[Senate Hearing 113-781] [From the U.S. Government Publishing Office] S. Hrg. 113-781 THE LOCATION PRIVACY PROTECTION ACT OF 2014 ======================================================================= HEARING before the SUBCOMMITTEE ON PRIVACY, TECHNOLOGY AND THE LAW of the COMMITTEE ON THE JUDICIARY UNITED STATES SENATE ONE HUNDRED THIRTEENTH CONGRESS SECOND SESSION __________ JUNE 4, 2014 __________ Serial No. J-113-63 __________ Printed for the use of the Committee on the Judiciary [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] U.S. GOVERNMENT PUBLISHING OFFICE 97-739 PDF WASHINGTON : 2016 _________________________________________________________________________________ For sale by the Superintendent of Documents, U.S. Government Publishing Office, Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800 Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001 COMMITTEE ON THE JUDICIARY PATRICK J. LEAHY, Vermont, Chairman DIANNE FEINSTEIN, California CHUCK GRASSLEY, Iowa, Ranking CHUCK SCHUMER, New York Member DICK DURBIN, Illinois ORRIN G. HATCH, Utah SHELDON WHITEHOUSE, Rhode Island JEFF SESSIONS, Alabama AMY KLOBUCHAR, Minnesota LINDSEY GRAHAM, South Carolina AL FRANKEN, Minnesota JOHN CORNYN, Texas CHRISTOPHER A. COONS, Delaware MICHAEL S. LEE, Utah RICHARD BLUMENTHAL, Connecticut TED CRUZ, Texas MAZIE HIRONO, Hawaii JEFF FLAKE, Arizona Kristine Lucius, Chief Counsel and Staff Director Kolan Davis, Republican Chief Counsel and Staff Director ------ Subcommittee on Privacy, Technology and the Law AL FRANKEN, Minnesota, Chairman DIANNE FEINSTEIN, California JEFF FLAKE, Arizona, Ranking CHUCK SCHUMER, New York Member SHELDON WHITEHOUSE, Rhode Island ORRIN G. HATCH, Utah CHRISTOPHER A. COONS, Delaware MICHAEL S. LEE, Utah MAZIE HIRONO, Hawaii JOHN CORNYN, Texas LINDSEY GRAHAM, South Carolina Alvaro Bedoya, Democratic Chief Counsel Elizabeth Taylor, Republican Chief Counsel (II) C O N T E N T S ---------- JUNE 4, 2014, 2:35 P.M. STATEMENTS OF COMMITTEE MEMBERS Page Flake, Hon. Jeff, a U.S. Senator from the State of Arizona....... 4 Franken, Hon. Al, a U.S. Senator from the State of Minnesota..... 1 prepared statement........................................... 142 Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont, prepared statement........................................... 141 WITNESSES Witness List..................................................... 37 Atkinson, Robert D., Ph.D., President, The Information Technology and Innovation Foundation, Washington, D.C......................... 22 prepared statement........................................... 115 Goldstein, Mark L., Director, Physical Infrastructure Issues, U.S. Government Accountability Office, Washington, D.C......... 8 prepared statement........................................... 60 Greenberg, Sally, Executive Director, National Consumers League, Washington, D.C................................................ 21 prepared statement........................................... 99 Hanson, Bea, Principal Deputy Director, Office on Violence Against Women, U.S. Department of Justice, Washington, D.C..... 5 prepared statement........................................... 39 Hill, Brian, Detective, Criminal Investigations Division, Anoka County Sheriff's Office, Andover, Minnesota........................... 16 prepared statement........................................... 79 Mastria, Luigi, Executive Director, Digital Advertising Alliance, Washington, D.C................................................ 19 prepared statement........................................... 84 Rich, Jessica, Director, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C.................................... 7 prepared statement........................................... 46 Southworth, Cindy, Vice President, Development and Innovation, and Founder, Safety Net Technology Project, National Network to End Domestic Violence, Washington, D.C............................. 24 prepared statement........................................... 122 QUESTIONS Questions submitted to Robert D. Atkinson by Senator Flake....... 145 Questions submitted to Mark L. Goldstein by Senator Franken...... 147 Questions submitted to Luigi Mastria by Senator Flake............ 146 Questions submitted to Jessica Rich by Senator Franken........... 148 ANSWERS Responses of Robert D. Atkinson to questions submitted by Senator Flake.......................................................... 149 Responses of Mark L. Goldstein to questions submitted by Senator Franken........................................................ 157 Responses of Luigi Mastria to questions submitted by Senator Flake.......................................................... 151 Responses of Jessica Rich to questions submitted by Senator Franken........................................................ 155 MISCELLANEOUS SUBMISSIONS FOR THE RECORD Chamber of Commerce of the United States of America, R. Bruce Josten, Executive Vice President, Government Affairs, June 11, 2014, letter................................................... 160 Consumers Union, George Slover, Senior Policy Counsel, June 3, 2014, letter................................................... 162 IAB, Mike Zaneis, EVP and General Counsel, June 4, 2014, letter.. 163 MAPPS, John M. Palatiello, Executive Director, June 4, 2014, letter......................................................... 165 MCBW, Liz Richards, Executive Director, May 28, 2014, letter..... 169 National Center for Victims of Crime, Mai Fernandez, Executive Director, June 2, 2014, letter................................. 172 NRF, David French, Senior Vice President, Government Relations, June 4, 2014, letter........................................... 174 NWLC, Fatima Goss Graves, Vice President for Education and Employment, and Lara S. Kaufmann, Senior Counsel and Director of Education Policy for At-Risk Students, June 3, 2014, letter. 158 OTA, Craig Spiezle, Executive Director, June 2, 2014, letter..... 176 Stalking Case: Harry Hitzeman, Daily Herald, ``Kansas Man Convicted of Stalking, Choking Woman in Elgin,'' October 31, 2012, article.................................................. 177 Stalking Case: Justin Scheck, Wall Street Journal, ``Stalkers Exploit Cellphone GPS,'' August 3, 2010, article............... 178 Stalking Case: Dan Rozek, Sun-Times, ``Accused GPS-Stalker Tells Judge He Wants To Plead Guilty to Murder,'' July 18, 2011, article........................................................ 183 Stalking Case: Francie Grace, CBS News, ``Stalker Victims Should Check for GPS,'' February 6, 2003, news story.................. 184 THE LOCATION PRIVACY PROTECTION ACT OF 2014 ---------- WEDNESDAY, JUNE 4, 2014 United States Senate, Subcommittee on Privacy, Technology and the Law, Committee on the Judiciary, Washington, DC. The subcommittee met, pursuant to notice, at 2:35 p.m., in room SD-226, Dirksen Senate Office Building, Hon. Al Franken, Chairman of the Subcommittee, presiding. Present: Senators Franken, Blumenthal, and Flake. OPENING STATEMENT OF HON. AL FRANKEN, A U.S. SENATOR FROM THE STATE OF MINNESOTA Chairman Franken. This hearing will be called to order. Welcome to the Senate Judiciary Subcommittee on Privacy, Technology, and the Law. This is a hearing on my bill to protect sensitive location information, the Location Privacy Protection Act of 2014. Three years ago, I held a hearing to look at how our laws were protecting the location information generated by smartphones, cell phones, and tablets. The first group that I heard from was the Minnesota Coalition for Battered Women. They told me that across Minnesota victims were being followed through so-called stalking apps specifically designed to help stalkers secretly track their victims. I started investigating these stalking apps. Let me read you some of their websites. Here is one called SPYERA. It says: ``Most of the time if you think your spouse is being unfaithful, you are right.'' ``[SPYERA] will be your spy in their pocket.'' ``[Y]ou will need to sneak your spouse's phone and download it to their phone.'' ``After the software is downloaded, you will be able to see where they are geographically. If your husband is in two counties over from where you live, SPYERA will tell you that.'' And, of course, ``husband'' can mean ``wife'' or ``ex'' or whatever you want to put in there. Here is another. This is from FlexiSPY. ``FlexiSPY gives you total control of your partner's phone without them knowing it--See exactly where they are, or were, at any given date and time.'' Here is another quote that has since been taken down: ``Worried about your spouse cheating? Track EVERY text, EVERY call and EVERY move they make using our EASY Cell Phone Spy Software.'' These apps can be found online in minutes. And abusers find them and use them to stalk thousands of women around the country. The Minnesota Coalition for Battered Women submitted testimony about a northern Minnesota woman who was the victim of domestic violence--and the victim of one of these stalking apps. This victim had decided to get help. And so she went to a domestic violence program located in a county building. She got to the building, and within 5 minutes, she got a text from her abuser asking her why she was in the county building. The woman was terrified. And so an advocate took her to the courthouse to get a restraining order. As soon as she filed for the order, she got a second text from her abuser asking her why she was at the county courthouse and whether she was getting a restraining order against him. They later figured out that she was being tracked through a stalking app installed in her phone. This does not just happen in Minnesota. A national study conducted by the National Network to End Domestic Violence found that 72 percent of victim services programs across the country had seen victims who were tracked through a stalking app or a stand-alone GPS device. Without objection, I will add to the record the accounts of a few other victims. Here is one from a victim in Illinois. She was living in Kansas with her abuser. She fled to Elgin, Illinois, a town three States away. She did not know that the whole time her cell phone was transmitting her precise location to her abuser. He drove the 700 miles to Elgin. He tracked her to a shelter and then to the home of her friend, where he assaulted her and tried to strangle her. Here is one from a victim in Scottsdale, Arizona. Her husband and she were going through a divorce. Her husband tracked her for over a month through her cell phone. Eventually, he murdered their two children in a rage. In most of these cases, the perpetrator was arrested because it is illegal to stalk someone. But it is not clearly illegal to make and to market and to sell a stalking app. And so nothing happened to the companies making money off of the stalking. Nothing happened to the stalking apps. My bill would shut down these apps once and for all. It would clearly prohibit making, running, and selling apps and other devices that are designed to help stalkers track their victims. It would let police seize the money that these companies make and use that money to actually prevent stalking. My bill will prioritize grants to the organizations that train and raise awareness around GPS stalking. And it would make the Department of Justice get up-to-date statistics on GPS stalking. That is a big deal, because the latest statistics we have from DOJ are from 2006, and at that point they estimated over 25,000 people were being GPS-stalked annually, back in 2006, and we know what smartphone technology has done since then. But my bill does not protect just victims of stalking. It protects everyone who uses a smartphone, an in-car navigation device, or any mobile device connected to the Internet. My bill makes sure that if a company wants to get your location or give it out to others, they need to get your permission first. I think that we all have a fundamental right to privacy: a right to control who gets your sensitive information and with whom they share it. Someone who has a record of your location does not just know where you live. They know where you work and where you drop your kids off at school. They know the church you attend and the doctors that you visit. Location information is extremely sensitive. But it is not being protected in the way it should be. In 2010, the Wall Street Journal found that half of the most popular apps were collecting their users' location information and then sending it to third parties, usually without permission. Since then, some of the most popular apps in the country have been found disclosing their users' precise location to third parties without their permission. And it is not just apps. The Nissan Leaf's on-board computer was found sending drivers' locations to third-party websites. OnStar threatened to track its users even after they canceled their service; they only stopped when I and other Senators called them out on this. And a whole new industry has grown up around tracking the movements of people going shopping--without their permission, and sometimes when they do not even enter a store. The fact is, that most of this is totally legal. With only a few exceptions, if a company gets your location information over the Internet, they are free to give it to almost anyone they want. My bill closes these loopholes. If a company wants to collect or share your information, it has to get your permission first and put up a post online saying what the company is doing with your data. Once a company is tracking you, it has to be transparent, or else it has to send you a reminder that you are being tracked. Those requirements apply only to the first company getting location information from your device. For any other company getting large amounts of location data, all they have to do is put up a post online explaining what they are doing with that data. That is it. These rules are built on existing industry best practices, and they have exceptions for emergencies, theft prevention, and parents tracking their kids. The bill is backed by the leading anti-domestic violence and consumer groups. Without objection, I will add letters to the record from the Minnesota Coalition for Battered Women, the National Center for Victims of Crime, the National Women's Law Center, the Online Trust Alliance, and Consumers Union--all in support of my bill. This bill is just