOGY OF THE COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED FIFTEENTH CONGRESS SECOND SESSION __________ JULY 11, 2018 __________ Serial No. 115-148 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT] Printed for the use of the Committee on Energy and Commerce energycommerce.house.gov __________ U.S GOVERNMENT PUBLISHING OFFICE 35-164 WASHINGTON : 2019 COMMITTEE ON ENERGY AND COMMERCE GREG WALDEN, Oregon Chairman JOE BARTON, Texas FRANK PALLONE, Jr., New Jersey Vice Chairman Ranking Member FRED UPTON, Michigan BOBBY L. RUSH, Illinois JOHN SHIMKUS, Illinois ANNA G. ESHOO, California MICHAEL C. BURGESS, Texas ELIOT L. ENGEL, New York MARSHA BLACKBURN, Tennessee GENE GREEN, Texas STEVE SCALISE, Louisiana DIANA DeGETTE, Colorado ROBERT E. LATTA, Ohio MICHAEL F. DOYLE, Pennsylvania CATHY McMORRIS RODGERS, Washington JANICE D. SCHAKOWSKY, Illinois GREGG HARPER, Mississippi G.K. BUTTERFIELD, North Carolina LEONARD LANCE, New Jersey DORIS O. MATSUI, California BRETT GUTHRIE, Kentucky KATHY CASTOR, Florida PETE OLSON, Texas JOHN P. SARBANES, Maryland DAVID B. McKINLEY, West Virginia JERRY McNERNEY, California ADAM KINZINGER, Illinois PETER WELCH, Vermont H. MORGAN GRIFFITH, Virginia BEN RAY LUJAN, New Mexico GUS M. BILIRAKIS, Florida PAUL TONKO, New York BILL JOHNSON, Ohio YVETTE D. CLARKE, New York BILLY LONG, Missouri DAVID LOEBSACK, Iowa LARRY BUCSHON, Indiana KURT SCHRADER, Oregon BILL FLORES, Texas JOSEPH P. KENNEDY, III, SUSAN W. BROOKS, Indiana Massachusetts MARKWAYNE MULLIN, Oklahoma TONY CARDENAS, California RICHARD HUDSON, North Carolina RAUL RUIZ, California CHRIS COLLINS, New York SCOTT H. PETERS, California KEVIN CRAMER, North Dakota DEBBIE DINGELL, Michigan TIM WALBERG, Michigan MIMI WALTERS, California RYAN A. COSTELLO, Pennsylvania EARL L. ``BUDDY'' CARTER, Georgia JEFF DUNCAN, South Carolina Subcommittee on Communications and Technology MARSHA BLACKBURN, Tennessee Chairman LEONARD LANCE, New Jersey MICHAEL F. DOYLE, Pennsylvania Vice Chairman Ranking Member JOHN SHIMKUS, Illinois PETER WELCH, Vermont STEVE SCALISE, Louisiana YVETTE D. CLARKE, New York ROBERT E. LATTA, Ohio DAVID LOEBSACK, Iowa BRETT GUTHRIE, Kentucky RAUL RUIZ, California PETE OLSON, Texas DEBBIE DINGELL, Michigan ADAM KINZINGER, Illinois BOBBY L. RUSH, Illinois GUS M. BILIRAKIS, Florida ANNA G. ESHOO, California BILL JOHNSON, Ohio ELIOT L. ENGEL, New York BILLY LONG, Missouri G.K. BUTTERFIELD, North Carolina BILL FLORES, Texas DORIS O. MATSUI, California SUSAN W. BROOKS, Tennessee JERRY McNERNEY, California CHRIS COLLINS, New York FRANK PALLONE, Jr., New Jersey (ex KEVIN CRAMER, North Dakota officio) MIMI WALTERS, California RYAN A. COSTELLO, Pennsylvania GREG WALDEN, Oregon (ex officio) C O N T E N T S ---------- Page Hon. Marsha Blackburn, a Representative in Congress from the State of Tennessee, opening statement.......................... 1 Prepared statement........................................... 3 Hon. Leonard Lance, a Representative in Congress from the State of New Jersey, prepared statement.............................. 4 Hon. Michael F. Doyle, a Representative in Congress from the Commonwealth of Pennsylvania, opening statement................ 4 Prepared statement........................................... 6 Hon. Anna G. Eshoo, a Representative in Congress from the State of California, opening statement............................... 7 Hon. Frank Pallone, Jr., a Representative in Congress from the State of New Jersey, prepared statement........................ 8 Hon. Greg Walden, a Representative in Congress from the State of Oregon, prepared statement..................................... 79 Witnesses Hance Haney, Director and Senior Fellow, Technology and Democracy Project, Discovery Institute................................... 9 Prepared statement........................................... 12 Robert McDowell, Senior Fellow, Hudson Institute, Former Commissioner, Federal Communications Commission................ 23 Prepared statement........................................... 25 Laura Moy, Deputy Director, Georgetown Law Center on Privacy and Technology..................................................... 33 Prepared statement........................................... 35 Submitted Material Article entitled, ``Smart TVs are watching us now,'' Axios, July 5, 2018........................................................ 81 Article entitled, ``How--and why--Apple, Google, and Facebook Follow you Around in Real Life,'' Fast Company, December 22, 2017........................................................... 83 Article entitled, ``Facebook scraped call, text message data for years from Android phones,'' Ars Technica, March 24, 2018...... 87 PROTECTING CUSTOMER NETWORK PROPRIETARY INFORMATION IN THE INTERNET AGE ---------- WEDNESDAY, JULY 11, 2018 House of Representatives, Subcommittee on Communications and Technology, Committee on Energy and Commerce, Washington, DC. The subcommittee met, pursuant to notice, at 10:13 a.m., in room 2322, Rayburn House Office Building, Hon. Marsha Blackburn (chairman of the subcommittee) presiding. Present: Representatives Blackburn, Lance, Shimkus, Latta, Guthrie, Olson, Johnson, Long, Flores, Brooks, Collins, Walters, Costello, Doyle, Welch, Clarke, Ruiz, Dingell, Eshoo, Engel, Butterfield, Matsui, McNerney, and Pallone (ex officio). Staff Present: Jon Adame, Policy Coordinator, Communications and Technology; Kristine Fargotstein, Detailee, Communications and Technology; Sean Farrell, Professional Staff Member, Communications and Technology; Adam Fromm; Director of Outreach and Coalitions; Elena Hernandez, Press Secretary; Tim Kurth, Deputy Chief Counsel, Communications and Technology; Lauren McCarty, Counsel, Communications and Technology; Drew McDowell, Executive Assistant; Evan Viau, Legislative Clerk, Communications and Technology; Jeff Carroll, Minority Staff Director; Jennifer Epperson, Minority FCC Detailee; Tiffany Guarascio, Minority Deputy Staff Director and Chief Health Advisor; Alex Hoehn-Saric, Minority Chief Counsel, Communications and Technology; Jerry Leverich, Minority Counsel; Dan Miller, Minority Policy Analyst; and C.J. Young, Minority Press Secretary. OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TENNESSEE Mrs. Blackburn. The Subcommittee on Comms and Tech will now come to order. And the chair now recognizes herself for 5 minutes for an opening statement. Good morning to everyone. And welcome to today's hearing on protecting consumer privacy. And if you have not done so, I would encourage you to get your acronym app out as you try to follow along with what we have before us today. This is a topic that has attracted attention in a variety of contexts, and one that I am so pleased that we are discussing today. And I want to say thank you to our witnesses who are sharing their expertise with us as we strive to protect customer privacy when communicating in the internet age. Over 20 years ago, Congress realized the importance of protecting the confidentiality of Customer Proprietary Network Information, CPNI, when consumers use their primary method for instantaneous communication, which at that point was telephone calls. The rules that the FCC initially adopted to implement the statutory CPNI requirements only covered information from traditional call records. But over time, these protections have evolved to cover new forms of communication like interconnected Voice over IP, or VoIP, calls, and even information collected by telecommunications carriers on mobile devices. By enacting section 222, Congress established a specific statutory structure that acknowledged that consumers share sensitive data when they communicate over the phone. This was based on the assumption that only the telecommunications carrier had access to that data. In the internet age, telecommunications laws have been disrupted just like everything else. In some cases, app developers operating systems and Edge providers have access to the same exact CPNI that telecom carriers are required to protect in various ways. Consumers now use these different forms of communication interchangeably to serve the same purpose. For example, if a consumer uses his or her mobile phone to call someone using the standard telephone function on their cell phone, that call is traveling over the public switch telecom network and would be protected by the current CPNI rules and enforced by the FCC. If that same consumer uses the exact same cell phone to call the exact same person but uses a voice-based app to place a call, the communication would not be going over the PSTN and not be protected by the CPNI rules. As I said, you need your acronym app for this one. Both calls are conveying the same information, but the consumer's information in the second scenario is not protected in the same manner as the first scenario. This leads to a problem where consumers do not have the same privacy protections when using the same device for essentially the same purpose. This is when the FCC's 2016 Privacy Order was a consumer protection vehicle that drove at the wrong target. The Commission's inability to locate all the other traffic out there is precisely when wheels came off. As I have suggested before, the solution to this problem is broad privacy legislation, which is why I introduced legislation on the subject almost a year ago that steers us in the right direction. The BROWSER Act is comprehensive bipartisan privacy legislation that will give Americans seamless protection across all of their electronic communications. As we discuss these important issues today, we need to consider innovation and consumer privacy needs across the entire internet ecosystem so we can arrive at a solution that works for everyone. At this time, I yield the remainder of my time to Mr. Lance for his opening. [The prepared statement of Mrs. Blackburn follows:] Prepared statement of Hon. Marsha Blackburn Good morning and welcome to today's hearing on protecting consumer privacy. This is a topic that has attracted attention in a variety of contexts, and one that I am glad to discuss today. Thank you to our witnesses for sharing your expertise with us today as we strive to protect customer privacy when communicating in the Internet age. Over 20 years ago, Congress realized the importance of protecting the confidentiality of customer proprietary network information, or CPNI, when consumers used the primary method for instantaneous communication: telephone calls. The rules that the FCC initially adopted to implement the statutory CPNI requirements only covered information from traditional call records, but over time, these protections have evolved to cover new forms of communication-like interconnected voice over IP (VoIP) calls and even information collected by telecommunications carriers on mobile devices. By enacting Section 222, Congress established a specific statutory structure that acknowledged that consumers share sensitive data when they communicate over the phone. This was based on the assumption that only the telecommunications carrier had access to that data. In the Internet age, telecommunications laws have been disrupted just like everything else. In some cases, app developers, operating systems, and edge providers have access to the same exact CPNI that telecommunications carriers are required to protect in various ways. Consumers now use these different forms of communication interchangeably to serve the same purpose. For example, if a consumer uses his or her mobile phone to call someone using the standard telephone function on their cell phone, that call is traveling over the public switched telecommunications network and would be protected by the current CPNI rules, and enforced by the FCC. If that same consumer uses the exact same cell phone to call the exact same person, but uses a voice-based app to place the call, the communication would not be going over the PSTN and not be protected by the CPNI rules. Both calls are conveying the same information, but the consumer's information in the second scenario is not protected in the same manner as in the first scenario. This leads to a problem where consumers do not have the same privacy protections when using the same device for essentially the same purpose. This is why the FCC's 2016 privacy order was a consumer protection vehicle that drove at the wrong target. The commission's inability to locate all the other traffic out there is precisely why the wheels came off it. As I have suggested before, the solution to this problem is broad privacy legislation, which is why I introduced legislation on this subject almost a year ago that steers us in the right direction--the BROWSER Act is a comprehensive, bipartisan privacy bill that will give Americans seamless protection across all their electronic communications. As we discuss these important issues today, we need to consider innovation and consumer privacy needs across the entire Internet ecosystem so we can arrive at a solution that works for everyone. At this time, I will yield to the remainder of my time to Mr. Lance for an opening statement. Mr. Lance. Thank you, Chairman Blackburn. And welcome to our distinguished panel. Section 222 of the Communications Act was enacted during the Act's last major update in 1996. The section mandates the telecommunication entities protect consumer privacy information, as the chairman has said, CPNI. Since 1996, the internet has revolutionized communications in so many ways. However, as breaches of consumer data repeatedly confront us, we must ensure the rules and regulations protecting consumer information are up to date and applied equally across the internet ecosystem. The FCC has tried to keep up with the technological innovations over the past 20 years, but an outdated statute limits its efforts. It is crucial we protect consumers' sensitive information, no matter the means of communication, and without hampering innovation. I look forward to discussing how we can update the law to conform to the challenges and opportunities of the digital age. And I yield back. [The prepared statement of Mr. Lance follows:] Prepared statement of Hon. Leonard Lance Thank you Chairman Blackburn and welcome to our distinguished panel. Section 222 of the Communications Act was enacted during the Act's last major update in 1996. This section mandates that telecommunications carried protect customer proprietary network information or CPNI. Since 1996, the internet has revolutionized communications. Through innovations from Voice over IP, to apps like Snapchat or WhatsApp, to social media networks like Facebook and Twitter, consumers now have a bevy of options to communicate over networks separate from traditional telephone and cellular calls. These advances have made it easier and cheaper for people to connect with each other around the world. However, as breaches of consumer data continuously confront us, we must ensure the rules and regulations protecting consumer information are up to date and applied equally across the Internet ecosystem. The FCC has tried to keep up with the technological innovations over the past 20 years, but an outdated statute limits their efforts. It is crucial we protect consumer's sensitive information, no matter the means of communications, and without hampering innovation. I look forward to discussing how we can effectively update the law to conform to the challenges and opportunities of the digital age. Mrs. Blackburn. The gentleman yields back. Mr. Doyle, you are recognized for 5 minutes. OPENING STATEMENT OF HON. MICHAEL F. DOYLE, A REPRESENTATIVE IN CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA Mr. Doyle. Thank you, Madam Chair, for holding this hearing, and thank you to the witnesses for appearing before us today. Digital privacy in our modern era has never been more important. And as our society becomes increasingly connected, it will become even more important. I believe that we can and must do more to protect American's privacy and sensitive information. This committee's hearing with Facebook's CEO Mark Zuckerberg showed how concerned our members are with the practices of one of the world's largest tech companies. And what that hearing made clear was that the FTC does not have the manpower or authority to adequately enforce its own consent decree against Facebook, let alone proactively police this fast-evolving space. To solve this problem and to give the American people the protections they are demanding, we are going to need a comprehensive solution that includes more resources, more manpower, and more authority to go after bad actors, and the ability to set rules of the road for the digital economy. Facebook demonstrated all too well that after-the-fact- enforcement authority can't help us when the damage has already been done. Europe's implementation of its GDPR rules, as well as California's recently and quite quickly passed privacy law, are clear indications that people at home and abroad recognize the need for strong privacy protections. We in Congress and on this committee need to take that to heart as we are addressing this pressing issue. Now, with regards to today's hearing and the topic before us, CPNI, or Customer Network Proprietary Information, the FCC enforces the CPNI rules under section 222 of the Communications Act. This section restricts how telecommunications carriers can use and share customer data related to their service. This section and the authority it grants the Commission are some of the strongest privacy laws we have in this country and are intended to give consumers a modicum of protection. These rules were expanded in 2016 to include broadband services as well. Those rules too were simple but effective. The three components were, first, if your broadband provider wanted to use your data, it had to ask your permission. Secondly, it had to take reasonable steps to protect that data. And third, it needed to notify you if your data was breached. These rules were an expansion of the FCC's existing CPNI rules and would have meaningfully enhanced our nation's privacy laws. However, Chairman Blackburn cosponsored and successfully led an effort to repeal these simple, sensible rules. As of yet, there has been no replacement. The majority cannot claim that it values privacy when one of its signature achievements this Congress is the repeal of these meaningful rules. Americans around the country are shouting for more, not less, privacy protections. Whether it is through ballot initiatives, billboards, people want more control over their digital lives. This is why it is so concerning that the