whether it's assessable during a voyage or not. we see drug smauggler attempt t break the custom seal, put a load inside the door of the container and lock it up. it's only doable around the deck area. we know which containers could be accessed and we do routine seal checks s upon arrival. there are different steps in our -- >> somebody counterfeit your seal? can somebody counterfeit your seal? >> they can try to, yes. we have detected dozens of attempts to do that pretty effectively. >> so they not have been able to do that as of yet? >> i won't say, senator -- >> that you're aware of. >> successful counterfeit attempts. we train our personnel to detect what our seals are supposed to look like. whether they've been tampered with. there's a number of sequences and other kind of safe guards in

this process. >> i'll just -- this is a long time ago, but i'll share an experience with you. i bought a company in puerto rico, put it into four containers, all the equipment. everything that was there. all four container arrived at one of my plants here. all the seals were there. when we opened the containers, everything of significant value that could have been marketed was gone. but the seals were still there. so the fact is, and that was way before 9/11. that was in the '70s. but the fact is, that people will try to do it. so my question is, is -- i guess my question is really this, do we have the capability to track ships from the time they leave a port until the time arrive here and know whether or not they've been boarded or accessed between

this embarkment and the embark here? >> that's the question that i probably can't answer. >> got you. all right. thank you. >> senator, did you want me to touch upon the metrics issue? >> yes please. >> i think at the strategic level. a more detailed functional plan, we have not seen metrics laid out early as to what the end state is and how we're going to measure that. but we have seen problems particularly at the program level, most often, those are easier to look for and find. i think we have found an improvement of the metrics of how the programs are run. one of the first things we do when we look at the program, do you know how the program is being run and have those metric.

a lot of times we'll find weaknesses in the internal controls. i think those are improved across the board. when i see some of the programs that have matured. a lot is better management of the program. where we have not seen large improvements is in the area of actually measuring results of the program and what they're trying to achieve. i would also agree with you the importance of cost-benefit analysis. a lot of times we'll get a discussion from the agency that could be expensive and we don't have enough money to do it. in the end if you spend $3 billion on grants. it's an outstanding record for nine years they come up with performance measures on the port security grant. so maybe a couple of extra millions to do the analysis. in the hindsight it might be money well spent. one example of cost-benefit analysis that was done rigorously involves the advanced portals d.n.d.o. put in.

the first ones they put in was light -- it was not very rigorous in terms of the testing. we pointed that out. when they did the rigorous testing, and then they looked at how much they would cost marginally compared to the additional they get. they cancelled the program after spending $280 million. eventually they were planning to spend, like, $3 billion. it was the case where whatever the testing or analysis cost, i think in the end, lead to a good result. >> okay.

let me ask mr. kamoie. you all plans to reinsert the f fiduciary agents to -- >> we do not, senator. >> why is that? >> when the fiduciary agent model was used, it was at time when the appropriations levels for the program were much higher. after realms of stimulus funding, the agent model was absolutely necessary to assist the agency in distributing and monitoring the funds. over time, however, as the appropriations level has gone down, and our internal capability with staffing has increased to manage the program, the fiduciary agent model has become less necessary. and in terms of monitoring

performance, there was a varying level of performance by fiduciary agents and monitoring. given our increased staffing, our increased capabilities, we think it's more appropriate that we monitor an oversight and grant funding and how it's spent. the other thing i'll say is that the allowability of management and administrative costs from the grant program to fiduciary agents of 3 to 5%, would result, for example, just this year in 3 to $5 million in overhead costs that we think are better invested. >> do you have the flexibility to use some of the grant money for grant management? >> senator, i'll have to check the language and get back with you. >> would it help you. in other words, rather than spending 3 to $5 million. if we spend it on managing grants, especially cost

effectiveness of grants. and looking at that, i'm pleased with the progress that is being made. i don't think we're there yet. i would love know what we need to do to help you to be able to get to the point. my model for grants, at the federal government is a vision of library and museum sciences. if you get a grant from them, you can guarantee they're going check on you. they're going do a metric, they're going to know whether you followed your plan and the grant. if you're not, they pull it. you don't ever get another one again. so everybody has a different expectations. the fact that some grant money is going to things that aren't really for security. you know, if you had the reputation, i guarantee everybody would be put down the way you put down. even though you have flexibility. >> absolutely i'll take a look at that. we're willing to learn lessons. >> it's the best-run grant program in the federal government. >> i appreciate that.

the other thing is the spend down. we're still, in terms of, we granted but we still a lot ways to go. where are we on that? is it because these are long-term programs? that's getting better as well. early on in the program when ports were doing larger capital project infrastructure building with multiphase complicated projects, it took a long time to spend down a lot of projects have been completed. we've taken a number of steps to assist grantees in the spend down. one, we remind them quarterly. we're in touch. we've shotened the period of grants to two years. but your question was where are we? in august of '12, for -- and we follow up in writing with these numbers, but for the program years, '08 to '11, 80% of the

available funds were not yet drawn down. a year later, for fy 8-12. of course every year one goes off the books. we move the needle down to 44% of funds not being drawn down, and we did a check at the end of april. right now we're at 39.3%. not yet drawn down from '08 to '13. >> i'll have to recess. senator carper will be back in a moment. >> thank you, senator.

let see if we can see if there's any consensus on the metrics that we're using. how do we measure success. let start with you, miss mclean. what are the metrics we are using and ought to be using. how are we doing? >> mr. chairman -- i think there is several -- there are several indicators that evidence and success in securing the ports. i would note in the last seven years, our relationships are programs internationally, those global partnerships, the capacity building, the agreements, everything that is necessary to supply the whole

global supply chain. i think there's been suggest advancements in that area. i also think that our improvements in the advanced data and targeting area make us more secure. coast guards, port assessments 1500 ports. we think there are a lot of indicators that there's a global recognition of the need to tackle this issue on a broader basis. >> all right. >> same question to admiral paul. >> thank you, mr. chairman. i was in port in galveston, texas for 2001 and the three years we followed, we scrambled to figure out what it meant to secure our ports. from my perspective, it's clear we've achieved a lot. i think one the first things we did, mr. caldwell mentioned the strategies. we recognized in order to build a secure port we had to build

regime locally, nationally, and internationally. we had to build awareness so we could figure out what was going on and pick anomalies. we need the capability to respond to the anomalies. if you look at the three building blocks and compare them to where they were in september 11, 2001. it's clear there are progresses. there are clear metrics with each of those. with regard to the regimes, thank you to the congress for the maritime transportation security act and the safe port act. it was the impetus for the national regime as well as regimes that have now been implemented as far down as individual port authorities. i'm not just talking about regimes required by the law. i'm talking about they understand a security is part of the business product. i think in that regard there's clear measures. we're intangible from hear to sea. i can tell you there was no awareness or recognition that security really was parking lot

of t -- part of the product in the port. we got the message across with safety and environment. they get it as part of the business as well. i think there's a metric there. certainly with regard to awareness and capability. we have built the capabilities federally, locally, internationally. all of which, i think, are clear evidence that we've been effective in terms of enhancing it. i'm with you. i think we need to do more. i'm concerned about emerging threats like cyber. we need to develop some metrics there. >> we'll come back and finish. how are we doing, what are we doing, what metrics are we using, how do we demonstrate to what we're doing better. i want to come back and say what is on the to-do list, first. >> mr. chairman, i'll touch on five areas. broadly, our ability to identify and mitigate risk is the metric we seek to measure ourselves on. first, on the data front, as was alluded to. we're getting advanced information on cargo shipments.

manifest information, entry information, and import security filing. in terms of targeting and assessing that risk, category two, we're analyzing it with the automated targeting system, we think it's a sophisticated cape thablt is constantly approved and currently working on responding to the ideas on identifying the effectiveness of those targets with more granularity. three, examining the earliest possible point in the cycle. currently 85% of the shipments we identify as high risk are examined before they leave for the u.s. our examination in the 58 ports are accepted 99 percent of the time. we think those are very solid metrics. 100% of the containers identified as potentially high risk are examined before they are let into the u.s. stream of commerce. 85% prior of leading and the rest of the 15% before allowed to enter the u.s. on arrival.

