Data Dilemma – Privacy in an Age of Security
Revealing Terror
By Dalia Naamani-Goldman, August 24, 2006
WASHINGTON – The Internal Revenue Service’s law enforcement arm is using a data mining program that digs through tax returns and financial transactions of millions of Americans, using the extensive records to assemble dossiers on individuals in search of terrorist activity.
Reveal System allows the IRS’ Criminal Investigation unit to use at least 16 IRS and Treasury Department databases in concert with counterterrorism information and other records from corporate aggregators ChoicePoint Inc. and LexisNexis Group. The system also allows room for users to add more databases.
Using the system, the criminal investigation can search all of the data quickly, sifting through account numbers and balances and analyzing financial transactions over time. It matches the records with individual, corporate and charity tax filings. Post-Sept. 11 changes to confidentiality protections built into the IRS code over 30 years make it easier for the Criminal Investigation unit to share information about terrorist investigations with other agencies.
General auditing by IRS revenue agents, a civil procedure, is intended to determine if individuals are entitled to take the deductions they claim. Criminal Investigation, which examines whether individuals have willfully made an effort to hide income, looks even closer for criminal and terrorist activity and can result in criminal prosecution if the case is forwarded to the Justice Department. Criminal investigators have both accounting and law enforcement training.
In a May 2004 report compiled by the Government Accountability Office that was not made public, the agency said it used Reveal for counterterrorism investigations. Among the first places it was used was the Garden City Counterterrorism Lead Development Center in New York. The E-Government Act of 2002 requires agencies to show how electronic data collection works and how it impacts individuals’ privacy. Reveal’s current privacy impact assessment does not describe its role in tracking terrorist suspects. A 2005 GAO report criticized the IRS for this omission.
An inaccurate privacy assessment that does not tell taxpayers how their information is used could lead to abuse, said Marc Rotenburg, executive director of the Washington-based Electronic Privacy Information Center. Departing from privacy laws deprives taxpayers of the full protection once available, Rotenburg said.
“At some level that’s probably going to make it more difficult to ensure…oversight in making sure the IRS is doing what it claims to be doing,’’ Rotenburg said.
Terrorism exemptions inserted into the IRS code in 2002 allow the Treasury Department to disclose some taxpayer information to law enforcement agencies engaged in investigations and responses. The law also allows the Treasury Department to pass information to intelligence agencies if a written request is received. Termination clauses for the exemptions written into the code have been renewed every year since 2002.
About a month after 9/11, the Right to Financial Privacy Act of 1978 was amended to permit the disclosure of financial banking information to any intelligence or counter-intelligence agency investigating international terrorism. The IRS has had unfettered access to this information for years. It also maintains the government’s Currency and Banking Retrieval System, the online database that tracks large or suspicious transactions as determined by the Bank Secrecy Act.
The IRS maintains extensive financial information about millions of American taxpayers. So do private data aggregators, which comb public records to compile databases of home purchases, credit histories and former employment. The IRS is spending about $43.3 million in contracts through 2010 with ChoicePoint for credit reporting services, according to federal records.
Criminal investigators who have access to Reveal also have access to ChoicePoint and can verify leads, said Kevin Hohn, Reveal’s former project manager who retired from the IRS in June 2005. They also are able to include more databases that can be searched by Reveal, though most users don’t know how, Hohn said.
Reveal searches through databases of individual and corporate tax returns, and the records of financial institutions, accountants, charities, banks and casinos, all of which are required to file reports with the Treasury and the IRS.
With so much aggregated data, the IRS can see connections and patterns, something the agency misses when it’s only focused on individuals.
“It refines the way they’re able to view and identify people,” said Jesus Mena, a consultant to the Department of Homeland Security’s Office of Inspector General and former employee in the IRS’ research department. “There’s red flags that data mining can discover. It’s a process that makes you more efficient, more effective.”
David Perry, the supervisory special agent of the Garden City lead development center supervises 20 analysts who regularly use Reveal as part of their investigative tools.
“Reveal is kind of like a Google or Yahoo,” Perry said. “[It's] a search engine that sits on top of the databases.”
“Reveal is more of a pointer for us,” Perry said. “It let’s us know how complicated the case is going to be.”
