---

Published: October 2009

DHS privacy report falls short

Coalition: Privacy

Consumer Action signed on to a letter detailing specifically how the Department of Homeland Security's Chief Privacy Officer has failed to safeguard the privacy of Americans.

Download a copy of the Department of Homeland Security's 2009 Privacy Report

Below is an excerpt from the coalition letter:

We are writing to you regarding the Chief Privacy Officer of the Department of Homeland Security and the recently released Privacy Report to Congress.   As you know, the operation of this office is particularly important with respect to the privacy rights of Americans, and accordingly, the Officer is required to assure that technologies, deployed by the DHS,  “do not erode” the privacy of American citizens.   No federal agency has greater budget authority to develop systems of surveillance directed toward the American public here in the United States than the Department of Homeland Security. It is for this reason that we call your attention to the adequacy of the work of the office, as reflected in the most recent Privacy Report.

Having now reviewed the most recent annual report, it is our view that the Chief Privacy Officer for DHS has failed to fulfill her statutory obligations and that the Congress must consider the establishment of alternative oversight mechanisms, including the creation of an office that is independent of the agency it purports to oversee.  Without such an independent office,  it will be impossible to ensure the proper protection of privacy rights, because the decisions of the Chief Privacy Officer will continue to be subject to the oversight of the Secretary and the rest of the Executive branch.

Discussion

The primary statutory duty of the Chief Privacy Officer is to assure “that the use of technologies sustain, and do not erode, privacy protections.”   The CPO has not done so, focusing instead almost exclusively on the fourth statutory duty, conducting a “privacy impact assessment”  on each Department action. 

It is true that the assessment process is a possible avenue for the Office to protect privacy.  The report gives at least one example of this taking place: the PIA for the USCIS Fraud Detection and National Security System Data System (FDNS-DS).  According to the report, the PIA identified a risk and set forth a solution: procedures that USCIS must follow in certain circumstances to mitigate the risk.  The report only describes a handful of other PIAs, leaving the full list to an appendix, but in none of the other examples cited does the Office report that the PIA actually had a meaningful effect on the Department’s activities.

Fusion Centers and the Information Sharing Environment

In May 2004, the Department of Justice announced its progress in implementing the National Criminal Intelligence Sharing Plan. The announcement made public the decision to create a Criminal Intelligence Coordinating Council (CICC) that would be managed by Global.  States using local, state, and federal funds created information Fusion Centers.

A Congressional Research Service Report on Fusion Centers outlined several fundamental problems with the Guidance on Fusion Center development: first, adherence is voluntary, second, the philosophy outlined is generic and does not translate theory into practice, and third, they are oriented toward the mechanics of Fusion Center establishment.  The majority of regional Fusion Centers are concentrated in large urban areas. The jurisdictions of these centers are also covered by state Fusion Centers, but there is a question regarding how overlapping jurisdictions are managed.

Whole Body Imaging

Airport security has undergone significant changes since the terrorist attacks of Sept. 11, 2001. Recently, the Transportation Security Administration (TSA) announced a proposal to purchase and deploy “Whole Body Imaging” X-ray machines to search air travelers at all airports. TSA said it believes that use of the machines is less invasive than pat-down searches. However, these machines, which show detailed images of a person’s naked body, are equivalent to a “virtual strip search” for all air travelers. This proposal, along with the agency’s controversial plan to profile air travelers, shows extraordinary disregard for the privacy rights of air travelers.

In 2009, the TSA announced that Whole Body Imaging would replace metal detectors at airport security checkpoints.  This was a marked departure from the earlier promises by the agency that the technology would only be used for secondary screening of air travel passengers.  In response to a statement  from the Privacy Coalition, a nonpartisan coalition of consumer, civil liberties, educational, family, library, labor, and technology organizations, the TSA issued a statement of its own, promising that the agency would “continue to listen to the public, and . . . constantly look for ways to improve our outreach and education.”   Rather than take the opportunity to review privacy concerns, the agency has chosen to address the issue only as a matter of outreach and education. 

Perhaps most troubling about the whole body imaging program is its almost complete absence from the CPO’s annual report.  It is mentioned only twice: once in passing as a topic of an outreach briefing,  and again in a list of security programs undertaken by TSA in a discussion of component programs.   This second mention highlights the same features of the program described in the PIA, but does not discuss the April 2009 policy change.  With that announcement, the scope of whole body imaging dramatically increased in the months between the PIA’s release almost a year ago and the Annual Report’s release last month.  Surely the report should have noted this change and its effects.

Closed-Circuit Television (CCTV) Surveillance

In December 2007, the Privacy Office conducted a two-day workshop to discuss and examine “best practices” for use of closed-circuit television (CCTV) surveillance by the government.  The resulting report summarized the various panels and presented some useful conclusions for how to best protect privacy while implementing such programs.   While this report contained a number of recommendations, it is not clear from either the activities of the Department or the Annual Report that the recommendations have been implemented in any way.

Conclusion

The DHS CPO has shown an extraordinary disregard for the statutory obligations of her office and the privacy interests of Americans.  Outreach is certainly important, but the job of Chief Privacy Officer is not to provide public relations for the Department of Homeland Security.  The job as defined in the statute is to protect the privacy of American citizens, through investigation and oversight.  If this cannot be achieved by an internal office, then the situation calls for an independent office that can truly evaluate these programs and make recommendations in the best interests of the American public.

We urge the Committee to promptly open an investigation into this simple question:
Has the Chief Privacy Officer of the Department of Homeland Security complied with the statutory obligations of the office?

Lead Organization

Electronic Privacy Information Center

Download PDF

No Download Available