Skip to main content

tv   [untitled]    December 27, 2013 2:30pm-4:31pm EST

2:30 pm
we need to allocate their resources. hopefully that is something that will enable us to look at risk, put more money there and there is less risk, be able to the list wanted to in terms of weight we can do to help you work better, just give us one good idea and speak very briefly. >> i'll start. in some ways, sir, you have answered my question. or you have given my response. it is recognizing that this country, there are a number of risks that we face. it is a large country, and part of the conversation that we have to have it both the department of homeland security and the administration as lawmakers and with the american public is we can't medicate every threat. and so it is understanding fellows that will have the most significant consequences and ensuring that we are having a conversation about how we go about mitigating them, that we have the resources, the personnel to go about doing it. so having the conversations that
2:31 pm
we have debate and over the course of time are, i think, what's critical. you have already taken steps by moving away from sequestration. that will be helpful to us as well. but again i think that recognizing that we have to manage risk and that we can't prevent every incident, and as long as we are adapting. >> general? >> yes, sir. the federal protective services to the be very brief, very brief. >> we have to work and we've our way through both state, local, federal, and civilian contractors environments. and we do that with a very small force. your help in helping us to -- your support in helping us move through and navigate through some of those areas is critical, quite frankly. because we are trying to look
2:32 pm
out and predict, if you will, what is coming down the road to keep our people safe. and we really need the support of folks like yourself and this committee to help us see through that and help us to work through some of these challenges. >> brief response, please. >> we believe that continuing to evaluate those employees who have access to classified information and to our facilities is critical, and we need to have resources to be able to conduct those evaluations. we need to have access to records that are sometimes publicly available, sometimes not available in order to do those evaluations. general support for that approach to doing business i think is essential. >> all right. thanks. senator ayotte, before you arrived i was think senator heitkamp was here, we were
2:33 pm
blessed to have four former state attorney general's on this committee that really adds a great deal of expertise in this particular area, so welcome. >> and one. i want to thank the witnesses for being here. i wanted to follow up with you, mr. lewis, and ask you about how other dod policies might affect the security clearances at facilities. and then those who can gain access to them. in particular, just the thought of whether any duty regulations that need to be reviewed or revised. for example, the current discharge regulation and how to implement it. as i understand it, in the case of mr. alexis, had he been dishonorably discharge that would've raised a flag, and that would have gone right directly to his fitness to hold his security clearance. could you help me understand in light of this case, is this
2:34 pm
something that we need to think about? one of the things, i'm wondering about is, well, is the whole breakdown with the reach out, obviously that was beyond -- is there anything that we need to do on the mental health and here looking back on this? and i understand that 2020 -- it's always 2020 when you look back in something and you can see things that you didn't see at a time. but what i'm trying to understand is there anything we need look at the interment on those two issues from the dod perspective or anything we can do -- i also served on the joint armed service committee, on the committees we should be doing? >> i do not believe that there are issues with how the discharges occur. and not to get into specifics, but generally based on what was
2:35 pm
known at the time of his discharge, it was not considered to be an unusual determination as to an honorable discharge in that particular case. but the larger issue is how do we collect, how do we identify and collect relevant information that allows us to constantly adjust our perspective about certain individuals, and individuals were entrusted positions? that's really the challenge. i hate to keep blowing the same horn, but that continuous evaluation process, not just collecting information but having the staff available to evaluate the information and take action on that information, to me that is the real issue. >> well, i appreciate it. and then, of course, senator collins, senator mccaskill, senator heitkamp and i also have
2:36 pm
one whether do random checks that would be important is welcome at the receiver security clearance. instead of a pretty lengthy but right now upon which there's the review unless there's a reason something is flagged. i wanted to ask also, mr. lewis, general lewis, what steps have we taken -- i'm sorry, general patterson. i apologize. general patterson, what do you see as we look at this whole situation now with what's happening at the navy yard that you're already implement and to make sure that we don't find ourselves in the same situation? we can legislate but i know you're reviewing the whole situation and understanding what steps are already taking and a positive action that you can talk about? >> yes, ma'am. within the federal protection service we are working very closely with our federal partners to look at again processes and procedures for folks coming and going into
2:37 pm
federal buildings. we are also looking at our communications processes as well as to one of the challenges during the navy yard was the fact that so many of the responding agencies, the level of communication and how do you do that. so we are looking aggressively at how we do that, not just in the washington, d.c. area, but across the united states. because in a crisis situation, communication becomes critical, and as such, good time adjudication is essential hopefully to a positive result. so we are looking at a variety of areas and taking lessons as they come about from the navy yard as to how we improve processes across the spectrum within the federal protective services. >> thank you very much. i also wanted to ask you, mr. patterson, is it accurate to say that -- general patterson --
2:38 pm
is it accurate to say that fps doesn't use a risk assessment tool consistent with the interagency security committee's standards? trying to understand where we are with this. i know that there was also a report from gao that fps's interim assessment tool wasn't consistent with this assessment standards because it excludes consequence from assessments. and i want to understand if there is a difference, why isn't there. is it something we should be more uniform are putting in place, or is there a reason for its? >> there is a reason, and we have just built what we call a modified infrastructure survey tool, and that particular to was developed from ip, infrastructure protection folks within the department who didn't -- were developed that to a
2:39 pm
repeat of about six or seven years. we thought that this was a tool that we could modify, and because it brought what we believe all of the areas of the isc requirements to bear. now, so what we look at with our tool is specifically bone ability. that's what the tool is for, to look at the bone ability of a facility. separate from the vulnerability peace we also do a threat assessment. we connect with the joint terrorism task force, with local law enforcement, with any number of agencies out there to get what we believe a very in depth comprehensive perspective on the threat that we also provide to our federal partners. the peace that is not part of the process is the consequence peace. we haven't figured out how to do that yet within a federal facility. >> what was -- what does that mean? >> that's one of the things we're working on with the isc
2:40 pm
for a better design. what is a winner asking for consequence within the federal sector, what is it you're looking for? we know that when we help a federal partners begin to pull together and understand their emergency occupancy plans, that we help them to understand and we go to the consequence peace. when they look at that, after studying the federal security level, we're also looking at the consequence peace. we haven't figured out yet how to incorporate that in an algorithm method that will allow us to provide a reasonable and rational meaning if you will take consequent, to let's say the least facility. we are fairly certain that folks like irs, social security and others have stepped through the consequences of losing a
2:41 pm
facility or if it was an event something happened to the facility. we haven't figured out yet how to incorporate that into a tool. that's something we're working on to figure out. >> i appreciate your answer and want to thank all of you. look forward to working with you on this important issue. thank you. >> thank you, sir and a yacht. at this point i'm going to excuse this panel of witnesses, and thank you again. thanks for the work -- i would you say as you head back for work from here, just keep in mind, all those people, hundreds of families who lost loved ones in oklahoma city in that bombing, keep in mind those at fort hood who lost their loved ones. keep in mind if you will the families of the 12 men and women who died at the washington navy yard. and just think of them as we
2:42 pm
celebrate christmas or some other way, the holidays, the families sitting around the christmas tree, their dining room table and there's somebody missing. there's somebody missing. we need to do our dead level best every day to ensure that those number of indie chairs, people who are not around because of a tragic like the ones i just mentioned, keep their families in mind and that touches energized our efforts going forward. this is not just about process. this is not just about gao recommendations and comply with recommendations. this is about saving people's lives and make sure they have a good life and share that life for a long time with their families. take it with you, and thank you.
