Congressional Record: July 29, 2003 (Senate) Page S10142-S10153 STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS [...] By Mr. WYDEN: S. 1484. A bill to require a report on Federal Government use of commercial and other databases for national security, intelligence, and law enforcement purposes, and for other purposes; to the Committee on the Judiciary. Mr. WYDEN. Mr. President, I believe the United States can fight terrorism ferociously without gutting civil liberties. The point of the legislation I am introducing today is to address concerns that have arisen about the second part of this equation: an area of privacy that has gotten short shrift. That is the personal financial, medical and other data on millions of Americans that today is less than a mouseclick away from the computers of thousands of Federal bureaucrats. Access to and the use of that personal information by Federal bureaucrats is not protected by any comprehensive law. The power of technology that allows the Federal Government to pry into the personal lives of millions of Americans is only beginning to be understood. It is a breath-taking power, and it has come partly to light through the Defense Department's Terrorism Information Awareness Program (TIA), and through the Transportation Security Administration's Computer Assisted Passenger Profiling System II or CAPPSII Program. These and more than two dozen other agencies wield that power with little or no restraint. The legislation I am introducing with the support of a bipartisan group of privacy watchdog organizations, the Citizens' Protection in Federal Databases Act, will put the breaks on unchecked Federal data sweeps. It requires the Federal agencies with law enforcement or intelligence authority to share with Congress exactly what they are doing with private or public databases, why they are doing it, and most importantly, what, if any, privacy protections the agencies are affording the individuals' whose sensitive information is caught up in those databases. The Citizens' Protection in Federal Databases Act also prohibits searches based on hypothetical scenarios. Apparently, some government agencies are using valuable Federal resources chasing hypothetical situations dreamed up without regard to actual intelligence or law enforcement information. The TIA Report to Congress in May of this year explained at length the program's intent to construct possible terrorist "scenarios" based on "historical examples, estimated capabilities, and imagination." These scenarios would then be fed into database searches in an effort to substantiate the hypotheticals. This Act bans such searches. This prohibition will promote the efficient use of Federal law enforcement time and money and help protect Americans from being subject to "virtual goose chases." Since 9/11, there has been an abundance of stories regarding Americans being stopped, searched, or detained due to some mistaken information. For example, after 9/11, the FBI decided to share with companies across the country a list with names of people wanted for possible association with terrorism. This list, as part of "Project Lookout," was sent to thousands of corporations, some of whom now use the list in lieu of background checks. Here's the problem--this list is not necessarily accurate. First of all, the list quickly became obsolete as the FBI checked people off. That means even if people were cleared by the FBI of suspicion, their names were still on this list. Secondly, the list has been shared so many times, and passed from person to person, group to group--many names have become misspelled and now folks, due to one or two typos, are being stopped as suspected terrorists. That story is just one example of what can happen when information is [[Page S10150]] mishandled. It is Congress's job to make sure mistakes like these do not happen. The Citizens' Protection in Federal Databases Act is not the end of this issue. After shedding some light on what exactly is happening with personal information--the Congress must then address how to protect Americans from the misuse of this information. I am happy to be working with a strong group of privacy advocates. The group includes the Electronic Privacy Information Center, the Electronic Frontier Foundation, the Center for Democracy and Technology, People for the American Way, the Free Congress Foundation, and the American Civil Liberties Union, and they have been instrumental in getting strong safeguards enacted against abuses in the TIA and other programs. I look forward to working with these groups, and my Senate colleagues, to see that this bill is enacted into law. When tens of thousands of bureaucrats have at their fingertips all- too-easy access to such personal information from private and public databases as the use of passports, driver's licenses, credit cards, ATMs, airline tickets, and rental cars, the American people want to know what is happening to their information. They want to know who wants access to it and why. Their personal information deserves strong privacy protection, and that is what this legislation is all about. I ask unanimous consent that the text of the bill be printed in the Record. There being no objection, the bill was ordered to be printed in the Record, as follows: S. 1484 Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the "Citizens' Protection in Federal Databases Act". SEC. 2. FINDINGS. Congress makes the following findings: (1) Many Federal national security, law enforcement, and intelligence agencies are currently accessing large databases, both public and private, containing information that was not initially collected for national security, law enforcement, or intelligence purposes. (2) These databases contain personal and sensitive information on millions of United States persons. (3) Some of these databases are subject to Federal privacy protections when in private sector control. (4) Risks to personal privacy are heightened when personal information from different sources, including public records, is aggregated in a single file and made accessible to thousands of national security, law enforcement, and intelligence personnel. (5) It is unclear what standards, policies, procedures, and guidelines govern the access to or use of these public and private databases by the Federal Government. (6) It is unclear what Federal Government agencies believe they legally can and cannot do with the information once acquired. (7) The Federal Government should be required to adhere to clear civil liberties and privacy standards when accessing personal information. (8) There is a need for clear accountability standards with regard to the accessing or usage of information contained in public and private databases by Federal agencies. (9) Without accountability, individuals and the public have no way of knowing who is reading, using, or disseminating personal information. (10) The Federal Government should not access personal information on United States persons without some nexus to suspected counterintelligence, terrorist, or other illegal activity. SEC. 3. LIMITATION ON USE OF FUNDS FOR PROCUREMENT OR ACCESS OF COMMERCIAL DATABASES PENDING REPORT ON USE OF INFORMATION. (a) Limitation.