Interesting People mailing list archives

Analysis of DoT's Privacy Act Comments


From: Dave Farber <dave () farber net>
Date: Sun, 02 Mar 2003 19:46:43 -0800


------ Forwarded Message
From: Christopher Effgen <build () gci net>
Date: Sun, 02 Mar 2003 13:54:51 -0900
To: dave () farber net
Cc: jmorris () cdt org
Subject: Analysis of DoT's Privacy Act Comments

Dear Dave Farber,

Below is an analysis of comments submitted in response to DoT's proposed
System of Records.  Following the analysis is a summary of a case that I
have been pursuing for the last three years, which will I believe, at the
very least, result in the program being withdrawn.

Christopher Effgen

This is a compilation of the Privacy Act statutes cited in the major
responses to DoT's proposed System of Records.  It is anticipated that one
or more of the responders is preparing a legal challenge to the proposed
System of Records, and that this compilation be of some assistance to that
objective.

Center For Democracy And Technology
5 U.S.C. §552a(b)(7)
The Privacy Act allows a data collector to provide information to law
enforcement officials upon a written request for specific information, see 5
U.S.C. 552a(b)(7); TSA indicates that it will volunteer potentially vast
amounts of information to law enforcement officials under Routine Uses 1 and
7. TSA must clearly explain how it will decide whether to provide other
agencies and private entities with access to its information. Vague
assertions about "security" are simply inadequate.

Privacy Act statutes cited
Jim Harper, Editor, Privacilla.org
http://dmses.dot.gov/docimages/pdf84/234486_web.pdf
5 U.S.C. 552a(k)(1) and (k)(2)

The Department invokes Privacy Act sections 5 U.S.C. 552a(k)(1) and (k)(2)
to deny notice to individuals when they are part of the database and to deny
individuals access to data about themselves in the database.  The Department
may not create a database of all air travelers in the United States, shield
the database from public view using national defense and law enforcement
exceptions to the Privacy Act, and simultaneously claim that it is not
treating all travelers as suspects. This is a "suspects" database.


Electronic Privacy Information Center
http://dmses.dot.gov/docimages/pdf84/233868_web.pdf
5 U.S.C. §552a(e)(1)(7)
5 U.S.C. §552a(d)
5 U.S.C. §552a(k)

5 U.S.C. §552a(e)(d)
The Privacy Act requires the agency to collect data directly from the
subject as far as possible, and to provide rights of access and correction.
5 U.S.C. §552a(k)
However, the TSA has provided no information about where the data will be
collected from, whether those sources are accurate, whether the data will be
collected following lawful procedures based upon a showing of particularized
suspicion, and whether the data subject will have rights of access and
correction. In fact, the TSA notice explicitly denies the right provided by
the Privacy Act to access the system of record for the "purposes of
determining if the system contains a record pertaining to a particular
individual."
5 U.S.C. §552a(e)
The Privacy Act also limits the collection of information by requiring that
only relevant data be collected for a limited purpose. The TSA has not
provided any clarity on the actual purpose of this data collection, or
whether the creation of a Passenger Database is narrowly tailored to that
purpose.

Electronic Frontier Foundation
5 U.S.C. 552a(e)(2)(4)(B)(C)(9)(10)
5 U.S.C. 552a(k)(1)(2)
5 U.S.C. 552a(e)(4) The purpose of this notice requirement is to provide the
public with meaningful information about the system of records. Unfortunately,
the current notice includes so many vaguely-defined, open-ended and
inconsistent statements that it should not be considered such a notice.
Under 552a(e)(4)(B), an agency must publish "the categories of individuals
on which are maintained in the system." This description of "categories" is
too vague to be valid. The proffered description is so broad that it could
be interpreted to include all passengers (since after all, any passenger is
a possible risk and potential threat).
Categories of records (C)
Under 552a(e)(4)(C), an agency must publish "the categories of records"
maintained in the system. The information stored for "deemed" individuals
contains several categories that are unbounded; the information "may
 include" such extremely broad categories of risk a reports, financial and
transactional data, public source information, proprietary data, information
from law enforcement and intelligence sources. are such broad categories as
to be open-ended in practice.
Routine uses (D)
"Because it is difficult to envision an agency that does not have some
investigative unit one could only conclude . . . that the [agency] might
disclose any information it possessed to virtually any agency in the
executive branch. Such breadth fails to constrain in a meaningful manner the
[agency's] discretion to disclose information."
Policies and practices regarding storage, retrievability, access controls,
retention, and disposal of records (E)
The regulations here specify minimum safeguards substantially weaker than
industry best practices. As to retention and disposal, we also believe that
the ASSR notice is inadequate. The records of a "deemed" individual may be
retained for up to 50 years.
The notice of "routine uses" does not meet the (a)(7) requirement
Sec. 552a(a)(7) of the Privacy Act defines a "routine use" as "a use of a record
for a purpose which is compatible with the purpose for which it was
collected." Several of the "Routine Uses" of information described in these
regulations go so far beyond the stated purpose of facilitating an aviation
security-screening program or more generally ensuring aviation security that
they should be regarded as "incompatible."  The statutory requirement of
compatibility requires "a dual inquiry into the purpose collection of the
record in the specific case and the purpose of the disclosure." Britt:
548-549 F.2d at 844

