tv Tonight From Washington CSPAN May 10, 2011 8:00pm-11:00pm EDT
8:01 pm
and store up to a year's worth of location data about the users. google has also faced scrutiny for the use of location data in its android phone software. you also hear from the justice department and federal trade commission officials at this two and a half hour hearing chaired by the minnesota senator al franken. >> it's my pleasure to welcome all of you to the first hearing of the senate judiciary subcommittee on privacy, technology and the law. i am sorry that everyone wasn't able to get into the hearing room but we are streaming live on c-span, thankfully, and thank c-span for that. and i'd like to turn over to chairman leahy and thank you, sir, for the subcommittee and giving me the opportunity to lead. the chairman has a long track
8:02 pm
record on protecting privacy and i'm honored to join in this effort. mr. chairman? >> thank you, senator franken, and i want to commend you for holding what is a very timely hearing on the privacy implications of other mobile applications for privacy, technology and the law. i thank senator franken for his dedicated leadership on the consumer privacy issues as the chairman of the subcommittee and thank dr. coburn for his amendment to such issues, too, and i appreciate both of them working together on this. throughout the three decades i've been in the senate i've worked to safeguard the privacy rights of all americans injured
8:03 pm
in the federal privacy laws accomplish this goal and at the same time addressing the needs of both law enforcement and america's vital technology. it's been one of my highest priorities as the chairman of the senate judiciary committee. that's why i decided to establish the new privacy subcommittee and was pleased senator franken said he would be willing to chair it and to update the electronic communications privacy act. now the digital age can be wonderful, wonderful things for all of us. it's stretched to privacy like no time before and expose the new technologies come social networking sites, smart phones and other mobile applications there are of course many to the consumers. there are the risks there to the privacy. like many americans certainly in
8:04 pm
vermont where we cherish our privacy deeply concerned about the recent reports of the apple iphone, the google android and other mobile applications may be collecting, storing and tracking the user location data without the user's consent. i'm also concerned about reports that this sensitive location information may be maintained in an unencrypted format making the information vulnerable to cyberthieves and other criminals. in an interview this morning i heard somebody speak of the industry about how this can be a very valuable thing to be able to sell information to various industries for advertising purposes and the amount of money they may make on that and for the u.s. they then make money off of that when i raise that point to simply take to make them aware of product that might
8:05 pm
be in the location i said it's great. we all love to get a whole lot more unsolicited ads. so it's more of a one-way street. they reached a survey commissioned by the privacy firm trusty and of american smart phone users to identify privacy as the number one concern in using mobile and applications and they have good reason to be concerned. the collection used for the storage and other sensitive information has serious implications regarding the privacy rights and personal safety of american consumers. the hearing provides a good opportunity for us to talk about this and examine these pressing privacy issues and learn more about it. i'm pleased and the department of justice and federal trade commission here to discuss the
8:06 pm
administration view in the privacy implications also plays from google and apple to address the privacy implications of the smart phones and tablets and other mobile applications. i welcome the bipartisan support for the consumer privacy issues to but i look forward to the productive discussion again. senator franken, senator coburn, thank you both for holding this hearing. >> thank you, again, mr. chairman for holding this coming and i really want to express my pleasure with working with my -- the ranking member of the committee, senator coburn, thank you for your friendship and for working on these critical issues. before we turn to the business of today's hearing i want to take a moment to explain what i think the subcommittee is about and where we are headed. to me, the subcommittee is about addressing a fundamental shift that we have seen the past 40 or
8:07 pm
50 years and who has our information and what they are doing with it. when i was growing up when people talked about attacking the privacy, they talked about protecting it from the government. they talked about unreasonable search and seizure, about keeping the government out of our families, out of our bedrooms, they talked about is the government trying to keep tabs on the books i read and the rallies i attend? we still have to protect ourselves from the government abuse and that is a big part of the digital privacy de date. but now we also have relationships with large corporations but are obtaining and storing increasingly large amounts of our information. and we have seen their growth of this whole other sphere of private entities whose entire businesses to aggregate information about each of us. while we are familiar with some of these entities the average person is not remotely aware of most of them.
8:08 pm
two months ago if you stopped 100 people on the street and asked them have you ever heard of epsilon 100 of them would have said no. i certainly haven't. but suddenly when people start getting e-mails in their box telling them your information has been compromised you that they wanted to know who epsilon was to we don't get me wrong. the existence of this business model isn't a bad thing in fact usually it is a great thing. i love that i can use of google maps for free, no less, and the same for the application on my ipad that tells me the weather. but i think there is a balance we need to strike and that means we are beginning to change the way we think about privacy to account for the massive shift of our personal information into the hands of the private-sector because the fourth amendment doesn't apply to corporations and freedom of information act
8:09 pm
doesn't apply to the silicon valley. while businesses may do a lot of things better than the government, the government is at least by definition directly accountable to the american people. let me put it this way. if it came out that the dmv was creating a detailed file on every single trip you'd taken the past year, do you think they could go one whole week without answering a single question from a reporter? this isn't a new trend and i am hardly the first person to notice it. 45 years ago a senator named patrick leahy passed a law we called the electronic communications privacy act which talked a lot about government but also contained commercial disclosure. in 1996 congress passed the law protecting privacy of medical records. 1998 passed a law protecting children's privacy and 1999 protecting financial records.
8:10 pm
so we have some protections here and there but we are not even close to protecting all of the information that we need to. i believe consumers have a fundamental right to know what data is being collected about them and i also believe they have a right to decide whether they want to share that information and with whom they want to share it and when. i think we have those rights for all of our personal information. my goal for the subcommittee is to help members understand the benefits and privacy implications of new technology, to educate the public, to raise awareness and if necessary to legislate and make sure that our privacy protections are keeping up with our technology. today in this hearing we are looking at a specific kind of really sensitive information that i don't think we are doing enough to protect and that's
8:11 pm
data from mobile devices, smart phones, tablets. this technology gives us incredible benefits. let me repeat that. this technology gives us incredible benefits. it allows parents to see their kids and wish them good night even when they are halfway around the world. it allows a lost driver to get directions and allows emergency responders the victim a matter of seconds. the same that allows the responders to locate us when we are in trouble isn't necessarily information all of us want to share all the time with the entire world and to adopt the said just the information on the mobile device isn't being protected in the way that it should be and the investigation by "the wall street journal" into 100 -- 101 popular applications for the iphone and android found
8:12 pm
that 47 of those, 47, transmitted the smart phone location to the third party companies and most of them did this without the user consent. three weeks ago the security researchers discovered the iphone and ipad running apple's latest operating system were gathering information about users locations, locations up to 100 times a day and storing the information on the phone or the tablet and copying it to every computer device that it's synced to. the american public also learned both the iphone and the android were automatically collecting certain information from the users and sending it back to apple and google even when people weren't using location applications. in each of these cases most of the users have no idea what was happening and many of the cases once the users learned about it they have no way to stop it.
8:13 pm
these breaches of privacy can and have real consequences for real people. the justice department based on the 2006 data shows each year over 26,000 adults are stalked through the use of gps devices including gps devices on mobile phones. that's in 2006 when there were one-third as many smart phones as there are today. when i sent a letter to apple to ask the customer about its users' locations the first group to reach out to my office was the minnesota coalition of battered women. they asked how can we help? because we see case after case where a stalker or an abusive spouse has used the technology and the mobile phones to stalk and harass the victims. but it isn't just stalking. i think today's hearing will show that there is a range of
8:14 pm
harm to come from the privacy breaches. and there's also the simple fact americans want stronger protections for this information on the greater depth the debt is far too little to protect this information prosecutors bring cases of a federal antihacking law relying on breaches of privacy policy but many mobile apps don't have the privacy policies and they're so complicated they're almost universally dismissed before being read. in fact once the maker of mobile app for the companies like apple or google or even the wireless company gets your location information. many cases under the current federal law the companies are free to disclose the information and other sensitive information to almost anyone they pleased without letting you know. and then the company's share
8:15 pm
your information and others again, without letting you know. this is a problem. it's a serious problem. and i think that is something the american people should be aware of and i think it is a problem that we should be looking at. before i turn it fun to be sure the answer to the problem isn't in the location based services. no one up here wants to stop apple or google from producing products or doing the incredible things that you do. and i think you for testifying. you guys are brilliant. when people think of the word pro yet to think of the people that founded your company's. what today is about is trying to find a balance between all of those wonderful benefits and the public right to privacy and i for one think that is doable. now i will turn the floor over to my friend ranking member
8:16 pm
senator coburn for his opening remarks. >> mr. chairman i will be brief i want you to know whether you have on your front since the location of the meetings you attend so to be forewarned. >> that makes me very frightened [laughter] >> i would thank the witnesses for being here today. transparency and we do in the government and outside of government when it's not fiduciary and when it's not proprietary is important for the american people, as is the issue of privacy, and rather than making the decision on what needs to change i think we need a whole lot more information and knowledge in terms of those of us on the legislative side before we come to the conclusion about what should or what needs to be done so i am looking forward to the witnesses' testimony and with that i will shorten this up and hear from the witnesses.
8:17 pm
>> i think we will begin our first panel now. i want to introduce them. we have jessica rich, she is deputy director of the bureau of consumer protection at the federal trade commission. she has served as an assistant director in the trigger to lead federal trade protection since 1998 and of the financial practices and now the division of privacy and identity protection. she previously served as legal adviser to the director of the bureau of consumer protections. she received her law degree from new york university and undergraduate from harvard university. jason weinstein is the deputy director, deputy assistant attorney general for the criminal division of the u.s. department of justice. before joining the criminal
8:18 pm
division, mr. weinstein served as a chief of the section in the u.s. attorney's office for the district of maryland he was also an assistant u.s. attorney in the u.s. attorney's office in the southern district of new york. mr. weinstein attended princeton university and george washington university law school and i understand that your wife is very pregnant and you may have to leave during your testimony or during ms. rich's testimony and as the chairman, it will be fine. [laughter] >> [inaudible] >> if i turn on the microphone of help. >> i am deputy director of the
8:19 pm
federal trade commission bureau of consumer protection. i appreciate this opportunity to present the testimony on mobile privacy heriot we are a consumer protection agency and privacy has been an important component of the mission for 40 years. during this time the commission has employed a variety of strategies to protect consumer privacy including law enforcement, regulation, outreach to consumers and businesses and policy initiatives. just as we have protected the consumer privacy and the brick and mortar marketplace on the phones, on the e-mail, mail and on the internet, we are committed to protecting privacy in the rapidly growing global arena. to ensure the task as a technical and practical ability to engage in the law enforcement and informed policy development in the mobile space, the commission has hired technology to work with the ftc staff. the agency also has created in a mobile lounge with numerous smart phone devices on various
8:20 pm
platforms and carriers as well as software and other to collect and preserve evidence. in addition the commission staff have explored the consumer protection issues through workshops and reports. what is clear from the work in this area is the rapid growth of the mobile products and services creates many opportunities for consumers of also raised serious privacy concerns. these concerns stem from the always on me and always with you personal nature of mobile devices, the invisible collection and sharing of data with multiple parties, the ability to reject consumers including children and teens to the precise location and the difficulty of providing meaningful disclosures and choices about the data collection on the small screen. law enforcement is critical to the consumer protection mission. the primary law enforcement tool prohibits unfair or deceptive practices. this applies regardless whether a company's marketing offline
8:21 pm
command for the desktop or telephone were using the mobile device. in the commission's testimony, we described four cases brought under the ftc act that addresses the global arena. two of these cases against two of the largest players in the ecosystem, google and twitter highlight the efforts to challenge the deceptive claims that undermine consumers' choices about how the information is shared with third parties. in google, the commission alleged the company deceived consumers by using information collected from the users to generate unpopular social network. the commission's proposed settlement contained a strong release including independent audits at the privacy policy and procedures lasting 20 years that protect the privacy of all of the google customers including mobile users. in a twitter, the commission charged with eight laps in the
8:22 pm
company data security allows the hackers to take over the twitter accounts and to gain access to the users private tweets and numbers. as in google it projects a that the dirt collect through the mobile devices and inquires independent audits of the practices for 20 years. if the company violates this ordered the commission the obtain civil penalties of $16,000 per violation. similarly in the ongoing litigation, the commission obtains temporary restraining order against the defendant allegedly sent 5 million unsolicited text messages to the mobile phones of the u.s. consumers. the commission alleged the public relations company planted a deceptive endorsements game applications in the itunes mobile apps store. the commission public law enforcement presence in the global arena is still at a relatively early stage.
