[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
ONLINE PRIVACY, SOCIAL NETWORKING,
AND CRIME VICTIMIZATION
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CRIME, TERRORISM,
AND HOMELAND SECURITY
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
SECOND SESSION
__________
JULY 28, 2010
__________
Serial No. 111-144
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
U.S. GOVERNMENT PRINTING OFFICE
57-673 WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
COMMITTEE ON THE JUDICIARY
JOHN CONYERS, Jr., Michigan, Chairman
HOWARD L. BERMAN, California
RICK BOUCHER, Virginia
JERROLD NADLER, New York
ROBERT C. ``BOBBY'' SCOTT, Virginia
MELVIN L. WATT, North Carolina
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
WILLIAM D. DELAHUNT, Massachusetts
STEVE COHEN, Tennessee
HENRY C. ``HANK'' JOHNSON, Jr., Georgia
PEDRO PIERLUISI, Puerto Rico
MIKE QUIGLEY, Illinois
JUDY CHU, California
TED DEUTCH, Florida
LUIS V. GUTIERREZ, Illinois
TAMMY BALDWIN, Wisconsin
CHARLES A. GONZALEZ, Texas
ANTHONY D. WEINER, New York
ADAM B. SCHIFF, California
LINDA T. SANCHEZ, California
DANIEL MAFFEI, New York
JARED POLIS, Colorado
LAMAR SMITH, Texas
F. JAMES SENSENBRENNER, Jr., Wisconsin
HOWARD COBLE, North Carolina
ELTON GALLEGLY, California
BOB GOODLATTE, Virginia
DANIEL E. LUNGREN, California
DARRELL E. ISSA, California
J. RANDY FORBES, Virginia
STEVE KING, Iowa
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
JIM JORDAN, Ohio
TED POE, Texas
JASON CHAFFETZ, Utah
TOM ROONEY, Florida
GREGG HARPER, Mississippi
Perry Apelbaum, Staff Director and Chief Counsel
Sean McLaughlin, Minority Chief of Staff and General Counsel
------
Subcommittee on Crime, Terrorism, and Homeland Security
ROBERT C. ``BOBBY'' SCOTT, Virginia, Chairman
PEDRO PIERLUISI, Puerto Rico
JERROLD NADLER, New York
ZOE LOFGREN, California
SHEILA JACKSON LEE, Texas
MAXINE WATERS, California
STEVE COHEN, Tennessee
ANTHONY D. WEINER, New York
MIKE QUIGLEY, Illinois
TED DEUTCH, Florida
LOUIE GOHMERT, Texas
TED POE, Texas
BOB GOODLATTE, Virginia
DANIEL E. LUNGREN, California
J. RANDY FORBES, Virginia
TOM ROONEY, Florida
Bobby Vassar, Chief Counsel
Caroline Lynch, Minority Counsel
C O N T E N T S
----------
JULY 28, 2010
Page
OPENING STATEMENTS
The Honorable Robert C. ``Bobby'' Scott, a Representative in
Congress from the State of Virginia, and Chairman, Subcommittee
on Crime, Terrorism, and Homeland Security..................... 1
The Honorable Louie Gohmert, a Representative in Congress from
the State of Texas, and Ranking Member, Subcommittee on Crime,
Terrorism, and Homeland Security............................... 2
The Honorable Bob Goodlatte, a Representative in Congress from
the State of Virginia, and Member, Subcommittee on Crime,
Terrorism, and Homeland Security............................... 4
WITNESSES
Mr. Gordon M. Snow, Assistant Director, Federal Bureau of
Investigation, United States Department of Justice, Washington,
DC
Oral Testimony................................................. 5
Prepared Statement............................................. 8
Mr. Michael P. Merritt, Assistant Director, United States Secret
Service, United States Department of Homeland Security,
Washington, DC
Oral Testimony................................................. 13
Prepared Statement............................................. 15
Mr. Joe Sullivan, Chief Security Officer (CSO), Facebook, Inc.,
Palo Alto, CA
Oral Testimony................................................. 23
Prepared Statement............................................. 26
Mr. Marc Rotenberg, Executive Director, Electronic Privacy
Information Center (EPIC), Washington, DC
Oral Testimony................................................. 40
Prepared Statement............................................. 42
Mr. Joe Pasqua, Vice President for Research, Symantec, Inc.,
Washington, DC
Oral Testimony................................................. 54
Prepared Statement............................................. 56
APPENDIX
Material Submitted for the Hearing Record........................ 77
ONLINE PRIVACY, SOCIAL NETWORKING,
AND CRIME VICTIMIZATION
----------
WEDNESDAY, JULY 28, 2010
House of Representatives,
Subcommittee on Crime, Terrorism,
and Homeland Security
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:19 p.m., in
room 2141, Rayburn House Office Building, the Honorable Robert
C. ``Bobby'' Scott (Chairman of the Subcommittee) presiding.
Present: Representatives Scott, Lofgren, Quigley, Deutch,
Gohmert, Goodlatte, and Lungren.
Staff present: (Majority) Bobby Vassar, Subcommittee Chief
Counsel; Jesselyn McCurdy, Counsel; Ron LeGrand, Counsel; Joe
Graupensperger, Counsel; Liliana Coronado, (Fellow) Federal
Public Defender's Office Detailee; Veronica Eligan,
Professional Staff Member; (Minority) Caroline Lynch, Counsel;
Kimani Little, Counsel; Art Baker, FBI Detailee; and Kelsey
Whitlock, Legislative Assistant.
Mr. Scott. Subcommittee will now come to order. And I want
to apologize for starting late. We had a Judiciary Committee
bill on the floor, and the rules prohibit us having a bill on
the floor and meeting at the same time, so I am glad that that
bill didn't take very long.
I am pleased to welcome you today to this hearing before
the Subcommittee on Crime, Terrorism and Homeland Security
about Internet Privacy, Social Networking and Crime
Victimization.
The Internet presents individuals, in their personal and
professional capacities, numerous opportunities to share
personal information. Some of the information individuals disclose
is disclosed incidentally to their use of the Internet.
So for example, in order to use various online accounts for
services such as e-mail, shopping and messaging, consumers also
must establish passwords, reveal credit card numbers, and
divulge other personally identifiable information.
In other circumstances, the sharing of information is
central to a particular use of the Internet. For example, some
Internet users actively share information, much of it extremely
personal, through social networking sites.
Both categories of information present unique privacy
challenges. This hearing will examine these issues and risks of
criminal victimization.
Of course, we know that criminals are constantly devising
new ways to infect the computers of Internet users with various
types of malware. Much of this malware is intended to capture
the private information of individuals and report it back to
the criminal to be used in the next step to the scheme, often
involving some form of identity theft.
We have Federal and state laws prohibiting this type of
crime, but it is important that consumers know what they can do
to protect themselves and that we demand that the Internet
companies take appropriate steps to ensure the security of this
information.
This is part of what we will focus on today, but we also
want to pay particular attention to the special risks of
victimization based on participation in social networking.
Based on the widespread popularity of social networking
sites, such as Facebook, there is no doubt that these sites
provide an enjoyable and unique experience to their users.
Those who use these sites are able to share information with
their friends, find old friends, and establish new friendships.
And in so doing, they share and broadcast some of the most
sensitive and intimate details of their lives.
Unfortunately, there are those who seek out and exploit the
details to perpetrate criminal acts. For example, personal
details shared on these sites may allow criminals to guess a
user's forgotten password clues for various online accounts.
Burglars have targeted people's homes based on information
found on Facebook pages that the resident is on vacation and
not at home. And based on fears about possible victimization of
young people by Internet predators, Facebook has agreed to
install a panic button on user pages hosted on its U.K. Web
site so suspicious behavior can be reported to the authorities
immediately.
One scheme that has proliferated involves hijacking of a
Facebook user's account by a criminal who sends a financial
distress call to the user's friends on that Facebook page,
asking them to wire money to an account which is, unbeknownst
to them, actually that of the criminal.
To discuss all these types of issues, we have a panel of
witnesses representing a broad spectrum of experience and
various Internet privacy issues from perspectives of law
enforcement, industry, and privacy advocacy.
