Opening Remarks

• The Honorable Gordon Smith

• U.S. Senator Conrad Burns
  Read statement

  Opening Remarks

  U.S. Senator Conrad Burns

  I thank the Chair for holding today’s reauthorization hearing, as the Federal Trade Commission has been the centerpiece of numerous recent policy discussions. Given the heightened attention to the high tech sector in particular, it is fitting that we examine the role that the FTC plays today and may play in the future. This reauthorization hearing will allow us to focus on several issues, but the most important in my view are the requests by the FTC for common carrier jurisdiction and a grant of rulemaking over “abusive and deceptive” practices concerning spam. The request put forward by the FTC for common carrier jurisdiction strikes me as misguided and over-reaching. I agree with the well-reasoned, commonsense position of FCC Consumer Affairs Bureau Chief Snowden, who in a recent letter to the FTC indicated that the FCC has far greater resources available to deal with common carrier issues and also a greater scope for enforcement. For example, if the FCC takes action against a common carrier it may revoke licenses, unlike the FTC. While the Commissions should work together for the benefit of the consumer, I simply do not believe that having two federal agencies performing essentially the same core functions is effective. Rather, I am supportive of the idea of a Memorandum of Understanding between the Commissions that would clarify the role of each agency to prevent the inefficiencies and duplication of work which inevitably arise from overlapping jurisdictions. I also want to discuss a topic which is of great concern to me, the spiraling problem of spam. This volume of this “digital dreck” has become so overwhelming that it is expected to overtake regular email this very summer. While I am pleased that the FTC has been addressing spam, including holding a very productive Spam Forum recently, I am troubled by the direction the Commission has taken in its testimony today. Rather than a broad grant of rulemaking over “abusive and deceptive” practices as exists in the FTC’s telemarketing authority, I believe that the best way to proceed in this area is with specific requirements set forth by the Congress. Senator Wyden and I have been working on antispamming legislation for several years now and in fact the CAN-SPAM bill is scheduled for the June 19 markup in the Committee. We have been working to identify appropriate guidelines for legitimate businesses and strong enforcement tools to combat bad actors and I am confident that the right balance has been struck in the CAN-SPAM bill. While focused rulemaking may provide assistance by following specific provisions set forth by the Congress, I am extremely wary of wide grants of vague additional authority. I value the expertise of the Commission and look forward to working with it on both technical and legal ways to resolve the increasingly damaging problem of spam. Thank you. ###

Testimony

• The Honorable Thomas B. Leary

  Commissioner

  Federal Trade Commission
  Read statement

  Testimony

  The Honorable Thomas B. Leary

  Please see Mr. Muris's testimony for submitted joint FTC statement.

• The Honorable Timothy Muris
  Read statement

  Testimony

  The Honorable Timothy Muris

  Click here for a Word Perfect version of the FTC's joint statement.

• The Honorable Mozelle W. Thompson
  Read statement

  Testimony

  The Honorable Mozelle W. Thompson

  Please see Mr. Muris's testimony for submitted joint FTC statement.

• The Honorable Orson Swindle
  Read statement

  Testimony

  The Honorable Orson Swindle

  Please see Mr. Muris's testimony for submitted joint FTC statement.

