"Both should be designed to function through coordinated information feeds and avoid unnecessary duplication of communications, programming, and information requirements," James May, CEO of the Air Transport Association, and Ulrich Schulte-Strathaus, secretary general of the Association of European Airlines, wrote in an October letter to Homeland Security Secretary Michael Chertoff. May and Schulte-Strathaus requested that Secure Flight and Advanced Passenger Information supersede the government's no-fly lists and that the amount of redundant data required from the airlines be reduced.
Financial services companies are likewise no strangers to handing data to the government, and the hunt for terrorist financing has only added to the burden. Suspicious Activity Report filings to the Treasury Department's Financial Crimes Enforcement Network have increased every year since they were first required in 1996, with 919,000 such reports sent last year alone.
Banks have expressed anxiety over Suspicious Activity Reports, especially in light of the Patriot Act, which punishes noncompliant companies with fines of up to $1 million a day or, in the extreme, by taking away bank charters. "It's definitely changed the compliance environment for banks since 9/11," says Kelly Etherington, corporate compliance manager for Zions Bancorp, which operates more than 450 branches and offices. Like other banks, Zions has always reported suspicious activity, but it finds law enforcement requests are up in the last few years.
Suspicious Activity Reports "create a very significant burden" on financial services companies without any clear benefits to them, says John Carlson, a director with BITS, a consortium of the 100 largest U.S. financial services companies. Given the industry's heavy regulations and what Carlson calls its culture of protecting customer privacy, he says financial services companies generally wouldn't provide data to a government agency unless required to by law or a court-issued document.
What might government agencies do with all the business and Internet data they're collecting? Some skeptics worry about a single massive database where all kinds of information gets crunched together, providing a complete picture of Joe Citizen. That seems a remote possibility, though researchers at the Defense Advanced Research Projects Agency did work on a system several years ago that would have mined data in that way to identify terrorists. That program, dubbed Total Information Awareness, was scrapped more than two years ago under public pressure.
A different but related concern is that data collected for one purpose could get used for another. USA Today last week reported that the FBI plans to use its database of DNA evidence, collected from convicted criminals and some others upon arrest, to help identify thousands of dead people whose identities aren't known.
There's also the concern that once the feds gets their hands on data, they can't be trusted to secure it. Look no further than last month's news of a stolen laptop and external hard drive containing data on 26.5 million military veterans and family members. The Veterans Affairs Department has been fingered for its lack of security before, but it's not the only agency with low marks. Security becomes even more of an issue as more data accumulates and gets retained longer.
Encryption is one solution, but encrypted data can't be searched easily and is thus less useful to the government. Nothing, it seems, about data sharing between businesses and government is destined to be easy.
--With Thomas Claburn, J. Nicholas Hoover, and Rick Whiting
Illegal EU Data-Sharing Deal With The U.S. Shows Transparency Not Always Enough
and IBM Has The Tools For Digging Deeper Into Data