8:23 pm
but we are moving forward rapidly devoting resources to keep the pace of the developing technology. the commission staff have a number of mobile investigations in the pipeline including investigations related to children's privacy on the mobile devices. i anticipate many of these investigations would be completed in the next few months and any company or public statements would be posted in the website. while the mobile arena presents the new methods of data collection and new technologies many of the privacy concerns as the ftc has been dealing with for 30 years at the bottom it's all about insuring they understand and can control data collection and sharing and the data doesn't fall into the right hands. the ftc has the authority experience and a strong commitment to tackle these issues. in closing the commission was committed to protecting consumer privacy in the global sphere to
8:24 pm
the law enforcement and by working with industry and consumer groups to develop the solutions that protect consumers while allowing innovation. i'm happy to answer any question. >> thank you. mr. weinstein. >> thank you mr. try. i've asked to stay until 11:30 which will be the last time you probably listen to anything i say. good morning, chairman and ranking member coburn and members of the committee i think for the opportunity to be here today. over the last decade we have witnessed an explosion of mobile computing technology. laptops and cell phones, tablets and smart phones americans are using more mobile computing devices more extensively than ever before. we can now they get shot and conduct business and social is remotely with our friends and loved ones instantly almost anywhere and now more than ever the world is almost literally at our fingertips. in ways we don't often think about, what we say and write and do with the mobile devices can be open to the world and it's the use of mobile devices
8:25 pm
continue to grow, these devices are increasingly tempting targets for identity thieves and other criminals. so as these devices increase the connectivity, productivity and efficiency they pose potential threats for safety and privacy. those threats fall into these three different categories. the first category are posed by cyber criminals, identity thieves, and other criminals seek to misuse the information that's stored to generate by the mobile devices to to so to the crimes. from around the corner or around the globe they worked every single day to access the computer systems and mobile devices of government agencies and universities, banks, merchants, credit card companies. large volumes of personal information, to steal property and perpetrate large-scale data breaches that we have tens of millions of americans have risked for identity theft. in addition, some of the cybercrime will seek to inject the computers and homes and businesses with malicious codes to make part of a botnet, the network of compromised computers under the remote command and
8:26 pm
control of the criminal or foreign adversary who can capture every keystroke and mouse click and password, credit card number and e-mail that we send. smart phones and tablets or in a real sense mobile computers and the link, the line between the mobile devices and personal computers is shrinking every day. so they provide yet another computing platform for cyber criminals to target infectious by malicious code. unfortunately americans who are using the computers in the devices are suffering from the extensive pervasive invasion of privacy of the hands of these criminals almost every single time they turn on their computers. one of the department of justice missions is protecting the privacy of americans and prosecuting criminals to threaten and finally the privacy. for the detection and skill of the prosecutors and agents we have had a number of enforcement success in putting the operation in connecticut which is believed to have infected over 2 million in worldwide.
8:27 pm
as mobile devices become more prevalent more and more personal information about the users we should expect they will be increasingly targeted by criminals. it's critical there for that law enforcement has the necessary tools to enforce and prosecute those crimes which are against the privacy of all americans. the second category of the threats of the privacy comes from the collection and the disclosure of location information and other personal information by the providers themselves including application providers. they may or may not be appropriate for the criminal investigation it all depends on the circumstances. some may address the regulatory action and as we easily with the matters we must carefully consider the clarity and the scope of the privacy policies and other user agreements that govern the relationship between the providers and the customers. the third category of threats comes from criminals who use mobile devices to facilitate all sorts of their own crimes from the traditional cybercrime like identity theft to violent crimes like kidnapping and murder. as technology evolves it is critical but law enforcement people to keep pace.
8:28 pm
law enforcement most people to get the data it needs to investigate and prosecute the crimes successfully and identify the perpetrators would freeze the called putting fingers of the keyboard i guess we should say putting fingers on the touch pad. this identification is already a challenge in the cases involving the traditional computers for the data critical to investigation of cyber criminals and predators and terse and other factors is often deleted by predators before the law enforcement cannot attain the process. the challenge is even greater in the cases involving mobile devices three although we increasingly encounter suspects to use as reference and tablets just as the with a computer many providers do not meet the records necessary to trace the ip address that the suspect smart phone. the records are in absolutely mrs. really to the investigative team that needs to identification of a particular suspect. i think for the opportunity mr. chairman to discuss the challenges the department sees on the start from the tablets continues to grow and to protect
8:29 pm
the privacy of the users of computers and mobile devices we look forward at the department of justice to continue to work with the congress as it considers these issues and i would be pleased to answer questions. >> thank you. thank you both. >> in the ftc's december, 2010 consumer privacy report the commission states that certain kinds of information is so sensitive that before any of this data is collected, used or shared, companies should seek, quote, express consent from the customer. you identify the four categories of data that are this sensitive. information about children, financial information, medical information, and precise geolocation data. first of all, why does the ftc think that it before the company gets or shares your location information they should go out of their way to making consent?
8:30 pm
>> we identified the four categories because misuse of the data can have real consequences for consumers. in the case of the location data, and you mentioned and your colleagues mentioned it can lead -- if it falls into the wrong hands it can be used for stalking, teens and children have a lot of mobile devices and so we are often talking about teen and children information and their location. location can't just tell you where a person is at a particular time. it's collected over time. you can also know what church someone is going to, what political meeting they've gone to, when and where they walked to and from school, that is a sensitive data that requires attention. ..
8:31 pm
8:32 pm
it's not considered to be an electronic communications services provider or remote communicator, there's no restriction at all, the company is share with whoever they want. >> one of the defining features of the mobile market is there's a lot of entities, advertisers, companies like apple and google amassing large amounts of information about users. outside of any assurances they make to their customers or requirements of financial records and laws, do the companies in this sphere have to meet certain data security standards? in other words, what's to prevent them from getting hacked? >> i'm not aware, mr. chairman, of any legal requirement of a company in possession of your personal data, location data, financial data, or other use of
8:33 pm
what you do online, secure that data in any particular way. my understanding is that's a decision based on the company based on its practices and assessment of risk. one of the arguments you hear talking about data retention because there's no requirement they obtain data for a certain length of time, and when we talk to industry and talk to privacy groups about the need for data retention for some reasonable period of time to make sure law enforcement needs the data it needs to protect privacy, you hear that if companies are required by law to store that data for some length of time, it puts them at greater risk of being hacked. it's an open question. it's one for the congress to consider if there's a requirement for data retention, whether it's appropriate to impose some requirement that that data be secured in some way to reduce that risk. >> thank you, mr. weinstein.
8:34 pm
i want to introduce a few key pieces of testimony into record. i want to introduce joint testimony from the minnesota coalition for battered women and the national network to end domestic violence as well as testimony from the national center of victims of crime. this testimony lays out how law enforcement can use this technology to find stalkers and also cites cases of two minnesota women both stalked by their partners through their smart phones. these are extreme cases, but i think there's no clear statement on how this technology presents clear benefits on very clearly privacy threats, and how we need to be very careful in this space. now i'd like to turn it over to the ranking member, senator coburn. >> thank you, mr. chairman.
8:35 pm
one comment i make is i hope after you all testify that you'll hang around and listen to the second panel. what i find is in congress we talk past each other, and when we observe us talking past each other, we learn something if we're an outside observer. i hope when we hear both sides today it will actually accentuate the ability to solve the problems in front of us. i have a question for both of you to individually answer. both of you have demonstrated that under certain laws in the books today, you can do a lot in terms of addressing these privacy issues. my question for you is, in your opinion, what else do you need in terms of statute to actually facilitate your ability to protect the privacies of individuals in this country without diminishing the benefits we're seeing from this
8:36 pm
technology? >> the commission has not taken position in this area, however, in the report that senator franken referred to, we discussed some key protections we think should be applied in industry, not just -- across industry including in mobile, that we believe would protect privacy while also allowing innovation to continue, and that first is -- basically, companies should have privacy by design, meaning at the very early stages of developing their products and services, they need to give privacy serious thought so that they develop those products and services in a way that maximizes safety to consumer data. that means not collecting more data than needed, not retaining for longer than needed, providing security for it, making sure it's accurate.
