[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
PROTECTION OF PRIVACY IN THE DHS INTELLIGENCE ENTERPRISE
PART I AND II
=======================================================================
HEARING
before the
SUBCOMMITTEE ON INTELLIGENCE,
INFORMATION SHARING, AND
TERRORISM RISK ASSESSMENT
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
APRIL 6, 2006 and MAY 10, 2006
__________
Serial No. 109-72
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
27-629 WASHINGTON : 2007
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092104 Mail: Stop IDCC, Washington, DC 20402�0900012006
COMMITTEE ON HOMELAND SECURITY
Peter T. King, California, Chairman
Don Young, Alaska Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas Loretta Sanchez, California
Curt Weldon, Pennsylvania, Vice Edward J. Markey, Massachusetts
Chairman Norman D. Dicks, Washington
Christopher Shays, Connecticut Jane Harman, California
John Linder, Georgia Peter A. DeFazio, Oregon
Mark E. Souder, Indiana Nita M. Lowey, New York
Tom Davis, Virginia Eleanor Holmes Norton, District of
Daniel E. Lungren, California Columbia
Jim Gibbons, Nevada Zoe Lofgren, California
Rob Simmons, Connecticut Sheila Jackson-Lee, Texas
Mike Rogers, Alabama Bill Pascrell, Jr., New Jersey
Stevan Pearce, New Mexico Donna M. Christensen, U.S. Virgin
Katherine Harris, Florida Islands
Bobby Jindal, Louisiana Bob Etheridge, North Carolina
Dave G. Reichert, Washington James R. Langevin, Rhode Island
Michael McCaul, Texas Kendrick B. Meek, Florida
Charlie Dent, Pennsylvania
Ginny Brown-Waite, Florida
______
Subcommittee on Intelligence, Information Sharing, and Terrorism Risk
Assessment
Rob Simmons, Connecticut, Chairman
Curt Weldon, Pennsylvania Zoe Lofgren, California
Mark E. Souder, Indiana Loretta Sanchez, California
Daniel E. Lungren, California Jane Harman, California
Jim Gibbons, Nevada Nita M. Lowey, New York
Stevan Pearce, New Mexico Sheila Jackson-Lee, Texas
Bobby Jindal, Louisiana James R. Langevin, Rhode Island
Charlie Dent, Pennsylvania Kendrick B. Meek, Florida
Ginney Brown-Waite, Bennie G. Thompson, Mississippi
Florida
Peter T. King, New York
(II)
C O N T E N T S
----------
Page
STATEMENTS
The Honorable Rob Simmons, a Representative in Congress From the
State of Connecticut, and Chairman, Subcommittee on
Intelligence, Information Sharing, and Terrorism Risk
Assessment..................................................... 1
The Honorable Zoe Lofgren, a Representative in Congress From the
State of California, and Ranking Member, Subcommittee on
Intelligence, Information Sharing, and Terrorism Risk
Assessment..................................................... 2
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Committee............................................. 5
The Honorable Charlie Dent, a Representative in Congress From the
State of Pennsylvania.......................................... 16
The Honorable Jim Gibbons, a Representative in Congress From the
State of Nevada................................................ 6
The Honorable Ginny Brown-Waite, a Representative in Congress
From the State of Florida...................................... 17
Witnesses
Thursday, April 6, 2006
Panel I
Ms. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department
of Homeland Security:
Oral Statement................................................. 7
Prepared Statement............................................. 9
Panel II
Mr. Kirk Herath, Chief Privacy Officer, AVP-Associate General
Counsel, Nationwide Insurance Companies:
Oral Statement................................................. 19
Prepared Statement............................................. 21
Mr. Patrick Hughes, Lieutenant General, USA (Retired), Vice
President--Homeland Security, L-3 Communications:
Oral Statement................................................. 35
Prepared Statement............................................. 36
Mr. Jonathan Turley, Shapiro Professor of Public Interest Law,
George Washington Law School:
Oral Statement................................................. 29
Prepared Statement............................................. 31
PROTECTION OF PRIVACY IN THE DHS INTELLIGENCE ENTERPRISE
PART I
----------
Thursday, April 6, 2006
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Intelligence, Information
Sharing and Terrorism Risk Assessment,
Washington, DC.
The subcommittee met, pursuant to call, at 9:20 a.m., in
Room 311, Cannon House Office Building, Hon. Rob Simmons
[chairman of the subcommittee] presiding.
Present: Representatives Simmons, Gibbons, Dent, Brown-
Waite, Lofgren, and Thompson.
Mr. Simmons. [Presiding.] The subcommittee will be meeting
today to hear testimony on the protection of privacy in the
Department of Homeland Security Intelligence Enterprise.
We will be hearing testimony from four witnesses today. Our
first panel, we will hear from Ms. Maureen Cooney, acting chief
privacy officer of the Department of Homeland Security.
On our second panel, we will hear from Mr. Kirk Herath,
chief privacy officer and associate general counsel at the
Nationwide Insurance Companies; Mr. Jonathan Turley, Shapiro
professor of Public Interest Law at the George Washington
University Law School; and Lieutenant General Patrick Hughes,
vice president of Homeland Security at L-3 Communications.
And I thank all of our panelists for coming today.
The right to privacy is implicit in the Fourth Amendment
right of the people to be secure in their persons, houses,
papers and effects against unreasonable searches and seizures,
and it shall not be violated.
It is embedded in the founding ideals of this nation.
Justice William O. Douglas, in Griswold v. Connecticut, wrote
that the right to privacy is ``older than the Bill of Rights,
older than our political parties.''
We are all acutely aware of the privacy issues facing the
government today, especially as the president and Congress work
to defend America against those who wish to commit mass murder.
And I remind my colleagues and others of a passage in the
9/11 Commission report, which states, ``We learned that the
institutions charged with protecting our borders, civil
aviation and national security did not understand how grave
this threat could be and did not adjust their polices, plans
and practices to deter or defeat it. We learned of fault lines
within our government between the foreign and domestic
intelligence and between and within agencies. We learned of the
pervasive problems of managing and sharing information across
large and unwieldy government that has been built in a
different era to confront different dangers. We hope that the
terrible losses chronicled in this report can create something
positive--an America that is safer, stronger and wiser.''
And, indeed, the creation of the Department of Homeland
Security was a response to that effort to create something
positive, something safer, stronger and wiser, but at the same
time, something that respects our Constitution and our Bill of
Rights and the rights that are detailed therein.
The House Permanent Select Committee on Intelligence is
leading the effort to examine the NSA Terrorist Surveillance
Program, and the House Judiciary Committee is taking a close
look at the Foreign Intelligence Surveillance Act. Speaking for
myself, I support both of those committee initiatives.
We are here today to ensure that the Department of Homeland
Security is also paying proper attention to privacy matters at
the department and the department's intelligence activities.
The Department of Homeland Security has a legally mandated
duty to protect the privacy of U.S. persons in the course of
its intelligence work and in its information collection
activities. However, just 2 days ago, the General Accounting
Office issued a report stating that federal agencies, including
DHS, lacked polices that specifically address their use of
personal information from commercial sources.
Ms. Cooney, I hope you will be able to address some of
these issues for us in your testimony today.
While DHS receives information from commercial sources, it
also receives information from intelligence and law enforcement
communities as through the regulatory screening activities of
the department.
This information is vital to America's border security,
critical infrastructure protection, transportation security,
and a number of other security activities. Gathering,
processing, analyzing and sharing information intelligence will
be vital to preventing the next attack on our homeland. We must
ensure, however, that the department protects the privacy of
the American people while also protecting them from terrorist
attack.
The chair now recognizes the ranking minority member of the
committee, the gentlelady from California, Ms. Lofgren, for any
statement she might wish to make.
Ms. Lofgren. Thank you, Mr. Chairman.
Welcome, Ms. Cooney, and also Mr. Harris and Mr. Turley.
I appreciate being recognized for this statement. Our topic
is privacy rights. I think the elephant in the room is the
issue of the NSA Warrantless Eavesdropping Program. NSA
eavesdropping is an important issue for the subcommittee to
address under its oversight responsibilities over intelligence
and information sharing techniques.
The Bush administration has failed repeatedly to give
Congress meaningful answers about this eavesdropping program,
and the Congress so far has failed to hold it accountable
through oversight. The administration seems unwilling to
provide Congress with the information it needs to conduct its
proper oversight role.
I have tried to secure information about this Warrantless
Eavesdropping Program. I have asked the Department of Defense
and the Department of Justice to investigate this program, but
they have declined.
I asked President Bush to direct that a special council be
appointed to investigate. He has not answered the letter, but
through his press secretary, declined.
To date, press reports are all the information about this
program that members of Congress and the public have. Congress
should not accept this.
One serious question about this Warrantless Eavesdropping
Program is whether it complies with the law. This subcommittee
should get an answer to that question.
Whenever possible, it is important to work in a bipartisan
fashion. Indeed, 2 weeks ago, the chairman and I produced a
legislation jointly, and I think we set a land-speed record for
a subcommittee markup. It is not comfortable or enjoyable to be
critical when you sit next to somebody on a frequent basis and
hope to work with them, but the hope for comity can never be an
excuse for ducking the need to take action.
As a ranking member, I cannot and do not control the agenda
of our subcommittee. The chairman sets the agenda. I have
sought to have this committee discharge its oversight
responsibility in the matter of the NSA through written request
by staff, written request by myself, as well as personal
conversations, but these efforts resulted in today's hearing
that will not serve as the needed oversight of the NSA
Warrantless Surveillance Program.
I tried to secure a witness from the NSA to testify today,
and as part of the record, I ask unanimous consent to place
material about this in the record of this hearing.
Mr. Simmons. Without objection, so ordered.
Ms. Lofgren. Thank you.
I appreciate that Professor Turley is here today to testify
about the NSA Eavesdropping Program. I thank him for his
testimony, which I have reviewed. His observations about the
administration's legal claims in support of this program are
important, and it is viewed the administration's legal claims
present risks, not only for our intelligence gathering process,
but also for our constitutional separation of powers are
significant.
While I am thankful to have Professor Turley's testimony,
Congress needs to hear more than legal arguments from scholars
about this program. We need to do our oversight job and find
out what is actually going on by calling the witnesses who have
direct knowledge of what the government is actually doing.
There is only one intelligence subcommittee as the Homeland
Security Committee and we are it. We cannot get thorough
information on the NSA Eavesdropping Program without a
government witness with firsthand knowledge about it.
So today is a lost opportunity for this subcommittee. But
today, actually right now, the attorney general of the United
States is testifying before the House Judiciary Committee. The
attorney general knows all about the NSA program and is in a
position to answer questions about it. I don't know if he will,
but the opportunity to question him about what he knows about
the NSA program is a far sight more promising than what we will
have allowed this hearing to be.
So I will excuse myself now to see whether the attorney
general will permit the Congress to discharge its oversight
obligations. With regrets, the structure of this hearing
ensures that we will not succeed in that mission in this
subcommittee today.
And I would also like to present to the chair a letter from
the minority pursuant to Rule 2M. We are seeking an additional
hearing.
Thank you, Mr. Chairman. I am going to go see Mr. Gonzales.
Mr. Simmons. Normally, I would yield to the distinguished
ranking member of the committee, but the ranking member of the
subcommittee has made a few statements that I would have to
respond to.
This subcommittee has had this civil rights and privacy
hearing on the schedule for some time, and we have been open to
any witnesses that the minority would submit to us.
It is my understanding that the individual that the ranking
member refers to could not make it today, and so in a
bipartisan fashion, we extended to the minority the opportunity
of introducing that information into the record at a later date
and holding the record open, which I thought was a fair
proposal.
We also offered to postpone this hearing to a later date.
Ms. Lofgren. That is incorrect, sir.
Mr. Simmons. Well, that is what I suggested to my staff. We
also discussed the issue of recessing and reconvening. So from
my perspective, at least from where I sit, every effort has
been made to make this a productive hearing.
It is very disappointing to me to hear a prepared statement
typed and prepared, obviously, in advance, and only to receive
it here on the record. That to me is a disappointing thing to
have to experience, but I guess I can say that in my experience
on the Hill, both as a staffer on the Senate Intelligence
Committee for 4 years and in my 5 years as a member of
Congress, doing my best to provide bipartisan oversight. I have
encountered disappointments.
Ms. Lofgren. If I will just--
Mr. Simmons. If the lady would allow me to finish my
statement.
Ms. Lofgren. Certainly.
Mr. Simmons. I have encountered those disappointments, and
I will not allow those disappointments to prevent me from
continuing to conduct the activities of this subcommittee in a
bipartisan fashion to the best of my ability.
And now the chair would like to recognize the distinguished
ranking member of the full committee, Mr. Bennie Thompson of
Mississippi. The gentleman is recognized.
Mr. Thompson. Thank you, Mr. Chairman. In the interest of
being fair and balanced, I will yield my time to the ranking
member for a response.
Ms. Lofgren. And I thank the ranking member. I would just
note that I have now served in Congress for a little over 11
years, and I have never encountered a situation such as this in
those 11 years. The NSA is reluctant to testify. They need to
be ordered to testify by, not the ranking member because I lack
that power, but by the chairman.
We have endeavored to secure that. We have asked for--
perhaps the chairman did order his staff to delay. They have
refused our staff the opportunity. So I don't want to get in a
he-said-she-said. There is no point in that. But I am severely
disappointed that we have failed to discharge our oversight
hearing. I will always work in a bipartisan way when there is
an opportunity.
In the last Congress, Mr. Thornberry and I actually almost
melded our staffs. We didn't have a majority and minority
report at the end of the Congress. We had one report. I hope
that we can do that again this year, but so far, I had to
conclude that we may not achieve that level of success. That is
not the topic here today.
I will just say, this is an opportunity--was an opportunity
to discharge the oversight obligations that we have as the
Intelligence Subcommittee over the NSA. We will not accomplish
that in this subcommittee today, and I think that is a
disappointment. Perhaps we will remedy that in the future. And
if so, I will eagerly be a participant with the chairman.
And I would yield back to the ranking member, and I will
now adjourn to the attorney general.
Mr. Thompson. Thank you very much.
Reclaiming my time, Mr. Chairman.
I am pleased that the committee is turning its attention to
the question of privacy protections in the department's
Intelligence Enterprise. The Privacy Office has done a
tremendous job in making privacy an integral part of the
department's various initiatives and technology program.
The more often we respect privacy from the beginning, the
more likely expensive department programs won't have to be
canceled for ignoring this cherished right. Respecting privacy
makes good business sense.
While I look forward to Ms. Cooney's testimony about how
privacy should inform the department intelligence process, I
note that she could do her job more effectively if she had more
powers.
I believe that the privacy officer must be able to access
all the records and speak to all the people she needs to in
order to conduct truly effective privacy impact assessments. To
boost her independence, moreover, the privacy officer should
serve a set term and should be able to report her findings to
Congress directly rather than having to rely on an internal
review process at the department that has often resulted in
delays.
As one observer has noted, while a truly vigorous and
independent privacy officer can be inconvenient for government
officials over the short term, over the long run, vigorous
checks and balances will strengthen the Department of Homeland
Security by inspiring greater public confidence in DHS
programs. This is especially important in an intelligence
context.
As a recently publicized NSA Domestic Surveillance Program
has demonstrated, there must be effective oversight within
agencies and by Congress itself in order to ensure that the war
on terror does not also become a war on privacy and other civil
liberties.
I hope all the witnesses, including Professor Turley, will
address this issue so we can learn more about what the
department might do to guard against the kinds of abuses we
have seen with the NSA and what steps Congress should take to
ensure that the NSA program does not undermine the public
support for our efforts to secure the homeland.
Welcome to our witnesses.
And I yield back, Mr. Chairman.
Mr. Simmons. I thank the gentleman for his statement. And I
assure him that one of the purposes of this hearing is to learn
how the privacy office is performing its duties, and if, in
fact, issues that are currently in regulation need to be in
statute. It would be our responsibility to act positively in
that fashion.
Mr. Gibbons. Mr. Chairman, parliamentary inquiry.
Mr. Simmons. Yes, Mr. Gibbons?
Mr. Gibbons. Mr. Chairman, would you tell me what the
jurisdiction of this committee is? Do we have jurisdiction over
NSA?
