Online extra: Legal impediments to data sharing
- By Wilson P. Dizard III
- Apr 21, 2003
While the administration plans to assign intelligence analysis activities to the Terrorist Threat Integration Center, the Homeland Security Department retains responsibility for gathering information about vulnerabilities in the nation's infrastructure.
And that won't be particularly easy. More than 80 percent of that information is in the hands of industry, which could be reluctant to give it up.
James A. Lewis, a senior fellow and director of technology policy at the Center for Strategic and International Studies in Washington, predicted problems. 'I don't think there has been any change in [industry's] unwillingness to share information about their vulnerabilities,' he said. 'It is a new kind of information gathering.'
Lewis noted that the department's authority to gather information is hazy.
'Normally, if the government is going to collect information, you need either a regulation that says you have a right to collect this information or a warrant. HSD doesn't have either: Show the regulation, show me the warrant - otherwise [industry cooperation] is going to be sporadic,' he said.
As the department is grappling with questions about its authority to gather new information, it also has been sizing up the many restrictions federal law places on using information the government has already gathered.
'We are looking at the legal barriers and legal restraints' to sharing data across systems, said Steve Cooper, Homeland Security's CIO. 'If we find there are constraints, we need to engage in a dialogue' to see if legislative change is necessary.
Among the laws most often cited as restricting the sharing of information among federal databases is the Privacy Act, which appears in 5 U.S. Code section 552a.
It specifies procedures for law enforcement access to personal information. The roots of the law go back to the early 1970s, when Congress moved to squelch proposals to build databases that would gather information about citizens.
'Basically the act says that if an agency maintains a system of records, it has to define how those records can be disclosed. They can only be disclosed, or shared with another agency, for compatible purposes,' Washington privacy consultant and GCN columnist Robert Gellman said.
'The USA Patriot Act didn't amend the Privacy Act,' Gellman noted, referring to counterterrorism legislation passed in October 2001. 'Either the Privacy Act isn't a barrier, or they didn't think of it. The Patriot Act was a law enforcement and intelligence wish list, and the Privacy Act wasn't included.'
Income tax records are protected under the confidentiality provisions of Section 6103 of Title 26 of the U.S. Code, and health records are protected by the Health Insurance Portability and Accountability Act of 1996, but both contain exceptions that allow disclosure for law enforcement purposes. The confidentiality of Social Security records can be breached only for law enforcement purposes, too.
One of the most restrictive laws governs Census Bureau data. Section 9 of Title 13 of the U.S. Code protects for 72 years the confidentiality of all information collected by the bureau, with penalties of up to five years in prison and fines of up to $250,000 for wrongful disclosure.
In response to an inquiry about privacy procedures, a Census spokesman said, 'Unlike any other employee of the federal government, every Census staffer takes a sworn oath to protect the absolute confidentiality of our records.'
Many other legal restrictions on federal information sharing flow from statutes that limit the purposes for which information can be gathered.
Much of the information sharing at Homeland Security will be carried out within its Information Analysis and Infrastructure Protection Directorate, which will be led by undersecretary-designate Robert P. Liscouski, director of information assurance for the Coca-Cola Co.
To coordinate the directorate with other intelligence agencies, the administration plans to have it help set priorities for intelligence gathering, especially with regard to mapping intelligence gathering to infrastructure protection needs.