8:37 pm
those things, if implemented early, can be done in a way that still permits innovation and still permits the business to function. >> can you do that through regulation now? can you make those demands through regulation? >> we have used the ftc act prohibiting unfair practices to bring enforcement against companies under certain circumstances that don't do those things. the second piece is streamlined easy to use choice for consumers. streamlines it, making it easy to use is particularly important on mobile devices where we've seen -- we don't see privacy policies as mentioned in the "wall street journal" article, and when we do, it may take 100 clicks to get through the terms of service to find that, you know, we've encouraged the use of icons and ways to make it easier for consumers to exercise choice about things like sharing
8:38 pm
data with third parties. >> like writing in plain english? >> yes. and then the third piece is, of course, greater transparency overall which means if you do have privacy policies, they should be written in a simple way so they are easy to compare, and potentially you should be -- a consumer should be able to access the data that companies have on them, so we believe if implemented those protections would achieve much greater protection for consumers while allowing for innovation. >> the question i have for you is do you have the ability to implement that now under the ftc guidelines? >> those are policies, some of which can be implemented under the ftc act, but others are forward looking policy calls. >> would you mind submitting to the committee which are which to guide us in addressing where we
8:39 pm
think we might need to go? >> yes. >> thank you. >> there are four or five things that the justice department thinks congress should consider in legal changes, but most are not particular to mobile devices, a few are. the reason they are not all specific is we think it's important to put in perspective the threats you see in terms of cybercrime committed on mobile devices are new variations on old problems. when someone puts malware on your computer, that's old school cybercrime with new school technology. we need to fight it generally. that being said, number one, there are a number of further fixes to 1030, computer fraud and abuse act, beyond those that were contained in the identity theft and restitution act in 2008 that we believe are appropriate and would strengthen
8:40 pm
penalties and deterrence and make sure there's potential consequences. those we anticipate are part of the security package i told senator whitehouse is soon. it relates to cyberstalking. that statute requires currently that the victim and the defendant are in different states. that significantly hampers our ability to use the statute. cyberstalkers harass and even across the street, not necessarily across state line. the third is data retention. we think -- although we don't have a specific proposal, there is undoubtedly a reasonable period of time that congress can require providers to retain data allowing us to solve crimes against privacy that properly balances the needs of law enforcement, privacy, and industry. the fourth is data breach reporting. you know, as we see every week, we see a new article in the
8:41 pm
newspaper about another data breach whether it's sony or rsa. there's no federal requirement, but there's state laws, but no legal requirement requiring data breach reporting to consumers or law enforcement. the fifth is that among the data not even maintained let alone retained is data allowing us to trace back an ip address to the smart phone using it at the time that the criminal conduct occurred. the last piece, and i'll stop, is not a particular proposal, but something we urge you to consider. i alluded to there are no legal -- there are significant legal restrictions on a provider's ability to share data with law enforcement. there are no restrictions, virtually no restrictions on a provider's ability to share with a third party. we think the congress may wish to consider whether they strike
8:42 pm
the balance between privacy between consumers and providers they are engaged in commerce with. >> thank you very much. mr. chairman? >> thank you, senator coburn, and now the chairman. >> you mentioned it, and i'm glad you did. i'm going to be introducing a bill very shortly to update the electronic communications privacy act. i think social security -- i think it's a very important act and it applies to the applications currently available, and that could be bad for the consumers, also bad for law enforcement. let me just point out the privacy requirements ecpa applies to providers or the service providers are remote
8:43 pm
computing service providers, google, apple, or other mobile application providers collect data automatically. they might not fall into either of the definitions, but that would mean the government could just obtain the location of sensitive information collecting it without a search warrant. i mentioned a search warrant situation earlier when i spoke, but they might be able to do it without. does ecpa apply to providers of mobile applications, and if not, what are some of the changes we should make? >> mr. chairman, the answer really would be the same answer i give if you asked me that about mobile application providers, but if you asked me about verizon, google, or apple for that matter. companies provide a broader
8:44 pm
range of services, a company is considered a provider of electronic communication service for one service it provides. remote computing service for another service provides neither for another service it provides. even a company like verizon is clearly an ecs for its communication services. it would be -- a company like apple might be an rcs for the mobile backup service. google could be for google docs. a mobile app provider is an rcs or ecs or neither one. it depends on the nature of the particular service. >> does that mean we have a gap in ecpa and should address it in new legislation? >> i think as all of the companies expand the range of services they provide, there's gaps. there's companies where newer companies provide services that don't fall in one of the two categories. i don't have a particular proposal, but we're happy to
8:45 pm
work with you to explore where the gaps are and where they should be filled. >> it's an area i suggested and something like law enforcement gets all the information without a search warrant? without going through a court? >> well, if a company is not covered by ecpa, we can get stored data using a subpoena or another legal process. a search warrant is not required in most instances. >> you mentioned ecpa and sony, and the degree as i read more and more about it is more and more frightening what's there. now, on three occasions the judiciary committee favorably supported my data security and privacy bill and among other things establishes a national standard for notifying consumers about data breaches involving their personal information. we'll try in congress to get
8:46 pm
this passed. you -- if there's been a data breach, your information is there. you wouldn't have to rely on the good graces of the company that screwed up a lot of the data breach, but they would have to be required to notify you. how important is it for your department and other law enforcement agencies to be notified that there's a security breach so that they can look at whether it affects our criminal laws in national security and then i'll ask ms. rich a similar question. >> it's vital for law enforcement. if we don't know about the breach, we can't investigate, but if it's too late, the trail has gone cold. there's 47 state laws that in some fashion govern breach reporting, but only a few
8:47 pm
require the victim to notify law enforcement. some of our biggest hacking and identity theft cases, a number of which i testified about a month ago were made possible because we got early reporting from the victim companies and got cooperation from the companies throughout the investigation, and that was critical to our ability to follow the trail and find the hackers and people who stole personal data. the two things law enforcement needs to have a shot at making these cases are prompt victim reporting, and if there's customer notification which there should be, the opportunity to delay the notification where appropriate, but we think that data breach reporting is vital to the ability to do our jobs, and we anticipate there's a data breach proposal that's contained in the package. >> and ms. rich? >> the ftc has long supported legislation to require data breach notification and data
8:48 pm
security. we play a complementary role that they pursue the hackers who get the data, but our perspective is it's extremely important to also shore up the protections with those companies with the sensitive data. there's always criminals, but it's very important that companies secure themselves again so they are not easy targets, and we believe legislation, requiring notification, and security is vital to that mission. >> thank you, and, again, chairman, franken, i thank you for the hearing. i think it's extremely important, and i go after budget matters now, but appreciate you doing that. >> please do that. thank you, mr. chairman. >> thank you, senator franken for your leadership again. thank you senator leahy for your
8:49 pm
championing these privacy issues and providing that leadership for us. i want to thank our witnesses for being here. also apple and google and the consultants we have in this profoundly important hearing, and whatever the kinds of challenging questions that we may ask, i hope that we are all on the same side of this cause because right now what we face in my view is literally a wild west so far as the internet is concerned. we can debate the legal technicalities, but the ftc that dictates unfair practices doesn't provide the kind of targeted enforcement opportunity that i think is absolutely necessary and i know the department of justice is going to be seeking additional authority which is absolutely necessary in just one area
8:50 pm
pertaining to young people, children, which we haven't discussed so far today, but which obviously raises very discreet and powerfully important issues, and so let me begin with ms. rich. do you think the present statutes sufficiently protect young people, children who are 13 and under talking about marketing, locational information, other kind of privacy issues? >> we do have a very strong law, the children's online privacy protection act applying to children 12 and under, and we are undertaking review of that, but have not reached results of that yet. we want to see if it's keeping up with technology, but haven't reached the end of that. in a workshop on that, there's a fair amount of agreement from industry and work groups alike
8:51 pm
that statute is flexible to cover a lot of mobile technologies and activities across a broad swath of technologies. >> and do you agree? >> i do. i was thinking this morning i have two, soon to be three little kids, and my 3-year-old is better with my iphone than i am, and it's terrifying to think about what kind of threats, online threats will be out there by the time he's old enough to really use my iphone with permission, so i think that as we move into this space, i think it's important in any legal changes we make be technology neutral to the extent possible in one of the geniuses of ecpa is it's able to be flexible and adaptable over a period of 25 years as technology changes, but i think that anything that the congress can do i think to protect kids in particular in this space is a worthy effort. >> and let me ask ms. rich
8:52 pm
referring to your description of privacy by design. in addition to the requirement that senator leahy is supporting if there's notification, and i strongly support that requirement. i think it is a basic fundamental protection, shouldn't there be some requirement that companies design and safeguard this information when they structure these systems, and also potentially liability if they fail to sufficiently safeguard that information? my ability so that we provide incentives for companies to do the right thing? >> absolutely. using section 5, 34 cases against companies just in the last, you know, five or six years, against companies that failed to secure data, and we believe it's vital to hold
8:53 pm
companies accountable for that. >> and what about a private write back? >> commission hasn't taken a position on legislation or private right of action. >> because we had testimony from professor john savage of brown university who said to us, and i'm quoting "computer insiders, but the incentives offered are weak because security is expensive, and there's no requirement adopted until disaster strikes." >> let me correct something i just said. commission has taken a position on data security. i was confused by the question. we strongly support data security and data breach legislation, absolutely, which includes civil penalties. >> thank you. my time expired, and i will be submitting some additional questions for the record. thank you both.
8:54 pm
>> senator whitehouse. >> thank you, senator franken. quick question and a longer one. the quick question is both of you had a chance to look into the, you might call it the dark side of the internet, the dark underbelly of the internet, and you're also people who use it and have families who use it, and so you both have the experience of the regular american dealing with the internet with a certain measure of confidence in it, and you have a heightened awareness based on your professional obligations. based on that, how well informed do you believe the average american is about the dangers and hazards that lurk out there on the internet, and is this significant in terms of things as simple as willingness to download protective patches and get
8:55 pm
up-to-date with commercial technology to protect yourself, setting aside other responses that the public might have if more informed. can you quantify a little bit how well-informed the average american is about the risks? >> we believe that consumers really have no idea of the layers of sharing that go on behind the scenes, so, for example, many consumers may like the location services, and they may want to share their location information in order to obtain them. what they don't realize is that their location data as well as the device id is flowing to support providers, to advertisers, to all sorts of other parties in the chain, and we believe that that's why when certain high-profile security breach happens at companies like
8:56 pm
epsilon are so shocked because they had no idea their data was there. >> i think the large population we're talking about, there's great variation, but i venture to say and this is based on personal information, that the vast majority of people are not informed like they should be and the heightened awareness of the apple and google media -- frenzy this created, i think people focus on the issues. the fact is these situations may or may not be criminal enforcement matters. everybody has to be vigilant. providers can take steps to make sure the user agreements are transparent and easy -- >> if you don't mind a little, earlier in your answer you set up the traditional dichotomy if you will between a legitimate communication or application and
8:57 pm
something that is infected with malware and probably a law enforcement problem if it could be discovered. we're now in a new area kind of in between those two where the product might be something that the subscriber would want. i can imagine a location application that told you whenever you were near a particular fast food restaurant so they can ping you and say come on in for a big mac or whatever it might be. that could be somebody really wants or somebody really does not want at all. if you load an app on to a smart phone, you know you are loading one dimension of the app, but you don't know what else is attached on to that. what should the ftc be doing by way of disclosure requirements
8:58 pm
to be sure when you load an app, whoever put that app on the menu really for people to choose among has fully disclosed all elements are in it and it's not a trojan horse when the real purpose is to find information about you to sell to individuals. where are you in terms of getting that transaction properly overseen and with some rules i guess what you call privacy by design in your earlier statement? >> it's challenging in the mobile sphere because of the nature of the small screen, but the ftc called on industry to develop simplified disclosures embedded in the interactions. for example, when you download the app, if they share the information with third parties, they have to tell you that there and then, not in a privacy policy that takes 100 screens to download and look at, so, you
8:59 pm
know, i think there needs to be serious work done to improve the interaction between these companies and consumers, and we also don't think that if it's not necessary to share for the business model, is not necessary to share with other companies for the business model, it shouldn't be happening, and, you know, we've also seen that when sometimes sharing is necessary for the business model, but instead of sharing a limited slice of information needed, they pull the information off the whole device and share it with third parties. that's the privacy by design piece. >> and from your point of view, the trojan horse analogy for some apps is a fair one? >> yes. >> okay, thank you. >> thank you, senator whitehouse. one more question here for ms. rich and the ranking member has one more question. ms. rich, in your testimony, just talking about the little screen and signing off on
9:00 pm
privacy agreements and anyway, in your testimony you emphasized the ftc's ability to protect consumers against accepted trade practices when an iphone user activates their phone they click and agree to a 4144 word software license agreement, and that tells users they can withdraw their consent of apple's collection of information by simply turning off the location services button on their phones. i'll add a copy of that agreement to the record. as it turns out until a week ago turning off the switch did not stop the collection of location information by apple, so i guess my question to ms. rich is is that a deceptive trade practice? >> i can't comment on a specific company's practices, but if a statement is
9:01 pm
made by a company that is false, it is a deceptive practice. similarly, as shown in our cases, if there's a misleading statement and some sort of disclaimer in fine print, that's deceptive. there's a lot we can do to challenge the practices you're talking about, but i'm not commenting about a specific company. >> thank you. ranking member? >> mr. chairman, i just have one comment. i think we need to be very careful on this idea of security because the greatest example i know is we spend $64 billion a year on i.t. in the federal government, and then on top of that, we spend tens of billions on security, and we are breached daily. we should not be requesting the standard that we cannot live up to at the federal government. the concern is an accurate one, but i think we have to work on what that standard would be whether it's a good faith effort or something, but to say
9:02 pm
somebody's liable for a breach of their security when we all know, almost every system in the world can be breached today, we need to be careful with how far we carry that, and that's all i add. >> can i address that briefly to say that we agree there's no such thing as perfect security and we use a reasonable standard. many of the types of practices preventing breaches are things like not collecting more data than you need. >> yeah, i agree. >> basic. >> senator, another question? >> yeah, just to follow-up on senator coburn's observation. as with any kind of liability or accountability, legal responsibility, there's a duty of care, and that duty of care can impose reasonable measures that common sense or technology
9:03 pm
would provide the means to do, and so i guess my question is why not some liability to ordinary consumers imposed through federal law that would impose accountability for a standard of care that is available under modern technology with the kind of reasonable approach, sensible responsibility. >> yes, senator, we agree with you. in the data security sphere, it's reasonable security. it's having a good process that assesses risk and addresses those risks. it's not perfection. >> and why not also require remedies in the case of a breach where that kind of accountability is imposed? for example, insurance or credit freezes, credit monitoring, as a matter of law so that what is increasingly becoming standard practice would be imposed on all
9:04 pm
companies and provide the incentive to do more? >> absolutely. we think that's important both to address what's happened to consumers and provide effective deterrence. >> you agree, mr. weinstein? i know you're speaking out of the consumer protection area. >> i'm trying to stay in my lane, but look, i'll make the general observation, and i think this touches on issues at the hearing last month. there's no perfect system. it requires a multilayered approach, laws that breaches be reported. it undoubtedly requires providers to take as much of an effort, make as much of an effort as they can to protect systems, requires public-private partnership, and some proposals in the packages you'll receive addresses that issue, and it requires better work by everybody involved. >> well, we look forward to the package that you'll be receiving
9:05 pm
in hopefully a very short time. thank you. >> thank you, senator, and i want to thank ms. rich and mr. weinstein. mr. weinstein, good luck, and congratulations with your new baby. we'll proceed to the second panel of this hearing. i think i'll introduce our panel as they are making their transition to the table just to move things along. well, maybe i'll -- there seems to be a little chaos here. we'll take a little moment of pause. think about the first panel and all the issues raised and thoughts that were expressed. [inaudible conversations]
9:06 pm
[inaudible conversations] [inaudible conversations] [inaudible conversations] >> all right. i want to introduce the second panel witnesses. i want to thank you all for being here. ashkan soltani is a technology researcher and consultant specializing in consumer privacy and security on the internet. he has more than 15 years experience as a technical consultant to internet companies and federal government agencies. most recently worked as a technical consultant on the "wall street journal's" what they know, and he has a masters
9:07 pm
degree in information science and ba in computer science from the university of california san diego. justin brookman is the consumer privacy at the center for democracy and technology, also the chief of the internet bureau of the new york attorney general's office. under his leadership, the internet bureau was one of the most active and aggressive law enforcement groups working on internet issues. he received his jd from the new york university school of law in 1998 and his ba in government and foreign affairs from the university of virginia in 1995. dr. bud tribble is the vice president of software technology at apple. tribble helped design the operating system for mac computers, also the chief technology officer for the sun
9:08 pm
netscape alliance. earned a ba in physics at the university of california san diego and md and ph.d. in biophysics. alan davidson is at google, previously a computer scientist working at alan and hamilton designing information systems for nasa's space station freedom. he has an sd in mathematics and computer science and an sm in technology from mit and a jd from yale law school. jonathan zuck is the president of the association of competitive technology representing small and mid-sized information technology companies before joining act, zuck spent
9:09 pm
15 years as a professional software developer and executive and holds a masters in international relations from the paul h. school of advanced international studies of the johns hopkins university. i want to thank you all for being here today, and please give your opening statements. we'll start from my left and your right, mr. ashkan soltani. >> chairman franken, ranking member coburn, and established members of the committee. thank you. my name is ashkan soltani, a technology researcher and consultant specializing with the internet. i am here on my own not representing the view of my previous employers.