--Notwithstanding any other provision of law, commencing 60 days after the date of the enactment of this Act, no funds appropriated or otherwise made available to the Department of Justice, the Department of Defense, the Department of Homeland Security, the Central Intelligence Agency, the Department of Treasury, or the Federal Bureau of Investigation may be obligated or expended by such department or agency on the procurement of or access to any commercially available database unless such head of such department or agency submits to Congress the report required by subsection (b) not later than 60 days after the date of the enactment of this Act. (b) Report.--(1) The Attorney General, the Secretary of Defense, the Secretary of Homeland Security, the Secretary of the Treasury, the Director of Central Intelligence, and the Director of the Federal Bureau of Investigation shall each prepare, submit to the appropriate committees of Congress, and make available to the public a report, in writing, containing a detailed description of any use by the department or agency under the jurisdiction of such official, or any national security, intelligence, or law enforcement element under the jurisdiction of the department or agency, of databases that were obtained from or remain under the control of a non-Federal entity, or that contain information that was acquired initially by another department or agency of the Federal Government for purposes other than national security, intelligence or law enforcement, regardless of whether any compensation was paid for such databases. (2) Each report shall include-- (A) a list of all contracts, memoranda of understanding, or other agreements entered into by the department or agency, or any other national security, intelligence, or law enforcement element under the jurisdiction of the department or agency for the use of, access to, or analysis of databases that were obtained from or remain under the control of a non-Federal entity, or that contain information that was acquired initially by another department or agency of the Federal Government for purposes other than national security, intelligence, or law enforcement; (B) the duration and dollar amount of such contracts; (C) the types of data contained in the databases referred to in subparagraph (A); (D) the purposes for which such databases are used, analyzed, or accessed; (E) the extent to which such databases are used, analyzed, or accessed; (F) the extent to which information from such databases is retained by the department or agency, or any national security, intelligence, or law enforcement element under the jurisdiction of the department or agency, including how long the information is retained and for what purpose; (G) a thorough description, in unclassified form, of any methodologies being used or developed by the department or agency, or any intelligence or law enforcement element under the jurisdiction of the department or agency, to search, access, or analyze such databases; (H) an assessment of the likely efficacy of such methodologies in identifying or locating criminals, terrorists, or terrorist groups, and in providing practically valuable predictive assessments of the plans, intentions, or capabilities of criminals, terrorists, or terrorist groups; (I) a thorough discussion of the plans for the use of such methodologies; (J) a thorough discussion of the activities of the personnel, if any, of the department or agency while assigned to the Terrorist Threat Integration Center; and (K) a thorough discussion of the policies, procedures, guidelines, regulations, and laws, if any, that have been or will be applied in the access, analysis, or other use of the databases referred to in subparagraph (A), including-- (i) the personnel permitted to access, analyze, or otherwise use such databases; (ii) standards governing the access, analysis, or use of such databases; (iii) any standards used to ensure that the personal information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate Government purpose; (iv) standards limiting the retention and redisclosure of information obtained from such databases; (v) procedures ensuring that such data meets standards of accuracy, relevance, completeness, and timeliness; (vi) the auditing and security measures to protect against unauthorized access, analysis, use, or modification of data in such databases; (vii) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongfully incurred due to the access, analysis, or use of such databases; (viii) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and (ix) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases. SEC. 4. GENERAL PROHIBITIONS. (a) In General.--Notwithstanding any other provision of law, no department, agency, or other element of the Federal Government, or officer or employee of the Federal Government, may conduct a search or other analysis for national security, intelligence, or law enforcement purposes of a database based solely on a hypothetical scenario or hypothetical supposition of who may commit a crime or pose a threat to national security. (b) Construction.--The limitation in subsection (a) shall not be construed to endorse or allow any other activity that involves use or access of databases referred to in section 3(b)(2)(A). SEC. 5. DEFINITIONS. In this Act: (1) Appropriate committees of congress.--The term "appropriate committees of Congress" means-- (A) the Select Committee on Intelligence and the Committee on the Judiciary of the Senate; and (B) the Permanent Select Committee on Intelligence and the Committee on the Judiciary of the House of Representatives. (2) Database.--The term "database" means any collection or grouping of information about individuals that contains personally identifiable information about individuals, such as individual's names, or identifying numbers, symbols, or other identifying [[Page S10151]] particulars associated with individuals, such as fingerprints, voice prints, photographs, or other biometrics. The term does not include telephone directories or information publicly available on the Internet without fee. (3) United states person.--The term "United States person" has the meaning given that term in section 101(i) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801(i)). ______