securing the supply chain, category four. over 50% of all cargo containers are part of the partnership with our 10,750 partners. we've increased the security supply chain through the partnership. we're recognizing other country systems including the european union and six other agreements to ensure broader visibility globally as ellen alluded to, the international partnership. and five, our efforts to address the highest consequence threats. we're scanning 99.8% of all arriving containerized cargo. >> say that again. >> 99.8%. so just about everything in arriving in sea port is skeined through a radiation port monitor. the other part of this coin, sir, the facilitation piece you have referenced. vast majority of cargo arriving in the u.s. is released before

it touches the dock. our ct partners are getting fewer examples because they secure the supply chain. we establish mobile technology for agricultural to clear shipments on the dock instead of waiting hours and having the bananas sit. the u.s. chamber of commerce and 71 others wrote to the secretary this week in an open letter saying the regime is working well and that the facilitation piece in particular, we've achieved through the layered risk approach. those are the risks we look and happy to elaborate on any specifics. >> mr. chairman, i think while you were out we agreed in the port security grant programs we have measures and made progress. we agree question continue to make progress. on the program attic side of the effectiveness measures, we look very carefully at the six priorities of the grant program. enhancing maritime marine awareness, explosive device

detection, chemical explosive pretext, response, and recovery capabilities, enhancing cybersecurity capabilities, maritime security risk, mitigation prompts, planning, training exercises, and the transportation worker identification credential implementation. right now we have a measure we're looking at building new capabilities across those six areas, and sustaining existing capabilities. but, again, that measure can be better. on the administrative management side, we've made progress in measuring our ability to effectively, efficiently release the funding, monitor programmatic use of the funds, monitor grantee financial management of the funds, monitor the closing of the awards and grantee draw down. we're making progress, mr. chairman, we've got an opportunity to make even more. >> thanks. >> yes, sir. for us, i think it's about

getting good, quality information and data for us to make the right decisions on when we issue a card. it's about continuing to get that information after we issue the cards so we can monitor the individual to ensure they haven't done something as to disqualify them. whether it's on a terrorism watch list or something through a criminal issue. i think the other thing that is going to make us better is installing readers. we believe that the coast guard, whom we're close partners with, made the right decision to take a risk-based approach and put readers where they need to be. and that -- we think that's going to be a measure in our program for our program considering it's a by yo metric credential. i think the last thing is share information. which we do on a daily basis. so we need good, quality information to make good decisions with. we need the information to keep on coming so we can continue to

make good decisions after we issue the credential. we need to install readers. and we need to continue to share information, which we do on a daily basis with our parter ins. >> thank you very much. i mean, the most difficult question is how do you measure security and risk? i think we have actually looked at that quite a bit across a lot of these programs. i think one of the better problems we found is coast guard program called maritime security risk analysis model where they can, at the facility level, try to measure the risk-based on vulnerabilities and threats and various scenarios. like that, i think they did that. coast guard also took a step trying to develop a more sophisticated measure of how much coast guard programs actually reduce risks in the port environment. and so was the percentage reduction of maritime security risk subject to coast guard influence in the programs, and we're critical of this. in the end, it was subject matter x person. the coast guard sitting down and

thinking about what the reductions measures are and then putting the single point of, you know, percentage on that. we had couple of criticisms in terms of way maybe trying to make it better and maybe give particularly so much judgment. you want to give a range instead of a point estimate like that. but i don't want to criticize the coast guard in the sense they certainly were trying to think larger about the suite of programs and what extend they reduce risk. whether they want to keep the measure or not is something they're looking at. it was a measure they were using within the coast guard. they weren't really using it for that much. if you have a performance measure but you're not really using it to monitor things or prioritize resources, you got to kind of question whether it's a useful metric in the end. >> thank you. okay. some of you began to answer the second part of my question. i want to take another shot at it. my staff, my colleagues, we oftentimes say these words, the road to improvement is always

under construction. that's true here as well. i just want to -- in terms of thinks of metrics, but thinking we're making progress but areas we're not making nearly enough. there's been some allusion to this. we can actually measure we've not made nearly enough. are any of those. who can help enable us to make the progress? us, the legislative branchs committee, the president and his budget? who needs to help out? ellen? >> yes, i think that just to sort of set the scene here, we certainly need an approach that is flexible, innovative, so question take on the adaptive adversary. we need something that an

approach that is risk-based so we can make the most cost-effective use of our resources. that said, we recognize not that we don't want to have -- negative impacts on global trade, so we are looking in the near-term to specific improvements in the area of the targeting algorithms, the reducing the alarms. working with our partners at some of the csi ports to increase the percentage of scanning that is undertaken. we're looking at, i think it's a key point that i hope doesn't get lost in today's discussion, looking across all pathways. focussing on a single pathway doesn't necessarily reduce overall risks. so as we go forward, we need to consider improving security across all transportation pathways. and lastly, i would note that we are continuing the dialogue with

stakeholders to see what additional or expanded roles they might take in improving security of ports. >> thanks. admiral? >> i think there's a couple of areas. the first is complacency. from the congress to the security guard at the facility. we have to make sure we maintain the sense of urgency with regard to port security. the threat is adaptive. as good as physical security systems we have in place are, there are emerging threats like cyber that we have not yet addressed. we have begun to address them. i believe the coast guard has the authorities we need to do with that. we're working on what the resources might be. so you may hear about that. the other area that would be of concern is the real high-end threat that needs to be intercepted offshore. we need to maintain and get out there and do something about some unidentified threat for our

shore. it requires ships, helicopters, and people not only able to get there and present at the time when you need them. so those two things are areas where we need to make sure continue to build our capability and our plans for action. >> okay, thank you. kevin? >> mr. chairman, i would echo a couple of comments that ellen made. on the targeting side, there's always an opportunity to improve or an lettics and capability to assess risk. we're pursuing it aggressively. we have a good system for taking in current intelligence, manipulating the data elements against it and identifying risk. we want to get better. it's an area we get congressional support to continue to improve in that area. but the radiation portal monitors. we need to be able to dial the algorithms. they're sensitive for the threat materials we're worried about. they reduce the national raid logical alarm we face on normal

comedies and bananas that hit on the monitor. we don't want to waste time on the alarms. we want to focus on what potentially could be dangerous terrible. i think there are continue d -- we are looking another other threats to the global supply chain, contraband that can support criminal activity and so forth we did that after 9/11 with the world custom organization. there's always opportunities to take it to the next level and build kacht with those governments and custom services that are willing to step forward but don't have the capacity or funding. and then, of course, the private sector. continued opportunities there not only supply chain side but looking to whether a terminal operative perspective there light be a return on investment

to do security work that we can share and benefit in. we're pursuing all of these angles as the secretary noted in his letter. >> there's a great points. i appreciate your responses. i'll come back and ask the same question in the last witnesses. >> you want them to answer it? [ inaudible ] >> okay. okay. thank you. let's talk about the 100% mandate. and the fact we're at 2 to 4%. i think i'm right. ngo, i would love for do you get on this. there's no question the 9/11 commission said report security we need 100% screening. we hear it's not practical. so the question somewhere between 2 to 4% and 100%, where do we need to be. how do we need to decide where we need to be, how do we become more effective in terms of

container inspection? i'll start i'm sure colleagues will want to chime in. i think the key question for us is not the percentage itself but are we inspecting the right percentage? is it -- are we inspecting and identifying the containers high risk and many hitting at the threat at the earliest possible point. while you had to step out to vote, senator, we talked about the metrics we're following and whether we're establiaccomplish that. i would like to reintegrate one of the elements for you. on the containers that we identify as potentially high risk through automated targeting system, we are currently examining with our foreign partners under the container security initiative 85% of those containers before they are on a vessel destined for the u.s. within that -- >> that's 15% that aren't getting inspected. >> they are getting inspected

fully at the first port of arrival in the united states. we are checking them before they enter the stream of commerce to the u.s. and getting 85% of them before they are even on a ship destined for the u.s. >> okay. if the 15%, one of them has a nuclear weapon in it, it's a little late, isn't it? >> yes, but that's not the only layer we have -- >> i understand. but when we think about this, you're saying 85% of those deemed high-risk. so what is our goal to get to 100% of those deemed high risk? >> our goal there, sir, is to increasingly target with our the reports forming how we can encourage anything we think is high risk before leaving. we think we have placed those csi locations in the righright locations. we're assessing how the threats have changed. are there strategically

important ports question add. capabilities can work with additional countries to encourage them to take measures. mentioning, as you came in, sir, working with terminal operators. is there a way we can encourage them to increase the overall inspection if they think there's a return on the investment. working with the customers to sell security benefit that we can benefit from and share the information results of. >> any comments on that? >> the container inspection world really does belong to customs and border protection. i can certainly attest to the impracticality at looking at every container. i have seen the targeting we do jointly on cargo and the automated processes are effective and adoptable. so if there's a new intel stream that comes in, we can quickly change their targeting and identify wcargo that might be associated with a newly

identified threat. >> all right. here is the question as a common sense. we say it's not capable to do 100% screening. where is the study that says here is what it will cost and slow down commerce. has that been done? >> a number of that studies in that regard have been done. i offer that gao might want to comment as well. we have done a study and provided several papers to congress estimating up to $16 billion in costs. the european union has done a study, the private sector has done several studies. the challenge, sir, there's 800 or so initial ports for containerized cargo destined for the u.s. an average of 3 to 5 million per port. an average of 5 million to implement the system. that scope just makes it very challenging to get to the level. a lot of questions on who pays, who is responsible, how it is monitored and so forth. >> if you take the rand study,

even though it's dated now, say if you had one sneaks in, and you have the tragedy they spoke about at the port of los angeles estimated $1 trillion effect on the gdp. $16 billion doesn't seem that great. so where do we go, gao? >> senator, thank you. i thought about this a lot. we have done several studies on it. as far as the one study you're asking for. the only place i've seen it in is a recommendation we've made, and i think that cvp and the department would have been better off if at that point they said this is it. this is the feasibility study. this is the cost-benefit analysis. and put it to batter and show the trade-offs. there are multiple studies they've done. i feel bad, i think the department in all the little pieces they've done since then they've almost gotten there. but i don't see that.

