WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, and John Thune (R-SD), ranking member of the Commerce Committee’s Subcommittee on Communications, Media and Broadband, led a group of 12 bipartisan senators to introduce the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act, legislation that will comprehensively address the ongoing threat posed by technology from foreign adversaries by better empowering the Department of Commerce to review, prevent, and mitigate information communications and technology transactions that pose undue risk to our national security.

“Today, the threat that everyone is talking about is TikTok, and how it could enable surveillance by the Chinese Communist Party, or facilitate the spread of malign influence campaigns in the U.S. Before TikTok, however, it was Huawei and ZTE, which threatened our nation’s telecommunications networks. And before that, it was Russia’s Kaspersky Lab, which threatened the security of government and corporate devices,” said Sen. Warner. “We need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.”

“Congress needs to stop taking a piecemeal approach when it comes to technology from adversarial nations that pose national security risks,” said Sen. Thune. “Our country needs a process in place to address these risks, which is why I’m pleased to work with Senator Warner to establish a holistic, methodical approach to address the threats posed by technology platforms – like TikTok – from foreign adversaries. This bipartisan legislation would take a necessary step to ensure consumers’ information and our communications technology infrastructure is secure.”

The RESTRICT Act establishes a risk-based process, tailored to the rapidly changing technology and threat environment, by directing the Department of Commerce to identify and mitigate foreign threats to information and communications technology products and services.

In addition to Sens. Warner and Thune, the legislation is co-sponsored by Sens. Tammy Baldwin (D-WI), Deb Fischer (R-NE), Joe Manchin (D-WV), Jerry Moran (R-KS), Michael Bennet (D-CO), Dan Sullivan (R-AK), Kirsten Gillibrand (D-NY), Susan Collins (R-ME), Martin Heinrich (D-NM), and Mitt Romney (R-UT).

The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act would:

• Require the Secretary of Commerce to establish procedures to identify, deter, disrupt, prevent, prohibit, and mitigate transactions involving information and communications technology products in which any foreign adversary has any interest and poses undue or unacceptable risk to national security;
• Prioritize evaluation of information communications and technology products used in critical infrastructure, integral to telecommunications products, or pertaining to a range of defined emerging, foundational, and disruptive technologies with serious national security implications;
• Ensure comprehensive actions to address risks of untrusted foreign information communications and technology products by requiring the Secretary to take up consideration of concerning activity identified by other government entities;
• Educate the public and business community about the threat by requiring the Secretary of Commerce to coordinate with the Director of National Intelligence to provide declassified information on how transactions denied or otherwise mitigated posed undue or unacceptable risk.

“We need to protect Americans’ data and keep our country safe against today and tomorrow’s threats. While many of these foreign-owned technology products and social media platforms like TikTok are extremely popular, we also know these products can pose a grave danger to Wisconsin’s users and threaten our national security,” said Sen. Baldwin. “This bipartisan legislation will empower us to respond to our fast-changing environment – giving the United States the tools it needs to assess and act on current and future threats that foreign-owned technologies pose to Wisconsinites and our national security.”

“There are a host of dangerous technology platforms – including TikTok – that can be manipulated by China and other foreign adversaries to threaten U.S. national security and abuse Americans’ personal data. I’m proud to join Senator Warner in introducing bipartisan legislation that would put an end to disjointed interagency responses and strengthen the federal government’s ability to counter these digital threats,” said Sen. Fischer.

“Over the past several years, foreign adversaries of the United States have encroached on American markets through technology products that steal sensitive location and identifying information of U.S. citizens, including social media platforms like TikTok. This dangerous new internet infrastructure poses serious risks to our nation’s economic and national security,” said Sen. Manchin. “I’m proud to introduce the bipartisan RESTRICT ACT, which will empower the Department of Commerce to adopt a comprehensive approach to evaluating and mitigating these threats posed by technology products. As Chairman of the Senate Armed Services Subcommittee on Cybersecurity, I will continue working with my colleagues on both sides of the aisle to get this critical legislation across the finish line.”

“Foreign adversaries are increasingly using products and services to collect information on American citizens, posing a threat to our national security,” said Sen. Moran. “This legislation would give the Department of Commerce the authority to help prevent adversarial governments from introducing harmful products and services in the U.S., providing us the long-term tools necessary to combat the infiltration of our information and communications systems. The government needs to be vigilant against these threats, but a comprehensive data privacy law is needed to ensure Americans are able to control who accesses their data and for what purpose.”

“We shouldn’t let any company subject to the Chinese Communist Party’s dictates collect data on a third of our population – and while TikTok is just the latest example, it won’t be the last. The federal government can’t continue to address new foreign technology from adversarial nations in a one-off manner; we need a strategic, enduring mechanism to protect Americans and our national security. I look forward to working in a bipartisan way with my colleagues on the Senate Select Intelligence Committee to send this bill to the floor,” said Sen. Bennet.

“Our modern economy, communication networks, and military rely on a range of information communication technologies. Unfortunately, some of these technology products pose a serious risk to our national security,” said Sen. Gillibrand. “The RESTRICT Act will address this risk by empowering the Secretary of Commerce to carefully evaluate these products and ensure that they do not endanger our critical infrastructure or undermine our democratic processes.”

“China’s brazen incursion of our airspace with a sophisticated spy balloon was only the most recent and highly visible example of its aggressive surveillance that has targeted our country for years.  Through hardware exports, malicious software, and other clandestine means, China has sought to steal information in an attempt to gain a military and economic edge,” said Sen. Collins. “Rather than taking a piecemeal approach to these hostile acts and reacting to each threat individually, our legislation would create a wholistic, government-wide response to proactively defend against surveillance attempts by China and other adversaries.  This will directly improve our national security as well as safeguard Americans’ personal information and our nation’s vital intellectual property.”

"Cybersecurity is one of the most serious economic and national security challenges we face as a nation. The future of conflict is moving further away from the battlefield and closer to the devices and the networks everyone increasingly depends on. We need a systemic approach to addressing potential threats posed by technology from foreign adversaries. This bill provides that approach by authorizing the Administration to review and restrict apps and services that pose a risk to Americans’ data security. I will continue to push for technology defenses that the American people want and deserve to keep our country both safe and free,” said Sen. Heinrich.

“The Chinese Communist Party is engaged in a multi-generational, multi-faceted, and systematic campaign to replace the United States as the world’s superpower. One tool at its disposal—the ability to force social media companies headquartered in China, like TikTok’s parent company, to hand over the data it collects on users,” said Sen. Romney. “Our adversaries—countries like China, Russia, Iran—are increasingly using technology products to spy on Americans and discover vulnerabilities in our communications infrastructure, which can then be exploited. The United States must take stronger action to safeguard our national security against the threat technology products pose and this legislation is a strong step in that direction.”

A two-page summary of the bill is available here. A copy of the bill text is available here.

### 

WASHINGTON – Today, Chairman of the Senate Select Committee on Intelligence U.S. Sen. Mark R. Warner (D-VA) appeared on FOX News Sunday to discuss the how the U.S. needs to tackle rising threats posed by the Communist Party of China. 

On the how the United States needs to address the rise of the Chinese Communist Party on the world stage:

“We have never had a potential adversary like China. The Soviet Union, Russia, was military or ideological, China is investing in economic areas. They have $500 billion in intellectual property theft, and we are in a competition not just on a national security basis but on a technology basis. That's why national security now includes telecommunications, satellites, artificial intelligence, quantum computing. Each of these domains, we have got to make the kind of investments to stay ahead. I think we are starting that in a bipartisan way. We did the CHIPS bill to try to bring semiconductor manufacturing back, we have kicked out Huawei out of our telecom systems. This week, I have a broad bipartisan bill that I am launching with my friend John Thune, the Republican lead, where we are going to say, in terms of foreign technology coming into America, we’ve got to have a systemic approach to make sure we can ban or prohibit it when necessary.”

