Areas, and sustaining existing capabilities. But, again, that measure can be better. On the administrative management side, weve made progress in measuring our ability to effectively, efficiently release the funding, monitor programmatic use of the funds, monitor grantee Financial Management of the funds, monitor the closing of the awards and grantee draw down. Were making progress, mr. Chairman, weve got an opportunity to make even more. Thanks. Yes, sir. For us, i think its about getting good, quality information and data for us to make the right decisions on when we issue a card. Its about continuing to get that information after we issue the cards so we can monitor the individual to ensure they havent done something as to disqualify them. Whether its on a terrorism watch list or something through a criminal issue. I think the other thing that is going to make us better is installing readers. We believe that the coast guard, whom were close partners with, made the right decision to take a riskbased approach and put readers where they need to be. And that we think thats going to be a measure in our program for our program considering its a by yo metric credential. I think the last thing is share information. Which we do on a daily basis. So we need good, quality information to make good decisions with. We need the information to keep on coming so we can continue to make good decisions after we issue the credential. We need to install readers. And we need to continue to share information, which we do on a daily basis with our parter ins. Thank you very much. I mean, the most difficult question is how do you measure security and risk . I think we have actually looked at that quite a bit across a lot of these programs. I think one of the better problems we found is Coast Guard Program called maritime Security Risk analysis model where they can, at the facility level, try to measure the riskbased on vulnerabilities and threats and various scenarios. Like that, i think they did that. Coast guard also took a step trying to develop a more sophisticated measure of how much Coast Guard Programs actually reduce risks in the port environment. And so was the percentage reduction of maritime Security Risk subject to coast guard influence in the programs, and were critical of this. In the end, it was subject matter x person. The coast guard sitting down and thinking about what the reductions measures are and then putting the single point of, you know, percentage on that. We had couple of criticisms in terms of way maybe trying to make it better and maybe give particularly so much judgment. You want to give a range instead of a point estimate like that. But i dont want to criticize the coast guard in the sense they certainly were trying to think larger about the suite of programs and what extend they reduce risk. Whether they want to keep the measure or not is something theyre looking at. It was a measure they were using within the coast guard. They werent really using it for that much. If you have a performance measure but youre not really using it to monitor things or prioritize resources, you got to kind of question whether its a useful metric in the end. Thank you. Okay. Some of you began to answer the second part of my question. I want to take another shot at it. My staff, my colleagues, we oftentimes say these words, the road to improvement is always under construction. Thats true here as well. I just want to in terms of thinks of metrics, but thinking were making progress but areas were not making nearly enough. Theres been some allusion to this. We can actually measure weve not made nearly enough. Are any of those. Who can help enable us to make the progress . Us, the legislative branchs committee, the president and his budget . Who needs to help out . Ellen . Yes, i think that just to sort of set the scene here, we certainly need an approach that is flexible, innovative, so question take on the adaptive adversary. We need something that an approach that is riskbased so we can make the most costeffective use of our resources. That said, we recognize not that we dont want to have negative impacts on global trade, so we are looking in the nearterm to specific improvements in the area of the targeting algorithms, the reducing the alarms. Working with our partners at some of the csi ports to increase the percentage of scanning that is undertaken. Were looking at, i think its a key point that i hope doesnt get lost in todays discussion, looking across all pathways. Focussing on a single pathway doesnt necessarily reduce overall risks. So as we go forward, we need to consider improving security across all transportation pathways. And lastly, i would note that we are continuing the dialogue with stakeholders to see what additional or expanded roles they might take in improving security of ports. Thanks. Admiral . I think theres a couple of areas. The first is complacency. From the congress to the Security Guard at the facility. We have to make sure we maintain the sense of urgency with regard to Port Security. The threat is adaptive. As good as physical Security Systems we have in place are, there are emerging threats like cyber that we have not yet addressed. We have begun to address them. I believe the coast guard has the authorities we need to do with that. Were working on what the resources might be. So you may hear about that. The other area that would be of concern is the real highend threat that needs to be intercepted offshore. We need to maintain and get out there and do something about some unidentified threat for our shore. It requires ships, helicopters, and people not only able to get there and present at the time when you need them. So those two things are areas where we need to make sure continue to build our capability and our plans for action. Okay, thank you. Kevin . Mr. Chairman, i would echo a couple of comments that ellen made. On the targeting side, theres always an opportunity to improve or an lettics and capability to assess risk. Were pursuing it aggressively. We have a good system for taking in current intelligence, manipulating the Data Elements against it and identifying risk. We want to get better. Its an area we get congressional support to continue to improve in that area. But the radiation portal monitors. We need to be able to dial the algorithms. Theyre sensitive for the threat materials were worried about. They reduce the National Raid logical alarm we face on normal comedies and bananas that hit on the monitor. We dont want to waste time on the alarms. We want to focus on what potentially could be dangerous terrible. I think there are continue d we are looking another other threats to the Global Supply chain, contraband that can support criminal activity and so forth we did that after 9 11 with the world custom organization. Theres always opportunities to take it to the next level and build kacht with those governments and Custom Services that are willing to step forward but dont have the capacity or funding. And then, of course, the private sector. Continued opportunities there not only supply chain side but looking to whether a terminal operative perspective there light be a return on investment to do Security Work that we can share and benefit in. Were pursuing all of these angles as the secretary noted in his letter. Theres a great points. I appreciate your responses. Ill come back and ask the same question in the last witnesses. You want them to answer it . [ inaudible ] okay. Okay. Thank you. Lets talk about the 100 mandate. And the fact were at 2 to 4 . I think im right. Ngo, i would love for do you get on this. Theres no question the 9 11 Commission Said rePort Security we need 100 screening. We hear its not practical. So the question somewhere between 2 to 4 and 100 , where do we need to be. How do we need to decide where we need to be, how do we become more effective in terms of container inspection . Ill start im sure colleagues will want to chime in. I think the key question for us is not the percentage itself but are we inspecting the right percentage . Is it are we inspecting and identifying the containers high risk and many hitting at the threat at the earliest possible point. While you had to step out to vote, senator, we talked about the metrics were following and whether were establiaccomplish that. I would like to reintegrate one of the elements for you. On the containers that we identify as potentially high risk through automated targeting system, we are currently examining with our foreign partners under the Container Security initiative 85 of those containers before they are on a vessel destined for the u. S. Within that thats 15 that arent getting inspected. They are getting inspected fully at the first port of arrival in the United States. We are checking them before they enter the stream of commerce to the u. S. And getting 85 of them before they are even on a ship destined for the u. S. Okay. If the 15 , one of them has a Nuclear Weapon in it, its a little late, isnt it . Yes, but thats not the only layer we have i understand. But when we think about this, youre saying 85 of those deemed highrisk. So what is our goal to get to 100 of those deemed high risk . Our goal there, sir, is to increasingly target with our the reports forming how we can encourage anything we think is high risk before leaving. We think we have placed those csi locations in the righright locations. Were assessing how the threats have changed. Are there strategically important ports question add. Capabilities can work with additional countries to encourage them to take measures. Mentioning, as you came in, sir, working with terminal operators. Is there a way we can encourage them to increase the overall inspection if they think theres a return on the investment. Working with the customers to sell security benefit that we can benefit from and share the information results of. Any comments on that . The container inspection world really does belong to customs and border protection. I can certainly attest to the impracticality at looking at every container. I have seen the targeting we do jointly on cargo and the automated processes are effective and adoptable. So if theres a new intel stream that comes in, we can quickly change their targeting and identify wcargo that might be associated with a newly identified threat. All right. Here is the question as a common sense. We say its not capable to do 100 screening. Where is the study that says here is what it will cost and slow down commerce. Has that been done . A number of that studies in that regard have been done. I offer that gao might want to comment as well. We have done a study and provided several papers to congress estimating up to 16 billion in costs. The European Union has done a study, the private sector has done several studies. The challenge, sir, theres 800 or so initial ports for containerized cargo destined for the u. S. An average of 3 to 5 million per port. An average of 5 million to implement the system. That scope just makes it very challenging to get to the level. A lot of questions on who pays, who is responsible, how it is monitored and so forth. If you take the rand study, even though its dated now, say if you had one sneaks in, and you have the tragedy they spoke about at the port of los angeles estimated 1 trillion effect on the gdp. 16 billion doesnt seem that great. So where do we go, gao . Senator, thank you. I thought about this a lot. We have done several studies on it. As far as the one study youre asking for. The only place ive seen it in is a