Interesting People mailing list archives
Analysis of DoT's Privacy Act Comments
From: Dave Farber <dave () farber net>
Date: Sun, 02 Mar 2003 19:46:43 -0800
------ Forwarded Message
From: Christopher Effgen <build () gci net>
Date: Sun, 02 Mar 2003 13:54:51 -0900
To: dave () farber net
Cc: jmorris () cdt org
Subject: Analysis of DoT's Privacy Act Comments

Dear Dave Farber,

Below is an analysis of comments submitted in response to DoT's proposed System of Records. Following the analysis is a summary of a case that I have been pursuing for the last three years, which will, I believe, at the very least, result in the program being withdrawn.

Christopher Effgen

This is a compilation of the Privacy Act statutes cited in the major responses to DoT's proposed System of Records. It is anticipated that one or more of the responders is preparing a legal challenge to the proposed System of Records, and that this compilation be of some assistance to that objective.

Center For Democracy And Technology

5 U.S.C. §552a(b)(7)

The Privacy Act allows a data collector to provide information to law enforcement officials upon a written request for specific information, see 5 U.S.C. 552a(b)(7); TSA indicates that it will volunteer potentially vast amounts of information to law enforcement officials under Routine Uses 1 and 7. TSA must clearly explain how it will decide whether to provide other agencies and private entities with access to its information. Vague assertions about "security" are simply inadequate.

Privacy Act statutes cited

Jim Harper, Editor, Privacilla.org
http://dmses.dot.gov/docimages/pdf84/234486_web.pdf

5 U.S.C. 552a(k)(1) and (k)(2)

The Department invokes Privacy Act sections 5 U.S.C. 552a(k)(1) and (k)(2) to deny notice to individuals when they are part of the database and to deny individuals access to data about themselves in the database. The Department may not create a database of all air travelers in the United States, shield the database from public view using national defense and law enforcement exceptions to the Privacy Act, and simultaneously claim that it is not treating all travelers as suspects.
This is a "suspects" database.

Electronic Privacy Information Center
http://dmses.dot.gov/docimages/pdf84/233868_web.pdf

5 U.S.C. §552a(e)(1)(7)
5 U.S.C. §552a(d)
5 U.S.C. §552a(k)

5 U.S.C. §552a(e)(d)

The Privacy Act requires the agency to collect data directly from the subject as far as possible, and to provide rights of access and correction.

5 U.S.C. §552a(k)

However, the TSA has provided no information about where the data will be collected from, whether those sources are accurate, whether the data will be collected following lawful procedures based upon a showing of particularized suspicion, and whether the data subject will have rights of access and correction. In fact, the TSA notice explicitly denies the right provided by the Privacy Act to access the system of record for the "purposes of determining if the system contains a record pertaining to a particular individual."

5 U.S.C. §552a(e)

The Privacy Act also limits the collection of information by requiring that only relevant data be collected for a limited purpose. The TSA has not provided any clarity on the actual purpose of this data collection, or whether the creation of a Passenger Database is narrowly tailored to that purpose.

Electronic Frontier Foundation

5 U.S.C. 552a(e)(2)(4)(B)(C)(9)(10)
5 U.S.C. 552a(k)(1)(2)

5 U.S.C. 552a(e)(4)

The purpose of this notice requirement is to provide the public with meaningful information about the system of records. Unfortunately, the current notice includes so many vaguely-defined, open-ended and inconsistent statements that it should not be considered such a notice. Under 552a(e)(4)(B), an agency must publish "the categories of individuals on which are maintained in the system." This description of "categories" is too vague to be valid. The proffered description is so broad that it could be interpreted to include all passengers (since after all, any passenger is a possible risk and potential threat).

Categories of records (C)

Under 552a(e)(4)(C), an agency must publish "the categories of records" maintained in the system. The information stored for "deemed" individuals contains several categories that are unbounded; the information "may include" such extremely broad categories of risk a reports, financial and transactional data, public source information, proprietary data, information from law enforcement and intelligence sources. are such broad categories as to be open-ended in practice.

