FBI’s New Guidelines Further Loosen Constraints on Monitoring
The New York Times‘s Charlie Savage reports that the FBI is preparing to release a new Domestic Investigations and Operations Guide (DIOG), further relaxing the rules governing the Bureau’s investigation of Americans who are not suspected of any wrongdoing.
This comes just three years after the last major revision of FBI manual, which empowered agents to employ a broad range of investigative techniques in exploratory “assessments” of citizens or domestic groups, even in the absence of allegations or evidence of wrongdoing, which are needed to open an “investigation.” The FBI assured Congress that it would conduct intensive training, and test agents to ensure that they understood the limits of the new authority—but the Inspector General found irregularities suggestive of widespread cheating on those tests.
Agents can already do quite a bit even without opening an “assessment”: They can consult the government’s own massive (and ever-growing) databases, or search the public Internet for “open source” intelligence. If, however, they want to start digging through state and local law enforcement records, or plumb the vast quantities of information held by commercial data aggregators like LexisNexis or Acxiom, they currently do have to open an assessment. Again, that doesn’t mean they’ve got to have evidence—or even an allegation—that their target is doing anything illegal, but it does mean they’ve got to create a paper trail and identify a legitimate purpose for their inquiries. That’s not much of a limitation, to be sure, but it does provide a strong deterrent to casual misuse of those databases for personal reasons. That paper trail means an agent who might be tempted to use government resources for personal ends—to check up on an ex or a new neighbor—has good reason to think twice.
Removing that check means there will be a lot more digging around in databases without any formal record of why. Even though most of those searches will be legitimate, that makes the abuses more likely to get lost in the crowd. Indeed, a series of reports by the Inspector General’s Office finding “widespread and serious misuse” of National Security Letters, noted that lax recordkeeping made it extremely difficult to accurately gauge the seriousness of the abuses or their true extent—and, of course, to hold the responsible parties accountable. Moreover, the most recent of those reports strongly suggests that agents engaged in illegal use of so-called “exigent letters” resisted the introduction of new records systems precisely because they knew (or at least suspected) their methods weren’t quite kosher.
The new rules will also permit agents to rifle through a person’s garbage when conducting an “assessment” of someone they’d like to recruit as an informant or mole. The reason, according to the Times, is that “they want the ability to use information found in a subject’s trash to put pressure on that person to assist the government in the investigation of others.” Not keen into being dragooned into FBI service? Hope you don’t have anything embarrassing in your dumpster! Physical surveillance squads can only be assigned to a target once, for a limited time, in the course of an assessment under the current rules—that limit, too, falls by the wayside in the revised DIOG.
The Bureau characterizes the latest round of changes as “tweaks” to the most recent revisions. That probably understates the significance of some of the changes, but one reason it’s worrying to see another bundle of revisions so soon after the last overhaul is precisely that it’s awfully easy to slip a big aggregate change under the radar by breaking it up into a series of “tweaks.”
We’ve seen such a move already with respect to National Security Letters, which enable access to a wide array of sensitive financial, phone, and Internet records without a court order—as long as the information is deemed relevant to an “authorized investigation.” When Congress massively expanded the scope of these tools under the USA Patriot Act, legislators understood that to mean full investigations, which must be based on “specific facts” suggesting that a crime is being committed or that a threat to national security exists. Just two years later, the Attorney General’s guidelines were quietly changed to permit the use of NSLs during “preliminary” investigations, which need not meet that standard. Soon, more than half of the NSLs issued each year were used for such preliminary inquiries (though they aren’t available for mere “assessments”… yet).
The FBI, of course, prefers to emphasize all the restrictions that remain in place. We’ll probably have to wait a year or two to see which of those get “tweaked” away next.
Stop ‘n’ Frisk Databases
Via Adam Serwer, New York governor David A. Paterson is expected to sign a bill today doing away with data collection on people the police stop and question, but who have done nothing wrong.
