DHS Panel Seeks Review of Border Search, REAL ID, Other Programs
REAL ID and similar identification cards still pose privacy problems, and so do border searches and seizures of digital information, the Data Privacy and Integrity Advisory Committee of the Department of Homeland Security told Secretary Janet Napolitano and acting Chief Privacy Officer John Kropf in a letter completed Tuesday. The letter outlines recommendations on central privacy matters for the new administration to review.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The committee made recommendations about REAL ID in 2007, it said, but the final rule still doesn’t “fully address privacy and data security.” States must leave their residents’ personal information at the mercy of the weakest protections among the states, the letter said. The rule should be reviewed, since it hasn’t taken effect, and “the rule’s provision allowing for the placement of unencrypted personal information in the machine-readable zone, which encourages inappropriate data collection and mission creep, should be reviewed and considered for revision,” the letter said.
The committee added a notation about passport cards and enhanced drivers’ licenses raising similar problems and concerns. Jim Harper, the director of information policy studies at the Cato Institute, pressed for this broadening of the letter by proposing the addition of a fuller expression of concern that concluded that the programs “should be reviewed carefully in light of their policy and data security consequences.” Others, however, wondered whether the additions weren’t clear enough in explaining the problem, were outside of DHS’ scope, or weren’t worthwhile to raise because the passport cards and enhanced drivers’ licenses are already being issued. Harper said the enhanced drivers’ licenses are a DHS product and the passport cards, though issued by the State Department, are used extensively by DHS. He cited a video that demonstrates how easily someone can illicitly pick up information from the radio-frequency identification cards embedded in enhanced identification - allowing for tracking. “Just because it’s up and running doesn’t mean we shouldn’t be telling them what they're running into,” he said. Howard Beales, an associate professor of strategic management and public policy at George Washington University, suggested the committee consider the matter at its next meeting. But ultimately the committee agreed to add a line to the REAL ID recommendation noting the similar problems and concerns.
The letter also recommends that DHS invest in research about and development of applications and technologies to facilitate privacy. Lance Hoffman, computer science professor at George Washington University, said the letter should emphasize the importance of developing a research agenda so funding is based on a plan, rather than who asks for money first or loudest. The letter says the research agenda should be developed with help from others, such as academics and businesspeople.
The privacy office and privacy officers also feature in the letter. The committee recommended that every division within DHS have its own privacy officer, reporting to the head of the division. The letter cites Customs and Border Protection, the National Protection and Programs Directorate, the Office of Intelligence and Analysis, the U.S. Coast Guard and the U.S. Secret Service as agencies that should have their own privacy officers.
Further, the DHS privacy office shouldn’t merge with the Office for Civil Rights and Civil Liberties, the letter says. Although the committee debated whether to include this recommendation, since discussion of a merger seems to have died down, it decided to keep the recommendation because the question keeps coming back. “We've heard about this issue rearing its head, I think, time and time again … I'd like to see us say something publicly about the fact we'd like to see the two offices remain independent,” said Lisa Sotto, head of the privacy and information management practice at Hunton & Williams.
The letter recommends review of border searches and seizures of stored digital information. Though there may be legal authority for border searches, “there is a significant difference between looking at paper documents and searching through the volume of digital information that can be carried by travelers,” the letter says. “The Privacy Office should have a role in reviewing current policies and practices for searches and seizures of digital information and developing guidelines to integrate privacy protections into these processes.”
Other recommendations include a department-wide effort for a rigorous approach to data integrity; reduction in fraud vulnerabilities in the E-Verify system before it’s expanded; the development of best practices, with consultation from the privacy office, for credentialing programs so they're interoperable and consistent; and a holistic approach to data governance that includes regular communication and cooperation between the chief information security officer and the chief privacy officer.