The Office of Management and Budget has been quietly ramping up its privacy requirements. Since the security scare of having a Veteran Affairs laptop containing the personal information of 26.5 million veteran and active-duty military stolen was resolved, OMB has offered no less than six memos related to privacy:

M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007) (43 pages, 251 kb);

M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) (22 pages, 228 kb);

Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006) (12 pages, 1,903 kb);

M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 17, 2006) (42 pages, 301 kb);

M-06-19, Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006) (2 pages, 41 kb);

M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006) (2 pages, 50 kb).

And on Friday they issued an eighth memo:

M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (January 18, 2008). Among other things, this guidance requires agencies to report on privacy issues including those that are not covered by the Privacy Act.

While this is a positive step and shows that OMB is indeed beginning to show real leadership on privacy issues (in contrast to GAO’s June 2003 report entitled Privacy Act: OMB Leadership Needed to Improve Agency Compliance), CDT is still urging OMB to move forward, including efforts toward best practices for privacy impact assessments (PIAs) as we explained in our recent testimony on E-Government Act Reauthorization in front of the Senate Homeland Security and Government Affairs Committee. OMB has been supportive of the passage of this legislation, but could move forward with best practices even without it.

This week’s highlighted report:

The Foreign Intelligence Surveillance Act: A Brief Overview of Selected Issues
RL34279 Dec. 7th, 2007

From the report’s summary:

This report briefly outlines three such issues and touches upon some of the perspectives reflected in the ongoing debate. These issues include the inherent and often dynamic tension between national security and civil liberties, particularly rights of privacy and free speech; the need identified by the Director of National Intelligence (DNI), Admiral Mike McConnell, for the Intelligence Community to be able to efficiently and effectively collect foreign intelligence information from the communications of foreign persons located outside the United States in a changing, fast paced, and technologically sophisticated international environment, and the differing approaches suggested to meet this need; and limitations of liability for those electronic communication service providers who furnish aid to the federal government in its foreign intelligence collection.

CDT’s OpenCRS project collects and indexes Congressional Research Service (CRS) reports and makes them available to the public free of charge. Each week, PolicyBeta features a CRS report on an important topic. For more reports, or to help contribute new reports to the OpenCRS database, visit the Web site.

Recently, some strong criticism has been voiced about a Congressional proposal entitled “The Violent Radicalization and Homegrown Terrorism Prevention Act.” While some valid points are being made, the fervor and attention being given the bill is disproportionate in light of greater and more urgent threats to civil liberties. Moreover, there is actually a good intent behind the bill: to study the potential problem of homegrown terrorism and develop a rational response. The bill would create a study commission. Rather than opposing the bill, civil liberties advocates should work to improve it and then, if it becomes law, to show the Commission and the public why dissent is an antidote to terrorism, not a precursor to it.

Summary of the Violent Radicalization Bill
The bill that is drawing attention is H.R. 1955, written by Rep. Jane Harman (D-CA), who happens to be one of the most thoughtful and approachable Members of Congress on issues of national security and civil liberties. The bill passed the House on October 23, 2007, by a vote of 404 to 6. A companion bill in the Senate is S. 1959, introduced by Sen. Susan Collins (R-ME), another respected and responsible lawmaker.

The House version would do two things: It would establish a National Commission, variously called the “National Commission on the Prevention of Violent Radicalization and Homegrown Terrorism” or the “National Commission on the Prevention of Violent Radicalization and Ideologically Based Violence.” And it would direct the Secretary of Homeland Security to establish or designate a university-based Center for Excellence “to study the social, criminal, political, psychological, and economic roots of violent radicalization and homegrown terrorism in the United States and methods that can be utilized by Federal, State, local, and tribal homeland security officials to mitigate violent radicalization and homegrown terrorism.”
(more…)

The REAL ID boondoggle drags on. The REAL ID Act was passed in 2005 yet the Department of Homeland Security still has not issued implementing regulations. Proposed regulations were published by DHS in March of this year. Now there are rumblings that the final regulations, initially expected late summer, will be released around Christmas or even after the New Year.

Back in May we submitted extensive comments to DHS highlighting the utter lack of meaningful privacy and security standards for the protection of personal information in the proposed regulations. Now some believe that the final regulations will be even more stripped down than the proposed regulations were. This doesn’t bode well for privacy or security, and underscores what CDT and many other civil liberties advocates have been saying for a long time: the REAL ID Act itself is fundamentally flawed and must be revisited by Congress.

In particular, the REAL ID Act paves the way for making centrally accessible highly sensitive personal information on virtually every American, including copies of birth certificates, Social Security Cards, passports and other personal documents. This will create an extremely valuable central source of identification data that would be vulnerable to terrorists, ID thieves, and unscrupulous DMV or other state and federal employees.

(more…)

I have nothing against the French. I never ordered “Freedom Fries” with my hamburger; the French Foreign Legion helped fuel my adolescent fantasies of adventure and wanderlust; and much later Brigitte Bardot helped fuel my… well, you get my drift. But I admit to being peeved at them for the hubris contained in the recent announcement of a three-way pact among the French government, Internet Service Providers, and the entertainment industry to try and crack down on illegal file sharing.

