Agencies told to beef up privacy protection

The federal government has long been the most pervasive collector of Americans' sensitive personal information. The 1974 Privacy Act, passed in the wake of the Nixon White House's release of individual Internal Revenue Service and FBI records, restricts the dissemination of personal information by federal agencies and requires that when the information is collected, the individual be told of the ways in which it could be used.

The Privacy Act put in place checks on the transfer of information from one agency to another. But the law also set up 12 exceptions, including one that permits law enforcement agencies to obtain records without a subpoena and another that allows federal agencies to share any information for what they designate as "routine uses" after publishing in the Federal Register a statement of their intent to release the information.

Critics say that the law, which was designed in an era of mainframe computers but which now operates in an era of networked personal computers, is out of date by at least three generations of computer technology. That criticism, along with the increased interest in Internet privacy issues, prompted the Clinton Administration to require a privacy policy covering all federal agency Web sites. The Office of Management and Budget is responsible for enforcing the policy.

In a sternly worded June letter, the office's director, Jacob Lew, said that software "cookies," which track Internet users' movements among Web sites, were not to be used on federal Web sites unless the agency had explicit approval from its chief, provided clear notice to the site's users, and publicized the safeguards for handling information collected from the cookies.

The memo came after revelations that the White House Office of Drug Control Policy had used cookies on its Web site to track users' visits to other drug-oriented Web sites. As a result of the criticism, House Commerce Telecommunications Subcommittee Chairman W.J. "Billy" Tauzin, R-La., requested a General Accounting Office study to determine whether federal Web sites meet the same privacy standards that the Federal Trade Commission is seeking to apply to private Web sites. And House Majority Leader Dick Armey, R-Texas, has asked GAO to see how well agencies are living up to the Privacy Act.

Peter Swire, the Clinton Administration's chief adviser on privacy issues, was the impetus for the cookie crackdown. "One of the reasons for creating the [advisory] position was to coordinate policy for government and private use of information," Swire said in an interview. "The creation of the position was a recognition of the need for strong and consistent privacy rules across agencies."

Privacy advocates are scrutinizing two other areas of federal data collection:

The Directory of New Hires

One of the most sweeping databases in the hands of the federal government is the Directory of New Hires. It is an electronic compilation to which every employer in the country must report the names, addresses, Social Security numbers, and incomes of all new hires. Created under the 1996 landmark welfare reform bill known as the Personal Responsibility and Work Opportunity Reconciliation Act, the database is used to track down parents, primarily fathers, who renege on child-support payments.

Privacy advocates point out that the names in the registry are not limited to people who receive public assistance or who pay or receive child support. They say that Congress, by requiring that the name of every employed American be entered into the database, has created a monster lode of personal information whose purpose will gradually but inevitably expand beyond its original intent.

Here's how the database works: Each employer provides the required personnel information to state officials, who feed the data into a state directory of new hires. Each state then turns these data over to the national directory, which is a part of the Health and Human Services Department's Federal Parent Locator Service. State child-support enforcement officials then match information from the federal database against their child-support cases. When a match is found and a deadbeat parent is located, child-support officials can force an employer to withhold wages from the parent's paycheck.

The IRS, the Social Security Administration, and the Justice Department all have access to the information in the database. Swire said that the Office of Management and Budget wrote regulations governing the system in an effort to ensure that the data would remain confidential.

But the fears of privacy advocates were heightened last year when Congress expanded the use of the database to include tracking down defaulters on student loans. Language inserted into the appropriations bill for the Labor, Health and Human Services, and Education departments permitted such a use and also allowed employers to withhold wages to pay off the loans. Rep. Nancy L. Johnson, R-Conn., has proposed an additional expansion that would give state unemployment insurance officials access to the federal database, as part of her proposed Child Support Distribution Act. (Johnson dropped another provision of her bill that would have given child-support collection agencies access to the database, after privacy advocates Edward J. Markey, D-Mass., and Joe Barton, R-Texas, objected.)

"I'm not prepared to say that [a child-support database] is a terrible idea," said privacy consultant Robert Gellman, who has closely followed the history of the Privacy Act. "Be that as it may, we have agreed to set up a database of every working American, and no one debated that. If you start a system for one purpose, Congress can't keep its hands off it."

The Financial Crimes Enforcement Network

In April 1999, when the Federal Deposit Insurance Corp. and other major banking regulators announced they were withdrawing their proposed "Know Your Customer" rules requiring banks to closely monitor their customers' financial transactions, the regulators acknowledged the importance of the 256,634 letters they had received arguing against the proposal.

"We need to take privacy concerns into account in any regulatory proposal that touches upon the personal finances of bank customers, regardless of our objectives," said FDIC Chairwoman Donna Tanoue. "When bank regulations can excite and unite individuals across the country, and in all walks of life, we have to pay attention."

What the regulators didn't back away from was the requirement that financial institutions file Suspicious Activity Reports on any customer who engages in an activity that "is not the sort in which the particular customer would normally be expected to engage."

In addition to the Suspicious Activity Reports, Currency Transaction Reports are required for any cash transaction of $10,000 or more-the triggering level is $5,000 when the transaction is accompanied by "suspicious behavior." The transactions are automatically reported to the Treasury Department's Financial Crimes Enforcement Network, known as FinCEN. Its computerized database shares information with federal and state law enforcement agencies.

Although Treasury Department officials describe the financial crimes database as a crucial tool in combating money laundering, critics note that 77 million transaction reports have resulted in only 580 convictions. And from 1994-98, the number of money-laundering prosecutions brought by the main law enforcement agencies dropped more than 24 percent, in spite of the new Suspicious Activity Reports, according to the Transactional Records Access Clearinghouse, a private research center at Syracuse University. Among those who say the federal government's financial rules are excessive is Lawrence Lindsay, a former Federal Reserve governor and the top domestic policy adviser to Republican presidential nominee George W. Bush.

Gregory Nojeim, legislative council for the American Civil Liberties Union, said "the theory is [that such reports] are supposed to be the tip, and [law enforcement] uses the tip to get the subpoena." The ACLU's "biggest objection," he said, "is that personal financial information is routinely turned over to the government without having to show evidence of crime."

House Banking Committee Chairman Jim Leach, R-Iowa, and the Clinton Administration have proposed measures that would expand the scope of the financial crimes database. Leach's initial approach would have opened the database to groups such as the National Association of Securities Dealers that police their members for financial fraud. Although the proposal was dropped from the Leach-sponsored measure introduced by the Clinton Administration, the bill would still expand Treasury Department authority by imposing reporting requirements on any transaction involving a foreign bank. The full House has yet to vote on the bill, known as the International Counter-Money Laundering and Foreign Anticorruption Act.

"Banking is an industry that is built on trust, and FinCEN's mission undermines that public confidence," said Rep. Ron Paul of Texas, one of four House Republicans to vote against the Clinton-Leach bill in committee, on the grounds that it would further erode consumer financial privacy. "What they really need to do is to stop deputizing bank tellers as law enforcement agents."