340 likes | 354 Views
This keynote presentation by Professor Peter Swire explores the need for better institutions and procedures for privacy and national security. It reviews past administration actions, discusses the MATRIX case study, and highlights the 9/11 Commission Recommendation of a Civil Liberties Board.
E N D
“Keynote on Privacy and National Security:What Still Needs to Be Done” Professor Peter Swire Ohio State University Consultant, Morrison & Foerster LLP IAPP Forum on Privacy & National Security September 30, 2004
Overview • Brief review of Administration actions on privacy and national security • MATRIX as a case study • Current issue: 9/11 Commission Recommendation of a Civil Liberties Board • Theme: we need better institutions and procedures for accountability
I. Administration Actions • Privacy controversies hit the Clinton Administration • Encryption (from Clipper chip to 1999 change) • Carnivore • Privacy & computer security (FIDNet) • Law enforcement & national security provisions in other laws, such as HIPAA • I was involved in each of these as Chief Counselor for Privacy, not as privacy “advocate”
Privacy controversies since 2001 • USA-PATRIOT Act and other enhanced law enforcement & intelligence powers • FISA wiretaps now outnumber law enforcement • Total Information Awareness • CAPPS II • Stricter ID (enhanced drivers licenses & passports) • Data mining & “information sharing” as major themes for change • No White House or government-wide officials on privacy and civil liberties
Positive Steps Since 2001 • E-Gov Act of 2002 and privacy impact assessments • Sen. Lieberman took the lead; not vetoed • DHS Chief Privacy Officer • Administration acquiesced but did not propose • DOJ is appealing Councilman case on “intercepts” of e-mails • Victory there will protect individuals and ease prosecutions for illegal interceptions
II. The Challenge Federal official, involved in funding information sharing systems, recently asked me: “What can we do to address the concerns of privacy proponents so that they will stop complaining about MATRIX and other needed systems?” • This was a good-faith question from an honorable person. • He was sobered by my answer.
MATRIX • Multi-State Anti-Terrorism Information Exchange (MATRIX) • $12 million from DHS & DOJ • Project security and access in Florida • First proposed after 9/11 • At the peak,12 states had agreed to participate • Currently FL, CT, MI, OH, PA are in program • States that have left or decided not to join after actively considering it: AL, CA, CO, GA, LA, KY, OR, SC, TX, UT, WV • Privacy and cost cited as reasons not to do it
The Current MATRIX “Information accessible includes criminal history records, driver’s license data, vehicle registration records, and incarceration/corrections records, including digitized photographs, with significant amounts of public records data. This capability will save countless investigative hours and drastically improve the opportunity to successfully resolve investigations. The ultimate goal is to expand this capability to all states.” Official site: www.matrix-at.org
2 Early Objections • System was created and pushed by admitted drug smuggler, Herb Asher of Seisent • This is not relevant to how we should view the current system • It made it harder to say “Trust Us” on MATRIX • After 9/11, 120,000 names sent to law enforcement for “high terrorism factor” • This is data mining, without individualized suspicion, with no transparency or known checks against abuse • Today, “MATRIX is not a data mining application.”
Jan. 2003 Seisent Documents HTF based on factors including: • Age, gender & ethnicity • “What they did with their driver’s licenses” • Pilots or associations to pilots • Proximity to “dirty addresses/phone numbers” • Investigational data • SSN anomalies • Credit histories
Seisent Documents • “The associative links, historical residential information, and other information, such as an individual’s possible relatives and associates, are deeper and more comprehensive than other commercially available database systems presently on the market.”
Answering the Federal Official • Privacy experts (not necessarily “advocates”) will have a list of questions: • About current configuration of system and its compliance with fair information practices • About system as designed (it had original, broader functions) • How system could easily evolve over time (mission creep)
Florida, Other States Police & Other State Subscribers More States Supply Data MATRIX Intel (?) “Public” Records Feds (?) “Private” Records (?)
The Inputs Florida, Other States Police & Other State Subscribers More States Supply Data MATRIX Intel (?) “Public” Records Feds (?) “Private” Records (?)
Florida, Other States Questions on Inputs: Data Quality: 2003 FBI announcement that NCIC data could no longer be subject to “accuracy” requirements of the Privacy Act Are state criminal, prison, and similar records more accurate? If record are fixed in one place, is that correction spread to all the other databases? More States Supply Data “Public” Records “Private” Records (?)
Florida, Other States Questions on Inputs: Sensitive data: Sources of identity theft -- SSNs are listed in many public records; bank account records in bankruptcy “public” records Known privacy concerns of American people on medical, financial, children’s, & other “sensitive” records More States Supply Data “Public” Records “Private” Records (?)
