Privacy laws may not cover key systems

E-Government Act

Information systems that search private data, including the controversial Total Information Awareness (TIA) program, may not be covered under privacy laws, experts inside and outside government said last week.

The Office of Management and Budget is developing guidance to instruct agencies on how to carry out laws designed to protect Americans' privacy.

The E-Government Act of 2002 includes the first major revisions to federal information privacy mandates since the Privacy Act of 1974, which limits federal collection and use of personal information. One change under the E-Government Act requires all new federal systems used for agency-conducted information collection activities to undergo a thorough assessment of how those systems address privacy protection.

But those requirements only apply to information held in databases operated by federal agencies, while more agencies are proposing to tap into private-sector sources for information and analysis, particularly for homeland security. For example, the proposed TIA system, a Defense Advanced Research Projects Agency pilot program, would sift through individual financial data — for example, information held in databases operated by private banks — to find anomalies that could point to possible terrorist activity.

Resolving the issue of whether agencies can search private data will be the real test for the guidance that OMB is now developing to help agencies follow the new privacy mandates, said Peter Swire, a law professor at Ohio State University and chief privacy counselor at OMB under the Clinton administration.

The OMB guidance will address areas such as how to conduct an assessment, how to circulate an agency's privacy policies and how to secure the information collected. But Swire said the protocol should also address the government's use of private-sector systems and databases, where there is no real precedent. "It seems to me that's where the action is and there ought to be guidance," he said.

Increasingly, agencies have hired contractors to run federal systems, complicating whether those systems fall under the privacy provisions of the E-Government Act, said Ari Schwartz, associate director for the Center for Democracy and Technology.

The courts decided that the 1974 Privacy Act applies only to the collection of information on behalf of an agency, said Franklin Reeder, chairman of the National Computer Systems Security and Privacy Advisory Board, which advises both OMB and the National Institute of Standards and Technology.

The courts, however, have also ruled in the past that the act does not apply to agency use of private databases, which is the controversy with many current systems, Reeder said.

The E-Government Act explicitly states that the privacy policies apply to systems that are developed or bought by federal agencies. OMB still intends to address the subject in its guidance, said Dan Chenok, branch chief for information policy and technology at the agency.