The agreement puts ISPs at the forefront of a scheme requiring the companies to monitor each citizen’s online activity on the chance that illegal file sharing might be happening, an act that instantly turns ISPs into a de facto cyber-police force.
(more…)

It’s a no-brainer that the federal government needs a robust and effective program for protecting its computer networks. However, a new cyber-security initiative being shopped by the White House to Congress and others, including CDT and fellow privacy advocates, raises long-standing concerns over the role of the National Security Agency in securing unclassified computer networks.

The NSA has long had a dual role: Wearing its signals intelligence hat, the agency spies on our adversaries, cracking their computer networks and breaking their codes. Turning that hat around, the NSA also is responsible for protecting U.S. government communications from interception.
(more…)

CDT’s OpenCRS project collects and indexes Congressional Research Service (CRS) reports and makes them available to the public free of charge. Each week, PolicyBeta features a CRS report on an important topic. For more reports, or to help contribute new reports to the OpenCRS database, visit the Web site.

This week’s report addresses the use of “National Security Letters,” an extremely powerful tool that law enforcement can use to onbtain criminal suspects’ personal and business records. CDT Policy Director Jim Dempsey testified before Congress on the use of NSLs in March.

National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments
RS22406 - March 20, 2007

With a week to go before recess, the President used his radio address to challenge Congress to amend the law regulating national security surveillance of domestic and international calls. Democrats have responded with a serious proposal that addresses the problems cited by the Administration.

The proposal, however, includes something the Administration viscerally opposes: judicial checks and balances. The Democratic draft calls for reports to the Foreign Intelligence Surveillance Court and requires the Administration to seek a court order when surveillance activities targeted at foreigners begin to intrude on the rights of U.S. citizens.

The Administration wants amendments to the Foreign Intelligence Surveillance Act that would allow the National Security Agency to intercept, without a court order, any international phone calls and emails of American citizens.

The Administration proposal goes further even than the Terrorist Surveillance Program described by the President in January 2006 when the Administration admitted it was intercepting phone calls and email without a court order. Rest assured, the President said at the time, in every case we have reason to believe that a member of al Qaeda is on the line.

Now, the Administration wants to eliminate even that requirement. Its latest proposal would allow it to intercept any call of any citizen, just on the basis that the citizen is talking to someone overseas.

(more…)

This week, Sen. Lamar Alexander is expected to introduce an amendment to the Homeland Security Appropriations Bill (S. 1644) that would provide $300 million in funding for REAL ID (a program that in total will cost an estimated $23 billion). The debate over REAL ID funding shifts the focus from the more pertinent issue: REAL ID is a fundamentally flawed law that has serious privacy and security problems. Congress must address these problems first before determining how to pay for the program’s implementation.

Senator Alexander’s funding amendment would allocate good money to implement a fundamentally bad law. Furthermore, funding of REAL ID could encourage states that had previously raised privacy and security objections to the law to implement the REAL ID Act in the hopes of receiving more federal funding down the road.

Congress’ foremost focus should be on promoting meaningful driver’s license reform that properly addresses privacy and security concerns, which is exactly what Senator Akaka’s Identification Security Enhancement Act of 2007 does (S. 717). Congress must act immediately — if it waits until the final Department of Homeland Security (DHS) regulations are released this summer, focus will likely shift away from reforming the original statute.

DHS is considering creating a central database of driver’s license and ID card information with no meaningful privacy and security standards. Such an approach would create a single access point to the full identity and personal information of virtually every American including highly sensitive source documents such as birth certificates, Social Security cards, and passports, which REAL ID requires states to scan and store digitally). REAL ID would create a one-stop-shop for terrorists, identity thieves, unscrupulous DMV or other government employees seeking to steal identities or do other harm. These concerns apply equally whether the data is centralized or resides in a system of linked DMV databases without proper safeguards. The weakest state’s security system, if breached, would then allow access to all other databases, even those with much more robust security measures.

REAL ID mandates that each card contain a machine-readable zone (MRZ), which DHS had mandated be standard across all states. The MRZ mandate was intended to aid law enforcement in processing suspects with greater accuracy and efficiency. However, without any use limitations whatsoever, it will be much more likely that government and commercial entities will use the MRZs to log virtually every public and private transaction.

CDT wrote a letter to the Senate expressing these concerns and urging senators to vote against the REAL ID funding amendment.

The Senate Judiciary Committee on Thursday is expected to decide whether to give subpoena authority to Chairman Patrick Leahy (D-VT) so that he can deepen the congressional investigation into the administration’s warrantless wiretapping of Americans.

We held a press briefing here earlier today to discuss the warrantless surveillance program(s), the subpoena process and the status of the administration’s proposal to legalize warrantless surveillance on Americans. In anticipation of possible subpoenas, we also released our lists of the “Most Wanted Documents” and the “Most Wanted Answers” relating to the warrantless wiretapping program.

CDT has long maintained that Congress needs to learn the scope and nature of the warrantless surveillance activities that have been conducted in the wake of September 11, 2001 before it can even begin to consider rewriting the law designed to prevent innocent Americans from being swept up in investigative dragnets. By asking the right questions and obtaining the documents that the administration considered in creating the program, Congress can finally understand how that surveillance impacted the privacy rights of Americans.