Reveal, which cost $6.5 million to install and requires $600,000 in annual maintenance, can take a suspicious pattern of behavior and lead investigators to all individuals who fit it by allowing searches based on specific criteria. It also can search for a particular person. Most queries at the counterterrorism lead development center are reactive and come from field agents, Perry said.
Using programs called VisuaLinks and the Digital Information Gateway, Reveal can detect and visually depict connections buried in mountains of tax documents, linking employees with employers and charities with donors, by cutting and grouping data using defined models. It uses large quantities of data and finds common patterns among databases, organizing it in a diagram that shows links established among individuals, addresses, Social Security numbers, and other personal and financial information.
While Reveal has helped criminal investigators become more efficient, it’s difficult to say whether it has been effective in counterterrorism and catching tax cheats, Reid said. Though the program has audit trails used to deter casual browsing, there is no way to discover whether Reveal was used in a particular case, she said. But overall Criminal Investigation case numbers were up 9 percent in 2005 to about 4,300, which may be attributed in part to Reveal, Reid said. Hohn, Reveal’s project manager, surmised that it was most often used in money laundering cases.
Although one of Reveal’s first tests was in counterterrorism, Criminal Investigation now uses it in investigations of money laundering, tax fraud and criminal activity. One way criminal investigators use it is to generate terrorist leads by examining charitable giving, said Patty Reid, a Criminal Investigation spokeswoman.
“What we’re finding in our work is the majority of counterterrorism mostly has to do with charitable organizations that have been established in the United States that are sending money back to countries that support terrorism,” Reid said. “We have actually found and prosecuted some cases where charities have been misused for terrorism purposes.”
Reveal has access to 990 forms, which are returns for tax-exempt organizations. Some attachments include lists of major donors. But today when the IRS is investigating a charity it suspects of aiding terrorist groups, those lists of donors can provide helpful information.
These investigations have caused some discomfort in the Muslim-American community. Individuals are aware that their charitable giving is being monitored and that has had lingering effects on their willingness to donate, said Arsalan Iftikhar, legal director of the Council on American-Islamic Relations.
“It had a severely chilling effect on American Muslims’ First Amendment right to free association,” Iftikhar said. “And it’s something that obviously American Muslims became very reticent about in terms of the ability to give money to charities, which is a central part of Islam and the lives of most Muslims.”
Since Sept. 11, five Muslim-American charities have been shut down and their assets frozen, according to a February 2006 report by OMB Watch, a Washington-based government watchdog group. While some people associated with the organizations have been convicted, the organizations have not been charged, according to the report.
Reveal’s capabilities improve Criminal Investigation’s ability to participate in Joint Terrorism Task Forces, according to Reid. These 35 nationwide task forces bring together in one office individuals from different agencies such as the FBI and the CIA to coordinate efforts. Criminal Investigation plays an active role on these task forces and frequently assists in investigations.
About 100 of CI’s 2,800 special agents mainly working in lead development centers have access to Reveal, Reid said. Each user has received training and has specific access privileges, Reid added.
Information flows both ways on the task forces, according to Reid. Agents working on the task forces pass information to Criminal Investigation that is later incorporated into Reveal, creating a more complete profile of individuals, Reid said. Under certain circumstances the IRS can provide information to the task forces as well, she added. While the IRS can search for profiles, task force members can only query by name, Social Security number or address, Reid said.
Combining so many diverse sources of information and using them in ways that have little to do with tax collection while failing to inform citizens that the information is being used in new ways is concerning, said Harper of Cato.
“The starting use of this kind of thing is going to be for terrorism, and we’re all going to be in favor of fighting the terrorists,” Harper said. “The finishing point of this is going to be for catching `deadbeat’ dads and enforcing student loans, unpaid parking tickets. It’s basically the beginning of comprehensive financial surveillance.”
Social Security Data a Major Source in Terrorism Probes
By Carlos Roig, November 9, 2006
Special to The Washington Post
Friday, November 10, 2006
Sohaib Bin Lateef left Pakistan for the United States more than 25 years ago and fulfilled his dreams with a suburban home, a family and a string of gas stations and convenience stores in St. Louis. But along the way, he says, he took some bad advice and obtained a Social Security number under a false name.
