The New Homeland Security Department - Challenge, Potential and Risk - Privacy Guidelines, Careful Oversight Required

December 10, 2002

The Homeland Security Act signed by President Bush on November 25, 2002 creates the new Department of Homeland Security (DHS) and grants it momentous responsibilities and powers. It is earnestly hoped that DHS will provide needed coordination to government anti-terrorism efforts. The new Department will have wide-ranging authority to compile, analyze, and mine the personal information of Americans. Important issues of oversight and control remain to be addressed. CDT is urging the Administration and Congress (even while in recess) to immediately begin setting out privacy guidelines and oversight mechanisms to ensure that the new department's data analysis activities are focused, controlled and accountable, both for effectiveness in preventing terrorism and for the protection of liberties. Powerful intelligence agencies require powerful oversight.

Overview of the New Department

The DHS consolidates 22 separate agencies into a new Cabinet department with 170,000 employees. The components being transferred to DHS include:

• Coast Guard;
• Customs Service (customs revenue functions remain at the Treasury Department);
• Secret Service;
• Federal Protective Service (a police force formerly within the General Services Administration that performs guard functions at federal buildings);
• Immigration and Naturalization Service (INS) - specifically, the INS is split into two (immigration enforcement functions are put into a new Bureau of Border Security, and a new Bureau of Citizenship and Immigration Services is created), both parts are transferred to the new department, and the INS is abolished;
• Federal Emergency Management Agency (FEMA);
• the recently-formed Transportation Security Administration;
• the FBI's National Infrastructure Protection Center (NIPC) and other computer security entities (see details below).

The Bureau of Alcohol, Tobacco and Firearms (BATF) is transferred from the Treasury Department to the Justice Department.

The new Department is structured around four directorates, whose titles give some idea of the agency's mission:

• Information Analysis and Infrastructure Protection (Title II of the Act);
• Science and Technology (Title III);
• Border and Transportation Security (Title IV);
• Emergency Preparedness and Response (Title V)

Some elements of the Act reflect the final haste with which it was put together. For example, there is an Office for Domestic Preparedness within the Directorate of Border and Transportation Security (sec. 430), but there is also a separate Directorate for Emergency Preparedness and Response (Title V), with similar responsibilities.

Drug Interdiction Part of DHS Mission. In an interesting and scarcely noticed provision, the Act states that the primary mission of DHS includes to monitor connections between illegal drug trafficking and terrorism, coordinate efforts to sever such connections, and otherwise contribute to efforts to interdict illegal drug trafficking. (Sec. 101(b)(1)(G).)

Transition Timetable. The new Department comes into existence on January 24, 2003 when the Act takes effect. The Act contemplates a basic transition period of 12 months. A team is already hard at work in the Executive Branch planning the stand up of the agency. In fact, on the very day he signed the Act, the President issued a reorganization plan for the new Department, spelling out what takes place when.

The text and legislative history of the Act are at http://thomas.loc.gov/cgi-bin/bdquery/z?d107:H.R.5005:.

The HSD reorganization plan and other White House materials on homeland security are at http://www.whitehouse.gov/homeland/.

Main Areas of Civil Liberties Concern in the Act

Among the issues of concern in the Homeland Security Act:

• All Source Information Analysis - The new Department is tasked to access, receive, and analyze a wide array of information that includes law enforcement information, intelligence information, and other information from agencies of the Federal Government, State and local government agencies (including law enforcement agencies), and private sector entities. (Sec. 201.) Strictly speaking, the new Department has no new collection authorities, but many of the components being consolidated into DHS have investigative and intelligence units (such as Secret Service, Customs, and INS). There is no doubt that the new agency will have wiretap authority and other intrusive powers. Moreover, the Department can call upon information from any other intelligence or law enforcement agency. The potential scope of this data gathering and analysis is enormous, and both the challenge of analysis and the potential for abuse are apparent. While the Act does provide some structures for safeguarding privacy, rigorous oversight will be needed. Discussed in greater detail below.
   