recommendation weve made, and i think that cvp and the department would have been better off if at that point they said this is it. This is the feasibility study. This is the costbenefit analysis. And put it to batter and show the tradeoffs. There are multiple studies theyve done. I feel bad, i think the department in all the little pieces theyve done since then theyve almost gotten there. But i dont see that. But i just i would like to stop to talk about kind of one popular called for the 100 scanning of maritime cargo. They called for 100 scanning of air cargo. They said almost nothing about ports an maritime. Okay. Thats great to know. Yeah. So but moving on. So we do think that challenges are insurmountablinsurmountable. The safe port act was left a lot of things undefined. I think through the pilots cvp tried to understand the undefined things would be in terms of cost. Who does it, what is the point . But i think this is a concern it would create a false sense of security in a couple of ways. You can scan the container if its kind of within a regime that we trust. A port we trust. We know maybe the container we have some confidence after its scanned and gets on the ship, its going to be monitored or Something Like that. But a lot of times we wont have that case. A lot of cases because ports laid out where they do the scanning are offsite. If the truck has to drive 3 to 5 miles. A lot can happen in that period. One thing the coast guard commented on. Thad allen said it was more likely that weapons of mass destruction would come in not through a kind of highly regulated regime like containers, but through some small vessel coming in and snuck in some other way. I also agree. I think intelligence, in the end, would be the key if theres weapons of mass destruction that someone is trying to smuggle in. Im not sure ats by itself would catch that. They looked at probably millions and millions of containers and used the riskbased analysis and theyre still finding things, but, you know, its not like when they find drugs in these things that because it went to one match between, oh, we rated that one high risk. They find stuff in there that had gotten through the system. Drugs or other contraband. I think our approach has been to look at the programs that we have. We still would have liked to see the feasibility analysis. I think at this point its not implemented. I think its water under the bridge. We would like to see us doing better with what we have. Recognizing were not going to have a perfect system. Thats optimizing the targeting system, monitoring it on a regular basis. Youre testing it to see how its doing. Its having the best csis footprint you can. Some of the ports are not highrisk ports. Maybe they should pack up and shake hands with the parter ins. The partners will keep helping us but move some of the operations toso s tto other por do you have specific recommendations on ports from the gao in. Yes, we have a recommendation that they use the portrisk model they used in 2009 to initially plan the 100 scan and thinking about that. And used a similar type model to figure out the ports they were in. We tried to reproduce that and found 12 of the ports lowrisk ports. More than half were in highrisk one. We recognize there had is some ports that arent going to let us in. You know, i mean, you have some nasty players throughout. Theyre not going let a joint u. S. Program into there. We have recommendations and we understand im not sure i can disclose details of individual ports, but there is movement in term of additional csis ports both opening and closing. Okay. Lets go back to grants and tiered port system for a minute. If were not doing analysis on progress. Do we revauevaluate the ports i terms of tiers. Is that done retunely, yearly, biannually . How often do we reanalyze ports. Number two, without the metrics. Theyre getting better, how do we take what we have improved and measure it to show a decreased risk for tier 1 port so that the dollars you have can to go to where the risks are the greatest. Thanks for the question, senator. We reassess the risk of the nations ports every year. We use the risk formula that incorporates the most rented data we have available on threat vulnerability and consequence. There have been times where changes in that risk data have resulted in the changes in the grouping of ports. For example, last year, and fy 13, there are eight tier 1 ports. San diego had change in it relative risk formula. These are relative to one another. So this year it is not a tier 1 port. We are making those adjustments. We work very closely with the departments intelligence and Analysis Unit to populate the risk formula with the most recent data. So, yes, we are looking at that continually. Your second question as to what the measurement and really what i would consider to be, you know, buying down of that risk and the vulnerability. I agree weve got some progress to make there in terms of agreement on measurements and metrics to show that progress. And show it in a way. When the chairman comes back, his question was about how can the congress help, and here i think i might ask of the chairman and you, senator, is that we have a continued dialogue about the type of data that would enable you to have more confidence and the American People have more confidence we are making that progress and that we are being effective stewards of the taxpayer dollars. I agree that we have made progress and plenty examples. We would like to continue to work with you to get the data and the measurement that would show that in a more compelling way. Each port has a Port Security plan, right . Yes. All right. Has Homeland Security done an analysis of what the total cost would be to bring it up on a co effective benefit. How much total for all the tier 1 ports would we need to spend to bring them where they need to be . Do we have that . Do we know that . Im not aware of the analysis. Thats an important question. Because if you dont know what they need, well never get there. And so, i mean, we certainly at the i know you i know where the weaknesses are and i know thats where the grant money is going. Im saying in the big picture, if were going to spend 100 million this year on Port Security grants, and the total bill for bringing our tier 1 ports is 2. 5 billion, you know, were 12 1 2 years from bringing it. By that time, youre going have replacement needs. Sure. So the question is dont we think its important to really know by port here is the total cost to get us where we want you. And which one of those top eight ports, which one has the greatest vulnerability basis. Should we not be spending maybe 70 million at one point and 30 million and the other eight what the basis is to bring them to the level where we feel confident. Well take a close look at that. We have moved the entire suite of Grant Programs toward Performance Measurement against the core capabilities in the National Preparedness goal, following up implementing the president s aid on National Preparedness. We continue to find the Performance Measures for those. But were through the threat hazard identification and Risk Assessment process we are asking grantees to do a lot of what youre talking about in terms of identifying capabilities and using the investments to close the capability gaps response were moving in that direction. But im not aware of a single analysis where weve put a price tag on by port what it would take to close the gap in every port against one level. Well take a look at that. I just think that would be important to know. Because youre going to have limited funds from here on out. Its not going to change. Spending sending the dollars this is all riskbased, right . Yes. Ending the dollars where the greatest risk is should be our priority. I recommend you look at that. I dont know if the gao has any comments or not. If i might, well take a close look at that. I think the threat has identification Risk Assessment process. And the area of Maritime Security working groups at the local, at the port level, i think, theyre getting at a lot of that. But i agree with you. We can make even more progress. On two of your points. The first, how do you account for previous grant money in determining the risk ranking for the next. We actually do that as part of the coast guards Security Risk assessment model that grk ao mentioned. If it mitigates the consequences of an attack on a facility it gets reflected in our model. That data is part of the risk formula dhs determines to use the tier for the next year. It is in there. The other piece you ask about, you know, have we defined what a secure port is. When will we know when we get there . Its an interesting question. What i can tell you about the port. I have watched the initial focus being on secure individual facilities. Make sure we have fences, cameras, and guards and get facilities. And then i saw it evolve to we need to secure the port as a system as well. How do we link these fences snogt we invested in things like Communication Systems that allow everyone. And Surveillance Systems that were focussed on the Common Infrastructure not on the private sector infrastructure. And we decided thats good. Have we been able to address what were going to do if we get attacked and need it recover. We invested in trade resumption plans. Its been a national evolution. I believe were still in the evolution. We have emerging threats such as cyber. I think the next round of grants is putting money toward cyber vulnerability assessments so we can understand with a its going to take to secure the Cyber Infrastructure and the maritime. I dont know well ever be able to say were there. But i do see a logical profession on how we focussed our planning and investment. We have a diagnostic system for cyber within Homeland Security. Is the twic system similar to the system . Let me take that one, sir. Yeah. Right now the twic system works is that the contractor provides the enrollment equipment. Then they connect to a system that eventually gets back to tsa. That system whether its on the enrollment side, the data center side, up to the tsa side is standard. They go through accreditation, they go through auditing, they go through testing. Its not monitored within the dhs system. Its monitored through the tsa operation center. So everything from the contractors data center youve answered my question. Got it. All right. Thank you. I would like to ask mr. Caldwell to an my earlier question. Absolutely. The next question im going to ask of all of you is what we do we need to do. What is the to do list on the committee and the congress . To make sure were continuing to make progress. Absolutely, mr. Chairman. I ask of you and the committee is for a continued dialogue. I shared this with Ranking Member coburn before he stepped out. A continued dialogue about the types of data and the types of measures that would give you the competence, give the American People the confidence we are investing the grant dollars in a way that is most efficient and most effective and that were all good stewards of these resources. I agree with admiral thomas. This is the threat is evolving. So, too, have our measurement of, you know, where were headed next. So i would appreciate a continued dialogue with you about how we define the measures of success that give you the confidence were looking for. Thanks. Something for our to do list. I think its continued support and helping us, you know, get from tsas point of view and the coast guards point of view. Understanding that the coast guard