Routine uses (D)

"Because it is difficult to envision an agency that does not have some investigative unit one could only conclude . . . that the [agency] might disclose any information it possessed to virtually any agency in the executive branch. Such breadth fails to constrain in a meaningful manner the [agency's] discretion to disclose information."

Policies and practices regarding storage, retrievability, access controls, retention, and disposal of records (E)

The regulations here specify minimum safeguards substantially weaker than industry best practices. As to retention and disposal, we also believe that the ASSR notice is inadequate. The records of a "deemed" individual may be retained for up to 50 years.

The notice of "routine uses" does not meet the (a)(7) requirement

Sec. 552a(a)(7) of the Privacy Act defines a "routine use" as "a use of a record for a purpose which is compatible with the purpose for which it was collected." Several of the "Routine Uses" of information described in these regulations go so far beyond the stated purpose of facilitating an aviation security-screening program or more generally ensuring aviation security that they should be regarded as "incompatible." The statutory requirement of compatibility requires "a dual inquiry into the purpose collection of the record in the specific case and the purpose of the disclosure."
Britt: 548-549 F.2d at 844

There is a substantial likelihood that ASSR violates (e)(2)

The basic purpose of (e)(2) is to "reflect[] the basic principle of fairness . . . that where government investigates a person, it should not depend on hearsay or 'hide under the eves,' but inquire directly of the individual about matters personal to him or her." S. Rep. No. 93-1183, 47 (1974), reprinted in 1974 U.S.C.C.A.N. 6916, 6962.

There is a substantial likelihood that ASSR violates (e)(9) and (e)(10)

the notice simply states that the computer system from which records could be accessed is policy and security based with real time auditing" and that "[I]nformation in this system is safeguarded in accordance with applicable rules and policies, including the Department's automated systems security policies."

The (k)(1) and (k)(2) exemptions are insufficiently supported

TSA claims that this system of records is exempt from various Privacy Act requirements pursuant to 5 U.S.C. §552a(k)(1) and (k)(2). Neither claim, however, is adequately supported.

Even if the (k)(2) exemption is justified, the stated access procedures are insufficient

The Routine Uses include several ways in which the information in this system may be used to deny an individual access to a right, privilege, or benefit to which he would otherwise be available, so the access described in 5 USC 552a(k)(2) must be provided.

American Civil Liberties Union

5 U.S.C. 552a(a)(2)(7)
5 U.S.C. 552a(d)(1)(2)(4)
5 U.S.C. 552a(e)(2)(4)
5 U.S.C. 552a(f)
5 U.S.C. 552a(k)(1)(2)

552a(e)(2)(4)

The Privacy Act makes plain that federal agencies should "collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs" and, if personal information is not directly collected from an individual, notify the public as to the "source" of the information.

552a(k)(1) and (2)

The stated purpose of the ASSR database, however, is for an "aviation security screening" program. The purpose is not to conduct intelligence or law enforcement investigations of air passengers and the notice makes clear that lots of unclassified information would be contained in the database. Therefore, DOT appears to be in error when it relies on these exceptions.

552a(a)(7).

The Privacy Act provides limited exceptions to this rule for specific government functions. The "routine use" exception allows for "the use of such record for a purpose which is compatible with the purpose for which it is collected."

552a(f)

As a general rule, the Privacy Act requires federal agencies to provide any individual notice that the individual is listed in the database.

552a(d)(1)

The opportunity "to gain access to his record or any information pertaining to him contained in the system. . . ."

552a(d)(2)-(4)

And, the opportunity to both request an amendment to his record and challenge the refusal of an agency to amend the record upon request.

552a(k)(1) and (2)

Once again, however, the DOT errantly attempts to apply the same exceptions for "investigatory material compiled for law enforcement purposes" and classified information to avoid the Privacy Act's full public accountability requirements. Because the DOT relies on the (k)(1) and (2) exceptions, there is no guarantee an individual will ever get a response from the government. DOT stretches these exceptions too far. Even under the exception for "investigatory material" in (k)(2), the Privacy Act requires that "if any individual is denied any right, privilege, or benefit that he would otherwise be entitled to under Federal law, or for which he would otherwise be eligible, as a result of the maintenance of such material, such material shall be provided to such individual . . ."

