U.S. SENATOR PATRICK LEAHY
CONTACT: Office of Senator Leahy, 202-224-4242
The Honorable John Ashcroft
United States Department of Justice
Main Justice Building, Room 5137
950 Pennsylvania Avenue, N.W.
Washington, D.C. 20530
Dear Attorney General Ashcroft:
I am writing to inquire about the current "data mining" operations, practices and policies at the Department of Justice. Improved access to and the sharing of information among intelligence and law enforcement agencies at the federal, state and local levels is crucial in promoting our national security interests. These national security interests are most effectively and efficiently served, however, when the information being collected and shared is relevant, reliable, timely and accurate. As one recent expert report observed, “Data mining, like any other government data analysis, should occur where there is a focused and demonstrable need to know, balanced against the dangers to civil liberties. It should be purposeful and responsible.” (Protecting America’s Freedom in the Information Age, A Report of the Markle Foundation Task Force, October, 2002, p. 27.)
Adequate oversight by the Congress, and especially by the appropriate committees of jurisdiction, is essential in helping to ensure that adequate standards are set and met, so that these activities can be both effective and respectful of the constitutional rights of the American people. Accordingly, I am interested in learning the extent to which the Department is relying on data mining to deal with the terrorism threat or other criminal activity, and how this technology is being used.
I raise this inquiry against the backdrop of public concern over the Total Information Awareness System (TIA) being developed under the supervision of Admiral Poindexter within the Defense Advanced Research Project Agency (DARPA). TIA is intended, according to Department of Defense officials, to generate tools for monitoring the daily personal transactions by Americans and others, including tracking the use of passports, driver’s licenses, credit cards, airline tickets, and rental cars. The Administration’s goal is to turn these tools over to law enforcement agencies. According to press reports, one such tool, a software program called “Genoa,” has already been delivered by DARPA to the Department of Justice.
Advances in the technological capability to search, track or “mine” commercial and government databases and Americans’ consumer transactions have provided powerful tools that have dramatically changed the ways that companies market their products and services. Collection and use by government law enforcement agencies of such commercial transactional data on law-abiding Americans poses unique issues and concerns, however. These concerns include the specter of excessive government surveillance that may intrude on important privacy interests and chill the exercise of First Amendment-protected speech and associational rights.
Moreover, as Federal law enforcement agencies obtain public source and proprietary data for mining, the sheer volume of information may make updating the data and checks for reliability and accuracy difficult, if not impossible. Reliance on data mining by law enforcement agencies may produce an increase in false leads and law enforcement mistakes. While the former is a waste of resources, the latter may result in mistaken arrests or surveillance. Such mistakes do occur, even without data-mining.[1] In short, while the only ill effect of business reliance on outdated or incorrect information may be misdirected marketing efforts, data mining mistakes made by a law enforcement agency may result in misdirection or misallocation of limited government resources and devastating consequences for mistakenly targeted Americans.
I am interested in determining the extent to which the Justice Department is relying on data-mining and how the Department is addressing these concerns with appropriate safeguards on the collection, use and dissemination of information obtained through data mining. Specifically, I ask for and would appreciate your responses to the following questions.
1. Data-Mining Operations Underway Within the Department of Justice.
(A) Please identify any private sector or proprietary databases obtained or being used by the Department of Justice for data-mining or pattern-recognition activities.
(B) Have any private sector or proprietary databases referred to in (A) above been aggregated by the Department with any data from government agency databases for data-mining or pattern-recognition activities?
(C) Is the Department using any data-mining tools to obtain information for law enforcement purposes unrelated to the detection and prosecution of terrorism?
(D) To the extent that the Department is using proprietary data provided by private intermediaries, (i) what procedures are you using to preserve the confidentiality policies of these intermediaries? (ii) Is the Department compensating the private intermediaries for assisting in the data mining? (iii) Has the Department taken any steps to shield the private intermediaries from liability for their cooperation with the government?
(E) What procedures, if any, does the Department follow to ensure the accuracy and reliability of information currently collected and stored in databases used for data-mining?
(F) By contrast to the use of private sector or proprietary databases, in the search for proper data mining tools, to what extent is the Department of Justice developing new tools and to what extent is it making use of existing tools developed in the private sector or used by other government agencies (such as search engines and data mining software)? What are the pros and cons of these differing approaches?
