JURIST Guest Columnist Khaliah Barnes of the Electronic Privacy Information Center argues that federal agencies’ data collection and disclosure activities are marred by a deficiency of meaningful oversight and accountability…

In 2013, the world became privy to unparalleled, covert US government digital surveillance. A 2013 Foreign Intelligence Surveillance Court order (PDF) shows that the National Security Agency (NSA) obtained sensitive call record information of millions of Americans. Previously unreleased government PowerPoint slides expose a maze of government information collection and disclosure. There have been numerous legal challenges to the NSA’s clandestine data collection.

While the NSA revelations have spurned public debate on the importance of government surveillance transparency, oversight and accountability, government agencies routinely publish their surveillance procedures and practices as required by the Privacy Act of 1974. The Privacy Act is a cornerstone of American privacy law. The Privacy Act grants individuals certain rights—like access to and amendment of their records held by government agencies. It also details how federal agencies and government contractors entrusted with personal records must protect that information from unauthorized disclosure. Privacy Act protections extend to “records” held within a database or “system of records.” The statute broadly defines “record” as “any item, collection or grouping of information about an individual that is maintained by an agency” and that contains personally identifiable information (PII). A “system of records” is a group of records over which an agency has control and can retrieve information by individual name or other PII. Federal tax returns held by the IRS, student loan information [PDF] processed by the Education Department and medical information collected by the Social Security Administration are each examples of personal records within systems of records that the Privacy Act protects.

The Privacy Act requires federal agencies to obtain consent before releasing personal records from government databases. The statute does, however, provide various exceptions under which agencies may disclose records without first obtaining consent. For example, agencies may disclose records pursuant to a “routine use”—a disclosure “compatible with the purpose” for which the information was collected. Agencies may also disclose PII to agency employees and contractors who need the PII to perform their jobs, pursuant to a court order or in response to a “showing of compelling circumstances affecting the health or safety of an individual.”

The Privacy Act imposes civil and criminal liability on agencies, agency employees and contractors for Privacy Act violations, including unauthorized disclosures. Nevertheless, agencies may promulgate rules exempting themselves from Privacy Act requirements, like requirements that agencies permit individuals to correct inaccurate information, or the requirement that agencies collect information directly from an individual when the information could adversely affect the individual’s “rights, benefits and privileges under Federal programs.”

Over the last several years, government agencies have increasingly contravened the intent, purpose and plain language of the Privacy Act by collecting excessive information for nebulous purposes, widely disclosing this information to public and private entities and claiming broad Privacy Act exemptions.

For example, in 2012 the Federal Bureau of Investigation (FBI) announced a new sweeping database, aptly entitled the FBI Data Warehouse System [PDF]. The FBI Data Warehouse collects sensitive information, including but not limited to name, sex, race, Social Security Number, biometric information, bank account number, employment information and known associates and affiliations. The FBI gathers this information from a variety of sources including other FBI systems, the Internet and other government agencies like the Department of Defense and Department of Homeland Security. The FBI Data Warehouse applies to an extensive swath of individuals, from suspects, victims and witnesses to “individuals who are identified in open source information or commercial databases” and individuals “who may be relevant” to an investigation or operation.

The FBI states that any of the sensitive information may be disclosed to a variety of public and private individuals and entities, ranging from law enforcement (local, state, federal, territorial, tribal, foreign and international law enforcement), to members of Congress, to commercial entities that are “joint participants” with the FBI and to any other person or entity DOJ deems “necessary” in assisting DOJ perform “law enforcement, national security or intelligence function[s].”

Even though the FBI stores troves of information in its Data Warehouse System, the FBI denies [PDF]. individuals various Privacy Act protections. The Attorney General has exempted the FBI Data Warehouse from fundamental Privacy Act requirements, including the requirement that the FBI only maintain relevant, necessary, accurate, timely and complete records. Practically speaking, the FBI can maintain inaccurate, outdated and incomplete records in its Data Warehouse and disclose those records to various private and public entities, including all levels of law enforcement. And because the FBI has exempted this database from the Privacy Act’s civil remedies provision, the FBI is not accountable to individuals on which it maintains erroneous and flawed records.

