Bridging the divide

Agencies must resolve difficult cultural and policy challenges to get homeland security and law enforcement information flowing freely

Ask before you share

Agencies must resolve difficult cultural and policy challenges to get homeland security and law enforcement information flowing freely

Homeland security officials should weigh the potential benefits and risks of any new data-sharing activities. Here’s a checklist and comments from Peter Swire, professor of law at Ohio State University and a senior fellow at the Center for American Progress, a think tank.

1. Will the proposed sharing tip off adversaries?
SWIRE: “It’s easy to be optimistic that only good things will happen, but in sharing information, it’s possible bad guys might get the data also.”

2. Does the proposal improve security cost-effectively?
SWIRE: “You don’t want to merge sensitive personal data just for the sake of merging it. Work through what the actual security payoff is.”

3. Is the proposal substantive?
SWIRE: “How much does it provide only the appearance of security? Sometimes your managers feel they have to do something for security or information sharing. But if it only gives the appearance of security but creates the reality of harming privacy, that’s a bad deal.”

4. Are there novel aspects to the proposed surveillance and sharing? What risks, if any, accompany these novel aspects?
SWIRE: “If something has never been done before, sometimes there’s a reason. It may be a bad idea.”

5. Are there relevant lessons from historical instances of abuse?
SWIRE: “Ask, ‘Did we see problems in a similar program before?’ and ‘What checks and balances would mitigate risks of such abuse?’ ”

6. Do fairness and anti-discrimination concerns reduce the desirability of the proposed program?
SWIRE: “If the program only targets a certain ethnic group, for instance, that might lead to pushback.”

7. Are there ways that the proposed measure could make the security problems worse?
SWIRE: “Again, proponents often emphasize the upside. Somebody should play devil’s advocate and examine if there is a downside.”

8. What are the ramifications internationally and with other stakeholders?
SWIRE: “If you are only sharing among five entities, will there be a problem with other allies or stakeholders? You might not care, but if others are likely to complain, you’d better get ready for it.”

9. Are there additional privacy-based harms from the proposed measure?
SWIRE: “Do individuals have access to the data to correct mistakes? What about the false positives? How do people get off a watch list when they don’t deserve to be on it? When you combine data [from multiple sources] the number of false positives often rises.”

10. Will bad publicity undermine the program?
SWIRE: Basically, can the program survive in the light of day? If you are too embarrassed to go public with it, there might be a reason. It might be doing something that’s not good.”

— Alan Joch

Whether it’s a new regional fusion center or a venerable storehouse such as the FBI’s National Crime Information Center, there’s no shortage of ways for federal, state and local officials to share information about criminal or possible terrorist activity.

But as the troubled Homeland Security Information Network shows, creating centralized clearinghouses of information doesn’t guarantee that they will be widely used.

The Government Accountability Office criticized the Homeland Security Department in a report last April for neglecting to provide basic policies and training on how to use HSIN.

Homeland security and law enforcement officials must grapple with numerous management and policy challenges when they set up data-sharing programs. Those challenges include agency cultures predisposed to hoarding data and fears about how data might be mishandled or abused.

For managers, setting policies so that sharing initiatives can overcome those roadblocks is daunting. However, some law enforcement agents and security analysts say the solution lies in a combination of controls and incentives that can get around most roadblocks to communication and collaboration.

Here are some of the most common obstacles to sharing and suggested ways to bypass them.

Challenge: Lack of trust
Departmental silos and long-standing turf battles can discourage officials from freely sharing information that might be important for preventing or prosecuting terrorist activities.

“If departments do not have effective structures for managing cooperative relationships, existing ‘silo’ thinking is difficult to overcome,” said Natalie Tarry, director of research at the Social Market Foundation, a think tank in the United Kingdom that specializes in homeland security issues.

SOLUTION
Breaking down the walls that block sharing should involve a two-part strategy, experts say.

First, do not underestimate the value of personal relationships.

Develop programs based on personal interactions among related jurisdictions to promote trust.

Second, establish controls to let agencies choose how their information is distributed and used.

Tom Bush, assistant director of the FBI’s Criminal Justice Information Services Division, said he experienced firsthand the importance of forging professional relationships to combat turf battles.