Mr. Simmons. I have discussed that with the parliamentarian
of the House of Representatives, and I have been told that we
do not.
Mr. Gibbons. I had objected to, in addition, of Ms.
Lofgren's letters regarding her request on NSA to the
committee. And I would say that as a concept of jurisdictional
oversight that comments about this committee's failure to bring
NSA before it certainly lacks our jurisdiction, and I would
hope that my objection to the addition of Ms. Lofgren's letters
regarding NSA to this committee would stand.
Mr. Simmons. I appreciate the gentleman's comment.
In January of this year, I did write to the chair and
ranking members of the intelligence committee and asked
permission to have access to the information within their
committee dealing with the National Security Surveillance
Program.
That permission was not granted, and at the time, I was
told that the House of Representatives would pursue oversight
of those activities through the two committees which have
jurisdiction, which are the Intelligence Committee and the
Judiciary Committee.
So that fact is well known, and the ranking member of the
subcommittee does know that the Judiciary Committee on which
she serves has jurisdiction.
Mr. Gibbons. I had voiced my objection at the time the
letter was admitted, but I did not get a response out of you,
so I would just state for the record that I did object to her
inclusion of that letter.
Mr. Simmons. The objection is heard, and without objection,
it is sustained.
Mr. Thompson. Excuse me, Mr. Chairman. By sustaining the
objection, what are you saying?
Mr. Simmons. The subcommittee, a few moments ago, agreed by
unanimous consent to include a letter into the record from, I
believe, an individual from the National Security Agency. I do
not know what that letter is. Nobody on the subcommittee knows
what that letter is, or at least not on this side.
The gentleman from Nevada has expressed an objection to
including that letter in the record now that he knows more
about it.
Am I correct, Mr. Gibbons?
Mr. Gibbons. That is absolutely correct, and it is based on
the jurisdiction of this committee. If the letter were in about
the Homeland Security Department, that would be another story,
but it is based on jurisdiction outside this committee, and I
don't know what the content of the letter is, and I don't know
what it was about. I don't think it is official for this
committee to take up matters.
Mr. Thompson. Well, Mr. Chairman, I would like to say under
the rules according to the minority interpretation, we believe
we do have jurisdiction, and we just have a difference of
opinion.
Mr. Simmons. Why don't we agree if it is agreeable that we
will review the transcript and make a determination at a later
date, and I will withdraw my offer to sustain the gentleman's
objection.
Mr. Gibbons. I don't have a problem with bringing it before
the committee and having the committee in general look at it
and make that decision.
Mr. Simmons. Is that agreeable to the ranking member?
Mr. Thompson. In terms of withdrawing it and looking at it
later?
Mr. Simmons. Yes.
Mr. Thompson. No problem.
Mr. Simmons. I thank the gentleman.
I also thank the patience of our witnesses here today as we
try to work our way through certain issues and get started.
The chair now calls our first panel, Ms. Maureen Cooney,
acting chief privacy officer of the Department of Homeland
Security. During her time with DHS Privacy Office, Ms. Cooney
has served as chief of staff and as director of International
Privacy Policy before becoming acting chief privacy officer.
Ms. Cooney worked on international privacy and security
issues as legal adviser for the International Consumer
Protection at the U.S. Federal Trade Commission, and her legal
career includes broad experience with the national services and
enforcement issues, including international work on anti-money
laundering and foreign compliance issues, information sharing
and privacy and security matters. She is a graduate of
Georgetown University and holds a JD from the Georgetown
University Law Center.
I notice, Ms. Cooney, that you have substantial testimony
that you wish to make. Normally, we limit it to 5 minutes, but
if you need to exceed that, please be my guest. And welcome.
STATEMENT OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S.
DEPARTMENT OF HOMELAND SECURITY
Ms. Cooney. Thank you. Good morning. Chairman Simmons,
Ranking Member Thompson and members of the subcommittee, it is
an honor to testify before you today on privacy activities
across the Department of Homeland Security.
As the subcommittee well knows, the Department of Homeland
Security was the first agency to have a statutorily required
privacy officer. The inclusion of a senior official accountable
for privacy policy and protection within the department honors
the value placed on privacy as an underpinning of the American
freedoms and democracy we seek to protect.
Privacy is a cultural value at DHS. Secretary Chertoff
recently noted that as a young department, we have the
opportunity to build into the sinews of this organization
respect for privacy and the thoughtful approach to privacy.
He went on to express a belief that I share. We want the
government to be a protector of privacy, and we want to build
security regimes that maximize privacy protection and that do
it in a thoughtful and intelligent way. If it is done right, it
will be not only a long-lasting ingredient of what we do in
Homeland Security, but a very good template for what
governments ought to do in general when it comes to protecting
people's personal autonomy and privacy.
The chief privacy officer and the DHS Privacy Office have a
special role working in partnership and collaboration across
the department, to integrate privacy into the consideration of
the ways in which the department assesses its programs, uses
technologies and handles information.
The Privacy Office has oversight of privacy policy matters
and information disclosure policy, including compliance with
the Privacy Act of 1974, the Freedom of Information Act, and
the Completion of Privacy Impact Assessment.
The Privacy Office also evaluates new technologies used by
the department for their impact on personal privacy. Further,
under Section 222, the chief privacy officer is required to
report to Congress on these matters, as well as on complaints
about possible privacy violations.
The DHS Privacy Office takes an operational approach to
advancing privacy policy. We embed adherence to good privacy
practices in the investment and oversight and design phases or
programs through accountability and transparency tools,
including privacy notices required under the Privacy Act, the
use of privacy impact assessments and privacy audits and
complaint reviews.
Our approach is consistent for all DHS programs and
initiatives, and we have found that it works equally well for
the law enforcement, homeland security and intelligence
functions of the Department.
As mentioned, one of the main mechanisms for
operationalizing privacy protections is through the consistent
use of the privacy impact assessment process throughout the
department.
The General Accountability Office released a report earlier
this week on government use of commercial reseller data and
compliments, in fact, the Department of Homeland Security's
privacy impact assessment process and guidance, which has been
shared with our federal partners across the government.
They also complimented the department on its dialogue on
that very issue and the guidance which we are currently writing
and collaborating on with within the department.
Privacy impact assessments required by Section 208 of the
E-Government Act of 2002 and Section 222 of the Homeland
Security Act allow us to access the privacy impact of utilizing
new or significantly changing information systems that collect
personally identifiable information, including attention to
mitigating privacy risks.
Although the E-Government Act allows exceptions from the
PIA requirement for national security systems, as a matter of
good privacy practice, the Privacy Office at the Department of
Homeland Security requires that all DHS systems, including
national security systems, undergo a PIA--privacy impact
assessment--if they contain personal information.
We use the PIA process as a good government information
management tool and privacy protective process across the
department's programs.
In cases where the publication of a PIA would be
detrimental to national security, the PIA document may not be
published or may be published in a redacted form. This means
that information systems that are part of the Intelligence
Enterprise at the department also undertake these important
analyses to ensure the privacy considerations are fully
integrated into their deployment of programs.
Let me quickly turn to information sharing. The Department
of Homeland Security was created, in significant part, to
foster information sharing for homeland security purposes. The
Privacy Act, of course, provides the statutory authority for
both inter-and intra-agency information sharing.
The Privacy Office policy supports the exchange of
information between the department's component organizations
whenever those organizations establish an appropriate need
based on an express purpose.
We work with department components to facilitate the timely
exchange of information in a privacy-sensitive manner, while
working toward the goal of the right persons getting the right
information at the right time.
The department must also foster external information
sharing for homeland security purposes with all of our partners
at the federal, state, local, tribal and private sector levels.
As the department incorporates the need to share in its
internal and external information sharing design, it is, of
course, paramount that privacy be built into the process.
We have worked collaboratively with our intelligence and
analysis colleagues for whom information sharing is part of
their critical mission--to also ensure that personally
identifiable information of U.S. persons is treated in a manner
that fully conforms with their rights and is handled
sensitively.
The DHS policy on handling U.S. person information contains
a significant role for the DHS privacy officer to review
activities that could involve a potential violation of the
privacy rights of U.S. citizens and also requires the privacy
officer to collaborate on new initiatives to ensure that they
enhance and do not erode privacy protections relating to the
collection, use and maintenance of personal information.
Members of the committee, we take this responsibility very
seriously. We look forward to working with you on this effort
and ask for your support. Thank you for inviting me today.
[The statement of Ms. Cooney follows:]
Prepared Statement of Maureen Cooney
April 6, 2006
Introduction
Chairman Simmons, Ranking Member Lofgren, and Members of the
Subcommittee, it is an honor to testify before you today on privacy
activities at the United States Department of Homeland Security, with
particular reference to privacy as part of the Department's
Intelligence Enterprise.
Because this marks my first appearance before the Subcommittee, I
would like to offer some biographical background. It is my honor to
currently serve as the Acting Chief Privacy Officer for the Department
of Homeland Security. I come to this post with 20 years of federal
experience in risk management and compliance and enforcement activities
as well as in consumer protection work on global information privacy
and security issues post 9-11. I was recruited from the Federal Trade
Commission to join the Department of Homeland Security more than two
years ago as Chief of Staff of the Privacy Office and Senior Advisor
for International Privacy Policy. Since that time, it has been my
privilege to help build the DHS Privacy Office, under the leadership of
former Chief Privacy Officer, Nuala O'Connor Kelly, and Secretaries
Chertoff and Ridge.
As the Subcommittee well knows, the Department of Homeland Security
was the first agency to have a statutorily required Privacy Officer.
The inclusion of a senior official accountable for privacy policy and
protections within the Department honors the value placed on privacy as
an underpinning of our American freedoms and democracy. It also
reflects Congress' understanding of the growing sensitivity and
awareness of the ubiquitous nature of personal data flows in the
private and public sectors and a recognition of the impact of those
flows upon our citizens' lives.
In addressing the Department's Data Privacy and Integrity Advisory
Committee, which was created to advise the Secretary and the Chief
Privacy Officer on significant privacy issues, Secretary Michael
Chertoff recently noted that the Department has the opportunity to
build into the ``sinews of this. . .organization, respect for privacy
and a thoughtful approach to privacy.'' Secretary Chertoff expressed a
belief that I share:
We want the government to be a protector of privacy, and we
want to build security regimes that maximize privacy protection
and that do it in a thoughtful and intelligent way . . . . [I]f
it's done right,[it] will be not only a long-lasting ingredient
of what we do in Homeland Security, but a very good template
for what government ought to do in general when it comes to
protecting people's personal autonomy and privacy.\1\
---------------------------------------------------------------------------
\1\ March 7, 2006 public Meeting of the Department of Homeland
Security Data Privacy and Integrity Advisory Committee, Ronald Reagan
Building and International Trade Center, Washington, D.C.
---------------------------------------------------------------------------
The Chief Privacy Officer \2\ and the DHS Privacy Office have a
special role, working in partnership and collaboration across the
Department, to integrate privacy into the consideration of the ways in
which the Department assesses its programs and uses technologies,
handles information, and carries out our protective mission. The
Privacy Office has oversight of privacy policy matters and information
disclosure policy, including compliance with the Privacy Act of 1974,
the Freedom of Information Act, and the completion of Privacy Impact
Assessments on all new programs, as required by the E-Government Act of
2002 and Section 222 of the Homeland Security Act of 2002. The Privacy
Office also evaluates new technologies used by the Department for their
impact on personal privacy. Further, under Section 222, the Chief
Privacy Officer is required to report to Congress on these matters, as
well as on complaints about possible privacy violations.
---------------------------------------------------------------------------
\2\ The DHS Chief Privacy Officer is the first statutorily required
privacy officer in the federal government. Section 222 of the Homeland
Security Act, as amended, provides in pertinent part, the
responsibilities of the DHS Chief Privacy Officer are to assume primary
responsibility for privacy policy, including--
(1) assuring that the use of technologies sustain, and do not
erode, privacy protections relating to the use, collection and
disclosure of personal information;
(2) assuring that personal information contained in Privacy Act
systems of records is handled in full compliance with fair information
practices as set out in the Privacy Act of 1974;
(3) evaluating legislative and regulatory proposals involving
collection, use, and disclosure of personal information by the Federal
Government;
(4) conducting a privacy impact assessment of proposed rules of the
Department on the privacy of personal information, including the type
of personal information collected and the number of people affected;
and
(5) preparing a report to Congress on an annual basis on activities
of the Department that affect privacy, including complaints of privacy
violations, implementation of the Privacy Act of 1974, internal
controls and other matters.
---------------------------------------------------------------------------
Today, I would like to describe for you how the Privacy Office has
worked to build privacy into the sinews of our organization so that a
culture of privacy informs the way in which we carry out our national
mission of protecting our homeland. I'll explain our operational
approach of embedding adherence to good privacy practices into the
programs of the Department, through the budget and design phases of
programs, through accountability and transparency tools, including
reviews of privacy notices (systems of records notices), the use of
privacy impact assessments, and privacy audits and reviews. Our
approach is consistent for all DHS programs and initiatives and we have
found that it works equally well for the law enforcement, homeland
security and intelligence functions of the Department.
I would then like to focus on the mandates of information sharing
and intelligence activities and how those imperatives for national
preparedness can be achieved while integrating privacy attentiveness
and protections into Departmental operations.
Building a Culture of Privacy
The Privacy Office works in partnership with each DHS Directorate
and component to promote a business ethic of privacy attentiveness and
responsible stewardship for the personal information that we collect,
use and disseminate. This is fundamental to the Department's overall
achievement of its mission and for engendering the trust of the
American people and visitors to our nation.
We operationalize privacy at the outset of DHS program initiation
through two primary means. First, the Privacy Office works to
incorporate privacy in the development processes used to build DHS
information systems. Second, the Privacy Office confirms that privacy
is embedded in the information systems that involve personal data
through the privacy assessment process. These two methods allow the
Privacy Office to ``bake'' privacy into Departmental operations.
Building privacy into the development process starts with the
investment review processes for major programs and information systems
at the Department. In partnership with the DHS Management Directorate,
the Privacy Office participates on three separate committees that
review project proposals and set performance criteria for program and
technology investment budget approvals. We thus can use the ``power of
the purse'' to ensure that program personnel are attentive to privacy
requirements.
The Privacy Office then works to operationalize privacy protections
through ``privacy gateways'' that focus on the projected design and use
of an information technology system. In collaboration with the Office
of the Chief Information Officer, the Privacy Office is developing
these ``privacy gateways'' for the systems development life cycle
review of technology deployed for Departmental programs to ensure that
privacy practices are integrated through a monitored and auditable
process.
Consequently, Department design and deployment initiatives move
forward only after proper attention has been paid not only to
operational issues, but also to privacy issues. In fact, privacy is
considered a cornerstone of the Department's program architecture,
consistent with the mandate to protect the homeland while preserving
essential liberties.
Once funding for an information system is determined and privacy is
considered in the systems development life cycle, the Privacy Office
monitors privacy compliance through the use of a Privacy Impact
Assessment (PIA). Conducting PIAs demonstrates the Department's efforts
to assess the privacy impact of utilizing new or significantly changing
information systems, including attention to mitigating privacy risks.
Touching on the breadth of privacy issues, PIAs allow the examination
of the privacy questions that may surround a program or system's
collection of information, as well as, the system's overall development
and deployment.
When worked on early in the development process, PIAs provide an
opportunity for program managers and system owners to build privacy
protections into a program or system in the beginning. This avoids
forcing the protections in at the end of the developmental cycle when
remedies can be more difficult and costly to implement. In accordance
with Section 208 of the E-Government Act of 2002 and OMB's implementing
guidance, the Department of Homeland Security is required to perform
PIAs whenever it procures new information technology systems or
substantially modifies existing systems that contain personal
information. The Chief Privacy Officer reviews and signs off on all
Departmental PIAs and then they are published.
Although the E-Government Act allows exceptions from the PIA
requirement for national security systems, as a matter of good privacy
practice, the Privacy Office requires that all DHS systems, including
national security systems, undergo a PIA if they contain personal
information. We use the PIA process as a good government information
management tool and privacy protective process across the Department's
programs. In cases where the publication of the PIA would be
detrimental to national security, the PIA document may not be published
or may be published in redacted form. This means that information
systems that are part of the Intelligence Enterprise at the Department
undertake these important analyses to ensure that privacy
considerations are fully integrated. Our intelligence information
systems are better considered and developed as a result of conducting
PIAs.