common sense. [The letters and stalking cases appear as submissions for the record.] Chairman Franken. Before I turn it over to my friend the Ranking Member, I want to make one thing clear. Location-based services are terrific. I use them all the time when I drive across Minnesota. They save time and money, and they save lives. Ninety-nine percent of companies that get your location information are good, legitimate companies. And so I have already taken into account many of the industry concerns that I heard when we debated this bill last Congress: I have capped liability, I have made compliance easier. And if folks still have issues with the bill, I want to address them. So, with that, I will turn it over to Senator Flake. OPENING STATEMENT OF HON. JEFF FLAKE, A U.S. SENATOR FROM THE STATE OF ARIZONA Senator Flake. Thank you, Mr. Chairman. Thank you again to the witnesses for being here. I know you have busy schedules, and I really appreciate you doing this. I think we can all agree that stalking and domestic violence are serious concerns. That is why I was pleased to support the reauthorization of the Violence Against Women Act. I agree with those who will testify today, like Ms. Southworth of the National Network to End Domestic Violence and Detective Hill on the second panel, that domestic violence and stalking are serious problems that need to be addressed. I am not aware of any concerns that have been expressed about some of the sections of this bill, those that address the stalking apps and directing the Government to study GSP stalking and prioritize grants to educate law enforcement about this problem. Having said that, there are sections of the bill that I think are still a bit concerning. The bill before us regulates the commercial collection of geolocation information. Some concerns have been raised about its effect on businesses and applications that use geolocation information to provide consumers with services that they now rely on. I would like to enter into the record letters from the National Retail Federation and the Interactive Advertisement Bureau if that is okay. Chairman Franken. Without objection. Senator Flake. Thanks. [The letters appear as submissions for the record.] Senator Flake. In our efforts to protect the privacy of Americans, which is extremely important, we have got to be careful not to stifle innovation in dynamic sectors of the economy. A lot of the concerns that have been expressed are about static regulations that deal with a dynamic sector of the economy, and we want to make sure that we do not hamper development of new products and technologies. With that, I look forward to the witnesses. Thanks. Chairman Franken. Thank you, Senator Flake. The first panel of witnesses has seated themselves. Thank you. Bea Hanson is the Principal Deputy Director of the United States Department of Justice Office on Violence Against Women. Before joining the OVW, Ms. Hanson was director for emergency services and the chief program officer for Safe Horizon, a crime victims service organization in New York City. Ms. Hanson is a Minnesotan by birth and was raised in St. Paul. Jessica Rich is the Director of the FTC's Bureau of Consumer Protection. During her time at the FTC, Ms. Rich has led major policy initiatives related to privacy, data security, and emerging technologies; overseen enforcement actions; and developed significant FTC rules. She also received the Chairman's Award in 2011 for her contributions to the FTC's mission. Mark Goldstein is the Director of Physical Infrastructure Issues for the U.S. Government Accountability Office. He is a frequent witness before Congress and served as senior staff member of the Senate Committee on Homeland Security and Governmental Affairs. He will testify about the two different studies that GAO conducted at my request on the subject of location privacy. I would like to welcome you all. Thank you for appearing. Your written testimony will be made part of the record. You each have about 5 minutes for any opening remarks that you would like to make. We will start with Ms. Hanson. STATEMENT OF BEA HANSON, PRINCIPAL DEPUTY DIRECTOR, OFFICE ON VIOLENCE AGAINST WOMEN, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, D.C. Ms. Hanson. Thank you so much. Good afternoon, Chairman Franken, Ranking Member Flake, and members of the Committee. Thank you for the opportunity to testify on behalf of the Department of Justice regarding stalking, mobile devices, and location privacy. My name is Bea Hanson, and I am the Principal Deputy Director of the United States Department of Justice Office on Violence Against Women, or OVW. One key way that the Department of Justice has focused on strengthening the criminal justice response to stalking is through the implementation of the Violence Against Women Act, or VAWA. Since the passage of VAWA in 1994, we have made significant strides in enhancing the criminal justice system's response to stalking, and Congress has been a strong partner in our national efforts to address this issue. Since 1994, Congress has amended VAWA to address our growing understanding of this crime, adding stalking to the purpose areas of grant programs, broadening the Federal interstate stalking statute to protect victims of cyber stalking, and enhancing penalties for repeat stalking offenders. Just last year, in the most recent VAWA reauthorization, Congress closed a loophole in the Federal cyber stalking statute to permit Federal prosecutors to pursue cases where the offender and the victim both lived in the same State. Congress also amended the Jeanne Clery Campus Security Act to require that universities report crime statistics on incidents of stalking. As you both know, stalking is a complex crime, and it continues to be missed, misunderstood, and very much underestimated. Incidents of stalking behavior, when considered separately, may seem relatively innocuous. However, stalking behavior tends to escalate over time, and it is often paired with or followed by sexual assault, physical abuse, or homicide, as Chairman Franken has pointed out. Its victims feel isolated, vulnerable, and frightened, and tend to suffer from anxiety, from depression, and from insomnia. Results of the 2010 National Intimate Partner and Sexual Violence Survey, or NISVS, which was released by the Centers for Disease Control in late 2011, demonstrate the grave scope of this crime. Using a conservative definition of stalking, the survey found that 6.6 million people were stalked in the previous 12-month period and that 1 in 6 women and 1 in 19 men were stalked at some point in their lifetimes. The survey report noted that, although anyone can be a victim of stalking, females were more than three times more likely to be stalked than males, and that young adults had the highest rates of stalking victimization. The report also showed the too frequent nexus between stalking and intimate partner abuse. For the overwhelming majority of victims, the stalker is someone who is known to them--an acquaintance, a family member, or, most often, a current or former intimate partner. And the NISVS report confirmed that most stalking cases involve some form of technology. More than three-quarters of the victims reported having received unwanted phone calls, voice messages, and text messages; and roughly one-third of the victims were watched, followed, or tracked with a listening or other kind of device. The report authors noted that their findings showed a higher percentage of stalking than previous national studies and hypothesized that this increase could be due to new technologies that make stalking behavior easier. Technology has provided new tools for stalkers. For example, the rapid increased use of cellular phones in recent years has created a new market in malicious software that, when installed on mobile devices, allows perpetrators to intercept victims' communications without their knowledge or consent. Through the use of this software, perpetrators can read victims' e-mail and text messages, listen to their telephone calls, trace their movements, and turn on the microphone in their phone to record conversations occurring in the immediate surrounding area. And all this can be done remotely and surreptitiously. A recent study conducted by the National Network to End Domestic Violence, supported by the Department of Justice Office for Victims of Crime, further suggests that technology- enhanced stalking, including the use of mobile devices, is neither novel nor rare. Of the more than 750 victims service agencies that responded, 72 percent reported helping victims who had been tracked by GPS either through a cell phone or a GPS device. The findings from NISVS and other surveys underscore how critical it is that professionals who work with stalking victims understand the dynamics of stalking, particularly how stalkers use technology. We know that stalking is often a precursor to other forms of violence. Because stalking can be challenging to recognize, OVW grant programs support specialized training for police, prosecutors, and others to ensure that comprehensive services are available to victims. We also fund a number of training and technical assistance projects that target the intersection of technology and the crimes of stalking, sexual assault, domestic violence, dating violence, and there is more information on that in my written testimony. And we have some of our grantees who are going to be talking here later on the second panel. I appreciate the opportunity to testify today, and I look forward to continuing to working with Congress, working with you all, as it considers these important issues. Thank you. [The prepared statement of Ms. Hanson appears as a submission for the record.] Chairman Franken. Thank you, Ms. Hanson. Ms. Rich? STATEMENT OF JESSICA RICH, DIRECTOR, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION, WASHINGTON, D.C. Ms. Rich. Good afternoon, Chairman Franken and Ranking Member Flake. My name is Jessica Rich, and I am the Director of the Bureau of Consumer Protection at the Federal Trade Commission. I very much appreciate this opportunity to present the Commission's testimony on consumer protection issues involving geolocation information and to offer some initial views on the draft Location Privacy Protection Act. Protecting consumers' privacy is a key focus of the Commission's efforts, and we commend the Committee for its continued attention to this really important issue. Products and services that use geolocation data make consumers' lives easier and more efficient, as you have noted, Chairman Franken. Consumers can get turn-by-turn directions to their destinations, find the closest bank, and check the weather when they are traveling, among many other examples. At the same time, the increasing collection, use, and disclosure of this data presents serious privacy concerns. For this reason, the Commission considers precise geolocation data to be sensitive, warranting opt-in consent prior to collection from a consumer's mobile device. Why is this data so sensitive? A device's geolocation can reveal consumers' movements in real time and over time and, thus, divulge intimate personal details about them, such as the doctor's office they visit, how often they go, their place of worship, and when and what route their kids walk to school in the morning and return home in the afternoon. This data can be accessed and used in many ways consumers do not expect, for example, collected through stalking apps, sold to third parties for unspecified uses, paired with other data to build detailed profiles of consumers' activities, or stolen by hackers. The risks to consumer range from unwanted tracking to threats to personal safety. The Commission has taken action to protect this data through law enforcement and outreach efforts. Using its authority under the FTC Act, the Commission has brought cases against companies engaged in unfair and deceptive practices involving geolocation data. One example is our recent settlement with Snapchat, the developer of a popular mobile messaging app. In that case, the FTC alleged that, in addition to misrepresenting that photo and video messages sent through the service would disappear, which was what was publicized most about that case, Snapchat also collected and transmitted geolocation data from its app, even though its privacy policy claimed it did not track users or access such information at all. In another case, this one involving the developer of a popular flashlight app, the FTC alleged that the developer told users that it would collect diagnostic and technical information simply to assist with product support, but failed to disclose that the app transmitted the device's precise geolocation and unique device ID to ad networks. Finally, in a series of settlements with rent-to-own retailer Aaron's and its affiliates, the FTC alleged that the companies' installation and use of software on rental computers that secretly monitored and tracked consumers violated the FTC Act. The software could log keystrokes, capture screen shots, and take photo using the computer's webcam, all unbeknownst to users. Notably, the FTC alleged that installing location- tracking software on the rented computers without the renter's consent and disclosing this geolocation to rent-to-own stores was an unfair and illegal practice. In addition to enforcement, the Commission also has conducted studies, held workshops, and issued reports in this area. For example, in 2012, FTC staff issued two reports about the disclosures provided in mobile apps for kids. The report showed that the apps collected data from the kids' devices, including unique device ID and geolocation data, and shared it with third parties, often without notice to parents. And in February of last year, FTC staff issued a report providing specific recommendations about how all players in the mobile ecosystem--platforms, app developers, ad networks, analytics companies, and trade associations--can and must ensure that consumers have timely, easy-to-understand disclosures and choices about what data companies collect and use, including geolocation data. Now, turning to a discussion of the Location Privacy Protection Act, the Commission very much supports the goals of this bill, which seeks to improve the transparency and consumer control over the collection and use of sensitive geolocation data. The bill really