Amid Government Data Gathering, Businesses Mull Their Options
A Justice Department proposal that ISPs retain records for two years is just the latest in a growing list of data collection initiatives by federal agencies.
To protect the public from terrorism and other hazards, the U.S. government mines its vast databases for signs of trouble. Increasingly, the feds are requesting--even demanding--that businesses share their data, too. But such cooperation isn't cheap or easy, and several industries are pushing back to protect their customers' privacy.
Not long after forcing Internet companies to submit search terms, search result URLs, and other information as part of its enforcement of the Child Online Protection Act, the Justice Department is going a step further. Attorney General Alberto Gonzales is now asking the likes of Google, AOL, and Verizon to keep subscriber information and other customer data for at least two years, just in case the government needs it for criminal investigations. Currently, Internet companies are under no obligation to save that data at all.
Attorney General Gonzales wants Internet companies to keep customer data--just in case
Photo by Joshua Roberts/Reuters
People want the government to have the data needed to fight crime and terrorism; it's the potential misuse of personally identifiable data--names, addresses, Social Security numbers, Web search histories--that is deeply worrisome.
Just last week, the European Court of Justice ruled that an airline passenger data-sharing agreement between the European Commission and the Department of Homeland Security's Customs and Border Protection division violates European privacy law. The arrangement was crafted in 2004 to keep out terrorists. The two sides have four months to rethink the terms of how data gets shared, at the risk of disrupting trans-Atlantic travel if they don't (see story, "Illegal EU Data-Sharing Deal With The U.S. Shows Transparency Not Always Enough").
These are only the latest examples of federal harvesting of company data. The National Security Agency is reportedly building a massive database of phone call records provided by AT&T and other telecom companies. Trucking companies share electronic manifests as their rigs cross into the United States, an information exchange that will become mandatory later this year. Financial firms report suspicious transactions. Subpoenas are used to get data from individual companies.
The feds have been mostly successful in getting businesses to cooperate. Following the 9/11 terrorist attacks, the government looked to transportation companies, especially airlines, to hand over information that can be used to match passengers and transportation workers with names on terrorist watch lists. However, while they initially complied with Homeland Security projects such as the Computer Assisted Passenger Pre-Screening System and Secure Flight, some airlines have said they're uneasy with the government's ability to safeguard their data from loss or misuse.
Privacy advocates worry about the volume of data being collected (millions of records and many terabytes of data), the length of time it's stored, and the level of detail. Under the existing agreement, participating European airlines provide Customs and Border Protection with up to 34 bits of information on each passenger, ranging from name and method of payment to meal requests. Homeland Security can keep the data up to 3-1/2 years. Those terms are now subject to renegotiation before the Sept. 30 deadline set by the EC court.
Yet even as one data-sharing arrangement comes under scrutiny, another arises. The U.S. Centers for Disease Control and Prevention has requested that international airlines store passenger emergency contact information for six months in the event of a bird flu outbreak. "This requires still more manpower and more costs," says David Henderson, manager of information for the Association of European Airlines.
Government requests for data come in the form of a subpoena or a "national security letter." A subpoena must be approved by a judge and can be fought in court if it's too vague or burdensome to a business, as Google did earlier this year. A national security letter is a special type of subpoena issued by the FBI without the need for a judge's signature, entitling the FBI to bank, insurance, phone, ISP, and credit report records (but not medical records). Unlike a subpoena, a company receiving a national security letter cannot discuss the fact that it has received one.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.