On the influence of TikTok:

“Listen, you have 100 million Americans on TikTok, 90 minutes a day…They are taking data from Americans, not keeping it safe, but what worries me more with TikTok is that this could be a propaganda tool. The kind of videos you see would promote ideological issues. If you look at what TikTok shows to the Chinese kids, which is all about science and engineering, versus what our kids see, there’s a radical difference.”

On China’s support for Putin’s war in Ukraine:

“…if China moves forward to support Russia in Ukraine, I can't understand some of my colleagues who are willing to say, ‘I don't really care about Ukraine, but I'm concerned about China.’ Well, China and Russia, these authoritarian regimes, are linked, and we have to make sure Putin is not successful in Ukraine and that Xi doesn't further his expansion plans around Taiwan.”

Video of Sen. Warner on FOX News Sunday can be found here. A transcript follows.

FOX News Sunday 

SHANNON BREAM: Joining is now, Virginia Democratic Senator Mark Warner, Chairman of the Senate Intelligence Committee, welcome back. This week, you all have a hearing on worldwide threat assessments. You will have the DNI, the director of the CIA there. You have long been warning about China on multiple fronts. Do you think that we have lost valuable time in assessing the threat accurately? Will you talk about that this week?

SENATOR MARK WARNER: Well I think for a long time conventional wisdom was, the more you bring China into the world order, the more they’re going to change. That assumption was just plain wrong. China even changed their laws in 2016 to make it explicitly clear that every company in China, their first obligation is to the Communist Party. So we have never had a potential adversary like China. The Soviet Union, Russia, was military or ideological, China is investing in economic areas. They have $500 billion in intellectual property theft, and we are in a competition not just on a national security basis but on a technology basis. That's why national security now includes telecommunications, satellites, artificial intelligence, quantum computing. Each of these domains, we have got to make the kind of investments to stay ahead. I think we are starting that in a bipartisan way. We did the CHIPS bill to try to bring semiconductor manufacturing back, we have kicked out Huawei out of our telecom systems. This week, I have a broad bipartisan bill that I am launching with my friend John Thune, the Republican lead where we are going to say, in terms of foreign technology coming into America, we’ve got to have a systemic approach to make sure we can ban or prohibit it when necessary.

BREAM: Does that mean TikTok?

SEN. WARNER: That means TikTok is one of the potentials. Listen, you have 100 million Americans on TikTok, 90 minutes a day. Even you guys would like that kind of return, 90 minutes a day. They are taking data from Americans, not keeping it safe, but what worries me more with TikTok is that this could be a propaganda tool. The kind of videos you see would promote ideological issues. If you look at what TikTok shows to the Chinese kids, which is all about science and engineering, versus what our kids see, there’s a radical difference.

BREAM: We will watch that, because that's a bipartisan offering potentially this week. This past week we got information, it was revealed that both the Department of Energy and FBI believe that the origins of COVID were most likely a leak from the Wuhan Institute for Virology. This is something that early on this was called a conspiracy theory, you were racist if you talked about it. The Senate has actually unanimously passed a measure that would call on this administration to declassify information that we have about the origins. The White House won't say whether the president will veto it or not if it gets to his desk. Do Americans, worldwide, do people not have a right to see that information?

SEN. WARNER: Shannon, here is again an example of what we are dealing with, with the Communist Party in China. If this virus had originated virtually anywhere else, we would have had world scientists there. The Chinese Communist Party has been totally opaque about letting in outside scientists to figure this out. Now, you’ve still got of some parts of the intelligence community that think it originated in a wet market, others saying that it could have gotten out from a lab, although I would say that one entity says it came from one lab in Wuhan, another said from another. At the end of the day, we’ve got to keep looking and we've got to make sure, in terms of future pandemics, that we can have access to the source of where these diseases originate a lot earlier on in the system. We’re three and half later, we still don't have access to Wuhan.

BREAM: They're not going to cooperate with that, especially if they assess internally they were at fault. How do they pay for this? Now, billions probably trillions in damages and losses for people, millions and millions of lives. How do they pay?

SEN. WARNER: Well I think again, this is where we’ve got to have that united front of countries all around the world, that there has to be consequences. There has to be consequences potentially in terms of sanctions, it’s one of the reasons why, if China moves forward to support Russia in Ukraine, I can't understand some of my colleagues who are willing to say, “I don't really care about Ukraine, but I'm concerned about China.” Well, China and Russia, these authoritarian regimes, are linked, and we have to make sure Putin is not successful in Ukraine and that Xi doesn't further his expansion plans around Taiwan.

BREAM: Well, we know that even if they are not sending bullets over to Russia, they are buying up copious amounts of Russian oil. They are sending dual-use products that could actually be used on the battlefield. Xi doesn't seem very worried about the warnings from the U.S. at this point. They haven't even acknowledged or apologized for the balloon that went across America, we think capturing information as it went. It Xi afraid of this administration? To our warnings mean anything?

SEN. WARNER: Well I think Xi, as Putin thought, thought that with the invasion of the Ukraine, that the West would basically throw in the towel. The fact that we’ve not, the fact that you've got, for example, the German chancellor here just this past week, Germany’s dramatically increasing their defense budget. The fact that we've got nations like Finland and Sweden trying to join NATO. I think Putin made a major miscalculation and I do think Xi is watching the West stand up against Putin and is taking some lessons from that.

BREAM: You're just back from India, among many other countries you visited. They abstained from the U.N. vote that condemned Russia's invasion of Ukraine and called for an end to this. How important is it, a critical place like India, that they choose a side, and with the West?

SEN. WARNER: I think it’s time. Look, India is a great nation, as a matter of fact, I’m chair of the India Caucus, I'm a big supporter of India. India is now a major, major power. Fifth-largest economy in the world, and a place where remarkable things are happening. My message to the Indians has been, we understand that you have historic ties to Russia, and you still get a lot of your arms, but you cannot be a world leader, and attempt to be a moral world leader, without picking a side. And in this case, I think the younger Indians get that. Some of the older generation, I think we still have work to do.

BREAM: Okay, let's turn to continued funding for Ukraine. Another $400 million was announced on Friday. There are questions, there'll be more requests from Congress no doubt in the coming weeks about that. While there is strong support, here across the U.S. and across the West, the polls show that it's pulling back a little bit. Here's the reality from one analyst, “funding for the Ukrainian government has not demanded any tough bureaucratic trade-offs between funding priorities. It's not requiring bouncing needs for Ukraine against a domestic spending.” We’ve hit our ceiling, we have some kind of negotiation that’s got to happen very shortly. There are competing needs and they are very real, so where do we assess our financial commitment?

SEN. WARNER: Well Shannon, let's look at this. We have allocated $113 billion to Ukraine. We have actually only given them actually less than half of that, and on the military side, about $30 billion of roughly $60 billion. We’ve still got some runway to go there. But I think we need to keep that commitment, and the truth is the Russian army is being chewed up by the Ukrainians. We spent $800 billion a year on defense, in most of my lifetime to prevent Russia from exploiting that. We are having Ukrainians do that right now, in a sense, for us. I think we need to continue that. I think we will see the vast majority of members of Congress in both parties, there are some loudmouths on both sides that are pulling back, but if we are going to keep in this competition against Russia and China, Putin cannot be successful. At the same time, we have to realize as we look at China that national security is no longer simply tanks and trucks and guns and ships. It's also telecom and AI and quantum computing and advanced synthetic biology. We have to make investments in those domains, as well, which is both an economic investment and I believe, national security investment.

