Keynote on Privacy and National Security: What Still Needs to Be Done Professor Peter Swire Ohio State University Consultant, Morrison & Foerster LLP IAPP

“Keynote on Privacy and National Security:

What Still Needs to Be Done”

Professor Peter Swire

Ohio State University

Consultant, Morrison & Foerster LLP

IAPP Forum on Privacy & National Security

September 30, 2004

Overview

• Brief review of Administration actions on privacy and national security

• MATRIX as a case study

• Current issue: 9/11 Commission Recommendation of a Civil Liberties Board

• Theme: we need better institutions and procedures for accountability

I. Administration Actions

• Privacy controversies hit the Clinton Administration– Encryption (from Clipper chip to 1999 change)– Carnivore– Privacy & computer security (FIDNet)– Law enforcement & national security

provisions in other laws, such as HIPAA– I was involved in each of these as Chief

Counselor for Privacy, not as privacy “advocate”

Privacy controversies since 2001

• USA-PATRIOT Act and other enhanced law enforcement & intelligence powers– FISA wiretaps now outnumber law enforcement

• Total Information Awareness• CAPPS II• Stricter ID (enhanced drivers licenses &

passports)• Data mining & “information sharing” as major

themes for change• No White House or government-wide officials on

privacy and civil liberties

Positive Steps Since 2001

• E-Gov Act of 2002 and privacy impact assessments– Sen. Lieberman took the lead; not vetoed

• DHS Chief Privacy Officer– Administration acquiesced but did not propose

• DOJ is appealing Councilman case on “intercepts” of e-mails– Victory there will protect individuals and ease

prosecutions for illegal interceptions

II. The Challenge

Federal official, involved in funding information sharing systems, recently asked me:

“What can we do to address the concerns of privacy proponents so that they will stop complaining about MATRIX and other needed systems?”

• This was a good-faith question from an honorable person.

• He was sobered by my answer.

MATRIX

• Multi-State Anti-Terrorism Information Exchange (MATRIX)– $12 million from DHS & DOJ– Project security and access in Florida

• First proposed after 9/11• At the peak,12 states had agreed to participate

– Currently FL, CT, MI, OH, PA are in program– States that have left or decided not to join after

actively considering it: AL, CA, CO, GA, LA, KY, OR, SC, TX, UT, WV

– Privacy and cost cited as reasons not to do it

The Current MATRIX

“Information accessible includes criminal history records, driver’s license data, vehicle registration records, and incarceration/corrections records, including digitized photographs, with significant amounts of public records data. This capability will save countless investigative hours and drastically improve the opportunity to successfully resolve investigations. The ultimate goal is to expand this capability to all states.”

Official site: www.matrix-at.org

2 Early Objections

• System was created and pushed by admitted drug smuggler, Herb Asher of Seisent– This is not relevant to how we should view the current

system– It made it harder to say “Trust Us” on MATRIX

• After 9/11, 120,000 names sent to law enforcement for “high terrorism factor”– This is data mining, without individualized suspicion,

with no transparency or known checks against abuse– Today, “MATRIX is not a data mining application.”

Jan. 2003 Seisent Documents

HTF based on factors including:• Age, gender & ethnicity• “What they did with their driver’s licenses”• Pilots or associations to pilots• Proximity to “dirty addresses/phone numbers”• Investigational data• SSN anomalies• Credit histories

Seisent Documents

• “The associative links, historical residential information, and other information, such as an individual’s possible relatives and associates, are deeper and more comprehensive than other commercially available database systems presently on the market.”

Answering the Federal Official

• Privacy experts (not necessarily “advocates”) will have a list of questions:– About current configuration of system and its

compliance with fair information practices– About system as designed (it had original,

broader functions)– How system could easily evolve over time

(mission creep)

Florida,Other States

More StatesSupply Data

“Public”Records

“Private”Records (?)

MATRIX

Police &Other State Subscribers

Intel (?)

Feds (?)



“Public”Records


MATRIX


Intel (?)

Feds (?)

The Inputs



“Public”Records


Questions on Inputs:

Data Quality: 2003 FBI announcement that NCIC data could no longer be subject to “accuracy” requirements of the Privacy Act

Are state criminal, prison, and similar records more accurate?

If record are fixed in one place, is that correction spread to all the other databases?



“Public”Records



Sensitive data:

Sources of identity theft -- SSNs are listed in many public records; bank account records in bankruptcy “public” records

Known privacy concerns of American people on medical, financial, children’s, & other “sensitive” records



“Public”Records



Private sector data.

Was there notice & consent for these uses? For medical, credit history, and other sensitive data? Are these “secondary” uses appropriate?

