[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE
DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE
DEPARTMENT OF JUSTICE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
COMMERCIAL AND ADMINISTRATIVE LAW
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
MAY 17, 2006
__________
Serial No. 109-155
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
U.S. GOVERNMENT PRINTING OFFICE
27-606 PDF WASHINGTON : 2006
------------------------------------------------------------------
For sale by Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2250. Mail: Stop SSOP,
Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
HENRY J. HYDE, Illinois JOHN CONYERS, Jr., Michigan
HOWARD COBLE, North Carolina HOWARD L. BERMAN, California
LAMAR SMITH, Texas RICK BOUCHER, Virginia
ELTON GALLEGLY, California JERROLD NADLER, New York
BOB GOODLATTE, Virginia ROBERT C. SCOTT, Virginia
STEVE CHABOT, Ohio MELVIN L. WATT, North Carolina
DANIEL E. LUNGREN, California ZOE LOFGREN, California
WILLIAM L. JENKINS, Tennessee SHEILA JACKSON LEE, Texas
CHRIS CANNON, Utah MAXINE WATERS, California
SPENCER BACHUS, Alabama MARTIN T. MEEHAN, Massachusetts
BOB INGLIS, South Carolina WILLIAM D. DELAHUNT, Massachusetts
JOHN N. HOSTETTLER, Indiana ROBERT WEXLER, Florida
MARK GREEN, Wisconsin ANTHONY D. WEINER, New York
RIC KELLER, Florida ADAM B. SCHIFF, California
DARRELL ISSA, California LINDA T. SANCHEZ, California
JEFF FLAKE, Arizona CHRIS VAN HOLLEN, Maryland
MIKE PENCE, Indiana DEBBIE WASSERMAN SCHULTZ, Florida
J. RANDY FORBES, Virginia
STEVE KING, Iowa
TOM FEENEY, Florida
TRENT FRANKS, Arizona
LOUIE GOHMERT, Texas
Philip G. Kiko, Chief of Staff-General Counsel
Perry H. Apelbaum, Minority Chief Counsel
------
Subcommittee on Commercial and Administrative Law
CHRIS CANNON, Utah Chairman
HOWARD COBLE, North Carolina MELVIN L. WATT, North Carolina
TRENT FRANKS, Arizona WILLIAM D. DELAHUNT, Massachusetts
STEVE CHABOT, Ohio CHRIS VAN HOLLEN, Maryland
MARK GREEN, Wisconsin JERROLD NADLER, New York
J. RANDY FORBES, Virginia DEBBIE WASSERMAN SCHULTZ, Florida
LOUIE GOHMERT, Texas
Raymond V. Smietanka, Chief Counsel
Susan A. Jensen, Counsel
Brenda Hankins, Counsel
Mike Lenn, Full Committee Counsel
Stephanie Moore, Minority Counsel
C O N T E N T S
----------
MAY 17, 2006
OPENING STATEMENT
Page
The Honorable Chris Cannon, a Representative in Congress from the
State of Utah, and Chairman, Subcommittee on Commercial and
Administrative Law............................................. 1
The Honorable Melvin L. Watt, a Representative in Congress from
the State of North Carolina, and Ranking Member, Subcommittee
on Commercial and Administrative Law........................... 6
WITNESSES
Ms. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department
of Homeland Security, Washington, DC
Oral Testimony................................................. 9
Prepared Statement............................................. 11
Ms. Jane C. Horvath, Chief Privacy and Civil Liberties Officer,
U.S. Department of Justice, Washington, DC
Oral Testimony................................................. 15
Prepared Statement............................................. 17
Ms. Sally Katzen, Professor, George Mason University Law School,
Arlington, VA
Oral Testimony................................................. 25
Prepared Statement............................................. 26
Ms. Linda D. Koontz, Director, Information Management Issues,
U.S. Government Accountability Office, Washington, DC
Oral Testimony................................................. 31
Prepared Statement............................................. 33
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Prepared Statement of the Honorable Chris Cannon, a
Representative in Congress from the State of Utah, and
Chairman, Subcommittee on Commercial and Administrative Law.... 2
Prepared Statement of the Honorable Melvin L. Watt, a
Representative in Congress from the State of North Carolina,
and Ranking Member, Subcommittee on Commercial and
Administrative Law............................................. 4
APPENDIX
Material Submitted for the Hearing Record
Response to Post-Hearing Questions from Maureen Cooney, Acting
Chief Privacy Officer, U.S. Department of Homeland Security,
Washington, DC................................................. 64
Response to Post-Hearing Questions from Sally Katzen, Professor,
George Mason University Law School, Arlington, VA.............. 68
Response to Post-Hearing Questions from Linda D. Koontz,
Director, Information Management Issues, U.S. Government
Accountability Office, Washington, DC.......................... 70
PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE
DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE
DEPARTMENT OF JUSTICE
----------
WEDNESDAY, MAY 17, 2006
House of Representatives,
Subcommittee on Commercial
and Administrative Law,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:06 p.m., in
Room 2141, Rayburn House Office Building, the Honorable Chris
Cannon (Chairman of the Subcommittee) presiding.
Mr. Cannon. The Subcommittee will please come to order.
At the outset I want to note that immediately following the
hearing, we have scheduled the markup of H.R. 2840, the
``Federal Agency Protection of Privacy Act.''
Let me begin this hearing with an observation written in
1787 by Alexander Hamilton, one of our Founding Fathers, and
one of the more interesting of them. He wrote: ``Safety from
external danger is the most powerful director of national
conduct. Even the ardent love of liberty will, after a time,
give way to its dictates. The violent destruction of life and
property incident to war, the continual effort and alarm
attendant on a state of continual danger, will compel nations
the most attached to liberty to resort for repose and security
to institutions which have a tendency to destroy their civil
and political rights. To be more safe, they at length become
willing to run the risk of being less free.''
Mr. Hamilton's comments are as insightful today as they
were when he wrote them more than two centuries ago.
In this post-9/11 world, it is no easy task to balance the
competing goals of keeping our Nation secure while at the same
time protecting the privacy rights of our Nation's citizens.
As many of you know, the protection of personal information
in the hands of the Federal Government has long been a top
priority for my Subcommittee, the Subcommittee on Commercial
and Administrative Law. Under the leadership of House Judiciary
Committee Chairman Sensenbrenner, our Subcommittee has played a
major role in protecting personal privacy and civil liberties.
Our accomplishments to date include the establishment of
the first statutorily created privacy office in a Federal
agency, namely, the Department of Homeland Security. That
office has since earned plaudits from both the private and
public sectors, including the GAO.
Just this week, the DHS Privacy Office submitted to
Congress a comprehensive assessment of the impact of automatic
selectee and so-called no-fly lists for airline passengers on
privacy and civil liberties. While these lists can be useful
tools for preventing terrorist activity endangering the safety
of airline passengers and others, the collection of personal
information to create these tools could raise concerns about
their impact on privacy and civil liberties. I think we will be
interested to hear Ms. Cooney's summary of this report as part
of today's hearing.
Inspired by the successes of the DHS Privacy Office, our
Subcommittee also spearheaded the creation of a similar
function in the Justice Department, which was signed into law
in January of this year. Ms. Horvath, another of our witnesses,
was appointed to fill this important position on February 21.
We also look forward to hearing from Ms. Horvath about her
views and goals as the Chief Privacy and Civil Liberties
Officer for the Justice Department.
To supplement these efforts, our Subcommittee has also
conducted oversight hearings on the subject of the Government's
use of personal information. These include a hearing held on
the 9/11 Commission's privacy-related recommendations as well
as a hearing held just last month on the respective roles that
the Federal Government and information resellers have with
respect to personal information collected in commercial
databases.
As technological devices increasingly facilitate the
collection, use, and dissemination of personally identifiable
information, the potential for misuse of such information
escalates. Five years ago, the GAO warned: ``Our Nation has an
increasing ability to accumulate, store, retrieve, cross-
reference, analyze, and link vast numbers of electronic records
in an ever faster and more cost-efficient manner. These
advances bring substantial Federal information benefits as well
as increasing responsibilities and concerns.''
Unfortunately, the GAO continues to find, as we learned
from our hearing last month, that Federal agencies' compliance
with the Privacy Act and other requirements is, to quote,
``uneven.''
It is against this complex but exceedingly interesting
backdrop that we are holding this hearing today.
I now turn to my colleague, Mr. Watt, the Ranking Member of
the Subcommittee, and ask him if he has any opening remarks.
But before I recognize him, I just want to say that we
appreciate working with Mr. Watt on these issues. He has been
a--this Committee has worked well together, and he has been a
great support and addition. And with that, Mr. Watt, I
recognize you for an opening statement for 5 minutes.
[The prepared statement of Mr. Cannon follows:]
Prepared Statement of the Honorable Chris Cannon, a Representative in
Congress from the State of Utah, and Chairman, Subcommittee on
Commercial and Administrative Law
Let me begin this hearing with an observation written in 1787 by
Alexander Hamilton, one of our Founding Fathers. He wrote:
``Safety from external danger is the most powerful director of
national conduct. Even the ardent love of liberty will, after a
time, give way to its dictates. The violent destruction of life
and property incident to war, the continual effort and alarm
attendant on a state of continual danger, will compel nations
the most attached to liberty to resort for repose and security
to institutions which have a tendency to destroy their civil
and political rights. To be more safe, they at length become
willing to run the risk of being less free.''
Mr. Hamilton's comments are as insightful today as they were when
he wrote them more than two centuries ago.
In this post-September 11th world, it is no easy task to balance
the competing goals of keeping our nation secure while at the same time
protecting the privacy rights of our nation's citizens.
