Volume 22 Number 21, November 19, 2002
(Excerpted From Page 1)
HS BILL CREATES SENIOR PRIVACY OFFICER;
CENTRALIZES AIRLINE, IMMIGRATION DATABASES
Legislation to create a Dept. of Homeland
Security is expected to improve federal ability to engage in electronic
and database surveillance and to crack down on computer hackers.
On the other hand, the bill includes what might be the first statutorily
created, senior privacy officer charged with conducting privacy
impact assessments and other duties. It also would ban TIPS, a
contemplated federal spy program that would enlist the help of
everyone from Postal carriers to utility workers.
The measure, which is expected to be passed
by the Senate November 19 and later signed by President Bush, also
would exempt from Freedom of Information Act disclosure records
provided voluntarily by companies that relate to the nation's "critical
infrastructure." The defeat of proposed amendments by Senate Democrats
meant that the bill would also exempt the new department's advisory
committees from an open meetings law, the Federal Advisory Committee
Act (FACA).
Contrary to some published reports, the bill contains
no authorization for "Total Information Awareness," a comprehensive
data-mining effort proposed by the Pentagon that would break down
long-established barriers against domestic surveillance (see story below).
But the proposed agency would combine several surveillance
efforts under one roof, from airline-passenger screening programs
to immigration databases and criminal financial investigations.
An office would oversee and coordinate their efforts.
The House added a measure that would boost penalties
for cyber crimes and make it easier for Internet providers to report
suspicious activity on their networks. Hackers could face life in
prison if their activities were found to put human lives at risk,
while Internet providers could hand over logs of customer activity
without fear of lawsuits.
The Secretary of Homeland Security would "appoint
a senior official . . . to assume primary responsibility for privacy
policy, including:
- Assuring that the use of technologies sustain,
and do not erode, privacy protections relating to the use, collection,
and disclosure of personal information;
- Assuring that personal information contained
in Privacy Act systems of records is handled in full compliance
with fair information practices as set out in the Privacy Act
of 1974;
- Evaluating legislative and regulatory proposals
involving collection, use, and disclosure of personal information
by the Federal Government;
- Conducting a privacy impact assessment of proposed
rules of the dept. or that of the Department on the privacy of
personal information, including the type of personal information
collected and the number of people affected;
- Preparing a report to Congress on an annual basis
on activities of the Department that affect privacy, including
complaints of privacy violations, implementation of the Privacy
Act of 1974, internal controls, and other matters."
Recognizing the sensitive nature of anti-terrorist
data, the bill would require the new Secretary to limit
re-dissemination of such data, to ensure that they are not used
for an unauthorized purpose, and to ensure their security and
confidentiality. The Secretary
would also be tasked with protecting the constitutional and statutory
rights of any individuals who are subjects of such information;
and providing data integrity through the timely removal and destruction
of obsolete or erroneous names and information.
In terms of dissemination, the department could
issue alerts and advisories, but could withhold "information that
is proprietary, business sensitive, relates specifically to the
submitting person or entity, or is otherwise not appropriately in
the public domain." The FOIA exemption for critical infrastructure
data extends to state openness laws and to disclosure in civil discovery.
The legislation imposes on each federal agency new
information security duties in the form of a "Federal Information
Security Management Act." It creates a coordinating director within
the Administration. While it recognizes the utility of commercial
products, the statute adds, "The selection of specific technical
hardware and software information security solutions should be left
to individual agencies from among commercially developed products."
The bill's text is available at http://news.findlaw.com/hdocs/docs/terrorism/hr5710homsecbil.pdf
Senior privacy officer section (Pages 49-50); FOIA
and CII (Pages 42-44); information security standards (Pages 323-330).