X

The anxious new dawn of cybersnooping

Privacy expert Nancy Libin says Congress can't afford to ignore a loophole in federal privacy law.

4 min read
For years, government agencies have been exploiting a loophole in federal privacy law that allows them to buy personal data about American citizens from commercial data brokers, rather than collecting and storing that information themselves. A recent report by the Government Accountability Office illustrates how this loophole has undermined one of the key laws protecting Americans from government snooping.

In 2005, four government agencies--the Social Security Administration and the Justice, State and Homeland Security Departments--spent roughly $30 million in taxpayer money to buy personal information from data brokers. Although the Privacy Act of 1974 requires the government to abide by explicit privacy standards when it collects personal information from citizens and creates its own databases of personal information, the law--written before the rise of private data brokers--does not provide the same privacy protections when government agencies purchase personal data from private companies that collect, aggregate and sell personal information.

The laws governing how private companies collect and share Americans' personal data are dangerously outdated. Companies like ChoicePoint and LexisNexis are able to compile detailed dossiers about millions of Americans with few restrictions. This in itself constitutes a serious privacy concern, as Americans are asked to surrender ever-increasing amounts of personal data as a cost of doing business in the digital age.

Companies like ChoicePoint and LexisNexis are able to compile detailed dossiers about millions of Americans with few restrictions.

That concern is compounded exponentially when the government takes advantage of lax privacy standards to obtain information to which it may not otherwise have access. Congress must act to restore this essential bulwark of privacy protection, first by closing the Privacy Act loophole, and second by enacting broad consumer privacy legislation that limits how companies collect, store and share our personal data.

At the core of the Privacy Act is a set of internationally accepted principles called Fair Information Practices, which establish how the government may collect personal data and how agencies are permitted to use that data.

The Privacy Act established a delicate but appropriate balance, ensuring that the government would have access to the information it needed for law enforcement, counterterrorism and basic administrative responsibilities, while at the same time protecting the sensitive personal information of law-abiding Americans from broad, unfocused government dragnets.

That government agencies would simply begin purchasing the personal information they sought, and thus shirk the responsibility of abiding by the Fair Information Practices codified in the Privacy Act, was not something the drafters of the 1974 law could have foreseen.

Over the past 10 years, the amount of personal data collected, stored, shared and sold by private companies has skyrocketed thanks to the decreased cost of data storage, the rise of Internet communication and the emergence of large data brokerage companies.

That government agencies would simply begin purchasing the personal information they sought, and thus shirk the responsibility of abiding by the Fair Information Practices codified in the Privacy Act, was not something the drafters of the 1974 law could have foreseen.

Prior to the Sept. 11 terrorist attacks, a bipartisan coalition of lawmakers was close to passing legislation that would have required private companies to abide by Fair Information Practices.

Such legislation would not solve completely the problem of the government buying personal information from data brokers, since private companies would not be held to the same strict standards that apply to government agencies under the Privacy Act. But Congress could lessen the danger posed by that practice by requiring all entities that collect personal information to follow some baseline statutory obligations to handle that data with care, limit its further distribution and provide some transparency about their storage practices.

Last year, Microsoft and eBay joined a growing chorus of major technology companies that support the enactment of broad-based consumer privacy legislation. The revelations contained in the GAO report should provide yet another motivation for lawmakers to update our privacy protections to reflect the nature of our modern information society.

Crafting a measure that protects privacy without causing undue disruption to the information economy won't be easy, but for every moment Congress doesn't act, our insufficient consumer privacy standards put more citizens at risk.

More immediately, Congress is already considering a measure that would limit the ability of government agencies to buy personal information from data brokers. Last year in response to the highly publicized breaches at ChoicePoint and LexisNexis, Sens. Arlen Specter, R-Pa., and Patrick Leahy, D-Vt., crafted legislation that among other things would prevent the government from avoiding data privacy and security requirements in the Privacy Act by simply purchasing information collected by data brokers.

Data breach legislation is likely to move this year, and there is some danger that it could pass without the Specter-Leahy language that closes the Privacy Act loophole. If Congress is serious about protecting the privacy rights of Americans, it must at least take the simple common sense step of closing the loophole by approving the Specter-Leahy legislation.

Once the loophole is closed, Congress can turn to the challenging task of crafting consumer privacy protections appropriate for the digital age.