Privacy-related comments on Hastert bill on intelligence reform

[David Farber <dave () farber net>]

Begin forwarded message:

From: Peter Swire <peter () peterswire net>
Date: September 27, 2004 9:42:19 AM EDT
To: "Dave@Farber. Net" <dave () farber net>
Subject: Privacy-related comments on Hastert bill on intelligence reform

Dave:
 
    Some congressional staffers asked me to analyze the bill that  
Speaker Hastert introduced on Friday on how to do intelligence reform.   
The bill is scheduled for markup this Wednesday in the House Judiciary  
Committee.  Perhaps the following comments can highlight some  
particular problems with the current bill. (There are undoubtedly more  
problems with the bill, but this is a start.)
 
    Overall, the most glaring privacy problem with the bill is that it  
does not create any mechanism government-wide to serve as a watchdog on  
privacy and civil liberties.  A huge theme of the bill is "information  
sharing."  But its approach is silo-by-silo, with a separate privacy  
officer in various agencies and a "civil liberties protection officer"  
for the National Intelligence Director.  There is little reason to  
think that this bill will allow any inter-agency, coordinated control  
on privacy or civil liberties.
 
    By contrast, the current Senate bill understands that there needs  
to be a function within the Executive Office of the President that  
coordinates privacy and information sharing across agencies.  It  
creates a Civil Liberties Board as specifically called for by the 9/11  
Commission.  Offering that provision as a substitute for Section 1022  
would be a big improvement.
 
    Perhaps the majority is trying to have the inter-agency management  
of these issues be done through the civil liberties board created  
recently by Executive Order by President Bush.  My editorial at  
http://www.americanprogress.org/site/pp.asp? 
c=biJRJ8OVF&b=180251 explains why the Executive Order is so badly  
flawed.
 
    Here are some more specific comments:
 
    Sec. 1022 on Civil Liberties Protection Officer. What is missing  
here is what is included in the Collins-Lieberman draft, such as: an  
annual report; stronger subpoena powers; power to get advisory  
committees of experts on information privacy and civil liberties, and  
so on.  Include the Senate bill provision as a substitute, or add the  
powers piece-by-piece.
 
    Section 2001.  Strike the "lone wolf" provision.  FISA orders  
outnumbered all law enforcement wiretap orders in 2003, for the first  
time.  A long-term wiretap is now allowed under FISA for any "agent of  
a foreign power", which includes international terrorist groups.   
Without the requirement of a link to a foreign power, there are grave  
constitutional questions about whether this secret wiretap is allowed  
under the Fourth Amendment.  Furthermore, the "lone wolf" provision  
opens the door wide to surveillance of citizens for  
domestic surveillance and law enforcement purposes.  Searches within  
the U.S. should still presumptively be done in compliance with the  
Fourth Amendment.  My article on "The System of Foreign Intelligence  
Law", with a detailed history of FISA and many reform proposals, is at  
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=586616 .  (That  
article is too detailed for use at markup this week, but addresses many  
issues relevant to updating of the Patriot Act.)
 
    Section 2023.  False Statements in Terrorism Cases.  This provision  
increases penalties for false statements in "terrorism" cases.  The  
problem here is that an ordinary identity theft case can become a  
"terrorism" or "material assistance to terrorism" case if someone gets  
false immigration papers and then there is a small link to alleged  
terrorist funding sources such as a charity.  There is no evidence that  
the problem has been the lack of penalties for people properly  
convicted of being involved in terrorism.  The problem is that the  
Justice Department has essentially found no cases that are really  
terrorist cases.  Strike the provision.
 
    Section 2142.  Criminal History Information Checks.  This provision  
lacks all of the checks and balances one would expect to see: (1) There  
are no re-disclosure limits.  That means the employer can place the  
criminal history information up on the Internet after receiving the  
record from the government. (2) There are no requirements that the  
employer be in good faith when seeking the information from the  
government.  False requests for records would be ridiculously easy to  
do. Fraudulent requests for records would also be easy.  (3) There is  
no required notice to or consent by the employee who applies that the  
background check will be run, with notice of where to get access and  
correction if there are mistakes about the employee's records.
    In general, the Fair Credit Reporting Act has the provisions in  
place to prevent abuse.  The criminal history provision has not begun  
to grapple with the basic due process for criminal records and  
fingerprints that we of course require when people (including  
employers) seek a credit history.
 
    Section 2183.  Registered Traveler Program.  Prominent security  
experts have made compelling arguments about how the registered  
traveler program would actually decrease security.  In short,  
enrolling a member in the program would become the logical target for  
every terrorist group.  Once the group had a member in the group, there  
would be a guaranteed easy route to getting on a plane with less  
scrutiny.  Instead of "expediting" the program, the program should  
receive much more careful scrutiny.
  
    Section 5091.  Rulemakings require privacy impact assessments.   
This is a promising provision.  The scope of the PIAs should include:  
"(v) an explanation of what legal and other mechanisms will assure  
compliance with the privacy protections described in the assesment."   
The current draft requires the PIA to set forth the protections for  
notice, consent, access, etc., but does not contemplate any discussion  
about how the supposed protections will actually be implemented over  
time.
 
    Section 5091.  Disclosure of PIAs to the public.  Currently the  
bill allows a national security determination when a PIA cannot be made  
public.  That approach basically follows the E-Government Act of 2002  
for not having some PIAs be made public for national security  
purposes.  The bill should also have the provisions of the E-Gov Act,  
though, that requires the agency to send such PIAs in full to the  
Office of Management and Budget.  That way the agency still has some  
accountability to persons outside of the agency, and Congressional  
oversight is possible by asking OMB for information (available to  
Congress in closed session) about the PIAs that are kept secret.
 
    Section 5092. Chief Privacy Officers for Agencies with Law  
Enforcement or Anti-Terrorism Functions.  I support this provision --  
having specific persons with responsibility to watch for information  
privacy problems is essential to helping each agency think through the  
issues before they implement systems.  Once again, however, there is NO  
inter-agency coordination or White House leadership.  It is crazy in an  
"information sharing" environment to have no policy process to handle  
privacy issues that cross agency lines.  There needs to be a position  
in the Executive Office of the President (or at a minimum an  
inter-agency council with some specified and competent leadership) to  
handle the inter-agency issues.
 
    Peter
 
   
  
  

Prof. Peter P. Swire
Moritz College of Law of the
   Ohio State University
John Glenn Scholar in Public Policy Research
(240) 994-4142; www.peterswire.net
  

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/