2:43 pm
>> [inaudible conversations] >> [inaudible conversations] >> to our second and final panel, welcome. we are glad you could join us. just very briefly introduces and then welcome the statement and have a chance to ask some questions. our first witness is mark
2:44 pm
goldstein, director for united states government accountability office, gao as was mentioned earlier, investigative audit arm of the united states congress. we're grateful for the work that you and your colleagues do. mr. goldstein is responsible for government property, critical infrastructure and in telecommunications. at the request of this committee, and i think of the congressional committees, gao has conducted 12 reviews of federal facility security federal protective service became part of the homeland security and 23 caching 2003. planning and budgeting for security and challenges hampering protection of federal agencies. the second witness is stephen amitay -- is the emphasis on the
2:45 pm
first syllable? good. executive director and general counsel for the national association of security companies. mr. amitay has worked with congress, federal agencies and government accountable office, focus on facility security since 2006. final witness, david wright, mr. wright is present of the national protection and american federation of government employees. mr. wright has served in his present passably since 2006. and mr. wright is a 27 year veteran of the federal protective services, last served as inspector. mr. wright rings a wealth of expensive with me and work with the agency and congress to find
2:46 pm
solutions to many of the challenges facing federal protective service. we thank you for all of that. we welcome you. you will each are invited to summarize your prepared statement in about five minutes and your entire state will be made a part of the record. thank you for joining us today. let me ask a question. were you all here for the first panel? raised her hand. great. thanks for staying for yours. you are recognize, mr. goldste mr. goldstein. >> thank you, mr. chairman, members of the committee. thank you for the opportune to testify on issues related to federal protection service and protection of federal buildings. as part of the department of homeland security the federal protective service is responsible for protecting federal employees and visitors an approximate 9600 federal facilities, under the control and custody of the administration. recent incidents of federal facilities demonstrate the continued bone ability to attack or other acts of violence. talpa published its mission sts connects the two security
2:47 pm
assessments and that's approximate 13,500 contract security guards deployed to federal facilities. my testimony discusses challenges we face in first ensuring contract guard are deployed to federal facility and properly trained. and conducting risk assessment at federal facility. it is based on jails were issued from 2008-2013 risk assessment and programs and preliminary results of geos ongoing work to determine the extent to which fps and select federal agencies facility risk assessment methodologies align with federal risk assessment standards. our findings are as follows. first fps faces challenges in turn that contract have improperly trained and certified before being deployed to federal facilities around the country. in our september 2013 report we found a providing active should respond in screener training is the challenge for fps are for example, according to guard companies, the contract guard
2:48 pm
have not received training on how to respond during incidents involving an active she did it without injuring all guard received training on how to respond to incidents at federal facilities, involving an active should come fps is limited assurance that the guards were prepared for this thread. similarly an official from one fps contract guard, one fps contract recovery stated that 133, about 38%, of its 350 guards had never received screener training. as result the guards deployed at federal this is maybe using x-ray, magnetometer equipment but they're not qualified to use which raises questions about the ability to screen access at the gao facility. one of their primary responsibilities. gao is unable to determine the extent to which the guards have received active should respond in screener training in part because fps lacks the competence and reliable system for guard oversight. fbs agreed with gao's 2013 recommendations they take steps to identify guards that are not
2:49 pm
required training and provided to them. g. also found fps can just like effective management controls to ensure its guards have met training requirements. although fps agreed with our 2012 recommendation that they develop a comprehensive and reliable system for managing information on parts training, certification and politician, it does not yet have such a system. fps continue to face challenges assessing risk at federal facilities. gao reported in 2012 fps does not assess the risk at federal facilities in a manner consistent with federal standards. gao spent in a result from a tank we work on risk assessment at federal this was indicated it still is a challenge. federal standards such as national infrastructure protection plan to risk management framework and provision state that a risk assessment should include threats, phone number and cost assessment. risk assessment help decision makers to identify and evaluate
2:50 pm
security risks and implement protective measures to mitigate that risk. instead of conducting risk assessment, they're using an interim vulnerability assessment tool referred to as a modified infrastructure server tool, mist, to assist federal facilities. however, mist did not assess the consequence, resulting from an undesirable event. risk assessment experts jia spoke with jim agreed that a tool does not estimate consequence does not allow an agency to fully assess its risk. they have limited knowledge of risks based at about 9600 set of facilities around the country. fps official stated they did not include consequence information in mist because is not part of the original design. gao will continue to monitor this and plans to issue report on this issue early next year. in response to recent report, we have agreed with recommendations
2:51 pm
in our 2012 and 2013 reports to improve fps contract guard and the risk assessment processes. mr. chairman, this concludes my opening statement. i would happy to answer questions. >> mr. amitay. >> chairman carper, serna ayotte, my name is stephen amitay and an executive director for nasper, national association of security companies. it's nation's largest contract degree trade association with member companies employed more than 300,000 security officers across the nation servicing governmental clients including numerous federal agencies. nasc works with officials at every level of government to put in place higher standards and requirements for security companies and private security officers. of most relevant today's hearing since 2007, nasco has worked with congress, fps and gao on issues and legislation related to the federal protective services protected security
2:52 pm
officer, pso program. nasco also recruited federal security committee on its 2013 best practices for armed security officers in federal facilities. not including the military services that are boxing 35,000 contracts at the officers across the federal government and the use of contract security is a proven, effective and cost efficient countermeasure to reduce risk and mitigate threats at federal facilities. to further ensure security at federal securities, fps and its security contractors need to work together to address issues and challenges with the pso program that gao has identified over the past several years. at the same time improvements need to be made to other elements in the risk assessment and threat mitigation process for federal facilities. these elements are governed by isc standards. however, as gsa has found out and as we learned earlier today,
2:53 pm
often the requirements of the isc standards are not met i federal facilities. one critical element in this process is the decision to implement specific security countermeasures for its facility. ngsa owned or leased buildings, fps is is possible for conducting the facility to security assessment and recommending countermeasures. but trendy as you noted in your opening remarks, the decision template those recommendations or put another way, the decision to mitigate risk or accept risk is solely up to the facility security committee, or the fsc, which is made up of representatives from facilities. however, again, as gao has found, quote tenant agent representatives to the fsc generally do not have any security knowledge or experience but are expected to make security decisions for their respective agencies. a lack of experienced decision-makers on fscs is something that security contractors have witnessed her stand and it calls into question
2:54 pm
whether fscs are making informed risk-based decisions regarding the mitigation or acceptance of risk. of course, tight budgets have put pressure on agency to accept more risk. in the end, countermeasures deemed necessary for sigir should not be rejected because of a lack of understanding or and and willingness to provide funding. tracked in support strength for fsc members as most teachers being able to challenge and fsc over noncompliance with standards or decision not to implement countermeasures. old provisions were and legislation that was passed last congress by this committee. as to addressing the issues with fps, pso program that gao has identified, as most other issues of the program, while fps pace may not be as fast as dsl and to get a contractors would like, none the less fps commitment to improve the pso program is not questioned under been substantial progress made.
