[House Hearing, 111 Congress]
[From the U.S. Government Publishing Office]
H.R. 2221, THE DATA ACCOUNTABILITY AND PROTECTION ACT, AND H.R. 1319,
THE INFORMED P2P USER ACT
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMERCE, TRADE,
AND CONSUMER PROTECTION
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
MAY 5, 2009
__________
Serial No. 111-36
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
----------
U.S. GOVERNMENT PRINTING OFFICE
72-885 PDF WASHINGTON : 2012
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
HENRY A. WAXMAN, California, Chairman
JOHN D. DINGELL, Michigan JOE BARTON, Texas
Chairman Emeritus Ranking Member
EDWARD J. MARKEY, Massachusetts RALPH M. HALL, Texas
RICK BOUCHER, Virginia FRED UPTON, Michigan
FRANK PALLONE, Jr., New Jersey CLIFF STEARNS, Florida
BART GORDON, Tennessee NATHAN DEAL, Georgia
BOBBY L. RUSH, Illinois ED WHITFIELD, Kentucky
ANNA G. ESHOO, California JOHN SHIMKUS, Illinois
BART STUPAK, Michigan JOHN B. SHADEGG, Arizona
ELIOT L. ENGEL, New York ROY BLUNT, Missouri
GENE GREEN, Texas STEVE BUYER, Indiana
DIANA DeGETTE, Colorado GEORGE RADANOVICH, California
Vice Chairman JOSEPH R. PITTS, Pennsylvania
LOIS CAPPS, California MARY BONO MACK, California
MICHAEL F. DOYLE, Pennsylvania GREG WALDEN, Oregon
JANE HARMAN, California LEE TERRY, Nebraska
TOM ALLEN, Maine MIKE ROGERS, Michigan
JAN SCHAKOWSKY, Illinois SUE WILKINS MYRICK, North Carolina
HILDA L. SOLIS, California JOHN SULLIVAN, Oklahoma
CHARLES A. GONZALEZ, Texas TIM MURPHY, Pennsylvania
JAY INSLEE, Washington MICHAEL C. BURGESS, Texas
TAMMY BALDWIN, Wisconsin MARSHA BLACKBURN, Tennessee
MIKE ROSS, Arkansas PHIL GINGREY, Georgia
ANTHONY D. WEINER, New York STEVE SCALISE, Louisiana
JIM MATHESON, Utah PARKER GRIFFITH, Alabama
G.K. BUTTERFIELD, North Carolina ROBERT E. LATTA, Ohio
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California
DONNA CHRISTENSEN, Virgin Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
CHRISTOPHER MURPHY, Connecticut
ZACHARY T. SPACE, Ohio
JERRY McNERNEY, California
BETTY SUTTON, Ohio
BRUCE BRALEY, Iowa
PETER WELCH, Vermont
(ii)
Subcommittee on Commerce, Trade, and Consumer Protection
BOBBY L. RUSH, Illinois
Chairman
JAN SCHAKOWSKY, Illinois CLIFF STEARNS, Florida
Vice Chair Ranking Member
JOHN SARBANES, Maryland RALPH M. HALL, Texas
BETTY SUTTON, Ohio DENNIS HASTERT, Illinois
FRANK PALLONE, New Jersey ED WHITFIELD, Kentucky
BART GORDON, Tennessee CHARLES W. ``CHIP'' PICKERING,
BART STUPAK, Michigan Mississippi
GENE GREEN, Texas GEORGE RADANOVICH, California
CHARLES A. GONZALEZ, Texas JOSEPH R. PITTS, Pennsylvania
ANTHONY D. WEINER, New York MARY BONO MACK, California
JIM MATHESON, Utah LEE TERRY, Nebraska
G.K. BUTTERFIELD, North Carolina MIKE ROGERS, Michigan
JOHN BARROW, Georgia SUE WILKINS MYRICK, North Carolina
DORIS O. MATSUI, California MICHAEL C. BURGESS, Texas
KATHY CASTOR, Florida
ZACHARY T. SPACE, Ohio
BRUCE BRALEY, Iowa
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan (ex
officio)
C O N T E N T S
----------
Page
Hon. Bobby L. Rush, a Representative in Congress from the State
of Illinois, opening statement................................. 1
Hon. George Radanovich, a Representative in Congress from the
State of California, opening statement......................... 2
Hon. John Barrow, a Representative in Congress from the State of
Georgia, opening statement..................................... 4
Hon. Cliff Stearns, a Representative in Congress from the State
of Florida, prepared statement................................. 5
Hon. Mary Bono Mack, a Representative in Congress from the State
of California, prepared statement.............................. 6
Hon. Tim Murphy, a Representative in Congress from the
Commonwealth of Pennsylvania, prepared statement............... 6
Hon. Lee Terry, a Representative in Congress from the State of
Nebraska, opening statement.................................... 7
Hon. Phil Gingrey, a Representative in Congress from the State of
Georgia, opening statement..................................... 8
Hon. Marsha Blackburn, a Representative in Congress from the
State of Tennessee, prepared statement......................... 151
Witnesses
Eileen Harrington, Acting Director, Bureau of Consumer
Protection, Federal Trade Commission........................... 9
Prepared statement........................................... 12
Answers to submitted questions............................... 153
David M. Sohn, Senior Policy Counsel, Center for Democracy and
Technology..................................................... 36
Prepared statement........................................... 38
Answers to submitted questions............................... 157
Robert W. Holleyman II, President and Chief Executive Officer,
Business Software Alliance..................................... 48
Prepared statement........................................... 50
Answers to submitted questions............................... 161
Martin C. Lafferty, Chief Executive Officer, Distributed
Computing Industry Association................................. 57
Prepared statement........................................... 59
Stuart K. Pratt, President and Chief Executive Officer, Consumer
Data Industry Association...................................... 88
Prepared statement........................................... 90
Answers to submitted questions............................... 164
Marc Rotenberg, Executive Director, Electronic Privacy
Information Center............................................. 101
Prepared statement........................................... 103
Answers to submitted questions............................... 167
Robert Boback, Chief Executive Officer, Tiversa, Inc............. 113
Prepared statement........................................... 115
Thomas D. Sydnor, Senior Fellow and Director, Center for the
Study of Digital Property, Progress and Freedom Foundation..... 127
Prepared statement........................................... 129
H.R. 2221, THE DATA ACCOUNTABILITY AND PROTECTION ACT, AND H.R. 1319,
THE INFORMED P2P USER ACT
----------
TUESDAY, MAY 5, 2009
House of Representatives,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 2:00 p.m., in
Room 2123 of the Rayburn House Office Building, Hon. Bobby L.
Rush (chairman) presiding.
Members present: Representatives Rush, Stupak, Barrow,
Radanovich, Stearns, Bono Mack, Terry, Murphy of Pennsylvania,
Gingrey and Scalise.
Staff present: Christian Fjeld, Counsel; Marc Gromar,
Counsel; Valerie Baron, Legislative Clerk; Brian McCullough,
Minority Senior Professional Staff; Will Carty, Minority
Professional Staff; and Sam Costello, Minority legislative
Analyst.
OPENING STATEMENT OF HON. BOBBY L. RUSH
Mr. Rush. The subcommittee will now come to order.
Today the subcommittee is holding a legislative hearing on
two bills: H.R. 2221, the Data Accountability and Trust Act,
and H.R. 1319, the Informed P2P User Act. The chair will
recognize himself for 5 minutes for the purposes of an opening
statement.
Today the subcommittee is holding a legislative hearing on
the two above-mentioned bills. They were both introduced by two
distinguished members of the subcommittee, my colleagues Ms.
Bono Mack and Mr. Barrow, and H.R. 2221, which is the Data
Accountability and Trust Act, also known as DATA, was
introduced by myself and Mr. Stearns. Ms. Bono Mack and Mr.
Barrow introduced H.R. 1319. Both of these bills represent
strong bipartisan efforts to address high-profile problems
affecting American consumers.
H.R. 1319, the Informed P2P User Act, addresses the
increasingly frequent problem of consumers inadvertently
exposing their private sensitive information by way of peer-to-
peer file-sharing programs. Too often when consumers download
these programs onto their computers with the intent of sharing
and downloading certain files on the network, they are unaware
that they are also sharing other files they otherwise might
want to keep private. For instance, recent media reports have
focused on consumers unknowingly sharing their tax returns and
their Social Security numbers on P2P networks. Such inadvertent
file sharing can be the result of deceptive or misleading
disclosures by P2P software companies or they might emanate
from simple confusion on the part of consumers. Whatever the
case, the intent of H.R. 1319 is to provide consumers with the
power of informed consent before they download P2P software
onto their computers and share folders and files with network
participants.
The second bill that we will be discussing today is H.R.
2221, the Data Accountability and Trust Act. This is the third
Congress in which this bill has been introduced. Mr. Stearns as
chairman of this subcommittee in the 109th Congress originally
introduced the bill as H.R. 4127, and with the help of then-
Ranking Member Schakowsky, it eventually passed the full Energy
and Commerce Committee by a unanimous vote. However, no further
action was taken on the bill as a result of jurisdictional
disputes. In the subsequent 110th Congress, I reintroduced the
bill as H.R. 958, but we were unable to take any action. Once
again in this current Congress, I have reintroduced the bill
with Mr. Stearns, Mr. Barton, Ms. Schakowsky and Mr. Radanovich
as H.R. 2221 with the intent that it does eventually become
law.
H.R. 2221 has two basic components. First, the bill
requires that persons processing electronic data that contains
personal information must take steps to ensure that the data is
secure. Second, the bill establishes a notification procedure
and process that a company must take when a data breach occurs
in order to allow affected consumers to protect themselves.
Companies do not have to initiate such notices of they
determine that ``there is no reasonable risk of identity theft,
fraud or other unlawful acts.'' H.R. 2221 also imposes special
requirements on data brokers but accommodates other laws that
govern how certain data brokers are regulated. These bills may
require some revision, and while this may not be the first time
we have taken up data security, and H.R. 2221 already reflects
significant changes forged by compromise made in the 109th
Congress, the bill may be dated and in need of an update. This
subcommittee is looking forward to working in a bipartisan
fashion and seeking bipartisan cooperation based on our
historical bipartisanship, and I expect that bipartisanship to
be at work on both of these bills.
Lastly, I want to just announce for the record that I have
an intention to hold a joint hearing on consumer privacy with
Chairman Boucher and the Subcommittee on Communications,
Technology, and the Internet and to work on comprehensive
legislation. This is just a part of a larger process.
Mr. Rush. With that, I yield back the balance of my time
and recognize now for the purposes of an opening statement the
ranking member on this subcommittee, Mr. Radanovich, for 5
minutes.
OPENING STATEMENT OF HON. GEORGE RADANOVICH
Mr. Radanovich. Thank you, Mr. Chairman. Good afternoon,
everybody.
