Shopping for data

Lawmakers have tough questions for largely unregulated data firms

FBI officials spent $75 million last year for information from data aggregators, a fast-growing and largely unregulated market. But congressional leaders appear ready to impose restrictions on the industry following a series of high-profile security breaches in recent weeks.

The incidents revealed weak security and privacy controls at ChoicePoint and LexisNexis Group, two of the nation’s largest data aggregators.

Such companies provide a useful service for law enforcement agencies, officials testified at an April 13 Senate Judiciary Committee hearing. By outsourcing data-collection activities to aggregators, however, federal agency officials sidestep their obligations under the Privacy Act, a privacy expert told lawmakers.

And agencies that rely on data aggregators know little about the accuracy of the data they purchase, others testified.

Some security experts say, however, that data collected by ChoicePoint and LexisNexis is too useful for federal law enforcement agencies to forgo and that such companies should protect personal information by encrypting it.

The FBI buys information from data aggregators ChoicePoint, credit bureau reporting companies, Dun and Bradstreet, LexisNexis, the National Insurance Crime Bureau and Westlaw, which agents use mainly for convenience, said Chris Swecker, assistant director of the FBI’s Criminal Investigative Division.

“Twenty-three years ago when I first came to the FBI, I had to walk down to the courthouse to get courthouse records and go other places to collect these records,” Swecker said. “Being able to make one query and get all these records at one time saves investigative time and saves resources,” he said.

Records that the FBI finds useful include driver’s license information, last known address, date of birth, court filings, liens and newspaper records, Swecker said, adding that FBI officials conducted 1.2 million queries in the ChoicePoint database in 2004.

Privacy experts say federal agencies’ use of commercial databases creates a problem. “It allows them, in essence, to outsource data-collection activities,” said James Dempsey, executive director of the nonprofit Center for Democracy and Technology. If federal officials start a new collection of data, they must comply with the Privacy Act, which requires agencies to perform a privacy impact assessment, Dempsey told the committee.

But when government officials buy that data or subscribe to data that they don’t pull into a government database, none of the Privacy Act rules apply, Dempsey said. It is a loophole that he advised lawmakers to close as they consider legislation to regulate data aggregators.

Dempsey also said the federal government bears some responsibility for the accuracy of the commercial data it uses for law enforcement and other purposes.

Concerning the extent to which FBI officials check the accuracy of public records that it purchases, Swecker said they conduct no formal audits of the data. Instead, FBI officials buy data from four or five brokers. They compare information that the different commercial databases have on particular people as an accuracy check.

“We compare it with our own information as well,” Swecker said, adding that each of the data aggregators has different strengths in terms of data quality.

Sen. Russell Feingold (D-Wis.), a committee member, said he is concerned there are no guidelines to ensure that information in commercial databases is used responsibly. Without restrictions, there is nothing to prevent federal agencies from using commercial data “for privacy-intrusive data-mining programs,” he said.

Responding to Feingold’s concerns, Swecker said FBI officials do not use commercial databases for data mining.

“Each query is predicated on an investigation — at least the preliminary inquiry is — so we don’t data mine through the data brokers’ information,” Swecker said. Investigators sometimes make large batch queries against the databases by submitting 40 to 50 names at once. “But as far as just mining through the data, that does not happen,” he said.

Companies from which the FBI buys data have assured agency officials that the names of people who are the subjects of FBI queries are kept private, Swecker said. “They collect the number of queries, but they do not collect the subject of the queries,” he said.

But they are the same companies that data thieves targeted to obtain personal information about several hundred thousand people. The thieves were successful because the companies lacked adequate security and privacy controls for protecting the data, said Sen. Patrick Leahy (D-Vt.), the committee’s ranking member. Leahy blamed data aggregators for sloppy business practices that he said compromise law enforcement and homeland security.

The committee’s chairman, Sen. Arlen Specter (R-Pa.), suggested that lawmakers pass comprehensive legislation this year to regulate data aggregators, which currently are subject to a patchwork of laws under the jurisdiction of the Federal Trade Commission. “I believe that there will be some very firm federal legislation coming out of this issue,” Specter said.

After the terrorist attacks in 2001, LexisNexis was one of the first companies federal officials used. “They immediately pulled down 60 pages of information on the hijackers they suspected were involved,” said Jody Westby, managing director at PricewaterhouseCoopers.

Information collected by companies such as LexisNexis and ChoicePoint is enormously useful to government officials, Westby said. But to protect people from harmful privacy breaches, she said, lawmakers might have to set a minimum security standard for data aggregators that collect personal information.

Field-level encryption is an effective way of protecting database fields containing personally identifiable information without degrading the speed of database searches, Westby said.

“It’s a viable option that hasn’t been pursued,” she added.

Lawmakers fight data theft

Federal lawmakers have introduced 18 cybersecurity bills and state legislators have offered 30 bills to regulate the use of personal information and to respond to growing online threats stemming from spyware, phishing and other pernicious activities on the Internet.

Here are a few highlights from bills proposed by Sen. Dianne Feinstein (D-Calif.) and Sens. Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.):

S. 751 (Feinstein):

  • Would require any agency or company that collects personal information to notify potential victims of identity theft when a security breach is discovered.
  • Would impose a fine of up to $50,000 a day for each day that a company fails to notify victims about unauthorized access to personal information.

    S. 768 (Schumer-Nelson):

  • Would create an Office of Identity Theft at the Federal Trade Commission to help victims of identity theft.
  • Would require any company that holds sensitive personal information to take reasonable steps to protect it.
  • Reader comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above