As many of you know, the protection of personal information in the
hands of the federal government has long been a top priority for my
Subcommittee--the Subcommittee on Commercial and Administrative Law.
Under the leadership of House Judiciary Committee Chairman
Sensenbrenner, our Subcommittee has played a major role in protecting
personal privacy and civil liberties.
Our accomplishments to date include the establishment of the first
statutorily-created privacy office in a federal agency, namely the
Department of Homeland Security. That office has since earned plaudits
from both the private and public sectors, including the GAO.
Just this week, the DHS Privacy Office submitted to Congress a
comprehensive assessment of the impact of automatic selectee and so-
called ``no-fly'' lists for airline passengers on privacy and civil
liberties. While these lists can be useful tools for preventing
terrorist activity endangering the safety of airline passengers and
others, the collection of personal information to create these tools
could raise concerns about their impact on privacy and civil liberties.
I think we will be very interested to hear Ms. Cooney's summary of this
report as part of today's hearing.
Inspired by the successes of the DHS Privacy Office, our
Subcommittee also spearheaded the creation of a similar function in the
Justice Department, which was signed into law in January of this year.
Ms. Horvath, another of our witnesses, was appointed to fill this
important position on February 21st. We also look forward to hearing
from Ms. Horvath about her views and goals as the Chief Privacy and
Civil Liberties Officer for the Justice Department.
To supplement these efforts, our Subcommittee has also conducted
oversight hearings on the subject of the government's use of personal
information. These include a hearing held on the 9/11 Commission's
privacy-related recommendations as well as a hearing held just last
month on the respective roles that the federal government and
information resellers have with respect to personal information
collected in commercial databases.
As technological developments increasingly facilitate the
collection, use, and dissemination of personally identifiable
information, the potential for misuse of such information escalates.
Five years ago, the GAO warned:
``Our nation has an increasing ability to accumulate, store,
retrieve, cross-reference, analyze, and link vast numbers of
electronic records in an ever faster and more cost-efficient
manner. These advances bring substantial federal information
benefits as well as increasing responsibilities and concerns.''
Unfortunately, the GAO continues to find--as we learned from our
hearing last month--that federal agencies' compliance with the Privacy
Act and other requirements is ``uneven.''
It is against this complex, but exceedingly interesting backdrop
that we are holding this hearing today.
Mr. Watt. Thank you, Mr. Chairman, and I am going to ask
that my civil written statement be put in the record.
Mr. Cannon. Without objection, so ordered.
[The prepared statement of Mr. Watt follows:]
Prepared Statement of the Honorable Melvin L. Watt, a Representative in
Congress from the State of North Carolina, and Ranking Member,
Subcommittee on Commercial and Administrative Law
Mr. Watt. Thank you, sir, and then I'm going to stray to
make some less civil remarks, so you might have bragged too
early because I'm feeling a sense of frustration here.
I'm reflecting back to a point several terms ago when
eyebrows were raised by the fact that Representative Bob Barr,
one of the, quote-unquote, more conservative Members of this
Committee, and Representative Mel Watt, quote-unquote, one of
the more liberal Members of this Committee, met out here in
front of the Capitol and had a press conference about a bill
that is this bill.
Well, we marked it up, and Mr. Barr is now gone on into the
private sector. The year after he left, we marked it up again.
And, you know, at some point we're going to have to do
something on this issue more than mark up this bill in the
Subcommittee if we are going to begin to be serious about doing
what we need to do, it seems to me.
And so it is from that that I am feeling this great sense
of frustration that I am beginning to get the feeling that any
time some of my colleagues want to feel like they want to say
publicly that they are doing oversight over our Government or
interested in protecting privacy rights, the way to do that is
to put this bill back on for another hearing and another
markup, and then next term of Congress we'll be back doing the
same thing over and over again as we now have been doing--
what?--two or three, maybe--I don't know how many terms of
Congress we've marked this bill up and had hearings on it.
So if I'm feeling a little frustrated, it's not because I
don't think this is something important. It is more important
today than it was when we started three or four terms of
Congress ago.
Yeah, we thought the Government was doing some things to
invade the privacy rights of individuals, but we certainly--our
Government wasn't getting a list of everybody's phone numbers
and monitoring phone calls within the United States. So this
has gone to a level that is so far beyond what we anticipated
or thought about or thought we were addressing at the time we
originally introduced this bill. And yet here we are having
another hearing, marking up the bill in our Subcommittee, and
so I guess maybe I should make a commitment not to be back here
next term of Congress doing the same thing that we've done now
several times. Unless we are going to be serious about pushing
this legislation and getting it considered in the full
Committee in the House, in the Senate, this may be just another
show that some of our Members think is time to make another
public demonstration that we are concerned about the privacy
rights of our citizens and the possibility that the
Government--the probability--the reality that the Government is
way over there beyond where they ought to be on invading those
privacy rights.
So I will--I've put my civilized statement in the record,
Mr. Chairman. I've made my uncivilized statement. But believe
me, I'm just frustrated about where we are on this issue
because we've had hearing after hearing, we've had markup after
markup, but we still don't have any real results to show for
it.
So, with that, I yield back.
Mr. Cannon. The record of this hearing should reflect the
Chairman's view that even when Mr. Watt intends to be uncivil,
he is an awfully civil human being.
I hope that the gentleman is not suggesting that there is
any lack of commitment on my part to this bill, and I point out
that actually we've changed the rules recently that allows us
now on this side of the Hill to criticize the other side of the
Hill for its lack of action. We've actually passed this bill on
the House side from the whole--the House of Representatives has
passed it out. It has not been acted on by the Senate. The
Senate is a complicated body, and we hope that by passing this
again, and maybe again and again--we actually passed the
Bankruptcy Act eight times before they passed it on the other
side. So I agree with the gentleman and his concerns and wish
that this issue were actually behind us. And hopefully we'll
take that step today to do that.
I just might also point out that there's a difference
between monitoring phone calls and comparing numbers that
people are calling to connect those phone calls to our enemies
outside the country, without arguing for the rightness of any
of that, just to make the distinction on the record here.
Without objection, all Members may place their statements
in the record at this point. Hearing no objection, so ordered.
Without objection, the Chair will be authorized to declare
recesses of the hearing at any point. Hearing no objection, so
ordered.
I ask unanimous consent that the Members have 5 legislative
days to submit written statements for inclusion in today's
record. Hearing no objection, so ordered.
I'm now pleased to introduce the witnesses for today's
hearing, three of whom have previously testified before our
Subcommittee. We welcome you back and appreciate your continued
assistance to our Subcommittee.
Our first witness is Maureen Cooney, the Acting Chief
Privacy Officer for the Department of Homeland Security. As I
previously noted, the Subcommittee played a major role in
establishing Ms. Cooney's office at DHS. The legislation
creating her office not only mandated the appointment of a
Privacy Officer, but specified the officer's responsibilities.
One of the principal responsibilities of the DHS Privacy
Officer as set out by statute is the duty to assure that ``the
use of technologies sustain, and do not erode, privacy
protections relating to the use, collection, and disclosure of
personal information.'' In addition, the Privacy Officer must
assure that personal information is handled in full compliance
with the Privacy Act and assess the privacy impact of the
Department's proposed rules.
Before joining DHS' Privacy Office, Ms. Cooney worked on
international privacy and security issues at the U.S. Federal
Trade Commission where she served as a principal liaison to the
European Commission for privacy issues, a very difficult and
burdensome task, I'm sure, especially eating in French
restaurants on occasion. I hope you had that opportunity. You
don't need to--no incriminating statement is due on that.
She also played a major role in the revision of the
guidelines for information systems and networks for the
Organization of Economic Cooperation and Development. Prior to
that assignment, Ms. Cooney worked on privacy and security
issues with the Treasury Department and at the Office of the
Comptroller of the Currency. Ms. Cooney received her bachelor's
degree in American Studies from Georgetown University and her
law degree from Georgetown University Law Center.
Our next witness is Jane Horvath, the recently appointed
Chief Privacy Officer and Civil Liberties Officer for the
Department of Justice. In this capacity, Ms. Horvath is
responsible for reviewing the Justice Department's compliance
with the privacy laws and with developing the Department's
privacy policies. In addition to safeguarding privacy, Ms.
Horvath oversees the Department's policies relating to the
protection of individual civil liberties, specifically in the
context of DOJ's counterterrorism and law enforcement efforts.
These are really awesome responsibilities. Before joining the
Justice Department, Ms. Horvath was the Director of the
Washington, D.C., Office of Privacy Laws and Business, a
privacy consulting firm. While there, she focused on advising
U.S. companies on international privacy trends among other
matters. Ms. Horvath received her undergraduate degree from the
College of William and Mary and her law degree from the
University of Virginia.
Professor Sally Katzen is our next witness. Ms. Katzen is a
visiting professor at George Mason University Law School as
well as the Sachs Scholar at Johns Hopkins University. Next
year, she will be a Public Interest, Public Service Faculty
Fellow at the University of Michigan Law School. Prior to
joining academia in 2001, Professor Katzen was responsible for
developing privacy policy for the Clinton administration for
nearly a decade. As the Administrator of the Office of
Information and Regulatory Affairs at the Office of Management
and Budget, she was effectively the chief information office--
policy official for the Federal Government. Her
responsibilities included developing Federal privacy policies.
Professor Katzen later served as the Deputy Assistant to the
President for Economic Policy and Deputy Director of the
National Economic Council in the White House. Thereafter, she
became the Deputy Director for Management at OMB. Before
embarking on her public service career, Professor Katzen was a
partner in the Washington, DC, law firm of Wilmer, Cutler and
Pickering, where she specialized in regulatory and legislative
matters. Professor Katzen graduated magna cum laude from Smith
College and magna cum laude from the University of Michigan Law
School, where she was editor in chief of the Law Review.