I would first like to thank the witnesses before us today
and the organizations that have offered comments and
suggestions assisting the important work of crafting a robust
and workable data security bill. Both that bill and the P2P
bill that we have, there are core concerns about the
unauthorized or inadvertent sharing of sensitive information. I
want to commend Mr. Stearns, Ms. Schakowsky, Mr. Barton, Mr.
Dingell, Mr. Whitfield and now Mr. Rush and Mr. Waxman, all of
whom were chairmen and/or ranking members who have helped bring
attention to these issues. I also want to recognize Ms. Bono
Mack's leadership on digital security over the years and on her
bill to prevent inadvertent file sharing on peer-to-peer
networks.
File sharing presents privacy and security issues but also
relates to online safety more generally, and being a father, I
am glad to see that a bill that improves children's digital
safety and will help protect from some of the atrocities that
are being committed using these networks on line.
Huge data security breaches shocked us all starting back in
2005 with the ChoicePoint breach and millions of people in the
United States had discovered that they are victims of identity
theft. Billions are lost by consumers and by businesses as they
spend money and time to repair their finances. Particularly in
difficult economic times when credit is increasingly tough to
secure, the potential disruption and obstruction of commercial
activity in every sector of the U.S. economy cannot be ignored.
Internet-based and other electronic transactions are
fundamental these days and ensuring consumer confidence in
these systems is essential. The Congress, and this committee in
particular, are charged with the responsibility to ensure that
the entities possessing and dealing in sensitive consumer data
keep the doors locked and the alarm on.
The health of our modern network system of commerce demands
it. Very simply, H.R. 2221 would create a uniform national data
breach notification regime. I believe that notification must be
based on the actual risk of potential harm from identity theft
or other malfeasance and the mandates that we put on covered
entities must be the same across the country. Allowing
individual States to alter the rules will only lead to consumer
confusion and unnecessary business expenses, costs that will
inevitably be passed on to the consumer. Let us get a good bill
that robustly protects consumers while not adding requirements
that only add costs.
The world has changed since we last considered this bill,
and I am anxious to hear about those developments. Some parts
of the bill may now be obsolete, given the actions of the
private sector, actions by both those who hold sensitive
information and by companies who now offer products directly to
consumers to monitor their credit. We must take all of this
into account and get a workable bill that we can all support.
While the data security bill is one with which the
committee has some experience, Ms. Bono Mack's bill, H.R. 1319,
is a relatively new one. She was out in front on the issue last
Congress, introducing an earlier version of the bill last
September. Since then we have seen multiple news stories about
the problems the bill attempts to addressing, inadvertent
sharing of sensitive files across peer-to-peer networks. I want
to state at the outset that it is not the committee's intent to
simply demonize P2P software. There are many legitimate and
important uses of this innovative program and I am glad that
the P2P industry is here to talk about the uses of their
products. However, the systems present some interesting
problems as well. Last month the P2P security company Tiversa,
who is here to testify, found the schematics of Marine One,
President Obama's new helicopter, on a P2P server in Iran. In
other reporting it was found that millions of sensitive
personal records including Social Security numbers, medical
records, credit reports and tax returns with names and
addresses were easily found on P2P networks.
The problem of inadvertent sharing is enhanced by the
actual architecture of the programs. It is often unclear to a
user what may be leaked, and it can be difficult to change
settings to prevent it. After Mr. Waxman examined this in the
former committee down the hall, it appears that 2 years later
many P2P providers have not taken adequate steps to address
this. We need to take a close look at the problem and the bill.
We do not want to sweep technologies into a potential regime
that we do not intend nor do we want to exclude technologies
that we can all agree should be covered. How we define P2P
software is critical.
Mr. Chairman, I look forward to the comments on these bills
and I would like to express my gratitude to the majority for
their intent to develop these bills. Thank you, Mr. Chairman.
Mr. Rush. The chair thanks the gentleman.
The chair now recognizes Mr. Barrow for 2 minutes. Mr.
Barrow is a sponsor of one of the bills and certainly I am
grateful to him for his legislative work. Mr. Barrow, you are
recognized for 2 minutes for the purposes of an opening
statement.
OPENING STATEMENT OF HON. JOHN BARROW
Mr. Barrow. Thank you, Mr. Chairman.
We live in a world where digital technology has connected
people and their ideas, their information and products, making
possible all kinds of new kinds of collaboration and
innovation. There is no doubt that this has made us all a lot
more productive. It has also made it possible for folks to
invade our personal records and reveal private information
about us and our families that we choose not to disclose.
The purpose of today's hearing is to discuss threats to
data security and ways we can work to fill in the gaps that
leave our personal records vulnerable. I had the opportunity to
work with Congresswoman Mary Bono Mack on H.R. 1319, the
Informed Peer to Peer User Act, and I hope that this hearing
will shed some light on the privacy and security risks that are
associated with peer-to-peer file-sharing programs. A lot of
folks who connect to these networks don't even realize that
their most personal and private files are visible to everyone
else on the network at any time. A lot of folks are posting
their tax returns, financial records and personal messages on
the Internet and don't even know it. I hope that our work on
this committee will come up with a strategy that will let
individuals know in a way that they can understand and use that
the information on the computers could be at risk. We have
truth in lending and we have truth in labeling. I think it is
time we had truth in networking also.
I want to thank Congresswoman Mary Bono Mack for allowing
me to work with her on the Informed Peer to Peer User Act and I
want to thank Chairman Waxman and Ranking Member Barton for
bringing these important issues to the forefront in our
committee, and most importantly, I want to thank every one of
you on this panel today for being here to lend your expertise
on this important subject.
Thank you, and I yield back the balance of my time.
Mr. Rush. The chair thanks the gentleman. The chair now
recognizes the other author of one of these bills that we are
hearing today, Ms. Bono Mack--I am sorry--Mr. Stearns, I am
sorry, the former ranking member of the subcommittee, Mr.
Stearns of Florida, who is recognized for 2 minutes for the
purposes of an opening statement.
Mr. Stearns. Thank you, Mr. Chairman, and I--
Mr. Rush. I didn't mean to confuse you with Ms. Bono Mack.
OPENING STATEMENT OF HON. CLIFF STEARNS
Mr. Stearns. She is much better looking.
Mr. Chairman, thank you very much, and I think in your
opening statement you pretty much outlined my feeling about
this. Obviously this is a bill that was introduced on October
25, 2005. It was H.R. 4127, and as you pointed out, we passed
this bill by unanimous consent. Ms. Schakowsky and I worked
together on that bill and we had compromises. We got the bill.
So I am very pleased that you have taken the initiative, the
leadership to offer this bill again, and I am very glad to be
an original cosponsor with you. I am hoping it has the same
kind of success that we had, Ms. Schakowsky and I, because it
is a very, very important bill.
Recently some hackers broke into a Virginia State website
used by pharmacists to track prescription drug abuse. They took
all these names and it is 8 million patients and they deleted
them from the site and they are asking for money to replace
them, so in a way they are asking for ransom, and if this
Virginia website had an encrypted data security full-blown
protection of this information, it would have been difficult,
if not impossible, for these hackers to get in and to take this
information. It is 8,257,000 names. And that is why this bill
is so important so I am very pleased to support it.
Also, the gentlelady from California's bill, the Informed
P2P User Act, which is again very important. With the diverse
connectivity we have in networks, and of course with the
increased broadband that we are starting to see, people are
going to go more to this peer-to-peer downloading and this
centralized resources in your computer and these servers going
back and forth between each other, you have got to have some
notification to the users what is occurring or a lot of their
applications and their information will be also taken.
So it is very appropriate these two bills come together, I
think, and Mr. Chairman, I commend you and your staff for
bringing them both because in a way we are talking about data
security with both of them and protection of the consumer, and
I thank you, Mr. Chairman.
Mr. Rush. The chair thanks the gentleman. Now the chair
recognizes Ms. Bono Mack of California for 2 minutes for the
purposes of an opening statement.
OPENING STATEMENT OF HON. MARY BONO MACK
Ms. Bono Mack. I thank the chair and Ranking Member
Radanovich and the distinguished panel for being here today.
Thank you for holding a hearing on important privacy
legislation. Today my comments will focus entirely on H.R.
1219, the Informed P2P User Act, but before I dig into the
issue of P2P, I would like to thank Ranking Member Barton as
well as my colleague, Congressman Barrow, for their willingness
to work together on H.R. 1319. As you have seen, this is a
bipartisan bill and their support has been essential. I thank
them both.
The risks associated with peer-to-peer file-sharing
programs has been widely reported by the media and thoroughly
investigated by Congress. Many of our witnesses today have
testified before other Congressional committees on the dangers
associated with P2P file-sharing programs, and each time the
committee was given a status update of the dangers.
Additionally, industry claimed ignorance and stated they would
handle the problem through self-regulation. This hands-off
approach has not worked and any set of voluntary best practices
put forth by the P2P industry can no longer be seen as
credible. To paraphrase Groucho Marx, you want me to believe
you and your voluntary measures instead of my own two eyes. How
many more medical records and tax returns is it going to take
for us to act? How many state secrets will be made available to
those who want to harm us? How much more damage are we going to
allow P2P file-sharing programs to do to our economy? I believe
enough is enough and the time to act is now.
Industry's opportunity to self-regulate has passed. P2P
file-sharing programs like Lime Wire and Kazaa before it have
proven they are either incapable of solving the problem of
inadvertent file sharing on their own or they have absolutely
no intention of solving the problem at all. Either way, this
behavior is unacceptable, as the committee charged with
consumer protection, we have a responsibility to our
constituents to act.
I am also aware that some of you have concerns about some
of the language of H.R. 1319. Please note that my office is
very willing to listen to your concerns and work with you to
craft a bill that is not overly broad but still carries out the
current intent of H.R. 1319. I believe that if we work together
we should be able to produce a bill that protects our
constituents and preserves the legitimate use of P2P
applications.
I look forward to today's discussion, and I thank the
chairman very much for holding this hearing. I yield back.
Mr. Rush. The chair thanks the gentlelady. Now the chair
recognizes the gentleman from Pennsylvania, Dr. Murphy, for the
purposes of an opening statement. The gentleman is recognized
for 2 minutes.
OPENING STATEMENT OF HON. TIM MURPHY
Mr. Murphy of Pennsylvania. Thank you, Mr. Chairman, and by
the way, I would also like to welcome a Pittsburgher, Mr.
Boback of Tiversa, he and I have spoken a number of times in
the past, as well as this incredibly distinguished panel. The
expertise you all have, I am excited about you being here.
The sad thing about this is, this is a discussion that has
not begun today. I think some of you have testified in past
years and I know that Mr. Boback and I have spoken years ago.