There is a substantial likelihood that ASSR violates (e)(2)
The basic purpose of (e)(2) is to "reflect[] the basic principle of fairness
. . . that where government investigates a person, it should not depend on
hearsay or 'hide under the eves,' but inquire directly of the individual
about matters personal to him or her." S. Rep. No. 93-1183, 47 (1974),
reprinted in 1974 U.S.C.C.A.N. 6916,6962.
There is a substantial likelihood that ASSR violates (e)(9) and (e)(10)
. the notice simply states that the computer system from which records could
be accessed is policy and security based with real time auditing" and that
"[I]nformation in this system is safeguarded in accordance with applicable
rules and policies, including the Department's automated systems security
policies."
The (k)(1) and (k)(2) exemptions are insufficiently supported
TSA claims that this system of records is exempt from various Privacy Act
requirements pursuant to 5 U.S.C. §552a(k)(1) and (k)(2). Neither claim,
however, is adequately supported.
Even if the (k)(2) exemption is justified, the stated access procedures are
insufficient
The Routine Uses include several ways in which the information in this
system may be used to deny an individual access to a right, privilege, or
benefit to which he would otherwise be available, so the access described in
5 USC 552a(k)(2) must be provided.



American Civil Liberties Union
5 U.S.C. 552a(a)(2)(7)
5 U.S.C. 552a(d)(1)(2)(4)
5 U.S.C. 552a(e)(2)(4)
5 U.S.C. 552a(f)
5 U.S.C. 552a(k)(1)(2)

552a(e)(2)(4)
The Privacy Act makes plain that federal agencies should "collect
information to the greatest extent practicable directly from the subject
individual when the information may result in adverse determinations about
an individual's rights, benefits, and privileges under Federal programs"
and, if personal information is not directly collected from an individual,
notify the public as to the "source" of the information.

552a(k)(1) and (2)
The stated purpose of the ASSR database, however, is for an "aviation
security screening" program. The purpose is not to conduct intelligence or
law enforcement investigations of air passengers and the notice makes clear
that lots of unclassified information would be contained in the database.
Therefore, DOT appears to be in error when it relies on these exceptions.
552a(a)(7).
The Privacy Act provides limited exceptions to this rule for specific
government functions. The "routine use" exception allows for "the use of
such record for a purpose which is compatible with the purpose for which it
is collected."
552a(f)
As a general rule, the Privacy Act requires federal agencies to provide any
individual notice that the individual is listed in the database.
552a(d)(1)
The opportunity "to gain access to his record or any information pertaining
to him contained in the system. . . ."
552a(d)(2)-(4)
And, the opportunity to both request an amendment to his record and
challenge the refusal of an agency to amend the record upon request.
552a(k)(1) and (2)
Once again, however, the DOT errantly attempts to apply the same exceptions
for "investigatory material compiled for law enforcement purposes" and
classified information to avoid the Privacy Act's full public accountability
requirements. Because the DOT relies on the (k)(1) and (2) exceptions, there
is no guarantee an individual will ever get a response from the government.
DOT stretches these exceptions too far. Even under the exception for
"investigatory material" in (k)(2), the Privacy Act requires that "if any
individual is denied any right, privilege, or benefit that he would
otherwise be entitled to under Federal law, or for which he would otherwise
be eligible, as a result of the maintenance of such material, such material
shall be provided to such individual . . ."
552a(a)(2)
As the Act articulated in its findings, "the increasing use of computers and
sophisticated information technology, while essential to the efficient
operations of the government, has greatly magnified the harm to individual
privacy that can occur from any collection, maintenance, use, or
dissemination of personal information."
552a(e)(4)
Given the current debate over CAPPS II and other similar data mining and
surveillance tools, the DOT should be clear about what program is at issue
and disclose the connection between ASSR and the CAPPS. To do otherwise is
to obscure public debate on a controversial topic that cuts to the core of
privacy and freedom and could run afoul of the Privacy Act's notice
requirements.



