Privacy groups challenge proposal expanding access to terrorist watch list

The Homeland Security Department's plan to centralize and expand in-house access to the FBI's database of suspected terrorists has prompted a letter of protest from a coalition of Washington privacy organizations.

In public comments submitted Aug. 5, a coalition led by the Electronic Privacy Information Center challenged a proposed rule under which Homeland Security would duplicate an existing system of records to create the DHS Watchlist Service. It will contain individuals' names, dates and places of birth, biometric and photographic data, passport information, driver's license information and "other available identifying particulars."

Homeland Security during the past year has been reviewing the eight-year-old terrorist screening database used at airports and is preparing, as set out in the July 6 proposal, to widen employee access to a mirror copy of the records created by the FBI and Justice Department "in order to automate and simplify the current method for transmitting" the data to DHS component agencies including the Transportation Security Administration. TSA uses the terrorist watch list for the Secure Flight program, which allows it to instantly check passenger names that airlines were given by ticket purchasers against a consistent national watch list of suspected terrorists.

David Heyman, assistant Homeland Security secretary for policy, told the Senate Homeland Security and Governmental Affairs Committee in July that DHS had identified screening gaps during a review of the terrorism suspect database. Hence the department "has transitioned the Secure Flight program to use all terrorist watch list records containing a full name and a full date of birth and designates matches to those records as selectees subject to enhanced physical screening prior to boarding a flight," Heyman said.

Most notably, in the view of the privacy advocates, the proposed rule stated, "The department proposes to exempt portions of the system of records from one or more provisions of the Privacy Act because of criminal, civil and administrative enforcement requirements."

In their joint letter, the groups argued that the new system carried risks both to security and privacy and noted that the 1974 Privacy Act "requires DHS to notify subjects of government surveillance in addition to providing a meaningful opportunity to correct information that could negatively affect them."

The plan is problematic, the letter said, because "secretive government lists without any meaningful safeguards present a very real risk of 'mission creep,' in which a system is pressed into unintended or unauthorized uses. Under this proposal, the agency would have the right to maintain and rely upon information it does not know to be accurate, relevant, timely, or complete without recourse -- the right to subject citizens to arbitrary decisions."

The letter demanded that Homeland Security reconsider and narrow the proposal. "Rather than claiming blanket exemptions, the DHS could promulgate rules that would require notification only after an active investigation had been concluded, or with sensitive information, such as the identity of confidential informants, redacted prior to release," it stated. "Given the centrality of individual rights to notice, access and correction, DHS should withdraw its proposed exemptions and narrow the grounds on which it purports to avoid its obligations under the Privacy Act."

Groups joining with the Electronic Privacy Information Center include the American Library Association's Washington office, the Bill of Rights Defense Committee, the Center for Financial Privacy and Human Rights, the Center for Media and Democracy, Consumer Action, the Consumer Federation of America, the Cyber Privacy Project, the Electronic Frontier Foundation, the Liberty Coalition, OMBWatch,, Patient Privacy Rights, Privacy Activism, the Privacy Journal, Privacy Rights Clearinghouse and the Privacy Rights Now Coalition.

In response, Homeland Security spokesman Chris Ortman told Government Executive "the introduction of the Watchlist Service is a positive step for privacy." Under the previous system, checks against the terrorist screening database "were done via CD-ROM and involved multiple copies -- a process that was vulnerable to inefficiencies, delays and inaccurate information," he said.

The new system "streamlines the process throughout the department, and guarantees that DHS components have the most up-to-date information," Ortman said in an email, "improving speed and efficiency, reducing the possibility for misidentification and other errors, and in compliance with the Fair Information Practice Principles laid out in the Privacy Act." Gavin Baker, federal information policy analyst at OMBWatch, wrote Monday in a blog that "DHS' approach twists the purpose of the Privacy Act exemptions almost beyond recognition. Exemptions should be limited to the time when they're needed, and no longer. But the proposed exemptions would never expire, even if the subjects in the database aren't under active investigation. This isn't necessary to protect the integrity of investigations, and it invites abuses."

Baker noted that the proposal would allow Homeland Security "to waive the exemptions 'on a case-by-case basis.' While this may sound like a reasonable approach," he wrote, "it would radically undermine the right to know."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Cyber Risk Report: Cybercrime Trends from 2016

    In our first half 2016 cyber trends report, SurfWatch Labs threat intelligence analysts noted one key theme – the interconnected nature of cybercrime – and the second half of the year saw organizations continuing to struggle with that reality. The number of potential cyber threats, the pool of already compromised information, and the ease of finding increasingly sophisticated cybercriminal tools continued to snowball throughout the year.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • GBC Issue Brief: The Future of 9-1-1

    A Look Into the Next Generation of Emergency Services

  • GBC Survey Report: Securing the Perimeters

    A candid survey on cybersecurity in state and local governments

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

  • eBook: State & Local Cybersecurity

    CenturyLink is committed to helping state and local governments meet their cybersecurity challenges. Towards that end, CenturyLink commissioned a study from the Government Business Council that looked at the perceptions, attitudes and experiences of state and local leaders around the cybersecurity issue. The results were surprising in a number of ways. Learn more about their findings and the ways in which state and local governments can combat cybersecurity threats with this eBook.


When you download a report, your information may be shared with the underwriters of that document.