Following her graduation from law school, she clerked for Judge
J. Skelly Wright of the United States Court of Appeals for the
District of Columbia Circuit.
Our final witness is Linda Koontz, who is the Director of
GAO's Information Management Issues Division. In that capacity,
she is responsible for issues regarding the collection and use
and dissemination of Government information. Ms. Koontz has led
GAO's investigations into the Government's data-mining
activities as well as e-Government initiatives. In addition to
obtaining her bachelor's degree from Michigan State University,
Ms. Koontz received certification as a Government financial
manager.
I extend to each of you my warm regards and appreciation
for your willingness to participate in today's hearing. In
light of the fact that your written statements will be included
in the hearing record, I request that you limit your oral
remarks to 5 minutes. Accordingly, please feel free to
summarize highlights of your--or highlight the salient points
of your testimony. You will note that we have a lighting system
that starts with a green light. After 4 minutes, it turns to a
yellow light, and then at 5 minutes, it turns to a red light.
It is my habit to tap the gavel at 5 minutes. We'd appreciate
it if you'd finish up your thoughts within that time frame. We
don't like to cut people off in their thinking, but I find that
it works much better if everybody knows that 5 minutes is 5
minutes. So if you could wrap it up by that time, the time we
get there, I would appreciate that, and I will try to be
consistent in my tapping, and that includes for other Members
of the Committee, who are given 5 minutes to ask questions.
This is not like an ironclad rule, by the way. Just we actually
are interested in what you have to say, not in the clock.
After you've presented your remarks, the Subcommittee
Members, in the order they arrived, will be permitted to ask
questions of the witnesses, subject to the 5-minute limit.
Pursuant to the direction of the Chairman of the Judiciary
Committee, I ask the witnesses to please stand and raise your
right hand to take the oath.
[Witnesses sworn.]
Mr. Cannon. The record should reflect that each of the
witnesses answered in the affirmative, and you may be seated.
Ms. Cooney, would you now please proceed with your
testimony?
TESTIMONY OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S.
DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, DC
Ms. Cooney. Thank you. Chairman Cannon, Ranking Member
Watt, and Members of the Committee, good afternoon. Thank you
for the opportunity to speak to the issue of privacy in the
hands of the Federal Government and most specifically on
activities at the Department of Homeland Security, the role of
the Chief Privacy Officer, and initiatives led by the
Department's Privacy Office.
As the Subcommittee well knows, the Department of Homeland
Security was the first Federal agency to have a statutorily
required Privacy Officer. We appreciate the support of this
Committee. The inclusion of a senior official accountable for
privacy policy and protections honors the value placed on
privacy as an underpinning of our American freedoms and
democracy. It also reflects Congress' understanding of the
growing sensitivity and awareness of the ubiquitous nature of
personal data, flows in both private and public sectors, and a
recognition of the impact of those data flows upon our
citizens' lives.
At the most recent meeting of the Department's Data Privacy
and Integrity Advisory Committee, which was created to advise
the Secretary and the Chief Privacy Officer on significant
privacy issues, Secretary Chertoff noted that the Department
has the opportunity to build into the sinews of this
organization respect for privacy and a thoughtful approach to
privacy.
Secretary Chertoff expressed a belief that I share. We want
the Government to be a protector of privacy, and we want to
build security regimes that maximize privacy protection and
that do it in a thoughtful and meaningful way. If done right,
it will be not only a long-lasting ingredient of what we do in
Homeland Security but a very good template for what Government
ought to do in general when it comes to protecting people's
personal autonomy and privacy.
The Chief Privacy Officer and the DHS Privacy Office have a
special role working in partnership and collaboration across
the Department to integrate privacy into the consideration of
the ways in which the Department assesses its programs and uses
technologies, handles information, and carries out our
protective mission.
The Privacy Office has oversight of privacy policy matters
and information disclosure policy, including compliance with
the Privacy Act of 1974, the Freedom of Information Act, and
the completion of privacy impact assessments on all new
programs or new collections of personal information as required
by the E-Government Act of 2002 and section 222 of the Homeland
Security Act of 2002.
The Privacy Office also evaluates new technologies used by
the Department for their impact on personal privacy. Further,
the Chief Privacy Officer reports directly to the Secretary and
is required to report to Congress on these matters, as well as
on complaints about possible privacy violations.
At this point, if I may, I would like to amplify my written
testimony by speaking for a few minutes about the U.S. privacy
framework that applies to the Federal space. In tandem, the
Privacy Act of 1974, the Freedom of Information Act that
promotes transparency of Government operations and
accountability, a significant privacy principle, and the E-
Government Act of 2002 that augmented the Privacy Act by
operationalizing privacy reviews for all new major data
collection systems or significant changes to information
systems provide a robust umbrella of privacy protections for
which the United States can be proud and which I believe is
second to none in the Government space. Notice, transparency,
and accountability are key to our work in the privacy area.
Today, I'm very happy to address our efforts in this regard
with respect to the activities of the Department of Homeland
Security from a seat at the table during the investment review
process at DHS for technology acquisitions and program funding,
through all steps of the technology and program lifecycle
development process, the use of PIAs to integrate privacy
considerations into standards, strategic planning for programs
at the Department, and notice to the public through systems of
record notices, to audits and oversight and the development of
policy guidance and implementation on key data issues.
I thank you again for the opportunity to share the
accomplishments of the DHS Privacy Office, which I have noted
in our written testimony, and hope to demonstrate through both
the written and oral testimony the importance of privacy in the
hands of the Department of Homeland Security and how important
it is as a part of our culture. We appreciate the support this
Subcommittee has given to our office and look forward to
working with you on matters of mutual interest and concern.
Thank you again.
[The prepared statement of Ms. Cooney follows:]
Prepared Statement of Maureen Cooney
Chairman Cannon, Ranking Member Watt, and Members of the
Subcommittee, I am delighted to be back before you today to discuss
Privacy in the Hands of the Government as it pertains to activities of
the Department of Homeland Security and the efforts of the Privacy
Office. Building privacy attentiveness into the very sinews of our
still young agency is a responsibility that we take seriously at DHS.
In the eight months that I have served as Acting Chief Privacy
Officer, within the Privacy Office we have continued to develop and
operationalize privacy policy for the Department, consistent with our
statutory mission in Section 222 of the Homeland Security Act and with
support and partnership throughout the Department. And as I hope the
following testimony will demonstrate, we have been actively
implementing our statutory responsibilities as part of the larger
mission of the Department. By ensuring that the Department's programs,
policies, personnel, and technologies account for and embrace fair
information principles--the use of personal information for legitimate,
tailored, and sound purposes--the Privacy Office has worked to enhance
public trust in the Department and to ensure the protection of an
essential right of our people.
My predecessor, Nuala O'Connor Kelly, testified before this
Subcommittee in February 2004, and outlined the first year activities
of the DHS Privacy Office. I would like to update the Subcommittee on
our continued work since that time and our plans for future
initiatives.
The Privacy Office has focused on making privacy an integral part
of DHS operations. We often use the phrase ``operationalizing privacy''
to describe these efforts. We want DHS personnel to think about privacy
every time they consider the collection, use, maintenance or disclosure
of personally identifiable information. Our efforts to operationalize
privacy have encompassed a number of activities.
operationalizing privacy through compliance
One way to operationalize privacy is to ensure that DHS is fully
compliant with statutory privacy requirements and the DHS Privacy
Office has been actively engaged in this effort.
In my previous appearance before the Subcommittee, which focused on
the use by the government of data from information resellers, I
outlined for the Subcommittee how we have used the E-Government Act of
2002's requirement that Privacy Impact Assessments be conducted for new
or substantially revised information systems to make sure that privacy
is built into DHS programs and that there is transparency about the
types of information used by DHS as well as the purposes for which the
information is used. PIAs are fundamental in making privacy an
operational element within the Department and we have fully utilized
this tool to embed privacy as part of DHS operations.
To do this, we have updated and refined our guidance on conducting
Privacy Impact Assessments and have distributed it widely both
internally to DHS offices and programs and externally to other
agencies. Along with the guidance, we also have issued a template for
DHS offices to follow in drafting Privacy Impact Assessments. We have
fully utilized our Privacy Office website for transparency purposes and
have posted these documents so that the public is also aware of our
guidance.
``Imitation is the sincerest form of flattery,'' according to an
old expression, and I am happy to report that the DHS Privacy Office's
PIA Guidance has served as the basis for other agencies' PIA
activities. For example, our PIA template served as the basis for a
model PIA for HSPD-12 (Common Identification Standards for Federal
Employees) implementation, which was distributed by the Office of
Management and Budget through its Interagency Privacy Committee. In
addition, other federal agencies have requested to liberally borrow the
guidance and we are happy to be able to share it and to add to
government efficiency and harmonization of approaches to privacy in the
government space.
In addition to requiring that DHS programs conduct Privacy Impact
Assessments for new or substantially revised programs, privacy is one
of the issues that must be addressed before funding is awarded to a
program that involves the collection, use and maintenance of personally
identifiable information. The Privacy Office provides significant
support to the DHS Office of the Chief Information Officer (OCIO) in
the budget process by ensuring that all proposed spending on
information technology investments that involve personally identifiable
information meets privacy requirements. Not only are our programs
required to complete a Privacy Threshold Analysis, which helps us to
determine whether a full Privacy Impact Assessment is necessary, but
funding for DHS programs through the budget process cannot go forward
without program compliance with privacy mandates. The DHS Privacy
Office therefore has a strong ``stick'' to accompany the ``carrot'' of
funding to ensure that privacy becomes operationalized in DHS programs.
