Citizens' Protection in Federal Databases Act Introduced

SewersOfRivendell writes "Quote from http://boingboing.net/: 'EFF, EPIC, CDT, ACLU and Free Congress have drafted a bill that's been introduced by Senator Wyden today, for a new law called "The Citizens' Protection in Federal Databases Act." This is a hell of a law. It finds that various species of spooks are making avid use of commercial and governmental databases, merging them and aggregating them, without transparency, accountability, or any real understanding of the danger to civil liberties involved in this practice. Accordingly, it requires any Fed agency using non-Fed databases to cut it out and make a full report to Congress on who they're buying database and database-services from, what they're doing to preserve privacy, why they're doing what they're doing, and whether they actually have a realistic chance of catching any bad guys. And it calls into account Feds who abuse their authority and limits the kind of doomsday hypotheticals that can be used to justify such abuse.' PDF draft of the bill here."

Better link ...?

[Arthaed]

I am looking at Senator Ron Wyden's website right now and I don't see anything mentioning this possible bill. Hmmmm. Does anyone have a link to a .gov version of this so called bill?

Accountability?

[Empiric]

The "accountability" thing is going to be quite a trick. This is the same government, after all, whose own GAO (General Accounting Office) concluded that government agency accounting is so bad, there's no way they can determine how much the government is actually spending--and that if this degree of lax accounting was taking place in a private corporation, the owners would face legal action.

Re:Accountability?

[beacher]

As their senior DBA, I have 4 words for you.

"I do not recall"

-B

Re:Accountability?

[nolife]

"Do Not Recall" pretty much sums up the last few years of business practice in the US.

There was a really good editorial on this in my local newspaper last week. This phrase seems to have replaced "pleading the 5th", and outright lying in court. It is funny how Enron, Worldcomm and a few other executives, working with outside specialists helped produced hundreds of shell companies and transferred money around for years to avoid stating loses and paying taxes but when confronted about specifics, they seemed to claim "I don't recall". Funny that they had no problem remembering to swap the funds around at tax time and earnings reporting time but suddenly it is all a blank. Maybe the CDC, AMA, or FDC should fund a study to see what happens to the memory of a perfectly functioning executive when they come under investigation. I wonder if any of these "DO NOT RECALL" statements were on thier resume when they applied for the $500 million jobs.

Likely responses...

• cut it out - "Ok, whatever you say."
  
• make a full report to Congress - "We ran MySQL. But we stopped, umkay?"
  
• what they're doing to preserve privacy - "We have self signed SSL certificates for our intranet."
  
• why they're doing what they're doing - "To protect and serve."
  
• whether they actually have a realistic chance of catching any bad guys - "Yep. Those bad guys never stood a chance...umkay?"

ACLU

[pizen]

Glad to know my ACLU membership dollars aren't going to waste.

Obviously..

[grub]

It's obvious that the EFF, EPIC, CDT, ACLU, Free Congress and Senator Wyden are terrorist sympathizers

A good start

[thomas.galvin]

This is a good start. Now, what can we do about all of the non-government entites that are doing the same thing?

Re:A good start

[SecGreen]

Buy stock in them, since if the government isn't allowed to collect and analyze the data, they will simply outsource the analysis to the private companies who aren't subject to the new law.

Bill Is Not Going to Happen

[Valence_99]

Spooks have to justify what they are doing? It will be a cold day in Hell before, unfortunately its still summertime

It'll be a hell of a law...

...when I can sue for damages.

Good.

[James+A.+A.+Joyce]

This will protect against one of the most effective, obvious and yet least legislated and obvious data harvesting technique of all: triangulation. Even though in general only certain data columns from detailed personal information databases is available, one can combine and merge the data from multiple such subsets of databases to reformulate the data in a coherent whole. For example:

There is a medical database, an edited down version of which is available, giving just gender, date of birth, a list of medical defects, and a list of medical injuries (with the remainder omitted for privacy). Then there is also the employment database of the company you work at, an edited version of which is available, giving name, gender, date of birth and phone number. If you were a manager at this company you could use the two databases together, using the "gender" and "date of birth" fields to merge the two. This data could then be used, say, leaked to insurance or marketing companies, or you could even use it yourself for other nefarious purposes.