BREAM: Speaking of another national security interest, Iran, this report on their nuclear capabilities came out this week and it’s kind of getting lost in all the other foreign policy headlines, but basically what the International Atomic Energy Agency told us is that they have hit 84% as far as enriching uranium. They said that’s just short of the 90% that you would need for a weapon. Britain, France, and Germany say they want to censure Iran over this. The U.S. is kind of hesitant. The reporting is that the Biden administration doesn’t want to go there. Are we now then softer on Iran's new program then Europe?

SEN. WARNER: I do not believe that. We have made it explicitly clear – and I was just in Israel recently with a group of senators  – that we agree with Israel. Iran cannot be a nuclear power. I think, that has been our policy it will continue to be our policy. There are two steps in this process, one is the enrichment issue, and I believe we will be tougher than the Europeans. We always historically always have been –

BREAM: So then why are we against censuring, reportedly?

SEN. WARNER: We have already sanctioned and censured more Iranian companies by far than our European friends. But there is also a question around delivery systems. Again, I think we and our Israeli friends are following this very closely. Again, we will not allow Iran to become a nuclear power.

BREAM: I've got to hit this, Havana Syndrome. The reporting out this week, an assessment from several intelligence agencies that they don't think –  that it's unlikely there was a foreign adversary carrying out these attacks, whatever they were, where our people, diplomats or Intel officers around the world in U.S. missions have suffered really debilitating symptoms from this. Senator Rubio, your colleague tweeted this: “The CIA took the investigation of Havana syndrome seriously. But when you read about the devastating injuries it's hard to except that it was by AC units and loud cicadas. Something happened here and just because we don’t have all the answers doesn’t mean it didn’t happen.” Will you continue trying to pursue answers?

SEN. WARNER: Absolutely. First of all, the most important thing is anyone who got sick, whatever the source was, whether they are CIA, DoD, State Department officials, we owe them the world's best health care and I think we are providing that now. Initially frankly, under the last administration, this whole issue was attempted to be swept under the rug. We are now making sure that health care is provided. I know how, particularly the CIA, how extensive the investigation has been. And I've made very clear to them, if they need to continue that investigation, if new facts come to light, they ought to pursue that. But at this moment in time, I know how thorough they have been, and they have not found the evidence that I think perhaps they thought they would have found. We've got to follow the facts. At the end of the day that's what we owe the members of this intel community, who protect our nation, and that means giving them the health care. If it ends up sensing some other source then what has been discovered so far, we have to pursue it.

BREAM: Senator, Chairman, thanks for coming back to Fox News Sunday.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) and Rep. Elissa Slotkin (D-MI) wrote to Sundar Pichai – the CEO of Alphabet Inc. and its subsidiary Google – urging him to curb deceptive advertisements and ensure that users receive accurate information when searching for abortion services on the platform. This letter comes on the heels of an investigation that reveals how Google regularly fails to apply disclaimer labels to misleading ads by anti-abortion clinics. It also follows a successful effort by Sen. Warner and Rep. Slotkin who previously urged Google to take action to prevent misleading search results for anti-abortion clinics. This push ultimately led Google to clearly label facilities that provide abortions and prevent users from being misled by fake clinics or crisis pregnancy centers.

“We are encouraged by and appreciative of the recent steps Google has taken to protect those searching for abortion services from being mistakenly directed to clinics that do not offer comprehensive reproductive health services. However, we ask you to address issues with misrepresentation in advertising on Google’s site and take a more expansive, proactive approach to addressing violations of Google’s stated policy,” wrote the lawmakers.

“According to an investigation by Bloomberg News and the Center for Countering Digital Hate (CCDH), depending on the search term used, Google does not consistently apply disclaimer labels to ads by anti-abortion clinics.  CCDH recently conducted searches that returned 132 misleading ads for such clinics that lacked disclaimers. Specifically, researchers found that queries for terms such as ‘Plan C pills,’ ‘pregnancy help,’ and ‘Planned Parenthood’ often returned results with ads that are not labeled accurately,” they continued. “Furthermore, the Tech Transparency Project found that some ads from ‘crisis pregnancy centers,’ even when they were properly labeled, the ads themselves included deliberately deceptive verbiage aimed at tricking users into believing that they offer abortion services.  For example, ads for ‘crisis pregnancy centers’ were found to contain language such as ‘Free Abortion Pill’ and ‘First Trimester Abortion.’ Such deceptive advertising likely reduces the effectiveness of labels and may lead to detrimental health outcomes for users who receive delayed treatment.”

In addition to urging Google to rectify these issues, the lawmakers also requested answers to the following questions:

1. What specific search terms does Google consider related to “getting an abortion”?
2. What criteria does Google use to determine whether specific queries are related to “getting an abortion”?
3. What additional steps will Google take to identify and remove ads with misleading verbiage that violates Google’s policies against misrepresentation?

A copy of the letter is available here and full text of the letter can be found below:

Dear Mr. Pichai,

We write today regarding the responsibility that Google has to ensure users receive accurate information when searching for abortion services on your platform. We are encouraged by and appreciative of the recent steps Google has taken to protect those searching for abortion services from being mistakenly directed to clinics that do not offer comprehensive reproductive health services. However, we ask you to address issues with misrepresentation in advertising on Google’s site and take a more expansive, proactive approach to addressing violations of Google’s stated policy.

On June 17, 2022, we wrote to you, along with 19 other senators and representatives, regarding research that showed Google results for searches such as “abortion services near me” often included links to clinics that are anti-abortion, sometimes called “crisis pregnancy centers.”   We were extremely concerned with this practice of directing users toward “crisis pregnancy centers” without any disclaimer indicating those businesses do not provide abortions.

We were pleased to see the changes you have made in response to our letter, such as the new refinement tool that allows users to only see facilities verified to offer abortion services, while still preserving the option to see a broader range of search results.  The steps you have taken will help prevent users from mistakenly being sent to organizations that attempt to deceive individuals into thinking they provide comprehensive health services and instead, regularly provide users with disinformation regarding the risks of abortion.  As many states are increasingly narrowing the window between getting a positive pregnancy test and when you can terminate a pregnancy, every day counts.

But we find ourselves again asking that Google live up to its promises with regards to preventing misleading ads on its platform. According to an investigation by Bloomberg News and the Center for Countering Digital Hate (CCDH), depending on the search term used, Google does not consistently apply disclaimer labels to ads by anti-abortion clinics.  CCDH recently conducted searches that returned 132 misleading ads for such clinics that lacked disclaimers. Specifically, researchers found that queries for terms such as “Plan C pills,” “pregnancy help,” and “Planned Parenthood” often returned results with ads that are not labeled accurately.  We believe Google’s failure to apply disclaimer labels to these common searches appears to be a violation of your June 2019 policy that requires “advertisers who want to run ads using keywords related to getting an abortion” to go through a verification process and be labeled as a provider that “Provides abortions” or “Does not provide abortions.”

Furthermore, the Tech Transparency Project found that some ads from “crisis pregnancy centers,” even when they were properly labeled, the ads themselves included deliberately deceptive verbiage aimed at tricking users into believing that they offer abortion services.  For example, ads for “crisis pregnancy centers” were found to contain language such as “Free Abortion Pill” and “First Trimester Abortion.” Such deceptive advertising likely reduces the effectiveness of labels and may lead to detrimental health outcomes for users who receive delayed treatment. These ads appear to violate Google’s policy on misrepresentation, which prohibits ads that “deceive users.”  Your responsiveness to our first letter gives us hope that you are willing to see this issue through. We, therefore, would appreciate answers to the following questions:

1. What specific search terms does Google consider related to “getting an abortion”?
2. What criteria does Google use to determine whether specific queries are related to “getting an abortion”?
3. What additional steps will Google take to identify and remove ads with misleading verbiage that violates Google’s policies against misrepresentation?