Before we proceed with their testimony, it is my pleasure
to recognize the Ranking Member of the Subcommittee, my
colleague from Texas, Judge Gohmert.
Mr. Gohmert. Thank you, Mr. Chairman. I do appreciate you
holding this hearing on a very important topic. Privacy, social
networking and crime victimization have become competing
interests as the Internet continues to revolutionize the way we
conduct commerce, seek employment, keep up with family and
friends, make new friends, and communicate in general.
The Internet's impact on communication and on society is
often compared to the impact that the invention of the printing
press had on the literary market. We are in the midst of a
technology evolution like never seen before.
Every year, or even more frequently, there is some new
gadget that is faster and smaller than its predecessor, or
capable of doing something that was never thought possible.
This has certainly been true in all aspects of personal
computing and the development and access to the Internet.
The Internet has not only facilitated communication, but
other aspects of everyday life, as well. We no longer have to
go to the post office to pay a bill. We can buy books, food,
furniture, just about every other thing without going to a
store. We can now look for a new home or a new car at any hour
of the day simply by logging on.
Unfortunately, with these benefits and conveniences come
new ways to commit crimes and new ways to exploit our personal
information. The conveniences generally seem to outweigh the
risk. But by educating ourselves about the potential risk and
vulnerabilities created by these conveniences, Internet users
can help prevent the spread of identity theft and other crimes
on the Web.
Identity thieves who hack into your personal computer or a
merchant computer and steal your personal information have
received considerable attention from the media and Congress.
People have become aware of identity theft and are changing
their habits to prevent becoming a victim.
You don't have to look any further than the popularity of
personal shredding machines to realize that habits do often
change when there is awareness of the risk.
But there are new schemes and new variations of old schemes
employed by criminals to defeat the security measures and
actions taken by a concerned public. For instance, within the
last few months, staff of this Committee received e-mails
supposedly from a former staffer asking that money be wired
immediately to a certain account as a sender claimed to be the
victim of a robbery while touring London.
When the sender could not answer basic questions, the
communications stopped. Later, it was learned the former
staffer's Internet address book had been compromised, and
everyone in it received the same plea for help. This scam has
also apparently been attempted using social networking sites.
The dramatic increase in the popularity of social
networking sites has perhaps overshadowed some of the risk of
sharing too much information in those forums. Unlike the
sensitive but relatively limited information needed to make an
online purchase, these social networking sites provide the
opportunity and the temptation to incrementally put more and
more personal information into cyberspace.
Most users have no real sense of who can see this
information, what can be done with it, or what steps can be
taken to prevent it from being exploited, and all of this
information is a potential treasure trove for identity thieves
and for the facilitation of other crimes. Some in the
information industry refer to personal information as ``the new
currency of crime.''
According to a recent national survey of 2,000 online
households conducted by the Consumer Reports National Research
Center, two out of three online U.S. households use social
networks, nearly twice as many as a year ago. But millions who
use these services put themselves and their families at risk by
exposing very sensitive personal information. If a picture is
really worth 1,000 words, some of the visuals that are posted
on these sites say way too much, and in all likelihood can
assist a predator in choosing their prey.
Again, I want to thank the Chairman for holding this
hearing. I firmly believe that making the public aware of some
of the new dangers associated with the ever-expanding Internet
is an important tool for Internet users, particularly teenagers
and children, to protect themselves.
This is particularly true here in Congress, where we have
software and hardware that is so secure that only we and the
Chinese have access to all our secrets.
With that, I yield back, and thank you for the time,
Chairman.
Mr. Scott. Thank you. And we have one panel of witnesses
with us. Excuse me, does the gentleman from Virginia have a
comment?
Mr. Goodlatte. Just briefly, Mr. Chairman, I want to thank
you for holding this hearing. As the co-chairman of the
bipartisan Congressional Internet Caucus and chairman of the
House Republican High-Tech Working Group, this is a very, very
important discussion about how to prevent crime and keep people
safe on the Internet.
It is a rapidly evolving technology, and we have got to
make sure that the Internet does not become the wild, Wild West
of the 21st century. But there are a lot of exciting new
developments going on not only to make new services available
to people, but also to empower them to, in many ways, get a
better handle on controlling their access to the Internet in
terms of the information that they provide and that they can
determine how to provide it.
In addition, social networking technologies like Facebook--
and Facebook, quite frankly, has been a leader in this regard--
have done a great service to the Internet by making greater
transparency for the people who are legitimately and honestly
using the Internet. If you go on a technology like Facebook,
you have got to disclose who you are, and therefore you can
see, as you participate, who you are and decide for yourself
who you want to share that information with.
But it also is a move away from people thinking that they
can anonymously undertake activities on the Internet to perform
various types of criminal activities. The more we promote that
type of activity, the fact that you identify yourself and who
you are, and you decide for yourself what information you are
going to share, I think the greater progress we will make in
being able to crack down on the people who want to think that
they are operating in the shadows of the Internet and
conducting crime.
Now, there are lots that people have to learn about that as
they do it so that they can understand how they best can
protect themselves, and the technologies need to evolve further
to root out people who would conduct criminal activity on the
Internet.
But I think that is what we should be learning about today
and encouraging today so that the Internet can continue to grow
and continue to be the educational tool, the tool for commerce,
the tool for entertainment that it has become and is enjoyed by
hundreds of millions of Americans and billions of people around
the world. So I look forward to hearing from our witnesses
today.
Thank you, Mr. Chairman.
Mr. Scott. Thank you. And I would like to thank you for
your hard work on a lot of the technology issues that many of
us have trouble understanding. You and our other colleague from
Virginia, Mr. Boucher, have done a lot of work in a bipartisan
way in cooperation, which is very helpful to the Committee. So
we want to thank you for your leadership.
Our first witness today will be Gordon Snow, who is
assistant director of the FBI's Cyber Division. He has had a
distinguished career with the FBI, including positions as
section chief of the Cyber National Security Section and
director of the National Cyber Investigative Joint Task Force.
Our second witness will be Michael Merritt, who is
assistant director of the Secret Service's Office of
Investigations. He oversees the Secret Service's criminal
investigations, including those of electronic and financial
crimes.
Our third witness will be Joe Sullivan, who is the chief
security officer for Facebook. He is a former assistant U.S.
attorney and has the daily responsibility for overseeing
Facebook's security policies.
Our fourth witness will be Marc Rotenberg, who is the
executive director of the Electronic Privacy Information
Center. His organization is one of the leading advocates of
online privacy rights and has taken a special interest in these
issues as they relate to social networking.
Our fifth and final witness will be Joe Pasqua, who is the
vice president of research for Symantec Corporation. He has led
the efforts in that corporation in areas such as online safety,
reputation-based security and data protection.
Each of our witnesses' written statements will be entered
into the record in its entirety. We ask our witnesses to
summarize their testimony in 5 minutes or less. And to
help stay within the time, there is a timing device at the
table which will begin green, and when 1 minute is left, it
will turn to yellow, and turn red when 5 minutes have expired.
I also want to recognize our colleague from Florida, Mr.
Deutch. Did you have a comment? Okay. Thank you very much.
So we will begin with Assistant Director Snow.
TESTIMONY OF GORDON M. SNOW, ASSISTANT DIRECTOR, FEDERAL BUREAU
OF INVESTIGATION, UNITED STATES DEPARTMENT OF JUSTICE,
WASHINGTON, DC
Mr. Snow. Good afternoon, Chairman Scott, Ranking Member
Gohmert and Members of the Subcommittee. I appreciate the
opportunity to testify before you today regarding the FBI's
efforts to combat cybercrime as it relates to social networking
sites.
Regardless of which social networking is used, online----
Mr. Scott. Mr. Snow, could you bring your mic a little
closer to you?
Mr. Snow. Regardless of which social networking site is
used, online users continue to be fooled by persons claiming to
be somebody else. Individuals can misrepresent everything about
themselves while they communicate online, their names and
business affiliations, and also their gender, age and location,
identifiers that are far more difficult to fake in person.
Years ago, we called these type of people ``confidence
men,'' or con men. Today, we refer to them as being engaged in
social engineering.
There are a variety of Internet fraud schemes being used by
cyber criminals at any given time. By way of example, a recent
fraud scheme involves a cyber criminal gaining access to an
unsuspecting user's e-mail account or social networking
account, claiming to be the account holder and sending messages
to many of the user's friends.