552a(a)(2)

As the Act articulated in its findings, "the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information."

552a(e)(4)

Given the current debate over CAPPS II and other similar data mining and surveillance tools, the DOT should be clear about what program is at issue and disclose the connection between ASSR and the CAPPS. To do otherwise is to obscure public debate on a controversial topic that cuts to the core of privacy and freedom and could run afoul of the Privacy Act's notice requirements.

Christopher Effgen

5 USC 552a(b)(7)(8)(B)(11)
5 USC 552a(c)
5 USC 552a(e)(2)(3)(4)(A)(B)(C)(9)(10)
5 USC 552a(o)(2)(C)(D)
5 USC 552a(i)(2)
5 USC 552a(k)(1)(k)(2).
5 USC 552a(o)(1)(A)(B)(C)(D)(i)(ii)(E)(F)(G)(H)(I)(J)(K)(2)(A)(i)(ii)(B)(C)(D)
5 USC 552a(p)(1)(A)(i)(ii)(iv)(B)(C)(i)(ii)(2)(A)(B)(C)
5 USC 552a(q)(1)(2)(A)(B)
5 USC 552a(u)(1)(2)(A)(B)(C)(D)(i)(ii)(iv)(v)(vi)(E)(F)(G)(H)(4)(A)(B)(C)(5)(A)(B)(i)(ii)(iii)(C)(D)(6)
5 USC 552a(m)
5 USC 553(c)

5 USC 552a(o)(2)(C)(D). The program may not become effective until 30 days after publication of notice of a Matching Agreement(s). An expiration date needs to be established for any Matching Agreement(s) under the terms set out in 5 USC 552a(o)(1)(A)(B)(C)(D)(i)(ii)(E)(F)(G)(H)(I)(J)(K)(2)(A)(i)(ii)(B)(C)(D)

The Privacy Act has procedures that require that no record in a System of Records be disclosed to a recipient agency or non-Federal agency except pursuant to a written agreement between the source agency and the recipient agency or non-Federal agency, when used for computer data matching.

5 USC 552a(p)(1)(A)(i)(ii)(iv)(B)(C)(i)(ii)(2)(A)(B)(C) The Privacy Act requires that individuals have an opportunity to contest findings where individual records are used in a matching program and used to suspend, terminate, reduce, or make a final denial of any Federal benefit or to take other adverse action against an individual.

5 USC 552a(q)(1)(2)(A)(B) The failure to comply with these procedures subjects the agency to sanctions under 5 USC 552a(u)(1)(2)(A)(B)(C)(D)(i)(ii)(iv)(v)(vi)(E)(F)(G)(H)(4)(A)(B)(C)(5)(A)(B)(i)(ii)(iii)(C)(D)(6)

Data integrity boards must be established to oversee and coordinate the implementation of the program under: 5 USC 552a(b)(7)

Each of the sources of information used to compile information is considered to be source agencies for purposes of the Privacy Act. Individuals are entitled to access these records except where subject to 5 USC 552a(e)(3)(C). Under the Privacy Act, Routine Uses do not have to be disclosed to the individual who is subject to a lawful Routine Use. However, at the time the information is collected individuals are required to be informed of the Routine Uses.

Under 5 USC 552a(m) Contractors are to be subject to the agency regulations adopted under the Privacy Act and subject to criminal penalties under 5 USC 552a(i).

5 USC 552a(e)(9)(10) the TSA is required to establish rules of conduct and safeguards to ensure the security of the records. The agency is required to protect against any anticipated threats or hazards to the record's security or integrity, which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual.

5 USC 552a(b); (e)(2)(3)(A)(B)(C)(10) Employment is a regulated activity under the Privacy Act, and under 5 CFR 731.101. There are no Routine Uses of information related to employment, the issuance of a license, contract, grant, or other benefit.
Applicants for employment, a license, contract, grant or benefit must be informed and give consent to the use of their personal information in data matching for these purposes. They must also be given the opportunity to dispute any negative determination.