Privacy compliance reviews are another important tool for
operationalizing privacy into DHS programs, and during this past year,
the Privacy Office undertook the first privacy review of what we expect
to be many when we analyzed compliance by the U.S. Customs and Border
Protection (CBP) with its Passenger Name Record (PNR) Undertakings.
These Undertakings were provided by CBP to the European Commission in
order to demonstrate that CBP has adequate privacy protocols in place
to protect personally identifiable information as a condition precedent
to receiving PNR information about European airline passengers. Based
on the Undertakings, the EU agreed to share passenger name record
information with CBP in order to fight terrorism and other serious
crimes as well as to facilitate transatlantic travel.
The Privacy Office's compliance review consisted of a full analysis
of CBP policies and procedures, interviews with key managers and staff
who handle PNR, and a technical review of CBP systems and
documentation. This compliance review occurred over a several-month
period and as a result of changes recommended by the Privacy Office or
made unilaterally by CBP, we were able to conclude that CBP achieved
full compliance with the representations it had made in the
Undertakings. This finding was the primary factor in the ability of the
Privacy Office to conclude a successful joint review, with
representatives of the EU, of CBP's compliance with the US-EU PNR
Agreement.
We conducted a different kind of compliance review when we examined
the use of commercial data by the Transportation Security
Administration (TSA) in connection with the Secure Flight Program after
privacy concerns were raised by the Government Accountability Office.
We analyzed whether TSA's public notices about this use of commercial
data for testing purposes matched the actual test protocols and made
recommendations, as a result of this review. The Privacy Office
continues to work closely with TSA to implement privacy statutory
requirements and best practices in the design and implementation of
this as well as other TSA screening programs.
In compliance with the requirements of the Computer Matching and
Privacy Protection Act, as amended, the Privacy Office established a
Privacy and Data Integrity Board to approve matching agreements
undertaken by DHS components, as required by law, and to weigh in on
privacy policy issues of interest and concern to the Department. Our
Board held several meetings at which we discussed ideas for responsible
information handling, and the Board was instrumental in assisting the
Privacy Office in completing several required reports.
Ensuring publication of appropriate Privacy Act systems of records
notices (SORNs) rounded out the Privacy Office's compliance activities.
These notices, in fact, necessarily are a regular and ongoing part of
the Privacy Office's work and of our statutory obligation to ensure
that the Department maintains personally identifiable information in
conformity with the requirements of the Privacy Act.
operationalizing privacy through education
A significant way to increase privacy awareness and ensure that it
is embedded in DHS is through education and training. The Privacy
Office trains all new DHS employees as part of their overall
orientation to the Department. We continue to develop, moreover, more
robust training courses to be provided to all DHS employees and
contractors to augment their privacy background and to raise awareness
and sensitivity about the importance of the respectful use of personal
information by the Department. And we have conducted training on
Privacy Impact Assessment requirements for individual DHS offices,
information technology managers, business managers, and systems
analysts. Establishing the lines of communication between DHS personnel
and our office through these training programs helps us to get our
message across and helps employees to be sensitized to proper
information handling techniques.
Our component privacy officers also make sure that employees in our
components and offices are provided robust privacy training. I would be
remiss, in fact, if I didn't emphasize the close collaboration and
rapport our office has with other privacy officers in the Department,
who were installed at our urging and who help the DHS Privacy Office
carry out our important work
In addition to our general education and training programs, the
Privacy Office has conducted two workshops intended to raise privacy
awareness among DHS personnel as well as the public. These workshops
have drawn subject matter experts together to discuss privacy issues
raised by homeland security programs. The issues we have explored are
both relevant and topical. We have posted both transcripts and
summaries of our activities on our website.
I mentioned in my April 4, 2006 testimony before this Subcommittee
that we had conducted a workshop on the government's use of commercial
data for homeland security purposes. The objective of that workshop was
to look at the policy, legal and technology issues associated with the
government's use of commercial data in homeland security programs. Just
last week our Privacy and Data Integrity Board held preliminary
discussions on development of a policy regarding the use of commercial
data by DHS, and the information we gleaned from our workshop will be
helpful as we move forward on this vital issue.
Last month, we conducted another workshop on the use of personal
information by the government and how we can achieve transparency and
accountability. This workshop sparked discussions about the utility of
privacy notices to accomplish transparency and how those notices can be
written in a way that is comprehensible while it is also comprehensive.
We also discussed the utility of the Freedom of Information Act for
fostering accountability through access to information about
individuals that is maintained by the government. We were fortunate to
have several panel members from other nations who could contribute a
global perspective on this issue. Again, the workshop complemented our
internal training efforts to raise privacy awareness and also served an
important educational function to improve public understanding of DHS
programs.
information sharing and outreach
Information sharing has become a significant focus of the DHS
Privacy Office. The Intelligence Reform and Terrorism Prevention Act
established requirements for an information sharing environment. This
legislative mandate augmented Executive Orders and Homeland Security
Directives issued by President Bush all aimed at fostering a climate of
robust exchanges of terrorism related information in a privacy
sensitive manner. Executive Order 13356, for example, directed all
departments and agencies to enhance the interchange of terrorism-
related information within the Federal government and between the
Federal government and appropriate authorities of state and local
governments. The DHS Privacy Office led the effort to integrate privacy
protections into the planning process supporting the implementation of
this Executive Order.
Similarly, the DHS Privacy Office led the effort within DHS to
integrate privacy protections at the earliest stages of implementing
HSPD-11, a Presidential directive that concerns terrorist-related
screening procedures. Within DHS, moreover, the Privacy Office has
supported the work of the Information Sharing and Collaboration Office
(ISCO), which was established to lead the creation of a DHS information
sharing environment. The Privacy Office provided both resources and
guidance to ISCO to help create a set of business rules for sharing
personal information in a way that minimizes privacy intrusions while
maximizing use of the data for homeland security purposes.
The Privacy Office also participated in a number of interagency
activities designed to foster inter-agency exchanges of information on
privacy technologies and other privacy issues. We chair, for example,
the Social, Legal and Privacy Subgroup of the National Science and
Technology Council's (NSTC) Subcommittee on Biometrics. Established by
Executive Order, NSTC is the principal means by which the President
coordinates science, space, and technology policy across the
government. NSTC's Subcommittee on Biometrics has examined issues
related to the development and use of biometric technologies in the
Federal government and the Social, Legal and Privacy Subgroup was
responsible for developing a rich, centralized repository of
information about the social history of biometrics, the legal framework
that applies to the collection and use of biometrics, and the privacy
principles that should govern the responsible use of this technology.
Analysis of this repository and actual implementations resulted in a
paper that connects privacy and biometrics at a structural level so
that both fields can be understood within a common framework, thus
enabling federal agencies and public entities to implement privacy-
protective biometric systems.
We have also begun coordinating with the White House's Privacy and
Civil Liberties Oversight Board on information sharing and other
relevant issues. Through this work, the DHS Privacy Office is able to
foster interagency cooperation, coordination and collaboration on
privacy matters.
The Privacy Office has also reached out to experts in the private
sector to help us understand programmatic, policy, operational and
technology issues that affect privacy, data integrity, and data
interoperability. To that end, in April 2004, the Department chartered
the Data Privacy and Integrity Advisory Committee (DPIAC) under the
authority of Federal Advisory Committee Act to provide an external and
expert perspective to the Secretary and Chief Privacy Officer. The DHS
Privacy Office provides administrative and managerial support to the
DPIAC. In return, the Committee has provided significant advice to the
Chief Privacy Officer and the Secretary on important privacy
considerations. The Committee offered its recommendations on TSA's
Secure Flight Program, which have helped the DHS Privacy Office to
formulate its own advice on this significant initiative. The Committee
also provided guidance on the Use of Commercial Data to Reduce False
Positives in Screening Programs, which will help inform any final
policy that the Privacy Office recommends on this important topic. We
expect to continue to get advice from the Committee on other issues of
interest to the Department.
international initiatives
Because the work of the Department is both national and
international in scope, the work of the DHS Privacy Office is equally
broad. The primary goal of the DHS Privacy Office's international
activities has been to convey to the global community the importance of
fair information practices to our office, the Department and the
nation. We have devoted significant resources to working with programs
in multilateral global forums, such as the OECD, as well region-centric
international organizations such as the Asian Pacific Economic
Cooperation forum (APEC). In addition, of course, the Privacy Office
works with the European Union and on issues raised by the Joint
Supervisory Body representatives of Europol and Eurojust.
We have had substantial input on a number of international privacy
initiatives, including the Enhanced International Travel Security
Initiative (EITS), under the leadership of DHS's Science and Technology
Directorate and US-VISIT, and real-time sharing of lost and stolen
passports in a way that properly protects privacy, through an APEC-
sponsored initiative known as the Regional Movement Alert List. The
Privacy Office also works more generally within international
organizations to shift the international privacy dialogue away from
conflicting laws to compatible privacy principles in order to foster
information sharing for homeland security and other necessary purposes.
Our work has been helpful in improving international opinion regarding
the United States Government's attention to privacy principles in the
design and operation of information systems.
future activities
As I hope the foregoing demonstrates, the DHS Privacy Office takes
a comprehensive approach to its statutory mission and has worked on a
wide range of initiatives to ensure that privacy policy concerns are
part of the necessary dialogue on the development and implementation of
homeland security programs. We have been fortunate that Congress has
provided funding to allow us to expand our staff of dedicated privacy
professionals whose credentials rival those of anyone in the government
or the private sector. And we are energized as we look ahead to some
future activities.
We recently completed a draft of a report on data mining, which is
required by the 2005 DHS Appropriations Act, and we expect to continue
our study of data mining programs at the Department in the coming year.