is prum all gaiting the rule. Theres a lot of things that had to happen before they get to the point they can do it. When they say they need the readers. They need the readers. Theres no way insinuating theres some day delay on the rules side. Theres a lot of work in getting to this point. We asked for the continuing support 0 so question put readers in place, buy down risk, and use the full capability of the card. To the admirals point before, its critical we maintain mission focus. Its also critical we make riskbased decisions so we can protect the right areas. For our look at it, its data quality, identity vertdifications, reduction and fraud. Ensuring that the right people get the card and the right people keep the card after its been issued. Thank you. Mr. Caldwell. Im doing a combo answer. Im still busy trying to answer the question you asked before and the last one. Ill see what i can do. Three things. One for the agencies to do and the committee to do. First off, kind of keeping the programs flexible. Whether this i know the coast guard is trying to make their infrastructure patrols and things like that not predicta e predictable. Keeping a little bit of deterrence out there. I like what i see at cvp when theyre doing they call it the key side or dock side scanning or a ship come in and they target a ship. It wont be based on whether the containers are high risk or not. Theyll be scanning every seventh one or tenth one and things like that. Maybe flexibility in csi and whether they need to shift the deck a little bit to the Different Countries if possible. I think cyber is the growing area. Thats an area where dhs and coast guard have been monitoring the situation, and theyre talking about taking action. I think they do. Well have a report were issues tomorrow for Senate Commerce that have a lot more detail on the thoughts on that. Something for the committee, i think its starting to show up on the radar of the agencies as well is, you know, for what we have, we have to sustain it. And you have vessels and you have scanners and you have aircraft that have are pretty important in the regime. Particularly in term of the interdiction and the deterrence and the daily things like scanning containers. Some are reaching the end of their live. I know, cvp is trying to extend the life of their scanners. At some point, youll have a lot of youve built the regime and the things that go with it. It will take some sustainability and translate into resources. Okay. Last three witnesses have pretty much sort of gotten to my last question, which was what is our to do list. And i dont know, ellen, you and mr. Admiral thomas had a chance to do that. Our to do list. Chairman, i think i just echo some of the points that were made earlier, and emphasize in moving forward anything we need to do takes into consideration that dhs confronts a multitude of threats. To be Cost Effective and efficient we need to bear that in mind. I think the second point weve made earlier is that big picture security across all path ways to buy down risks dont want to encourage a balloon effect where we put all of our security wher security assets over here and the agile adversary circumvents that. So the picture has to be across all path ways. And then echoing mr. Caldwells point about the aging infrastructure and funding dhs with the president s budget. Okay, admiral thomas, anything that we should be doing on the legislative side . Thank you, chairman. I dont have much to add to whats been said. There may have been specifics that we identify as we continue to analyze the ports, but i think we have the right access through the staffs to get that information to you. I would say this type of oversight and continued focus by this committee on this issue is really important to stave off that complacency that im concerned about, so we do appreciate that. Good, thank you. Four quick things, echoing several things that mr. Caldwell mentioned, continued support that we discussed today, the automated targeting system, the csi and were working on the recommendations mr. Caldwell mentioned. Recapitalization and sustainment of our critical technology. Along with Domestic NuclearDetection Office well be working with your team on those plans. Three, that what you said at the beginning, understanding the critical economic exped. And facilitated movement of cargo aspect of our mission, that continues to be critical and needs to be understood. And then, four, working with the secretary in the department on an agreed path forward on scanning, keeping us honest on the good faith efforts identified and discussed today and working together on the best framework for the future. Good, thanks. I think dr. Coburn, when i was out voting, asked a question dealing with fiduciary agents and i just want to come back and he asked part of my question, i just want to come back and say the second half of the question. Maybe yall can take a shot at that. I need to be someplace else, literally someplace else in eight minutes. Bynum, im going to ask you to take a shot at this. Absolutely. Rather than ending the use of fiduciary agents for all ports, why not let ports decide for themselves if theyd like to use one . Weve considered that proposal and dont think its in the best interest of the program. If some are using fid ushiaries and others not, the benefit weve derived by moving away from the fiduciary agent models as the appropriations have gone down and our capabilities internally have grown in terms of program oversight, management and monitoring. We have a pretty good window into the project level data and the approach grantees are taking. We lost some of that visibility. As you might expect, there was a variety of varying levels of performance across the fiduciary agent model. And the other thing is, with the fee that fiduciary agents had access to, you know, three to five percent of the funds, we think those funds are better invested in actual security projects. So i know theres a range of opinions in the Port Community about the fiduciary agent model, but weve decided that the best thing for the most effective and efficient management of the program is to bring that management inhouse and not use the fiduciary agent model. Okay, thanks. This last question is for miss mcclain, admiral thomas, and mr. Mcaleenan. Really short answers if you would. First question, what effect has increased security along our land borders had on Maritime Border Security . What effect has increased security long our land borders had on Maritime Border Security . 30 seconds. Yes, mr. Chairman, two quick points. I think the programs we developed in the land border context informed how we deal with those programs in the maritime context. And second, i think it pointed out to us, and i real quickly go back to south florida in the 80s, how you need a riskbased approach across all path ways to secure any single path way. Thank you. All right, thank you. Admiral . Well, somewhat outside the realm of Port Security, but certainly weave seen the balloon effect on particularly the southern part of the west coast and also in the caribbean, as we secure our land borders for Illegal Drugs and contraband and other illegal activities, they have taken to the water. So weve adjusted our forces. And thats really the impact that weve seen there. Okay, thank you. I agree with the admiral. We have not seen a Significant Impact in terms of changes in the threat within commercial flows. We have seen it, the effect of security at ports push activity to the west coast as well as up through puerto rico. Okay. The second half to that question, but i dont have time to ask it. You may not have time to answer it. Im just going to wrap it up here. Im really glad that dr. Coburn encourages us to have this hearing. Its timely. Theres a fair amount of progress to be reported on and still plenty of work to do and im encouraged theres a sense of team at play, that certainly helps. And were part of that team, but thank you all for your preparation today for coming and helping to make this a very, very good hearing. Its clear to me that one of the most important takeaways from todays hearing is that its critically important that we strike the right balance. Easy to say, but hard to do, strike the right balance between security, trying to make sure we dont unduly impede the flow of transportation and trade. 95 of trade moves on the water, but our ports are vital to our nations wellbeing. Theyre a conduit for a lot. With that, ill call a halt to this. We will some of my colleagues are going to have, lets see here. Some questions to ask and we may have some more ourselves, but the hearing record will remain open for 15 days. Thats until may the 19th. It says until may 19th. Probably should say june 19th at 5 00 p. M. For the submission of statements and questions for the record. With that i say to our republican staff and our democrat staff and all my colleagues, thank you very much for your help in this and to each of you for joining us today. I think one of you members said oversight is a good thing and we hear that a lot. So we wont disappointment you. Thanks so much for that. Were adjourned. Probe esident obama is travg this week, he gave a speech in poland. The president spoke about china and russia. Heres a portion of his remarks. On the same day that pols were voting here, tanks were crushing peaceful democracy protests at teen an men square on the other side of the world. The blessings of liberty must be earned and renewed by every generation, including our own. And this is the work to which we rededicate ourselves today. Our democracys must be defined not by what or who were against, but policies of inclusion that welcomes all our citizens. Our economies must deliver a broader prosperity that creates more opportunity across europe and across the world, especially for young people. Leaders must uphold the public trust and stand against corruption, not steal from the pockets of their own people. Our societies must embrace a greater justice that recognizes the inherent dignity of every human being. As weve been reminded by russias aggression in ukraine, our free nations cannot be complacent in pursuit of the vision we share. A europe that is whole and free and at peace. We have to work for that. We have to stand with those who seek freedom. [ applause ] you can watch that entire speech at cspan. Org. The next leg of the president s trip is in brussels, belgium, for the g7 summit. President obama and british Prime MinisterDavid Cameron will talk to reporters following the conclusion of the meeting. Well join that News Conference live at 10 00 a. M. Eastern on cspan. And then well go to the Senate ForeignRelations Committee which is looking at the recent president ial elections in ukraine. A former ambassador to ukraine will testify. Live coverage also on cspan. On a lonely windswept point on the northern shore of france, the air is soft, but 40 years ago at this moment, the air was dense with smoke and the cries of men and the air was filled with the crack of rifle fire and the roar of cannon. At dawn on the morning of the 6th of june, 1944, 225 rangers jumped off the British Landing craft and ran to the bottom of these cliffs. Their mission was one of the most difficult and daring of the invasion. To climb these sheer and desolate cliffs and take out the enemy guns. The allies had been told some of the mightiest of these guns were here and they would be trained on the beaches to stop the allied advance. The rangers looked up and saw the enemy soldiers at the edge of