Thus, it is possible to obtain a good deal of data even from just small portions if one uses a sufficiently large number of different databases. Someone did a study on this, but right now I can't find the link. I'll be greatful to anyone who replies to this comment with it. This Act can only be a good thing.

As much as I'd love to see this bill pass...

[7x7]

I think I'll start the official R.I.P. thread here. BushCo seems to hate the word privacy as much as the term Wind Power.

On the other hand, does this law apply to the private sector?

I already emailed my Rep. to support it. You should do the same.

Interesting law

[chrisgeleven]

Question is, how likely is it that it will pass or even come up for a vote?

Whoa, this is bad

[helix400]

Where I work, our job is to collect *public* information in government databases. We make it possible so people can research a property in just a minutes, rather than a few hours.

According to the ACLU, because I'm consolidating public information, I'm a national security threat. I should also be forced to submit to even more beaurocratic loopholes to get data that's already public, or be stopped from accessing to much public data to begin with. And I thought the ACLU was all about personal freedom and open governments

Re:Whoa, this is bad

[nomadic]

According to the ACLU, because I'm consolidating public information, I'm a national security threat. I should also be forced to submit to even more beaurocratic loopholes to get data that's already public, or be stopped from accessing to much public data to begin with. And I thought the ACLU was all about personal freedom and open governments

Good. You may be inconvenienced, but in the long run it's a lot more advantageous for us to gain some protection from overzealous spooks than it is for us to be able to research properties a little faster. Annoying for you, maybe, but just because the governmental agency you work for is benign, doesn't mean they all are.

What I want to see

[Dachannien]

I'd like to see some corporate accountability added into those sorts of databases. I want to be able to walk into the front door at Citibank and say, give me a printout on all the information you have on me.

Then I want to be able to read the printout, walk back up to the desk, and say, Okay, now delete it. All of it.

Re:What I want to see

[Torgo's+Pizza]

Yes, and while you're at it, also erase all those numbers that say that I owe you money for my Visa and Mastercard. Thank you Citibank!

Re:What I want to see

[Zathrus]

Fine. As long as you understand that they then have the right to say "Certainly sir. And how would you like to pay your outstanding mortgage balance of $235702.46?"

Or to give you whatever money of yours they have, or do whatever's necessary to sever all financial ties with you immediately.

You're not a customer? Then they're not going to have crap for information on you. They may send you solicitations, but that information is acquired from the credit bureau. You can tell Citibank to be put on their do not solicit list, and then your data will get flushed early in the process whenever it gets pulled from the bureaus. Yes, I've worked in this field, doing this exact thing. If you don't want your data to be sold by the bureaus, you can request that from the bureaus as well. There are three major ones (Equifax, Experian, Trans Union) and a few hundred thousand small ones (all of whom feed the big three).

You don't actually expect a company to do business with you if they're not allowed to keep records, right? Might I suggest you do some research into how godawful the banking industry was prior to the introduction of the credit bureaus? Think "Good Ole Boys Network" and you'll have a start on it... but it was considerably worse.

I'm not saying that some additional protections on consumer privacy shouldn't be in place (as a bare minimum everyone should be entitled to viewing their own credit report on demand, for no more than cost of mailing or free online). And I'm also not saying that the pendulum hasn't swung too far in the wrong direction (the law a couple years ago allowing companies unprecedented sharing of consumer information went way too far). But anyone who makes statements like that generally has no clue how the financial system, particularly the credit portion of it, actually works.

Re:What I want to see

[4of12]

It's amazing how much they can ask you to give up in the way of privacy these days.

If you want to rent a car, have a VISA card, you're going to have to part with as much privacy as they demand of you.

