STATEMENT
OF
JOHN T. BENTIVOGLIO
CHIEF PRIVACY OFFICER
BEFORE THE
SUBCOMMITTEE ON COURTS AND INTELLECTUAL PROPERTY
COMMITTEE ON THE JUDICIARY
UNITED STATES HOUSE OF REPRESENTATIVES
CONCERNING
ELECTRONIC PRIVACY DISCLOSURE PRACTICES

PRESENTED ON
MAY 27, 1999




My name is John Bentivoglio. I serve as the Chief Privacy Officer for the U.S. Department of Justice, where I am responsible for coordinating the Department's efforts to protect individual privacy rights. I appreciate this opportunity to present the Department's views on the issue of electronic privacy disclosure practices.

Before I do so, however, I would like to briefly describe what the Department of Justice (DOJ) is doing to ensure we, as a Department, engage in appropriate privacy practices and set a good example for others in both the public and private sector. Last year, the Attorney General created the position of Chief Privacy Officer and established a Privacy Council within the Department. The Council, which I chair, is composed of senior officials from the FBI, DEA, the Criminal and Civil Divisions, and other DOJ components. The Attorney General directed that the Council "serv[e] as a clearinghouse for privacy-related legislative, regulatory and policy initiatives, provid[e] advice to senior Department officials on privacy matters, and provid[e] a forum for exchanging information about important developments in the field of privacy." The Council is currently reviewing a number of important issues, including the Department's compliance with the federal Privacy Act; the sharing of information among federal, state, and local law enforcement agencies; and the impact of new law enforcement technology on individual privacy. I am also pleased to note that we have posted a privacy policy on the Department's web site.

In addition, the Department has enacted internal policies and procedures to ensure strict adherence to communications privacy protections and we have a record of aggressively pursuing violations of the Electronic Communications Privacy Act. That Act establishes a number of substantive and procedural safeguards on law enforcement access to electronic communications, which is sometimes required in the course of the investigation of federal crimes.

Turning to the primary subject of today's hearing, electronic privacy disclosure policies raise a host of important issues, including law enforcement issues of concern to the Department of Justice. There has been a great deal of discussion over public concern about the loss of online privacy and the adequacy of industry self-regulatory efforts with respect to the collection, use, and disclosure of personal information online. We share these concerns. We believe, however, that industry has made substantial strides, as evidenced by the recently reported results of the draft Georgetown Internet Privacy Policy Survey. As you know, that survey -- based on a sample of more than 360 of the most popular web sites -- found that 65.7% - nearly two thirds of the sites surveyed - posted a privacy policy or an information practice statement. Contrasted with the 14% rate of privacy policy disclosure found by the Federal Trade Commission's similar survey in 1998, the dramatic one-year improvement reflects a determined effort on the part of industry to improve its information practices. This progress follows calls by the President and Vice President for industry to lead the way in protecting online privacy, and many industry leaders, including the Online Privacy Alliance and its members, deserve special recognition for their efforts.

While we are encouraged by these results, we would also point out another important finding in the Georgetown study - less than 10 percent (9.4%) of the most frequently visited sites and less than 15 percent (14.7%) of the sites that collect personal information had a comprehensive privacy policy that includes a posted privacy policy and addresses five key principles of fair information practices - notice, choice, access, security, and contact information. Thus, while we are pleased at the significant progress made by industry in the past 12 months, we need the final third of web sites to post privacy policies that adhere to all the principles of fair information practices. Posting a privacy policy is an essential first step to protecting privacy in cyberspace, but to be effective, privacy policies must be ubiquitous and comprehensive. We believe more can and should be done by industry to safeguard the privacy of online consumers.

The Department strongly supports industry efforts to enhance and safeguard online privacy. In addition to protecting online privacy, the use of third-party certifications, such as those developed by TRUSTe, BBBOnline, and CPA Webtrust can help consumers avoid web sites that have inadequate privacy safeguards, including web sites operated by scam artists - a growing concern to the Department of Justice.