Witness Panel 2

• Mr. Ari Schwartz

  Associate Director

  Center for Democracy and Technology
  Read statement

  Witness Panel 2

  Mr. Ari Schwartz

  Chairman Smith and Members of the Subcommittee, the Center for Democracy and Technology (CDT) is pleased to have this opportunity to testify about the Federal Trade Commission (FTC) and its role in consumer and privacy protection. We thank the Chairman for the opportunity to participate in this hearing and look forward to working with the Committee to develop policies supporting civil liberties and a vibrant communications infrastructure. Over the past eight years the FTC’s activities in the area of information privacy have expanded. The Commission has convened multiple workshops to explore privacy, issued several reports, conducted surveys, and brought several important enforcement actions in the area of privacy. The Commission's work has played an important role in bringing greater attention to privacy issues and pushing for the adoption of better practices in the market place. Three years ago, CDT testified that “(t)he work of the Federal Trade Commission -- through its public workshops, hearings… provides a model of how to vet issues and move toward consensus.” Chairman Muris has successfully continued the consultation and education process, working with public interest groups and industry on key issues and taking enforcement actions or instituting rulemakings on several important new fronts. CDT and other public interest and consumer groups have been pleased with the Commission’s thoughtful approach to creating a National “Do Not Call Registry.” The registry will provide consumers with an easy way to cut down on unwanted telephone calls and will offer industry a streamlined means of complying with the growing number of state and self-regulatory “Do Not Call” lists. CDT has also been pleased with the Commission’s extensive educational efforts with the public and industry on spam, privacy technologies, privacy notices, ID theft, wireless privacy, and other issues. It should be noted that each of these areas is clearly within the FTC’s jurisdiction to prevent deceptive trade practices. However, CDT would like to see the Commission use its resources to address unfair information practices as well as deceptive ones. These unfair practices include: lack of meaningful notice and choice; the ability to correct and amend personal information; and inadequate security safeguards. It has long been CDT’s belief that unfair information practices are already covered by the Commission’s current authority. Yet, the long-standing hesitancy of the Commission to proceed has made it necessary for Congress to confirm this authority in law. Although Chairman Muris has suggested that general federal privacy legislation is unnecessary, CDT sees an urgent need for legislation similar to the Online Privacy Protection Act that was passed by the full Senate Commerce Committee last year. Privacy protections in law — enforced by the FTC — are an essential ingredient of building and maintaining consumer confidence in the networked economy. We thank you, Chairman Smith, as well as Senator Hollings and the other Senators who worked so hard to move the issue forward in the Committee last year. CDT looks forward to continuing to work with you to see such a measure passed again this Congress and signed into law. II. About CDT CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values on the Internet. One of our core goals is to enhance privacy protections for individuals in the development and use of new communications technologies. III. The Role of the FTC as the Federal Government’s Leader on Consumer Privacy Issues The FTC has used its current jurisdiction to take basic steps to protect the privacy of Americans in several innovative and balanced ways. The Commission is the government’s leader in consumer privacy policy and should be commended for its current work in the area given its limited view of its own jurisdiction. In October 2001, Chairman Muris said that the Commission would increase privacy enforcement by 50%. According to internal figures, the Commission says it is on track to reach this goal. This dramatic increase was on top of the new attention given to privacy issues. In particular, over the past two years, the Commission has worked in ten areas of interest to CDT: 1. Unsolicited Commercial Email (Spam) This year, the Commission held a three day-long workshop on spam that addressed many of the key issues and focused attention on possible solutions to a problem that has become a plague on Internet communications. The Commission taken several useful steps: · The Commission has created an educational Web site for consumers and businesses. The site provides consumers with helpful information on how spam works, why they get spam, and how to decrease the amount of spam they receive. The site advises businesses on how to comply with a user’s unsubscribe request. · The FTC has also conducted several studies to test whether “unsubscribe” or “remove me” requests were being honored. The study reported that the majority of consumer requests were not getting through. The Commission thereupon sent out warning letters to spammers. These studies also helped to inspire a wider range of research on this understudied issue, including CDT’s well-received report “Why am I Getting All of this Spam?” · The FTC has taken action against several spammers who allegedly sent out deceptive, unsolicited commercial emails and participated in Web fraud, including a 2002 case where the FTC joined several state law enforcement officials in the United States as well as four Canadian law enforcement agencies in bringing 63 different actions against various Web schemes and scams that targeted victims through spam. While the Commission, given its limited view of its jurisdiction, has taken these exemplary first steps in research, education and enforcement regarding unsolicited commercial email, CDT would like to see it given more power to tackle fraudulent spam Further appropriate steps could be taken under some of the provisions in the CAN SPAM Act (S. 877),sponsored by Senators Burns and Wyden. CDT is hopeful that we can begin to turn the tide on spam while still protecting the First Amendment right of anonymous non-commercial/political speech online. 2. Telemarketing Sales Rule – “Do Not Call” Registry Under the 1994 Telemarketing and Consumer Fraud and Abuse Prevention Act, the Commission was given the authority to regulate telemarketing sales. The Commission’s regulations, named the Telecommunications Sales Rules (TSR), were put into effect in 1995. The TSR placed some basic time, place and manner restrictions on calls and left the door open to revisiting the rule if it was not adequately protecting consumers. Some have said that telemarketing is merely an annoyance and not a privacy concern and therefore stronger rules are not necessary. CDT disagrees. We define privacy as individual control over one’s personal information. Control over one’s telephone number and other personal information is central to privacy in the modern world. The American public seems to agree with us. An AARP study of New Jersey residents showed that 77% viewed telemarketing first and foremost as an invasion of privacy; 10% a consumer rip-off, and only 2% a consumer opportunity. The Commission responded to the public concern about telemarketing with the creation of a “do not call” registry, similar to those already in existence in 15 states. On this proposal, by the way over 50,000 public comments were submitted to the Commission. Over 90% of them support the registry. CDT believes the “do not call” list offers the best, balanced solution for unwanted telemarketing. Telemarketing in banned, but consumers can decide what kind of marketing calls they want and when they want to receive them. In our comments supporting the FTC’s “Do-Not-Call” initiative we stressed that the list should not dilute or undercut the protections afforded consumers by the states against invasive telemarketing. Further, as we pointed out, it is critical that consumers are not charged a fee to be placed on the “Do-Not-Call” list -- consumers’ ability to protect the privacy of their personal information should not be contingent upon their ability to pay a fee. CDT has been pleased with how the public process on this important issue has progressed. It has been a model example of how a complex but important issue can be addressed through an open, public process. The fact that the “Do-Not Call” list will open in two weeks is a testament to the Commission’s commitment to this issue. We hope that the committee will continue to help monitor the roll out of the list in its oversight role. 3. Privacy Education The FTC has generally played a valuable role working with and educating the business community about privacy best practices and implementation of fair information practices. This year the Commission has held two workshops on privacy technologies — one aimed at consumer technologies and one at businesses. CDT participated in both and used the first as a forum to introduce a set of Authentication Privacy Principles developed in cooperation with a large working group of companies and consumer groups. FTC Forums such as these are important tool in highlighting specific privacy issues and encouraging efforts to address them. CDT is encouraged by discussions with the Commission, which indicate that these workshops will continue to tackle issues arising in the marketplace, including the difficult issue of the future of identity management in the networked economy. 4. Identity Theft and Identity Fraud The FTC has been a leading agency in the prevention and prosecution of identity theft through. The Commission’s identity theft program contains three key elements: the Identity Theft Data Clearinghouse; consumer education and assistance resources; and collaborative enforcement efforts involving criminal law officers and private industry. The most recent reports indicate that the Identity Theft Clearinghouse holds more than 170,000 victim complaints and serves as an important tool for 46 federal and 306 state and local law enforcement agencies, including the US Secret Service, the Department of Justice, the US Postal Inspection Service, and the International Association of Chiefs of Police. The FTC has also been increasing outreach programs to educate law enforcement officials on how the Clearinghouse database can be used to enhance investigations and prosecutions. In regards to consumer education and assistance resources, the FTC has held training seminars for law enforcement officials at all levels in an attempt to give law enforcement the necessary tools they will need to combat identity theft. The FTC has also implemented a nationwide, toll-free hotline that consumers can call if they have become a victim and a Web site that consumers can access to file a complaint and gain helpful prevention tips. The Commission’s efforts in this area show that it can be a leader with other law enforcement agencies, serving as the main contact to the public. We hope that the Commission’s work can help to cut down on what many believe to be the fastest growing crime in the country. 