The Transportation Security Adminstration’s “SPOT” program—recently the subject of a scathing Government Accountability Office critique—does similar data collection about innocent people.
From late May 2004 through August 2008, “behavior detection officers” referred 152,000 travelers to secondary inspection at airports. Of those, TSA agents referred 14,000 people to law enforcement, which resulted in approximately 1,100 arrests. None had links to terrorism or any threat to aviation.
The data TSA collects “when observed behaviors exceed certain thresholds”—that is, when a traveler garners TSA suspicion—includes:
- first, middle, and last names
- aliases and nicknames
- home and business addresses and phone numbers
- employer information
- identification numbers such as Social Security Number, drivers license number or passport number
- date and place of birth
- languages spoken
- nationality
- age
- sex
- race
- height and weight
- eye color
- hair color, style and length
- facial hair, scars, tattoos and piercings, clothing (including colors and patterns) and eyewear
- purpose for travel and contact information
- photographs of any prohibited items, associated carry-on bags, and boarding documents
- identifying information for traveling companion.
Would PASS ID Really Save States Money?
The proposed PASS ID Act is a national ID just like REAL ID, and it threatens privacy just as much. Some argue that a national ID under PASS ID should be palatable, though, because it reduces costs to states.
But savings to states under PASS ID are not at all clear. Let’s take a look at the costs of creating a U.S. national ID.
The REAL ID Act, passed in May 2005, required states to begin implementing a national ID system within three years. In regulations it proposed in March 2007, the Department of Homeland Security extended that draconian deadline. States would have five years, starting in May 2008, to move all driver’s license and ID card holders into REAL ID-compliant cards.
The Department of Homeland Security estimated the costs for this project at $17.2 billion dollars (net present value, 7% discount). Costs to individuals came it at nearly $6 billion – mostly in wasted time. Americans would spend more than 250 million hours filling out forms, finding birth certificates and Social Security cards, and waiting in line at the DMV.
The bulk of the costs fell on state governments, though: nearly $11 billion dollars. The top three expenditures were $5.25 billion for customer service at DMVs, $4 billion for card production, and $1.1 billion for data systems and IT. Getting hundreds of millions of people through DMVs and issuing them new cards in such a short time was the bulk of the cost.
To drive down the cost estimate, DHS pushed the implementation schedule way back. In its final rule of January 2008, it allowed states a deadline extension to December 31, 2009 just for the asking, and a second extension to May 2011 for meeting certain milestones. Then states would have until the end of 2017 to replace all cards with the national ID card. That’s just under ten years.
Then the DHS decided to assume that only 75% of people would actually get the national ID. (Never mind that whatever benefits from having a national ID drop to near zero if it is not actually “national.”)
The result was a total cost estimate of about $6.85 billion (net present value, 7% discount). Individual citizens would still spend $5.2 billion worth of their time (in undiscounted dollars) on paperwork and waiting at the DMV. But states would spend just $1.5 billion on data and interconnectivity systems; $970 million on customer service; and $953 million on card production and issuance—a total of about $2.4 billion. (All undiscounted—DHS didn’t publish estimates for the final rule the same way it published their estimates for the proposed rule.)
Maybe these cost estimates were still too high. Maybe they weren’t believable. Or maybe Americans’ love of privacy and hatred of a national ID explains it. But the lower cost estimate did not slow the “REAL ID Rebellion.” Given the costs, the complexity, the privacy consequences, and the dubious benefits, states rejected REAL ID.
Enter PASS ID, which supposedly alleviates the costs to states of REAL ID. But would it?
At a Senate hearing last week, not one, but two representatives of the National Governors Association testified in favor of PASS ID, citing their internal estimate that implementing PASS ID would cost states just $2 billion.
But there is reason to doubt that figure. PASS ID is a lot more like REAL ID – the original REAL ID – in the way that most affects costs: the implementation schedule.
