Employee Privacy in an Era of Homeland Security

Even before the terrorist attacks in New York and Washington, the Federal Bureau of Investigation was working aggressively to keep pace with the law enforcement challenges posed by the rapid pace of technological developments. One of the FBI's significant goals is to develop closer relationships with businesses and corporations. While these closer relationships are proving valuable in the fight against cyberterrorism, an inevitable consequence is that the FBI is gaining unprecedented access to private employee information in the name of national security.

The FBI's role in responding to cyberattacks was formalized in July 1996, with the creation of the Computer Investigations and Infrastructure Threat Assessment Center (CITAC). According to the FBI's website:

... the formation of alliances with both the public and private sectors was absolutely necessary to ensure a free flow of critical knowledge, as well as to coordinate responses to attacks on critical infrastructure components.

InfraGard and the Coming "Digital Storm"

On February 26, 1998, using a $64 million appropriation from Congress, Attorney General Janet Reno and FBI Director Louis Freeh created a new multiagency group called the National Infrastructure Protection Center (NIPC, pronounced "nip-see"). According to NIPC's first director, Michael Vatis, the group was based at the FBI because of the need for the agency's investigative resources when an unauthorized intrusion is detected.

Later that spring, on May 22, 1998, President Clinton signed Presidential Decision Directive 63, which charged NIPC with the responsibility of assessing the potential for cyberthreats, conducting investigations, issuing warnings, and evaluating infrastructure vulnerabilities. As designed by Reno and Freeh, NIPC will employ more than 500 people around the country; Vatis told Wired magazine in the fall of 1998 that "[a]t least half of our staff will come from the Secret Service, National Security Agency, CIA, NASA, Department of Defense, state and local law enforcement, Department of Treasury, Department of Energy, and the Department of Transportation." ^[12]

A central focus of NIPC has been to expand and build upon a program called InfraGard, which was developed by the Cleveland FBI office in the summer of 1996. On its website, the FBI describes InfraGard as follows:

InfraGard is a cooperative effort to exchange information between the business community, academic institutions, the FBI, and other government agencies to ensure the protection of the information infrastructure through the referral and dissemination of information regarding illegal intrusions, disruptions, and exploited vulnerabilities of information systems.

By the beginning of 2001, all fifty-six FBI field offices around the country were running InfraGard chapters, and more than 518 private businesses had signed up. In order to persuade companies to participate, NIPC provides them with a secure website on which information is posted and secure e-mail for exchanging information about intrusions and threats.

The FBI is steadily increasing its capability for gathering, storing, and cross-matching the detailed information it receives from the business community. As an extension of its work with NIPC, the FBI asked Congress in 2000 to appropriate $75 million to upgrade the Bureau's information technology. Under a program dubbed "Digital Storm," the FBI is planning to replace all of its analog wiretap equipment with digital intercepts, running off of specially modified PCs. As the FBI makes the transition to digital technology, it will gain the ability to do keyword searches on thousands of pages of wiretap transcripts; currently, agents must wade through lengthy audio tapes or hard-copy transcripts. The upgrade from analog to digital technology will also improve the FBI's data mining capabilities for the information contained in its myriad databases.

The USA Patriot and Homeland Security Acts

The relationships the FBI is developing with businesses through InfraGard and the data mining capabilities inherent in a program like "Digital Storm" have taken on a particular significance in the wake of the 9/11 terrorist attacks.

In an action that mirrors its reaction to the turbulence of the 1960s, Congress recently adopted sweeping changes to the rules governing government wiretaps. The changes were included in the "Uniting and Strengthening America By Providing Appropriate Tools Required To Intercept and Obstruct Terrorism" Act, better known as the USA Patriot Act. Among its various provisions are a number of significant changes to how surveillance is conducted in this country:

• Government Agents and the Foreign Intelligence Sueveillance Act. The Act permits government agents to use the Foreign Intelligence Surveillance Act (FISA) to intercept communications and engage in surveillance even if the primary purpose of the surveillance is a criminal investigation. The benefit to law enforcement is that the standards for obtaining authority to do surveillance under FISA are far less onerous than those applied to surveillance of U.S. citizens suspected of committing a crime.

• Law Enforcement and Access to Websites. Although the parameters for doing so are still unclear, the Patriot Act apparently authorizes law enforcement to obtain access to a list of websites visited by an individual under investigation, as long as law enforcement agents can obtain a U.S. District Court order.

Most disturbingly for employees, the Patriot Act also gives the Federal Bureau of Investigation a virtually unfettered right to demand any records maintained by a business about an employee under investigation. Specifically, the law states:

The Director of the Federal Bureau of Investigation or a designee ... may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities....

If a federal judge or magistrate approves the government's application, an order is entered without any advance notice to the business or employee, and the business is forbidden from telling anyone that the FBI has even made a request for an employee's records. Not surprisingly, it's unclear how extensively this provision has been used over the past year, but it's clear that from both a legal and practical point of view, the FBI's ability to compile data about employees is steadily expanding.

Following the election in November 2002, the recapture of the Senate by the Republican Party helped spur passage of the Homeland Security Act on terms more acceptable to President George W. Bush. Among the more controversial provisions of the Act is the creation of a project called "Total Information Awareness" (TIA). The goal of TIA is to build a massive governmental database containing, among other things, every commercial, consumer, and financial transaction, every academic grade, and the title of every book or video rented or purchased in this country. It's unclear just yet how much information will be drawn from employers, but the potential scope of TIA is not encouraging.