Now Bin Lateef, 47, faces deportation and stands to lose everything, even though he insists he has no ties to terrorists. The Justice Department lists his case as terrorism-related.
Since the Sept. 11, 2001, attacks, the Social Security Administration’s vast databases of personal information have become a resource for federal investigators, who have asked the agency to check tens of thousands of records for number misuse and identity fraud — potential precursors to terrorist activity. Bin Lateef is one of hundreds of people convicted as a result.
The Social Security Administration is “literally the Fort Knox of identity information in the United States,” said James Huse, the agency’s inspector general from 1998 to 2004. “That’s a pretty impressive investigative tool that no other agency possesses.”
From just after Sept. 11 through 2005, Social Security officials sent prosecutors 456 referrals that were classified as terrorism-related, according to statistics compiled by Syracuse University’s Transactional Records Access Clearinghouse. The review shows that 91 percent of those referrals led to prosecutions.
Only the departments of Justice and Homeland Security have referred more terrorism-related cases for prosecution, according to the Syracuse records, which are based on data compiled by the Justice Department’s Executive Office for United States Attorneys.
Still, few if any suspects in Social Security cases are ever linked publicly to alleged terrorist activity. Most cases referred to prosecutors in the months after Sept. 11 involved document fraud by Latino immigrants working at airports.
Previous studies by the Syracuse center found that thousands of cases have been referred by all agencies for prosecution under the labels of “international terrorism” or “antiterrorism.” However, senior Justice officials instead usually cite the criminal division’s much smaller list of terrorism-related cases, which as of June included 441 defendants and 261 convictions. Most on that smaller list were charged with crimes unrelated to terrorism, an earlier Washington Post analysis found.
Prosecutors generally will not discuss individual cases. Law enforcement officials have said that even if they have evidence of terrorist activity, it does not need to be made public if suspects can be arrested or deported on lesser charges, such as document fraud or immigration violations.
“Prosecution of terrorism-related targets on these types of charges is often an effective method — and sometimes the only available method — of deterring and disrupting potential terrorist planning and support activities without compromising national security information,” Deputy Attorney General Paul J. McNulty wrote in a Justice Department white paper in June.
The federal law prohibiting misuse of Social Security numbers is “a very easy statute from a prosecution standpoint,” said Jonathan Lasher, deputy chief counsel to the Social Security Administration’s inspector general. “We don’t have to prove a lot in the way of motive or intent. If you represent a number to be yours that isn’t yours, you’ve essentially met the burden.”
Tapping the Data
After the 2001 attacks, authorities tapped the two main Social Security databases for information on suspected terrorists. “We were given taskings and requests, and we were responding to them as best we could in the wake of this national tragedy,” said Richard A. Rohde, the Social Security Administration’s assistant inspector general for investigations.
One database lists basic application information from people seeking Social Security numbers. The other contains wage and earnings histories compiled by the agency that are used to determine Social Security benefits.
The Internal Revenue code normally prohibits Social Security from releasing information in the wage and earnings database, even to law enforcement agencies. But IRS and Social Security officials are permitted to waive that rule in “life-threatening situations.” A 30-day waiver was granted immediately after the Sept. 11 attacks and was extended four times by the IRS through early 2002, Lasher said.
Huse said he asked Congress several times unsuccessfully for permanent authority to release information in the wage database to federal law enforcement officials investigating potential terrorist activity.
One of the earliest uses of Social Security data in homeland security investigations came before the 2002 Winter Olympics in Salt Lake City. Ronald Ingleby, resident agent in charge of the Social Security inspector general’s office there, worked with the U.S. attorney’s office to acquire about 10,000 employee records from the local airport authority and had his staff search Social Security records. As a result, 69 workers were indicted for alleged misuse of Social Security numbers on their applications for airport security badges.
The program, which was expanded to many of the nation’s airports as well as ports and other facilities, resulted in hundreds of guilty pleas, largely from Latino workers with no discernible links to terrorist groups. The workers had used fake or stolen Social Security numbers to gain employment or acquire access badges.