but i just -- i would like to stop to talk about kind of one popular -- called for the 100% scanning of maritime cargo. >> they called for 100% scanning of air cargo. they said almost nothing about ports an maritime. >> okay. that's great to know. >> yeah. so -- >> but moving on. so we do think that challenges are insurmountablinsurmountable. the safe port act was left a lot of things undefined. i think through the pilots cvp tried to understand the undefined things would be in terms of cost. who does it, what is the point? but i think this is a concern it would create a false sense of security in a couple of ways. you can scan the container if

it's kind of within a regime that we trust. a port we trust. we know maybe the container we have some confidence after it's scanned and gets on the ship, it's going to be monitored or something like that. but a lot of times we won't have that case. a lot of cases because ports laid out where they do the scanning are offsite. if the truck has to drive 3 to 5 miles. a lot can happen in that period. one thing the coast guard commented on. thad allen said it was more likely that weapons of mass destruction would come in not through a kind of highly regulated regime like containers, but through some small vessel coming in and snuck in some other way. i also agree. i think intelligence, in the end, would be the key if there's weapons of mass destruction that someone is trying to smuggle in. i'm not sure ats by itself would catch that. they looked at probably millions and millions of containers and used the risk-based analysis and

they're still finding things, but, you know, it's not like when they find drugs in these things that -- because it went to one match between, oh, we rated that one high risk. they find stuff in there that had gotten through the system. drugs or other contraband. i think our approach has been to look at the programs that we have. we still would have liked to see the feasibility analysis. i think at this point it's not implemented. i think it's water under the bridge. we would like to see us doing better with what we have. recognizing we're not going to have a perfect system. that's optimizing the targeting system, monitoring it on a regular basis. you're testing it to see how its doing. it's having the best csis footprint you can. some of the ports are not high-risk ports. maybe they should pack up and shake hands with the parter ins. the partners will keep helping us but move some of the operations toso s tto other por

>> do you have specific recommendations on ports from the gao in. >> yes, we have a recommendation that they use the port-risk model they used in 2009 to initially plan the 100% scan and thinking about that. and used a similar type model to figure out the ports they were in. we tried to reproduce that and found 12 of the ports low-risk ports. more than half were in high-risk one. we recognize there had is some ports that aren't going to let us in. you know, i mean, you have some nasty players throughout. they're not going let a joint u.s. program into there. we have recommendations and we understand -- i'm not sure i can disclose details of individual ports, but there is movement in term of additional csis ports both opening and closing. >> okay.

let's go back to grants and tiered port system for a minute. if we're not doing analysis on progress. do we revauevaluate the ports i terms of tiers. is that done retunely, yearly, biannually? how often do we reanalyze ports. number two, without the metrics. they're getting better, how do we take what we have improved and measure it to show a decreased risk for tier 1 port so that the dollars you have can to go to where the risks are the greatest. >> thanks for the question, senator. we reassess the risk of the nation's ports every year. we use the risk formula that

incorporates the most rented data we have available on threat vulnerability and consequence. there have been times where changes in that risk data have resulted in the changes in the grouping of ports. for example, last year, and fy 13, there are eight tier 1 ports. san diego had change in it relative risk formula. these are relative to one another. so this year it is not a tier 1 port. we are making those adjustments. we work very closely with the departments intelligence and analysis unit to populate the risk formula with the most recent data. so, yes, we are looking at that continually. your second question as to what the measurement and really what i would consider to be, you know, buying down of that risk and the vulnerability. i agree we've got some progress to make there in terms of

agreement on measurements and metrics to show that progress. and show it in a way. when the chairman comes back, his question was about how can the congress help, and here i think i might ask of the chairman and you, senator, is that we have a continued dialogue about the type of data that would enable you to have more confidence and the american people have more confidence we are making that progress and that we are being effective stewards of the taxpayer dollars. i agree that we have made progress and plenty examples. we would like to continue to work with you to get the data and the measurement that would show that in a more compelling way. >> each port has a port security plan, right? >> yes. all right. has homeland security done an

analysis of what the total cost would be to bring it up on a co effective benefit. how much total for all the tier 1 ports would we need to spend to bring them where they need to be? do we have that? do we know that? i'm not aware of the analysis. that's an important question. because if you don't know what they need, we'll never get there. and -- >> so, i mean, we certainly at the -- >> i know you i know where the weaknesses are and i know that's where the grant money is going. i'm saying in the big picture, if we're going to spend $100 million this year on port security grants, and the total bill for bringing our tier 1 ports is $2.5 billion, you know, we're 12 1/2 years from bringing it. by that time, you're going have replacement needs. >> sure. >> so the question is don't we

think it's important to really know by port here is the total cost to get us where we want you. and which one of those top eight ports, which one has the greatest vulnerability basis. should we not be spending maybe 70 million at one point and $30 million and the other eight what the basis is to bring them to the level where we feel confident. >> we'll take a close look at that. we have moved the entire suite of grant programs toward performance measurement against the core capabilities in the national preparedness goal, following up implementing the president's aid on national preparedness. we continue to find the performance measures for those. but we're through the threat hazard identification and risk assessment process we are asking grantees to do a lot of what you're talking about in terms of identifying capabilities and

using the investments to close the capability gaps response we're moving in that direction. but i'm not aware of a single analysis where we've put a price tag on by port what it would take to close the gap in every port against one level. we'll take a look at that. >> i just think that would be important to know. because you're going to have limited funds from here on out. it's not going to change. spending -- sending the dollars -- this is all risk-based, right? >> yes. >> ending the dollars where the greatest risk is should be our priority. i recommend you look at that. i don't know if the gao has any comments or not. >> if i might, we'll take a close look at that. i think the threat has identification risk assessment process. and the area of maritime security working groups at the local, at the port level, i think, they're getting at a lot of that.

but i agree with you. we can make even more progress. >> on two of your points. the first, how do you account for previous grant money in determining the risk ranking for the next. we actually do that as part of the coast guard's security risk assessment model that grk ao mentioned. if it mitigates the consequences of an attack on a facility it gets reflected in our model. that data is part of the risk formula dhs determines to use the tier for the next year. it is in there. the other piece you ask about, you know, have we defined what a secure port is. when will we know when we get there? it's an interesting question. what i can tell you about the port. i have watched the initial focus being on secure individual facilities. make sure we have fences, cameras, and guards and get facilities. and then i saw it evolve to we

need to secure the port as a system as well. how do we link these fences snogt we invested in things like communication systems that allow everyone. and surveillance systems that were focussed on the common infrastructure not on the private sector infrastructure. and we decided that's good. have we been able to address what we're going to do if we get attacked and need it recover. we invested in trade resumption plans. it's been a national evolution. i believe we're still in the evolution. we have emerging threats such as cyber. i think the next round of grants is putting money toward cyber vulnerability assessments so we can understand with a it's going to take to secure the cyber infrastructure and the maritime. i don't know we'll ever be able to say we're there. but i do see a logical profession on how we focussed our planning and investment. >> we have a diagnostic system for cyber within homeland

security. is the twic system similar to the system? >> let me take that one, sir. >> yeah. >> right now the twic system works is that the contractor provides the enrollment equipment. then they connect to a system that eventually gets back to tsa. that system whether it's on the enrollment side, the data center side, up to the tsa side is standard. they go through accreditation, they go through auditing, they go through testing. it's not monitored within the dhs system. it's monitored through the tsa operation center. so everything from the contractor's data center -- >> you've answered my question. got it. all right. thank you. >> i would like to ask mr.