2:55 pm
since the appointment of the director patterson, the degree of dialogue and breath of cooperation between fps and to get a contractors has been unparalleled and currently fps and security contractors are working on a host of initiatives to improve the pso program. to address the lack of fps resources to provide critical pso extra and magnetometer training, fps is about to launch a pilot program developed with nasco that will train and certify contract instructors so that they can provide this important trend. fps is also moving to increase active shooter training for psos, and wisely they're looking at what other federal agencies are doing in this area as well as seeking input from security contractors. fps is working with nasco to revise and standardize the pso training lesson plans and his plan to require that security contractor instructors be certified for all areas of pso training. fps is come out with a
2:56 pm
much-needed revision of the security guard information manual, and it cover to instruct pso somehow to act and not following it is considered a contract violation to the format of this new version will also allow for making revisions as needed. one area that needs further review of the instructions related to a psos ability and authority to act and potential liability for acting in extreme situations such as active shooter as is provided to contract security officers of some federal agency congress but want to consider providing dhs the statutory authority to authorize psos to make arrests on federal property. fps is also working to improve pso post orders and improve its management of pso training and certification data. for this latter effort nasco strongly recommends fps export commercially available technology. in conclusion much still needs to be done to address the pso program issues raised by gao. however, fps has come a long way
2:57 pm
in the past decade with its contract security force. nasco looks forward to continue to work with fps and congress to improve the security at federal facilities. thank you. >> thank you so much. [inaudible] >> make sure your microphone is on. we want to hear every word. >> chairman carper, send ayotte, thank you for the opportunity to testify at this important hearing. i'm david wright, president of the american federation of government employees, local 918 which represents federal protective service officers nationwide. i'm also an inspector with the fps. we are committed to the critical homeland security mission of securing our nation's federal buildings, but are important issues that required resolution. federal employees and facilities are extremely vulnerable to attack from both criminal and terrorist threats. i want to assure you that my fps law enforcement officers are
2:58 pm
trained, equipped and competent in responding to active shooter attacks. and i am appalled that bureaucracy and inefficiency restricted our fps law enforcement officers whose office is less than one mile away from navy yard from assisting with the pursuit of the active shooter. basically, it's because the navy does not pay security piece to the fps. congressional review of fiscal security at federal properties must be viewed in the context with the leadership required to accomplish the fps mission. which to say the least, remains unfocused if not broken. at all levels. fiscal sector to place a significant role in protection of all occupants of federal buildings, but the frustrating, efficient and outright wasteful bureaucratic system of implement and physical security to countermeasures through a flawed facility security assessment process, and implementation by facilities security committee who have to divert their mission
2:59 pm
funding is i can be and not to security. security in the dirksen senate office building is not based on individual senate offices ability to pay. why should other major federal facilities be different? the fps expected workforce is constantly beleaguered by new and/or modified security assessment programs, and individual conflicting management demands throughout the assessment process. i've lost confidence in the ability of the national protection program director at to resolve this wasteful process. i understand the department science and technology directorate has offered to make the integrated rapid officials screening tool compliant with the isc. it was tested by both general services administration and officials at the federal protective service. i think that would be a good start to ring again our assessment problems. the use of private contract security guards at major federal facility is a risk.
3:00 pm
they are basically limited to the arrest powers of a citizen. the proactive law enforcement patrol and weapons screening at this building is accomplished by federal police officers who have the lawful afford to respond to active shooters, and how can we demand less to federal buildings with thousands of occupants? ..
3:01 pm
when he arranged to buy a system from his neighbor on behalf of the government. the punishment of a three day suspension is the opposite of accountability. i've been told there are other instances of misconduct by equal and even higher ranking officials. after accountability is established, performance across the board can improve with focused professional and ethical management that builds on best practices in the regions. give our inspectors and police officers and tools that work in direction on priorities and will make sure the job instead. in conclusion, federal employees and the public they serve deserve the best and most effective protection we can provide. they're not getting that now, an expeditious and fair action by dhs and congress is required. once again, i thank you for this opportunity and i'm available for questions. >> mr. wright, thank you for coming and for your service. senator ayotte for the first
3:02 pm
question that this panel. senator ayotte. >> thank you, mr. chairman. i appreciate that. i want to ask rest mr. goldstein is particularly on the gao report and what you have found. it really troubles me when we think that there is no comprehensive, i believe you described a strategy or oversight model. and then, the fact we are not sure how many people are receiving. there's certain that category receiving act of duty shooter training and/or screener training. how can we from the gao perspective -- what is your recommendation in terms of the policy is how we can do this as quickly as possible to address this problem? >> thank you, senator. we been concerned with respect to active shooter training and training on magnetometers that
3:03 pm
fps has not done a good enough job at ensuring that his contract guard work force is able to get that training. one of the problems of the active shooter training, which i think people don't understand, though, is it is a small part of one part of the training they receive anyhow. they get kind of a special training or two hours, which covers special events of various kinds that might occur in a building. out of 120 hours to receive overall, only two hours go to a special event is only a fraction of that actually covers active shooter training. it's important to recognize contract guards are not really getting active shooter training for the most part. we are concerned they don't have enough training in the area. sanest roofer of magnetometers. when gao did penetration testing
3:04 pm
and penetrated all 10 buildings we try to get into in a variety of different cities with bomb making materials, we found out timecards did not have the requisite training to be a post and we find now, several years later, but many guards still do not have that. >> manage the contract guards. >> yes, ma'am. >> let me ask mr. wright, with respect to the agencies that can pay the fee, how does your training differ? how does the training of the individual i understand would work, maybe i have this wrong, but what worked in the federal protective service union. you know, when i look at this training issue, do you know how the training differs? the >> as federal law in person officers, we complete our training that the federal law enforced the training center. >> said he would go through the same veteran training of any law enforcement officer? the
3:05 pm
>> yes. there is a slight difference. we are talking contract guards. they are stationary at their pose, whereas our federal protective service inspectors and police officers are mobile. >> and if he were to the point of your testimony, if you were to provide the services, for example, at the navy yard at the federal protective service, just so i understand, would you do more of a roaming capacity? the capitol police officers actually seen that the magnetometer when we walk through. i'm trying to understand physically what this would look like. >> that is the model i would look for is a model that works at the capital and capital buildings that you would have federal officers began their career at the magnetometer, at the x-rays before they promote up and gain seniority and go out into the field. >> and i want to understand, is
3:06 pm
there other agencies with regard to this training issue on the fps contracting issue, is this something we are facing beyond the navy yard? is in the contracting issue in terms of the training issue goes well beyond the navy yard facility. is that true, mr. goldstein? >> the work we've done here focuses on sbs. we have not looks at contract guards situations. >> it would be focused here on the navy yard. >> ray. we have found that the training overall that fps is given, by nasa, the pentagon force protection, kennedy center. they remind generally with the kinds of training you would give to a contract guard at the federal facility. the problem is implementing it. that's where we seem to see the
3:07 pm
falloff is ensuring the guards are actually getting. >> there's basically no accountability. we can check out the training box, but no one is saying this person has done it. we are tracking them. basically no one person is setting, you have to do a certain amount of streaming you have to complete every year and that is part of being in that position. that isn't happening with this? >> excuse me, i senator coburn noted, those are contract requirements to have your protective security officers have to require training and certifications. that would be a contract violation. >> so we are entering contracts or recount of every choir to train a preening? >> with the x-ray and magnetometer training, of the 132 hours of required training for fps security officers, contract guards, 16 hours are
3:08 pm
provided by fps, eight of which is x-ray bag screening. fps's inability for their personnel to provide that training is an issue that the gao has noted. that is not a matter of the security contractors not providing the training they require to provide. >> we're not providing training for security contractors come in but we should be reviewing contracts to make sure to properly prioritize the type of agreement were brokering for background and training, shouldn't we? >> there's a couple issues. one is, as mr. amitay says correct me, it is not providing in many cases the training they're obligated to provide. on the other hand, fps is also not gaining the assurance that he is a contract guard companies themselves are providing the training that they are obligated to provide. they're not doing enough for the
3:09 pm