• Privacy Erosion in the Cyber Security Enhancement Act - The Homeland Security Act includes what had been a free-standing bill, the Cyber Security Enhancement Act, which includes a provision undermining privacy online by greatly expanding the ability of ISPs to voluntarily disclose information government officials. (Sec. 225.) Under the provision, the contents of email messages or instant messages can be given to any government official in an emergency even when there is no factual basis stated for the emergency and there is no imminent threat of injury. Discussed in greater detail below. The Act also includes provisions significantly increasing the already severe penalties for certain computer trespassing crimes.
   
• New Exemption to the Freedom of Information Act (FOIA) - The Act includes a new FOIA exemption for voluntarily shared critical infrastructure information submitted to the new Department. (Sec. 212-215.) The provision, long supported by some IT companies, may limit the ability of small businesses and members of the public to learn about threats and vulnerabilities that affect their computer systems. Under the provision, information about infrastructure vulnerabilities that companies submit to the government must be withheld from disclosure under the FOIA. The new provision goes so far as to make it a crime for a federal official to disclose critical infrastructure information to the public or to affected companies if the disclosure is not authorized. Sen. Patrick Leahy (D-VT) called the exemption the most severe weakening of the Freedom of Information Act in its 36-year history. He said it would hurt and not help our national security, and along the way it would frustrate enforcement of the laws that protect the public's health and safety. A more narrowly circumscribed Senate version of the exemption was rejected in favor of a broader House version. However, it should be stressed that the new exemption applies only to information submitted to the DHS. A key question will be whether the exemption actually spurs the increased disclosure of vulnerability information to the government that its proponents promised.

Privacy Oversight Mechanisms

The Act includes important new oversight provisions, including

• Privacy Officer, a senior official with primary responsibility for privacy policy (sec. 222), including
  • assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information;
  • assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974;
  • evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;
  • conducting a privacy impact assessment of proposed rules of the Department, including the type of personal information collected and the number of people affected; and
  • preparing an annual report to Congress on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act, internal controls, and other matters;
• Officer for Civil Rights and Civil Liberties, who shall review and assess information alleging abuses of civil rights, civil liberties, and racial and ethnic profiling by employees and officials of the Department (sec. 705);
• Inspector General, who, unlike IGs in most other agencies, is under the authority, direction, and control of the Secretary and prohibited from investigating matters placed off-limits by the Secretary - these provisions are similar to those applicable to the IG for the Defense Department (sec. 811);
• Citizenship and Immigration Services Ombudsman, who shall assist individuals and employers in resolving immigration problems (sec. 452).

Guidelines. Section 221 of the Act requires the Secretary to establish procedures concerning the use of information shared under the Act that

• limit the redissemination of such information to ensure that it is not used for an unauthorized purpose;
• ensure the security and confidentiality of such information;
• protect the constitutional and statutory rights of any individuals who are subjects of such information; and
• provide data integrity through the timely removal and destruction of obsolete or erroneous names and information.

Also, Section 201 provides that the Undersecretary for Information Analysis and Infrastructure Protection shall, among other duties, ensure that any information databases and analytical tools developed or utilized by the Department É treat information in such databases in a manner that compiles with applicable federal law on privacy.

CDT views these provisions as critical and welcome parts of the Act, but the question remains whether they will be implemented to provide substantial privacy protection.

In addition, the Act includes other provisions intended to protect privacy:

• Prohibition of TIPS - Section 880 expressly states that any and all activities of the Federal Government to implement the proposed component program of the Citizen Corps known as Operation TIPS (Terrorism Information and Prevention System) are hereby prohibited. TIPS was a proposed program that would have enlisted delivery men and other civilians to report on any suspicious conduct of their customers.
• National ID not authorized - Sec. 1514 states Nothing in this Act shall be construed to authorize the development of a national identification system or card. That is different from a prohibition.

Other provisions weigh against oversight. Section 892 provides that state and local government police and emergency personnel might be given security clearances so they can receive classified national security information. While sharing more homeland security information with state and local authorities is a desirable goal, using the classified information system could shroud with secrecy a great deal of state and local police, health and safety activity normally subject to oversight by local media and citizens groups. Even as to unclassified information, the Act provides that information obtained by a state or local government from the federal government shall remain under the control of the federal government and that state FOIA or open records laws shall not apply to such information. (Sec. 891(e).)