In the message, the con man states that he is on travel and
has been robbed of his credit cards, passport, money and cell
phone. He also states the need for money is immediate. Without
realizing the message is from a criminal, the victims of the
fraud, the account holder's contacts, often wire money to an
overseas account without validating the claim.
Another tool used by criminals to exploit social networking
sites is a technique called phishing. Phishing schemes attempt
to make Internet users believe that they are receiving messages
from a trusted source.
Phishing attacks on members come in various formats,
including messages within the social networking site, either
from strangers or from compromised friends' accounts, links or
videos within a social networking profile leading to something
harmful, or e-mails sent to users claiming to be from the
social network site itself.
Users fall victim to the schemes due to the higher level of
trust typically displayed while using social networking sites.
Users often accept into their private sites people they do not
actually know, or they sometimes fail to set privacy settings
on their profile which might help avoid these attacks.
Cyber-thieves also use data mining techniques on social
networking sites to extract sensitive information about the
victims. For example, a ``Getting To Know You'' quiz sent to a
large list of social networking site users, while not appearing
malicious, may mimic the same questions that are asked by
financial institutions or e-mail account providers when the
individual has forgotten their password. An e-mail address and
the answers to the quiz questions can provide the cyber-criminal
with the tools to enter your bank account, your e-mail account
or credit card in order to transfer money or siphon off your
savings and investments.
The potential for considerable profits in this realm is
enticing young criminals and has resulted in the creation of a
large economy known as the cyber-underground. The underground
is governed by rules and logic that closely mimic those of the
legitimate business world, including a unique language, a set
of expectations about its members' conduct, and a system of
stratification based on knowledge and skill, activities and
reputation.
Beyond cyber-crime, valuable national security information
can also be inadvertently exposed by military or government
personnel via their social networking site profile. In a
recently publicized case, an individual created a fake profile
on multiple social networking sites posing as an attractive
female intelligence analyst and extended friend requests to
government contractors, military and other government
personnel. Many of the friend requests were accepted. According
to press accounts, the deception provided its creator with
access to a fair amount of sensitive data, including a picture
from a soldier taken on patrol in Afghanistan that contained
embedded data identifying his exact location.
Mr. Chairman, the Department of Justice and the FBI, in
collaboration with our inter-agency partners, have been working
closely with the new cyber-security office at the White House
to address the President's national efforts to investigate and
prosecute cyber-crime. To this end, we have established cyber
squads in each of our 56 field offices around the country, with
more than 1,000 specially trained agents, analysts and digital
forensic experts.
Still, we cannot combat this threat alone. Some of the best
tools in the FBI's arsenal are our longstanding partnerships
with federal, state, local and international law enforcement
agencies, as well as with private sector and academia.
These relationships include our partnerships with the
National White Collar Crime Center and the Internet Crime
Complaint Center, the National Cyber Forensic and Training
Alliance, and the InfraGard program. We also partner with the
Information Sharing and Analysis Centers and the National
Center for Missing and Exploited Children.
Chairman Scott, Ranking Member Gohmert and Members of the
Subcommittee, in the interest of time today, I have touched
upon some of the more pervasive methods of criminal activity
via social networking. I would be more than happy to further
expand upon any of these issues during questioning, and I
appreciate the opportunity to come before you today and share
the work the FBI is doing to address the threat posed by
cyber-criminals in this country and around the world.
[The prepared statement of Mr. Snow follows:]
Prepared Statement of Gordon M. Snow
__________
Mr. Scott. Thank you, Mr. Snow.
We have been joined by the gentlelady from California, Ms.
Lofgren, who has taken a strong interest in this issue, and
thank you for coming.
Mr. Merritt?
TESTIMONY OF MICHAEL P. MERRITT, ASSISTANT DIRECTOR, UNITED
STATES SECRET SERVICE, UNITED STATES DEPARTMENT OF HOMELAND
SECURITY, WASHINGTON, DC
Mr. Merritt. Good afternoon, Chairman Scott, Ranking Member
Gohmert and other distinguished Members of the Committee. Thank
you for the opportunity to testify on the Secret Service's role
investigating cyber and computer-related crimes.
As the original guardian of the Nation's financial
infrastructure, the Secret Service has a long, distinguished
history of protecting American consumers and financial
institutions from fraud. Over the last 145 years, our criminal
investigators have confronted all types of financial fraud,
from paper to plastic to computer-based attacks targeting our
financial payment schemes.
In recent years, our investigations have revealed a
significant increase in the quantity and complexity of cyber
cases involving various computer networks in the United States.
Broader access to advanced computer technologies and the
widespread use of the Internet have fostered the growth of
transnational cyber criminals, which has resulted in a marked
increase in computer-related crimes targeting our Nation's
financial infrastructure.
Current trends show an increase in network intrusions,
hacking attacks, malicious software, and account takeovers,
resulting in data breaches affecting every sector of the
American economy. In addition, social networking sites have
become prime targets for cyber-criminals to expand their
prospects for facilitating malicious or fraudulent activity.
As documented in the 2010 Secret Service-Verizon Data
Breach Investigations Report, the use of social engineering
tactics to obtain personally identifiable information has
increased. While cyber-criminals operate anonymously in a world
without borders, the law enforcement community is limited by
jurisdictional boundaries. Thus, the international scope of
these cyber-crime cases has increased the time and resources
required for successful investigation and adjudication.
In addition, the level of collaboration among these
transnational cyber-criminals has raised the complexity of
these cases and the potential for greater harm.
To address the emerging threats posed by these
transnational groups, the Secret Service has adopted a
multifaceted approach to investigating these crimes while
working to prevent future attacks. A central component of our
approach is the training provided through our electronic crime
special agent program. Today, roughly 1,300, or more than half
of our field office special agents, have received training in
forensic identification and the preservation and retrieval of
electronically stored evidence.
In addition, since 2008, the Secret Service, through the
National Computer Forensics Institute, has provided computer
forensics training to 836 state and local law enforcement
officials representing over 300 agencies from all 50 states and
two territories. As cyber-crimes continue to increase in size,
scope and depth, the Secret Service is committed to sharing
information and best practices with our law enforcement
partners, academia, and the private sector.
To accomplish this, we have established 29 electronic crime
task forces, including the first international task force,
based in Rome, Italy.
Currently, membership in our ECTFs includes approximately
5,500 partners from law enforcement and the private sector and
academia. These partners have access to the resources provided
through our international network of ECTFs. To coordinate these
investigations at the headquarters level, the Secret Service
has enhanced our cyber-intelligence section to focus on
generating new leads in support of our cyber-investigations.
The men and women who work in this section have been
instrumental in our success in infiltrating online cyber-
criminal networks around the world. These successful
investigations include two of the largest known network
intrusion cases to date, the TJX and the Heartland Payment Systems
cases. These intrusions resulted in the compromise of
approximately 40 million accounts and 130 million accounts
respectively and the indictment of dozens of suspects.
As detailed in my written statement, the Secret Service has
implemented a number of initiatives to combat the scourge of
cyber and computer-related crimes. Today, social networking
sites provide yet another target-rich environment for cyber-
criminals to exploit personally identifiable information.
Responding to the growth in these types of crimes and the
level of sophistication these criminals employ will demand an
increase in resources and greater collaboration between law
enforcement and the private sector. Accordingly, the Secret
Service will focus its resources on increasing public awareness
through education, providing training for our local law
enforcement partners, and adjusting our investigative
techniques to stay ahead of the criminal trends.
The Secret Service is committed to our mission of
safeguarding our Nation's critical financial infrastructure and
will continue to aggressively investigate cyber and computer-
related crimes to protect American consumers and financial
institutions from harm.
Chairman Scott, Ranking Member Gohmert and distinguished
Members of the Committee, this concludes my prepared statement.
Thank you again for this opportunity to testify on behalf of
the Secret Service. I will be pleased to answer any questions
at your convenience.
Thank you.
[The prepared statement of Mr. Merritt follows:]
Prepared Statement of Michael P. Merritt
__________
Mr. Scott. Thank you, Mr. Merritt.
