09-02-2000

TECHNOLOGY: Government: Casting the Widest Net

The federal government has long been the most pervasive collector


of Americans' sensitive personal information. The 1974 Privacy Act, passed
in the wake of the Nixon White House's release of individual Internal
Revenue Ser-


vice and FBI records, restricts the dissemination of personal information
by federal agencies and requires


that when the information is collected, the individual be told of the ways
in which it could be used.


The Privacy Act put in place checks on the transfer of information from
one agency to another. But the law also set up 12 exceptions, including
one that permits law enforcement agencies to obtain records without a
subpoena and another that allows federal agencies to share any information
for what they designate as "routine uses" after publishing in
the Federal Register a statement of their intent to release the
information.


Critics say that the law, which was designed in an era of mainframe
computers but which now operates in an era of networked personal
computers, is out of date by at least three generations of computer
technology. That criticism, along with the increased interest in Internet
privacy issues, prompted the Clinton Administration to require a privacy
policy covering all federal agency Web sites. The Office of Management and
Budget is responsible for enforcing the policy.


In a sternly worded June letter, the office's director, Jacob Lew, said
that software "cookies," which track Internet users' movements
among Web sites, were not to be used on federal Web sites unless the
agency had explicit approval from its chief, provided clear notice to the
site's users, and publicized the safeguards for handling information
collected from the cookies. The memo came after revelations that the White
House Office of Drug Control Policy had used cookies on its Web site to
track users' visits to other drug-oriented Web sites. As a result of the
criticism, House Commerce Telecommunications Subcommittee Chairman W.J.
"Billy" Tauzin, R-La., requested a General Accounting Office
study to determine whether federal Web sites meet the same privacy
standards that the Federal Trade Commission is seeking to apply to private
Web sites. And House Majority Leader Dick Armey, R-Texas, has asked the
accounting office to see how well agencies are living up to the Privacy
Act.


Peter Swire, the Clinton Administration's chief adviser on privacy issues,
was the impetus for the cookie crackdown. "One of the reasons for
creating the [advisory] position was to coordinate policy for government
and private use of information," Swire said in an interview.
"The creation of the position was a recognition of the need for
strong and consistent privacy rules across agencies."


Privacy advocates are scrutinizing two other areas of federal data
collection:


The Directory of New Hires


One of the most sweeping databases in the hands of the federal government
is the Directory of New Hires. It is an electronic compilation to which
every employer in the country must report the names, addresses, Social
Security numbers, and incomes of all new hires. Created under the 1996
landmark welfare reform bill known as the Personal Responsibility and Work
Opportunity Reconciliation Act, the database is used to track down
parents, primarily fathers, who renege on child-support payments.


Privacy advocates point out that the names in the registry are not limited
to people who receive public assistance or who pay or receive child
support. They say that Congress, by requiring that the name of every
employed American be entered into the database, has created a monster lode
of personal information whose purpose will gradually but inevitably expand
beyond its original intent.


Here's how the database works: Each employer provides the required
personnel information to state officials, who feed the data into a state
directory of new hires. Each state then turns these data over to the
national directory, which is a part of the Health and Human Services
Department's Federal Parent Locator Service. State child-support
enforcement officials then match information from the federal database
against their child-support cases. When a match is found and a deadbeat
parent is located, child-support officials can force an employer to
withhold wages from the parent's paycheck.


The IRS, the Social Security Administration, and the Justice Department
all have access to the information in the database. Swire said that the
Office of Management and Budget wrote regulations governing the system in
an effort to ensure that the data would remain confidential.


But the fears of privacy advocates were heightened last year when Congress
expanded the use of the database to include tracking down defaulters on
student loans. Language inserted into the appropriations bill for the
Labor, Health and Human Services, and Education departments permitted such
a use and also allowed employers to withhold wages to pay off the loans.
Rep. Nancy L. Johnson, R-Conn., has proposed an additional expansion that
would give state unemployment insurance officials access to the federal
database, as part of her proposed Child Support Distribution Act. (Johnson
dropped another provision of her bill that would have given child-support
collection agencies access to the database, after privacy advocates Edward
J. Markey, D-Mass., and Joe Barton, R-Texas, objected.)


"I'm not prepared to say that [a child-support database] is a
terrible idea," said privacy consultant Robert Gellman, who has
closely followed the history of the Privacy Act. "Be that as it may,
we have agreed to set up a database of every working American, and no one
debated that. If you start a system for one purpose, Congress can't keep
its hands off it."


The Financial Crimes Enforcement Network


In April 1999, when the Federal Deposit Insurance Corp. and other major
banking regulators announced they were withdrawing their proposed
"Know Your Customer" rules requiring banks to closely monitor
their customers' financial transactions, the regulators acknowledged the
importance of the 256,634 letters they had received arguing against the
proposal.


"We need to take privacy concerns into account in any regulatory
proposal that touches upon the personal finances of bank customers,
regardless of our objectives," said FDIC Chairwoman Donna Tanoue.
"When bank regulations can excite and unite individuals across the
country, and in all walks of life, we have to pay attention."


What the regulators didn't back away from was the requirement that
financial institutions file Suspicious Activity Reports on any customer
who engages in an activity that "is not the sort in which the
particular customer would normally be expected to engage."


In addition to the Suspicious Activity Reports, Currency Transaction
Reports are required for any cash transaction of $10,000 or more-the
triggering level is $5,000 when the transaction is accompanied by
"suspicious behavior." The transactions are automatically
reported to the Treasury Department's Financial Crimes Enforcement
Network, known as FinCEN. Its computerized database shares information
with federal and state law enforcement agencies.


Although Treasury Department officials describe the financial crimes
database as a crucial tool in combating money laundering, critics note
that 77 million transaction reports have resulted in only 580 convictions.
And from 1994-98, the number of money-laundering prosecutions brought by
the main law enforcement agencies dropped more than 24 percent, in spite
of the new Suspicious Activity Reports, according to the Transactional
Records Access Clearinghouse, a private research center at Syracuse
University. Among those who say the federal government's financial rules
are excessive is Lawrence Lindsay, a former Federal Reserve governor and
the top domestic policy adviser to Republican presidential nominee George
W. Bush.


Gregory Nojeim, legislative council for the American Civil Liberties
Union, said "the theory is [that such reports] are supposed to be the
tip, and [law enforcement] uses the tip to get the subpoena." The
ACLU's "biggest objection," he said, "is that personal
financial information is routinely turned over to the government without
having to show evidence of crime."


House Banking Committee Chairman Jim Leach, R-Iowa, and the Clinton
Administration have proposed measures that would expand the scope of the
financial crimes database. Leach's initial approach would have opened the
database to groups such as the National Association of Securities Dealers
that police their members for financial fraud. Although the proposal was
dropped from the Leach-sponsored measure introduced by the Clinton
Administration, the bill would still expand Treasury Department authority
by imposing reporting requirements on any transaction involving a foreign
bank. The full House has yet to vote on the bill, known as the
International Counter-Money Laundering and Foreign Anticorruption
Act.


"Banking is an industry that is built on trust, and FinCEN's mission
undermines that public confidence," said Rep. Ron Paul of Texas, one
of four House Republicans to vote against the Clinton-Leach bill in
committee, on the grounds that it would further erode consumer financial
privacy. "What they really need to do is to stop deputizing bank
tellers as law enforcement agents."


Drew Clark

National Journal