Recently in Government Category

Great long-form product from CRS detailing U.S. - EU privacy and data protection history, updates with Privacy Shield and GDPR, as well as forward looking considerations published on May 19, 2016.

Dancing madly on the lip of a volcano

John Oliver spent 18 minutes discussing the latest iteration of the crypto wars sparked by the recent Apple v. FBI case. In his summation, he provided a fantastic metaphor for cybersecurity, "dancing madly on the lip of a volcano". I think this metaphor is especially pointed as we see a greater increase in regulatory intervention by bodies with very limited views or education into security. There is no global consensus on cyber security and the house is on fire as of late.  

Security researcher Matt Blaze (@mattblaze), who was featured in Oliver's piece, tweeted the following:

Verizon Supercookies

The Federal Communications Commission has settled its Verizon Wireless "supercookie" probe, resulting in better consumer controls and transparency between the provider and its customers. The FCC's investigation found that the company had inserted unique, undeletable identifiers into web traffic and used these to identify customers in order to deliver targeted ads from Verizon and other third parties. As a result of this settlement and the FCC investigation, Verizon Wireless is notifying consumers about its targeted advertising programs, will obtain customers' opt-in consent before sharing UIDH with third parties, and will obtain customers' opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family. The company will also pay a fine.

EU Data Breach update

EU Commission Regulation No 611/2013 (PDF) outlines measures applicable to data breach notification under the amended 2009 EU e-Privacy Directive 2002/58/EC (PDF) of the European Parliament and of the Council on privacy and electronic communications.

Brian Owsley, former United States Magistrate Judge for the Southern District of Texas and current professor at Texas Tech University School of Law, published an article in the University of Pennsylvania Journal of Constitutional Law, Vol. 16, 2013 titled "The Fourth Amendment Implications of the Government's Use of Cell Tower Dumps in its Electronic Surveillance (PDF)". The paper addresses novel issues about electronic surveillance using cell tower dumps. 

Privacy concerns resonate with the American people. Although the right to privacy is not explicitly protected in the United States Constitution, the Supreme Court has found the right to privacy rooted within the Constitution based on various amendments. In the modern era, with rapid advances in technology, threats to privacy abound including new surveillance methods by law enforcement. There is a growing tension between an individual's right to privacy and our collective right to public safety. This latter right is often protected by law enforcement's use of electronic surveillance as an investigative tool, but may be done at times inconsistent with constitutional rights. 

Recently, the American Civil Liberties Union brought to light the popular use of government surveillance of cell phones, including the gathering of all cell phone numbers utilizing a specific cell site location. Known as a "cell tower dump," such procedures essentially obtain all of the telephone number records from a particular cell site tower for a given time period: "A tower dump allows police to request the phone numbers of all phones that connected to a specific tower within a given period of time." State and federal courts have barely addressed cell tower dumps. However, the actions by most of the largest cell phone providers, as well as personal experience and conversations with other magistrate judges, strongly suggest "that it has become a relatively routine investigative technique" for law enforcement officials. 

No federal statute directly addresses whether and how law enforcement officers may seek a cell tower dump from cellular telephone providers. Assistant United States Attorneys, with the encouragement of the United States Department of Justice, apply for court orders authorizing cell tower dumps pursuant to a provision in the Electronic Communications Privacy Act of 1986. The pertinent provision poses a procedural hurdle less stringent than a warrant based on probable cause, which in turn raises significant constitutional concerns. 

This article provides a brief description of cellular telephone and cell-site technology in Part I. Next, Part II addresses the evolution of Fourth Amendment jurisprudence and argues that the reasonable expectation of privacy standard applies to electronic surveillance such as cell tower dumps. In Part III, the discussion follows the development of statutes addressing electronic surveillance and argues that cell tower dumps request more information than simply just telephone numbers. Part IV analyzes records from both cellular service providers and the federal government to conclude that cell tower dumps routinely occur. Part V assesses the few decisions that even discuss cell tower dumps and argues that the analysis is either non-existent or flawed regarding the use of the Stored Communications Act to permit cell tower dumps. Next, Part VI asserts that cell tower dumps cannot be analyzed pursuant to the Stored Communications Act because the language of the statute is inapplicable and the amount of information sought requires a warrant based on probable cause and concludes by proposing some protocols to safeguard individual privacy rights.