9:10 pm
unlike desktop computers, mobile devices introduce privacy challenges. users carry their phones and tablets with them everywhere they go from homes, offices, day care, to the grocery store. a device's location is determined using a number of different technologies including gps, information about nearby cell towers and points and other techniques. while the accuracy varies depending on technology used, it can be sensitive and personal in all cases. if you live in -- it's reasonably easier to know where you work and play. this information reveals who you are as a person and how you spend your time. this is why consumers are surprised by the recent stories of how their data is collected. with the expansion of gps -- sorry, with the exception of gps, a process of which a device's
9:11 pm
location is determined can expose that location to multiple parties including at&t and verizon, google, and even the provider delivering the information about that location like a mapping website or service. researchers including myself with smart phones send location information quietly in the background to apple and google servers effectively when the device is not actively being used. that is the background collection happens automatically unless the user knows about the practice and turns it off. this is a default behavior. most phones keep a copy of historical location on the device. until recently, the iphone retained your location history for about a year, stored security on the phone and any device the computer was backed up to.
9:12 pm
anyone with access to this file would be able to obtain records of your location, and there's no way to disable it. many mobile smart phone platforms like apple ios allows third parties to develop applications for the device, e-mail, social networks tools like facebook, and, of course, games. as reported in the "wall street journal" last year, many popular apps trace that location information or unique identifiers to outside parties. for instance, if a user opens a popular restaurant app, not only does the app learn information about the user, but so do the advertisers and partners. this is surprising to most customers since they may not have a relationship with these downstream partners. this information is not limited to just location. many of the apps have access to
9:13 pm
information and phone numbers and text messages. exposure about the use of consumer information is ineffective or absent. many disclosures are vague and too confusing to understand, and they rarely mention specifics about data retention and information sharing practices. things that a privacy conscious consumer cares about. half of the popular apps lack discernible privacy policies. in order to make meaningful choices about their privacy, consumers needs to increase transparency on who is collecting information about them and why. clear definitions should be required for sensitive categories like location and other identifiers, and developers need to provide consumers with meaningful choice that will allow consumers to control and share information and for what purpose. only in an environment that fosters trust and control will consumers be able to take full advantage of mobile technologies have to offer.
9:14 pm
i thank you for inviting me here to testify, and i look forward to answering your questions. >> thank you. mr. brookman. >> thank you very much for the opportunity to testify here today. there really could not be a more timely topic than the issue of mobile privacy. consumers are embracing mobile devices and offer an array of functionality making our lives better. however, the same privacy issues frustrating consumers in the online space is heightened in the mobile environment opposed websites, apps access a far broader range of personal information like contact information, access to a smart phone's camera or microphone and precise location information. at the same time, the tools consumers have to see how apps share their information are weaker than they are on the web. i've been invited here today
9:15 pm
to talk about the existing laws and whether they are adequate in protecting consumer information. the answer is no, there's no privacy law in the united states, a few sector-specific laws governing small sets of consumer information. in the mobile space, there's a patchwork outdated inept laws applying to some, but not offering consumers meaningful and consistent protections. traditionally mobile devices were one area with strong protections over data, the consumer facts and rules historically required carriers to get customer's affirmative permission to sell the information on the phones on which you can call and whatnot. however, a cells branched out with data plans, the ftc on opted not to extend those rules leaving confirmation
9:16 pm
unregulated. furthermore, rules never applied to most of the players in the modern app space like operating systems and location providers like apple and google, advertising networks, and data brokers. the mobile data ecosystem expands, the narrow rules which at one point covered everything, no longer offered sufficient protections for consumers in the mobile space. there's a couple other statutes that apply. they do not effectively protect consumers here. one is the iconic privacy agent we discussed that covers a government act of informs but has protections around certain companies in disclosing the content of the consumer's communications. unfortunately, the definitions were written in 1986 before the modern app ecosystem developed. the law covers some apps, but certainly not all, and probably not extending to the operating systems like apple and google.
9:17 pm
the law does not really map well mobile privacy issues and not consistently, and even if it did apply to all the players without additional rules or require meaningful transparency in telling consumers what you do with their data, companies could bury permissions to share data with consumer agreements that consumers will not read. some applied criminal statutes to mobile privacy issues. last month, for example, it was reported that the u.s. attorney from normings was investigating apps for information without accurate disclosure. i'm sympathetic to the policy goals. it's not the ideal approach to use a broad criminal statute to combat hacking and protect privacy. i think i don't like companies sharing my information and it should be protected by the law, but people should not go to jail
9:18 pm
for it. assuming none of the laws apply, the baseline protected in the country is that the ftc's prohibition of unfair practices. the ftc brought important cases in this area, but the bar is still very low. the baseline rule for most data is that companies cannot affirmatively lie about how they use your data. many company's response are not to make any recommendations at all. this is why policies are legalistic and vague. the easiest way to get in trouble is make a statement about what they are doing. the mobile space as was testified, many app makers don't make recommendations at all and they offer anything whatsoever. it's not possible in the modern environment for people to know how their data is stored and shared, so we've longed personal petitioned for a privacy law that requires companies to say what they do with data, give some choice around secondary transfers, secondary uses, and
9:19 pm
what they do with it when they are done. furthermore, for sensitive information, religion or sexuality, health, financial, and most relevant to this hearing, location information, we believe that enhanced application of the unfair practice principles including affirmative consent should govern for this type of information, we should err on the type of consumer privacy and disclosure. thank you for the opportunity to testify, and i look forward to your questions. >> thank you, mr. brookman, and by the way, for all of you, your complete written testimonies will be made part of the record, and mr. tribble? >> good morning, chairman franken, ranking member coburn, and members of the subcommittee. i'm bud tribble, software technology for apple. thank you for the opportunity to further explain apple's approach to location privacy. i want to use my time to
9:20 pm
emphasize a few key points. first, apple's deeply committed to protecting the privacy of all of our customers. we adopted a single comprehensive privacy policy for all products. this policy is available from a link on every page of apple's website. we do not share personally identifiable information with others without the customer's consent and require all third party application developers agree to specific restrictions protecting our customer's privacy. second, apple does not track user's locations. apple has never done so and has no plans to do so. our customers want and expect their mobile devices to quickly and reliably determine their locations for specific activities such as shopping, travel, or finding the nearest restaurant. frabbing a phone using gps satellite takes up to several minutes. they reduce the time by using
9:21 pm
prestored wifi hot spot and cell tower location data on the phone in combination which what hot spots is foreseeable by the iphone. we maintain a secure crowd source data base contains information with known locations of hot spots and towers that apple collects from millions of devices. it's important to point out that during this collection process, an apple device does not transmit to apple any data that is uniquely associated with that device or customer. this information is used to determine the locations of cell towers and wifi hot spots for the crowd-based sources. by design, they have control over collection data over all devices. apple built a master locations services into our ios mobile operating system making it easy to opt out entirely of location-based services.
9:22 pm
these are simply switching off. when the switch is off, the device does not transmit or collect location information. equally important, apple does not allow any application to receive device location information without first receiving the user's explicit consent from a box. the box is mandatory and cannot be overridden. customers may change their mind and opt out of services for individual applications by simple on-off switches. parents can use controls to password protect and prevent access by their children to location services. apple is committed to responding promptly and deliberately to all privacy and technology concerns that may arise. in recent weeks, there's considerable attention given to the manner in which our devices store and use a cache subset of apple's crowd source data base. the purpose of this cache is to allow the device to reliably
9:23 pm
determine a user's location. these concerns are addressed in detail in my written testimony. i want to reassure you that apple has never tracked an individual's actual location from the information residing in that cache. it's not the past or present location of the iphone, but the location of wifi hot spots. apple does not have access to the user's phone at any time, although the cache was not encrypted, it was protected by other apps on the phone. moreover, cache information location is backed up on a customer's computer, it may or may not have been encrypted. while investigating the cache, there was a bug that caused the crowd source data base even when the switch was turned off.
9:24 pm
this bug was fixed and other issues including the size and the backup of the cache have been addressed in our latest free ios software update released last week. in addition, in our next major ios software release, the information stored in the local cache is encrypted. apple is committed to giving customers clear and transparent notice, choice, and control over their information, and we believe our products do so in a simple and elegant way. we share the subcommittee's concern about the collection and misuse of my customer data, particularly location data and appreciate this opportunity to explain our approach. be happy to answer any questions you may have. >> thank you, mr. tribble. mr. davidson? >> thank you, ranking member, chairman, and members of the subcommittee. i'm chairman of google in north and south america.
9:25 pm
thank you for the opportunity to testify at this important hearing before this new subcommittee. mobile devices and location services are now used routinely by tens of millions of americans and create enormous benefits for our society. those services will not be used or succeed without consumer trust. that trust must be built on a sustained effort by our industry to protect user privacy and security. with this in mind at google, we made our services opt-in only treating this information with the highest degree of care. google focuses on privacy protection throughout the life cycle of a product starting with the initial design, the privacy by design concept discussed at the last panel. we subscribe to the view that by focusing on the user, all else will follow. we provide information to our users and apply the principles of transparency, control, and security. we are particularly sensitive when it comes to location information.