2. Foreign Terrorist Tracking Task Force. On October 29, 2001, the President directed the Department to establish the Foreign Terrorist Tracking Task Force (FTTTF) to “ensure that, to the maximum extent permitted by law, Federal agencies coordinate programs to . . . 1) deny entry into the United States of aliens associated with, suspected of being engaged in, or supporting terrorist activity; and 2) locate, detain, prosecute, or deport any such aliens already present in the United States.” Your April 11, 2002, order establishing the FTTTF would do more than ensure that agencies “coordinate programs” and requires the FTTTF to have “electronic access to large sets of data, including the most sensitive material from law enforcement and intelligence sources.” In response to my request for more detailed description of the mission and activities of the FTTTF, you stated in response to written questions that:
“The FTTTF has identified a number of specific projects which it can coordinate or run to fill gaps in existing government efforts relating to prevention of terrorist activities. For example, the FTTTF is pursuing projects to: 1) create a unified, cohesive lookout list; 2) identify foreign terrorists and their supporters who have entered or seek to enter the U.S. or its territories; and 3) detect such factors as violations of criminal or immigration law which would permit exclusion, detention or deportation of such individuals. In addition, the FTTTF is in the process of identifying other intelligence-related projects that it can support through its collaborative capability to co-locate data from multiple agency sources.”
(A) Redundancy within government programs can be both expensive and ineffective. The “projects” of the FTTTF appear to overlap other initiatives underway within the Department. For example, the FBI has an Information Sharing Task Force and participates in 47 Joint Terrorism Task Forces (JTTF) to unify all levels and branches of law enforcement in preventing and investigating terrorist activity and helps coordinate the JTTF in Regional Terrorism Task Forces (RTTF). Director Mueller has also created a permanent Terrorism Watch List, a new Office of Intelligence, a new Integrated Intelligence Information Application (IIIA) database, and new hiring and recruiting initiatives. Please explain how the Department’s FTTTF “lookout list” differs in substance and use from the FBI’s Terrorism Watch List and how the FTTTF’s “other intelligence-related projects” will differ from the functions of the FBI’s JTTF, and IIIA database, and new Office of Intelligence.
(B) The FBI’s new Office of Intelligence is intended to provide strategic analysis and gather information from current and past cases and other agencies, to look for patterns and analyze risks, and to meet the needs of other organizations responsible for homeland security. The separate FTTTF supervised by the Deputy Attorney General is required, with a budget of over $20 million, to conduct its own intelligence analysis projects and create and maintain its own databases and lookout list. Since Director Mueller routinely briefs the President with the CIA Director on terrorist threats, please explain why you decided to place the FTTTF in the Deputy Attorney General's office rather than within the FBI as part of its new Office of Intelligence?[2]
(C) The FBI has traditionally performed the critical intelligence-gathering mission under the supervision of a Director appointed for a ten-year term in a structure designed, in part, to insulate the exercise of Bureau powers from political considerations, and pursuant to formal guidelines and Congressional oversight. Are the investigative restrictions applicable to FBI agents also applicable to employees conducting data mining and operating the FTTTF under the guidance of the Deputy Attorney General?
(D) What information is necessary to trigger a data-mining inquiry on a particular individual or targeted activity to ensure that this technique is only being used for purposes relevant to detecting, preventing or punishing terrorism or other criminal activity?
3. Admiral Poindexter’s Total Information Awareness Project (TIA). According to the Department of Defense, the Defense Advanced Research Project Agency (DARPA) has established the Total Information Awareness (TIA) Project to develop technologies for rapid language translation, commercial transaction data mining, and interagency analysis and decision-making tools.
(A) To what extent are you and the Department of Justice consulting or collaborating with Admiral Poindexter or the Department of Defense in designing and implementing TIA surveillance tools and related programs?
(B) Have any TIA generated or developed technologies been delivered to the Department of Justice and, if so, (i) are any being used? (ii) describe the purposes for which they are being used; and (iii) are any of the tools for data mining and pattern recognition?
(C) TIA has programs called Genoa I and II. Has this program been delivered in whole or in part to the Department of Justice and, if so, (i) is it being used? (ii) Describe the purposes for which it is being used; and (iii) is this a tool for data mining or pattern recognition?