We urge you to take proactive action to rectify these and any additional issues surrounding misleading ads, and help ensure users receive search results that accurately address their queries and are relevant to their intentions.

Thanks for your consideration, and we look forward to your timely response. 

### 

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) wrote to Meta CEO Mark Zuckerberg expressing concern and requesting more information regarding Meta’s practice of collecting user’s health information through tracking applications.

In the letter, Sen. Warner highlighted the need for user privacy and increased transparency around how user data is collected online, which has become increasingly important as the use of telehealth appointments, online appointment booking, and electronic record keeping have risen exponentially over the course of the pandemic.

“As we increasingly move health care online, we must ensure there are strong safeguards in place surrounding the use of these technologies to protect sensitive health information,” wrote Sen. Warner.

Specifically, Sen. Warner called attention to Meta Pixel, a tracking tool that sends Meta a packet of data whenever a user clicks a button to schedule a doctor’s appointment – without the knowledge of the individual making the appointment.

He continued, “I am troubled by the recent revelation that the Meta Pixel was installed on a number of hospital websites – including password-protected patient portals – and sending sensitive health information to Meta when a patient scheduled an appointment online.  This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments.”

Sen. Warner also noted allegations that this practice of data harvesting and collection has been used by Meta to target advertisements across their platforms. In August of this year, two lawsuits were filed against the company over the alleged unlawful collection and sharing of health data without consent.

To address these concerns, Sen. Warner requested Meta respond to the following questions:

1. What information does Meta have access to or receive directly from the Meta Pixel, either currently or previously?
2. How does Meta store information received through the Meta Pixel?
3. Has information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
4. How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?
5. What steps is Meta taking to safeguard sensitive health information, particularly with third-party vendors? Since the release of The Markup’s report in June, what additional steps have been taken?
6. According to the report released by the New York State Department of Financial Services last year, Meta stated that the filtering system was “not yet operating with complete accuracy.” What improvements have been made to make the filtering system more effective? How is Meta testing and evaluating the filtering system’s ability to identify sensitive health information?
7. Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?

Sen. Warner has been a leader in Congress pushing for increased transparency and protections surrounding user data and privacy. He introduced the DASHBOARD Act, which works to increase transparency around data collection; the DETOUR Act, which would prohibit companies like Meta from using deceptive dark patterns to manipulate users into handing over their data; and the Public Health Emergency Privacy Act, which would set strong and enforceable privacy and data security rights for health information.

A copy of the letter can be found here and below.

October 20, 2022

Dear Mr. Zuckerberg:

I write to you today to express my concern regarding Meta’s collection of sensitive health information through the Meta Pixel tracking tool without user consent.

As you know, I have long worked to protect user privacy and increase transparency around how user data is collected and shared. This mission is more urgent than ever as the last two years have shown us the importance of health care technology, with many relying on electronic health records, online appointment booking, and virtual patient portals to receive care during the pandemic. As we increasingly move health care online, we must ensure there are strong safeguards in place surrounding the use of these technologies to protect sensitive health information.

I am troubled by the recent revelation that the Meta Pixel was installed on a number of hospital websites – including password-protected patient portals – and sending sensitive health information to Meta when a patient scheduled an appointment online.  This data included highly personal health data, including patients’ medical conditions, appointment topics, physician names, email addresses, phone numbers, IP addresses, and other details about patients’ medical appointments. Additionally, of particular concern are the recent allegations that Meta has used Meta Pixel data to inform targeted advertisements on Meta’s platforms.  The use of the Meta Pixel is widespread, as the tool was installed in the systems of 33 of the top 100 hospitals in the country and inside the patient portals of seven health systems at the time of the investigation.

Unfortunately, privacy issues involving the Meta Pixel are not new, as there has been previous scrutiny of the Meta Pixel outside of the health care context. Reports published earlier this year found that the Pixel sent personal information to Meta that was collected from the Free Application for Federal Student Aid (FAFSA) on the website of the Federal Student Aid (FSA) office within the U.S. Department of Education.  Data sent to Meta includes applicant first and last name, email addresses, and zip codes. Additionally, this is not the first time that your company has been involved in the wrongful collection of sensitive health information. In 2021, an investigation by the New York State Department of Financial Services found that Meta (then Facebook) collected user data from several health and wellness apps, including results from blood pressure and heart rate readings, menstruation and fertility tracking, pregnancy status, and other deeply personal information. 

Meta’s own business guidelines state that the company “[doesn’t] want websites or apps sending [Meta] sensitive information about people,”  including sensitive health information, which Meta identifies as medical conditions, sexual and reproductive health, mental health, details regarding medical devices and trackers, treatments, test results, body specifications or cycles, locations of treatment, and other health-related data.  Yet, in this most recent case and as we have seen previously, Meta is continuing to access this highly sensitive information.

It is critical that technology companies like Meta take seriously their role in protecting user health data. Without meaningful action, I fear that these continuing privacy violations and harmful uses of health data could become the new status quo in health care and public health.

To address the concerns raised in this letter, I request that you provide responses to the following questions by November 3, 2022:

1. What information does Meta have access to or receive directly from the Meta Pixel, either currently or previously?
2. How does Meta store information received through the Meta Pixel?
3. Has information Meta received from the Meta Pixel ever been used to inform targeted advertisements on Meta’s platforms?
4. How does Meta handle sensitive information that it receives from third parties that violate its business guidelines?
5. What steps is Meta taking to safeguard sensitive health information, particularly with third-party vendors? Since the release of The Markup’s report in June, what additional steps have been taken?
6. According to the report released by the New York State Department of Financial Services last year, Meta stated that the filtering system was “not yet operating with complete accuracy.” What improvements have been made to make the filtering system more effective? How is Meta testing and evaluating the filtering system’s ability to identify sensitive health information?
7. Where required by law, does Meta always comply with any and all notification requirements when the Meta Pixel handles or transmits protected information, in the manner and time required by such laws?

I look forward to your prompt responses.

Sincerely,

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA), Pat Toomey (R-PA), Cynthia Lummis (R-WY), Kyrsten Sinema (D-AZ), and Rob Portman (R-OH) today introduced legislation to clarify the digital asset reporting requirements signed into law as part of last year’s Infrastructure Investment and Jobs Act.

Last August, the senators announced an agreement  with the Department of the Treasury (Treasury) on an amendment to the infrastructure package that would have clarified the definition of “broker” with respect to who must report to the government information about a digital asset transaction. The amendment specifically excluded from reporting requirements services like mining and wallet providers who do not take custody of other individuals’ cryptocurrency, nor are able to comply with the reporting requirements of a broker. While the amendment had strong bipartisan support, including from the Biden administration, the Senate was never afforded the opportunity to vote on and pass this amendment last August due to a procedural hurdle. The legislation introduced today is the exact same text introduced as a bipartisan amendment nearly one year ago.

“There’s been a lot of confusion about the reporting requirements included in the bipartisan infrastructure law,” said Sen. Warner. “As a former venture capitalist and someone who’s enthusiastic about innovation, I want to maintain America’s lead in financial innovation, including distributed ledger technologies. This bipartisan bill will underscore that the reporting requirements in the IIJA do not apply to crypto validators and other actors not providing broker-like functions while maintaining sensible guidelines to ensure that financial networks aren’t enabling illicit activity.”

“While there’s no question that digital asset exchanges behaving as brokers should be required to comply with existing reporting requirements, the bill signed into law last year would impose these requirements on many people who don’t even have the information needed to comply with them,” said Sen. Toomey. “By clarifying the definition of a broker, our legislation will protect innovation by exempting miners, network validators, and other service providers from onerous and unworkable requirements. This amendment had strong bipartisan support last August, and there’s no reason it shouldn’t be signed into law.”