Section 871 allows the Department to form advisory committees with industry representatives that are exempt from the Federal Advisory Committee Act (FACA), an open government law. FACA promotes openness and accountability through requiring the recording of minutes, notice of meetings, procedures for holding open meetings, limits on special interests, and balance of viewpoints.

Data Mining - Data Analysis

One of DHS's main roles will be to analyze information collected by the government from a range sources, including intelligence agencies, law enforcement agencies, and the private sector and to integrate such information in order to identify and assess terrorist threats. DHS will be an all source intelligence analysis center. The Act itself includes no new authority to collect information. But not only does the DHS absorb agencies with their own collection authority, provisions of the Act give the Department effective access to any other terrorism-related information collected by any other government agency:

• The Under Secretary of DHS shall consult with the Director of Central Intelligence and other intelligence, law enforcement, or other federal agencies to establish collection priorities, which means that the DHS will have a say in deciding what other agencies collect at home and abroad. (Sec. 201(d)(10).)
• DHS can access and receive law enforcement information, intelligence information and other information from Federal State and local government agencies and private sector entities (Sec. 201(d)(1)), and can enter into cooperative agreements to obtain such information (Sec. 201(d)(13), covering a wide range of contractual or mutual sharing arrangements.
• Except as otherwise directed by the President, the Department shall have access to unevaluated intelligence. (Sec. 202(a)(1).)
• Moreover, except as otherwise directed by the President, the Secretary may obtain access on a regular or routine basis, using cooperative agreements with other agencies involving broad categories of material, access to electronic databases, or both. (Sec. 202(b)(1).) Broadly read, this means that DHS can have online access to the raw files of the FBI, the CIA and the signals intelligence agencies.
• The new DHS is expressly authorized to receive wiretap information and grand jury information collected by any other agency.
• DHS can accept as paid or unpaid staff analysts from the private sector (Sec. 202(e)(2), which means that corporate employees could have access to all information available to the Department. Analysts can also be detailed to the DHS from FBI, CIA, National Security Agency, Defense Intelligence Agency and any other federal agency. (Sec. 202(f).)
• The Secretary is deemed to be a Federal law enforcement, intelligence, protective, national defense, immigration or national security official (Sec. 202(c), which means, among other things, that any other official falling within those categories can readily share information with DHS without the constraints of the Privacy Act, since the sharing is with a comparable official.

These provisions must be viewed in the context of:

• Inadequate privacy protections in law - Contrary to many Americans' expectations, the Fourth Amendment offers essentially no protection for personal data held by third-parties - from credit card statements, to travel records, to logs of automated tollbooths, to library records. In the Information Age, these inadequate legal protections give investigators access to unprecedented amounts of personal information without adequate judicial oversight. In addition, the federal Privacy Act, largely unchanged from its adoption in 1974, is in many ways unresponsive to the privacy challenges of the Internet age. The Privacy Act's central concept - the system of records - is not readily applicable to distributed, private sector databases. And the Act's routine use exception has been broadly interpreted to allow much sharing of information among agencies.
   
• Enhanced surveillance authorities already granted - The USA-PATRIOT Act, passed just one year ago, granted substantial new authorities for collection of information about Americans. In May, the Attorney General Ashcroft loosened long-standing FBI investigative guidelines to lift restrictions on FBI surveillance and data mining activities, even when no criminal activity is suspected. Both of these initiatives diminish privacy and potentially chill political speech. In both cases, Congress has not established effective mechanisms for oversight. As a result, a great deal of activity that could reduce American's privacy has gone on behind closed doors.
   
• New data-mining initiatives underway - Among the data analysis initiatives of broadest scope and risk are the various data mining projects underway. The most ambitious and potentially far-reaching is known as Total Information Awareness, a new R&D effort being managed by the Defense Advanced Research Projects Agency (DARPA) to aggregate and analyze information from a wide array of public and commercial databases. The fruits of this program will be available to DHS and other government agencies, military and civilian. The program is just one of a number of government data mining efforts, including the FBI's Trilogy program and the Transportation Security Administration's Computer Assisted Passenger Profiling System (CAPPS II).