Data mining can be a useful and important tool in the war against
terrorism, and we are committed to ensuring that this technique is used
responsibly and appropriately at DHS.
We have already planned our next privacy workshop to focus on
Privacy Impact Assessments. This timely session will enable DHS program
officers to comply with the privacy requirements necessary for approval
of their funding requests. We are also finalizing arrangements for the
next DPIAC meeting, which will be held in California, and which will
focus on expectations of privacy in public spaces and the use of RFID
technology, two issues that have significant ramifications for
Departmental activities.
We plan to work closely with the OCIO to build privacy protections
into every system across DHS, and we intend to collaborate with the
Science and Technology Directorate to add privacy protections to the
approval process for new homeland security research initiatives.
Because they are our ``bread and butter'' issues, the DHS Privacy
Office will also continue to work to ensure that individual programs
sustain and enhance privacy protections through strict compliance with
the PIA and SORN requirements of federal law. We will continue to
refine our privacy guidance and enhance our privacy training
initiatives to foster a culture of privacy awareness within the agency.
We expect to complete development of a policy for the respectful
and appropriate use of commercial data for homeland security purposes.
And we anticipate that in the international arena, we will continue to
be an important voice for the development of privacy-appropriate cross-
border information sharing policies.
Thank you for the opportunity to share the accomplishments of the
DHS Privacy Office and to demonstrate, through this testimony, the
importance of privacy ``in the hands'' of the Department of Homeland
Security. We appreciate the support this Subcommittee has given to our
office and look forward to working with you on matters of mutual
interest and concern.
Mr. Cannon. Thank you, Ms. Cooney.
Ms. Horvath, you are recognized for 5 minutes.
TESTIMONY OF JANE C. HORVATH, CHIEF PRIVACY AND CIVIL LIBERTIES
OFFICER, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC
Ms. Horvath. Mr. Chairman and Members of the Subcommittee,
thank you for inviting me to testify regarding the Department
of Justice Privacy and Civil Liberties Office in connection
with the Committee's hearing.
I started as the Department of Justice's Chief Privacy and
Civil Liberties Officer on February 21, 2006. I am responsible
for Department-wide protection of privacy and civil liberties.
During my first 30 days at the Department of Justice, we
assessed the existing privacy and civil liberties functions at
the Department. I met with senior officials of the DOJ
components that had either privacy or civil liberties
responsibilities within the Department. At all of these
meetings, I was welcomed with enthusiasm. I received detailed
briefings regarding their privacy and civil liberties efforts.
From those meetings, we were able to determine priorities for
the Office of Privacy and Civil Liberties.
After meeting with the Chief Information Officer, we
decided to centralize the privacy impact assessment process. We
determined that the PIA process within the Department would be
much more effective if all the components were working from a
standard template with standard guidance. Utilizing some of the
aspects of the DHS model, we drafted official PIA guidance, a
privacy threshold analysis to determine whether a PIA is
required, and a new PIA template. Next month, we're going to
hold a 1-day training session on PIA preparation and Privacy
Act issues with members of the CIO staff and persons within the
components who are responsible for Privacy Act issues.
In furtherance of our civil liberties missions, we set up
and launched a DOJ Privacy and Civil Liberties Board on April
17, 2006. Representatives of the law enforcement, national
security, and other relevant components are represented on the
Board. We have subdivided the Board into three separate
committees: an Outreach Committee, focusing on outreach to the
Arab, Muslim, and other ethnic or religious minority
communities; a Data Committee, examining issues related to
information privacy within the Department; and a Law
Enforcement Committee, providing a forum for law enforcement to
discuss effort that might have an impact on civil liberties or
privacy.
Shortly after I arrived, we started to reach out to privacy
advocacy and public policy groups. We've met with
representatives from the ACLU, Center for Democracy and
Technology, Cato Institute, Heritage Foundation, the Center for
Information Policy Leadership at Hunton and Williams, and Peter
Swire, the former Chief Counselor for Privacy in the U.S.
Office of Management and Budget.
We've also been active in intergovernmental groups and
efforts. We believe that by working together as a group,
privacy officers within the Government can utilize each other's
collective experience.
Our office has also been active in advising the Department
of information-sharing initiatives. While information sharing
is an incredibly important initiative for our security, it also
involves important privacy and civil liberties issues. We are
pleased that the Administration and the Attorney General has
recognized the importance of addressing these issues at the
inception of information-sharing programs.
Since my arrival, I have co-chaired the President's
Information Sharing Environment Guideline 5 Working Group with
Alex Joel, the Director of National Intelligence Civil
Liberties Protection Officer. Guideline 5 of the December 16th
memorandum from President George W. Bush requires, in relevant
part, that the Attorney General and the Director of National
Intelligence develop guidelines designed to be implemented by
executive departments and agencies to ensure that the
information privacy and other legal rights of Americans are
protected in the development and use of the ISE, including in
the acquisition, access, use, and storage of personally
identifiable information. We also look forward to working with
the President's Privacy and Civil Liberties Oversight Board on
the guidelines.
The Privacy and Civil Liberties Office also oversees the
Department's compliance with the Privacy Act of 1974 and plays
an active role in ensuring that the Department's law
enforcement, litigation, and anti-terrorism missions are
carried out in accordance with its provisions. We also provide
Privacy Act guidance within the Department, both in response to
specific inquiries raised by the components and through
training programs.
Although I have only been at DOJ a short while, my arrival
has been greeted with enthusiasm. We have been consulted on
numerous initiatives. In the coming year, we hope to launch new
efforts, such as more extensive privacy and civil liberties
training, that will further the office's mission of protecting
the privacy and civil liberties of those who interact with the
Department of Justice.
Thank you for the opportunity to speak today.
[The prepared statement of Ms. Horvath follows:]
Prepared Statement of Jane C. Horvath
Mr. Cannon. Thank you, Ms. Horvath.
Professor Katzen?
TESTIMONY OF SALLY KATZEN, PROFESSOR, GEORGE MASON UNIVERSITY
LAW SCHOOL, ARLINGTON, VA
Ms. Katzen. Thank you, Mr. Chairman, Ranking Member Watt,
other Members of the Committee. I appreciate the invitation for
me to testify today, as I did several years ago, about
Government policies and practices that implicate privacy.
As the Chairman noted, privacy is one of the hallmarks of
our country--cherished, protected, defended throughout our
history. Since September 11, 2001, the debate has changed
somewhat as the commitment to privacy has often been spoken in
the context of national security and the need for combating
terrorism. But protecting our privacy and protecting our Nation
are not mutually exclusive goals, and our challenge is to
protect and defend our country in a way that promotes our core
values.
Now, I belabor this point because in the 2 years since I
appeared before this Committee, the concern for privacy and
what many Americans believe to be invasions of their privacy by
the Government has increased rather than decreased. More
articles about privacy policies and practices appear more
frequently in the press. There are more stories on radio and
television, and there is significantly more attention paid to
privacy on the Internet than ever before. The time devoted over
the last several weeks or months in public discourse to the
warrantless wiretaps by the National Security Agency and the
decision of some common carriers to release to the Government
information about calls made by millions of Americans is a
clear indication of Americans' commitment to and concern about
privacy.
Given the importance of privacy and its persistence in the
national debate, it's somewhat surprising that this
Administration has seemed so reluctant to take even minimal
steps to address these concerns. For example, one of the
subjects of today's hearing is the Privacy Officer at DHS. When
I last testified, I spoke in highly favorable terms of the
appointment of Ms. Kelly as the first statutorily required
privacy official at DHS. I stressed both the beneficial
attention that was being paid to privacy concerns and the fact
that having a privacy officer at DHS in no way diminished the
capacity of the Department to pursue its mission.
Ms. Kelly resigned from DHS last September, and with
respect to Ms. Cooney, we have in place an Acting Privacy
Officer. The job is hard enough. To be heard in policy decision
meetings, to be listened to when red flags are raised about a
proposal's privacy implications, to be supported when a hand
goes up and says, ``Maybe we should reconsider, maybe we should
do it differently,'' that job is not easy even for a tenured
employee. It is so much harder for an acting.
There may well be legitimate reasons that there has been a
delay in finding and installing Ms. Kelly's replacement, but
the unexpected and unexplained delay raises unfortunate
questions. Is it a lack of interest? Is it a lack of support by
the Secretary of DHS or by the White House?
In the same vein, I would mention that it has taken a very
long time for the White House to nominate and have the Senate
confirm the members of the Privacy and Civil Liberties Board
which Ms. Horvath spoke about. That, too, was set up by an Act
of Congress which was responding to legitimate questions and
concerns about Government policies.
In light of these examples, I would call for more oversight
by Congress and, equally more important, more legislation
concerning and empowering officials in the Government. In my
written testimony, I remind the Committee that I had urged that
there be statutory privacy officers at all major departments. I
am pleased that the Department of Justice now has one. I hope
that you will work with other Members of Congress and other
Committees to expand that base. And without being too pushy, I
would again renew my suggestion that the Committee support
establishing at OMB a statutory office headed by a Chief
Counselor for Privacy. Such an office was created and staffed
during the Clinton administration, and it served us well. The
current Administration chose not to fill that position when
they took office or since. As a result, there is no senior
official in the Executive Office of the President who has
privacy in his or her title or who is charged with oversight of
Federal privacy policies. Yet it's so much better to have
privacy considered at the outset rather than after the plans
are implemented and the stories appear on the front pages.
My time is running. I have comments about the markup.
Otherwise, I think it's a great bill in many respects. I
support the concept. And maybe during the questions and answers
I could speak to that.
I want to thank you again for asking me to participate.