SOPA Hearing Transcript

The transcript (PDF) from the December 15, 2011 House Judiciary Committee markup of H.R. 3261, Stop Online Piracy Act (SOPA). This was one of the most infuriating sessions to watch live and reviewing the testimony and comments, in writing, a month later still boils my blood. There is a PrivacyWonk hosted copy available (PDF) in case the House moves the copy that is hosted there.

The markup session produced 495 pages of text, including the following gems:

Mr. Watt.  I thank the gentleman for yielding, and I just want to make a couple of points.  First of all, I want to go back to what my friend, Ms. Lofgren's comments she made and discourage any of us from talking about who has been bought off or even experts.  There has been a lot of money floating around in a lot of different places on this issue, and I just don't think it is worthy of us to be talking about who got bought off and who got hired by whom, especially when we start identifying the people.

Mr. Chaffetz.  Thank you, Mr. Chairman.  I have the greatest respect for you and for Ranking Member Conyers.  I do appreciate the manager's amendment.  I do think it is certainly better.   There is clearly a problem.  I understand that there is a problem, but I worry that this is the wrong remedy.  I was trying to think of a way to try to describe my concerns with this bill, but basically we are going to do surgery on the Internet, and we haven't had a doctor in the room tell us how we going to change these organs.  We are basically going to reconfigure the Internet and how it is going to work without bringing in the nerds, without bringing in the doctors.

Ms. Jackson Lee. ... And then, Mr. Chairman, if I might have a moment of personal privilege and just cite for my colleagues, because I do think that we should be respectful of each other, I am reading a tweet that has gone out from "GOP Rep King, Bored by the dialogue of Representative Jackson Lee."  I have no reason to think that anybody cares about my words, but I would offer to say that Mr. King owes the committee an apology, said that we are debating the Stop Online Piracy Act and that he is killing time by surfing the Internet.  I have never known Mr. King to have a multi-task capacity, but if that is his ability, I do think it is inappropriate while we are talking about serious issues, to have a member of the Judiciary Committee be so offensive.  So I am putting on the record, he is not here -- I -- 
Mr. Sensenbrenner.  Chairman, I demand the gentlewoman's words be taken down.  
Ms. Jackson Lee.  Well, I am not taking them down, so you can break this hearing because I am not.  I would ask Mr. --  ...

There is much more contained within the transcript. It is an almost 500 page demonstration of special interest lobbying, willful ignorance of the outside-the-beltway world and the internet.

For more on SOPA, please see the opposition letter. Please use this letter and send to your representatives to add your voice to the debate.

My SOPA Opposition Letter

I like participating and love what the Center for Democracy and Technology and others are doing at the American Censorship Project. However, this is an issue I feel very strongly about and decided to sit down and compose my own letter & e-mail to my representative. There are two versions of the letter -- one for you to read and interact with on this blog and one for you to copy and paste and send to your representative. The second version removes formatting to ensure sources (URLs) transition through the "Write your Representative" pages.

To the Honorable <<Representative>>,

I am writing to express my staunch disapproval to H.R. 3261: Stop Online Piracy Act (SOPA) and S. 968: Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (PROTECTIP). There is no substantial disagreement with the goal of combating the online infringement of copyrights and trademarks; that is a valid and important aim. However, these bills are incredibly dangerous to the country. Some of the specific provisions are far more controversial and would do far more damage than the authors (the MPAA and other lobbying arms of the entertainment industry) of the bill or the "expert" testimony would suggest. A Politico article by Jennifer Martinez titled "Shootout at the digital corral" published on November 16, 2011, provides excellent detail on the bills and the simple fact that the entertainment lobby has outspent the technology lobby for the past two years. The entertainment lobby has bought and paid for these bills, spending over $200M in 2010 and 2011, that will substantially harm the still growing and increasingly important digital economy: making it impossible to innovate, killing start-ups, and any jobs associated with them.