checks and certifications. >> who is watching all of this? you are watching that, but who within the chain of command, and meaning to management of this is making sure it gets done? >> each region is supposed to go through a process to assure themselves into checks and audits. some regions have not done it. some have not done at any random fashion adult with a but they could gain assurance. some have done it. but we've gone in and looked at what they've done, not only did we find our own breaches in any case is a guards standing post about proper certifications and qualifications, we also found significant disparities between our review in the review fps had done as well. >> i think also some of those disparities are in the documentation per se. i think there are instances where the guards have received required training. they do have required certifications, but there are
3:10 pm
issues with the documentation. with certain medical requirements. some require a licensed physician and others could be a nice bright visionary. gao might come in and looking at what the current requirements are for licensed physician and see this ps i'll was kind of banners practitioner and is in violation. >> i know my time as i peered what we talk about here is the documentation on this training for the most important focus here, the screaming and active shooter training. >> it was a wide variety of issues. we've got not just the magnetometer, but we found 23% of files we reviewed contained no documentation for the required training and certification. this could be firearms training, drug testing. no indication fps we reviewed is
3:11 pm
across the spectrum of the certifications cards need. >> my time is up. >> thank you. thank you for those questions. we'll ask two questions. the second one i am going to ask, i like to ask in a couple situations like this, different panels, different points of views, a broad range of perspectives to testify and answer questions. i want you to beach pic may be one -- we will say to you. go back to what you hurt one another saying in response to the testimony, response to questions. in fact, the first panel, some of the things they said in the testimony and just thinking about takeaways for us. you would just like to put the
3:12 pm
exclamation point behind it. keep these couple of points in mind. these are really good takeaways. that's my second question. seal be thinking about that. the first question i have is for mr. goldstein. re: attack two days and some extent. i would say to be visited very, very briefly. in the past decade or so, you've overseen 12 independent reports of federal facility in the armed card programs. you collaborate with state and local law enforcement and human capital planning. gao has also conduct it covert testing. you talked about some of the stuff that's gone on at federal facilities. in other words, they tried to
3:13 pm
penetrate how secure they are. it's a little like what we do in the nuclear power plant world. how we can, for the record, how would you assess federal security facility today? over 30,000 feet, how would you assess federal facility security today? realizing way on a time continuum. we focus more and more going back to especially 1995. how are we doing today? getting better, getting worse? is an uneven? >> is very uneven, mr. chairman. yes, there have been improvements since oklahoma city and since the twin towers of course we have more focus on this area, more intelligence as well. some of the basic issues still remain unresolved. the kinds of issues he got up in some of your issues brought up
3:14 pm
this morning. they still do not equate information in the forefront in terms of getting into a federal building and making sure not only to people who stand on the frontlines of federal buildings are qualified to be there and can do the service they are being paid to do, that taxpayers are paying them for. more broadly, we are wisely using government resources in this area because we haven't defectively adapted a risk management process to the federal portfolio, virtually every building at a level three or level for security risk is treated in the same fashion. we don't prioritize across that portfolio in an effective way to make sure we are effectively spending government resources. i think we still have a long way to go. >> if a question is maybe you
3:15 pm
had to pick the next thing that the federal protective services are to be doing in order to further improve federal facilities, securities expeditiously as possible. i don't know if that's a fair question, but take a shot at it. >> we've talked a lot this morning about the two fundamental issues on risk assessment and contractors. while they are moving slowly, i think they're trying to move in the right direction in both of those areas. the area that is still the security community here and has come up a couple of times is the three leg will between gsa, federal security committees and fps in trying to get security at federal buildings. should there be a significant role for individual agents used within a specific building for people who don't have a lot of security back around.
3:16 pm
should they be making decisions about the government's buildings? by the isc has developed anders to try and improve the level and effectiveness of the federal security committees, that's an area they still need to spend more time in trying to figure out, is that the best way we can protect federal buildings? been that good, thank you very much. i am going to ask you to respond to my first question again. a pointer to really like to say of anything else you heard in this hearing, don't forget this. there's a few things we have to keep in mind. just one or two if you would. go ahead. >> if you will indulge the focus of this hearing was navy yard tragedy. just very clearly, right off the bat in regards to active
3:17 pm
shooter, look at our jurisdiction and authority. our guys responded to the navy yard. we were lasting two minutes away and we had people at the d.o.t., the department of transportation facility right across the street, ready to act his age and use their training and equipment. we were held back. that is just a real low level status. i need you to demand accountability. this committee, as referred to by mr. goldstein in 2009, after they penetrated 10 of our buildings, our sbs director sat here and committed to this committee that he would fix the national weapon detection training program. to this day, that program is not
3:18 pm
complete. >> are we making any progress? >> uneven. it is scattered across the nation. i think one of the big problems with fps is you finally have a vision or at least someone is a vision at headquarters. i guarantee you, once that vision these headquarters, it goes down to 11 different regions. i think three, four, five different senior executive service officials and the message gets lost. thereby once again reducing any semblance of accountability. we have 11 different regions and 11 different ways of doing business regardless of what our headquarters says.
3:19 pm
>> okay, thank you. mr. amitay. >> thank you. going off of what david just said, it is true that there is a vision now at headquarters. part of that is to standardize the training, to increase the training and the lines of communication with the regents do need to be improved. of those than a problem with fps, the fact intent to do with 11 different regions. they think you'll see as fps can't even mention the national weapon detection training program, which is basically the x-ray and magnetometer training for pss. that is a new program that requires six hours of initial training and eight hours of eight or pressure training to the current requirement of eight hours of initial training and essentially eight hours combined with 40 hours of refresher training every three years. that's a positive development. delivery of the training has
3:20 pm
been a problem and has been slow getting it out. i think fps realizes the inspectors really should not be doing training. that should be their mission and they're starting to turn this over. they want to turn it over to certified contract security and struck her's and we think that's a great idea that will allow for more cost efficient and faster training. also, an active shooter training. definitely, fps needs to be doing more with that. other regencies are ahead in terms of training contract security officers to respond to active shooter is immense. i've talked with several contract is in a basically say what those instructions opposed orders, there is some confusion for pss as to what they can do an active shooter situation. obviously, as the instructions do say, when you're faced with an active shooter and loss of
3:21 pm
life coming you can engage them. are they able to be more aggressive in terms of maybe detect being an active shooter. the person comes and has been really suspicious. can they get into the guys face and see what he's doing? i've been in told that at d.o.e., the active shooter policy for their contract security officers is basically don't let the threat contained in. i think fps is working to improve the training, to bring it up to a higher quality. they are working to monitor better their certification and training records. stay on them with it. there is technology out there. i sometimes cringe when they say we are working with science and technology to basically try to come up with a data management system, some theme as was
3:22 pm
pointed out, the contractors have greater integration in terms of a comprehensive data management system. so the fps contractors can no gao can know who does have the required training certifications. >> already. thank you. mr. goldstein, last word. >> thank you, mr. chairman. one quick clarification. gao's recommendation, there've been 26 between 2010 and 2013. buyer records, only four are in process and have been a process for three or four weeks. we will provide your staff at the exact information. >> is very interesting. thank you. >> three points brought up this morning, which is very relevant. i think it is important there be
3:23 pm
better clarity and to contract liabilities. we've interviewed dozens and dozens of contractors over the last decade, all of whom have felt they don't have clarity on what their roles and responsibilities our and when they can is for someone they when they can't use force. most have told us over the years that their companies have all been said, did you ever pull out your gun. don't you ever do anything with it. there is a lack of clarity in this area. the second is the role of the inspector at the federal protective service. it would be great if they were able to come as mr. wright has said, be able to roam around more, to be able to assure the security and buildings they responsibly for. they are doing other work. they're involved in getting contracts at the door. they're often still contract officers. the level of things that they are responsible for really precludes them in many instances from actually being out and about and be in the and ears and
3:24 pm
taking care of the police function they really have. that would be the second. the third finally as i don't believe there is much ordination at all based on the work we've done in the past with local and state police jurisdictions so that when tragedy does strike at the federal protective service has worked out in any kind of detail with local police jurisdictions exactly what kind of focus, what kind of approach, what kind of countermeasures they can take in the event of tragedy. more work needs to be done in that area as well. >> thank you all for being here. thank you for what you do with your lives. thank you for your preparation for this hearing and for your response to her question. mr. goldstein, a special thanks to everyone at gao for the continued good work that you do.
