[House Report 118-210]
[From the U.S. Government Publishing Office]


118th Congress    }                                     {       Report
                        HOUSE OF REPRESENTATIVES
 1st Session      }                                     {      118-210

======================================================================



 
               PRIVACY ENHANCING TECHNOLOGY RESEARCH ACT

                                _______
                                

 September 21, 2023.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

   Mr. Lucas, from the Committee on Science, Space, and Technology, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 4755]

    The Committee on Science, Space, and Technology, to whom 
was referred the bill (H.R. 4755) to support research on 
privacy enhancing technologies and promote responsible data 
use, and for other purposes, having considered the same, 
reports favorably thereon with an amendment and recommends that 
the bill as amended do pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Legislative History
Related Committee Hearings
Section-by-Section
Committee Consideration
Roll Call Votes
Application of Law to the Legislative Branch
Statement of Oversight Findings and Recommendations of the Committee
Statement of General Performance Goals and Objectives
Duplication of Federal Programs
Federal Advisory Committee Act
Unfunded Mandate Statement
Earmark Identification
Committee Cost Estimate
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Cost Estimate
Changes in Existing Law Made by the Bill, as Reported
Changes in Existing Law Made by the Bill, as Reported............     9

    The amendment is as follows:
  Strike all that follows after the enacting clause and insert 
the following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Privacy Enhancing Technology Research 
Act''.

SEC. 2. PRIVACY ENHANCING TECHNOLOGY.

  (a) National Science Foundation Support of Research on Privacy 
Enhancing Technology.--The Director of the National Science Foundation, 
in consultation with the heads of other relevant Federal agencies (as 
determined by the Director), shall support merit-reviewed and 
competitively awarded research on privacy enhancing technologies, which 
may include the following:
          (1) Fundamental research on technologies for de-
        identification, pseudonymization, anonymization, or obfuscation 
        to mitigate individuals' privacy risks in data sets while 
        maintaining fairness, accuracy, and efficiency.
          (2) Fundamental research on algorithms and other similar 
        mathematical tools used to protect individual privacy when 
        collecting, storing, sharing, analyzing, or aggregating data.
          (3) Fundamental research on technologies that promote data 
        minimization in data collection, sharing, and analytics that 
        takes into account the trade-offs between the data minimization 
        goals and the informational goals of data collection.
          (4) Research awards on privacy enhancing technologies 
        coordinated with other relevant Federal agencies and programs.
          (5) Supporting education and workforce training research and 
        development activities, including re-training and upskilling of 
        the existing workforce, to increase the number of privacy 
        enhancing technology researchers and practitioners.
          (6) Multidisciplinary socio-technical research that fosters 
        broader understanding of privacy preferences, requirements, and 
        human behavior to inform the design and adoption of effective 
        privacy solutions.
          (7) Development of freely available privacy enhancing 
        technology software libraries, platforms, and applications.
          (8) Fundamental research on techniques that may undermine the 
        protections provided by privacy enhancing technologies, the 
        limitations of such protections, and the trade-offs between 
        privacy and utility required for the deployment of such 
        technologies.
          (9) Fundamental research on technologies and techniques to 
        preserve the privacy and confidentiality of individuals from 
        unconsented, unwanted, or unauthorized location tracking, 
        including through GPS.
  (b) Integration Into the Computer and Network Security Program.--
Subparagraph (D) of section 4(a)(1) of the Cyber Security Research and 
Development Act (15 U.S.C. 7403(a)(1)(D)) is amended by inserting ``, 
including privacy enhancing technologies'' before the semicolon.
  (c) Coordination With the National Institute of Standards and 
Technology and Other Stakeholders.--
          (1) In general.--The Director of the Office of Science and 
        Technology Policy, acting through the Networking and 
        Information Technology Research and Development Program, shall 
        coordinate with the Director of the National Science 
        Foundation, the Director of the National Institute of Standards 
        and Technology, the Federal Trade Commission, and the heads of 
        other Federal agencies, as appropriate, to accelerate the 
        development, deployment, and adoption of privacy enhancing 
        technologies.
          (2) Outreach.--The Director of the National Institute of 
        Standards and Technology shall conduct outreach to--
                  (A) receive input from private, public, and academic 
                stakeholders on the development of privacy enhancing 
                technologies; and
                  (B) facilitate and support ongoing public and private 
                sector engagement to inform the development and 
                dissemination of voluntary, consensus-based technical 
                standards, guidelines, methodologies, procedures, and 
                processes to cost-effectively increase the integration 
                of privacy enhancing technologies in data collection, 
                sharing, and analytics performed by the public and 
                private sectors.
  (d) Report on Privacy Enhancing Technology Research.--Not later than 
three years after the date of the enactment of this Act, the Director 
of the Office of Science and Technology Policy, acting through the 
Networking and Information Technology Research and Development Program, 
shall, in coordination with the Director of the National Science 
Foundation, the Director of the National Institute of Standards and 
Technology, and the heads of other Federal agencies, as appropriate, 
submit to the Committee on Commerce, Science, and Transportation of the 
Senate, the Subcommittee on Commerce, Justice, Science, and Related 
Agencies of the Committee on Appropriations of the Senate, the 
Committee on Science, Space, and Technology of the House of 
Representatives, and the Subcommittee on Commerce, Justice, Science, 
and Related Agencies of the Committee on Appropriations of the House of 
Representatives, a report containing information relating to the 
following:
          (1) The progress of research on privacy enhancing 
        technologies.
          (2) The progress of the development of voluntary resources 
        described under subsection (c)(2)(B).
          (3) Any policy recommendations that could facilitate and 
        improve communication and coordination between the private 
        sector and relevant Federal agencies for the implementation and 
        adoption of privacy enhancing technologies.
  (e) Protecting Personal Identifying Information.--Any personal 
identifying information collected or stored through the activities 
authorized under this section shall be done in accordance with part 690 
of title 45, Code of Federal Regulations (relating to the protection of 
human subjects), or any successor regulation.
  (f) Definition.--In this section, the term ``privacy enhancing 
technology''--
          (1) means any software or hardware solution, technical 
        process, or other technological means of mitigating 
        individuals' privacy risks arising from data processing by 
        enhancing predictability, manageability, disassociability, and 
        confidentiality; and
          (2) may include--
                  (A) cryptographic techniques for facilitating 
                computation or analysis on data while mitigating 
                privacy risks;
                  (B) techniques for--
                          (i) publicly sharing data without enabling 
                        inferences to be made about specific 
                        individuals;
                          (ii) giving individuals' control over the 
                        dissemination, sharing, and use of their data; 
                        and
                          (iii) generating synthetic data; and
                  (C) any other technology or approach that reduces the 
                risk of re-identification, including when combined with 
                other information.