represents an important step forward, notably by requiring clear and accurate disclosures and opt-in consent from consumers before this sensitive data can be collected. The bill contains both civil and criminal provisions and gives the Department of Justice sole authority to enforce both. We very much support strong remedies for violations. However, as the Federal Government's leading privacy enforcement agency, we do recommend that the Commission be given responsibility for enforcing the civil provisions of the bill. Thank you very much for this opportunity to provide the Commission's views. The FTC is very committed to protecting the privacy of consumers' geolocation information, and we look forward to continuing to work with the Committee and Congress on this issue. [The prepared statement of Ms. Rich appears as a submission for the record.] Chairman Franken. Thank you, Ms. Rich. I noted your recommendation in your written testimony and again just now. Ms. Rich. Okay. Thanks. Chairman Franken. Mr. Goldstein? STATEMENT OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL INFRASTRUCTURE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE, WASHINGTON, D.C. Mr. Goldstein. Thank you. Good afternoon, Mr. Chairman, Ranking Member Flake, and members of the Subcommittee. Thank you for the opportunity to be here this afternoon and provide testimony on consumers' location data. Smartphones and in-car navigation systems give consumers access to useful location-based services. However, questions about privacy can arise if companies use or share consumers' location data without their knowledge. Several agencies have responsibility to address consumers' privacy issues, including the FTC, which has authority to take enforcement actions against unfair or deceptive acts, and the NTIA, which advises the President on telecommunications and information policy issues. My testimony addresses: one, companies' use and sharing of consumers' location data; two, consumers' location privacy risks; and, three, actions taken by selected companies and Federal agencies to protect consumers' location privacy. Our findings were as follows in the two reports we released over the last couple of years. First, that 14 mobile industry companies and 10 in-car navigation providers that GAO examined in its 2012 and 2013 reports, including mobile carriers and auto manufacturers, collect location data and use or share them to provide consumers with location-based services and improve consumer services. For example, mobile carriers and application developers use location data to provide social networking services that are linked to consumers' locations. In-car navigation services use location data to provide services such as turn-by-turn directions and roadside assistance. Location data can also be used and shared to enhance the functionality of services such as search engines to make search results more relevant, for example, returning results of the nearby businesses. Second, while consumers can benefit from location-based services, their privacy may be at risk when companies collect and share location data. For example, in both our reports, we found that when consumers are unaware that their location data are shared and for what purpose that data might be shared, they may be unable to judge whether location data are shared with trustworthy third parties. Furthermore, when location data are amassed over time, they can create detailed profiles of individual behavior, including habits, preferences, and roads traveled--private information that could be exploited. Additionally, consumers could be at higher risk of identity theft or threats to personal safety when companies retain location data for long periods of time or in ways that link the data to individual consumers. Companies can anonymize location data that they use or share in part by removing personally identifying information. However, in our 2013 report, we found that in-car navigation providers that GAO examined used different de-identification methods that may lead to varying levels of protection for consumers. Third, companies GAO examined in both reports have not consistently implemented practices to protect consumers' location privacy. The companies have taken some steps that align with recommended practices for better protecting consumers' privacy. For example, all the companies we examined in both reports used privacy policies or other disclosures to inform consumers about the collection of location data and other information. However, companies did not consistently or clearly disclose to consumers what the companies do with these data or third parties with which they might share that data, leaving consumers unable to effectively judge whether such uses of their location data might violate their privacy. In our 2012 report, we found that Federal agencies have taken steps to address location privacy data through educational outreach events, reports with recommendations to protect consumer privacy, and guidance for industry. For example, the Department of Commerce's NTIA has brought stakeholders together to develop codes of conduct for industry. But GAO found that this effort lacks specific goals, milestones, and performance measures, making it unclear whether the effort would actually even address location privacy. Additionally, in response to a recommendation in GAO's 2012 report, the FTC issued guidance in 2013 to inform companies of the Commission's views on the appropriate actions mobile industry companies should take to disclose their privacy practices and obtain consumers' consent. GAO made recommendations to enhance consumer protections in 2012. GAO recommended, for example, that NTIA develop goals and milestones and measures for its stakeholder initiative. GAO will continue to monitor this effort in the future. Mr. Chairman, this concludes my oral statement. I would be happy to respond to any comments. Thank you. [The prepared statement of Mr. Goldstein appears as a submission for the record.] Chairman Franken. Thank you, Mr. Goldstein. Thank you all for your testimony. Ms. Hanson and Ms. Rich, your agencies have already done important work to combat cyber stalking and GPS stalking, but I want to challenge you to do more. I want to press you to investigate and shut down these smartphone stalking apps. They hurt tens of thousands of people every year. They market themselves directly and brazenly to stalkers, and they are easily available on the Internet. My bill will give you even more tools to go after these apps, but will you pledge to me today that you will use all of your existing tools to investigate and shut down these apps? Ms. Rich. Yes, I will, within my powers. We do have a Commission that needs to approve things, but I run the Bureau of Consumer Protection. I will note that we did bring a case against a similar service called Remote Spy. We litigated a case against them that was providing this very same type of service to spy on people, and we obtained a strong order against the company, and we can use similar tools to pursue these types of stalking apps. Chairman Franken. Thank you. Ms. Hanson. From my role at the Office on Violence Against Women, we are a grant-funded organization, and we really want to work with you and work together to address these issues around stalking applications. This has been a huge, a big priority for the Department. I would like to bring back to those folks who actually do the prosecution and want to share your concerns with the Criminal Division, specifically the computer crime and intellectual property section, as well as the U.S. Attorney's Office, Executive Office of the U.S. Attorney who handles the criminal prosecutions, and I will bring that back to them. Chairman Franken. Well, thank you. And there is bipartisan agreement on this. In 2011, I sent a letter joined by Senators Grassley, Klobuchar, Cornyn, Blumenthal, Graham, Whitehouse, Schumer, and Feinstein asking your agencies to crack down on these apps. So I want to ask each of you to do everything you can to shut them down. Mr. Goldstein, some of the witnesses on our second panel urge us to be cautious about legislating. They favor self- regulation. As part of your investigation, you looked at industry best practices for the collection and sharing of location data. In an interview after the report, you said that there were not very many rules in place and that in many ways this was still ``the Wild West of the Electronic Era.'' Did you find that industry best practices were being implemented consistently? And did you find that consumers were being given the information they needed to make choices about their privacy? Mr. Goldstein. Thank you, Mr. Chairman. Our reports clearly indicate that there is no comprehensive approach; that some companies do pay attention very consistently to the rules, the self-regulating rules that are out there, and some do not; and that there is a great variety and not a lot of transparency. Those seem to be the two principal problems, a lot of variety and that some pay attention to some rules and not others, and the lack of transparency and that consumers do not always have enough information to make choices about what kind of information is being retained, how long it is being retained, by whom it is being retained and used, things like that. So there are quite a lot of problems still out there with the application of the rules. Chairman Franken. And I see you are nodding, Ms. Rich. Ms. Rich. Yes. Many industry groups and individual companies say they implement opt-in or have opt-in as a best practice. But our enforcement more broadly, even outside of stalking apps, but related to the collection of geolocation information, including the Snapchat case, the Goldenshores case, which was the flashlight case, our case against Aaron's, and also our survey of kids' apps shows that this opt-in standard is not being complied with on a regular basis. Chairman Franken. Yes, I found the Snapchat case particularly ironic because their whole selling point was that once you post a video or a photo, it would disappear. Ms. Rich. And we allege that was not true, among other things. Chairman Franken. But it did not. Other than that, it was exactly what it said. Okay. I am running out of my time. I will ask one more question, and we want to get to our other panel, so I will give it to Senator Flake, and I will ask one more question of Ms. Hanson. Senator Flake. Thank you. Mr. Goldstein, in your testimony you outline a series of ``what if's,'' asserting that location data could be used to track consumers, and I think we all understand the potential of this. You say that these--which can be used to steal identity, stalk them, monitor them without their knowledge. You also say that collection of data, location data, poses a threat. We all understand that. You have explained that very well. But in your study or in your investigation, did you uncover examples of companies stealing customers' identities or stalking them or criminals' obtaining location data? We know the potential exists. Did you actually turn up any nefarious activity? Mr. Goldstein. No, Senator, we did not. It was really a look at the kinds of issues that were out there. It was not really within the scope. But we also did not find any. Senator Flake. Ms. Rich, you mentioned a few of them and cases that have been brought. What has been out there in popular media that has caught your attention? Is that usually how you find these cases? Or how do you come on to these cases where you decide to bring action against them? Ms. Rich. We find cases in a variety of ways. We may be tipped off by an insider. We may get referrals from businesses or consumer groups or tech people. But responding to the question you just asked my colleague, one thing that our cases do show is that companies, even flashlights, are collecting this data, contrary to the claims they are making, and then they are sharing it. So it is being collected and used, and given what it can show in terms of consumers' private activities, that raises concerns. Senator Flake. Yes, certainly I think we all recognize that people use it for advertising and some of the disclosing--or giving the opportunity to opt out. My question to Mr. Goldstein was do we see criminals using it for purposes that are--the potential certainly exists, but if there are examples of that in a criminal way. We have seen some of the stalking, and obviously we want to make sure that we crack down on that. But I know that the potential exists. I was just wondering, in the studies have we seen that actually occurring? We see some of it on the commercial side, but not so much on the criminal side yet. Is that an accurate statement? Ms. Rich. I think that the stalking apps are the clearest example of the harm that it can do. I agree. Senator Flake. I mentioned in my opening statement that we want to make sure that we do not stifle any development of new technologies and new positive uses of this geolocation information. Ms. Hanson, the Department of Justice, as you know, works with law enforcement agencies across the country and broadcasters, transportation agencies, and the wireless industry to issue Amber Alerts. The National Center for Missing and Exploited Children manages a secondary distribution of these Amber Alerts. These are obviously only sent when a child is at risk of serious injury or death. Would Amber Alerts fall within one of the exceptions to the bill? Ms. Hanson. I would have to bring this back to the Department about how this would be an exception or not. I know that Amber Alerts have been important in identifying missing children. I think we need to look at this issue more broadly, and I can bring that back to the Department to take a look at it. Through our office, the Office on Violence Against Women, I think, you know, we have seen and you will hear testimony from folks on the second panel. If you look at the cases of cyber stalking that we actually look at--when you look at it from the perspective of victims of domestic violence, in actuality we do have a large number of victims who have said that they have been tracked. My testimony talked about 72 percent of those reported, looking at victims service agencies, had been tracked by GPS, through cell phone or GPS. So, you know, I think those are important issues we need to look at, but I can bring back this issue, the question about