Data Grab

To protect the public from terrorism and other hazards, the U.S. government mines its vast databases for signs of trouble. Increasingly, the feds are requesting-even demanding-that businesses share their data, too. But such cooperation isn't cheap or easy, and several industries are pushing back to protect their customers' privacy.

Not long after forcing Internet companies to submit search terms, search result URLs, and other information as part of its enforcement of the Child Online Protection Act, the Justice Department is going a step further. Attorney General Alberto Gonzales is now asking the likes of Google, AOL, and Verizon to keep subscriber information and other customer data for at least two years, just in case the government needs it for criminal investigations. Currently, Internet companies are under no obligation to save that data at all.

People want the government to have the data needed to fight crime and terrorism; it's the potential misuse of personally identifiable data-names, addresses, Social Security numbers, Web search histories-that is deeply worrisome.

Just last week, the European Court of Justice ruled that an airline passenger data-sharing agreement between the European Commission and the Department of Homeland Security's Customs and Border Protection division violates European privacy law. The arrangement was crafted in 2004 to keep out terrorists. The two sides have four months to rethink the terms of how data gets shared, at the risk of disrupting trans-Atlantic travel if they don't.

These are only the latest examples of federal harvesting of company data. The National Security Agency is reportedly building a massive database of phone call records provided by AT&T and other telecom companies. Trucking companies share electronic manifests as their rigs cross into the United States, an information exchange that will become mandatory later this year. Financial firms report suspicious transactions. Subpoenas are used to get data from individual companies.

The feds have been mostly successful in getting businesses to cooperate. Following the 9/11 terrorist attacks, the government looked to transportation companies, especially airlines, to hand over information that can be used to match passengers and transportation workers with names on terrorist watch lists. However, while they initially complied with Homeland Security projects such as the Computer Assisted Passenger Pre-Screening System and Secure Flight, some airlines have said they're uneasy with the government's ability to safeguard their data from loss or misuse.

Privacy advocates worry about the volume of data being collected (millions of records and many terabytes of data), the length of time it's stored, and the level of detail. Under the existing agreement, participating European airlines provide Customs and Border Protection with up to 34 bits of information on each passenger, ranging from name and method of payment to meal requests. Homeland Security can keep the data up to 3-1/2 years. Those terms are now subject to renegotiation before the Sept. 30 deadline set by the EC court.

Yet even as one data-sharing arrangement comes under scrutiny, another arises. The U.S. Centers for Disease Control and Prevention has requested that international airlines store passenger emergency contact information for six months in the event of a bird flu outbreak. "This requires still more manpower and more costs," says David Henderson, manager of information for the Association of European Airlines.

SUBPOENA POWER

Government requests for data come in the form of a subpoena or a "national security letter." A subpoena must be approved by a judge and can be fought in court if it's too vague or burdensome to a business, as Google did earlier this year. A national security letter is a special type of subpoena issued by the FBI without the need for a judge's signature, entitling the FBI to bank, insurance, phone, ISP, and credit report records (but not medical records). Unlike a subpoena, a company receiving a national security letter cannot discuss the fact that it has received one.

The FBI appears to be liberal in its use of national security letters. The Washington Post reported last year that the government issues 30,000 such letters annually. A Justice Department spokesman said that's inaccurate but declined to provide a better estimate. The Justice Department doesn't track the number of subpoenas issued by its own agencies or by the 94 U.S. attorneys' offices.

Nor does Justice monitor the costs those subpoenas impose on recipients, which can be considerable. At AOL, a dozen employees handle about 12,000 law enforcement requests a year, a spokesman says. About one in five of those requests results in some form of information sharing.

Meantime, the ground rules are changing. Presaging the U.S. push for mandated electronic archives from ISPs, the European Parliament and Council in December approved rules that require telecom companies to retain phone and Internet records for two years for anti-terror investigations. Microsoft, in a statement, says it's reviewing its internal data-retention policies "in light of European Union data-retention regulations."

Businesses sometimes resist government requests for archived data and other information. Google did and, following a court ruling, ended up providing less data than the Justice Department originally requested. "What the ruling means is that neither the government nor anyone else has carte blanche when demanding data from Internet companies," Google associate general counsel Nicole Wong writes on the company blog.

Brett Glass, owner of Lariat.net, a small ISP in Laramie, Wyo., says his company has never been asked for customer data and would put up a fight if it were. "If the federal government-be it Congress, the FCC, or an executive branch agency-were to mandate that we supply it, we'd consider filing suit or joining a suit to void such a request," he says. "We owe it to our users."