Transparency and Accountability
To assure that information in DHS record systems is handled in a
manner consistent with the fair information practices principles set
out in the Privacy Act of 1974, the Privacy Office carefully reviews
new Systems of Records Notices and new initiatives that seek to collect
information to be placed under existing SORNs. The Privacy Office works
closely with the Office of the General Counsel on the legal issues
attendant to these SORNs and with all DHS program offices to analyze
the ways in which the information will be shared through approved
routine uses. In addition to SORNs, we benchmark programs' compliance
with fair information practices principles based upon their development
and adherence to internal policies, procedures, and public statements
of program goals. To that end, we are working on a privacy tool that
will assist programs in doing periodic self assessments against similar
measures.
Another way the Privacy Office encourages transparency and
accountability is through outreach and public workshops. Just
yesterday, the Privacy Office hosted a public event concerning
Transparency and Accountability: The Use of Personal Information within
the Government. We explored the front end of the privacy process--how
public notices inform the public of the intended use of personal
information by government--and the back end of the process--how
government can live up to the promises made in public notices through
mechanisms for appropriate access, including through Privacy Act
disclosures, Freedom of Information Act disclosures, and other
appropriate means.
Privacy Audits and Reviews
The Privacy Office also has an important oversight function within
the Department in assessing whether the fair information practices
embedded in the Privacy Act of 1974 are appropriately implemented in
our programs, along with other relevant frameworks. We do this through
privacy audits and providing guidance at points along the development
of programs. While the Privacy Office has an important internal role,
it also receives and reports on complaints and concerns from the public
about the privacy attentiveness of DHS programs. In response, we
undertake reviews of those concerns and report on them to the Secretary
and to Congress, per Section 222 of the Homeland Security Act,
providing constructive guidance.
Privacy Protection and Public Security through Information Sharing and
Intelligence
The Department of Homeland Security was created, in significant
part, to foster information sharing for homeland security purposes. And
from its beginning, the Department has undertaken the important work of
removing the invisible barriers that block appropriate information
flows within the Department. The Privacy Act, of course, provides the
statutory authority for intra-agency information sharing when there is
a need to know, and Privacy Office policy supports the exchange of
information between the Department's component organizations whenever
the organizations establish an appropriate need based on an express
purpose. The Privacy Office, therefore, works with Department
components to facilitate the exchange of information in a privacy
sensitive manner, while working toward the goal of the right persons
getting the right information at the right time.
The Department must also foster external information sharing for
homeland security purposes with all of our partners at the Federal,
state, local, tribal and private sector levels. As the Department
incorporates the ``need to share,'' in its information sharing design
it is, of course, paramount that privacy be built into the process. Our
work on internal information sharing complements and informs the
Department and Privacy Office's efforts to assist with external
information sharing efforts.
Just as the sharing model has changed, so must the paradigm shift
to enhanced, stronger, and embedded privacy protections because, as
Secretary Chertoff has said, ``When we share information, if we do it
in a disciplined way, we actually elevate the security of both those
who share--and those who receive--the information.'' The Privacy Office
has therefore worked diligently to help create an information sharing
model that allows for robust information exchanges for homeland
security purposes even while it fosters robust privacy protections.
In particular, we have worked collaboratively with our Intelligence
and Analysis colleagues, for whom information sharing is part of their
critical mission, to ensure that personally identifiable information of
U.S. persons is treated in a manner that fully conforms with their
rights and is handled sensitively. The DHS policy on handling U.S.
person information developed by the Intelligence and Analysis section
of DHS contains a significant role for the DHS Privacy Officer to
review activities that could involve a potential violation of the
privacy rights of U.S. citizens and also requires the Privacy Officer
to collaborate on new initiatives to ensure that they enhance and do
not erode privacy protections relating to the collection, use and
maintenance of personal information. This policy is another example of
the way that the Privacy Office has helped to construct a culture of
privacy at DHS and has worked to make privacy an operational imperative
as we move forward with our mission.
Related to these activities is the fact that over the past four
years, the Administration has provided new tools to permit federal
agencies to exchange information. Most recently, in Executive Order
13388, Further Strengthening the Sharing of Terrorism Information to
Protect Americans, which was issued on October 25, 2005, the President
made clear his intent that all federal agencies work to prepare an
environment in which information flows support counterterrorism
functions. The Executive Order specifically recognizes the importance
of protecting the ``freedom, information privacy, and other legal
rights of Americans.'' This message is further reflected in the
Presidential Memorandum of December 16, 2005, to all federal
departments and agencies providing guidelines and specific requirements
to build the new Information Sharing Environment.
As part of this Memorandum, the President issued Guideline 5
stating that ``the Federal Government has a solemn obligation, and must
continue fully, to protect. . .the information privacy rights and other
legal rights of Americans. . .'' in the building of an information
sharing environment.
In parallel with the President's efforts, Congress enacted three
laws providing the U.S. Government with greater authority for
collecting, analyzing, and disseminating terrorist information: the USA
PATRIOT Act of 2001, the Homeland Security Act of 2002, and the
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA). This
last statute puts in place a mechanism to formalize the creation of the
information sharing environment on an interagency level and it, too,
provides that the privacy rights of individuals must be central to the
environment's creation.
``Need to Share'' and the Role of the DHS Privacy Office
Recent legislative enactments confirm what the National Commission
on Terrorist Attacks Upon the United States recommended and that the
President has required in his Executive Orders on information sharing,
that we have moved from a ``need to know'' environment to a ``need to
share'' environment. This ``need to share'' presents significant
improvements to information exchange, but it also presents significant
challenges to individual expectations for privacy and to institutional
privacy safeguards. At the Department of Homeland Security, as we move
forward in our ability to share data, we are aware of our
responsibility for the privacy, security and authorized use of the data
entrusted to us.
Specifically, technology and information policy should be maximized
to build privacy protections into data sharing models. But technology
and privacy awareness, while important tools in protecting individual
privacy interests, will not be enough to address current challenges. As
we move forward, we will also need to establish and enforce concrete
safeguards to prevent unauthorized access, use, or disclosure.
The Privacy Office has provided expertise and guidance for building
the ISE by working closely with the Information Sharing Environment
Program Manager (ISE/PM) and various steering groups on issues not only
dealing directly with privacy, but also with subjects such as
governance, operations, and harmonization of technologies. Through
these efforts, the Privacy Office is assisting with facilitating the
incorporation of privacy protections at the roots of the ISE
development.
Currently, the Privacy Office is a member of an interagency working
group, operating under the joint leadership of the Director of National
Intelligence and the Department of Justice, as specified by the
President under Guideline 5. This group will conduct a review of
current executive department and agency information sharing policies
and procedures regarding the protection of information privacy and
other legal rights of Americans; and develop guidelines designed to be
implemented by executive departments and agencies to ensure that the
information privacy and other legal rights of Americans are protected
in the development and use of the ISE, including in the acquisition,
access, use, and storage of personally identifiable information.
The review of policies is focusing on coordinating and
consolidating the work already done to focus on the key issues to
harmonizing privacy protections. This review will lead into the
development of appropriate guidelines that will outline a process for
the operation of the entire ISE.
Conclusion
The Privacy Office will continue to work to ensure that privacy is
woven into the very fabric of the Department as a guiding principle and
value through operationalizing privacy throughout the Department and
responding to privacy concerns about information sharing environments
in positive, constructive ways.
In addition, as the Acting Chief Privacy Officer of DHS, I endeavor
at all times to keep an open door to the privacy community around the
nation and the world to ensure that the Department benefits from the
range and depth of privacy practitioners and concerned citizens
everywhere.
We face great challenges. But we must achieve both security and
privacy and, with both, sustain our values and freedoms. I do not doubt
that we can move forward together and achieve our mission of protecting
and preserving our lives and our way of life, preserving our Liberty
and with it, our privacy. I appreciate the opportunity to testify
before this important committee today. I look forward to hearing the
other witnesses' testimony and to answering your questions.
Mr. Simmons. Thank you very much for that testimony.
I have a couple of questions, and then we will defer to the
members of the subcommittee for their questions.
Do you believe the Privacy Office has the support and the
backing of DHS senior leadership and, in particular, leadership
in the intelligence component in order to effectively fulfill
your mission?
Ms. Cooney. Thank you for the question, Mr. Chairman.
Yes, absolutely. I do feel that we have always had the
support since the time that I joined the Department of Homeland
Security under both Secretary Ridge and now Secretary Chertoff,
both of our secretaries.
And the reason I am concentrating on that is because in any
organization, in privacy matters or any compliance and
enforcement matters, you need leadership from the top in order
to embed it within the culture of the organization.
Both of our secretaries have been extremely supportive.
They have been supportive of our privacy officers, of the more
than 400 employees who work on Privacy Acts and Freedom of
Information Acts issues every day in the department. And, in
particular, if I might say, our intelligence partners have
always been very supportive.
I know that General Hughes is here today testifying. He was
a wonderful partner during his tenure at the department. And
Mr. Allen could not be more supportive and his staff.
Mr. Simmons. The issue of privacy frequently comes up in
the context of collection activities. The Department of
Homeland Security generally speaks of acquiring or gathering
information which presumably they obtain from other agencies
who also have their own privacy officers and presumably abide
by their own privacy regulations. But the Department of
Homeland Security might also collect information, for example,
at the border or during a Coast Guard intercept.
How do you deal with that kind of activity to ensure that
the right to privacy is protected in the collection activities
of the your own organization?
Ms. Cooney. I would say broadly, and particularly with the
components that you are mentioning--border security, which
would be customs and border protection, or if it is TSA, or
immigration and customs enforcement--each of those particular
entities under the DHS umbrella have very specific standards
and processes that they use in collecting information.
And a major part of that is compliance with the Privacy Act
of 1974, which, as is true with any federal agency, requires
that an agency only collects information that is mission
critical, information that assists us in carrying out our
particular duties as government employees.
We review in the Privacy Office in collaboration with those
component agencies those policies and procedures and in
particular, do privacy audits on those collection mechanisms.
Mr. Simmons. I thank you. My time has expired.
The chair recognizes the gentleman from Mississippi.
Mr. Thompson. Thank you very much, Mr. Chairman.
Ms. Cooney, for the record, do you have subpoena power or
anything with your office in collecting data?
Ms. Cooney. No, Congressman Thompson, we don't.
Mr. Thompson. Have you felt that you could do your work--
have you had any problems getting data?
Ms. Cooney. Initially, with one of our complaint reviews--
that is one of our responsibilities--we did have some
difficulty in getting full information within the department. I
will say, since that initial experience, I am not aware of
difficulty in that area.
If I may, in my 20 years of federal service, a good part of
that has been in compliance and enforcement work. And it is not
unusual that you ask for information even under a subpoena. And
people think they are being fully compliant and are not, and
you ask again, and you say, ``Anything else?,'' and they give
you more.
We are diligent and persistent in our activities even
without some type of authority that you are mentioning. And
within the government, that is standard process, and I assume
that our staff will always be persistent in carrying out our
compliance responsibilities.
Mr. Thompson. Do you have the ability to take sworn
testimony?
Ms. Cooney. We do not, sir.
Mr. Thompson. Would that help you?
Ms. Cooney. In certain cases, it could be helpful. I think
it would be--what I would say on that is, as we partner in the
agency in other areas, we do have partners within the agency
who have that ability, particularly the inspector general.
With one of our major reviews, we did partner with the
inspector general and referred part of our conclusion to the
inspector general for his further review. He had the ability to
use subpoena power to take sworn statements. To the extent that
that works effectively in the absence of powers on our own, we
would certainly leverage every opportunity in the department to
make sure there is full compliance with all privacy laws.
Mr. Thompson. So if you had the ability to subpoena
witnesses for information or the ability to take affidavits,
would that enhance your ability as chief privacy officer to
function?
Ms. Cooney. I know that our department--well, let me say it
this way: It could. It might be helpful. To date, I guess I
would say, again, to date, I don't think that we have seen that
we have not received the information that we have needed in
order to carry out our abilities.
Sometimes issues that I look at--and I am a lawyer, but I
don't practice as a lawyer in the agency. I practice as a
policymaker. But as a lawyer, thinking through that background,
I would always want to be careful in our taking statements of
not jeopardizing a case that someone else in another area of
the department has authority for, which is why I think at least
to date, it is important in the absence of having subpoena
powers or the ability to take affidavits, to be mindful that in
the pursuit of our own activities, we need to be careful to
partner with people who may need to follow up on an
investigation.
Mr. Thompson. Well, I understand that. But I am trying to
be respectful of your office and try to figure out other than
friendly persuasion what real authority do you have to actually
get the information.
Ms. Cooney. I would say our greatest assistance in getting
the information that we have needed is leadership from the
secretary's office, from the secretary himself. It was true
under Secretary Ridge, and it was true very recently in a
review that we did under Secretary Chertoff, not unlike the
type of leadership buy-in that you need in a corporation. And
that is what we have relied on.
Mr. Thompson. So in absence of authority to do your job,
you depend on leadership persuasion from the top?
Ms. Cooney. Absolutely. We need their support in doing our
job just as our colleagues do in theirs.
Mr. Thompson. So can you initiate an investigation on your
own?
Ms. Cooney. Yes, we do do that, absolutely.
Mr. Thompson. Without any leadership from the top? You have
sole authority?
Ms. Cooney. That is right. We inform the secretary, as
would be responsible, and then we pursue our responsibilities
under the statute, under Section 222, that requires us to look
at complaints and concerns about agency programs and processes.
Yes, sir.
Mr. Thompson. Thank you, Mr. Chairman. My time is expired.
Mr. Simmons. I thank the gentleman for his questions.
The gentleman from Pennsylvania, Mr. Dent, is recognized.
Mr. Dent. Thank you, Mr. Chairman.
Good morning.
Ms. Cooney. Good morning.
Mr. Dent. Do you believe that the department is doing an
effective job in protecting the privacy of American citizens?
Ms. Cooney. Yes, Mr. Dent. I do believe we are. We are
certainly trying very hard. I can tell you that the staff of
the Privacy Office works extremely diligently, very long hours,
is a very energetic staff, and that we have built various
active partnerships across the department.
I think all through our processes, from investment review,
to life cycle development reviews of technologies that the
department might deploy in programs, to our privacy impact
assessments when programs are getting ready to be developed,
and all through that developmental process, to the audit
reviews afterwards, and then on reviews of complaints, I think
we are being extremely proactive.
I might add, we have an internal DHS data and privacy
integrity board made up of senior managers, in particular,
guidance that we are trying to fashion on the use of commercial
reseller data. That particular internal board will meet next
week to collaborate with us and to have a dynamic discussion on
how operationally guidance might work and be implemented.
We also have an external privacy advisory committee that
gives advice directly to the secretary and to the chief privacy
officer. They have looked most recently at the information
sharing issues that relate to intelligence information that we
handle at the department and that we need to push out both to
the private sector and state and local partners.
So we certainly are trying in as many venues and as many
ways as possible to effectively push out privacy and privacy
attentiveness within the department.
Mr. Dent. And my final question. Do any of the information
sharing systems within the DHS Intelligence Enterprise require
privacy impact assessment or PIA as required by the E-
Government Act of 2002? And can you give us an example of PIAs
that have been done with regards to the DHS Intelligence
Enterprise?
Ms. Cooney. Yes. I am happy to do that. Most recently, we
have worked on a privacy impact assessment that deals with our
Homeland Security Information Network. We refer to it as HSIN.
It is a network database that is managed by our Homeland
Security operations center.
But, of course, much of the information that is within that
database is brought in and analyzed by our intelligence
analysis area as well as others. Much of it is information from
citizens who happen to see suspicious activity and can call
into the department. It includes information from our law
enforcement components, our folks on the line every day
protecting the borders.
We have recently worked on that privacy impact assessment.
It is publicly available on our web site on the Privacy Office
web site.
As I mentioned before, when these privacy impact
assessments concern what might be considered national security
operations, they don't necessarily require publication, but we
work very hard at transparency of DHS operations. And so on
that particular PIA, we worked diligently with HSOP and with
I&A to fashion the PIA in a way that we could describe as
robustly as possible exactly what information we are collecting
and how we are handling it.