the cliff shooting down at them with machine guns and throwing grenades, and the american rangers began to climb. This weekend, American History tv will mark the 70th anniversary of the dday invasion of normandy saturday at 10 30 eastern. Watch from the memorial in washington. Thats followed at 11 30 by author simons. Hell take your questioe. At 1 30, a look back at president ial speeches commemorating the day, all on American History tv saturday on cspan3. Next, senator al franken chairs a hearing on legislation he introduced that would outlaw the use of tracking apps on smart phones and other devices without the users consent. The bill would ban stalking apps that allow predators to track a potential victims movements. This hearing will be called to order. Welcome to the Senate JudiciarySub Committee on privacy, technology and the law. This is a hearing on my bill to protect sensitive Location Information, the location, Privacy Protect act of 2014. Three years ago, i held a hearing to look at how our laws were protecting the Location Information generated by smart phones, cell phones, and tablets. The first group they heard from was the Minnesota Coalition for battered women. They told me that across minnesota, victims were being followed through socalled stalking apps. Specifically designed to help stalkers secretly track their victims. I started investigating these stalking apps. Let me read you some of their from some of their websites. Heres from one call spy era. It says, quote, most of the time you think your spouse is being unfaithful, you are right. Spy era will be your spy in their pocket. You will need to sneak your spouses phone and download it to their phone. After the software is downloaded, youll be able to see where they are gee rafically. If your husband is two counties over from where you live, spy era will tell you that. And of course husband can mean wife or ex or whatever you want to put in there. Heres another, this is from flexy spy. Flexy spy gives you total control of your partner os phone without them knowing it. See exactly where they are, or were, at any given date in time, unquote. Heres another quote thats since been taken down. Quote, worried about your spouse cheating . Track every text, every call, and every move they make, using our easy cell phone spy software. These apps can be found online in minutes and abusers find them and use them to stalk thousands of women around the country. The Minnesota Coalition for battered women submitted testimony about a northern minnesota woman who was the victim of Domestic Violence and the victim of one of these stalking apps. This victim had decided to get help. So she went to a Domestic Violence program located in a county building. She got to the building and within five minutes, she got a text from her abuser asking her why she was in the county building. The woman was terrified and so an advocate took her to the courthouse to get a restraining order. As soon as she filed for the order, she got a second text from her abuser asking why she was at the county courthouse and whether she was getting a restraining order against him. They later figured out she was being tracked through a stalking app installed in her phone. This doesnt just happen in minnesota. A National Study conducted by the National Network to end Domestic Violence found that 72 of Victims Service programs across the country had seen victims who were tracked through a stalking app or a standalone gps device. Without objection ill add to the record the accounts of a view other victims. Heres one from the victim in illinois. She was living in kansas with her abuser. She fled to elgin, illinois, a town three states away. She didnt know the whole time her cell phone was transmitting her precise location to her abuser. He drove the 700 miles to elgin, tracked her to a shelter and then to the home of her friend, where he assaulted her and tried to strangle her. Heres one from a victim in scottsdale, arizona. Her husband and she were going through a divorce. Her husband tracked her for over a month, through her cell phone. Eventually he murdered their two children in a rage. In most of these cases, the perpetrator was arrested because its illegal to talk someone. But its not clearly illegal to make and to market and to sell a stalking app. So Nothing Happened to the Companies Making money off of the stalking. Nothing happened to the stalking apps. My bill will shut down these apps once and for all. It would clearly prohibit, making, running, and selling apps and other devices that are designed to help stalkers track their victims. It would let police seize the money that these Companies Make and use this money to actually prevent stalking. My bill will prioritize grants to the organizations that train and raise awareness around gps stalking and it would make the department of justice get up to date statistics on gps stalking. Thats a big deal. Because the latest statistics we have from doj are from 2006. And at that point, they estimated over 25,000 people were being gpsstalked annually, back in 2006. And we know what Smart Phone Technology has done since then. But my bill doesnt just protect victims of stalking. It protects everyone who uses a smart phone, an incar navigation device, or any mobile device connected to the internet. My bill makes sure that if a Company Wants to get your location or give it out on others, they need to get your permission first. I think that we all have a fundamental right to privacy, a right to control who gets your sensitive information, and with whom they share it. Someone who has a record of your location doesnt just know where you live. They know where you work and where you drop your kids off at school. They know the church you attend and the doctors that you visit. Location information is extremely sensitive, but its not being protected the way it should be. In 2010, the wall street journal found that half of the most popular apps were collecting their users Location Information and then sending it to thirdparties, usually without permission. Since then, some of the most popular apps in the country have been found disclosing their users precise location to thirdparties without their permission. And its not just apps. The nissan leafs onboard commuters was found to be sending drivers locations. Onstar threatened even after they canceled the service. They only stopped when i and other senators called them out on this. And a whole new industry has grown up of tracking the movements of people going shopping, without their permission and sometimes when they dont even enter a store. The fact is that most of this is totally legal with only a few exceptions, if a company gets your location over the internet, they are free to give it to almost anyone they want. My bill closes these loopholes. If a Company Wants to collect or share your information, it has to get your permission first. And put up a post online saying what the company is doing with your data. Once the company is tracking you, it has to be transparent or else has to send you a reminder that youre being tracked. Those requirements apply only to the First Company getting Location Information from your device. For any other Company Getting large amounts of location dat a all they have to do is put up a post online explaining what theyre doing with their data. Thats it. These rules are built on existing industry best practices. And they have exceptions for emergencies, Theft Prevention and parents tracking their kids. The bill is backed by the leading antiDomestic Violence and consumer groups without objection. I will add letters to the record from the Minnesota Coalition for battered women, the National Center for victims of crime, the National Womens law center, the Online Trust Alliance and consumers union, all in support of my bill. This bill is just common sense. Before i turn it over to my friend, the Ranking Member, i want to make one thing clear. Locationbased services are terrific. I use them all the time. When i drive across minnesota. They save time and money and they save lives. 99 of companies that get your information, your Location Information are good, legitimate companies. So ive already taken into account many of the industrys concerns that i heard when we debated this bill in the last congress. Ive capped liability, ive made compliance easier. And if folks still have issues with the bill, i want to address. So with that, i will turn it over to senator flake. Thank you, mr. Chairman. Thank you again to the witnesses for being here. I know you have busy schedules and appreciate you doing this. I think we can all agree that stalking and Domestic Violence are serious concerns. Thats why i was pleased to support the reauthorization of violence against women act. I agree with those who will testify today that, like mrs. Southworth of the National Network to end Domestic Violence and detective hill, second panel, that domestic vile ins and stalking are Serious Problems that need to be addressed. Im not aware of any concerns that have been expressed about some of the sections of this bill, those that address the stalking apps and directing the government to study gps stalking and prioritize grants to educate Law Enforcement about this problem. Having said that, there are sections of the bill i think that are still a bit concerning. The bill before us regulates the commercial collection of geoLocation Information. Some concerns have been raised about its effect on businesses and applications that use geoLocation Information to provide consumers with services that they now rely on. Id like to enter into the record letters from the National Retail federation and the Interactive Advertisement Bureau if thats okay. Sorry. Without objection. In our efforts to protect the privacy of americans, which is extremely important, we have to be careful not to stifle innovation in dynamic sectors in the economy. A lot of the concerns that have been expressed are about static regulations that deal with a dynamic sector of the economy, and we want to make sure that we dont hamper development of new products and technologies. With that, i look forward to the witnesses. Thanks. Thank you, senator flake. Um, while the first panel of witnesses has seated themselves, thank you. Bea hanson is the Principal Deputy director of the United States department of Justice Office on violence against women. Before that, she was director for Emergency Services and the chief Program Officer for safe horizon, a crime Victims Service organization in new york city. Miss hanson is a minnesota an by birth and was raised in st. Paul. Jessica rich is the director of the ftcs bureau of Consumer Protection. During her time at the ftc, miss rich has led major policy initiatives related to privacy, Data Security and emerging technology, overseen actions and developed significant ftc rules. She also received the chairmans award in 2011 for her contributions to the ftcs mission. Mark goldstein is the director of physical infrastructure issues for the u. S. Government accountability office. He is a frequent witness before congress and served as senior staff member on the committee for Homeland Security and government affairs. Hell testify about two studies at gao conducted at my request on the subject of Location Privacy. Like to welcome you all. Thank you for appearing. Your written testimony will be made part of the record. You each have about five minutes for any opening remarks that youd like to make. Well start with miss hanson. Thank you, so much. Good