Similar in scope to the FBI Data Warehouse is the Department of Homeland Security’s (DHS) Automated Targeting System (ATS) (PDF). Initially designed to screen international cargo, DHS has expanded ATS to screen and assign risk assessments to individuals (PDF). The ATS database “ingests” personally identifiable information from at least thirty federal databases and the Department of Motor Vehicles. DHS then matches this information against “patterns of suspicious activity” and uses these matches to monitor individuals, even if the individuals have no criminal record. ATS amasses PII ranging from names, addresses and Social Security Numbers, to “information that could directly indicate the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life” of individuals. The database applies broadly to individuals that “seek to, or do in fact, enter, exit or transit through the US,” and those who “may pose a threat to the US,” among others.

As with the FBI Data Warehouse, DHS discloses PII within ATS to a host of public and private entities and individuals, including to local, tribal, state, federal and foreign organizations and to “the news media and the public, with the approval of the Chief Privacy Officer in consultation with counsel … when disclosure is necessary to preserve confidence in the integrity of DHS …” DHS has proposed [PDF] to exempt this database from Privacy Act provisions that would permit individuals to access and correct inaccurate information. DHS has also proposed to exempt ATS from the Privacy Act’s civil remedies provisions. My organization, the Electronic Privacy Information Center (EPIC), has repeatedly urged (PDF) DHS to suspend (PDF) ATS data collection and restore (PDF) Privacy Act protections for PII within the database.

The Department of Defense (DOD) maintains a large database on a particularly vulnerable subsection of the population—high school and college students. DOD uses its Joint Advertising Market Research and Studies Recruiting Database (JAMRS) (PDF) to market to and recruit teens between the ages of 16 and 18 and college students, among others. JAMRS contains information including name, gender, address, birth date, telephone number, ethnicity, grade point average, high school name and graduation date, college name and rank and fields of study. Unlike the FBI Data Warehouse and DHS’s ATS, DOD does not exempt this system from the Privacy Act. However, the system still poses substantial risk to student privacy because Epsilon Marketing, a firm that experienced a security breach in 2011, houses the system. Moreover, DOD has compiled this information without express student consent. DOD explains that if students want to be removed from the system, they must opt-out of having their information disclosed to Epsilon Marketing.

The FBI, DHS, and DOD each state that pursuant to litigation proceedings, they will disclose records held in their databases to the DOJ. The Privacy Act, however, sets a higher bar and requires these agencies to obtain a court order to disclose records during litigation proceedings. Therefore, these agencies violate the Privacy Act by disclosing personal records to the DOJ (or any other entity or individual) during court proceedings without first obtaining a court order. Additionally, the Privacy Act permits federal agencies to disclose records to other US agencies or instrumentalities for civil and criminal law enforcement activities, but only pursuant to a written request from the head of the requesting agency, and that request must specify “the particular portion desired and the law enforcement activity for which the record is sought.” Again, the Privacy Act explicitly constrains government information disclosures. And again, DOD and DHS have adopted lower standards. Both DHS and DOD will disclose PII to agencies investigating, prosecuting, and enforcing civil and criminal laws without a written request from the leader of the agency seeking the record.

The aforementioned databases are just three examples out of many where government agencies collect sensitive personal information without adequately safeguarding privacy. Unlike the NSA, these agencies have been somewhat transparent in their data collection and disclosure, but they too suffer the same deficiency of meaningful oversight and accountability. These agencies publish and consider public comment on their databases, which is a good first — and in fact, legally required—step in protecting privacy. However, more must be done. The Senate and House committees in charge of these agencies must investigate these practices and work to restore Privacy Act protections. The Privacy and Civil Liberties Oversight Board, a federal government watchdog agency, must closely review federal databases and make recommendations on how they can safeguard privacy. And finally, agency chief privacy officers (CPOs) must take a more active role in reviewing and approving information collection. In many ways, agency CPOs are one of the last resorts the public has in stopping invasive government surveillance. Accordingly, CPOs should not simply rubberstamp proposed database collections, but rather should closely evaluate the legality and public policy behind agency proposals.

Khaliah Barnes is the Administrative Law Counsel for the Electronic Privacy Information Center. She researches proposed federal agency privacy regulations that pertain to government collection, retention and dissemination of personal information.

Suggested citation: Khaliah Barnes, Agencies Behaving Badly: Government Surveillance and Privacy Act Violations, JURIST – Hotline, Jan. 2, 2014 http://jurist.org/hotline/2014/1/khaliah-barnes-privacy-act.php.