Christopher Effgen


5 USC 552a(b)(7)(8)(B)(11)
5 USC 552a(c)
5 USC 552a(e)(2)(3)(4)(A)(B)(C)(9)(10)
5 USC 552a(o)(2)(C)(D)
5 USC 552a(i)(2)
5 USC 552a(k)(1)(k)(2).
5 USC 552a(o)(1)(A)(B)(C)(D)(i)(ii)(E)(F)(G)(H)(I)(J)(K)(2)(A)(i)(ii)(B)(C)(D)
5 USC 552a(p)(1)(A)(i)(ii)(iv)(B)(C)(i)(ii)(2)(A)(B)(C)
5 USC 552a(q)(1)(2)(A)(B)
5 USC 552a(u)(1)(2)(A)(B)(C)(D)(i)(ii)(iv)(v)(vi)(E)(F)(G)(H)(4)(A)(B)(C)(5)(A)(B)(i)(ii)(iii)(C)(D)(6)
5 USC 552a(m)
5 USC 553(c)


5 USC 552a(o)(2)(C)(D).
The program may not become effective until 30 days after publication of
notice of a Matching Agreement(s). An expiration date needs to be
established for any Matching Agreement(s) under the terms set out in
5 USC 552a(o)(1)(A)(B)(C)(D)(i)(ii)(E)(F)(G)(H)(I)(J)(K)(2)(A)(i)(ii)(B)(C)(D)
The Privacy Act has procedures that require that no record in a System of
Records be disclosed to a recipient agency or non-Federal agency except
pursuant to a written agreement between the source agency and the recipient
agency or non-Federal agency, when used for computer data matching.
5 USC 552a (p)(1)(A)(i)(ii)(iv)(B)(C)(i)(ii)(2)(A)(B)(C)
The Privacy Act requires that individuals have an opportunity to contest
findings where individual records are used in a matching program and used to
suspend, terminate, reduce, or make a final denial of any Federal benefit or
to take other adverse action against an individual.
5 USC 552a (q)(1)(2)(A)(B)
The failure to comply with these procedures subjects the agency to sanctions
under
5 USC 552a(u)(1)(2)(A)(B)(C)(D)(i)(ii)(iv)(v)(vi)(E)(F)(G)(H)(4)(A)(B)(C)(5)(A)(B)(i)(ii)(iii)(C)(D)(6)
Data integrity boards must be established to oversee and coordinate the
implementation of the program under:
5 USC 552a(b)(7)
Each of the sources of information used to compile information is considered
to be source agencies for purposes of the Privacy Act. Individuals are
entitled to access these records except where subject to
5 USC 552a(e)(3)(C).
Under the Privacy Act, Routine Uses do not have to be disclosed to the
individual who is subject to a lawful Routine Use. However, at the time the
information is collected individuals are required to be informed of the
Routine Uses
Under 5 USC 552a(m)
Contractors are to be subject to the agency regulations adopted under the
Privacy Act and subject to criminal penalties under 5 USC 552a(i).
5 USC 552a(e)(9)(10)
The TSA is required to establish rules of conduct and safeguards to ensure
the security of the records. The agency is required to protect against any
anticipated threats or hazards to the record's security or integrity, which
could result in substantial harm, embarrassment, inconvenience, or
unfairness to any individual.
5 USC 552a(b); (e)(2)(3)(A)(B)(C)(10)
Employment is a regulated activity under the Privacy Act, and under 5 CFR
731.101. There are no Routine Uses of information related to employment, the
issuance of a license, contract, grant, or other benefit. Applicants for
employment, a license, contract, grant or benefit must be informed and give
consent to the use of their personal information in data matching for these
purposes. They must also be given the opportunity to dispute any negative
determination.
5 USC 552a(b)(11)
5 USC 552a(c)
The Privacy Act may not be used as a shield to regulate Court ordered
discovery. Records compiled are required by 5 USC 552a(c) to be maintained
for 5 years. This provision of the Privacy Act is intended to preserve
evidence of actions by agencies involving violations of the law and of the
rights of people. In the information age our digital identity plays an
unprecedented role in determining our rights and the scope of our liberty.
This proposal involves data matching with multiple databases that begins
with a form of identification that is not a positive form. It proposes that
an individual's identity may be to all intents and purposes permanently
associated with information that may or may not be related to the individual
whose rights and liberty are affected.
5 USC 552a(k)
Given the proposed uses of this System of Records, individuals are required
to give consent and be informed of the uses that will be made of the
information that they provide. Exemption (k) does not operate to exempt the
System of records from meeting the requirements of 5 USC 552a(b);
(e)(2)(3)(A)(B)(C)(10). Exemption (k) only applies to records compiled after
the commencement of a law enforcement investigation.
5 USC 552a(7)
There are issues here dealing with freedom of speech, 5 USC 552a(7), with the
fundamental nature of individual liberty. A government can act
irresponsibly, incompetently and without regard to law when the disclosure
of such actions is protected by the justification that those sources need
not be disclosed.
5 USC 553(c)
There needs to be a concise general statement of the basis and purpose for
the application of these exemptions, as required under 5 USC 553(c) by 5 USC
552a (k). The implications of this proposal are so far reaching that the
agency should consider providing interested parties the opportunity for a
hearing as would be required under 5 USC 553(c).
5 USC 552a(k)(1)(2)
Information related to a background investigation is not exempt from this
provision unless compiled as a result of a specific criminal investigation.
That investigation must be based on a legitimate concern that federal laws
have been violated or there is a legitimate belief that national security
has been breached.
Given the inapplicability of the claimed exemptions under 5 USC
552a(k)(1)(2) the exempted sections do not apply to this System of Records.
The application of the exempted sections needs to be addressed with respect to
this System of Records as a matter of law.

