Amid Government Data Gathering, Businesses Mull Their Options
A Justice Department proposal that ISPs retain records for two years is just the latest in a growing list of data collection initiatives by federal agencies.
With safety at issue, the airline industry understands the need to participate in government-mandated data sharing. But industry officials in the States and Europe are urging the U.S. government to better organize its efforts. Airlines don't want to be subject to both the TSA Secure Flight program and Customs and Border Protection's Advanced Passenger Information program, which requires that passenger information be communicated to the government within 15 minutes of a flight's departure to the United States.
"Both should be designed to function through coordinated information feeds and avoid unnecessary duplication of communications, programming, and information requirements," James May, CEO of the Air Transport Association, and Ulrich Schulte-Strathaus, secretary general of the Association of European Airlines, wrote in an October letter to Homeland Security Secretary Michael Chertoff. May and Schulte-Strathaus requested that Secure Flight and Advanced Passenger Information supersede the government's no-fly lists and that the amount of redundant data required from the airlines be reduced.
Financial services companies are likewise no strangers to handing data to the government, and the hunt for terrorist financing has only added to the burden. Suspicious Activity Report filings to the Treasury Department's Financial Crimes Enforcement Network have increased every year since they were first required in 1996, with 919,000 such reports sent last year alone.
Banks have expressed anxiety over Suspicious Activity Reports, especially in light of the Patriot Act, which punishes noncompliant companies with fines of up to $1 million a day or, in the extreme, by taking away bank charters. "It's definitely changed the compliance environment for banks since 9/11," says Kelly Etherington, corporate compliance manager for Zions Bancorp, which operates more than 450 branches and offices. Like other banks, Zions has always reported suspicious activity, but it finds law enforcement requests are up in the last few years.
Suspicious Activity Reports "create a very significant burden" on financial services companies without any clear benefits to them, says John Carlson, a director with BITS, a consortium of the 100 largest U.S. financial services companies. Given the industry's heavy regulations and what Carlson calls its culture of protecting customer privacy, he says financial services companies generally wouldn't provide data to a government agency unless required to by law or a court-issued document.
What might government agencies do with all the business and Internet data they're collecting? Some skeptics worry about a single massive database where all kinds of information gets crunched together, providing a complete picture of Joe Citizen. That seems a remote possibility, though researchers at the Defense Advanced Research Projects Agency did work on a system several years ago that would have mined data in that way to identify terrorists. That program, dubbed Total Information Awareness, was scrapped more than two years ago under public pressure.
A different but related concern is that data collected for one purpose could get used for another. USA Today last week reported that the FBI plans to use its database of DNA evidence, collected from convicted criminals and some others upon arrest, to help identify thousands of dead people whose identities aren't known.
There's also the concern that once the feds gets their hands on data, they can't be trusted to secure it. Look no further than last month's news of a stolen laptop and external hard drive containing data on 26.5 million military veterans and family members. The Veterans Affairs Department has been fingered for its lack of security before, but it's not the only agency with low marks. Security becomes even more of an issue as more data accumulates and gets retained longer.
Encryption is one solution, but encrypted data can't be searched easily and is thus less useful to the government. Nothing, it seems, about data sharing between businesses and government is destined to be easy.
--With Thomas Claburn, J. Nicholas Hoover, and Rick Whiting
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.