Mr. Sullivan, I believe you came off a vacation to be with
us today. We certainly appreciate that. We certainly notice
that, and thank you for being with us.
Mr. Sullivan?
TESTIMONY OF JOE SULLIVAN, CHIEF SECURITY OFFICER (CSO),
FACEBOOK, INC., PALO ALTO, CA
Mr. Sullivan. Certainly. It is my pleasure to be here. So
thank you, Chairman Scott, Ranking Member Gohmert and
Subcommittee Members for this opportunity.
As Facebook's chief security officer, and as a former
Federal prosecutor who specialized in high-tech crime in
Silicon Valley, this topic has special meaning for me. At
Facebook, I work every day on developing high product security
standards, engaging people outside the company, such as
educators, parents, students and other Internet users, to learn
about and promote safe Internet practices. And I also work
closely with law enforcement around the world to help ensure
that those who are responsible for online abuse are held
accountable.
While the Internet now connects nearly two billion people,
until recently, it was a useful but very passive repository of
information. But in just a few years, it has really evolved into
an interactive social experience defined by your connections,
interests, and your communities.
These developments enlist people not just as passive
viewers but also as creators of online content, frequently in a
framework that is social and involves forums or communities
defined by people themselves. And since its creation, Facebook
has been at the forefront of this change, growing from a
network of students at a handful of universities to a worldwide
community.
Today, Facebook and other social technologies have the
power to enrich people's lives in ways that were unimagined
even 5 years ago. Facebook has become an invaluable communication
tool, allowing individuals to connect for myriad purposes, to
communicate with family near and far, for charitable causes, in
the political realm for grassroots organizing and for local
community-building.
In the same way that Facebook has brought innovation to
communication, on the security team and across the company, we
try and bring innovation to Internet security. We are
constantly working to enhance online safety and address new and
emerging security threats.
And because those efforts are frequently behind the scenes,
I particularly appreciate the opportunity to highlight a few of
them for you today. We believe that our proactive efforts and
innovations in security are the key to providing a positive
online experience.
In my written testimony, I focus on a number of different
areas. One of those important areas is key partnerships. As a
company, we reach out to law enforcement and Internet privacy,
safety and security experts everywhere to learn about best
practices and to build on them.
For example, last year we created a Safety Advisory Board
consisting of representatives from five of the leading online
safety organizations. And we have regular meetings with them
and almost daily feedback from them on things that we can do in
particular in the area of teen safety.
The Board has been a great resource. One example has been
their contributions to the improved safety and security
messaging that we have launched in the last few months.
I am also proud of the strong relationships with the law
enforcement agencies here at the table today. The FBI has long
been a leader in cyber-crime investigation, and we are working
closely with the FBI on several large, multi-jurisdictional
cases right now against malware distributors and spammers who
have attempted to take advantage of the scale of social
networking sites. We have also worked with them on child safety
cases.
And the Secret Service is resourceful and innovative not
only on the Internet threat cases that they prioritize, but
also on other types of electronic crime investigations where we
have turned to them for assistance.
Following up on the comments of Congressman Goodlatte,
before Facebook, I think the common wisdom was that the
Internet was a place where people should avoid using their real
names or sharing information. Facebook was the first major web
service that required people to build their profiles and
networks using real names, while at the same time giving them
privacy controls so that they can limit who accesses their
information.
This was an important policy and technical architecture
choice which both allowed people using Facebook to become more
connected and made the service safer. In a culture of authentic
identity, your actions are observed by your real-world friends,
and it makes Facebook less attractive to predators and other
bad actors. And to be honest, those people, they stand out like
sore thumbs on our site.
We also make it easier for people to control what they want
to share, with whom and when. In my written testimony, I give
several examples, both in the context of privacy and in
security, where we give people controls over who sees what and
how they manage the security of their account.
On the back end, we are also very proactive. So, for
example, we became a level one PCI-compliant company, meeting
heightened data security standards even though, as a business,
we don't even meet the standard of those requirements being
necessary for our business.
We will also develop proprietary technologies that allow us
to continuously improve on our online safety efforts. We
generally don't discuss the back-end algorithms and things that
we use in that context, but these technologies allow us to
perform ongoing authentication checks and also to engage our
users in types of community verification.
Our technology has also helped us to obtain and take legal
action against people who try to do things that they shouldn't.
Congress enacted the CAN-SPAM Act, and I am proud to say that
Facebook is responsible for the two largest judgments in the
history of that Act, $873 million against Adam Guerbuez and
$711 million against the notorious spammer, Sanford Wallace.
I see that my time is up, so I would just like to maybe go
on a little bit and mention that, as we come here today, I
think that security requires vigilance, and Congress has been
vigilant in enacting targeted statutes to address Internet
security problems. It is an ongoing chess match, and there is
more to be done.
A couple of examples of things where we hope to continue to
work closely with the government are building out that national
database of convicted sex offenders that was called for in the
KIDS Act that Congress passed a couple years ago. We need
access to that national database today. And if we had access to
it, we would use it.
We need continued investment in cyber-literacy in
particular for teens and parents. An example, to get really in
the weeds, is we need broader access to the hashes of known
images of exploitation of children. With these hashes, we would
be able to run that list against our site and identify any
known image of child pornography and make sure that it was not
on our service. Facebook is the largest photo-sharing Web site
on the Internet, and that type of technology would be very
helpful.
We also need, I think law enforcement to receive more
resources for training. They need better technology in the
office, and they need better training on how to, in particular,
work on the international cases.
Unfortunately, the vast majority of the significant cyber-
crime that is going on today is cross-jurisdictional, and it
brings up new challenges that law enforcement have not had to
deal with on a day-in, day-out basis. For example, collection
of electronic data can involve service of legal process in
multiple countries and numerous jurisdictions across the United
States. As a result, these cases move too slowly, and many
international cases never get prosecuted at all.
In conclusion, I would just like to say that Facebook has
always sought to provide a safer environment than was generally
available, and we will continue to innovate in order to enhance
the safety and security of our community of users.
And on behalf of Facebook, I thank the Subcommittee for its
leadership and dedication to Internet innovation and safety.
[The prepared statement of Mr. Sullivan follows:]
Prepared Statement of Joe Sullivan
__________
Mr. Scott. Thank you very much.
Mr. Rotenberg?
TESTIMONY OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER (EPIC), WASHINGTON, DC
Mr. Rotenberg. Thank you, Chairman Scott, Ranking Member
Gohmert, Members of the Subcommittee. I appreciate the
opportunity to be here this afternoon.
My name is Marc Rotenberg. I am the executive director of
EPIC, and we are a leading privacy organization. We are
particularly concerned about the privacy issues related to
Facebook.
As you know, Facebook has become enormously influential on
the Internet. It has more than 500 million members. Someone
pointed out recently that, if it were a country, it would be
larger than the United States, Japan, and Germany combined. So
it is a very big player on the Internet.
At the same time, Facebook also has an enormous impact by
what it chooses to do or not do on the privacy of Internet
users. And when Facebook has changed its privacy policies and
the privacy settings of Internet users, it has raised real
privacy concerns.
In fact, my organization, EPIC, has filed two complaints at
the Federal Trade Commission resulting from these changes in
privacy settings because we believe they significantly
disadvantaged Internet users and created new risks to privacy.
Now, to be clear, the service is very useful. In fact, in
preparing for this hearing, I actually posted on my own
Facebook wall a question to Facebook users. I said, ``What
concerns do you have that I should share with Committee
Members?''
And many people responded, some who I know well, some who I
don't know particularly well, but the comments were helpful.
And I incorporated them in my prepared statement for you today
to give you some sense of the concerns that Facebook users
have.
And this point about changing the privacy settings came
back again and again and again. And I bring this to your
attention today, because I know in this discussion about the
risk of online victimization, which is a real threat,
oftentimes people talk about the need to better educate users,
to warn users about what they should or should not post.
And while I agree in some circumstances that is helpful,
user education can only go so far if a user has made a
determination not to disclose certain types of information to
certain organizations and the company in possession of that
information chooses to change the rules of the game.
A user might say, for example, ``I don't want this
information to be widely available or searchable through an
Internet search engine. I only want these photos to be
available to my friends or family members,'' and then the
company says, ``Well, we have a transition now in the privacy
settings, and we are going to change those defaults a bit. And
if you want to change them back, you are always free to do
so.''