Federal data under the Privacy Act, with public oversight. What similar checks and balances for how private data is gathered and used?

Questions on Outputs:

For secret/confidential data, assumegood security in data center.

How many people have access to the outputs of MATRIX?

800,000 uniformed police, for traffic stops, etc.Non-uniformed? Firefighters? Others?


Intel (?)

Feds (?)

Questions on Outputs:

How to secure outputs to 1 million people?

•Assume few/no secrets for what the million can see about the system – Swire paper on security/obscurity•Training•Audit trails•Anti-browsing laws & enforcement

But, what can terrorist or organized crime group learn by bribing one out of the million?


Intel (?)

Feds (?)

Questions on the Data Center/System:

A principle: the more important the decisions made, the more important it is to have due process and fair information practices. E.g., denied for mortgage or job, so have FCRA.

Decisions here might include:•Arrest the person (my student Greg Smith)•Deny ability to travel, enter secured spaces•Deny job, on a background check•Suspicion on a person’s “associates”?•Other uses over time?


Access and correction as key fair information practices.

Currently no access by individual to data held in MATRIX. Instead, individual told to go to every data source and get access there.

Problems include:•Burdensome to go to numerous sources•Data sources not all publicly listed.•Even if correct mistake once, it often reappears


Transparency & Governance

•No privacy policy posted until recently•No individual identified as CPO•Perhaps have outside experts or advisory board?

•Most generally, how provide public oversight, accountability, assurance?

The Sobering List of Privacy Issues for the Federal Official

• Inputs: data quality• Inputs: sensitive data• Inputs: private-sector data• Outputs: secrets when thousands or a million receive

data• Outputs: anti-browsing and good security at the edges• Important decisions by government require due process• Access and correction (when secrecy unlikely to work)• Transparency and governance, to reduce mistakes and

improve public acceptance

Is It Worth Answering Those Questions?

• If the privacy homework assignment seems too burdensome, then temptation is to minimize or ignore privacy issues

• But the privacy homework is good policy and good government

• Markle report and the need to do the privacy homework or else watch public opposition undermine the potential benefits of a system

• Transparent, good governance as the touchstone

III. Privacy Governance and National Security

• From MATRIX to the U.S. government

• 9/11 Commission recommended Civil Liberties Board in the executive branch– The Bush Executive Order– The Senate alternative as better governance

Bush Executive Order

• Aug. 2004 Executive Order to create “President’s Board to Safeguard Civil Liberties”

• It is good to address the issue. Why now?

• WH press office: “We’ve already moved on 36 of the 41 recommendations of the 9/11 Commission”

Bush Executive Order

• Chaired by Deputy AG (enforcement officer)

• Vice-chair Under Sec. DHS for border (enforcement officer)

• No new powers to the committee to investigate or take action

• Is that a good structure for protecting privacy and civil liberties?

Justice Lewis Powell, in national security wiretapping case:

"It is, or should be, an important working part of our machinery of government … to check the well-intentioned but mistakenly over-zealous executive officers who are a party of any system of law enforcement.“

So, don’t have enforcement officers in charge of civil liberties protection.

Collins-Lieberman Bill

• A better alternative is being considered in the Senate

• Create a government-wide mechanism, in the Executive Office of the President

• Information sharing involves multiple agencies, so single-agency CPOs, acting alone, won’t succeed

• Could be an individual; 9/11 Commission & the bill creates a “Board”

The Senate Bill

• Pre-clearance of policy proposals• Regular reports to Congress and the public

– If lack of action, that will be apparent• Name the officers in the statute, to ensure they

will testify before Congress• Power to create advisory committees of experts

on technology, law, etc.• Subpoena/investigative powers, so that

whistleblowers and others can prompt investigations

Conclusion

• National security and privacy intersection has been and will be an ongoing part of U.S. governance

• MATRIX analysis here shows real issues that should be considered in creating any system

• The official who questioned me was surprised and sobered by the number of significant and difficult privacy issues in MATRIX

Conclusion

• Despite positive efforts by Nuala Kelly and other federal officials, there has been too little government-wide policy leadership on privacy and civil liberties

• The Bush Executive Order creates a structure that is designed to be powerless

• There is still no leadership from the White House/EOP on these issues

Finally

• I believe it is good public policy to work through the sorts of issues shown here for MATRIX

• I believe it is wise political strategy to do so, to reduce the likelihood that good systems will be blocked

• Let us, as participants in this conference, work together on information systems, to help achieve both national security and civil liberties

Contact Information

• Professor Peter Swire

• Moritz College of Law of the Ohio State University

• Phone: (240) 994-4142

• Email: [email protected]

• Web: www.peterswire.net

mailto:[email protected]