afternoon, chairman franken and Ranking Member flake and members of the committee. Thank you for the opportunity to testify on behalf of the department of justice regarding stalking, mobile devices and Location Privacy. My name and bea hanson, im the Principal Deputy director at the United States department of Justice Office on violence geaps women or ovw. One key way that the department of justice has focused on strengthening the criminal justice response to stalking is through the implementation of the violence against women act our vawa. Since the passage of vawa in 1994, weve made strides in enhancing the criminal justice response to stalking. Congress has been a Strong Partner to help us address this issue. Since 1994, congress has amended vawa to add stalking to the purpose area of Grant Programs, broadening the stalking statute to protect victims of sirp stalking and enhancing penalties for repeat offenders. Just last year in the most recent reauthorization, congress closed a loophole in the federal cyber stalking statute to permit federal prosecutors to pursue cases pr the offender and victim both lived in the same state. Congress also amended the jean cleary Campus Security act to require that universities report Crime Statistics on incidents of stalking. As you both know, stalking is a complex crime and it continues to be misunderstood and very much underestimated. Incidents of stalking behavior, whether considered separately, may seem relatively innocuous. However stalking behavior tends to escalate over time, and its often paired with or followed by Sexual Assault, physical abuse or homicide, as chairman franken pointed out. Its victims feel isolated, vulnerable, and frightened and tend to suffer from anxiety from depression and from insomnia. Results of the 2010 National Intimate Partner and Sexual Violence survey which was released by the centers for Disease Control in late 2011 demonstrate the grave scope of this crime. Using a conservative definition of stalking, the survey found 6. 6 Million People were stalked in the previous 12month period, and that one in six women and 1 in 19 men were stalked at some point in their lifetimes. The survey report noted that although anyone can be a victim of stalking, females were more than three times more likely to be stalked than males. And young adults have the highest rates of stalking victimization. The report also showed the two frequent nexus between stalking and intimate partner abuse. For the overwhelming majority of victims, the stalker is someone thats known to them. An acquaintance, family member, or former intimate partner. The study confirmed most stalking cases involved some form of technology. More than 3 4 of the victim reported receiving unwanted phone calls and Text Messages. One third of the victims were watched, followed, or tracked with other kind of listening device. The report noted that they found a higher percentage of stalking than previous studies and hypothesized that it could be due to new technologies that make stalking behavior easier. Technology has provided new tools for stalkers, for example, the rapid increase of cellular phones in recent years has created a new market in Malicious Software that when installed on mobile devices allows perpetrators to intercept victims communications without their knowledge or consent. Through the use of the software, perpetrators can read email, listen to telephone calls, and turn on the microphone to record conversations in the immediate area, all that can be done surreptitiously. A recent study further suggests that Technology Enhanced stalking, including the use of mobile devices, is neither novel nor rare. Of the more than 750 Victim Service agencies that responded 72 reported victims who were tracked from these devices. Its critical that professionals who work with stalking victims understand the dynamics of stalking, particularly how stalkers use technology. We know stalking is a precursor to other forms of violence. Ovw Grant Programs support specialized training for police, prosecutors and others to ensure comprehensive seev comprehensive services are available to victims. Were also targeting the inner section of technology and the crime of stalking, Sexual Assault violence and dating violence. More information on that in my written testimony. We have some of our grantees that will be talking later here in the second panel. I appreciate the opportunity to testify today and i look forward to a continuing to working with congress, working with you all as it considers these important issues. Thank you. Thank you, mrs. Hanson. Miss rich . Good afternoon, chairman franken and Ranking Member flake. My name is jessica rich and im the director of the bureau of Consumer Protection at the federal trade commission. I very much appreciate this opportunity to present the commissions testimony on Consumer Protection issues involving geoLocation Information and to offer initial views on the Privacy Protection act. Protecting consumers privacy is a key focus of the commissions efforts and we commend the committee for its continued attention to this really important issue. Products and services that use geolocation data make consumers lives easier and more efficient as youve noted, chairman franken. Consumers can get turn by turn directions to their destinations, find the closest bank, check the weather when theyre traveling, among many other examples. At the same time, the increasing collection, use, and disclosure of this data prevents serious privacy concerns. For this reason, the commission considers gee wro location data to be sensitive, warranting opted consent prior to collection from a consumers mobile device. Why is this data so sensitive . A devices geolocation can reveal consumers movements in real time and over time and thus develop inlt matt personal details about them, such as the Doctors Office they visit, how often they go, their place of worship and when and what route their kids walk to school in the morning and return home in the afternoon. This data can be accessed and used in many ways consumers dont expect. For example, collected through stalking apps, sold to thirdparties for unspecified uses, paired with other data to build profiles of consumers activities or stolen by hackers. Can result in unwanted tracking to stalking. Using its authority of the ftc act, the commission has brought cases against Companies Engaged in unfair and deceptive practices involving geolocation data. One example is our settlement with snap chat, the developer ofa a popular mobile messaging app. In that case, the ftc alleged that in addition to representing that photo and video messages sent through the service would disappear, which was what was publicized most about that case, snap chat also collected and transmitted geolocation data from its app, even though its Privacy Policy claimed it didnt track users or access such information at all. In other case, this one involving the developer of a popular flashlight app, the ftc allege the developer told users it would collect diagnostic and Technical Information to assist with product support, but failed to disclose that the app transmit the the devices location and unique device i. D. To ad networks. Finally with retailer aarons and its affiliates. The use of software on rental computers that tracked consumers, violated the ftc app. It could log key strokes, capture screen shots all unbeknownst to users. The ftc acknowledged that installing tracking twidevices the rented computers was an unfair and illegal practice. In addition to enforcement, the commission has conducted studies and held workshops in this area. In 2012, ftc staff issued two reports about the disclosures provided in mobile apps for kids. The reports showed that the apps collected data from the kids devices, including unique device i. D. And geolocation data and shared it with thirdparties, often without notice to parents. In february of last year, ftc staff issued a report providing specific recommendations about how all players in the mobile ecosystem, platforms, app developers, Analytics Companies and trade associations can and must ensure that consumers have timely, easy to understand disclosures and choices about what Data Companies collect and use, including geolocation data. Now turning to a discussion of the location Privacy Protect act, the commission very much supports the goals of this bill, which seeks to improve the transparency and consumer control over the collection and use of sensitive geolocation data. The bill represents an important step forward, notably by requiring clear and accurate disclosures and opting con sent from consumers before the Sensitive Data can be collected. The bill contains both civil and criminal provisions and gives the department of justice Sole Authority to enforce both. We very much support strong remedies for violations. However, as the federal governments leading privacy endorsement agent, we recommend the committee be responsible for enforcing the civil provisions of the bill. Thank you very much for this opportunity. The ftc is very committed to protecting the privacy of consumers geolocation and we look to working with the committee and congress on this issue. Thank you, mrs. Rich. I noted your recommendation in your written testimony and again just now. Okay, thank you. Mr. Goldstein. Thank you for the opportunity to be here this afternoon and provide testimony on consumers location data. Smart phones and incar Navigation Systems give consumers access to useful locationbased services. Okay, sorry. Im sorry. He actually sounded very good. Very sonarous. [ laughter ] go ahead. Sorry you were interrupted by miss rich. [ laughter ] right. However questions about privacy can arise if Companies Use or Share Location data without their knowledge. Several agencies have responsibility to address consumers privacy issue, including the ftc which has authority to take action against unfair deceptive acts and the ntia which advises the president on telecommunications issues. My testimony addresses companys use and sharing of data. Two, consumers Location Privacy risks. And three, actions taken by agencies to protect consumers location data. Our findings were as follows in two reports that we released over the last couple years. First, that 14 mobile companies and ten incar navigation providers that goa examine inned the reports, including mobile carriers and auto manufacturers, collect location data and use or share them to improve consumer services. For example, mobile carriers and Application Developers use location data to provide social Networking Services to are linked to consumers location. Incar navigation use location data to provide services such as turn by turn directions, or roadside assistance. Location data can also be used and shared to enhance the functionality of services such as Search Engines to make search results more relevant. Second, while consumers can benefit from the locationbased services their privacy may be at risk when Companies Collect and Share Location data. For example, in both our reports, we found when consumers are unaware that their location data are shared and for what purpose that data may be shared, may may be unable to judge whether the data is shared with trustworthy parties. They can create detailed profiles of individual behavior, including habits, preferences and routes traveled, private information that could be exploit exploited. Additionally, there could be increased risks for identity theft. Companies can anon miz location data that they use or share