[The prepared statement of Ms. Katzen follows:]
Prepared Statement of Sally Katzen
Mr. Chairman and other Members of the Committee. Thank you for
inviting me to testify today on a subject--``Privacy in the Hands of
the Government''--that is exceedingly important to the American public
and on which this Committee has commendably been actively engaged.
This hearing is a follow on to one at which I testified on February
10, 2004. With the permission of the Committee, I would request that
the written testimony that I prepared then be appended to my submission
for this hearing; much of the background and analysis presented in that
document remain pertinent today and incorporating it by reference will
enable me to better focus on more recent developments.
I have been involved in privacy policy and practices for well over
a decade, having served as the Administrator of the Office of
Information and Regulatory Affairs (OIRA) in the Office of Management
and Budget (OMB) from 1993 to 1998 and as the Chair of the Information
Policy Committee of the National Information Infrastructure Task Force,
which produced, among other things, a revision of the 1973 Code of Fair
Information Practices, entitled ``Principles for Providing and Using
Personal Information.'' During my later tenure as Deputy Director of
the National Economic Council and then as Deputy Director for
Management at OMB, I was involved in a series of privacy issues, any my
interest in the subject has continued during my years in academics.
My earlier testimony spoke to the importance of privacy in our
history and culture, and why I believe that privacy is one of the
hallmarks of America--cherished, protected and defended throughout our
country and throughout the years.
The arrival of the Information Age raised privacy concerns to a new
level, although after September 11, 2001, this was tempered by a clear
recognition of the importance of security and the need for combating
terrorism. But protecting our privacy and protecting our nation are not
mutually exclusive goals. Rather, the challenge for all of us is to
protect and defend our country in a way that preserves and promotes our
core values.
I belabor this point because in the two years since I appeared
before this Committee, the concern for privacy (and what many Americans
believe to be invasions of their privacy) has increased rather than
decreased. More articles about privacy policies and practices appear
more frequently in the press, there are more stories on the radio and
television, and there is significantly more attention paid to privacy
on the Internet than ever before. The time devoted over the last
several weeks/months in public discourse to the warrantless wiretaps by
the National Security Agency and the decision of some common carriers
to release to the government information about calls made by millions
of Americans is a clear indication of Americans' continued commitment
to, and concern about, privacy.
Given the importance of privacy and its persistence in the national
debate, it is somewhat surprising that this Administration has seemed
to be so reluctant to take even minimal steps to address these
concerns. For example, when I last testified, I spoke of the generally
highly favorable reactions to the tenure of Nuala O'Connor Kelly as the
first statutorily required privacy official at the Department of
Homeland Security (DHS). I stressed both the beneficial attention that
was paid to privacy concerns and the fact that having a privacy officer
at DHS in no way diminished the capacity of the Department to pursue
its mission. Ms. Kelly resigned from DHS many months ago, and
regrettably there is only an Acting privacy officer in place. Is it a
lack of interest or a lack of support for the position by the current
Secretary of DHS? Or by the White House? There may well be legitimate
problems in finding and installing Ms. Kelly's replacement, but the
unexplained delay sends a very bad signal to those who follow these
developments as an indication of the Administration's commitment to
privacy. In that same vein, it is worth noting that it took the longest
time for the White House to nominate and have the Senate confirm the
members of the Privacy and Civil Liberties Board, which is a committee
established by another act of Congress designed to respond to what were
perceived as legitimate questions and concerns about government
policies with respect to privacy.
In light of these examples, I would call for more oversight by the
Congress and, equally important, more legislation creating and
empowering officials in the government with responsibility for privacy
policy. I had urged in my earlier testimony that the Committee consider
expanding the number of statutory privacy offices from one to 24,
covering all major Departments (the so-called Chief Financial Officers
Act agencies) or at least a handful of critical agencies, including the
Department of Justice, the Department of the Treasury (and the Internal
Revenue Service), the Department of Defense and the Veterans
Administration, the Social Security Administration, and the Department
of Health and Human Services. I was pleased when Congress enacted
legislation establishing a privacy officer at the Department of
Justice. With respect, I would again urge this Committee to work with
others in the Congress to expand on this base. OMB guidance from two
administrations (issued first during the Clinton Administration and
repeated several years ago by the Bush Administration) has called for
the creation of such offices in Executive Branch agencies. The
imprimatur of Congress would enhance the influence and respect that
these officers have within their Departments. Equally important, by
establishing statutory privacy offices, the Congress would be able to
engage in systematic oversight of the attention paid to this important
value in the federal government.
I would also renew my suggestion that Congress establish at OMB a
statutory office headed by a Chief Counselor for Privacy. Such an
office was created and staffed during the Clinton Administration, and
it served us well. The current Administration chose not to fill the
position when they took office or since. As a result, there is no
senior official in the Executive Office of the President who has
``privacy'' in his/her title or who is charged with oversight of
federal privacy practices, monitoring of interagency processes where
privacy is implicated, or developing national privacy polices. Yet it
is so much better to have privacy implications considered beforehand--
in the formulation of program or projects--rather than after the plans
are implemented and the stories about them begin to appear on the front
pages of the national newspapers. And apart from damage control, having
someone on the ``inside'' addressing these issues may provide some
brakes on the runaway train of surveillance.
Finally, I understand that after this hearing, the Committee will
move to mark up H.R. 2840, the ``Federal Agency Protection of Privacy
Act of 2005.'' That bill reflects a commendable desire to ensure that
privacy impact statements are prepared by federal agencies as they
develop regulations that involve the collection of personal
information. Several thoughts occurred to me as I was rereading the
text for today's hearing.
First, Subsection (c) provides that an agency head may waive the
requirements for a privacy impact statement ``for national security
reasons, or to protect from disclosure classified information,
confidential commercial information, or information the disclosure of
which may adversely affect a law enforcement effort . . .'' Apart from
the fact that the basis for a waiver goes well beyond national
security, I recalled that there is a similar provision in the E-
Government Act of 2002, which requires a privacy impact assessment for
new federal government computer systems, but instead of giving an
essentially free pass for national security concerns, Section 208 (b)
(1) (D) of that Act requires the agency to provide the privacy impact
assessment to the Director of OMB. I would recommend that such a
provision be included in H.R. 2840 and, in addition, that the bill
provide that a copy of the analysis be sent to the Congressional
Intelligence Committees in the case of national security waivers and
the Congressional Judiciary Committees in the case of law enforcement
related waivers. In that way, there could be government-wide Executive
Branch oversight and, equally important, Congressional oversight over
agency decision-making in this area.
Second, the provisions of H.R. 2840 requiring an agency to prepare
a plan for, and carry out, a periodic review of existing regulations
that have a significant privacy impact on individuals or a privacy
impact on a significant number of individuals are quire detailed and
quite prescriptive. Rather than specifying all of the factors to be
considered, and the timetable and procedures for each element of the
review, it might be preferable to set forth un the bill the objectives
of a periodic review and task OMB with providing guidance for the
agencies as to how they should proceed. In this way, the terms are not
cast in concrete but can be more readily adjusted as changes occur,
either with respect to content or with respect to technology.
With those modest suggestions, I would endorse the bill and once
again commend this Committee for its effective and persistent
leadership on these very important issues.
Again, thank you for inviting me to testify today. I would be
pleased to elaborate on these comments or answer any questions that you
may have.
__________
ATTACHMENT
Prepared Statement of Sally Katzen before the Committee on the
Judiciary, Subcommittee on Commercial and Administrative Law, on
February 10, 2004 on ``Privacy in the Hands of the Government: The
Privacy Officer for the Department of Homeland Security''
Thank you for inviting me to testify today on a vitally important
subject--``Privacy in the Hands of the Government.'' This Committee is
to be congratulated, not only for its leadership in creating a
statutory Privacy Officer in the Department of Homeland Security (DHS),
but also for being vigilant in its oversight of that office.
I am currently a Visiting Professor at the University of Michigan
Law School, where one of my courses is a seminar on ``Technology Policy
in the Information Age''--a significant portion of which is devoted to
examining both the government and the private sector's privacy policies
and practices. I have been involved in privacy policy for over a
decade. In early 1993, I began serving as the Administrator of the
Office of Information and Regulatory Affairs (OIRA) in the Office of
Management and Budget (OMB); the ``I'' in OIRA signaled that I was, in
effect, the chief information policy official for the federal
government. Among other responsibilities, my office was charged with
developing federal privacy policies, including implementation of the
1974 Privacy Act. Later in 1993, I was asked to chair the Information
Policy Committee of the National Information Infrastructure Task Force,
which had been convened by the Vice President and chaired by then
Secretary of Commerce Ronald Brown. One of the first deliverables we
produced was from my committee's Privacy Working Group--a revision of
the 1973 Code of Fair Information Practices, entitled ``Principles for
Providing and Using Personal Information.'' During President Clinton's
second term, I worked with the Vice President's Domestic Policy Advisor
to create a highly visible and effective office for privacy advocacy in
OMB; we selected Peter Swire to head that office and be the first Chief
Counselor for Privacy, and I worked closely with him when I served as
Deputy Director for Management at OMB during the last two years of the
Clinton Administration. Since leaving government, I have, as indicated
earlier, been teaching both at the graduate and undergraduate level.
Given the Committee's extensive work in this area, it is not
necessary to speak at length on the importance of privacy in the
history and culture of our country. Nonetheless, to provide context for
the comments that follow, I want to be clear that, from my perspective,
privacy is one of the core values of what we are as Americans. Whether
you trace its roots from the first settlers and the ``frontier''
mentality of the early pioneers, or from the legal doctrines that
flowed from Justice Brandeis' oft-quoted recognition in the late 19th
century of ``the right to be let alone,'' privacy has been one of the
hallmarks of America--cherished, prized, protected and defended
throughout our country and throughout our history.