the Amber Alert. Senator Flake. A hypothetical, and some people have talked about and some are actually working on programs, I think, that would send an Amber Alert to a specific location if a child was lost in a mall and you do not need the Amber Alert at that point because there are certain standards and thresholds at which those are issued. But you might be able to send it at a lower threshold if it could be confined to a specific location, say a mall. But obviously, if the geolocation information of individuals who were in that mall, they would not have consented to receive that Amber Alert, they would not have opted in, but could--would this be an exception? And how do we work with the exceptions like that where useful information could go out but not for regulations that could come? Does that make sense? I am sorry. Ms. Hanson. It makes sense. It is not the area that I work in, so what I would like to do is bring that back to other folks in the Department and get back to you on that. Senator Flake. Okay. [The information referred to appears as a submission for the record.] Senator Flake. You had a---- Chairman Franken. Well, I just wanted to clarify that an Amber Alert would be--in Section 3 of the bill, we put in exceptions, and any emergency, allowing a parent or legal guardian to locate an emancipated minor child, and also it is for fire, medical, public safety, or other emergency services. So this is specifically in the bill. It would be exempted. Senator Flake. Okay. There are some that are a little less clear. I think Mr. Atkinson in the second panel will note that there are certain programs like Circle of 6, Siren, these apps allow women to share their precise geolocation information with friends who are in an unsafe situation. These, I think we all agree, can be used to help women who are in an unsafe situation. We just want to make sure that we do not do something that would prohibit those kind of uses, and that is a little tougher or a little fuzzier than an Amber Alert. And so I hope as we move through this process--and maybe the second panel can shed some light on that as well. Thank you, Mr. Chairman. Chairman Franken. Thank you. Senator Blumenthal has joined us. Senator Blumenthal. Thank you, Mr. Chairman. Thank you to you for having this hearing and for your really instrumental work on a lot of this legislation. Thanks to this excellent panel, and I want to thank particularly Bea Hanson for your work on sexual assault on campuses and your help to me in the roundtables that we organized around Connecticut and the proposals that we formulated as a result, and the President's great work on this issue, thanks to the wonderful staff that he has working on this issue. To that point, I wonder if you could talk a little bit about what additional steps colleges and universities ought to be taking with respect to cyber stalking and the relationship or the intersection of cyber stalking with campus sexual assault. You know, in Connecticut, more than 50,000 individuals are stalked every year. A lot of it occurs on campuses because college students tend to be more attuned to this technology. And yet I found, as I went around the State of Connecticut, that college administrators and officials there often were not as focused as perhaps they should be on this issue of cyber stalking and the technology that is available to enable it. So perhaps if you could talk a little bit about that issue. Ms. Hanson. Thank you, Senator Blumenthal. And thank you for your work on addressing campus sexual assault and the report that you put together as a result of all of the hearings you did in Connecticut. I think that nexus between campus sexual assault and cyber stalking is important, especially when we look at the use of cell phones and smartphones, especially among the college campus students. There is work that is being done, there is more work that we need to do, in terms of looking at prevention messages and incorporating issues of stalking and cyber stalking, particularly into messages around sexual assault because we know often that stalking is not something that occurs by itself, but that it often escalates over time and can often be a precursor to crimes like sexual assault or even homicide. I agree with you on your point about the need to train and talk to administrators about it. I think that there is a lot more knowledge among the students than there is among the administrators about the training that is needed to look at cyber stalking and those connections. So we are more than happy to work with you and the rest of the Committee if there are ways that we can make those efforts even stronger. Senator Blumenthal. I thank you. This technology has huge promise, but also tremendous peril, and the awareness of the peril is sometimes difficult among young people who think of themselves as invincible. And yet because of that delusion, they may be the most vulnerable, and the most vulnerable often to their friends who seemingly want to befriend or support them, and yet use this technology really to put them in great peril. So I thank you for your focus on that. I would like to ask, Ms. Rich, whether you believe under your current authority you can take action against some of the makers, the manufacturers who may be, knowingly or unknowingly, promoting misuse or abuse of this technology. Ms. Rich. To date, we have taken action--we did take action and litigated a case against a promoter, a seller of spyware that specifically sold it so that you could capture the movements of somebody secretly. And we did that under our existing authority. We also--I mentioned before you came in, we brought several cases against companies that either under our deception or unfairness authority shared geolocation without consent or notice to consumers. So we do have authority, but we do need to prove deception or unfairness. And the across-the- board notice and consent requirements with exceptions for legitimate use that are in the proposed--the law which make it easier for us to enforce. Senator Blumenthal. So you would welcome this additional measure? Ms. Rich. We very much support the goals and the basic provisions of the bill, yes. Senator Blumenthal. Do you plan to have roundtables or workshops or other means of increasing awareness among students and others? Ms. Rich. We recently had a seminar on mall tracking, which is not about stalking but it is about the use of GPS to track consumers' movements in stores, and I think that raised awareness about the use of geolocation, and we will be issuing a report on that. And we will be--we continue to have workshops and seminars on consumer protection issues like these. Senator Blumenthal. Thank you. Thank you, Mr. Chairman. Chairman Franken. Thank you, Senator. I am going to ask just one real short question of Ms. Hanson, and it is mainly a short answer, I think, that will be required. The latest statistics we have on the prevalence of GPS stalking are from a 2006 study conducted by the Department. Back then, an estimated 25,000 people a year were victims of GPS stalking. That was, again, in 2006, before the explosion of smartphones. Today the vast majority of adults own a cell phone, and most of them a smartphone. So we just intuitively know that rates of GPS stalking must have increased since then. Ms. Hanson, my bill will institute regular reporting on GPS stalking, but in the meantime, will DOJ update its statistics on GPS stalking as soon as possible? And if there are barriers in doing that, would you tell me what they are? Ms. Hanson. Yes, thank you. Thank you for that question. This is a one-time supplement that we had put out in 2006 that was funded by the Office on Violence Against Women. Since then, as I said in my testimony, the National Intimate Partner and Sexual Violence Survey came out in 2011, and the National Institute of Justice as part of the Department of Justice has been working with the CDC on that. There are questions about stalking, and what I would like to do is go back and talk to folks at BJS and talk to those folks at NISVS to make sure that--to identify if there is any additional stalking questions that would be helpful for us to ask through the Department, just so that we are not duplicating anything that would be in the NISVS report. But I would be happy to go and look into that and get back to you on that, so thank you. Chairman Franken. Well, thank you very much. I have some questions that I will submit to you for the written record, but I would like to thank all three of you for your testimony and invite up our second panel. [The questions of Chairman Franken appear as submissions for the record.] Chairman Franken. All right. I would like to start by introducing our panel. Detective Brian Hill of Elk River, Minnesota, has served in the Anoka County Sheriff's Office since 2000 and has been a detective with the Criminal Investigation Division since 2008. Detective Hill is an expert in digital forensics and has trained over 3,000 law enforcement officers, prosecutors, judges, advocates, and others across Minnesota on the use of technology to facilitate stalking. He himself was trained by the Minnesota Bureau of Criminal Apprehension, the FBI, and the Secret Service. He also served our country as a member of the Air Force Reserves and was deployed for 2 years for the wars in Iraq and Afghanistan. We are very grateful for your service at home and abroad, Detective Hill, and proud to have you here. Thank you. Mr. Lou Mastria is the executive director of the Digital Advertising Alliance. He leads the DAA's effort on self- regulation, consumer transparency, and consumer choice. Mr. Mastria is a certified information privacy professional and has served as the chief privacy officer for a range of organizations. Thank you for being here. Ms. Sally Greenberg is the executive director of the National Consumers League, NCL. She has testified before Congress on a variety of consumer protection issues, including on fraud and excessive fees on car rentals. Previously, she worked at the U.S. Department of Justice and the Anti- Defamation League. Ms. Greenberg was also born and raised in Minnesota and is a graduate of Southwest High School, close to where I grew up in St. Louis Park. Dr. Robert Atkinson is the founder and president of the Information Technology Innovation Foundation. He holds a Ph.D. in city and regional planning from UNC-Chapel Hill and is a published author on economics and technology policy. Before founding ITIF, he was vice president of the Progressive Policy Institute and director of their new technology project. Ms. Cindy Southworth is the vice president of development and innovation at the National Network to End Domestic Violence and founder of NNEDV's Safety Net Project. She is one of the Nation's leading experts on stalking apps and has trained thousands of people across the country on stalking apps and the use of technology to facilitate stalking. Thank you and thanks to all of you again for joining us. Your complete written testimony will be made part of the record. I will note for the record that Ms. Southworth's written testimony on behalf of the National Network to End Domestic Violence is also being submitted on behalf of the Minnesota Coalition for Battered Women. So why don't we start with Detective Hill. You each have 5 minutes for any opening remarks you would like to make. Detective Hill, please go ahead. STATEMENT OF BRIAN HILL, DETECTIVE, CRIMINAL INVESTIGATIONS DIVISION, ANOKA COUNTY SHERIFF'S OFFICE, ANDOVER, MINNESOTA Mr. Hill. Chairman Franken, Ranking Member Flake, and distinguished members of the Subcommittee, my name is Brian Hill, and I thank you for the opportunity to appear before the Subcommittee to testify about law enforcement's support of the Location Privacy Protection Act of 2014. Since 2008, I have been a detective with the Criminal Investigations Division of the Anoka County Sheriff's Office in Minnesota. I investigate felony domestic and sexual violence cases with access to Anoka County's state-of-the-art digital forensics lab. I am a computer/mobile device forensic examiner/ investigator. The written testimony I submitted details my trainings, certifications, and professional association memberships. Why is this legislation important? Imagine the trauma of surviving domestic and sexual violence. Now add cyber stalking to that trauma. Stealth stalking apps endanger domestic violence victims' safety, financial stability, and social well- being. As we all increasingly use our cell phones to work, bank, text, access the Internet, e-mail, and pay bills, stalking apps are a tool to isolate victims from the functions and social connections their phones provide, including isolating them from contacting domestic violence advocates or law enforcement. To be rid of a stealth stalking app, victims must buy new phones, create new e-mail accounts, and change all passwords and security questions. Although there are never any guarantees, victims live with the frightening uncertainty of whether the stealth stalking apps are really gone or if they will reappear after removal. Victims' privacy and peace of mind continue to be violated by this uncertainty, often long after they have bought new phones or changed their passwords. For instance, I have worked with a victim who suspected that her estranged boyfriend put spyware on her phone. She stated he knew about private phone conversations and text messages. Also, he would show up randomly where she was. I examined her phone and could not get a full data extraction to determine if there was any spyware. Later, she brought in her computer, and I had found her computer has accessed a stalking program called FlexiSPY. There was then proof that the program was installed on her phone. I worked with her on the expensive and complicated tasks of getting a new phone and e-mail account on a safe computer. Proliferation of cheaper stalking apps has made these harrowing experiences more and more common. In the last 3 years, our mobile forensic exams in our office have increased exponentially by 220 percent in 3 years, averaging 30 exams per month. After 7 years of experience, I continue to discover new apps. For instance, our office is currently investigating an attempted murder in the context of domestic violence. We discovered Ti-spy, running in stealth mode on the victim's mobile device. Ti-Spy advertises itself as a $7 parental monitoring software which can be installed on smartphones to track text messages, calls, GPS location, and basically any phone data. As in the case of discovering Ti-Spy, I typically become engaged in a forensic investigation after victims or domestic violence advocates detect the unsettling signs of digital wrongdoing. They notice patterns of the abuser's knowledge about the victim's life and whereabouts when the abuser has no way of knowing. While my department deals with only felony cases, stalking apps are frequently used in misdemeanor domestic violence cases. Investigating cyber stalking is labor intensive and requires expensive, specialized equipment. Most law enforcement agencies, however, do not have the resources, equipment, staffing, or training to examine mobile devices for stalking apps, which can limit data recovery of potential evidence. Anoka County is fortunate to have eight different tools and dedicated staff for mobile examinations. Because of our county's resources, other counties and Federal agencies request our assistance. In a survey by the Minnesota Coalition for Battered Women in conjunction with the courts, advocates indicated that cyber stalking was the number one priority for law enforcement training in the protective order context because technology is frequently used to stalk victims and violate protective orders. To address the need for training on cyber stalking, I have worked closely with the Minnesota Coalition for Battered Women, and its 80-plus member programs, to train over 3,000 domestic and sexual assault advocates, law enforcement, prosecutors, and judges since 2009. Our efforts have borne fruit, but strained resources and the lack of awareness undercut law enforcement's ability to recognize and respond to domestic violence victims' increasing reports of cyber stalking. This erodes victim trust in the criminal justice system. A common abuser tactic in domestic violence is to convince the victim she is crazy. Victims then feel more crazy when they report the abuser has installed stealth stalking apps, only to be told, "We do not believe you," or "We do not have the resources to examine your phone." When law enforcement cannot effectively identify and respond to cyber stalking reports, victims stop reporting crimes and abusers win. This Act is a major step in addressing the stalking app problem. The most important part is that apps will be required to notify the user a second time, 24 hours to 7 days after initial installation, about the tracking implications. Victims will then be notified when the perpetrator does not have access to their phone. If this notice only applied to stalking apps, they would simply change the name of the app or market it in a different way. Just like in human trafficking, when Craigslist no longer allowed certain ads, the company backpages.com emerged and began to offer those ads. This Act would address such evasion of the law. And it also comes down to economics. By banning stealth GPS stalking apps, we make it unprofitable for the companies to make these programs, which decreases abusers' access to them. Additionally, the Act brings national public awareness to this issue by requiring information gathering, reporting, and training grants for law enforcement. Finally, the Act supports victim safety by requiring that all apps get permission to collect or share location information, making sure that a stalking app cannot disguise itself as an employee or family tracking app--or simply as a flashlight app. I urge you to support the Location Privacy Protection Act of 2014. Thank you again to the Committee for reviewing my testimony and for your support of law enforcement's efforts to keep domestic violence victims and our communities safe. [The prepared statement of Mr. Hill appears as a submission for the record.] Chairman Franken. Thank you, Detective Hill. Mr. Mastria? STATEMENT OF LUIGI ``LOU'' MASTRIA, EXECUTIVE DIRECTOR, DIGITAL ADVERTISING ALLIANCE, WASHINGTON, D.C. Mr. Mastria. Chairman Franken, Ranking Member Flake, members of the Subcommittee, good afternoon and thank you for the opportunity to speak at this important hearing. My name is Lou Mastria. I am the executive director of the Digital Advertising Alliance, and I am pleased to report to the Committee on how industry has extended its successful online program to mobile to ensure consumers have access to the same transparency control in mobile as they do on desktop. Of particular interest to this Committee today, our mobile principles require consent for collection of location data and an easy-to-use tool to withdraw such consent, leaving the consumer ultimately in charge. Last year, the DAA released its Mobile Guidance, providing consumer-friendly privacy controls in this still very fast growing medium. This important, self-initiated update to our principles reflects the market reality that brands and customers increasingly engage with each other on a variety of screens. The DAA is a cross-industry nonprofit organization founded by the leading advertising and marketing trade associations-- the ANA, the 4As, DMA, IAB, AAF, and NAI. These organizations originally came together in 2008 to develop the self-regulatory principles to cover the collection and use of web-viewing data. In 2012, the Obama administration publicly praised the DAA program as a model of success, and more recently, Federal Trade Commission Commissioner Ohlhausen was quoted as calling the DAA ``one of the great success stories in the [privacy] space.'' The Internet is a tremendous engine of economic growth, supporting the employment of more than 5 million Americans. Mobile advertising by itself in the U.S. totaled more than $7 billion last year, and that is more than a 100-percent increase from the year prior. Revenue from online and mobile advertising subsidizes the content and services we all enjoy. Research shows that advertisers pay several times more for relevant ads, and as a result, this generates greater revenue to support free content. Consumers also engage more actively with relevant ads. Simply stated, companies have a very vested interest in getting this right. Self-regulation like the DAA is the ideal way to address the interplay of privacy and online and mobile advertising while preserving innovation. It provides industry, as demonstrated by the multiple updates to our program, with a nimble way of responding to new market challenges presented by a still evolving mobile ecosystem. The DAA mobile program applies broadly to the diverse set of actors that work together to deliver relevant advertising. The DAA principles call for enhanced notice outside of the privacy policy, consent for location data, and strong, independent enforcement mechanisms. Together these principles are intended to increase consumers' trust and confidence in how information is gathered in mobile by increasing transparency and control. The mobile program leverages an already successful universal icon to give consumers transparency and control about data collection and use. In April of this year, DAA issued specific guidance on how to provide this transparency tool in mobile. This will provide companies and consumers a consistent, reliable user experience in the multiple screens on which they interact. This will also provide companies a consumer-friendly way to provide notice and choice outside of the privacy policy. This advancement builds on the unprecedented level of industry cooperation which has led the DAA icon to being served globally more than a trillion times each month. In the coming months, DAA will also release a new mobile choice app which will empower consumers to make choices about data collected through mobile devices, including applications. Of particular relevance to this hearing and today, cyber stalking is a serious issue, as was detailed earlier. But criminal activity is separate and apart from the legitimate commercial uses covered by DAA. I want to note DAA's stringent requirements for the collection and use of precise location data for commercial purposes. The DAA program requires consent prior to collection and the provision of an easy-to-use tool to withdraw such consent. We have required privacy-friendly tools, including notice in the download process, notice at first install, or other similar measures to ensure that companies are transparent in a consistent manner about data collection and that consumers can make informed choices. To help ensure that both the mechanisms we require are used and that consumer choices are honored, we rely on our accountability programs. Accountability is a key feature of the DAA program. All of our principles are backed by the robust enforcement programs administered by the Better Business Bureau and the Direct Marketing Association. There have been more than three dozen publicly announced enforcement programs under this program to date. In summary, I would submit that the DAA is a story of empowering consumers through transparency and control. It has nimbly adapted consumer controls to meet quickly evolving market changes and consumer preferences. And it has done so while responsibly supporting the investment necessary to fund free or lower-cost products and services desired by consumers. I am pleased to answer any questions you might have. [The prepared statement of Mr. Mastria appears as a submission for the record.] Chairman Franken. Thank you, Mr. Mastria. Ms. Greenberg? STATEMENT OF SALLY GREENBERG, EXECUTIVE DIRECTOR, NATIONAL CONSUMERS LEAGUE, WASHINGTON, D.C. Ms. Greenberg. Good afternoon, Chairman Franken, Ranking Member Flake, and members of the subcommittee. My name is Sally Greenberg, and I am the executive director of the National Consumers League. The league was founded in 1899 and is the Nation's pioneering consumer organization. Our nonprofit mission is to advocate on behalf of consumers and workers in the United States and abroad. Supreme Court Justice Louis Brandeis, who served as NCL's general counsel, noted in a landmark 1928 decision that the right to privacy is ``the most comprehensive of rights, and the right most valued by civilized men.'' We could not agree more. Privacy is a cornerstone of consumer protection and a fundamental human right. The ubiquity of smartphones, tablets, and other mobile devices has dramatically changed the way consumers interact with the digital world. Thanks to the widespread use of location data, consumers can now navigate to their favorite coffee shops, discover the closest sushi restaurant, and be more easily located by emergency response providers. This technology has clearly provided immense consumer benefits. However, as the collection and use of location data has become an integral part of the mobile ecosystem, so, too, has consumer concern over the use and misuse of these data. According to a Consumer Reports poll from 2012, 65 percent of consumers were very concerned that smartphone apps could access their personal contacts, photos, location, and other data without their permission. A similar Los Angeles poll showed that 82 percent of those surveyed were either very or somewhat concerned about the Internet and smartphone firms collecting their information. This should not be surprising. Unlike location data gained from a non-mobile device, such as a desktop computer, data from mobile phones is inherently personal and can be used to learn and possibly disclose information that in many cases consumers would rather be kept private. Justice Sotomayor summed this concern up perfectly in her concurring opinion in U.S. v. Jones. She noted that, ``Disclosed in [GPS] data . . . will be trips . . . to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on.'' The consensus among consumer privacy advocates and government agencies such as the GAO and FTC that we have just heard from a moment ago is that there is no adequate legal framework protecting consumers' location data in the current and ever-evolving mobile ecosystem. Absent such a framework, consumers must rely on business to adhere to a variety of often voluntary and inconsistently applied company policies and industry best practices. That is why we believe so strongly that this bill is absolutely necessary and will help to protect especially sensitive types of information that consumers use, such as location data. S. 2171 would do just that. This bill would establish a level playing field for businesses that seek to collect and share location data. It would help to restore consumer trust and location-based services and ensure that the many benefits of this technology continue to flow to consumers and the economy while adhering to uniform rules of the road for protecting location privacy. In particular, we believe that the bill's opt-in provisions will allow consumers to take control over their private location information, giving them the right to choose to share that information, or not, and be informed how their location data will be used and by whom. And by prohibiting so-called stalking apps that we have heard so much about, the law will appropriately outlaw a class of inherently deceptive and predatory applications that compromise the personal safety of domestic violence victims. No Federal law currently prohibits the operation of these apps, which are designed to run secretly without the user's knowledge. In addition, we strongly believe that the section providing for private rights of action are critical. Given the limited resources of Federal enforcement agencies, a narrowly defined private right of action with caps on available damages gives an extra layer of protection to consumers while addressing industry concerns about abuses of that private right of action. In closing, I would like to reiterate NCL's strong support for S. 2171. In today's ever-changing digital economy, consumers expect and deserve that the privacy of their location information will be protected. Absent such protections, consumers may indeed become less trusting in location-based services, which would be harmful to innovation and the economy as a whole. Thank you, Mr. Chairman, Mr. Ranking Member, and members of the Subcommittee, on behalf of the National Consumers League and America's consumers, for your leadership in convening this hearing and your invitation to testify on this important issue. I look forward to answering any questions you may have. [The prepared statement of Ms. Greenberg appears