Data Grab

The feds want data for security and crime fighting, and businesses have what they need. The trick is knowing what to share and where to draw the line.

To protect the public from terrorism and other hazards, the U.S. government mines its vast databases for signs of trouble. Increasingly, the feds are requesting-even demanding-that businesses share their data, too. But such cooperation isn't cheap or easy, and several industries are pushing back to protect their customers' privacy.

Not long after forcing Internet companies to submit search terms, search result URLs, and other information as part of its enforcement of the Child Online Protection Act, the Justice Department is going a step further. Attorney General Alberto Gonzales is now asking the likes of Google, AOL, and Verizon to keep subscriber information and other customer data for at least two years, just in case the government needs it for criminal investigations. Currently, Internet companies are under no obligation to save that data at all.

People want the government to have the data needed to fight crime and terrorism; it's the potential misuse of personally identifiable data-names, addresses, Social Security numbers, Web search histories-that is deeply worrisome.

Just last week, the European Court of Justice ruled that an airline passenger data-sharing agreement between the European Commission and the Department of Homeland Security's Customs and Border Protection division violates European privacy law. The arrangement was crafted in 2004 to keep out terrorists. The two sides have four months to rethink the terms of how data gets shared, at the risk of disrupting trans-Atlantic travel if they don't.

These are only the latest examples of federal harvesting of company data. The National Security Agency is reportedly building a massive database of phone call records provided by AT&T and other telecom companies. Trucking companies share electronic manifests as their rigs cross into the United States, an information exchange that will become mandatory later this year. Financial firms report suspicious transactions. Subpoenas are used to get data from individual companies.

The feds have been mostly successful in getting businesses to cooperate. Following the 9/11 terrorist attacks, the government looked to transportation companies, especially airlines, to hand over information that can be used to match passengers and transportation workers with names on terrorist watch lists. However, while they initially complied with Homeland Security projects such as the Computer Assisted Passenger Pre-Screening System and Secure Flight, some airlines have said they're uneasy with the government's ability to safeguard their data from loss or misuse.

Privacy advocates worry about the volume of data being collected (millions of records and many terabytes of data), the length of time it's stored, and the level of detail. Under the existing agreement, participating European airlines provide Customs and Border Protection with up to 34 bits of information on each passenger, ranging from name and method of payment to meal requests. Homeland Security can keep the data up to 3-1/2 years. Those terms are now subject to renegotiation before the Sept. 30 deadline set by the EC court.

Yet even as one data-sharing arrangement comes under scrutiny, another arises. The U.S. Centers for Disease Control and Prevention has requested that international airlines store passenger emergency contact information for six months in the event of a bird flu outbreak. "This requires still more manpower and more costs," says David Henderson, manager of information for the Association of European Airlines.

This content continues onto the next page...

We Recommend