The ``Information Age'' has brought new opportunities to benefit
from the free flow of information, but at the same time it has also
raised privacy concerns to a new level. Computers and networks can
assemble, organize and analyze data from disparate sources at a speed
(and with an accuracy) that was unimaginable only a few decades ago.
And as the capacity--of both the government and the private sector--to
obtain and mine data has increased, Americans have felt more
threatened--indeed, alarmed--at the potential for invasion (and
exploitation) of their privacy.
Before September 11, 2001, privacy concerns polled off the charts.
Since then, there has been a recognition of the importance of security
and the need for combating terrorism. But, as the Pew Internet surveys
(and others) have found, Americans' commitment to privacy has not
diminished, and some would argue (with much force) that if, in
protecting our nation, we are not able to preserve a free and open
society for our public lives, with commensurate respect for the privacy
of our private lives, then the terrorists will have won. For that
reason, it was both necessary and desirable in creating a Department of
Homeland Security to statutorily require the Secretary to appoint a
senior official with primary responsibility for privacy policy. Ms.
Kelly was selected for that position and took office about six months
ago.
We thus have some--albeit limited--operational experience with the
statutory scheme, and it is therefore timely to see what we have
learned and what more could (and should) be done by this Committee to
be responsive to privacy concerns.
I would draw two lessons from Ms. Kelly's tenure to date at DHS.
First, the existence of a Privacy Officer at DHS, especially
someone who comes to the position with extensive knowledge of the
issues and practical experience with the federal government, is highly
beneficial. We know that some attention is now being paid to privacy
concerns and that steps are being taken to advance this important value
that might otherwise not have occurred.
Consider the CAPPS II project, in which Ms. Kelly has recently been
involved. She inherited a Privacy Act Notice issued last winter that
was dreadful. She produced a Second Privacy Act Notice that reflected
much more careful thought about citizens' rights and provided more
transparency about the process. Regrettably, there was some
backsliding: the initial concept was that the information would be used
only to combat terrorism, whereas the second Notice indicated that the
information would be used not only for terrorism but also for any
violation of criminal or immigration law. Also, the document was vague
(at best) on an individual's ability to access the data and to have
corrections made. And there was more that should have been said about
the manner in which the information is processed through the various
data bases. But there is no question that the Second Notice was greatly
improved from the first.
Ms. Kelly was also involved with the US VISIT program, where she
produced a Privacy Impact Analysis (PIA). Some had argued that a PIA
was not required because the program did not directly affect American
citizens or permanent residents. Nonetheless, to her credit, she
prepared and issued a PIA that was quite thoughtful and was well
received. Whether one agrees or disagrees with the underlying program,
at least we know that someone was engaged in the issues that deserve
attention and the product of that effort was released to the public.
As someone outside the government, it is hard to know how
influential Ms. Kelly will be if--and it inevitably will happen--there
is a direct conflict between what a program office within DHS wants to
do and what the Privacy Officer would counsel against for privacy
reasons. Effectiveness in this type of position depends on autonomy and
authority--that is, on the aggressiveness of the office holder to call
attention to potential problems and on support from the top. We may
take some comfort from Secretary Ridge's comments; he has said all the
right things about supporting the Privacy Officer. But we cannot now
know what will happen when the ``rubber meets the road.''
This Committee, however, can further empower the Privacy Officer,
and lay the foundation for remedying any problems that may arise, by
maintaining its oversight and inquiring pointedly into how the
Department operates. For example, Ms. Kelly (and Secretary Ridge)
should be asked at what stage she is alerted to or brought into new
initiatives; what avenues are open for her to raise any questions or
concerns; and whether the Secretary will be personally involved in
resolving any dispute in which she is involved. The timing of the
release of the PIA for the US VISIT program suggests that Ms. Kelly may
not always be consulted on a timely basis. As I read the E-Government
Act of 2002, an agency is to issue a PIA before it develops or procures
information technology that collects, maintains or disseminates
information that is in an identifiable form. In this instance, the PIA
was released much further down the road, when the program was about to
go on line. Anything that helps the Privacy Officer become involved in
new initiatives at the outset, before there is substantial staff (let
alone money) invested in a project, would be highly salutary.
The second lesson that I take from the experience to date with the
Privacy Officer at DHS is that there has been no diminution in the
capacity of the Department to pursue its mission. Or as a political wag
would say, the existence of a Privacy Officer in DHS has not caused the
collapse of western civilization as we know it. This is wholly
consistent with what most Americans think--that national security and
privacy are compatible and are not intrinsically mutually exclusive.
The fact that there is no evidence that the existence, or any
activity, of the Privacy Officer has caused DHS to falter leads me to
suggest that the Committee consider expanding the number of statutory
privacy offices from one to 24, covering all major Departments (the so-
called Chief Financial Officers Act agencies) or at least a handful of
critical agencies. Imagine the salutary effect that a statutory privacy
office could have at the Department of Justice, the Department of the
Treasury (and the Internal Revenue Service), the Department of Defense
and the Veterans Administration, the Social Security Administration,
and the Department of Health and Human Services. All of these agencies
already have some form of privacy office in place, although many simply
process Privacy Act complaints, requests, notices, etc. and do not
involve themselves in the privacy implications of activities undertaken
by their agencies. It is significant, I believe, that OMB guidance from
two administrations (issued first during the Clinton Administration and
repeated recently by the Bush Administration) has called for the
creation of such offices in Executive Branch agencies. With the
imprimatur of Congress, these offices can achieve the status (and
increased influence) and gain the respect that the Privacy Officer has
enjoyed at DHS. Equally important, by establishing statutory privacy
offices, the Congress will be able to engage in systematic oversight of
the attention paid to this important value in the federal government--
something which has not occurred before this hearing today.
I hope I do not seem presumptuous to suggest--indeed, strongly
urge--one further step: establishing at OMB a statutory office headed
by a Chief Counselor for Privacy. As noted above, we had created such a
position during the Clinton Administration, and it served us well.
Peter Swire, the person we selected to head that office, was able to
bring his knowledge, insights, and sensitivity to privacy concerns to a
wide range of subjects. In his two years as Chief Counselor, he worked
on a number of difficult issues, including privacy policies (and the
role of cookies) on government websites, encryption, medical records
privacy regulations, use and abuse of social security numbers, and
genetic discrimination in federal hiring and promotion decisions, to
name just some of the subjects that came from various federal agencies.
He was also instrumental in helping us formulate national privacy
policies that arose in connection with such matters as the financial
modernization bill, proposed legislation to regulate internet privacy,
and the European Union's Data Protection Directive.
I believe it is unfortunate that the current Administration has
chosen not to fill that position. As a result, there is no senior
official in the Executive Office of the President who has ``privacy''
in his/her title or who is charged with oversight of federal privacy
practices, monitoring of interagency processes where privacy is
implicated, or developing national privacy polices. Perhaps it was the
absence of such a person that led to the Bush Administration's initial
lack of support for the designation of a Privacy Officer at the
Department of Homeland Security. Perhaps if someone had been appointed
to that position, the Administration would not have appeared to be so
tone deaf to privacy concerns in connection with the Patriot Act or any
number of law enforcement issues that have made headlines over the past
several years. An ``insider'' can provide both institutional memory and
sensitivity to counterbalance the unfortunate tendency of some within
the government to surveil first and think later. At the least, the
appointment of a highly qualified privacy guru at OMB would mean that
someone in a senior position, with visibility, would be thinking about
these issues before--rather than after--policies are announced.
Finally, I understand that after this Hearing, the Committee will
move to mark up H.R. 338, ``The Defense of Privacy Act.'' That bill
reflects a commendable desire to ensure that privacy impact statements
are prepared by federal agencies as they develop regulations which may
have a significant privacy impact on an individual or have a privacy
impact on a substantial number of individuals. I was struck in
reviewing the E-Government Act of 2002 for this testimony that it
requires an agency to prepare a PIA not only before it develops or
procures information technology that implicates privacy concerns, but
also before the agency initiates a new collection of information that
will use information technology to collect, maintain or disseminate any
information in an identifiable form. This law has gone into effect, OMB
has already issued guidance on how to prepare the requisite PIAs, and
the agencies are learning how to prepare these PIAs using that model.
Rather than impose another regime on agencies when they are developing
regulations (which are frequently the basis for the information
collection requests referenced in the E-Government Act of 2002), it
might be preferable to amend the E-Government Act to expand its
requirements to apply to regulations that implicate privacy concerns.
That approach would have the added benefit of eliminating the
inevitable debate over the judicial review provisions of H.R. 338,
which go significantly beyond the judicial review provisions of any of
the comparable acts (e.g., Reg.Flex., NEPA, Unfunded Mandates, etc.).
Lastly, if you were to amend the E-Government Act to include privacy-
related regulations, you might also consider including privacy-related
legislative proposals from the Administration. As you know, Executive
Branch proposals for legislation are reviewed by OMB before they are
submitted to the Congress. If there were a Chief Counselor for Privacy
at OMB, s/he would be able to provide input for the benefit of the
Administration, the Congress and the American people.
Again, thank you for inviting me to testify today. This Committee
has been an effective leader on privacy issues, and it is encouraging
that you are continuing the effort. I would be pleased to elaborate on
these comments or answer any questions that you may have.
Mr. Cannon. Thank you, Professor.
Ms. Koontz?