For companies that do share data, there can be technical challenges, especially if they don't have a central data warehouse, consultant Richard Winter says. Government agencies might seek records scattered across IT systems that are difficult to pull together. Many companies have a hard enough time sifting disparate data for their own use, Winters notes.

Data sharing is a touchy subject. EarthLink, Microsoft, and Visa declined to discuss it. Google admits to receiving government subpoenas, but it won't say how many.

DISARRAY AND DISTRUST

Homeland Security's agreement with the EC is spelled out far better than its Secure Flight program. The Transportation Security Administration admitted in October that Secure Flight's plan to integrate real-time transactional data, such as passengers with boarding passes, with other information, such as terrorist watch lists, would be difficult to implement without major upgrades to airline IT systems.

Some airlines have been publicly chastised for not doing more to protect customer privacy. JetBlue drew criticism when it was revealed in 2003 that it allowed Acxiom, acting as a contractor, to transfer 5 million records for more than 1.5 million passengers to Torch Concepts, which was developing a data mining tool to analyze the characteristics of people seeking access to military installations. JetBlue had agreed to participate after a written request from the TSA. JetBlue CEO David Neeleman later acknowledged that the data transfer was a violation of his company's privacy policy.

With safety at issue, the airline industry understands the need to participate in government-mandated data sharing. But industry officials in the States and Europe are urging the U.S. government to better organize its efforts. Airlines don't want to be subject to both the TSA Secure Flight program and Customs and Border Protection's Advanced Passenger Information program, which requires that passenger information be communicated to the government within 15 minutes of a flight's departure to the United States.

"Both should be designed to function through coordinated information feeds and avoid unnecessary duplication of communications, programming, and information requirements," James May, CEO of the Air Transport Association, and Ulrich Schulte-Strathaus, secretary general of the Association of European Airlines, wrote in an October letter to Homeland Security Secretary Michael Chertoff. May and Schulte-Strathaus requested that Secure Flight and Advanced Passenger Information supersede the government's no-fly lists and that the amount of redundant data required from the airlines be reduced.

Financial services companies are likewise no strangers to handing data to the government, and the hunt for terrorist financing has only added to the burden. Suspicious Activity Report filings to the Treasury Department's Financial Crimes Enforcement Network have increased every year since they were first required in 1996, with 919,000 such reports sent last year alone.

Banks have expressed anxiety over Suspicious Activity Reports, especially in light of the Patriot Act, which punishes noncompliant companies with fines of up to $1 million a day or, in the extreme, by taking away bank charters. "It's definitely changed the compliance environment for banks since 9/11," says Kelly Etherington, corporate compliance manager for Zions Bancorp, which operates more than 450 branches and offices. Like other banks, Zions has always reported suspicious activity, but it finds law enforcement requests are up in the last few years.

Suspicious Activity Reports "create a very significant burden" on financial services companies without any clear benefits to them, says John Carlson, a director with BITS, a consortium of the 100 largest U.S. financial services companies. Given the industry's heavy regulations and what Carlson calls its culture of protecting customer privacy, he says financial services companies generally wouldn't provide data to a government agency unless required to by law or a court-issued document.

BIGGEST FEARS

What might government agencies do with all the business and Internet data they're collecting? Some skeptics worry about a single massive database where all kinds of information gets crunched together, providing a complete picture of Joe Citizen. That seems a remote possibility, though researchers at the Defense Advanced Research Projects Agency did work on a system several years ago that would have mined data in that way to identify terrorists. That program, dubbed Total Information Awareness, was scrapped more than two years ago under public pressure.

A different but related concern is that data collected for one purpose could get used for another. USA Today last week reported that the FBI plans to use its database of DNA evidence, collected from convicted criminals and some others upon arrest, to help identify thousands of dead people whose identities aren't known.

There's also the concern that once the feds gets their hands on data, they can't be trusted to secure it. Look no further than last month's news of a stolen laptop and external hard drive containing data on 26.5 million military veterans and family members. The Veterans Affairs Department has been fingered for its lack of security before, but it's not the only agency with low marks. Security becomes even more of an issue as more data accumulates and gets retained longer.

Encryption is one solution, but encrypted data can't be searched easily and is thus less useful to the government. Nothing, it seems, about data sharing between businesses and government is destined to be easy. -With Thomas Claburn, J. Nicholas Hoover, and Rick Whiting

Write to Larry Greenemeier at lgreenem@cmp.com.

Visit Government Enterprise: governmententerprise.com

http://informationweek.com/

Copyright 2006 CMP Media LLC. All rights reserved.

>

Loading