                          Purpose and Summary

    H.R. 4755 supports research on privacy enhancing 
technologies and promotes responsible data use.

                  Background and Need for Legislation

    Data about individuals is being generated at an increasing 
rate as more services rely on advertising to operate, and more 
devices are connected to the Internet. While Congress has not 
passed a general data protection law to promote the responsible 
use of this data, a number of U.S. states and other countries 
have started creating privacy laws that implicate organizations 
of all types and sizes. As a result, organizations are 
increasingly looking for low-cost and effective technologies 
and techniques to help them preserve the privacy of their 
consumers and employees. Privacy enhancing technologies (PETs), 
such as differential privacy and secure multiparty computation, 
have the potential to strengthen consumer privacy while still 
enabling the use of consumer data. PETs may also help with the 
implementation of other laws that encourage research activities 
that use large amounts of data, such as the National Artificial 
Intelligence Initiative Act (P.L. 116-283) and the Digital 
Accountability and Transparency Act (P.L. 113-101). However, 
the application of modern PETs is limited. Additional research 
and standard setting activities are necessary to broaden the 
applicability of the technology and encourage its further 
development and adoption. In addition, barriers remain to the 
successful coordination, development, and adoption of PETs by 
Federal agencies, especially for public health research.
    The National Science Foundation (NSF) and the National 
Institute of Standards and Technology (NIST) are key agencies 
for privacy research and standards development. NSF has a long 
history of funding fundamental research and education 
activities related to privacy technologies. Similarly, NIST has 
long carried out research on privacy to inform the development 
and standardization of technologies that access personal data. 
For example, NIST created privacy standards for Federal systems 
in response to the Privacy Act of 1974 (P.L. 93-579). In 2020, 
NIST released the NIST Privacy Framework to help organizations 
identify and manage their privacy risks.