The public reaction to these bills in the United States has been visceral. Opponents of the bill include: Google, Yahoo!, Facebook, Twitter, AOL, LinkedIn, eBay, Mozilla Corporation, the Brookings Institution and human rights organizations such as Reporters Without Borders, the Electronic Frontier Foundation, the ACLU, Human Rights Watch, and the Center for Democracy and Technology.

Sandia National Laboratories, a part of the U.S. Department of Energy, concluded that the SOPA legislation would "negatively impact U.S. and global cybersecurity and Internet functionality." Sandia joins Republican Representative Dan Lungren, who also worried that SOPA would undercut efforts to secure the internet with DNSSEC.

Harvard Business Review blogger James Allworth wrote, "Is this really what we want to do to the internet? Shut it down every time it doesn't fit someone's business model?" concluding that the bill would "give America its very own version of the Great Firewall of China." I do not believe this quote is hyperbole. The bill will significantly impair the freedom of the internet that we as a country have advocated very publicly. See Hillary Clinton's speech on Internet Freedom at GW University.

There has also been international outcry to the bills. The European Parliament passed (by a large majority) a resolution criticizing SOPA. The resolution emphasizes "the need to protect the integrity of the global Internet and freedom of communication by refraining from unilateral measures to revoke IP addresses or domain names." The United States has great allies in Europe and we would not be doing ourselves any favors by passing a bill that does *nothing* to protect us and everything to antagonize Europeans.

We cannot legislate an internet that protects everyone, everywhere, at every second. But we also cannot take the interests of a few companies' antiquated business models over the interest and rights of our citizens. SOPA and PROTECTIP are bad pieces of legislation. This fact is highlighted in the poor grasp of internet technology the bills put forward; the entertainment industry spent millions of dollars to produce pieces of legislation that *break* the internet. These bills represent the last throes of an industry failing to adapt to a new marketplace. These companies would have done better to take their $200M+ of lobbying and invest it in innovation, research and development, and job creation around that R&D.

Please help stop this bill.

Thank you,

USMC Social Media Handbook

The United States Marine Corps has released a social media handbook (PDF) outlining acceptable uses of social media for Marines across the globe. "The social media principles provided in this handbook are intended to outline how our core values should be demonstrated, to guide Marines through the use of social media whether personally involved or when acting on behalf of the Marine Corps."

This is one of the more comprehensive social media handbooks I have come across. The Marines did a great job covering the uses of social media and the behavior the Corps expects in personal, family, and professional uses. It also, importantly, covers operational security (OPSEC), using social media for crisis communication, and provides safety tips.

This is a big step forward for the Marine Corps, which, in August of 2009, caused a controversy by outright "banning" social media on their unclassified, war fighting, network. This ban was smart; the media in their coverage of the ban, however, was not. The media took an overly dramatic viewpoint that the order, MARADMIN 458-09, would prevent Marines from using social media services to contact their families and friends, cutting off deployed Marines worldwide. This was far from the fact or intent of the order. The order sought a default-to-secure posture and offered a waiver process that would allow commands and units to engage on social media while also gathering data on legitimate uses throughout the Corps to make more informed decisions down the road (hence the one-year time frame). The ban affected operational networks, not the networks used for morale and welfare (USO, internet cafes, etc) -- a critical distinction missed by the press. Nonetheless, it started a ground swell within the DoD community that ended with the use of social media being green-lit by the DepSecDef in February of 2010. Full disclosure, I had a hand in the creation of the referenced maradmin as noted within the document.

Kudos to the Marine Corps for this excellent handbook and for embracing a new style of engagement for Marines, their families, their friends, and the world.