FCC is doing so little to enforce its existing protections under section 222. Thanks to the work by Senator Wyden and his staff, we recently discovered that real-time location of hundreds of millions of cell phones were being made available by our nation's wireless carriers without consumers' consent. At least one company, Securus, used their access to this data to create a service for tracking and locating nearly every cell phone in real time. On top of that, Securus forced families calling prisons to consent to have their location tracked as a condition for talking on the phone with their incarcerated family members. This seems like no choice at all. LocationSmart, the data aggregator that made this data available, had such poor security on their website that according to a researcher at Carnegie Mellon University, individuals could look up real-time location data with little effort. These carriers it seems trusted but did not verify that consumers were giving consent to be tracked, and that gross negligence on their part exposed supposedly protected sensitive data to hundreds of millions of people. These revelations are deeply troubling, but what is more troubling is the lack of knowledge by the FCC of what appears to be a pervasive practice in the wireless industry. Similar to the Facebook incident, we still don't even know the extent of this breach and who may have had access to this data. Madam Chairman, I would respectfully request that this committee hold a hearing on this incident to understand how it happened and to hold the responsible parties accountable. With that, I will yield back the remainder of my time, and I look forward to the testimony of our witnesses. [The prepared statement of Mr. Doyle follows:] Prepared statement of Hon. Michael F. Doyle Thank you, Chairman Blackburn, for holding this hearing-- and thank you to the witnesses for appearing before us today. Digital privacy in our modern era has never been more important, and as our society becomes increasingly connected it will become even more important. I believe that we can and must do more to protect American's privacy and sensitive information. This Committee's hearing with Facebook's CEO Mark Zuckerberg showed how concerned our members are with the practices of one of the world's largest tech companies. What that hearing made clear was that the FTC does not have the manpower or authority to adequately enforce its own consent decree against Facebook, let alone pro-actively police this fast-evolving space. To solve this problem and to give the American people the protections they are demanding, we are going to need a comprehensive solution that includes more resources, more manpower, more authority to go after bad actors, and the ability to set rules of the road for the digital economy. Facebook demonstrated all too well that after- the-fact enforcement authority can't help us when the damage has already been done. Europe's implementation of its GDPR rules, as well as California's recently and quite quickly passed privacy law, are clear indications that people at home and abroad recognize the need for strong privacy protections. We in Congress and on this Committee need to take that to heart as we address this pressing issue. Now, with regard to today's hearing and the topic before us, CPNI or Customer Network Proprietary Information: The FCC enforces CPNI rules under Section 222 of the Communications Act. This section restricts how telecommunications carriers can use and share customer data related to their service. This section and the authority it grants the Commission are some of the strongest privacy laws we have in this country and are intended to give consumers a modicum of protection. These rules were expanded in 2016 to include broadband services as well. Those rules too were simple, but effective. The three components were: first if your broadband provider wanted to use your data, it had to ask your permission, second it had to take reasonable steps to protect that data, and third it needed to notify you if your data was breached. These rules were an expansion of the FCC's existing CPNI rules and would have meaningfully enhanced our nation's privacy laws. Chairman Blackburn cosponsored and successfully led the effort to repeal these simple, sensible rules; as of yet there has been no replacement. The majority cannot claim that it values privacy when one of its signature achievements this Congress is the repeal of these meaningful rules. Americans around the country are shouting for more not less privacy protections; whether it is through ballot initiatives or billboards, people want more control over their digital lives. That is why it's so concerning that the FCC is doing so little to enforce existing protections under Section 222. Thanks to work done by Senator Wyden and his staff, we recently discovered that the real-time location of hundreds of millions of cell phones were being made available by our nation's wireless carriers without consumer's consent. At least one company, Securus, used their access to this data to create a service for tracking and locating nearly every cell phone in real time. On top of that Securus forced families calling prisons to consent to have their location tracked as a condition for talking on the phone with their incarcerated family member. That seems like no choice at all. Location Smart, the data aggregator that made this data available, had such poor security on their website that, according to a researcher at CMU, individuals could lookup real-time location data with little effort. The carriers, it seems, trusted but did not verify that consumers were giving consent to be tracked, and that gross negligence on their part exposed the supposedly protected sensitive data of hundreds of millions of people. These revelations are deeply troubling, but what's more troubling is the lack of knowledge by the FCC of what appeared to be a pervasive practice in the wireless industry. Similar to the Facebook incident, we still don't even know the extent of this breach and who may have had access to this data. Madam Chairman, I would respectfully request that this Committee hold a hearing on this incident to understand how it happened and to hold the responsible parties accountable. With that I yield back the remainder of my time and look forward to the testimony of our witnesses. Mrs. Blackburn. The gentleman yields back. Mr. Walden has not arrived. Does any member on the Republican side seek to claim his time? Seeing no one, I will go to--Mr. Pallone is not here. Does anyone on the Democrat side seek to claim his time? Ms. Eshoo, you are recognized. OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA Ms. Eshoo. Thank you, Madam Chairwoman. And thank you to the witnesses. It is good to see each one of you. I was surprised when the majority actually called this hearing. I think that there is an urgent need to examine privacy and data protections across the internet ecosystem, but I think this hearing, most frankly, is being held under disingenuous pretenses, and that the majority is inaccurately portraying itself as champions of consumer privacy reform when the record shows otherwise. Mr. Doyle raised this in his opening statement. In fact, the only action the majority has taken on privacy to date has been to actively roll back existing privacy protections and expose consumers to increased harm. Consumers legitimately feel that they have completely lost control of their personal information. There is not a single one-size- fits-all solution to this, but in 2016, I think we were making progress. That is when the FCC extended CPNI protections to apply to broadband access services. That was a step forward for consumers. It should have been the first step toward protecting privacy at other points in the digital economy, including at the Edge. But instead, the majority pushed through a partisan repeal of the rules before the ink was even dry on a razor-thin vote of 215 to 205 with 15 Republicans opposed. Everyone on this committee remembers what a bitter fight that was. But in the end, there were pressures that beat out consumer protection. So now as a result, there are currently no strong privacy rules anywhere in the digital ecosystem. Americans have spent the last 17 months completely vulnerable to privacy exploitation and data breaches without recourse. Our most sensitive information, location data, medical history, Social Security numbers and mothers' maiden names are daily transmitted through networks of companies who no longer have any meaningful obligation to protect it. And I think that the American people are legitimately outraged by this. So, Madam Chairwoman, I fully support real attempts. And I underscore that word, ``real attempts'' to seek meaningful solutions for privacy protection across the diverse internet economy. And I think our witnesses here today are going to help to inform our thinking. So with that, I yield back the balance of my time, and I want--yes. Oh, Jerry. I will be happy to yield to my colleague from California, Mr. McNerney. Mr. McNerney. Well, I thank my colleague for yielding. Despite demands from Americans for more control over the information they share online, last year, Republicans in Congress voted to strip consumers of the power to choose how ISPs use and share their information. Republicans also voted to eliminate important data security protection for consumers. Now, ISPs are no longer required to take even reasonable steps to secure consumers' personal information. Given the growing cyber threats that our Nation faces, it is critical that we do more and not less to secure consumers' data. That is why I introduced the MY DATA Act, which would give the Federal Trade Commission important tools to protect consumers' privacy and security online. I hope that we can work together to move the MY DATA Act forward. And does the ranking member wish some time? Mr. Pallone. Well, let me just say, if I could. Madam Chair, if I could ask unanimous consent to include my statement in the record. Mrs. Blackburn. Without objection. [The prepared statement of Mr. Pallone follows:] Prepared statement of Hon. Frank Pallone, Jr. Privacy is a deeply held American value. Today, location data is collected not only by phone companies, but by apps and phone operating systems. According to a recent Harris poll, 78 percent of people believe that a company's ability to protect their privacy is ``extremely important,'' but only 20 percent ``completely trust'' companies to maintain the privacy of their data. This is not surprising considering all of the recent privacy breaches, including the Cambridge Analytica scandal. That is why I called for hearings so we can directly question executives from tech companies, internet service providers, data brokers and other companies that collect our information. Unfortunately, as Americans were demanding greater privacy protections, Republicans eliminated existing privacy rules and they continue to show little appetite for meaningful reform. Two years ago, the FCC adopted strong privacy rules for internet service providers under Section 222 of the Communications Act. Instead of embracing those rules, one of the first acts of the Republican Congress and the Trump Administration was to repeal them. Consumers need strong privacy protection across the entire Internet ecosphere, which is broader than just ISPs, but eliminating ISP privacy protections just left Americans less safe and angry. It was only after a huge public uproar and protests back in their districts that Republicans put forward a weak and unacceptable alternative. Ms. Blackburn's bill lacks basic protections such as rulemaking authority and significant civil penalties. And even this watered-down proposal has garnered little support from Republicans. It's no wonder that states like California are stepping in to fill the void left by the repeal of these privacy rules. And now that Republicans have rolled back not only online privacy protections, but also net neutrality, the FCC is left with limited authority to protect privacy. For telecommunications companies, the CPNI rules do remain. These rules require providers to protect information like a caller's name, location, who they called, and for how long. These are strong rules, but they are only effective if the FCC aggressively enforces them, which Chairman Pai has not. According to recent news reports, third-party data aggregators, such as LocationSmart and Securus, obtained real- time location data from wireless carriers and allowed access to that data in ways that appear to violate the CPNI rules. This appeared to be happening for a long time. Fortunately, the FCC opened an investigation into LocationSmart, but why did it take so long? Why did it take a Canadian security researcher to identify the problem? And what is the FCC doing to proactively identify potential violations of its CPNI rules? These questions deserve answers, and that's why I've called for a hearing on this incident. In another move that puts companies before consumers, tomorrow, the FCC is considering eliminating the agency's traditional role in helping consumers resolve informal complaints. Currently, the informal complaint process is a free and easy way for consumers to use the FCC's help resolving everyday problems with communications companies. Chairman Pai is proposing that the FCC now just simply pass the consumer's complaint to the company. And then if the customer is unsatisfied, they will be encouraged to file a $225 formal complaint. This is simply not right. The FCC should work for consumers, not make life harder for them. That's why Ranking Member Doyle and I sent a letter to the Commissioners yesterday urging them not to limit the ability of FCC staff to help resolve consumers' complaints. At a time when every dollar matters to working class families, it should be among the Commission's highest priorities to help consumers on the losing end of a growing imbalance of power. With that, I yield the balance of my time. Mr. Pallone. Thank you. Mr. McNerney. I yield back. Mrs. Blackburn. The gentleman yields back. The gentlelady yields back. And that concludes member opening statements. And I would like to remind all members that pursuant to the committee rules, all members' opening statements will be made a part of the record. We want to thank our witnesses for being here today and taking time to be before the subcommittee. Today's witnesses will have the opportunity to give their opening statements, followed by a round of questions from members. On our panel today we have Mr. Hance Haney, director and senior fellow at the Technology and Democracy Project at the Discovery Institute. Mr. Rob McDowell, senior fellow at the Hudson Institute, and a former FCC commissioner. And I think she may get the prize for most appearances this year; Ms. Laura Moy, deputy director of the Georgetown Law Center on Privacy and Technology. We appreciate each of you being here, making your testimony available to us. We will begin today with you, Mr. Haney. You are now recognized for 5 minutes for an opening statement. STATEMENT OF HANCE HANEY, DIRECTOR AND SENIOR FELLOW, TECHNOLOGY AND DEMOCRACY PROJECT, DISCOVERY INSTITUTE; ROBERT MCDOWELL, SENIOR FELLOW, HUDSON INSTITUTE, FORMER COMMISSIONER, FEDERAL COMMUNICATIONS COMMISSION; AND LAURA MOY, DEPUTY DIRECTOR, GEORGETOWN LAW CENTER ON PRIVACY AND TECHNOLOGY STATEMENT OF HANCE HANEY Mr. Haney. Thank you very much, Chairman Blackburn, Ranking Member Doyle, and Ranking Member Pallone. Section 222 of the Communications Act requires telecommunications common carriers to obtain customer approval in order to use, disclose, or permit access to Customer Proprietary Network Information. CPNI consists of call detail information, including the time, location, duration of telephone calls, as well as the telephone numbers from which calls originate and terminate. It also includes billing and other information. Section 222 does not apply to broadband services, which are classified as an information service. Even though broadband services could be thought of as being provided by telecommunications carriers, the statute and the regulations look to the service provided, not to the provider of the service. Instead, broadband is subject to the unfair and deceptive acts and practices authority of the Federal Trade Commission. This is the same authority that governs video streaming services, search engines, social networking sites, e-commerce sites, and user-generated media sites. The FTC privacy framework is technology neutral and it identifies categories of sensitive information that may give rise to an obligation by companies to obtain affirmative, express customer consent, otherwise referred to as opt-in approval. Sensitive information includes information about children, financial and health information, Social Security numbers, and precise geolocation data, according to the FTC. Technology neutrality is appropriate because, as the FTC has observed, broadband providers are no different than other participants in the internet ecosystem in terms of their ability to collect and utilize information about consumers. The FTC's recognition that the requirement to use opt-in should be limited is also appropriate. Due to consumer inertia, most consumers typically don't take action in this type of situation. The requirement to obtain opt-in approval can be costly and inefficient, even a barrier to innovation. Consumers benefit from the use of information that companies see and collect in the course of serving their customers, as companies like Google have demonstrated. Advertising underwrites the cost of services that Google offers for free to the public, and there is no reason that advertising couldn't also help offset the cost that broadband providers incur in offering broadband service. Privacy regulation involves transaction costs and may have anti-competitive consequences if it is applied unevenly. Ideally, all market participants should be subject to a uniform privacy framework administered by a single agency for the sake of consistency. The FTC's current privacy enforcement practice satisfies these criteria. Admittedly, making the internet more secure will likely always be a work in progress, and there is a role for both market solutions as well as regulation. Legislation to enhance consumer privacy protection, if any, should strive for technological and competitive neutrality. In particular, it isn't rational to subject some market participants to heightened privacy regulation just because they were