CDT POLICY POST Volume 8, Number 28, December 13, 2002

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:

(1) Homeland Security Department Faces Steep Challenges, Poses Momentous Potential and Risk

(2) New Department Has Essentially Unlimited Access to Information for Data Mining and Data Analysis

(3) Act Includes Privacy Oversight Mechanisms

(4) Privacy Guidelines, Careful Oversight Required

(5) FOIA Exemption and Email Disclosure Provisions Also of Concern

(1) Homeland Security Department Faces Steep Challenges, Poses Momentous Potential and Risk

The Homeland Security Act signed by President Bush on November 25, 2002 creates the new Department of Homeland Security (DHS) and grants it momentous responsibilities and powers. It is earnestly hoped that DHS will provide needed coordination to government anti-terrorism efforts. The new Department will have wide-ranging authority to compile, analyze, and mine the personal information of Americans. Important issues of oversight and control remain to be addressed. CDT is urging the Administration and Congress (even while in recess) to immediately begin setting out privacy guidelines and oversight mechanisms to ensure that the new department's data analysis activities are focused, controlled and accountable, both for effectiveness in preventing terrorism and for the protection of liberties.

The DHS consolidates 22 separate agencies into a new Cabinet department with 170,000 employees. The components being transferred to DHS include:

• Coast Guard;
• Customs Service;
• Secret Service;
• Immigration and Naturalization Service (INS);
• the recently-formed Transportation Security Administration.

The new Department is structured around four directorates, whose titles give some idea of the agency's mission and scope:

• Information Analysis and Infrastructure Protection;
• Science and Technology;
• Border and Transportation Security;
• Emergency Preparedness and Response.

The DHS will absorb five components with computer security responsibilities:

• National Infrastructure Protection Center (NIPC) of the FBI http://www.nipc.gov
• National Communications System of the Defense Department;
• Critical Infrastructure Assurance Office (CIAO) of the Department of Commerce http://www.ciao.gov;
• National Infrastructure Simulation and Analysis Center of the Energy Department;
• Federal Computer Incident Response Center (FedCIRC) of the General Services Administration.

Yielding to concerns of the computer industry, the transfer does not include the Computer Security Division of the National Institutes of Standards and Technology.

The combination of NIPC and FedCIRC is noteworthy, in that it combines in one entity the federal computer system intrusion detection activities of FedCIRC and the private sector protection activities of the FBI. If a broader intrusion detection program like the FIDNet system proposed several years ago is to be constituted, this would be the basis for it.

The text and legislative history of the Act are at http://thomas.loc.gov/cgi-bin/bdquery/z?d107:H.R.5005:

(2) New Department Has Essentially Unlimited Access to Information for Data Mining and Data Analysis

The new Department is tasked to "access, receive, and analyze" a wide array of information that includes "law enforcement information, intelligence information, and other information from agencies of the Federal Government, State and local government agencies (including law enforcement agencies), and private sector entities."

Strictly speaking, the new Department has no new collection authorities, but many of the components being consolidated into DHS (such as Secret Service, Customs, and INS) have investigative and intelligence collection units of their own. There is no doubt that the new agency will have wiretap authority and other intrusive powers. Moreover, the Department can call upon information for any other intelligence or law enforcement agency. Indeed, when you string together the authorities of the DHS, you get an agency that will help control the collection priorities of other agencies and then be able to access electronically their entire files of undigested intelligence:

• DHS will have a say in deciding what other agencies, including the CIA and the NSA, collect at home and abroad. (Sec. 201(d)(10).)
• DHS can access and receive law enforcement information, intelligence information and other information from Federal State and local government agencies and the private sector.
• Except as otherwise directed by the President, the Department "shall" have access to "unevaluated intelligence." (Sec. 202(a)(1).)
• The Secretary may obtain access "on a regular or routine basis ... [to] broad categories of material, access to electronic databases, or both." (Sec. 202(b)(1).) Broadly read, this means that DHS can have online access to the files of the FBI, the CIA and the signals intelligence agencies.
• The new DHS is expressly authorized to receive wiretap information and grand jury information collected by any other agency.

The potential scope of this data gathering and analysis is enormous, and both the challenge of analysis and the potential for abuse are apparent. While the Act does provide some structures for safeguarding privacy, rigorous oversight will be needed.

These provisions must be viewed in the context of inadequate privacy protections in law, the enhanced surveillance authorities already granted in the PATRIOT Act and new "data mining" initiatives underway.

The most ambitious and potentially far-reaching of these data mining is known as Total Information Awareness (TIA), a new R&D effort being managed by the Defense Advanced Research Projects Agency (DARPA) to aggregate and analyze information from a wide array of public and commercial databases. The program is just one of a number of government data mining efforts, including the FBI's Trilogy program and the Transportation Security Administration's Computer Assisted Passenger Profiling System (CAPPS II).

