I spent yesterday as a ‘special government employee’ — for no salary. This was the start of my two-year term as a member of the DHS Data Privacy and Integrity Advisory Committee (the DPIAC — pronounced “dippie-ack”) — some two years after being asked to apply — and I attended my first meeting today in Washington DC, which was a public meeting of the committee. Advisory committees are a pretty mixed bag in DC, but the people I knew who were already involved in the process assured me that the committee actually helps influence outcomes, if only by helping build a record for things to happen. There’s a nice short description of the committee at the IT Law Wiki and the DPIAC Charter is online too.
The committee’s primary contact in DHS is Mary Ellen Callahan, the Chief Privacy Officer (CPO) for the DHS, and she opened the meeting. She noted that the DPIAC published a Federal Register notice at 76 Fed Reg 39406 (July 6, 2011) asking for new members, for two-year terms ending 2014; applications are due August 15, 2011. Be advised that membership requires a Secret clearance, and filling out the forms is a royal pain if you have done any substantial foreign travel, or have any recurring foreign contacts (I fit both descriptions).
The meeting was ably chaired by Richard Purcell, who among other things is the Chair of TRUSTe, and was formerly CPO of Microsoft. In addition to the committee members, there were about 45 people in the audience, about half of whom, I was told, were either from DHS or from privacy offices in other agencies.
The first item on the agenda was an address by Jane Holl Lute, the Deputy Secretary of the DHS, who spoke about International Information Sharing Programs — ie data sharing with the EU over PNR. (Although she was extraordinarily eloquent, parts of it made me want to channel Ed Hasbrouck.)
Deputy Secretary Lute framed ‘data sharing’ as being in the service of ‘security’. But, she said the EU said, we don’t want security at the expense of our rights. To which she says she replied that ‘security is one of our rights’. (This seemed to me to leave out the possibility of there being costs of information sharing.) “We are trying to build a safe secure resilient place where the American way of life can thrive.” In 10 years of dealing with PNR, she said, “we haven’t had a single privacy incident.” (A ‘privacy incident’, it later transpired, is measured by the OMB definition — an unauthorized access or disclosure, i.e. a data breach. This doesn’t of course tell us anything about what is going on with the authorized uses.) “We didn’t want to re-open negotiations…we had a perfectly functioning agreement…it just wasn’t as good as some voices in Europe thought it could be in terms of privacy principles.”
In the Q&A I asked what effect recent work on the failure of de-anonymization would have on the work of her department. Deputy Sec Lute’s long and elegant reply boiled down to saying that the nature of the beast is that law and regulation are always going to lag the technology, which I found pragmatic but unsatisfying.
Another panel member asked what the policy was regarding other governments copying the US policies and doing to US citizens what we do to them — getting US person data and using it. Again the answer was the elegant form of cagey, although DepSec Lute did mention that the law enforcement community had told DHS that it needed to keep all data that it thought might be relevant to possible international conspiracy for 15 years. (I wondered what fraction of the data collected on foreign travelers that would be?)
Mary Ellen Callahan, the DHS CPO, spoke second, and provided an acronym-rich account of her department’s recent work. The office is certainly busy, both on projects it seems to have initiated to ensure that PII is handled carefully within DHS, and on projects that arise out of data sharing agreements, e.g. five new information sharing and access agreements (ISAAs) with the National Counterterrorism Center (NCTC) — oh joy. I suspect that rather than mis-transcribing this rapid-fire account, I’ll have to wait for the meeting minutes (there were verbatim transcripts of previous meetings, but we were told these are being discontinued due to the budget cuts; the Federal Advisory Committee Act (FACA) only requires minutes, so that’s what we’ll have henceforth).
CPO Callahan also does FOIA for DHS, and it seems the DHS is the government leader in FOIA requests, having already gotten over 100,000 this year (the Dept of Defense had only 75,000 last year). 75% of the FOIA traffic is CIS — immigration related. Part of the increase is due to the fact that response time is better, so it encourages people to file. Some of the bulk is also from communities worried about immigration reform and/or enforcement activities.
Emily Andrew, Senior Privacy Officer, National Protection and Programs Directorate (NPPD), DHS spoke third, and described an office that had been a team of one when she started there, but has been growing rapidly.
Current DPIAC members are: Chair Richard V. Purcell (Corporate Privacy Group), Members: Joseph Alhadeff (Oracle), Ana Anton (NC State Computer Science), Ramon Barquin (Barquin Int’l), J. Howard Beales III (GWU Management & Public Policy), Renard Francois (Caterpillar Inc.), Yours Truly, Joanna L. Grama (Purdue IT), David Hoffman (Intel), Lance Hoffman (GWU Computer Science), Joanne McNabb (Cal Dept. of Consumer Affairs), Lisa S. Nelson (U. Pitt, Public & Int’l Affairs), Greg Nojeim (CDT), Charles Palmer (IBM), Lydia Parnes (Wilson Sonsini & ex-FTC), Christopher Pierson (Citizens Financial Group/RBS), Jules Polonetsky (Future of Privacy Forum), John Sabo (CA Technologies), Ho Sik Shin (Millennial Media, Inc), Lisa J. Sotto (Hunton & Williams), Barry Steinhardt (Privacy International, ex-ACLU).
It seems as if the DPIAC will have a busy fall. All of its work product, and all discussions other than subcommittee deliberations, are public documents, presented for discussion in public meetings, so I intend to at least blog pointers to them here as they come onstream.
Thanks for the meeting report, and for the mention and link.
If you want to know what I would have said (and did say) to Ms. Callahan of DHS about data “sharing” between the EU and DHS, there’s video of a panel discussion at the CFP conference last month with her, me, and others, moderated by your fellow DPIAC member Barry Steinhardt, here:
I won’t repeat here the points I made in that panel. Ms. Callahan had to leave early, so I wasn’t able to get answers to many of my questions.
As for the proposed 15 year retention period for personal data transferred to DHS, which didn’t come up in the panel at CFP, keep in mind that this is only for the *copy* of the data held by the DHS. It’s actually completely irrelevant, since (1) PNR data is stored in (in most cases), or accessible to (in essentially all cases), reservation systems with servers or offices in the USA, (2) PNR data transferred to those commercial entities in the USA is subject to no US privacy law whatsoever, and can be (and is) kept forever by the CRSs and freely passed on to the US or any other government or other entity worldwide, (3) CRSs have no geographic controls on PNR retrieval and keep no access logs of which PNRs have been retrieved, by which system users (including DHS users with CRS terminal emulators), or from where in the world, and (4) even if a CRS declined to “voluntarily” give DHS access to its PNR archives, DHS could get a new copy of them, in secret, at any time (even long after 15 years and after the DHS had deleted its earlier copy) with an NSL or under Patriot Act provisions.
Nothing said about allegations in Wikileaks that the US was horsetrading Polish support for PNR with the visa waiver programme, then? Seriously, wonderful to hear that DHS is listening to you, “Voice of Reason” (with all due respect to deceased Woodrow Wyatt of the deceased NOTW, whose journalists and spies stole the book on data breaches).