September 19, 2003

Privacy advocates turn tide in homeland security debate

By Drew Clark, CongressDaily

Ever since the 2001 terrorist attacks, policymakers have pursued a balance between two oft-competing desires: keeping the nation secure and protecting people's privacy rights. The status of two technology-based security initiatives indicates that the scales still can tip either way.

On one hand, a controversial Pentagon project to create technologies that could scour databases and aggregate financial, medical, travel and government records on millions of Americans has been effectively given up for dead by its foremost advocates. On the other hand, a full-court publicity campaign by officials in the Homeland Security Department—including the hiring of a chief privacy officer in May—appears for the moment to have saved another program designed to conduct background checks on airline passengers.

But few observers doubt that the likely death of the data-mining program dubbed Terrorism Information Awareness, or TIA, shows how quickly the tide has turned in the battle between national security and privacy. An additional sign of the times is the half-dozen new bills that would curtail elements of the 2001 anti-terrorism law known as the

USA PATRIOT Act, one of which already has been incorporated into a fiscal 2004 appropriations bill.

"I think the agencies, as well as congressmen, are starting to understand that the landscape has shifted somewhat in the public," said Lisa Dean of the Electronic Frontier Foundation.

The problems for TIA began in January, when Sen. Ron Wyden, D-Ore., attached to the Senate version of an omnibus spending bill for fiscal 2003 language to block TIA funding until the Defense Advanced Research Projects Agency, overseeing the data-mining plan, better explained its purpose and assessed the potential impact on civil liberties.

The House agreed to the Senate language in February, and in DARPA's May report, Defense Department officials repeatedly emphasized that the project was experimental and had only been tested using foreign intelligence information. They also said they were developing privacy protections.

Privacy advocates and congressional critics were not satisfied, and Wyden attached to the 2004 bill to fund the Defense Department an amendment that would require congressional approval before any implementation of any technologies developed by the DARPA office overseeing TIA. The House approved similar language.

Senate Appropriations Committee Chairman Ted Stevens, R-Alaska, and Sen. Daniel Inouye, D-Hawaii, went further, halting all funding for TIA-related projects. The two chambers are expected to reconcile the bills in September.

In a five-page, Aug. 12 letter resigning as head of the DARPA office overseeing TIA, former Adm. John Poindexter defended the initiative. But noting that the Senate version of the Defense bill "eliminates funding for most of the counter-terrorism programs of my office," he simply expressed "hope" that "at least the non-controversial parts" of TIA would not be sacrificed.

A new public outcry over another TIA-related project—the development of a "futures market" to predict instances of terrorism—appeared to have sealed the resignation of Poindexter. One day after Wyden and Sen. Byron Dorgan, D-N.D., hosted a conference to call attention to FutureMAP, DARPA halted the program, and Poindexter announced his resignation two days later.

That same day, Wyden and Dorgan restated their opposition to TIA, saying that it "would still be the biggest spying and surveillance overreach in America's history, and it should be shut down."

The two senators also introduced legislation that would require each law enforcement and intelligence agency to prepare reports on data-mining efforts, including contracts for personal data from private firms and what privacy rules the agencies follow. The measure also would bar the use of databases to explore "hypothetical scenarios" about who may commit a crime.

Although slightly more limited than an earlier bill that would place a moratorium on data mining, Wyden and Dorgan's measure would keep government agencies from searching bank records and travel plans without a specific tip in mind.

"Without a rudder, and without a mission, it is hard to see how [TIA] should continue," said Jerry Berman, president of the Center for Democracy and Technology. But he said Congress still must be wary that the program "will be restarted under different guises" unless privacy guidelines are put into place from the beginning.

In July, Homeland Security officials hoping to avoid TIA's fate in their work toward the Computer-Assisted Passenger Prescreening System, known as CAPPS II, proposed new rules governing airline-passenger data. Privacy Officer Nuala O'Connor Kelly characterized the rules as a victory for limiting the collection of personal information.

Privacy advocates had been concerned about the original notice in January, which said the Transportation Security Administration might use health and financial data and that it might retain the data for up to 50 years.

Those provisions are gone from the new notice. "TSA will not use measures of credit worthiness ... and individual health records in the CAPPS II traveler-risk determination," it reads. Privacy groups generally expressed pleasure with the announcement.