Florida, Other States Questions on Inputs: Private sector data. Was there notice & consent for these uses? For medical, credit history, and other sensitive data? Are these “secondary” uses appropriate? Federal data under the Privacy Act, with public oversight. What similar checks and balances for how private data is gathered and used? More States Supply Data “Public” Records “Private” Records (?)
Questions on Outputs: For secret/confidential data, assume good security in data center. How many people have access to the outputs of MATRIX? 800,000 uniformed police, for traffic stops, etc. Non-uniformed? Firefighters? Others? Police & Other State Subscribers Intel (?) Feds (?)
Questions on Outputs: • How to secure outputs to 1 million • people? • Assume few/no secrets for what the • million can see about the system – • Swire paper on security/obscurity • Training • Audit trails • Anti-browsing laws & enforcement • But, what can terrorist or organized • crime group learn by bribing one • out of the million? Police & Other State Subscribers Intel (?) Feds (?)
Questions on the Data Center/System: • A principle: the more important the decisions made, the more important it is to have due process and fair information practices. E.g., denied for mortgage or job, so have FCRA. • Decisions here might include: • Arrest the person (my student Greg Smith) • Deny ability to travel, enter secured spaces • Deny job, on a background check • Suspicion on a person’s “associates”? • Other uses over time?
Questions on the Data Center/System: • Access and correction as key fair information practices. • Currently no access by individual to data held in MATRIX. Instead, individual told to go to every data source and get access there. • Problems include: • Burdensome to go to numerous sources • Data sources not all publicly listed. • Even if correct mistake once, it often reappears
Questions on the Data Center/System: • Transparency & Governance • No privacy policy posted until recently • No individual identified as CPO • Perhaps have outside experts or advisory board? • Most generally, how provide public oversight, accountability, assurance?
The Sobering List of Privacy Issues for the Federal Official • Inputs: data quality • Inputs: sensitive data • Inputs: private-sector data • Outputs: secrets when thousands or a million receive data • Outputs: anti-browsing and good security at the edges • Important decisions by government require due process • Access and correction (when secrecy unlikely to work) • Transparency and governance, to reduce mistakes and improve public acceptance
Is It Worth Answering Those Questions? • If the privacy homework assignment seems too burdensome, then temptation is to minimize or ignore privacy issues • But the privacy homework is good policy and good government • Markle report and the need to do the privacy homework or else watch public opposition undermine the potential benefits of a system • Transparent, good governance as the touchstone
III. Privacy Governance and National Security • From MATRIX to the U.S. government • 9/11 Commission recommended Civil Liberties Board in the executive branch • The Bush Executive Order • The Senate alternative as better governance
Bush Executive Order • Aug. 2004 Executive Order to create “President’s Board to Safeguard Civil Liberties” • It is good to address the issue. Why now? • WH press office: “We’ve already moved on 36 of the 41 recommendations of the 9/11 Commission”
Bush Executive Order • Chaired by Deputy AG (enforcement officer) • Vice-chair Under Sec. DHS for border (enforcement officer) • No new powers to the committee to investigate or take action • Is that a good structure for protecting privacy and civil liberties?
Justice Lewis Powell, in national security wiretapping case:"It is, or should be, an important working part of our machinery of government … to check the well-intentioned but mistakenly over-zealous executive officers who are a party of any system of law enforcement.“So, don’t have enforcement officers in charge of civil liberties protection.
Collins-Lieberman Bill • A better alternative is being considered in the Senate • Create a government-wide mechanism, in the Executive Office of the President • Information sharing involves multiple agencies, so single-agency CPOs, acting alone, won’t succeed • Could be an individual; 9/11 Commission & the bill creates a “Board”
The Senate Bill • Pre-clearance of policy proposals • Regular reports to Congress and the public • If lack of action, that will be apparent • Name the officers in the statute, to ensure they will testify before Congress • Power to create advisory committees of experts on technology, law, etc. • Subpoena/investigative powers, so that whistleblowers and others can prompt investigations
Conclusion • National security and privacy intersection has been and will be an ongoing part of U.S. governance • MATRIX analysis here shows real issues that should be considered in creating any system • The official who questioned me was surprised and sobered by the number of significant and difficult privacy issues in MATRIX
Conclusion • Despite positive efforts by Nuala Kelly and other federal officials, there has been too little government-wide policy leadership on privacy and civil liberties • The Bush Executive Order creates a structure that is designed to be powerless • There is still no leadership from the White House/EOP on these issues
Finally • I believe it is good public policy to work through the sorts of issues shown here for MATRIX • I believe it is wise political strategy to do so, to reduce the likelihood that good systems will be blocked • Let us, as participants in this conference, work together on information systems, to help achieve both national security and civil liberties
Contact Information • Professor Peter Swire • Moritz College of Law of the Ohio State University • Phone: (240) 994-4142 • Email: peter@peterswire.net • Web: www.peterswire.net