Bushwhacking Privacy

The administration has delayed and defused privacy-oversight efforts until Bush's pet projects are in place. By then, any oversight will be beside the point.


OVER THE NEXT few months, the U.S. government plans to roll out a series of initiatives to enhance the nation's security, each carrying the potential to strip away more and more of your privacy in the name of protecting your liberty.

In theory, all these projects should have been planned, designed and launched with input from the Privacy and Civil Liberties Oversight Board, which was created last year by near-unanimous congressional assent at the urging of the 9/11 Commission, to protect against overly intrusive security practices in all federal agencies.

In reality, however, the Bush administration has delayed staffing and funding the interagency privacy board while its pet projects have moved to fruition, including the following:

• Secure Flight, a new air-travel passenger-screening system set to debut, will put a host of "watch list" information, possibly including criminal records, at the fingertips of airline employees.

• New passports will soon be fitted with radio-frequency identification (RFID) tags that transmit all the holder's personal information ... a desirable target for identity thieves using "skimming" equipment.

• States will now be required to meet national-security standards for drivers' licenses, increasing the amount of information collected and displayed.

• A new Homeland Security Operations Center Database will compile governmental intelligence, law-enforcement files, private-sector data, financial records, media reports and material from commercial databases, and analyze them for suspicious activity or correlations.

Meanwhile, privacy advocates are already questioning the effectiveness and sincerity behind recent administration moves, which include establishing a weak Department of Homeland Security privacy-advisory board, and halfhearted attempts by other federal agencies to name privacy officers and ad hoc privacy committees. Add to that the current debate in Congress over reauthorization of the USA Patriot Act, which has long angered civil libertarians with its provisions permitting the FBI warrantless access to medical, student and library records. "This year will pretty much determine whether we have any kind of privacy at all, because all of these things are coming to a head," says Bob Barr, former Republican congressman from Georgia.





FEW AMERICANS can precisely define what they expect of their government with regard to privacy, but, as with pornography, they know an intrusion when they see it. A privacy intrusion happens when you give information to one entity, and it hands it to another without your knowledge. It happens when information you give for one purpose gets used for another. It happens when your name appears on a watch list without a fair chance to prove that it doesn't belong there. And it happens when a government agent looks into your activities without a good reason ... one approved by a judge.

All these things have taken place over the last few years, as the federal government, understandably, moves zealously to implement systems and policies to stop potential terrorists. Which is precisely why last July's 9/11 Commission Report recommended the creation of the interagency Privacy and Civil Liberties Oversight Board, and Congress created it as part of intelligence-reform legislation in December.

But George W. Bush has yet to nominate a single member to the board or provide it with a single dollar. For the 2006 fiscal year, the first when it will be funded, its budget is a pitiful $750,000.

Frustrated by the inaction, four senators ... including Republican Susan Collins of Maine ... sent an open letter of complaint to Bush's chief of staff last month, while other congressmen are seeking to start over by creating a new privacy-oversight board. The administration has given no public reaction to the letter, and would not comment for publication.

But the delay should come as no surprise, because despite claiming publicly to support the idea of privacy protection, the administration has fought against it all along. "I think it's fair to say that this is an administration that doesn't care that much about privacy," says Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University and author of Privacy in the Information Age (Brookings, 1997). Cate recently served on a privacy-advisory committee for the Department of Defense, which, like the 9/11 Commission, called for the establishment of a government-wide privacy-oversight board. Its final recommendations, presented a year ago, have not been implemented.

In fact, soon after the release of the 9/11 Commission Report, Bush set out to undermine the suggestion, by creating the toothless President's Board on Safeguarding Americans' Civil Liberties by executive order in August 2004. The powerless entity, which never got off the ground, would have consisted only of executive-branch personnel ... "the same people the board was supposed to be advising and keeping in check," says Tim Edgar, legislative counsel for the American Civil Liberties Union, in Washington, D.C.

The leaders of the Senate Committee on Homeland Security, Collins and Joseph Lieberman of Connecticut, demanded something stronger. Several close observers, including Rep. Tom Udall of New Mexico, say that the negotiations ended with a quid pro quo: the senators agreed to give Bush the interagency-information-sharing powers he wanted in the intelligence-reform bill, and in return he let them create the privacy board, albeit a heavily watered-down version, to oversee the use of those powers.

