Protecting personal info raises the cost of security | Privacy Act of 1974 is showing its age | With 'crazy leap,' Kelly jumps into privacy
- By Alice Lipowicz
- May 21, 2005
Nuala O'Connor Kelly of DHS dismissed fears that the agency will try to evade the Privacy Act. "That is not going to happen on my watch," she said.
Edward Hammersla isn't bothered by the prospect of handing over his name and birth date to airport screeners under the Homeland Security Department's new "Secure Flight" passenger screening program that launches this summer.
As chief operating officer of Trusted Computer Solutions Inc. of Herndon, Va., Hammersla is an expert in IT solutions for exchanging data between networks. He has no qualms about sharing his own personal information, which Secure Flight will check against a list of suspected terrorists.
"These are facts everyone knows," Hammersla said.
But he does worry about privacy, primarily its mounting costs to those who build anti-terrorist systems such as Secure Flight. With privacy advocates calling for more protection in how personal information is collected, stored and shared, Hammersla and other IT contractors anticipate that Congress and state lawmakers will require even more stringent controls over personal information.
Privacy requirements are "adding enormous costs," Hammersla said. "It is more work for companies, and it's forcing them to have better security."
The tension between homeland security and privacy is creating uncertainty among contractors as to how the government intends to reconcile these two often-competing goals. Contractors that try to tackle privacy concerns solely as an IT or data security issue may quickly find their projects undermined by privacy's political or policy dimensions.
Congress has installed a privacy officer at DHS, but critics question whether the position has sufficient clout to be effective. The road ahead is not well marked, and Congress may need to play a larger role.
"There are some basic issues about privacy and identity that need new ways of thinking before all the mechanics can fall into place," Hammersla said.
BIG BROTHER IS WATCHING
The right of privacy, although not listed in the Bill of Rights, nonetheless is viewed as a fundamental right implicit in the First Amendment, which protects freedom of speech, and in the Fourth Amendment, which protects against unreasonable searches and seizures.
What has inspired the most passion is the prospect of "Big Brother" government able to track an individual's behavior by accessing records for credit cards, travel, law enforcement, professional licenses, finances and corporate information, among others. The sophisticated data mining techniques used for profiling terrorists could be abused and used against ordinary people, advocates fear.
"Private data in private hands is fine, but having the government use private data to make decisions is a different ball of wax," said James Harper, director of information policy studies at the Cato Institute, a think tank in Washington, and a member of Homeland Security's Data Privacy and Integrity Advisory Committee. "You have to be very concerned about due process."
Complicating the picture is the secrecy granted to the FBI and intelligence agencies -- in compiling watch lists of suspected terrorists -- and to DHS, which uses the lists in its screening and identity verification programs. Details on how the watch lists are created, as well as the thousands of names on the lists, are secret.
"What we have created are privacy-intrusive data systems with very little transparency and little oversight or accountability," said Lee Tien, senior staff attorney for non-profit advocacy group Electronic Frontier Foundation.
National security goals and privacy rights frequently have clashed, impelling Congress, when it created the Homeland Security Department in 2002, to order that a Privacy Officer be named to safeguard privacy rights.
IT contractors often view privacy primarily as a data protection, or information security, issue. IT security is viewed as a necessary condition for privacy. "You cannot be assured of privacy if you don't have data security," Harper said.
But improved data security is not sufficient to quiet widespread concerns regarding privacy.
A CONTRACTOR'S NIGHTMARE
Privacy travails have dogged homeland security IT programs. That trend looks to be continuing. It has led to enhanced scrutiny and revamps of existing programs, and may lead to additional compliance requirements for IT contractors.
Privacy concerns have slowed or blocked several major Bush administration anti-terrorism initiatives:
- Funding for the Pentagon's Total Information Awareness data mining program was yanked by Congress in 2003 after an uproar over its potential to intrude on privacy. Defense analysts had planned to use computers to sift through huge amounts of personal data, including medical records, credit card purchases and travel records, and to use algorithms to recognize patterns that could show a terrorist plot.
- The Justice Department withdrew plans in 2002, after a flurry of protests from civil rights groups, to implement its Terrorist Information and Prevention System, which asked mail carriers and meter readers to report suspicious activity near homes.
- The Multistate Anti-Terrorism Information Exchange (Matrix) law enforcement database, created in 2002 with funding from the Justice Department, dwindled from 13 states to four states because of public outcry over its invasive powers. The program quietly died in April when its federal funding ran out. However, Florida is considering creating a successor system.