in part by removing personally identifying information. However, in our 2013 report, we found that incar navigation providers that goa examined use different identification methods that may lead to varying levels of protection for consumers. Third, Consumer Companies have not consistently implemented practices to protect consumers Location Privacy. Some steps have been taken. For example, all of the companies we examined, used privacy policies or other disclosures to inform consumers about the collection of location data and other information. However, companies did not consistently or clearly disclose to consumers what the companies do with this data or thirdparties which they might share that data, leaving consumers unable to effectively judge whether such uses of their location data might violate their privacy. In our 2012 report, we found federal agencies have taken steps to address this through Educational Outreach events, reports with recommendations and guidance for industry. For example, the department of commerce has brought stakeholders together to develop codes of conduct for industry, which goa found lacks specific goals and Performance Measures making it unclear whether the effort would address Location Privacy. Additionally, in response to a recommendation gaos 2012 report, the ftc issued guidance in 2014 to inform companies on the commissions views on the appropriate Actions Companies should take to disclose privacy actions and obtain consent. Gao recommended that nta develop goals and milestones that measure for stakeholder initiative. Gao will continue to monitor this effort in the future. This concludes my oral statement. Id be happy to respond to any comments. Thank you. Thank you, mr. Goldstein. And thank you all for your. Miss hanson and miss rich, your agencies have already done important work to combat gps stalking and cyber stalking, but i want to press you to do more. I want to challenge you to investigate and shut down these smart phone stalking apps. They are tens of thousands of people every year. They market themselves directly and brazenly to stalkers and theyre easily available on the internet. My bill will give you even more tools to go after these guys, but will you pledge to me today that you will use all of your existing tools to investigate and shut down these apps . Yes, i will, within my powers. We do have a commission that needs to approve things, but i run the bureau of Consumer Protection. I will note that we did bring a case against a Similar Service called remote spy. We litigated a case against them that was providing this very same type of service to spy on people and we obtained a strong order against the company and we can use similar tools to pursue these types of stalking apps. Thank you. You know, my role at the office of violence against women. Were a grantfunded organization and really want to work with you and Work Together to address these issues around stalking applications. This has been a huge, big priority for the department. I would like to bring this back to those folks who actually do the prosecution and want to share the concerns of the criminal division, specifically the computer crime and intellectual property section, as well as the u. S. Attorneys office, executive office of the u. S. Attorney, who handles the criminal prosecutions and ill bring that back to them. Well, thank you. And there is bipartisan agreement on this. In 2011, i sent a letter by senators grassley, klobuchar, white house, shumar and feinstein asking your agencies to crack down on these apps, i want to ask each of you to everything you can to shut them down. Mr. Goldstein, some of the witnesses on the second panel urge us to be cautious about regulating. They favor selfregulation. As part of your investigation you looked at best practices for the collection and sharing of location data. In an interview, you said there werent very many rules in place and that in many ways, this was still, quote, the wild west of the electronic era, unquote. Did you find that industry best practices were being implemented consistently and did you find that consumers were being given the information they needed to make choices about their privacy . Thank you, mr. Chairman. Our reports clearly indicate that there is no comprehensive approach, that some companies do Pay Attention very consistently to the rules, the selfregulating rules that are out there, and some do not. And that there is a great variety. And not a lot of transparency. Those seem to be the two principal problems that some Pay Attention to some rules and not others and the lack of transparency and the consumers dont always have enough information to make choices about what kind of information is being retained, how long its being retained, by whom its being retained and used, things like that. So there are quite a lot of problems still out there with the application of the rules. And i see youre nodding, miss rich . Yes. Many Industry Groups and individual companies, um, say they implement opt in or have opt in as best practice, but our enforcement even more broadly outside of stalking apps, related to the collection of geoLocation Information, including the snap chat case, the flashlight case, our case against aarons and also our survey of kids apps shows that this opt in standard is not being complied with in a regular basis. Yeah, i found the snap chat particularly ironic because their whole selling point was that once you post a video or a photo, that it would disappear. And we allege that wasnt true, among other things. But other than that, it was exactly what it said. Yeah. Okay. Im running out of my time. Ill ask one more question and we want to get to our other panel. So ill give it to senator flake and ill ask one more question of miss hanson. Thank you. Mr. Goldberg, in your testimony, you outlined a series of what ifs. Asserting that location data could be used to track consumers. I think we all understand the potential of this. You say which can be used to steal identity, stalk them, monitor them without their knowledge. You also say that collection of data, location data poses a threat. We all understand that. Youve explained that very well. But in your study, or in your investigation, did you uncover examples of companies stealing customers identities, or stalking them, or criminals obtaining location data . We know the potential exists, did you actually turn up any nefarious activity. No, senator, we did not. It was really a look at the kinds of issues that were out there. It was not really within the scope, but we also did not find any. Um, miss rich, are you you mentioned a few of them, cases that have been brought. Whats been out there in popular media that has caught your attention . Or is that usually how you find these cases . Or, how do you come on to these cases where you decide to bring action against someone . We find cases in a variety of ways. We may be tipped off by an insider. We may be get referrals from businesses or consumer groups or tech people. But, um, responding to the question you just asked my colleague, i mean, one thing that our cases do show is that companies, even flashlights, are collecting this data, contrary to the claims theyre making and then theyre sharing it. So it is being collected and used and given what it can show, in terms of consumers private activities, that raises concerns. Yeah, certainly i think we all recognize that people use it for advertising and some of them arent disclosing or giving the opportunity to opt out. My question was to mr. Goldstein was, do we see criminals using it for purposes that are potential certainly exists, but if there are examples of that in a criminal way. Weve seen some of the stalking and obviously we want to make sure that we crack down on that, but i know that the potential exists, i was just wondering in the studies if we see it actually occurring. We see some of it on the commercial side, but not so much on the criminal side yet, is that an accurate statement . I think that the stalking apps are the clearest example of the harm that it can do. I agree. In my opening statement, i want to make sure that we dont stifle any development of new technologies and new positive uses of this geoLocation Information. And miss hanson, the department of Justice Works with Law Enforcement agencies across the country and broadcasters, transportation eagagencies, ande Wireless Industry to issue amber alerts. These are obviously only sent when a child is at risk of serious injury or death. Would amber alerts fall within one of the exceptions to the bill . I think i would have to bring this back to the department about how this would be an exception or not. Amber alerts, i know have been important in identifying missing children. I think we need to look at this issue more broadly and i can bring that back to the department to take a look at it. Through our office end on the office of violence against women, weave seen and youll hear from testimony from folks on the second panel, if you look at the cases of of of cyber stalking, that we actually look at, when you look at it from the prospective victims of Domestic Violence, that in actuality we have a large number of victims who have said they have been tracked. My testimony talked about 72 of those reported of looking at Victim Service agencies, had been tracked by gps through cell phone or gps. So i think those are important issues we need to look at, but i can bring back this issue, question about the amber alert. If you could i can answer that, but ill wait. A hypothetical some people have talked about and some are working on programs that would send an amber alert to a specific location, if a child was lost in a mall, and you dont need the amber alert at that point because there are certain standards and thresholds at which those are issued, but those you might be able to send it at a lower threshold if it could be confined to a specific location, say a mall, but obviously if the geoLocation Information of individuals who are in that mall, they would not have consented to receive that amber alert, they would not have opted in, but could would this be an exception and how do we work with the exceptions like that . Where useful information could go out but not for regulations that could come . Does that make sense . Im sorry. No, it makes sense. Its not the area that i work in. So what id like to do is bring that back to other folks in the department and get back to you on that. Okay. You had a well, i just wanted to clarify that an amber alert would be in section 3 of the bill, we put in exceptions. And any emergency allowing a parent or legal guardian to locate an emancipated minor or child, and also for fire, medical, Public Safety or other Emergency Services. So this is specifically in the bill. It would be exempted. Okay, there are some that are less clear, i think, mr. Atkinson in the second panel will note there are certain programs like circle of 6, siren 7, these apps allow women to share their precise geoLocation Information with friends who are in an unsafe situation. These, i think we all agree, can be used to help women in an unsafe situation. We just want to make sure we dont do something that would prohibit those kind of uses. Thats a little tougher or fuzzier than amber alert. Maybe the second panel can shed light on that as well. But thank you, mr. Chairman. Thank you. Senator blumenthal has joined us. Thank you mr. Chairman. Thank you to you for having this hearing and for your really instrumental work on a lot of this ledge