And if your employer wants you to pee in a cup, record your fingerprints in their database and undergo a complete physical to which they obtain all the information, then you have freedom of choice: tolerate the invasion of your privacy, or look for a new job. What a fine choice.

The founding fathers of the United States of America would have understood the need for privacy, even though it was less an issue in their day. If it were quick and easy for the colonial administration to find and squelch them as rapidly as it could be done today, be assured there would be no Declaration of Independence or U.S. Constitution.

The new bill sounds excellent to me, something that Americans could actually be proud of having on their books (rather than the knee-jerk abomination that is the Patriot Act).

Law and Order is great, too, but it shouldn't be Easy and Convenient for anyone to impose Law and Order.

Otherwise, the "Law" and the "Order" that is so effectively imposed might gradually become something different than what the labels say.

What's the limit for?

The Attorney General, the Secretary of Defense, the Secretary of Homeland Security, the Secretary of the Treasury, the Director of Central Intelligence, and the Director of the Federal Bureau of Investigation shall each prepare...

All of the other agencies, particularly the Department of Commerce and it's Bureau of the Census, utilize numerous public databases in the process of their daily work. Why not include reports from them too?

Re:What's the limit for?

[leerpm]

Because when the Bureau of the Census screws up the information in their database for an individual, it makes narry a blip in their aggregrate stats. When the FBI screws this up, you may have agents busting your door down for no legitimate reason other than the computer says you may have links to terrorism.

Thanks for the EFF and ACLU

[joelparker]

Please realize that the bill is VERY useful,
even it fails: the bill encourages dicussion.

ACLU and EFF members will learn more.
The media will write about it, and learn more.

And Congresspeople will read it,
or have their staffers research it,
and maybe learn something.

I thank the EFF and ACLU for this.
And I donate to both of them.

Cheers, Joel

tinfoil

[stupidsocialscientis]

does anyone know where i might purchase tinfoil in sheets wide enough to wrap my house? it only has to be wide enough for the walls, you see the roof is covered with solar collecters so that i am not supporting the evil-power-conspiracy.

Whoops, its only federal

[helix400]

My mistake, this bill only applies to the federal government, not for average private citizens like me.

However, because Slashdotters never like to admit total defeat, I'd like to pose the question. Do you think the the ACLU is still opposed to private citizens like me consolidating so many public government databases about individual people and properties?

Re:Whoops, its only federal

[Irvu]

My understanding is that the issue is not collation of public data so much as the abuse of private data. There a re many laws on the books that restrict the feds from collecting and sharing some types of information (medical records, purchase records, etc.) without some form of judicial oversight. The goal was to erect firewalls between say the IRS's and the FBI and to prevent the growth of TIA-like systems.

However, there are few if any restrictions on the private sector. This is why most of us receive so much junk mail. In recent years, the FBI and others have begun sidestepping their restrictions by turning to private companies to collect and aggregate data for them.

My understanding of this law is that they want to attack that very issue, government sidestepping the very necessary restraints that we have placed on it.

It's just a draft

[Motherfucking+Shit]

This probably won't be on any .gov sites yet as it hasn't been introduced... It's just a draft. If you check the PDF, the date of presentation is still blank.

I'd keep an eye on Thomas over the next week or so. Once it's been read on the floor, it'll wind up there.

Re:It's just a draft

[Frobnicator]

This probably won't be on any .gov sites yet as it hasn't been introduced

Who moderated that thing up to informative? It specifically says "introduced by Senator Wyden today" so of course it isn't on Thomas records yet -- it takes at least 1 day for that. The ACLU has Their announcement up though.

Found the links I needed.

[James+A.+A.+Joyce]

This article, while not specific to the topic I mentioned, did have a specific quote which describes exactly what I was trying to explain:

"Just by knowing the birth date and ZIP code of the governor of Massachusetts, Latanya Sweeney, a computer-privacy researcher at Carnegie Mellon University, was able to retrieve his health records from a supposedly anonymous database of state employee health-insurance claims. Sweeney also demonstrated that she could do the same for 69 percent of the 54,805 people on the voting list of Cambridge, Mass."

