Thursday, 17 May 2007

Chertoff pledges to prosecute crimes against the Privacy Act

Thanks to the heroic efforts of EFF's Erik Josefsson and others in Brussels to obtain and upload gigabytes of video, I've been able to watch the entirety of USA Secretary of Homeland Security Michael Chertoff's testimony before the LIBE Committee of the European Parliament on Monday.

Chertoff's actual testimony was significantly different from what was described in the Europarl's official press release and in news reports.

He didn't actually say anything directly about private or commercial use of passenger name record (PNR) data, but only about data from the Automated Targeting System (ATS), as follows:

It would be against the law [in the U.S.] for ... private parties to be given the data in the ATS. If it were done willfully, it would result in someone going to jail. And if I ever find anybody smuggling that kind of information to a private entity, they will be punished, and I will do my level best to send them to jail.

Unlike what Chertoff was reported to have said, this isn't exactly a lie, and it remains to be seen whether it will be true. It is, however, misleading and largely irrelevant, since much of the information in the ATS -- including all the PNR data -- is obtained by the government from private entities (airlines and CRS's), which are allowed to retain and use it after passing it on to the government. So there is no need for anyone to "give" or "smuggle" this data to the private thrid parties to whom the government has already compelled travellers and others to "give" their personal information. Chertoff's comments would be relevant only if the government collected ATS and other PNR data directly from travellers, rather than forcing them to give this data to private travel companies subject to no data protection law.

The Privacy Act does have, as Chertoff told the European Parliament, criminal provisions. Mostly those relate to operating a system of records (records about U.S. citizens or residents) without proper notice. In practice, it's been almost unheard of for anyone to be prosecuted, much less to go to jail, for violation of these provisions.

The day after Chertoff's appearance before the European Parliament, auditors from the USA Government Accountability Office released a redacted version of a report concluding that Chertoff's own Department of Homeland Security had operated the ATS without the notice required by law . The original, unredacted version of the GAO report was given to the DHS in November 2006, so Chertoff's department has known about this for months. That means that the operation of ATS constituted a crime against the Privacy Act on the part of the responsible DHS officials.

In dealing with these criminals, will Chertoff keep his promise to European legislators?

I'll be watching closely to see if this "will result in someone going to jail", and to see Secretary Chertoff fulfill his public commitment to "do his level best to send ... to jail" those responsible for operating the ATS without giving data subjects the notice required by the Privacy Act.

[Follow-up: Video of the hearing and press conference in a more compact format is now available online, thanks to Erik Josefsson of EFF. For more on Chertoff's testimony that wasn't mentioned in the official report, see: Does the Chicago Convention authorize government demands for PNR's? No. ]

Link | Posted by Edward on Thursday, 17 May 2007, 22:11 (10:11 PM) | TrackBack (0)
Comments

The hearing and the press conference is now available in a somewhat smaller format:

//Erik

Posted by: Erik Josefsson, 19 May 2007, 16:55 ( 4:55 PM)
Post a comment









Save personal info as cookie?