Privacy Progress

I am pleased to announce the publication of the fourth DHS Privacy Office Annual Report to Congress, which covers the reporting period from July 2007 – July 2008. It is the office’s fourth annual report and the third issued under my tenure as Chief Privacy Officer.

As we predicted in our 2007 report, this year afforded the Department a “significant opportunity” to expand the presence of Privacy Officers and Privacy Points of Contact (PPOCs) within DHS components. We’ve added Privacy Officers in USCIS, ICE, and E-Verify to name a few components and programs. I am proud of our achievements during the last year, and there are a few more I would like to highlight.

The Office continues to grow to meet increasing responsibilities at the Department, doubling in size from Fiscal Year (FY) 2007 to FY08, increasing from 16 positions to 32, and from a budget of $4.55 million to one of $5.5 million. At the close of the reporting period, the Office was recruiting and hiring additional staff and continues to promote growth in component privacy programs as a critical means of addressing privacy requirements throughout the Department.

We are reviewing over 200 legacy agency Privacy Act Systems of Records Notices (SORN) and retiring or revising them, as necessary. This task supports Secretary Chertoff’s priority goal # 5: Strengthen and Unify DHS Operations and Management by utilizing the already established resources in the PPOC network, and communication with component Privacy Officers, program managers, and system owners to streamline and consolidate legacy SORNs. Additionally, this effort supports the Department’s objective to become "One-DHS" by using the resources of every DHS component to streamline processes and ensure that DHS complies with the Privacy Act. It is critical that the Department continues to uphold public trust in daily operations to secure the homeland while protecting the privacy the public’s personal information.

Additional activities undertaken by my office this year include

• New Congressional requirements to build the Department privacy processes
• Increased outreach and collaboration within the Department and with the intelligence community, federal, state, local, and international communities, Congress, and the public
• Increased responsibilities and authorities of the Chief Privacy Officer and the Department as defined by the Implementing Recommendations of the 9/11 Commission Act of 2007
• DHS Privacy Office support of the State and Local Fusion Centers
• Management of privacy complaints received by the Department
• The first year of implementing the Privacy Incident Handling Guidance (PIHG), and privacy incident management
• Expanded focus on technology to protect the homeland
• Expansion of required and optional privacy training, including targeted workshops and training as needed throughout the Department.

The privacy professionals in my office work hard every day to build privacy protections into the activities of the Department. It has been a pleasure working with these individuals over the past two years. Together, we have strengthened the culture of privacy throughout the Department. I encourage you to read our report.

Hugo Teufel
Chief Privacy Officer

Why the Country Needs the National Applications Office

It is unfortunate that recent articles and blog postings have chosen to spend so much time complaining about the past instead of the critical and substantive benefits the National Applications Office (NAO) will provide the American people in the future. We need to move forward, get the NAO fully operational, and demonstrate how this 21st century capability will greatly aid the work of our scientists, our nation’s first responders, and others charged with protecting the United States.

The NAO will act as a clearinghouse for available technologies such as overhead imagery to better serve the scientific, homeland security and, eventually, law enforcement communities, with a solid framework to protect privacy, civil rights and civil liberties. It is a good-government solution to assist those users, and there is nothing secretive or mysterious about its mission. In fact, the scientific work of the NAO has been done for more than 30 years by the Civil Applications Committee (CAC), which itself will become part of the NAO. But the CAC model is 30 years old, and the world we live in is far different and, in many ways, more complex than when the CAC was first formed.

In 2005, the Office of the Director of National Intelligence and the U.S. Geological Survey, which chairs the CAC, chartered a blue-ribbon commission to review how the CAC facilitated, managed and oversaw capabilities and resources of the Intelligence Community for appropriate domestic applications. The commission concluded that there is “an urgent need for action because opportunities to better protect the nation are being missed.” It recommended the creation of an entity “to provide a focal point and act as a facilitator to [overhead imagery and other resources] on behalf of civil, homeland security and law enforcement users.” The Commission’s report is available in its entirety to the public. This was quite a public birth of the NAO.

The NAO will provide an excellent tool to help keep all Americans secure. Examples of how NAO will use overhead imagery for appropriate domestic purposes include:

• Saving lives through support to forest firefighters, as we saw with the wild fires in California last year and again this year
• Preparing for National Special Security Events such as this year’s political party conventions
• Assisting preparedness, response and recovery efforts of catastrophic flooding
• Helping to secure our nation’s borders
• Supporting the U.S. Coast Guard in its search and rescue operations and oil spill response
• Assessing the readiness in advance of a natural disaster
• Assessing damage following natural disasters such as hurricanes, earthquakes and floods
• Geospatial mapping
• Preparing environmental studies relating to geologic features, forestation, studies of wildlife, and other environmental research.

