Privacy groups challenge proposal expanding access to terrorist watch list

Plan making an FBI database available to more Homeland Security employees draws concerns about transparency.

The Homeland Security Department's plan to centralize and expand in-house access to the FBI's database of suspected terrorists has prompted a letter of protest from a coalition of Washington privacy organizations.

In public comments submitted Aug. 5, a coalition led by the Electronic Privacy Information Center challenged a proposed rule under which Homeland Security would duplicate an existing system of records to create the DHS Watchlist Service. The service will contain individuals' names, dates and places of birth, biometric and photographic data, passport information, driver's license information and "other available identifying particulars."

Homeland Security during the past year has been reviewing the eight-year-old terrorist screening database used at airports and is preparing, as set out in the July 6 proposal, to widen employee access to a mirror copy of the records created by the FBI and Justice Department "in order to automate and simplify the current method for transmitting" the data to DHS component agencies including the Transportation Security Administration. TSA uses the terrorist watch list for the Secure Flight program, which allows it to instantly check passenger names that airlines were given by ticket purchasers against a consistent national watch list of suspected terrorists.

David Heyman, assistant Homeland Security secretary for policy, told the Senate Homeland Security and Governmental Affairs Committee in July that DHS had identified screening gaps during a review of the terrorism suspect database. Hence the department "has transitioned the Secure Flight program to use all terrorist watch list records containing a full name and a full date of birth and designates matches to those records as selectees subject to enhanced physical screening prior to boarding a flight," Heyman said.

Most notably, in the view of the privacy advocates, the proposed rule stated, "The department proposes to exempt portions of the system of records from one or more provisions of the Privacy Act because of criminal, civil and administrative enforcement requirements."

In their joint letter, the groups argued that the new system carried risks both to security and privacy and noted that the 1974 Privacy Act "requires DHS to notify subjects of government surveillance in addition to providing a meaningful opportunity to correct information that could negatively affect them."

The plan is problematic, the letter said, because "secretive government lists without any meaningful safeguards present a very real risk of 'mission creep,' in which a system is pressed into unintended or unauthorized uses. Under this proposal, the agency would have the right to maintain and rely upon information it does not know to be accurate, relevant, timely, or complete without recourse -- the right to subject citizens to arbitrary decisions."

The letter demanded that Homeland Security reconsider and narrow the proposal. "Rather than claiming blanket exemptions, the DHS could promulgate rules that would require notification only after an active investigation had been concluded, or with sensitive information, such as the identity of confidential informants, redacted prior to release," it stated. "Given the centrality of individual rights to notice, access and correction, DHS should withdraw its proposed exemptions and narrow the grounds on which it purports to avoid its obligations under the Privacy Act."

Groups joining with the Electronic Privacy Information Center include the American Library Association's Washington office, the Bill of Rights Defense Committee, the Center for Financial Privacy and Human Rights, the Center for Media and Democracy, Consumer Action, the Consumer Federation of America, the Cyber Privacy Project, the Electronic Frontier Foundation, the Liberty Coalition, OMBWatch, OpenTheGovernment.org, Patient Privacy Rights, Privacy Activism, the Privacy Journal, Privacy Rights Clearinghouse and the Privacy Rights Now Coalition.

In response, Homeland Security spokesman Chris Ortman told Government Executive "the introduction of the Watchlist Service is a positive step for privacy." Under the previous system, checks against the terrorist screening database "were done via CD-ROM and involved multiple copies -- a process that was vulnerable to inefficiencies, delays and inaccurate information," he said.

The new system "streamlines the process throughout the department, and guarantees that DHS components have the most up-to-date information," Ortman said in an email, "improving speed and efficiency, reducing the possibility for misidentification and other errors, and in compliance with the Fair Information Practice Principles laid out in the Privacy Act."

Gavin Baker, federal information policy analyst at OMBWatch, wrote Monday in a blog that "DHS' approach twists the purpose of the Privacy Act exemptions almost beyond recognition. Exemptions should be limited to the time when they're needed, and no longer. But the proposed exemptions would never expire, even if the subjects in the database aren't under active investigation. This isn't necessary to protect the integrity of investigations, and it invites abuses."

Baker noted that the proposal would allow Homeland Security "to waive the exemptions 'on a case-by-case basis.' While this may sound like a reasonable approach," he wrote, "it would radically undermine the right to know."