The point that I am trying to make is that these changes in
the privacy settings create risks for users that they really
cannot control. This is the reason that we went to the Federal
Trade Commission and urged the FTC to enforce the agreement
that users had with Facebook and other Internet firms to
respect their privacy settings.
Now, I am bringing attention to this FTC complaint because
I think it has some specific implications for what this
Committee might be able to do to address user concerns about
online privacy in the social network space.
Because the FTC has not acted on this complaint, it means
that the companies are able to continue to make these changes,
and that there is no recourse for users. And what I am
proposing, therefore, is that the Federal law that regulates
the disclosure of information by companies such as Facebook,
the Electronic Communications Privacy Act, be amended so that
these disclosures to third parties could not occur without
clear and affirmative consent.
In other words, if a person has chosen not to disclose
personal information to an application developer that is a
business partner, a Facebook or an Internet Web site that is
also a business partner of Facebook, that preference should be
respected. And if it is not respected, then I think it is
creating a significant risk to the privacy of users online.
Looking ahead, this is going to continue to be an important
concern for Internet users until we have comprehensive
legislation protecting people online.
Thank you very much for the opportunity to testify. I would
be pleased to answer your questions.
[The prepared statement of Mr. Rotenberg follows:]
Prepared Statement of Marc Rotenberg
__________
Mr. Scott. Thank you.
We have been joined by the gentleman from Illinois, Mr.
Quigley, so thank you for being with us.
Mr. Pasqua?
TESTIMONY OF JOE PASQUA, VICE PRESIDENT FOR RESEARCH, SYMANTEC,
INC., WASHINGTON, DC
Mr. Pasqua. Mr. Chairman, Ranking Member Gohmert and
Members of the Subcommittee, thank you for the opportunity to
appear here today and discuss this important topic. As a global
information security leader, Symantec welcomes the opportunity
to provide the Committee with our insights on how to keep
social network users safe online.
While social networking has provided many new benefits, it
has also opened new doorways for cyber-crime. It has expanded
online opportunities for the underground economy, which has
discovered that social networking pays.
The infiltration of communities and the spreading of spam
or malware have become a part of everyday life within social
networks, and that trend is increasing. The potential abuses
cyber-criminals have conceived are highly varied and range from
targeted spying, spam and phishing mail distribution to
exploitation of security holes within particular social
networking platforms.
Attacks against both social networking sites themselves, as
well as individual users of those sites, have now become
standard practice for criminals. Part of the reason for this is
that these sites combine two factors that make for an ideal
target for online criminal activity: a massive number of users
and a high level of trust among the users.
Social networks also provide a rich repository of
information cyber-criminals can use to refine their phishing
attacks. Many Internet users today are too blasé about the
information they post on the web. Social network users should
always be cautious about the information they post online and
how it can be used.
In a rush to embrace the advantages of sharing information
on the Internet, many young people in particular have created
online data sets, or ``tattoos,'' that, much like the real
thing, are difficult to remove. Posting personal information
online can also leave them vulnerable to identity theft.
Details such as postal codes, birthdates, mother's maiden
names, can all be used by cyber-criminals to crack passwords,
hijack accounts, send out spam, and distribute malware.
In addition to the direct insertion of malware or the
distribution of mass mailings, cyber-criminals use social
networks to lure users to primed Web sites where they can steal
personal data so that they can sell it for profit. There has
been a marked increase in crimeware, or software used to
conduct cyber-crime, on social networks and elsewhere.
In 2009, Symantec created over 2.5 million new virus
signatures and discovered more than 210 million distinct
malware variants. That is a 56 and 75 percent increase,
respectively, over the same period in 2008.
And to put this in perspective, Symantec created more
malware signatures in the past 15 months than in the previous
18 years combined. So it is a massive, massive increase.
Attackers are now going directly after the end user and
attempting to trick them into downloading malware or divulging
sensitive information under the auspice that they are doing
something perfectly innocent. Social engineering's popularity
is at least in part spurred by the fact that the operating
system that a user is using or a browser is largely irrelevant.
It is the actual user that is being targeted, not necessarily
vulnerabilities in the machine.
To their credit, social network sites squash most threats
quickly, but it is not just targeted attacks you should be
worried about. It is adapted attacks. Adapted attacks occur
when bad guys take existing threats and use social networks to
increase the effectiveness of the attack through social
engineering. There is nothing like being surrounded by friends
to get you to lower your guard, and that is what they make you
think they are doing.
Given the potential for monetary gain from compromised
corporate intellectual property, cyber-criminals have also
turned their attention toward enterprises. Attackers are
leveraging the abundance of personal information openly
available on social networking sites to synthesize socially
engineered attacks on key individuals within targeted
companies. This can take into account position within the
company, colleagues, hobbies, places they have been, pictures,
etcetera.
I am just going to skip ahead a little bit and wrap up
because I see I am running low on time. But I will mention
that, according to a recent Symantec enterprise security
survey, most organizations do not have social networking policy
in place despite giving employees unfettered access to these
popular Web sites. Our survey also found that 84 percent of
CIOs and CISOs consider social networking sites to be a serious
threat to their security.
In closing, I have provided in my written testimony to the
Committee a number of useful precautions that all users of
social networks should consider in their use of this new
medium, and we all call this to the Committee's attention.
Mr. Chairman and Members of the Committee, Symantec
appreciates the opportunity to provide our input on combating
cyber-crime on social networks and protecting online privacy so
the Internet can reach its full potential. We look forward to
continuing to work with the Committee as it considers future
legislation in this area.
Thank you.
[The prepared statement of Mr. Pasqua follows:]
Prepared Statement of Joseph Pasqua
__________
Mr. Scott. Thank you. And I want to thank all of our
witnesses for their testimony. And we will now have questions,
and I will recognize myself first.
Are there laws in other countries that do not apply here in
terms of protecting people's privacy? Mr. Rotenberg?
Mr. Rotenberg. Maybe I should take this.
Mr. Chairman, part of our work at EPIC is looking at
different approaches to privacy protection. And I think it is
fairly well known that the Europeans have, I guess we could say,
a more comprehensive approach to privacy protection in that
companies that collect data on users have presumptive
obligations to protect the privacy of that information.
Here in the United States, we tend to do it on a sectoral
basis. We would legislate for a particular industry, for
example, like medical records, electronic health records.
I think what is important about this approach is that it
means that when companies like Facebook gather information on
users in other countries, they have to be more careful about
disclosure to other parties because they do run some risk of
stepping over the line on those more comprehensive privacy
laws.
Mr. Scott. I think, Mr. Rotenberg, you mentioned changing
security settings.
Mr. Rotenberg. Yes, the privacy settings.
Mr. Scott. And what allegation were you making there?
Mr. Rotenberg. Well, essentially that, for a person in the
United States who wants to protect their privacy on Facebook,
they have to go to a series of screens provided by Facebook and
make some choices. Do they want their photographs, for example,
to be available to everyone, or to their friends, or friends of
friends, or just a small group? And you make a lot of these
decisions about a lot of different information that you put
online.
Our objection is that, when the user makes those decisions,
and then Facebook comes along later on and says, ``Well, we
want to change our approach to privacy, and maybe you had your
photographs available only for family members but we are going
to change that setting to everyone,'' that is where the problem
arises. And that is actually the basis of most of the concerns
we think today that Facebook users have about privacy. It is
the changes in those settings.
Mr. Scott. Mr. Sullivan, did you want to respond to that?
Mr. Sullivan. Thank you, Chairman.
Our position on privacy hasn't changed. It is our belief
that people who use Facebook own their information, and they
have the right to share their information in the way that they
want to share it. And it is our responsibility to respect their
wishes.
On the subject of U.S. versus international laws, we
attempt to treat all of our users by one very high standard. We
don't differentiate between U.S. users and other users in terms
of presenting different standards to them or treat their
information with different levels of care.
Our approach has been to try and improve over time.
Facebook is a relatively new technology. As a company and a
product, we are 6 years old. And we are growing and learning
every day.
And the number one way that we learn is through feedback
from our users, and we are constantly innovating and trying to
learn from our users, and every innovation that we do is driven
by user feedback.