3:25 pm
our caucus lunch has begun and i'm late. so i'm going to wrap it up here. if i had more time, one of the things i would get into this the issue of turnover among these contract officers. i don't think we spent much time on that. i would just say as a closing thought, when i was governor of delaware, we had a real problem in the area of information technology, training folks who work in that area as state employees, to provide skills and get hired away by someone paid a lot more money. the governor has succeeded me was further to realize that we ought to pay and changeup the way we incentivize folks to work for the state of delaware in that arena. we have a similar problem at the federal government.
3:26 pm
if you look at the skill set and compensation packages and the way we attract and retain skilled folks in the cyberworld, and the department of homeland security and national security agency, there's a difference. our staff and colleagues are working on the way to reduce the disparity said dhs will hire people to work in cybersecurity and train and hire away by others. were going to work on that. it would be interesting to know. training is so important. not just original training, but the quality of that training. my guess is there's a fair amount of turnover in these jobs. a lot of training dad, in order to the benefit of federal taxpayers, but those who ultimately contract officers go to work for.
3:27 pm
divide my time, i ask each of you to respond to that. just raise your hands, is that a problem? is that a concern we should have? okay, thank you very much. i would say in closing, the hearing record will remain open percent 17 months. all right, 17 days. until january 3rd at 5:00 p.m. for the submission of statements and questions for the record. i'm sure you'll get some. we would appreciate you responding to those. again, thank you for being here with us today. best wishes to you and your families during this holiday season. thanks very much. [inaudible conversations]
3:28 pm
[inaudible conversations] [inaudible conversations]
3:29 pm
>> we now have set their norms instead of theological norms that govern our acceptance or rejection of the ways in which a god or god or goddess can be to people. so for instance, david caresses saying that he has the additional insight into the bible and that deep inside help the other members of the community understand the bible, particularly the book of revelation vendor and understanding of living in a way most americans don't accept. that by itself doesn't have to be a problem. but when that leads to other elements, then that trigger both
3:30 pm
on for a snack as the popular press is concerned. and suddenly, this idea of somebody listening to god and having his followers to things that seem to be out of the national norms, but dangerous and that needs to be policed and controlled. >> federal trade commissioner, julie brill spoke about efforts in the u.s. to secure personal information on the internet. she's introduced by a valid account on foreign relations. >> if you're ready, we can get
3:31 pm
started. although, we are delighted to welcome you to this roundtable with ftc, federal trade commission, commissioner julie brill. this is part of our policy series made possible by a generous grant from the verbena foundation. i am instructed to ask you to please or not their cell phones. if you haven't figured out the nice gentleman in the corner, this is on the record. in fact, we arrived he spent. i am sent to you, a senior fellow here at the count over digital policy. juliet burdock a has organized this roundtable series and were grateful her. this meeting is happening that incredibly timely moment that leading tech companies are meeting with the president at the white house today. there's a hearing in the senate tomorrow on data brokers in the trade negotiations with europe.
3:32 pm
the u.s. is expected to table something on e-commerce, cyberframework throughout has been recently released and you published on november 27, some recommendations on the safe harbor. we are thrilled to be having this meeting today and we know it will be a fantastic conversation. i'm going to kick it off with brief comments. i recently served as ambassador to the oecd in paris. we convened a group of business leaders, government, technology and ngos. and came up with the first set of global internet policy principles. these principles and privacy guidelines affirm to ideas that are sometimes missing in the debate and are very important for us to remember are not in conflict and are both essential. the free flow of information.
3:33 pm
-- the free flow of information at this agile to an open internet. of course i'm an open internet has become an essential platform for innovation, expression and commerce. on the other hand, there is a need for individual countries to make rules protecting their, whether it's on privacy, cyber, fraud. these two things, sometimes the debate forget they are both essential. we're so lucky to have julie brill here to talk specifically an area privacy where she's become a leading voice. julie, just to give you background on her, i will take you her story. julie was sworn in as commission in 2010. she's been focusing their on issues affecting today's consumers come including privacy, advertising substantiation, fraud and competition and high technology and health care. before she came to the ftc,
3:34 pm
commissioner brill as attorney general chief of consumer protection in a trust for the north carolina department of justice. before that, she was an assistant attorney general for the state of vermont for over 20 years. for 1998 to 2009. commissioner brill has chaired the antitrust section of the american bar association. i'm just halfway through. prior to her cruel month for a snack, commissioner brill clerked for vermont, federal district court judge franklin junior. she graduated magna laude from princeton and nyu where she had a root scholarship for commitment to public service and nyu last goal. commissioner brill has been at the lot. she perceived awards and has testified for congress, published numerous articles, there've been many expert panel,
3:35 pm
consumer protection issues such as pharmaceuticals, privacy, credit reporting. when i'm most grateful to commissioner brill for is the cutting issues. she's figuring out what the right policies are that balance all the equities and then she's finding a way to speak about it in a way that satisfies the academics, advocates an average consumers. i have to believe part of that comes from the fact she doesn't spend all of her time in washington. she's based in vermont, where her family is and it actually seen her there so i can testify. she does her grocery shopping there. she thought of getting out around the country in the world and that gives her a really fabulous perspective and we are so lucky to have her at the commission. >> thanks, karen. i am pleased to be here. i wish i had your resume to read because yours is impressive, to.
3:36 pm
even though were both really young. the way we'll run this as i'm going to ask julie a few questions. then we'll open it up because all of your experts. this is really roundtable discussion. he just returned from 10 days in europe speaking mostly about privacy issues. can you tell us about the mood they are and of course we are also aware of the fact that the nsa surveillance revelation, the line between commercial privacy and government privacy has been completely blurred and there's been a real change. >> it's been interesting. a number of people who are here who would bear with me were also in europe, will comment on this that make it to the question and answer period. we should start out by saying the u.s. and the e.u. in europe have a long history of cooperation. i mean, you know better than anyone that the oecd.
3:37 pm
we need to remember that and keep in mind as we are thinking about entering to work through some of the latest areas of a troubled -- some of the latest areas causing tension in a relationship that is basically very, very sad. the nsa revelation has created tension. i mean, there is no question about that. as much press as it is god here in the united states, i think it's probably gotten much more in europe. i find that an overarching, especially seeing the change from september through now is that there is an increased willingness to try to cooperate and figure out a way to resolve the problems that exist. in other words, in the last six months i've been to europe or four times, both prior to this note and nsa revelation and if
3:38 pm
it timbre when they were still very, very fresh and i just got back from a long trip. i think between september and now, there has any recognition that we need to try to work through the problems. you know, there have been extensive government groups as well as private groups focus deeply on trying to address these issues here in the united states. you know, how should we be balancing a national security and individual citizens privacy rights. there have been a number of working groups underway. some of the results are starting to get discussed. there will be much more of that in the coming months. there have been working groups between the e.u. and the united state said that some folks in the working group that are european policymakers and whatnot have been able to
3:39 pm
interface with our policy leaders to try to talk through these issues as well. i think all of that has led to, while perhaps not a complete agreement on the way in which we doing things, at least an understanding to a certain extent of why certain things have been done and maybe the areas we need to address going forward. so you know, one of the things you asked about and maybe we should talk through is this issue of, should commercial privacy and government surveillance be treated together, or should they be treated separately? as one of the things i spent quite a bit of time talking about in europe. should we focus on not? >> sure, go right ahead. >> i have told my european counterparts and audiences in france are the same thing in the united states that the government surveillance issues are incredibly important.