Federal agents also began turning to Social Security to check dubious records brought to their attention or to run down terrorism leads. In one case, a tip that al-Qaeda might try to poison military rations led to checks on workers at a meals-ready-to-eat factory in Texas. Several were convicted in 2004 of possessing or using false documents, though the case files show no evidence of a poisoning plot.
Other cases led to charges against members of document counterfeiting rings in Maryland and New York.
Attracting Notice
Bin Lateef believes he originally came to the attention of investigators because he was a Pakistani national with a check-cashing company among his holdings. He said authorities began looking into his business in 2003. He also said that for a number of years he sent as much as $24,000 to $36,000 annually to his family in Pakistan, sometimes using an unregulated “hawala,” an informal banking network.
His lawyer believes authorities also were concerned about a September 2003 trip Bin Lateef took with his family through Pakistan, Saudi Arabia, the United Arab Emirates and Germany.
Commenting on this type of case, Jimmy Gurul?, a law professor at the University of Notre Dame who was undersecretary for enforcement at the Treasury Department from 2001 to 2003, said a number of issues would have interested investigators. “The combination of the international travel, the combination of the money being transferred abroad through a hawala-type system or certainly the use of false identification documents are all red flags of possible terrorist activity,” he said.
An inquiry turned up Bin Lateef’s Social Security fraud. He had entered the United States on a student visa in 1980 to attend Southern Illinois University. A 1985 application to extend his stay was denied, but he said he became a legal permanent resident alien in 1988 under the Reagan administration’s immigration reform.
However, to get the green card, Bin Lateef said, he used a false name on the application based on bad advice from acquaintances. A year or two later, he obtained a Social Security number with that false name.
Bin Lateef said that he has never had links to terrorist groups — only that he went into business, raised a family and bought a home in O’Fallon, Mo., near St. Louis. “This is the only country in the whole entire world that would give me the opportunity to do what I did,” he said.
William Wynne, Bin Lateef’s lawyer, said, “This guy has a tattoo on his forehead that says ‘productive citizen.’ ”
Bin Lateef pleaded guilty to felony charges of lying to federal authorities and of misusing a Social Security number. Deportation proceedings are ongoing. Prosecutors declined to comment on his case.
Like many other Social Security referrals related to homeland security prosecutions, Bin Lateef’s is classified by the Justice Department as anti-terrorism.
In his white paper, McNulty, the deputy attorney general, signaled that investigators would continue to rely on Social Security and other government statutes not directly related to terrorism.
“There has been some criticism of our use of nonterrorism offenses, such as false statement charges, immigration fraud, and use of fraudulent travel documents, in terrorism cases,” McNulty wrote. “Yet the appropriate charging of such offenses is so important to our disruption of terrorist plans that the Department has urged prosecutors to undertake initiatives to increase their use of these statutes.”
Roig and Kriva were Medill School of Journalism fellows in the News 21 Program of the Carnegie-Knight Initiative on the Future of Journalism Education.
Walt Disney World: The Government’s Tomorrowland?
By Karen Harmel, September 1, 2006
Walt Disney World, which bills itself as one of the happiest and most magical places anywhere, also may be one of the most closely watched and secure.
Walt Disney World, which bills itself as one of the happiest and most magical places anywhere, also may be one of the most closely watched and secure. And control over park entrances is getting even tighter: the nation’s most popular tourist attraction now is beginning to scan visitor fingerprint information.
For years, Disney has recorded onto tickets the geometry and shape of visitors’ fingers to prevent ticket fraud or resale, as an alternative to time-consuming photo identification checks.
By the end of September, all of the geometry readers at Disney’s four Orlando theme parks, which attract tens of millions of visitors each year, will be replaced with machines that scan fingerprint information, according to industry experts familiar with the technology.
“It’s essentially a technology upgrade,” said Kim Prunty, spokeswoman for Walt Disney World. The new scanner, like the old finger geometry scanner, “takes an image, identifies a series of points, measures the distance between those points, and turns it into a numerical value.” She added, “To call it a fingerprint is a little bit of a stretch.”
Prunty said the new system will be easier for guests to use and will reduce wait times. The old machines required visitors to insert two fingers into a reader that identified key information about the shape of the fingers. The new machines scan one fingertip for its fingerprint information. Prunty said the company does not store the entire fingerprint image, but only numerical information about certain points.