9:26 pm
as a start, on our android mobile services, it's all opt-in. here's how it works. when i first took my android phone out of the box, one of the screens asked me in plain language to affirmatively choose whether or not to share location information with google. a screen shot of this process is included in our testimony and on the board over here. if the user doesn't choose to turn it on at set up or go into the settings later to turn it on, the phone will not send information back to google's location receiver -- servers. if they opt in, all information sent back to the location servers is anonymous and not traceable to a specific user or device, and they can change their mind later and turn it off. beyond this, we require every third party application to notify users that it will be accessing location information before the user installs the
9:27 pm
app. the user has the opportunity to cancel the installation if they don't want information collected. we believe this approach is essential for location services. highly transparent information for users about what is being collected, opt-in choice before the location information is collected, and high security standards to protect information. our hope is this becomes a standard for the broader industry. we are doing all of this because of our belief in the importance of location-based services. many of you experience the benefits of the services like seeing realtime traffic, transit maps for your commute, finding the closest gas station on your car's gps, and it's not just about convenience, they can be lifesavers and help you find hospitals and police stations, where to fill a prescription at 1 in the morning for a sick child, and only scratched the surface of what is possible. for example, google is working with the national center for
9:28 pm
missing and exploited children to explore how to deliver amber alerts about missing children in the vicinity of the alert, and mobile services may soon be able to tell people in the path of a tornado or guide them to an escape route in a hurricane. these promising new services will not develop without consumer trust. the strong privacy and security practices i described are a start, but there's several issues requiring the attention of government, problems industry can't solve on their own. we support the idea of privacy legislation providing a basic framework to protect consumers online and offline and support action to prevent data breach notification rather than the patchwork state laws that exist. in a critical area of congress and particularly for this committee, is the issue of access, government access, to a user's sensitive information. we live now under 25-year-old
9:29 pm
surveillance law, ecpa written before e-mail or text messaging was existing. most data stored online does not receive the fourth amendment protections nor do users know the detailed location information collected by their wireless carrier can be obtained without a warrant. they are a founder of the coalition and interest grouping seeking to update the laws meeting the needs of consumers. we hope you will review its work. in summary, i'll say we strongly support your involvement in the issue, appreciate the chance to be here, look forward to working with you in building trust in these new services. thank you. >> thank you very much, mr. davidson. mr. zuck. >> chairman franken, ranking member coburn, distinguished members of the subcommittee, i'm jonathan zuck, the president of association of competitive technology, and i thank you for holding this important hearing. as a representative of more than
9:30 pm
9:31 pm
the users are using today. location based services offered a unique opportunity for me street business as well. such particular products or services smart phones and receive local small-business based on the current location data. these ads have the benefit reaching potential customers of the assignment to the time of the purchase being made for a much smaller cost the and the newspaper circulars or tv ads the stores are able to afford. this dynamic market valued today at about $4 billion is projected to be $30 billion by 2015. application developers are enjoying, from essonnes brought by the lower cost entry in the distribution and often consumer facing applications to read these applications we have come to enjoy our made predominantly by small businesses, over 85% are made by small businesses and not just in silicon valley. the next time chairman frank your drawing one of your famous maps you will be able to reflect
9:32 pm
over 70% of these applications come from outside california including places such as morehead minnesota and tulsa oklahoma. this is a national phenomenon with international implications for economic growth and recovery. we have an opportunity to meet the goals to double exports. we are in a period of experimentation and delivery of new services for the complete focus on the customer. one benefit of small businesses to give the lead here is they cannot afford to ignore the demand of the customers. second, when approaching the issue of the data privacy and the holistic matter i think it is imperative as we heard from the earlier panel to remember there's a whole lot of data. as a focus on a particular new type of data collection to cut off the nose to spite the face. there's more data including the location and the large company databases in the top 1,000 multiplications to collect and lifetime. in fact the vote is on a particular type of data collection and the new market would necessarily discriminate against this lawlessness is and responsible for so much economic
9:33 pm
growth in the mobile sector while leaving larger players largely untouched. finally there are myriad laws to address the legitimate privacy consumer protection concerns as was raised earlier whether it is trade practices of the state or federal level there are vehicles in place to address the transgressions even the use of antitrust has been used in the past to deal with privacy issues. while i don't agree with all of the recommendations made by the center for democracy and technology i would agree any approach to the privacy legislation needs to be comprehensive and should focus on the data itself and how it's used and to the general question and not focus on a particular means of collection are a particular technology platform. there is legitimate concern among american consumers about the privacy as we heard from chairman leahy in number of americans are concerned about the privacy. i think one of the ongoing frustrations of my constituents in the small business in general they find themselves time and time again during that time
9:34 pm
without really having done the crime. it is as though once a week there is some kind of a big company news like the sony play station dhaka, google with sci-fi collecting the social security numbers. these are the issues that are causing the concern and fear among customers and not the prospect of getting one more customized added to their phone. despite that the rules the debt created inevitably impact small business is more than our larger brethren. the settlement is a good exceed love this phenomenon. the sec stated would like to use the settlement is a model for regulation going forward for the entire industry but the irony is not only has a global brought the regulation to the doorstep, the level of the integration they enjoy makes them immune to the consequences. who's most likely to be affected by the law that effect the transfer of information to third parties. a small business that has the partnership to provide the services in its ever-changing market place or a huge company that can simply by the third
9:35 pm
party thereby circumventing the rules. the idea dates back to russell the first to say the whole is more than the sum of its parts and nowhere is that more true than the mobile computing marketplace. i would like to encourage members of the committee to take a step back from the headlines of today and look at the issue of privacy in a holistic manner. thank you and i look forward to your questions. >> thank you for being here today and for your thoughtful testimony. the last month i asked apple in a letter why it was building a comprehensive location database on iphone and ipad and storing it on people's computers. apple's reply to my letter will be added to the record. but this is what the apple ceo steve jobs said to the press. we build a crowd source database of wi-fi and cell tower hot spots those can be over
9:36 pm
100 miles away from where you are. those are not telling you anything about your location. yet in a written statement issued that same week, apple explained that this very same data will, quote, help your iphone rapidly and accurately calculate its location or as the associated press summarizes the data help the phone figure out its location, apple said. but steve jobs the same week said those aren't telling you anything about your location. it doesn't appear to me that both of these statements can be true at the same time. this data, does this data -- ayaan de stand door anticipating -- you are anticipating my questions i will ask. does this indicate anything
9:37 pm
about your location or doesn't it? >> senator, the data that is stored in the database is the location of many wi-fi hot spots and cell phone towers as we can have. that data doesn't actually contain in our database any customer information at all. it's completely anonymous and it's only about the cell phone towers and the wi-fi hot spots. however, when a portion of the database is downloaded on to your phone, your phone also knows which hotspots and cell phone towers it can receive right now. so the combination of the database of where are the towers and hot spots plus the phone knowing which ones it can receive right now is how the phone figures out where it is without the gps.
9:38 pm
>> okay, consumers are hearing this a lot from both apple and google and i think it's confusing because apple basically said yes that file has location but it's not your location. and when it came out that both the iphone and the android were automatically sending certain location data to apple and google, they both said yes we're getting location but it's not your location. mr. soltani, tell me, whose location is it? is it accurate, anonymous, can it be tied back to individual users? >> that is a great question. in many cases the location the data refers to is actually the location of the device or somewhere near it.
9:39 pm
it's true in some rural areas it is going to be up to 100 miles away and the practice for the average customer, the average consumer is much closer and the order of about 100 feet according to a developer in the technology. if you refer to the figure three of my testimony, you can see an example of this location as identified by whatever the gop the could database is. i took my location based on the gps and my location based on the strongest wi-fi signal in the lobby just out here and the dot on the left refers to my location as determined by the exact gps and then the dot on the right determines the location based on this wi-fi geolocation technology and there's about 20 feet where i was sitting on the bench. depending how you want to slice it i would consider that my
9:40 pm
location. the thousand databases time stamps that described at what point i encountered some of these and they could be used to trace the trail and then finally, to the degree at the data contains a identifiers. as we heard earlier that gentleman from the doj said ip addresses are necessary to identify consumers or criminals to the degree that those addresses are used to identify criminals they become identifiable and it's difficult to call this stuff anonymous making the claims i think is not really sincere. >> because basically if you have -- this location like a lustration you see. and so, let me ask mr. brookman
9:41 pm
the same question i asked mr. weinstein. my wireless company, companies like apple and google and the mobile apps i have on my phone do and can get my location or something very close. my understanding, mr. brookman, is that in a variety of cases under the current law, each of those entities may disclose my location to almost anyone they want to without my knowing it and without my consent. is that right? and if so, exactly, how exactly can they do this? >> that is correct. as i mentioned before, the default law in this country for sharing data is you can do whatever you want. the only thing you can't do was what you previously promised not to do with that data, so if someone like apple or google said if you give this location
9:42 pm
data to google maps we promise not to share it with an effort as a partner. under that scenario would be prohibited under the act from sharing it. otherwise i think for most players in the space it would be very hard to make the legal argument they are required to have the affirmative requirement not to share data. >> mr. davidson, mr. tribble, let me ask one more question because my time is running out. your two companies run the biggest application markets in the world, and both of your companies say you care deeply about privacy, and yet neither of your stores require that the applications have a privacy policy. would your companies be willing to commit the apps in your store to have a clear understandable privacy policy? this would by no means fix everything, but it would be a simple first step and would show your commitment on this issue.
9:43 pm
mr. davidson? >> it's a great question. i would be happy to take as an extremely important issue you raised about the application privacy. at google we've tried to maximize the openness of our platform to allow lots of different small businesses to develop applications. we have relied on a permission-based model at google so that before an application can get access to information they have to ask permission from the user. you're asking about the next step which is the affirmative application and i would just say i will take that issue back to the leadership. i think it's a very good suggestion for us to think about. >> mr. tribble? >> i can't that's a great question. what we do currently is require contractually third-party developers to provide clear and complete notice if they are going to do anything with the user's information or device information.
9:44 pm
so if you want to become an apple developer and you sign an agreement with apple that says you're going to do that it doesn't specifically require a privacy policy but what i will say is probably a privacy policy in this general area is not enough and i would agree with the earlier panel that what we need to do because people may not read a privacy policy is put things in the user interface that make it clear to people what is happening with their information, and apple and thinks this way for example when an application is using your location data we put a little purple icon right up next to the battery to let the user know that. now, we say that in the privacy policy, too, and that should say that, too but we put something in the user interface to make it even more clear to the user. we also have an error that shows it is could using location the
9:45 pm
last 24 hours, so transparency goes beyond just what's in the privacy policy. it's designing into the application and system itself information feedback to the user about what's happening with their information. >> thank you. just want a yes or no, mr. soltani. isn't it true that there is no mechanism for the iphone to give notify users that the applications can disclose their information to whomever they want? >> i have a meeting i have to take for about five minutes and then i will be that. >> senator blumenthal. >> thank you, mr. chairman. thank you, senator coburn. i want to focus on the very
9:46 pm
broad area or issue of trust that mr. davidson raised, which i think goes to the core of much of what you do with the consent and acquiescence of consumers and most particularly the practice and the goal of building a wireless network maps, both apple and google are engaged in that business activity, are you not? >> yes. >> in particular i want to ask some questions about the google wi-fi experience scandal from all three terms have been used to describe it. in particular, as you know and now we all know, for three years, google intercepted and collected bits of user information payload data, e-mails, passwords, browsing
9:47 pm
history, and personal information while driving around taking pictures of people's homes on the streets and the st. programs. the company first denied that it was collecting this information, did not? >> we did not know that we were. >> and then it denied that it was collecting it intentionally, is that true? >> i think we still believe we were not collecting it intentionally. >> and in fact, this personal data in the interception and the downloading of this is contemplated in fact by a patent application that has been submitted to both of the u.s. patent office and internationally, does it not? >> i'm not specifically familiar with the details. as the mcginn you've been provided with a copy.