A name is not a positive form of identification.

Before I became involved in a complaint with the Census Bureau, most of my
waking hours were spent developing the Disaster Center
(www.disastercenter.com).  As my involvement with that complaint continued,
my involvement with the development of the site gradually came to a
standstill.  The reason that I pursued my complaint with the Census Bureau
was because I foresaw that this proposal or something much like it would be
developed.

There are a few stories about what happened. There are my stories, what
happened to me. There is the story of what the Census Bureau did, and the
stories about what happened to the other people involved. There are also
stories about the agencies that I complained to, and how they responded to
the complaints. There is the story of the Government cover-up and how deep
within the administration it goes. At this point I believe that it goes at
least to the Attorney General.

The story I think you want to hear is the story about what the Census
Bureau did.

You can think of the Census Bureau as you would a priest in a confessional.
The Census Bureau is the Federal government's total information agency. The
Bureau has access to virtually every bit of information about you, both
public and private. In addition the Census Bureau has the power to compel
respondents to answer questions truthfully. This access and the power to
compel truthful testimony are grants of power, that if not tempered by rules
prohibiting the use of the information in courts of law, is the power of the
Inquisition. To make sure that the information that the Census Bureau was
given access to was not used, Congress made a promise to the people of the
United States that they could trust the government and made such a use a
felony, punishable by five years imprisonment.

In preparing to conduct the Year 2000 Census the Bureau had a problem of
needing to hire a large number of people quickly. One of the records that we
have is a note from a meeting in which the problem was discussed. (See
attached) In that meeting it was determined to use the FBI's named based
criminal history system to run named-based background checks on applicants
for employment. Yet, because of fears that the FBI would not approve the use
of their database for such a purpose, the Census Bureau decided to use their
privileged access to that database. This determination meant that every
background check performed would be a felony and violation of the trust
reposed in the Census Bureau. The determination not to contact the FBI and
make an agreement about the use of their database was also a violation of
the Privacy Act.

