Congressional Record: July 29, 2003 (Senate)
Page S10142-S10153
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
[...]
By Mr. WYDEN:
S. 1484. A bill to require a report on Federal Government use of
commercial and other databases for national security, intelligence, and
law enforcement purposes, and for other purposes; to the Committee on
the Judiciary.
Mr. WYDEN. Mr. President, I believe the United States can fight
terrorism ferociously without gutting civil liberties. The point of the
legislation I am introducing today is to address concerns that have
arisen about the second part of this equation: an area of privacy that
has gotten short shrift. That is the personal financial, medical and
other data on millions of Americans that today is less than a
mouseclick away from the computers of thousands of Federal bureaucrats.
Access to and the use of that personal information by Federal
bureaucrats is not protected by any comprehensive law.
The power of technology that allows the Federal Government to pry
into the personal lives of millions of Americans is only beginning to
be understood. It is a breath-taking power, and it has come partly to
light through the Defense Department's Terrorism Information Awareness
Program (TIA), and through the Transportation Security Administration's
Computer Assisted Passenger Profiling System II or CAPPSII Program.
These and more than two dozen other agencies wield that power with
little or no restraint.
The legislation I am introducing with the support of a bipartisan
group of privacy watchdog organizations, the Citizens' Protection in
Federal Databases Act, will put the breaks on unchecked Federal data
sweeps. It requires the Federal agencies with law enforcement or
intelligence authority to share with Congress exactly what they are
doing with private or public databases, why they are doing it, and most
importantly, what, if any, privacy protections the agencies are
affording the individuals' whose sensitive information is caught up in
those databases.
The Citizens' Protection in Federal Databases Act also prohibits
searches based on hypothetical scenarios.
Apparently, some government agencies are using valuable Federal
resources chasing hypothetical situations dreamed up without regard to
actual intelligence or law enforcement information.
The TIA Report to Congress in May of this year explained at length
the program's intent to construct possible terrorist "scenarios"
based on "historical examples, estimated capabilities, and
imagination." These scenarios would then be fed into database searches
in an effort to substantiate the hypotheticals.
This Act bans such searches. This prohibition will promote the
efficient use of Federal law enforcement time and money and help
protect Americans from being subject to "virtual goose chases."
Since 9/11, there has been an abundance of stories regarding
Americans being stopped, searched, or detained due to some mistaken
information. For example, after 9/11, the FBI decided to share with
companies across the country a list with names of people wanted for
possible association with terrorism. This list, as part of "Project
Lookout," was sent to thousands of corporations, some of whom now use
the list in lieu of background checks.
Here's the problem--this list is not necessarily accurate. First of
all, the list quickly became obsolete as the FBI checked people off.
That means even if people were cleared by the FBI of suspicion, their
names were still on this list. Secondly, the list has been shared so
many times, and passed from person to person, group to group--many
names have become misspelled and now folks, due to one or two typos,
are being stopped as suspected terrorists.
That story is just one example of what can happen when information is
[[Page S10150]]
mishandled. It is Congress's job to make sure mistakes like these do
not happen.
The Citizens' Protection in Federal Databases Act is not the end of
this issue. After shedding some light on what exactly is happening with
personal information--the Congress must then address how to protect
Americans from the misuse of this information.
I am happy to be working with a strong group of privacy advocates.
The group includes the Electronic Privacy Information Center, the
Electronic Frontier Foundation, the Center for Democracy and
Technology, People for the American Way, the Free Congress Foundation,
and the American Civil Liberties Union, and they have been instrumental
in getting strong safeguards enacted against abuses in the TIA and
other programs. I look forward to working with these groups, and my
Senate colleagues, to see that this bill is enacted into law.
When tens of thousands of bureaucrats have at their fingertips all-
too-easy access to such personal information from private and public
databases as the use of passports, driver's licenses, credit cards,
ATMs, airline tickets, and rental cars, the American people want to
know what is happening to their information. They want to know who
wants access to it and why. Their personal information deserves strong
privacy protection, and that is what this legislation is all about.
I ask unanimous consent that the text of the bill be printed in the
Record.
There being no objection, the bill was ordered to be printed in the
Record, as follows:
S. 1484
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the "Citizens' Protection in
Federal Databases Act".
SEC. 2. FINDINGS.
Congress makes the following findings:
(1) Many Federal national security, law enforcement, and
intelligence agencies are currently accessing large
databases, both public and private, containing information
that was not initially collected for national security, law
enforcement, or intelligence purposes.
(2) These databases contain personal and sensitive
information on millions of United States persons.
(3) Some of these databases are subject to Federal privacy
protections when in private sector control.
(4) Risks to personal privacy are heightened when personal
information from different sources, including public records,
is aggregated in a single file and made accessible to
thousands of national security, law enforcement, and
intelligence personnel.
(5) It is unclear what standards, policies, procedures, and
guidelines govern the access to or use of these public and
private databases by the Federal Government.
(6) It is unclear what Federal Government agencies believe
they legally can and cannot do with the information once
acquired.
(7) The Federal Government should be required to adhere to
clear civil liberties and privacy standards when accessing
personal information.
(8) There is a need for clear accountability standards with
regard to the accessing or usage of information contained in
public and private databases by Federal agencies.
(9) Without accountability, individuals and the public have
no way of knowing who is reading, using, or disseminating
personal information.
(10) The Federal Government should not access personal
information on United States persons without some nexus to
suspected counterintelligence, terrorist, or other illegal
activity.