Contrary to published reports, there is nothing in the DHS Act directly concerning TIA. TIA was launched before this Act was even drafted, with relatively small amounts of funding in DARPA's budget. TIA is not under the authority of the new DHS. However, it is clear that the results of TIA's research, as well as other similar research being performed by the contractors working for other agencies, will be made available to DHS.

TIA website http://www.darpa.mil/iao/

(3) Act Includes Privacy Oversight Mechanisms

The DHS Act includes important new oversight mechanisms, including:

• Privacy Officer, a senior official with "primary responsibility for privacy policy" (sec. 222);
• Officer for Civil Rights and Civil Liberties, who shall review and assess information alleging abuses of civil rights, civil liberties, and racial and ethnic profiling by employees and officials of the Department (sec. 705);
• Inspector General, who, unlike IGs in most other agencies, is under the authority, direction, and control of the Secretary and prohibited from investigating matters placed off-limits by the Secretary - these provisions are similar to those applicable to the IG for the Defense Department (sec. 811);
• Citizenship and Immigration Services Ombudsman, who shall assist individuals and employers in resolving immigration problems (sec. 452).

Section 221 of the Act requires the Secretary to "establish procedures" concerning the use of information "shared" under the Act that

• limit the redissemination of such information to ensure that it is not used for an unauthorized purpose;
• ensure the security and confidentiality of such information;
• protect the constitutional and statutory rights of any individuals who are subjects of such information; and
• provide data integrity through the timely removal and destruction of obsolete or erroneous names and information.

In addition, the Act includes other provisions intended to protect privacy:

• Prohibition of TIPS - Section 880 expressly states that "any and all activities of the Federal Government to implement the proposed component program of the Citizen Corps known as Operation TIPS (Terrorism Information and Prevention System) are hereby prohibited." TIPS was a proposed program that would have enlisted delivery men and other civilians to report on any suspicious conduct of their customers.
• National ID not authorized - Sec. 1514 states "Nothing in this Act shall be construed to authorize the development of a national identification system or card." That is different from a prohibition.

Other provisions weigh against oversight. Section 871 allows the Department to form advisory committees with industry representatives that are exempt from the Federal Advisory Committee Act (FACA), an open government law that requires open meetings and puts limits on special interests.

(4) Privacy Guidelines, Careful Oversight Required

While information technology appropriately has a major role to play in preventing terrorism, it is incumbent on the President, the new DHS Secretary and Congress to match expanded information gathering and analysis powers with expanded guidelines and oversight. The creation of a Privacy Office within DHS is one step, but the process also requires the adoption of rules and guidelines that the new office can enforce.

As noted, the Act calls for the adoption of privacy guidelines. In developing these guidelines, attention must be paid to basic questions of fair information practices, including what information is used, who has access to it, what standards of accuracy and timeliness are required, how "hits" will be verified, and how results will be characterized and disseminated. There must be effective audit trails and robust review mechanisms to protect against unauthorized access and inappropriate use of information. Questions to be addressed also include how the government will obtain the data - by compulsory process, by purchase, by subscription, or by voluntary sharing. The analysis must take into account the fact that there are few constraints on government access to records held by private corporations and that the federal Privacy Act imposes few meaningful constraints on the sharing among government agencies of information once it is obtained for national security purposes.

For more information on the use of information technologies and the need for guidelines, see the report of the Markle Task Force on National Security in the Information Age: http://www.markletaskforce.org/

(5) FOIA Exemption and Email Disclosure Provisions Also of Concern

The Act includes a new FOIA exemption for "voluntarily shared critical infrastructure information" submitted to the new Department. (Sec. 212-215.) The provision, long supported by some IT companies, may limit the ability of small businesses and members of the public to learn about threats and vulnerabilities that affect their computer systems. Under the provision, information about infrastructure vulnerabilities that companies submit to the government must be withheld from disclosure under the FOIA. The new provision goes so far as to make it a crime for a federal official to disclose critical infrastructure information to the public or to affected companies if the disclosure is not "authorized."

Sen. Patrick Leahy (D-VT) called the exemption "the most severe weakening of the Freedom of Information Act in its 36-year history." He said it "would hurt and not help our national security, and along the way it would frustrate enforcement of the laws that protect the public's health and safety." A more narrowly circumscribed Senate version of the exemption was rejected in favor of a broader House version. However, it should be stressed that the new exemption applies only to information submitted to the DHS. A key question will be whether the exemption actually spurs the increased disclosure of vulnerability information to the government that its proponents promised.

The Homeland Security Act also includes what had been a free-standing bill, the Cyber Security Enhancement Act, which includes a provision undermining privacy online by greatly expanding the ability of ISPs to "voluntarily" disclose information government officials. (Sec. 225.) Under the provision, the contents of email messages or instant messages can be given to any government official in an "emergency" even when there is no factual basis stated for the emergency and there is no imminent threat of injury. CDT's more detailed analysis of the Act is online at http://www.cdt.org/security/homelandsecuritydept/021210cdt.shtml

Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_8.28.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org

Policy Post 8.28 Copyright 2002 Center for Democracy and Technology