When we look at what has been released about the documents from
Marine One, a couple terabytes of information on the Joint
Strike fighter jet, a whole host of so much information, it
makes me wonder why anybody trusts to have any files on the
computers at all. It reminds me of the way that Rome acted
during the time the Barbarians were beginning to invade various
parts of Germany, and I am sure some Roman emperor, some Roman
generals were saying nothing to worry about, we have this
system under control, even when they were sacking Rome, and I
believe that is where we are now. It is not safe. The portals
created by these peer-to-peer networks are huge and the fact
that our Department of Defense keeps anything on any computer
that is accessible from the outside still astounds me. I
applaud this bill, and I think this is important because it
does move a long way towards protecting consumers and families
who inadvertently have their files stolen and accessed whether
it is their tax records, medical records or anything else. But
the best thing we need to remember for so many folks whether
they are John and Jane Doe in their home somewhere or it is our
defense department or is any corporation that no matter what we
do here, they are still responsible for keeping the information
inaccessible to the Internet because those folks from other
countries who continue to send out press releases denying they
are doing it and yet all paths seem to lead back to those
countries, we have to understand that the wealth of information
we have on our computer networks and what we have done to
protect those is all for naught if we continue to put those on
computers.
With that, Mr. Chairman, I yield back.
Mr. Rush. The chair thanks the gentleman. Now the gentleman
from Nebraska, Mr. Terry, is recognized for 2 minutes for the
purposes of an an opening statement.
OPENING STATEMENT OF HON. LEE TERRY
Mr. Terry. Thank you, Mr. Chairman. I want to thank you for
holding today's hearing, but more specifically, we have been
down this road a couple times before and I think it is
imperative that we move these bills.
I am going to pile on a little bit Mr. Murphy's comments
that I view this as nibbling around the edges of cybersecurity.
We are pointing to specific problems and trying to come up with
specific solutions. All the while we are losing sight of the
forest. I am not saying these shouldn't be done but I just
think we need to think about in a grander scheme of
cybersecurity and how it all ties in with our national security
now, our financial security, and hopefully we can start
elevating the level of discussion here but I want to
congratulate the authors of both of the bills here. I think you
have done a decent job here of finding the right solution for
these specific problems and I support them. Yield back.
Mr. Rush. The chair thanks the gentleman and now the chair
recognizes the gentleman from Georgia, Dr. Gingrey, for 2
minutes for the purposes of an opening statement.
OPENING STATEMENT OF HON. PHIL GINGREY
Mr. Gingrey. Mr. Chairman, thank you for calling this
hearing today that focuses on two bipartisan pieces of
legislation, H.R. 2221, the Data Accountability and Trust Act,
and H.R. 1319, the Informed Peer to Peer User Act. I also want
to commend both you and Ranking Member Radanovich for your
collective leadership and for the spirit of comity in which
this subcommittee is operating, Mr. Chairman.
At a time when our society is becoming ever more reliant on
technology, whether for e-commerce or HIT, health information
technology, we need to ensure the security of an individual's
identity and personal information. Unfortunately, we have seen
significant breaches of information that have led to identity
theft, fraud and allegations that were first reported in the
Wall Street Journal that Chinese hackers--it is bad enough what
Ranking Member Stearns was saying about the pharmaceutical and
prescription drug information but Chinese hackers stole several
terabytes of data related to design and electronic systems of
the Joint Strike fighter. That is some serious business.
H.R. 2221 is legislation that was first written in the
109th Congress by my colleague from Florida, Mr. Stearns. It is
now being spearheaded by you, Mr. Chairman, and I applaud you
on this effort. This legislation requires entities holding data
that contains personal information to implement enhanced
security measures to prevent future breaches. In instances in
which unauthorized access does occur, then the consumers must
be notified shortly thereafter that their files were
compromised.
Similarly, H.R. 1319 is legislation that was introduced by
Ms. Bono Mack of California, full committee Ranking Member
Barton and my colleague from Savannah, Georgia, Mr. Barrow, and
it is designed to protect consumers through additional
information about the practice of peer-to-peer file sharing
over the Internet. Simply referred to as P2P file sharing
around the IT industry, this practice certainly has a number of
benefits. However, too often personal information is
compromised over the peer-to-peer program for various reasons,
many of which of course are inadvertent. H.R. 1319 would add an
additional layer of security that would prohibit peer-to-peer
programs from sharing files until the program receives informed
consent from the user on two separate occasions.
Mr. Chairman, we need to maintain security on the Internet
in this growing technologically-based world, and I do support
both bipartisan bills. I look forward to hearing from the
witnesses, and I yield back.
Mr. Rush. The chair thanks the gentleman and the chair
thanks all the members of the subcommittee for their opening
statements.
It is now my pleasure to introduce our outstanding expert
panel. These panelists have come from far and near to be with
us today, and we certainly welcome them and we certainly want
to tell each and every one of you beforehand that we thank you
so much for taking the time out from your busy schedule to
participate with us in this hearing.
I would like to first of all introduce you now. From my far
left is Ms. Eileen Harrington. Ms. Harrington is the acting
director of the Bureau of Consumer Protection for the Federal
Trade Commission. Next to Ms. Harrington is Mr. David M. Sohn,
who is the senior policy counsel for the Center for Democracy
and Technology. Next to Mr. Sohn is Mr. Robert W. Holleyman,
II. Mr. Holleyman is the president and CEO of Business Software
Alliance. Seated next to him is Mr. Martin C. Lafferty. He is
the chief executive officer of Distributed Computing Industry
Association. Next to Mr. Lafferty is Mr. Stuart K. Pratt,
president and CEO of the Consumer Data Industry Association,
and then next to him is Mr. Marc Rotenberg, who is the
executive director of the Electronic Privacy Information
Center. The gentleman next to Mr. Rotenberg is Mr. Robert
Boback. He is the CEO of Tiversa, Incorporated. And lastly but
not least, the gentleman seated next to Mr. Boback is Mr.
Thomas D. Sydnor. He is the senior fellow and director of the
Center for the Study of Digital Property of the Progress and
Freedom Foundation.
Again, I want to thank each and every one of the witnesses
for appearing today. It is my pleasure to extend to you 5
minutes for the purposes of opening statement, and we will
begin with Ms. Harrington.
STATEMENTS OF EILEEN HARRINGTON, ACTING DIRECTOR, BUREAU OF
CONSUMER PROTECTION, FEDERAL TRADE COMMISSION; DAVID M. SOHN,
SENIOR POLICY COUNSEL, CENTER FOR DEMOCRACY AND TECHNOLOGY;
ROBERT W. HOLLEYMAN II, PRESIDENT AND CHIEF EXECUTIVE OFFICER,
BUSINESS SOFTWARE ALLIANCE; MARTIN C. LAFFERTY, CHIEF EXECUTIVE
OFFICER, DISTRIBUTED COMPUTING INDUSTRY ASSOCIATION; STUART K.
PRATT, PRESIDENT AND CHIEF EXECUTIVE OFFICER, CONSUMER DATA
INDUSTRY ASSOCIATION; MARC ROTENBERG, EXECUTIVE DIRECTOR,
ELECTRONIC PRIVACY INFORMATION CENTER; ROBERT BOBACK, CHIEF
EXECUTIVE OFFICER, TIVERSA, INC.; AND THOMAS D. SYDNOR, SENIOR
FELLOW AND DIRECTOR, CENTER FOR THE STUDY OF DIGITAL PROPERTY,
PROGRESS AND FREEDOM FOUNDATION
STATEMENT OF EILEEN HARRINGTON
Ms. Harrington. Thank you very much, Chairman Rush, Ranking
Member Radanovich and members of the subcommittee. I am Eileen
Harrington, the acting director of the FTC's Bureau of Consumer
Protection. I appreciate the opportunity to appear to present
the Commission's testimony on data security and peer-to-peer
file sharing. The Commission's views are set forth in its
written testimony. My oral presentation and answers to your
questions represent my views.
Let me start with data security. Companies must protect
consumers' sensitive data. If they don't, that data could fall
into the wrong hands, resulting in fraud and consumers losing
confidence in the marketplace. The Commission has undertaken
substantial efforts described fully in its written testimony to
promote data security. Let me highlight three particular
efforts for you: our law enforcement activities, our pending
rulemaking on health information security and our study of
emerging technologies.
Today the Commission announced its 26th law enforcement
action against a business that we allege failed to have
reasonable procedures to protect consumers' personal
information. Case number 26 is against mortgage broker James
Nutter and Company for allegedly failing to implement basic
computer security measures. In settling these charges, the
company has agreed to maintain reasonable security measures in
the future and to periodic outside audits of its security
practices. The Commission's data security cases are well
publicized and send a strong message to the business community:
you must have reasonable data security measures in place.
Second, a few weeks ago the Commission issued a proposed
rule to require that consumers be notified when the security of
their health information is breached. The proposed rule arises
from a mandate in the Recovery Act to address new types of web-
based entities that collect or handle consumers' sensitive
health information. Covered entities include those that offer
personal health records which consumers can use as an
electronic individually controlled repository for their medical
information. Personal health records have the potential to
provide numerous benefits for consumers but only if they have
confidence that the security of the health information they put
it in will be maintained.
Third, the Commission continues to examine new technologies
to identify emerging privacy and data security issues. In
February, for example, the Commission staff released a report
recommending principles for industry self-regulation of privacy
and data security in connection with behavioral advertising. We
are also considering a petition submitted by EPIC raising data
security concerns about cloud computing services provided by
Google.
Finally, a few words about the proposed data security bill,
H.R. 2221. The Commission strongly supports the goals of the
legislation, which are to require companies to implement
reasonable security procedures and provide security breach
notification to consumers. We also strongly support the
provisions that would give the Commission the authority to
obtain civil penalties for violations. We have provided
technical comments to committee staff, particularly with regard
to the scope of the proposed legislation and the data broker
provisions and very much appreciate the opportunity to provide
input.
Turning to P2P file sharing, let us be clear about one
thing. The FTC's interest is the safety and privacy of
consumers' personal documents and information, not copyright
piracy. Although P2P technologies may offer benefits to
computing, they have also been associated with significant data
security risks. The press has reported disturbing instances of
sensitive documents being shared via P2P networks. Sensitive
documents likely have been shared under three scenarios. First,
some consumers may have shared documents because they failed to
read or understand information about how to keep files from
being shared or did not understand the consequences of altering
default settings. Second, some consumers may have unknowingly
downloaded malware that caused their files to be made available
on P2P networks. Third, some businesses and other organizations
that hold sensitive personal information such as tax or medical
records have not implemented procedures to block installation
of P2P file-sharing software on their company or organization-
owned computers and networks. Some of the most highly
publicized instances of personal information being shared over
P2P networks occurred because businesses failed to prevent the
installation of P2P software on their systems or because their
employees placed sensitive corporate documents onto home
computers that had downloaded P2P software.
The FTC has worked with the P2P industry as it has set
standards for disclosure and default settings that protect
consumers' files and information. We have received reports
about the performance of seven P2P companies and are currently
reviewing them to see whether these companies comply with the
industry standards. We will make the results of our review
public this summer. We also educate consumers about the risks
associated with these programs. In addition to a 2008 consumer
alert, the FTC's Internet website, onguardonline.gov,
highlights information about the risks of P2P file-sharing
software.