It is in the name of activity information rather than
information about individuals. However, there is some
information that comes into that database that concerns
individuals. And to the extent that it is personally
identifiable information, there are added safeguards and
restrictions, roll-based access, in terms of who gets to see
that information and when.
Mr. Dent. Thank you. I yield back.
Mr. Simmons. I thank the gentleman.
The gentlelady from Florida, Ms. Brown-Waite, is
recognized.
Ms. Brown-Waite. Thank you very much, Mr. Chairman.
Ms. Cooney, you have a very, very impressive resume, and
this question may have been asked before. I apologize if it
was. Please don't hesitate to tell me.
But as I looked at your resume, your title is chief privacy
officer, the acting chief privacy officer. Do you think that
your duties are impaired any way by the title of acting, and do
you have any idea when the acting with all the responsibilities
will become the actual privacy officer, chief privacy officer?
Ms. Cooney. Thank you for your question.
Since taking this position, my philosophy has been that it
is just business as usual within the Privacy Office and the
department in terms of fully integrating privacy into our
operations. So the title itself, I don't think, has made a
significant difference for me in the way in which I go about
this job, nor in the way in which senior leadership has
partnered with me to be effective in that job.
We cannot do this alone in the privacy office. This is an
enterprise-wide value and initiative to protect privacy at the
department. So I have not seen an impediment based on my acting
position, and I am happy to continue to serve in this role as
long as the secretary asks me to do so.
Ms. Brown-Waite. My next question is: Do you think that the
Privacy Office has the adequate resources and funding to
actually carry out the mission of the office?
Ms. Cooney. Well, I would first answer that by thanking
members of Congress for your support in building our budget
from the time that we were in our infancy when we had three
FTEs and a budget of $750,000 to the 15 FTEs that we have now
and about an equal number of very experienced privacy
contractors who are embedded and made part of our privacy team,
and the budget we have now of $4.3 million.
The exercise of pushing privacy out through the enterprise,
of course, has also grown as the department and as we have
multiplied our homeland security programs. We will need to
continue to watch that as those programs grow, but we continue
to leverage our ability to effectuate privacy by capitalizing
on privacy officers that are in our component agencies, our
major programs--U.S. VISIT, Citizen and Immigration Services,
Transportation and Security Administration, and Cyber Security,
as well as the more than 400 privacy professionals who I
mentioned to you are embedded within the department.
Ms. Brown-Waite. What is the average longevity of the 16
full-time employees that you now have? Or did it just increase
with last year's funding?
Ms. Cooney. We have gradually increased each year that we
have been in operation. We had been at 12 FTEs, and we received
four new ones in the 2006 budget. We have filled one of those.
We are actively interviewing for two other of those spots, and
the fourth position has been posted.
Under our former chief privacy officer, Nuala O'Connor
Kelly, and together, we felt that that was imperative that
whatever tools and resources Congress gave us, we would
immediately use them. And we are actively doing that. So it has
been incremental over the years.
Ms. Brown-Waite. Well, obviously, it takes a very special
kind of person to fill this, and I would just encourage you
don't fill it just for filling's sake. Go out there and get the
best and the brightest.
Ms. Cooney. Thank you. We will do our very best to do that.
Ms. Brown-Waite. Thank you very much, and keep up the good
job.
Ms. Cooney. Thank you.
Mr. Simmons. I thank the gentlelady for her comments.
Are there any additional comments or questions that members
may wish to make?
Ms. Cooney, thank you very much for your testimony. It is
great to have you here. You have responded very well. I think
you shouldn't be acting anymore. I think you should be
permanent. And what we always say is, if there are any
budgetary or legislative impediments to performing your duties
that you will make the subcommittee aware of those. Thank you.
And now the chair will call the second panel.
Ms. Cooney. Thank you.
Mr. Simmons. The second panel consists of Mr. Keith
Herath--I hope I am pronouncing your name correctly--chief
privacy officer and associate general counsel at Nationwide
Insurance Company, who is primarily responsible for creating
and implementing privacy policy. Mr. Herath is currently
serving a 2-year term on the DHS Data Privacy and Integrity
Advisory Committee.
Mr. Jonathan Turley, Shapiro Profess of Public Interest Law
at the George Washington University Law School. He is a
nationally recognized legal scholar. In 1990, Professor Turley
joined the George Washington law faculty, and in 1998 became
the youngest chaired professor in the school's history.
And Lieutenant General Patrick Hughes, who is vice
president of Homeland Security at L-3 Communications and has
over 38 years of strategic planning and leadership experience.
Prior to joining L-3 Communications, General Hughes was
assistant secretary for information analysis at the U.S.
Department of Homeland Security, a position he held from 2003
to 2005.
Thank you all for being here.
General Hughes, in particular, to you, welcome back. It is
good to see you here.
And the chair now recognizes Mr. Herath to testify.
STATEMENT OF KIRK HERATH, CHIEF PRIVACY OFFICER, AVP-ASSOCIATE
GENERAL COUNSEL, NATIONAWIDE INSURANCE COMPANIES
Mr. Herath. Thank you. Good morning, Mr. Chairman, and
members of the subcommittee. Thank you for the opportunity to
speak with you today.
My name is Kirk Herath. I am the chief privacy officer,
associate general counsel and assistant vice president for
Nationwide Insurance Companies located in Columbus, Ohio. I am
also currently serving as the president of the International
Association of Privacy Professionals. In addition, I serve as a
member of the Department of Homeland Security's Data Privacy
and Integrity Advisory Committee.
I would like it noted that the opinions expressed here
today are mine alone and do not reflect those of any other
person or organization.
Privacy is a vibrant and growing profession. Privacy is
recognized by the private sector, and increasingly in the
public sector and academia, as an important and integral part
of an organization's success.
The job of a privacy professional demands mastery of a
complex set of laws technology, security standards, and program
management techniques. In many ways, the emergence and growth
of the International Association of Privacy Professionals
reflects the growing importance of privacy in public and
private sectors.
Privacy protections within the government and marketplace
require professionals to assess, create, monitor, and maintain
policies and practices. The IAPP was founded 5 short years ago,
and in that time, it now has 2,200 members in over 23
countries.
Clearly, the profession of privacy has cemented its
position as a critical resource in any organization that deals
with data. Privacy professionals within DHS play an important
role in furthering our nation's twin goal in protecting its
citizens' security and their rights.
Most of us in the private sector discovered that the sheer
scale of implementing privacy and safeguard requirements
required a central office to coordinate the implementation of
one corporate privacy policy that comply with a new set of
emerging laws.
The federal government appears to be coming to the same
conclusion. A central office is needed to coordinate privacy
for a large government agency.
One can find many resources about how to create a privacy
program. However, the steps in creating a privacy program can
be summed up in the following: You first assess, you assess
current processes, procedures, uses of data, et cetera. You
then address, which is to identify and address gaps in your
process and procedures. You monitor and audit to make sure that
everything you put in place is working as it should, and then
you repeat this process, because the environment is constantly
changing.
There are many challenges with implementing privacy. With
every assessment or audit, there are three competing factors
vying for the most beneficial outcome. These include the
business need for quick access to abundant amounts of personal
information. Information is money. The business cannot succeed
without person information. For DHS, information may lead to
greater security.
Customer expectation is number two. The customer wants the
product or service that they purchased or contracted for. The
customer also has high expectations for how they want companies
or organizations to manage and use their information.
And third, privacy regulations. Like all regulations, they
serve a good purpose. However, they often conflict with
organizational goals.
The job of a privacy officer is to help balance these three
competing interests, because in the end, it rarely happens that
each of the three competing interests is exactly equal.
Generally, they are different.
Listing the challenges that arise when implementing privacy
is easy. Resolving them takes time and resources and the power
to effectuate the necessary change. It is a constant balancing
act often with different outcomes each time an issue arises.
The DHS Privacy Office's mission is to minimize the impact
on the individual's privacy, particularly the individual's
personal information and dignity, while also achieving the
mission of the Department of Homeland Security.
One wonders whether the DHS Privacy Office has the budget
staff and institutional authority to adequately carry out its
mission. In fact, the DHS Privacy Office has done a wonderful
job working with the limited resources made available to it.
They have done many of these assessments of existing programs
and appear to be integrated in the planning and review
processes for future programs or programs under development.
They have addressed most of the gaps discovered through their
initial assessments.
Where they can probably use the most assistance and
resources is with operating their ongoing monitoring and audit
function. This function is in its infancy and is inadequately
staffed. Even if it were adequately staffed, it is doubtful
that the Privacy Office has the legal authority to conduct the
type of deep analysis necessary to ensure ongoing adherence to
privacy laws.
In sum, the Privacy Office is well organized and
understands what it needs to do to carry out its objectives. It
is highly motivated and experienced. Nevertheless, there are a
few things Congress should consider to make it more successful.
I respectfully submit the following: Number one, strengthen
the statutory authority of the Privacy Office. It should have a
clear and direct reporting line to Congress. The DHS Privacy
Office should have a larger budget to carry out its critical
mission. Its current $4.3 million budget is insufficient in
light of the DHS's overall budget.
Congress should consider adding chief privacy officers and
privacy offices to all federal agencies or at least those that
generally collect and process personal information on citizens.
Transparency in information processing is fundamental to
the role that the Privacy Office plays. The Freedom of
Information Act Office needs to stay connected to the Privacy
Office, because this is the Privacy Office's single real
connection to its customers, namely citizens.
DHS should quickly appoint an official replacement for
Nuala O'Connor Kelly, who left many months ago. Not having an
official replacement devalues the Privacy Office politically
and organizationally.
In conclusion, I hope my testimony helps illustrate the
large effort, cost and authority necessary for an organization
to effectively implement a Privacy Office. For the DHS Privacy
Office to carry out its statutorily defined requirements, it
will need resources and the authority to implement a privacy
program that balances the requirements of law and a
responsibility of the government to protect its citizens.
Additionally, no Privacy Office can be successful without
clear and strong support from the top. If support from
leadership is absent, the privacy function will never be able
to effectively carry out its mission. In fact, trying to
perform a privacy function without senior leadership support
may be worse than not doing anything with privacy, because it
provides an illusion to privacy without the reality of having
any in.
Thank you for inviting me to speak with you this morning. I
would be happy to answer any questions that the committee may
have.
[The statement of Mr. Herath follows:]
Prepared Statement of Kirk M. Herath
April 6, 2006
Introduction
Mr. Chairman, members of the Subcommittee good morning. Thank you
for opportunity to speak with you this morning.
My name is Kirk Herath, I am the Chief Privacy Officer, Associate
Vice President, and Associate General Counsel for Nationwide Insurance
Companies, located in Columbus, Ohio. I am also currently serving as
President of the International Association of Privacy Professionals
(IAPP), the world's largest association for the privacy field,
representing over 2,000 privacy professionals in business, government,
and academia from 23 countries. Additionally, I serve as a member of
the Department of Homeland Security's (DHS) Data Privacy and Integrity
Advisory Committee, which advises the Secretary of the Department of
Homeland Security and the DHS Chief Privacy Officer on privacy and data
integrity issues related to personal information.
I would like it noted that I am here today in a personal capacity
as an expert in privacy and privacy compliance. I am not here today
officially representing my employer, my professional association or the
Data Privacy and Integrity Advisory Committee. Thus, the opinions
expressed here are mine alone and do not reflect those of any other
person or organization.
This morning, I will explain to the Committee how privacy has
become imbedded into most private and a growing number of public
organizations and how, in fact, it has become a legitimate profession
and career path for thousands of knowledge workers. I also will attempt
to describe for the Committee the very basic steps any organization
needs to go through to address privacy and build a privacy
infrastructure. Following this description, I will compare and contrast
the role that the DHS Privacy Office plays to what any other privacy
office would do, whether it is private or public sector, particularly
the trade-offs and balancing that is required to be successful.
Finally, I will also respectfully attempt to provide a brief set of
recommendations for the Committee to consider if it desires to ensure
more consistent privacy protections for DHS, or for any federal agency
that collects and processes personal information.
The Profession and Business of Privacy
Before I describe how privacy programs should be organized and
compare that to the DHS Privacy Office, I would like to discuss
profession of privacy and the work of the IAPP. I believe that this
will provide a good framework for the Subcommittee to see how Privacy
is a vibrant and growing profession. In sum, privacy is recognized by
the private sector, and increasingly in the public sector and academia,
as an important and integral part of an organization's success. The
growth of the IAPP reflects this view. The IAPP is a rapidly growing
professional association that represents individual members working in
the field of privacy. The organization works to define and promote this
nascent profession through education, networking, and certification.
In many ways, the emergence and growth of the IAPP reflects the
growing importance of privacy in public and private sectors. Privacy
protections within the government and marketplace require professionals
to assess, create, monitor, and maintain policies and practices. Put
simply: privacy professionals are needed to give privacy protections
viability within any organization.
The IAPP was founded five short years ago as an emerging network of
privacy professionals recognized the need for a professional
association. The organization has grown rapidly since those early days
and now boasts over 2200 members in 23 countries. The IAPP's recent
annual conference here in Washington was, to the best of my knowledge,
one of the largest privacy conferences ever held, with over 800
attendees. Clearly, the market has placed a very high value on privacy
and the robust, but responsible use of data.
When the IAPP was initially formed, the majority of our members
shared a similar title: chief privacy officer, or CPO. Indeed, many--if
not most--Fortune 500 companies have now appointed a chief privacy
officer. But the majority of IAPP members are not CPOs. Rather, we have
seen a robust hierarchy of professional roles in privacy emerge--in
both the privacy and the public sectors. These privacy pros cover
issues of compliance, product development, marketing, security, human
resources, consumer response, and more. The management of privacy
issues in large organizations now requires a broad and deep team of
professionals with increasingly sophisticated skills. It is a hybrid
profession encompassing a broad set of skills. Some organizations have
even created job families for their privacy professionals. It is now a
career track.
The job of a privacy professional demands mastery of a complex set
of laws, technology, security standards, and program management
techniques. In 2004, the IAPP introduced the first broad-based privacy
certification to the US marketplace, the Certified Information Privacy
Professional (CIPP). This credential is meant to serve as a
demonstration of a candidate's knowledge of a broad range of
fundamental privacy concepts. To date, over 800 people have taken the
exam and over 600 CIPPs have been granted in the US.
In 2005, the IAPP extended the CIPP program to include issues of
governmental privacy. The CIPP/G program covers issues specific to the
public sector: such as the Privacy Act, eGovernment Act, Freedom of
Information Act, Patriot Act, and more. To date, the IAPP has granted
over 70 CIPP/Gs. The IAPP expects more growth in this sector, due to
the growing importance of privacy in the public sector. This hearing
reinforces that view.
Clearly, the profession of privacy has cemented its position as a
critical resource in any organization that deals with data--whether
that data is consumer or citizen data, or both. Privacy professionals
within DHS and the few other government agencies that have privacy
offices play an important role in further our nation's twin goal of
protecting its citizen's security and their rights.
I encourage members of the committee to visit the IAPP's website,
www.privacyassociation.org, to learn more about the profession of
privacy. And, as a CIPP/G myself, I strongly recommend that the
committee consider the value of such privacy certifications as a tool
to ensure privacy issues are properly identified and addressed in the
public and private sectors.
Operationalizing Privacy within an Organization_An Example
One of the reasons Chairman Simmons invited me today was to provide
the Committee with a brief overview of the process private sector
companies undergo to implement an effective privacy program. I believe
that the steps taken by private sector companies take to protect the
privacy of personal information can easily be extrapolated to the
public sector. To the best of my knowledge, these were essentially the
same steps that the DHS Privacy Office completed in order to provide
the same privacy protection that individuals have come to expect from
all entities that collect, use, and share their personal information.
I will use my own experience with Nationwide to describe for the
Committee the basic steps necessary for any organization--either public
or private--to implement and continue to manage its privacy
responsibilities. Explaining how privacy has been adopted in the
private sector will help illustrate the steps--including opportunities
and challenges--necessary to effectively carry out a privacy program.