“The Infrastructure Investments and Jobs Act placed unnecessary burdens on digital asset mining and wallet providers, and we must fix these reporting requirements,” said Sen. Lummis. “I’m proud to join my colleagues in introducing this important legislation which will ensure our tax system reflects the realities of the digital asset industry.”

“As more Arizonans utilize digital assets, our commonsense, bipartisan legislation ensures that everyday users of crypto – miners, stakers, and software developers – won't be subjected to reporting requirements that are intended for brokers of digital assets,” said Sen. Sinema.

“This legislation is designed to ensure that the digital asset reporting requirements signed into law as part of last year’s Infrastructure Investment and Jobs Act are implemented as intended,” said Sen. Portman. “I am pleased to see the Senate come together in bipartisan fashion to ensure that we provide clarity in the law and guidance around cryptocurrencies to maintain our edge in financial innovation.”

In addition to maintaining strong bipartisan support in the Senate, this legislation is widely supported by the digital asset industry.

“Coin Center supports any effort to improve the status quo created by the ill-advised crypto tax provisions in the Infrastructure Investment and Jobs Act,” said Jerry Brito, Executive Director of Coin Center. “We applaud Sen. Toomey for leading a bipartisan effort to address some of these issues and appreciate the support of Senators Warner, Sinema, Lummis and Portman.”

"We thank Senators Toomey, Sinema, Portman, Lummis, and Warner for their bipartisan leadership in this nuanced space,” said Sheila Warren, Chief Executive Officer of the Crypto Council for Innovation. “Clarifying how people can use and report on digital assets is important for the industry. We look forward to supporting the continued growth of innovation in the U.S. and working with policymakers on this issue."

“The Chamber of Digital Commerce commends Senator Toomey and co-sponsors for listening to the concerns of the digital asset community and continuing to advocate for regulatory clarity,” said Cody Carbone, Director of Policy, Chamber of Digital Commerce. “The infrastructure bill included burdensome reporting requirements for nearly every participant within the ecosystem and this bipartisan bill will ensure digital asset reporting requirements match the technology’s operation. We urge that this legislation is swiftly passed into law and look forward to working with all interested parties on policy that provides additional certainty for the digital asset space.”

"ADAM applauds Senators Toomey, Sinema, Portman, Lummis, and Warner for their continued bipartisan leadership to provide clarification on the definition of a broker as it relates to the 2021 Infrastructure Bill,” said Robert Baldwin, Head of Policy, Association for Digital Asset Markets. “Definitions matter and an overly broad interpretation of the broker definition as passed has the potential to dampen innovation and lead to the offshoring of various digital assets projects in the rapidly growing sector. This bill fixes the tax definitional issue. ADAM looks forward to continued bipartisan cooperation on this bill and other policy topics so that the U.S. can ensure a long-term position of leadership in digital assets.”

“Global DCA applauds the tireless efforts to clarify the definition of a broker with respect to the digital asset markets,” said Gabriella Kusz, CEO, Global Digital Asset and Cryptocurrency Association. “This common-sense solution will protect innovation while ensuring that those who are buying and selling cryptocurrency pay legitimate taxes that are owed. We look forward to continuing to work with Senator Toomey, Senator Sinema, Senator Portman, Senator Lummis, and Senator Warner to ensure there is responsible regulation without excessive federal overreach.”

“The proposed revisions to Internal Revenue Code regarding Information Reporting for Brokers and Digital Assets marks a key legislative opportunity that we believe will begin to unlock the best benefits of digital assets and blockchain,” said Ron Quaranta, Chairman of the Wall Street Blockchain Alliance. “By clarifying what it means to be a broker in light of this important innovation, the bi-partisan legislation paves the way for further innovations that can evolve markets and ultimately improve the overall financial lives of Americans. We are thankful for the continued effort and thought leadership of Senators Lummis, Portman, Sinema, and Warner, and on behalf of our members look forward to continued dialogue and collaboration with policymakers in the future.”

“Americans need common sense and fair guidance for engaging with blockchain protocols,” said Alison Mangiero, the Executive Director of The Proof of Stake Alliance (POSA). “POSA appreciates Sen. Toomey, Sen. Sinema, Sen. Warner, Sen. Lummis, and Sen. Portman’s, leadership and efforts to make clear that validators, those who do important work to secure blockchain protocols, are recognized appropriately for tax reporting purposes.  We urge the Senate to take up and pass this simple but important bill to provide much-needed clarity and help America grow its web3 economy.”

To read the full text of the bill click here.  

 ###

WASHINGTON – Today, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) and Vice Chairman Marco Rubio (R-FL) urged the Federal Trade Commission (FTC) to formally investigate TikTok and its parent company, ByteDance. The call comes in response to recent reports that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China (PRC) to repeatedly access private data of US users despite repeated claims to lawmakers and users that this data was protected. This includes instances where staff based in the United States had to consult with their China-based colleagues for information about U.S. user data as they did not have access to the data on their own. These revelations undermine longstanding claims by TikTok’s management that the company’s operations were firewalled from demands of the Chinese Communist Party.

“We write in response to public reports that individuals in the People’s Republic of China (PRC) have been accessing data on U.S. users, in contravention of several public representations, including sworn testimony in October 2021,” the senators wrote in a letter to FTC Chair Lina Khan. “In light of this new report, we ask that your agency immediately initiate a Section 5 investigation on the basis of apparent deception by TikTok, and coordinate this work with any national security or counter-intelligence investigation that may be initiated by the U.S. Department of Justice.”

The report also highlights TikTok’s misrepresentation of the company’s relationship to ByteDance and its subsidiaries, including Beijing-based ByteDance Technology, which is partially owned by the Chinese Communist Party (CCP). 

The senators continued, “TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the CCP.”

As Chairman and Vice Chair of the Senate Select Committee on Intelligence, Sens. Warner and Rubio have been vocal about the cyber and national security threats posed by the CCP. In 2019, the senators introduced legislation to combat tech-specific threats to national security posed by foreign actors like China.

A copy of the letter is available here and below. 

Dear Chairwoman Khan:

We write in response to public reports that individuals in the People’s Republic of China (PRC) have been accessing data on U.S. users, in contravention of several public representations, including sworn testimony in October 2021. In an interview with the online publication Cyberscoop, the Global Chief Security Officer for TikTok’s parent company, ByteDance, made a number of public representations on the data security practices of TikTok, including unequivocal claims that the data of American users is not accessible to the Chinese Communist Party (CCP) and the government of the PRC. As you know, TikTok’s privacy practices are already subject to a consent decree with the Federal Trade Commission, based on its improper collection and processing of personal information from children. In light of this new report, we ask that your agency immediately initiate a Section 5 investigation on the basis of apparent deception by TikTok, and coordinate this work with any national security or counter-intelligence investigation that may be initiated by the U.S. Department of Justice.

Additionally, these recent reports suggest that TikTok has also misrepresented its corporate governance practices, including to Congressional committees such as ours. In October 2021, TikTok’s head of public policy, Michael Beckerman, testified that TikTok has “no affiliation” with another ByteDance subsidiary, Beijing-based ByteDance Technology, of which the CCP owns a partial stake. Meanwhile, as recently as March of this year, TikTok officials reiterated to our Committee representations they have previously made that all corporate governance decisions are wholly firewalled from their PRC-based parent, ByteDance. Yet according to a recent report from Buzzfeed News, TikTok’s engineering teams ultimately report to ByteDance leadership in the PRC. 

