I just spoke to Peter on the phone. He tells me the hearing was cancelled in a few minutes ago since the White House (OMB and OPM) was not ready to show up. The bill in question: http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.05005: -Declan --- Date: Thu, 27 Jun 2002 11:39:33 -0400 From: Peter Swire <pswireat_private> To: declanat_private Subject: Swire testimony on Homeland Security, Privacy, FOIA, etc. Declan: Attached is testimony I will present on Friday to a House Judiciary Subcommittee. The testimony gives a detailed critique of the Administation's Homeland Security proposal, especially on issues of privacy, Freedom of Information, and cybersecurity. Best, Peter Prof. Peter P. Swire, Ohio State University Visiting, George Washington Law School, 2001-02 Former Chief Counselor for Privacy, U.S. Office of Management & Budget (301) 213-9587, www.osu.edu/units/law/swire.htm --- Written Statement of Professor Peter P. Swire Moritz College of Law of the Ohio State University Submitted to the Subcommittee on Commercial and Administrative Law of the House Committee on the Judiciary June 28, 2002 "Administrative Law, Adjudicatory Issues, and Privacy Ramifications of Creating the Department of Homeland Security" Introduction Chairman Barr, Congressman Watt, and other distinguished members of the Committee on the Judiciary, it is an honor and a serious responsibility to be asked to testify today on the topic of "Administrative Law, Adjudicatory Issues, and Privacy Ramifications of Creating the Department of Homeland Security." I share the views of many Americans that it is vital to take new measures to protect against terrorism, including by improving the security of our critical infrastructures and other computer systems. Indeed, a major focus of my recent academic research has been in the area of improving computer security in networked systems. In the time available to testify today, however, I will focus on my concerns with the recent Administration proposal of the Homeland Security Act of 2002, introduced as H.R. 5005. I also look forward to responding to any questions you may have where I can be of assistance. Background of the witness. I am Professor of Law at the Moritz College of Law of the Ohio State University. I reside in the Washington, D.C. area and head the new summer program of the law school. As a professor, I teach courses on privacy, the law of cyberspace, and other subjects, and serve as the editor of the Cyberspace Law Abstracts. My web page is at www.osu.edu/units/law/swire.htm, and many of my writings are available there. My e-mail is swire.1at_private, and phone at (240) 994-4142. Relevant to today's topic, I am currently researching privacy and technology issues for the Liberty and Security Initiative of the Constitution Project. This Initiative is a bipartisan effort of prominent citizens who are seeking ways to achieve both security and civil liberties in the wake of the events of September 11. I also act as a consultant to the law firm of Morrison & Foerster, primarily on issues of medical privacy. In my testimony today I am reflecting solely my personal views, and I have not been paid in any way to prepare this testimony. From March, 1999 until January, 2001 I served as the Clinton Administration's Chief Counselor for Privacy, in the U.S. Office of Management and Budget. This position was in OMB's Office of Information and Regulatory Affairs ("OIRA"), which has long had important responsibilities under the Privacy Act, the various computer security statutes, and for federal information policy more generally. Relevant to today's topic, I played a lead role in coordinating federal agency practices with respect to privacy and personal information. I served on the White House E-Commerce Working Group, worked extensively on critical infrastructure issues including the Federal Intrusion Detection Network (FIDNet), and worked more generally at the intersection of computer security and privacy issues. In 2000 I chaired a White House Working Group on how to update wiretap and surveillance laws for the Internet age. General Comments on the Homeland Security Act of 2002. I have studied the Homeland Security Act of 2002, H.R. 5005 as proposed by the Administration, and offer two metaphors for what I have found. First, the truck metaphor. I believe the proposal is all accelerator when it comes to information sharing, but with no brakes. The bill puts the pedal down when it comes to spreading around sensitive personal information in hopes of reducing terrorism. But the bill has essentially no safeguards that put on the brakes -- either to prevent harm to individuals or to stop a power grab by an unaccountable anti-terror agency. For a vehicle as big as the new Homeland Security Department, nonstop acceleration and no brakes may lead to a mighty big crash in the future. Second, the haystack metaphor. I share the concern, expressed in this Committee recently, that the new information sharing proposals are like piling more hay on top of an already enormous haystack. All that new hay makes it that much harder to find the needle. Better analysis of existing data is likely the key to success here, and the Congress should probe hard to learn whether adding new piles of information and