5. COPPA Compliance In 1998, Congress passed the Children’s Online Privacy Protection Act (COPPA) in order to protect children’s personal information in interactions with commercial sites. The FTC was required to enact a rule to implement COPPA and in doing so it clarified issues concerning coverage and liability, modified several definitions that would have interfered with children’s ability to participate, speak and request information online, and made every effort to create a predictable and understandable environment for the protection of children’s privacy online. Since issuing its final Rule implementing COPPA, the FTC has taken several effective and necessary steps to enforce and enhance compliance with COPPA. In February 2003, the FTC took its most aggressive action yet to ensure children’s privacy online by filing separate settlements with Mrs. Field’s Cookies and Hershey Food Corporation for violating the law. While there is still work to be done, we believe that COPPA has been successful in improving protection of children’s privacy online. This experience demonstrates that the FTC can develop workable privacy rules in complex and sensitive areas that go well beyond its traditional arenas. 6. Gramm-Leach-Bliley Compliance It is generally recognized that, across the financial service industry, the privacy provisions of GLB have proven unsatisfactory in scope and implementation — specifically on the issue of notice. A range of institutions have provided consumer notice that is so detailed and legalistic as to be largely worthless. If nothing else, the experience offers a lesson to policymakers seeking to impose and enforce privacy notice requirements. Under GLB, the Commission has jurisdiction over important financial institutions such as insurance and mortgage companies. In an August 2001 survey, CDT found that these companies were among the worst in posting privacy notices on Web sites. That month, we filed a complaint with the FTC about several mortgage companies that were not posting notices as required by the FTC’s GLB regulations. While the Commission has not officially closed the case, the five remaining Web sites have now posted privacy policies. CDT believes that there is more basic, but important enforcement work that the Commission could to do in the area of privacy notices for insurance and mortgage companies. Especially, the Commission could play a leadership role in moving the companies under its GLB jurisdiction toward simple clear and more meaningful notices. 7. Computer Security Education The FTC has taken several steps to educate consumers on computer security. In addition to holding workshops, the FTC has created a helpful guide for consumers on how to stay safe online using a high-speed Internet connection. The guide details how users can protect their computers from viruses and hackers by explaining security features such as firewalls and updating virus protection software. The FTC has worked diligently to make the report both understandable and appealing to the average consumer through careful analysis and easy to read text. Led by Commissioner Orson Swindle, the Commission has continued to work with consumer groups to ensure that the guide is easy to use and contains the necessary information. 8. Internet Privacy Sweeps Last year, the Commission continued its ongoing assessment of the state of Internet privacy which began five years ago and has been repeated twice since. The Commission embraced a report organized by the Progress and Freedom Foundation and conducted by the Ernst and Young accounting firm. The results show significant improvement in the number of privacy policies posted and the growth of the new privacy protocol, the Platform for Privacy Preferences (P3P). This positive growth is due, in part, to the educational work of the Commission. On the other hand, the study found that self-regulatory seal programs have actually been shrinking. This is mainly due to the bankruptcy of many dot com players, but it also indicates that we are entering a time of a major privacy gap. Some companies are actively involved in the privacy issue and are doing their best to build trust . Meanwhile, a small number of free-rider companies are doing no work on privacy. The marketplace has remained confusing to the average consumer and many prefer to sit on the sidelines until baseline privacy is assured. CDT hopes that Congress will continue to support and monitor the FTC’s privacy sweeps — and we urge the Commission to work with a wide range of organizations and academics, including consumer groups, when preparing the parameters and methodology for future sweeps. 9. Wireless Privacy In December 2000, the Commission held a workshop entitled "The Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues." As this subcommittee knows well, the wireless privacy issues have been a growing concern for consumers due to the emerging use of location tracking technologies to provide consumers with enhanced services. It was clear from the workshop that the staff and Commissioners have the understanding and skills necessary to undertake a serious investigation of privacy and security in this area. However, the Commission has taken little action in this area since the workshop. CDT urges the Commission to follow-up with another workshop in this area as wireless technologies and location applications progress. 10. Online Profiling and Data Mining Online profiling is the practice of aggregating information about consumers' preferences and interests, gathered primarily by tracking their movements online. It remains one of the most complex and opaque issues in privacy. Consumers are concerned because they know someone is watching, but they don’t know who, how or to what end. In November 1999, FTC examined online profiling, focusing on the use of the resulting profiles to create targeted advertising on Web sites. In July 2000, the FTC issued a two-part report on online profiling and industry self-regulation. The Commissioners unanimously commended the Network Advertising Initiative (NAI) for its self-regulatory proposal that seeks to implement Fair Information Practices for the major Internet advertisers' collection of online consumer data. The July report also asked Congress to enact baseline legislation to protect consumer privacy. In addition to its several reports, the FTC has also held a series of public workshops on data mining in an effort to educate consumers as well as it itself. Especially important are the issues of government mining of commercial databases in the name of national security or other objectives. FTC examination of data quality issues could serve to be extremely useful. The reports and workshops that the FTC has undertaken in this area have represented the best work done in this area internationally. Unfortunately, since Chairman Muris has taken office, little public work has been continued in this area. We hope that the Commission will return to this area, one that causes concern to so many consumers. III. The Future Role of the FTC in Privacy Issues While the Commission’s privacy work has been successful, it has also been limited mainly to areas of deceptive or fraudulent practices. CDT believes that this limited focus is preventing the Commission from taking on urgently needed actions in the privacy area. · Proposed Privacy Legislation CDT believes that a comprehensive, effective solution to the privacy challenges posed by the information revolution must be built on three components: best practices propagated through self-regulatory mechanisms including nonprofit, commercial and governmental education efforts; privacy as a design feature in products and services; and some form of federal legislation that incorporates Fair Information Practices — long-accepted principles specifying that individuals should be able to "determine for themselves when, how, and to what extent information about them is shared." Legislation need not impose a one-size-fits-all solution. For broader consumer privacy, there need to be baseline standards and fair information practices to augment the self-regulatory efforts of leading Internet companies, and to address the problems of bad actors and uninformed companies. Finally, there is no way other than legislation to raise the standards for government access to citizens' personal information increasingly stored across the Internet, ensuring that the 4th Amendment continues to protect Americans in the digital age. On May 17, 2002 the Senate Commerce Committee passed the Online Privacy Protection Act. This important legislation would have set a true baseline of privacy protection and would give the FTC the clear authority to go after companies engaging in unfair information practices. During the Committee process, Senator McCain asked the FTC Commissioners to give their views on the Online Privacy Protection Act. In response, Chairman Muris gave five reasons that such a bill was not necessary at that time. CDT disagrees respectfully but strongly with the Chairman. While CDT continues to work with the FTC to help advance self-regulatory efforts, privacy enhancing technologies and public education, we believe that these efforts alone are not and cannot be enough to protect privacy or instill consumer confidence on their own. CDT commends the Senate Commerce Committee for its excellent work on privacy issues. We hope that this Committee continues to push for the FTC’s expanded jurisdiction in this area. · Proposed Rescinding of Common Carrier Exemption The Committee also asked CDT to address the issue of rescinding the exemption that prevents the Commission from exercising general jurisdiction over telecommunications “common carriers.” The idea of creating a level playing field is appealing, particularly when some communications services fall within the jurisdiction of the FTC. In particular, lifting the restriction in certain areas — such as billing, advertising and telemarketing —could ensure that the agency with the most expertise in these areas is taking a leading role. However, rescinding the exemption completely could lead to duplication of government regulation and/or confusion for consumers in certain areas. For example, telecommunications companies are already subject to the Customer Proprietary Network Information (CPNI) rules administered by the Federal Communications Commission, which limit reuse and disclosure of information about individuals' use of the phone system including whom they call, when they call, and other features of their phone service. At this point, we are not sure it would be wise to take this issue away from the FCC. Similar questions may arise with other issues: Which agency would take the lead? By which rules would a complaint about deceptive notice be addressed? How will these decisions be made? The Commission has been thoughtful in these areas in the past. Before any jurisdictional proposal moves forward the Commission would need to have a detailed examination of the issues and pan for dealing with areas of overlap. Conclusion The FTC is to be commended for taking some very laudatory steps to address the serious and widely shared concerns of the American public about privacy. Indeed, as the foregoing review of issues demonstrates, the FTC already has sufficient expertise to take on general privacy protection responsibilities. However, the Commission has, in our view, taken an unduly narrow view of its jurisdiction, such that Congressional action is needed to establish a baseline of fair information practices in law. We will continue to work with this Committee and the Commission to find innovative, effective and balanced solutions to the privacy problems posed by the digital age.