subject to economic regulations in the past. We live in an era of rapid technological convergence in which it is wise to consider that every participant in the internet ecosystem is a potential competitor at least to some extent. Moreover, privacy protection should be calibrated according to the sensitivity of the information at issue in recognition of the fact that there are transaction costs associated with consumer consent systems. Opt-in systems are particularly burdensome and should be reserved for only the most sensitive personal information. Where customer information is less sensitive, consumers' privacy expectations should be balanced with the benefits consumers are likely to derive from a dynamic, competitive market, including greater abundance of choices and lower prices. Such a market is one where all providers have similar opportunities to innovate and earn a fair return on investment. Finally, to the extent possible, regulation should reflect the practical reality that it is difficult to make predictions about how the market will evolve and at what pace, and that the process of calibrating regulation on an ongoing basis as necessary to reflect changes in the market can be slow. Thank you. [The prepared statement of Mr. Haney follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Blackburn. The gentleman yields back. Mr. McDowell, you are recognized. STATEMENT OF ROBERT MCDOWELL Mr. McDowell. Thank you, Chairman Blackburn, Ranking Member Doyle, and Ranking Member Pallone as well, and distinguished members of the committee. It is an honor to be back before you here today. I did serve as a Commissioner of the FCC from 2006 to 2013. Today, I am a partner at Cooley LLP, as well as co-leader of its communications practice, which is global. I am also a senior fellow at the Hudson Institute, as the chairman pointed out, and I testify today in my own capacity, and the views I express today are purely my own. Sitting behind me is a remarkable young woman, as my aide- de-camp for the day. She is my daughter Mary-Shea Virginia McDowell. It is always good to have someone watching your back when you are in Washington, so---- Safeguarding sensitive or private information is a concept as old as human beings. The English term ``eavesdropping'' was created centuries ago when the ancestors of today's data thieves literally lingered under the eaves of roofs to listen to the private conversations of others. Fast forward to 1980 when the FCC extended itself into the privacy arena in a narrow way as part of its computer inquiry proceedings. It issued rules governing what is now dubbed Customer Proprietary Network Information, or CPNI--could use some branding work on that name, I think--mainly as a safeguard against regulated monopoly local phone companies from using sensitive customer data to help their unregulated affiliates compete against new entrants at the time. Then Congress codified section 222 in 1996, mandating the Commission to adopt more specific CPNI protection rules applicable only to common carriers. Since then, dramatic changes have occurred in the telecommunications, media, and technology, or TMT marketplace. The maturation of the internet ecosphere, especially the mobile internet, has produced consumer benefits that were unimaginable 22 years ago when section 222 was codified. And America has led the way in these innovations. Furthermore, the mobile net has also helped spark trillions of dollars in American economic growth. Brilliant engineers and intrepid entrepreneurs have invented new tools that have dramatically altered and improved our daily lives, forcing business models to experiment and converge. Section 222, however, has remained the same despite these new market realities. Only telecommunications carriers must live under this law governed by the FCC, while the rest of the players in the dynamic internet ecosphere operate under privacy standards administered by the Federal Trade Commission. This duality has created a legal and regulatory asymmetry in the diverse internet market. Additionally, America's public policy has evolved to create a regulatory regime that sometimes does not focus as much on the sensitivity of the data that is collected, but rather, it focuses on what kind of market player collects the data. This approach could be more confusing for consumers, including myself, and companies alike, than would having one set of technology neutral rules that apply consistently across all platforms, including those we can't even imagine today. Only Congress has the authority to modernize privacy and consumer protection laws to reflect the realities of the 21st century internet marketplace. I respectfully suggest that Congress examine a modernized and harmonized privacy framework that is technology neutral and which focuses on the sensitivity of the data that is collected, rather than the type of entity that collects the data. That said, any uniform standard should guard against imposing overreaching or unnecessary regulations to help maintain America's leadership in the global TMT economy. Thank you again for inviting me to appear before you today, and I look forward to your questions. [The prepared statement of Mr. McDowell follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Blackburn. The gentleman yields back. Ms. Moy, you are recognized. STATEMENT OF LAURA MOY Ms. Moy. Thank you very much. Good morning, Chairman Blackburn, Ranking Member Doyle, Ranking Member Pallone, and distinguished members of the committee. So the subject of today's hearing is Customer Proprietary Network Information, sometimes referred to as CPNI, which I agree with Mr. McDowell that that may need some branding work. That is the information collected by telecommunications providers--and right now, that means just phone providers-- about subscribers' use of the information. So important information about our communications, like who we call and who calls us, how often we call them, how long we talk to them, and where we are calling from. And I am really glad we are having a hearing on CPNI because the law that protects CPNI is one of the strongest Federal consumer privacy laws we have. It requires phone carriers to get their customers' permission before using CPNI for purposes other than to provide the phone service. In other words, you are paying for your phone service, and your carrier simply delivers the service without always trying to make an extra buck off your private life. So your phone carrier can't use the fact that you have been calling banks and credit card companies to market your payday loans, or the fact that you have been calling an elderly relative and healthcare providers more frequently to market your home health services, nor can it sell that information to outsiders without getting your permission first. The CPNI privacy law also enables an expert agency to issue regulations that can be modified and updated in accordance with changing technology and business practices. And this is really important. The CPNI privacy law also gives the FCC robust enforcement authority in the form of fines. And using this authority just in the last few years, the FCC has fined four different carriers for violations of CPNI privacy protections. The CPNI privacy law should serve as a model for future privacy laws this Congress may consider because of its substantive strength, the regulatory flexibility it offers through rulemaking, and its enforcement strength. But instead, however, the benefits to consumer privacy presented by the CPNI privacy law has faced some major setbacks. As multiple people in this room have mentioned, last year, Congress, including a number of members of this subcommittee, voted against the application of these strong privacy rules to broadband providers, even though, like the phone, broadband is now an essential service, and like phone carriers, broadband providers enjoy privileged insight into their subscribers' private communication. And this year, as the FCC eliminated net neutrality rules, it removed broadband providers altogether from the reach of the CPNI privacy law, which, as I said, is one of the strongest consumer privacy laws we have on the books. So that brings us to today, and here, as we consider what our path forward should be. It is clear that we must do something. Ninety-one percent of adults in America feel that consumers have lost control of their personal information. And nearly 70 percent thinks the law should do a better job of protecting their information. Consumers want more privacy protection, not less. This is why the recent elimination of existing privacy protections was so unpopular among the American public. As Congress considers how to give Americans the privacy protections they deserve, it should keep a few things in mind: First, prospective rulemaking authority is an incredibly important consumer protection tool. After-the-fact enforcement can be helpful, but an enforcement-only regime does not always create clarity, and because it comes only after a problem has occurred, it does not necessarily protect consumers from the problem in the first place. Granting rulemaking authority to an expert agency also fosters much needed regulatory flexibility. We don't always know what the next privacy or data security threat will be, but unfortunately, we all know that there will be one. An agency with rulemaking authority can respond to shifting threats more quickly than Congress can. Second, consumer protections are only as good as their enforcement, so any new protections Congress creates on privacy or data security must be accompanied by strong enforcement authority. Right now, the FTC does use substantial work on privacy and data security. But with few exceptions, it does not have the ability to seek civil penalties for privacy and data security violations. In fact, FTC staff and commissioners have appeared before Congress requesting civil penalty authority to buttress their authority. Agencies that are tasked with protecting consumers' private information cannot do it without the proper tools. Civil penalty authority is needed. Third, Congress should avoid the temptation to address complex challenges with the one-size-fits-all approach. There are different types of actors on the internet with different roles to play, different relationships with and commitments to consumers, different competition environments and different abilities to solve problems. If we adopt a uniform regulatory approach to the entire internet, we are going to be left with the lowest common denominator, something like transparency with enforcement that just prohibits deceptive practices. And that is not good enough. Consumers are asking for more. I appreciate your commitment to this issue. Thanks for having me. I look forward to answering your questions. [The prepared statement of Ms. Moy follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mrs. Blackburn. The gentlelady yields back. And we thank all of you for your testimony. And we will begin our questions and answers. I will begin by recognizing myself for 5 minutes. Mr. Haney, I would like to start with you. Devices often have much more detail location information than what carrier location provides. For example, later iPhone models integrated location information from various sensors, Wi-Fi, Bluetooth, GPS, cell towers, et cetera, and create a more precise location. Apple calls this data Hybridized Emergency Location, or HELO. Is this feature integrated into the operating system? Mr. Haney. Yes, I believe it is. Mrs. Blackburn. And would you classify HELO data as CPNI? Mr. Haney. No. Mrs. Blackburn. If you applied current CPNI rules to HELO data, would Apple be permitted to transfer this data to a service like RapidSOS? Mr. Haney. No, not without subsequent permissions. Mrs. Blackburn. OK. Would Uber, which relies on HELO data, be able to function if HELO data was subject to CPNI rules, or would the app become unusable due to individual opt-in consent mechanisms every single time a user opens the app? Mr. Haney. In terms of ability to function, no, probably not. In terms of the consumers, they probably suffer from opt- in fatigue. Mrs. Blackburn. OK. Thank you. Mr. McDowell, how is the data that is collected by mobile apps different from the data collected by a telecom provider? Because it does not sound that different to me. Mobile apps are collecting the time an app is used, the duration, and the location of where the user is when they are using the app. And we heard through our algorithms hearing that we recently did how all this collection goes even a step further and anticipates my future choices, plans, and decisions. So aren't these the same details a telecom provider collects and are protected under the CPNI rules? And what are the rules protecting this information from a mobile app, and what level of opt-in has the consumer performed? Mr. McDowell. A lot of questions there, Madam Chair. Mrs. Blackburn. Yes. Mr. McDowell. All excellent ones. So, first of all, an app can actually collect more data than a carrier would have access to. For instance, if you scan a UPC code, the price of something in a supermarket, there is an app that can tell you if there is a better deal nearby. So it knows where you are, it knows what you are buying, it knows your price points. It knows a lot about you all of a sudden, the demographics, based on that thing that you are buying. That is just one of many examples. It is the 10th anniversary this week of the Apple App Store. So happy birthday to the App Store. I think it is a wonderful thing. And there are, I think, 1.5 million apps in that app store. And certainly, Apple has some terrific standards that it tries to live by there. But those apps, with 1.5 million, or whatever the actual number is, there are just as many ways of gleaning information about consumers, where they are, what they are buying, what they want, what they are saying, how they look. There are a lot of aspects there that carriers don't necessarily have access to. So the CPNI rules would be sort of a--or the data that CPNI governs would be sort of a subset of what all the other information that apps collect. Mrs. Blackburn. You mentioned we need to modernize and harmonize the protection rules. So I want you to elaborate just a touch on that point. Mr. McDowell. Absolutely. So from a consumer's perspective, there is certain information that we find sensitive. And this can vary from consumer to consumer, of course, and other information not. So if you think of your information regarding your health or your financial information, things like that, those are easy examples of what we consider to be sensitive, and you don't necessarily want the whole world, or very few people, having access to that, versus you are conducting a search to buy a new car. Maybe you want to have the greater world know that you are looking for this kind of car at this type of price point. So that is less sensitive information. So that is what I was trying to illustrate too, is as consumers, we care about the type of information. It doesn't matter who has that information. There aren't politically favored or politically disfavored entities out there. We are concerned about anyone breaching that or disclosing that information in a way that we don't agree with or the way that we don't command. Mrs. Blackburn. OK. I appreciate that. Ms. Moy, I have a question for you. In the interest of time, I will submit that. I yield back my time and recognize Mr. Doyle. Mr. Doyle. Thank you, Madam Chair. Ms. Moy, it was recently revealed that our nation's top wireless carrier shared real-time location data of hundreds of millions of Americans with third parties without consumers' consent. This access was used by at least one entity, Securus, as part of a service to enable their customers to determine the exact location of hundreds of millions of cell phones in real time without user consent. How is it possible that such a massive data breach of such sensitive data could occur, and why do you think the FCC was in the dark on such a widespread practice? Ms. Moy. Those are really good questions, and questions that the agency itself should be asking. So in this instance, Securus was getting information through these data brokers, location aggregators, that were sourcing it directly from the wireless carriers who were giving these data brokers direct access into their location information. We know about the Securus case, but about a month ago, Verizon told journalist Frank Bajak of the Associated Press, that about 75 companies have been obtaining its customer data from LocationSmart, and another broker called Zumigo, I think. And I want to emphasize that this is really private information. Location can tell someone about where you work, where you live, where your kids go to school. In a recent Supreme Court decision, the Court likened location data maintained by phone carriers to electronic ankle bracelets. With respect to how this could have happened, clearly, the carriers have not been taking location privacy seriously enough, if they were enabling data brokers to take over the customer consent process and then not properly policing it. But ultimately, the responsibility falls with the FCC to ensure that carriers are actually meeting their statutory obligation to protect that information. Mr. Doyle. So tell me, if a Federal regulator is captured by industry and declines to assert their own authority, what role does the private right of action or enforcement authority by state attorney generals play, and how can that maybe be a check on a reluctant agency? Ms. Moy. That is a great question, because we have something sort of like that under the--well, we do have that under the Children's Online Privacy Protection Act. The Children's Online Privacy Protection Act, which is a 1998 privacy law that specifically involves the information that children share with a provider of an online site or service, grants state attorneys general the authority to bring civil actions against companies that they believe have violated the Act--or have violated, actually, the regulations passed by the FTC under that act on behalf of citizens of the state in the event that the agency itself, the Federal agency, doesn't do that. I think that is a really important and strong privacy enforcement tool. It has been used by multiple state attorneys general, and it would be great to see something like that in additional privacy laws moving forward. Mr. Doyle. Tell me, do you think Chairman Pai's past work for Securus is reason for him to recuse himself from