My name is John Bentivoglio. I serve as the Chief Privacy Officer for the U.S. Department of Justice, where I am responsible for coordinating the Department's efforts to protect individual privacy rights. I appreciate this opportunity to present the Department's views on the issue of electronic privacy disclosure practices.
In addition, the Department has enacted internal policies and procedures to ensure strict adherence to communications privacy protections and we have a record of aggressively pursuing violations of the Electronic Communications Privacy Act. That Act establishes a number of substantive and procedural safeguards on law enforcement access to electronic communications, which is sometimes required in the course of the investigation of federal crimes.
The Department strongly supports industry efforts to enhance and safeguard online privacy. In addition to protecting online privacy, the use of third-party certifications, such as those developed by TRUSTe, BBBOnLine, and CPA WebTrust, can help consumers avoid web sites that have inadequate privacy safeguards, including web sites operated by scam artists - a growing concern to the Department of Justice.
Although there are strong market incentives to develop privacy disclosure policies, and we support industry self-regulatory efforts, some practices involving the collection and use of personal information may run afoul of federal and state laws. Under the Federal Trade Commission Act, for example, the FTC may pursue injunctive relief against businesses whose information collection and use practices constitute an unfair or deceptive trade practice, such as the failure to comply with a web site's posted privacy policies. The FTC has brought enforcement actions in this area.
Although the Department of Justice has no authority to sanction businesses that fail to establish privacy disclosure policies, we are concerned about the interplay between online privacy and consumer fraud. The disclosure of personal information in the online environment may unwittingly expose individuals to a host of on- and offline dangers. For example, posting personal information in a chat room can expose a person to solicitations for fraudulent investments, electronic harassment or stalking (both on and offline), and, in the case of minors, attempts to establish an illicit sexual relationship or contact. Since the Internet offers anonymity not available in the offline world, some individuals are not sufficiently aware of the dangers of disclosing sensitive information in the online environment. The Department has launched a number of initiatives to respond to these issues, including a new Internet Fraud Initiative, which is designed to increase federal prosecution of Internet fraud scams and to prevent such scams through consumer education and prevention.
We also are concerned about the growing problem of "identity theft," the use of another person's identifying information to commit an offense (such as using a Social Security number to obtain a credit card fraudulently). In some instances, this information is obtained without any contact with the victim of the fraud, such as when sham information brokers obtain personal financial information through pretext calls. In other instances, the information is obtained from the victim online when the perpetrator poses as a business person and gains the victim's trust through frequent and seemingly innocent communications. Armed with such information as a person's Social Security number, bank account information, and date of birth, scam artists have been stealing thousands of dollars from individual consumers - without any contact whatsoever with the victim. Last year, Congress enacted legislation aimed at this problem, and the Administration has announced an enforcement and prevention initiative that contemplates referral of cases among federal, state, and local law enforcement and regulatory agencies, and development of a private-public partnership to educate consumers on ways to protect themselves.
In addition, at our request, the U.S. Sentencing Commission amended its guidelines to allow for increased penalties for fraudulent offenses that involve a significant invasion of individual privacy. The Commission also is charged with amending the guidelines, as appropriate, to provide penalties for each offense under 18 U.S.C. § 1028, including the new identity theft statute. We hope the new statute and these enhanced penalties will serve as a deterrent to fraud artists who invade individual privacy in order to commit their scams.
Finally, we are working closely with the FTC and others to ensure aggressive enforcement of federal laws designed to protect individual privacy. For example, the Fair Credit Reporting Act provides criminal penalties for knowing and intentional violations of the Act. The FTC receives consumer complaints about potential violations of the Act and refers potential criminal violations to the Department for appropriate follow-up, and we are working with the FTC to better identify cases suitable for criminal prosecution.
Significantly, ubiquitous electronic privacy disclosure policies should help educate consumers about the dangers associated with the unguarded disclosure of sensitive personal information. If privacy disclosure policies and third-party privacy certifications become the norm, consumers may be more cautious about disclosing personal information to web sites that may not be privacy sensitive or are merely electronic fronts for scam artists. In educating consumers about online personal privacy, and in promoting informed disclosure by consumers based on individual choice, such private-public partnerships will also serve to inform Internet users about the potential risks of unguarded disclosure of personal information. In sum, our hope is that enhanced public awareness, brought about in part through the educational efforts of the private sector, will promote responsible decision-making among Internet users about when and to whom to disclose personal information, thereby reducing harassment and misuse.
In closing, I want to reiterate the Department's commitment to furthering the Administration's principles as outlined in the Framework for Global Electronic Commerce in July 1997. The Framework urged a multi-pronged approach to privacy protection, relying on a combination of industry self-regulation, sector-specific legislation (as for fraudulent "pretext calls" used by unscrupulous data brokers to obtain private financial records), and enforcement efforts to prevent unfair or deceptive trade practices. In addition, the Department will vigorously enforce federal laws designed in whole or in part to protect individual privacy, including the new identity theft statute.
We look forward to working with Congress and private industry to achieve these goals. I would be happy to answer any questions you might have.