as a submission for the record.] Chairman Franken. Thank you, Ms. Greenberg. Dr. Atkinson? STATEMENT OF ROBERT D. ATKINSON, PH.D., PRESIDENT, THE INFORMATION TECHNOLOGY AND INNOVATION FOUNDATION, WASHINGTON, D.C. Mr. Atkinson. Thank you. My clock is not working, so I will look over here for it. I assume that means I get some time, not zero. Chairman Franken. I will account for the looking over. [Laughter.] Chairman Franken. Ten percent. Mr. Atkinson. Thank you. Thank you, Chairman Franken, Ranking Member Flake, and members of the Committee. I appreciate the opportunity to submit testimony today. I am Rob Atkinson, president of the Information Technology and Innovation Foundation, which is a think tank focusing on policies to support technological innovation. This proposed legislation addresses two very distinct and unrelated issues: One is commercial use of geolocation information by third parties; the second is the use of that information by individuals, particular around stalking. Since these issues are separate and unrelated, I will address them separately. The issue of limiting the collection of geolocation data by third parties, in our view would stifle innovation in an area that is rapidly evolving. We have seen in the last few years tremendous growth in innovation around location-based services, and, importantly, the U.S. has led in this space. Of the top ten Internet companies in the world, eight of them are American. This is in part because our approach to regulation in this fast-moving digital age has really been to not regulate ahead of time. Unlike Europe, which is home to none of those ten Internet firms, they have embraced the precautionary principle to regulate well in advance of any real harms. This principle I believe is important for location-based services, especially in part because there is tremendous innovation happening in this space, and innovation that will continue to happen. In fact, we will probably see more innovation in the next 5 years than in the last. Things like in-car navigation and infotainment systems, connected devices making up the Internet of things, facial recognition--these are all interesting and important technologies that, unfortunately, do not lend themselves to a slower-moving regulatory process. I would support what Mr. Mastria said about industry-led self-regulation being a better approach, at least in this initial stage of technological change and innovation. Clearly, as we heard from Director Rich, the FTC has already taken actions and, in my view, has significant ability to take continued actions. We already see self-regulation working, for example, the Digital Advertising Initiative, but also on the two major platforms--iOS and Android--consumers have the ability to notice when location is on, to accept it, to not, to turn it off, turn it on. Second--and I think this is an important point--there is basically at this point no evidence or very little evidence of actual harms arising from commercial use. I will get to the stalking. There are clearly harms there. But in commercial use, I do not believe there is really any evidence of harms. Virtually all of the concern expressed to date by privacy advocates stems from speculative harms that could happen, but not actually ones that have happened. Third, our view is that some of the provisions in the bill, particularly the private right of action, could be stifling of innovation, particularly in the app space where for the top 800 apps for Android and iOS (Apple), the average company size is 25 employees. A lot of these companies, if they were faced with the potential of a $1 million fine for making a small coding mistake or putting something inaccurate on a website, I believe would think twice about developing a mobile app. Another component that I think is important is there are many apps that run in the background without the user's knowledge that are actually very, very important. Carrier IQ is an example of that. It is a diagnostic app that many of the mobile carriers use, and it enables the cell system to work effectively so carriers know when calls are dropped, where they are dropped, where they might add cellular capacity. These are apps we want to have running on the phone because they are acting in the public good. Finally, I would argue that some of the sections dealing with notice can be problematic. For companies to have to list every single company that they deal with from a business perspective could compromise some of their commercial information. Moving on to the domestic violence issue, I commend you on your efforts there, and I think this is really the most important part of the bill. We certainly fully agree with the outline in Section 4, Criminal Penalties, and Sections 5 through 10. But there are a couple of components that we would want to provide some suggestions on. The 24-hour to 7-day notice provision as it is written in the bill now, it currently applies to all apps, including applications like, for example, the Weather Channel or Google Maps or Yelp. These are apps where an individual who might put those apps on the phone, they simply cannot get access to the geolocation data. That is third-party geolocation that stays there. That is very different than one of these stalking apps. It is very different than an app like Amber Alert GPS Teen, which is for parents to put something on their kids' cell phone. So I would urge you to think about confining that 24/7 rule only to apps where the individual can get access to the GPS stream and not to have all apps, since the stalker cannot use the Weather Channel, for example, to stalk his or her victim. I do not think that really mattered, the point that Detective Hill made. The issue here is regulating the behavior of the app. The app could call itself anything, and it would still be under--it would still be subject to this rule if it is allowing the data stream to go to an individual. Another component I would urge you to think about, and that is international access. One of the concerns we have is even if we can shut down these abysmal stalking apps, stalkers may be able to get access overseas, on overseas websites, and I think thinking about that question, could there be blocking of certain--if we know there is, you know, the same sort of I-Spy site here and it just relocates to the Cayman Islands--could we block access to those? So, in summary, I will just say that geolocation offers many opportunities for innovation, and regulation at this point is premature. But, again, I commend you, Senator, for your leadership on the criminalization of the stalking apps, in particular, which I think are a serious problem and will help with that. Thank you. [The prepared statement of Mr. Atkinson appears as a submission for the record.] Chairman Franken. Thank you, Dr. Atkinson. Ms. Southworth? STATEMENT OF CINDY SOUTHWORTH, VICE PRESIDENT, DEVELOPMENT AND INNOVATION, AND FOUNDER, SAFETY NET TECHNOLOGY PROJECT, NATIONAL NETWORK TO END DOMESTIC VIOLENCE, WASHINGTON, D.C. Ms. Southworth. Good afternoon, Chairman Franken, Ranking Member Flake, and distinguished members of the Committee. My name is Cindy Southworth, and I am the vice president of development and innovation at the National Network to End Domestic Violence. I am also representing our member, the Minnesota Coalition for Battered Women, and I work closely with the Arizona Coalition Against Domestic Violence and the Connecticut Coalition Against Domestic Violence--in fact, all 56 coalitions. I founded the Safety Net Technology Project in 2002 to support survivors, help victim advocates, train police, and work with technologists and policymakers on thoughtful innovation. We work closely with many technology companies, including Verizon and Google. We serve on the Facebook Safety Advisory Board, and we work with the Application Developers Alliance. Since 2002, we have presented over 900 trainings to more than 65,000 practitioners. My esteemed and brilliant colleagues are with me today, and I want to say for the record that we love technology. We affectionately think of ourselves as the ``geeks of the domestic violence movement.'' The previous panel covered the statistics at length, so I will skip that. But I want to say that stalkers use location tracking services, freestanding GPS devices, and smartphone applications. Phone spyware is one of the most problematic. It allows abusers to monitor much more than location, but location is indeed one of the most dangerous, and it is currently the loophole. This phone spyware does not notify the victim that it has been installed, so an abuser can install it without her knowledge, consent, through any consents, and then it is done. A standard feature that spy developers go to great lengths to hide is that it is even installed. It does not show up in most phones as an installed app, which seems to be going to great length to hide it. These apps are often brazenly marketed to stalkers, sometimes briefly mentioning employee monitoring and child safety--almost as an afterthought or cover story--and heavily focusing on the features that will help you ``spy on your spouse.'' One of the most disturbing apps that I have seen recently is called ``HelloSpy,'' and it has a long list of stalking features and has a continuous animated image on their main web page showing a scene from a movie where a man roughly shoves a woman off the bed, backward, head first. It loops over and over and over. And just in the time that I was taking those screen shots, I had to witness that about 100 times to create that poster. On another HelloSpy web page, there is a photo of a man grabbing a woman's arm, and the woman has visible abrasions on her face. Next to this photo is a list of the features of HelloSpy, including track phone location and many more. Many of the apps on the next poster that you will see are developed and advertised directly to stalkers to facilitate crimes. In some tragic cases, GPS devices and apps may have actually aided an offender in locating the victim to commit murder. Or in other cases, location tracking was just one piece of an overwhelming list of controlling tactics that preceded a victim's death. For example, in 2009, in Seattle, a man used the location service on his wife's phone to track her to a local store. After finding her speaking to a man there, he shot and killed their five children and then himself. In Philadelphia, a man installed a tracking device on his ex's new partner's car. Overnight he checked that GPS device 147 times in one night, hunted him down using the GPS, and stabbed him to death 70 times. The Electronic Communications Privacy Act, ECPA, prohibits the manufacture, distribution, possession, and advertising of communication intercepting devices; however, it does not cover devices that surreptitiously track location information. Many apps on the poster very likely violate ECPA, and I would be happy to send this poster back with Director Hanson to give to her prosecutor friends at DOJ. It is important to note, however, that there are apps that track only GPS location and do not offer eavesdropping capabilities--and, hence, are not clearly prohibited under Federal law. Unfortunately, I am aware of only one instance where the Department of Justice has indicted a creator of spyware, and it was the creator of Loverspy, and he promptly fled the country and is now on the FBI's Cyber Most Wanted List. I would be delighted if the developer of HelloSpy would join this creator and be indicted shortly. So the solution. Number one, we need to require consent prior to tracking or sharing information. Survivors of abuse must be informed about how their location information will be used, disclosed, and shared. This consent process should be prominent, transparent, and easy to understand. Two, location tracking must be transparent and visible to users. Consent is critical, but consent alone is insufficient. Abusers often install these tracking apps without the knowledge of the victim. Relatively simple safeguards can be added. In fact, some of those safeguards already exist on the Apple technology and even in the Droid technology, letting people know that your location is being tracked. If GPS technology is being used legitimately to monitor children or employees, there is no need for a stealth mode. In fact, the reputable family safety products are visible. In 2005, the AntiSpyware Coalition created a consensus definition of spyware, which stated that ``tracking software done covertly is spying.'' And that was developed by technology companies. This provision, the transparent--the reminder provision is probably the most important element of the bill behind the criminalization. So number three, criminalize the operation, sale, and marketing of technologies whose primary purpose is to surreptitiously track someone's location and facilitate a crime. It is past time to also criminalize intercepting tracking location in addition to intercepting electronic communication. Four, allow law enforcement to seize the proceeds of those sales. No one should profit from encouraging or enabling criminal acts, and stalking app and device developers are creating and selling crime-facilitating products with abandon. Five, allow individuals an enforcement option through a very modest private right of action. The proposed protections for victims will be of little use without effective enforcement mechanisms, and the threshold I think is quite low. In fact, our organization has insurance that would cover the accidental oversight, not the punitive but obviously it should not cover that if you are doing it willfully with malintent. Six, enact parallel State laws. Since the overwhelming majority of stalking and domestic violence investigations are completed at the local level, we are hoping that your bill will become a model for State statutes. In conclusion, NNEDV supports innovation and has seen countless positive ways that technology can increase the safety and support for survivors of abuse and stalking. We are proud of the close working relationship that we have with technologists, and we thank Verizon, Facebook, Google, Apple, the Application Developers Alliance, and so many more for working with us to increase victim safety. The Location Privacy Protection Act of 2014 will narrowly impact a handful of bad actors that design or operate products created and sold to facilitate terrifying