For the good of homeland security or other law enforcement use, would most Americans give their Social Security and driver's license numbers, among other personally identifying information, to the FBI or other law enforcement agencies?
The fact is, Americans release such information daily, whether they mean to or not. Send a package via FedEx and it usually gets there on time. End of story, right? Wrong.
FedEx keeps people's personally identifying information in a database and makes it available to the FBI for homeland security purposes.
Furthermore, a growing number of data aggregators -- otherwise known as data brokers -- collect citizens' personally identifying information and sell it for profit. Among the organizations buying this information are law enforcement agencies, which increasingly turn to the private sector for help with improving intelligence and aiding criminal investigations.
Collect and Sell
The practice of aggregating and selling data gained notice recently when data broker ChoicePoint acknowledged that crooks had duped the company out of the personal data of nearly 145,000 people. ChoicePoint is not the only victim of this type of scam, and not the only company to lose private citizens' information. Those who want to see changes in the way personally identifiable information is bandied about contend it's too easy for this information to fall into the wrong hands.
"Thirty years ago, we were concerned about the big, bad federal government and what it was doing," said Lee Strickland, director of the Center for Information Policy at the University of Maryland and former Central Intelligence Agency analyst. "Now it's really the commercial entities, and not just the data aggregators, but any company."
Data aggregators such as ChoicePoint, LocatePLUS and Seisint -- which was acquired in 2004 by LexisNexis -- collect information from a multitude of public and private source, and assemble dossiers on many, if not most, Americans. Then they sell that information to government agencies, such as 50 different Massachusetts police departments and the Florida Department of Law Enforcement (FDLE), which use it for everyday law enforcement investigations.
Florida uses a software application called the Factual Analysis Criminal Threat Solution (FACTS), which is the same software system used by the defunct Multistate Anti-Terrorism Information Exchange (MATRIX) that once linked several states to data about possible terrorists. The MATRIX, which included a central database where states deposited data, was created after 9/11 to thwart potential terrorist attacks. Federal funding for the MATRIX was halted in April, mostly because of privacy concerns.
The MATRIX database is gone, but the FACTS software continues to run -- and Florida, Ohio, Pennsylvania and Connecticut take advantage of its commercial data-gathering capabilities. The system accesses multiple commercial databases when queried about specific data. Law enforcement officials say it's foolish not to take advantage of all the data available to them, whether it comes from commercial databases or not.
Mark Zadra, the FDLE agent in charge of FACTS, said the system simply provides law enforcement with information that's already available to the public, only more quickly. The exceptions are criminal history records and driver's license photos, both of which law enforcement is entitled to anyway. Law enforcement also has access to Social Security numbers through drivers' licenses.
What they don't have, according to Zadra, is credit information. Law enforcement can get "credit headers" from credit bureaus to obtain recent addresses, but that information is limited to name, address, date of birth and Social Security number. Zadra said he doesn't have access to information about what people are buying or what naughty movies they're renting.
The key advantage to using commercial databases is time. It would take days or weeks to gather data on an individual without this access, whereas law enforcement can now get data in real time.
"The information we make available to law enforcement is what we call public filing or public domain," said ChoicePoint Vice President Jim Zimbardi. "The dilemma [for law enforcement] is the time and effort needed to go get it."
Narrow It Down
The FACTS system doesn't tell law enforcement where to go or who to arrest, nor does it monitor or track people, Zadra said. "It's an application loaded onto my computer. It's query based. It doesn't run at night and say, 'Here's the top 10 terrorists in Florida' when I come in in the morning."
For instance, Zadra said, if a child was abducted in a white van and somebody saw that it had a Florida tag with the number seven in it, and it was driven by a middle-aged white man, the system could narrow the search to white males who are registered sex offenders, and drive white vans licensed in Florida. It would take minutes rather than days, which could mean life or death for the child.
"Does that mean I can serve a search warrant or make an arrest? Absolutely not," Zadra said. "But it can tell me I need to find these people to possibly eliminate them quickly and begin focusing on the right people."
Solving crimes still comes down to good police work, Zadra said. "Investigators and analysts solve crimes. The system doesn't solve crimes. It's a tool. It produces investigative leads. We go through the same time-honored investigative techniques we always did. I'm a citizen and a law enforcement officer. The truth is, I don't know what the problem is with law enforcement having that data."
What About Privacy?
Privacy advocates, including Carol Rose, executive director of the Massachusetts American Civil Liberties Union, do have a problem with law enforcement's access to personally identifying information.
"When we have the government outsourcing data aggregation to other companies, the question is, do the restrictions that apply to the government apply to the companies as well? And of course, the answer is, only if we know what information the government is accessing," Rose said.
Under the federal Privacy Act, said Rose, citizens have the right to make sure data held by the government is correct. It's unclear, however, whether data accessed by government officials from commercial databases is covered under the act.
Privacy concerns surround financial and health information, and some wonder whether data aggregators collect such information. "They can say they don't have that, but we don't know," Rose said. "A lot of them say they collect everything."