First, let me give you a brief overview of Nationwide. Nationwide
is a fortune 100 company comprised of several dozen different companies
and divisions that sell a variety of products--from auto, home, and
commercial insurance to mortgages to financial products--such as
annuities and investment funds, to retirement plans--such as 401k and
457 plans. Nationwide employees over 30,000 employees and has an
exclusive sales force of just over 4,000 agents. It also sells its
products and services through tens of thousands of independent agents,
producers and brokers. Despite a complex organization, we have a legal
duty to safeguard our customer information and protect their data
wherever it is stored, accessed or shared. This can be a daunting task
without a good plan and organization.
Nationwide began centrally managing privacy as Congress was putting
the finishing touches on the Gramm-Leach-Bliley Act (GLBA) in late
1999. As you may know, GLBA requires financial institutions, including
banks and insurance companies, to inform customers in an annual privacy
statement how the company uses, protects, and shares customers
nonpublic personal information. GLBA also requires that financial
institutions safeguard customer information. It's not enough for a
company just to tell a customer that it is ``protecting your nonpublic
personal information'' or that ``access to your information is limited
to employees who have a business need-to-know your information.'' A
company must have the processes and technological controls in place to
veritably support the privacy statement.
Prior to GLBA, each entity of Nationwide managed compliance with
state privacy laws--mainly some version of the 1982 Model National
Association of Insurance Commissioners (NAIC) Privacy Act--
independently in the 16 states where some version of this model had
been enacted into law. To the extent possible, each company or division
managed privacy practices differently. As you can imagine, this created
a patchwork effect with respect to privacy. Each company and division
adopted different privacy standards and practices. Even the philosophy
of privacy varied between companies, with some companies following a
very high standard for privacy and others following a standard that was
the minimum necessary to comply with the law. Senior management had not
articulated a uniform privacy policy and spread this policy throughout
the organization, companies and divisions. In sum, there was no
consistent guidance on privacy. To be fair, this situation existed
because there was no single set of national privacy laws that applied
equally to every entity, and there was no real enforcement mechanism.
For the private sector, this all changed when Congress enacted the
Gramm-Leach-Bliley Act in November 1999. Among other requirements, the
GLBA effectively forced companies to centralize privacy management and
compliance. The sheer scale of implementing the privacy and safeguard
requirements of GLBA required a centrally coordinated office to
coordinate the implementation of one corporate privacy policy that
complied with the new set of laws. I was assigned the role of advising
Nationwide executive leadership on a privacy policy and compliance plan
and then, with their agreement and approval with this privacy policy
and plan, to implement GLBA requirements throughout all Nationwide
companies and divisions.
GLBA and other federal and state privacy laws have had a positive
effect on customers and citizens. A good example of this is that DHS
probably would not have hired the first statutorily-required privacy
officer in the federal government, Nuala O'Conner Kelly, if not
directed to do so by law. Customers and citizens have come to expect
that entities that use, share, or disclose their personal information
should protect this information and should use, share, or disclose it
appropriately. The federal government appears to be coming to the same
conclusion: a central office is needed to coordinate privacy for any
large government agency, perhaps one is even needed to coordinate
``among'' the federal agencies, but I will address that later.
The Four Basic Steps of a Privacy Program
One can find several books and a plethora of articles today about
how to create a privacy program. Most of these are good descriptions
that go into each area in great detail and are worthwhile reading.
However, the steps in creating a privacy program can be summed up in
the following manner. To implement a privacy program, any company or
agency needs to follow a seemingly simple four step model:
1. Assess,
2. Address,
3. Monitor and Audit,
4. Repeat.
Step One_Assess
The goal in step one is to conduct dozens and dozens of
assessments. The best way to carry out this task is to create a large
cross-functional team. For example, in my case, I formed what we called
a Virtual Privacy Team (VPT) that included about 40 people from across
our corporation. Each Nationwide company or division had representation
on the VPT. These team members in turn lead their own business unit or
staff office privacy compliance team, which varied in size and scope,
within each of the companies or divisions. By my estimation--by using
this model, we were able to centrally manage and coordinate the
activities of over 500 employees actively working on our corporate
privacy implementation during 2000-2001, which was the high water
compliance year of us, as we worked to comply with strict legal and
regulatory time lines.
Basically, the objective in the first step in implementing privacy
in an organization is to assess current processes, procedures, uses of
data, etc. Any organization going through this process needs to
conduct, among others, the following assessments:
1. Analysis of the legal requirements.
a. What federal or state privacy laws exist that affect
the organization?
b. What were the specific requirements for each privacy
law?
c. How were companies and divisions complying with
these patchwork of regulations?
2. Evaluation of existing privacy standards, practices, and
philosophies.
3. Evaluation of information security practices.
a. Does Nationwide have an information security policy?
b. Does it meet the standards of the Safeguard Rule
(the companion information security regulation within
GLBA)?
c. Collection of personal information.
d. Which areas of Nationwide are collecting personal
information?
e. What type of information is being collected?
f. Why is this type of information being collected
(purpose)?
g. Where is it stored?
h. Is Nationwide only collecting personal information
necessary to complete the customer's request?
4. Collection of Personal Information.
a. Which areas of Nationwide are collecting personal
information?
b. What types of information is being collected?
c. Why is this type of information being collected
(purpose)?
d. Where is it stored?
e. Is Nationwide only collecting personal information
necessary to complete the customer's request?
5. Use of Personal Information.
a. How is information being use?
b. What is it being used to accomplish for the
organization?
c. Is there a legal or rational basis for each use of
information?
6. Access to Personal Information.
a. Who can access personal information?
b. Does everyone with access have a business need-to-
know the information?
c. Is access monitored?
d. Are employees technologically capable of accessing
personal information that they should not be able to
access?
7. Disclosure of Personal Information
a. How is personal information shared within
Nationwide?
b. Are the principles of need-to-know enforced?
c. Do these disclosures have a legal basis?
8. Disclosure of Personal Information with Third Parties.
a. Does a contract exist with all third parties that
receive Nationwide information?
b. Have we conducted an information security audit to
determine whether the third party is capable of
adhering to the laws that require the information to be
protected?
9. Data Integrity
a. Is the data accurate and up-to-date?
b. Is there a way for customers to access their data
and valid correct errors?
10. Management
a. What documentation or privacy procedures exist?
b. Is it up-to-date, accurate, and sufficient for the
company of division?
c. Does it need to change to satisfy the new law?
d. Can it be extrapolated to the rest of the
organization as a best practice?
e. Is there anyone responsible for complying with laws
and regulations?
After going through the first assessment, which formed our legal
analysis of privacy, the VPT in conjunction with a steering committee
that I chaired drafted a privacy policy for Nationwide and a privacy
statement detailing our privacy policy for our customers. The privacy
policy was then adopted by a steering committee of senior Nationwide
executives. This became the privacy philosophy that the VPT adhered to
when implementing privacy across all Nationwide companies and
divisions. It was the foundation upon which we have built our program
over these past six years.
Step Two_Assess
Over an 18-month period, as these different assessments were
completed, the VPT concurrently analyzed the results and determined how
they fit with the overarching privacy policy. We then addressed the key
question of whether the results of the assessment were sufficient or
did they need modifications to match the newly drafted privacy policy?
This is the hallmark of step two, which is identify and address gaps in
your processes and procedures.
In step two, the VPT and small number of outside consultants
conducted gap analyses between the legal requirements, the new
Nationwide Privacy Policy and the results of the different assessments.
For example, number nine in the assessment list, above, was Disclosure
of Personal Information with Third Parties. To address this assessment,
the VPT member worked with the team responsible for executing contracts
in each company or division to evaluate the findings in the assessment
against the legal requirements and Nationwide's Privacy Policy. In some
cases, they discovered that they could not find a copy of a contract,
or that a written contract didn't exist. Many contracts did not contain
the new confidentiality, privacy, and information security, language
required by the GLBA. These teams identified the gaps and developed a
plan to address the gaps identified.
The VPT then created project plans to address the gaps. Let's use
an assessment from earlier--Access to Personal Information. One of the
items of the assessment was an illustration of how personal information
flowed through a company or division. This assessment included where
the personal information was stored and which associates could access
it.
The privacy sub-team then documented the tasks necessary to address
the gap between the assessment and both the legal requirements and
Nationwide Privacy Policy. The next step was to develop a project plan
to assign the activities for each task and to monitor the progress.
Step Three_Monitor and Audit
After the dozens and dozens of projects to address the identified
gaps were finished, we created a privacy compliance program to audit
the privacy procedures that the teams implemented. For practical
reasons, this program was created and housed in the Office of Privacy,
because it contained the evolving set of experienced professionals
capable of carrying out these tasks.
There are several purposes to the audit phase of privacy
implementation. One purpose is to confirm that the privacy processes
are still operating. Sometimes, when the novelty of a project fades,
employees inadvertently regress back to old practices. Also, employees
often change jobs and the institutional memory leaves the unit.
Monitoring through self-assessment or more formal audits keep
compliance issues fresh and illustrate actual privacy practices to
business leaders.
Another purpose of continuous monitoring or auditing is to
determine whether a compliance process change is necessary as a result
of a new business process. Business is a constantly changing
environment. Audits help discover when new privacy processes are
necessary to meet these new changes.
Finally, informal monitoring and audits prepare companies for
formal market conduct audits by regulators. Regularly conducting
internal audits allows business to understand and address privacy risks
before a regulator conducts an audit. This reduces the risk of
regulatory enforcement and fines.
Step Four_Repeat
Privacy implementation never ends. Thus, the four step process is
really a continuous improvement loop. This has been extremely important
over the past six years, as each year the private sector has been faced
with an ever expanding array of legislative and regulatory requirements
around privacy and information security. In addition to the changing
legal landscape, a company is required to repeat the process to
accommodate new business goals or changes to existing processes.
In summary, this may be an overly simplistic explanation of the
complex process of implementing privacy throughout any organization--
public or private. However, I believe that it correctly points out the
nature of the process and is easy to understand. There is one other
important item to note here. None of this is possible without a clear
mandate and strong support from the top of the organization. If the
privacy office lacks the support of the chief executive, whether this
is a private or public organization, it will never be able to
effectively carry out its mission. A privacy office without senior
management support may be worse than not having a privacy office,
because it merely provides an illusion of privacy without the reality.
The Challenges_Balancing Competing Interests
Earlier, I discuss the requirement for financial institutions to
create a privacy statement, which describes how the company uses,
protects, and shares customer information. It is difficult for a large
company like Nationwide to make blanket promises to customers, because
there are many competing priorities when it comes to privacy. This is
no different for the DHS Privacy Office.
The challenges that arise while implementing privacy at Nationwide
became apparent immediately. In business, information is money. At
Nationwide, the more a division knows about an individual, the better
the company can protect the financial needs of the individual. However,
certain laws or contractual obligations between parties often make it
difficult to ``know'' everything about a customer. It is equally true
in both the private and public sectors.
Let me give you an example of how this can impact a company:
Susan works for a municipality and has a 457 deferred compensation
plan with Nationwide that she obtained through her employer--a
municipal government--whose relationship is with an independent
producer under contract to Nationwide. Susan also has a Nationwide
Insurance Agent through whom she purchased auto and homeowners
insurance. Susan trusts her Agent to help her protect her financial
assets--specifically, her house and her car. One day, Susan visits her
agent and says that she has accepted a new job with a private company
and is moving to a new city. Based on this scenario, one can see that
Susan has at least three financial needs:
1. Change her auto insurance to a new state;
2. Change her homeowners insurance to the new state and
residence;
3. Consider options for the assets in her 457 plan.
Today, the Agent can help Susan with the first two of her three
financial needs. It would help Susan the most if the Agent could also
look up the details of her 457 plan and provide this information to a
licensed Nationwide broker to help Susan understand options for getting
the most out of her 457 plan after she moves to a new job. But, for a
variety of legal reasons, the outcomes of privacy implementation at
Nationwide prevent this from occurring. The Agent does not have access
to--nor does he even have knowledge of--Susan's 457 plan information
and, thus, he cannot help her consider options after she changes jobs.
I bring up this simple example to illustrate the challenges with
implementing privacy. With every assessment, task to address a gap, or
audit, there are three competing factors vying for the most beneficial
outcome from their perspective. These include:
1. The business need for quick access to abundant amounts of
personal information. Remember, information is money. The
business cannot succeed without personal information.
2. The customer expectation. The customer wants the product or
service that purchased or contracted for. The customer also has
high expectations for how they want companies to manage and use
their information. In short, they want it locked in a vault
stronger than Fort Knox. But at the same time, they want
Nationwide to be able to access it via phone, e-mail, Internet,
or Agent 24 hours a day, seven days a week. They also expect to
be provided additional products or services that can either
save them or make them money. These are in and of themselves
other competing interests for companies to manage.
3. The privacy regulations. Like all regulations, they serve a
good purpose, in this case: protect individual investors or
insured. But, they also come with unintended consequences, just
like Susan's example from above.
As you can see, the job of a Privacy Officer is to help balance
these three competing interests, like a carpenter of a three-legged
stool. Picture a three-legged stool. The benefit of having three legs
instead of four is that each leg can be a slightly different length,
yet the stool will still function as a stool, even if it is a little
lopsided. Because, in the end, it rarely happens that each leg of the
stool--each of the three competing interests--is exactly equal.
Generally, they are different. Sometimes, the privacy regulation is a
bit longer, meaning the most important interest in a given business
project. Other times, the interest of the customer or the business is
given a slightly greater importance. But, the stool still functions as
a stool.
This is no different for the DHS Office of Privacy. Ms. Cooney, her
predecessor and those who will follow her, has also been asked to
become a carpenter of a three-legged stool. But, in the DHS Privacy
Office's case, the three competing interests are:
1. Government's responsibility for security, including
responsibilities under the Homeland Security Act, the Aviation
and Border Security Acts, and others
2. Individual privacy expectations;
3. The Privacy Office's responsibilities under Section 222 of
the HAS, the Privacy Act, the Freedom of Information Act, and
other competing and compatible privacy laws.
Listing the challenges that arise when implementing privacy is
easy; resolving them takes time and resources and the power to
effectuate the necessary change. It is a constant balancing act often
with different outcomes each time an issue arises. It is hard to argue
that the DHS Privacy Office is not faced with tremendous challenges in
this area, as they balance the nation's collective security interests
against the individual's interest in privacy.
A Very Brief Analysis of the DHS Privacy Office
Now, compare and contrast the process that I have just described to
the DHS' Privacy Office: assess, address, audit, and repeat. All four
steps must be tailored to government processes and then followed in the
DHS for the Privacy Office to meet the requirements set forth by the
Homeland Security Act, the Privacy Act, and several other laws
regulating the government's use of personally identifiable data.
Consider also the discussion about balancing important competing
interests within an organization.
As you know, the Homeland Security Act (HSA) of 2002 authorized the
formation of the Department of Homeland Security and the addition of a
secretary to the president's cabinet to oversee the new department.
Among other things, the Homeland Security Act also provides that the
Secretary ``shall appoint a senior official in the Department to assume
primary responsibility for privacy policy, including:
(1) assuring that the use of technologies sustain, and do not
erode, privacy protections relating to the use, collection, and
disclosure of personal information;
(2) assuring that personal information contained in Privacy Act
systems of records is handled in full compliance with fair
information practices as set out in the Privacy Act of 1974;
(3) evaluating legislative and regulatory proposals involving
collection, use, and disclosure of personal information by the
Federal Government;
(4) conducting a privacy impact assessment of proposed rules of
the Department or that of the Department on the privacy of
personal information, including the type of personal
information collected and the number of people affected; and
(5) preparing a report to Congress on an annual basis on
activities of the Department that affect privacy, including
complaints of privacy violations, implementation of the Privacy
Act of 1974, internal controls, and other matters.''
To operationalize its legislative mandate, the DHS Privacy Office
developed a Mission Statement that states the mission of the DHS
privacy office is to minimize the impact on the individual's privacy,
particularly the individual's personal information and dignity, while
achieving the mission of the Department of Homeland Security.'' The
mission goes on to state--and I am summarizing here--that the Privacy
Office will achieve this goal through:
1. education and outreach efforts to infuse a culture of
privacy across the department,
2. communicating with individuals impacted by DHS programs to
learn more about the impact of DHS policies and programs, and,
3. Encouraging and demanding adherence to privacy laws.
Anyone who reads this Mission can see that the DHS Privacy Office
is faced with the exactly same opportunities and challenges that any
privacy office, including mine, faces every day--but on a much, much
larger scale, and with a completely different risk dynamic. At
Nationwide, my office is responsible for educating employees and
establishing a culture of privacy, resolving the natural conflicts that
occur with business interests in regard to this concept of privacy, and
requiring adherence to privacy laws. There would appear to be little
difference between my mission and the mission of the DHS Privacy
Office.