• Ms. Sarah Deutsch
  Read statement

  Witness Panel 2

  Ms. Sarah Deutsch

  Thank you Mr. Chairman and members of the Committee for the opportunity to testify on the issue of cross-border fraud contained in the proposed Federal Trade Commission reauthorization legislation. Verizon Communications is one of the world’s leading providers of wireline and wireless communications in the United States. Verizon also has a significant presence in over 30 countries in the Americas, Europe, Asia and the Pacific. The issue of cross-border fraud is a serious and growing problem. Verizon was pleased to participate this past February in the FTC’s Public/Private Partnership Workshop to combat cross-border fraud. Verizon has had considerable experience working with law enforcement to fight Internet fraud and to protect our customers and the public. Internet fraud harms innocent consumers and communications providers. If not addressed, Internet fraud ultimately undermines consumers’ confidence in the Internet as secure medium through which to communicate and do business. As an Internet service provider, we have most commonly encountered credit card fraud schemes, a host of Nigerian fraud scams, and of course, a huge amount of unsolicited commercial email or spam, including email that fraudulently contains “spoofed” domain names falsely addressed as originating from Verizon or another service provider. We have carefully studied the proposed legislation to expand the FTC’s authority in assisting foreign law enforcement agencies in investigating or enforcing fraudulent, deceptive or unfair commercial practices. We offer today a few suggestions on how to strengthen such legislation. As an initial matter, however, we believe this particular legislation would be more effective if it was introduced together with an international agreement that binds foreign governments to provide mutually corresponding assistance to the United States. A cross-border fraud treaty, for example, could better clarify all signatories’ obligations to provide mutual legal assistance, create ground rules on what is considered a “fraud,” set certain financial thresholds for the investigation of such frauds and clarify the roles and obligations of the parties. Verizon believes that one critical, missing prerequisite in the proposed legislation is a concept called “dual illegality.” Before the FTC conducts investigations or assists in enforcement for any foreign counterpart, the underlying activity must, at a minimum, be considered illegal in both the foreign country requesting assistance and in the United States. Section 4 of the proposed legislation, however, permits the FTC to provide assistance to foreign law enforcement agencies even if the underlying conduct is considered legal in the United States. U.S. companies could be the targets of unintended consequences if the concept of “dual illegality” is not included in this legislation. For example, in many European countries, advertising laws prohibit activities such as comparative advertising, money-back guarantees (like that offered by the Lands End catalog), sales promotions, giveaways or advertising particular professions such as medicine or law. In France, a directory provider was found liable for misleading advertising by inadvertently depicting the wrong brand in a line drawing of a product for sale in its customer’s advertisement. The global reach of content on the Internet means that legal activity originating from one country can result in liability in another. Foreign courts have recently issued a number of troubling international jurisdictional decisions affecting U.S. companies. Many of these countries have tried to impose liability on U.S. companies simply because the Internet sites they hosted in the United States contained information that was “accessible” in another country. For example, in Australia, Dow Jones was successfully sued for defamation because a website it hosted in New Jersey contained an article that an Australian citizen found offensive. Yahoo was found liable in France for auctioning items on its U.S. auction site that were considered illegal in France yet protected under the First Amendment here at home. Common sense dictates that U.S. taxpayer dollars should not be spent investigating legal activities that could be later used by foreign governments to harm U.S. companies. The FTC, as the gatekeeper through which requests for foreign assistance are channeled, should be conducting an initial substantive review of each request to make sure that the underlying activity is first considered illegal in the U.S. The FTC should also validate the authenticity of a request for foreign assistance to ensure that it originates from a legitimate foreign counterpart to the FTC. We believe that the proposed legislation should better define which entities qualify as a “Foreign Law Enforcement Agency.” Section 2 of the proposed bill broadly defines a foreign law enforcement agency to include multinational organizations and even private organizations that can be vested with authority by undefined “political subdivisions” of a foreign state. “Private organizations” might include (1) foreign collecting societies, who currently seek to extort levies from U.S. companies in Canada for the protected act of Internet “caching”; or (2) the EU, which has proposed a controversial new “IPR enforcement directive,” which could subject U.S. companies to broad injunctions and monetary damages. In order to prevent the resources of the FTC and others parties from being diverted or diluted by numerous entities seeking assistance, a “Foreign Law Enforcement Agency” should be narrowly defined as the foreign legal equivalent of the FTC. This should include only those agencies that serve as an official instrumentality of the state for the specific purpose of engaging in consumer protection. Verizon has reservations about extending the obligation of the FTC to assist ambiguously defined “multinational organizations.” Qualifying multinational organizations should therefore be limited to those organizations whose primary purpose is to protect consumers against fraud and are explicitly authorized by their member states’ law enforcement agencies to do so. Verizon looks forward to cooperating with the FTC, in its role as a civil enforcement agency, in investigations under the Electronic Communications Privacy Act in the same manner that we assist criminal law enforcement agencies today. We are concerned that Section 6(d) of the proposed legislation would allow the FTC to obtain, using its own administrative subpoena, the text of email messages (or “stored communications”) without prior notice to the subscriber or customer, as currently required by Section 2703(b)(1)(B). This provision is inconsistent with the preceding provision in ECPA (Section 2703(b)(1)((A)), which does not permit criminal law enforcement agencies (or any other “governmental entity”) to obtain this same information without notice to the customer in the absence of a judicially-ordered search warrant. There is no reason why the FTC should operate under different rules than that required for other law enforcement agencies. As you may know, Verizon is currently defending the due process and privacy rights of our Internet subscribers in a highly publicized copyright lawsuit currently on an expedited appeal to the DC Circuit Court of Appeals. This case also involves the issue of when a judge must issue a subpoena. The RIAA sued Verizon arguing that any private party claiming to be a copyright owner should be entitled to the right to obtain an Internet user’s identity without first filing a lawsuit in court or obtaining a subpoena from a judge or magistrate. RIAA argues that anyone who makes a mere allegation of infringement can obtain a subpoena, not from a real judge or magistrate, but from the clerk of a court, who has no discretion but to stamp a one page form. The fallout from RIAA case, if not overturned on appeal, is that any person armed with a user’s Internet Protocol (“IP”) has an unprecedented shortcut to learn any consumer’s name, address and phone number without notice to the subscriber. This process will certainly result in instances of consumer fraud and privacy abuses, and many complaints will ultimately wind up on the FTC’s doorstep. We are looking to Congress to offer a legislative fix to the RIAA case before consumers suffer from misuses of this process. With respect to this provision in the FTC legislation, we would strongly urge amending the legislation to first require, if not a search warrant, at the very least, an order issued by a judge before granting the FTC, alone of all governmental entities, unprecedented new rights to obtain the contents of email communications without prior notice to the subscriber. Finally, third parties who cooperate in good faith with the FTC in its cross-border fraud investigations should enjoy a broad exemption against liability. Section 2703(e) of ECPA, for example, broadly exempts providers from liability for providing information, facilities, or assistance to law enforcement. Section 6(e) of the proposed legislation could be misread as providing an exemption only when a person has either provided information to the FTC or failed to provide notice to another. Parties cooperating in good faith with the FTC should benefit from the same broad exemption from liability whether they provide assistance to a civil or criminal law enforcement agency. We would also recommend that the legislation include specific language providing for reimbursement of the provider’s costs in assisting the FTC in its investigations on behalf of foreign governments. Providers are currently reimbursed for their costs under ECPA (and other statutes) and should be similarly compensated under this bill. Thank you for the opportunity to testify today. Verizon looks forward to working with the Committee and the FTC on this important issue.