(D) TIA has a program called EELD (Evidence Extraction and Link Discovery). Has this program been delivered in whole or in part to the Department of Justice and, if so, (i) is it being used? (ii) Describe the purposes for which it is being used; and (iii) is this a tool for data mining or pattern recognition?
(E) TIA has a program called Genisys. Has this program been delivered in whole or in part to the Department of Justice and, if so, (i) is it being used? (ii) Describe the purposes for which it is being used; and (iii) is this a tool for data mining or pattern recognition?
(F) TIA has a program called TIDES (Translingual Information Detection, Extraction and Summarization). Has this program been delivered in whole or in part to the Department of Justice and, if so, (i) is it being used? (ii) Describe the purposes for which it is being used; and (iii) is this a tool for data mining or pattern recognition?
(G) Is the FTTTF coordinating its work in any way with the TIA?
(H) What safeguards, if any, do you believe should be included in any data mining tools developed by TIA to ensure the accuracy and reliability of the information collected and stored in databases? Have you recommended such safeguards to the Department of Defense?
4. Compliance With The Privacy Act
(A) Does the Privacy Act impose any restriction on data-mining activities by the Department and, if so, what are those restrictions?
(B) Does the Department employ any outside contractors to perform data mining services and, if so, how does the Privacy Act apply, if at all, to the out-sourcing of data mining activities?
(C) The Privacy Act, 5 U.S.C. §552a(e)(4), requires agencies to "publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records." Have you promulgated any regulations regarding the FTTTF?
(D) The Privacy Act, 5 U.S.C. §552a(e)(4)(E), requires publication of the policies and practices of the agency regarding storage, retrievability, access, controls, retention and disposal of the records. Have you published such policies and practices regarding the FTTTF?
(E) Generally, the Privacy Act prohibits governmental agencies from disclosing records to another agency, unless it falls under the "routine use" exception. 5 U.S.C. §552a(b)(3). Does the Department rely on this “routine use” exception to obtain databases from other agencies for aggregation in the FTTTF and other databases within the Department?
(F) The Privacy Act, 5 U.S.C. §552a(e)(4)(D), requires Federal Register publication of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” If the answer to (E) above is affirmative, has the Department published any Federal Register notice required by the Privacy Act? If so, please provide a copy of any such notice and, if not, please explain why.
(G) The Privacy Act imposes restrictions on “matching” programs conducted by the government or the private sector on behalf of the government, unless the matching is conducted “subsequent to the initiation of a specific criminal or civil law enforcement investigation” or “for foreign counterintelligence purposes.” How does the Department ensure that the FTTTF and other Department databases comprised of aggregated data from other agencies are operated within these restrictions?
(H) Does the Department believe that any amendments to the Privacy Act would be helpful to facilitate data mining by the Department and, if so, does the Department intend to transmit to the Congress any amendments to the Privacy Act to clarify the legality of data-mining by Federal agencies?
5. Coordination With the Department of Homeland Security.
(A) The Homeland Security Act expressly authorizes the new department to request, access, receive, analyze and integrate information from government agencies and private sector entities, and to establish and utilize “a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to assess, receive and analyze data and information. . . .” [P.L. 107-296, Sections 201(d)(1), (13), (14)]. Does the Department of Justice have any such express statutory authority to conduct data mining? If so, please describe that authority.
(B) Do you anticipate the Department of Justice’s data mining operations being transferred to the new Department of Homeland Security? If not, please explain why.
(C) Do you believe it is valuable to have a coordinated data mining effort with one agency clearly held accountable for setting guidelines of data uniformity and reliability and, if so, which agency do you believe should take this primary position in order to avoid duplication of effort?
I appreciate your attention to this important matter.
[1] A recently declassified FBI memorandum, dated April 14, 2000, makes this point with startling details about incidents of mistaken surveillance activity, including a Foreign Intelligence Surveillance Act (FISA) order being improperly implemented with unauthorized videotaping of a meeting; wiretapping a cellular telephone that had been dropped by the target and assigned to an innocent user, who “was therefore the target of unauthorized electronic surveillance for a substantial period of time;” unauthorized monitoring of an e-mail account; and “unauthorized searches, incorrect addresses, incorrect interpretation of a FISA order and overruns of ELSUR [electronic surveillance].”