My one criticism is the section on facebook privacy and tracking. My assumption is that the handbook will not be updated as often as facebook, so the information will quickly become stale. A general overview or perhaps a common sense approach to privacy concerns on social networking sites would have been better suited in the document with a more expansive, and more easily updated, website showing Marines the specific steps needed to protect themselves.

My two favorite parts of the manual are the introduction of the term "social media Marine" and a motto found on the last page of text in the handbook that reads:

"Engage the Community   •   Maintain Operations Security   •   Be Smart - Set the Example: In Life and Online"

A great message and motto for all DoD/Government social media engagements.

This is a great template/starting point for other DoD components and government agencies currently without a social media handbook/policy. I'd also urge the Marine Corps to embrace new media to deliver the content of this handbook. For example, using video to disseminate the policy.
"Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System," (PDF) by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze.

Abstract: APCO Project 25a ("P25") is a suite of wireless communications protocols used in the US and elsewhere for public safety two-way (voice) radio systems. The protocols include security options in which voice and data traffic can be cryptographically protected from eavesdropping. This paper analyzes the security of P25 systems against both passive and active adversaries. We found a number of protocol, implementation, and user interface weaknesses that routinely leak information to a passive eavesdropper or that permit highly efficient and difficult to detect active attacks. We introduce new selective subframe jamming attacks against P25, in which an active attacker with very modest resources can prevent specific kinds of traffic (such as encrypted messages) from being received, while emitting only a small fraction of the aggregate power of the legitimate transmitter. We also found that even the passive attacks represent a serious practical threat. In a study we conducted over a two year period in several US metropolitan areas, we found that a significant fraction of the "encrypted" P25 tactical radio traffic sent by federal law enforcement surveillance operatives is actually sent in the clear, in spite of their users' belief that they are encrypted, and often reveals such sensitive data as the such sensitive data as the names of informants in criminal investigations.

You may remember the awesome work Matt has done with Voting machine security (PDF), law enforcement wiretaps (PDF), and testifying about location-based technologies and services.

112th Privacy Legislation

| 1 Comment
Updated September 27, 2011.
Updated November 8, 2011.
Updated January 31, 2012.
Updated February 7, 2012. Please see changes below.

The post below details the current pieces of draft/for discussion bills proposed by Representatives and Senators of the 112th Congressional Session. This will be a living post as it is expected there will be hearings happening before the July 4th recess.  For your reading pleasure and enjoyment (because what privacy-focused person doesn't love reading policy?) the items detail the sponsors, bill name and number, and provide links to PDF copies of the bill and to Thomas for official bill statuses.  Enjoy.  Sometime soon, expect a post from PrivacyWonk comparing all of these bills (where applicable/appropriate).

9/27/2011: Three Senate bills have moved far ahead of the pack being passed out of the Senate Judiciary Committe. Senators Blumenthal, Leahy, and Feinstein all have bills (see below) that will now appear on the legislative calendar. CDT's Harley Geiger has great write up on them here.

1/31/2012: While SOPA/PIPA dominated much of December 2011 and January 2012, a privacy issue arose around CarrierIQ -- tracking software installed in millions of smart phones on multiple carriers -- in early December. Senator Al Franken demanded answers to questions, CarrierIQ put out a press release, and other Congress members have asked for a formal investigation. Coming out of all this, Representative Edward Markey (D-MA) published a draft cellphone privacy bill. Lastly, two bills have seen an increase in support. H.R. 1895, Do Not Track Kids Online and H.R. 1981, Protecting Children From Internet Pornographers Act of 2011. Details below.

Quick Stats
Pieces of Legislation: 19 introduced, 1 discussion draft
Representatives: 9
Senators: 9

Representative Bobby L. Rush (D-IL) reintroduced his privacy focused legislation from last year on Thursday, February 10th, 2011.  Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act (PDF). (H.R. 611).
Status: Referred to the House Subcommittee on Commerce, Manufacturing, and Trade, no cosponsors have signed on.