• Ms. Susan Grant
  Read statement

  Witness Panel 2

  Ms. Susan Grant

  Thank you very much for inviting me to comment on this important legislation. The National Consumers League (NCL) is a nonprofit organization that was founded in 1899 to protect and advance the economic and social interests of consumers and workers. In the early days of NCL’s history, there was no telemarketing or Internet fraud, but there were unscrupulous people promoting bogus investment opportunities, miracle cures, pyramid schemes, phony games of chance, and other types of fraud through newspaper ads, the mail, door-to-door, and other marketing methods of the day. Since then, new marketing channels such as telemarketing and the Internet have been developed. Not surprisingly, con artists have seized on them to widen their reach. Because these scam operators are often in one location and their victims are in others, it is very confusing for consumers to know whom to contact to ask questions or seek help. That’s why in 1992 NCL created the first nationwide toll-free hotline to offer consumers advice about telemarketing solicitations and notify law enforcement agencies quickly about fraudulent telemarketers. In 1996 the Internet fraud component was added to our system. Consumers can call 800-876-7060 to speak to a live counselor or go to www.fraud.org. The Web site has tips about the most common types of telemarketing and Internet scams, a special section on fraud against seniors, fraud statistics, and a complaint form. Consumers can report suspected telemarketing and Internet fraud by telephone or online. That information is automatically transmitted electronically to the appropriate agencies among more than 200 local, state and federal agencies in our system from the United States and Canada, alerting them to scam operators that may merit investigation and victims that need their help. It is also uploaded on a weekly basis to the Federal Trade Commission’s Consumer Sentinel database for use by law enforcement agencies. As the marketplace has become more global, so has telemarketing and Internet fraud. In 1995, only about 5 percent of the telemarketing fraud complaints we received concerned companies in other countries; by 2002 foreign companies accounted for nearly 17 percent of our telemarketing fraud complaints. In 1997, the first full year of our Internet Fraud Watch program, about 6 percent of complaints involved foreign companies; by 2002 it was nearly 15 percent. These statistics probably understate the problem, since in many cases consumers may not be sure where the fraudulent operators are located. Call forwarding, mail drops, and the growing use of electronic payment systems that negate the need to send checks or money orders to vendors make knowing where they actually are very difficult. The Internet and email can also mask the sellers’ true identities and locations. Consumers lose millions of dollars to cross-border scams every year. Businesses are negatively impacted as well. Many telemarketing and Internet frauds are targeted specifically at business victims. Financial institutions and others also suffer damages as a result of disputed credit card charges or debits for fraudulent transactions, nonpayment for services provided to fraudulent vendors, and general loss of consumer confidence. Here is an example of a typical cross-border complaint from our hotline. Michael M. from Brooklyn, New York received a telemarketing call offering him a credit card with a $1,000 line of credit for an upfront fee of $198. We don’t know his particular financial situation, but these types of scams are often targeted to people who are having credit problems. He agreed and gave his bank account number for the fee to be debited. He didn’t get a credit card. What he received was four sheets of paper listing banks that offer credit cards – information that is available free from the local library or on the Internet. The company appears to be in Barbados. We don’t know if this man realized where the company was located, but even when consumers are aware that they are dealing with vendors in other countries, that fact may not discourage them from making purchases – nor should it. We want consumers to feel confident about taking advantage of the global marketplace, whether they are U.S. consumers interested in goods or services from abroad, or consumers in other countries who want to do business with companies here. We know from our direct contact with fraud victims that most don’t understand that recourse will probably be more difficult, perhaps impossible, if the culprits are in other countries. They want and expect their government to help them. They don’t think it’s fair that fraudulent operators may be able to get away with it simply because they’re across the border. It’s not only U.S. consumers who want to shop with confidence and expect their governments to stop the bad actors in the marketplace – consumers in other countries have the same expectations. Last year, the Trans Atlantic Consumer Dialogue, a coalition of consumer organizations from the U.S. and European Union countries, adopted a resolution supporting the efforts by the Organization for Economic Cooperation and Development to craft guidelines for improving enforcement against cross-border fraud and deception. That document can be found at http://www.tacd.org/cgi-bin/db.cgi?page=view&config=admin/docs.cfg&id=179. The U.S., and the Federal Trade Commission in particular, has led the work on these forward-looking guidelines. Now the U.S. is leading again by putting words into action, asking Congress to: remove unnecessary barriers to sharing information about fraud and deception with law enforcement agencies in other countries; provide for assistance in bringing cross-border legal actions; make it easier to obtain information about suspected con artists from the private sector; and give the Federal Trade Commission more flexibility and resources to pursue con artists wherever they are. We believe that these changes are absolutely necessary to protect consumers and legitimate businesses in the marketplace of the 21rst century. We are confident that Congress and the Federal Trade Commission can agree on legislation that will give law enforcement agencies the tools they need to combat cross-border fraud and deception more effectively, with the appropriate safeguards for privacy and due process. Thank you very much for giving us the opportunity to share our views on this matter. We will be happy to provide you with any additional information you may need. Submitted by: Susan Grant, Director National Fraud Information Center/Internet Fraud Watch National Consumers League 1701 K Street NW, Suite 1200 Washington, DC 20006 (202) 835-3323