any investigation or enforcement action? Ms. Moy. I don't know that I can answer that directly, except to say that I do; it does raise some red flags that he does have a past working for a company that is accused of wrongdoing in this particular instance. Mr. Doyle. Let me ask you, do you think Americans have fewer privacy protections as a result of the broadband privacy CRA? Ms. Moy. As a person who advocated strongly for those broadband privacy rules and thinks that they are really important, yes, I do. I think that privacy is in a worse place, especially when you think about your home internet connection. An internet provider can see not only information about all of the websites that you visit, including those that pertain to your health information, your political viewpoints and so on, but can also see information about Internet-of-Things connected devices. So perhaps information about when you are opening your garage door, when you are using your baby monitor, maybe even when you are using your connected toothbrush or connected mattress. They can see maybe when there are guests in your home and additional devices. There is just a lot of really sensitive information that a network provider has access to, and consumers, unfortunately, have no choice but to share that information with those providers. Mr. Doyle. Do you think Americans are better off with the FTC enforcing privacy protections on broadband providers as some in the majority have alleged? Ms. Moy. Frankly, no. There are multiple reasons, but part of it is that the FTC doesn't have rulemaking authority, so it can't create perspective rules-of-the-road on this issue. And its enforcement tools are really limited. It doesn't have the same kind of bite to its enforcement that the FCC does. As I said, the FCC has brought multiple actions against carriers in the past few years for CPNI violations with fines attached. The FTC doesn't have that type of authority. Mr. Doyle. Thank you, Madam Chair. I yield back. Mrs. Blackburn. The gentleman yields back. Mr. Olson, you are recognized for 5 minutes. Mr. Olson. I thank the chair. And welcome, Mr. Haney, Ms. Moy. And a special welcome to the McDowell family, our commissioner, and his daughter Mary-Shea is right behind his left shoulder. We talked before the hearing. She is a junior in high school, about to go off to college, and I take great pride, as your father does as well having--my wife went to Duke University like your father. You won't become a North Carolina Tar Heel. Never, ever. So thank you for that. But to the business ahead, Commissioner McDowell, we have all become familiar with the idea of targeted advertising. As you know, companies grab our data and, when we buy something-- like, for example, I bought a lot of Houston Astros World Series hats, Jose Altuve jerseys, George Springer bobblehead. All of a sudden, ads popped up, when I got on the internet, with the Astros, the Rockets, the Oilers, pro-baseball. Obviously, they are targeting me with direct ads because of my behavior on the internet. Google and Facebook as well do this automatically. Users like myself have to opt out most times, because I don't want those targeted ads. Most people don't want those ads. But if a telecommunications provider does this automatically, the exact same behavior that Googles and Facebooks do, that is illegal. Can you explain that? Doesn't that sound anticompetitive? Mr. McDowell. Well, it does create that asymmetry that I was talking about in my opening remarks. So that is because of section 222 and the FCC's enforcement of that. So we have a diverse internet ecosphere. There are business models that have come forth in the past decade, even the past year or two, that we couldn't even imagine a year or two ago, right. So we don't know what is coming up next, what brilliant entrepreneurs are going to think of. So we don't know ways they might be using our data. But you do have 222, section 222, offering one standard and FTC sometimes administering a different standard. Mr. Olson. Mr. Haney, in your opening statement, you state that ``privacy protection encourages broadband usage and therefore promotes broadband investment.'' So this should incentivize broadband providers to invest heavily in privacy protection. Is this what you see in the marketplace? Does it work in the market? Mr. Haney. I think in the marketplace, privacy protection can be strengthened, but I think that current privacy protection is working in the market to incentivize all providers to invest, to create for consumers more abundance of choices, lower prices, services that we can't even imagine at this point. And I think that to the extent that Congress through legislation enhances consumer privacy, that it is very important, not only to be certain that all providers are created equally, but also that the privacy regulation is not overly burdensome. Mr. Olson. Thank you. Back to you, Commissioner McDowell, about my Houston Astros hats purchases swarm me with ads. Most consumers, as we mentioned, don't want their call detail information released to third parties or used for targeted ads. It doesn't matter if that call comes from a digital telephone or even an app. Do you believe the best way to address this problem would be with one technology neutral privacy rule that covers all call detail information? Mr. McDowell. I think one standard would be very helpful and would allay a lot of confusion among consumers and market players of all kinds alike. So when I was at the Commission in 2007, we expanded the CPNI rules to what we call interconnected Voice over Internet Protocol providers, or interconnected VoIP, as we call it. But if you are not an interconnected VoIP, if you are just VoIP, using internet protocol through an app, then it is not regulated by 222. But to the consumer, it is the same function. It is an internet voice and video call to someone. One type, if it is interconnected, is regulated in 222. Another type, if it is not interconnected to the PSTN, the public switched telephone network, is not. So that creates that asymmetry and a lot of confusion for folks, I think. Mr. Olson. Well, thank you. I will close with a comment on Hurricane Harvey. During your tenure at the FCC, you were pushing hard after hurricane Ike hit my hometown about putting your lines below the soil, bury them. We did that for Harvey. Those lines stayed up the whole time. Information critical for emergency were being flown all across Houston areas. So thank you, thank you for that. Go Blue Devils. Beat the Tar Heels forever. I yield back. Mr. McDowell. I did not ask him to say that. Mrs. Blackburn. The gentleman yields back. Mr. Pallone, you are recognized for 5 minutes. Mr. Pallone. Thank you, Madam Chair. Today's hearing highlights how much consumers on the internet have lost over the past year and a half. Consumers' privacy protections, consumers' data security protections, and consumers' net neutrality have been ripped away. So I think it is a rough time to be online. The Republicans delivered a one-two punch when they rolled back consumer broadband privacy rules and then repealed the net neutrality safeguards that ensure the internet remain free and open. So let me start, Ms. Moy, can you explain how these two anti-consumer actions worked in concert to give consumers fewer privacy protections online? Ms. Moy. Sure. Yes. So the first was these set of rules that really implemented section 222, the CPNI law, which, as I said, is one of the strongest consumer privacy laws that we have, and apply it to broadband providers. And unfortunately, Congress undid those regulations with the CRA resolution. But even after the CRA resolution, section 222, at least the statute of it, still applied to broadband providers until the more recent net neutrality order that undid the net neutrality rules, as well as Title II classification. So consumers now are left without the statutory protections of 222 to apply to broadband information and are left only with the baseline prohibition on unfair and deceptive practices under section 5 of the FTC Act, which more or less just prohibits broadband providers from doing things other than what they have told consumers in a consumer-facing statement they would do. Mr. Pallone. Well, thanks. Let me ask Mr. Haney. It is evident that in the internet age, so many different entities have access to our private information. And you also make mention of this in your written testimony. So if you could tell me, what types of companies, other than phone companies, have access to information traditionally thought of as CPNI, and are they subject to as stringent regulations as telecommunications companies? Mr. Haney. I mention video streaming services, search engines, social networking sites, e-commerce sites, and user- generated media sites as examples. And currently, they are subject to the same privacy regulation as broadband providers, but as I mentioned, broadband is not the same thing as a common carrier telecommunications service. And therefore, only the common carrier telecommunications service, what we think of as telephone calls or any voice communication, excepting a voice app that is not interconnected to the public switched telephone network, that would be the only category that would be subject to the privacy protection that Ms. Moy supports. Mr. Pallone. All right. Thank you. Let me go back to Ms. Moy. I was alarmed by the reports of the vast troves of location data that third-party aggregator LocationSmart was making available to anyone on the web. It seems to me that we don't even know yet the entire scope of that incident. So do we know how exactly and how many companies or individuals have access to the data that LocationSmart was making available and what these data were used for? Ms. Moy. We don't know. We know the one specific example of Securus, we know that in some detail because there were public records posted on the Georgia Department of Corrections website that showed screen shots from what the Securus platform looked like. And alarmingly, it enabled users of that platform to enter in the phone number of any phone in the country, upload a document of any sort, and without that document being scrutinized, they could obtain real-time location information for any individual in the country. We do know, as I said before, from an AP report that 75 companies reportedly had access to location information through LocationSmart pertaining to Verizon customers. But I think it is safe to say that this is just the tip of the iceberg, right? If all four major wireless carriers were outsourcing a location information access to these third-party data brokers, only one of which is LocationSmart, then we are probably just seeing the very beginnings of what could be a massive investigation and a lot of privacy violations. Mr. Pallone. Do you have any suggestions what the FCC could do to help us better understand the scope of this incident problem? Ms. Moy. So the CPNI rules do require carriers to maintain records about who has access to customer CPNI, using the customer consent model. And so the FCC ought to be able to, using its investigatory authority, ought to be able to demand those records from the major wireless carriers, and that trail of records should lead them right down the path to finding out how many violations there were. And if those records don't exist, then that is a violation in and of itself. Mr. Pallone. Thank you. Thank you, Madam Chair. Mrs. Blackburn. The gentleman yields back. Mr. Lance, you are recognized for 5 minutes. Mr. Lance. Thank you very much. And I apologize to the panel for shuttling. We have several subcommittees this morning. This is a very important topic, and certainly we want to proceed in a bipartisan way on it. Given the rules implementing 222 continue to distinguish between local and long distance service and impose authentication requirements that are 20 years and perhaps out of date, do you believe that the current rules make sense in today's modern marketplace or do you believe that we should update them reflecting consumers' current expectations? And this is for the panel in its entity. Mr. Haney? Mr. Haney. I believe the rules, sir, are out of date. They were designed, not only to protect consumer expectations, but they were also designed to try to allocate competitive advantages and competitive disadvantages in the marketplace as new entrants joined the market to compete with traditional incumbents. That dynamic is no longer relevant, and so I believe that the rules can and should be updated. But I do think it is important, sir, that the rules should apply equally to everyone. Every provider in the internet ecosystem is in a position to see and to collect information about consumers, some of it sensitive. Mr. Lance. Mr. McDowell. Mr. McDowell. I would agree with Mr. Haney in that the rules are out of date. Twenty two years ago was when Congress passed section 222. Every aspect of the internet ecosphere is completely different now than it was then in terms of data collection as well. And one also point to follow up on the exchange with Mr. Pallone, is that, if you have a device, like Mary-Shea's little brother Cormac, he has a hand-me-down iPhone, but he is not a subscriber, so he lives off the land, so to speak, through unlicensed. And those transmissions--voice, video, apps, gaming, whatever--would not be covered, right, except by the FTC. They are not covered under 222. So this starts to talk about the limitations or point out the limitations, and there are millions of nonsubscribers such as our youngest child, Cormac. Mr. Lance. Thank you. Ms. Moy. Ms. Moy. Thank you. So the regulations almost were updated, as you know, and the updates to those regulations would have applied to phone providers who are subject to the CPNI rules as well as to broadband providers to whom the CPNI rules had been extended. And so that included, for example, an update of the data security provisions in the CPNI rules to do away with some of the more prescriptive things that was maybe an older approach to data security and to replace it with a more flexible, reasonable security measures standard in accordance with several factors, such as the nature and scope of the carrier's activities, the sensitivity of the data that it collects, and so on. So I do believe that updates to the rules such as those that were almost enacted that were passed in 2016 and then reversed by the CRA resolution would be appropriate. And the question is just how we get back to where we are. Mr. Lance. Would they have applied across-the-board? Ms. Moy. They would have applied to phone carriers as well as to broadband providers. If you are asking if they would have applied to other entities such as apps and so on, no, they would not. And I would completely support rulemaking authority to apply similar regulations to---- Mr. Lance. I am a co-sponsor of the chairman's legislation, the BROWSER legislation, and I would hope that the distinguished panel would look at it. And the chairman has taken the lead across this country in this area, and I am pleased to associate myself with what the chairman is attempting to do here. And I certainly agree with the panel that we need to update the procedures. Mr. McDowell, if Congress enacts new privacy legislation, should information about calls be treated the same regardless of how a call is made? Mr. McDowell. If Congress looks at this, yes, again, back to one uniform standard, I think that that would be very helpful to everybody involved. As we are finding out today, it is a complicated issue. It doesn't need to be as complicated. Mr. Lance. Thank you. And, Chairman, I yield back 32 seconds. Mrs. Blackburn. The gentleman yields back. Mr. Welch, you are recognized. Mr. Welch. Thank you very much. Mr. Haney, do you believe that the CPNI rules as they apply to telecoms have served a good function to protect privacy of telephone users? Mr. Haney. I think the rules were more onerous than they needed to be, but---- Mr. Welch. Well, go ahead. Mr. Haney. I think that the requirement to get opt-in consent actually inhibited innovation, because as it applied to the incumbents in the marketplace, it is very difficult to get opt-in consent from consumers. Mr. Welch. All right. I am going to come back to that. Do you think that the privacy protections, though, that were outlined in the CPNI did ultimately protect privacy rights of the users? Mr. Haney. Yes, sir. Mr. Welch. And would you have a problem having that privacy protection applied across all technologies? Mr. Haney. I think if it applied across all technologies, it would be a huge improvement. Mr. Welch. So CPNI across all technologies you would be supportive of? Mr. Haney. Well, except for the fact that I do believe it is overly burdensome. Mr. Welch. All right. I am going to try to summarize what I am hearing. Because, number one, all three of you, I think, want technology-neutral provisions, correct? And I don't think there is opposition up here to having it be technology neutral. Number two, you want a uniform enforcement so it is not complicated, right? Mr. Haney. Yes. Mr. Welch. So, three, there is a big debate about this opt in or opt out. And essentially, that is the burden. Who is going to be protected? Is it going to be the consumer and he or she has the opportunity to opt in or opt out versus the burden that the opportunity costs for the technology provider. Isn't that essentially what it boils down to? Mr. McDowell. If I could add to that, yes. So certainly, and earlier what Mr. Haney said, there is the potential for opt-in fatigue, as we see with the GDPR in Europe. I don't think that is the standard we want to operate on. I think that would actually suffocate our internet ecosphere, but---- Mr. Welch. Let me---- Mr. McDowell. But uniformity, that concept, I think---- Mr. Welch. But here is the thing. I am a consumer. I don't have a clue how all these things operate, and that is how most of us are. I would feel much more comfortable if I was able to opt in or not. If it was the opt-in approach, I would feel more empowered. Mr. McDowell. Coming over the horizon too real quick-- sorry--we ought to probably have another hearing some day on blockchain and the evolution of blockchain and how that is going to help privacy protection. That is a whole other technological argument---- Mr. Welch. You know what, I actually got to say I don't buy that. Mr. McDowell. OK. Mr. Welch. And here is why. There is always something over the horizon. All right. None of us have a clue as to what is going to be