Privacy groups challenge proposal expanding access to terrorist watch list

The Homeland Security Department's plan to centralize and expand in-house access to the FBI's database of suspected terrorists has prompted a letter of protest from a coalition of Washington privacy organizations.

In public comments submitted Aug. 5, a coalition led by the Electronic Privacy Information Center challenged a proposed rule under which Homeland Security would duplicate an existing system of records to create the DHS Watchlist Service. It will contain individuals' names, dates and places of birth, biometric and photographic data, passport information, driver's license information and "other available identifying particulars."

Homeland Security during the past year has been reviewing the eight-year-old terrorist screening database used at airports and is preparing, as set out in the July 6 proposal, to widen employee access to a mirror copy of the records created by the FBI and Justice Department "in order to automate and simplify the current method for transmitting" the data to DHS component agencies including the Transportation Security Administration. TSA uses the terrorist watch list for the Secure Flight program, which allows it to instantly check passenger names that airlines were given by ticket purchasers against a consistent national watch list of suspected terrorists.

David Heyman, assistant Homeland Security secretary for policy, told the Senate Homeland Security and Governmental Affairs Committee in July that DHS had identified screening gaps during a review of the terrorism suspect database. Hence the department "has transitioned the Secure Flight program to use all terrorist watch list records containing a full name and a full date of birth and designates matches to those records as selectees subject to enhanced physical screening prior to boarding a flight," Heyman said.

Most notably, in the view of the privacy advocates, the proposed rule stated, "The department proposes to exempt portions of the system of records from one or more provisions of the Privacy Act because of criminal, civil and administrative enforcement requirements."

In their joint letter, the groups argued that the new system carried risks both to security and privacy and noted that the 1974 Privacy Act "requires DHS to notify subjects of government surveillance in addition to providing a meaningful opportunity to correct information that could negatively affect them."

The plan is problematic, the letter said, because "secretive government lists without any meaningful safeguards present a very real risk of 'mission creep,' in which a system is pressed into unintended or unauthorized uses. Under this proposal, the agency would have the right to maintain and rely upon information it does not know to be accurate, relevant, timely, or complete without recourse -- the right to subject citizens to arbitrary decisions."

The letter demanded that Homeland Security reconsider and narrow the proposal. "Rather than claiming blanket exemptions, the DHS could promulgate rules that would require notification only after an active investigation had been concluded, or with sensitive information, such as the identity of confidential informants, redacted prior to release," it stated. "Given the centrality of individual rights to notice, access and correction, DHS should withdraw its proposed exemptions and narrow the grounds on which it purports to avoid its obligations under the Privacy Act."

Groups joining with the Electronic Privacy Information Center include the American Library Association's Washington office, the Bill of Rights Defense Committee, the Center for Financial Privacy and Human Rights, the Center for Media and Democracy, Consumer Action, the Consumer Federation of America, the Cyber Privacy Project, the Electronic Frontier Foundation, the Liberty Coalition, OMBWatch, Patient Privacy Rights, Privacy Activism, the Privacy Journal, Privacy Rights Clearinghouse and the Privacy Rights Now Coalition.

In response, Homeland Security spokesman Chris Ortman told Government Executive "the introduction of the Watchlist Service is a positive step for privacy." Under the previous system, checks against the terrorist screening database "were done via CD-ROM and involved multiple copies -- a process that was vulnerable to inefficiencies, delays and inaccurate information," he said.

The new system "streamlines the process throughout the department, and guarantees that DHS components have the most up-to-date information," Ortman said in an email, "improving speed and efficiency, reducing the possibility for misidentification and other errors, and in compliance with the Fair Information Practice Principles laid out in the Privacy Act."

Gavin Baker, federal information policy analyst at OMBWatch, wrote Monday in a blog that "DHS' approach twists the purpose of the Privacy Act exemptions almost beyond recognition. Exemptions should be limited to the time when they're needed, and no longer. But the proposed exemptions would never expire, even if the subjects in the database aren't under active investigation. This isn't necessary to protect the integrity of investigations, and it invites abuses."

Baker noted that the proposal would allow Homeland Security "to waive the exemptions 'on a case-by-case basis.' While this may sound like a reasonable approach," he wrote, "it would radically undermine the right to know."