And in addition to innovating, the other thing we try and
pride ourselves on is responding quickly. So when we get
feedback that something isn't working right, we try and fix it
very quickly.
With regard to our privacy settings, we have spent a
considerable time and effort in the last year trying to make
them better and trying to make them easier to understand. I
feel very good about where our privacy settings are today, and
would love the opportunity to walk anyone through how those
settings work today.
We have a one-page that has all of your privacy settings on
it right now. We try and break it into three simple buckets--
your directory information, how you share information, and how
you share information with applications.
With regard to how you share information, it is literally a
one-click process, where you can go on the site right now and
say, ``I am not sure what my settings were for each different
thing that I posted, but right now I would like to make
everything I have ever put on the site friends-only.'' One
click, you can do that.
In addition, we know that people want flexibility, so we
have tried to build contextual messaging into our product so
that, at the time you make decisions about sharing, you can
customize the setting for that particular piece of information.
So if I want to share information about being in front of this
Committee today, I might want to share that only at work, or
maybe I want to share it with all of my friends. I have the
ability, one status update at a time, to change the setting to
direct it to different audiences.
Mr. Scott. I mean--I think, because sometimes people make
those choices, and Facebook comes behind and changes the
settings. Is that accurate?
Mr. Sullivan. No, that is not accurate.
Mr. Scott. Mr. Marc, do you want to make your statement?
Mr. Rotenberg. I am kind of astounded by Mr. Sullivan's
answer to your question. I mean, we have documented this in 50
pages to the Federal Trade Commission, and it is discussed by
hundreds of thousands of Facebook users across the Facebook
platform. So maybe Mr. Sullivan would like to rethink how he
answered your question.
In fact, I think he should also rethink what he said
earlier in response to your question about the ability of users
to selectively disclose what information to make available
online. Facebook has an increasingly broad category of what it
considers to be publicly available information. That is the
information that the user really has no control over, even the
users who would like the highest level of privacy settings.
And it is clear to just about everyone what direction that
category is heading, which is to say that Facebook will simply
continue to make more user information available. So I think
maybe Mr. Sullivan would like to rethink that answer also.
Mr. Scott. Do you want to respond, Mr. Sullivan?
Mr. Sullivan. I am not interested in changing my answer. I
stand by it.
Mr. Scott. Gentleman from Texas.
Mr. Gohmert. Thank you, Mr. Chairman.
And appreciate all the witnesses being here and for the
testimony.
I am curious, Mr. Sullivan, what information would you
recommend not sharing on Facebook specifically?
Mr. Sullivan. Personally and as a company, we want people
to make those decisions for themselves.
Mr. Gohmert. Well, but I am asking you personally rather
than Facebook.
Mr. Sullivan. Well, personally, I choose to share quite a
bit of information through Facebook, and I put different levels
of visibility on different types of information.
My contact information I make available to my friends on
Facebook, so my friends can go on Facebook and see my e-mail
address, my phone numbers, my Instant Messaging identifiers and
things like that. The pages that I am a fan of, I am happy to
share that with other people because I like to interact with
people who are fans of the same sports teams that I am fans of,
etcetera. My--information--I am sorry.
Mr. Gohmert. Let me ask you, since our time is so limited,
what problems has China indicated that they have with Facebook
that would prevent them from allowing Facebook to be
accessible, that is?
Mr. Sullivan. To be honest, I don't think we have----
Mr. Gohmert. Well, I would prefer you be honest. Thank you.
Mr. Sullivan. I don't think we have received a clear answer
on that. My understanding is that it relates to our refusal to
moderate speech.
Mr. Gohmert. To moderate speech? So if somebody said
something unkind about China, they would want that moderated.
Is that correct?
Mr. Sullivan. It is a very sensitive issue that we spend a
good deal of time trying to make sure that we as a company
respect free speech rights of our users.
Mr. Gohmert. I will take that as a yes. Thank you.
Mr. Pasqua, I appreciate your being here. And I hadn't
bought a Symantec or Norton product in probably 10 or 15 years.
But there is a perception that, once information is put
into a social networking site, that it is there forever, and
there is just really not anything that can be done. Since you
have been in the security business with the software, is there
anything that can be done to actually pull stuff out once it is
in there?
Mr. Pasqua. The fact of the matter is, there really are a
lot of different sites out there, and they have different
capabilities. Obviously, Facebook is a major important one, but
there are certain types of information on certain sites that
you can remove. There are other types of information in other
sites where you really have very little control over pulling
back information once you have created that content.
So if you, for example, have a comment on a blog that is
controlled by someone else, you can't necessarily control
whether you can delete that comment, or change it or amend what
you have said. It is really up to the owner of that Web site.
Mr. Gohmert. Okay. Let me ask our Federal entities
representatives.
Mr. Snow, how easy is it to pass information about
questionable Internet activity to other Federal entities,
whether the NSA, CIA, Secret Service? How easy is it within the
FBI to do that?
Mr. Snow. Sir, from the FBI's position, it is very easy for
us to pass----
Mr. Gohmert. Well, I understand that is your position, but
from a factual standpoint, how easy is it?
Mr. Snow. Yes, sir. We right now--and the Chairman
originally discussed it somewhat--we have the National Cyber
Investigative Joint Task Force that has been designated by the
White House and----
Mr. Gohmert. No, no, I understand all that, but, you know,
I have enough friends that are Federal agents in all different
sectors, and I keep hearing about difficulty, even since we had
the big umbrella of Homeland Security, in communicating. In
fact, some say that it has even created more problems in getting
information from one to the other, because now it goes up
before it comes down and goes lateral.
So that is what I am asking, really from a practical
standpoint, how easy is it? If you see a problem, can you just
send that out to friends at Secret Service, or what do you have
to go through to get that done?
Mr. Snow. Absolutely, sir. Anything that I have, I can
pass, almost in real-time, depending on which systems are
linked or not linked. So at----
Mr. Gohmert. Do you need approval from anyone to do that?
Mr. Snow. Sir, I am the approving entity and individual in
the cyber division, so anything cyber-related would go through
me. But I also take a very strong approach, a proactive
approach, on pushing those approval processes down to my
workers and my operators out at the National Cyber
Investigative Joint Task Force.
Mr. Gohmert. Great.
Mr. Merritt, how easy is the flow, from your experience?
Mr. Merritt. Very easy, sir. I mentioned the cyber-
intelligence section within our criminal investigative
division.
Mr. Gohmert. Right.
Mr. Merritt. These are extremely talented, both agents and
contractors with superior computer and linguistic capabilities
who monitor, real-time, these carding portals we have talked
about, the carding Web sites.
And when, in fact, an anomaly appears or a malware, for
example, based on our electronic crimes task forces, we
distribute that information real-time to our members. In turn,
they channel it down their flow chains. To include, we have a
representative on each FBI joint task force, along with our
national Joint Terrorism Task Force, and we do have a member at
their NCIJTF.
So the big benefit of this, sir, would be the private
sector who are not seeing this. Some corporations are better
suited, with their analysts, to identifying anomalies and
intrusions more so than others, especially the medium to small
size companies. But we do have that ability, and we do do that.
Mr. Gohmert. Thank you.
Mr. Merritt. Thank you.
Mr. Gohmert. Mr. Pasqua, I didn't mean to be cryptic, but
it has been back when I was a judge in the 1990s, I personally
bought some Norton securityware. I had examined the boxes, all
of the properties. Norton seemed to have good qualities, but
they had a $20 rebate if you sent the original receipt. And I
did, kept all the copies of everything I sent, said wait 6
weeks.
I waited about 10 weeks, called, and the lady said, ``If
you don't have proof that we received it, then you have got
nothing.'' And I said, ``Well, I didn't send it certified
because that would have eaten up the $20.'' And I said, ``But I
have got copies of everything.'' She said, ``Too bad. We don't
take copies. It said that in the rebate. We got the original.''
So I have cost Symantec, because people know I am somewhat
literate in the area, lots more than $20, and it is too late to
send me my $20 now that I am in Congress. But anyway, that is
the reason I haven't bought anything from Symantec in years,
but I appreciate the time, and I yield back.
Mr. Quigley [Presiding]. The gentleman yields back.