The program will be administered by the Information Awareness Office, located in the Defense Advanced Research Projects Agency and headed by former Reagan national security adviser John Poindexter. ^[13] The Homeland Security Act provides him with a $200 million budget to begin implementing Total Information Awareness.

In a column describing Poindexter's new role as the government's official Peeping Tom, columnist William Safire noted that the Latin motto at the entrance to the Information Awareness Office reads Scientia est potentia or "Knowledge is power." ^[14]

The Nose of the Camel? The National Transportation ID

As we've seen, the debate over a national identification card has been percolating for more than half a century. The first serious attempt came in 1948, when the U.S. National Office of Vital Statistics proposed the adoption of a national birth certificate number.

The debate reached its highest pitch in the mid-1990s, during the lengthy and often fierce debate over the national health care plan spear-headed by then-First Lady Hillary Clinton (now a U.S. Senator). Included in the proposal was the suggestion that each person be issued a unique health care identifier, which could be used to track the provision of health care services to that person and facilitate the handling of records and payments. Although the original proposal was rejected by Congress, a some-what more limited version was passed in 1996 under the awkward title of the Health Insurance Portability and Accountability Act (HIPAA). The concept of a unique health identifier survived in the HIPAA, and work continues on the design and implementation of an appropriate identifier.

As with so many other areas of security, the concept of a national ID received a boost from the terrorist attacks. Long before the dust had cleared, legislators were renewing calls for the creation of a national driver's license, an idea that had been included in at least three pieces of legislation in 1996: HIPAA, PRWORA, and the Illegal Immigration Reform and Immigration Responsibility Act.

In each of those earlier bills, language was included that instructed the U.S. Department of Transportation to work with the American Association of Motor Vehicle Administrators to develop standards for the driver's licenses issued by each state. Among the standards to be established was a system for assigning each driver a unique numerical identifier; under the terms of the legislation, the licenses would eventually become a national ID. However, legislation introduced by Senator Richard Shelby (Alabama) in early 2000 blocked implementation of the license number proposal.

But the concept is far from dead. The U.S. House of Representatives is considering a bill introduced by Representatives Jim Moran and Tom Davis (Virginia) called the "Driver's License Modernization Act of 2002" (H.R. 4633). Under the terms of the proposed law, each state would be required to create a driver's license that uses a microchip to store the license-holder's fingerprint or retinal scan. So far, there's no sign that H.R. 4633 is gaining any traction, but a more modest proposal in the works may prove to be a test case for a civilian national ID.

Not surprisingly, the 9/11 attacks focused intense scrutiny on the security of America's transportation system, and it is among the employees of that industry that a national ID card will find its first widespread use. The new Transportation Security Administration is in the process of creating a smart identification card that would be issued to every transportation worker who has access "to secure areas of the [U.S.] transportation system." The card will contain some type of biometric identifier, although no decision had been made as to which one to use.

In late August 2002, the TSA's website displayed a mock-up of a possible version of the transportation worker's ID card (known by its acronym, TWIC), using virtually every trick in the ID manufacturer's arsenal:

... the ID card would probably be the size of a credit card and include microprinting, an intricate background pattern, ultraviolet ink, optical devices, and a thick laminate to prevent tampering or counterfeiting. In addition to a worker's photo, which would be shot in high-resolution digital film, the card would include the holder's name, employer, an identification number, issue date, expiration date, and the agency's name and logo. The back of the card would feature a swipe strip, various bar codes, a microchip cavity, another optical image device, and a ghost image of the cardholder. ^[15]

Less than a month later, however, the mock-up was no longer available on the TSA website. One likely reason for its removal is that the TSA's program to implement a transportation worker's ID hit a serious roadblock when Representative Harold Rogers (Kentucky), the Chairman of the House Appropriations transportation subcommittee, ordered acting TSA chief James M. Loy to put a hold on the TWIC project.

The hold stemmed from Congress's strong interest in the creation of an ID for so-called "trusted travelers, those willing to undergo an extensive background check in return for being allowed to bypass lengthy security checks at the airport." The TSA's transportation worker's ID is supposed to serve as a model for the trusted traveler ID. However, in Chairman Rogers's view, the Department of Defense technology on which TSA is reportedly basing its ID is not yet sophisticated enough to support biometric identification, which is viewed as a critical element of a trusted traveler ID program. ^[16]

If and when the transportation worker and trusted traveler IDs are implemented—most likely within the next eighteen months to two years—they will establish a new standard for worker identification, both in terms of the structure of the cards themselves and the scope of the background checks required to obtain the cards.

^[12]Niall McKay, "Cyber Terror Arsenal Grows," Wired magazine (October 1998). Viewed online at wired.com/news/news/politics/story/15643.html.

^[13]Poindexter was convicted in 1990 on five felony counts of misleading Congress and making false statements, but his conviction was overturned by an appeals court on the grounds that Congress had granted him immunity for his testimony.

^[14]William Safire, "You Are a Suspect," The New York Times (November 14, 2002).

^[15]Raphael Lewis, "Transport worker ID in the works," Boston Globe (August 24, 2002) p. A1. The Transportation Security Administration website can be viewed at tsa.gov.

^[16]David Bond, "TSA's Fresh Start Has a Price Tag," Aviation Week & Space Technology (September 16, 2002).