The Privacy Act was established to govern the use of personal information by
Federal agencies. It came into being in 1974, following the abuses of
personal information practiced under the Nixon administration. There are a
number of abuses of personally identifiable information by Federal agencies
that the Privacy Act was intended to prevent. The Privacy Act is one of the
few Federal laws to which the Federal government has waived its immunity.
Because it is possible for the Executive branch to wrongly use a person's
personal information without their knowledge or consent, the Privacy Act has
a statute of limitations that starts when people are informed of the
wrongdoing.

The Census Bureau simply ignored every requirement of the Privacy Act in
establishing its computer-based name-matching program. One of the
requirements is for the establishment of data-matching agreements and the
establishment of data integrity boards between data source agencies and data
recipient agencies. The Census Bureau was right to be concerned that the FBI
would not approve the use of the named-based criminal history system for
criminal background checks. The reason is that the FBI knows that the
named-based criminal history system falsely identifies a person as having a
criminal history about as many times as it makes a correct determination. In
addition for every hundred people with a criminal history that the system
correctly identified it misses 12 who use a different name. The Census
Bureau was aware that using the FBI's named-based system would result in the
Bureau hiring some applicants with a criminal history. (See attached)

The total number of violations of specific laws under the Privacy Act the
Census Bureau engaged in is over seventy. These include at least two criminal
violations. The Census Bureau determined to have at least seven applicants
for every job opening. The total number of applicants for hire is estimated
at around seven million.

Because the Census Bureau was aware that the FBI's named based background
check system has an error rate, and did not want to use applicants' social
security numbers in performing the background check, it determined to have
applicants complete DoJ/INS Form I-9.

This form was originally created to protect those who can lawfully be
employed in the United States. On this form employers are required to have
employees make a declaration that they can lawfully work in the United
States and employers are required to transcribe information from those
documents to the form. It is illegal for employers to use the information
from that form, and is a law that applies to every entity in every branch of
the Federal government.

This is where I come into the story. Having been an employer, I knew that it
was illegal to require applicants to complete the form. I was told that my
application would not be accepted unless I completed both the employee and
employer's sections of the form. To me this evidenced an intention to use the
information from the form. The question that naturally arose in my mind was
to what purpose would a prospective employer, who happens to be the Census
Bureau use personal information? The answer, to conduct a background check
on applicants came automatically. Then I asked myself, what database would
the Census Bureau use to conduct such a background check? The answer, the
FBI's named-based criminal history system, also came naturally.

As owner of the Disaster Center web site, I have spent years studying the
use of databases and disaster communication techniques that are possible in
the digital age. Here was an issue of central importance to our lives in
this new age, which is that the quality of a database is more important than
the quality of our character. I knew that to construct a named based
criminal history system would require that literally tens of thousands of
jurisdictions and many agencies with those jurisdictions would have to
compile historic data into a database, which would by its complexity result
in a huge error rate. I also knew that a name is not a positive form of
identification, and that compiling local, State, and Federal databases
together would result in the error rates compounding. So I refused to
complete Form I-9, but I did complete part of the form and told the person
taking the applications that whoever told her not to accept an employment
application without a completed Form I-9 had told her to engage in an
illegal act. She then took my application and the partially completed Form
I-9.

The Census Bureau did what it did because it was a more efficient way of
hiring applicants. Here too is a problem of the digital age. Given that the
Census Bureau had seven million applicants for employment it was cost
effective to wrongly deny an estimated 500,000 innocent people for
consideration for employment. It did this without their knowledge or
consent, and it did this in violation of a trust given to it by Congress.
When we consider the number of criminal violations (at least four) and the
number of applicants (an estimated seven million) it was and is the greatest
crime ever committed by the government of the United States against the
people.

In their effort to protect the people of the United States from Census
takers who may have a criminal history the Census Bureau engaged in
approximately twenty-eight million crimes.

Christopher Effgen
http://ftp.census.gov/dmd/www/text/pl2000.txt
www.house.gov/judiciary/loes0518.htm

I wish you all well in your efforts to stop the program that DoT is
preparing to embark upon. If there is anything that I can do to help, please
let me know.

Christopher Effgen
6921 Weimer
Anchorage, AK 99502
907-248-8363








------ End of Forwarded Message