crimes. Senator Franken, thank you for your tireless and ongoing efforts to end violence against women. Thank you, Ranking Member Flake, and the entire committee for your long support of Violence Against Women Act and these important location protections for survivors. [The prepared statement of Ms. Southworth appears as a submission for the record.] Chairman Franken. Thank you, Ms. Southworth. Thank you all. We are going to have 7-minute rounds for questioning. I will start. Detective Hill, your testimony mentioned that you are investigating an attempted murder where the victim was being tracked by a stalking app that advertised itself as a parental monitoring software. I actually saw something like that myself. When we had a public hearing to debate this bill 2 years ago, I read from the website of a stalking app named ``ePhone Tracker.'' It looked like this: ``Suspect your spouse is cheating? Track every text, every call, and every move they make using our easy cell phone spy software.'' And there was a lot of press about that after that hearing. Later the same day, we checked the website again. This is what it looked like: ``Is your child exposed to sexting?'' And all the stuff about your spouse was gone. Is it common for stalking apps to disguise themselves like this, Detective Hill? Mr. Hill. Absolutely. They typically will advertise themselves as being a family tracker or track your employees because they seem more friendly that way. Chairman Franken. Well, because a lot of people say, well, why don't you just go after stalking apps? Why don't you leave legitimate apps alone? These are really two separate issues. Your answer tells me that if we want to stop stalking apps, we cannot target just apps that label themselves as stalking apps. We also have to lay down a few basic rules of the road for any app that is collecting your basic--your location information. Mr. Hill. Oh, absolutely, because they will just change the title of their app to something else that stalkers will eventually figure out. Chairman Franken. Ms. Southworth, we sort of have a needle and thread, I guess. We do not want to interfere with the legitimate parental monitoring apps, but we do want to block stalking apps that are pretending to be something that they are not. How do you do that? Ms. Southworth. Legitimate parental monitoring apps, if they follow along with the best practice of the computer-based monitoring apps, are visible. With the Microsoft Family Safety product, the child knows they are being monitored and their parents have control functions. From the moment they turn the computer on, they can see that there is monitoring occurring. The same with employee monitoring products. There is absolutely no problem with knowing that your device or your computer is being monitored. So it is--in fact, the spyware industry definition says if it is a monitoring product, it is spying if is not visible to the user, and there is no exception for child or employee. I understand that a child would not need to consent in the U.S. under our law, but they would still need notice. Chairman Franken. Well, thank you, and I agree with you that the reminder provision is absolutely critical here. Dr. Atkinson has actually raised a couple of concerns about the reminder provision, so I want to turn to those. Dr. Atkinson, in your testimony, you say that reminders might make it harder for parents to keep track of their kids because the kids will know they are being tracked. As you just heard, though, we cannot limit reminders only to apps that call themselves stalking apps. A lot of stalking apps pretend to be parental tracking apps and things like that. More importantly, though, I disagree with you that the reminder provision ``would be applied too broadly to all apps using geolocation data,'' from your testimony. My bill requires reminders only if an app is running in a way that is imperceptible. I am not sure--you seem to miss that because in your testimony you cite the Passbook app, in your written testimony, for the iPhone as a legitimate app that ``is arguably `imperceptible to the user.' '' Well, I took a look at my home screen on my iPhone, and there it was. This was not my iPhone, but it is second from the left on the top there, and it shows up on your home screen by default. In fact, you cannot delete it. It is impossible to delete, and every time it gets your location, a little arrow pops up. Show the arrow next to the 92 percent. I do not know if you can see this. It is also in your privacy settings under location services. So the Passbook app that your testimony says is imperceptible is really easy to perceive, at least to me. Any app like the Passbook app would not have to remind their users of anything under my bill. My point, though, is that it is not a fluke that Passbook app is running transparently. That is just the industry best practice. So right there, any app that follows best practices will not have to send any extra reminders. So, Dr. Atkinson, isn't it already industry best practice that location apps run in a way that are transparent to the user? Mr. Atkinson. So my point with that was twofold. One was-- and I may have made--should have made that clear. ``Imperceptible'' is perhaps a vague standard and perhaps you might look at what would be a better definition in the bill of what is actually imperceptible. Is imperceptible related to the size of the icon? Is it related to being able to see in the list? That was one point I was trying to make there. I fully agree with you that--there are tracking apps, if you will, are apps that report location that do run in the background, like Carrier IQ. And those are used--those, again, are not applications that an individual can access. I cannot go to the Carrier IQ website and find out where my phone was. So that was really the point I was making, is make sure that--I would encourage you to make sure that the definition of any of these applications is only for those apps where an individual could put something on the phone and then the individual could get access to that geo data stream. Otherwise, there are other apps that are sometimes used for system performance where you would not want that to be the case. Chairman Franken. Well, I really do not think Carrier IQ should be a model here. In 2011, in fact, we had--people were outraged when they found out that the software was running in secret, and so outraged that Sprint, the single biggest user of Carrier IQ, removed the software from tens of millions--26 million devices. And I am sure that there are isolated cases where the reminder provision might be superfluous and where it might be difficult. But, I mean, imperceivable, when it is on the home page, is--I do not know exactly--this just seems very--by and large, very straightforward to me. But I have run out of time, and I will go to the Ranking Member. Senator Flake. Well, thank you. Mr. Atkinson, in your testimony, you note in the written testimony there are number of innovative new products that would be considered mobile devices under the legislation, but they are not smartphones. These are like smart shoe apps or watches or other help devices that use location data to tell you how many steps you have walked that day. But these do not allow notification. There is no interaction with the user. Would that stifle innovation in these areas if you have issues or regulations that cover that? Mr. Atkinson. I think it could. Ms. Southworth mentioned an app which is just simply a GPS device. And, in fact, the company I mentioned, the Amber Alert company, they actually sell just a pure GPS device you could put in your child's backpack so you can follow them around and make sure you know where they are. There is no real way to do notification on that device, so a stalker, for example, could, as she said, put one of those devices in someone's trunk of their car. While I support the notion that we should have notice on those for stalking apps, there are certainly other technologies where you could not do that. And then obviously on some of the new things that we are going to get, how would you do a notice, for example, on a shoe or a shirt or other things like that? It could be hard to do notice. Notice is easier when you are dealing with an actual computer-like device. Senator Flake. Right. Mr. Atkinson, following up on that, Ms. Southworth at the end of her testimony said that the Location Privacy Protection Act will ``narrowly impact a handful of bad actors that design or operate products created and sold to facilitate terrifying crimes.'' Is that an accurate description of the legislation, that it would simply impact a handful of bad actors? Mr. Atkinson. Certainly the component--some of the components, particularly toward the end of the bill, would certainly do that and are needed. But half of the bill or some share like that is really focused on just broad generalized commercial use of geolocation data, which has, frankly, nothing to do with stalking, has no relationship to stalking or identity theft or other problems. And the bill would address those issues, and I think in a way that perhaps could limit innovation. Senator Flake. I certainly agree on the point, and like I said, there is a big part of the bill that I support, the stalking legislation part of it. But I remain concerned about some of it stifling innovation you were talking about. Mr. Mastria, do you want to address that as well? Mr. Mastria. Senator Flake, thank you. We see that self- regulation has been both effective and up to the task to give consumers transparency and control around the--certainly on the desktop environment, and will bring that to the mobile environment. The desktop environment we have been in for over 3 years. Later on this year we will be releasing our mobile choice app, which has been a work in progress now for about a year. We released our Mobile Guidance last year. We released an industry code for how to display notice earlier this year. The mobile app will be the third step in a four-step process that will actually make the guidance enforceable. Senator Flake. Do you share Mr. Atkinson's concerns that some of these new devices are not interactive and there is no way for even best practices or businesses to band together for notification if there is no interaction with the user? Does that, in your view, stifle innovation? Mr. Mastria. So one of the reasons that we think that self- regulation works--and I just want to limit my answer to the scope of the program that I run. One of the reasons that we think that innovation is better served by self-regulation is that we can quickly adapt and quickly move to new business models. Not that many folks were simply thinking about apps and cross-app data, precise location data many years ago, but we have not only a set of principles in place and guidance for companies to follow, but we are also putting out tools for consumers to be able to make choices. So that has happened in a fairly quick amount of time. I think if there are challenges in the future around that, self- regulation seems to be a quick way to adapt to those changes. Senator Flake. In your view that could be far more nimble than perhaps Government regulation in this regard? Mr. Mastria. I think that is more eloquently put than I did. Yes, thank you. Senator Flake. Ms. Greenberg, you state in your testimony, ``. . . if companies affirmatively state in their privacy policies that they will collect and share their users' location data without consent with any third party they wish, they are free to do so and the FTC has little power to stop them.'' But in that scenario, doesn't the consumer have the ability not to use the company's service or the app? Ms. Greenberg. Well, certainly that is true, but there are many, many apps that consumers find very useful. I do not think that should mean that they sacrifice their privacy or their ability to say, ``What are you using this data for? Don't I have the right to say you need to let me know that this information is being shared and with whom it is being shared?'' So I think we can bridge that gap without interfering with companies' ability to innovate. Senator Flake. Mr. Atkinson, again, you noted in your testimony there were many beneficial uses of tracking apps. You mentioned examples of the loved one locator, Project Life Saver; if someone has autism or dementia or Alzheimer's, family members are able to track and make sure that there is a safe zone that they stay within. There are exceptions in the bill, exemptions in the bill for that, but some concerns have been raised where there are situations where a sibling or a close family friend or others who are not a parent or legal guardian might want to be involved in that. Do you want to address that again or in more detail? Mr. Atkinson. Sure. I think it is important to understand that ``stalking'' is not a technological term. It is a behavioral term. ``Tracking'' is the technological term. And I do not believe--nor does the bill do this--that we should ban tracking applications. There are enormous benefits for families, for other people to want to know where their device is, where their family members are. And we need to make sure that we can go forward with those. What I am somewhat concerned about--I do not believe we will end up with a situation where we can--I think companies will change their names. They will just be Family Trackers, or stalkers will just use Family Trackers. But fundamentally I do not know how we can solve the problem, because, for example, on the notification, any person who installs an app on a phone, on the iOS or Android, you can turn off notification. Now, you can hope that the person whose phone it is understands that and looks at it, and I think that would be part of the education effort we need to do. But how do you monitor your phone? How do you look at the apps running list, all those things? But there is simply--in both of those operating systems right now you can just say, ``Turn off notification.'' So I think it is a little more complicated, I think, than just simply taking a set of apps that are bad actors who have used them for bad purposes. Senator Flake. Thank you. Thank you, Mr. Chairman. Chairman Franken. Thank you. The emergency exception and public safety exception are not limited to parents. I just wanted you to know that. Let us talk about a couple things. Mr. Mastria, both you