5 USC 552a(b)(11) 5 USC 552a(c) The Privacy Act may not be used as a shield to regulate Court ordered discovery. Records compiled are required by 5 USC 552a(c) to be maintained for 5 years. This provision of the Privacy Act is intended to preserve evidence of actions by agencies involving violations of the law and of the rights of people. In the information age our digital identity plays an unprecedented role in determining our rights and the scope of our liberty. This proposal involves data matching with multiple databases that begins with a form of identification that is not a positive form. It proposes that an individual's identity may be to all intents and purposes permanently associated with information that may or may not be related to the individual whose rights and liberty are affected.

5 USC 552a(k) Given the proposed uses of this System of Records, individuals are required to give consent and be informed of the uses that will be made of the information that they provide. Exemption (k) does not operate to exempt the System of records from meeting the requirements of 5 USC 552a(b); (e)(2)(3)(A)(B)(C)(10) Exemption (k) only applies to records compiled after the commencement of a law enforcement investigation.

5 USC 552a(7) There are issues here dealing freedom of speech 5 USC 552a(7), with the fundamental nature of individual liberty. A government can act irresponsibly, incompetently and without regard to law when the disclosure of such actions is protected by the justification that those sources need not be disclosed.

5 USC 553(c) There needs to be a concise general statement of the basis and purpose for the application of these exemptions, as required under 5 USC 553(c) by 5 USC 552a (k).
The implications of this proposal are so far reaching that the agency should consider providing interested parties the opportunity for a hearing as would be required under 5 USC 553(c).

5 USC 552a(k)(1)(2) Information related to a background investigation is not exempt from this provision unless compiled as a result of a specific criminal investigation. That investigation must be based on a legitimate concern that federal laws have been violated or there is a legitimate belief that national security has been breached. Given the inapplicability of the claimed exemptions under 5 USC 552a(k)(1)(2) the exempted sections do not apply to this System of Records. The application of the exempted sections needs to be addressed with respect to this System of Records as a matter of law.

A name is not a positive form of identification.

Before I became involved in a complaint with the Census Bureau, most of my waking hours were spent developing the Disaster Center (www.disastercenter.com). As my involvement with that complaint continued, my involvement with the development of the site gradually came to a standstill. The reason that I pursued my complaint with the Census Bureau was because I foresaw that this proposal or something much like it would be developed.

There are a few stories about what happened. There are my stories, what happened to me. There is the story of what the Census Bureau did, and the stories about what happened to the other people involved. There are also stories about the agencies that I complained to, and how they responded to the complaints. There is the story of the Government cover-up and how deep within the administration it goes. At this point I believe that it goes at least to the Attorney General.

The story I think you want to hear is the story about what the Census Bureau did. You can think of the Census Bureau as you would a priest in a confessional. The Census Bureau is the Federal government's total information agency.
The Bureau has access to virtually every bit of information about you, both public and private. In addition the Census Bureau has the power to compel respondents to answer questions truthfully. This access and the power to compel truthful testimony are grants of power, that if not tempered by rules prohibiting the use of the information in courts of law, is the power of the Inquisition. To make sure that the information that the Census Bureau was given access to was not used, Congress made a promise to the people of the United States that they could trust the government and made such a use a felony, punishable by five years imprisonment.

In preparing to conduct the Year 2000 Census the Bureau had a problem of needing to hire a large number of people quickly. One of the records that we have is a note from a meeting in which the problem was discussed. (See attached) In that meeting it was determined to use the FBI's name-based criminal history system to run name-based background checks on applicants for employment. Yet, because of fears that the FBI would not approve the use of their database for such a purpose, the Census Bureau decided to use their privileged access to that database. This determination meant that every background check performed would be a felony and violation of the trust reposed in the Census Bureau. The determination not to contact the FBI and make an agreement about the use of their database was also a violation of the Privacy Act.