3:40 pm
it's a conversation long overdue. i'm very glad it's happening here in the united states and europe in the trade atlantic discussion. the discussion around commercial use of data, i think, is a very important conversation. nec have been here in the united states, but it is a separate conversation. it should be happening separately from the national security issues. i say this for a number of reasons. i think if you look at the 1995 e.u. data protection directive, it has national security exceptions. if you look at the ways in which data flows between the united states and the e.u., whether it is through binding corporate rules for safe harbor, any other mechanism, there are national security exceptions. so we need to address the national security issues clearly. but let's talk about commercial privacy and all that needs to be
3:41 pm
done in the commercial privacy scare separately. >> so let's talk about commercial privacy. tell us your thoughts about the e.u. privacy regulation outline and also this concept of adequate d. >> sure. the e.u. regulation actually i think mirrors a number of the things we've been talking about. but at the ftc, federal trade commission, which is the nations leading privacy regulator in the u.s. or whether it is looking at some of the things happening in the state with respect to privacy. so when you look at the overarching, kind of policy is being pushed forward in the e.u. regulation, you see things like a desire to get parental consent for information about children.
3:42 pm
you see references and provisions dealing with data breach notification. ec privacy by design, which is a con fact that we have tried to urge on industry here in the united states. you see a focus on enhancing consumers control over their data, increasing transparency, improving data accuracy, strengthening data security and encouraging accountability. these are all concepts, whether embedded in law in the united states or are being discussed the federal trade commission and elsewhere in terms of developing best practices for industry here in the united states. these are all concepts. frankly, we embrace. certainly i embrace as they federal trade commission or and i know many of our counterpart also in race. so we have a lot in the united states dealing with children's
3:43 pm
privacy, or collection and use of information about kids under 13. we have data breach notification law for the state level, not the federal level. it would be nice to have data security law. but we do have some provision dealing with this on the state level. and our privacy report, the federal trade commission issued a big privacy report last year. they talked about a lot of concepts. privacy by design company to build privacy into products and services and not to push everything onto the consumers, overwhelming them with choices they need to make about privacy when frankly consumers are going online for using smartphones are engaging with connected devices in order to think about privacy. they want to do some pain with all this technological tools. so you need to build more privacy into products and services is deeply important.
3:44 pm
having said that, i think there are areas where we definitely need improvement in the united states. i think we have a ways to go, especially around transparency issues. so i spent a lot of my time talking about need for entities that are engaged in big data analytics, profiling of consumers, especially when it is focused on consumers at the individual level, rather than trying to do with identifying information. when we talk about profiles created about consumers being used whether for marketing purposes or eligibility decisions, we need a lot more transparency in that area. when it comes to the internet of things that is connected devices, connected cars, medical devices, anything else that is to devise that connects to the internet. again, we need more transparency and me to think about the tools
3:45 pm
that we can make available to consumers so they can stand what is going to happen with the information. who will be collecting it and what they will do with it. i think online tracking through developing some tools were consumers is very important so that can dimmers can control the percent to which they are tracked online. do not track is an issue that some folks that began with deeply and have developed some tools. some of the browsers have developed tools. some trade groups have developed tools. in some standards organizations are working on developing tools around tracking online. i'd like to see much more progress made there. finally, when it comes to legislation here in the united states, all i've been talking about the fire hasn't and the legislative sphere. it's been much more in terms of developing best practices and
3:46 pm
providing better tools to the ever so they understand that data is collect detainees and for what purposes come at better. we could use a more lost in the united states based on privacy ledges nation withheld. it helped level the playing field. it would clarify business is what ought to do and don't need to worry about and would make clear to the dimmers with their rights are and what can happen to their data. particularized law around data brokers and data profiling would also be helpful. i've also mentioned data security. so again, taking a step back and look at the trans-atlantic picture, i do think there are clear similarities between what europe is pushing. i think that here in the united states, we share many of those
3:47 pm
ideas and values and have been pushing it forward. here in the united states, there is room for improvement. i've certainly spent a lot of time talking about that. >> let me ask you two quick things. one of the things is telling europeans when i was over at the oecd is while they think that europeans care much more about privacy than we do, what we would pay as you will have more rules on the books, but we have a lot more force. i want to ask you about that because you're at the enforcement agent v. also, just where you see the safe harbor going. i read you think you're weak about it, but this report does come out with recommendations. a touchier talk about that. >> it is true. we have really good enforcement in the 90s it's not as respected the laws we do have in the books. i have spent a lot of time
3:48 pm
trying to educate not only folks here in the united states and for instance the act community, the day need to make sure they and the laws that apply. for instance, if they are engaged in activity that might cut on credit reporting great time at last or a list -- a tool for h.r. departments to use to screen prospective employees. our credit report is not applied. i spent a lot of time trying to educate entities in the united states about the breath of privacy laws. similarly, i spent time talking to european counterparts about the breadth of our privacy laws. we don't have a signed privacy legislation. in sensitive areas, but their health information, although we can talk a little bit about that because there are some gaps they are. whether it's health information, financial information from a children's information or credit reporting information, we do have good laws. the ftc is death by the cop on the beat.
3:49 pm
we do great and force them. i've heard many european counterparts say that they wish they could combine their regulation but the ftc enforcement of prowess. i know for some businesses that might be more freight team. >> i think -- >> it was a chuckle. they do privacy enforcement because one of the tools in the last i talked about is the federal trade commission. their acts and practices. it doesn't focused on financial fraud or add substantiation. and fact, it was written at the height of the depression and the
3:50 pm
joining up with the law that created us in 1914 at the height of the progressive area and is designed to be very broad and remedial. we use it in just that way. in the privacy contacts, we've used are unfair and deceptive privacy act of not only to focus on some of the biggest consumer facing companies, some of whom are represented in this room. google, facebook, myspace and twitter are under 20 year order as a result of i believe they have violated the federal trade commission act and engaged in unfair deceptive acts and practices. we've also focused on smaller players that aren't household names, but are playing key roles throughout the echo system, whether it's for mobile or internet or a case. hardware developers, active developers, analytics firms, ad
3:51 pm
networks. you name it, we have looked at the crack this is when they been brought to our attention or when we've learned about them. if we felt they were violating either the deception principle or in fairness principle, we go after them. >> how do we two of the safe harbor we understand how rules work in this. how can we safeguard the safe harbor and the flow of data? that's one of the areas i've seen change just in the last three. as the result of the nsa and snowden revelation, there started to be a growing conversation in europe the safe harbor was the problem.
3:52 pm
the reason why european citizen data was being looked at, was being examined by government for national security purposes was because of this tool. the safe harbor is one of several mac in the end that is in existence that allows for the transfer of data on a company based says between europe and the united states. without getting too detailed into involvement in all of the rigmarole of the lot, i can say from an economic perspective and from a business is, it is clearly an incredibly important tool and allows for a huge amount of trade and important relationships that consumers benefit from and businesses benefit from. yet it became kind of a target in this conversation. i started to say in september and i said last week, it was an
3:53 pm
easy target, but it wasn't the right target. if we want to focus on government surveillance issues, we should focus on government surveillance issues. whether it's happening through companies that have signed up for safe harbor or corporate rules or inadequacy determination, or any other mechanisms for cross-border transfers. you know, that is where the conversation should have been around the perp or is owed the government surveillance. so what i've noticed, frankly the e.u. commission just issued a report. a first step in its report on safe harbor. i think this conversation had been engaged in, as well as others. i don't want to say i'm the only one i any means. it seems to have gained residents resonance. if you read the latest report on building trust, as they call it, between the u.s. and e.u., they talk about the importance of
3:54 pm
safe harbor and the importance of maintaining it because of the important ties and level of business that's transact it between the e.u. and the u.s. having said all of that, safe harbor has been in existence for 15 years had a lot has changed. you know, i could ramble off all of the facts. just think about the number of smartphones people have come to the collection of geolocation information. all of these things does not exist or existed and perhaps nobody else is. i think what we need to do is look at safe harbor and say, are there ways we can improve it? the e.u. commission has made her team proposed recommendations
3:55 pm
for improving it. some of which i and we ought to, on this side take a serious look at. i talked about that last week in europe. i said there are ways without doing too much work. these are really a heavy lift, but it would help get rid of some of the irritant in terms of how safe harbor operates. for instance, creating better links between company's privacy policies department of commerce website so it's clear who's in safe harbor and who's out about alternative dispute resolution that is each of the company since you seem. an alternative dispute recognition is required for every company that signs up for safe harbor of some kind or another. the vast bulk of companies use an alternative resolution mechanism like trustee, which is free. it's free to european citizens.
