Privacy in a post-Sept. 11 world

The rapid growth of commercial data brokers and their unregulated influence on people's lives are forcing policy-makers to think about electronic data privacy in new ways. The U.S. government has traditionally been the foremost collector of personal data, but it increasingly relies on data aggregators that operate beyond the reaches of federal privacy laws. Privacy advocates find the trend worrisome.

Immediately after the Sept. 11, 2001, terrorist attacks, data industry officials were eager to voluntarily share information from their databases, especially if such information might help homeland security and law enforcement authorities connect the dots to prevent another terrorist attack.

Sharing data with the government — credit reports, last known addresses, vehicle information and much more — has become a profitable business for data aggregators such as ChoicePoint, LexisNexis and Acxiom. The FBI, for example, spent $75 million last year for information from such companies.

The trend has also raised concerns among federal privacy officials. Nuala O'Connor Kelly, the Homeland Security Department's chief privacy officer, describes national security and data privacy as two sides of the same coin.

"Let me encourage everyone to strike the word 'balance' from their vocabulary when talking about privacy and national security," Kelly said, speaking last month at the Center for American Progress, a nonpartisan think tank in Washington, D.C. "In times of crisis, privacy is going to lose, and that is not OK. Privacy and security are not mutable forces that can rise and fall depending on our level of crisis. They are immutable."

Homeland security is not the only issue causing public officials to rethink their ideas about electronic data privacy. Under pressure to prevent fraud and abuse in multibillion-dollar programs, an increasing number of federal program executives are seeking the authority to use personal information that is now protected from disclosure to help them manage their major programs more effectively.

The Education Department, which administers federal student aid programs, for example, wants lawmakers to grant them access to privacy-protected income figures that families report on their tax returns. Without access to those Internal Revenue Service records, program administrators say they must rely on families to report their income accurately.

The Education Department is also seeking congressional approval to create a database that would track individual students throughout their college careers and give federal officials better information for making policy decisions. College officials and students say that such a database of academic records identified by name would violate students' privacy.

Besides such program management pressures, technological advances are also forcing federal officials to think outside the box about privacy. Technical experts say that almost every software innovation and hardware device that people find interesting today has a potential for exposing personal information in harmful ways — from data-mining algorithms to radio frequency identification scanners, Global Positioning System devices and voice-over-IP networks.

Privacy advocates can usually get a laugh from an audience when they quote Scott McNealy, Sun Microsystems' chairman and chief executive officer, who said in a widely reported quip, "You have no privacy — get over it."

Even privacy policy expert and advocate James Dempsey, executive director of the nonprofit Center for Democracy and Technology, said data privacy is no longer about secrecy. "That's the wrong way to look at information privacy," he said. But privacy experts do care about how personally identifiable information is used "and about what we call fair information practices," he said.

Those practices, widely accepted among privacy advocates, require government agencies or businesses that collect personal information to tell people what they are collecting and how they are collecting and using it.

Following fair information practices, data collectors let people choose whether their personal information can be used for purposes other than those for which it was collected. They give people an opportunity to review the information and correct errors, and they take reasonable security steps to safeguard the information.

Recent thefts from some of the largest commercial data brokers have exposed several hundred thousand people to identity theft. Likewise, people have been prevented from boarding airplanes, stopped from voting and wrongfully arrested as a result of errors in those databases.

Security breaches involving the ChoicePoint and LexisNexis databases have attracted lawmakers' interest, detracting attention from government officials' unrestricted use of data brokers, said Reece Rushing, associate director for regulatory policy at the Center for American Progress. "It's really amazing that there are no privacy protections for the government's use of that data," he said, or any effective regulation of the data brokers.

Some privacy advocates say lawmakers are inching closer to holding data aggregators accountable for safeguarding the information in their databases through a combination of self-regulation and government oversight. They may even force federal agencies to satisfy privacy standards when they use those databases.

Information that the federal government collects is subject to the Privacy Act, which requires agency officials to consider privacy implications before collecting personally identifiable information, give public notice of such collections and limit the use of the information to the original purpose for which it was collected.

Recent administrations, however, have taken a position that such protections do not extend to personal data assembled by government contractors or commercial data aggregators, as long as the federal government did not collect the data in the first place.

For that and many other reasons, the Privacy Act, which has not been updated since it was enacted in 1974, needs a comprehensive review, Rushing said. "A lot has happened since 1974," he said.

Some legal experts now say that federal lawmakers must step in and regulate the companies that aggregate public and private data and sell it to government agencies and businesses. Daniel Solove, an associate professor of law at George Washington University Law School and author of "The Digital Person," said concerns about the potential misuse of that information transcend partisan politics. "The question is: What will be done and how strong is the political will to get something done?" he said.

Many state officials are interested in regulating data aggregators, he said, adding that "if Congress doesn't act, a lot of states will get into the action and act."