Watch listing. One result of these data analysis activities will be the production of watch lists - lists of names of persons not wanted for arrest but suspected, on the basis of some information or pattern, of some involvement in terrorism. Various government agencies already maintain a variety of terrorism watch lists, but it is clear that there is little consistency among these lists and how they are disseminated or interpreted. One of the first actions on the new secretary's agenda will be to grapple with the compilation and use of these lists. Without moving toward a single watch list, it will be possible to virtually consolidate this information; with greater sharing of information and analyses, it will be possible for gatekeepers or investigators to access multiple watch-out lists.

For information about how one watch list works (or doesn't), see Grounded, By Dave Lindorff, Salon Magazine http://www.salon.com/news/feature/2002/11/15/no_fly/print.html

TIA Not Actually in the Homeland Security Act. Contrary to published reports, there is nothing in the Act directly concerning the Total Information Awareness (TIA) program of the Pentagon's Defense Advanced Research Projects Agency (DARPA). TIA was launched before this Act was even drafted, with relatively small amounts of funding in DARPA's budget. TIA is not under the authority of the new DHS. However, it is clear that the results of TIA's research, as well as other similar research being performed by the contractors working for other agencies, will be made available to DHS.

TIA website http://www.darpa.mil/iao/.

Statement of Sen. Carl Levin on overlap between DHS and the CounterTerrorism Center at the CIA: http://levin.senate.gov/floor/111902fs1.htm

Privacy Guidelines Needed

While information technology appropriately has a major role to play in preventing terrorism, it is incumbent on the President, the new DHS Secretary and Congress to match expanded information gathering and analysis powers with expanded guidelines and oversight. The creation of a Privacy Office within DHS is one step, but the process also requires the adoption of rules and guidelines that the new office can enforce.

As noted above, Section 221 of the Act requires the Secretary to establish procedures concerning the use of information shared under the Act that limit the redissemination of such information to ensure that it is not used for an unauthorized purpose; ensure the security and confidentiality of such information; protect the constitutional and statutory rights of any individuals who are subjects of such information; and provide data integrity through the timely removal and destruction of obsolete or erroneous names and information.

In developing these guidelines, attention must be paid to what information is used, who has access to it, what standards of accuracy and timeliness are required, how hits will be verified, and how results will be characterized and disseminated. There must be effective audit trails and robust review mechanisms to protect against unauthorized access and inappropriate use of information. Questions to be addressed also include how the government will obtain the data - by compulsory process, by purchase, by subscription, or by voluntary sharing. The analysis must take into account the fact that there are few constraints on government access to records held by private corporations and that the federal Privacy Act imposes few meaningful constraints on the sharing among government agencies of information once it is obtained for national security purposes. Finally, the guidelines should take into account the fact that there will be overlapping compilations of data and analyses prepared by different agencies from somewhat different perspectives; while potentially beneficial in some regards, such overlapping efforts have consequences for accuracy, reliability and weight, and thus for both security and civil liberties.

Likewise, there is a need for carefully considered guidelines on the compilation and use of watch-out lists. How do names get added to a list and how does one get off it? Who should have access to the lists? What is the proper balance between secrecy and sharing? What uses are the lists to be put to? How is inclusion on a list to be interpreted and what action can be taken against a person on a list? Distinctions must be drawn among people wanted for arrest, for questioning, or just for surveillance. How is the reliability of a list to be characterized? What are the best means of ensuring that the lists are accurate and updated?

As additional attention is focused on key gates where individuals can be screened, there will be increasing use of biometrics for positive identification. However, there are issues of accuracy to be considered, of both the matching technology and, more importantly, of the underlying database (e.g., how large a database is there of good biometrics of known or suspected terrorists?). Consideration also needs to be given to the role of fraud, especially insider fraud, in the issuance of biometrically-based IDs, especially driver's licenses. Questions of access, verification, and accountability must be addressed. Guidelines must standardize the conditions under which the biometric data is gathered and compared by various agencies, how any biometric identifier is issued, and regulate what actions will be taken if a person at a gate is a match. Increasing use of video surveillance (with and without face recognition) to monitor places and events poses its own questions. Guidelines should address such issues as the selection of surveillance targets, the retention of videotapes, access to the videotapes, reporting requirements and program monitoring. Additional issues are raised if the video surveillance system has the capacity to use face recognition or other technologies to search for individuals.