Finally, we support legislation that requires distributors
of P2P file-sharing programs to provide timely, clear and
conspicuous notice and obtain consent from consumers regarding
the essential aspects of those programs. H.R. 1319 may provide
very useful protections for consumers. The agency has worked
with committee staff on previous versions of the bill and we
look forward to working with committee staff again regarding
this proposed legislation, and we thank you very much for
giving the FTC the opportunity to present its views today.
[The prepared statement of Ms. Harrington follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The chair now recognizes Mr. Sohn for 5 minutes.
STATEMENT OF DAVID M. SOHN
Mr. Sohn. Chairman Rush, Ranking Member Radanovich, members
of the subcommittee, thank you for the opportunity to
participate in today's hearing. The Center for Democracy and
Technology is very pleased to see this subcommittee focusing on
data privacy and security issues. Based on my conversations
with subcommittee staff, I am going to focus my comments this
afternoon on the Data Accountability and Trust Act with just a
few words at the end about the Informed P2P User Act.
But before I do that, I would like to make a general point.
Both of the bills that are the focus of today's hearing reflect
the fact that technology has greatly expanded the ability to
collect, store, use and share personal data. The modern
information economy that this makes possible has many benefits
but it also has greatly changed the privacy landscape and it
has expanded the risk of inappropriate disclosure of personal
data. Unfortunately, the law has simply not kept pace with
these changes. In particular, the United States has no general
privacy law establishing any kind of fair baseline of
principles or expectations to govern consumer privacy, and in
the absence of that kind of overall legal framework, when new
privacy issues arise, Congress is essentially left to legislate
on a one-off basis without any clear guiding principles and
without necessarily much consistency. The result, what we have
today, is a confusing patchwork of laws in this area. So based
on that, CDT would certainly urge the subcommittee to put a
high priority on the enactment of baseline federal privacy
legislation and we are very happy to hear Chairman Rush saying
today that he plans a joint hearing and does plan to work on
comprehensive privacy legislation.
Now I would like to turn to the Data Accountability and
Trust Act. CDT supports the idea of a nationwide data breach
notification standard so long as that standard is as least as
effective as the laws already in place at the State level. The
key point to understand here is that data breach notification
is already the law of the land because it is required by all
but a few of the States. So from a consumer perspective,
replacing State notification laws with a weak federal standard
could actually be a step backwards, and even replacing them
with a good federal standard still doesn't offer a lot of
tangible progress. The principal consumer gains from H.R. 2221
therefore come from section 2 of the bill, namely the provision
for requiring data security procedures and especially the
provisions requiring information brokers to let consumers
review what is in their data broker files. Based largely on
these provisions, the CDT does support the framework set forth
in the bill.
My written testimony offers some suggestions for
improvements to the bill. For example, the breach notification
provisions could be improved by requiring a company that
suffers a breach but determines that there isn't enough risk to
notify consumers to nonetheless provide a brief explanation to
a regulator basically just to keep everybody honest. For the
provisions on security standards and consumer access to
information broker files, CDT recommends taking a close look at
the scope of those requirements. In particular, the bill uses a
definition of personal data that is really quite limited, which
may make sense for breach notification provisions but might
make less sense for the provisions in section 2.
Preemption deserves a mention as well. It is important to
note that preempting State laws in this area is a very
significant step. The only reason we are here talking about
breach notification today is that notification laws were
pioneered by the States and especially California. States were
able to do that because the Gramm-Leach-Bliley Act preempted
inconsistent State laws but otherwise left States free to
experiment. Fortunately, the authors of H.R. 2221 have been
careful with preemption. CDT does believe that preemption makes
sense for the specific issue of breach notification and the
bill does provide for that. I would just say that as the bill
moves forward, Congress needs to keep in mind that the price of
preemption must be strong federal action and that overbroad
preemption has to be avoided. Overall, CDT does appreciate the
careful work of Chairman Rush and the other sponsors of this
bill and we stand ready to cooperate with them on possible
improvements as the bill moves forward.
Finally, just a couple words on the Informed P2P User Act.
CDT absolutely supports the principle that file-sharing
software should clearly communicate to users how their files
may be made available to third parties. Inadvertent sharing of
personal files is a very serious privacy matter. As set forth
in my written testimony, however, legislating this area does
pose some difficulties. CDT has reservations about the
potential unintended breadth of the bill and also has some
reservations about Congress starting down the path of imposing
specific design mandates for software developers. That said, we
share the broad goal and my written testimony offers some ideas
for modifications to consider if the subcommittee chooses to
proceed with the bill.
Thanks again for the opportunity to testify.
[The prepared statement of Mr. Sohn follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The chair thanks the gentleman. The chair
recognizes now for 5 minutes of opening statement Mr.
Holleyman.
STATEMENT OF ROBERT W. HOLLEYMAN II
Mr. Holleyman. Mr. Chairman, Ranking Member Radanovich,
other members of this subcommittee, I want to thank you for the
opportunity to testify today. The Business Software Alliance
represents the leading developers of software and hardware. Of
the software that is sold around the world, roughly 90 percent
of that is from companies who are U.S.-based companies and our
members believe strongly that the type of inquiry that this
committee is engaged in today is important not only to ensure
that our customers are using software properly but also to
ensure that the promise of electronic commerce and equally
important the promise for the type of sensitive data that the
government will hold and does hold that we could have greater
confidence because that will add enormous efficiencies to our
system.
As we look at the issue of breaches, the data is astounding
in terms of the problems that we have seen. I won't repeat all
of the information that has been so widely covered in the press
and by the subcommittee except that I will note that the trend
is that data breaches are growing. In 2008, it is estimated
that there was a 47 percent increase in data breaches over the
prior year, and the average cost of each breach is growing, and
for the ninth year in a row, identity theft has topped the list
of FTC consumer complaints, about 26 percent of all their
complaints, and according to the Privacy Rights Clearinghouse,
a staggering 270 million records containing sensitive personal
information have been affected since 2005. And certainly we
have heard on this panel today, we have heard in your opening
statements about Heartland Payment Systems, the single largest
fraud-related data loss ever in the United States. Estimates of
over $100 million individual credit and debit card accounts
were compromised and the consequences of that have been
enormous.
And finally, to the point that I made about the importance
of government data, nearly 20 percent of all data breaches
involve government, federal, State and local governments, and
as we move to the promise of governments holding even more
sensitive data regarding our health records as people live
longer, as our population grows, as we build the kind of
openness and confidence in government, we have to ensure that
that important nexus is also protected.
With that, Mr. Chairman, I would like to comment on your
pending bill. We believe that this bill, Mr. Rush, makes
significant contributions to restoring and building a goal of
consumer citizen trust. We support its effort to establish a
uniform national standard and provide the preemption of State
laws. We also believe that it is important to recognize that it
would prevent excessive notification. We do need notification
but not all breaches are equal, and part of what we need both
in business but part of what consumers need is to ensure that
when the notification occurs, it is the result of something
that is meaningful. Third, we support exempting from
notification data that has been rendered unusable, unreadable
and indecipherable. We would recommend that the limitation in
the bill that refers to encryption be broader so that we are
looking at what the test is, and really this creates market-
based incentives that supplement the regulatory authority that
is given. It is that combination that will ensure that more
holders of data ensure that even if there is a breach, that the
party that has carried out the breach or the unlawful entity
can't do anything with that data, and that is an important
safeguard. Fourth, we believe that your bill takes an
appropriate risk-based approach to securing data and we support
the grant of authority and would recommend that it be limited
to the FTC and State attorneys general rather than extending a
private right of actions.
A couple of comments about H.R. 1319. We welcome this
effort by Ms. Bono Mack and other members of the subcommittee
to address this issue. Consumer privacy can be and is being
compromised because of certain peer-to-peer file-sharing
applications. We also appreciate this subcommittee's
willingness, the committee's willingness to look at the current
breadth of this bill to identify where it could be
appropriately limited. We do believe that there are two goals
in this. One is to protect consumer security and promote trust
and the second is to ensure that technological innovation
continues to proceed. It is this balance that must be struck
and it must be struck carefully. We are all concerned that the
bill, if it is in its current form, could pull in some of the
very legitimate applications and uses of peer-to-peer
technology that are important for every consumer, important for
legitimate companies. As it seeks to look at some of the bad
actors or some of the peer-to-peer software that we widely know
as an anti-piracy organization that have led to the widespread
theft of software, music, movies and other content, we also
know that the bill in its current form could sweep in any
Internet-aware features of software such as automatic updates
for anti-virus software such as the crash analysis feature of
operating systems or the web browsers on our computers. We know
that that is not the intent of this bill but as written it
could reach that breadth, and so we would urge the committee to
recognize that while some effort should be made, it is
important to enhance security. We also want to ensure that the
technological progress and growth proceeds and that will
benefit all users of legitimate software.
So on behalf of BSA, thank you for this opportunity and
look forward to your questions.
[The prepared statement of Mr. Holleyman follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The chair thanks the gentleman. The Mr. Chairman,
Mr. Lafferty, for 5 minutes.
STATEMENT OF MARTIN C. LAFFERTY
Mr. Lafferty. Chairman Rush, Ranking Member Radanovich,
subcommittee members, thank you for holding this important
hearing. I am Marty Lafferty, CEO of the Distributed Computing
Industry Association.
Both of the bills under consideration have far-reaching
consequences. Our expertise relates primarily to H.R. 1319.
DCIA is a trade group focused on P2P and related technologies.
Our mission is to foster commercial development of these
technologies so that their benefits can be realized by all
participants in the distribution chain including content rights
holders and Internet service providers. We currently have 125
member companies including P2P, cloud computing, file sharing
and social network software distributors, broadband operators,
content providers and service and support companies. P2P has
evolved greatly in the 8 years since Napster first brought the
term P2P file sharing to prominence. Fully licensed ad-
supported P2P, subscription P2P, paid download P2P, commercial
enterprise P2P, P2P TV, hybrid P2P and live P2P streaming now
deserve to be separated from the narrow subset of functionality
associated with file sharing. DCIA member companies
increasingly use P2P for the delivery of authorized
entertainment and corporate communications content where rights
holders rather than end users introduce files or live streams
for online delivery. We strongly urge the committee to apply
the term ``file sharing'' without the P2P prefix as a more
accurate descriptor for the focus of H.R. 1319.
The Committee on Oversight and Government Reform held a
hearing on this topic in July 2007 at which one of our member
companies testified. Within weeks of that hearing, the DCIA
established the Inadvertent Sharing Protection Working Group.
Over several months we recruited participants among leading P2P
and other tech sector companies and engaged with FTC staff to
address issues associated with unintended publishing of
confidential data by file sharers. This effort began by
providing demonstrations for FTC staff of how current file
share programs work in terms of users uploading material for
distribution. It continued through a process involving private
sector and regulatory participants to develop a program of
voluntary best practices for file-sharing software developers
to protect users against inadvertently sharing personal or
sensitive data. This program was announced in July of 2008. Its
summary, included in our written testimony, begins by defining
terms relevant to 1319 such as recursive sharing, sensitive
file types and user-originated files. It then outlines seven
steps that are required to be in compliance: default settings,
file-sharing controls, shared folder configurations, user error
protections, sensitive file type restrictions, file sharing
status communications and developer principles. The principles
address feature disablement, uninstallation, new version
upgrades and file-sharing settings. In August 2008, the DCIA
announced that compliance monitoring would begin in December to
allow developers time to integrate required elements of the
ISPG program into their planned upgrades and new releases.