Representative Jackie Speier (D-CA) introduced two pieces of legislation on Friday, February 11th, 2011, aimed at protecting personal information.  The Do Not Track Me Online Act of 2011 (H.R. 654) would give consumers the ability to prevent the collection and use of data on their online activities.  The Financial Information Privacy Act of 2011 (H.R. 653) would give consumers control of their own financial information.
H.R. 654 Status: Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 22 cosponsors have signed on.
H.R. 653 Status: Referred to the House Subcommittee on Financial Institutions and Consumer Credit. Seven cosponsors have signed on.

Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (PDF) (S. 799) on April 12, 2011. This bill aims to establish a baseline code of conduct for how personally identifiable information and information that can uniquely identify an individual or networked device are used, stored, and distributed.
Status: Referred to Committee on Commerce, Science, and Transportation. Two cosponsors have signed on.

Representative Cliff Stearns (R-FL) introduced the Consumer Privacy Protection Act of 2011 (H.R. 1528) on April 13, 2011, which seeks to "protect and enhance consumer privacy" both online and offline by imposing certain notice and choice requirements with respect to the collection and use of personal information. 
: Referred to the Committee on Commerce, Science, and Transportation. Five cosponsors have signed on.

Representative Bobby L. Rush (D-IL) reintroduced the Data Accountability and Trust Act (PDF) (H.R. 1701) (formerly H.R. 2221 from the 111th) on May 4, 2011, which directs companies to establish policies on the use (collection, storage, sale, disposition, etc) of consumer personal information.  It also has a 60-day breach notification requirement.  Minimal changes to the original, the only substantial update was the definition of service provider.
Status: Referred to the House Committee on Energy and Commerce. Four cosponsors have signed on.

Senator Jay Rockefeller (D-WV), the Chairman of the Senate Committee on Commerce, Science and Transportation, introduced the "Do-Not-Track Online Act of 2011" (S. 913) on May 9, 2011. The bill requires the Federal Trade Commission to prescribe regulations regarding the collection and use of personal information obtained by tracking the online activity of an individual, and for other purposes (Do Not Track).
Status: Referred to the Committee on Commerce, Science, and Transportation. Two cosponsors have signed on.

Representative Cliff Stearns (R-FL) and Representative Jim Matheson (D-UT) introduced the Data Accountability and Trust Act of 2011 (H.R. 1841) on May 11, 2011, which seeks to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach. This bill is built on Representative Bobby Rush's original DATAct from the 111th.
Status: Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. One cosponsor has signed on.

Representatives Ed Markey (D-MA) and Joe Barton (R-TX) introduced the Do Not Track Kids Act of 2011 (PDF) (H.R. 1895) on May 13, 2011. The bill amends the historic Children's Online Privacy Protection Act of 1998 (COPPA), will extend, enhance and update the provisions relating to the collection, use and disclosure of children's personal information and establishes new protections for personal information of children and teens.
Status: Referred to the House Subcommittee on Commerce, Manufacturing, and Trade. 18 cosponsors have signed on.

Senator Patrick Leahy (D-VT) introduced two Senate Bills to address both consumer privacy and citizen privacy. The first, introduced on May 17, 2011 to modernize and update the Electronic Communications Privacy Act titled Electronic Communications Privacy Act Amendments Act of 2011 (PDF) (S. 1011).  The second bill, introduced on June 6, 2011, titled Personal Data Privacy and Security Act of 2011 (PDF) (S.1151). This is an update and reintroduction of Leahy's 2009 bill of the same title.
S. 1011 Status: Read twice and referred to Committee on the Judiciary, no cosponsors have signed on.
S. 1151 Status: Placed on Senate Legislative Calendar under General Orders. Calendar No. 181. Four cosponsors have signed on. On 11/7/2011, Senator Leahy filed Additional/Minority views in Senate Report 112-091, the DHS Appropriations Bill of 2012.