Nevertheless, one wonders whether the DHS Privacy Office has the
budget, staff and institutional authority to adequately carry out its
mission. I will address some of these concerns in my recommendations
and considerations below. In fact, the DHS Privacy Office has done a
wonderful job working with the limited resources made available to it.
They have done many of the assessments of existing DHS programs and
appear to be integrated into the planning and review processes for
future programs or programs under development. They have addressed most
of the gaps discovered through their initial assessments. They also
have a nascent employee privacy education component, although it lacks
adequate funding. Where they could probably use the most assistance and
resources is with operating their ongoing monitoring and audit
function. This function is in its infancy and is inadequately staffed.
Even if it were adequately staffed, it is doubtful that the Privacy
Office has the legal authority to conduct the type of deep analysis
necessary to ensure ongoing adherence to privacy laws. This incongruity
is addressed further under my recommendations, below.
In sum, the Privacy Office is well organized and understands what
it needs to do to carry out to meet its objectives. Its staff is highly
motivated and experienced. However, they may lack support from the top
and they clearly lack the financial resources necessary to effectively
do the job Congress directed them to perform through Section 222 of the
HSA.
Recommendations and Items for Consideration
While there are always risk assessments and balancing tests between
privacy and other interests that must occur whether one is working in a
public or private sector privacy capacity, there are still a few things
that Congress should consider to make it more likely that our nation's
privacy laws are not violated. Therefore, I respectfully submit the
following for the Committee to consider as it defines its future
agenda:
1. Strengthen the Statutory Authority of the DHS Privacy
Office. The Privacy Office should have a clear and direct
reporting line to Congress. If Congress is uncomfortable with
Inspector General-like powers, then consider taking a half-
measure and give the Privacy Office ombudsman-like power.
Burying the office inside DHS means that it will never have the
authority or respect it needs to carry out its mandate. The
Privacy Office will rarely be able to act independently, and it
will spend more time merely trying to survive politically than
it will carrying out its mission to protect our citizens'
privacy.
2. The DHS Privacy Office should have a larger budget to carry
out its critical mission. The current $4.3 million budget does
not on its face appear sufficient in light of DHS' overall
budget to protect the privacy of all Americans. The difference
between this year and last year's budget is only an increase of
a few hundred dollars. I would doubt that any other area of DHS
saw this paltry of an increase in its budget.
3. Congress should consider adding Chief Privacy Officers and
Privacy Offices to all federal agencies, or at least those that
generally collect and process personal information on citizens.
Congress may even want to consider creating a Federal Data
Commissioner, similar in authority and scope to those existing
in the nations of the European Union. The Data Commissioner
could either be the first among equals, or it could be the
overarching policymaking body for enforcing all federal data
processing. This body would have inspector general powers.
4. Transparency in information processing is fundamental to the
role that the Privacy Office plays. The Freedom of Information
Act Office needs to stay connected to the Privacy Office,
because this is the Privacy Office's single real connection to
its customers, namely U.S. citizens. One of the hallmarks of
fair information practices is the ability of citizens or
customers to know what information an entity has on them and
have the ability to correct any erroneous information. This is
simple due process and improves the integrity and accuracy of
any organization's data. This role is naturally played the
Privacy Office.
5. DHS should quickly appoint an official replacement for Nuala
O'Connor Kelly, who left many months ago. The Acting Privacy
Officer, Maureen Cooney, is doing a very capable job and should
be seriously considered as the official replacement. However,
the optics of not having an official replacement devalues the
Privacy Office politically and organizationally. It indicates
the job being capably performed by the staff may not be seen as
worthy by senior department and administration officials as
other areas in DHS and this undercuts the Privacy Office's
authority.
Conclusion
I hope that my testimony helped illustrate the large effort, cost,
and authority necessary for a corporation to effectively implement a
privacy office. In order for the DHS Office of Privacy to effectively
carryout its statute-defined requirements, it will need resources and
the authority to implement a privacy program that balances the
requirements of law, the responsibility of the government to protect
its citizens, and the individual right of privacy.
Additionally, as I stated above, no privacy office can be
successful without clear and strong support from the top. If support
from the chief executive is absent, the privacy function will never be
able to effectively carry out its mission. In fact, trying to perform a
privacy function without senior management support may be worse than
not doing anything with privacy, because it provides an illusion of
privacy without the reality of having any.
Thank you for inviting me to speak with you this morning. I would
be happy to answer any questions that you may have. I would also be
more than happy to speak with you again or to work with you and your
staff on any privacy issue.
Mr. Simmons. Thank you very much.
And now the chair recognizes Professor Turley.
We have your statement in the record this morning. If you
can summarize in 5 minutes, that would be appreciated. And we
look forward to hearing what you have to say.
STATEMENT OF JONATHAN TURLEY, SHAPIRO PROFESSOR OF PUBLIC
INTEREST LAW, GEORGE WASHINGTON LAW SCHOOL
Mr. Turley. Thank you, Mr. Chairman. I will do my very
best.
Mr. Simmons. If I could just say, I had a seminar at Yale
that was 2 hours, but since I have come to Congress, my
colleagues have not allowed me to take that amount of time.
Mr. Turley. A most enlightened institution for that reason.
Mr. Chairman, members of subcommittee, thank you very much
for allowing me to speak on this important issue today of
privacy and Homeland Security. And, of course, they are not
separate issues. When we talk about Homeland Security, it is
privacy that we are protecting. It is one of our core values.
It defines us as a people.
Now, the DHS represents, for privacy advocates like myself,
something of a concern just by its mere size and the myriad of
functions that it has taken on. Due to its size and those
functions, it has a much greater impact on privacy. It affects
the lives of Americans more than any other agency, because it
is the agency of first contact for most Americans when it comes
to airports and immigration and customs and disaster relief. So
to the extent that DHS does not respect the privacy interest,
it has the greatest impact upon citizens.
The other problem and concern for the DHS for many privacy
advocates is that it is much like a governmental iceberg, that
even though you see the DHS or at least its counterparts in
your daily life, 90 percent of the agency remains below the
surface, and so there is a lack of transparency. And privacy is
often protected by the fact of transparency in government, the
greater transparency, the greater protection of privacy because
it tends to deter misconduct, and you don't have the abuses at
all rather than having to chase them down through oversight
committees.
Now, of course, privacy is protected in the Constitution.
It is protected by various statutes, and for much of our
history, it was protected by practical limitations. Probably
the greatest protection of privacy was that the government
could not engage in surveillance of a large number of people at
one time.
In the last two decades, we have seen that technological
barrier fall as we saw with DARPA and the TIA program. We now
have the ability to follow Americans in real time. That is
something the framers would never have anticipated, and it is
why privacy is very much under threat.
The greatest concern for privacy is uncertainty, that is
uncertainty is the scourge of privacy. Privacy is based upon an
inception that your privacy will be recognized. To the extent
that you are uncertain, you have a chilling effect, and that
affects how people live their lives. And DHS recently was found
to have one of the lowest privacy scores in a 2006 study.
I have gone through the myriad examples of threats to
privacy that relate to DHS, but much of my testimony deals with
the NSA operation. Now the problem with the NSA operation is
really two-fold.
One--and let me put this as simply as I can--it is based on
a crime. Now, the overwhelming majority of experts in this
field--Republicans and Democrats--are pretty uniform in this
conclusion. It is inescapable.
There is an exclusivity provision in federal law. You
cannot do what the president ordered his subordinates to do. If
I thought that this was a close question, I think I have a
reputation of going right down the middle on questions that are
debatable. This is a crime. It was ordered 30 times by the
president, and he stated that he will continue to order it.
It gives me no pleasure to say that. And I am not talking
about his motivation. But often, people act for the best
motivations with the worst possible means.
My testimony lays out why this is a criminal act, and that
presents a serious problem for DHS. I do believe this committee
has jurisdiction over this question. This committee has a
liaison function with intelligence agencies. It governs
intelligence information gathering that relate to DHS entities.
It has a role in intel; it looks at the role of intel in threat
prioritization in its oversight function. It is the recipient
of information.
After post-9/11, there is a mandate that agencies share
information. The expectation is that Homeland Security is
either the direct or indirect recipient of NSA information.
That creates, not just the danger of DHS officials
participating in a criminal enterprise, but it creates the
specter of the fruit of the poisonous tree where activities of
DHS may be undermined because of their reliance on unlawfully
gathered information.
I know that my time is out, but I have listed towards the
end of my testimony various proposals that can help protect
privacy. But there is one that I just wish to emphasize. All of
us, I believe, as Americans, have a faith in privacy. We know
how important it is. I know the chairman has valued that. We
have discussed that. But we cannot remain silent, because
silence is a choice.
The NSA operation represents a serious threat to privacy
and a serious threat to our constitutional values. And I hope
that this committee will assert its authority--I know the
chairman has attempted to do so--but will be vigorous in
asserting its authority to hold hearings on the NSA operation
and not to be deterred by any past refusals.
Thank you so much, sir.
[The statement of Mr. Turley follows:]
Prepared Statement of Professor Jonathan Turley
Chairman Simmons, Representative Lofgren, members of the
Subcommittee, thank you for allowing me to appear today to testify on
the important issues of privacy and homeland security.
I come to this subject with prior work as both an academic and a
litigator in the areas of national security and constitutional law. As
an academic, I have written extensively on electronic surveillance as
well as constitutional and national security issues. I also teach
constitutional law, constitutional criminal procedure and other
subjects that relate to this area. As a litigator, I have handled a
variety of national security cases, including espionage and terrorism
cases. I am appearing today, however, in my academic capacity to
address important issues related to domestic surveillance and homeland
security.
I. GENERAL PRIVACY CONCERNS RAISED BY POST 9-11 SURVEILLANCE AND
ENFORCEMENT.
The Department of Homeland Security (DHS) is the agency with the
greatest ability to erode privacy since it has the dominant role, with
the Federal Bureau of Investigation (FBI), in domestic enforcement
activities. Due to its size and diverse functions, the DHS has a much
greater impact on privacy than any other agency. The DHS affects the
lives of Americans to a far greater extent than most agencies because
it has a far greater number of contacts with citizens in their everyday
lives from airport security to disaster relief to immigration to
customs. The DHS is not just a massive agency, it is a massive consumer
of information from other agencies, state governments, private
contractors, and private citizens. While the FBI is subject to criminal
procedures and routine court tests, DHS is like a government iceberg
with ninety percent of its work below the visible surface. This general
lack of transparency makes it easier for abuses to occur by reducing
the risk of public disclosure and review.
At risk is something that defines and distinguishes this country.
Privacy is one of the touchstones of the American culture and
jurisprudence. Indeed, it is a right that is the foundation for other
rights that range from freedom of speech to freedom of association to
freedom of religion. The very sanctity of a family depends on the
guarantee of privacy and related protections from government
interference.
Privacy is protected by the Constitution, including but not limited
to the protections afforded by the Fourth Amendment. It is also
protected in various statutes, such as the Privacy Act of 1974; E-
Government Act of 2002, and the Federal Information Security Management
Act of 2002 (FISMA). Further protections can be found in the
substantive and procedural requirements of surveillance laws such as
Title III and the Foreign Intelligence Surveillance Act (FISA).
Finally, there have long been practical protections of privacy.
Until recent technological advances, there were practical barriers for
the government to be able to conduct widespread surveillance on
citizens. However, it is now possible to track citizens in real time
with the use of advanced computers as recently made clear by the
disturbing Terrorism Information Awareness (TIA) project of Defense
Advanced Research Projects Agency (DARPA). These new technological
advances constitute an unprecedented threat to privacy. Agencies like
DHS often naturally gravitate to the accumulation of greater and
greater information. Technology now allows these agencies to satiate
that desire to a degree that would have been unthinkable only a couple
of decades ago.
Despite these protections, privacy remains the most fragile and
perishable of our fundamental rights. When pitted against claims of
national security, privacy is often treated as an abstraction and
government officials offer little more than rhetorical acknowledgement
of privacy concerns in their programs and policies. The resulting
uncertainty is the very scourge of privacy. Privacy depends on a
certain expectation of citizens that they are not being watched or
intercepted. When uncertain of the government's effect that inhibits
the exercise of free speech and other rights.
The uncertainty over privacy is clear in recent polls and studies.
Notably, the DHS receives one of the lowest scores on the privacy
question. The 2006 Privacy Trust Study of the Ponemon Institute gave
the DHS only a 17 percent score, down by 10 percent from the previous
year.
This freefall is more than a public relations problem. Our
constitutional test for privacy under the Fourth Amendment is based on
``the reasonable expectation of privacy'' under the Katz doctrine. To
the extent that a citizen has a reasonable expectation of privacy, the
government is usually required to satisfy a higher burden, including
the use of a warrant for searches. The Katz test has now created a
certain perverse incentive for government. As agencies like DHS reduce
that expectation of privacy in the public, it actually increases the
ability of the government to act without protections like warrants. The
result is a downward spiral as reduced expectations of privacy lead to
increased government authority which lead to further reduced
expectations.
Privacy concerns after 9-11 have grown with each year in the war on
terror. There is a pervasive view that the Administration is wielding
unchecked and, in some cases, unlawful authority in the war on terror.
In areas that range from enemy combatant detentions to warrantless
domestic surveillance programs to data mining of private records, the
chilling effect for privacy and civil liberties has become positively
glacial for many citizens, particularly citizens of the Muslim faith or
Middle Eastern descent.
Just in the last few months, Congress has faced a remarkably wide
range of issues that directly threaten privacy rights and civil
liberties. It is regrettably a long and lengthening list. Today, in the
interests of time, I wanted to focus on a few of the most recent
controversies to show how privacy rights and civil liberties are eroded
by the aggregation of otherwise disparate and insular programs. While
these examples may appear unrelated, they each impact privacy rights
and civil liberties in significant ways. The point that I wish to
convey is that privacy is being undermined in a myriad of ways and that
any effort to protect this right will have to be equally comprehensive.
a. The Failure to Comply with Privacy Standards, including the
Use of Reseller Information That Lack Fair Information
Practices. As shown recently by the GAO, the DHS is using an
increasing amount of data from information resellers that lack
critical protections and fair information practices. The recent
misuse of 100 million personal records in alleged violation of
the Privacy Act typifies this concern.
b. Over-classification and Reclassification Efforts. The
Administration has led a serious rollback in the efforts to
gain greater transparency in government by over-classifying and
reclassifying basic documents and information. Agencies like
DHS can prevent disclosure of misconduct or negligence by using
classification rules to avoid review.
c. Registered Traveler Programs. The DHS continues to encourage
the creation of registered traveler programs that would
assemble a databank of pre-screened passengers. Whether run
privately or governmentally, these programs offer illusory
security but present serious threats to civil liberties.
d. Failure to inform Congress of Surveillance Programs like the
NSA operation. One of the greatest protections of civil
liberties is the separation of powers doctrine and its inherent
system of checks and balances. The failure to inform the
members of Congress, particularly the full committee membership
of the intelligence committee, of ongoing intelligence
activities negates any meaningful oversight functions.
e. New Threats Against Whistleblowers. Legislation to increase
penalties for federal whistleblowers is a startling reaction to
the disclosure of unlawful activity. This is exemplified by the
proposed increase in penalties for officials seeking to
disclose unlawful activity under the NSA domestic surveillance
program. Likewise, the continued refusal of Congress to pass a
federal shield law for journalists can only be seen as an
intentional deterrent for whistleblowers. When an official at
DHS is aware of an unlawful program, the media may be the only
effective way to stop the illegality.
These are a few of the most recent examples of how privacy
rights and civil liberties protections are being pummeled
across a long spectrum of insular governmental policies and
programs. If Congress truly wants to protect privacy, it must
deter threats by increasing both the likelihood of disclosure
of unlawful conduct and the penalties for such conduct. This
requires greater transparency in agencies like the DHS, better
oversight in Congress, and fuller protection for those who seek
to disclose misconduct.