NAO will facilitate access only to geospatial intelligence (e.g., overhead imagery and mapping), measurement and signature intelligence (e.g., seismic acoustic sensors used to identify seismic activity such as earthquakes and tsunamis), and electronic intelligence (e.g., using emitters to rescue ships at sea during Hurricane Katrina). NAO will not accept requests to use capabilities to intercept verbal communications, whether written or oral.

I am not sure what some commentators meant when they said the NAO lacks for champions. All they needed to do was ask a homeowner whose home was saved by the kind of overhead imagery NAO will be able to provide firefighters. Or they could have spoken to me, who has served this country as an intelligence officer for 50 years, or to my bosses, Department of Homeland Security Secretary Michael Chertoff and Director of National Intelligence Michael McConnell. The homeowner or any one of us in government service would have been happy to explain how the NAO will benefit the American people.

The Department of Homeland Security, with the assistance of a number of partner agencies, has designed the NAO with an extraordinary amount of scrutiny and oversight to ensure that the civil liberties, civil rights and privacy of Americans are protected. A National Applications Executive Council will oversee the NAO. It will be chaired by the Deputy Secretary of DHS, the Deputy Secretary of Interior, and the Principal Deputy Director of National Intelligence, and aided by their policy, legal, privacy, and civil liberties and civil rights advisers.

Both the Privacy and Civil Rights and Civil Liberties offices of DHS thoroughly reviewed the NAO Charter and other plans, and completed privacy and civil liberties impact assessments. In addition, DHS’ Inspector General reviewed the NAO’s privacy stewardship and issued a very favorable report. (download PDF reader)

The NAO will safeguard privacy, civil rights and civil liberties by ensuring that its procedures are in accordance with laws, policies and procedures that protect privacy, civil rights and civil liberties, including:

• The U.S. Constitution
• Executive Order 12333 and the procedures for intelligence community members under that order that have been approved by the Attorney General
• The Posse Comitatus Act
• The Privacy Act of 1974, as amended
• The E-Government Act of 2002, Section 208
• Any other applicable laws, policies or procedures that have the purpose or effect of safeguarding privacy, civil rights, or civil liberties

Because it is a part of DHS, the NAO is subject to compliance oversight by the DHS Inspector General, Chief Privacy Officer, and the Officer for Civil Rights and Civil Liberties. Additional oversight will be provided by the Civil Liberties Protection Officer for the Office of the Director of National Intelligence.

Secretary Chertoff and I have fully and frequently briefed all the relevant committees of Congress, and remain committed to answering any further questions they may have. We look forward to the completion of the Government Accountability Office’s review of the Secretary’s certification that privacy and civil rights/civil liberties are addressed by NAO, so that the NAO can begin its civilian and homeland security applications.

I work every day to help keep the homeland safe. The NAO, with the privacy, civil rights, and civil liberties built in as described above, is not only good government but needed now to help the nation respond and recover from all disasters – natural or man-made.

Charlie Allen
Under Secretary for Intelligence & Analysis

Privacy Report

Perhaps no other condition is more important between a government and its citizens than trust. That trust is earned through consistently being open and honest—in short, being transparent. Indeed, the government’s work in the privacy field is especially built upon a foundation of transparency.

That’s why I’m pleased to announce that the Department of Homeland Security Privacy Office recently issued its third Annual Report covering July 2006 through July 2007. This report is the centerpiece of our transparency obligation and summarizes how DHS protects the privacy of personally identifiable information.

During this past reporting cycle, my staff and I made significant progress in our development of privacy resources and outreach within the department, as well as externally to other agencies, privacy advocates, and international data protection officials.

As the DHS Chief Privacy Officer, I have worked to build upon the strong privacy foundation established by my predecessor. My focus has been to formalize the processes and operations of this important office to ensure that we can fulfill our statutory requirements and support the Department’s vital mission.

Among our recent accomplishments, we’ve continued to increase internal DHS privacy compliance. Some of our efforts include conducting Privacy Threshold Analyses, Privacy Impact Assessments, and Privacy Act System of Records Notices. We also updated and disseminated our popular DHS Privacy Impact Assessment Guidance for 2007 and conducting tutorial workshops to train federal employees and contractors on the development and use of PIAs.