Sen. Ron Wyden (D-OR) and Rep. Jason Chaffetz (R-Utah) introduced Geolocation Privacy and Surveillance ("GPS") Act (PDF). (S. 1212) and (H.R.2168) on June 15, 2011 that creates a legal framework designed to give government agencies, commercial entities and private citizens clear guidelines for when and how geolocation information can be accessed and used.
S.1212 Status: Referred to the Senate Committee on the Judiciary, one cosponsor has signed onto the bill.
H.R. 2168 Status: Referred to the Subcommittee on Crime, Terrorism, and Homeland Security. 10 cosponsors have signed on.

Senators Mark Pyyor (D-AR) and Senator Jay Rockefeller (D-WV) introduced the Data Security and Breach Notification Act (PDF) (S. 1207) on June 15, 2011.  This is a reintroduction of a bill originally proposed by Senator Pryor in 2010.  The bill aims to require businesses and nonprofit organizations that store consumers' personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances. 
Status: Referred to the Committee on Commerce, Science, and Transportation. One cosponsor has signed on.
NB: Politico featured a story with S. 1207 as the center piece, describing the Senator's efforts to arrive a consensus and expressing their hopes to hit the December markup.

Senators Al Franken (D-MN) and Richard Blumenthal (D-CT) introduced the Location Privacy Protection Act of 2011 (PDF),  one-page overview (PDF) (S. 1223) on June 16, 2011 that would require companies/app developers to receive express consent from users of mobile devices like smartphones and tablets before sharing information about those users' location with third parties. Will update this post as more information becomes available. Franken gets the best headline out of this: Congress to Device Makers: Don't Track Me, Bro
Status: Read twice and referred to the House Committee on the Judiciary. Six cosponsors has signed on.

Representative Mary Bono Mack (R-CA) introduced the Secure and Fortify (SAFE) Data Act  (PDF) (H.R. 2577) on July 18, 2011.  The bill aims to establish standards of breach notification and would require organizations to notify people affected by a data breach and the Federal Trade Commission (FTC) within 48 hours. This bill was previously discussed during a House Energy and Commerce Committee panel/mark-up session held on June 15, 2011.
Status: Referred to House Commerce Subcommittee on Commerce, Manufacturing and Trade. No cosponsors have signed on.

Senator Dianne Feinstein (D-CA) introduced the Data Breach Notification Act of 2011 (PDF) (S. 1408) on July 22, 2011.  This is the same legislation Senator Feinstein has introduced in the 111th session (see: S. 139). The legislation is focused only on breach notification and does not introduce security requirements. It mandates multiple notifications depending on the severity of the breach (i.e., individual, secret service, FTC, etc) and gives States AGs power to bring civil suits and does not offer any private right of action.
Status: Committee on the Judiciary. Ordered to be reported with an amendment in the nature of a substitute favorably. No cosponsors have signed on. 2/6/2012: Placed on Senate Legislative Calendar under General Orders. Calendar No. 310.

The Congressional Budget Office (CBO) has scored S. 1408. The report, released October 31, 2011, "estimates that implementing S. 1408 would cost about $3 million annually for the FTC and federal law enforcement agencies to specify how the required notification procedures would work. CBO expects that most government agencies would incur negligible costs to implement the legislation."

Representative Lamar Smith (R-TX) introduced the Protecting Children From Internet Pornographers Act of 2011 (PDF) (H.R. 1981) on May 25, 2011. This bill mandates that Internet Service Providers keep incredibly detailed logs, for up to 18 months, on all customers to facilitate the prosecution of child pornography, including internet protocol addresses (i.e. all IP addresses assigned), customer names, addresses, phone records, type and length of service, and credit card numbers, and more.  Status: On July 28, 2011 the House Judiciary Committee conducted a final roll call vote (PDF) and approved the bill, 19-10 to move before the entire House for a vote. 39 cosponsors have signed on. On November 10, 2011 house report 112-281 Part 1 discussing the bill was published. On December 16, 2011 the bill was placed on the Union Calendar, Calendar No. 224.