II. THE NSA DOMESTIC SURVEILLANCE PROGRAM
The recent NSA operation brings together many of the most dangerous
elements discussed above: lack of congressional oversight, the
violation of federal law, the pursuit of whistleblowers, and finally
the absence of any meaningful action from Congress. In terms of privacy
rights, the NSA operation also presents the most serious attack on the
guarantees that are essential for the exercise of the full panoply of
rights in the United States.
The disclosure of the National Security Agency's (NSA) domestic
spying operation on December 16, 2005 has created a constitutional
crisis of immense proportions for our country. Once a few threshold,
and frankly meritless arguments of legality are stripped away, we are
left with a claim of presidential authority to violate or circumvent
federal law whenever a president deems it to be in the nation's
security interests. As I made clear in a January hearing, these claims
lack any limiting principle in a system based on shared and limited
government. It is antithetical to the very premise of our
constitutional system and values.
This is, of course, not the first time that President Bush or his
advisers have claimed presidential authority to trump federal law. In
its infamous August 1, 2002 ``Torture Memo,'' the Justice Department
wrote that President Bush's declaration of a war on terrorism could
``render moot federal law barring torture.'' The Justice Department
argued that the enforcement of a statute against the President's wishes
on torture ``would represent an unconstitutional infringement of the
president's authority to conduct war.''
The President also assumed unlimited powers in his enemy combatant
policy, where he claimed the right to unilaterally strip a citizen of
his constitutional rights (including his access to counsel and the
courts) and hold him indefinitely.
On December 30, 2005, President Bush again claimed authority to
trump federal law in signing Title X of the FY 2006 Department of
Defense Appropriations Act. That bill included language outlawing
``cruel, inhumane or degrading treatment'' of detainees, such as
``waterboarding'', the pouring of water over the face of a bound
prisoner to induce a choking or drowning reflex. In a signing
statement, President Bush reserved the right to violate the federal law
when he considered it to be in the nation's interest.
The NSA operation, however, is far more serious because the
President is claiming not just the authority to engage in surveillance
directly prohibited under federal law, but to do so domestically where
constitutional protections are most stringent. The scope of this
claimed authority is candidly explained in the Attorney General's
recent whitepaper, ``Legal Authorities Supporting the Activities of the
National Security Agency Described by the President.'' As I noted in
the prior hearing, it is a document remarkable not only in its sweeping
claims of authority but its conspicuous lack of legal authority to
support those claims. It is also remarkably close to the arguments
contained in the discredited Torture Memo.
The vast majority of experts in this field have concluded that the
NSA program is unlawful. Even stalwart Republican members and
commentators have rejected its legality. It is an inescapable
conclusion. Under Section 1809, FISA states that it is only unlawful to
conduct ``electronic surveillance under color of law except as
authorized by statute.'' The court in United States v. Andonian, 735
F.Supp. 1469 (C.D. Cal. 1990), noted that Congress enacted FISA to
``sew up the perceived loopholes through which the President had been
able to avoid the warrant requirement.''
FISA does allow for exceptions to be utilized in exigent or
emergency situations. Under Section 1802, the Attorney General may
authorize warrantless surveillance for a year with a certification that
the interception is exclusively between foreign powers or entirely on
foreign property and that ``there is no substantial likelihood that the
surveillance will acquire the contents of any communications to which a
United States person is a party.''
No such certification is known to have occurred in this operation.
Nor was there an authorization under Section 1805(f) for warrantless
surveillance up to 72 hours under emergency conditions. Finally, there
was no claim of conducting warrantless surveillance for 15 calendar
days after a declaration of war, under Section 1811.
The NSA operation was never approved by Congress. Moreover, the
Administration's attempts to use the Authorization for Use of Military
Force, Pub. L. 107-40, 115 Stat. 224 (2001), as such authorization is
beyond incredible, it is unfathomable.With no exceptions under the Act,
the NSA operation clearly conducted interceptions covered by the Act
without securing legal authority in violation of Section 1809.
The NSA operation is based on a federal crime ordered by the
President not once but at least 30 times. Indeed, in his latest State
of the Union Address, President Bush pledged to continue to order this
unlawful surveillance. A violation of Section 1809 is ``punishable by a
fine of not more than $10,000 or imprisonment for not more than five
years, or both.'' Likewise, an institutional defendant can face even
larger fines and, under Section 1810, citizens can sue officials
civilly with daily damages for such operations.
The DHS is likely a recipient--directly or indirectly--of the
information gathered under this unlawful program. In my view,
government officials participating in this program are participating in
an ongoing criminal enterprise. The DHS officials have an independent
obligation to determine if this program is lawful and to refuse to
participate on any level with the program if it is viewed as unlawful.
This includes the receipt or use of intelligence. Moreover, to the
extent that federal courts determine that this operation is unlawful,
the incorporation of the intelligence in DHS investigations or
enforcement may ultimately result in undermining those activities.
Under a classic ``fruit of the poisonous tree'' theory, the use of this
tainted intelligence can taint any information gathered as a result of
its use.
Putting aside the questions of criminality, the NSA operation
jeopardizes basic privacy guarantees. First, it shows an unchecked and
unilateral exercise of presidential authority. Second, the conspicuous
absence of congressional oversight has destroyed any faith in a
legislative check on such authority. Finally, it created uncertainty
for citizens as to their guarantees of privacy and civil liberties
under this program or other undisclosed programs.
III. WHAT CAN BE DONE?
Just as there are a myriad of threats to privacy, there are a
myriad of possible measures to protect privacy interests. The most
significant protections often come in the form of protecting those who
would reveal violations while deterring those who would commit the
violations. Such reforms include the following:
a. Investigation of the NSA domestic surveillance program with
public hearings.
b. Strengthening of whistleblower protections, particularly for
employees at defense, intelligence, and homeland security
agencies.
c. Strengthening laws on data mining and data sharing by
agencies, including meaningful deterrents for agencies like DHS
that violate the Privacy Act and other statutory protections.
d. Reverse the trend toward reclassification and over-
classification of documents that decreases the transparency of
government by enacting new avenues to challenges overbroad
assertions of classified status.
e. The Congress should prohibit not simply a government-run
registered traveler system but a private-run system. The DHS
support for a pilot program in Orlando should be ended by
barring the expenditure of any federal funds and prohibiting
the incorporation of such a program into TSA airport security
systems.
f. Congress should require compliance with conferral rules on
all intelligence operations (other than covert activities) so
that all members of the intelligence committees are informed of
operations like NSA's domestic surveillance program.
g. A new system of privacy officers should be established so
that every major office in agencies like DHS have a privacy
officer who will be responsible for training, enforcing, and
certifying compliance with federal privacy laws.
h. Enhancing the authority and funding for the DHS Privacy
Officer. While Congress created this position in the Homeland
Security Act of 2002, there is a widespread view that the
privacy officer needs greater authority and access as well as
more resources to police the programs of this massive agency.
The slow response of the DHS to establish this office indicates
a lack of internal support of the model of an independent
internal watchdog office. For this reason, changes should
include a reporting requirement not only to the DHS but
directly to Congress.
i. Congress should pass a federal shield law for journalists,
as has virtually every state. Increasing legal threats for
journalists, including contempt rulings, presents an obvious
deterrent to any whistleblower seeking to disclose unlawful
conduct.
j. Congress should require an annual report, with regular
public hearings, on privacy matters to identify emerging
threats to privacy and possible legislative solutions.
IV. CONCLUSION
These threats to privacy rights and civil liberties have created
not just a constitutional crisis but a test for every citizen. Our
legal legacy was secured at great cost but it can be lost by the simple
failure to act. The President is right: these are dangerous times for
our constitutional system. However, it is often the case that our
greatest threats come from within. Indeed, Justice Brandeis warned the
nation to remain alert to the encroachments of men of zeal in such
times:
Experience should teach us to be most on our guard to protect
liberty when the Government's purposes are beneficent. Men born
to freedom are naturally alert to repel invasions of their
liberty by evil-minded rulers. The greatest dangers to liberty
lurk in insidious encroachments by men of zeal, well-meaning
but without understanding.
Citizens, let alone congressional members, cannot engage in the
dangerous delusion that they can remain silent and thus remain
uncommitted in this crisis. Remaining silent is a choice; it is a
choice that will be weighed not just by politics but by history.
Thank you for the opportunity to speak with you today and I would
be happy to answer any questions that you might have at this time.
Mr. Simmons. And thank you very much for that testimony. We
very much appreciate that.
General Hughes, welcome back, and we look forward to your
testimony.
LIEUTENANT GENERAL PATRICK HUGHES, USA (RET.), VICE PRESIDENT
OF HOMELAND SECURITY, L-3 COMMUNICATIONS
General Hughes. Well, thank you. As you said, my testimony
is contained in my written input. I appreciate the chance to
appear before you today.
I would like to express my views in a very simple form
rapidly. I believe in protected rights of all persons in the
United States expressed in law, including, certainly, the right
to privacy.
Within the law, I think we are compelled under the
conditions we now live in to collect information, analyze it,
and produce utility information to perform the mission of
protecting our nation and our citizens and residents.
In the process of acquiring and providing information for
this utility, we must discover and preclude terrorism. We
simply cannot afford to have terrorist acts of the kind that we
know could occur here in the United States.
I also am mindful that much of the work of the Department
of Homeland Security is focused on other crimes, crimes that
are not terrorist in nature but are associated perhaps and are
crimes of national security implications.
So much of what they do and what we expect from them as
citizens has to do with criminal acts under the law as
currently constituted.
The use of this acquired information is important. It must
be used legally to discover these acts or this plan and
conspiracy ahead of time in an attempt to preclude it. And that
is really a very difficult goal under the complicated
conditions that we now heard about from testimony this morning
and that you know so very well, because you have lived there.
I don't think I am qualified to offer exact recommendations
within constitutional law or within civil law and criminal law
in this country, but I am a person who has practiced the effort
to do this work here in the United States and overseas, and we
must find some balance between protecting the rights of our
citizens and our residents and countering the planned and
indeed engaged acts of terrorists and criminals which do
threaten our security, and in some cases, perhaps, our
existence as we know it.
Thank you very much.
[The statement of General Hughes follows:]
Prepared Statement of Patrick M. Hughes
April 6, 2006
Representative Simmons, Representative Lofgren, Members of the Sub-
Committee on Intelligence, Information Sharing and Terrorism Risk
Assessment:
Thank you for the invitation to appear before you on the subject of
``Protection of Privacy in the DHS Intelligence Enterprise.'' I am
appearing today as a private United States citizen, although it is
noteworthy that from November 2003 until March 2005, during the early
formative and developmental stages of the Department of Homeland
Security, I was the Assistant Secretary for Information Analysis in the
Information Analysis and Infrastructure Protection Directorate of DHS.
Since then I have continued my interest and work in matters dealing
with homeland security, homeland defense and intelligence related to
homeland security on both professional and personal levels. Prior to
this period I served for more than 35 years in the US Army and from
1999 until 2003 as a private consultant to both government and
industry.
Because of this background I was asked to come here to give my
views on issues that relate to the protection of privacy and really the
protection and assurance of legal and procedural rights of Americans in
the context of intelligence gathering and production of information
that can be acted upon by those who work to protect the lives and
property of our citizens. This ``operationalization'' of intelligence--
especially where it concerns persons who are residents of the US,
including those who have full rights of citizenship, is vital to
understanding my views. We have all learned, through bitter experience
that we must seek to interdict, to preclude, to stop--impending acts of
terrorism, before they occur, because that is the right thing to do. It
is an imperative of all who serve our nation. In this modern era of the
potential for the application of weapons with mass effects, we simply
cannot afford to allow the commission of terrorism because we cannot
bear the price and we cannot afford the consequences.
Indeed, the toll that crime with homeland security implications
takes on our social order each day, and the results of catastrophic
disasters--which we have recently suffered through on a scale not
experienced before--also affect my view of what we should protect and
what we should abrogate when human beings become involved in these
events. As we look to the future--in my view--we can anticipate the
worsening of these conditions.
My views have been formed in the crucible of combating the Viet
Cong Infrastructure in Vietnam; in seeking to discover acts of
espionage and subterfuge during the Cold war; in ferreting out the
meaning of North Korean activities; in engaging in the smaller but
vexing conflicts of recent years, including the hunt for War criminals
and insurgent groups in Bosnia, our attempts to decipher the tribal
groups of Somalia, and our best efforts to break the erosive conditions
found in places like Panama and Haiti. My views, like yours, have been
formed in the crucible of 9-11 and in the conditions and events of the
post-9-11 period in which many terrorist attacks and crimes with
homeland security impact have occurred albeit primarily overseas. Here
too--we must anticipate the future. New threats are on the horizon.
My views are simple--yet found in the very complex context of
today's problems and circumstances.
My view is that we must engage in the collection of necessary
information about persons of concern in order to discover conspiracy
and intent that should be--that must be--interdicted in order to
forestall an unacceptable condition, under the law.
If we fail to interdict we must act in a similar fashion to
understand that which we failed to stop and to know with certainty who
or what was responsible for the event--so that we can learn and so that
we can attribute both blame and appropriate action in light of that
blame.
My view is that we should not violate the rights of American
citizens in engaging in such activities, but rather that we should seek
a legal finding of necessity under the law as rapidly as possible--
before we abrogate any rights for the greater good.
My view is that we must create a mechanism that provides for very
rapid response (minutes to hours) to the legal tests of suspicion and
probable cause to engage in both information collection and operational
action--before the passage of time and the changing of circumstances
results in the loss of our opportunity to act to prevent a catastrophe.
My view is that we must provide for a degree of information
collection, analysis, storage and production necessary to support
analysis and operational decisions. Without this functional ability we
cannot do the job. This capability--of necessity--must include
intelligence, law enforcement, judicial organizations, the military and
elements of governance and must be empowered through a form of secure
interoperability that protects the security of the information and the
rights of the persons involved.
My view is that the government should have the right to compel any
person--no matter who they are or what their legal status is--to
provide dependable assured identification to appropriate authorities in
appropriate conditions, like travel via mass transportation
conveyances. Similarly we should have the right to compel the full
disclosure of materials and items that are being transferred within,
through and across our borders, on one's person, in luggage, and in
cargo--no matter what the nature of those materials and items are.
We should have a viable mechanism that requires--not requests--that
information be provided when citizen concern about activities they note
reaches a level of compelling reaction. In this age we cannot sit idly
by and not report that which seems to us to be suspicious or illegal,
especially in the context of homeland security and homeland defense.
Conversely we should not tolerate reports of a frivolous nature, or
those based solely on contentious relationships and interpersonal
disagreements.
Finally, we should protect large gatherings and public venues with
appropriate sensory technologies and dependable observation. Surely the
answer, in the aftermath of a future terrorist event, cannot be that we
failed to secure a specific place or condition because of privacy
concerns.
In many cases this set of personal beliefs and views on my part--my
``opinions'' if you will--are hardly new or revolutionary. They are--in
my view--basic and evolutionary. They form the foundation for a set of
laws and procedures that will protect the rights of our residents, our
citizens and will help to protect and secure our Republic. I do not
advocate excessive restriction nor do I advocate trampling on the
rights of our people. Rather I counsel that we should find a set of
laws and procedures that meet our needs--in the context of demonstrated
threats and future conditions we can anticipate--and put those laws and
procedures into force.
I know this is difficult to do. I also recognize the highly
politicized environment in which we are interacting today. As a fellow
citizen I simply hope for some balance between doing that which is
right and necessary to protect our people and property on our own soil,
and not doing that which violates the expectation of privacy and
personal freedom that each person is entitled to under the law.
My goal is to secure a peaceful and safe progressive existence for
our nation.
Mr. Simmons. I thank all three witnesses for their
excellent testimony.
And I think, General Hughes, you stated very explicitly the
conundrum that we face as Americans on the one hand, providing
for common defense is an essential responsibility of the
federal government. The Preamble to the Constitution also says
that we must establish justice. The First and Fourth Amendment
rights are clear to all of us. And so in a situation where we
are involved with threats, yes, we want to collect actionable
intelligence, but at the same time, we don't want to violate
the rights of innocent citizens. And so this is the challenge
of the balancing act.