This is from another article, reprinted from Newsweek :

"...don't get complacent: anonymity is hard to achieve. Where once a company needed a name, address, phone number, or Social Security number to identify a person, database technology has made that unnecessary. "Eighty-seven percent of the population of the US can be uniquely identified [only] by their date of birth, gender, and five-digit zip code," says Latanya Sweeney, ALB '95 assistant professor of computer science and public policy at Carnegie Mellon University in Pittsburgh."

And finally, from Dr. Latanya Sweeney's CV itself:

"Recent work includes:

* Identifiability server -- a computational system that determines the identifiability of given data sets and/or of individuals in the United States based on either field descriptions of the data set or on actual data values. For example, combinations of values such as {date of birth, gender, 5-digit ZIP} combine to uniquely identify 87% of the population in the United States."

Good.

[softspokenrevolution]

Simply letting federal agencies run around and spy on people simply because they can doesn't seem to be the best idea for a country based on freedom and all of that jazz. Accountability is what keeps things from going bad to worse, look at dictatorships all over the planet, when people aren't held accountable for their actions they go to extremes. Americans or not, I don't fel very secure when someone can peer into any old asset of my life without asking my permission or without being checked in some fashion. I for one, feel more threatened by the current way the administration is going in regards to policy (foreign, fiscal, energy, environmental, copyright, and pretty everything else) than I do by any terrorist threat (then again, like 90% of americans I don't live in a threatened area, I likve in the 'burbs, well, the sort of burbs).

Damn!

[isotope23]

Too bad the pentagon cancelled their "terrorist prediction" market, cause I bet the likelyhood for assassination of "EFF, EPIC, CDT, And ACLU" members just went up!

You sure?

[Lord_Dweomer]

Its been introduced? I can just picture it now:

(Congress)

Random Congresscritter: And now Senator Wyden will be presenting a bill to.....o, excuse me, one moment please (whispers to man in black suit with mirror shades)....Well, it seems Senator Wyden is no longer with us. Moving on to the next piece of business.....

Database integration has a positive side too

[grandmaster_spunk]

Although I'm all for the protection of privacy, I also think it's important to point out that the integration of various government databases has a lot of potential positive effects as well. There are a lot of agencies out there maintaining separate (and redundant) databases that could be combined or used together to make government services easier to obtain. There is also a lot of potential money saved, in terms of government functions currently done manually that could be automated.

Certainly, it is prudent to keep prying eyes from using their power to intrude into our lives. But there is a balance to be struck as well, between protecting privacy and allowing government to make use of tools that I think many /.ers will agree are useful and productive.

Re:The thing you have to realize

[Kombat]

There is only one thing that secures my freedoms, rights and privacy: My .45

I find it highly ironic that you would cling to such a false sense of security, particularly considering your opening statement:

America of 2003 is a far far cry from America of 1776.

The Second Amendment (The right to bear arms one that you reference) was added during a time when the most sophisticated weapons the US military sported were little more than muskets with bayonnettes. The second amendment was intented to ensure that the citizenry was guaranteed access to the exact same firepower and weapons as the military, thus ensuring that should the government ever need to be overthrown, the citizens would win. Same weapons * more people = ensured victory.

However, over the years, the government has slowly castrated the second amendment, insidiously changing its interpretation to guarantee ownership of little more than peashooters, while reserving the real hardware for the "good guys" (i.e., the military). Nowadays, citizens are not allowed to own anywhere near the same firepower as the military.

In an all-out battle of every citizen against the entire military, the military would wipe their collective asses with your piddly little .45.

Combine this with the fact that for any kind of uprising to last more than a few hours, you'd require the support of a large percentage of the population, meaning you'd need to convince the masses that the government has crossed a line, and is finally corrupt enough to warrant violent resistance.