Compliance monitoring resulted in reports from top brands that
use P2P for downloading, live streaming, open environment
sharing and corporate Internet deployments and for both user-
generated and professionally produced content. Specifically,
seven leading P2P representative program distributors submitted
detailed reports to FTC staff in February 2009. In March the
DCIA prepared and submitted a summary. We also noted that
software implementations of the popular BitTorrent protocol
typically require users to conduct a deliberate conversion
process from whatever native file format their content is in to
a torrent file before it can be published, thus minimizing this
risk of user error. The entire report plus data tables of
individual company submissions are in our written testimony but
here are highlights.
All respondents now have clearly disclosed install default
settings that only permit sharing files downloaded from the
network. They do not share user-generated files by default. A
hundred percent also provide complete uninstallation of their
file-sharing software that is simple to do and explained in
plain language, for example, by using the standard add/remove
program in Windows. And six out of seven, which is all where
this is applicable, now offer a simple way to stop sharing any
folder, subfolder or file by using easily accessed controls.
In April 2009, subcommittee staff invited the DCIA to
participate in redrafting H.R. 1319. We formed a DCIA member
subgroup to conduct this work. The process is underway and we
are glad to coordinate that work with staff. Among our greatest
concerns is that the bill as drafted would have unintended
consequences. The present draft goes way beyond the specific
concerns discussed here and would apply to additional
functionality and technologies that have nothing to do with
recursive sharing of sensitive file types. Applying these
requirements to numerous products, services and companies would
be burdensome and counterproductive. To the extent that
legitimate consumer concerns persist in the area that the bill
intends to address, we strongly believe they can best be
handled by ongoing self-regulation under the oversight of the
appropriate federal authority as we initiated with the ISPG.
The bill as constructed would unnecessarily burden U.S.-
based technology firms with innovation freeze and constraints
while being unenforceable against overseas competitors'
software available to U.S. consumers. The great concern also is
how it might stifle yet undeveloped new and potentially very
useful and valuable software applications. On the other hand,
the DCIA has committed to self-regulation through the ISPG to
address the subject matter of this bill and is making
substantial progress. So rather than a problematic new legal
measure, we believe that formalized requirements for compliance
with that process will be more effective in achieving the
purpose of the bill.
We look forward to working with the subcommittee on these
issues in a productive manner and will benefit all your
constituents. Thank you for your continued interest in our
industry.
[The prepared statement of Mr. Lafferty follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The chair thanks the gentleman. The chair now
recognizes Mr. Pratt for 5 minutes for the purposes of an
opening statement.
STATEMENT OF STUART K. PRATT
Mr. Pratt. Chairman Rush, Ranking Member Radanovich and
members of the subcommittee, thank you for this opportunity to
appear before you today. My name is Stuart Pratt, president and
CEO of the Consumer Data Industry Association. Our 250 member
companies provide our Nation's businesses with data tools
necessary to manage risk and a wide range of consumer
transactions, and these products include credit, mortgage
reports, identity verification tools, law enforcement
investigative products, fraud check transaction identification
systems, decision sciences technologies, location services and
collections. My comments today will focus exclusively on H.R.
2221, and we applaud its introduction.
CDIA's members agree that sensitive personal information
should be protected. We also agree that consumers should
receive breach notices when there is a significant risk of them
becoming victims of identity theft. Our members agree with the
Federal Trade Commission recommendations which embrace these
two concepts. I would only add that if a federal law is to be
enacted, it should be a true national standard.
We believe that data security and breach notification
provisions in H.R. 2221 would be most effective if they were
better aligned with requirements found in other current laws.
Alignment is key to ensuring that all who are affected by the
Act are successful in complying with new duties under DATA and
also with their current duties found under other laws such as
the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.
Let me discuss some of the ways that 2221 interplays with
existing duties found in current laws.
Section 56 defines the term ``information broker.'' Absent
aligning this definition with other current laws, our members'
products will be affected. This bill would require information
brokers to have reasonable procedures to verify the accuracy of
personal information, provide consumers with access to these
data and ensure a system by which consumers can dispute
information. All of our members operate consumer reporting
agencies as this term is defined in the Fair Credit Reporting
Act. They produce data products defined as consumer reports.
Consumer reports are used to make determinations of a
consumer's eligibility for a service or a product and the FCRA
establishes duties for accuracy, access and correction as it
relates to these products. Our members agree that where data is
used to make a decision regarding consumers' eligibility for a
product or service, consumers should have these rights.
Since there are similar duties under the FCRA and DATA, we
propose the definition of information broker should be amended
to exclude the term ``consumer reporting agency'', and while we
appreciate the inclusion of section C3C which attempts to
address our concern, we believe that since the FCRA's duties
are well understood and the FTC has direct enforcement powers,
that we should have a complete exemption.
Regarding disclosure, section C3 allows an information
broker under certain circumstances to not disclose personal
information to a consumer. This section does not exempt an
information broker's fraud prevention tool from the duty to
verify accuracy. Fraud prevention tools are designed to
identify the possibility of fraud and to apply an accuracy
standard of fraud prevention tools is unworkable since these
tools are designed to warn a lender or utility or other
business about the possibility of fraud. Fraud prevention tools
consider how data has been used in previous identified cases of
fraud and employ many other relational strategies. We would
urge the expansion of C3B to include fraud prevention tools so
that they are completely exempted from the accuracy standard
requirement, not because the tools are designed poorly but
because these tools cannot line up with an accuracy standard in
the first place.
Your bill also as indicated establishes both a requirement
for data security and a requirement for security breach and we
have absolutely no qualms about either of those requirements.
Our member in fact comply with those types of requirements
today and our only request is that where our member companies
are already operating as a consumer reporting agency under the
Fair Credit Reporting Act or where they are operating as a
financial institution under the Gramm-Leach-Bliley Act, that
they would be exempted from these data security and these
security breach notification duties because they already have
those duties under the Fair Credit Reporting Act and also under
the Gramm-Leach-Bliley Act and in particular the safeguards
rules which include breach notification.
So this process of alignment will make this bill more
effective. If we can make this truly a national standard, you
certainly will have filled some gaps along the way. I think
that Mr. Sohn said it very well. In the meantime, we live with
a range of State laws. We have worked constructively with many,
many States in establishing those statutes and in establishing
definitions of the crime of identity theft and we will continue
to do that and we look forward concurrently to working with you
in the committee. Thank you.
[The prepared statement of Mr. Pratt follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The chair thanks the gentleman, and now the chair
recognizes Mr. Rotenberg for 5 minutes.
STATEMENT OF MARC ROTENBERG
Mr. Rotenberg. Mr. Chairman, Mr. Radanovich, members of the
committee, thank you very much for the opportunity to be here
today. EPIC is a nonprofit research organization here in
Washington.
We have a particular interest in this issue of security
breach notification. EPIC was the organization that had urged
the Federal Trade Commission to investigate the data practices
of a company called ChoicePoint because we believed that that
company was making the personal information of American
consumers vulnerable to misuse. The FTC did not heed our
warning and instead we all read in the newspapers when an
investigation broke in Los Angeles that revealed that the
records of 145,000 American consumers had been sold to a
criminal ring engaged in the act of identity theft. I promise
you, after that news story appeared, the FTC and many State
attorneys general became very interested in this problem.
Now, we learned of the problem with ChoicePoint in part
because of a good law that had been passed in the State of
California which required companies that suffered from a
security breach to notify people who are impacted, and as a
result of the ChoicePoint notification, many other States began
to understand the need for security breach notification. Now,
this has been an evolving process. I think there are now 44
States in the United States that have security breach
notification, and while we certainly support an effort to
establish a high standard across the country, I do want to warn
you that one of the consequences of this bill would be to
effectively tie the hands of the State from further updating
their laws or enforcing stronger laws, and I think this would
be a mistake. I read recently, for example, that the California
State Senate has just approved new changes to its notification
law that would provide individuals with better information
about the type of personal information that was improperly
disclosed and how it might be misused. This need to be able to
continue to update security breach notification I think should
be a consideration as the committee looks at legislation to
establish a national standard.
One of the other points I would like to make about the
legislation concerns the relationship in the realm of
notification between the individuals who are impacted and the
role of the Federal Trade Commission, which is also notified
under the bill. There is understandable concern that if
individuals receive too many breach notices, they will serve no
purpose, and so there is a need to set a standard so that
people are not receiving lots and lots of these notices which
they will come to ignore. But with respect to the role of the
Federal Trade Commission, I think the bill could be
strengthened by requiring companies in all circumstances to
notify the Commission where substantive breaches have occurred,
and moreover to put on the Commission an obligation to be more
transparent about the information that it receives regarding
the problems of breach notification in the United States. There
is also a risk with the legislation as it is currently drafted
that the FTC will obtain information about security breaches,
may choose not to act on the information it receives and that
information will effectively remain secret both to the public
and to this committee and the problem will continue to grow, so
I hope that is an area that can be considered as well.
We talk also about the safe harbor provisions, essentially
companies that have certain security practices such as
encryption should be encouraged to put in place and maintain
those practices but again we think that notification can be
made to the Federal Trade Commission in those instances where
security breaches occur even if it may not be necessary to
notify the target population.
Finally, I would like to point out that since when the bill
was originally introduced there have been significant changes
both in the Internet and also in communications technology.
Facebook, for example, now has 200 million users. Four years
ago when this bill was first considered, there were many, many
fewer people using these social network services. This has two
implications. First of all, there is a new way to notify people
online. It is no longer necessary to talk just about a website
but also a social network presence. It also means that there is
a new risk in data collection that needs to consider the
growing significance of social network services. And finally, I
might mention that text messaging has become a very effective
way to notify people about things that might concern them
regarding security. We propose in our testimony that where
possible, text messaging be used as a supplement to the other
notification procedures including mail and e-mail.
So thank you again for the chance to testify and I would be
pleased to answer your questions.
[The prepared statement of Mr. Rotenberg follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The chair now recognizes Mr. Boback for 5
minutes.
STATEMENT OF ROBERT BOBACK
Mr. Boback. Chairman Rush, Ranking Member Radanovich and
distinguished members of the committee, I thank you for giving
us the opportunity to testify here today.
As many of you discussed in your opening statements the
security risks associated with peer-to-peer, our company,
Tiversa, which I am the CEO of, has unique insight on this in
that Tiversa has the unique technology that allows us to span
out globally to see all information that is occurring on all
the peer-to-peer clients, so it is just a Lime Wire or a Kazaa
or a BearShare, it is everyone, all encompassing, and we see it
in real time. So therefore this provides us a great insight to
provide information to the committee here today.
This information that we are finding is very sensitive.