reshuffling the bureaucratic boxes will really add to the quality of the analysis. Taking the haystack image a bit further, the extra-big piles of hay are likely to get old and dried-up sitting in those government storage facilities. When a drought or dry season comes around, as it inevitably will, the fires will be far worse than otherwise. Lots and lots of Americans may get burned if there is careless storage or handling of all that additional hay. The unprecedented collection and dissemination of personal information about Americans puts us at new risk when there is next a drought of self-control or common sense in the Department of Homeland Security. The Department's Skewed Incentives and Lack of Institutional Safeguards. Moving from metaphors to the usual language of Washington policy debates, my central point today concerns the skewed incentives of the new Department when it comes to information gathering and sharing. Having served in the federal government, I am acutely aware that where one sits often determines where one stands. For instance, the CIA thinks that intelligence information is paramount, the FBI stresses effective law enforcement above all other values, and the Commerce Department instinctively understands the effects of a policy proposal on business. For employees of the new Homeland Security Department, a simple look at the name of their department will tell them all they need to know about how their success or failure will be measured. Why would any rational person in the Department fall on their sword to protect privacy, civil liberties, commerce, the rights of immigrants, or any other value except for anti-terrorism? All of the incentives are to place anti-terrorism efforts at the pinnacle. And that mandate will continue for many years, until a future Congress one day takes up the arduous task of reorganization. A related, key point is the lack of institutional safeguards to keep the instincts of the new Department in check. In my specific comments below, I suggest a number of ways to create institutional safeguards both within the Department and in other parts of the federal government. At this point in the testimony, I highlight two proposals. First, a senior official should be appointed within the Executive Office of the President to coordinate policymaking on privacy issues, including as they relate to homeland security. Second, a Chief Privacy Officer should be included among the statutory offices in the new Homeland Security Department, alongside the Chief Financial Officer and Chief Information Officer. Based on my two years as essentially the Chief Privacy Officer for the federal government, (perhaps not surprisingly) I believe that having an official tasked with privacy protection offers significant benefits. The goal is emphatically not to have privacy trump all other values. Instead, the goal is to help ensure that issues of proper handling of personal information are well vetted in the decisionmaking process. Many of the worst surveillance proposals occur when no one in the process has rigorously considered the potential negative effects of a proposal that also offers some advantages. If everyone in the process is concerned, for instance, with short-term gains to homeland security, then who will air the long-term concerns about erosion of civil liberties? Who will make sure that the process considers alternatives that are effective on the security side while also respecting privacy and other values? To take one example, there is little or no evidence in H.R. 5005 itself that privacy values were even discussed among the drafters. If privacy had been discussed, then there were numerous places where clarifying language, of the sort I propose below, might easily have been included. With the Office of Management and Budget testifying here today, I hope they will not take it amiss if I suggest that OMB, and especially its Office of Information and Regulatory Affairs, is likely the single best place to house this sort of privacy official. OMB has long had responsibility for overseeing agency compliance with the Privacy Act. Its responsibility for the clearance of agency Congressional testimony and other statements gives OMB important leverage in ensuring that single-mission agencies, such as Homeland Defense, make policy while considering a broader range of concerns. OMB also has, in my experience, an exceptionally dedicated and capable group of civil servants. For these reasons and others, I believe OMB can play a constructive role going forward in checking the runaway tendencies of the Department of Homeland Security. Privacy and other values can be considered better in the OMB setting, where there is longstanding experience in balancing competing concerns. OMB's role in the budget process and its oversight of agency regulations also mean that agencies will resist some of the temptation to advance their pet causes without regard to other concerns. One particular reform to consider is whether proposed Homeland Security changes in data flows within the federal government or especially outside of the federal government should be subjected to cost/benefit requirements along the lines of Executive Order 12, 291 (issued by President Reagan) and Executive Order 12,866 (issued by