caldwell to an my earlier question. >> absolutely. the next question i'm going to ask of all of you is what we do we need to do. what is the to do list on the committee and the congress? to make sure we're continuing to make progress. >> absolutely, mr. chairman. i ask of you and the committee is for a continued dialogue. i shared this with ranking member coburn before he stepped out. a continued dialogue about the types of data and the types of measures that would give you the competence, give the american people the confidence we are investing the grant dollars in a way that is most efficient and most effective and that we're all good stewards of these resources. i agree with admiral thomas. this is the threat is evolving. so, too, have our measurement of, you know, where we're headed

next. so i would appreciate a continued dialogue with you about how we define the measures of success that give you the confidence we're looking for. >> thanks. something for our to do list. >> i think it's continued support and helping us, you know, get from tsa's point of view and the coast guard's point of view. understanding that the coast guard is prum all gaiting the rule. there's a lot of things that had to happen before they get to the point they can do it. when they say they need the readers. they need the readers. there's no way insinuating there's some day delay on the rules side. there's a lot of work in getting to this point. we asked for the continuing support 0 so question put readers in place, buy down risk, and use the full capability of the card. to the admiral's point before, it's critical we maintain mission focus. it's also critical we make

risk-based decisions so we can protect the right areas. for our look at it, it's data quality, identity vertdifications, reduction and fraud. ensuring that the right people get the card and the right people keep the card after it's been issued. >> thank you. mr. caldwell. >> i'm doing a combo answer. i'm still busy trying to answer the question you asked before and the last one. i'll see what i can do. three things. one for the agencies to do and the committee to do. first off, kind of keeping the programs flexible. whether this -- i know the coast guard is trying to make their infrastructure patrols and things like that not predicta e predictable. keeping a little bit of deterrence out there. i like what i see at cvp when they're doing -- they call it the key side or dock side scanning or a ship come in and they target a ship. it won't be based on whether the containers are high risk or not.

they'll be scanning every seventh one or tenth one and things like that. maybe flexibility in csi and whether they need to shift the deck a little bit to the different countries if possible. i think cyber is the growing area. that's an area where dhs and coast guard have been monitoring the situation, and they're talking about taking action. i think they do. we'll have a report we're issues tomorrow for senate commerce that have a lot more detail on the thoughts on that. something for the committee, i think it's starting to show up on the radar of the agencies as well is, you know, for what we have, we have to sustain it. and you have vessels and you have scanners and you have aircraft that have are pretty important in the regime. particularly in term of the interdiction and the deterrence and the daily things like scanning containers.

some are reaching the end of their live. i know, cvp is trying to extend the life of their scanners. at some point, you'll have a lot of -- you've built the regime and the things that go with it. it will take some sustainability and translate into resources. >> okay. last three witnesses have pretty much sort of gotten to my last question, which was what is our to do list. and i don't know, ellen, you and mr. admiral thomas had a chance to do that. our to do list. >> chairman, i think i just echo some of the points that were made earlier, and emphasize in moving forward anything we need to do takes into consideration that dhs confronts a multitude of threats. to be cost effective and efficient we need to bear that in mind. i think the second point we've

made earlier is that big picture security across all path ways to buy down risks don't want to encourage a balloon effect where we put all of our security wher security assets over here and the agile adversary circumvents that. so the picture has to be across all path ways. and then echoing mr. caldwell's point about the aging infrastructure and funding dhs with the president's budget. >> okay, admiral thomas, anything that we should be doing on the legislative side? >> thank you, chairman. i don't have much to add to what's been said. there may have been specifics that we identify as we continue to analyze the ports, but i think we have the right access through the staffs to get that information to you. i would say this type of oversight and continued focus by this committee on this issue is really important to stave off

that complacency that i'm concerned about, so we do appreciate that. >> good, thank you. >> four quick things, echoing several things that mr. caldwell mentioned, continued support that we discussed today, the automated targeting system, the csi and we're working on the recommendations mr. caldwell mentioned. recapitalization and sustainment of our critical technology. along with domestic nuclear detection office we'll be working with your team on those plans. three, that what you said at the beginning, understanding the critical economic exped. >> and facilitated movement of cargo aspect of our mission, that continues to be critical and needs to be understood. and then, four, working with the secretary in the department on an agreed path forward on scanning, keeping us honest on the good faith efforts identified and discussed today and working together on the best framework for the future. >> good, thanks. i think dr. coburn, when i was out voting, asked a question

dealing with fiduciary agents and i just want to come back and he asked part of my question, i just want to come back and say the second half of the question. maybe y'all can take a shot at that. i need to be someplace else, literally someplace else in eight minutes. bynum, i'm going to ask you to take a shot at this. >> absolutely. >> rather than ending the use of fiduciary agents for all ports, why not let ports decide for themselves if they'd like to use one? >> we've considered that proposal and don't think it's in the best interest of the program. if some are using fid ushiaries and others not, the benefit we've derived by moving away from the fiduciary agent models as the appropriations have gone down and our capabilities

internally have grown in terms of program oversight, management and monitoring. we have a pretty good window into the project level data and the approach grantees are taking. we lost some of that visibility. as you might expect, there was a variety of varying levels of performance across the fiduciary agent model. and the other thing is, with the fee that fiduciary agents had access to, you know, three to five percent of the funds, we think those funds are better invested in actual security projects. so i know there's a range of opinions in the port community about the fiduciary agent model, but we've decided that the best thing for the most effective and efficient management of the program is to bring that management in-house and not use the fiduciary agent model. >> okay, thanks. this last question is for miss mcclain, admiral thomas, and mr.

mcaleenan. really short answers if you would. first question, what effect has increased security along our land borders had on maritime border security? what effect has increased security long our land borders had on maritime border security? 30 seconds. >> yes, mr. chairman, two quick points. i think the programs we developed in the land border context informed how we deal with those programs in the maritime context. and second, i think it pointed out to us, and i real quickly go back to south florida in the '80s, how you need a risk-based approach across all path ways to secure any single path way. thank you. >> all right, thank you. admiral? >> well, somewhat outside the realm of port security, but certainly weave seen the balloon effect on particularly the southern part of the west coast

and also in the caribbean, as we secure our land borders for illegal drugs and contraband and other illegal activities, they have taken to the water. so we've adjusted our forces. and that's really the impact that we've seen there. >> okay, thank you. >> i agree with the admiral. we have not seen a significant impact in terms of changes in the threat within commercial flows. we have seen it, the effect of security at ports push activity to the west coast as well as up through puerto rico. >> okay. the second half to that question, but i don't have time to ask it. you may not have time to answer it. i'm just going to wrap it up here. i'm really glad that dr. coburn encourages us to have this hearing. it's timely. there's a fair amount of progress to be reported on and still plenty of work to do and i'm encouraged there's a sense of team at play, that certainly helps. and we're part of that team, but

thank you all for your preparation today for coming and helping to make this a very, very good hearing. it's clear to me that one of the most important take-aways from today's hearing is that it's critically important that we strike the right balance. easy to say, but hard to do, strike the right balance between security, trying to make sure we don't unduly impede the flow of transportation and trade. 95% of trade moves on the water, but our ports are vital to our nation's well-being. they're a conduit for a lot. with that, i'll call a halt to this. we will -- some of my colleagues are going to have, let's see here. some questions to ask and we may have some more ourselves, but the hearing record will remain open for 15 days. that's until may the 19th. it says until may 19th.