There are security measures. I commend the Honorable Ms. Bono
Mack for bringing this here today. The reason why is that many
security professionals around the world in high-ranking
positions in corporations in the United States and abroad
aren't even aware of this, so again, for her insight to bring
this to the committee and bring 1319 forward, it is very
important, because, again, the awareness is still not where it
needs to be. For instance, in the last 60 days, despite the
measures that have been taken by the peer-to-peer clients,
despite which I also admit are improving, Lime Wire is
improving its protocols to decrease the amount of breaches that
have happened, but in the last 60 days Tiversa has downloaded
breaches in the amount of 3,908,000 breaches, individual
breaches in the last 60 days. I find it very important that
2221 and 1319 are actually discussed on the same day. The
reason why is, this is where breaches are happening. As Mr.
Gingrey of Georgia called out, obviously we all saw the Wall
Street Journal article April 21st about the Joint Strike
fighter. It wasn't reported in the Wall Street Journal, this
was peer-to-peer. The information unfortunately is still on the
peer-to-peer. This was discovered in January 2005. We
discovered it. We reported it to the DOD. It is still here. It
is still out there. It has never been remediated. Awareness is
not where it needs to be. Oversight is not where it needs to be
in order to address these problems. That is the type of
national security ends.
Now, there are also the consumer ends. From Tiversa, we
process 1.6 billion searches per day every day. Google is about
1.7 billion per day, so we were about nine times what Google is
processing on a daily basis. In those searches we are able to
see what the users are looking for around the world, and in
those searches we see people searching for your financial
records. They are not looking to apply for a credit card. They
are not looking for health insurance. They are looking for your
health insurance because they want to quickly go online and buy
online pharmaceuticals using your medical insurance card as
medical identity theft. No credit monitoring will stop that.
They want to get your Social Security number filed with your
tax return. We did a study with the Today show showing that in
that instant 275,000 tax returns were found in one search on
the peer-to-peer, so a minimum of 275,000 Social Security
numbers on one time. Now, we have done other searches where it
has been over half a million on one time and yet I would also
strongly urge the FTC that on the website where it would
identify to users that this information is coming from the
peer-to-peer, there is not one mention of peer-to-peer on where
are they getting your information. Nine million victims every
year of identity theft and the number one mention on the FTC's
website is dumpster diving. It doesn't add up. The numbers
don't add up to dumpster diving. Consumers are not aware of
this problem, not from a national security standpoint.
Executives don't know it. Security executives do not know this
problem. Consumers aren't aware of this problem. They need to
know that their information is out there and it is being sought
after on an enormous scale such that even in our research in
the last few months we have had a 60 percent increase in
searches for information that will lead to identity theft and
fraud. This is a serious growing problem that consumers again
are not aware of, so we applaud 2221 for a national breach. I
will tell you that as we find these breaches, these 3,900,000
breaches, as we can we return the information and alert the
companies to the breach. Again, we do it out of our duty of
care policy. There are no strings attached to that.
I will tell you that there are thousands of cases that our
employees have provided to users, to companies nationwide that
they completely disregard the breach. Many of those are
actually cited in my written testimony, so you would think that
you are safe if you do not use peer-to-peer. Well, I will show
you in the written testimony there are users out there that all
they did was go to the hospital and they provided their
information there and now that is one of the things, so
individuals need to have an identity theft protection service
as well as a national breach notification such as 2121, and I
thank you for the opportunity and welcome questions.
[The prepared statement of Mr. Boback follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. Thank you very much. Now the chairman recognizes
Mr. Sydnor. Mr. Sydnor, you are recognized for 5 minutes for
opening statement.
STATEMENT OF THOMAS D. SYDNOR
Mr. Sydnor. Thank you, Chairman Rush, Ranking Member
Radanovich and members of the subcommittee. My name is Thomas
Sydnor and I am a senior fellow at the Progress and Freedom
Foundation. I am here speaking today on my own behalf, and I am
also the author of two studies on the causes of inadvertent
file sharing, File-Sharing Programs and Technological Features
to Induce Users to Share, published by the United States Patent
and Trademark Office, and Inadvertent File Sharing Revisited,
published by the Progress and Freedom Foundation, and I am here
today to testify in support of H.R. 1319, the Informed Peer-to-
Peer User Act.
Mr. Rush. Mr. Sydnor, would you please excuse me just for a
moment? I want to alert the members that there is a little over
5 minutes for a vote, a three-series vote. There are three
votes in the series, and that will be the last votes of the
day. So if members want to leave to go and vote after this
witness completes his opening statement, then the chair will
recess the committee and reconvene at the conclusion of this
series of votes. So we would ask that the members please return
promptly so that we can complete the questioning of these
witnesses and complete this hearing.
Mr. Sydnor, would you please continue?
Mr. Sydnor. Thank you, Mr. Chairman.
I am testifying today in support of the bill because my
written statement and my past published work on inadvertent
sharing I think shows that in the past we have tried to rely on
voluntary self-regulation and it has failed. Voluntary self-
regulation should be an incredibly important part of our
technology policy and for that reason it must be taken
seriously. Unfortunately, in the context of distributors of
filing sharing programs used mostly for unlawful purposes, it
has been tried, voluntary self-regulation. It has failed
miserably in the past, and I can report that it is failing
again right now.
I want to consider just as an example the file-sharing
program Lime Wire 5. The DCIA has hailed Lime Wire 5 as the
gold standard for the implementation of its new voluntary best
practices, and Lime Wire itself has a result of this hearing
generated great publicity for itself by telling Congress that
at long last Lime Wire 5 put the final nail in the coffin of
inadvertent sharing of sensitive files, and the program is that
last statement is not even arguably correct, and to show why, I
want you to consider a hypothetical based upon the recent
reports from Today Investigates showing that in New York State
alone researchers could find over 150,000 inadvertently shared
tax returns. The report also showed the real-world consequences
of inadvertent sharing by profiling the Bucci family, who had
their tax returns stolen by an identity thief because they had
inadvertently shared their tax returns because their preteen
daughters were using a file-sharing program reported to be Lime
Wire. But the real problem in such a case is that a tax return
is really only the tip of the iceberg. Such episodes usually
occurring mean that a family is sharing all of its personal
data file stored on the family computer. All the parents' work
and personal documents, scans of legal, medical and financial
records, scanned documents providing identifying information
about the family's children, all of the family's digital
photos, all of its home videos, entire music collection,
probably thousands of files.
Now, consider two families that have been affected by this
type of catastrophic inadvertent file sharing, and just assume
it was caused by an earlier version of Lime Wire. Consider what
happens if they upgrade to Lime Wire 5. One family doesn't know
they have a problem. They are unaware that a problem exists but
they hear reports like Lime Wire 5 has ensured the complete
lockdown of the safety and security of Lime Wire users and so
they upgrade to Lime Wire 5. Will that correct their
inadvertent sharing of sensitive documents problem? It will
not. By default, simply by being installed, the family will
continue to share documents that are by any a reasonable
definition sensitive. They will continue to share the family
photo collection. They will continue to share scanned legal,
medical and financial records, perhaps even tax returns,
continue to share data about their children. They will continue
to share all their home videos. They will continue to share
their entire music collection. So they will continue to be
exposed to the full range of risks: identity theft, data on
their children getting into the hands of the pedophiles that
use their networks, and the risk of a lawsuit.
Now, the other family does know their problem. They detect
it and they resolve it by uninstalling Lime Wire, remove it
from their computer. So this family actually has put the final
nail in the coffin of their inadvertent file-sharing problem
but they hear about Lime Wire, they kids reinstall it because
now it is completely secure. What will happen? By default,
simply by being installed, that program will revive, will call
back from the dead the family's inadvertent file-sharing
problem. It will automatically begin re-sharing all the data
files that were shared before except for some types simply by
being installed. That is not acceptable behavior, it is not
acceptable practice, and I think it indicates why the committee
should be commended for its work on H.R. 1319. Thank you.
[The prepared statement of Mr. Sydnor follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Rush. The chair thanks this witness and all the
witnesses. Now the chair will ask that this committee stand in
recess until such time as we return from a series of three
votes. I would ask the witnesses if you please would wait so
that the members can come back and ask questions. Thank you so
much. The committee is in recess.
[Recess.]
Mr. Rush. The hearing will now come to order. The chair
recognizes himself for 5 minutes for the purposes of
questioning the witnesses.
I would like to start out with some very simple questions
to get on the record how the witness may view the legislation
we are contemplating today. I will ask each and every one of
you if you would just answer with a yes or no if you can, and
if not, give me a very brief explanation of your answer. So my
first question is with regard to H.R. 1319, do you support the
legislation in its current form? If not, do you support the
intent of the bill with revisions? And my second question, do
support H.R. 2221 as it is currently drafted? If not, do you
support the intent of the bill with some revisions? I will
start with Mrs. Harrington.
Ms. Harrington. The Federal Trade Commission strongly
supports the intent of both bills. We would like to continue
working with committee staff on revisions to each but we are
very--and we are particularly supportive of the enforcement
authority and tools that both bills give the FTC of civil
penalty authority.
Mr. Rush. Thank you.
Mr. Sohn?
Mr. Sohn. CDT has significant reservations about H.R. 1319
as drafted but we certainly support the intent. We do think it
may be tricky to figure out the drafting details but we are
certainly happy to work with the committee on that. On H.R.
2221, we generally do support the bill as drafted. There are
some modifications we have suggested and we absolutely support
the intent.
Mr. Rush. Thank you.
Mr. Holleyman?
Mr. Holleyman. I actually agree fully with Mr. Sohn's
comment that we support the intent of both bills. We have some
recommendations in our written testimony. I believe strongly
that action is needed. I think it may be more difficult to make
some of the definitions in 1319 but are certainly eager to work
with the committee to ensure the intent is fulfilled.
Mr. Rush. Mr. Lafferty?
Mr. Lafferty. I will just speak to 1319. We absolutely
support the intent of the bill, the clear, conspicuous notice
and the informed consent for very important file-sharing
modalities that could have major impact on consumers. We just
don't think it can be legislated. We have worked hard to try to
come up with suggestions for a redraft and it is very difficult
to get the language not to reach out and touch other kinds of
technologies and future software applications that would be
impacted and disadvantage U.S. firms from overseas competitors.
So we support the intent but not the language.
Mr. Rush. Mr. Pratt?
Mr. Pratt. The CDIA has no position on H.R. 1319. With
regard to H.R. 2221, we certainly support the intent. We have
outlined in our written testimony the range of suggestions
about how we could align the bills with other federal laws and
if we could accomplish that goal, I think we would feel more
comfortable with the final work product. Thank you.
Mr. Rush. Thank you.
Mr. Rotenberg. Mr. Chairman, we do support the intent of
H.R. 2221 and generally support the legislation as drafted. We
have a number of suggestions in our testimony for how to
strengthen it.
With respect to 1319, we don't have a position for or
against the bill. With respect to the intent behind 1319, we
think it may be possible to get to some of the concerns
regarding security through other legislation but we would
certainly be happy to work with the committee to see how it can
be accomplished.
