Protecting Privacy in the Digital Age

Overview

The data revolution provides powerful new tools for homeland security. Using commercial databases, law-enforcement officials can search vast amounts of information to instantly locate terrorism suspects. This capability promises to make it more difficult for terrorists to operate within our borders and easier for law enforcement to prevent attacks and save lives.

Yet there are also dangers to personal privacy. Because of ambiguities in the law, government has decided not to apply privacy protections to commercial databases. While a federal agency must conduct a Privacy Impact Assessment if it compiles a new database, it can subscribe to personal data assembled by private companies without considering the privacy implications. There are few limits in place on how this information can be used and no requirement that Congress, let alone the public, be notified of the agency's practices. If information is inaccurate, individuals have no recourse to correct it and could be wrongly targeted for investigation or scrutiny, or suffer other adverse consequences.

The Center for American Progress offers the following recommendations to extend privacy protections to personal information assembled by government contractors (as well as private companies that voluntarily hand over information to the government).[1] Consistent with established privacy principles, we recommend that privacy implications be publicly evaluated up front; that individuals be given the opportunity to correct inaccurate information; and that standards be developed to place limits on the use of personal information. In short, concern for privacy must be an integral part of homeland security. This will help foster public confidence in government actions, avoid the squandering of valuable security resources on misguided projects, and protect personal information from unwarranted intrusion.

Background

Americans surrender vast amounts of personal data through everyday commercial interactions – from filling a prescription to buying groceries to signing up for a credit card. Private data brokers, such as ChoicePoint, Seisint (recently acquired by LexisNexis), and Acxiom, aggregate this information and merge it with "public source" data from government records, including courthouse and criminal records. These companies have their roots in direct marketing and credit verification, but they are now heavily relied upon for law enforcement and homeland security. Their growth has been staggering. ChoicePoint alone has made over 50 separate acquisitions of smaller database companies just since 1997, and the number of records in its databases has increased enormously. Thousands of agencies at all levels of government spend hundreds of millions of dollars on contracts with private data brokers. The Justice Department, for instance, has a $67 million contract with ChoicePoint.[2]

The result has been a transformation in law enforcement. Information that previously might have taken months to assemble can now be called up through high-speed computers in a matter of seconds, while seemingly insignificant data can be pieced together to draw correlations and make "the invisible become visible," as a Seisint brochure put it.[3] Such a capability has obvious benefits. Seisint's Matrix system, for instance, was used to pick out D.c= sniper John Williams from a list of 21,000 John Williamses nationwide.[4]

Yet with this new capability come new concerns over privacy. There are few protections in place to ensure that personal information is not misused. Information collected by the federal government is subject to the Privacy Act, which among other things requires government to analyze privacy implications before collecting personally identifiable information, give public notice of such collections, and limit the use of this information to the original purpose for which it was collected.[5] However, the Bush administration has maintained the position of previous administrations that this protection does not extend to personal data assembled by government contractors,[6] so long as the data was initially collected for private purposes.[7] Thus, federal authorities are able to use contractors, as well as private-sector actors that voluntarily hand over information, to sift through vast amounts of personal data without giving any consideration to privacy.

This has given government an unprecedented ability to monitor the lives of American citizens, immigrants and visitors. Since 9/11, there has been justified emphasis placed on anticipating and preventing terrorist attacks. Yet this has not just meant anticipating likely targets; it has also meant anticipating likely perpetrators, with heavy reliance on government contractors combing personal data. Seisint, for instance, created a "terrorism quotient" that it said could tag people considered a high terrorist risk, relying on variables such as ethnicity and religion; shortly after 9/11, the company handed over to law enforcement officials a list of 120,000 names with the highest scores.[8] The danger is that people are being singled out and investigated simply for talking to the wrong person, belonging to the wrong house of worship, visiting the wrong website, or living next to the wrong person – even if there is no evidence of actual wrongdoing or intent to cause harm.

Sometimes people may be singled out simply because of mistakes in the data. Data brokers are under no federal obligation to ensure accuracy or to correct errors once notified of them. The Privacy Act and the Freedom of Information Act provide citizens the ability to view their own personal information collected by government and the opportunity to correct any inaccuracies. However, these protections do not apply to information collected by private data brokers that might be used for law enforcement purposes, leaving few options available to those who find themselves victimized by inaccurate information. The repercussions can be severe, from travel restrictions to wrongful arrest to disenfranchisement. During the 2000 elections, Florida relied on ChoicePoint to identify convicted felons who were illegally registered to vote – despite the company's warning about possible errors. After the election it was learned that hundreds of legal voters were expunged from the rolls because of inaccurate information. The U.S. Commission on Civil Rights concluded that as many as one in seven of those excluded were actually legal voters.[9]

The digital aggregation of personal data has also left Americans increasingly vulnerable to identity theft. Recently, it was revealed that sham businesses purchased from ChoicePoint the personal records of 145,000 people, hundreds of whom have already fallen victim to identity theft, while computer hackers stole records on 32,000 individuals from LexisNexis's Seisint database. With millions in taxpayer funds going to these companies, government has a special obligation to make sure this data is secure. Yet again, private data brokers are under no federal obligation to properly secure personal data or to disclose data theft. The public learned about the security breech at ChoicePoint only because of a California law that required disclosure.