According to this same report, TikTok’s Trust and Safety department was aware of these improper access practices and governance irregularities, which – according to internal recordings of TikTok deliberations – offered PRC-based employees unfettered access to user information, including birthdates, phone numbers, and device identification information. Recent updates to TikTok’s privacy policy, which indicate that TikTok may be collecting biometric data such as faceprints and voiceprints (i.e. individually-identifiable image and audio data, respectively), heighten the concern that data of U.S. users may be vulnerable to extrajudicial access by security services controlled by the CCP.

A series of national security laws imposed by the CCP, including the 2017 National Intelligence Law and the 2014 Counter-Espionage Law provide extensive and extra-judicial access opportunities for CCP-controlled security services. Under these authorities, the CCP may compel access, regardless of where data is ultimately stored. While TikTok has suggested that migrating to U.S.-based storage from a U.S. cloud service provider alleviates any risk of unauthorized access, these latest revelations raise concerns about the reliability of TikTok representations: since TikTok will ultimately control all access to the cloud-hosted systems, the risk of access to that data by PRC-based engineers (or CCP security services) remains significant in light of the corporate governance irregularities revealed by BuzzFeed News. Moreover, as the recent report makes clear, the majority of TikTok data – including content posted by users as well as their unique IDs– will remain freely accessible to PRC-based ByteDance employees.

In light of repeated misrepresentations by TikTok concerning its data security, data processing, and corporate governance practices, we urge you to act promptly on this matter.

Sincerely, 

### 

WASHINGTON – U.S. Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence, was joined by U.S. Sens. Steve Daines (R-MT) and Thom Tillis (R-NC) in urging Senate Committee on Appropriations leadership to include significant funding to modernize federal information technology (IT) systems for Fiscal Year (FY) 2023. This request includes at least $300 million in funding for the Technology Modernization Fund (TMF), created through a Warner-led bill in 2017.

“It is widely acknowledged that our federal government needs to make significant and urgent investments in replacing outdated and insecure legacy IT systems,” the senators wrote. “Each year, the federal government spends roughly $90 billion on IT systems. Significant portions of this funding go toward the maintenance of older, legacy systems, which over time grow increasingly costly, and often present concerning cybersecurity vulnerabilities.”

“In addition to the urgent security concerns, ignoring these needed modernization efforts hinders the public’s ability to interact with the government in an efficient and responsive way. We saw this issue magnified during the course of the pandemic, as added demands at times overwhelmed our government’s ability to continue providing effective customer service and critical benefits to Americans. We have heard repeatedly from constituents how these strains have slowed the processing of benefits and claims, in many cases hindering their ability to access critical resources and needed assistance that Congress has put in place,” they continued.

Sen. Warner has long pushed for the federal government to improve IT infrastructure. Last year, Sen. Warner applauded the Biden Administration for taking steps to more quickly and effectively help agencies address technology-related issues, after having previously called for them to do so. In 2020, Sen. Warner joined colleagues in calling on the Appropriations Committee to include funding for IT modernization in future COVID-19 relief packages.

A copy of this year’s bipartisan letter is available here and below.

Chairman Leahy, Vice Chairman Shelby, Chairman Van Hollen, and Ranking Member HydeSmith: 

As your committee begins consideration of appropriations for Fiscal Year (FY) 2023, we write to urge you to include significant and critically needed funding to modernize federal information technology (IT) systems. In particular, we request that you provide funding of at least $300 million for the Technology Modernization Fund (TMF).

Congress created the TMF as part of the Modernizing Government Technology (MGT) Act, in response to pressing needs for federal agencies to modernize outdated IT systems and address critical vulnerabilities. The TMF – a revolving fund governed by a board of experts with backgrounds in IT, cybersecurity, financial management, and federal acquisition – is unique in its ability to rapidly evaluate agencies’ technology modernization proposals, assign funding in an agile manner that prioritizes high-need and cost-saving projects, and do all of this in a transparent and accountable manner.

In the roughly four years since it was established, the TMF has delivered approximately $400 million in funding to 20 modernization projects across the government, funding projects that the TMF Board identified as having significant impact on agencies’ security, program operability, and ability to efficiently and effectively deliver results for taxpayers. As the TMF is a revolving fund, agencies that receive funding are given repayment terms that vary based on the project, which allows the TMF to recover a portion of the funds – often through direct cost savings.

It is widely acknowledged that our federal government needs to make significant and urgent investments in replacing outdated and insecure legacy IT systems. Each year, the federal government spends roughly $90 billion on IT systems. Significant portions of this funding go toward the maintenance of older, legacy systems, which over time grow increasingly costly, and often present concerning cybersecurity vulnerabilities.

In addition to the urgent security concerns, ignoring these needed modernization efforts hinders the public’s ability to interact with the government in an efficient and responsive way. We saw this issue magnified during the course of the pandemic, as added demands at times overwhelmed our government’s ability to continue providing effective customer service and critical benefits to Americans. We have heard repeatedly from constituents how these strains have slowed the processing of benefits and claims, in many cases hindering their ability to access critical resources and needed assistance that Congress has put in place.

In 2021 Congress appropriated $1 billion to the TMF to address government IT challenges. While this served as a sizable investment towards these efforts, the demand for these funds was more than double their availability, and the Administration confirms that the TMF will allocate the majority of these funds by the end of this current fiscal year.

By necessity, efforts to modernize and improve the security of IT systems require ongoing and sustained effort by agencies. Congress has a similar responsibility to continue to fund modernization efforts, so that legacy systems aren’t left to grow increasingly costly and insecure over time. The TMF presents agencies with a funding vehicle that is agile and allows them to amortize modernization costs, and that makes technical experts available to agencies throughout the proposal and implementation phases. It also provides Congress a tool with additional accountability and oversight, in the form of board-review of proposals, incremental funding based on outcome-based milestones, and regular follow-up with funding recipients during funding implementation.

We appreciate your consideration of our request for at least $300 million for the Technology Modernization Fund – the level requested by the Administration – and we look forward to continuing to work with you, and with our other colleagues here in the Senate, to ensure that we are providing necessary investment in our federal government’s IT systems.

Sincerely,

###

WASHINGTON - As the U.S. Securities and Exchange Commission (SEC) works to finalize policy changes to modernize and enhance the agency’s rules relating to cybersecurity, a bipartisan group of leading U.S. Senators is urging the SEC to increase transparency for investors in an age of persistent cybersecurity threats with rising economic costs. 

In March, the SEC published proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The proposed rules seek to enhance and standardize disclosures regarding public companies ’ cybersecurity risk governance, including disclosure of whether any directors on a company’s board have cybersecurity expertise.  The proposed rules would affect public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

This week, U.S. Sens. Mark Warner (D-VA), Jack Reed (D-RI), Catherine Cortez Masto (D-NV), Kevin Cramer (R-ND), Angus King (I-ME), Ron Wyden (D-OR), and Susan Collins (R-ME) sent a comment letter to the SEC urging the agency to finalize rules regarding disclosures of the board’s oversight of cybersecurity risks. 

The seven Senators, all cosponsors of the Cybersecurity Disclosure Act (S. 808), have urged the SEC to issue the exact rules that the agency proposed in March to require publicly traded companies to disclose whether they have cybersecurity expertise on their boards of directors.

The Senators wrote: “The Proposal would implement bipartisan legislation that we have introduced called the Cybersecurity Disclosure Act.  That legislation directs the SEC to issue rules requiring each public company to disclose, in its annual report or annual proxy statement, whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience.  And if no member has such expertise or experience, a company would be required to describe what other aspects of the company’s cybersecurity were considered by any person, such as an official serving on a nominating committee, who is responsible for identifying and evaluating nominees for membership to the governing body.

