The ever-growing pile of evidence that privacy is dead just got a bit larger.
Last week, privacy advocates lost another round with the US Department of Justice (DOJ) in the battle over the relatively unfettered collection, analysis and distribution of massive amounts of personal data of those both in and outside of government.
The DOJ’s goal is both laudable and necessary – the mitigation of insider threats. But, its method of reaching that goal involves eliminating significant protections for another crucial goal of a free society – personal privacy.
In a “final rule”, the DOJ excused its insider threat database – officially the “DOJ Insider Threat Program Records” – from multiple provisions of the 1974 Privacy Act.
The Electronic Privacy Information Center (EPIC), which filed objections to the exemptions when they were first proposed in June, noted that the database includes:
… detailed, personal data on a large number of individuals who have authorized access to DOJ facilities, information systems, or classified information, including present and former DOJ employees, contractors, detailees, assignees, interns, visitors, and guests. The scope of ‘insider threat’ is broad and ambiguous; the extent of data collection is essentially unbounded.
It added that the DOJ, “proposes to disclose information within the Database to multiple entities not subject to the Privacy Act, including state, local, tribal, or foreign law enforcement, private organizations, contractors, grantees, consultants, and the news media.”
Most of the people whose data is being collected, analyzed and shared, EPIC noted, aren’t under suspicion or the target of any investigation. And the “insider threat” information collected is not just used for law enforcement or intelligence purposes. It can then be shared with other agencies for what amounts to human resources purposes like hiring, retention, promotions and deployments.
The DOJ, which rejected all of EPIC’s requests to narrow or eliminate the exemptions, said they are all necessary to, “avoid interference with efforts to detect, deter, and/or mitigate insider threats.”
In response to EPIC’s request that only “relevant and necessary” records are maintained to detect and prevent insider threats, DOJ argued that it is impossible to say at the time data is collected whether some of them might become relevant later.
It said it protects the security and confidentiality of the data with, “appropriate administrative, technical and physical safeguards,” and is in compliance with multiple security standards, including those of NIST (National Institute of Standards and Technology) and the federal Office of Management and Budget (OMB).
That draws some intense skepticism from Shahid Buttar, director of grassroots advocacy at the Electronic Frontier Foundation (EFF), who said because he was recruited in 1999 by the State Department and submitted an application, he was one of the 22 million current, former and even potential federal employees, “whose information submitted through the security clearance process ended up in the hands of Chinese intelligence agents” – the result of the notorious 2014 Office of Personnel Management breach.
“The relatively unbounded information that DOJ seeks for the Insider Threat system is not only overbroad, but also creates unnecessary security risks given its tremendous sensitivity,” he said.
Still, in response to EPIC saying that those whose personal information is collected ought to be able to have access to it and amend things that are incorrect, the DOJ said doing so:
… could compromise or lead to the compromise of information classified to protect national security; disclose information that would constitute an unwarranted invasion of another’s personal privacy; reveal a sensitive investigative or intelligence technique; disclose or lead to disclosure of information that would allow a subject to avoid detection or apprehension; or constitute a potential danger to the health or safety of law enforcement personnel, confidential sources, or witnesses.
The DOJ, noting that its data collection is, “for authorized law enforcement and intelligence purposes,” said it “follows lawful, vetted investigative practices and procedures.”
It claimed that it, “takes seriously its obligations to protect the privacy of Americans,” and said it might even waive one or more of the exemptions on occasion. But, of course, the decision to do that would be, “in its sole discretion” – a phrase that appears several times in the document.
Along with EPIC, other privacy advocates like Buttar say “final rules” like this make the DOJ essentially an unaccountable law unto itself.
Buttar suggested that government collection of data on “insiders” is as much, or more, about protecting itself as it is about protecting the nation:
“The Insider Threat program is itself a threat to the national security of the United States, by insulating from public accountability executive agencies that have repeatedly violated their constitutional and statutory limits,” he said. “Whistleblowers are conscientious public servants who advance the public interest by revealing fraud, waste, and abuse. They are heroes, not threats.”
Those arguments have obviously not swayed the DOJ. But that doesn’t mean privacy advocates are entirely out of options.
Final rules can be challenged through “judicial review” – a lawsuit.
And EPIC president Marc Rotenberg said Congress, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Chief Privacy Officer (CPO) for the DOJ all have some oversight authority for enforcement of the Privacy Act and reviewing government agency surveillance.
“EPIC has frequently written to Congress, PCLOB, and agency CPOs about similar issues,” he said. “And we will now add the DOJ Insider Threat database to our list of programs that we expect officials charged with oversight of the DOJ to investigate.”Follow @NakedSecurity