In response to these data thefts, Congress has held a number of hearings and is beginning to explore legislative remedies. However, there has still been little attention given to the broader questions surrounding the federal government's reliance on private data brokers for domestic surveillance. What limits should be placed on the government's ability to search personal information collected by private data brokers? What privacy standards should be applied to government contractors? What recourse should be provided to citizens to correct inaccurate information assembled by data brokers and relied on by government? Until these questions are answered, Americans remain highly vulnerable to unwarranted intrusions on their personal privacy and civil liberties.

Recommendations

As the discussion above implies, information privacy is about more than just keeping personal data confidential. It is also about providing individuals a degree of control over their personal information, including the ability to correct inaccurate information, and ensuring fairness in how personal data is collected, shared and used to make decisions.[10] These principles are embodied in the Privacy Act and other federal protections, but currently do not extend to information gathered by private entities and used by government. This concern is especially acute in the area of homeland security, where there has been an explosion of new initiatives that seek to gather personal information from data brokers and sift through it to identify potential terrorists. Accordingly, we recommend the following steps to extend privacy protections to commercial databases:

• Privacy implications should be publicly evaluated before federal agencies search personal information. Agencies should assess the privacy implications when they subscribe to or acquire commercial databases of personal information. The E-Government Act of 2002[11] requires government agencies to undertake a Privacy Impact Assessment (PIA) for any new collection of information concerning 10 or more individuals. In its guidance in implementing this provision, the Office of Management and Budget (OMB) suggested to agencies that "systematically incorporat(ing)" information from commercial databases into government information systems should trigger a PIA, but that "querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement."[12] Congress should amend the E-Government Act to remove this loophole. In doing so, Congress should specify standards for proportional implementation (i.e., the greater the privacy impact, the more detailed justification provided by the PIA) and public disclosure of PIAs (with appropriate exceptions for law enforcement and national security interests). Where PIAs currently apply, most agencies have ignored OMB's guidelines for proportional implementation and disclosure.[13] PIAs should ensure that the public is informed of collections of personal information and the purpose (or purposes) for which that information is being used (again, with appropriate exceptions for law enforcement and national security interests).

  Congress should also incorporate public participation in the development of PIAs. Currently, agencies are under no obligation to seek public input during the development phase or even provide the opportunity for public feedback once PIAs are completed. The Department of Homeland Security, to its credit, voluntarily solicited public comment on the privacy implications of its CAPPS II[14] system for airline-passenger screening. The public response pushed the administration to postpone implementation and narrow the program to reduce privacy impacts.

• Contractors should meet federal standards for protecting personal privacy. Congress should instruct OMB and the Department of Justice to develop privacy guidelines for data contractors. Before awarding federal dollars, agencies should evaluate the privacy practices of prospective contractors, and contractors should have to certify that data is being collected and managed in accordance with these guidelines.
• Standards should be set for the acquisition and use of personal information. Congress should amend the Privacy Act to include standards for the acquisition and use of commercial databases containing personal information. These standards should guide what type of information can be acquired and how, and set limits on the use of personal information in proportion to the impact on privacy – in other words, the higher the impact on privacy, the more stringent the standards for use. As a general principle, personal information should only be used for the purpose communicated to the public and this information should be retained no longer than necessary to achieve the stated purpose.

  The Department of Justice should also add privacy protections to the FBI's guidelines on data mining of commercial databases. In May 2002, Attorney General John Ashcroft announced revisions to the FBI's domestic surveillance guidelines.[15] These guidelines permit routine mining of commercial databases containing personal information on U.S. citizens – even where no wrongdoing is suspected – without consideration of privacy. They also place no limits on FBI warehousing or sharing of such information and provide no criteria for how data is to be evaluated and used (i.e., what actions are permitted in response to data queries). This opens the door to fishing expeditions through the personal information of every American. The new attorney general, Alberto Gonzales, should revise these guidelines to strengthen privacy protections.