developed next year. But what we do have is the capacity to hit a key stroke and say we will opt in or we will opt out. Right? And what I am hearing from you is that your apprehension of the opt-in is it will diminish innovation. All right. And I am not quite sure why you say that. This is like a key stroke. The amount of information that they can get over the computer can include a key stroke from Peter Welch on opt-in or opt-out, right? It is not a big deal, really. Mr. Haney. Well, as we look at consumer behavior, when they are offered the opportunity to opt in, let's say one-third, for example, chooses to opt in. But when they are offered an opportunity to opt out, a very small percentage of consumers-- -- Mr. Welch. No, exactly. You have precisely defined the issue. Who is going to be the default winner or loser on this? And if the technology company has access to the information and then can sell it, then they are going to reap some reward for that. And you would like to think--or you suggest that that is necessarily going to be a better product for me? I am not sure that is right. But I would like to be the one making the choice. So I think the number one issue is who bears the burden here, because I know the companies would prefer to get and use all the information they can. And then number two is a basic question about rulemaking. There has got to be some flexibility. And there are a lot of folks here who don't believe that Congress or anybody else should be doing any rules any time, any place, for any reason. I am not one of them, all right. Because that means that it is kind of anarchy out there. So do you have any opposition, you or Mr. McDowell, to some rulemaking authority as part of enforcement? Mr. McDowell. To the FTC? Mr. Welch. Well, we can have a debate about FTC, FCC, the uniformity. I am sympathetic to having a uniform standard, but there has got to be real enforcement, in my view. Mr. McDowell. Sure. So, historically, FTC has been the expert agency for privacy. Mr. Welch. Right. Mr. McDowell. So the FCC has had a very narrow aspect of this; only the common carriers and only regarding certain information for certain purposes under what we call CPNI. The whole rest of the universe in the privacy universe has been the FTC. So I am not opposed to having the FTC with some limited rulemaking authority in this space. Mr. Welch. OK. I yield back. Mrs. Blackburn. The gentleman yields back. Mr. Shimkus, you are recognized. Mr. Shimkus. Yes. Thank you, Madam Chairman. To my colleague from Vermont, I wouldn't be so dismissive of the blockchain debate in this because--and, Peter, if you got a second, I am sorry to interrupt--because, the country of Estonia has full data protection on personal health records, on data; they are totally wireless, phone app, every government entity. And they are a small country, but it is all blockchain- developed. And if you are following cryptocurrency and that debate, that is all blockchain too. So I do agree that we ought to be looking at this as far as this privacy debate somewhere in the future on a different data because this could solve a lot of the problems of--I am not the big cryptocurrency guy, but as far as an individual accessing other internet-provided government functions, I think Estonia has proven the safety of the use of this type of system. So I just want to throw that out since you mentioned it. But I do want to go to Commissioner McDowell because of your former position in the FCC. So we have some questions. You have heard that this committee held a hearing with Facebook a few months ago. And if you didn't hear, you should have heard. There have been reports that Facebook had collected call records and SMS data from Android devices and had the Facebook app installed going back for years. Our subcommittee chairs just sent letters to Google and Apple regarding their collection handling of location data amongst other information that is at the core of their operating systems. Given your experience as an FCC Commissioner, I expect you are pretty familiar with filings. My understanding is--and we are not, Members, we don't really follow how these filings occur. My understanding is that wireless carriers have a whole regime associated with serving these same devices. Those records are considered extremely sensitive personal information. They are CPNI and are subject to privacy regulations strictly enforced by the FCC. What kind of reports are these entities required to file? Mr. McDowell. So, under CPNI--I am going to whip out my cheat sheet here because the Code of Federal Regulations can get kind of weedy. So they have to file an annual report. And, actually, under the FCC's privacy order from 2016, these reports were going to go away, and now they are back but only on common carriers. So that is just important, again, part of the asymmetry problem. But they have to first have an affirmation that the company, the carrier, has operating procedures in place to ensure that it is complying with the CPNI rules. Second, it has to explain how those operating procedures ensure compliance. Third, they have to report on any actions taken against data breach--data brokers, rather. And data breaches are another story. And, number four, report on customer complaints concerning data breaches. And then, when it comes to data breaches, they have to first notify law enforcement and then wait 7 days before notifying the consumer. So there is a lot going on. But those are annual reports filed with the FCC. Mr. Shimkus. What kind of consent must the provider obtain? Mr. McDowell. So, for instance, if you want to pay your phone bill through your bank online bill pay and you want to see your call detail, you can't do it through your bank website unless you go to your carrier, your phone company, your wireless company, whoever it might be, and give them consent to share that information with your bank, for instance. So that is a form of opt-in. Mr. Shimkus. And you mentioned that, in case of breach, there is--they need to file notification of that, correct? Mr. McDowell. Data breaches, they do. Absolutely. Mr. Shimkus. That is all I have, Madam Chairman. And I yield back my time. Mrs. Blackburn. The gentleman yields back. Let's see. Mrs. Dingell, you are recognized for 5 minutes. Mrs. Dingell. Thank you, Madam Chair. I think that you have seen from this hearing that consumers are--and what we are talking about every day when we are talking to people that consumers are consistently losing control of their private information across the board. First, it was Equifax; then Facebook. Now we have talked about LocationSmart today, a third-party aggregator of cell site location information, which has made Americans' location data available to anyone with an internet connection. And I think that is what people don't understand. And when we are talking about where someone's phone is what we are really talking about is real location time any minute because I bet most of us in this room have a cell phone in their purse or their pocket right now. These breaches of trust cannot become normal. And I worry that, with each passing scandal, we are becoming numb to this gross invasion of privacy. I talk to people, and they say there is nothing we can do about it. But there is something that we can do about it. It is why we need to be talking, and I think too many people don't understand how much data there is and what people are doing about it. So, Ms. Moy, I know you have answered questions, but I would like to dig in a little more. Can you talk more about LocationSmart, how they obtain their information, and talk a little more about who had access formally but who informally or illegally could have gotten access to that information and what they might have done with it? Ms. Moy. Sure. Yes. So, again, LocationSmart was providing access to information, location information, for virtually any mobile phone user in the country. So it had direct access to the location information provided by all of the major wireless carriers. And it was providing that information informally. And this really seems like the carriers essentially outsourcing access to their customer sensitive information and the whole consent process, right? So, if the carriers don't want to deal with trying to get consent on a case-by-case basis, for example, applications that want to access the information from the carrier side or websites, that the carrier was outsourcing this function to a data broker, the LocationSmart company. And LocationSmart presumably is supposed to have been getting and keeping records of customer consent for every instance in which it was providing that location information. It was not doing so. LocationSmart was not doing that for a long period of time. We don't know exactly how long, but we do know that the securest platform that, again, would have enabled anyone--this is the sort of formal access to location information that you are talking about--would have enabled anyone who worked in a prison and had access to the securest location-based services platform to just type in a phone number and upload any documents--no one at the company was looking at those documents, according to the information that they told Senator Wyden's staff--and then get real-time location information for anyone. So this was going on for a long period of time. Apparently, either the carriers didn't know about it or didn't care. The FCC either didn't know about it or didn't care. And with respect to informal access, the LocationSmart platform also was not secure. So some security researchers demonstrated that they were able to gain access to location information through the LocationSmart portal without having formal access to that system. Mrs. Dingell. Ms. Moy, let's keep building on that. Do you believe cell site location information is covered customer proprietary network information under the statute? Ms. Moy. Yes. I am really glad that you asked that question because it certainly is information about one's use of the telecommunication service that is accessible to the carrier only by virtue of the carrier-customer relationship. And it is information pertaining to the location of the user. So, under the statute, this does, in my belief, meet the definition of CPNI. And so, to me, it does appear to be a CPNI violation that was happening on a massive scale. Mrs. Dingell. So do you believe there were violations of section 222? Ms. Moy. It does appear that way to me. Mrs. Dingell. I will yield back my 29 seconds, Madam Chair. Mrs. Blackburn. The gentlelady yields back. Mr. Latta. Mr. Latta. Thank you, Madam Chair. And thank you all for being with us today. Mr. McDowell, if I could start my questioning. There are many ongoing conversations in the realm of data privacy. The Digital Commerce and Consumer Protection Subcommittee, which I chair, has held several hearings on these issues, and we will hear from the entire FTC next week about their work in the area. In your testimony, you mentioned the formidable protections of the FTC. And I have been clear about my support for the FTC's enforcement authority and even introduced a bill to make sure that the FTC's jurisdiction remained in place in the face of the legal challenge. Do you believe that the FTC is equipped to handle privacy matters for the vast portion of the economy under its jurisdiction from Main Street stores to some of the largest companies in the world, including common carriers, for their ever-increasing noncommon carrier activities? Mr. McDowell. So I think in terms of privacy, it is the expert agency on privacy, and it is very well equipped in a lot of ways. They have brought hundreds of actions against a variety of companies, including broadband internet service providers in the privacy realm and have fined them, et cetera. So, from that perspective, yes. Again, going back to kind of the premise of my opening remarks, though, we do need some harmonization and modernization, I think, of standards. They are an agency roughly the same size as the Federal Communications Commission in terms of budget, in terms of number of attorneys and economists and engineers, although fewer engineers there than at the FCC. So they might need help in that regard as these issues become more thorny and more widespread. Mr. Latta. Thank you. Let me follow up again, Mr. McDowell. I understand that under the current CPNI rules, telecommunication providers file annual compliance certifications. I also have a bill that strives to reduce the regulatory burdens on small businesses out there. Do the rural telecom providers in my district have more stringent requirements than an edge provider offering similar services? Mr. McDowell. Yes. So that goes back to that dichotomy, that duality between what a telecom carrier has in terms of their obligations under section 222 versus an app provider that might be providing the same functionality, let's say voice, through an app that is not regulated by 222. Mr. Latta. OK. Not picking on you. Another question. In your testimony, you discussed how you voted to extend the CPNI rules in 2007 when you were Commissioner to cover a practice where data brokers, otherwise known as pre-texters, were obtaining unauthorized access to CPNI and then turning around and selling personal telephone records. In 2013, the FCC also found that the CPNI rules applied to data collected on a mobile device if directed by the carrier. Under the section 222 authority given to the FCC, how far can the FCC extend the CPNI rules to cover current and future practices and services impacting telecommunication services? Mr. McDowell. Excellent question. So the Federal Communications Commission--it gets to be alphabet soup pretty quickly--is limited to applying section 222 to common carriers. If you are not classified as a common carrier, 222 can't apply. FCC does not have the authority. Only Congress could change that if it wanted it to. Mr. Latta. OK. And, Madam Chairman, I yield back the balance of my time. Mrs. Blackburn. The gentleman yields back. Ms. Eshoo, you are recognized. Ms. Eshoo. Thank you, Madam Chairwoman. And thank you again to the witnesses and to Commissioner McDowell. It is really a special pleasure to see you again and to have your daughter with us as well. I am so frustrated listening. I have learned. But the whole case of privacy and what the Congress has done, I really think, needs to be restated. Congress is responsible for having wiped out privacy protections for the American people, period. That is why we are where we are. The CRA wiped it out. Whatever was left or whatever net neutrality contained in it relative to any protections, scorched earth, gone. Now we have the BROWSER Act. It does nothing meaningful for real privacy. There is no rulemaking authority. There is no civil penalty for enforcement. There is no data security. It preempts any kind of state laws. California just passed something which is very strong. And, actually, when the strong bill came out, the interests went to work to water it down to a few drips of water, and Californians were outraged. And there was such pressure on the state legislature based on what Californians said that it came out strong. But the BROWSER Act preempts that. It also preempts the FCC, the expert telecom agency. So where are we? Seventeen months and counting, blah, blah, blah, blah. Anyone that has voted, in my view, for these things has to answer to their constituents when they complain to us, Independents, Republicans, conservative, right wing, left wing, Democrats, everyone, when they say: This is what has happened to me. So, let's be honest about where we are. All right. So everything has been wiped out, in my view. There isn't anything protecting anyone. Where do we go from here? I don't think 220(b), whatever it is--that really covers something very small. We are talking about a landscape that is very different, as you said, Commissioner McDowell, when that was placed on the books. I don't believe that there is a reason that some people want the FTC. The FTC doesn't have what it needs to enforce a darn thing, in my view. And I don't know if Congress is going to step up and give them all these authorities that the FCC had. All of a sudden, they love the FTC. FTC can't do a damn thing. It doesn't have any teeth to do it. They have asked Congress for a false set of teeth, but they haven't been purchased yet. So, Ms. Moy, where do you go from here? Where would you start building something? Ms. Moy. Thank you for the question. Thank you very much. Ms. Eshoo. Yes. Well, I am so darn frustrated. And it is like we are dancing around something that is really lovely, and we are just going to plant a few flowers, and then everything's going to bloom. Everything's been wiped out. That is why we are in the place that we are. Ms. Moy. I think you are right. So the internet does raise a bunch of important questions about privacy. But just because we now have apps that collect health-related information and wearable health devices, we don't have doctors in here complaining that they should not be subject to HIPAA. And we do not have schools in here asking that they not be subject to not be FERPA, the Federal privacy law, just because there are now educational apps and educational data is being collected over the internet. We shouldn't do away with the existing privacy regulations that we have just because we are lacking privacy across the board. We need to keep and build on the privacy protections that we do have. And that is where I would say that whatever we are going to have moving forward, it has to have rulemaking authority, strong enforcement authority, as you say, including civil penalties. And it ought to have a role for the state attorneys general who have much greater resources across the 50 states and territories than one Federal agency can have alone. Ms. Eshoo. Let me just give Commissioner McDowell a few seconds. I know that we may not agree on some of this, but I want to hear what you have to say very quickly. Mr. McDowell. So the CRA overturned the requirements on carriers only. This wasn't the entire internet ecosphere. So that goes back to the FTC. Ms. Eshoo. So what is left? What is left? Who is protected and how? Mr. McDowell. So through the Federal Trade Commission. So that is broadband and all the rest. So that is through the Federal--if you think the FTC needs more resources or a different statutory standard, then that is certainly Congress' prerogative. Ms. Eshoo. OK. Thank you very much. Mrs. Blackburn. The gentlelady yields back. Mr. Guthrie, you are