THE DEPARTMENT of Transportation and a number of other departments have now been mandated, in their latest budget authorizations, to appoint a chief privacy officer. But most departments, including Transportation, have simply appended that responsibility to the existing chief information officer. No new watchdogs have been added to the process.
One department, however, has had a real chief privacy officer for two years, and it’s the division that most needs one: the Department of Homeland Security (DHS). Cobbled together from more than 20 agencies, DHS has 180,000 employees and produces many of the most controversial anti-terrorism projects.
Congress mandated the DHS privacy office in the wake of one of the Bush administration’s most notorious efforts to increase its ability to gather, share, and analyze information about private citizens: the Department of Defense’s Total Information Awareness (TIA) project. TIA was supposed to bring together financial, medical, communications, travel, and intelligence records, to be sifted through by sophisticated "data mining" software programs in search of suspicious patterns and associations. When the New York Times reported on the program in late 2002, the public was horrified, and less than a year later Congress killed it.
Nuala O’Connor Kelly, 36, was named DHS chief privacy officer by DHS secretary Tom Ridge in April 2003, but for months she and an assistant constituted the entire operation. It is now a $30 million office with staff that includes several people with strong privacy credentials. Kelly herself, previously with the Commerce Department, learned about privacy when she was hired by Internet-advertising company DoubleClick to mop up after it was caught tracking and analyzing ordinary people’s Web usage.
But despite the budget and personnel, there is little reason to believe that Kelly, a political neophyte and Bush loyalist, has much influence. The DHS privacy office has no real power or authority; even its annual report gets cleared by the department. It has so far mostly produced privacy assessments that focus on technological aspects of project implementation.
Kelly’s impotence became apparent during her investigation into the JetBlue scandal. The DHS’s Transportation Security Agency (TSA) had asked for, and received, five million customer data profiles from the JetBlue airline company, without notifying Congress or the public as required by law. In an internal e-mail obtained by the nonprofit Electronic Privacy Information Center, Kelly is seen begging TSA’s deputy administrator for help obtaining documents and information she has been requesting from TSA staff. The deputy administrator, Carol DiBattiste, replies dismissively that "TSA Public Affairs has no information in response to your request."
Now, as the TSA prepares to implement its controversial Secure Flight passenger-screening initiative, that agency’s disdain for privacy appears unchanged: it has quietly stopped calling meetings of the privacy-advisory group established by Kelly’s staff to advise that project, according to Schwartz.
"I think the privacy officer serves some useful function, at least as a liaison," says the ACLU’s Edgar. "But at the end of the day, it’s just somebody for us to complain to."
It also took two years to put together a privacy-advisory board that is supposed to provide outside scrutiny of DHS privacy practices for Kelly — and when she finally named the members this February, the selections made clear that privacy advocates shouldn’t expect too much. "A lot of these folks work for technology companies that also sell to the government," says James Harper, a member of the committee and director of information-policy studies at the Cato Institute, a libertarian think tank in Washington, DC. "There is an instinct among many on the board that we’re going to look at implementation of specific initiatives on a technical level," rather than question the initiatives or policies themselves, he says.
Then in April, at its inaugural meeting, this external advisory board selected Paul Rosenzweig as its chairman. Rosenzweig, a senior research fellow at the conservative Heritage Foundation, has in the past publicly defended almost every Bush-administration privacy and civil-liberties intrusion, including the TIA project and the denial of legal rights to American citizen and suspected terrorist Jose Padilla.
The DHS privacy office’s advisory board meets for the second time on June 15, at Harvard Law School’s Pound Hall. It’s open to the members of the public, who can also make three-minute statements to the committee. (Pre-registration is required; see www.dhs.gov/interweb/assetlibrary/privacy_advcom_06-2005_inv.pdf.)
Of course, whatever the influence wielded by Kelly and her new advisory board, their scope is limited to DHS. The electronic-passport initiative comes from the State Department; the driver’s-license project began at Transportation (the Real ID Act moved it to DHS).
That’s why the 9/11 Commission and others said that broader oversight was needed — and why it existed under Bill Clinton. Clinton appointed Peter Swire as the country’s first chief counselor for privacy in March 1999. Bush did not maintain the position.
"Nuala Kelly is in one agency, and information sharing happens across multiple agencies," says Swire, now a law professor at Ohio State University. "Someone should be in the room as programs are being developed, to make sure that they bake in civil liberties. That was the role I played." He was part of the Office of Management and Budget (OMB), which gave him authority, Swire adds. "If you don’t respect OMB, you might have some of your budget taken away,"
But even with Swire in office, and before 9/11 electrified the atmosphere, government agencies were able to move forward with some of their privacy-busting initiatives. In the summer of 2000, the Wall Street Journal reported on the FBI’s Carnivore Project, in which specialized computers would intercept and scan all Internet traffic to and from a targeted suspect. Privacy groups threw a fit. So where was the privacy czar? "My office didn’t learn about Carnivore until it was in the papers," Swire says.
Which makes the current situation of such concern. "It’s more likely today that you’ll have an unvetted program," Swire says.
JOHN MCCARTHY, executive director of the Critical Infrastructure Protection Project at George Mason University and a top Bush-administration adviser on privacy and security issues, cautions that the public, and even most privacy advocates, doesn’t know what happens inside the meetings where key decisions are made. "I don’t see a dismissive attitude about privacy," he says. "I see a great deal of concern."
Nevertheless, McCarthy agrees that security-minded government agents need oversight, to help them see the unintended consequences of their projects — the kind of "mission creep" that inevitably leads to the worst privacy intrusions and the loudest protests from the public. McCarthy points to the new Transportation Worker Identification Credential, an electronic identification card meant to improve security at ports. DHS was surprised by resistance to the system among unionized workers in Long Beach, who are concerned that the system will be used to monitor their work hours.
Similarly, the gathering of personal information under CAPPS II — an ill-fated air-traveler-profiling project scrapped due to privacy concerns (computer software would have assigned each passenger a color-coded tag based on collected data) — probably wouldn’t have set off the alarms it did, says Cate, "but [Attorney General] John Ashcroft kept saying, ‘We can use this data for all kinds of other things.’"
These security initiatives, once in place, will be with us for many years to come and will not only affect our privacy, but will likely lower our civil-liberty expectations, leading to further intrusions. "I think in 10 years, we’re going to be talking very differently than we are now about privacy," McCarthy says. Which is why the conversations need to take place now.
David S. Bernstein can be reached at dbernstein[a]phx.compage 1 page 2
Issue Date: June 3 - 9, 2005
Back to the News & Features table of contents
|about the phoenix | advertising info | Webmaster | work for us|
|Copyright © 2005 Phoenix Media/Communications Group|