                          Legislative History

    H.R. 4755 was introduced on July 19, 2023, by 
Representative Stevens (D-MI) and Representative Kean (R-NJ).
    On July 27, 2023, the Committee on Science, Space, and 
Technology met to consider H.R. 4755. Representative Sykes 
(D-OH) offered an amendment for NSF to include fundamental 
research on technologies and techniques to preserve the privacy 
and confidentiality of individuals from unconsented, unwanted, 
or unauthorized location tracking. The amendment was agreed to 
by a voice vote. Chairman Lucas moved that the Committee favorably 
report the bill, H.R. 4755, as amended, to the House of 
Representatives with the recommendation that the bill be 
approved. The motion was agreed to by a vote of 35-0.
    In the 117th Congress, Representative Stevens (D-MI) and 
Representative Gonzalez (R-OH) introduced H.R. 847, the 
Promoting Digital Privacy Technologies Act.\1\
---------------------------------------------------------------------------
    \1\Promoting Digital Privacy Technologies Act, H.R. 847, 117th 
Cong.
---------------------------------------------------------------------------
    On May 3, 2022, the Committee met to consider H.R. 847. 
Representative Stevens (D-MI) offered an amendment in the 
nature of a substitute to make technical changes throughout the 
bill and update provisions in response to stakeholder feedback 
and Committee Member priorities, including expanding research 
provisions and ensuring the Office of Science and Technology 
Policy (OSTP) coordinates PET research activities broadly 
across the Federal government. The amendment was agreed to on a 
voice vote. Representative Stevens (D-MI) offered an amendment 
to make technical changes to the bill in response to agency 
technical assistance, including updating the definitions in the 
bill. The amendment was agreed to on a voice vote. 
Representative Posey (R-FL) offered an amendment to ensure any 
personally identifiable information collected or stored through 
the activities in the Act would follow human subject data 
protections. The amendment was agreed to on a voice vote. The 
Committee favorably reported H.R. 847, as amended, by a voice 
vote.
    On May 10, 2022, the House met to consider H.R. 847 under 
suspension of the rules. The motion to suspend the rules and 
pass H.R. 847, as amended, was agreed to by the Yeas and Nays 
with a vote of 401-19. The motion to reconsider was laid on the 
table and agreed to without objection.

                       Related Committee Hearings

    On April 26, 2023, the full committee held a hearing 
entitled, ``An Overview of The National Science Foundation 
Budget Proposal for Fiscal Year 2024,'' which discussed the 
major areas of research at the NSF, including privacy. The 
hearing consisted of testimony from Dr. Sethuraman 
Panchanathan, Director of the NSF, and Dr. Dan Reed, Chair of 
the National Science Board.
    On May 12, 2023, the Committee held a hearing entitled ``An 
Overview of the Budget Proposal for the National Institute of 
Standards and Technology for Fiscal Year 2024''. The hearing 
included discussion of major areas of research under the 
National Institute of Standards and Technology laboratory 
programs, the agency's role in working with industry to advance 
U.S. competitiveness through standards development, and 
specifically NIST's work on a Privacy Framework. The Honorable 
Laurie E. Locascio, Undersecretary of Commerce for Standards 
and Technology and Director for the National Institute of 
Standards and Technology, testified before the committee.

                           Section-by-Section


Section 1. Short title

Section 2. Privacy enhancing technology

            Subsection (a)--National Science Foundation Support of 
                    Research on Privacy Enhancing Technology
    This subsection directs the NSF to support competitive, 
fundamental research on PETs, coordinating awards with other 
relevant federal agencies.
            Subsection (b)--Integration in the Computer and Network 
                    Security Program
    This subsection adds PETs to a list of research areas 
supported by the NSF Directorate for Computer and Information 
Science and Engineering (CISE).
            Subsection (c)--Coordination with the National Institute of 
                    Standards and Technology and Other Stakeholders
    This subsection directs OSTP to coordinate activities 
related to PETs between NSF, NIST, and the FTC. This section 
also directs NIST to conduct outreach and disseminate 
voluntary, consensus-based resources to facilitate the 
development of PETs.
            Subsection (d)--Report on Research and Standards 
                    Development
    This subsection directs OSTP to submit a report to Congress 
after 2 years that tracks the progress of PETs development and 
resources developed under Section 5, as well as makes 
recommendations to improve the communication and coordination 
between Federal agencies and the private sector on PETs.
            Subsection (e)--Protecting Personal Identifying Information
    This subsection directs agencies conducting activities 
under this section to abide by the Common Rule for human 
subjects' research (part 690 of title 45, Code of Federal 
Regulations).
            Subsection (f)--Definition

                        Committee Consideration

    On July 27, 2023, the Committee met in open session and 
ordered reported favorably the bill, H.R. 4577, as amended, by 
a recorded vote of 35 yeas to 0 nays, a quorum being present.

                            Roll Call Votes

    Clause 3(b) of rule XIII requires the Committee to list the 
record votes on the motion to report legislation and amendments 
thereto. The following reflects the record votes taken during 
the Committee consideration:

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

              Application of Law to the Legislative Branch

    The Committee finds that H.R. 4755 does not relate to the 
terms and conditions of employment or access to public services 
or accommodations within the meaning of section 102(b)(3) of 
the Congressional Accountability Act (Public Law 104-1).