TESTIMONY OF LINDA KOONTZ, DIRECTOR, INFORMATION MANAGEMENT
ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE, WASHINGTON, DC
Ms. Koontz. Mr. Chairman and Members of the Subcommittee, I
appreciate the opportunity to be here today to discuss key
challenges facing Federal privacy officers. As you know,
advances in information technology make it easier than ever for
the Federal Government to acquire data on individuals, analyze
it for a variety of purposes, and share it with other
governmental and nongovernmental entities. Further, the demands
of the war on terror put additional pressure on agencies to
extract as much value as possible from the information
available to them, adding to the potential for compromising
privacy.
This is the context in which agencies must carry out their
critical responsibilities for protecting the privacy rights of
individuals in accordance with current law. To do so, many
agencies have designated privacy officers to act as focal
points. Recently, these positions have gained greater
prominence. In response to rising concerns about privacy rights
in our electronic age, both legislation and guidance have
directed agencies to establish chief privacy officers or to
ensure that a senior official takes overall responsibility for
information privacy.
Privacy issues have also been at the heart of several
studies that the Congress has asked us to perform over the past
few years. Our results highlight some of the challenges faced
by agencies and privacy officials.
First, compliance with current law has posed challenges. In
2003, we reported that agency compliance with the requirements
of the Privacy Act was uneven. Agencies reviewed generally did
well with certain aspects of the requirements, such as issuing
public notices about systems containing personal information.
However, they did less well at others, such as ensuring that
information was complete, accurate, relevant, and timely before
it was disclosed to a non-Federal organization.
Agency officials told us that they needed more leadership
and guidance from the Office of Management and Budget to help
them with implementation in a rapidly changing environment.
Similarly, agencies have not always complied with the E-
Government Act requirement that agencies perform privacy impact
assessments, or PIAs, on certain systems containing personal
information. Such assessments are important to ensure that
information is handled in a way that protects privacy.
Although we have not yet done a comprehensive assessment of
agencies' implementation of PIAs, we did determine in recent
work on commercial data resellers that many agencies did not
perform PIAs on systems that used reseller information because
they believe that a PIA was not required.
Privacy officers also face the challenge of ensuring that
privacy protections are not compromised by advances in
technology. For example, Federal agencies are increasingly
using data mining, that is, analyzing large amounts of data to
uncover hidden patterns. Initially, this tool was used mostly
to detect financial fraud and abuse, but its use has expanded
to include purposes such as detecting terrorist threats.
In 2005, in a review of five different data-mining efforts
at selected agencies, we reported that these agencies did take
many of the steps needed to protect privacy. However, none
followed all key procedures. For instance, although they did
issue public notices, these notices did not always describe the
intended uses of personal information as required.
Another new technology presenting privacy challenges is
radio frequency identification, or RFID. This technology uses
wireless communications to transmit data and electronically
track and store information on tags attached to or embedded in
objects. As we reported in 2005, Federal agencies use or
propose to use RFID for physical access controls and to track
access. For example, DOD uses it to track shipments. Although
this kind of inventory control application is not likely to
generate privacy concerns, RFID use could raise issues if, for
example, people were not aware that the technology is being
used and that it could be embedded in items they are carrying
and be used to track them.
Agency privacy offices will play a key role in addressing
the challenges I have described. They will be instrumental in
ensuring that agencies comply with legislative requirements and
in ensuring that privacy is fully addressed in agency
approaches to new technologies. In addition, chief privacy
officers are in a position to work with OMB and other agencies
to identify ambiguities and clarify the applicability of
privacy requirements. Not least, they can work to increase
agency awareness and raise the priority of privacy issues.
That concludes my statement. I would be happy to answer
questions at the appropriate time.
[The prepared statement of Ms. Koontz follows:]
Prepared Statement of Linda D. Koontz
Mr. Cannon. Thank you, Ms. Koontz.
I just need to point out that we just had a panel of four
participants who all finished within seconds of the 5 minutes.
I have never seen that before in my life. Obviously, we have
some well-experienced panelists.
We have a significant problem here. We are going to try and
mark this bill up today, and we have six votes probably between
2:45 and 3:15. And so--yeah, we'll have six votes, so that
means that--let me just suggest that I'm not going to ask
questions, and all the Members of the panel can ask written
questions.
Professor, I suspect you have your comments already
written, and if you could submit those. You suggested you had
more that you wanted to say. Do you have that in written form
already?
Ms. Katzen. Yes, Mr. Chairman. My written testimony
includes two modest suggestions, one of which relates to the
national security issue, and I think it is important.
Mr. Cannon. Thank you. And if any of the panelists have
other things you would like to make part of the record, we'll
leave the record open for 5 days.
So I ask unanimous consent that the Members of the panel--
that we limit questioning to 3 minutes for the panel. Hearing
no objection, so ordered.
Mr. Watt. That is per Member?
Mr. Cannon. That is per Member, yes. Pardon me. Hearing no
objection, but with that clarification, so ordered. And we'll
keep the legislative record open for 5 days for questions.
Without objection, so ordered.
Thank you, and, Mr. Watt, you are recognized for 5 minutes.
Mr. Watt. For 3 minutes--3 minutes, I presume. Thank you,
sir.
Since we're going on to the markup of H.R. 2840 and all of
the witnesses heard my opening comments, I guess the most
appropriate question I could ask in my short period of time is
to Ms. Cooney and Ms. Horvath, since you all are here
representing the Administration, or at least your respective
Departments.
Do you have a clue whether the Administration really
supports and wants this bill? Because they haven't done
anything to try to get it passed that I'm aware of on the
Senate side, and we're engaging in a futile gesture here
passing it out of here without the Administration injecting
itself and saying it wants it.
So does either of you know whether the Administration
really wants this bill?
Ms. Cooney. Mr. Watt, I'd be happy to answer. I don't know
of a formal position that the Administration has taken on this
bill. I'm not aware of one. I think in our last appearance I
did mention that under section 222 we have very similar
requirements at DHS to do PIAs on rulemakings, and we've been
able to tackle that effort and can improve on it as we----
Mr. Watt. But this is a systemwide, governmentwide bill,
not a DHS bill. So I guess the question I'm asking is: Is the
Administration committed to having this done systemwide, or are
they not? If you don't know, I mean, just say you don't know.
Ms. Cooney. I know of no formal position on it.
Mr. Watt. Okay. I assume you don't know either, Ms. Koontz.
You're not here--you're kind of in a different position with
respect to the Administration. I understand that. Have you
heard anything through the grapevine about whether the
Administration wants it, Professor Katzen?
Ms. Katzen. No.
Mr. Watt. Okay. All right. I just keep pointing out that,
you know, we've marked this bill up several times. It's gone.
The Chairman indicated it went out of the House. Without the
Administration doing something to lift a finger to get it, it
ain't going to happen. So we might be back here again next term
of Congress doing the same thing.
I yield back.
Mr. Cannon. Thank you.
I think Mr. Franks--the gentleman is recognized for 3
minutes.
Mr. Franks. Mr. Chairman, I have no questions at this time.
Mr. Cannon. Thank you, Mr. Franks. We appreciate that
candor and directness, and I think--the gentleman from
Massachusetts, Mr. Delahunt, is recognized for 3 minutes.
Mr. Delahunt. Yes, thank you, Mr. Chairman. I'm going to
make an effort to answer Mr. Watt's question. I think it's
clear to me that the Administration--this is not a priority, I
think it's fair to say, for the Administration. Otherwise, this
bill would have been enacted into law last year. And I think
it's time, particularly given the context of recent revelations
concerning the NSA in particular that the Administration weigh
in in a very significant way. If this bill is to pass, the
Administration has to make it a priority. And I don't think any
of us--and I think I speak for all of us on this panel right
now--have not seen evidence of the Administration making it the
kind of priority that I think it deserves.
As my colleagues would remember, myself and Mr. Berman had
an amendment to the PATRIOT Act involving data mining, and
there was great resistance from the Department of Justice
regarding that particular amendment, which I believed to be
somewhat innocuous. Well, now I understand better, after
reading the USA Today and other revelations that occurred prior
to that why there would be such resistance. This is simply an
opportunity for the American people to find out what their
Government was doing.
I have to agree with you, Professor Katzen. You know, when
there's a lack of privacy afforded the individual citizen,
we're on our way to eroding democracy and living I a
totalitarian society. It's absolutely essential that this bill
becomes a priority.
Mr. Cannon. Would the gentleman yield?
Mr. Delahunt. I yield.
Mr. Cannon. Because I agree with the gentleman. Let me just
point out that it is our obligation as the Legislature to set
the limits and set the priorities here, and we have to do that
as Republicans and Democrats and as the House and the Senate.
That's sometimes hard. This Administration--no Administration
is going to focus on these issues like we do because our
perspective is different, and so I pledge to the gentleman that
we will----
Mr. Delahunt. I appreciate that, and I would even request--
the flip side, Mr. Chairman, is the lack of transparency,
secrecy, if you will, that I would suggest has been an earmark
of this Administration. We've had the National Archivist, Mr.
Leonard, complain about the ubiquitous classification of public
documents that is going on. And I would hope that you would
consider having a hearing into that particular issue. I think
that is something that is warranted, particularly given----
Mr. Cannon. I'd be happy to speak with the gentleman, whose
time has expired.
May I ask unanimous consent that we not continue with
questions, since we just had a vote called, and that we move
over to the markup of this bill? Thank you.
[Whereupon, at 2:48 p.m., the Subcommittee proceeded to
other business.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
Response to Post-Hearing Questions from Maureen Cooney, Acting Chief
Privacy Officer, U.S. Department of Homeland Security, Washington, DC
Response to Post-Hearing Questions from Sally Katzen, Professor, George
Mason University Law School, Arlington, VA
Response to Post-Hearing Questions from Linda D. Koontz, Director,
Information Management Issues, U.S. Government Accountability Office,
Washington, DC