“The Proposal follows the intent of our bill by encouraging directors to play a more effective role in cybersecurity risk oversight at public companies, and we commend the SEC for issuing a Proposal that would achieve this important goal.” 

Full text of the letter follows:

May 9, 2022

Re: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (SEC File No. S7-09-22).

Dear Ms. Countryman:

                We write to respectfully request that the Securities and Exchange Commission (SEC) finalize, as proposed, rules requiring periodic disclosures by public companies regarding cybersecurity expertise on their boards of directors and management’s role in implementing cybersecurity policies and procedures (the Proposal). 

The Proposal would implement bipartisan legislation that we have introduced called the Cybersecurity Disclosure Act.  That legislation directs the SEC to issue rules requiring each public company to disclose, in its annual report or annual proxy statement, whether any member of its governing body has expertise or experience in cybersecurity, including details necessary to describe fully the nature of that expertise or experience.  And if no member has such expertise or experience, a company would be required to describe what other aspects of the company’s cybersecurity were considered by any person, such as an official serving on a nominating committee, who is responsible for identifying and evaluating nominees for membership to the governing body.

The Proposal follows the intent of our bill by encouraging directors to play a more effective role in cybersecurity risk oversight at public companies, and we commend the SEC for issuing a Proposal that would achieve this important goal. 

We respectfully request that the SEC finalize Items 106(c) and 407(j) of Regulation S-K as proposed.  Item 106(c) would require disclosure about public companies’ cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant experience of management, and its role in implementing cybersecurity policies, procedures, and strategies. Item 407(j) would require disclosure about the cybersecurity expertise of members of the board of directors, if any, including the name of any director, and details to describe the nature of the expertise.

I.             Cybersecurity is an important component of long term shareholder value.

Cybersecurity incidents have never been more frequent, complex, and costly.  Last year, the overall number of data breaches reached an all-time high of 1,862, up 23% year-over-year. Almost all of these data breaches were caused by cyberattacks.  The average cost of a data breach has also reached an all-time high last year of $4.24 million, up 10% year-over-year. To take one concrete example at the high end of this scale, the Equifax breach in 2017 ultimately cost the company over $1.7 billion. Companies of all sizes and in many industries have experienced serious cybersecurity incidents with significant impacts on customers, counterparties, and investors. 

Investors often bear the costs associated with these incidents.  The Proposal details a number of specific costs to companies and shareholders, including payments to meet ransom, liability for stolen information, increased insurance premiums, lost revenues due to theft of intellectual property, reputational damage, and litigation costs. These costs culminate in damage not only to a company’s profitability, but also to its stock price.  According to a report by leading economic consulting firms, a severe cybersecurity breach causes an average permanent decline in a company’s valuation of 1.8%.[5]  The Proposal would provide investors with the disclosure they deserve regarding how public companies plan to guard against these risks before they materialize.

II.            The Proposal provides powerful incentives for public companies to bolster cybersecurity, preserving long-term shareholder value. 

Prudent management of cybersecurity risk is important to maintaining long-term shareholder value.  Directors therefore have a responsibility to manage this risk and contribute to a company’s cybersecurity.  But corporate boards are struggling to meet this important obligation.  Only 40% of boards have a director with cybersecurity experience.  And a recent survey by consulting firm EY confirmed a “deficiency of cybersecurity expertise at the C-suite level.” Indeed, according to a recent survey, 60% of directors “don’t believe that cybersecurity should get in the way of business operations.” The Proposal appropriately recognizes that boards must be more vigilant because cybersecurity is among the most significant challenges companies face. 

The Proposal would create powerful incentives for public companies to pay greater attention to cybersecurity risks.  According to a report by the prior Administration’s Council of Economic Advisors, “mandatory disclosure requirements were previously shown to incentivize firms to adopt better cybersecurity measures.” The Proposal’s board level expertise disclosure requirement is a prime example of such an incentive.  The North American Securities Administrators Association agrees that “[i]ncentivizing publicly traded companies to consider whether or not they have appropriate cybersecurity expertise on their governing body is a common-sense way to promote greater attention to cybersecurity risk by public corporations. Investors and customers are well-served by policies that encourage companies to consider such risks proactively, as opposed to after a data breach has already occurred, when such investors and customers have already been harmed.” Proposed Item 106(c) of Regulation S-K would direct public companies to provide these exact disclosures. 

The disclosures in the Proposal will also enable investors to hold public companies accountable.  In a letter of support for the Cybersecurity Disclosure Act, the Council of Institutional Investors stated its belief that “cybersecurity is an integral component of a board’s role in risk oversight.” In another letter of support, the California Public Employees’ Retirement System said that this approach will “ensure that investors have access to decision useful information to better assess the ability of corporate management to adequately address cybersecurity risks.” And according to consulting firm EY, “remaining cyber-resilient and building stakeholder trust in the company’s data security and privacy practices is a strategic imperative. Public disclosures can help build trust by providing transparency and assurance around how boards are fulfilling their cybersecurity risk oversight responsibilities.” If public companies provide the market with more insights into their governance of cybersecurity risks, then investors will be better equipped to decide whether to invest in a public company and how to vote in elections for directors.

III.           Cybersecurity poses unique risks to public companies, which justify the disclosures required by the Proposal.

The unique harms caused by cybersecurity breaches justify the Proposal.  According to testimony by Professor John Coates of Harvard Law School before the Senate Banking Committee:

[T]here is maybe going to be some suggestion that there is a slippery slope and there is all kinds of risks and that cyber is one of them and so on. I really do want to emphasize that cyber is unique. Other than financial risk, where we already have an obligation for boards to say do they have financial expertise on the board or not, other than financial risk, cyber risk is, I believe, the one type of risk that is almost universal among public companies. It is very hard to think of a public company in this network age that is not at least somewhat exposed to cyber risk.

This is precisely why cybersecurity risk warrants special attention from the SEC.  The Proposal is narrowly tailored to require disclosure of board-level expertise that is important to mitigating this singular risk to public companies’ profitability and valuation. 

Moreover, the Proposal accomplishes this goal while providing appropriate discretion to public companies to define what constitutes “cybersecurity expertise” and to address cybersecurity risks through any means they see fit.  The Proposal, like our legislation, does not mandate that any company’s board actually have a person with expertise in cybersecurity or require companies to take any actions other than to provide this disclosure.  We respectfully request that the SEC adopt this flexible disclosure approach over mandating any set of best practices, in order to encourage boards to develop approaches that are tailored to mitigate risks to the specific set of shareholders to which they are accountable.

 ###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, issued the following statement after the Senate unanimously passed the Strengthening American Cybersecurity Act of 2022, which would require companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government:

“At a time when we are facing significant threats of Russian cyberattacks against our institutions and our allies, it’s more important than ever that the government have an idea of what those threats are. I am glad the Senate has passed our bipartisan cyber incident reporting bill, and I look forward to working with my colleagues in the House to get a final version of this legislation to the president’s desk as soon as possible.”

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, issued the following statement today:

“Earlier today, the U.S. Commerce Department reported that manufacturers that rely on semiconductor chips have less than five days’ supply on hand, leaving vital supply chains extremely vulnerable to delays that are increasing prices for consumers on everything from automobiles to home appliances. Months ago, the Senate passed the U.S. Innovation and Competition Act, which would invest $52 billion in domestic semiconductor production, by an overwhelming bipartisan vote. The Senate bill also invests in R&D for 5G technologies and takes other critical steps to secure our supply chains, improve innovation, and ensure that the U.S. can compete with China and the rest of the world. Today’s introduction in the House of Representatives of the America COMPETES Act is an important step in setting up a conference with the Senate so that we can finally get a bill to President Biden’s desk to sign.”