President Clinton). The current Administration has insisted on rigorous cost/benefit analysis of other federal agency proposed actions, and we deserve to hear the Administration's views on whether this sort of careful analysis should be skipped for issues of Homeland Security. Aspects of such analysis would presumably include the direct economic burdens created by new Homeland Security initiatives, as well as the burdens placed on privacy, civil liberties, and other values of an open society. Commission on Privacy and Personal Freedom The last comprehensive review of privacy issues at the federal level was conducted in the mid-1970s, resulting in passage of the Privacy Act and the creation of the Privacy Protection Study Commission, which issued its report in 1977. The President or the Congress should create a new Commission on Privacy and Personal Freedom to review privacy issues in the context of homeland security and new information technologies and recommend changes in law and policy. I have previously had my doubts about the usefulness of proposals to create privacy study commissions, in part due to my perception that such commissions could be used as an excuse to delay implementation of effective privacy protections. In light of the events of September 11, however, and the pressing issues those events have posed for homeland security, surveillance, and privacy, I believe this sort of study commission is now appropriate. Administrative Law and Rule of Law Concerns Before turning to some specific textual concerns with H.R. 5005, permit me to comment briefly on some administrative law aspects of the proposal. I am concerned that this major reorganization would reduce the effectiveness of the legislation that Congress has enacted over time to specify how the various agencies should carry out their functions. Even if we assume that officials in the new Department wish to follow every Congressional enactment to the letter, there will inevitably be some play in the joints as the officials seek to make old language work in new settings. The scope of agency discretion is likely to increase as a result of the reorganization. The reorganization thus poses risks to the effectiveness of existing legislation and of judicial review to assure the rule of law within the new Department. For instance, the famous Chevron case requires judges to give deference to any agency that adopts any "permissible" interpretation of a statute. Because all current statutes will need to be interpreted in the context of the changed circumstances of a new agency, and because H.R. 5005 treats anti-terrorism to be the "primary" mission of the Department, a logical consequence is that judges will find a broader range of anti-terrorist action to be "permissible" under the circumstances. Further study may be needed of the savings provision in Section 804(d) to determine whether there are textual changes that would reduce the risk to the effectiveness of existing statutes and judicial review. Some Lessons from Current Research into Homeland Security and Privacy. Current research for the Liberty and Security Initiative of the Constitution Project sheds light on possible pitfalls from the current version of the Homeland Security Act of 2002. One of my efforts with the Constitution Project has been to study the way that wiretap laws operate at the state level. I have learned, to my surprise, that a majority of all domestic wiretaps take place under state law, under orders signed by state judges. A study released this spring also found that the number of state wiretaps has jumped a startling 50 percent in the past year alone. A preliminary survey of state wiretap laws, along with proposals to amend those laws, is now available at the web page of the Constitution Project, www.constitutionproject.org. A substantially more detailed 50-state survey will be available there shortly. This topic of state wiretap laws is important in its own right, and it helps us consider how to achieve both security and privacy when USA-PATRIOT Act provisions sunset in 2005. For the topic of homeland security, the study of state wiretap laws indicates the crucial importance of institutional checks and balances within a surveillance and security process. The states vary widely in whether they have any institutional mechanisms to assure a high quality in wiretap orders. The standards for a judge issuing a wiretap order are the same for federal and state wiretaps under the Electronic Communications Privacy Act. At the federal level, we have a history of scrutiny of wiretap orders by the Congress, the press, and civil liberties groups and we have had institutional protections such as approval by senior Justice Department officials and significant training required of the agents and prosecutors who seek such wiretaps. This set of institutional safeguards has often been much less developed, however, at the state level. Proposals to amend state wiretap laws should seek effective ways to build institutional checks and balances into the surveillance process. Effective institutional checks, beginning but not ending with strong Congressional oversight, will be needed as well for the new Department of Homeland Security. Another ongoing topic for the Constitution Project concerns