recognized. Mr. Guthrie. Thank you, Madam Chairwoman. I appreciate that. And, Commissioner McDowell, in your testimony, you mentioned Marty Cooper and the first cell phone. You also discussed how competition is an important part of how CPNI rules came into existence. In addition to protecting consumers' privacy, the rules were originally intended to promote competition in the emerging enhanced services market by preventing the regulated side of AT&T from sharing information with its nonregulated information services side. And we have come a long way since the device Mr. Cooper had. But a legal landscape that reflects this evolution is not necessarily followed. It appears edge providers are freer to innovate as information is shared across all sorts of affiliated entities. What effect does the current regulatory structure have on thwarting new entrants? Mr. McDowell. So if the new entrant is not a common carrier, section 222 does not apply. So we have lower regulatory barriers. You are probably going to see more innovation and investment. That has sort of been the story of the internet ecosphere, or other markets as well. You could make a lot of case studies there. So, if there is a new entrant in the telecom market, they would have to live under section 222. Mr. Guthrie. So it is a disadvantage versus the edge providers for---- Mr. McDowell. It is a different--yes. It is a slight---- Mr. Guthrie. The more restrictive---- Mr. McDowell. Yes. It is trickier. Mr. Guthrie. More restrictive regulated. If you argue unregulated allows you to--or lower regulation allows more entrants, then they are more regulated. Mr. McDowell. Correct. Mr. Guthrie. OK. So, Mr. Haney, what is the functional difference between placing a call from a smartphone using my wireless carrier's network and using a third-party app? Mr. Haney. The only difference is legal. And using the carrier is subject to the full panoply of FCC privacy regulation; using an app that is not interconnected to the public switch telephone network is subject to the FTC the same as the rest of the internet ecosystem. Mr. Guthrie. So completely similar products are completed-- -- Mr. Haney. Completely different treatment. Mr. Guthrie. Different treatment. Should my information be subject to different privacy protections depending on the network that I use? Mr. Haney. No, sir, I don't believe so. Mr. McDowell. If I could put a finer point on it, though. If it is unlicensed--so you can have that transmission, as I tried to point out earlier through unlicensed. You are not a subscriber. That is not common carriage. It is not regulated. But the same functionality to the consumer, that would be unregulated. But if it is through a carrier, it doesn't matter how that carrier is supplying it or providing a service, then then section 222 would apply. Mr. Guthrie. It is treated differently. I guess my point I am trying to get at is the same product is treated differently based on---- Mr. McDowell. How it is done. Mr. Guthrie. So, also, Mr. Haney, you stated the goal should be to prevent regulations from hamstringing some market participants but not others. And the logical way to do that is by ensuring that all participants in the internet ecosystem are treated the same. Is there a role for Congress to achieve that goal through legislation, or is that preferable to rely on the Commission? Mr. Haney. Sir, the FCC cannot do it. The FCC does not have legal authority to enhance privacy more broadly speaking than just telecommunications common carriers. So, if the goal is to provide the FTC with rulemaking authority, civil penalties, what have you, then that would require an act of Congress. Mr. Guthrie. OK. Thank you. Well, I appreciate your answers to my questions. And I concluded my questions, and I yield back. Mrs. Blackburn. The gentleman yields back. Mr. Butterfield, you are recognized. Mr. Butterfield. Thank you very much, Madam Chairman. And thank you to the witnesses for your testimony today. As consumers, we are inundated with privacy policies from the companies with which we do business, whether it is financial institutions or doctors or hospitals or even ISPs and edge providers. We are forced to read these long legal documents on small mobile device screens. And the older you are, the worse it is. Trust me, I know. Sometimes we are even told that we cannot access a certain essential application for work or otherwise without quickly agreeing to the question. So I don't have it directed to either of you. If anyone wants to respond, you certainly can. Do you think consumer privacy disclosures are effective in letting consumers know the kinds of information about them that is collected, how it is used, and whether and with whom it is shared? Ms. Moy. I think you are raising a really good point about the deception standard, right, which is the FTC, the Federal Trade Commission, just has this authority to prohibit unfair and deceptive trade practices. So, when it comes to privacy, most of the time for consumers what that means is that our privacy is only protected insofar as we are reading privacy policies, agree with what is in them, actually have a choice about whether or not to agree to that--in theory, we have a choice--and then that the company doesn't do something with our information other than what they claim. And so this is why it is so important. We all know that there are so many instances in which we share our information, but we really don't have a choice. We don't have the time to read those privacy policies. Maybe we can't read them. They are very difficult to read. Maybe we are required, as you say, to have access to a service for work. And when we really do have no choice but to share information with a business that is going to use it for some other purpose, then it is so important to have standards in place that prevent that information from being used in other ways without our permission. Mr. Butterfield. What say the Hudson Institute? Do you have some thoughts? Mr. McDowell. So one aspect of all this debate, by the way, too, is the aspect of contract law and tort law. So every day there are class action lawsuits filed against a variety of market players in this space or other spaces too. So the idea of foreign contracts in any industry, whether it is the internet or something else, anything, that is as old as America, if not older. But, also, the idea of class actions as well as being a deterrent against these wholesale violations of contract or of common law that a contract might fly in the face of common law. So this is a whole other aspect of this whole debate which is important to know. Mr. Butterfield. OK. Mr. Haney. May I just add that there may very well be a need to create more baseline regulation to satisfy what we can all agree consumers expect to remain private. But there is no way the prospective regulation can anticipate everything that is going to happen in the marketplace. So there is, I think, an important role for user agreements. And, also, in addition to class action lawsuits, press reaction, consumer outrage, the kind of response we have seen to secure it, all of those things I think play a role in terms of protecting privacy. But I agree with you. I don't read the user agreements. They are incomprehensible most of the time. Mr. Butterfield. That kind of leads me into my second and last question, and that is, are you aware of any, I am going to say serious research, or do you have any ideas of how to make privacy policies more consumer friendly? I know there is a lot of chatter about it, a lot of conversation. But is there any serious research going on about how we can go to the next level? Yes. Ms. Moy. I know that there has been some good research here, including by a team of computer scientists led by Lorrie Faith Cranor at Carnegie Mellon on privacy policies. But I am not sure that there are any great solutions right now. Unfortunately, the legal complexities associated with these disclosures are extremely difficult to translate into a user- friendly---- Mr. Butterfield. That is what I needed to hear. Any agreement with what she just said? Mr. McDowell. It is complicated, to paraphrase Avril Lavigne. Mr. Butterfield. It is complicated. OK. Do you associate yourself with Mr. McDowell? Mr. Haney. Yes, sir. Mr. Butterfield. Thank you. I yield back, Madam Chair. Mrs. Blackburn. The gentleman yields back. Mr. Johnson, you are recognized. Mr. Johnson. Thank you, Madam Chair. Hopefully, I can see around to see all of you, but thanks for being here with us today. Important topic that we are talking about. Section 222 defines CPNI in part as ``information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunication service subscribed to by any customer of a telecommunication's carrier and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.'' Mr. McDowell, is this information similar to the information obtained by app developers and other edge providers who know, by nature of their relationship with the users of their platform, just how much consumers are using the app, when they are using it, where they are using it, and what they might even be searching for on that platform? Mr. McDowell. It can be similar. And app providers and websites can actually gather even more data. And the reason being, it is increasingly true because more and more Web traffic is becoming secured, in other words, to where an ISP can't see what is transversing across its networks. So what app developers can gather is a larger umbrella than what is covered by CPNI, which is viewed as a smaller subset of data, but very important data. Mr. Johnson. So should we have similar rules to protect that kind of data? They seem awfully similar. Mr. McDowell. So you are asking if we need CPNI rules to apply broadly to everybody. Is that what you are asking or the other way around? Mr. Johnson. Well, should it apply to this kind of data that I just described to you---- Mr. McDowell. Yes. Mr. Johnson [continuing]. Third-party edge provides are collecting? Mr. McDowell. Yes. I think you need clarity here so that everyone knows what the rules of the road are. Mr. Johnson. OK. All right. And again to you, Mr. McDowell. Do consumers differentiate between the various voice and texting services available on their phones, or do they view, for instance, Verizon mobile service and Google Voice as essentially the same service? Mr. McDowell. The same functionality from the consumer's perspective. Mr. Johnson. OK. Section 222 protects the private information contained in traditional subscriber line bills. It also protects the location information of customers. Today's smartphones provide a host precise geolocation information on each device. This precise geolocation can locate a person within feet of their actual location. The network providers cannot access this information, yet we know the Android operating system does in order to serve ads to the device. Is there a reason why the operating system should have this sort of precise information but not the carrier? Mr. McDowell. So it is an excellent question. Your device can triangulate off of WiFi signals, cell towers, Bluetooth, any sort of radio frequency energy that is emanating if it knows where that is coming from. Then it can triangulate and tell you where this device is right now. So carriers can tell where you are vis-a-vis a cell tower but not necessarily specifically where you are. This has a lot of implications with 9-1-1 location accuracy and things like that. So there are times when you want everyone to where you are, and there are times where you don't want anyone to know where you are. And it shouldn't matter if it is telecom carrier or an app provider. Mr. Johnson. Today, I don't know that consumers know who knows where they are. I am not sure they know where they are in this kind of interconnected environment. Final question: What do you think of the consumer being given opt-in rights for this data in order to choose for themselves who they share it with? Mr. McDowell. And we talked about this earlier, and the finer point on the discussion from earlier, which is opt-in gives consumers a lot of power for each time this issue comes up, right? So that is a good thing. The downside to it--and this is where we as policymakers, folks have to wrestle with it--is the idea of opt-in fatigue. If you think of how many usernames and passwords you have for various websites and apps and everything else, and they change a lot--you should be changing them a lot if you are not--that is exhausting. So opt-in can become exhausting. Can there be a mix, maybe a blend of opt-in or safe harbor, for instance, as well, that you know you are going to get a certain standard of protection in a safe harbor that does not require an opt-in? That is one idea which I think deserves some discussion. Mr. Johnson. OK. All right. Madam Chair, I yield back a whole 10 seconds. Mrs. Blackburn. The gentleman yields back. And, Mr. McNerney, you are recognized. Mr. McNerney. I thank the chair. Ms. Moy, every day consumers are faced with another data breach undermining the choices they have about their privacy. But despite this troubling trend, last year, the Republicans in Congress voted to do away with reasonable data security requirements for internet service providers. So how did the data security rules protect consumers before they were overturned? Ms. Moy. Thank you. Yes. So the broadband privacy rules would have required broadband providers and phone providers to take reasonable measures to protect their customers' information from unauthorized use, disclosure, or access. And they also would have required providers suffering a breach to notify affected consumers within 30 days. There were a bunch of factors to determine what reasonable security measures might look like in the rules, but, unfortunately, as you said, those rules have been eliminated. Mr. McNerney. Are the ISPs subject to any data security rules today? Ms. Moy. No. There are no concrete rules right now that apply to broadband providers. Mr. McNerney. So it is the Wild West then, isn't it? Ms. Moy. It is, in fact, the Wild West when it comes to data security. Mr. McNerney. OK. Can you explain why it is wrongheaded for Congress to repeal privacy rules in the name of protecting consumers? Ms. Moy. So, a colleague of mine had a great analogy here, which is, if you have a house with a broken roof, you don't raze the house to the ground; you fix the roof. And I think that we are looking at something similar when it comes to privacy. Consumers are concerned about loss of control over their private information across the board. That suggests a need for greater and stronger privacy protections everywhere. And as I said, I do think that it is important to modernize the Federal Trade Commission by giving it important tools, like rulemaking authority and strong enforcement, civil penalty authority. But we should not be doing away with existing privacy laws we have, like broadband privacy, but also health privacy, education privacy, and so on. Mr. McNerney. Well, there are some privacy proposals, such as the BROWSER Act, that don't include specific protections for data security. Do you think consumers have meaningful privacy protections without data security protections? Ms. Moy. No. You know, I think privacy and data security go hand in hand. What consumers are complaining about is a loss of control over their information. And that loss of control can come in the form of a business failing to get a customer's consent to use their information in a way that the customer didn't anticipate. But it can also come in the form of a business failing to safeguard the information from unauthorized access by malicious attackers or even by employees within the company as was the case with AT&T a few years ago in a case that ended up resulting in an FCC enforcement action. Mr. McNerney. What are some of the guiding principles that we should be considering whenever thinking about data security legislation? You have already given those, but---- Ms. Moy. I have. But one that we haven't talked a whole lot about, I think, is really preemption. Although this is not the topic of this hearing today, this subcommittee has considered a number of pieces of legislation to standardize data security and breach notification requirements that apply to companies. But, unfortunately, many of those proposals would eliminate state law on data security and breach notification. And there are so many great and wonderful strong, innovative laws that are taking place at the state level that preempting all of those laws would be a net loss for consumers. Mr. McNerney. Well, you have a way of answering the question right before I ask. You testified that the State AGs should have enforcement authority. Does the BROWSER Act do this? Ms. Moy. No, unfortunately not. Mr. McNerney. Thank you. Mr. McDowell, in addition to section 222 of the Communications Act, there are also important data security protections under sections 631 and 338. How important are these protections for consumers? And what can the FCC do to ensure that they are being followed? Mr. McDowell. They are similar in spirit. So 631, for instance, is regarding your video viewing habits, what you view. So it is about protecting consumer information. The FCC has enforcement authority, fining authority, et cetera, over those sections. Mr. McNerney. OK. Good. You think those are good and should continue to be enforced. But the FTC doesn't have the resources to enforce. Mr. McDowell. Well, look. The FCC and FTC are similarly sized and almost identically sized agencies. So, again, and also back to the state preemption issue. It is a matter of how many agencies you are going to have with different standards for different piece parts of a converging internet ecosphere, and that is what becomes confusing. Mr. McNerney. All right. I will yield back. Mrs. Blackburn. The gentleman yields back. Mr. Long, you are recognized. Mr. Long. Thank you, Madam Chairman. Mr. Haney, it is my understanding that the location information considered CPNI, if it is associated with a call over the telephone network. But it seems like tech companies have the ability to track location information not just associated with their app but with a variety of apps or an entire mobile device in some instances. Who has better insight into location information, telecommunications providers or tech companies? Mr. Haney. Sir, I believe it is tech companies. Mr. Long. Under current law, what authority governs the collection of location information by smartphone manufacturers, operating