Review of the Big REAL ID Hearing
The Senate Homeland Security and Governmental Affairs Committee held a hearing yesterday on the REAL ID Act and the REAL ID revival bill, known as PASS ID. I attended and want to share with you some highlights.
Good News!
Little good came from the hearing, as it was primarily focused on how to get the states and people to accept a national ID. But there is some good news.
First, Department of Homeland Security Secretary Janet Napolitano declared REAL ID dead (much as I did in my testimony two-plus years ago). “DOA” is how she referred to it.
She also said that no state will be in compliance with REAL ID by the current December 31, 2009 deadline. This is important because a lot of people think that states doing anything about the security of drivers’ licenses and ID cards are complying with REAL ID.
Another highlight was the commentary of Senator Roland Burris (D-IL). He is a beleaguered outsider to the Senate and evidently wasn’t coached on the talking points around REAL ID and PASS ID. So he flat out asked why we shouldn’t just have “a national ID.”
Senator Susan Collins’ (R-ME) nervous smile was particularly noticeable when Burris asked why the emperor had no clothes. No one was supposed to talk about national IDs at this hearing! But that’s what PASS ID is.
REAL ID and PASS ID are two versions of the same national ID system, and nobody is denying it. That’s good news because the effort to rebrand REAL ID through PASS ID has failed.
Does the PASS ID Act Protect Privacy?
I’ve written about PASS ID here a couple of times before – first on whether or not it’s a national ID and, second, on the politics of this REAL ID revival bill. Now I’ll take a look at whether it fixes the privacy issues with REAL ID. Privacy is complicated. Buckle up.
The day the bill was introduced, the Center for Democracy and Technology issued a press release giving it a privacy stamp of approval.
“The PASS ID Act addresses most of the major privacy and security concerns with REAL ID,” said Ari Schwartz, Vice-President of CDT. The release cited four ways that PASS ID was an improvement over the bill it’s modeled on, REAL ID.
Interstate Data Sharing?
First, CDT said, PASS ID “[r]emoves the requirement that states ‘provide electronic access’ allowing every other state to search their motor vehicles records.” It’s technically true: The language from REAL ID directly requiring states to share information among themselves came out of PASS ID. But the requirements of the law will cause that information sharing to happen all the same.
Like REAL ID did, PASS ID would require states to confirm that “a person submitting an application for a driver’s license or identification card is terminating or has terminated any driver’s license or identification card” issued by another state.
How do you do that? You check the driver license databases of every other state. Maybe you do this by directly accessing other states’ databases; maybe you do this indirectly, through a “pointer system” or “hub.” But to confirm that you’re talking about the right person, you don’t just compare names. You compare names, addresses, pictures, and other biometrics.
Social Control as a Profit Center
Here’s an idea that should be killed in the crib: scanning automobiles for up-to-date insurance.
Says Gizmodo (via ars technica and the Chicago Sun-Times):
The system is anticipated to raise yearly earnings “well in excess” of $100 million (possibly even double that figure or more), with InsureNet taking a modest 30% for their services. Of course, all of this cash would be contingent on uninsured drivers actually paying their fines.
There will be thousands more reasons like this put forward for mass public surveillance. The answer should almost always be no because of the accumulations of data about law-abiding citizens such programs would collect in government (and government-contractor) databases.
Congress on Privacy: Schizophrenic or Lagging?
In the same bill that Congress limited the use of whole-body imaging or “strip-search machines” at airports (text of the amendment here), it required the Transportation Security Administration to study using facial and iris recognition to identify people in line for airport security checkpoints (Sec. 242 of House-passed version here).
So glimpses at de-identified bodies are a privacy outrage while massive biometric databases and records of people’s travels are good to go?
Not necessarily. Average people (and members of Congress) understand better what a look at the body is, but they don’t understand as well what biometric tracking and databasing of our movements means. So they’re quick to object to the former and lagging on the latter.
Those of us who understand the privacy consequences of government-deployed facial recognition and tracking must press to educate our less-well-versed fellow Americans.
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