3:56 pm
if they have a complaint about a company, they can go either to the european data protection authority, kind of like the country specific regulator or they can go to one of these companies and have their complaint heard for free. 20% of the company signed up for safe harbor are using a mechanism that will charge the consumer money. a lot can consumer advocate, i just had to say i don't think that the right direction here. i think we should work hard to try to get those alternative dispute resolution mechanism fees down as close as we can to europe. we need to increase transparency on the website and i think again, those are things that can be done fairly easily so people can understand what companies are in safe harbor, what companies are out, what their privacy policies aren't things like that. finally, we have to be lucky not
3:57 pm
the other cross-border data flow frameworks that we have been talking about globally. aipac, and the asia-pacific cross-border framework that's been developed and pushed forward has a really interesting concept built-in around accountability mechanisms. before a company ever reaches someone like me, a regulator who said he violated the law, they have put in place mechanisms for self-assessment for checks so that there is an entity, a private entity that can help ensure they are in compliance. i think it is a really good at that can be helpful to companies. i think we have to be thinking about whether or not there is room within the safe harbor framework for appropriate, you
3:58 pm
know, accountability mechanisms that are basically self-regulatory mechanism before you ever get to the cop on the beat. those are the ways in which i think safe harbor can be improved. the e.u. has all the things i've talked about. they have in some fashion or another mention. they talk about a number of other proposed changes, some of which i think would be tough. some of which i think need to be focused -- need to be a discussion within the national security community. some of them again i think relatively easy lives for the united states and we ought to be taking a serious look at them. it's a great tour of what's going on between us and europe. chew wants some of that provocative. i think we'll have a great discussion. i want to open it up to questions. please identify yourself when you're called on it that would
3:59 pm
be terrific. if you want, you can turn your name tag on it side. i work on near as this gentleman has done in the back in an exemplary way. >> thank you. i enjoyed your remarks in europe last week. >> can you say where you're from? >> alan roth. [inaudible] a question i would have for you is do you think the u.s. should be making a case in the lousy describing the enforcement you referred to for adequacy and the safe harbor for the united states, it's almost in congress to guess, it works good and plays very long time. it's ursula useful purposes. some of the countries deemed adequate armor my guess is there is not so much enforcement
4:00 pm
there. maybe they have rules, but much less of orders made. ..
4:01 pm
4:02 pm
4:03 pm
interesting and provocative question. that would be my divine. >> i'm going to call on people. we've got some twitching of it there. [laughter] we've done a lot of work, looking at the economic impact and how it's affecting u.s. companies. one of the big changes are seen, specially nationally as the growth of data nationalist emoticons that other countries are really looking that restrict
4:04 pm
teen data, even within their borders. this obviously has a huge impact on the internet, how it works, does this models and u.s. tech companies. be seen that in the past. the problem that we really see here is for inadvertent disclosures that additional privacy and security threats, there's a lot companies can do. they can make their systems more secure. we cannot gymnastic laws. but what we can't do is have from the air, and a response if we give our data to a foreign company that the government will mandate. there's not in the third can do. that's why it's such a problem right now, especially since this is the private sector. the question is aside from recommending the geneva convention not data, how do we
4:05 pm
address this? it seems like that's the sticking point, but not in the private sector can address. >> it's a very important issue. i think as i said in the opening dialogue that we had covered the issues around government access to information, whether it's information that private companies hold or elsewhere within government or the state level or local level, all it is is -- there's a huge come in my view, robust discussion underway in the united states about the appropriate level of surveillance and how it's taking place. i think it's great that conversation is going not. their personal views about it. i'm sure everybody has personal views about it. my job as a federal trade commissioner is to focus on of information. they are, and not fear of
4:06 pm
commercial use of information, again, i think i would disagree with you that there's nothing companies can do to better protect information. i understand where you're coming from, which is when someone taps into their data coming in now, whether it is a government entity or whatnot, they can't really stop it in the current framework and they're very involved in that conversation here the first conversation i talked about is how is government doing that. having said that, i know you want to jump in, but having said that, i think there is a lot companies can do to improve privacy protection. again, focusing on privacy by design. de-identifying data as much as possible. we have tons of recommendations about what businesses can do to enhance privacy.
4:07 pm
what is so special about this moment, in light of the revelation, while again i think commercial use of data and government use of data is separate and separate conversations, it is a moment in time for our society, as well as the global community is really focused on what is happening with data. now is a really good time for companies to step up to the plate and say look, we get it and we're going to do as much as we can to try to enhance privacy and data security. uic not from tech companies, in particular the united states, or a dialoguing today the president and have written a great deal as their desire to disclose more about what is happening in the government's surveillance side. ..
4:08 pm
noticed macina and very much appreciate that. >> looking at how that plays out, if you could talk about how we keep that tone going because what really helped us is bridging the view of the 13 points and that was going to take what must be done and the safe harbor as you put things we
4:09 pm
should look at very carefully some of them very powerful and that is simply much more difficult. >> a great question. and i think that we in the united states need to take that list of 13 items very seriously. i think that we are taking it very seriously. i am sure if there will be a group focused on developing a formal response. i have had conversations with my counterparts and folks at the commission last fall about my personal thoughts about them including those which i thought were relatively appropriate. not necessarily easy with -- i didn't focus on it in that way, but these things should be done. and then those that i thought would present a more difficult
4:10 pm
-- would have a more difficult road for good reason and i tried to describe what some of those reasons are, but i do think it's important that we move, meaning our government moved relatively quickly because i do think -- i am pleased to hear that you recognize the same shift. and all i would like to keep the momentum going in the current direction. the conversation going in the direction it is heading. i think that is important and one of the ways we can do that is to make it clear to the european counterparts that we are recognizing the issues that they have raised and we think there are serious issues and we want to work with them and i'm hopeful we will have a position and sit down with them and talk through each of the points. they mentioned to me various
4:11 pm
time frames in the report but will be sometime in march or april that we will be looking at january which is just a couple of weeks away to begin this conversation in a robust way because there will be evens that will take place in europe that identified for me that will raise the political focus on this issue even more. in order to build the trust that the europeans are asking us to build i think we need to do our part in that bridge building. >> i want to learn more from you about the american enforcement of privacy. let me first say i completely agree from the limited experience it's not much there. every time i go and give a
4:12 pm
lecture i ask people in the audience if anybody had ever asked for permission to use their information for a secondary use and i haven't seen one hand and going up but i need to know more about the american side. if it is that by the private company in arkansas and this company was 35 contracts i don't see anybody stopping them and the difference between having the data base is very charismatic and it is one click away for microsoft is building in new york city into one base it is hard to imagine the
4:13 pm
privacy. teach me some more about how you protect our privacy. >> i think a lot more needs to be done with respect to the profiles and with respect to the data brokers. you were referencing one particular company in arkansas and you referenced another large company. with respect to the entities that are engaged in profiling consumers that is the commercial entities they are creating profiles and the consumers used from the marketing purposes for eligibility decisions that are not currently covered by the law. and some of the profiles have very sensitive information including health conditions like very detailed information about health conditions, sexual orientation, ethnicity and other
4:14 pm
what i think most of us in this room and society would believe is highly sensitive information. i would very much like to see with respect to the day the brokers that are creating individual profiles about consumers. they would call reclaim your name and i would like to see american consumers be able to reclaim their name by the use of some of these greater transparency control tools. so for instance you referenced the arkansas company that we might as well call it axiom since we know who we are talking about the taken a step down the road providing the transparency tools to consumers they have a portal and the data that provides some information about some of the data they have on the consumers that is used for marketing. there are other large data
4:15 pm
brokers that could easily provide similar transparency tools and it's not just important to let consumers know what data you have about them but to the extent that it's used for marketing purposes i think that it should be the consumer should have the ability to say i don't want to be marketed based on the fact that i have diabetes. i don't want to be marketed based on the fact that i am of what ever ethnicity or whatever. and consumers should also be able to correct information if they want to. and then finally, to the extent this information is used for important decisions like are you who you say you are and can we do business with you, eligibility decisions that are not governed by current law. i think consumers need to have the right to see that information and correct it if it's wrong of course decisions are going to be made about them that are based on inaccurate information.