Although law enforcement says all that information is available to them anyway, Rose insists, "We don't know that, because for the most part, the data aggregators keep that proprietary. We don't know what processes private companies are using because they don't have the same restrictions as government does."
James Lee, ChoicePoint's chief marketing officer, said the company does sometimes provide credit reports to government agencies, but that they are truncated reports, meaning they don't have account numbers. "They don't have the information you need to see what a person does with their finances," he said. "They don't have mortgage or buying information. Our information is nonfinancial."
A law enforcement agency could get its hands on that information, and since privacy restrictions don't appear to apply to government's use of commercial data, this creates the possibility of abuse, Rose said. She called this an end run around the First and Fourth amendments.
Rose said law enforcement is free to use that data for whatever it wants, even personal exploits. "When [law enforcement] can do it in their official capacity and for free, the potential for abuse becomes greater and there don't appear to be any restrictions on the information the government can access, on who gets the information and on what they can do with it," Rose said.
Zadra has a different view.
"If I could monitor everywhere you went by your expenditures, I could understand [the concern]," he said. "But we don't have access to that information."
A Secure Situation
Perhaps a larger problem is the data's security in the hands of the data brokers. When ChoicePoint was duped, it put nearly 145,000 people at risk of identity fraud. That incident, and others like it, stimulated interest in legislation to restrict data aggregators.
Some states -- including California, Washington, Arkansas, Georgia, Montana and North Dakota -- already have laws that penalize companies for failing to alert customers that their personal or financial information has been lost or stolen. Indiana just passed legislation that would alert residents if their Social Security numbers had been divulged, and legislation in Florida, if signed by the governor, would impose a $1,000 fine for each day of the first month that a company fails to disclose a data breach. For each month thereafter, the company would pay a $50,000 fine.
At the federal level, legislation proposed by U.S. Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., would restrict the sale or publication of Social Security numbers and prohibit businesses from requiring Social Security numbers except in a few circumstances.
For its part, ChoicePoint says it now takes unprecedented steps to protect its databases. The company recently created an independent Credentialing, Compliance and Privacy office, and hired Carol DiBattiste as its chief officer. DiBattiste is a former prosecutor, former undersecretary of the Air Force, and most recently worked for the Department of Homeland Security on transportation security.
She said the information ChoicePoint provides to law enforcement agencies lets them link one bad person to another and could help uncover a terrorist group. That said, the company does restrict who has access to personally identifiable information and how they will get it.
ChoicePoint limited its business to customers that fall into just three categories, where the potential buyer's product must either: support consumer-driven transactions, such as insurance, banking and mortgage lending; be used for fraud detection or as an authentication tool for insurance, banking or mortgage lending entities; or be used by law enforcement.
ChoicePoint now authenticates the customer with a personal visit, something that wasn't done before. "That's one procedure to help tighten the credentialing procedure," DiBattiste said. "We will use many sources to verify customer authenticity, to verify they are who they say they are. We've also tightened our user ID and password protections."
The company hired consultants to help DiBattiste develop a best practices study. "At the end of the day, they'll help me do the framework for my compliance program, which I'll be instituting corporatewide," she said.
That probably won't be enough to stave off federal legislation protecting personal data, which Strickland said is due.
"This is very valuable information that could contribute significantly to homeland security, and we would be foolish not to take advantage of it," Strickland said. "At the same time, we have to have policies in place to make certain we don't become a surveillance state or a police state."
Strickland said the Privacy Act, which developed a framework in 1974 for the control of personal information held by the federal government following Watergate and other FBI excesses, might be out of date and not applicable under some of these circumstances.
"If the government receives this information, it becomes subject to the Privacy Act," Strickland said. "That's my view as a lawyer, but you have people making arguments, for one reason or another, that it doesn't." He said the courts have generally upheld those arguments and that as long as the company in question is not a credit bureau, it can virtually take over ownership of personal data.
"Really, the problem is that the courts are inclined to recognize that your information, once it gets into the hands of a private company, is no longer your information. It's their information," Strickland said. "It's absolutely necessary that we get a law in place that provides people with the basic rights of notice, access and opportunity to challenge and correct -- redress in other words. The most fundamental question is notice. The public needs to have notice."
Past, Present, Future
It's important to develop privacy policies, Strickland said, so the country can move forward with programs that protect the safety of Americans, like the defunct Total Information Awareness, a system developed by the Defense Advanced Research Projects Agency after 9/11 that linked to databases of public and private information throughout the country for intelligence purposes.
The Computer Assisted Passenger Pre-Screening System (CAPPS II) was an airline security system that was grounded by privacy concerns. Secure Flight, another screening system introduced last summer by the Transportation Security Administration, is also being delayed because of privacy concerns.
"All of these ideas were inherently good in the sense that they had the potential to enhance homeland security, but nobody gave enough thought to privacy so it became a political issue," Strickland said. "We've got a totally dysfunctional system because we didn't get CAPPS II and Secure Flight is being delayed. It's almost as if government is shooting itself in the foot by not being more aggressive on the privacy issue."