Theme park consultant Arnold Tang said parks like Disney use the technology because it is more convenient for guests than showing photo identification and more accurate for theme parks, which have a significant ticket fraud problem.
“There’s a lot of subjectivity,” Tang said about traditional identification checks. “People can look at a photo and identify it differently.”
Prunty said the technology ensures that multiday passes are not resold. A one day, one-park ticket to Walt Disney World costs $67, but the daily price falls dramatically for a 10-day pass. Prunty said multiday pricing is the reason for the scanners. “It’s very important that a guest who purchases the ticket is the guest who uses it,” she said.
However, the use of this technology has riled privacy advocates, who believe Disney has not fully disclosed the purpose of its new system. There are no signs posted at the entrance detailing what information is being collected and how it is being used. Attendants at the entrance will explain the system, if asked.
“The lack of transparency has always been a problem,” said Lillie Coney, associate director of the Electronic Privacy Information Center, who added that Disney’s use of technology “fails a proportionality test” by requiring too much personal information for theme park access.
“What they’re doing is taking a technology that was used to control access to high-level security venues and they’re applying it to controlling access to a theme park,” Coney said.
“It’s impossible for them to convince me that all they are getting is the fact that that person is the ticket-holder,” said George Crossley, president of the Central Florida ACLU.
But Disney’s Prunty downplayed privacy issues, saying the scanned information is stored “independent of all of our other systems,” and “the system purges it 30 days after the ticket expires or is fully utilized.” Visitors who object to the readers can provide photo identification instead – although the option is not advertised at the park entrance.
Scanning fingerprint information isn’t new to private businesses or the government, which scans fingerprints of visitors entering the country.
But surprisingly, after the Sept. 11 attacks the federal government sought out Disney’s advice in intelligence, security and biometrics, a tool that teaches computers to recognize and identify individuals based on their unique characteristics.
The federal government may have wanted Disney’s expertise because Walt Disney World is responsible for the nation’s largest single commercial application of biometrics, said Jim Wayman, director of the National Biometric Test Center at San Jose State University.
“The government was very aware of what Disney was doing,” he said. “Everybody’s interested in a successful project.”
Industry insiders say Disney has expressed interest in an even more advanced form of biometric technology _ automated face recognition. It has been touted as a way to pick criminals and terrorists out of a crowd.
Minnesota-based Identix Inc., which has contracts with the State Department and the Department of Homeland Security, has been in contact with Disney.
“Because it’s an ongoing initiative, Identix is not at liberty to talk about it,” said company spokesman Meir Kahtan said of the work with Disney on a face recognition system.
Another company, California-based A4Vision Inc., confirmed meeting with Disney officials in the past year to present its A4 facial recognition system to Disney. “They were interested,” said A4Vision spokeswoman Suzanne Mattick.
Prunty, however, said face recognition is “not something we’re currently looking at.”
A4Vision is funded in part by the Department of Defense and In-Q-Tel, the CIA’s venture capital firm for new technologies.
Although Disney will not disclose who makes its fingerprint scanners, biometrics experts said the new technology is likely provided by New Mexico-based Lumidigm Inc.
Lumidigm also has received funding from the CIA as well as the National Security Agency and Department of Defense, according to founder and CEO Bob Harbour.
The government has looked to Disney for advice on biometrics in the past. After 9/11, one Disney executive was part of a group convened by the Federal Aviation Administration and other federal agencies to help develop a plan for “Passenger Protection and Identity Verification” at airports, using biometrics.
The executive, Gordon Levin, also was part of a group asked by the National Institute of Standards and Technology and the National Security Agency to develop national standards for the biometrics industry.
Levin is not the only Disney employee to lend his expertise to the government.
Former Disney employees have filled some of the most sensitive positions in the U.S. intelligence and security communities. Eric Haseltine left his post as executive vice president of research and development at Walt Disney Imagineering in 2002 to become associate director for research at the NSA, and he is now National Intelligence Director John Negroponte’s assistant director for science and technology.