systems, or apps? Mr. Haney. That was the Federal Trade Commission. Mr. Long. How does the authority differ from FCC's CPNI requirements? Mr. Haney. The FCC's CPNI requirements are prospective regulation. It is very clear. The FTC recognizes that this is a dynamic marketplace--the technology is always evolving--and that it is impossible to anticipate everything and draft a regulation to address it. And so the FTC tries to be more flexible and to respond after there is a problem instead of trying to anticipate every problem. Mr. Long. OK. Thank you. Madam Chairwoman, I yield back. Mrs. Blackburn. The gentleman yields back. Ms. Clarke, you are recognized. Ms. Clarke. I thank you, Madam Chairwoman. And I thank our distinguished panelists for their testimony here today. Let me also thank our ranking member for convening this important hearing regarding privacy, an important topic for all Americans. Under the FCC's broadband privacy protections, broadband providers had to get opt-in consent sharing most types of consumer's data. Unfortunately, our Republican colleagues in Congress wiped those privacy protections off the books. Ms. Moy, when I am using my internet connection at home today, are there any clear opt-in or even opt-out requirements that apply to how my ISP collects and uses my data? Ms. Moy. No. There are not. Ms. Clarke. OK. And what are the rules that apply to my broadband provider when it collects or uses my data? Specifically, what can the FTC require under section 5 of the FTC Act? Ms. Moy. At this point in time, there are no rules. The FTC can prohibit unfair and deceptive trade practices. But it has very little power to do anything where there are privacy violations unless a business has actually exceeded what it told consumers in its privacy policy, which, as we know, most people don't read. Ms. Clarke. Oh, boy. Over the past several years, the extent to which corporate conglomerates will discriminate to improve their bottom line has come into focus. Whether it is broadband providers, redlining low-income communities, or Facebook discriminating against certain groups when it comes to housing advertisements, the result is marginalizing families in their communities. I am concerned that the lack of meaningful privacy protections is only going to make these problems more pervasive. For that reason, I think Americans are in desperate need of strong privacy protections wherever they go online. Ms. Moy, can you tell me how sacrificing privacy protections, like our Republican colleagues did with their privacy CRA, can have a desperate impact on some consumers, particularly those in communities of color? Ms. Moy. Thank you, Representative. That is a really important question. And I think that it really helps us put a finer point on what we are really concerned about when we are thinking about harms associated with privacy violations. When a business, whether it is a broadband provider or another type of company, has information about our private lives and they use that information to target content and advertisements to us, the targeting may result in reinforcing existing social disparities, right? Keeping us in our boxes. Limiting the educational opportunities that are available to us, the job training opportunities and, indeed, the job opportunities themselves, financial opportunities. And these are some of the results that may come from collecting information from consumers. I think that that is why it is so important to have strong privacy rules where, as with some entities in the ecosystem, consumers really have no choice but to share information about their private lives that could reveal things like sensitive demographic information or financial status. Ms. Clarke. Thank you. As we consider legislative solutions to protect privacy, I am guided by the belief that any successful solution must not require our constituents to become lawyers or engineers in order to understand their rights and to protect themselves and their personal information. The privacy rules of the road can change dramatically depending upon where someone goes on the internet. Rather, consistency, uniformity, and technological neutrality are keys to any privacy solution. Do you all agree on the panel? Mr. Haney. Yes. Mr. McDowell. Yes. Ms. Moy. Yes. Ms. Clarke. Very well. Madam Chair, with that, I yield back. Mrs. Blackburn. The gentlelady yields back. Mr. Costello, you are recognized. Mr. Costello. Thank you, Madam Chair. Mr. McDowell, as Mr. Doyle referenced earlier, and, to me, what was just discussed about selling location data to third parties sounds more like an issue of consent and how we can make sure consumers truly understand what they are consenting to before they use a service. I think Ms. Moy alluded to that in terms of third-party consents. Oftentimes you don't even know what you are consenting to. But I also understand that the FCC, and possibly even the FTC, are looking into what exactly occurred here. And will we have them both in front of the committee soon so we can ask additional questions of the investigation at the time? This is my question. I think this highlights the asymmetry in the current rules. If this was an edge provider who had shared location data, would it be subject to the same regulations? Mr. McDowell. Not section 222, no. Mr. Costello. Could you point to any regulation that it would? Mr. McDowell. Not unless it has some affiliation with a carrier, so no. Mr. Costello. OK. Related also to section 222. CPNI, VoIP, et cetera, when you break it down--my smartphone here. If I tap the phone app icon to make a call, there is one set of rules. But if I tap the Google Voice app icon to make the call, which I don't do, there is another set of rules. Can you talk about the practicality of having separate regulatory regimes in that sense? And should consumers expect their data to be treated the same regardless of what technology they use, to use the term ``technology neutral''? Mr. McDowell. Absolutely. Again, to your point, to the consumer, there is no difference. It is the same functionality. You want to convey a voice message in real time, have a conversation with somebody in real time. So it doesn't matter whose app or whose network or if it is licensed or unlicensed or it is through a carrier or through an edge provider--by the way, I think they are all tech companies. I know we try to draw distinctions between ISPs and the tech community. I think they are all technology companies. And they are all great American success stories. But nonetheless, from the consumer's perspective, there shouldn't be any difference regarding what information---- Mr. Costello. And so the regulatory framework should be uniform. Mr. McDowell. I agree, yes. Mr. Costello. Up and down. Mr. McDowell. Yes. Mr. Costello. Ms. Moy alluded to, in her statement, the issue--and we have read it elsewhere--with states attorneys general. And, Ms. Moy, I will give you the opportunity to address this as well. I understand that taking FTC regulations and having someone else enforce it at the FTC, the argument goes, isn't being aggressive enough? But do you have concerns with that? And then, after you answer that, Ms. Moy, aren't there some differences, though, with the statute that you are referencing just in terms of the technical expertise required to interpret vis-a-vis the statute that you were pointing to. So Mr. McDowell and then Ms. Moy. Mr. McDowell. Sure. And state attorneys general can do a terrific job protecting consumers on a number of fronts. My concern, though, is having 50 different standards or---- Mr. Costello. Totally. Mr. McDowell [continuing]. More with all the territories. And that is going to really harm American global competitiveness in this space. So, again, back to uniform standards, not 50-plus standards state by state in the internet, which is borderless, right? It is an interconnected network of networks. The packets fly all across---- Mr. Costello. Isn't there also a fair amount of interpretational flexibility with those 50 attorney generals? The statute that Ms. Moy is referencing is pretty straightforward, as I understand it. Mr. McDowell. I think to your point, if you are saying if there is going to be one standard, a national standard, but state attorneys general could enforce it, that is another conversation altogether. Mr. Costello. Ms. Moy, your comments. Ms. Moy. Thank you. So, I think that part of the issue here is that the FTC, while it does a lot of great work on privacy, it has a staff of just over 1,000, if I recall correctly. It doesn't have an office of engineering and technology. It doesn't have an engineering department at all. And its jurisdiction ranges as broadly--although it does a lot of internet privacy work, it also polices, for example, the consumer-facing statements made about pomegranate juice, right? It has an incredibly broad jurisdiction with very limited tools to enforce. So it is really important to have additional enforcement actors, additional cops on the beat, as it were, to ensure that businesses subject to the regulations passed by the commission are, in fact, being followed. Mr. Costello. But wouldn't you think if the FTC needed those additional policemen, as you used the term, they would request them, or they would find a way in their budget to have them? Ms. Moy. So, yes, perhaps. Mr. Costello. Might that be called something different than--you referenced the FCC division there. Might they be operating in a different division with the same type or better expertise on enforcement? Ms. Moy. Perhaps. But another thing that state attorneys general do is they talk to businesses that are based in their state. They do a lot of guidance in addition to enforcement. Mr. Costello. Thank you. I yield back. Mrs. Blackburn. The gentleman yields back. Ms. Matsui. Ms. Matsui. Thank you, Madam Chair. And thank you to the panel for being here today. We have talked about many things, and maybe I might be repeating myself. But I think we should listen and try to figure out from you all where we might be going forward because when you look at it, this concept of protecting proprietary consumer information began with the monolithic telephone era, which was pretty far back. And with the 1996 Telecom Act came a more precise focus on CPNI protections against unauthorized use, access, and disclosure. And it includes, among other types, phone numbers, dial and duration of calls placed to these numbers. But we all know that most consumers don't make any distinction at all between where these phone calls are delivered in packets, over the internet, or through switch access lines. But we all understand the need for context-specific privacy regulations that are responsive to the types of consumer relationship and sensitivity of information collected and shared to actually afford consumers the privacy protections they expect and they figure they are getting, for some reason. Ms. Moy, as different technologies provide similar services, what distinctions remain necessary or become unnecessary to protect sensitive consumer information? Ms. Moy. That is a very good question. And it is a really hard one that we are all grappling with right now. But, nevertheless, I do think that consumers have different relationships between the carriers that they contract with, that they pay a monthly subscriber fee to, that they expect they are paying for service as they do with the entities that are doing business over the internet. Just as when you send a letter in the mail to a friend, you have different expectations about what the mail carrier will do with the address information and the date on the outside of the envelop. So does the consumer have different expectations about what, again, the entity that they are just paying to transfer the data on their behalf will do with their private information as opposed to the companies with which they do business. That said, I do agree that there are certain services that consumers use now that have become so pervasive, so dominant that they are essentially unavoidable. And I look at unavoidability as, really, one of the key factors when it comes to considering what level of privacy protections should apply. When services truly are unavoidable for consumers and they have to share sensitive information, then I think that heightened privacy is appropriate, just as with healthcare, education, and finance. Ms. Matsui. OK. Could you get into more detail there? What do you think is unavoidable here that we are talking about? Ms. Moy. So, without talking about specific entities, I do think that there are certainly certain advertising platforms that are so pervasive as to be essentially unavoidable for consumers to share information with. It was Congressman Butterfield referenced certain services that consumers feel they must take part in because an employer requires it, for example. That may rise to a level of unavoidability for a consumer. And I think that, when we start seeing services rise to the level of being essential or unavoidable, then we require heightened privacy. Ms. Matsui. OK. Mr. McDowell, Mr. Haney, any comments on this? Mr. McDowell. So I am not sure if this is what was said, but I want to make sure we understand that there doesn't have to be a difference between who you pay money to for a service versus you are giving your personal data for a free service. You are actually surrendering something for free services as well. So they are not entirely free. But, again, back to one uniform consistent tech-neutral standard, I think that is the way to go. Mr. Haney. I agree. Ms. Matsui. OK. CPNI rules enacted require opt-in consent from consumers before a carrier can share information. But we know that it is often the case the third party to an online platform can and does receive data and information on the consumer. And the website may be used as an analytic tool from a third party; the website servers could send information on the user's visit back to the third party and allows that third party to access data similar to that gathered by the website. While this may be commonplace, it means that each user may have information aggregated by a party with whom they have no direct relationship or knowledge. There are a lot of parties here. So the third party accesses consumer data with whom the consumer does not have a direct relationship. How do consumers have a meaningful choice in how that data is used? Ms. Moy. That is a great question. That really gets to the heart of what the problem is with falling back on a general deception standard without rulemaking authority or anything else for the FTC to clarify--clarification, perhaps of its unfairness authority, rulemaking authority for it to create rules around things like data brokers and data security as well would be necessary. Ms. Matsui. OK. Thank you. It looks like I have run out of time. Thank you very much. I yield back. Mrs. Blackburn. Mr. Flores, you are recognized, 5 minutes. Mr. Flores. Thank you, Madam Chairman. I want to thank the panel for joining us today. When I do something with this phone, there is--I see four groups of people that is harvesting data from it. So not only is the cellular carrier getting information, but your app provider is getting information. The iOS folks, the operating system folks, are getting information, and theoretically, the ISP is as well if it is connected to Wi-Fi. So you have all talked about the need for a technology- neutral solution to address privacy. So I would like to get into the weeds a little bit today. As a policymaker, what are the three or four most important things that that policy should have to protect the privacy of the American consumer? So we will start with you, Ms. Moy. And let's go quickly, because I have some---- Ms. Moy. At the risk of sounding like a broken record, I think it is crucially important to, first of all, I do think that sectoral laws have a place and are really important to protect consumers in instances like health, education, finance, and telecommunications where there are heightened privacy obligations and requirements. But in addition, I think that whatever baseline we are going to have, if it is to be administered by an expert agency such as the Federal Trade Commission must include rulemaking authority to provide flexibility, regulatory agility, as we think of it, as well as robust enforcement tools, including civils penalties. Mr. Flores. OK. Mr. McDowell. Mr. McDowell. Sure. Transparency, uniformity. But also, most importantly, probably consumer choice. I would support rulemaking authority for the Federal Trade Commission but in a very limited way. Mr. Flores. OK. All right. Mr. Haney. Mr. Haney. Yes, sir. I think that enforcers should consider burdens on industry as they affect consumers, as they may affect innovation. I think that the FTC has got it right in looking at the sensitivity of the information at issue, so I think that is very important. Secondly, I think it is very important that the rules apply equally to every participant in the market so that everybody has the same opportunities to innovate and to earn a fair return on investment. Mr. Flores. OK. Great. Mr. McDowell, we had a question a few minutes ago about 50 states attorneys general being used to pursue policy relief for consumers. California has passed a law 2 weeks ago. Would you agree that that is the wrong approach as well, to have 50 different state standards? Mr. McDowell. Yes, I disagree with that approach. Mr. Flores. OK. You were going down a direction a few minutes ago talking about blockchain, and you got cut off, unfortunately. And it seems to me like blockchain may be one of the technology solutions that addresses a lot of these policy issues. Can you expand on that? You didn't get a chance to before. Mr. McDowell. Sure. Real quick. So, first of all, it is already part of our lives. And as we start to roll out the Internet of Things, you are going to see more and more blockchain applications. And there is a tremendous amount of entrepreneurism and investment in this space, a lot of experimentation. And it is actually very pro- consumer, empowers consumers tremendously. And it is different from encryption. Technically, they are two different things. So I think it will solve a lot of issues. And the quick backdrop on that is I think the first time I testified before this committee was 1998, so 20 years ago this summer. I am just recalling, in front of Chairman Dingell. And it was on slamming, which was the unauthorized switching of your long-distance carriers. That is not as much of an issue any more, right? So