The Privacy Act was established to govern the use of personal information by Federal agencies. It came into being in 1974, following the abuses of personal information practiced under the Nixon administration. There are a number of abuses of personally identifiable information by Federal agencies that the Privacy Act was intended to prevent. The Privacy Act is one of the few Federal laws to which the Federal government has waived its immunity.
Because it is possible for the Executive branch to wrongly use a person's personal information without their knowledge or consent, the Privacy Act has a statute of limitations that starts when people are informed of the wrongdoing.

The Census Bureau simply ignored every requirement of the Privacy Act in establishing its computer-based name-matching program. One of the requirements is for the establishment of data-matching agreements and the establishment of data integrity boards between data source agencies and data recipient agencies.

The Census Bureau was right to be concerned that the FBI would not approve the use of the name-based criminal history system for criminal background checks. The reason is that the FBI knows that the name-based criminal history system falsely identifies a person as having a criminal history about as many times as it makes a correct determination. In addition, for every hundred people with a criminal history that the system correctly identified it misses 12 who use a different name. The Census Bureau was aware that using the FBI's name-based system would result in the Bureau hiring some applicants with a criminal history. (See attached)

The total number of violations of specific laws under the Privacy Act the Census Bureau engaged in is over seventy. These include at least two criminal violations. The Census Bureau determined to have at least seven applicants for every job opening. The total number of applicants for hire is estimated at around seven million.

Because the Census Bureau was aware that the FBI's name-based background check system has an error rate, and did not want to use applicants' social security numbers in performing the background check, it determined to have applicants complete DoJ/INS Form I-9. This form was originally created to protect those who can lawfully be employed in the United States.
On this form employers are required to have employees make a declaration that they can lawfully work in the United States and employers are required to transcribe information from those documents to the form. It is illegal for employers to use the information from that form, and is a law that applies to every entity in every branch of the Federal government.

This is where I come into the story. Having been an employer, I knew that it was illegal to require applicants to complete the form. I was told that my application would not be accepted unless I completed both the employee and employers sections of the form. To me this evidenced an intention to use the information from the form. The question that naturally arose in my mind was to what purpose would a prospective employer, who happens to be the Census Bureau, use personal information? The answer, to conduct a background check on applicants, came automatically. Then I asked myself, what database would the Census Bureau use to conduct such a background check? The answer, the FBI's name-based criminal history system, also came naturally.

As owner of the Disaster Center web site, I have spent years studying the use of databases and disaster communication techniques that are possible in the digital age. Here was an issue of central importance to our lives in this new age, which is that the quality of a database is more important than the quality of our character. I knew that to construct a name-based criminal history system would require that literally tens of thousands of jurisdictions and many agencies with those jurisdictions would have to compile historic data into a database, which would by its complexity result in a huge error rate. I also knew that a name is not a positive form of identification, and that compiling local, State, and Federal databases together would result in the error rates compounding.
So I refused to complete Form I-9, but I did complete part of the form and told the person taking the applications that whoever told her not to accept an employment application without a completed Form I-9 had told her to engage in an illegal act. She then took my application and the partially completed Form I-9.

The Census Bureau did what it did because it was a more efficient way of hiring applicants. Here too is a problem of the digital age. Given that the Census Bureau had seven million applicants for employment it was cost effective to wrongly deny an estimated 500,000 innocent people for consideration for employment. It did this without their knowledge or consent, and it did this in violation of a trust given to it by Congress.

When we consider the number of criminal violations (at least four) and the number of applicants (an estimated seven million) it was and is the greatest crime ever committed by the government of the United States against the people. In their effort to protect the people of the United States from Census takers who may have a criminal history the Census Bureau engaged in approximately twenty-eight million crimes.

Christopher Effgen

http://ftp.census.gov/dmd/www/text/pl2000.txt
www.house.gov/judiciary/loes0518.htm

I wish you all well in your efforts to stop the program that DoT is preparing to embark upon. If there is anything that I can do to help, please let me know.

Christopher Effgen
6921 Weimer
Anchorage, AK 99502
907-248-8363

------ End of Forwarded Message