9:48 pm
maybe you could have a look at it. >> do you recognize the document? have you seen it before? >> i haven't seen this document before, but i probably -- i haven't seen this document >> are you familiar with the goal that it describes of in fact pinpointing the location of wireless routers to construct a wireless network map by intercepting and downloading the payload data in precisely the way that google denies having done? >> i apologize. i'm not familiar with that aspect of it or anything relating back to the patent content. >> are you aware that this process may have been used in
9:49 pm
the program to collect private confidential information and use it to construct a wireless network groups. >> it is not our policy to collect, it was in the company's intent to collect the contador payload information, we've been specific about the fact that we ever use that information. as you indicated people of the company were quite surprised. and honestly embarrassed to find out that we have been collecting it. so we said before this was a mistake that we didn't intend to collect this information and we tried very hard to work with regulators to make sure we are now doing the responsible thing. we haven't used it and we are working with the regulation to try to figure out what to do with it and in many cases we have destroyed it. >> why would the company then said that a patent application
9:50 pm
for the process, that very process it denied having used? >> i'm sorry i can't speak to the specifics because we were not aware that this was a topic for today's hearing but i will say that generally we submit the patent applications for many different things. often they are fairly speculative and probably do hundreds of patent applications a year through scores and it wouldn't be surprising at all that in this area it's so important we would be looking for innovative ways to provide location based services. but it was certainly as we have said publicly it was a mistake and we certainly never intended to collect payload information. >> in fact the payload information would be extremely valuable in constructing this wireless network map, what did not? >> i'm not sure that we would say that. i think what is most important is basically having the
9:51 pm
identification of a hot spot and location which is what we were collecting and that is what we have used to create this database as others have, and it's not obvious that small snippets of a few seconds of whatever happens to be broadcast in the clear in someone's home at any given precise second when you're passing by with a car would necessarily be that valuable, and i think we certainly never intended to collect it. >> would it be valuable in your opinion, mr. tribble, to have that kind of payload data in constructing a wireless network map? >> i'm actually not sure how valuable -- i'm not sure how valuable it would be. we don't collect data or use that in our mechanisms for
9:52 pm
geolocating and they said they are not sure how you do that but they probably haven't seen the pattern. so why can't really i guess specifically answer your question. >> let me ask mr. brookman and mr. soltani as to whether you have an opinion of the de data payload would be strengthening of the location network or map. >> i'm not a technologist so i will defer to mr. soltani. would be the primarily interesting fact is here is a wireless access point the need to sense that sending information out technologically, but i don't believe that the content of that communication would be valuable at all. >> i would concur. i think that the small differentiation is what you're referring to is whether the header information which is not necessarily -- whether that is payload data.
9:53 pm
so google collects the information about the hot spot, which includes the header information about the address or the identifier for the hot spot and i think that is the question of whether that is valid data. so, not payload data, but that remains to be determined. >> let me turn back to mr. davidson. what are the plans that google has to use or dispose of the information that has been downloaded and collected? >> we are in active conversations with many regulators including the office of this if connecticut regulators around the world, some of them asked us to destroy the data and we have done so. some of them are continuing their investigations. our intent is to answer all questions of any regulator who's got an interest in this. we do not intend to ever use the data. we dispose of it whenever regulators tell us we should >> would you agree that collection of the data violates
9:54 pm
privacy rights and that it may in fact be illegal? >> i think our position was that it was not illegal but it wasn't ever intended either and it wasn't what we -- how we expect to operate our services. >> if it wasn't illegal, don't you agree that it should be? >> i think this raises a complicated question about what happens to things that get broadcast in the clear and what the obligations are about people hearing them. and i think it is a complicated question. it is an important question but i think that we have to be careful about it. i think the law appropriately says it regulates i believe it regulates the use of the information. and as i said before, we have no intention to use it. >> i would have additional questions, mr. chairman, my time has expired, and i appreciate your indulgence. in the meantime i would like the patents to be made a part of the
9:55 pm
record. >> absolutely. >> the ranking member. >> mr. chairman, this is for both apple and google. you both have requirements to the people that want apps for your system. how do you enforce the requirements you put on them? >> how do you know that they're keeping their word? that they aren't using data that they have agreed to, how do you know? >> yes, senator, so apple curates the apps in the store. the way they get apps on the phone is they're in the apple app store. as i mentioned, we have requirements for the developers. what we do is we look, we examine apps, we don't what the source code, but we run them, try them out, examine them before we even put them into the store. if they don't meet our requirements --
9:56 pm
>> understand that, but once -- >> once they are in the apps store we do random audits on the applications -- we don't audit every single one, just like the federal government doesn't audit every single tax return, but we do random audits and do things like examine the network traffic produced by that application to see if it is properly respecting the privacy of the customers. if we find an issue through that means or through public informations blog or active community of app users we will investigate, and if we find a violation of terms including privacy terms or specific location handling terms, we will contact -- contacted during the investigation and hopefully have gotten them to fix it, but if they don't, we will notify them the app will be removed from the
9:57 pm
store within 24 hours and we will do that. now, in fact, the overwhelming case is the developers are highly incentive to stay in the app stores during the investigation or if we warn them, typically they correct in boston that correction involves making sure the pop-up a notice panel telling the customers what they are doing. >> so, we have taken a slightly different approach at google. we have strived to make sure that our platform is as open as possible. and we don't -- we have chosen not to be the gatekeeper in terms of what application people get access to. now, that has -- that is striking a balance, but we tried to maximize openness and we've taken a different approach to protect consumer privacy which is to use the power of the device itself to make sure that people know what information is being selected as the device
9:58 pm
itself. with that application wants to have access to. and that is a powerful form of policing for the users but we don't been generally go back and try to make sure that every application does what it says it's going to do that we are also really trying to maximize the ability of small app developers to get online. >> is that notification when you download an app in plain english where it is easily understood is the ten page deal everyone goes to and says i accept? >> it's a terrific question. we tried hard to avoid that, so we do not show that ten page thing that says all the different things that may happen. it's plain language, plain language is really more than a screen. sometimes you have to scroll down a little bit and it says very specifically what pieces of information not just location
9:59 pm
information, all types of information that might be coming from the phone and that the application sought access to it and i will tell you personally i've seen applications five selected and hopefully a lot of people do this when we say why it is my so what your program need my contact database? it doesn't and i should reject it. >> what is the motivation for the producer, and you can comment on this, too, to have that information. is it so they can use it and sell it? >> i'm sure that it's going to be a combination of things and in many cases they will be providing valuable services. so, foursquare or other locations let you know if your friends are nearby, twitter lets you look at tweets near your location. there are valuable services provided. sometimes people might be using data to survey or build data bases of their own and that is the kind of thing consumers need to decide whether they want to make that trade.
10:00 pm
10:01 pm
as to your question about the use and why they do it, most of the time it is some overt process where someone is actively checking in and doing something very specific where they know they are sharing information in order to get information. the other use is to allow for partnerships and revenue streams from ad networks. and so data is not stored by small businesses in most cases, but actually transferred back to the likes of google and apple which are the ones actually accumulating large databases and data about users. the one thing that is worth noting is that is another bite of the apple that these folks have with application developers terms of services so that in sharing information back there are restrictions on the kind of policies we have to have in place in order to share that information back with the network and make use of the service. >> thank you. i will have additional questions.
10:02 pm
>> thank you very much. it strikes me that we are in of very new area in trying to think about what our take of. should be. whether existing models are a good analogy for where we are right now and where we should go an interest in discussing to have. i encourage each of you to take that as a question and get back to me in writing. along the discussion. if you want to sell pharmaceuticals in this country you can do so but you have to disclose their side effects. if you want to operate on somebody in this country you can do so but you have to get their consent endless things that could go wrong and the surgery. if you want to sell a consumer-products you have to
10:03 pm
put appropriate warnings. if the product is dangerous you have to pull it back off the market. if you want to sell stock you have to file a proper sec filing so people know what the financial information behind the stock offering is and can make an intelligent decision. in all those different ways that we regulate conduct we are trying to make, to your statement, mr. davidson, as open as possible a market but not at the expense of people who are trying to take advantage of people. so it worries me that the principle. we hear it from you in terms of as open as possible. we hear it from the isp in terms of don't blame us for what comes across the pipes, even if it is crawling with malware and really putting our national security at risk. we are just providing a service. we just wanted to go through. that is not an argument that we allow to stand in pharmaceuticals and consumer
10:04 pm
products, surgery, really anywhere. we build an arena in which the market and work, but we make sure that the boundaries are those of safety. i think we really need to be working on those boundaries, and i think that as open as possible is simply not an adequate standard to this task. as open as possible, yes, but within what controls? i think we have been questioned. we have to be focusing. it is complicated by the fact that some of these things you want and you are choosing them. some of it rides along with that. i don't know how effective your program that allows you to check in and out until you with things that have access is in terms of the real-life consumer. what does the 14-year-old
10:05 pm
loading an application know about these choices? how informed is that juries? i'm not sure that is the boundary i am personally comfortable with. you mentioned that you could change her mind later if he saw something must going wrong. can you change your mind in yours? >> absolutely. you can easily go back. >> you can remove the application very easily. >> you're not aware someone is selling look this affirmation. >> this is a tremendously important area about the need to educate our consumers and users better because we believe you're right that a lot of users don't understand that we have tried to make it very simple and strike
10:06 pm
the right balance. we don't say openness at all costs. what we have said is we are trying to maximize and increase openness. we have tried to create an open platform. it's not no-holds-barred. we do have a content policy for our market. the question is, where is the appropriate way, who are the appropriate actors to go of -- after jack we don't go after trucking companies. we go after the manufacturers. i would just say, we're trying to strike the right balance and also need to educate consumers. it says the red light. >> you go after the trucking company if it knew what it was carrying. >> google is in a better position to know what is being carried as a professional
10:07 pm
company and specializes in vast resources than a 17-year-old who has been told by his friend that this is a cool application. i don't think that is a comparable analogy either for you to rely on. the other thing, if somebody wants to take control of your computer and slave it to their botnet they will try a lot of different ways to do it. many of the ways in which they try this stuff will involve broadcast to thousands of people. most people are careful enough to know better than to open the attachment. they're getting more sophisticated. ordinarily you could have a success rate for only one in a thousand. you can still be a successful
10:08 pm
propagator. there are some things for which even a very high failure rate is still not good. even if 999 of 1,000 of your customer said, oops, i don't want them to do that, if somebody is putting these applications up not for the official purpose, the stated purpose, but because they loaded a bunch of other stuff behind it that they want to use for an alternative to alternative motive, you take it for one reason but that's not really what they're doing business. this is the way to get in the door. the economic advantage of your information. it seems that there is some line we want to draw that is an absolute line that says even -- you really shouldn't be in a position where you are agreeing to this with as little information as you have in the
10:09 pm
same way that you try to protect people from having their computers slaves by slamming mills. again, i think we need to consider more what our model is going to be and then work off of that. all i can say is that i have not yet heard a model here today that is convincing to me that it adequately protects both the internet itself and the privacy. it isn't this privacy. they can cause mischief, and it could be all the way to help right now where rather than -- it could be something that is ultimately illegal other than something that is just unwelcome. i want to thank chairman franken for having this hearing. i think it has been very interesting, significant. i think it is an issue where we
10:10 pm
have a lot of work to do ahead of us, and i want to appreciate the participation of all of you. we bring different perspectives. no one's perspective is ideal, but together and working hard on this i think that we can get something accomplished that will make the internet safer and make people less vulnerable to abuse and make sure that it is more clear that you're getting what you pay for or when you load up when you choose to take on these applications. much appreciation to the chairman for leading this. >> thank you, senator whitehouse. i apologize to the witnesses. i had to step out for a meeting on the the menace of the flooding. senator schumer has stepped in. >> let me thank you, mr. chairman, for having this
10:11 pm
very important hearing, and there are so many different types of issues and questions that have come up because we are in this brave new world where information is available much more freely creating new privacy concerns and the balance is one of the most important things that we can do at the beginning of the century. i look forward to your lead in as we try to balance the important benefits. i am glad that you stepped in. i always tell people that the senate has so many different factions that somebody who is interested can step into. this is a classic example. thank you. i am glad that their representative, a particular area that some of you know i care about. there are a lot, but i'm going to talk on a couple today. google and apple have come here, and i thank you both for that. want to ask about those deadly
10:12 pm
different aspect of balancing technology with public safety which is the smart phone applications that enable drunk driving. as you know, several weeks ago a number of my colleagues and i wrote letters to your companies calling your attention to the dangerous applications that were being sold in your stores and asking you to take immediate -- to immediately remove them. endanger public safety by allowing drunk drivers to avoid police checkpoints. i don't have to go into how bad drunk driving is in our country, and i just read those newspaper articles, particularly at prominent christmastime of parents just looking so forlorn because they have lost a child to drunk driving. anyway, the dui that was popping
10:13 pm
up and stories were terrifying because they undermine drunk driving checkpoints. the applications have names like buzz and faa's alert. they are intended to notify drivers in real time when they approach police drunk driving checkpoints. there is only one purpose to these and we know what that is. that is to allow drivers to avoid the checkpoints and avoid detection. people often think twice about drug trafficking, driving while drinking because they know that they could get stopped with all the consequences. these applications enable them not to. we brought these to the attention of rim and they pulled them down. i am disappointed that google and apple have not done the same, and i would like to ask you how you can justify to sell applications that put the public at serious risk. i know you agree with me that drunk driving is a terrible hazard. i know each of your companies has different reasons for not
10:14 pm
removing these applications. i would like to discuss them with you separately. first, tell me your reasoning why google has not removed this kind of application. >> i will start by saying we take this issue seriously and appreciate you raising it. as i discussed, we have a policy on our application store, on our platform where we do try to maintain an openness of applications and maximize it. we do have a set of content policies regarding our android marketplace. although we need to evaluate each application separately applications that share information about sobriety checkpoints are not a violation of content policy. >> let me ask you this. would you allow an application that provided specific directions on how to cook methamphetamines?