national ID proposals and the history of why the federal government has repeatedly decided not to create such an identification system. My current view is that our lack of a national ID card today is due partly to popular sentiment (which has opposed such cards) and partly due to a political dynamic where the proponents faced a heavy burden in creating such a system. My preliminary view is that creation of a Department of Homeland Security would change the political dynamic. The new Department will be under strong internal and external pressure to adopt new biometric and other identification systems. The heavy burden may thus shift to those who are skeptical of a new national identification system. If the large and powerful new Department puts its muscle behind such a system, who inside or outside of the federal government will be similarly well organized to oppose it? My research to date on the history of national ID proposals thus suggests that opposition to such proposals may be a reason to oppose or be more cautious in support of the new Department of Homeland Security. The Congress may wish to consider ways to reduce this concern, such as by stating that no funds shall be spent to create or advocate for a national identification system. Comments on Specific Sections of the Homeland Security Act of 2002, H.R. 5005. Section 101(b)(1), anti-terrorism as the "primary" mission of the Department. The current text says that the Department's "primary" mission will be duties connected to preventing, minimizing the damage from, and assisting in the recovery from terrorist attacks. One problem with this formulation is that it necessarily makes "secondary" all the other functions of the agency components that are transferred into the new Department. As one notable example, administration of the entire enormous body of immigration laws is secondary under this statute to the activities of the INS with respect to terrorism. Similarly, the many domestic responsibilities of FEMA will now all be subordinated, according to this statute, to FEMA's terrorism-related activities. In the event of floods, hurricanes, fires, and the rest, any FEMA activities related to terrorism will be stated by statute to be more important than saving Americans' lives and property threatened by these other sorts of disasters. The new Department would contain a wide range of important government functions, from the Coast Guard to the Customs Service to many others. The proposed reorganization will likely result in less leadership focus, and likely less effective implementation, of the non-terrorism goals in these areas. This concern about less effective government is made worse by the Administration's claim that no additional spending will be needed to fund the Department. Having watched the budget process from up close during my time at OMB, I find this claim disingenuous at best. Turning to privacy as another example, the protection of Americans' privacy and other civil liberties appears to be made secondary, according to this statute, to all anti-terrorism efforts. This hierarchy of values, with terrorism more important than all the other missions of the Department and all the other values implicated by the Department's ongoing activities, is made a permanent part of the statutory charter of the Department. Future Secretaries of the Department may feel constrained to treat these "secondary" activities and values in a "secondary" way according to the Congressional intent as reflected in the text of Section 101(b)(1). My recommendation is thus to rewrite Section 101 to make clear that anti-terrorist activities are a mission of the Department. The "primary"/"secondary" language, however, should be deleted. This amendment would avoid a threat to the rule of law, where future Secretaries of the Department might appeal to the "primary" mission of the Department to trump contrary missions as created by other statutes, such as in the areas of immigration, emergency preparedness, and privacy. Section 103, Other Officers. The current text specifies the creation by statute of various officers, including a Chief Financial Officer and a Chief Information Officer. Due to the special responsibilities of this Department, I believe the statute should also require creation of the office of Chief Privacy Officer. This step would not take the place of effective inter-agency oversight by OMB or some other part of the Executive Office of the President. Having a Chief Privacy Officer, however, would help create a better vetting process within the Department. Proponents of new surveillance plans and data sharing would more consistently have to explain both the benefits of their proposals and why their proposals cannot be carried out in ways that are more consistent with privacy and similar values. Creation of the Chief Privacy Officer position by statute would also increase the likely effectiveness of Congressional oversight of the Homeland Security Department on privacy and related issues. It would be more difficult for the Department to bury these concerns many layers deep in the bureaucracy, and the Chief Privacy Officer would be available to testify before the oversight committees. Section 201, Under Secretary for Information Analysis and Infrastructure