• Mr. Scott Cooper
  Read statement

  Witness Panel 2

  Mr. Scott Cooper

  Senator Smith and Members of the Committee, I am pleased to be here this afternoon to discuss --and support-- the re-authorization of the FTC, as well as to talk about issues of consumer protection before the FTC and this Committee. Hewlett-Packard has long been active with the FTC in partnering on issues of global consumer confidence; HP has served on two recent occasions as the business representative to the U.S. delegation on Consumer Protection to the Organization for Economic Cooperation and Development (OECD). HP also serves as the chair of the Consumer Policy working group of the International Chamber of Commerce (ICC), and the chair of the Consumer Confidence committee of the Global Business Dialogue for electronic commerce (GBDe), an organization of 70 of the largest global businesses engaged in e-commerce. HP believes that the re-authorization of the FTC is important not only because of the key role that the FTC serves in our country's consumer protection infrastructure, but also for the leadership role that the FTC has played on global consumer protection issues as well. The growing importance for world economies of the global marketplace has been in a sense a "forcing mechanism" requiring both government and business to react to rapid change that make old ways of doing business --or regulating business-- are no longer as effective. Governments, businesses and consumers must all feel confident that their interests are being protected in order for the global marketplace to grow and flourish. And the opportunities are there; while developed economies have been growing at a recent rate of 1.5 to 2.5 % a year, electronic commerce in those same countries is growing at a rate of 30 to 40% a year. If approached in a collaborative manner, the global marketplace can empower consumers, expand business opportunities and act as a powerful driver for 21st century economic growth, but consumers and legitimate businesses must be able to confidently find each other in the global marketplace. The FTC’s global leadership is exemplified by the coordinating role that the Agency has played in organizing legal efforts in developed countries to combat global fraud. As well, the FTC has led by example, by finding practicable, collaborative solutions to issues of consumer protection. And part of that collaboration has been to reach out to businesses and consumer groups to include them in the decision-making process. We have seen in recent years a number of cases where other countries have reviewed their consumer protection laws and have concluded that they may be too detailed, too proscriptive to keep pace with the growth and challenges of the global marketplace. But unfortunately, as well, many global consumer agencies still keep business at arms-length rather than looking for opportunities to join forces in combating ‘bad actors’ in the marketplace. This global leadership shown by the FTC is especially pertinent in the area of combating cross-border fraud. In part, through its work in the OECD, the FTC has created a clearinghouse for consumer protection agencies in developed countries to share information about suspected cases of cross-border fraud. This clearinghouse, "econsumer.gov" is a necessary first step in creating a global response to a global problem; joining together the legal resources in both countries where fraudulent businesses reside, and where consumer victims live. However, a problem that needs to be addressed in fighting global consumer fraud is incenting consumers to report disputes where they may have been victimized. This problem takes on many faces. First, consumers may not be aware that they are victims of a fraud until so much time has passed that redress becomes difficult. Second, consumers may be discouraged, embarrassed and/or cynical about the ability of legal authorities to resolve their dispute. And finally, consumers may not be aware of whom to turn to when they are victims. Businesses (as well as consumer organizations) have a vested interest to help legal authorities combat cross-border fraud. If the global marketplace is considered a risky venue to undertake transactions, then neither businesses nor consumers will benefit from opportunities to meet and transact business. A first step towards creating confidence in the global marketplace is to create best practices for merchants who will serve the global marketplace. A second step is to create guidelines for the resolution of those consumer disputes that do arise. I am pleased to say that consumer groups and businesses have been meeting regularly over the past two years to develop just such guidelines. Last month, Consumers International, (representing over 160 consumer groups world-wide), and the Global Business Dialogue for Electronic Commerce (representing 70 of the largest global businesses engaged in electronic commerce), reached an agreement on guidelines for the resolution of disputes that arise between merchants and consumers in cross-border transactions. These 'rules of the road' also include specific recommendations for the development of third-party dispute settlement experts (called ADR for alternative dispute resolution), and recommendations to governments for facilitating the growth of global ADR settlement processes. This now-successful negotiation between consumer groups and business of creating ADR mechanisms has also had the strong support of the FTC, as well as the European Commission, METI in Japan and other government groups. While the resolution of "normal" consumer disputes may seem a far cry from combating hard-core fraud, the development of a dispute resolution infrastructure can help in two important ways: 1) Consumers need to be made aware as quickly as possible when they may be victims of fraud so that authorities can respond effectively. In the United States, the Better Business Bureau handles over 3 million consumer disputes a year. Some of these disputes turn out to be cases of fraud, but could not necessarily be identified as such until a pattern of abuse could be identified by the BBB. Thus ADR providers such as the BBB may hear of fraudulent scams before legal authorities are aware of them. 2) When patterns of abuse are identified, dispute resolution providers must alert legal authorities. Legal authorities will only uncover a fraction of the cases of fraud that may occur. Adding dispute resolution providers as extra 'eyes and ears' to uncover potential fraud can be of great value to law enforcement. Creating this continuum of enforcement -- from simple consumer dispute resolution to uncovering patterns of abuse-- will create a partnership of consumer groups, businesses and legal authorities in combating cross-border fraud. I am therefore pleased that in the FTC's draft legislation recognizes the usefulness of private entities that "voluntarily provides material to the Commission that it reasonably believes is relevant to a possible unfair or deceptive act or practice as defined in Section 5(a) of [the FTC] Act." With the encouragement of the FTC, as well as commensurate legal authorities in Europe, Japan, China, Chile and elsewhere, a number of organizations such as the BBB are joining together to offer consumers dispute resolution services in the global marketplace. And part of their obligation to consumers will be to report suspected cases of fraud or deception to the proper legal authorities. Governments also need to encourage consumers to take advantage of ADR services; not only because resolving consumer disputes with benefit their citizens, but also because in doing so, cases of fraud can be quickly identified and brought to the attention of legal authorities. We have also appreciated the opportunity to review the draft language provided by the FTC on cross-border fraud. Hewlett-Packard is very supportive of the goals of this legislation, and would be pleased to work with the FTC and the Committee in refining the actual language of the proposed legislation. In particular, we are concerned about the seeming wide range of enforcement that could be utilized by foreign agencies against US citizens. There must be a high level of coordination between law enforcement in the US and abroad if efforts to combat global fraud are to be successful, but this collaboration must be based upon two important concepts: 1) That what is being enforced is indeed illegal under US law; and 2) That the foreign law enforcement agency must set forth a compelling legal basis for its request for information sharing. Having said that, HP believes that this legislative proposal is an important step in creating a seamless level of consumer protections in the global marketplace. We look forward to working with the Committee in this effort.