stratigislation and this panel, particularly bea hanson for your work on Sexual Assault on campuses and your help to me in the round tables that we worked on and the proposals that we formulated as a result. Great work on this issue. Thanks to the wonderful staff that he has working on this issue. And to that point, i wonder if you could talk a little bit about what additional steps colleges and universities ought to be taking with respect to cyber stalking and the relationship of cyber stalking with campus Sexual Assault. You know, in connecticut, more than 50,000 individuals are stalked every year. A lot of it occurs on campuses because College Students tend to be more atune to this technology and yet i found as i went around the state of connecticut that College Administrators and officials there often were not as focused as perhaps they should be on this issue of cyber stalking and the technology thats available to enable it. So perhaps if you could talk a little bit about that issue. Thank you, senator blumenthal. And thank you for your work on addressing campus Sexual Assault and the report that you put together as a result of all of the hearings you did in connecticut. Um, i think that nexus between campus Sexual Assault and cyber stalking is important. Um, especially when you look at the the use of cell phones and smart phones, um, especially among the College Campus students. Theres work thats being done and theres more work that we need to do in terms of looking at prevention messages and incorporating issues of stalking and cyber stalking, particularly messages around Sexual Assault, because we know often that stalking isnt something that occurs by itself. But that it often escalates over time and can often be a precursor to crimes like Sexual Assault or even homicide. I agree with you on your point about the need to train and talk to administrators about it. I think theres a lot more knowledge among the students than there are among the administrators about the training thats needed to look at cyber stalking and those connections. So were more than happy to work with you and the rest of the committee if there are ways that we can make those efforts even stronger. I thank you. This technology has huge promise, but also tremendous peril. And the awareness of the peril is sometimes difficult among young people who think of themselves as invincible. And yet because of that illusion, they may be the most vulnerable. And the most vulnerable often to their friends who seemingly want to befriend or support them and yet use this technology, really, to put them in great peril. So i thank you for your focus on that. Id like to ask miss rich whether you believe under your Current Authority you can take action against some of the makers, the manufacturers, who may be knowingly or unknowingly promoting misuse or abuse of this technology. To date, we have taken action. We did take action and litigated a case against a promoter of a seller of spyware that specifically sold it so that you could capture the movements of somebody secretly. And we did that under our existing authority. We also, i mentioned before you came in, we brought several cases against companies that either under our deception or unfairness authority, shared geolocation without consent or notice to consumers. So we do have authority, but we do need to prove deception or unfairness. And, um, we the, across the board noticed consent requirements with exceptions for legitimate use that are in the proposed law, would make it easier for us to enforce. So you would welcome this additional measure . We very much support the goals and the basic provisions of the bill, yes. You plan to have round tables or workshops or other means of increasing Awareness Among students and others . We recently had a seminar on mall tracking which is not about stalking, but its about the use of gps to track consumers consur movements in stores. I think that raised awareness about the use of geolocation and we will be issuing a report on that. We continue to have workshops and seminars on Consumer Protection issues like these. Thank you. Thank you, mr. Chairman. Thank you, senator. Im going to ask just one little short question of ms. Hanson, and it is mainly a short answer, i think, that will be required. The latest statistics we have on the prevalence of gps stalking from a 2006 study conducted by the department, back then an estimated 25,000 people a year were victims of gps stalking. That was, again, 2006, before the explosion of smartphones. Today, the vast majority of adults own a smartphone and most of them or cell phone and most of them a smartphone. So we just intuitively know that the rates of gps stalking muffin creased since then. My bill will institute regular reporting on gps stalking, but in the meantime, will doj update statistics on gps stalking as soon as possible and if there are barriers to that, will you tell me what they are . Yes, thank you for that question. This is a onetime supplement we had put out in 2006 that was funded by the office on violence against women. Since then, as i said in my testimony, the National Intimate PartnerSexual Violence survey came out in 2011, and the National Institute of justice has been working with the cdc on that. There are questions about stalking and what i would like to do is go back and talk to folks to make sure that to identify if theres any additional stalking questions that might be helpful to be asked by the department. But i would be happy to go and look into that and get back to you on that. So thank you. Thank you very much. I have some questions that ill submit to you for the written record, but i would like to thank all three of you for your testimony and invite up our second panel. All right, thank you. All right. Thank you all. I would like to start by introducing our panel. Detective brian has served in the Sheriffs Office since 2000 and has been a detective with the criminal Investigation Division sense 2008. Detective hill is an expert in Digital Forensics and trained over 3,000 Law Enforcement officers, prosecutors, judges and advocates across minnesota on the use of technology that facilitates stalking. He himself was trained by the Minnesota Bureau of criminal apprehension, the fbi and secret service. He also served our country as a member of the air force reserves and was deployed for two years for the wars in iraq and afghanistan. Very grateful for your service at home and abroad, detective hill, and proud to have you here. Thank you. Mr. Lou mestria is the executive director of the Digital Advertising alliance. He leads the daas effort on selfregulation, Consumer Transparency and consumer choice. He is a certified Information Privacy professional and served as the chief privacy officer for a range of organizations. Thank you for being here. Ms. Ally greenberg is the executive director of the National Consumers league and has testified before congress on a variety of issues, including fraud and excessive fees on car rentals. Previously she worked at the u. S. Department of justice in the antidefamation league. She was born and raised in minnesota and a graduate of southwest high school, close to where i grew up. Dr. Robert akenson holds a ph. D. From unc chapel hill and published author on economics and technology policy. Before founding itif, he was Vice President of the Progressive Policy Institute and director of the new technology project. Welcome. Ms. Cindy southward is the Vice President of development in innovation at the National Network to end Domestic Violence and founder of the safety net project. Shes one of the nations leading experts on stalking apps and trained thousands of people across the country on stalking apps and the use of technology to facilitate stalking. Thanks to all of you again for joining us. Your complete written testimony will be made part of the record. I will note for the record that ms. Southworths written testimony is also being submitted on behalf of the Minnesota Coalition for battered women. So why dont we start with detective hill. You each have five minutes for eye opening remarks you would like to make. Detective hill, please go ahead. Chairman franken, and distinguished members, thank you for the to appear to testify about Law Enforcement support of the location Privacy Protection act of 2014. Since 2008, ive been a detective with the criminal Investigation Division of the Sheriffs Office in minnesota. I investigate felony and Sexual Violence cases with access to the county state of the art forensics lab. Im a computer mobile device forensics examiner investigator. The written testimony i submitted details of my training, certifications and professional association memberships. Why is this legislation important . Imagine the trauma of surviving domestic and Sexual Violence. Now add signer stalking to that trauma. Safe as we all use our cell phones to work, bank, text, access the internet, email and pay bills, stalking apps are a tool to isolate victims from the functions and social connections their phones provide. Including isolating them from contacting Domestic Violence advocates or Law Enforcement. To be rid of a selfstalking app, victims must buy new phones, create new email accounts and change all passwords. Victims live with the frightening uncertainty of whether the stealth stalking apps are really gone or if they will reappear after removal. Privacy and peace of mind continue to be violated by this uncertainty often long after they have bought new phones or changed passwords. I worked with a victim who suspected that her estranged boyfriend put spyware on her phone. She stated he knew about private phone conversations and Text Messages and he would show up randomly where she was. I examined her phone and couldnt determine if there was any spyware. Later, i found her computer had accessed a stalking program. There was then proof that the program was installed on her phone. I worked with her on the expensive and complicated task of getting a new phone and email account on a safe computer. In the last three years, our mobile forensic exams in our office have increased by 220 in three years, averaging 30 exams per month. After seven years of experience, i continue to discover new apps. For instance, we are investigating an attempted murder in the context of Domestic Violence. Tspy advertises itself as a 7 Parental Monitoring software which can be installed on smartphones to track Text Messages, calls, gps location and basically any phone data. As in the case of discovering tspy, i become engaged in a frep sicks investigation after victims detect signs of digital wrong doing. They notice patterns that the abusers knowledge of the victims life and whereabouts when the abuser has no way of knowing. Stalking apps are frequently used in misdemeanor Domestic Violence cases. Most Law Enforcement agencies do not have the resources, equipment, staffing or training to examine mobile devices for stalking apps, which can limit Data Recovery for potential evidence. We are fortunate to have eight different tools and dedicated staff. Because of our resources, other counties and agencies request our assistance. In a survey by the Minnesota Court for battered women, advocates indicated cyber stalking was the number one priority. Because technology is frequently used to stalk victims and violate protective orders. To address the need for training on cyber stalking, i have worked with the Minnesota Coalition for battered women and its 80 plus member programs to train over 3,000 domestic and Sexual Violence