probably should say june 19th at 5:00 p.m. for the submission of statements and questions for the record. with that i say to our republican staff and our democrat staff and all my colleagues, thank you very much for your help in this and to each of you for joining us today. i think one of you members said oversight is a good thing and we hear that a lot. so we won't disappointment you. thanks so much for that. we're adjourned. probe esident obama is travg

this week, he gave a speech in poland. the president spoke about china and russia. here's a portion of his remarks. >> on the same day that pols were voting here, tanks were crushing peaceful democracy protests at teen an men square on the other side of the world. the blessings of liberty must be earned and renewed by every generation, including our own. and this is the work to which we rededicate ourselves today. our democracys must be defined not by what or who we're against, but policies of inclusion that welcomes all our citizens. our economies must deliver a broader prosperity that creates more opportunity across europe and across the world, especially

for young people. leaders must uphold the public trust and stand against corruption, not steal from the pockets of their own people. our societies must embrace a greater justice that recognizes the inherent dignity of every human being. as we've been reminded by russia's aggression in ukraine, our free nations cannot be complacent in pursuit of the vision we share. a europe that is whole and free and at peace. we have to work for that. we have to stand with those who seek freedom. [ applause ] >> you can watch that entire speech at c-span.org. the next leg of the president's trip is in brussels, belgium, for the g-7 summit. president obama and british prime minister david cameron will talk to reporters following the conclusion of the meeting. we'll join that news conference

live at 10:00 a.m. eastern on c-span. and then we'll go to the senate foreign relations committee which is looking at the recent presidential elections in ukraine. a former ambassador to ukraine will testify. live coverage also on c-span. on a lonely wind-swept point on the northern shore of france, the air is soft, but 40 years ago at this moment, the air was dense with smoke and the cries of men and the air was filled with the crack of rifle fire and the roar of cannon. at dawn on the morning of the 6th of june, 1944, 225 rangers jumped off the british landing craft and ran to the bottom of these cliffs. their mission was one of the most difficult and daring of the invasion. to climb these sheer and desolate cliffs and take out the enemy guns. the allies had been told some of the mightiest of these guns were

here and they would be trained on the beaches to stop the allied advance. the rangers looked up and saw the enemy soldiers at the edge of the cliff shooting down at them with machine guns and throwing grenades, and the american rangers began to climb. >> this weekend, american history tv will mark the 70th anniversary of the d-day invasion of normandy saturday at 10:30 eastern. watch from the memorial in washington. that's followed at 11:30 by author simons. he'll take your questions and comments live. at 1:30, a look back at presidential speeches commemorating the day, all on american history tv saturday on c-span3. next, senator al franken chairs a hearing on legislation he introduced that would outlaw the use of tracking apps on

smart phones and other devices without the user's consent. the bill would ban stalking apps that allow predators to track a potential victim's movements. >> this hearing will be called to order. welcome to the senate judiciary sub committee on privacy, technology and the law. this is a hearing on my bill to protect sensitive location information, the location, privacy protect act of 2014. three years ago, i held a hearing to look at how our laws were protecting the location information generated by smart phones, cell phones, and tablets. the first group they heard from was the minnesota coalition for battered women. they told me that across minnesota, victims were being followed through so-called stalking apps. specifically designed to help stalkers secretly track their

victims. i started investigating these stalking apps. let me read you some of their -- from some of their websites. here's from one call spy era. it says, quote, most of the time you think your spouse is being unfaithful, you are right. spy era will be your spy in their pocket. you will need to sneak your spouse's phone and download it to their phone. after the software is downloaded, you'll be able to see where they are gee rafically. if your husband is two counties over from where you live, spy era will tell you that. and of course husband can mean wife or ex or whatever you want to put in there. here's another, this is from flexy spy. flexy spy gives you total control of your partner os phone

without them knowing it. see exactly where they are, or were, at any given date in time, unquote. here's another quote that's since been taken down. quote, worried about your spouse cheating? track every text, every call, and every move they make, using our easy cell phone spy software. these apps can be found online in minutes and abusers find them and use them to stalk thousands of women around the country. the minnesota coalition for battered women submitted testimony about a northern minnesota woman who was the victim of domestic violence and the victim of one of these stalking apps. this victim had decided to get help. so she went to a domestic violence program located in a county building. she got to the building and within five minutes, she got a

text from her abuser asking her why she was in the county building. the woman was terrified and so an advocate took her to the courthouse to get a restraining order. as soon as she filed for the order, she got a second text from her abuser asking why she was at the county courthouse and whether she was getting a restraining order against him. they later figured out she was being tracked through a stalking app installed in her phone. this doesn't just happen in minnesota. a national study conducted by the national network to end domestic violence found that 72% of victims service programs across the country had seen victims who were tracked through a stalking app or a stand-alone gps device. without objection i'll add to

the record the accounts of a view other victims. here's one from the victim in illinois. she was living in kansas with her abuser. she fled to elgin, illinois, a town three states away. she didn't know the whole time her cell phone was transmitting her precise location to her abuser. he drove the 700 miles to elgin, tracked her to a shelter and then to the home of her friend, where he assaulted her and tried to strangle her. here's one from a victim in scottsdale, arizona. her husband and she were going through a divorce. her husband tracked her for over a month, through her cell phone. eventually he murdered their two children in a rage. in most of these cases, the perpetrator was arrested because it's illegal to talk someone. but it's not clearly illegal to make and to market and to sell a stalking app.

so nothing happened to the companies making money off of the stalking. nothing happened to the stalking apps. my bill will shut down these apps once and for all. it would clearly prohibit, making, running, and selling apps and other devices that are designed to help stalkers track their victims. it would let police seize the money that these companies make and use this money to actually prevent stalking. my bill will prioritize grants to the organizations that train and raise awareness around gps stalking and it would make the department of justice get up to date statistics on gps stalking. that's a big deal. because the latest statistics we have from doj are from 2006. and at that point, they estimated over 25,000 people were being gps-stalked annually, back in 2006.

and we know what smart phone technology has done since then. but my bill doesn't just protect victims of stalking. it protects everyone who uses a smart phone, an in-car navigation device, or any mobile device connected to the internet. my bill makes sure that if a company wants to get your location or give it out on others, they need to get your permission first. i think that we all have a fundamental right to privacy, a right to control who gets your sensitive information, and with whom they share it. someone who has a record of your location doesn't just know where you live. they know where you work and where you drop your kids off at school. they know the church you attend and the doctors that you visit. location information is extremely sensitive, but it's not being protected the way it should be. in 2010, "the wall street journal" found that half of the most popular apps were

collecting their users' location information and then sending it to third-parties, usually without permission. since then, some of the most popular apps in the country have been found disclosing their users' precise location to third-parties without their permission. and it's not just apps. the nissan leafs on-board commuters was found to be sending driver's locations. onstar threatened even after they canceled the service. they only stopped when i and other senators called them out on this. and a whole new industry has grown up of tracking the movements of people going shopping, without their permission and sometimes when they don't even enter a store. the fact is that most of this is totally legal with only a few exceptions, if a company gets your location over the internet, they are free to give it to almost anyone they want. my bill closes these loopholes. if a company wants to collect or

share your information, it has to get your permission first. and put up a post online saying what the company is doing with your data. once the company is tracking you, it has to be transparent or else has to send you a reminder that you're being tracked. those requirements apply only to the first company getting location information from your device. for any other company getting large amounts of location dat a all they have to do is put up a post online explaining what they're doing with their data. that's it. these rules are built on existing industry best practices. and they have exceptions for emergencies, theft prevention and parents tracking their kids. the bill is backed by the leading anti-domestic violence and consumer groups without objection. i will add letters to the record from the minnesota coalition for

battered women, the national center for victims of crime, the national women's law center, the online trust alliance and consumers union, all in support of my bill. this bill is just common sense. before i turn it over to my friend, the ranking member, i want to make one thing clear. location-based services are terrific. i use them all the time. when i drive across minnesota. they save time and money and they save lives. 99% of companies that get your information, your location information are good, legitimate companies. so i've already taken into account many of the industry's concerns that i heard when we debated this bill in the last congress. i've capped liability, i've made compliance easier. and if folks still have issues with the bill, i want to address. so with that, i will turn it over to senator flake. >> thank you, mr. chairman.