Another former Disney employee, Bran Ferren, has served on advisory boards for the Senate Intelligence Committee and offered his technological expertise to the NSA and the DHS.
Lumidigm’s Harbour did not confirm or deny the company’s role as the provider of Disney’s new scanners but said it has a “major theme park” as a client.
Disney’s choice of a fingerprint sensor worries some privacy experts, especially when compared with a finger geometry reader. “It’s more information,” EPIC’s Coney said. “That’s why law enforcement agencies have relied on fingerprints for so long.”
Disney’s Prunty said the company’s system will not be linked to a law enforcement fingerprint database. “Truly the only application is to link the ticket with the numerical value,” she said.
Industry experts, including Anil Jain, who holds six patents in fingerprint matching, believe that Disney’s new machines scan the entire fingerprint, even if they only store the numerical information.
Lumidigm’s Harbour said the system designed for his theme park client is not compatible with a federal law enforcement database, saying, “Their protocols don’t store images.”
However, Raul Diaz, Lumidigm’s vice president of sales and marketing, said it is “easy” to change a system from capturing numerical information to storing an entire fingerprint image. “It’s a software option,” Diaz said. “It’s changing just one command.” Diaz said few, if any, companies store the fingerprint images due to privacy concerns.
Coney fears Disney could share the fingerprint information. “If they maintain that data, it can be used for anything,” Coney said. “If law enforcement shows up, they can gain access to it.” Disney’s privacy policy says that it may disclose personal information when doing so can help “protect your safety or security.”
While Walt Disney World in Orlando is the only Disney location to use this biometric technology at its entrances, other theme parks – such as Sea World and Busch Gardens – have begun to use similar technology.
Civil liberties experts fear the use of biometrics by government and private companies will escalate without proper privacy protections. But industry officials say Disney’s extensive use of the technology is a sign of things to come.
“It helps public perception to have biometrics deployed on a widespread basis,” said Joseph Campbell, the former chairman of the Biometrics Consortium. “The more people use biometrics, the more people are comfortable with it.”
Studying Students
Education Department and FBI scoured millions of student records
By Laura McGann, September 1, 2006
For the past five years an office in the Education Department has scanned through its databases of millions of students’ federal financial aid and college enrollment records in search of terrorist names supplied by the FBI.
The effort, dubbed “Project Strike Back,” was created by the Education Department’s Office of Inspector General after the terror attacks of Sept. 11, 2001, to expand the office’s mission to include counterterrorism.
At the time, investigators believed some funding for the 9/11 attacks came from identity theft and fraud, criminal activity the Education Department had experience investigating, according to an internal memo obtained through a Freedom of Information Act request.
“This program was one of many around the country used by the FBI to identify people of potential interest,” said FBI spokeswoman Cathy Milhoan.
The department’s central database stores information on all of the roughly 14 million students who apply for financial aid each year, even after they have repaid the loans.
To search for “potential terrorist activity,”the FBI gave the department fewer than 1,000 names that the bureau considered suspicious to run through its databases, said bureau spokeswoman Cathy Milhoan. The bureau made requests as recently as February 2006.
In response to the requests, department agents would look for “anomalies” in the data and share the information with the FBI and Justice Department attorneys, according to a letter from an Education Department Office of Inspector General special agent to the assistant inspector general for investigations and a 2004 Government Accountability Office report.
They found and shared personal information including at least names, addresses, dates of birth, Social Security numbers and driver’s license numbers, according to an agency document that was recounted by a government official familiar with the data-mining program.
The joint venture abruptly ended this summer, 10 days after Medill School of Journalism reporters interviewed the special agent who oversaw the data mining program.
Mary Mitchelson, counsel to the inspector general, said it was ended because agents had spent less than 50 hours in the last four years on the project.
Much of the personal information gathered came from the form many students file each year seeking financial aid, called the Free Application for Federal Student Aid, according to an e-mail from Catherine Grant, spokeswoman for the IG’s office.
For most undergraduates, FAFSA requires detailed descriptions of their parents’ personal and financial information, their Social Security numbers, tax returns, savings, investments and business assets.
FAFSA’s online privacy statement says information may be shared with other agencies for “routine uses,” including disclosure to law enforcement.
Many students are unaware of this.