Protection. The current text defines seven responsibilities of the Under Secretary for Information Analysis and Infrastructure Protection. I have myself worked extensively on infrastructure protection issues, as a government official, as a private citizen, and as an academic researcher on encryption, firewall, and other topics. I agree wholeheartedly that the United States government and the private sector must continue to strive mightily to improve all aspects of infrastructure protection and computer security. With that said, the current statutory text addresses only a fraction of the crucial issues that the new Under Secretary should consider. The current text essentially focuses on assessing and correcting the vulnerabilities of the critical infrastructure and increasing information flow among those involved in computer security. Entirely absent is any discussion of the many other values at stake in the construction of the information infrastructure. For instance, there is no concern stated for educational or commercial benefits that result from the Internet or other information technologies. There is no mention of the importance of protecting individual privacy in the exchange of all this information. There is no mention of the values of government accountability, the Freedom of Information Act, or the many other ways that well-designed information structures can enhance an open society and the preservation of civil liberties. In response, supporters of the current text might say "that's not my Department." The bill concerns the Department of Homeland Security, and the concerns about education, commerce, privacy, government accountability, and civil liberties should simply be handled elsewhere in the government. I respond, however, that the Department centrally tasked with "a comprehensive national plan" for information infrastructure should clearly be tasked to include those other issues and values in the process. My recommendation is to rewrite Section 201 to take explicit account of these and similar values in defining the mission of the Under Secretary for Information Analysis and Infrastructure Protection. Consideration of the values mentioned here should be included explicitly within the definition of the Under Secretary's responsibilities. The Under Secretary might also be tasked, for instance, to consult with the other relevant agencies (Commerce, Education, Justice, etc.) when making plans for critical infrastructure and information sharing. The new language should not reduce the existing responsibilities of other agencies to take action in these areas. As the Committee looks for language that achieves these goals, one helpful source would be the National Plan for infrastructure protection released in early 2000. That Plan was prepared under the supervision of Dick Clarke, who now leads the Bush Administration's cyber-security efforts. In both the Plan's overview and in its chapter on privacy and civil liberties, there is extensive discussion of the ways that multiple values should be considered in decisions about how to construct the Internet of the future and the nation's critical infrastructures more generally. Section 203, Access to Information. The current text, in Section 203(3), states that "the Secretary shall ensure that any material received pursuant to this section is protected from unauthorized disclosure and handled and used only for the performance of official duties." The text also discusses the importance of protecting intelligence sources and sensitive law enforcement information. At first read, it might appear that the language about "unauthorized disclosure" and "performance of official duties" might offer protections for individual privacy, by limiting the ways that data in the hands of the Department might be used. Upon a closer read, however, protections are almost entirely lacking. First, the limit on "unauthorized disclosure" does nothing to limit "authorized disclosure." Because the bill in general places few or no limits on authorized disclosure, the Department in the future would be essentially free to authorize almost any information sharing. Second, the requirement that data be used "for the performance of official duties" is similarly weak. Persons working in the Department, seeking in some way to fight terrorism, could justify almost any use or disclosure of information as part of the performance of official duties. For example, releasing data to a state or local official might in some way help detect a terrorist, justifying almost any release of data. Third, the bill provides no apparent remedy or enforcement action if releases are made beyond those permitted under Section 203(3). Fourth, as discussed elsewhere in this testimony, the Department is currently proposed in a form where essentially all the incentives are in the direction of sharing sensitive personal information widely, in hopes that the sharing may incrementally help detect or prevent terrorist action. These incentives are likely to push in the direction of greater "authorized" use over time. Taking these factors together, Section 203(3) becomes a recipe for essentially unrestricted sharing of sensitive personal information, with no apparent incentives to limit such sharing and no remedies if the sharing