thank you again to the witnesses for being here. i know you have busy schedules and appreciate you doing this. i think we can all agree that stalking and domestic violence are serious concerns. that's why i was pleased to support the reauthorization of violence against women act. i agree with those who will testify today that, like mrs. southworth of the national network to end domestic violence and detective hill, second panel, that domestic vile ins and stalking are serious problems that need to be addressed. i'm not aware of any concerns that have been expressed about some of the sections of this bill, those that address the stalking apps and directing the government to study gps stalking and prioritize grants to educate law enforcement about this problem. having said that, there are sections of the bill i think that are still a bit concerning. the bill before us regulates the commercial collection of geolocation information. some concerns have been raised

about its effect on businesses and applications that use geolocation information to provide consumers with services that they now rely on. i'd like to enter into the record letters from the national retail federation and the interactive advertisement bureau if that's okay. >> sorry. without objection. >> in our efforts to protect the privacy of americans, which is extremely important, we have to be careful not to stifle innovation in dynamic sectors in the economy. a lot of the concerns that have been expressed are about static regulations that deal with a dynamic sector of the economy, and we want to make sure that we don't hamper development of new products and technologies. with that, i look forward to the witnesses. thanks. >> thank you, senator flake. um, while the first panel of

witnesses has seated themselves, thank you. bea hanson is the principal deputy director of the united states department of justice office on violence against women. before that, she was director for emergency services and the chief program officer for safe horizon, a crime victim's service organization in new york city. miss hanson is a minnesota an by birth and was raised in st. paul. jessica rich is the director of the ftc's bureau of consumer protection. during her time at the ftc, miss rich has led major policy initiatives related to privacy, data security and emerging technology, overseen actions and developed significant ftc rules. she also received the chairman's award in 2011 for her contributions to the ftc's mission. mark goldstein is the director of physical infrastructure issues for the u.s. government

accountability office. he is a frequent witness before congress and served as senior staff member on the committee for homeland security and government affairs. he'll testify about two studies at gao conducted at my request on the subject of location privacy. like to welcome you all. thank you for appearing. your written testimony will be made part of the record. you each have about five minutes for any opening remarks that you'd like to make. we'll start with miss hanson. >> thank you, so much. good afternoon, chairman franken and ranking member flake and members of the committee. thank you for the opportunity to testify on behalf of the department of justice regarding stalking, mobile devices and location privacy. my name and bea hanson, i'm the principal deputy director at the united states department of justice office on violence geaps women or ovw. one key way that the department of justice has focused on

strengthening the criminal justice response to stalking is through the implementation of the violence against women act our vawa. since the passage of vawa in 1994, we've made strides in enhancing the criminal justice response to stalking. congress has been a strong partner to help us address this issue. since 1994, congress has amended vawa to add stalking to the purpose area of grant programs, broadening the stalking statute to protect victims of sirp stalking and enhancing penalties for repeat offenders. just last year in the most recent reauthorization, congress closed a loophole in the federal cyber stalking statute to permit federal prosecutors to pursue cases pr the offender and victim both lived in the same state. congress also amended the jean cleary campus security act to

require that universities report crime statistics on incidents of stalking. as you both know, stalking is a complex crime and it continues to be misunderstood and very much underestimated. incidents of stalking behavior, whether considered separately, may seem relatively innocuous. however stalking behavior tends to escalate over time, and it's often paired with or followed by sexual assault, physical abuse or homicide, as chairman franken pointed out. its victims feel isolated, vulnerable, and frightened and tend to suffer from anxiety from depression and from insomnia. results of the 2010 national intimate partner and sexual violence survey which was released by the centers for disease control in late 2011 demonstrate the grave scope of this crime. using a conservative definition of stalking, the survey found

6.6 million people were stalked in the previous 12-month period, and that one in six women and 1 in 19 men were stalked at some point in their lifetimes. the survey report noted that although anyone can be a victim of stalking, females were more than three times more likely to be stalked than males. and young adults have the highest rates of stalking victimization. the report also showed the two frequent nexus between stalking and intimate partner abuse. for the overwhelming majority of victims, the stalker is someone that's known to them. an acquaintance, family member, or former intimate partner. the study confirmed most stalking cases involved some form of technology. more than 3/4 of the victim reported receiving unwanted phone calls and text messages. one third of the victims were

watched, followed, or tracked with other kind of listening device. the report noted that they found a higher percentage of stalking than previous studies and hypothesized that it could be due to new technologies that make stalking behavior easier. technology has provided new tools for stalkers, for example, the rapid increase of cellular phones in recent years has created a new market in malicious software that when installed on mobile devices allows perpetrators to intercept victim's communications without their knowledge or consent. through the use of the software, perpetrators can read e-mail, listen to telephone calls, and turn on the microphone to record conversations in the immediate area, all that can be done surreptitiously. a recent study further suggests that technology enhanced

stalking, including the use of mobile devices, is neither novel nor rare. of the more than 750 victim service agencies that responded 72% reported victims who were tracked from these devices. it's critical that professionals who work with stalking victims understand the dynamics of stalking, particularly how stalkers use technology. we know stalking is a precursor to other forms of violence. ovw grant programs support specialized training for police, prosecutors and others to ensure comprehensive seev comprehensive services are available to victims. we're also targeting the inner section of technology and the crime of stalking, sexual assault violence and dating violence. more information on that in my written testimony.

we have some of our grantees that will be talking later here in the second panel. i appreciate the opportunity to testify today and i look forward to a continuing to working with congress, working with you all as it considers these important issues. thank you. >> thank you, mrs. hanson. miss rich? >> good afternoon, chairman franken and ranking member flake. my name is jessica rich and i'm the director of the bureau of consumer protection at the federal trade commission. i very much appreciate this opportunity to present the commission's testimony on consumer protection issues involving geolocation information and to offer initial views on the privacy protection act. protecting consumers privacy is a key focus of the commission's efforts and we commend the committee for its continued attention to this really important issue. products and services that use geolocation data make consumers' lives easier and more efficient as you've noted, chairman franken. consumers can get turn by turn directions to their destinations, find the closest

bank, check the weather when they're traveling, among many other examples. at the same time, the increasing collection, use, and disclosure of this data prevents serious privacy concerns. for this reason, the commission considers gee wro location data to be sensitive, warranting opted consent prior to collection from a consumer's mobile device. why is this data so sensitive? a device's geolocation can reveal consumers movements in real time and over time and thus develop inlt matt personal details about them, such as the doctor's office they visit, how often they go, their place of worship and when and what route their kids walk to school in the morning and return home in the afternoon. this data can be accessed and used in many ways consumers don't expect. for example, collected through stalking apps, sold to third-parties for unspecified uses, paired with other data to build profiles of consumers

activities or stolen by hackers. can result in unwanted tracking to stalking. using its authority of the ftc act, the commission has brought cases against companies engaged in unfair and deceptive practices involving geolocation data. one example is our settlement with snap chat, the developer ofa a popular mobile messaging app. in that case, the ftc alleged that in addition to representing that photo and video messages sent through the service would disappear, which was what was publicized most about that case, snap chat also collected and transmitted geolocation data from its app, even though its privacy policy claimed it didn't track users or access such information at all. in other case, this one involving the developer of a popular flashlight app, the ftc allege the developer told users it would collect diagnostic and

technical information to assist with product support, but failed to disclose that the app transmit the the device's location and unique device i.d. to ad networks. finally with retailer aaron's and its affiliates. the use of software on rental computers that tracked consumers, violated the ftc app. it could log key strokes, capture screen shots all unbeknownst to users. the ftc acknowledged that installing tracking twidevices the rented computers was an unfair and illegal practice. in addition to enforcement, the commission has conducted studies and held workshops in this area. in 2012, ftc staff issued two

reports about the disclosures provided in mobile apps for kids. the reports showed that the apps collected data from the kids' devices, including unique device i.d. and geolocation data and shared it with third-parties, often without notice to parents. in february of last year, ftc staff issued a report providing specific recommendations about how all players in the mobile eco-system, platforms, app developers, analytics companies and trade associations can and must ensure that consumers have timely, easy to understand disclosures and choices about what data companies collect and use, including geolocation data. >> now turning to a discussion of the location privacy protect act, the commission very much supports the goals of this bill, which seeks to improve the transparency and consumer control over the collection and use of sensitive geolocation data. the bill represents an important

step forward, notably by requiring clear and accurate disclosures and opting con sent from consumers before the sensitive data can be collected. the bill contains both civil and criminal provisions and gives the department of justice sole authority to enforce both. we very much support strong remedies for violations. however, as the federal government's leading privacy endorsement agent, we recommend the committee be responsible for enforcing the civil provisions of the bill. thank you very much for this opportunity. the ftc is very committed to protecting the privacy of consumers geolocation and we look to working with the committee and congress on this issue. >> thank you, mrs. rich. i noted your recommendation in your written testimony and again just now. >> okay, thank you. >> mr. goldstein. >> thank you for the opportunity

to be here this afternoon and provide testimony on consumers location data. smart phones and in-car navigation systems give consumers access to useful location-based services. >> okay, sorry. i'm sorry. >> he actually sounded very good. very sonarous. [ laughter ] go ahead. sorry you were interrupted by miss rich. [ laughter ] >> right. however questions about privacy can arise if companies use or share location data without their knowledge. several agencies have responsibility to address consumers privacy issue, including the ftc which has authority to take action against unfair deceptive acts and the ntia which advises the president on telecommunications issues. my testimony addresses company's use and sharing of data.

