CDT POLICY POST Volume 8, Number 15, July 24, 2002

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:

(1) Homeland Security Act Moves through Congress

(2) New Department Likely to Gain Authority over Cyber Security and Infrastructure Protection

(3) H.R. 5005 Creates Broad New FOIA Exemption, Criminalizes Leaks

(4) Congress Proposes New Agency Have Internal Watchdog for Privacy and Civil Rights

(5) House Bill Rejects TIPS Program, National ID Card

(1) HOMELAND SECURITY ACT MOVES THROUGH CONGRESS

Congress is moving rapidly to enact legislation to create a new Cabinet-level Department of Homeland Security, with uncertain but potentially large implications for privacy, cyber security and government accountability. The new agency will likely absorb the Coast Guard, the Customs Service, the Secret Service, part of the Immigration and Naturalization Service (INS), and the Federal Emergency Management Agency (FEMA), among nearly two dozen offices and agencies that will be consolidated to improve counter-terrorism efforts.

Here's a brief status report:

In the House, the bill is H.R. 5005. The latest action occurred on Friday, July 19, when a special select committee marked up and reported the bill, drawing on the recommendations of the various standing committees (Judiciary, Government Reform, Transportation, etc). The Rules Committee is meeting today, Wednesday, July 24, to craft a rule for Floor debate, and the full House is expected to consider the legislation on Thursday and/or Friday, July 25 and 26.
The full legislative history of H.R. 5005 will be available at http://thomas.loc.gov/cgi-bin/bdquery/z?d107:HR.5005: but Thomas is lagging a little, so you can access the latest version of the bill, the version reported by the select committee, at http://hsc.house.gov/
In the Senate, the bill is S. 2452, introduced by Senator Joseph Lieberman (D-CT), chairman of the Governmental Affairs Committee, which is marking-up the bill today, Wednesday, July 24.

The Lieberman bill as introduced is posted at http://www.senate.gov/~gov_affairs/072402bill.pdf

(2) NEW DEPARTMENT LIKELY TO GAIN AUTHORITY OVER CYBER SECURITY AND INFRASTRUCTURE PROTECTION

Both House and Senate bills would grant the Department of Homeland Security authority over cyber security and infrastructure protection. Specifically, the bills would transfer to the new department the functions of the following entities:

the National Infrastructure Protection Center of the Federal Bureau of Investigation (excluding the Computer Investigations and Operations Section);
the National Communications System of the Department of Defense;
the Critical Infrastructure Assurance Office of the Department of Commerce;
the National Infrastructure Simulation and Analysis Center of the Department of Energy;
the Federal Computer Incident Response Center of the General Services Administration.

Following objections by the high-tech industry and others, the House bill would not transfer the Computer Security Division of the National Institute of Standards and Technology. The Senate bill as introduced would transfer that NIST component, along with the Energy Security and Assurance Program of the Department of Energy and the Federal Protective Service of the General Services Administration.

Both bills would leave the FBI and CIA untouched by the reshuffling (with the exception of the FBI's NIPC, as noted above).

(3) H.R. 5005 CREATES BROAD NEW FOIA EXEMPTION, CRIMINALIZES LEAKS

H.R. 5005 contains a controversial provision carving out a new exception to the Freedom of Information Act (FOIA), the 1966 law that promotes government accountability and effectiveness by requiring agencies to disclose information of public interest.

Under the bill that is moving through the House, the Department of Homeland Security could withhold information it receives voluntarily from "non-Federal entities or individuals that relates to" the vulnerability of a critical infrastructure, including the computers that are at the heart of communications, banking, transportation, power and other infrastructures. Much of the U.S. infrastructure is privately owned, and no one has proposed requiring companies to disclose information about their systems to the government. The FOIA exception has been justified as necessary to encourage industry to voluntarily share with the government information about the flaws and vulnerabilities of and attacks on these infrastructures. The language in H.R. 5005 is very broad:

The FOIA exception in H.R. 5005 is not limited to information which, if disclosed, could be used to harm a critical infrastructure - the language requires withholding of information even if the public interest and the goal of improving homeland security would benefit from its disclosure.
H.R. 5005 preempts state open government laws, even for information independently obtained by the states.
H.R. 5005 provides civil use immunity for information voluntarily submitted to the government, prohibiting the government from using in litigation information submitted to it, even if the information relates to a faulty system that the government owns.
As we read section 724(h), the bill would also empower the Administration to grant antitrust immunity to selected industries.
Most remarkably, section 724 of H.R. 5005 includes a provision making it a crime for government officials to disclose information about critical infrastructure vulnerability.