But when Bush failed to staff and fund the board, the quo never materialized. "We thought that the bill actually did a good job creating privacy-oversight mechanisms," says Ari Schwartz, associate director of the Center for Democracy and Technology, a Washington-based government-watchdog group. "But none of them have been put in place."

Udall is now co-sponsoring a bill that would recreate the interagency privacy board with its originally conceived powers, including bipartisan nominations and subpoena power. Meanwhile, Collins and Lieberman, along with Democrats Richard Durbin of Illinois and Patrick Leahy of Vermont, are pressuring the White House to name members to the board and increase its funding. "I think they [the Bush administration] are solely focused on the security issues, with little interest in the protection of civil liberties," says Udall. "We are trying, in a bipartisan way, to restore some balance, and the Bush administration is opposing us."

Udall thinks Congress has leverage now, thanks to the upcoming reauthorization of the 2001 USA PATRIOT Act; many of the law's most controversial portions, including expanded governmental surveillance powers, expire this December. "They want this bill badly," Udall says. Privacy advocates are trying to remove some provisions and add judicial oversight to others, including the notorious authority to snoop into library-borrowing records. The Bush administration, for its part, is trying to add even more snooping powers, including granting the FBI access to business records without a court order. "They're trying to push on these other fronts that they know they won't get, so they can act like they're giving something up and still get their whole ball of wax," Udall says.

Meanwhile, the tug-of-war over the Privacy and Civil Rights Oversight Board is becoming increasingly moot, as privacy-invasive projects get up and running. A perfect example just occurred with the passage of the Real ID Act, signed into law in April. The act requires that every driver's license display the holder's permanent residence. That presents a significant privacy dilemma for the many states that currently exempt certain potential crime targets ... judges, law-enforcement personnel, domestic-violence victims ... who need to keep their addresses private.

A privacy-advisory group might have caught and avoided that problem ... in fact, one was doing so. The Department of Transportation had assembled a committee to help ensure privacy in the new standards, and it was working on solving that exact problem, says Schwartz, who was on the committee. But rather than let the advisory body do its oversight work, Republicans sped the bill into law with the printed-address requirement intact ... and dismantled the privacy committee.







THE DEPARTMENT of Transportation and a number of other departments have now been mandated, in their latest budget authorizations, to appoint a chief privacy officer. But most departments, including Transportation, have simply appended that responsibility to the existing chief information officer. No new watchdogs have been added to the process.

One department, however, has had a real chief privacy officer for two years, and it's the division that most needs one: the Department of Homeland Security (DHS). Cobbled together from more than 20 agencies, DHS has 180,000 employees and produces many of the most controversial anti-terrorism projects.

Congress mandated the DHS privacy office in the wake of one of the Bush administration's most notorious efforts to increase its ability to gather, share and analyze information about private citizens: the Department of Defense's Total Information Awareness (TIA) project. TIA was supposed to bring together financial, medical, communications, travel and intelligence records, to be sifted through by sophisticated "data mining" software programs in search of suspicious patterns and associations. When the New York Times reported on the program in late 2002, the public was horrified, and less than a year later Congress killed it.

Nuala O'Connor Kelly, 36, was named DHS chief privacy officer by DHS secretary Tom Ridge in April 2003, but for months she and an assistant constituted the entire operation. It is now a $30 million office with staff that includes several people with strong privacy credentials. Kelly herself, previously with the Commerce Department, learned about privacy when she was hired by Internet-advertising company DoubleClick to mop up after it was caught tracking and analyzing ordinary people's Web usage.

But despite the budget and personnel, there is little reason to believe that Kelly, a political neophyte and Bush loyalist, has much influence. The DHS privacy office has no real power or authority; even its annual report gets cleared by the department. It has so far mostly produced privacy assessments that focus on technological aspects of project implementation.

Kelly's impotence became apparent during her investigation into the JetBlue scandal. The DHS's Transportation Security Agency (TSA) had asked for, and received, five million customer data profiles from the JetBlue airline company, without notifying Congress or the public as required by law. In an internal e-mail obtained by the nonprofit Electronic Privacy Information Center, Kelly is seen begging TSA's deputy administrator for help obtaining documents and information she has been requesting from TSA staff. The deputy administrator, Carol DiBattiste, replies dismissively that "TSA Public Affairs has no information in response to your request."