two, consumers location privacy risks. and three, actions taken by agencies to protect consumers location data. our findings were as follows in two reports that we released over the last couple years. first, that 14 mobile companies and ten in-car navigation providers that goa examine inned the reports, including mobile carriers and auto manufacturers, collect location data and use or share them to improve consumer services. for example, mobile carriers and application developers use location data to provide social networking services to are linked to consumers location. in-car navigation use location data to provide services such as turn by turn directions, or roadside assistance. location data can also be used and shared to enhance the functionality of services such as search engines to make search results more relevant.

second, while consumers can benefit from the location-based services their privacy may be at risk when companies collect and share location data. for example, in both our reports, we found when consumers are unaware that their location data are shared and for what purpose that data may be shared, may may be unable to judge whether the data is shared with trustworthy parties. they can create detailed profiles of individual behavior, including habits, preferences and routes traveled, private information that could be exploit exploited. additionally, there could be increased risks for identity theft. companies can anon miz location data that they use or share in part by removing personally identifying information. however, in our 2013 report, we found that in-car navigation providers that goa examined use

different identification methods that may lead to varying levels of protection for consumers. third, consumer companies have not consistently implemented practices to protect consumers' location privacy. some steps have been taken. for example, all of the companies we examined, used privacy policies or other disclosures to inform consumers about the collection of location data and other information. however, companies did not consistently or clearly disclose to consumers what the companies do with this data or third-parties which they might share that data, leaving consumers unable to effectively judge whether such uses of their location data might violate their privacy. in our 2012 report, we found federal agencies have taken steps to address this through educational outreach events, reports with recommendations and guidance for industry. for example, the department of

commerce has brought stakeholders together to develop codes of conduct for industry, which goa found lacks specific goals and performance measures making it unclear whether the effort would address location privacy. additionally, in response to a recommendation gao's 2012 report, the ftc issued guidance in 2014 to inform companies on the commission's views on the appropriate actions companies should take to disclose privacy actions and obtain consent. gao recommended that nta develop goals and milestones that measure for stakeholder initiative. gao will continue to monitor this effort in the future. this concludes my oral statement. i'd be happy to respond to any comments. thank you. >> thank you, mr. goldstein. and thank you all for your.

miss hanson and miss rich, your agencies have already done important work to combat gps stalking and cyber stalking, but i want to press you to do more. i want to challenge you to investigate and shut down these smart phone stalking apps. they are tens of thousands of people every year. they market themselves directly and brazenly to stalkers and they're easily available on the internet. my bill will give you even more tools to go after these guys, but will you pledge to me today that you will use all of your existing tools to investigate and shut down these apps? >> yes, i will, within my powers. we do have a commission that needs to approve things, but i run the bureau of consumer protection. i will note that we did bring a case against a similar service

called remote spy. we litigated a case against them that was providing this very same type of service to spy on people and we obtained a strong order against the company and we can use similar tools to pursue these types of stalking apps. >> thank you. >> you know, my role at the office of violence against women. we're a grant-funded organization and really want to work with you and work together to address these issues around stalking applications. this has been a huge, big priority for the department. i would like to bring this back to those folks who actually do the prosecution and want to share the concerns of the criminal division, specifically the computer crime and intellectual property section, as well as the u.s. attorney's office, executive office of the u.s. attorney, who handles the criminal prosecutions and i'll bring that back to them.

>> well, thank you. and there is bipartisan agreement on this. in 2011, i sent a letter by senators grassley, klobuchar, white house, shumar and feinstein asking your agencies to crack down on these apps, i want to ask each of you to everything you can to shut them down. mr. goldstein, some of the witnesses on the second panel urge us to be cautious about regulating. they favor self-regulation. as part of your investigation you looked at best practices for the collection and sharing of location data. in an interview, you said there weren't very many rules in place and that in many ways, this was still, quote, the wild west of the electronic era, unquote. did you find that industry best practices were being implemented consistently and did you find that consumers were being given the information they needed to make choices about their

privacy? >> thank you, mr. chairman. our reports clearly indicate that there is no comprehensive approach, that some companies do pay attention very consistently to the rules, the self-regulating rules that are out there, and some do not. and that there is a great variety. and not a lot of transparency. those seem to be the two principal problems that some pay attention to some rules and not others and the lack of transparency and the consumers don't always have enough information to make choices about what kind of information is being retained, how long it's being retained, by whom it's being retained and used, things like that. so there are quite a lot of problems still out there with the application of the rules. >> and i see you're nodding, miss rich? >> yes. many industry groups and individual companies, um, say

they implement opt in or have opt in as best practice, but our enforcement even more broadly outside of stalking apps, related to the collection of geolocation information, including the snap chat case, the flashlight case, our case against aaron's and also our survey of kids' apps shows that this opt in standard is not being complied with in a regular basis. >> yeah, i found the snap chat particularly ironic because their whole selling point was that once you post a video or a photo, that it would disappear. >> and we allege that wasn't true, among other things. >> but other than that, it was exactly what it said. >> yeah. >> okay. i'm running out of my time. i'll ask one more question and we want to get to our other

panel. so i'll give it to senator flake and i'll ask one more question of miss hanson. >> thank you. mr. goldberg, in your testimony, you outlined a series of what ifs. asserting that location data could be used to track consumers. i think we all understand the potential of this. you say -- which can be used to steal identity, stalk them, monitor them without their knowledge. you also say that collection of data, location data poses a threat. we all understand that. you've explained that very well. but in your study, or in your investigation, did you uncover examples of companies stealing customers' identities, or stalking them, or criminals obtaining location data? we know the potential exists, did you actually turn up any nefarious activity. >> no, senator, we did not. it was really a look at the kinds of issues that were out

there. it was not really within the scope, but we also did not find any. >> um, miss rich, are you -- you mentioned a few of them, cases that have been brought. what's been out there in popular media that has caught your attention? or is that usually how you find these cases? or, how do you come on to these cases where you decide to bring action against someone? >> we find cases in a variety of ways. we may be tipped off by an insider. we may be -- get referrals from businesses or consumer groups or tech people. but, um, responding to the question you just asked my colleague, i mean, one thing that our cases do show is that companies, even flashlights, are collecting this data, contrary to the claims they're making and

then they're sharing it. so it is being collected and used and given what it can show, in terms of consumers' private activities, that raises concerns. >> yeah, certainly i think we all recognize that people use it for advertising and some of them aren't disclosing or giving the opportunity to opt out. my question was to mr. goldstein was, do we see criminals using it for purposes that are -- potential certainly exists, but if there are examples of that in a criminal way. we've seen some of the stalking and obviously we want to make sure that we crack down on that, but i know that the potential exists, i was just wondering in the studies if we see it actually occurring. we see some of it on the commercial side, but not so much on the criminal side yet, is that an accurate statement?

>> i think that the stalking apps are the clearest example of the harm that it can do. i agree. >> in my opening statement, i want to make sure that we don't stifle any development of new technologies and new positive uses of this geolocation information. and miss hanson, the department of justice works with law enforcement agencies across the country and broadcasters, transportation eagagencies, ande wireless industry to issue amber alerts. these are obviously only sent when a child is at risk of serious injury or death. would amber alerts fall within one of the exceptions to the bill? >> i think i would have to bring this back to the department about how this would be an exception or not. amber alerts, i know have been

important in identifying missing children. i think we need to look at this issue more broadly and i can bring that back to the department to take a look at it. through our office end on the office of violence against women, weave seen and you'll hear from testimony from folks on the second panel, if you look at the cases of -- of -- of cyber stalking, that we actually look at, when you look at it from the prospective victims of domestic violence, that in actuality we have a large number of victims who have said they have been tracked. my testimony talked about 72% of those reported of looking at victim service agencies, had been tracked by gps through cell phone or gps. so i think those are important issues we need to look at, but i can bring back this issue, question about the amber alert.