4:16 pm
so, we do a good job of protecting privacy. and i try to outline all that or some of that and my opening remarks. it's hard again to talk about it so quickly that i think that there is room for improvement particularly in the area that you have identified. >> some the news about safe harbor in a slightly different direction you made the point that the way things have changed in the last 15 years with respect to a safe harbor the that is also true with the internet itself. so that was 15 years ago. it was 1-1. it wasn't transactional. there was a lot of structured data. today the internet is one timoney and there is unstructured data.
4:17 pm
the way we think about the internet and privacy and the guidelines and those were obviously in a different era. in your thoughts how do we get that those guidelines in the 21st century and the transformative technology and you talked a little bit about the transparency sort of in the context of the beta brokers who but what would you like to see in terms of transparency and accountability as we begin to think about how we get out of those guidelines. >> that is a good question and deep because there are a lot of different ways in which we can adapt some of the principles for the modern technology. i think a great starting point
4:18 pm
for that conversation is the report that the federal trade commission did in 2012, where i think that's fair information practices are still good because they are general and the trick isn't so much do they apply to new technologies but how we are going to apply them to the new technologies and so we talked about implementing three or four techniques if he will or getting the business to focus on the ways in which they can't help shape the new technology so that consumers do have notice and choice and there's accountability and transparency and accuracy and all those other principals so we talked about the need for the proxy by
4:19 pm
design. that is one issue and i touched on that briefly before and that is the concept where we don't place so much of a burden to make a million choices about privacy because it is just too hard and overwhelming for the consumers. instead, companies folk focus on building and they do so at the beginning, not when the problem arises but they are sensitized to doing that at the beginning. so the second would be to engage in a much simpler notice and a choice for consumers. that is it's fine to have a full-blown privacy policy that's, you know, ten pages in small type but no one ever reads except for academics and technologists and we read them but no consumer actually reads them and to have that at the end of the day is helpful but it's much more important especially on smart phones when you think about the limited real-estate
4:20 pm
that is available to have quick messages to consumers. we are about to collect the location and download the contact list. the icons, pictures, simplified notice and choice is a very important issue. transparency is the feared initio and i touched on that and i think there is a lot more that we can do to inform consumers about what's happening with the data and what control they might have. the fourth principle is important and that's the issue of the identification and how as much as possible we can focus on using the information in a form that is identified as robust as possible. and we have a three part recommendation on how to
4:21 pm
identify. three part recommendation on how to identify the information. it is identified to the extent reasonably possible from a technological perspective and a company that is engaged in using the identified information promises to not read identify the information because now there's been so many studies showing how easy it is to take the identified information and identify it with individuals and in particular consumers. so there's a promise to not identify and if the data is transferred to anyone else, the company that holds the data makes the company that is giving the data to promise to also not agree identify. those are some principles that i think helped to deal with the current incredible change that we've seen in technology and focus on how we can implement to these important principles in this new technological age. but it's complex.
4:22 pm
i recognize that. >> it is complicated, but you are making it come alive. i apologize and we will come to you next. >> i'm going to pull together your comments with those that we heard earlier where i heard it but i will also add another setting this morning where we can identify and i am interested in the negotiations between the united states and europe and recognize the word is because of the snowden regulations making it an even more difficult job.
4:23 pm
>> negotiating between the u.s. and europe which is commonly called ttip trade investment negotiation partnership. you suggest that there is room for agreement at least in your positive reactions to recent european regulatory annunciations. i am very conscious that there is a whole u.s. interagency process in the ftc and the agency and yet i don't know the how much you have to coordinate with the trade representative's but many people feel the trade representative's going on between europe is really more about regulatory harmonization than anything else.
4:24 pm
so what extent do you have to really or do relate in this atmosphere in which these negotiations have now had three meetings and the president has put some emphasis on this? >> the issues i was talking about in terms of the safe harbor and the e.u. report in terms of how to improve to maintain net am the separate ttip discussions and trade negotiations. we are an independent agency has pointed out we are not officially the federal trade commission is not officially involved and the ttip discussions. however, the u.s. the art and other folks who are deeply involved in it, the u.s. trade
4:25 pm
representative and others do consult with our staff about technical issues particularly when it comes to issues around privacy enforcement because again trying to explain it is in the sentence, it is a . so, we are not tall at the table in those discussions and my job is to focus on protecting consumers and protecting competition and with respect to the privacy data flow it is to make sure that we have appropriately law enforcement and we are engaged inappropriate law enforcement as well as development around those issues. i've been a cop on the beat at the state level or the federal level for a long time and by a big believer in enforcement.
4:26 pm
that is our job that is separate and different than the trade negotiations. >> part of what is coming up is a lack of of the revelations created a real sense that the lack of trust or created for some type of negotiations as a part of the ttip and they talked about putting the chapter of the information into the negotiations and those of you that are not aware, the resolution put aside a fabulous task force with a global security internet to see whether
4:27 pm
in fact this is happening. >> there are other people on the side of the ftc. do they want to comment in any way on anything? okay. >> thank you, commissioner, for your always thoughtful remarks. on the application developers i've come to the conclusion that the corporations are poor and making decisions for consumers, but they are only slightly better than the government particularly the foreign government. this is my personal opinion.
4:28 pm
when the consumers can benefit on a great scale from the mass customization and personalization. i worry that a rules set in place that might do things like limit the data collection done for the consumer's benefit that limit the opportunities for the consumers to make choices themselves about what goods and services they can obtain at the low cost or no cost and i'm wondering if you can share your thoughts about what we can do to ensure that the mass customization and the personalization and individualized goods and services becomes an opportunity and they do not foreclose those by setting rules and the limitations. >> some of what i have talked about i do think what focus on collections of issues.
4:29 pm
there are thoughtful questions as always. whether or not there are permissible purposes for which information can be collected as well as used and my view is that in terms of attracting consumers online given the incredible depth of information that is now available, the explosion of data about each and everyone of us as we walk around with our smart phones and we use our applications and our engagement and online activity and the activity is all getting linked together to create a very rich profiles it strikes me that you are presenting a framework that
4:30 pm
arguably says if there is no collection we don't have any benefits for the consumers and the way that information is either collected or created. as a good example, we have some very strong walls about how the health information will be used, collected and used for the providers that work with them. the other entities that are really in the health care system consumers are going online and investigating what does it mean if my skin is itchy does this mean i have a condition or my kid has been up for five nights and i don't know if that is a fl


info Stream Only

Uploaded by TV Archive on