The Senate bill as introduced contained no FOIA language, but at the mark-up today the Governmental Affairs Committee just adopted a FOIA amendment offered by Sen. Robert Bennett (R-UT). The Bennett language, negotiated with FOIA defender Sen Patrick Leahy (D-VT) is much more focused than the House provision and does not include the civil immunity provision, antitrust immunity or any criminal penalties.

(4) CONGRESS PROPOSES NEW AGENCY HAVE INTERNAL WATCHDOGS FOR PRIVACY AND CIVIL RIGHTS

On the surface of both bills, it appears that the Department will have no new intelligence collection authority, although many of the components being transferred to it (Secret Service, Customs, Coast Guard, INS) have intelligence divisions and will carry their investigative and intelligence authority with them.

Moreover, the new Department will have access to the full range of intelligence information about terrorist threats collected domestically and overseas by the FBI, the CIA and other intelligence and law enforcement agencies. The House bill specifies the Department would have access to all reports, assessments, and analytical information and all information concerning the vulnerability of the US to terrorism, whether or not such information has been analyzed, suggesting that the information obtained by the Department would include raw intelligence. Presumably, the Department also will be able to subscribe to private sector databases. The Senate bill as introduced would give the new Department authority to direct the intelligence agencies to provide (and apparently collect) additional information on specific threats. The Senate bill would also expressly authorize the new Department to engage in data mining and to buy or otherwise obtain private sector databases for that purpose.

Clearly, therefore, the activities of the new Department will raise many privacy issues. As a step towards addressing those issues, the bills include several internal oversight mechanisms.

In the House bill --

Section 205 requires the Secretary of the new Department to appoint a senior official to assume primary responsibility for privacy policy, including assuring that the use of information technologies sustains, and does not erode, privacy protections and conducting privacy impact assessments of proposed rules of the Department.
Section 604 requires the Secretary to establish an Office for Civil Rights and Civil Liberties, whose Director shall review and assess information alleging abuses of civil rights, civil liberties and racial and ethnic profiling by the Department.
Section 204 requires the Secretary to establish procedures on the use of information shared to limit its redissemination, ensure its security and confidentiality, and provide data integrity. These requirements overlap with the requirements of the Privacy Act, but could provide additional impetus within the Department for careful attention to privacy issues in the handling of personal information.
Similarly, Sections 110 and 111 of the Senate bill would create a Civil Rights Officer and a Privacy Officer.

CDT believes that these provisions need to be fleshed out, either in the legislation or through subsequent Congressional oversight.
In particular, it should be made clear that guidelines adopted by the new Department on data mining and information privacy should be adopted following public and Congressional consultation and comment.
Further, Congress should require public reporting of statistical information on sensitive issues, such as descriptions of data mining contracts and arrangements. Such descriptions should include the types of databases "mined" and approximate numbers of persons in each database.

(5) HOUSE BILL REJECTS TIPS PROGRAM, NATIONAL ID CARD

At the urging of Rep, Richard Armey (R-TX), chairman of the House select committee, the House bill would reject two privacy-threatening initiatives:

Section 779 of H.R. 5005 prohibits "any and all activities of the Federal Government to implement the proposed Operations TIPS (Terrorism Information and Prevention System)," which would have encouraged delivery men and cable guys to report anything they think may indicate terrorist activity.
Section 815 states that "nothing in this Act shall be construed to authorize the development of a national identification system or card."

CDT has established a special page where we are indexing materials on the homeland security issue: http://www.cdt.org/security/usapatriot/hearings.shtml

Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_8.15.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org