The gentlewoman from California is recognized.
Ms. Lofgren. Thank you very much. And first, let me offer
my regrets for not being here at the beginning of the hearing,
because I would have liked to have given a word of welcome to
two of the witnesses who represent companies located in Silicon
Valley, which I represent in the House. And that is both the
Facebook witness and, of course, Symantec, both companies that
employ many of my constituents. So, welcome here.
As I think about the risks involved in use of technology, I
think of them in at least two categories. One, there is really
nothing the government can do about.
I mean, if you decide to post your home address on Facebook
and not limit who sees it, and then say, ``Oh, by the way, I am
on vacation for a month,'' it is like saying, ``Please come
burglarize me.'' So that is really an education issue that the
government, and I really think the companies, are not
responsible for. It is a matter of Americans understanding what
they are doing.
There is a second issue, which is really a technology
issue, which is allowing people the opportunity to have their
rights respected. And I wanted to address, really, two
questions, probably three questions, to Mr. Sullivan.
It has been mentioned here by EPIC, certainly a very well
regarded organization that I have supported for years, that the
settings are too tough and maybe not fully implemented. And I
have actually complained, most recently a few months ago, not
that you couldn't do it, but that it was too complicated.
And I suggested to the Facebook people I met with that you
need not the Geek Squad but the Granny Squad. I mean, design it
for, you know, a grandma in the Midwest so she can understand
it and make it do what she wants with very simple clicks.
Do you think you have accomplished that yet? I realize this
is really still a startup. I mean, even though you are at half
a billion, you know, it is 6 years, and you are still growing.
Mr. Sullivan. Thank you very much for that question. And I
think that it is something that we spend time thinking about
every day, because I think your goals and our goals are aligned
on this issue. We want people to understand and be able to use
the controls because they will feel good about our service. And
I think that the controls that we have in place now are the
best we have ever had.
And as I mentioned earlier, the controls that we launched
as a result of the feedback that we received from people like
you, we think that we have dramatically simplified so that
you--you know, as you know, before, you had to go to five or
six different screens to cover all the different types of
sharing that you could do, and now you can manage all of that
on a single page.
Ms. Lofgren. And maybe that you are not at liberty, and
this may not be a fair question, but if EPIC had some further
suggestions for you to consider to simplify this, would you
welcome those suggestions?
Mr. Sullivan. We certainly would. In fact, I would like to
mention that both before the large rollout that we did last
fall of trying to engage users on new privacy settings, and
during the spring we did reach out to a large number of
organizations outside the company that asked for feedback, and
we received feedback from a number of highly regarded
organizations across the nonprofit and public and private
sector.
Ms. Lofgren. Let me ask you two other questions, and this
is one really having to do with people who decide that Facebook
is too much trouble and they wanted to delete their account.
I mean, if you post somewhere else, I realize that is on
somebody else's Facebook and you can't necessarily get rid of
that. But if you close your own account, is every whisper of
information that you have lodged with Facebook erased with
that?
Mr. Sullivan. Yes.
Ms. Lofgren. And finally, I would like to make a
suggestion, unless this has already been implemented. There are
times when things go wrong.
For example, somebody has failed to take appropriate steps
to safeguard their Facebook account, and it gets hijacked.
There is nobody to call. I mean, you can send an e-mail, but it
takes a long time to be sorted out. Are there plans in place to
have kind of a rapid response when things of that nature occur?
Mr. Sullivan. Yes. It is another area where we are
continuing to innovate. What we have done is we have placed
``Report'' buttons across our site, and you should be able to
find them on basically every single page. And we have put those
buttons in places where we think that you are most likely to
run into a problem and would want to report something. And the
``Report'' button opens up a dialogue.
And like you said, I think in the old days of the Internet,
companies would have a single e-mail address, and all of the
issues would come into one big bucket, and then you have to
have someone sort it. The way we do it now is, during the
report process, we have some very easy drop-downs where a user
can specify what the specific issue is. And that directs it
into a prioritization queue.
And so, for example, the most serious issues we try and get
to within, you know, hours, most frequent----
Ms. Lofgren. What would a serious issue be, for example?
Mr. Sullivan. So, an identity theft or cyber-bullying, or a
threat to life or a potential suicide discussion, or something
like that.
Ms. Lofgren. Okay. Well, that is more serious than
hijacking a Facebook page. Where would that fall in your
priority list? How long would it take to respond to that, do
you think?
Mr. Sullivan. I think probably within 24 hours, but----
Ms. Lofgren. If I told you it was 3 weeks, would you be
willing to look into it?
Mr. Sullivan. I certainly would like to look into it.
Ms. Lofgren. I would appreciate that.
I realize my time is just about over, but before I did, I
just want to, since the Chairman didn't get his rebate, I would
like to say I just bought a Symantec product that I have
installed on my home computer, and it is protecting me from
viruses and malware, and I appreciate it very much, and love
your products.
And I yield back.
Mr. Pasqua. Thank you.
And Member Gohmert, I am sorry we lost you as a customer. I
hope we can win you back. But most importantly, I hope you are
using some sort of protection on your machine.
Mr. Quigley. The gentlewoman's time has expired.
Mr. Goodlatte from Virginia is recognized.
Mr. Goodlatte. Thank you, Mr. Chairman.
Folks, welcome. I missed most of your testimony because I
had to go deal with another Committee and some legislation I
had there. I apologize for that.
But I did want to ask Mr. Snow, with the many Federal
agencies involved in some aspect of identity theft or related
cyber-crimes, is there ever confusion on the part of the
private industry sector as to what agency they should call for
assistance or to report a breach? Do you have some kind of a
clearinghouse, or----
Mr. Snow. Yes, sir. Our most powerful clearinghouse is the
agent and investigators that are in the field. So all the
different agencies, federal, state and local, and our
international partners are out pushing the outreach programs.
We have three very strong outreach programs--the Internet
Crime Complaint Center, which is a public-private partnership;
our InfraGard program, and then our computer education and
development unit, which go out, along with our domain entities,
as to other Federal agencies and state and local partners to
let people know, if you have crime or you have crime reporting,
to come and talk to us.
The clearinghouse actually takes place back in the
investigative agencies along with where the different
jurisdictional lines reside. So for instance, if you had a
problem, an Internet breach, you could Google it. You would
come up with probably about five or six places to go report.
If you were directed to the FBI Web site, FBI.gov, you
would be directed back to the Internet Crime Complaint Center.
It would talk to you about what that crime complaint center
does, what it can provide you, and how to report. It would have
a very accessible link there.
The Internet Crime Complaint Center, if you started there,
would have the same issue and reporting mechanism. And then, we
have an educational partnership that is called www-lookstoogoodtobetrue, and you would be able to go there, also.
An important part of the education, and I know we have
talked about the education, is that all three of these sites,
individuals that are suspecting that they may be subjects, or
potential subjects, which everybody is, of Internet fraud or
computer hacking, can sign up for informational alerts that
will come to whatever piece that you have.
Mr. Goodlatte. Thank you.
Mr. Sullivan, let me follow up on the question from Ms.
Lofgren regarding the privacy issues there. Can you explain
Facebook's privacy transition tool? How does this process
ensure that users are considering privacy issues in evaluating
their own security settings?
Mr. Sullivan. Certainly. So, last December, we took on I
think what was probably an unprecedented event in the history
of the Internet, and that is that we tried to engage every
single one of our users and make them think about privacy.
And so, what we did was we put that wizard, which was a
page that talked about privacy and laid out your settings and
what we were recommending as settings, in front of every single
user, and we simply wouldn't let you use the service again
until you walked through these pages and said, ``I want to do
it this way.''
And so, that was quite a massive undertaking, and it got
quite a bit of attention, and we were pleased in both regards
because we saw that users engaged with this wizard, that they
made decisions, that they talked about privacy, they thought
about privacy, they thought about what they put on the site
before. And they have continued to use the privacy settings
after that day even more than they ever did.
Mr. Goodlatte. What is instant personalization? I know that
Facebook has become a platform upon which you have invited
other vendors to build various tools that they can utilize as
members of Facebook. What assurances do you have that partner
sites in this program have sufficient protection to safeguard
Facebook users?