In response to growing federal attention to privacy issues, DHS has been a leader in issuing specific privacy guidance. We developed privacy documents regarding the use of Social Security numbers, protections afforded to non-U.S. persons, and a privacy incident response plan for the department. Additionally, we’ve implemented an inventory process aimed at reducing the use of social security numbers within the Department.

We are also working closely with our colleagues to ensure that privacy protections are integrated into DHS programs and rulemakings. Through our efforts to increase the transparency of high-profile department initiatives, we have participated in the rulemaking process, and actively sought to address privacy concerns raised by Congress, the privacy community, and the public. In addition, we continue to work with our international partners, expanding both our international outreach, as well as DHS and Federal involvement in international privacy initiatives.

Looking ahead, we see our next Annual Reporting cycle as a period of significant opportunity for the department to expand the presence of Privacy Officers and Privacy Points of Contact within DHS operational components. Our Disclosure and Freedom of Information practice will continue to substantially reduce Freedom of Information Act (FOIA) request backlogs in components and improve the efficiency of the Department’s FOIA process. I encourage you to read our report (PDF).

Our work is far from over, but my dedicated team of privacy professionals is up to the challenge of working in a global environment where appropriate privacy protections are critical to fulfilling the Department’s mission.

Hugo Teufel
Chief Privacy Officer

A Question of Balance

DHS representatives are often asked whether it is true that whatever is done to strengthen security must be at the expense of privacy, as if it were a zero-sum game. As Secretary Chertoff said in Montreal before an international conference of the data privacy community, such a balance is subjective and fails to recognize that privacy can and must be preserved while securing the homeland. Reasonable people want security and privacy, and would prefer not to assign a relative value to each fundamental right.

Moreover, adopting the balance paradigm effectively denies the ability of our leaders and institutions to craft policies that achieve both of these aims. Why assume the tradeoff, when we can adopt policies and employ new technologies that support privacy and security alike?

DHS policy is to uphold both privacy and security, because both are fundamental rights and one positively impacts the other.

Consider for example, the fair-information practice principle of transparency. DHS posts its System of Record Notices and Privacy Impact Assessments on our website. These documents inform the public what personal information the government is collecting; how it will be used and shared; what consent, access and redress rights the individual may have; how the information will be protected; and how compliance with these protections is audited. Privacy is enhanced by revealing what the government is doing, and security is enhanced by DHS supporting systems intended to protect the public.

In his prepared remarks to the Privacy and Civil Liberties Oversight Board on December 5, 2006, Fred Cate, Distinguished Professor and Director of the Center for Applied Cybersecurity Research at Indiana University, noted that he had been “struck by how closely connected privacy and security really are.” The thrust of Cate’s remarks was that good privacy protection not only can help build support for the appropriate use of personal data to enhance security, it can also contribute to making security tools more effective. I agree with Professor Cate. Protecting privacy while protecting the homeland builds public trust in our institutions. I see privacy and security as compatible and supporting partners in our mission to use information effectively to protect the homeland.

Hugo Teufel
Chief Privacy Officer

Privacy And Security

Scott McNealy, Chairman of Sun Microsystems, once said, “Privacy is dead, get over it.” He was referring to the unprecedented ability of people and organizations to access information about any one of us.

Privacy is certainly not dead, but our society must go the second mile to protect it. The question that my Department faces is how to do that in our post-9/11 world where the need for greater security is paramount.

I addressed that question today at a conference of privacy commissioners in Montreal. As I noted, part of the answer is obvious. The same terrorist organizations which plot to attack us want to wipe out our liberty, and we don’t intend to make their job any easier by doing it ourselves.

We view privacy as a fundamental human right and that’s why preserving it is an integral part of our mission. Ours is the first federal department with a mandated Chief Privacy Officer. Both here and abroad, DHS is highly acclaimed for its efforts to ensure that our programs are fully vetted for potential privacy violations.

But what about the tension between privacy and security? Is it true that whatever we do to strengthen our security must be at the expense of privacy?

It is not. Our efforts to secure our homeland need not harm our privacy. Rather, in many cases they can actually strengthen it.

A great example is our efforts to create secure identification. By creating secure driver’s licenses and travel documents, we can reduce the egregious privacy violation of identity theft.

Another example is the way we screen the estimated 80 million travelers who fly here annually from other countries. Our strategy is to collect a little information about each visitor--just enough to help us decide who might be a potential security risk. When compared to the alternatives–-searching everyone, searching no one, or the hit-or-miss strategy of random searches--we’ve found that this is the best way to maximize security while at the same time maximizing privacy.

Privacy and security are fundamental rights and we will continue to defend both in our post-9/11 world.

Michael Chertoff