Mr. Rush. Mr. Boback?
Mr. Boback. Mr. Chairman, we strongly support both 2221 as
well as 1319 in clearly raising awareness and providing some
responsibility and structure to a very needed process both on
the peer-to-peer as well as just federal data breach
notification.
Mr. Sydnor. Mr. Chairman, I will confine my comments to
H.R. 1319. Yes, absolutely strongly support the intent of the
bill. I am aware that there are legitimate concerns about
making sure that we don't necessarily sweep in entirely--
potentially entirely legitimate uses of peer-to-peer technology
and would be happy to continue to work with the committee and
anyone else to try to get to a place where everyone is
comfortable.
Mr. Rush. The chair thanks the witnesses. The chair's time
is concluded. The chair now recognizes Ms. Bono Mack from
California for 5 minutes for questioning.
Ms. Bono Mack. I thank the chairman and our panelists also
for your time today.
Mr. Lafferty, I would like to read to you a bolded warning
in the user guide on the Lime Wire website entitled ``Using
Lime Wire and P2P software safely.'' The warning states, and I
quote, ``Please ensure that any folder on your computer that
contains personal information is not included in your Lime Wire
library.'' So tell me, Mr. Lafferty, if I were to complete a
default installation of Lime Wire 5.1.2, what files and folders
will the mere installation of the program included in my Lime
Wire library?
Mr. Lafferty. With Lime Wire 5 and later versions of Lime
Wire, sensitive file types, which are a large number of
extensions of files to protect your spreadsheets, your Word
documents, PDFs, things that might have sensitive data, are
unshared by default. So I would completely refute the testimony
of Tom Sydnor earlier. It just isn't true. When you--neither
example that he gave with the family that kept--just upgraded
the version or the one that uninstalled it and reinstalled it,
in both cases all the sensitive file types are unshared by
default. It is over. They are no longer accessed or shared. To
re-share any of those files, you would have to individually
take the file and go through--ignore several warnings to put
those individual files into the mode where they could be shared
and then be asked whether you want to share that with specific
friends or the network at large. So Lime Wire 5 has done away
with the concept of shared folders really and now it is a file-
by-file--
Ms. Bono Mack. There are specific warnings? What do they
say? And it is not--it is still actually sort of an inherent
default. You have little boxes that come up. I believe there
are four different boxes that are there. And one does say my
documents, so you just that that could be an Excel spreadsheet
which in fact would probably be saved under a my documents
folder, would it not?
Mr. Lafferty. If you chose to put the my documents folder
into a shared mode, it would still--
Ms. Bono Mack. Is that the default for an Excel spreadsheet
for the standard user?
Mr. Lafferty. I don't understand the question.
Ms. Bono Mack. Where is a default Excel spreadsheet saved
on your computer, on your hard drive? Is it not necessarily
defaulted to my documents?
Mr. Lafferty. It is probably different for every person,
but the point is--
Ms. Bono Mack. Probably different? What is the default?
Where does--Mr. Sydnor, perhaps you have the answer to that.
Mr. Lafferty. It doesn't really matter where it is that.
That file type won't be shared.
Ms. Bono Mack. How could it not matter? With all due
respect, how could it not matter where it is? That is the root
of the whole problem here.
Mr. Lafferty. Because it won't be shared.
Ms. Bono Mack. Unless you check simply one of the four--
Mr. Lafferty. Unless you choose that individual file if it
has that Excel spreadsheet.
Ms. Bono Mack. That individual file?
Mr. Lafferty. Individual file, correct.
Ms. Bono Mack. Mr. Sydnor, do you care to comment on that?
Mr. Sydnor. Yes. That is not quite an accurate statement
about how the Lime Wire my library feature works. My library in
Lime Wire 5 basically are the set documents that are going to
be managed in Lime Wire and thereby that set of documents is
going to be much easier to share because they are going to be
in the library and there will be a button to click to share
them, and that is why Lime Wire users' guide has the warning
that you read, please ensure that any folder in your computer
that contains personal information is not included in your Lime
Wire library. Now, by default when you install Lime Wire 5.1,
and I did it last night again, the default option is to have
Lime Wire put all the files stored in your my documents folder
and all of its subfolders into the Lime Wire library. That
alone will not share them but it will make them available for
sharing and much easier to share and therefore the behavior of
the program simply not consistent with the advice in the users'
guide. As to my testimony earlier, it was quite correct. The
difference--the reason I think we are getting confused is, when
I say sensitive files, I mean files that would actually be
sensitive to share over a network like Gnutella so you have,
for example, scans of your family medical records and tax
returns, those can be stored in image file formats often and
those will be shared by default, and if you upgrade to Lime
Wire 5, it will continue to share those file types if you were
sharing them before, and if you install Lime Wire 5 on your
computer and a previous version of Lime Wire has ever been
there, then it will automatically begin re-sharing files that
were shared previously. So simply installing the program can
indeed resume sharing of files even if you are installing on a
computer where there is no version of Lime Wire currently
installed. I am correct about that. I reran the test again this
morning before the hearing.
Ms. Bono Mack. Thank you. I know my time is expired and I
hope we have a second round. Thank you, Mr. Chairman.
Mr. Rush. The chair intends to have a second round. The
chair now recognizes the gentleman from Georgia, Mr. Barrow,
for 5 minutes.
Mr. Barrow. I thank the chair. I want to try and get my
arms around the inadequacy of the current situation and talk
about what it is this legislation proposes to do in order to
try and alter the situation for the better.
Ms. Harrington, am I correct in understanding that there
are very limited tools available to the FTC right now to deal
with this issue, that basically the only option you have under
current law is to initiate a specific enforcement action
against somebody, a fact-specific action based on a specific
instance and that basically you are pretty much limited to, is
it adjunctive proceedings? Is that about the extent of it?
Ms. Harrington. That is right.
Mr. Barrow. No civil penalties whatsoever?
Ms. Harrington. No civil penalties.
Mr. Barrow. No rulemaking authority, no prescribing of
proper procedures or best practices, you just have to go after
individual cases and all you can do is tell folks to stop doing
what they are doing when you prove that they have done it?
Ms. Harrington. The rulemaking authority available to the
Commission is under the Magnusson-Moss amendments to the FTC
Act and those are laborious and take a very long time, the
procedures to use.
Mr. Barrow. So what we are proposing to give the FTC under
1319 would give you all some authority you don't have right
now. Are the civil penalties helpful to you all in trying to
bring some order to this situation?
Ms. Harrington. There are two things that are helpful.
Civil penalty authority is very helpful, and also to the extent
that some practices in these very fact-specific situations
might be injurious but neither deceptive nor unfair, then
having additional statutory authority is very helpful.
Mr. Barrow. Earlier on in the testimony, we heard some
folks raise some issues about the international end of things.
We all know we are connected to a worldwide web and that any
effective regulation of this marketplace in our country is
going to involve dealings with folks who can cross the
boundaries in cyberspace pretty much at will. What was your
concern, if not the extraterritoriality of the law, the
extraterritorial effect of us being able to regulate this? How
do you think we can address that supposed shortcoming of us
attempting to regulate this on our own shores?
Ms. Harrington. Well, first of all, the subcommittee was
instrumental in giving the Commission additional authority
under the U.S. Safe Web Act, which we used to get information
about overseas targets and to enlist help from other
governments and that is very useful. But that said, if there
are overseas software providers who are making available file-
sharing software that is injurious to U.S. consumers, we can
certainly assert our jurisdiction over those practices that
occur within the United States but we may not be able to reach
the purveyors if they are in other countries and particularly
in countries that aren't particularly interested in helping
out.
One of the things that we are very concerned about is that
the dominant players in this industry, which are in the United
States, do the best thing and the right thing and we think that
setting some legislative standards such as the ones that are
set forth in the bill would really help. We want the U.S.
players to be the best players so that they continue to be the
dominant players and the ones that consumers can use with some
confidence.
Mr. Barrow. The impression I get from what you are saying,
this is how I hear what you are saying, is that if we police
the marketplace where everybody shops, we don't have to worry
about the marketplace where few very people shop or hardly
anybody goes. Is that a fair way of putting it?
Ms. Harrington. Well, we certainly should police the
marketplace where everybody stops if that marketplace is
subject to our jurisdiction.
Mr. Barrow. But the high-volume users, the ones that have
the lion's share of the market, if we can make sure that what
they are doing is right and appropriate and folks who trade at
these places will not have to worry about losing their stuff,
we don't have to worry quite so much about those areas that
might be hard to reach. Why strain at a gnat and swallow an
elephant in the process.
Ms. Harrington. You know, that is certainly the intention.
There is always a risk that overseas operators can gain in
market share in the United States by doing--you know, by
gaining some sort of competitive advantage over the regulated
entities in our marketplace but, you know, that is not a worry
right now that is keeping me awake at night.
Mr. Barrow. I will wait for a second round, Mr. Chairman.
Thank you, ma'am.
Mr. Rush. Thank you.
The chair now recognizes the gentleman from Louisiana, Mr.
Scalise, for 5 minutes.
Mr. Scalise. Thank you, Mr. Chairman. Really I can open
this up to the whole panel on H.R. 1319. Do you think this will
help prevent a legal use of peer-to-peer software including
stealing personal records, copyright violations and things like
sharing child pornography?
Ms. Harrington. I think it will help under some
circumstances and under others we need more. The data security
bill actually could be very helpful here too because, as I
mentioned in my oral statement, there are really three
scenarios where sensitive information is shared. One is when
consumers don't know, don't understand, and this bill will
hopefully go a long way I think there. It is not going to help
when the problem is malware, and it is not going to help when
the problem is a business that has not prohibited and barred
from its system and its computers file-sharing software and it
is not going to help if the problem is that an employee of a
company takes sensitive information home and puts it on his or
her computer and that computer has file-sharing software or
malware on it that extracts that, so it is going to go a long
way to help in scenario one.
Mr. Scalise. Anybody else want to touch on that?
Mr. Sohn. I will just say I do think the intent and the
focus of the bill is certainly on the inadvertent disclosure so
that the privacy-related concerns, I think that would be the
main impact and is the main thrust of the bill.
Mr. Scalise. Let me ask about the data breaches that have
occurred, I think FTC had dealt with it, the largest one I have
seen, the TJX, which I think initial estimates were about 45
million Visa/MasterCard records were breached. Ultimately it
turned out somewhere close to 100 million were breached, and
you all had brought charges against them, and subsequently
other companies. Is there now an industry standard for data
protection? What is your feeling on where we are today versus
some of those cases a few years ago?
Ms. Harrington. Well, there are certainly well-established
good practices that in the cases that we have brought were not
followed. For example, you know, downloading available patches,
preventing against well-known attacks and kinds of attacks are
well-settled, you know, necessary practices. They are not even
best practices. They are necessary. And those companies did not
follow those practices.