Senator Richard Blumenthal (D-CT) introduced the Personal Data Protection and Breach Accountability Act of 2011 (PDF) (S.1535) on September 8, 2011. The 100-page bill aims to regulate companies that store information for more than 10,000 people. The bill aims to deter preventable breaches, minimize consumer harm, promote a robust security platform, and uses a very big stick for compliance. Individuals found to consistently violating these provisions face a maximum sentence of five years in prison and/or a $1 million fine. This is one the most severe penalties put forward in a privacy focused bill. Further, the bill requests coordination between the FBI and Secret Service to produce reports on enforcement actions, breach trends, and the efficacy of post-breach notifications.
Status: Placed on Senate Legislative Calendar under General Orders. Calendar No. 182. One cosponsor has signed on.

Representative Ed Markey (D-MA) released a discussion draft of Mobile Device Privacy Act (PDF) on January 30, 2012. The bill would require companies to disclose if they are using tracking software (i.e. CarrierIQ), what information the software collects, and whom it shares the information with. Consumers would have to provide express consent to any data collection or transmission, and third parties would have to have documented policies in place to secure the data they collect. Companies that want to transfer data to third parties would have to file applications with the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC). Enforcement falls under FTC Unfair and Deceptive trade practices.
Status: Discussion Draft, not officially introduced.

If you would like to voice concern or support for any of the bills, you can easily find you Representative and/or Senator through

Special thanks to:
Hunton and Williams privacy blog for providing some quick source material --
ThreatLevel --
Cecilia Kang --
PrivacyLives for the draft of the Franken bill --
Privacy Insider -
CDT/ABC News Opinion:

UPDATE 6/15/2011:
  • House hearing to discuss draft of Rep. Mary Bono Mack's data security bill starting now. Watch livestream at:
  • Senator Wyden and Representative Chaffetz dropped their bipartisan geolocation bill
  • Senators Franken and Blumenthal release a one-page overview of their legislation...
  • Senators Pryor and Rockefeller reintroduced data breach legislation
  • Fixed broken Thomas links above
UPDATE 6/16/2011:
  • Received final version of Al Franken's bill that was introduced on June 16, 2011.
UPDATE 6/29/2011:
  • Updated with Rep. Rush and Stearns/Matheson's versions of the Data Accountability and Trust Act of 2011
  • Updated cosponsor stats for all bills
  • Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, John D. Rockefeller, held a full committee hearing on privacy and data security. Archived webcast available: Privacy and Data Security: Protecting Consumers in the Modern World
UPDATE 8/2/2011:
  • Added H.R. 2577, S. 139, and H.R. 1981
UPDATE 9/27/2011:
  • Updated Status and cosponsors for all bills.
  • Added S.1535
UPDATE 11/7/2011:
  • Updated sponsor count on H.R. 654 (19 to 20)
  • Updated sponsor count on H.R. 1528 (4 to 5)
  • Added link to S. 1151, Senator Leahy's additional/minority views on DHS Appropriations bill
  • Updated sponsor count on S.1212 (0 to 1)
  • Updated sponsor count on H.R. 2168 (6 to 8)
  • Added Politico link on S.1207
  • Added CBO Score on S.1408
UPDATE 01/31/2012:
  • Added Rep. Markey's Discussion Draft
  • Updated sponsor count on H.R. 654 (20 to 22)
  • Updated sponsor count on H.R. 1707 (3 to 4)
  • Updated sponsor count on H.R. 1895 (6 to 18)
  • Updated sponsor count on H.R. 2168 (8 to 10)
  • Updated sponsor count on S. 1223 (5 to 6)
  • Updated sponsor count on H.R. 2168 (25 to 39)
UPDATE 02/07/2012:
  • Updated status of S. 1408, placed on Senate Legislative Calendar under General Orders. Calendar No. 310 as of 2/6/2012.