###

WASHINGTON – Ahead of Wednesday’s Senate hearing with the head of Instagram, U.S. Sens. Mark R. Warner (D-VA), Deb Fischer (R-NE), Amy Klobuchar (D-MN), and John Thune (R-SD) along with Reps. Lisa Blunt Rochester (D-DE-AL) and Anthony Gonzalez (R-OH-16) have re-introduced the Deceptive Experiences to Online Users Reduction (DETOUR) Act to prohibit large online platforms from using deceptive user interfaces, known as “dark patterns,” to trick consumers into handing over their personal data. The DETOUR Act would also prohibit these platforms from using features that result in compulsive usage by children.

The term “dark patterns” is used to describe online interfaces in websites and apps designed to intentionally manipulate users into taking actions they would otherwise not. These design tactics, drawn from extensive behavioral psychology research, are frequently used by social media platforms to mislead consumers into agreeing to settings and practices advantageous to the company. 

“For years dark patterns have allowed social media companies to use deceptive tactics to convince users to hand over personal data without understanding what they are consenting to. The DETOUR Act will end this practice while working to instill some level of transparency and oversight that the tech world currently lacks,” said Sen. Warner, Chairman of the Senate Select Committee on Intelligence and former technology executive. “Consumers should be able to make their own informed choices on when to share personal information without having to navigate intentionally misleading interfaces and design features deployed by social media companies.” 

“Manipulative user interfaces that confuse people and trick consumers into sharing access to their personal information have become all too common online. Our bipartisan legislation would rein in the use of these dishonest interfaces and boost consumer trust. It’s time we put an end to ‘dark patterns’ and other manipulative practices to protect children online and ensure the American people can better protect their personal data,” said Sen. Fischer, a member of the Senate Commerce Committee.

“Dark patterns are manipulative tactics used to trick consumers into sharing their personal data. These tactics undermine consumers’ autonomy and privacy, yet they are becoming pervasive on many online platforms. This legislation would help prevent the major online platforms from using such manipulative tactics to mislead consumers, and it would prohibit behavioral experiments on users without their informed consent,” said Sen. Klobuchar, a member of the Senate Commerce and Judiciary Committees.

“We live in an environment where large online operators often deploy manipulative practices or ‘dark patterns’ to obtain consent to collect user data,” said Sen. Thune, ranking member of the Senate Commerce Committee’s Subcommittee on Communications, Media, and Broadband. “This bipartisan legislation would create a path forward to strengthen consumer transparency by holding large online operators accountable when they subject their users to behavioral or psychological research for the purpose of promoting engagement on their platforms.”

“My colleagues and I are introducing the DETOUR Act because Congress and the American public are tired of tech companies evading scrutiny and avoiding accountability for their actions. Despite congressional hearings and public outcries, many of these tech companies continue to trick and manipulate people into making choices against their own self-interest,” said Rep. Lisa Blunt Rochester. “Our bill would address some common tactics these companies use, like intentionally deceptive user interfaces that trick people into handing over their personal information. Our children, seniors, veterans, people of color, even our very way of life is at stake. We must act. And today, we are.”

“Social media has connected our communities, but also had detrimental effects on our society. Big tech companies that control these platforms currently have unregulated access to a wealth of information about their users and have used nontransparent methods, such as dark patterns, to gather additional information and manipulate users,” said Rep. Anthony Gonzalez. “The DETOUR Act would make these platforms more transparent through prohibiting the use of dark patterns. We live in a transformative period of technology, and it is important that the tech which permeates our day to day lives is transparent.”

Dark patterns can take various forms, often exploiting the power of defaults to push users into agreeing to terms stacked in favor of the service provider. Some examples of these actions include: a deliberate obscuring of alternative choices or settings through design or other means; the use of privacy settings that push users to ‘agree’ as the default option, while users looking for more privacy-friendly options often must click through a much longer process, detouring through multiple screens. Other times, users cannot find the alternative option, if it exists at all, and simply give up looking.

The result is that large online platforms have an unfair advantage over users and potential competitors in forcing consumers to give up personal data such as their contacts, messages, web activity, or location to the benefit of the company.

“Tech companies have clearly demonstrated that they cannot be trusted to self-regulate.  So many companies choose to utilize manipulative design features that trick kids into giving up more personal information and compulsive usage of their platforms for the sake of increasing their profits and engagement without regard for the harm it inflicts on kids,” said Jim Steyer, CEO of Common Sense. “Common Sense supports Senators Warner and Fischer and Representatives Blunt Rochester and Gonzalez on this bill, which would rightfully hold companies accountable for these practices so kids can have a healthier and safer online experience.”

“'Dark patterns' and manipulative design techniques on the internet deceive consumers. We need solutions that protect people online and empower consumers to shape their own experience. We appreciate Senator Warner and Senator Fischer's work to address these misleading practices,” said Jenn Taylor Hodges, Head of U.S. Public Policy at Mozilla.

“Manipulative design, efforts to undermine users’ independent decision making, and secret psychological experiments conducted by corporations are everywhere online. The exploitative commercial surveillance model thrives on taking advantage of unsuspecting users. The DETOUR Act would put a stop to this: prohibiting online companies from designing their services to impair autonomy and to cultivate compulsive usage by children under 13. It would also prohibit companies from conducting online user experiments without consent. If enacted, the DETOUR Act will make an important contribution to living in a fairer and more civilized digital world,” said Katharina Kopp, Director of Policy at Center for Digital Democracy.

The Deceptive Experiences To Online Users Reduction (DETOUR) Act aims to curb manipulative behavior by prohibiting the largest online platforms (those with over 100 million monthly active users) from relying on user interfaces that intentionally impair user autonomy, decision-making, or choice. The legislation:

• Prohibits large online operators from designing, modifying, or manipulating user interface with the purpose or substantial effect of obscuring, subverting, or impairing user autonomy, decision-making, or choice to obtain consent or user data
• Prohibits subdividing or segmenting consumers for the purposes of behavioral experiments without a consumer’s informed consent, which cannot be buried in a general contract or service agreement. This includes routine disclosures for large online operators, not less than once every 90 days, on any behavioral or psychological experiments to users and the public. Additionally, the bill would require large online operators to create an internal Independent Review Board to provide oversight on these practices to safeguard consumer welfare.
• Prohibits user design intended to create compulsive usage among children under the age of 13 years old (as currently defined by the Children’s Online Privacy Protection Act).
• Directs the FTC to create rules within one year of enactment to carry out the requirements related to informed consent, Independent Review Boards, and Professional Standards Bodies.

Sen. Warner first introduced the DETOUR ACT in 2019 and has been raising concerns about the implications of social media companies’ reliance on dark patterns for years. In 2014, Sen. Warner asked the FTC to investigate Facebook’s use of dark patterns in an experiment involving nearly 700,000 users designed to study the emotional impact of manipulating information on their News Feeds.

Sen. Warner is one of Congress’ leading voices in demanding accountability and user protections from social media companies. In addition to the DETOUR Act, Sen. Warner has introduced and written numerous bills aimed designed to improve transparency, privacy, and accountability on social media. These include the Safeguarding Against Fraud, Exploitation, Threats, Extremism and Consumer Harms (SAFE TECH) Act – legislation that allow social media companies to be held accountable for enabling cyber-stalking, targeted harassment, and discrimination across platforms; the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, bipartisan legislation that would require data harvesting companies to tell consumers and financial regulators exactly what data they are collecting from consumers and how it is being leveraged by the platform for profit; and the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, legislation that would encourage market-based competition to dominant social media platforms by requiring the largest companies to make user data portable – and their services interoperable – with other platforms, and to allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose.

Full text of the bill is available here. 

###