“The first thing that comes to mind with a system like this is the word ‘scary,’” said Rebecca Thompson, legislative director of the country’s largest student advocacy group, the United States Student Association.
Thompson filed for financial aid every year she attended the University of Northern Michigan. She did not know the Education Department ran terrorist suspects’ information against her own.
“All we know is that we are filling out this form to get financial aid,” she said. “It’s scary that in the name of the war on terror our personal information can be used for things that have nothing to do with higher education.”
Rob Glushko, a law student at UC Berkeley, said he is leery of an invasive program that has the potential to affect millions of students with no relationship to terrorism and leaves out only the wealthiest students who do not need financial aid.
“I’m being investigated for the potential crime of being a student,” Glushko said. “It makes me uncomfortable and I wonder what purpose it serves.”
Jim Harper, a scholar at the libertarian Cato Institute who advises the Department of Homeland Security on privacy issues as a member of the Data Privacy and Integrity Advisory Committee, said his panel asks a series of questions when evaluating a program that uses personal information.
“The number one question we came across was to ask the question, ‘Does it work?’” Harper said. “Does the program address a genuine threat directly?”
It is unclear how effective the data mining was in rooting out potential terrorists.
“We cannot address whether any specific FBI cases resulted from the data we provided,” said Grant.
The FBI declined to comment on whether any official investigations resulted from giving the Education Department potential terrorist’s names, a bureau spokeswoman said.
During the nearly five years the data-mining program was in effect, the Education Department did not refer any terrorism cases to the Justice Department for prosecution, according to a comprehensive database of federal case referrals maintained by Syracuse University.
It is unclear whether the Education Department is still mining and sharing student information with the FBI. Grant said the Education Department does not confirm or deny the existence of “any particular investigative activity.”
The data-sharing relationship between the department and the FBI may have been a useful way to “develop intelligence on a student”before there was enough evidence of wrongdoing to get a subpoena, said FBI special agent Michael Gneckow, who was not aware of the program.
Gneckow investigated many students during the course of a high-profile terrorism case at the University of Idaho in 2003. The case ended with a jury acquitting a University of Idaho graduate student of terrorism charges that stemmed from his maintenance of Islamic Web sites. Gneckow said the school adhered to federal law and required him to subpoena students’ personal records.
The student-record privacy law that requires the FBI to obtain court orders before accessing school records was passed in 1974. It was intended to address the “growing evidence of the abuse of student records across the nation,” the bill’s sponsor, Sen. James Buckley, a member of the Conservative Party of New York State, said at the time.
Under current law, if an FBI agent wants copies of FAFSA records from a school, a court order is required.
“They’d have to have a piece of paper in their hands,” said Barmak Nassirian of the American Association of Collegiate Registrars and Admissions Officers.
It is unclear if the Education Department must comply with the law the same way a school must, said several legal experts, including former Education Department General Counsel Judith Winston.
Addressing the concerns of students such as Thompson who, like millions of others, have personal and financial information in the department’s databases, Michael Deshields, the deputy inspector general who oversaw the data-mining program, downplayed the operation, saying the operation’s title carries more bark than bite.
“We always have some nice, sexy title,” Deshields said in June, 10 days before the program was canceled. “Strike Back is not mass sharing of people’s personal information.”
The department’s Office of Inspector General has already expanded its records system to include more electronic information, such as photos, scanned documents and audio and video from its investigations.
And a draft report from the Secretary of Education’s Commission on the Future of Higher Education envisions a database that would track individual students’ enrollment, performance and financial aid information for years, through college and beyond to ensure greater accountability from colleges and universities that receive substantial federal grants.
The National Association of Independent Colleges and Universities firmly opposes such a database.
“I find it hard to believe that so many would walk so casually into an Orwellian world in which some all-seeing eye is tracking what each of our citizens is reading and studying,” said David Warren, the president of the higher education association.
“What’s happened to a nation that’s prized the freedom of the individual?”
The joint effort with the FBI was just one of 24 data mining initiatives run by the Education Department, which ranks fourth out of all federal agencies in terms of the number of data mining programs it runs, according to a 2004 survey by the Government Accountability Office, Congress’s auditing branch.