and Dr. Atkinson have referred to Digital Advertising Alliance's self-regulatory program for mobile marketing as a model program. But just so I am clear, you issued this code in July 2013, but you are not enforcing it. Is that correct? Mr. Mastria. The code was issued in July 2013. There had to be several operational steps that have to be put into place before it can become operational. One of them is that there had to be a standardized way for companies to display the notice to consumers. That happened in April. And the next step is to have an app so that consumers can express their choices. The next step after the app would be that enforcement would come. Once a consumer makes a choice, we want to make sure that that choice is honored and that companies are held to honoring that choice. Chairman Franken. So it is a model program in theory. Mr. Mastria. No. The desktop program version of this has been around for almost 3\1/2\ years. Chairman Franken. Okay. Mr. Mastria. So we have a great pedigree to show that, in fact, we do put the tools in market that we say we will. Chairman Franken. Okay. Well, can I ask, Ms. Greenberg, about what your opinion is of--you know, what the reality you see is in best practices? Ms. Greenberg. Well, it seems that DAA's code is coming late in the game--other industry players like CTIA and the Direct Marketing Association put codes in place years ago. And so with all due respect to Mr. Mastria--and we have looked at his code, it is full of holes. We would argue that it feels like a PR gesture and may be driven, in fact, by the introduction of this legislation. And I would also take issue with the idea that self- regulation is working. There is monumental evidence that self- regulation is not working. We have heard witnesses from GAO and the FTC say as much. The Wall Street Journal did an article that you mentioned with 101 apps being tested, and 47 of those disclosed users' location to a third party without user consent. So I would say we very much need this bill because self- regulation is not protecting consumers. Chairman Franken. You know, there is the point that the Ranking Member made: Has there been any evidence of harm? I think that most Americans believe in that they have some right to privacy. Do you think that there is harm that individuals can feel if their privacy is not being protected? Ms. Greenberg. Yes, the notion that there is no real harm from the tracking and using of location data for consumers really strikes at the heart of our notions of consumer protection and the idea that privacy is a bedrock American principle. We know that Justices of the Supreme Court whom I mentioned, Brandeis and Sotomayor, have articulated that that is a bedrock right. And we see from the Consumer Reports surveys, from the L.A. Times survey, the vast majority of consumers do care about their location data not being shared without their consent and do want to know where that location data is being sent and that it is being shared and for what purpose. So I think that flies in the face of what we know about how consumers feel about their privacy. Chairman Franken. Dr. Atkinson, last year your organization published a blog post about my location bill, and in it said that, ``The evidence for the use of stalking apps by stalkers and harassers is somewhat thin.'' Dr. Atkinson, I can understand how an economics think tank might think that, but I am curious what folks in the field have actually seen. Detective Hill, are stalking apps common or is the evidence of their prevalence somewhat thin? Mr. Hill. They are very common, and the more exams we have done--like I said, you know, our exams have increased 220 percent. The more exams we do, we are finding more and more that these apps do exist and are on phones. Chairman Franken. Ms. Southworth? Ms. Southworth. A week does not go by where our national office--we are not even set up to do direct services, but we get calls every single week from survivors who are really trying to figure out is the GPS device on my car, is it on the phone, is it an app, is it a setting. And we have a lot of work to do to help them try to figure it out, and we just do not have enough Detective Hills out there to send them to have those phones examined. Chairman Franken. Right, and that is why we are hoping--and I think Dr. Atkinson has stated his general approval of the stalking apps piece of this, so I do not want to send that wrong message. Just in the execution of it, in terms of giving--how important is it--and I will go to you again, Ms. Southworth--that people have a reminder that this is happening? And how realistic is that? Because Dr. Atkinson talked about your being able to suppress that. Ms. Southworth. It is vital, and the behavior is not new. As all the witnesses have said, you know, there is general support around helping victims. The challenge is offenders will do anything they can to control and monitor their victims, and back in the day they would look at the odometer when a victim went to the grocery store and see if she perhaps stopped to pick up a prescription because that is outside of the bounds of what she was allowed to do that day, that just phenomenal, crazy, and out of control that offenders do. What happens with some offenders is they will actually tell the victim, ``I am putting this stalking app on your phone, and I am going to be tracking you.'' If she knows it is there, when she comes to meet with Detective Hill to file a report, or she goes to the local advocate to meet and talk about a protection order, she can accidentally let the battery run dead. She can leave the phone behind. But if she does not know it is on the phone because either the offender did not tell her or she does not see it, there is no little arrow on the top, she cannot do anything to stay safe. Chairman Franken. Before I run out of time, I mean, this goes to the resources, because someone who feels like they are being tracked, saying it must be in this thing, what happens when they go to a police station routinely? Mr. Hill. Routinely what happens is the agencies do not have the tools to look at it, so they say they cannot, or they may only have one tool to look at it, and they quick take a look at it and do not see anything, and then send the victim on their way, which can be very frustrating. Chairman Franken. This is why we need and the bill does get resources for being able to do exactly what victims need. Mr. Hill. Absolutely. Chairman Franken. Okay. I am out of time, and we will go back to the Ranking Member, if you have any more questions. Senator Flake. Well, I appreciate that. Let me just say, like I said, the portions of the bill that deal with stalking, I applaud the Chairman for his dedication on this, and those who have testified, and groups and organizations that have worked on this for a long time. And I do think we definitely need action in those areas. My concern is just we in other areas, the other part of the bill, that we do not unnecessary stifle innovation that could help with some of these same areas we are talking about. But, Mr. Mastria, I think concerns have been raised about this legislation, that it might require notice to be provided and consent be obtained for individuals using a device. But some devices are used not just by one individual, a family table or a GPS in a car. Is there a concern among some members in your organization that notification may be given to an individual but not others who use the same device? Is that a concern? Mr. Mastria. Senator, I can speak to what the program code is, and the program says that if you are transferring location information, you have to get consent, and you have to get it either at the download or on install, at some point that is obvious. It has to be clear, meaningful, and prominent. I would like to take a step back and just answer a point that Ms. Greenberg made. Thank you for mentioning CTIA and DMA. They were both participants in the development of our code, and our code will be enforceable later on this year. In terms of the PR piece, our program has announced more than 30 public actions against both participants of the DAA and non-participants alike. That is not PR. It is not an easy conversation to have with a company that they are somehow noncompliant with our program. But the reality is that that is the mission that we have set out to do. The FTC had asked us to mount a program, challenged industry to mount a program to deliver transparency, control, and accountability, and we do that every single day. And that is the program that we have, and we think that it serves both industry and consumers well. Senator Flake. Thank you. That was my next question, actually, to describe the program you have with companies to, you know, give some discipline to what you are talking about. And you have actually referred companies for investigation. How many did you say? Mr. Mastria. There have been 33 public compliance actions. That number, I think it is in the 60 or 70 individual companies that are named in there, and of those, we get compliance from most of them eventually. But one of them did get referred to a Federal authority. Senator Flake. Well, thank you. That does it for me, and I really appreciate this hearing, and thank you for your testimony, everyone. Thank you, Mr. Chairman. Chairman Franken. Well, I would like to thank all the witnesses. Very, very quickly, because I do not want to have a long back-and-forth, but would you like to respond to that, Ms. Greenberg. But, again---- Ms. Greenberg. Yes, if I could just take a---- Chairman Franken. If you take a lot of time, I am going to go back to Mr. Mastria. Ms. Greenberg. I will just take a moment to say it is not that we are arguing with the idea that they may have pursued investigations. It is the code itself that is weak. The way we read the code, an app does not need to get permission if they do not share the data and they keep it to themselves under the code. And if the app does share precise location with a totally different company, they still do not need to get permission to share it if they are doing so for a variety of purposes, like market research or product hits. So, in other words, it is the code itself that is weak, and when I described it as full of holes, that is what I was referring to. Chairman Franken. I will go back to Mr. Mastria, just in fairness. Mr. Mastria. The code does call for consent when there is a transfer of location information, and the reason we do that is that we focus on when information is being transferred to unrelated apps or unrelated sites. And so that is the code, and that is part of the transparent---- Chairman Franken. Well, was her characterization of the code not accurate? Mr. Mastria. Yes; not accurate. I think that we focus on transfer of information to unrelated apps, unrelated sites, and we want to make consumers aware of that. We want to give them control over that. That is the part of the code that is really kind of the most--the essential piece of the DAA program. Chairman Franken. Okay. We may follow up. Mr. Mastria. Yes. Chairman Franken. I do not want to--okay. I do not want to do whatever I would be doing if I did it. So, in closing, I want to thank obviously the Ranking Member, Senator Flake, thank you, and I want to thank each of the witnesses, and every one of you who appeared today, and particular Detective Hill, who took time out of his job to travel here and to testify to us. We heard a lot of valuable testimony today. I think that my bill is going to protect our privacy without--I think it would not create difficulties for industry, and I am going to think about today's testimony, though, and other feedback that we get, and we will work to address that feedback to make any needed improvements in the bill between now and the time it gets a vote. So I thank all of you, and I mean that sincerely, I thank all of you for being here. But I think there is one thing that there is absolutely no question about. Stalking apps must be shut down. It is unacceptable that in this day and age companies are making money off of stalking and brazenly marketing themselves to stalkers. It is equally unacceptable that our laws have loopholes that let them do this. No matter what we do, no matter what form this bill takes, we have to stop these apps. I think there is agreement here. So we will hold the record open for 1 week for submission of questions for the witnesses and other materials. Thank you, thank you, thank you again. This hearing is adjourned. [Whereupon, at 4:32 p.m., the Subcommittee was adjourned.] A P P E N D I X Additional Material Submitted for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Bea Hanson [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Jessica Rich [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Mark L. Goldstein [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Brian Hill [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Luigi Mastria [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Sally Greenberg [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Robert D. Atkinson [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Cindy Southworth [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Chairman Leahy [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Prepared Statement of Chairman Franken [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Questions Submitted to Robert D. Atkinson by Senator Flake [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Questions Submitted to Luigi Mastria by Senator Flake [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Questions Submitted to Mark L. Goldstein by Senator Franken [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Questions Submitted to Jessica Rich by Senator Franken [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Responses of Robert D. Atkinson to Questions Submitted by Senator Flake [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Responses of Luigi Mastria to Questions Submitted by Senator Flake [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Responses of Jessica Rich to Questions Submitted by Senator Franken [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Responses of Mark L. Goldstein to Questions Submitted by Senator Franken [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Submission for the Record [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]