  Statement of Oversight Findings and Recommendations of the Committee

    In compliance with clause 3(c)(1) of rule XIII and clause 
(2)(b)(1) of rule X, the Committee's oversight findings and 
recommendations are reflected in the descriptive portions of 
this report.

         Statement of General Performance Goals and Objectives

    Pursuant to clause (3)(c)(4) of rule XIII, the goal of H.R. 
4755 is to support research on privacy enhancing technologies 
and promote responsible data use.

                    Duplication of Federal Programs

    Pursuant to clause 3(c)(5) of rule XIII, the Committee 
finds that no provision of H.R. 4755 establishes or 
reauthorizes a program of the Federal Government known to be 
duplicative of another Federal program, including any program 
that was included in a report to Congress pursuant to section 
21 of Public Law 111-139 or identified in the most recent 
Catalog of Federal Domestic Assistance.

                     Federal Advisory Committee Act

    The Committee finds that the legislation does not establish 
or authorize the establishment of an advisory committee within 
the definition of section 5(b) of the Federal Advisory 
Committee Act.

                       Unfunded Mandate Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                         Earmark Identification

    Pursuant to clauses 9(e), 9(f), and 9(g) of rule XXI, the 
Committee finds that H.R. 4755 does not include any 
congressional earmarks, limited tax benefits, or limited tariff 
benefits.

                        Committee Cost Estimate

    Pursuant to clause 3(d)(1) of rule XIII, the Committee 
adopts as its own the cost estimate prepared by the Director of 
the Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974. At the time this report was 
filed, the estimate was not yet available.

           New Budget Authority, Entitlement Authority, and 
                            Tax Expenditures

    Pursuant to clause 3(c)(2) of rule XIII, the Committee 
finds that H.R. 4755 would result in no new or increased budget 
authority, entitlement authority, or tax expenditures or 
revenues.

               Congressional Budget Office Cost Estimate

    Pursuant to clause 3(c)(3) of rule XIII, at the time this 
report was filed, the cost estimate prepared by the Director of 
the Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974 was not yet available.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (new matter is 
printed in italics and existing law in which no change is 
proposed is shown in roman):

              CYBER SECURITY RESEARCH AND DEVELOPMENT ACT




           *       *       *       *       *       *       *
SEC. 4. NATIONAL SCIENCE FOUNDATION RESEARCH.