• Mr. Marc Rotenberg

  Executive Director

  Electronic Privacy Information Center
  Read statement

  Witness Panel 2

  Mr. Marc Rotenberg

  Mr. Chairman, members of the Committee, thank you for the opportunity to testify today regarding consumer fraud and the reauthorization for the Federal Trade Commission. My name is Marc Rotenberg and I am the executive director of the Electronic Privacy Information Center (EPIC). EPIC works with a wide range of consumer and civil liberties organizations both in the United States and around the world. I would like to begin by thanking the Committee for focusing on the issue of cross-border fraud. One of the consequences of the rapid growth of the Internet has been the dramatic expansion of both commercial opportunity online and of commercial fraud. It is clearly in the interests of businesses and consumers to ensure a stable, growing, and fair online marketplace. Fraudulent and deceptive business practices that would otherwise be prosecuted in the United States should not be beyond the reach of United States law enforcement simply because an operator sets up shop outside the country. In similar fashion, government agencies seeking to protect the interests of consumers in their jurisdictions should expect the cooperation of the Federal Trade Commission when cross-border problems emerge. I would also like to thank the FTC Chairman and the other members of the Commission for their efforts to address this new challenge and for the workshop in February that provided a wide range of important perspectives on this topic. Chairman Muris outlined the plan to pursue cross-border fraud in November of last year. He said that the FTC would advocate the adoption of a recommendation of the Organization for Economic Cooperation and Development (OECD) on cross-border fraud and would seek appropriate legislation. Commissioner Thompson, working through the International Marketing Supervision Network and in cooperation with the FTC’s international counterparts, has helped develop a common understanding of what constitutes core consumer protection in the international realm. The February workshop, organized by the FTC, set out the views of consumer and privacy organizations, businesses and foreign agency officials. Chairman Muris noted that cross-border complaints by US consumers rose from 13,905 in 2001 to 24,313 in 2002. Canadian consumers also report a near doubling of complaints with online commerce between 2001 and 2002. The Consumer Sentinel, the FTC’s central complaint database, records over 72 million dollars lost by U.S. consumers to cross-border fraud in 2002, nearly seventeen percent of all money lost to fraud. According to the FTC, 68% of all fraudulent foreign money offers come from companies located in Africa; 41% of fraudulent advance-fee loans come from Canadian companies, and 61% of fraudulent prize and sweepstakes offers are from companies located in Canada. There was consensus at the February FTC workshop on the need to tackle the problem of cross-border fraud and to enable better cooperation between the FTC and its counterparts. The FTC proposal grows out of the work of the February meeting, the OECD, and the continued efforts to promote international cooperation. EPIC has a particular interest in the protection of consumers in the global economy. We have successfully pursued privacy complaints on behalf of consumers under Section 5 of the FTC Act that have international implications. For example, our earlier work on the privacy implications of Microsoft Passport, the online authentication scheme, was considered favorably by both the Federal Trade Commission and the European Commission. EPIC also work closely with consumer and civil liberties organizations on the development of international policy. In particular, the Trans Atlantic Consumer Dialogue (TACD), a coalition of sixty consumer organizations in the United States and Europe, has urged officials on both sides of the Atlantic to address this challenge. Similar views have been expressed by consumer organizations in other parts of the world. We have also worked with the OECD for more than a decade, in areas such as privacy protection, consumer protection, cryptography, and electronic commerce, to promote the development of policies that promote economic growth and safeguard democratic values. We are pleased that these efforts have come together in the current proposal before the Committee to combat cross-border fraud. In the statement today, I will recommend passage of legislation that will enable the Federal Trade Commission to work more closely with consumer protection agencies in other countries to safeguard the interests of consumers and users of new online services. Nevertheless, in creating these new enforcement authorities, there is a clear need to safeguard important legal safeguards that are central to the US form of government. In particular, certain provisions of the draft International Consumer Protection Enforcement Act, put forward by the FTC, should be revised to safeguard privacy, promote government accountability, and enable the development of reporting standards that will allow this Committee and the public to assess how well the FTC is doing its job and whether further steps may eventually be necessary. Without these changes, the legislation opens the door to abuse in that it creates new enforcement authority without corresponding safeguards. Civil liberties groups in both the United States and Europe have already expressed strong opposition to a proposal of this type that was put forward by the Council of Europe to combat cyber crime. It is particularly important to understand that when the United States provides information about consumers and business in the United States to foreign law enforcement agencies it opens the door to prosecution that may not satisfy the substantive requirements or safeguard the procedural rights that would be available in this country. SPECIFIC PROVISIONS IN THE FTC PROPOSAL Information Disclosure to Foreign Governments (Sections 3 and 4) We recognize that the cross border enforcement of consumer fraud will require cooperation between the FTC and sister agencies in other jurisdictions. To some extent, the sharing of information between agencies will be necessary to pursue violators and enforce judgments. At the same time, it is critical to ensure that only the necessary information is disclosed and that appropriate safeguards are established when such information is disclosed. In our view, the FTC proposal creates too few restrictions on the disclosure of information concerning individuals and entities within the United States. One particular provision is simply offensive. A proposed amendment to Section 6 of the FTC Act that enables the FTC to assist foreign law enforcement agencies states that “such assistance may be provided without regard to whether the conduct identified in the request would also constitute a violation of the laws of the United States.” This provision further should be removed. We further recommend that the disclosure be only to “appropriate” foreign agencies, not “any” foreign agency as is currently specified in the bill, and we urge the FTC to post the names and contact information for any foreign agency that it considers appropriate to receive information. Not only should the FTC share information with appropriate agencies, it should share information only at appropriate times and in connection with a specific investigation. The Custom Service, for example, limits the exchange of information and documents with foreign customs and law enforcement to those instances where the Commissioner “reasonably believes the exchange of information is necessary . . .” 19 C.F.R. sect. 103.33. The FTC should not permit disclosures to any foreign government agency where the public and concerned parties cannot readily identify the agency. We further recommend the recognition of a dual criminality provision to ensure that the United States assists in the prosecution of individuals and entities within the United States only in those circumstances where the crime charged would also be a crime under United States law. Absent such a provision, it is conceivable that a bookseller or music publisher in the United States could be subject to prosecution under foreign law where such government does not provide for strong protections for freedom of expression. This problem could arise in particular with publications that criticize state governments. Amendments to US Privacy Statues (Sections 6 and 7) The FTC legislative proposal would amend two critical US privacy statutes to reduce the likelihood that the target of an investigation would be notified of the investigation. In particular, the International Consumer Protection Enforcement Act would amend the Electronic Communications Privacy Act, and the Right to Financial Privacy Act. But the arguments for denying notice to the target of an investigation could too easily be made with respect to targets in the United States. The proposed changes here not only set a bad precedent but would also send a bad message to consumer protection agencies in other countries about the conduct of investigative actions by democratic governments. We recommend that the provisions that reduce procedural safeguards be removed. Disclosure of Financial Information (Section 8) This provision would give the FTC authority to access financial bank reports and other financial data under the guise of fighting against cross-border consumer fraud and deception. However, there are no reporting or notification requirements that record the exchange of information; there are no audit provisions that oversee the exchange of the information; there is no limit on who within the authorized agencies can exchange information, and there is no limit on what the content of the reports, records or other information shall consist off. These provisions make it too easy for the listed agencies to share financial information. The provision would give the FTC discretion to share financial information without any oversight to make sure it is shared appropriately. This discretion leaves the exchange of information open to abuse. Moreover, there is no limit on what sort of information can be exchanged. There is no provision that states that records or information cannot consist of information identifiable to a particular customer. In this way, the authorized agencies could examine records about customers of financial institutions, without notification requirements, under the guise of examining records regarding the financial condition of the institution. Although the objective of the proposed amendment, to ease the sharing of information amongst agencies involved in protecting consumers against fraud, is laudable, the amendment should include provisions that ensure that personal financial information is shared in an accountable and transparent manner. Acknowledging the FTC’s desire to be able to share information appropriate to real-time law enforcement needs, the following additions to the amendment may be appropriate: · a provision that information exchanged under 1112(e) cannot contain information identifiable to any one individual without triggering a reporting requirement. · a provision that a designated official at the authorized agencies have a log of all personal information that is exchanged under 1112(e). · a provision that such a log is available to the public under FOIA, unless there is a compelling law enforcement reason to exempt it. Adding such provisions would allow an appropriate amount of accountability into the information exchange process, while still allowing the FTC and the other listed agencies to have the flexible use of information for their law enforcement needs. Freedom of Information Act Exemptions (Sections 5 and 7) The FTC proposes to exempt itself from certain open record obligations under the Freedom of Information Act. We believe this change is unnecessary and, if enacted, will reduce government accountability. The current FOIA exemptions for ongoing criminal investigation, § 552(b)(7)(A), and for the protection of confidential sources, (b)(7)(D), would likely prevent the disclosure of information that the FTC seeks to protect without any further amendment. Moreover, three other exemptions may also apply to information collected by the Commission; the exemption for business information under § 552(b)(4); for