10:15 pm
that doesn't explicitly violate the terms of your service explicitly but generates a public safety hazard. >> it would be fairly fact specific. we look at these things specifically. we look at applications that are unlawful, directly related to unlawful activity. we do take those down. we do have a fairly open policy about what we allow. >> no one is disputing fairly open. that is the model of google. your company that has paid the price in a certain sense for those beliefs. everyone respects the company. my view is, even under your present terms of prohibiting illegal behavior this application with it. why wouldn't you then change the application to include this at least specifically so that it doesn't -- you know, i know if
10:16 pm
you had to draft a generalized language it might be trouble, but why wouldn't you do that? >> again, we have a set of content policies. we try to keep them broad. i just say you raise what is an extremely important question that we are actively discussing internally and i will take this back. >> if you don't believe under your current rules this would be prohibited you would look at specifically at least narrowly trying to eliminate this application. you agree is a terrible thing. >> we agree it is a bad thing. >> and it probably causes death. >> senator, i think this is an extremely important issue. >> all right. mr. guy tribble, tell me why you have it. the reasoning, that is why i am doing this separately. >> senator, you know, i share your abhorrence of drunk driving.
10:17 pm
as a physician who has worked in an emergency room i have seen firsthand the tragedy that can come about due to drunk driving. we are in complete and utter agreement on that. you know, apple in this case is carefully examining the situation. one of the things that we found is that some of these applications are actually publishing data on when and where the checkpoints are that are published by the police departments. >> not in the same time. >> in some cases the police department actually publishes when and where they're going to have a checkpoint. not all of them do that, and there are variances to the theories on why. >> how many police departments? >> i have seen a map of san francisco. ninth and kiri will have a checkpoint tomorrow on the web.
10:18 pm
>> do they publish all of them? >> i don't know. we are looking into this. we think it is a very serious issue. >> sort of a weekly, i think. >> i would bet you that i don't know of a police department that in real time would publish where all the checkpoints are being. >> as you often of the public in general that they do it. that means that they believe these checkpoints provide a deterrent effect and that water publicity -- >> different type of check points. >> i agree. we are in the process of looking into it. we will not allow apps to encourage illegal activity.
10:19 pm
>> apple has pulled down applications before. >> absolutely. >> tasteless jokes. well, this is worse than that. wouldn't you say? >> i would say that in some cases it is difficult to to decide what the intent of these applications are, but if they intend to encourage people to break the law then our policy is to pull them off of the store. >> then i would suggest that you look at just keeping that policy as is. a little different situation than mr. davidson. you would find that the intent of these applications is to encourage people to break the law. >> and i will take that back. >> i know my time is up. i apologize. i would encourage you to make a distinction between a police department that says, well, we usually have a checkpoint here
10:20 pm
and an application that just talks about where the new checkpoints are and in real time. you say they publish it. if they publish it two days later -- >> i understand that distinction and agree. >> so apple will take a serious look. >> yes. >> i would like if both of you could give me an answer, say, two weeks from now as to what -- is that too soon? >> i can certainly give you a progress report. >> of about a month from now as to what your internal examination has come up with? thank you. i thank my colleague. >> i was saying we were going to get to a second round, not that you were two minutes over. never never do that to you, distinguished senator from new york. i am going to indulge my prerogative as chair and go to a second round.
10:21 pm
>> it tells you that if that application will access your location, calendar, contact list you have a chance to opt out of those. and i finally ask you if you want to share your location within the application and nothing else. don't you think it would be helpful to inform consumers if an application will be able to get information from calendars or address book? what more can apple do to inform consumers of the information? >> well, in the case of those things, we encourage it, as i mentioned, and even require the
10:22 pm
provider themselves to give notice and get consent from the consumer before they do that. different from google in those cases, we do not provide or attempt to provide technical means in all cases to prevent the application from getting any and all information. in fact, we think that would be very difficult. however, specifically in the case of location we do make sure that every single time an application or for the first time an application asks to get access to that user's location it pops up that dialog box that says this application would like to use your location. yes or no. so, i would say that our -- two things. one is our priority in this case has been, the sensitive nature
10:23 pm
of location and providing technical measures or attend to on the phone to provide that notice every single time when the application first asks. in the case of other information which may also be personal information but maybe not to the same extent of where am i right now, we require the application to give notice and consent, but we do not have a technical means to require that. it is not that we've been want to. it is especially difficult because when you start to do that for every though piece of information this screen the user is confronted with in terms of yes no yes no yes no potentially becomes very long and complex. >> google has a screen that contains a number of those, and it seems to work for you guys, right? >> it works or a skies, yes.
10:24 pm
>> the ranking member asked you how your company enforces your own rules for applications. when you were in my office yesterday, i actually asked you this question. how many applications have you removed from your store because they share information with third parties without user consent? >> as i mentioned, not put in there in the first place. but if we find an application be investigated, work with the developer to get them to give proper notice and tell them at some point if we find them violating you're going to be off in 24 hours. in fact, i think all of the
10:25 pm
applications today or application vendors today have fixed their applications rather than get yanked from the store. >> so the answer to my question is? >> is -- >> zero? >> zero. >> of all the things you have seen what is the most serious privacy threat that mobile devices posed today? >> thank you for your question. the biggest take away from this is that consumers are repeatedly surprised by the information that applications and platforms are accessing. trusting their computers and other devices with a great deal of personal information. to the degree these platforms are not taking adequate steps to make this clear to consumers that others have access to this
10:26 pm
information, that's a problem. we have talked about the applications were a certain application might need access, an example, it needed access to your location information. i don't think what consumers would know. and stemming from that it sounds like the providers of these platforms are surprised as well that there are collecting information. they were surprised they were collecting wi-fi information. they were surprised that even a year ago they responded to this issue that they were collecting information. many to improve transparency on this stuff. in order to do that we need clear definitions of what things like opt-in mean. for example, the check box that you have done check, clear
10:27 pm
definitions. clear definitions of what location is. most importantly, clear definitions of what third and first parties mean. >> could you describe the results of the wall street journal investigation into mobile applications? specifically the information that applications are getting from users and sharing with third parties and tell us. he said there are surprised the average user has any idea this is happening. >> i don't think most consumers know applications access things like your location information or information stored on your device. >> your address book. >> address book, contacts. there is at the case where you will install facebook and its synchronizes your address book. people were surprised by that functionality. i don't think people realize the data that is held on the phone versus the data that is transmitted to websites and even
10:28 pm
more, transmitted to downstream ad companies and other entities that are not even the website that builds the application. ultimately this might be an issue with regard tap incentives. we have apple and google as platform providers. in the example earlier with ever making problematic products we have the same companies, the truck and the product. it is weird to figure out what the incentive should be for them to do the right thing and make intelligent defaults. i think we have seen them fall in the favor of what is in their best interest. >> thank you. thank you all. >> thank you, mr. chairman. i want to thank all of you,
10:29 pm
again, for being here and for your very, very useful contributions. just by way of a brief footnote to your conversation, earlier you may or may not be aware, but sometimes the police departments publicize checkpoints so that drunk drivers will go to alternative routes where they do not publicize the checkpoint. there may be more strategy than you may be aware and some of the law enforcement practices that are involved here. i welcome both your willingness to come back with your response. i think that is a very welcome and commendable thing and i want to book and commend google's response on the notice issue with case of breaches which i think is a very important source
10:30 pm
of support for notice legislation and would ask, i don't think i saw in your testimony, and able to look any reference to the requirement for notice in case of breaches of confidentiality. and would apple likewise support that kind of legislation? >> i actually am not the policy person. but i will say is that in general we think it is extremely important that information kept on our servers stays secure. we do a lot to make sure that is the case. we think that -- i personally think if customers are at risk from information, important information leaked from servers, i, for example, as a consumer would like to know.
10:31 pm
fortunately apple, the issue we are discussing is not that. if that were to happen and think that would be something that consumers would want to know about. >> well, what bit -- would it be the practice to notify consumers in case of the breaches in as possible? >> i believe we are subject to at least state laws along those lines, breach notification and although it is not my area of the company i certainly believe. i know we would comply with that. ..
