Tuesday, August 21, 2007

Protecting Privacy

The data revolution provides powerful new tools for homeland security. Using commercial databases, law-enforcement officials can search vast amounts of information to instantly locate terrorism suspects. This capability promises to make it more difficult for terrorists to operate within our borders and easier for law enforcement to prevent attacks and save lives.
Yet there are also dangers to personal privacy. Because of ambiguities in the law, government has decided not to apply privacy protections to commercial databases. While a federal agency must conduct a Privacy Impact Assessment if it compiles a new database, it can subscribe to personal data assembled by private companies without considering the privacy implications. There are few limits in place on how this information can be used and no requirement that Congress, let alone the public, be notified of the agency's practices. If information is inaccurate, individuals have no recourse to correct it and could be wrongly targeted for investigation or scrutiny, or suffer other adverse consequences.
The Center for American Progress offers the following recommendations to extend privacy protections to personal information assembled by government contractors (as well as private companies that voluntarily hand over information to the government).[1] Consistent with established privacy principles, we recommend that privacy implications be publicly evaluated up front; that individuals be given the opportunity to correct inaccurate information; and that standards be developed to place limits on the use of personal information. In short, concern for privacy must be an integral part of homeland security. This will help foster public confidence in government actions, avoid the squandering of valuable security resources on misguided projects, and protect personal information from unwarranted intrusion.
Background
Americans surrender vast amounts of personal data through everyday commercial interactions – from filling a prescription to buying groceries to signing up for a credit card. Private data brokers, such as ChoicePoint, Seisint (recently acquired by LexisNexis), and Acxiom, aggregate this information and merge it with "public source" data from government records, including courthouse and criminal records. These companies have their roots in direct marketing and credit verification, but they are now heavily relied upon for law enforcement and homeland security. Their growth has been staggering. ChoicePoint alone has made over 50 separate acquisitions of smaller database companies just since 1997, and the number of records in its databases has increased enormously. Thousands of agencies at all levels of government spend hundreds of millions of dollars on contracts with private data brokers. The Justice Department, for instance, has a $67 million contract with ChoicePoint.[2]
The result has been a transformation in law enforcement. Information that previously might have taken months to assemble can now be called up through high-speed computers in a matter of seconds, while seemingly insignificant data can be pieced together to draw correlations and make "the invisible become visible," as a Seisint brochure put it.[3] Such a capability has obvious benefits. Seisint's Matrix system, for instance, was used to pick out D.c= sniper John Williams from a list of 21,000 John Williamses nationwide.[4]
Yet with this new capability come new concerns over privacy. There are few protections in place to ensure that personal information is not misused. Information collected by the federal government is subject to the Privacy Act, which among other things requires government to analyze privacy implications before collecting personally identifiable information, give public notice of such collections, and limit the use of this information to the original purpose for which it was collected.[5] However, the Bush administration has maintained the position of previous administrations that this protection does not extend to personal data assembled by government contractors,[6] so long as the data was initially collected for private purposes.[7] Thus, federal authorities are able to use contractors, as well as private-sector actors that voluntarily hand over information, to sift through vast amounts of personal data without giving any consideration to privacy.