- The Transportation Security Administration cancelled its CAPPS II airline passenger screening program in August 2004 after it was lambasted by privacy advocates and members of Congress for apparently failing to safeguard privacy. TSA acknowledged in mid-2004 that at least eight airlines had provided sensitive passenger data to contractors working on the screening program. The system drew on commercial databases, as well as government information, to profile travelers and identify those who required additional screening. However, TSA did not adequately enforce privacy protections when in 2002 and 2003 it collected and transferred data on 12 million passengers to contractors developing CAPPS II, according to a report in March 2005 from Acting Inspector General Richard Skinner. In addition, "TSA officials made inaccurate statements regarding these transfers that undermined public trust in the agency," Skinner's report said.
- Secure Flight, the successor to CAPPS II, may not meet its August 2005 rollout date because it has addressed only one of the 10 performance benchmarks ordered as of March by Congress, according to a March 28 Government Accountability Office report. DHS set up an oversight board -- that's the benchmark it did meet -- but it has not yet demonstrated the effectiveness and accuracy of the system, the GAO report said.
"Until TSA finalizes key program documents and completes additional system testing, it is uncertain whether Secure Flight will perform as intended and whether it will be ready for initial operational deployment by August 2005," GAO said.
The backtracking and false starts on these anti-terrorist projects have made some contractors understandably skittish, particularly about DHS programs that use private or commercial databases, which have the most potential to raise privacy concerns.
"The information-sharing between the government and private companies is the issue that ought to be addressed," said Barbara Lawler, chief privacy officer for Hewlett-Packard Co.
DHS OFFICIALS DEFEND PRIVACY
Homeland Security officials defend their record at guarding privacy and say that the agency's privacy office now is playing a stronger role to ensure that privacy concerns are addressed early in programs. "The strongest point in favor of Secure Flight is that the privacy team has been involved from the beginning," Kelly said.
Kelly also helped raise alarms about airline passenger data transfers in early development stages of CAPPS II that likely contributed to the program's cancellation. In a February 2004 report, Kelly said TSA employees improperly helped a defense contractor get computerized passenger data from JetBlue Airways in 2001 and 2002 as part of the development of CAPPS II.
"TSA employees involved acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974," Kelly wrote.
That report won her some credibility. "Nuala has done a pretty good job because of her own character and force of will," Harper said. "I don't see her as an apologist."
Even so, many view her office as lacking in power. Rep. Bennie Thompson (D-Miss.), ranking Democrat on the House Homeland Security Committee, is pushing for Kelly's office to have subpoena authority, so she would not have to depend on voluntary cooperation from DHS. He offered an amendment last month to that effect, but it was voted down along party lines.
"The chief privacy officer needs the independence and adequate authority to properly evaluate the privacy concerns of the department, outside political pressures," Thompson said.
Asked if she needed more authority, Kelly said she would defer to Congress. "I think we've run as hard and as fast as we can, given the statutory authority we have today," she said.
Earlier this year, Kelly created the data privacy advisory committee, which was criticized by privacy advocates for skewing too much toward industry. She knows there is public mistrust of the department's activities.
"There is a fear that the government is going to set up databases to evade the Privacy Act," Kelly said. "That is not going to happen on my watch."
Kelly said her office is becoming involved increasingly earlier in the formation of new IT programs, including Secure Flight. Her staff had done more than 90 privacy impact assessments as of June 2004.
Even so, advocates say privacy concerns are not going to diminish.
"Secure Flight is CAPPS II by another name," said Bill Scannell, a privacy advocate whose Web sites helped mobilize opposition to CAPPS II.
BALANCING PRIVACY AND SECURITY
It's too early to tell whether privacy concerns will be trumped by national security, or the other way around. Also uncertain is whether DHS programs will be affected by new rules that may be imposed to curb identity theft and protect privacy in the commercial arena.
Congress is considering several dozen proposals to improve privacy protections and reduce identity theft. One proposal would establish a national privacy and civil rights oversight board. Another would prohibit the government from accessing library use and bookseller records, for example.
Congress and about 30 states also are considering laws modeled on California's disclosure law of 2003 requiring notification of individuals if a company leaks their personal data or if that data is stolen.
IT contractors are afraid that the new law could spur liability lawsuits should a data leak lead to a stolen identity. The California law has "everyone concerned," said John Callas, chief technology officer at PGP Inc. of Palo Alto, Calif.
Some say the government must strike a balance between citizens' right to privacy and their need for security.