The people at Waco felt they were resisting tyranny. So did the people at Ruby Ridge. And the government crushed both of those "problems."

So in summary, I guess what I'm saying is, your .45 won't protect your "freedoms, rights, or privacy" if the government decides otherwise, even if the entire population were behind you. The second amendment has been gutted. Its present interpretation is nowhere near the spirit your forefathers intended.

But hey, if it gives you a warm, fuzzy false sense of security, then who am I to rain on your parade.

Jaded Cynicism

[Hamstaus]

I can't believe the crap I'm reading on this one, although I guess I shouldn't really be surprised. It seems that most Slashdot posters are grumpy, bitter and jaded. This bill is a really good thing, and yet the majority of the responses are "Pfff, like that'll happen". With the likes of you folks, it'll never happen. It seems you'd rather sit around and simply be negative about everything! You're simply part of the problem that you like to grump about. Get off your ass and write a quick email to your representative. Then go find a puppy or something to play with for god's sake, and quit being so damned negative.

Read the law, visit senate.gov, and make it a law.

[Frobnicator]

The law is tiny (1500 words, smaller than many /. articles) and is easy to understand.

If everyone on /. would just spend 2 minutes we could get this passed.

1. Click here to go to senate.gov.
2. Pick your state from the list.
3. Click on both of your senator's e-mail contact links, each link opens a new window.
4. Fill out your name and address in the form, then paste the following:

   Senator [ senator's name],
   I am a citizen of [your state] who is concerned about my rights. A bill was proposed today by Mr. Wyden with the short title "CITIZENS' PROTECTION IN FEDERAL DATABASES ACT".
   The bill is simple and easy to understand. It improves our security and will improve our ability to fight terrorism, which you have stated is your goal.
   I urge you to SUPPORT this bill.
   [your name]

Fill in the blanks, and get this passed! The statement about it improving security is true, and since it's the big thing in congress lately, they want to do everything to help that out.

frob

The workings of a police state

[Dalcius]

I think, in short, the biggest issue against things like the TIA is this:

The TIA was thought of as a means to search for patterns among public data on American citizens. This equates to the government (computer program or not) evaluating you and your habits for potential trends. It is, in effect, a way for the government to stake-out its citiziens.

Rights to privacy and due process state clearly: you are innocent until proven guilty, and you have a right to be left alone. What the TIA is doing is investigating every citizen regardless of their behavior.

A good analogy is putting up cameras in every public place. The place is public, and they're not targeting YOU specifically, so what's there to worry about, right?

For one, I want to live my life without knowing someone is looking over my shoulder unless they have a reason to look over my shoulder. Playing big-brother to all citizens is not where we want things to go.

Secondly, the argument "if you're not doing anything wrong, you have nothing to worry about" shows logical ineptitude. The first step in any police state is the ability to monitor citizens. The next step is to deem minority actions illegal (e.g. possessing communist doctorines [see McSurely v. McClellan, Supreme Court]).

When a single body controls both the laws and the force that enforces those laws, the only things they lack are the tools to find those breaking their laws.

History has shown that the public won't stop a government from enacting laws against minorities, especially if the law and/or enforcement of that law are vague, so instead of trust our government not to abuse their information gathering tools, I'd rather just not give them those tools.

If terrorists are on every street corner, either we should be having a lot more bombings (how hard is it to strap TNT to your chest and walk into a Burger King?), or the government has been doing a damn good job in the last decade without these tools.

If you folks want guarantees that terrorists can't do anything to us, enjoy living in a police state, I'll be buying a private island.

PS: To any trolls wanting to call me a liberal whiner who doesn't want my ID checked in an airport, I'll save you some time and humiliation. I typically agree with conservatives over liberals, I believe in airport ID checking and the like. Where do I draw the line? Going to an airport is not generally a regular experience for the vast majority of Americans and often involves international travel. Airports are a good place to scan, IMO. However, if I can be watched just by going through a normal week, I have issues.