A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES

jaykaykay

(I have been taking this news letter for some time and find it extremely interesting for many reasons. I would suggest that anyone interested in doing so subscribe to it as well as the topics it covers are extremely timely in every way. I found this one this AM to be the usual, most informative. Some will say that it is biased. Of course it is, but I share many of its views. Please read it for yourself and see what you think. This issue seemed to scream out to be posted here!)

CDT POLICY POST Volume 8, Number 28, December 13, 2002

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

Contents:
(1) Homeland Security Department Faces Steep Challenges, Poses Momentous
Potential and Risk
(2) New Department Has Essentially Unlimited Access to Information for Data
Mining and Data Analysis
(3) Act Includes Privacy Oversight Mechanisms
(4) Privacy Guidelines, Careful Oversight Required
(5) FOIA Exemption and Email Disclosure Provisions Also of Concern
___________________________________________

(1) Homeland Security Department Faces Steep Challenges, Poses Momentous
Potential and Risk

The Homeland Security Act signed by President Bush on November 25, 2002
creates the new Department of Homeland Security (DHS) and grants it momentous
responsibilities and powers. It is earnestly hoped that DHS will provide needed
coordination to government anti-terrorism efforts. The new Department will have
wide-ranging authority to compile, analyze, and mine the personal information of
Americans. Important issues of oversight and control remain to be addressed. CDT
is urging the Administration and Congress (even while in recess) to immediately
begin setting out privacy guidelines and oversight mechanisms to ensure that the
new department's data analysis activities are focused, controlled and accountable,
both for effectiveness in preventing terrorism and for the protection of liberties.

The DHS consolidates 22 separate agencies into a new Cabinet department with
170,000 employees. The components being transferred to DHS include:

* Coast Guard;
* Customs Service;
* Secret Service;
* Immigration and Naturalization Service (INS);
* the recently-formed Transportation Security Administration.

The new Department is structured around four directorates, whose titles give some
idea of the agency's mission and scope:

* Information Analysis and Infrastructure Protection;
* Science and Technology;
* Border and Transportation Security ;
* Emergency Preparedness and Response.

The DHS will absorb five components with computer security responsibilities:

* National Infrastructure Protection Center (NIPC) of the FBI http://www.nipc.gov
* National Communications System of the Defense Department;
* Critical Infrastructure Assurance Office (CIAO) of the Department of Commerce
http://www.ciao.gov ;
* National Infrastructure Simulation and Analysis Center of the Energy Department;
* Federal Computer Incident Response Center (FedCIRC) of the General Services
Administration.

Yielding to concerns of the computer industry, the transfer does not include the
Computer Security Division of the National Institutes of Standards and Technology.

The combination of NIPC and FedCIRC is noteworthy, in that it combines in one
entity the federal computer system intrusion detection activities of FedCIRC and the
private sector protection activities of the FBI. If a broader intrusion detection
program like the FIDNet system proposed several years ago is to be constituted,
this would be the basis for it.

The text and legislative history of the Act are at
http://thomas.loc.gov/cgi-bin/bdquery/z?d107:H.R.5710:

___________________________________________

(2) New Department Has Essentially Unlimited Access to Information for Data
Mining and Data Analysis

The new Department is tasked to "access, receive, and analyze" a wide array of
information that includes "law enforcement information, intelligence information,
and other information from agencies of the Federal Government, State and local
government agencies (including law enforcement agencies), and private sector
entities."

Strictly speaking, the new Department has no new collection authorities, but many
of the components being consolidated into DHS (such as Secret Service, Customs,
and INS) have investigative and intelligence collection units of their own. There is
no doubt that the new agency will have wiretap authority and other intrusive
powers. Moreover, the Department can call upon information for any other
intelligence or law enforcement agency. Indeed, when you string together the
authorities of the DHS, you get an agency that will help control the collection
priorities of other agencies and then be able to access electronically their entire
files of undigested intelligence:

* DHS will have a say in deciding what other agencies, including the CIA and
the NSA, collect at home and abroad. (Sec. 201(d)(10).)
* DHS can access and receive law enforcement information, intelligence
information and other information from Federal State and local government
agencies and the private sector.
* Except as otherwise directed by the President, the Department "shall" have
access to "unevaluated intelligence." (Sec. 202(a)(1).)
* The Secretary may obtain access "on a regular or routine basis ... [to] broad
categories of material, access to electronic databases, or both." (Sec. 202(b)(1).)
Broadly read, this means that DHS can have online access to the files of the FBI,
the CIA and the signals intelligence agencies.
* The new DHS is expressly authorized to receive wiretap information and grand
jury information collected by any other agency.

The potential scope of this data gathering and analysis is enormous, and both the
challenge of analysis and the potential for abuse are apparent. While the Act does
provide some structures for safeguarding privacy, rigorous oversight will be
needed.

These provisions must be viewed in the context of inadequate privacy protections
in law, the enhanced surveillance authorities already granted in the PATRIOT Act
and new "data mining" initiatives underway.

The most ambitious and potentially far-reaching of these data mining is known as
Total Information Awareness (TIA), a new R&D effort being managed by the
Defense Advanced Research Projects Agency (DARPA) to aggregate and analyze
information from a wide array of public and commercial databases. The program is
just one of a number of government data mining efforts, including the FBI's Trilogy
program and the Transportation Security Administration's Computer Assisted
Passenger Profiling System (CAPPS II).