"The question is: How do you do what you need to do while minimizing the damage to civil liberties and rights?" said Ramon Barquin, president of IT consultancy Barquin International, Bethesda, Md., and a member of the DHS privacy advisory panel.
But Thompson, who is pushing for greater protections of personal data, rejects the notion of trade-offs between privacy and security. "Homeland security is designed to protect the constitutional rights of our citizens and the strength and security of our nation," he said. "It is not a balancing act between security and the liberties and rights our citizens enjoy."
Staff Writer Alice Lipowicz can be reached at email@example.com.
When the Privacy Act of 1974 was written, most records were pieces of paper, and a system of records was a stack of files in a cabinet.
The act does not mention databases, networks, algorithms or even the Internet.
The 31-year-old law stipulating how government records on individuals may be collected and maintained is a good foundation for protecting privacy, but it does not recognize many modern terms associated with data management and information security, according to Nuala O'Connor Kelly, chief privacy officer for the Homeland Security Department. One of her duties is to enforce the Privacy Act.
"The principles are sound," Kelly said. "Every American should know what data is being collected."
But, she added, "the legal frameworks under the Privacy Act -- systems of records, for example -- reflect technology that was current in 1974, not today. The law doesn't reflect today's technologies and abilities to move data in very large and very small quantities in an increasingly faster and easier manner."
Still, the Privacy Act is the central tool for ensuring the protection of personal data collected by the government in the very modern war on terrorism, including terrorist watch lists, passenger screening operations and biometric identification programs.
Under the act, personal data is referred to as "records" and "system of records." The privacy law prohibits agencies from disclosing personal records to anyone without written consent, with few exceptions.
It also lets individuals review their records and request a correction -- provisions that are "incredibly underutilized," Kelly said.
-- Alice Lipowicz
Five years ago, online marketing firm DoubleClick Inc. was facing privacy lawsuits and trouble with the Federal Trade Commission for its plans to collect names and addresses and connect them with shopping data via Internet programs viewed as invasive. Banking attorney Nuala O'Connor Kelly was hired to fix the mess.
"It was a crazy headlong leap," Kelly, 36, said of her move.
She quickly discovered the problems were not only legal in nature, but also involved compliance and corporate culture. DoubleClick's response: "Go start a privacy department."
So she did. Within months, DoubleClick changed its plans, and the FTC ended its investigation.
That experience eventually led Kelly to her current position as the first chief privacy officer for the Homeland Security Department, where she has served since April 2003. Kelly and 25 privacy office personnel set policy, review the impact on privacy of departmental programs and implement the Privacy Act of 1974, which regulates how federal data is held and secured.
Congress established the DHS Privacy Office when it created the department in 2002, and in many ways its work is similar to her role at DoubleClick, Kelly said.
However, many privacy advocates are skeptical of the office's effectiveness because Kelly has limited authority to compel cooperation in investigating privacy complaints. "She is no idiot, but she is pretty powerless over there," said Bill Scannell, a citizen activist whose Web sites have spurred public outcries on privacy concerns at DHS.
Kelly and her staff have done more than 90 privacy assessments on department programs and investigated several privacy complaints related to controversial programs such as the Computer-Assisted Passenger Prescreening System.
Kelly said she is reviewing new IT programs earlier in their development, to incorporate privacy safeguards from the beginning, as she has done with Secure Flight, the successor to CAPPS II.
"More and more, privacy is a driver," Kelly said. "It's a litmus test."
That is why she predicts Secure Flight will not be plagued by the privacy outcry that beleaguered its predecessor. "We should be mindful that with heightened, more accurate screening, it will help us not only fight the bad guys but also protect the privacy of innocent people," she said.
Her office does not buy technology, but she said that "if technology complies with the Privacy Act and international privacy laws, it will have an edge."
Originally from Belfast, Ireland, Kelly came to the United States as a child and earned a bachelor's degree from Princeton University, a master's degree in education from Harvard University and a law degree from Georgetown University. Although she started her career as a banking attorney, she discovered her inner "Internet geek" while assisting banking clients such as Wells Fargo and Bank of America as they put banking services online in the mid-1990s, she said.
After her stint at DoubleClick, she served at the Commerce Department in positions including chief counsel for technology for the Technology Administration.
She is married to Glenn Kelly, president and founder of Kelly Public Strategies, a public relations and consulting firm in Washington. They have one child.
"I think [Glenn] is proud of my dot-com days, though the stock options didn't quite work out," Kelly said with a laugh.