By developing data mining and analysis guidelines, drafted and vetted in full public view, the new Department can establish a balanced approach to both privacy and national security. Ultimately, national security efforts will succeed best when they put privacy principles to good use and respect American values of liberty and freedom. CDT urges Congress to commit itself to strong oversight of the effort to create DHS and associated national security endeavors.

For more information on the use of information technologies and the need for guidelines, see the report of the Markle Task Force on National Security in the Information Age: http://www.markletaskforce.org

Computer Security Functions

The DHS will absorb five components with computer security responsibilities:

• The National Infrastructure Protection Center (NIPC) of the FBI (other than the Computer Investigations and Operations Section) http://www.nipc.gov;
• National Communications System of the Defense Department;
• Critical Infrastructure Assurance Office (CIAO) of the Department of Commerce http://www.ciao.gov;
• National Infrastructure Simulation and Analysis Center of the Energy Department;
• Federal Computer Incident Response Center (FedCIRC) of the General Services Administration.

Yielding to concerns of the computer industry, the transfer does not include the Computer Security Division of the National Institutes of Standards and Technology.

The combination of NIPC and FedCIRC is noteworthy, in that it combines in one entity the federal computer system intrusion detection activities of FedCIRC and the private sector protection activities of the FBI. If a broader intrusion detection program like the FIDNet system proposed several years ago is to be constituted, this woujld be the basis for it.

The HSD Act also included the Federal Information Security Management Act (FISMA), which replaces the Government Information Security Reform Act (GISRA). (Actually, the FISMA was also included in the E-government Act, which will be signed later than the HSD Act, so if there were any differences in language, the E-Gov version replaces the HSD version.) FISMA raises the bar for federal computer security standards. Tougher security standards at federal agencies should help drive innovation among private-sector developers that sell to the federal government. (FISMA is Title X of the HSD Act.)

For CDT's May 2, 2002 testimony on FISMA, see http://www.cdt.org/testimony/020502dempsey.shtml

Anti-Terrorism Technologies Can Be Certified and Liability Limited

In provisions of uncertain scope and effect, the legislation puts the federal government directly in the business of certifying information technologies that have anti-terrorism potential. Criteria for certification include that the technology is important to and immediately deployable for anti-terrorism defense, could result in large or unquantifiable liability exposure, might not be deployed but for certification, has been evaluated by scientific studies, and that there would be high risk to public if the technology were not deployed. (Secs. 861-865.)

The provision requires sellers of such products to obtain reasonable and available liability insurance, but provides that the extent of their liability shall be limited to that insurance coverage. The provision also creates an exclusive federal cause of actionÑapplying principles of state lawÑfor property loss, personal injury or death that are proximately caused by use of qualified anti-terrorism technology, with a rebuttable defense that the technology was certified. Punitive damages are not allowed, and liability is apportioned, not joint. Finally, sellers must enter into reciprocal waivers with contractors and customers under that each assumes burden of losses when certified anti-terrorism technology was deployed and the terrorist act occurred.

Voluntary Disclosures of Email under the Cyber Security Enhancement Act

Section 225(d) of the Homeland Security Act, the so-called emergency disclosure amendment, represents another erosion of privacy protections for electronic communications. It further expands the ability of Internet service providers to voluntarily reveal private communications to government agencies without any judicial authority or any evidence of wrongdoing, just on the say so of a government official.

As Americans move their lives online, the privacy of their sensitive emails, instant messages, and web traffic is a major concern. In general, since 1986, federal law has protected the privacy of electronic communications by prohibiting service providers from revealing the contents of those communications to anyone without a prior judicial order. The law always permitted ISPs to disclose without court order communications they inadvertently discovered that seemed to relate to the commission of crime. Last year, the USA PATRIOT Act added a new emergency disclosure provision, permitting ISPs to reveal communications to law enforcement agencies without a court order on an emergency basis if the service provider reasonably believed that there was an emergency posing an imminent threat of danger to life or limb. The provision was based on a reasonable concept, but CDT was worried that law enforcement agencies would exaggerate the nature of the emergency to ISP and use the provision as an end run around the court order requirement. The PATRIOT Act provision requires no scrutiny by a judge, not even an after-the-fact notification, and no notice is ever provided to the person whose email was disclosed, so there is no opportunity for objective scrutiny in cases of abuse. And the length of time in which the authority can be exercised is not limited. We were concerned that the exception would be invoked in situations where there was actually time to get a court order.