advocates, Law Enforcement, prosecutors and judges since twi2009. Strained resources and lack of awareness undercut Law Enforcements abilities of cyber stalking. This erodes Victims Trust in the criminal justice system. A common abuser tactic is to convince the victim shes crazy. Victims then feel more crazy when they report the abuser has installed selfstalking apps only to be told we dont believe you or we dont have the resources to examine your phone. When Law Enforcement cant identify and respond to cyber stalking reports, victims stop reporting crimes and abusers win. This act is a major step in addressing the problem. The most important part is that app also be required to notify the user a second time. 24 hours to 7 days after an initial installation about the tracking implications. Victims will be notified when the perpetrator doesnt have access to their phone. In human trafficking, when craigslist no longer allows certain ads, the company backpages. Com emerged and now runs those ads. By beening stealth gps stalking apps, we make it unprofitable for the companies to make these programs which decreases access to them. Additionally, the act brings Public Awareness by requiring information gathering, reporting and training grants for Law Enforcement. Finally, the act supports victim safety by requiring all apps Share Location, making sure a stalking app cant disguise itself as a family tracking app or as a flashlight app. I urge you to support in act. Thank you again to the committee for reviewing my testimony and for your support of Law Enforcement efforts to keep victims safe. Thank you, detective hill. Mr. Mastria . Chairman franken, members of the subcommittee, good afternoon and thank you for the opportunity to speak at this hearing. Im the executive director of the Digital Advertising alliance and pleased to report on how industry has extended its Successful Online program to mobile to ensure consumers have access to the same transparency control in mobile as they do on desk top. Of particular interest to this and an easytouse tool to withdraw such consent, leaving the consumer in charge. Last year, the d. A. Released its mobile guidance. This important selfinitiated update to our principles reflects the market reality that brands and customers engage with each other on a variety of screens. The d. A. S across the industry nonprofit these organizations originally came together in 2008 to develop selfregulatory principles to cover the collection and use of web viewing data. In 2012, the Obama Administration publicly praised the program as a model success. And more recently, commissioner olhaasen was quoted as calling it one of the Great Success stories in the privacy space. The internet is a tremendous engine of economic growth. Mobile advertising in the u. S. Totals more than 7 billion last year, more than 100 increase from the year prior. Revenue from online and mobile advertising subsidized the contents and services we all enjoy. Research shows that advertisers pay several times more, general rating more revenue. Simply stated, companies have a very vested interest in get thing right. Selfregulation like the daa is the ideal way to address the privacy and online and mobile advertising. While preserving innovation. It provides the industry, as demonstrated by the mobile updates to our program, with a nimble way of responding to new market challenges presented by a still evolving mobile ecosystem. The program applies broadly to the diverse set of actors that Work Together to deliver relevant advertising. The principals call for enhanced notice, consent for location data and strong independent enforcement mechanisms. Together, these principals are intended to increase Consumer Trust and confidence by increasing transparency and control. The Mobility Program leverages an already successful universal icon to give consumers transparency and control about Data Collection and use. In april of this year, daa issued specific guidance on how to provide this transparency tool in mobile. This will provide companies and consumers a consistent, reliable User Experience in the multiple screens on which they interact. This will provide companies of consumer friendly way this advancement builds on the unprecedented level of industry cooperation, which has led the daa icon being served globally more than a trillion times each month. In the coming months, daa will release a new mobile choice app, which will empower consumers to make choices about Data Collection through mobile devices, including application. Of particular relevance to this hearing and today, cyber stalking is a serious issue as was detailed earlier. But criminal activity is separate and apart from the commercial uses covered by daa. I want to note daas stringent requirements for the collection and use of precise location data for commercial purposes. The Program Requires consent prior to collection and the provision of an easytouse tool to withdraw such consent. We have required privacy friendly tools, including notice in the down load process, notice at first install or other measures to ensure that companies are transparent in a consistent matter about Data Collection and consumers can make informed choices. To ensure that both the mechanisms we require are used and the Consumer Choices are honored, we rely on our accountability programs. Accountability is a key feature of the daa program. All of the principles are backed by the Better Business bureau and the direct marketing association. In summary, i would submit that the daa is a story of empowering consumers through transparency and control. It has adapted consumer controls to meet quickly evolving market changes and Consumer Preferences and done so while responsibly supporting the investment necessary to fund lower cost products and services desired by consumers. Im pleased to answer any questions you might have. Thank you, mr. Mastria. Ms. Greenberg . Good afternoon chairman frank and members of the subcommittee. Im sally greenberg, executive director of the National Consumers league. The league was founded in 1899 and is the nations pioneering consumer organization. Our Nonprofit Mission is to advocate on behalf of consumers and workers in the United States and abroad. The Supreme Court justice who served as the general counsel, note t in a landmark 1928 decision the right to privacy is the most comprehensive of rights and the right most valued by civilized men. We could not agree more. Privacy is a corner stone of Consumer Protection and a fundamental human right. The ubiquity of smartphones and other mobile devices has changed the way consumers interact with the digital world. Thanks to the widespread use of location data, consumers can navigate to their favorite coffee shops and be more easily located by Emergency Response providers. This technology has provided immense consumer benefits. However, as the data has become a part of the mobile ecosystem, so too has Consumer Concern over the use and misuse of these data. According to a Consumer Reports poll from 2012, 65 of consumers were very concerned that smartphone apps could access their personal content, data and location without their permission. A similar poll showed that 82 of those surveyed were very or somewhat concerned about the internet and smartphone firms collecting their information. This should not be surprising. Up like location data gained from a nonmobile device such as a desk top computer, data from mobile phones is inherently personal and can be used to learn and possibly disclose information that in many cases consumers would rather be kept private. Justi justi justi Justice Sotamayor noted this consent amok consumer and privacy advocates and consumer and Government Agencies such as the gao and ftc we just heard from a moment ago is that there is no adequate legal frame works protecting location data in the current and ever evolving mobile ecosystem. Absent such a frame work, consumers must rely on business to adhere to Company Policies and industry practices. That is why we believe so strongly that this bill is absolutely necessary and it will help to protect especially sensitive types of information that consumers use such as location data. S2171 would do just that, this bill could establish a level Playing Field of businesses that seek to collect and Share Location data and help to restore Consumer Trust and ensure that the benefits of this Technology Continue to flow to consumers and the economy and protecting Location Privacy. In particular, we believe that the bills provisions will allow consumers to take control over their private Location Information, giving them the right to choose to share that information or not, and be informed how their location data will be used and by whom. And by prohibiting socalled stalking apps we have heard about, the law will appropriately outlaw a class of inherently predatory applications that can compromise personal safety of Domestic Violence victims. No federal law prohibits these apps. In addition, we believe that the section providing for private rights of action are critical. Given the limited resources of federal enforcement agencies, a narrow he defined right of action would cap damages, while addressing industry concerns about abuses of that private right of action. In closing, i would like to reiterate the strong support for s2171. Consumers expect and deserve the privacy of their location will be protected. Absent such protections, it would will harmful to invocation and the economy as a whole. Thank you on behalf of the National Consumers league and americas consumers for your leadership in convening this hearing and your invitation to testify on this issue. I look forward to answering any questioning you may have. Thank you, ms. Greenberg. Dr. Atkinson . Thank you. Thank you, chairman franken and Ranking Members. I appreciate the opportunity to submit testimony today. Im president of a think tank focusing on policies to support technological innovation. This proposed legislation addresses two very distinct and unrelated issues. One is commercial use of geolocation by third partying. The second is the use of that information by individuals, particularly around stalk, since these issues are separate and unrelated, ill address them separately. The issue of limiting the collection of geolocation by third parties in our view would stifle innovation in an area that is rapidly evolving. Weve seen in the last few years tremendous growth in Location Based Services and importantly the u. S. Has led in this. The top ten Internet Companies in the world, eight are american. This is in part because our approach to regulation in this fastmoving digital age has really been to not regulate ahead of time, unlike europe, which is home to none of those ten internet firms, they have embraced the principle to regulate well in advance of any real harms. This principle is location for Location Based Services especially, in part because theres tremendous innovation happening, and innovation that will continue to happen and well probably see more innovation in the next five years than in the last. Things like incar navigation, connected devices making up the internet things, facial recognition, these are all interesting and important technologies and unfortunately dont lend themselves to a slower moving regulatory process. I would support what mr. Mastria said about industry led selfregulation being a better approach. Clearly as we heard from administrator rich, the ftc has already taken actions and in our view has significantbi