goes too far. My recommendation is that language be added to the text that says that the Secretary "shall ensure that any material received pursuant to this section be used or disclosed in order to minimize the risk to harm to individuals from inappropriate use or disclosure of personally identified information." Because this sort of language will not in itself create remedies or change the incentive structure facing the Department, additional steps are likely warranted to assure careful handling of sensitive personal information. One approach to create accountability is given by H.R. 4561, the "Federal Agency Protection of Privacy Act," which has been introduced by Chairman Barr and supported by the Ranking Member Representative Watt, as well as by a considerable number of other Members of Congress. I support the use of privacy impact assessments, which are the central provision of H.R. 4561, and hope that they will become standard practice within a Department of Homeland Security and in other settings where there is significant use or disclosure of personally identifiable information. Other parts of this testimony discuss ways to create accountability for the handling of personally identifiable information through actions by the Office of Management and Budget. This role for OMB might be spelled out in Section 203 or elsewhere in the bill. Section 204, Information Voluntarily Provided. Section 204 of the bill states that "information provided voluntarily by non-Federal entities or individuals that relates to infrastructure vulnerabilities or other vulnerabilities to terrorism and is or has been in the possession of the Department shall not be subject to section 552 of title 5, United States Code." This provision would create an enormous and unjustified exception to the Freedom of Information Act (FOIA), and should be deleted from the bill. The question of how, if at all, to craft a FOIA exception for critical infrastructure protection information has been the subject of heated debate for the past several years. I worked on this issue while serving in OMB, and have followed the debate in the time since. The text of Section 204 reads like the fantasy of one fringe of the debate the fringe most dedicated to limiting disclosure of information to the public. For instance, information that would clearly be open to the public through FOIA requests to other Federal agencies would be hidden away if the Department happened to receive it. The secrecy would be permanent. There are no procedural limits or review procedures for whether the benefits of releasing the data outweigh the risks. The text uses the "relates to" language that is familiar from other statutes as the broadest possible legislative language; for instance, the same "relates to" language in ERISA is the reason that Congress has been considering the Patients Bill of Rights as a way to stop a large exemption from judicial review and due process. And so on. The text of Section 204 is troubling not only because its substance is so extreme compared to the extensive debate that has already occurred on this topic, in both Houses of Congress. It is troubling as well because of the apparently slipshod manner in which such an important topic was inserted into the Homeland Security bill. Inclusion of this extreme text, without any of the nuance that many federal offices have gained during previous rounds of discussions on the issues, suggests one of two possibilities: Either the text was inserted without the benefit of learning from the experts in the Executive Branch on the subject, or else those with expertise were simply overruled by the drafters. It would be useful to learn, for instance, what role the OMB Office of Information and Regulatory Affairs, the Commerce Department Critical Infrastructure Assurance Office, and the FOIA office in the Department of Justice played in the vetting of this most amazing legislative language. My recommendation is that Section 204 be deleted in its entirety. Conclusion. In conclusion, I thank the Committee for the opportunity to testify and present my views on these issues. Today, less than a year after the horrific events at the World Trade Center and the Pentagon, there is likely no issue on the national agenda more important than deciding how we will change practices within our borders to assure both security and the other important values that define our Nation. As an academic who has studied the history of government institutions, I wonder whether the War on Terrorism will be as defining a mission ten, twenty, or thirty years from now, when the Department of Homeland Security will quite possibly still be governed by the charter that Congress enacts this year. You are writing the charter for an agency with unprecedented powers to keep watch on every American, powers that will endure long after this election cycle is forgotten. I commend this Committee for its careful attention to the issues in the hearing today, and I welcome any questions you may have. ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ ------------------------------------------------------------------------- Like Politech? Make a donation here: http://www.politechbot.com/donate/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 15:10:16 PDT