GAO Report: Feds Not Protecting Our Privacy Rights.
A new GAO report (pdf) finds that federal agencies that buy personal data on Americans from data collectors, sellers and resellers like ChoicePoint and LexisNexis are not complying with privacy rules to protect the information.
[The federal] agencies often do not limit the collection and use of information about law-abiding citizens, as required by the Privacy Act of 1974 and other laws. The agencies also don't ensure the accuracy of the information they are buying, according to the GAO report. That's in part because of a lack of clear guidance from the agencies and the Office of Management and Budget on guidelines known as "fair information practices," the report said.
The report was requested after last year's revelation of security breaches at the companies. From the report:
In light of concerns raised by recent security breaches involving resellers, GAO was asked to determine how the Departments of Justice, Homeland Security, and State and the Social Security Administration use personal data from these sources. In addition, GAO reviewed the extent to which information resellers' policies and practices reflect the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. GAO also examined agencies' policies and practices for handling personal data from resellers to determine whether these reflect the Fair Information Practices.
Flashback to the security breaches:
In a well-publicized incident, in February 2005, ChoicePoint disclosed that unauthorized individuals had gained access to personal information by posing as a firm of private investigators. In the following month, LexisNexis disclosed that unauthorized individuals had gained access to personal information through the misappropriation of user IDs and passwords from legitimate customers.
Back to the present and the report: while much of it focuses on the activity of the resellers, I'm more interested in which federal agencies are collecting information on us and for what. Here's what the report says:
The Department of Justice is the largest user of reseller information. Within DOJ, the largest users are the FBI and the DEA.
Components of the Department of Justice (the largest user of resellers) used such information in performing criminal investigations, locating witnesses and fugitives, researching assets held by individuals of interest, and detecting prescription drug fraud. The Department of Homeland Security used reseller information for immigration fraud detection and border screening programs. Uses by the Social Security Administration and the Department of State were to prevent and detect fraud, verify identity, and determine eligibility for benefits. The agencies spent approximately $30 million on contractual arrangements with resellers that enabled the acquisition and use of such information. About 91 percent of the planned fiscal year 2005 spending was for law enforcement (69 percent) or counterterrorism (22 percent).
What's a reseller?
We use the term "information resellers" to refer to businesses that vary in many ways but have in common the fact that they collect and aggregate personal information from multiple sources and make it available to their customers.
How do the resellers get the information? From public records, publicly available information and nonpublic information:
Nonpublic information is derived from proprietary or nonpublic sources, such as credit header data, product warranty registrations, and other application information provided to private businesses directly by consumers.
What are the Justice Department, the FBI and the DEA doing with the information?
Tasked to protect and defend the United States against terrorist and foreign intelligence threats and to enforce criminal laws, the FBI is Justice's largest user of information resellers, with about $11 million in contracts in fiscal year 2005. The majority of FBI's use involves two major programs, the Public Source Information Program and the Foreign Terrorist Tracking Task Force (FTTTF).
In support of the investigative and intelligence missions of the FBI, the Public Source Information Program provides all offices of the FBI with access via the Internet to public record, legal, and news media information available from various online commercial databases. These databases are used to assist with investigations by identifying the location of individuals and identifying alias names, Social Security numbers, relatives, dates of birth, telephone numbers, vehicles, business affiliations, other associations, and assets.
....The FBI's FTTTF also contracts with several information resellers (1) to assist in fulfilling its mission of assisting federal law enforcement and intelligence agencies in locating foreign terrorists and their supporters who are in or have visited the United States and (2) provide information to other law enforcement and intelligence community agencies that can lead to their surveillance, prosecution, or removal.
As for the DEA:
DEA, the second largest Justice user of information resellers in fiscal year 2005, obtains reseller data to detect fraud in prescription drug transactions. Through these data, DEA agents can detect irregular prescription patterns for specific drugs and trace this information to the pharmacy and prescribing doctor. DEA also uses an information reseller to locate individuals in asset forfeiture cases. Reseller data allows DEA to identify all possible addresses for an individual in order to meet the agency's obligation to make a reasonable effort to notify individuals of seized property and inform them of their rights to contest the seizures.
Moving on from DOJ to the Department of Homeland Security, the biggest user in DHS is ICE, U.S. Immigration and Customs Enforcement. The TSA also uses it.
the Transportation Security Administration (TSA), tasked with protecting the nation's transportation systems, used data obtained from information resellers as part of a test associated with the development of its domestic passenger prescreening program, called "Secure Flight." TSA's plans for Secure Flight involve the submission of passenger information by an aircraft operator to TSA whenever a reservation is made for a flight in which the origin and destination are domestic airports. In the prescreening of airline passengers, this information would be compared with federal watch lists of individuals known or suspected of activities related to terrorism. TSA conducted a test designed to help determine the extent to which information resellers could be used to authenticate passenger identity information provided by air carriers.
The State Department uses it too, to aid in detection of passport fraud.
For example, several components of State accessed personal information to validate information submitted on immigrant and nonimmigrant visa petitions, such as marital or familial relationships, birth and identity information, and address validation. A major use of reseller data at State is by investigators acquiring information on suspects in passport and visa fraud cases. According to State, information reseller data are increasingly important to its operations, because the number of passport and visa fraud cases has increased, and successful investigations of passport and visa fraud are critical to combating terrorism.