• Individuals should be able to correct inaccurate information provided by private companies to the government. As pointed out above, the Privacy Act provides recourse for information collected by government. Under the act, an individual can ask an agency to amend his or her record.[16] Within 10 working days of receiving this request, the agency must either correct the information or inform the individual of its reason for refusing the request, as well as procedures for administrative appeal. The individual can appeal a refusal and is entitled to a response in 30 working days. If this review again concludes in refusal, the individual is allowed to submit a statement of disagreement that must be included in any subsequent disclosure of the record. Where the agency has made prior disclosures of the record, the agency must inform the prior recipients of any correction or dispute.

  Congress should amend the Privacy Act to extend these basic protections to personal information provided by private companies to the government. Such recourse is especially important when personal information is used by the government in making decisions about an individual (e.g., whether someone is subjected to travel restrictions). The federal government should not be relying on inaccurate information whether maintained internally or by a corporation. Accordingly, government should insist that its contractors take responsibility for ensuring the maximum possible accuracy, including investigating disputed information.

• Congress should update Privacy Act terminology in light of new technology and the government's reliance on the private-sector data brokers. The central law protecting privacy of personal information in the hands of the U.S. government has been essentially unchanged since 1974. Key definitions in the act no longer correspond to the reality of computerized information exchange, collection and use. This basic confusion over terminology has given rise to loopholes that subvert the intent of the law.

  The Privacy Act applies to any "system of records," which is defined as databases held by the government where information is searched using a single identifier such as a record locator or ID number. In the 1970s, government generally collected and managed personal data itself, and it was common for databases to be keyed on single identifiers. Today, in a world where government relies on private-sector data brokers to link, search, copy, and reconfigure multiple databases, the definition simply does not capture the data sets of greatest privacy concern. Likewise, the Privacy Act's exemption for "routine use" of information is being invoked in ways that go far beyond the original intent of the law – so that information can be shared across multiple agencies for multiple purposes. For example, the Bush administration originally planned to use data assembled by Acxiom for the CAPPS II initiative for a host of unrelated purposes, such as identifying illegal aliens and tracking down criminals.[17] Before postponing implementation, the administration claimed "routine use" allowed this information to be broadly shared and used for other purposes without triggering the Privacy Act.

• Agencies should install chief privacy officers to oversee implementation of privacy standards. In 2004, Congress passed a provision requiring statutory chief privacy officers (CPOs) at every agency. While this law may have been too broad in places, it has not been implemented at all. Congress should hold the Bush administration accountable for implementing the law. With proper implementation, CPOs could help address many of the issues around government use of commercial databases. Full-time high-level CPOs should immediately be put in place at cabinet-level agencies, such as the Justice Department, the State Department and other agencies that regularly handle personally identifiable information. The CPOs should be responsible for (1) overseeing and reviewing the agency's implementation of applicable privacy laws and policies, including the Privacy Act and PIAs; (2) promoting the use of technologies that sustain – and do not erode – privacy protections; (3) promoting fair information practices, such as use limitations; (4) evaluating legislative, regulatory and other policy proposals involving personally identifiable information; and (5) training and educating employees and contractors on privacy and data protection policies and practices. Congress should also act to strengthen the Privacy and Civil Liberties Board – created by the recent intelligence reform bill[18] – to ensure independent oversight of privacy protections. Among other things, this means separating the board from the White House and ensuring the board has the necessary information to carry out its work.[19]

Conclusion

Given the political controversy over government's inability to "connect the dots" prior to 9/11, it is an understandable instinct for agencies to see technological advances as a potential "silver bullet." Technology is part of the solution, but the ever-increasing array of personal data also presents grave dangers of government overreach and unwarranted intrusion into the lives of law-abiding citizens.

Homeland security and privacy must not be seen as conflicting goals. One will be sustainable only if there is respect for the other. A homeland security system that gives short shrift to privacy erodes public confidence, without which the system cannot succeed. Several recent false starts demonstrate this point. In 2003, in response to privacy concerns, Congress ended the Pentagon's Total Information Awareness data-mining initiative for domestic surveillance, which had consumed tens of millions of dollars over the previous two years of development. In the summer of 2004, privacy concerns again forced the administration to postpone implementation[20] of the CAPPS II system for airline-passenger screening after more than $100 million was spent on its development. The result has been a dangerous delay in the implementation of an effective passenger screening program that draws on consolidated terrorist watch lists. In the meantime, Americans suffer the consequences, caught up in a less effective screening program and subject to additional security measures and personal inconvenience.

More careful analysis of privacy implications up front likely would have identified problems before they developed and stopped the diversion of valuable homeland security resources. Americans need to be able to trust that government will not violate their privacy and misuse personal information. Privacy should not be seen as in competition with homeland security; it must be a critical component of homeland security. This will help build public confidence, make sure our money is well spent, and uphold our bedrock values.