  (a) Computer and Network Security Research Grants.--
          (1) In general.--The Director shall award grants for 
        basic research on innovative approaches to the 
        structure of computer and network hardware and software 
        that are aimed at enhancing computer security. Research 
        areas may include--
                  (A) authentication, cryptography, and other 
                secure data communications technology;
                  (B) computer forensics and intrusion 
                detection;
                  (C) reliability of computer and network 
                applications, middleware, operating systems, 
                control systems, and communications 
                infrastructure;
                  (D) privacy and confidentiality, including 
                privacy enhancing technologies;
                  (E) network security architecture, including 
                tools for security administration and analysis;
                  (F) emerging threats;
                  (G) vulnerability assessments and techniques 
                for quantifying risk;
                  (H) remote access and wireless security;
                  (I) enhancement of law enforcement ability to 
                detect, investigate, and prosecute cyber-
                crimes, including those that involve piracy of 
                intellectual property;
                  (J) secure fundamental protocols that are 
                integral to inter-network communications and 
                data exchange;
                  (K) secure software engineering and software 
                assurance, including--
                          (i) programming languages and systems 
                        that include fundamental security 
                        features;
                          (ii) portable or reusable code that 
                        remains secure when deployed in various 
                        environments;
                          (iii) verification and validation 
                        technologies to ensure that 
                        requirements and specifications have 
                        been implemented; and
                          (iv) models for comparison and 
                        metrics to assure that required 
                        standards have been met;
                  (L) holistic system security that--
                          (i) addresses the building of secure 
                        systems from trusted and untrusted 
                        components;
                          (ii) proactively reduces 
                        vulnerabilities;
                          (iii) addresses insider threats; and
                          (iv) supports privacy in conjunction 
                        with improved security;
                  (M) monitoring and detection;
                  (N) mitigation and rapid recovery methods;
                  (O) security of wireless networks and mobile 
                devices;
                  (P) security of cloud infrastructure and 
                services;
                  (Q) security of election-dedicated voting 
                system software and hardware; and
                  (R) role of the human factor in cybersecurity 
                and the interplay of computers and humans and 
                the physical world.
          (2) Merit review; competition.--Grants shall be 
        awarded under this section on a merit-reviewed 
        competitive basis.
          (3) Authorization of appropriations.--There are 
        authorized to be appropriated to the National Science 
        Foundation to carry out this subsection--
                  (A) $35,000,000 for fiscal year 2003;
                  (B) $40,000,000 for fiscal year 2004;
                  (C) $46,000,000 for fiscal year 2005;
                  (D) $52,000,000 for fiscal year 2006; and
                  (E) $60,000,000 for fiscal year 2007.
  (b) Computer and Network Security Research Centers.--
          (1) In general.--The Director shall award multiyear 
        grants, subject to the availability of appropriations, 
        to institutions of higher education, nonprofit research 
        institutions, or consortia thereof to establish 
        multidisciplinary Centers for Computer and Network 
        Security Research. Institutions of higher education, 
        nonprofit research institutions, or consortia thereof 
        receiving such grants may partner with 1 or more 
        government laboratories or for-profit institutions, or 
        other institutions of higher education or nonprofit 
        research institutions.
          (2) Merit review; competition.--Grants shall be 
        awarded under this subsection on a merit-reviewed 
        competitive basis.
          (3) Purpose.--The purpose of the Centers shall be to 
        generate innovative approaches to computer and network 
        security by conducting cutting-edge, multidisciplinary 
        research in computer and network security, including 
        improving the security and resiliency of information 
        technology, reducing cyber vulnerabilities, and 
        anticipating and mitigating consequences of cyber 
        attacks on critical infrastructure, by conducting 
        research in the areas described in subsection (a)(1).
          (4) Applications.--An institution of higher 
        education, nonprofit research institution, or consortia 
        thereof seeking funding under this subsection shall 
        submit an application to the Director at such time, in 
        such manner, and containing such information as the 
        Director may require. The application shall include, at 
        a minimum, a description of--
                  (A) the research projects that will be 
                undertaken by the Center and the contributions 
                of each of the participating entities;
                  (B) how the Center will promote active 
                collaboration among scientists and engineers 
                from different disciplines, such as computer 
                scientists, engineers, mathematicians, and 
                social science researchers;
                  (C) how the Center will contribute to 
                increasing the number and quality of computer 
                and network security researchers and other 
                professionals, including individuals from 
                groups historically underrepresented in these 
                fields; and
                  (D) how the Center will disseminate research 
                results quickly and widely to improve cyber 
                security in information technology networks, 
                products, and services.
          (5) Criteria.--In evaluating the applications 
        submitted under paragraph (4), the Director shall 
        consider, at a minimum--
                  (A) the ability of the applicant to generate 
                innovative approaches to computer and network 
                security and effectively carry out the research 
                program;
                  (B) the experience of the applicant in 
                conducting research on computer and network 
                security and the capacity of the applicant to 
                foster new multidisciplinary collaborations;
                  (C) the capacity of the applicant to attract 
                and provide adequate support for a diverse 
                group of undergraduate and graduate students 
                and postdoctoral fellows to pursue computer and 
                network security research;
                  (D) the extent to which the applicant will 
                partner with government laboratories, for-
                profit entities, other institutions of higher 
                education, or nonprofit research institutions, 
                and the role the partners will play in the 
                research undertaken by the Center;
                  (E) the demonstrated capability of the 
                applicant to conduct high performance 
                computation integral to complex computer and 
                network security research, through on-site or 
                off-site computing;
                  (F) the applicant's affiliation with private 
                sector entities involved with industrial 
                research described in subsection (a)(1);
                  (G) the capability of the applicant to 
                conduct research in a secure environment;
                  (H) the applicant's affiliation with existing 
                research programs of the Federal Government;
                  (I) the applicant's experience managing 
                public-private partnerships to transition new 
                technologies into a commercial setting or the 
                government user community;
                  (J) the capability of the applicant to 
                conduct interdisciplinary cybersecurity 
                research, basic and applied, such as in law, 
                economics, or behavioral sciences; and
                  (K) the capability of the applicant to 
                conduct research in areas such as systems 
                security, wireless security, networking and 
                protocols, formal methods and networking and 
                information technology, nanotechnology, or 
                industrial control systems.
          (6) Annual meeting.--The Director shall convene an 
        annual meeting of the Centers in order to foster 
        collaboration and communication between Center 
        participants.
          (7) Authorization of appropriations.--There are 
        authorized to be appropriated for the National Science 
        Foundation to carry out this subsection--
                  (A) $12,000,000 for fiscal year 2003;
                  (B) $24,000,000 for fiscal year 2004;
                  (C) $36,000,000 for fiscal year 2005;
                  (D) $36,000,000 for fiscal year 2006; and
                  (E) $36,000,000 for fiscal year 2007.

           *       *       *       *       *       *       *