Now, as the TSA prepares to implement its controversial Secure Flight passenger-screening initiative, that agency's disdain for privacy appears unchanged: it has quietly stopped calling meetings of the privacy-advisory group established by Kelly's staff to advise that project, according to Schwartz.

"I think the privacy officer serves some useful function, at least as a liaison," says the ACLU's Edgar. "But at the end of the day, it's just somebody for us to complain to."

It also took two years to put together a privacy-advisory board that is supposed to provide outside scrutiny of DHS privacy practices for Kelly ... and when she finally named the members this February, the selections made clear that privacy advocates shouldn't expect too much. "A lot of these folks work for technology companies that also sell to the government," says James Harper, a member of the committee and director of information-policy studies at the Cato Institute, a libertarian think tank in Washington, D.C. "There is an instinct among many on the board that we're going to look at implementation of specific initiatives on a technical level," rather than question the initiatives or policies themselves, he says.

Then in April, at its inaugural meeting, this external advisory board selected Paul Rosenzweig as its chairman. Rosenzweig, a senior research fellow at the conservative Heritage Foundation, has in the past publicly defended almost every Bush-administration privacy and civil-liberties intrusion, including the TIA project and the denial of legal rights to American citizen and suspected terrorist Jose Padilla.

Of course, whatever the influence wielded by Kelly and her new advisory board, their scope is limited to DHS. The electronic-passport initiative comes from the State Department; the driver's-license project began at Transportation (the Real ID Act moved it to DHS).

That's why the 9/11 Commission and others said that broader oversight was needed ... and why it existed under Bill Clinton. Clinton appointed Peter Swire as the country's first chief counselor for privacy in March 1999. Bush did not maintain the position.

"Nuala Kelly is in one agency, and information sharing happens across multiple agencies," says Swire, now a law professor at Ohio State University. "Someone should be in the room as programs are being developed, to make sure that they bake in civil liberties. That was the role I played." He was part of the Office of Management and Budget (OMB), which gave him authority, Swire adds. "If you don't respect OMB, you might have some of your budget taken away."

But even with Swire in office, and before 9/11 electrified the atmosphere, government agencies were able to move forward with some of their privacy-busting initiatives. In the summer of 2000, the Wall Street Journal reported on the FBI's Carnivore Project, in which specialized computers would intercept and scan all Internet traffic to and from a targeted suspect. Privacy groups threw a fit. So where was the privacy czar? "My office didn't learn about Carnivore until it was in the papers," Swire says.

Which makes the current situation of such concern. "It's more likely today that you'll have an unvetted program," Swire says.







JOHN MCCARTHY, executive director of the Critical Infrastructure Protection Project at George Mason University and a top Bush-administration adviser on privacy and security issues, cautions that the public, and even most privacy advocates, doesn't know what happens inside the meetings where key decisions are made. "I don't see a dismissive attitude about privacy," he says. "I see a great deal of concern."

Nevertheless, McCarthy agrees that security-minded government agents need oversight, to help them see the unintended consequences of their projects ... the kind of "mission creep" that inevitably leads to the worst privacy intrusions and the loudest protests from the public. McCarthy points to the new Transportation Worker Identification Credential, an electronic identification card meant to improve security at ports. DHS was surprised by resistance to the system among unionized workers in Long Beach, who are concerned that the system will be used to monitor their work hours.

Similarly, the gathering of personal information under CAPPS II ... an ill-fated air-traveler-profiling project scrapped due to privacy concerns (computer software would have assigned each passenger a color-coded tag based on collected data) ... probably wouldn't have set off the alarms it did, says Cate, "but [Attorney General] John Ashcroft kept saying, 'We can use this data for all kinds of other things.'"

These security initiatives, once in place, will be with us for many years to come and will not only affect our privacy, but will likely lower our civil-liberty expectations, leading to further intrusions. "I think in 10 years, we're going to be talking very differently than we are now about privacy," McCarthy says. Which is why the conversations need to take place now.