long distance isn't even a thing anymore. So markets change. Technology changes. So I think blockchain is going to be tremendously helpful as it develops. Mr. Flores. OK. Is there any change in your answer regarding what we should have in a 21st century privacy policy solution in light of the fact that blockchain is on the horizon? Mr. McDowell. Well, flexibility and light touch. And I tried to put that in my pre-filed remarks, that light touch, we have to make sure we are not cutting off innovation and experimentation and investment. Mr. Flores. Exactly. Ms. Moy, a question for you. In the context of the FCC's broadband privacy proceeding, you argued against pay for privacy because of a lack of broadband service options. What are your thoughts on a pay-for-privacy solution when it comes to Facebook and other similar providers? Ms. Moy. Thank you for that question. I think that that is a really good one. My concerns about pay for privacy--so I do not believe that privacy should be a luxury available only to those individuals who can afford it. That is the place where I start with when I am thinking about pay-for-privacy issues. That is particularly the case where, as with broadband, you are looking at an essential service. So--and something where consumers really can't avoid sharing information about themselves. If consumers have no choice but to share information with a broadband provider in order to participate in the modern economy, then they should not be required to pay a premium that they cannot afford in order to protect that information from additional uses. And so my position on pay for privacy in the broadband context was that premiums that may be charged or discounts given should not be coercive in nature to consumers nor should they make privacy options essentially practically, as a practical matter, unavailable to consumers who cannot afford them. I think that if we are looking at other services, then the threshold question is, is this service essential, a service that consumers cannot avoid sharing information with? If so, then I would have the same feelings about pay for privacy. Mr. Flores. Thank you. I think with regard to competition in the broadband space, as 5G rolls out on the near-term horizon that we are suddenly going to see that extra competition that will help the--absent a solution on privacy for the ISPs, I think we are going to have a market solution that helps us get there. That is the last of my questions. I yield back. Mrs. Blackburn. The gentleman yields back. Mr. Engel. Mr. Engel. Thank you, Madam Chair. Companies across the globe are changing the way they collect and use consumer data, and we are seeing more sophisticated practices, which obviously results in more challenges to American's privacy. Ms. Moy, you testified that agencies tasked with protecting consumers' private information should be given rulemaking authority. And you referenced remarks from Commissioner Maureen Ohlhausen when she asked Congress to give rulemaking authority to the FTC. So my first question to you is whether you think that rulemaking authority should be given to the FTC, the FCC, or both. Ms. Moy. So I think that each agency needs rulemaking authority for the areas in which it has expertise. We have separate expert agencies for reasons. The Federal Communications Commission has greater network expertise and communications expertise. And, again, has this Office of Engineering and Technology, a whole staff of network engineers that the Federal Trade Commission lacks. The Federal Trade Commission, on the other hand, is responsible for enforcing this baseline general privacy standard across the entire ecosystem, including, as I was saying before, the marketing of products like pomegranate juice. So the Federal Trade Commission needs rulemaking authority for general things, like data security obligations that ought to apply to all entities. It probably needs a clarification of its unfairness authority, particularly in light of recent court decisions that call into question how strong its authority is under that, under the statute. The Federal Communications Commission still requires rulemaking authority to implement those sections of the Communications Act that it is responsible for implementation and enforcing. Mr. Engel. Does the FTC have the resources it needs for enforcement? For instance, I was told that the tech lab only has six people in it. Ms. Moy. That is right. That is right. I think the Federal Trade Commission is doing the best job that it can with a relatively small staff, but, again, a staff of 1,100 people for the entire agency can't possibly be enough to police all of the unfairness and deceptive potential practices of all companies across the entire country, including privacy of the entire internet ecosystem. Mr. Engel. Ms. Moy, let me continue. As you know, one of the proposals that we are considering in this committee is the BROWSER Act. And if you can, could you discuss the rulemaking authority contained in the BROWSER Act and whether it will make for better and clearer privacy enforcement? Ms. Moy. Right. If I am correct, the BROWSER Act does not give rulemaking authority. I think that that is problematic. I think that any--as I was saying before, I think that any privacy law that we have in this area ought to have rulemaking authority and civil penalty authority and strong enforcement provisions, ideally an enforcement role for state attorneys general as well, or even private citizens. Yes, so I think that the BROWSER Act could be strengthened for sure. Mr. Engel. So you just said private citizens. Should Congress consider granting private citizens the right to bring civil actions against companies for violating privacy regulations? Ms. Moy. I do think that if Congress is serious about ensuring that businesses actually adhere to the standards set forth in the statute, then a private right of action is one of the strongest enforcement mechanisms you can have to ensure that that takes place. Mr. Engel. Now, rulemaking authority may help to protect consumer privacy but such protections still need to be enforced in order to be effective. So let me ask you this: Do you think the FCC has done an adequate job of enforcing section 222 which establishes the duty of telecommunication carriers to protect the confidentiality of proprietary information? Ms. Moy. I think that, at times, it has. It has not always been consistent, which is one of the reasons that it would be great to have additional enforcers, additional cops on the beat that can enforce those regulations. In recent years, the FCC brought actions against four different carriers for CPNI violations, but since the change in administration, I don't believe there have been any. Mr. Engel. Would more robust enforcement help fend off some of the abuses that have come to light recently such as what is happening with LocationSmart. Ms. Moy. Certainly. I think we still haven't seen anything come out of the LocationSmart scandal. It could be one of the largest privacy violations that we have had in recent years, maybe as big as the the Facebook-Cambridge Analytica scandal, but all we have heard is crickets from the FCC. Mr. Engel. Thank you. I see my time is up, Madam Chair. Thank you very much. Mrs. Blackburn. I thank the gentleman. Mr. Bilirakis, you are recognized. Mr. Bilirakis. Thank you, Madam Chair. I appreciate it very much. Mr. Haney as broadband was able to spread over the last 20 years, the rise of killer apps received a boost from the light-touch policies we put in motion. Gmail and Google Voice are two such services. Gmail has been in the news recently as reports indicate that, even though Google said it would stop scanning the traffic, the company still permits software developers outside of Google to scan Gmail inboxes. Google said that it only gives data to outside developers it has vetted. So it only gives data to outside developers it has vetted--again--and to whom users have granted permission to access email. However, that still means software developers are able to review who sent an email, who it was sent to, the time sent, and the contents of the message itself, which might contain health information, financial records, or other sensitive personal information. Is any of this information protected by the CPNI rules? Mr. Haney. No, sir, it is not. Mr. Bilirakis. It is not. Mr. Haney. It is not. It doesn't relate to telephone calls that have actually called. It doesn't relate to duration of the telephone calls, the timing, or the phone numbers of the calls that were made. So CPNI would not apply to that situation. Mr. Bilirakis. Thank you for answering me that. Again, Mr. Haney, you mentioned a few times that often systems are burdensome and are reserved only for the most sensitive personal information. Can you expand on the cost of the compliance with, again, the CPNI rules? Mr. Haney. I listed one example in my testimony. One of the telecommunications common carriers attempted to get opt-in approval across its subscriber base, and it was successful only 29 percent of the time or 29 percent of its customers. And the cost that incurred was over 20 dollars for every affirmative response that it got. And there are other studies that come up with, or other examples, other anecdotes that come up with simply results. Most of the time, consumers take no action. And this is verified because when they're offered the chance to opt out, very few choose to opt out. And so I think the FTC is really, really on to something here by trying to categorize the most sensitive information that warrants the top, the highest protection, and, similarly, to try to identify more routine information, information that is not as sensitive, that doesn't require the most burdensome protection. Mr. Bilirakis. OK. Very good. I think you answered my third question as well. So I appreciate it very much. And I yield back, Madam Chair. Mrs. Blackburn. The gentleman yields back. At this time, I recognize Mr. Collins for 5 minutes. Mr. Collins. Thank you, Madam Chair. Thank you. When you have multiple hearings going on at once, here we go. What I want to talk about, really, are the kinds of apps that we now know are being offered by various retailers in the name of giving you discounts, the frequent buyer program, or whatever. But we know that, in some ways, if you loaded that app onto your phone, all of a sudden, whether it is a Target or a Walmart or whomever, they may be able to track other information unknowingly. So, Mr. Haney, I want to break this down a little bit. If you have such an app on your phone, you are in a retail establishment and you are going to use this, perhaps, for discounts or other things, can you talk about, a little bit, how that might work? Mr. Haney. Well, when I go to Home Depot, I believe my Home Depot app on my phone, it can tell me what aisle I'm looking for. It can tell where I am in the store, what store I'm in. I couldn't probably imagine every use that some of these brilliant people that are designing these apps, are contemplating. But the phones have multiple sensors in them, and apps can access some of the same information that other apps can access because it is stored in the operating system. And as far as whether it is fair to expect consumers to anticipate all of the different uses, all of the different ways they can be tracked, I don't believe it is fair to expect them to anticipate that in every case. But I do think that policymakers need to think in terms, not what agency has an office of engineering and what doesn't; we are talking about some very similar issues here. We are talking about irrespective of whether the underlying telecommunication services are being used for voice communication or an app that never connects with a Public Switched Network, we can always agree that what we are talking about is a voice communication. And I think that, again, striving for uniformity and striving, if we are going to increase the baseline through regulation, anticipatory regulation, if we are going to increase that baseline, let's just really strive to make it the least burdensome that we possibly can, to not try to anticipate everything that the marketplace may dream up. Let them experiment a little bit. But it may be appropriate to increase the baseline. Mr. Collins. I think that is all of our concerns. Everyone wants a discount, and you don't know what you don't know. And so, in this case, it could be your Wi-Fi; it could even be your microphone, certainly your GPS. And I think my concern would be, once you leave the store, is that off? I know, on my phone, I have got an app--it asks me, do I want to keep my location open all the time, or do I want to have my location only working when I have activated it? And most folks don't even know how to turn that on or off. So we are all about protecting our consumers, but this technology is going way faster---- Mr. Haney. Yes. Mr. Collins [continuing]. Than anything we could imagine on the consumer protection front. We don't know what we don't know. So, I guess, Mr. McDowell, I guess you would agree most consumers don't anticipate or know the extent to which somebody could be tracking them. Mr. McDowell. First of all, I want to associate my remarks with Mr. Haney's just now. They were terrific. Absolutely, we don't know what we don't know. We don't know what is coming over the horizon. So there is that balance between we want to make sure we have this robust experimental marketplace that I believe firmly brings us more benefits than harms, but it does bring us harms, and so what do we do about those as policymakers? Mr. Collins. Well, I appreciate that. Sorry I was late, Madam Chair. But I yield back and thank the witnesses for their testimony. Mrs. Blackburn. The gentleman yields back. And there are no other members at this point wishing to ask questions. So we appreciate all of you being here today. Before we conclude this hearing, I ask unanimous consent to enter into the record the following documents: An article from Axios, an article from Fast Company on location tracking, an article from Ars Technica on call record scraping. Without objection, so ordered. [The information appears at the conclusion of the hearing.] Mrs. Blackburn. Pursuant to committee rules, I remind members that they have 10 business days to submit additional questions. And I ask the witnesses to submit their responses within 10 business days upon receipt of the questions. Seeing no further business to come before the subcommittee today, and as you all see, there is agreement that we need to address the privacy and data security issues, without objection, the subcommittee is adjourned. [Whereupon, at 1:25 p.m., the subcommittee was adjourned.] [Material submitted for inclusion in the record follows:] Prepared statement of Hon. Greg Walden Good morning. As questions continue to arise surrounding the exchange between consumers and the technology platforms and services they use on a daily basis, the Energy and Commerce Committee has focused its attention on the protection, transparency, and use of consumer data. Earlier this week, Chairman Blackburn and I, along with Chairman Latta and Chairman Harper, sent letters to Apple and Google to inquire about their data collection and sharing practices. We continue this important conversation today in the context of protecting customer proprietary network information, or CPNI. We can all recognize the importance of protecting consumers' personal information, no matter what kind of network they are using for communication. In the decades since Congress enacted the Communications Act of 1996, requiring telecommunications carriers to protect the confidentiality of CPNI, the Federal Communications Commission (FCC) has updated CPNI rules to address evolving technology, practices, and consumer expectations. For example, in 2007, the FCC extended the CPNI rules to cover voice calls made over the IP network that interconnected with the traditional telephone network. At that time, the FCC also beefed up its authentication provisions under the CPNI rules so third parties could not fraudulently obtain access to protected consumer data. Again, in 2013, consumer expectations and changes in technology led the FCC to extend CPNI protections to data collected on mobile devices under the direction or control of a telecommunications carrier. These were important advancements, and reflected the seriousness attached to how a customer's sensitive information, such as location data, is managed. Location information when attached to a call that touches the telephone network is considered to be ``call detail information'' and is thus protected under the CPNI rules. But, increasingly, other entities are utilizing location data to provide services on a mobile device that may not cross the public switched telephone network. New applications that rely on location-based services can be useful, efficient, and even potentially life-saving for consumers. We're hearing of new innovations in ride-sharing where an emergency button within an app will connect you with a 911 call center. There are new partnerships forming to share phone device location data directly to 911 public safety answering points, separate from and in addition to carrier location information. However, consumers deserve to know that an app that collects location information from a mobile device might not have to abide by the same rules as a telecommunications provider, and that their location information might not be as secure. While these entities are outside of the scope of the current CPNI rules, we must consider the entire internet ecosystem as we continue to work on comprehensive solutions. We have companies now that provide live communication, act as content producers and publishers, and aggregate data--all in one package--and the old rules just don't fit the today's paradigms. That is why the FCC's 2016 broadband privacy order was the wrong policy; we knew it wouldn't increase protections. That is why the 2015 net neutrality order was the wrong policy; we knew it wouldn't facilitate an environment to incentivize the next generation of services to close the close the broadband divide and deliver consumers smart cities, telemedicine, distance learning, and more. Today, we need to thoughtfully consider how effective the old protections under CPNI are in today's information sharing world. I'd like to thank our witnesses for joining us today. I look forward to hearing from you and hearing your insights. ---------- [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] [all]