Mr. Sullivan. Sir, from the security standpoint, we focus
on a number of different things. This is a beta program that--
only used on a very limited number of carefully selected
partner sites at the moment.
And we have done a couple of different things. We have done
some external auditing of their security measures. I manage an
information security team that has investigative experts who
understand the different types of vulnerabilities the Web sites
have. We have made suggestions. We have had dialogue with their
internal experts.
And then, we also on the security side, we make suggestions
for requirements to put into the written contracts about the
standards that we expect those sites to live up to. So as I
mentioned earlier, we are PCI level one compliant, and there
are other security standards and acronyms that I won't share
today, but are the types of things that we would look for.
Mr. Goodlatte. One last thing. You indicated in your
testimony that you will use legal means to go after people that
are behind specific scams. Can you elaborate on this? Is it
civil actions that you will pursue, or do you assist law
enforcement authorities in pursuit of criminal charges, or
both? What are you talking about there?
Mr. Sullivan. So our goal is always to prevent something
bad from happening. But if it does happen our second goal is to
be incredibly aggressive.
And so, I mentioned in my written testimony in a bit
earlier a couple of the CAN-SPAM cases that we have brought.
And so, in these two cases that have received a decent amount
of attention in the mainstream press, they have actually
received even more attention in the forums where the bad guys
meet.
And we spend a lot of time on my team in those forums. Like
the folks at Symantec do, we spend a lot of time trying to
understand what the bad guys are interested in, what they are
focused on, which companies they are targeting, what their
newest techniques are.
And it has been fascinating for us to take back and share
with the company the impact of these spam cases. You know, we
certainly aren't going to collect $700 million from Mr.
Guerbuez or, you know, $800 million from Sanford Wallace, but
we are going to be pursuing them for the rest of their life,
and that is a heavy judgment hanging over their heads.
And you see people talking in these forums, saying, ``Don't
go after Facebook. That is a bad idea.'' So we do see a
deterrent effect in that type of civil action.
Likewise, on the criminal side, we have brought a number of
cases to both the FBI and the Secret Service over the last
couple of years where we have identified individuals or groups
that are attempting to target our users, whether through
distribution of malware or through spam or other types of
problems like that.
Mr. Goodlatte. Thank you.
My time has expired. Thank you, Mr. Chairman.
Mr. Quigley. Thank you.
Mr. Deutch is recognized.
Mr. Deutch. Thank you, Mr. Chairman.
Gentlemen, I think we need to do a better job of raising
awareness among Internet users, particularly children. While
most social networking activities are harmless, the fact is
there are people who are out there who are going to tell a lie
and hurt you.
And whether it is someone seeking easy money or a child
predator, when it comes to social networking, these criminals
know the game, and they are going to play it. I am deeply
concerned about the risks that the predators pose to children,
and I believe we need to do more to minimize the risks to
children online.
Education is a critical component of crime prevention. As a
parent, I am no stranger to the need to talk to children early
and often about online predators. Parents must play a critical
role to make them understand the risks that are out there.
Now, I applaud the efforts of the FBI, Secret Service and
other law enforcement agencies to protect children, but I think
everyone would agree, if even one child is victimized, we as a
government need to do more. And while we can't promise our
children that we are never going to let them down, we can at
least commit to not deserting them and focus on what additional
tools might be helpful.
To that end, as a Member of the Foreign Affairs Committee,
I am particularly interested in the international component of
this problem. Criminals thrive in areas where the government is
too blind to see. And while this is true of traditional
criminal activities, it is particularly true of Internet-based
crimes.
So how do we go after criminals who know the rules and
purposely set up shop in lawless areas or countries that are
willing to turn a blind eye to these activities? I guess, Mr.
Merritt and Mr. Snow, I would turn to you for this.
Mr. Merritt. Sir, I think somebody referenced it earlier,
some of the challenges when these crimes originate overseas and
they target either U.S. citizens or corporations, and then the
financial infrastructure. In addition to some countries that
don't have legislation that makes this necessarily a crime in
their country, there are other challenges, as well.
I mean, I think law enforcement here in the United States
has been able to dispel the myth of anonymity that the computer
and the Internet provide to the criminals because we have been
successful in many investigations identifying these people.
But you get into lack of legislation, countries that don't
have an extradition treaty with the states, the official
channels that we normally go through for MLATs and letters
rogatory are very cumbersome and time-consuming.
So a lot of it develops--and I will let Gordon speak for
himself, but it develops on the relationship that you have with
your foreign law enforcement counterparts and what you are able
to successfully do with them, because we obviously have limited
jurisdiction overseas.
Mr. Snow. Yes, sir. I will--the comments of Mr. Merritt.
The relationship internationally is just completely critical,
and in legislation development, which, you know, we don't speak
to but Department of Justice does, is also critical, the MLAT,
the letter rogatories, the officer-to-officer contact that we
have.
And then the private-public partnerships that develop when
you talk about child exploitation is critical also. So the
National Center for Missing and Exploited Children are really
doing some fantastic things in their public-private
partnership, along with the International Center for Missing
and Exploited Children.
Mr. Deutch. Thank you.
Mr. Sullivan, I am looking at the statement of rights and
responsibilities on Facebook, which says, very clearly, you
will not use Facebook if you are under 13. I would suggest to
you that there are more 60-, 70- and 80-year-old grandparents,
widows and widowers, with full, rich life histories who are, in
fact, 10, 11 and 12 years old on Facebook than you could even
imagine.
And I wonder, since Facebook very clearly says it should
not be used unless you are 13, what should we be doing? Do we
pretend that the younger kids aren't doing it? Is there
something Facebook can be doing to make it safer for those
younger kids, which is, I think, the approach that makes the
most sense to me? And have you tried to track the number of
pre-teens who are actually using Facebook, since the numbers
must be astounding?
Mr. Sullivan. Sir, you are right that our policy is very
clear, that we don't want people under the age of 13 to use our
service. And we have taken a multi-tiered approach to trying to
make that happen. And to the extent that you are aware, or if
you become aware of someone under the age of 13, or you know
their parents, I would ask that you put them in touch with me
or advise them not to use the service until they turn 13.
It is a topic that has received a lot of attention in
recent years, how do we address teens and youth online. And the
approach we have taken is kind of a three-tiered approach. I
think that we do focus on policy and we focus on education, and
then we build tools to try and prevent those under 13 from
using our site.
Mr. Deutch. I guess just if I may, Mr. Chairman, the last
question is there are two approaches. You can devote
considerable energy to trying to prevent 11- and 12-year-old
kids from using Facebook, or you can acknowledge that there are
thousands and thousands of 11 and 12 and 10, and I don't even
know how young, kids who are using Facebook, and ratchet up the
privacy levels or create a separate area for them. And is that
even part of your thinking, or is the focus entirely on keeping
them off?
Mr. Sullivan. Our focus right now is on keeping them off of
Facebook and on making Facebook as safe as possible for that 13
to 18 group that is on the site. And so, I mentioned earlier
that we don't have different rules for people in different
jurisdictions around the world. We do treat people differently
who are under the age of 18 in terms of what we would even
allow them to do on the site or the type of information that is
even made visible to them.
Mr. Deutch. Last question, Mr. Chairman. Do you deny access
to anyone--do you scan your members to find those who are
clearly describing life experiences in one way on their
biography, and then have pictures of little kids, lots and lots
of pictures of 10, 11 year olds on their site?
Mr. Sullivan. We do have some back-end tools and algorithms
that we use. We also rely on a considerably passionate user
community who is very happy to report other people to us. And
finally, we do use technology to, you know, try and identify
and make sure that those people aren't on our site.
Mr. Deutch. Okay. I think, finally, there is an obligation
also, as you work to address all of the concerns, if you know
that there are thousands of kids out there that, while the goal
may be to keep them off, we should be trying, and you should be
trying, to keep them safe, as well.
Mr. Sullivan. That is right.
Mr. Quigley. Gentleman's time has expired.
I would like to thank the witnesses for their testimony
today. Members may have additional written questions, which we
will forward to you and ask that you answer as promptly as you
can so that they may be made part of the hearing record. The
record will remain open for 1 week for submission of additional
material.
Without objection, the Subcommittee stands adjourned.
[Whereupon, at 3:35 p.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record