Now, General Hughes, you served as the heart of I&A,
Intelligence and Analysis in the Department of Homeland
Security. Is that correct? That is my recollection. Different
name.
General Hughes. The same office but a different name.
Mr. Simmons. Yes.
General Hughes. The office has been enhanced by greater
independence.
Mr. Simmons. It would seem to me that in your capacity as
head of that, the Intelligence and Analysis Office, you would
receive intelligence products from other agencies--the CIA, the
National Security Agency, Defense Intelligence Agency, NRO, et
cetera, et cetera. You would receive those products.
Presumably, you would receive them in a timely fashion.
If you looked at a particular intelligence product, would
you know how the information was collected that went into that
product?
General Hughes. Usually, I would know how the information
was collected. In many cases, that collection mechanism would
be classified in order to protect its viability. But generally
speaking--in fact, sitting here trying to think about an
exception to that, I can't think of one. So generally, I would
know even in the most sensitive cases how it was collected.
Mr. Simmons. And would you make a reasonable assumption
that it was collected in accordance with the law?
General Hughes. Yes, I would. I do think the use of the
term law is important to me, and I would certainly defer to a
more expert person, but the term law must be accompanied, I
think, by the term interpretation and procedure. Many of the
activities carried out by the government and by law enforcement
organizations and intelligence organizations are found in the
larger construct of the law that are devolved, some would say
evolved, into procedure, policy and activity that can be
interpreted differently by different persons. That has been a
problem as long as our republic has been in existence, I think.
I think we all seek to do the right thing and we seek to do
it legally. There are occasions, I think, when different
interpretations are very valuable, because they point out the
tensions between what one group or one administration or one
organization might view as being correct to do and what another
person or group might do as being incorrect. But the law itself
is generally a larger body of knowledge that is interpreted by
others, and policy and procedures put into effect on that
basis. That makes it--I will use this term--problematic.
Mr. Simmons. As a military officer and as a federal
official sworn by your oath of office to uphold the
constitutional laws of the United States of America, if, in
your capacity as head of a INA or its predecessor, it came to
your attention that there might be a privacy issue, a violation
of privacy involving some of the information in your
possession, would you report that, or would you just keep it to
yourself?
General Hughes. Well, in fact, that very event happened,
especially as we formed the Department of Homeland Security.
There were questions of the right to privacy by citizens and
the right to protection under the privacy laws of the
information that we held in our files. And you had to take each
case on its own merits and determine within the procedure and
policy at the time in the context of law how you would handle
that information.
In some cases, the information was easy to expunge. It was
very rapidly obvious in the eyes of persons with good judgment,
our legal authorities and our privacy office that it should be
expunged, and it was.
In other cases where there is a belief that a conspiracy
exists and a person is a participant in it to conduct an act of
terrorism or another crime of homeland security implications,
the deliberate decision had to be made to retain that
information and use it, and I think that, personally, in my own
view, it is true but difficult to deal with that some of the
information from some of the people concern citizens and
residents of the United States.
I mean, I think every day you read about these events in
the newspaper, and they seem to me to be covered adequately by
law. It is against the law to plan to commit a crime at some
point, and certainly to commit a crime. And it is especially
against the law in the context of protecting the citizens'
rights in this era we now live in of the potential for mass
effects from such activities. I am not saying that the law
needs to be changed, I am saying that we need to understand
this in the context in which we are dealing with it.
Mr. Simmons. I hear your testimony to be that, for you,
this was a serious issue and something that you and your office
took seriously.
General Hughes. And I had the direct legal counsel
available in my office at all times and a direct connection to
the Privacy Office, and I can assure you, and I would certainly
be happy to do so under oath, that we not only took it
seriously, we practiced it seriously.
Mr. Simmons. I thank you. My time is expired.
The distinguished ranking member of the full committee, Mr.
Thompson, from Mississippi.
Mr. Thompson. Thank you very much, Mr. Chairman.
I am not sure if I am--I am a little troubled by what you
said, Mr. Hughes. Was this information gained that you
considered gained legally or illegally?
General Hughes. I certainly might hope that in every case,
it was gained legally, but once again, the interpretation of
the law and the interpretation of policy and procedure to some
degree has to rest in the eyes of the beholder until a
determination is made by legally constituted authority. In
searching my memory here this morning, I can't recall a single
case where I ever believed it was gained illegally. However, I
think once again one has to understand the modern environment
in order to deal with this question.
Mr. Thompson. We understand the environment.
General Hughes. Okay.
Mr. Thompson. Believe me. The question, though, is,
notwithstanding the environment, there are some privacy
considerations that have to be maintained.
General Hughes. And I believe they were.
Mr. Thompson. Well, I guess I will--Mr. Turley, under the
present scenario of wiretapping private citizens and not going
through any procedure, is it your belief that that process at
this point is in fact illegal?
Mr. Turley. I absolutely believe that. And I don't have a
scintilla of doubt. And if you look back at pass testimony I
have given to both the House and Senate--I have been called by
Democrats and Republicans, and I have always expressed when I
considered something to be a close call.
This is not a close call. This here is an exclusivity
provision under federal law. You have to do domestic
surveillance no matter how you may frame it. This has always
been viewed as domestic surveillance what was being done by the
NSA. And you have to do it under either FISA or Title 3. You
have to do it under that type of statutory authority. This was
created to go around that. It was a direct violation of the
exclusivity provision. And until the NSA operation, I don't
remember hearing anyone having any doubt about any of those
questions.
And that means that we have a very serious issue, because
the president stood in front of Congress during the State of
Union and said that not only had he ordered this 30 times, but
he would continue to do so until, basically, someone stopped
him.
And what was most astonishing is that members stood up and
gave him a standing ovation. It was one of the most bizarre
things I have ever seen as an academic. Members of Congress who
pass these laws had a president who told them that he was not
going to comply with those laws, and they give him a standing
ovation.
Now, the framers--I have to tell you, we all sort of speak
for the framers as if we are in some type of carni show.
[Laughter.]
But I think it is safe to say that the framers did not
think it was going to happen this way, that they believed that
Congress would have an institutional interest that it would
protect, that regardless of their affiliation to the president,
that they would fight to protect the legislative authority of
this body. This is the most central and direct threat to the
legislative branch's inherent authority that I have certainly
seen in my lifetime.
Mr. Thompson. Mr. Herath, you mentioned some things that we
could do to strengthen the Privacy Office. I talked about some
things like subpoena power, initiate investigations, and I
would think that in order to do your job, you need the tools
necessary. Where do you come down on that issue?
Mr. Herath. Well, Mr. Thompson, I agree that the subpoena
power and investigatory power in a formal sense is necessary.
That probably was part and parcel of my recommendation of the
statutory authority.
I think, however, and I am speaking on behalf of the
Privacy Office. I am not speaking on behalf of the Privacy
Office. I am speaking on behalf of me. But I think that would
probably be the last thing you would want to do as a privacy
official. The first step, as Ms. Cooney described, you try do
it, you know, informally through relationships.
If you have created a culture that is receptive to your
privacy requests, I would say the vast majority, if not 99
percent, of your request are going to be complied with.
However, I think that there does need to be, for those special
occasions where you simply in many cases know that whoever it
is you are asking is not forthcoming, I think you do need to
have sort of that final hammer with the subpoena.
Mr. Thompson. Or if that person that is withholding the
information knows that you have subpoena authority.
Mr. Herath. Correct.
Mr. Thompson. And, you know, it is just a matter of time
that they will pull that trigger.
Mr. Herath. Well, yes, I often say, you know, you have got
to have skin in the game. If there is no formal ramification
for withholding evidence, then there is a greater chance that
will be withheld.
Mr. Thompson. Thank you.
I yield back, Mr. Chairman.
Mr. Simmons. I thank the gentleman. Would the gentleman
like to go a second round?
Mr. Turley. One more.
Mr. Simmons. Okay.
Mr. Turley, thank you for your testimony. I was looking on
page five, where you made the statement, ``The NSA operation
was never approved by Congress.'' And again, while the
jurisdiction for this program resides with the House and Senate
Intelligence Committees, in my opinion, I have always been
troubled by the discussion of this program.
The ranking member of the House Intelligence Committee has
said publicly that the NSA program was essential to targeting
al-Qa'ida, and she made the statement as the ranking Democrat
on the House Intelligence Committee, ``I have been briefed
since 2003 on a highly classified NSA foreign collection
program that targeted al-Qa'ida. I believe the program is
essential to U.S. national security and that its disclosure has
damaged critical intelligence capabilities.''
As somebody who served many years ago on this Senate
Intelligence Committee, I was always puzzled by why senior
members of these oversight committees did not, on the one hand,
place the program into the law or alternatively legislate the
program out of the law, or I should say legislate it to cease.
I don't believe either one of those actions took place.
And I have also been concerned that through the routine
authorization and appropriation process of the Congress over
the years essentially dollars were authorized and appropriated
for the National Security Agency to continue to perform that
program. Now that takes me back to the mid-1980s when there was
a covert action directed against Nicaragua. It involved the
Contras and the Sandanistas, and, in fact, the Boland Amendment
did explicitly terminate that program in 1984.
Do you have any thoughts, or do any of the members have any
thoughts as to what might have been done back in 2003 that
would have perhaps better dealt with this issue.
Mr. Turley. I suppose my first answer is I believe that the
ranking Democratic member on the committee also mentioned that
she didn't feel that she was able, because of the restrictions,
to seek out advice of experts as to whether this was lawful
under FISA, and that it was not until this matter became public
that she concluded that, indeed, there were legal issues. She
was looking at it purely from an operational standpoint.
The second response is that I am still not sure why this
operation was not disclosed to the full membership of those
committees. My understanding is that it is only covert
operations that are retrained to the smaller group. This would
not constitute, as far as I know, that type of a covert
operation. The surveillance program has generally been viewed
as something that goes to the membership.
The third answer is that an appropriation of money has
never been considered by the courts as any form of
authorization. Under 1809, the authorization would have to be a
specific authorization to give essentially a third track if you
are not going to put it under FISA or Title 3.
And then, finally, my last response is, I am not too sure
that you could put what was the NSA operation in the federal
law without it being struck down. I mean, I think there is
serious constitutional questions.
But I also believe, as someone who has practiced--I have
been in the FISA court as a young intern at NSA, and I have
been counsel in FISA cases, and I still don't understand why
there was a need to go outside of FISA. FISA is the most user-
friendly law ever created for a president. And so I still am
not convinced about the need to circumvent the law.
Mr. Simmons. I appreciate that response.
I vaguely recall the Senate Resolution 400 required that
the committee be kept fully and currently informed. That
certainly applied to the Senate, maybe not to the House.
My recollection is that there were various compartments
that involved covert action and other activities, but that in
my experience, when a controversial program was briefed to the
committees and to the leadership, if it existed for more than a
year, it was handled within the oversight process. So perhaps
this is an issue for oversight of those committees.
And I recognize the gentleman from Mississippi.
Mr. Thompson. Thank you very much, Mr. Chairman.
I would like to respectfully disagree on some of the
jurisdictional issues that have come before us today. I think
all of us, including yourself, want to give the tools necessary
for law enforcement to do the job, but in collecting data, we
want to make sure that those privacy and civil liberties issues
are protected.
And if, in fact, the information gained is then
transmitted, that is gained illegally and transmitted to any
organization, and they began the process. That pause in
intelligence creates a real problem, whether it is DHS. If I am
a citizen, and I am all of a sudden on some kind of list that
was, for whatever reason, put on that list through intelligence
illegally gained, you know, I have a problem.
And I think all of us want to create a process that protect
the rights of citizens, protect the individual liberties, but
also keep America strong. I agree with Mr. Hughes, these are
difficult times, but we have to make more than just an average
effort to protect the rights of citizens. It has to be an
enhanced effort, a work in progress.
There is legislation on the books that talks about sharing
intelligence, talks about a number of things that I think gives
us significant jurisdiction authority to look at these things.
Facts about it, we passed the law requiring the sharing of
information between agencies because it was not taking place. I
want us to be cognizant of that.
The other issue is, and I will sort of make closing
comments at this point if you like rather than giving
questions. You know to the extent that we can strengthen
whistle blower protections for citizens who have concerns and
employees. We need to put that into place. We need to dispense
laws on data mining and data sharing by agencies. You just
can't go get the information and throw it out there for review
without the protection of citizens.
I have talked about the subpoena power that we all kind of
agree that you really can't do your job effectively unless you
have that.
I must also say, Mr. Chairman, I am concerned that because
we don't have it, the Privacy Office is using the leadership or
the secretary or some friendly persuasion rather than having
the inherent authority in that office to get it done. Whether
they have to exercise it or not, we need to have it in place.
This is a critical issue for all of us.
One of the strengths of our country and many of the things
our founding fathers put together was the interest in seeking
certain freedoms, and I would not want us under the color of
intelligence or any other statute limit many of those freedoms
for the citizens who operate within the law.
The law should protect them, and I look forward to
continuing the discussion along this line, Mr. Chairman, and
coming up with, not only a robust system that protects us all,
but also, on the other hand, a system that protects the
individual rights and liberties of American citizens.
And I yield back.
Mr. Simmons. I thank the gentleman for his comments, and
thank him very much for his participation in this hearing this
morning.
I think these issues are incredibly important, and I think
they are also incredibly difficult. I am haunted by what I read
in the 9/11 Commission report. I am reminded constantly that 12
of my constituents died on that day. And I recall regularly
that my daughter was living in New York City a few blocks from
the World Trade Center in an area that she could not return to
because of the damage and destruction that two of her roommates
and best friends from childhood were killed on that day. And I
struggle with the balance between liberty and security.
Could we have listened to the phone conversation of
Mohammad Atta? Could we have prevented that if we had done
things differently? And as we work to bring about the changes
to how we provide our Homeland Security for the safety of our
citizens, are we protecting the liberties that make this
country what it is and what we want it to be, not just for
ourselves but for our children and future generations?
This is a solemn responsibility and a difficult challenge
where, I believe, all of us have to work together to come up
with a solution. And we won't solve it today or tomorrow. We
will solve it through a process of discussion and debate and
hearing just as we have today.
I thank the panel for coming, and I thank the ranking
member.
The hearing is adjourned.
[Whereupon, at 10:49 a.m., the subcommittee was adjourned.]
PROTECTION OF PRIVACY IN THE
DHS INTELLIGENCE ENTERPRISE
PART II
----------
Wednesday, May 10, 2006
U.S. House of Representatives,
Subcommittee on Intelligence, Information
Sharing, and errorism Risk Assessment,
Committee on Homeland Security,
Washington, DC.
The subcommittee met, pursuant to call, at 4:03 p.m., in
Room 311, Cannon House Office Building, Hon. Rob Simmons
[chairman of the subcommittee] presiding.
Present: Representatives Simmons and Lofgren.
Mr. Simmons. [Presiding.] The Homeland Security Committee,
and Subcommittee on Intelligence, Information Sharing, and
Terrorism Risk Assessment will come to order.
We are meeting today at the request of the minority members
of the subcommittee under House Rule 11 to receive testimony
from a witness of the minority's choosing for one additional
day on the subject of protection of privacy in the Department
of Homeland Security intelligence enterprise.
The majority extended invitations to every witness that the
minority requested, and I personally called the primary
witness, Dean Parker, to secure her testimony today.
Unfortunately, none of the minority witnesses were able to
attend. But, as I have expressed to my friend and colleague
from California, I will continue in this effort.
Ms. Lofgren. Mr. Chairman, I appreciate that offer of
collaboration.
And as we discussed briefly early today, Dean Parker has
not been able to attend. And I think, since she doesn't have
current knowledge, we will continue to pursue the other three
witnesses which you have written to. And I look forward to
working with you in securing their attendance and learning what
we can.
So, at this point, I would concur that this hearing ought
to be called to a halt--or gavelled to a halt. And we will see
either those three witnesses or their representatives who can
speak knowledgeably for them at a future date.
And I thank you for your courtesy.
Mr. Simmons. I thank the ranking member for her comments. I
concur in her assessment of the situation.
Having no witnesses, the subcommittee stands adjourned.
[Whereupon, at 4:04 p.m., the subcommittee was adjourned.]