As an FBI field agent, Bush worked with local task forces on violent crimes and drugs. Buy-in from officers involved in joint operations came through trips to local police departments to inquire about the kind of help they expected from the FBI.

“Clearly, that level of trust has to be established,” Bush said about interactions between the FBI and local law enforcement agencies.

Bush and the FBI applied that lesson with N-DEx, an information exchange system set to launch this month for sharing incident and arrest reports created by local authorities.

Local departments can decide the types of files and the level of detail they make available to N-DEx. Each department also can view audits that show who is using the data.

“The bottom line is they’re your agency’s records to maintain,” Bush said. “It’s your responsibility for putting the information in and keeping it current and accurate. [Local agencies] need to be close to the security of their data.”

Challenge: Inadequate vetting and feedback
Local law enforcement incident reports, quickly becoming the first line of defense against criminal activity, could distribute inaccuracies throughout data-sharing networks or, conversely, represent missed opportunities.

For example, a police officer might question a driver who has stopped his ve icle outside a nuclear facility, ostensibly to check a mechanical problem with his car.

Even though no formal police action might be warranted, the officer describes the encounter and enters the driver’s name and license number in a field report. The incident could prove to be insignificant, or it might help reveal a pattern of suspicious activity if officers in other areas match it to similar activities at nearby power plants.

But because the information resides in informal field reports rather than formal arrest and conviction records, suspicions often go unvalidated.

SOLUTION
Agencies need to institute a series of checks and balances for further evaluating information.

“If a local law enforcement organization sees suspicious activity, there needs to be validation at that level by pulling in managers, supervisors and experts,” said Harold Relyea, who writes about data-sharing challenges as a U.S. government specialist at the Congressional Research Service.

If that information is sent to a fusion center and is determined to have implications for anti-terrorism activities, it should be shared.

“After some period of time, the law enforcement officials who receive this information should report back as to how they used it and correct and update the information so you get another stab at quality control,” Relyea said.

Challenge: Protecting privacy
Privacy advocates worry about violations of the spirit, if not the letter, of the Privacy Act, which restricts federal agencies from directly sharing certain personal information about people. For example, questions can arise when agencies acquire aggregated information from commercial data brokers.

“Some agencies are going out to the private sector to ask them to do data mining and assisting them with getting information that would be in the hands of other agencies,” said Lillie Coney, associate director of the Electronic Privacy Information Center.

“It’s a completely opaque process” because citizens might be unaware of how their information is being handled, she added.

SOLUTION
Audit trails that show people how their records are being used could help them monitor government and third-party activity and ease concerns, Tarry said.

Several experts suggested a system that citizens could use to monitor data sharing in much the same way that consumers can check their credit histories.

Also, frameworks that index existing state and local law enforcement records might be less prone to privacy breaches than composite dossiers built from a mix of government and public data.

Similarly, new distributed data management architectures might be better suited to the task of reducing privacy risks than older data-sharing approaches that rely on centralized data warehouses run by the government and fed by federal, local and state users.

“The FBI has long said, ‘Give us all your information, and we’ll put it in this huge supercomputer warehouse and be responsible for taking care of it.’ That is a political problem that will not ever lead to any successful integration,” said Barry Bellue, chief executive officer of Think- Stream, which specializes in collaboration technology for law enforcement agencies.

“It has to be a distributed model, and it has to be subject to local control and supervision,” Bellue said. “Otherwise, a lot of officials are scared to share simply because they don’t want confidential information getting into the wrong hands.”

Challenge: Semantic confusion
Inconsistencies in how agencies mark sensitive documents with labels such as for official use only or confidentia can be confusing when the files travel to other law enforcement organizations. Such labels can inhibit officials from taking advantage of potentially important data.

“I’m not going to take the initiative because I might get in trouble,” Relyea said.

SOLUTION
Clarify classifications and reduce their use, as the Defense Department is doing, Relyea said.

“By cutting down on the use of these markings or otherwise making it clear what activity can be done with information under those rubrics, we get a lot farther down the [information-sharing] road,” he said.

As an alternative, agencies could mandate the use of the access controls included with content management systems that rely on passwords and biometric identifiers to limit distribution to certain individuals or job functions.

Joch (ajoch@worldpath.com) is a business and technology writer based in New England.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above