SEC. 3. LIMITATION ON USE OF FUNDS FOR PROCUREMENT OR ACCESS
OF COMMERCIAL DATABASES PENDING REPORT ON USE
OF INFORMATION.
(a) Limitation.--Notwithstanding any other provision of
law, commencing 60 days after the date of the enactment of
this Act, no funds appropriated or otherwise made available
to the Department of Justice, the Department of Defense, the
Department of Homeland Security, the Central Intelligence
Agency, the Department of Treasury, or the Federal Bureau of
Investigation may be obligated or expended by such department
or agency on the procurement of or access to any commercially
available database unless such head of such department or
agency submits to Congress the report required by subsection
(b) not later than 60 days after the date of the enactment of
this Act.
(b) Report.--(1) The Attorney General, the Secretary of
Defense, the Secretary of Homeland Security, the Secretary of
the Treasury, the Director of Central Intelligence, and the
Director of the Federal Bureau of Investigation shall each
prepare, submit to the appropriate committees of Congress,
and make available to the public a report, in writing,
containing a detailed description of any use by the
department or agency under the jurisdiction of such official,
or any national security, intelligence, or law enforcement
element under the jurisdiction of the department or agency,
of databases that were obtained from or remain under the
control of a non-Federal entity, or that contain information
that was acquired initially by another department or agency
of the Federal Government for purposes other than national
security, intelligence or law enforcement, regardless of
whether any compensation was paid for such databases.
(2) Each report shall include--
(A) a list of all contracts, memoranda of understanding, or
other agreements entered into by the department or agency, or
any other national security, intelligence, or law enforcement
element under the jurisdiction of the department or agency
for the use of, access to, or analysis of databases that were
obtained from or remain under the control of a non-Federal
entity, or that contain information that was acquired
initially by another department or agency of the Federal
Government for purposes other than national security,
intelligence, or law enforcement;
(B) the duration and dollar amount of such contracts;
(C) the types of data contained in the databases referred
to in subparagraph (A);
(D) the purposes for which such databases are used,
analyzed, or accessed;
(E) the extent to which such databases are used, analyzed,
or accessed;
(F) the extent to which information from such databases is
retained by the department or agency, or any national
security, intelligence, or law enforcement element under the
jurisdiction of the department or agency, including how long
the information is retained and for what purpose;
(G) a thorough description, in unclassified form, of any
methodologies being used or developed by the department or
agency, or any intelligence or law enforcement element under
the jurisdiction of the department or agency, to search,
access, or analyze such databases;
(H) an assessment of the likely efficacy of such
methodologies in identifying or locating criminals,
terrorists, or terrorist groups, and in providing practically
valuable predictive assessments of the plans, intentions, or
capabilities of criminals, terrorists, or terrorist groups;
(I) a thorough discussion of the plans for the use of such
methodologies;
(J) a thorough discussion of the activities of the
personnel, if any, of the department or agency while assigned
to the Terrorist Threat Integration Center; and
(K) a thorough discussion of the policies, procedures,
guidelines, regulations, and laws, if any, that have been or
will be applied in the access, analysis, or other use of the
databases referred to in subparagraph (A), including--
(i) the personnel permitted to access, analyze, or
otherwise use such databases;
(ii) standards governing the access, analysis, or use of
such databases;
(iii) any standards used to ensure that the personal
information accessed, analyzed, or used is the minimum
necessary to accomplish the intended legitimate Government
purpose;
(iv) standards limiting the retention and redisclosure of
information obtained from such databases;
(v) procedures ensuring that such data meets standards of
accuracy, relevance, completeness, and timeliness;
(vi) the auditing and security measures to protect against
unauthorized access, analysis, use, or modification of data
in such databases;
(vii) applicable mechanisms by which individuals may secure
timely redress for any adverse consequences wrongfully
incurred due to the access, analysis, or use of such
databases;
(viii) mechanisms, if any, for the enforcement and
independent oversight of existing or planned procedures,
policies, or guidelines; and
(ix) an outline of enforcement mechanisms for
accountability to protect individuals and the public against
unlawful or illegitimate access or use of databases.
SEC. 4. GENERAL PROHIBITIONS.
(a) In General.--Notwithstanding any other provision of
law, no department, agency, or other element of the Federal
Government, or officer or employee of the Federal Government,
may conduct a search or other analysis for national security,
intelligence, or law enforcement purposes of a database based
solely on a hypothetical scenario or hypothetical supposition
of who may commit a crime or pose a threat to national
security.
(b) Construction.--The limitation in subsection (a) shall
not be construed to endorse or allow any other activity that
involves use or access of databases referred to in section
3(b)(2)(A).
SEC. 5. DEFINITIONS.
In this Act:
(1) Appropriate committees of congress.--The term
"appropriate committees of Congress" means--
(A) the Select Committee on Intelligence and the Committee
on the Judiciary of the Senate; and
(B) the Permanent Select Committee on Intelligence and the
Committee on the Judiciary of the House of Representatives.
(2) Database.--The term "database" means any collection
or grouping of information about individuals that contains
personally identifiable information about individuals, such
as individual's names, or identifying numbers, symbols, or
other identifying
[[Page S10151]]
particulars associated with individuals, such as
fingerprints, voice prints, photographs, or other biometrics.
The term does not include telephone directories or
information publicly available on the Internet without fee.
(3) United states person.--The term "United States
person" has the meaning given that term in section 101(i) of
the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C.
1801(i)).
______