personal privacy under § 552(b)(6); and for records of financial institutions under § 552(b)(8). EPIC has already pursued an extensive FOIA request with the FTC involving the investigation of privacy complaints under Section 5 of the FTC Act. In that case, the FTC has demonstrated its willingness to apply the current statutory exemptions. Some of the information we sought concerning current matters was withheld. The FTC cited the (b)(7)(A) exemption. Since the existing exemptions already provide adequate protection for the Commission, a new exemption is not necessary and only adds confusion to a long-standing statutory scheme that has been subject to judicial interpretation for almost thirty years. Therefore, we recommend that provisions to limit the application of the Freedom of Information Act be stricken from the FTC proposal, or at the least that a thorough analysis be done to determine whether the current exemptions combined with current case law are sufficient before any new exemption is created. Access to Criminal Justice Records (Section 12) Section 12 of the proposed Act would grant the FTC access to the National Crime Information Center, the nation’s most extensive computerized criminal history database, following an agreement with the Attorney General to (A) establish the scope and conditions of the FTC’s access to the database, and (B) establish the conditions for the use of the data. Section 12 would further permit the FTC to disclose NCIC data to foreign law enforcement agencies pursuant to procedures that require at least prior certification that such information will be maintained in confidence and will be used only for official law enforcement purposes. While we recognize the interest that the FTC may have in accessing the NCIC record systems, there are three problems with this proposal. First, it was never anticipated that the FTC would have access to this record system and it was also never anticipated that the FTC could allow foreign law enforcement agencies access to this record system. This is precisely the type of mission creep that results from the creation of criminal justice databases lacking adequate statutory constraints that civil liberties groups on both the right and the left have opposed. Second, this proposal to expand access to the NCIC follows just a few months after a decision by the FBI to exempt itself from the data quality obligations that would otherwise apply to this system of records under the 1974 Privacy Act. More than 90 organizations and 5,000 individuals across the United States expressed their opposition to this decision by the Bureau. The lack of data quality obligations for the NCIC increases the likelihood that individuals will be wrongly stopped and detained, perhaps even placed in dangerous law enforcement interdictions, because of errors in the most important criminal history record system in the United States that the Department of Justice no longer feels obliged to keep accurate. The further expansion of NCIC use, while this issue remains unresolved, should be postponed until the data accuracy obligation is restored. Finally, it is important to note, particularly in the context of transborder data flows that the NCIC record system does not meet all of the international standards for privacy protection. Most significantly, the proposal does not provide for access by the record subject to inspect and correct records concerning the individual. Further amendments may be necessary to enable first party access to NCIC records. We recommend against providing the FTC with access to the NCIC until the data quality obligation is restored and some right of first party access to the record system is established. In the alternative, we would recommend revisions to the proposed bill that would add a new provision that would require the FTC to “establish with a high degree of confidence that the data obtained by the FTC from the NCIC is accurate.” We further recommend that section 12 more accurately specify the purposes for which the FTC may use NCIC data. In particular, the FTC should be required to show that evidence gathered from the NCIC would likely reveal that the data subject has previously committed an act that would fall within the FTC's jurisdiction or that the data subject may have moved assets across national borders to avoid prosecution. GENERAL RECOMMENDATIONS Reporting We recommend the creation of new reporting requirements that would focus specifically on the FTC’s activities undertaken pursuant to this new legislative authority. There should be an annual report provided to the Congress and made available to the public at the web site of the FTC. This report should include such information as the number of complaints received during the past year, the number of investigations pursued, and the outcome of these investigations including whether any damages were assessed and whether any relief was provided to consumers as a result of the investigation. The report should also indicate which foreign agencies the FTC cooperated with and the nature of the information provided and the information received. The FTC has already begun the process of making some of this information available with the Consumer Sentinel web site. Canada, Australia and the United States, have also established eConsumer project that helps provide similar information on the international front. While both projects are important, we believe that formalizing reporting requirements for investigations as well as complains will make it easier to assess how well the FTC and other agencies are responding to the challenges of cross-border fraud. We would also urge the FTC to consider the creation of an advisory council for the major multilateral law enforcement groups, such as the International Consumer Protection and Enforcement Network, that would allow the participation for a US consumer representative and a US business representative. Participation by representatives of the consumer and business community will help ensure oversight and reduce the risk of unaccountable activities. International Privacy Framework The OECD proposal for protecting consumers in the global economy is consistent with other efforts of the OECD to promote economic growth while safeguarding democratic values. In this spirit, we would like to underscore the need to ensure that new efforts undertaken by the United States in cooperation with other governments should be consistent also with the OECD recommendation on privacy protection. The FTC has already worked to ensure that principles similar to those contained in the OECD Privacy Guidelines were established for transborder data flows between the United States and Europe in the context of the Safe Harbor proposal. That arrangement allows US firms to enter European markets and process data on European consumers on the condition that they follow and enforce strong privacy standards. We urge the adoption of a similar framework to regulate the transfer and use of personal information that will occur between national governments as they pursue joint investigations and prosecutions. Governments, no less than the private sector, should be held to high standards in their use of personal information, particularly because the misuse of such information may subject individuals to unfair and unfounded prosecutions. Continued Focus in Privacy Issues in the United States Even as the Federal Trade Commission pursues its efforts to address the challenge of crossborder fraud, it is important not to lose sight of the important work that must still be done in the United States to safeguard the interests of consumers. We commend the Commission for its leadership in the creation of a national telemarketing "Do-Not-Call" list, and for its victories for consumer privacy in the two Trans Union cases upholding protections in the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. However, as the top consumer watchdog in the government, the Commission must continue to set a high standard to protect individuals' privacy. The Commission only recognizes four Fair Information Practices (notice, choice, access, security) to evaluate individuals' privacy rights. This falls short of the standard set by the Privacy Act of 1974, which recognizes additional rights including use limitations, data destruction, and rights of correction. Internationally, consumer protection watchdogs have adopted eight Fair Information Practices (collection limitation, data quality, purpose specification, use limitations, security, openness, individual participation, and accountability) in order to establish rights and responsibilities in the use of individuals' data. We believe the Commission should endorse best practices for Internet mailing lists and support the opt-in approach. This will have a significant impact in the efforts to reduce spam, or unsolicited commercial e-mail. We also note that the Commission has failed to endorse strong consumer safeguards for the Fair Credit Reporting Act, which is a critical consumer statute now under review by the Congress. Strong leadership on the FCRA is important for the mission of the FTC. Furthermore, the Commission should begin to consider new technologies that have significant privacy implications for consumers in the marketplace. For instance, RFID, or "Radio Frequency Identification" chips may enable tracking of individuals in the physical world the same way that cookies do on the Internet. This week Microsoft announced that it plans to support RFID applications in future versions of its software. It would be appropriate for the FTC to begin the process of exploring how these new tracking techniques may affect consumer confidence and whether new safeguards may be required. CONCLUSION There is a clear need to enable the Federal Trade Commission to work in cooperation with consumer protection agencies in other countries to investigate and prosecute cross-border fraud and deceptive marketing practices. New legislation will be necessary to accomplish the goal. Nevertheless, the bill should be drafted in such a way so as to safeguard important American values, including procedural fairness, privacy protection, and open government. These principles of good government will assist consumer protection agencies around the world combat cyber fraud, and will help strengthen democratic institutions. REFERENCES Statement of Cedric Laurant, EPIC Policy Counsel, on “Potential Partnerships among Consumer Protection Enforcement Agencies and ISPs and Web Hosting Companies” for the Public Workshop on Public/Private Partnerships to Combat Cross-Border Fraud, before the Federal Trade Commission (February 19, 2003) EPIC, “Joint Letter and Online Petition: Require Accuracy for Nation’s Largest Criminal Justice Database” Federal Trade Commission, Consumer Sentinel, Cross-Border Fraud Trends, January – December 2002, (February 19, 2003) Federal Trade Commission, Budget Summary, Fiscal Year 2004, Congressional Justification Federal Trade Commission, Budget Summary, Fiscal Year 2003, Congressional Justification Federal Trade Commission, Consumer Sentinel web site Federal Trade Commission, Cross Border Fraud web site Federal Trade Commission, “FTC Chairman Muris Presents the FTC’s New Five-Point Plan for Attacking Cross-Border Fraud and Highlights Links Between Competition and Consumer Protection” (October 31, 2002) In the Matter of Microsoft Corporation, No. 012-3240, before the Federal Trade Commission International Consumer Protection Enforcement Act of 2003, draft, May 21, 2003 Organization for Economic Cooperation and Development (OECD), Directorate for Science, Technology and Industry, Committee on Consumer Policy, “Cross-Border Co-operation in Combating Cross-Border Fraud: The US/Canadian Experience.” (February 6, 2001) Organization for Economic Cooperation and Development (OECD), Recommendation Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (“OECD Privacy Guidelines”), reprinted in Marc Rotenberg, ed., Privacy Law Sourcebook: United States Law, International and Recent Developments 324-352 (EPIC 2002) Transatlantic Consumer Dialogue, “Resolution on Protecting Consumers from Fraud and Serious Deception Across Borders,” Doc No. Internet-28-02 (November 2002) ABOUT EPIC The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and to promote the Public Voice in decisions concerning the future of the Internet. More information is available online at www.epic.org.