>> if you could -- >> i can answer that, but i'll wait. >> a hypothetical some people have talked about and some are working on programs that would send an amber alert to a specific location, if a child was lost in a mall, and you don't need the amber alert at that point because there are certain standards and thresholds at which those are issued, but those you might be able to send it at a lower threshold if it could be confined to a specific location, say a mall, but obviously if the geolocation information of individuals who are in that mall, they would not have consented to receive that amber alert, they would not have opted in, but could -- would this be an exception and how do we work with the exceptions like that? where useful information could go out but not for regulations that could come? does that make sense? i'm sorry. >> no, it makes sense. it's not the area that i work

in. so what i'd like to do is bring that back to other folks in the department and get back to you on that. >> okay. you had a -- >> well, i just wanted to clarify that an amber alert would be in section 3 of the bill, we put in exceptions. and any emergency allowing a parent or legal guardian to locate an emancipated minor or child, and also for fire, medical, public safety or other emergency services. so this is specifically in the bill. it would be exempted. >> okay, there are some that are less clear, i think, mr. atkinson in the second panel will note there are certain programs like circle of 6, siren 7, these apps allow women to share their precise geolocation information with friends who are

in an unsafe situation. these, i think we all agree, can be used to help women in an unsafe situation. we just want to make sure we don't do something that would prohibit those kind of uses. that's a little tougher or fuzzier than amber alert. maybe the second panel can shed light on that as well. but thank you, mr. chairman. >> thank you. senator blumenthal has joined us. >> thank you mr. chairman. thank you to you for having this hearing and for your really instrumental work on a lot of this ledge stratigislation and this panel, particularly bea hanson for your work on sexual assault on campuses and your help to me in the round tables that we worked on and the proposals that we formulated as a result. great work on this issue.

thanks to the wonderful staff that he has working on this issue. and to that point, i wonder if you could talk a little bit about what additional steps colleges and universities ought to be taking with respect to cyber stalking and the relationship of cyber stalking with campus sexual assault. you know, in connecticut, more than 50,000 individuals are stalked every year. a lot of it occurs on campuses because college students tend to be more atune to this technology and yet i found as i went around the state of connecticut that college administrators and officials there often were not as focused as perhaps they should be on this issue of cyber stalking and the technology that's available to enable it.

so perhaps if you could talk a little bit about that issue. >> thank you, senator blumenthal. and thank you for your work on addressing campus sexual assault and the report that you put together as a result of all of the hearings you did in connecticut. um, i think that nexus between campus sexual assault and cyber stalking is important. um, especially when you look at the -- the use of cell phones and smart phones, um, especially among the college campus students. there's work that's being done and there's more work that we need to do in terms of looking at prevention messages and incorporating issues of stalking and cyber stalking, particularly messages around sexual assault, because we know often that stalking isn't something that occurs by itself.

but that it often escalates over time and can often be a precursor to crimes like sexual assault or even homicide. i agree with you on your point about the need to train and talk to administrators about it. i think there's a lot more knowledge among the students than there are among the administrators about the training that's needed to look at cyber stalking and those connections. so we're more than happy to work with you and the rest of the committee if there are ways that we can make those efforts even stronger. >> i thank you. this technology has huge promise, but also tremendous peril. and the awareness of the peril is sometimes difficult among young people who think of themselves as invincible. and yet because of that

illusion, they may be the most vulnerable. and the most vulnerable often to their friends who seemingly want to befriend or support them and yet use this technology, really, to put them in great peril. so i thank you for your focus on that. i'd like to ask miss rich whether you believe under your current authority you can take action against some of the makers, the manufacturers, who may be knowingly or unknowingly promoting misuse or abuse of this technology. >> to date, we have taken action. we did take action and litigated a case against a promoter of -- a seller of spyware that specifically sold it so that you could capture the movements of somebody secretly. and we did that under our

existing authority. we also, i mentioned before you came in, we brought several cases against companies that either under our deception or unfairness authority, shared geolocation without consent or notice to consumers. so we do have authority, but we do need to prove deception or unfairness. and, um, we -- the, across the board noticed consent requirements with exceptions for legitimate use that are in the proposed law, would make it easier for us to enforce. >> so you would welcome this additional measure? >> we very much support the goals and the basic provisions of the bill, yes. >> you plan to have round tables or workshops or other means of increasing awareness among students and others?

>> we recently had a seminar on mall tracking which is not about stalking, but it's about the use of gps to track consumers consur movements in stores. i think that raised awareness about the use of geolocation and we will be issuing a report on that. we continue to have workshops and seminars on consumer protection issues like these. >> thank you. thank you, mr. chairman. >> thank you, senator. i'm going to ask just one little short question of ms. hanson, and it is mainly a short answer, i think, that will be required. the latest statistics we have on the prevalence of gps stalking from a 2006 study conducted by the department, back then an estimated 25,000 people a year were victims of gps stalking. that was, again, 2006, before

the explosion of smartphones. today, the vast majority of adults own a smartphone and most of them -- or cell phone and most of them a smartphone. so we just intuitively know that the rates of gps stalking muffin creased since then. my bill will institute regular reporting on gps stalking, but in the meantime, will doj update statistics on gps stalking as soon as possible and if there are barriers to that, will you tell me what they are? >> yes, thank you for that question. this is a one-time supplement we had put out in 2006 that was funded by the office on violence against women. since then, as i said in my testimony, the national intimate partner sexual violence survey came out in 2011, and the national institute of justice

has been working with the cdc on that. there are questions about stalking and what i would like to do is go back and talk to folks to make sure that -- to identify if there's any additional stalking questions that might be helpful to be asked by the department. but i would be happy to go and look into that and get back to you on that. so thank you. >> thank you very much. i have some questions that i'll submit to you for the written record, but i would like to thank all three of you for your testimony and invite up our second panel. >> all right, thank you.

>> all right. thank you all.

i would like to start by introducing our panel. detective brian has served in the sheriff's office since 2000 and has been a detective with the criminal investigation division sense 2008. detective hill is an expert in digital forensics and trained over 3,000 law enforcement officers, prosecutors, judges and advocates across minnesota on the use of technology that facilitates stalking. he himself was trained by the minnesota bureau of criminal apprehension, the fbi and secret service. he also served our country as a member of the air force reserves and was deployed for two years for the wars in iraq and afghanistan. very grateful for your service at home and abroad, detective hill, and proud to have you here. thank you. mr. lou mestria is the executive

director of the digital advertising alliance. he leads the daa's effort on self-regulation, consumer transparency and consumer choice. he is a certified information privacy professional and served as the chief privacy officer for a range of organizations. thank you for being here. ms. ally greenberg is the executive director of the national consumer's league and has testified before congress on a variety of issues, including fraud and excessive fees on car rentals. previously she worked at the u.s. department of justice in the anti-defamation league. she was born and raised in minnesota and a graduate of southwest high school, close to where i grew up.

dr. robert akenson holds a ph.d. from unc chapel hill and published author on economics and technology policy. before founding itif, he was vice president of the progressive policy institute and director of the new technology project. welcome. ms. cindy southward is the vice president of development in innovation at the national network to end domestic violence and founder of the safety net project. she's one of the nation's leading experts on stalking apps and trained thousands of people across the country on stalking apps and the use of technology to facilitate stalking. thanks to all of you again for joining us. your complete written testimony will be made part of the record.

i will note for the record that ms. southworth's written testimony is also being submitted on behalf of the minnesota coalition for battered women. so why don't we start with detective hill. you each have five minutes for eye opening remarks you would like to make. detective hill, please go ahead. >> chairman franken, and distinguished members, thank you for the to appear to testify about law enforcement support of the location privacy protection act of 2014. since 2008, i've been a detective with the criminal investigation division of the sheriff's office in minnesota. i investigate felony and sexual violence cases with access to the county state of the art forensics lab. i'm a computer mobile device forensics examiner investigator.

the written testimony i submitted details of my training, certifications and professional association memberships. why is this legislation important? imagine the trauma of surviving domestic and sexual violence. now add signer stalking to that trauma. safe as we all use our cell phones to work, bank, text, access the internet, e-mail and pay bills, stalking apps are a tool to isolate victims from the functions and social connections their phones provide. including isolating them from contacting domestic violence advocates or law enforcement. to be rid of a self-stalking app, victims must buy new phones, create new e-mail accounts and change all passwords. victims live with the frightening uncertainty of whether the stealth stalking apps are really gone or if they

will reappear after removal. privacy and peace of mind continue to be violated by this uncertainty often long after they have bought new phones or changed passwords. i worked with a victim who suspected that her estranged boyfriend put spyware on her phone. she stated he knew about private phone conversations and text messages and he would show up randomly where she was. i examined her phone and couldn't determine if there was any spyware. later, i found her computer had accessed a stalking program. there was then proof that the program was installed on her phone. i worked with her on the expensive and complicated task of getting a new phone and e-mail account on a safe computer. in the last three years, our mobile forensic exams in our

office have increased by 220% in three years, averaging 30 exams per month. after seven years of experience, i continue to discover new apps. for instance, we are investigating an attempted murder in the context of domestic violence. t-spy advertises itself as a $7 parental monitoring software which can be installed on smartphones to track text messages, calls, gps location and basically any phone data. as in the case of discovering t-spy, i become engaged in a frep sicks investigation after victims detect signs of digital wrong doing. they notice patterns that the abuser's knowledge of the victim's life and whereabouts when the abuser has no way of knowing. stalking apps areq