Contrary to published reports, there is nothing in the DHS Act directly concerning
TIA. TIA was launched before this Act was even drafted, with relatively small
amounts of funding in DARPA's budget. TIA is not under the authority of the new
DHS. However, it is clear that the results of TIA's research, as well as other similar
research being performed by the contractors working for other agencies, will be
made available to DHS.

TIA website http://www.darpa.mil/iao/
_______________________________________

(3) Act Includes Privacy Oversight Mechanisms

The DHS Act includes important new oversight mechanisms, including

* Privacy Officer, a senior official with "primary responsibility for privacy policy"
(sec. 222);
* Officer for Civil Rights and Civil Liberties, who shall review and assess
information alleging abuses of civil rights, civil liberties, and racial and ethnic
profiling by employees and officials of the Department (sec. 705);
* Inspector General, who, unlike IGs in most other agencies, is under the authority,
direction, and control of the Secretary and prohibited from investigating matters
placed off-limits by the Secretary - these provisions are similar to those applicable
to the IG for the Defense Department (sec. 811);
* Citizenship and Immigration Services Ombudsman, who shall assist individuals
and employers in resolving immigration problems (sec. 452).

Section 221 of the Act requires the Secretary to "establish procedures" concerning
the use of information "shared" under the Act that

* limit the redissemination of such information to ensure that it is not used for an
unauthorized purpose;
* ensure the security and confidentiality of such information;
* protect the constitutional and statutory rights of any individuals who are subjects
of such information; and
* provide data integrity through the timely removal and destruction of obsolete or
erroneous names and information.

In addition, the Act includes other provisions intended to protect privacy:

* Prohibition of TIPS - Section 880 expressly states that "any and all activities of
the Federal Government to implement the proposed component program of the
Citizen Corps known as Operation TIPS (Terrorism Information and Prevention
System) are hereby prohibited." TIPS was a proposed program that would have
enlisted delivery men and other civilians to report on any suspicious conduct of
their customers.
* National ID not authorized - Sec. 1514 states "Nothing in this Act shall be
construed to authorize the development of a national identification system or
card." That is different from a prohibition.

Other provisions weigh against oversight. Section 871 allows the Department to
form advisory committees with industry representatives that are exempt from the
Federal Advisory Committee Act (FACA), an open government law that requires
open meetings and puts limits on special interests.
________________________________________

(4) Privacy Guidelines, Careful Oversight Required

While information technology appropriately has a major role to play in preventing
terrorism, it is incumbent on the President, the new DHS Secretary and Congress to
match expanded information gathering and analysis powers with expanded
guidelines and oversight. The creation of a Privacy Office within DHS is one step,
but the process also requires the adoption of rules and guidelines that the new
office can enforce.

As noted, the Act calls for the adoption of privacy guidelines. In developing these
guidelines, attention must be paid to basic questions of fair information practices,
including what information is used, who has access to it, what standards of
accuracy and timeliness are required, how "hits" will be verified, and how results
will be characterized and disseminated. There must be effective audit trails and
robust review mechanisms to protect against unauthorized access and
inappropriate use of information. Questions to be addressed also include how the
government will obtain the data - by compulsory process, by purchase, by
subscription, or by voluntary sharing. The analysis must take into account the fact
that there are few constraints on government access to records held by private
corporations and that the federal Privacy Act imposes few meaningful constraints
on the sharing among government agencies of information once it is obtained for
national security purposes.

For more information on the use of information technologies and the need for
guidelines, see the report of the Markle Task Force on National Security in the
Information Age: http://www.markletaskforce.org/

_______________________________________________

(5) FOIA Exemption and Email Disclosure Provisions Also of Concern

The Act includes a new FOIA exemption for "voluntarily shared critical infrastructure
information" submitted to the new Department. (Sec. 212-215.) The provision, long
supported by some IT companies, may limit the ability of small businesses and
members of the public to learn about threats and vulnerabilities that affect their
computer systems. Under the provision, information about infrastructure
vulnerabilities that companies submit to the government must be withheld from
disclosure under the FOIA. The new provision goes so far as to make it a crime for a
federal official to disclose critical infrastructure information to the public or to
affected companies if the disclosure is not "authorized."

Sen. Patrick Leahy (D-VT) called the exemption "the most severe weakening of the
Freedom of Information Act in its 36-year history." He said it "would hurt and not
help our national security, and along the way it would frustrate enforcement of the
laws that protect the public's health and safety." A more narrowly circumscribed
Senate version of the exemption was rejected in favor of a broader House version.
However, it should be stressed that the new exemption applies only to information
submitted to the DHS.

A key question will be whether the exemption actually spurs the increased
disclosure of vulnerability information to the government that its proponents
promised.

The Homeland Security Act also includes what had been a free-standing bill, the
Cyber Security Enhancement Act, which includes a provision undermining privacy
online by greatly expanding the ability of ISPs to "voluntarily" disclose information
government officials. (Sec. 225.) Under the provision, the contents of email
messages or instant messages can be given to any government official in an
"emergency" even when there is no factual basis stated for the emergency and
there is no imminent threat of injury.

CDT's more detailed analysis of the Act is online at
http://www.cdt.org/security/homelandsec...0cdt.shtml
_______________________________________________

Detailed information about online civil liberties issues may be found at
http://www.cdt.org/.

This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_8.28.shtml.

Excerpts may be re-posted with prior permission of

Policy Post 8.28 Copyright 2002 Center for Democracy and Technology

--
To subscribe to CDT's Activist Network, sign up at:
http://www.cdt.org/join/


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 1139 pages served in previous 5 minutes. Page Rendered: 0.348 seconds.