Sidelining Homeland Security's privacy chief

CNET's Declan McCullagh explains why the Department of Homeland Security's privacy officer is unable to do her job.

The Department of Homeland Security's privacy officer can't do her job. You can thank Congress for that strange state of affairs.

When politicians were concocting the massive bureaucracy a few years ago, they handed the privacy officer impressive-sounding tasks such as "assuring" that new technologies do not erode privacy and "evaluating" the impact of new government programs.

But Congress also neglected to give the job holder the power to twist arms and actually investigate privacy violations.

Nuala O'Connor Kelly, privacy officer, Department of Homeland Security

Nuala O'Connor Kelly, who got the post in April 2003, seems to be honestly trying to report on the sprawling bureaucracy's privacy performance. To her credit, she's also spoken out against national identity cards. (While Kelly's choice of advisory committee members is slightly bizarre, let's put that aside for the moment.)

But internal DHS documents show that Kelly does not have the authority that any true privacy officer needs.

"Although the chief privacy officer by statute is required to investigate complaints of privacy violations, she does not have subpoena authority," Department of Homeland Security lawyer Elizabeth Withnell wrote in a declaration filed in a lawsuit. "She must therefore rely on voluntary submissions of information in order to conduct her investigation."

In other words, if Homeland Security employees don't want to answer uncomfortable questions, they can simply shut up.

Another internal DHS document (PDF)--obtained by the Electronic Privacy Information Center--reveals the difficulties that Kelly has encountered when asking recalcitrant bureaucrats to disgorge potentially embarrassing information.

Kelly was looking into how the Transportation Security Administration was involved with the transfer of passenger data from JetBlue Airways to the Defense Department. She started asking questions. She was rebuffed.

"I had sent my first inquiry to TSA public affairs, my second to (the agency's risk assessment office), but information has not been forthcoming," Kelly said in e-mail to Carol DiBattiste, the transportation security agency's deputy administrator, in November 2003. "This is particularly disturbing...We're getting better information from outside than we have from our own folks at this time."

DiBattiste sounded like she was replying to a pesky reporter when she wrote back: "TSA Public Affairs has no information in response to your request."

How fitting, then, that DiBattiste landed a plum $500,000-a-year job last month with privacy-impaired company ChoicePoint. (Remember this figure the next time you hear about purportedly underpaid government bureaucrats.)

The Department of Homeland Security's privacy officer doesn't even have the clear ability to report abuses to Congress directly. Because the law is ambiguous, Kelly provided her last annual privacy report (PDF) to then-Secretary Tom Ridge for his office to review before it became public.

Another Homeland Security officer, an ombudsman tasked with resolving immigration-related complaints, is far more independent. Federal law says that the ombudsman's annual report "shall be provided directly to (Congress) without any prior comment or amendment from the Secretary, Deputy Secretary, Director of the Bureau of Citizenship and Immigration Services, or any other officer or employee of the department."

A modest proposal
So how can this be fixed? If Congress and the Bush administration actually wanted additional scrutiny of any Department of Homeland Security wrongdoing, here's how they could tweak the law:

• Grant the privacy officer the authority to require Homeland Security employees to produce documents and answer relevant questions. This is akin to the power that the security department's inspector general already has.

• Improve the independence of the privacy officer by appointing her for a specific term. Canada appoints its federal privacy commissioner for seven years.

• Extend the same privilege of reporting directly to Congress that the department's ombudsman enjoys.

A more radical approach would be to reward the privacy officer for blowing the whistle on official malfeasance. If Kelly or her successors expose privacy violations and the program were terminated, the offending departmental agency would see its budget shrink, while the privacy office's budget would increase proportionately. That would nicely align privacy protections with the bureaucratic urge to maximize budgets.

Michael Chertoff became the second Homeland Security secretary in February. After the JetBlue fiasco and other civil liberties missteps at his agency, Chertoff might find that giving some muscle to the privacy officer would be an easy way to restore confidence in it.