Sec. 225(d) of the HSD Act takes this exception even further, making three important changes to the already very generous authorities for these disclosures that Congress gave to law enforcement in the PATRIOT Act just one year ago.

First, it removed the requirement that there be imminent danger of injury or death. Instead it would allow these extraordinary disclosures when there is some danger, which might be far in the future and more hypothetical. As the Attorney General and the President have warned us consistently over the last year, the entire country faces daily risk of future attack. Under this new language, there will now always be a rationale for not seeking a court order.

Second, Section 225(d) removed even the low hurdle that there be a reasonable belief on the part of the ISP that there was a danger. Section 225(d) allows disclosure if there is any good faith belief in the danger danger, whether reasonably grounded in fact or not. We are concerned that the new provision could allow vague, incoherent, or otherwise unsubstantiated claims by government officials can all form the basis for disclosing email and other electronic communications.

Finally, Section 225(d) allows disclosure of sensitive communications to any state, local, or federal government entity, not just law enforcement agents. That could include literally hundreds of thousands of government employees. The potential for abuse is enormous.

However, several points of caution should be noted. Section 225(d) is purely voluntary - ISPs do not have to comply. This could still put ISPs in an awkward position. In the past, ISPs adhered to a simple rule when visited by investigators - always insist on a court order. Henceforth, ISP employees face a much more complex situation. Complying with every emergency request could put them in the position of assisting in government overreaching. The ISPs and their employees are immune from legal liability, but they will not be spared public embarrassment and controversy if they are seen as improperly compromising subscriber policy. The provision is not limited to terrorism cases, so it may not be long before a government official in some jurisdiction invokes the provision in what the officer claims is an emergency of undisclosed nature or seriousness.

Perhaps most significantly, the provision allows ISPs to disclose only communications relating to the emergency. The immunity ISPs enjoy does not extend to overbroad disclosures. The provision does not prohibit ISPs from asking for more information about what is going on. Also, the statute requires ISPs to act in good faith. A wink and a nod or any other evidence of collusion could land ISPs in hot water. So ISPs must still be cautious.

Finally, the new provision requires government entities that receive disclosures under both the new provision and the existing voluntary disclosure provisions to report to the Attorney General on the nature of the disclosure. The Attorney General in turn is required to compile and publish such reports in a single report to be submitted to Congress one year after the date of enactment of the HSD Act. (Government entities receiving disclosures are under an ongoing obligation to report them to the AG, but the AG's obligation to compile them and publish them in a single report to Congress is a one-time requirement. It would seem logical, however, that if the reports are being submitted regularly by government entities, the AG could compile them and publish them without the need of a specific legislative mandate.)

In the name of protecting privacy, Section 225 also increases the penalties for various computer crimes. CDT does not believe that increasing a criminal penalty from 2 years to 10 years will better protect privacy - most privacy problems are not addressed through criminal prosecutions, certainly not governmental privacy abuses.

Section 225(i) grants law enforcement officials the power to install pen register and trap and trace devices without a court order where there is an ongoing attack on a protected computer. Any computer involved in interstate commerce or communications qualifies as a protected computer.

For more on CDT's concerns about this voluntary disclosure provision, see the testimony of Alan Davidson, February 12, 2002 http://www.cdt.org/testimony/020212davidson.shtml

For the analysis of Orin S. Kerr, Associate Professor, George Washington University Law School, and former Justice Department lawyer, focusing on the sentencing and substantive criminal provisions, see: http://volokh.blogspot.com/2002_11_24_volokh_archive.html#85720359

For further information, contact:

Jim Dempsey (202) 637-9800 x 112
Alan Davidson (202) 637-9800 x 110

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam

Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action! Previous Headlines | Legislative Tracking | CDT's Privacy Policy