Although there are strong market incentives to develop privacy disclosure policies, and we support industry self-regulatory efforts, some practices involving the collection and use of personal information may run afoul of federal and state laws. Under the Federal Trade Commission Act, for example, the FTC may pursue injunctive relief against businesses whose information collection and use practices constitute an unfair or deceptive trade practice, such as the failure to comply with a web site's posted privacy policies. The FTC has brought enforcement actions in this area.

Although the Department of Justice has no authority to sanction businesses that fail to establish privacy disclosure policies, we are concerned about the interplay between online privacy and consumer fraud. The disclosure of personal information in the online environment may unwittingly expose individuals to a host of on- and offline dangers. For example, posting personal information in a chat room can expose a person to solicitations for fraudulent investments, electronic harassment or stalking (both on and offline), and, in the case of minors, attempts to establish an illicit sexual relationship or contact. Since the Internet offers anonymity not available in the offline world, some individuals are not sufficiently aware of the dangers of disclosing sensitive information in the online environment. The Department has launched a number of initiatives to respond to these issues, including a new Internet Fraud Initiative, which is designed to increase federal prosecution of Internet fraud scams and to prevent such scams through consumer education and prevention.

We also are concerned about the growing problem of "identity theft," the use of another person's identifying information to commit an offense (such as using a Social Security number to obtain a credit card fraudulently). In some instances, this information is obtained without any contact with the victim of the fraud, such as when sham information brokers obtain personal financial information through pretext calls. In other instances, the information is obtained from the victim online when the perpetrator poses as a business person and gains the victim's trust through frequent and seemingly innocent communications. Armed with such information as a person's social security number, bank account information, and date of birth, scam artists have been stealing thousands of dollars from individual consumers - without any contact whatsoever with the victim. Last year, Congress enacted legislation aimed at this problem, and the Administration has announced an enforcement and prevention initiative that contemplates referral of cases among federal, state, and local law enforcement and regulatory agencies, and development of a private-public partnership to educate consumers on ways to protect themselves.

In addition, at our request, the U.S. Sentencing Commission amended its guidelines to allow for increased penalties for fraudulent offenses that involve a significant invasion of individual privacy. The Commission also is charged with amending the guidelines, as appropriate, to provide penalties for each offense under 18 U.S.C. 1028, including the new identity theft statute. We hope the new statute and these enhanced penalties will serve as a deterrent to fraud artists who invade individual privacy in order to commit their scams.

Finally, we are working closely with the FTC and others to ensure aggressive enforcement of federal laws designed to protect individual privacy. For example, the Fair Credit Reporting Act provides criminal penalties for knowing and intentional violations of the Act. The FTC receives consumer complaints about potential violations of the Act and refers potential criminal violations to the Department for appropriate follow-up, and we are working with the FTC to better identify cases suitable for criminal prosecution.

Significantly, ubiquitous electronic privacy disclosure policies should help educate consumers about the dangers associated with the unguarded disclosure of sensitive personal information. If privacy disclosure policies and third-party privacy certifications become the norm, consumers may be more cautious about disclosing personal information to web sites that may not be privacy sensitive or are merely electronic fronts for scam artists. In educating consumers about online personal privacy, and in promoting informed disclosure by consumers based on individual choice, such private-public partnerships will also serve to inform Internet users about the potential risks of unguarded disclosure of personal information. In sum, our hope is that enhanced public awareness, brought about in part through the educational efforts of the private sector, will promote responsible decision-making among Internet users about when and to whom to disclose personal information, thereby reducing harassment and misuse.

In closing, I want to reiterate the Department's commitment to furthering the Administration's principles as outlined in the Framework for Global Electronic Commerce in July 1997. The Framework urged a multi-pronged approach to privacy protection, relying on a combination of industry self-regulation, sector-specific legislation (as for fraudulent "pretext calls" used by unscrupulous data brokers to obtain private financial records), and enforcement efforts to prevent unfair or deceptive trade practices. In addition, the Department will vigorously enforce federal laws designed in whole or in part to protect individual privacy, including the new identity theft statute.

We look forward to working with Congress and private industry to achieve these goals. I would be happy to answer any questions you might have.