Mr. Scalise. Anybody else want to add anything to that? We
are getting into now an area of moving towards electronic
medical records. There was some funding language in the
stimulus bill to start going down that road more as people's
health information gets put on the Web more and more. What kind
of protections are there today, what kind do we need, whether
it is in either these two bills or another vehicle to protect
people's health records as they become available on the
Internet so that they are only available to the doctors who
need to be reviewing them?
Ms. Harrington. Well, the Recovery Act also directed both
the FTC and the Department of Health and Human Services to do
rulemaking to set standards for breach notification when
consumers' sensitive health information is placed at risk. The
FTC, as I mentioned, has just issued a proposed rule dealing
with personal health records and other non-HIPAA-covered
entities that may have this sensitive information to set breach
notification standards and we are continuing also to work with
HHS to do a report that is due back to Congress in a year on
these issues.
Mr. Scalise. Any of you all doing any work on that issue?
Mr. Boback?
Mr. Boback. I would like to also comment on that. There are
no standards as far as peer-to-peer notifications. There are no
standards as far as peer-to-peer security measures. In fact,
most companies don't even have any standards on peer-to-peer.
When asked, most corporations, large and scale, what
information they are doing about peer-to-peer, most people, if
they respond at all will say that they are blocking peer-to-
peer and that they have a policy against it. That is the extent
of it. And I will tell you that--or they will say that they
have a firewall or an encryption of which nothing--firewall
does not stop peer-to-peer, encryption does not stop peer-to-
peer. Intrusion prevention detection and all the standard
security measures do not peer-to-peer disclosures from
happening, which is why in the past 60 days we have had, you
know, almost 4 million disclosures of this type via peer-to-
peer because there is just no standards.
Mr. Scalise. And finally Mr. Holleyman.
Mr. Holleyman. Mr. Scalise, we believe that the incentives
that are in Chairman Rush's bill that would encourage a
marketplace to grow for companies who hold sensitive data to
use proper security technologies to make that information
inaccessible to anyone who might actually breach it, that those
market-based incentives is a great supplement to the
enforcement authority that the bill would give. So we think the
two together can be effective.
Mr. Scalise. Thanks. I yield back, Mr. Chairman.
Mr. Rush. The chair intends to engage the members of the
committee in a second round of questioning and we will allow
each member an additional 2 minutes for the second round of
questioning. The chair recognizes himself now for the second
round and allocates 2 minutes for the purposes of questioning.
Mr. Rotenberg and Mr. Sohn, is the definition of personal
information under H.R. 2221, is it adequate in terms of data
security? The bill only addresses financial information. Should
we also consider requiring companies to secure sensitive
information such as medical information or password numbers or
et cetera? I mean, should we expand the definition of personal
information?
Mr. Sohn. Well, the bill has several different components,
and I think for purposes of the breach notification component,
the definition there is fairly close to what has been done in a
lot of the States and it reflects a lot of what has been common
in the data breach notification area. I think for purposes of
something like security standards, asking companies to have
reasonable procedures in place to protect data, there is no
reason to restrict it to the rather narrow set of data that is
in the definition of personal information now because what is
currently in the bill only applies--it is not just name and
address and some other information. There actually has to be
either a Social Security number or a financial account number
plus password or a driver's license number, something like
that. So I do think that the bill might consider using a
broader definition of personal information for some purposes
and the narrower definition for others.
Mr. Rotenberg. Mr. Chairman, in my written statement I made
a suggestion on this issue of personal information. I do think
it is appropriate to have a broader standard and also to
recognize that some of the personal identifiers nowadays aren't
just limited, for example, to a Social Security number or
driver's license number. There are other types of personal
identifiers like a Facebook member number or even the IP
address associated with your computer that needs to be
incorporated as well. So I think those changes can be made both
to get to more circumstances where the bill should reach and
also new types of identifiers.
Mr. Rush. The chair thanks the witnesses. Now the chair
recognizes the gentlelady from California for 2 minutes for
additional questions.
Ms. Bono Mack. I thank the chair for the second round.
Mr. Holleyman, you testified that the P2P bill would cover
more than just the illegitimate purpose software. You
identified a number of legitimate uses of P2P software such as
bicoastal collaboration on projects. I think you actually
mentioned Palm Springs to Chicago airports collaborating. So
this is of course when used correctly beneficial use of P2P
software. So we all agree that this technology can be extremely
helpful but if such programs are covered by H.R. 1319, what is
the harm? How is notice and consent an issue? Back to the Palm
Springs-Chicago, yes, I can see them collaborating on plans but
I don't think they necessarily want to collaborate on payroll
numbers and the like. So how is notice and consent an issue in
this case?
Mr. Holleyman. Ms. Bono Mack, our sense is that there is a
rapid growth in the legitimate uses of P2P, and that it will
become a de facto part of how we use technology that most
people will want to use. So our sense is as that part of the
market grows, we want to ensure that the legislation doesn't
overreach to get into things which all of us would generally
agree would not necessarily need--an initial notice that that
is there is fine but the process of how you would then disable
that needs to be clarified.
Ms. Bono Mack. Which is growing faster, illegitimate or
legitimate uses?
Mr. Holleyman. I think our sense as technologists is--and I
am not a technologist, I play one on TV, but not as
technologists but our engineers and our companies believe that
legitimate purposes of peer-to-peer in the next 10 years will
certainly grow much faster than the illegitimate ones.
Ms. Bono Mack. In the next 10 years, quickly in 10 seconds,
Mr. Boback, which has grown faster, legitimate or illegitimate
uses?
Mr. Boback. I will tell you that legitimate uses are now
emerging so while there is still a growth at this point because
the awareness is still decreased and there is not enough
awareness as to the problem, the legitimate uses and the
distribution content is an absolute must going forward. So I am
a supporter of peer-to-peer, however, the security measures
just as in the early stages of the World Wide Web need to be
addressed as in your bill 1319.
Ms. Bono Mack. Thank you.
Mr. Rush. The chair now recognizes the gentleman from
Georgia.
Mr. Barrow. I thank the chair. I think Ms. Bono Mack is
getting to the heart of the issue on the peer-to-peer
legislation. If I could reframe the issue, we want to fix what
is broke with this system. There is stuff out there that is
inside this legislation's definition of peer-to-peer file-
sharing program that is malicious. There is stuff out there
that is inside this definition that is perfectly benign.
Mr. Holleyman and Mr. Sohn, I am going to pitch this one in
you all's direction. How would you all define what we are
getting at in such a way as to stop the bad stuff and allow all
the other stuff to continue without having to have a
proliferation of warnings and opt-outs that basically hobble
this technology before it can even get started? Take a shot at
how you would define this in order to be able to reach the
stuff you want to reach.
Mr. Holleyman. I will start on that, Mr. Barrow. In our
testimony, we have actually listed five ways in which we would
modify the definition in the bill and believe that if those
types of changes are made, that that would be useful and would
help preserve the intent of the bill including looking at the
type of purposes that peer-to-peer file-sharing program is
typically used for, going at many of those things like
copyright infringements, which are a huge source of concern
to--
Mr. Barrow. Is that an effective way of defining it though
so that the regulators can get at what is going on?
Mr. Holleyman. We actually think that the regulators
would--their hand would be strengthened by more precision in
the definition rather than the breadth that is in there
currently.
Mr. Barrow. Mr. Sohn, what do you think?
Mr. Sohn. I also set forth in my testimony some ideas on
that point of how you might make this more narrow and apply to
what we think of as file-sharing software. I agree with Mr.
Lafferty's testimony that the key here really isn't peer-to-
peer. Peer-to-peer is a kind of architecture. It is really
about file-sharing functions that could enable documents and
other kinds of files on a user's local computer to be made
available to third parties, you know, in bulk and third parties
that haven't been selected or aren't even known to the user and
so we propose four bullet points of items that we think could
be in the definition but it tends to focus on that, the ability
to share files with unknown parties with no intervening action
or knowledge or selection by the user in terms of who that file
will be shared with.
Mr. Barrow. Mr. Chairman, my time is expired but I would
like to ask the witnesses to go beyond that and actually be
prepared to work with counsel and us to see if we can actually
come up with some concrete language to accomplish this. Thank
you. I yield the mic.
Mr. Rush. The chair now recognizes the gentleman from
Louisiana for an additional 2 minutes.
Mr. Scalise. Thank you again, Mr. Chairman.
These two bills might not necessarily be the vehicles for
it but they might. It has been a problem for years, especially
with identity theft getting worse with so many documents and
authenticators that use Social Security numbers that require
Social Security numbers to be used or documents that are public
record that still require people to use Social Security
numbers. A number of States have gone on their own and tried to
ferret those out and prohibit Social Security numbers on public
documents but it is not universal. There is no real standard
still. I think there as standalone legislation, it might have
been in the last Congress, that really didn't go anywhere but
there is a way that we can have some kind of standard to
protect people's Social Security numbers so that they are not
required for certain documents or authenticators so that they
are not so easily obtainable by third parties that are trying
to take them for bad purposes? I will start it off with Ms.
Harrington and anybody else that wants to take a shot.
Ms. Harrington. Well, as part of the President's identity
theft task force work that we have been engaged in, there are
couple of important initiatives that we are supporting. One,
the task force brought about a government-wide examination of
government uses of Social Security numbers with the goal of
minimizing to circumstances where the number is absolutely
essential, federal government agencies' use of Social Security
numbers, and I think a lot of progress has been made in the
government on that. Number two, the FTC as part of the identity
theft task force work convened a workshop and has continued to
work on the question of authentication and how better
authentication procedures and technologies can be developed so
that something like the ubiquitous Social Security number is no
longer needed. But there are lots of commercial settings right
now where both consumers and businesses benefit from the use of
Social Security numbers and may need them, and until we have
much better authentication measures available, it is a very
tough question to answer what to use instead of Social Security
numbers. For example, consumers have really benefited in many
instances from being able to quickly get a loan to get a car.
That whole credit reporting system depends on Social Security
numbers, and you know, we need a replacement but we don't have
one yet.
Mr. Scalise. And at least in the government sector where we
can set up a mechanism where people aren't required to have it
on a document that is public record because--
Ms. Harrington. Right.
Mr. Scalise. --clearly in the government arena, there are
records that are public and some of those records require a
Social Security number, which obviously poses big, big security
breach problems that have been documented. In this legislation,
if there a way to maybe try to address that, I don't want to
interfere with the chairman or Ms. Bono Mack's bill but if
there is a way we can do something that doesn't necessarily
cause other problems on the other side we can try to address a
narrow part of that problem.
Mr. Rush. The gentleman's time is expired.
Mr. Scalise. Thank you.
Mr. Rush. The chair really just wants to again thank the
witnesses. We have imposed on your time pretty significantly
this afternoon and we certainly are appreciative of the fact
that you have allowed us to do that and you have been a great
panel. If you would be so kind, we want to keep the record open
for at least 72 hours until there might be members of the
subcommittee who will in writing ask questions and if you would
respond in writing within 72 hours, the chair would certainly
appreciate that.
So thank you so very much again and you have really done
this subcommittee quite a great service. The hearing now stands
adjourned.
[Whereupon, at 4:45 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