10:32 pm
so to speak as well as remedies such as credit freezes, credit monitoring in case to prevent such and we would welcome any comments from the panel, or not, whichever you prefer. >> fortunately i testified on this issue last week so i'm thinking about it. from the consumer perspective there are pretty strong legal regimes in place to require reasonable security practices. the ftc has brought cases where companies failed to adequately secure data, and the notification, 46 and 47 states have provisions in place, so the legal regime right now already has pretty fond protections in place to read the things we would probably look for our one, more authority to the fcc would be greater pick capacity but
10:33 pm
obviously more would be better and penalty authority especially as well the ftc hasn't had the ability to get penalties for violations. i think that they are a stronger stick. you could see better practices. also i think we would like to see other fair information practices put into law. sali upc brought up is the idea of updated minimization. if you have data on your servers you don't need any more and get rid of it. both for sony and the echelon case it seems they were holding old data that they didn't need any more. sony had a 2,070 days credit card numbers they weren't even using. echelon, keeping e-mail addresses of people who previously opted out. personally if i got an e-mail from somebody ought to dhaka from years ago i would think your data was breached. so i think putting into the law protections for the minimization
10:34 pm
is the stronger fcc authority would be valuable things. >> mr. brookman, did sony have in place adequate safeguards? >> i am not a technologist. there has been a lot of press reports indicating that there are things they should have done better. their servers not patched to the latest security software, they were holding old data and the password verification system should have been stronger. i'm probably not the best person to testify to that. to say that it seems inadequate, but there are definitely strong in the face of criticizing what they've done. >> in fact they acknowledge that much better, stronger safeguards should be in place going forward whether that is an implicit acknowledgement as the inadequacy previously we can't ask them because they are not here today, but certainly they
10:35 pm
are going to upgrade or at least promised to upgrade their safeguards. >> they said they were going to put better protections in place. so there were maybe a greater consequence to the data security breach as the have the authority and hopefully companies would maybe think about it more in advance than trying to attend the security. >> i have a bunch of other questions which i will ask the witnesses, and i will continue to ask more but thank you mr. chairman. >> thank you, senator blumenthal. the hearing record will be held open for a week. in closing, i want to thank my friend, the ranking member, i want to thank all of you who testified today, thank you all. as i said at the beginning of the hearing i think the people have a right to know who is getting their information and the right to decide how that
10:36 pm
information is shared and is used after having heard today's testimony, i still have serious doubt those rights are being respected in law or in practice. we need to think seriously about how to address this problem and we need to address this problem now. they are only going to become more and more popular. they will soon be the predominant way that people access the internet. so this is an urgent issue that we will be dealing with. we will hold the record as i said open for a week for submission of questions, and this hearing is now adjourned. [inaudible conversations]
10:39 pm
week for two days of talks on economic and strategic issues. this is the third year these meetings have been held. u.s. officials said the talks resulted in an agreement to allow american companies greater access to the chinese government contracts and the sale of some u.s. financial products in china. they agreed to the iraq export controls of certain goods and services. secretary of state hillary clinton, treasury secretary tim geithner and their chinese counterparts address the media at the end of the conference. >> good afternoon. i want to begin by thanking our chinese colleagues, led by vice
10:40 pm
premier wong and the entire chinese delegation for a productive and comprehensive dialogue between us. and i also along with secretary geithner, want to thank everyone on the american side, not just those from the state department or treasury, but indeed from across the government. the unprecedented level of work that has taken place since our last s&ed in beijing was truly impressive. the strategic and economic dialogue continues to grow broader and deeper. it reflects the complexity and the importance of our bilateral relationship, and we have covered a lot of ground together, and i happy to report
10:41 pm
we have made a lot of progress. the list of agreements and understandings reached is quite long. we have seen concrete progress on a wide range of shared challenges from the energy and environment to international trade and security. for example, there is now a new partnership that will bring u.s. and chinese companies and universities together. those which are developing innovative and environmental technologies will now be working nationally and with local governments and ngos to promote sustainable development projects such as next generation batteries for electric cars and new clean air and water initiatives. already, tulane university in
10:42 pm
new orleans and east china normal university are collaborating to improve the conservation of wetlands. and we have seen many other examples. we are also laying the groundwork for potentially significant future collaborations on development from working together to innovate and distribute clean cookstove and fuel to strengthening public health systems in developing countries. and our people to people programs continue to expand. most notably, our 100,000 strong student exchange initiative, which has already raised the stated goal of dollars to go along with the very generous chinese government support for 20,000 american students, because all of us are committed to increase more people to
10:43 pm
people interaction and opportunities. now i am well aware that these specific and substantive partnerships may not produce major headlines. but i think they do reflect our shared commitment to translate the high level sentiments and rhetoric of these diplomatic encounters to the real world benefits for our citizens, our countries and the wide world. just as important, although perhaps even harder to quantify are the habits of cooperation and mutual respect that we form through these discussions. we believe that to keep our relationship on a positive path as foreseen by president obama and hu jintao, the united states and china have to be honest about our differences and address them firmly and
10:44 pm
forthrightly. at the same time, we are working together to expand the areas where we cooperate and narrow the areas where we diverge. and we are building a lot more understanding and trust. so we discuss everything. and whether it is something that was sensitive to us or sensitive to them, all the difficult issues including human rights, and we both have made our concern very clear to the other. we had candid discussions on some of our most persistent challenges from addressing in north korea and iran to rebalancing of the global economy. we agree on the importance of cooperating in afghanistan to advance the common goals of political stability and economic renewal. we've established a new u.s.-china consultations on the
10:45 pm
asia-pacific region where we shared a wide range of common interests and challenges. and for the first time in these dialogues, senior military and defense leaders from both sides sat down face-to-face in an effort to further our understanding to develop, trust, and avoid misunderstandings that can lead to dangerous miscalculations. this new strategic security dialogue is a very important step forward and we think will add immeasurably to our bilateral relationships. as we have discussed these issues and we have committed to keeping the relationship moving forward, we have some milestones ahead of us. for the first time president obama plans to participate in this year's east asia summit,
10:46 pm
and vice president biden will travel to china this summer continuing our discussions on the full range of shared regional and global challenges. and he hopes to return the hospitality by welcoming vice president to washington at a later date. i look forward to seeing our chinese partners at the regional forum in indonesia and both the president and dhaka and the secretary or greatly anticipating the united states hosting apec in hawaii. those are just a few of the highlights, but from day-to-day at every level of our government, we are working hard to build positive, cooperative comprehensive relationship that our presidents have asked for. this is the long, hard, and a
10:47 pm
glamorous work of diplomacy. at the plenary sessions the state councilor and i shared yesterday there was a dizzying array of issues we are working on together, and i felt dissatisfied because that was not the case two years ago, and i anticipate we are going to see further progress because we want to realize the full promise of our partnership and we hope to leave a more peaceful and prosperous world for our children and our children's children. so let me again, thank our chinese friendship for making this long journey and for working as we move forward on our journey together into the future. now i am pleased to turn to my colleague and partner, secretary
10:48 pm
geithner. >> thank you, secretary clinton. let me outline the highlights of our discussions on the economic side. we had a very comprehensive discussion about a full range of economic issues between us and facing the global economy. as always, we reviewed the major risks and challenges to the gross domestic in china and the united states, and we talked about the major risks and challenges of the global economic front. we talked about the investment in both countries, energy policy, financial reform, very comprehensive discussions and we benefit of the u.s. air chinese side from an exceptionally talented and very senior delegation of financial experts and members of the cabinet, regulators etc. and that's very important. now, our three key objectives of the u.s. side were first to
10:49 pm
encourage the ongoing transformation of the chinese economy away from its export dependant growth model of the past three more balanced growth strategy led by the domestic demand to encourage leveling the competitively and decoupling field both in china and around the world. and to strengthen our engagement with china on financial reform issues in both countries. we have made very significant progress in our economic relationship over the past two years. our exports to china reached $110 billion last year and they are growing of 50% faster than exports in the rest of the world. and those exports are in all the things americans create and build from agriculture, all sectors of manufacturing services and advanced technology, and they support hundreds of thousands of jobs across the united states. now overall, we are seeing very
10:50 pm
promising shift in the direction of chinese economic policy. since last june as you know, the chinese currency has appreciated against the dollar by more than 5%. and an annual rate of about 10% when you take into account the fact the chinese inflation is significantly faster than that of the united states. we hope china moves to allow the rate to appreciate more rapidly and more broadly against the currency of all of its trading partners. and this adjustment is critical not just to china's ongoing efforts to continue pressures and to manage the risk capital interests bring to the credit and asset markets but also to encourage the shift to the growth strategy led by domestic. china outlined in its five-year plan a comprehensive set of
10:51 pm
reforms again to shift the strategy away from one rely on experts to domestic demand. and china has joined the broad commitment with other countries in the g20 to put in place mechanisms to produce the risk that we see once again the emergence of large imbalances that can threaten future financial stability and future economic growth. this process is going to take time, and of course it's going to require a sustained effort of reform but it is essential to the future health of the global economy and the trajectory of the future growth in china. again we are seeing progress here, too if you just step back and look the surplus is as a percentage of gdp about 10% before the crisis. it's now around 5% and we would like to see that progress sustained. speaking to the third area focused on the discussions which is how to create a more level playing field, in our meetings the last few days we have seen you know some very important
10:52 pm
steps towards that goal. let me read you a few of them. first china committed to making long-term improvements in its high level protection of the enforcement regime to strengthen the inspection of the government software used at all levels of government and this will help protect u.s. innovators as well as chinese innovators in all industries not just in software, and i think that's very important. china also confirmed that it will no longer employed government procurement preferences for indigenous innovation products at any level of government. and this is important to make sure of course the u.s. technology and the terms can compete fairly for business opportunities in china. china is committed to increase transparency acquiring government authority to publish regulations at least 30 days in advance, so again, the u.s. firms all foreign firms have a chance to see that information,
10:53 pm
see the regulations and draft any opportunity for input just as their chinese counterparts do. china and the united states recognizing the importance of transparency and fairness in the export policies agreed to indicate the discussions on exports, on the terms of the respected export credit policy and this is important because china by some measures the largest provider of export credit in the world. finally, we have been discussing with the chinese authorities the important objective of how to make sure companies in china that compete with enterprises are not put at a broad disadvantage. final focus of discussion on the economic side was china's chief of ongoing financial reform to create a more open, more flexible, dynamic financial system and these reforms which are designed to increase the returns to the savers to further develop china's chief equity and
10:54 pm
bond markets and expand opportunities for the foreign financial and institutions in china are very important and very promising, not just of course in expanding opportunities for u.s. institutions but also reinforcing the shift in strategy by the chinese government towards the strategy led by domestic demand. now, when president hu jintao visited in january president obama discuss the evolution of the relationship as, quote, a healthy competition that the spurs both countries to innovate and become even more competitive of course as china faces significant economic challenges at home, we have our challenges in the united states, too, and we are working hard not just to repair the damage caused by the financial crisis but it sure as we restore fiscal stability and return to living within our means as a country we are making sure we preserve the capacity to invest in things critical to the future strength of the american economy and i can see based on
10:55 pm
the strength of the conversations and of this emerging relationship that the economic relationship with china will continue to grow and deepen and continue to provide a tremendous opportunities for both nations, and you see today concrete tangible signs of progress on both sides that underscore that commitment in both and in conclusion let me end where secretary clinton began which is to thank the delegations on both sides and both the american and chinese participants. they brought a directness and candor and frankly greater openness than we've seen and i think that's very welcome and i want to express my personal gratitude to the vice premier for his leadership in these discussions and to complement him for the substantial changes he's already been able to bring about. thank you very much.
10:56 pm
>> translator: under the guidance of president hu jintao and president obama and thanks to the endeavor the round of the chinese strategic and economic dialogue has been a great success. such a mission about the economic dialogue is to implement the important agreement to bridge between the two presidents, president hu jintao's recent statement to the united states this past january and to implement the billing of china and u.s. comprehensive beneficial economic partnership. we have in-depth discussions of the overture and strategic issues and bilateral economic cooperation and particularly secretary geithner and i signed the agreement pre-work promoting strong sustainable balanced economic growth and economic cooperation and the framework of the two countries will carry out and expand in a more extensive
10:57 pm
economic cooperation. we agree that in today's complex economic and we're met the two nations should step up the policy and contribute to the sound economic growth in both countries. the implications of the sovereign debt crisis, the disaster chartered by japan's earthquake, turbulence in the middle east before the global economy, and we highlight the international agreement with the strong and sustainable work devotee of the reform of the global economic structure to gradually build a fair and reasonable international economic order. we agree that in the transformation of the gross models and economic restructuring and the rates and
10:58 pm
infrastructure programs and the science and technology innovation and expand the national and corporate exchanges in the corporation. we highlight our commitment to build a more open trade investment system. the united states commands to the, quote, trade in the regime for the export control both china and to consult through the jcci tea in a cooperative manner towards the economy status and a comprehensive manner and the two sides will strengthen the cooperation in bilateral negotiations and the strategic cooperation protection for safety and products and quality but still run of negotiations and reject. we also had in-depth discussions of the financial corporation and agreed to strengthen regarding
10:59 pm
the regulation of the systemically important financial institutions, shadow banking systems, credit rating agencies, the reform of the policy combat and joint lead advance the international architecture and we welcome the financial institutions in america and recognize the enormous ratio comprehensive consolidation provision and aspect. the united states commits to further and force strong supervisions over the presence and mature the have enough capital to fulfill financial obligations. it's an important prerequisite for the corporation and in the economic dialogue the mutual understanding consensus has enriched the outcomes. this will be a strong boost to the growth of the partnership based on mutual respect and