Lawmakers have tough questions for largely unregulated data firms.
FBI officials spent $75 million last year for information from data aggregators, a fast-growing and largely unregulated market. But congressional leaders appear ready to impose restrictions on the industry following a series of high-profile security breaches in recent weeks.
The incidents revealed weak security and privacy controls at ChoicePoint and LexisNexis Group, two of the nation’s largest data aggregators.
Such companies provide a useful service for law enforcement agencies, officials testified at an April 13 Senate Judiciary Committee hearing. By outsourcing data-collection activities to aggregators, however, federal agency officials sidestep their obligations under the Privacy Act, a privacy expert told lawmakers.
And agencies that rely on data aggregators know little about the accuracy of the data they purchase, others testified.
Some security experts say, however, that data collected by ChoicePoint and LexisNexis is too useful for federal law enforcement agencies to forgo and that such companies should protect personal information by encrypting it.
The FBI buys information from data aggregators ChoicePoint, credit bureau reporting companies, Dun and Bradstreet, LexisNexis, the National Insurance Crime Bureau and Westlaw, which agents use mainly for convenience, said Chris Swecker, assistant director of the FBI’s Criminal Investigative Division.
“Twenty-three years ago when I first came to the FBI, I had to walk down to the courthouse to get courthouse records and go other places to collect these records,” Swecker said. “Being able to make one query and get all these records at one time saves investigative time and saves resources,” he said.
Records that the FBI finds useful include driver’s license information, last known address, date of birth, court filings, liens and newspaper records, Swecker said, adding that FBI officials conducted 1.2 million queries in the ChoicePoint database in 2004.
Privacy experts say federal agencies’ use of commercial databases creates a problem. “It allows them, in essence, to outsource data-collection activities,” said James Dempsey, executive director of the nonprofit Center for Democracy and Technology. If federal officials start a new collection of data, they must comply with the Privacy Act, which requires agencies to perform a privacy impact assessment, Dempsey told the committee.
But when government officials buy that data or subscribe to data that they don’t pull into a government database, none of the Privacy Act rules apply, Dempsey said. It is a loophole that he advised lawmakers to close as they consider legislation to regulate data aggregators.
Dempsey also said the federal government bears some responsibility for the accuracy of the commercial data it uses for law enforcement and other purposes.
Concerning the extent to which FBI officials check the accuracy of public records that it purchases, Swecker said they conduct no formal audits of the data. Instead, FBI officials buy data from four or five brokers. They compare information that the different commercial databases have on particular people as an accuracy check.
“We compare it with our own information as well,” Swecker said, adding that each of the data aggregators has different strengths in terms of data quality.
Sen. Russell Feingold (D-Wis.), a committee member, said he is concerned there are no guidelines to ensure that information in commercial databases is used responsibly. Without restrictions, there is nothing to prevent federal agencies from using commercial data “for privacy-intrusive data-mining programs,” he said.
Responding to Feingold’s concerns, Swecker said FBI officials do not use commercial databases for data mining.
“Each query is predicated on an investigation — at least the preliminary inquiry is — so we don’t data mine through the data brokers’ information,” Swecker said. Investigators sometimes make large batch queries against the databases by submitting 40 to 50 names at once. “But as far as just mining through the data, that does not happen,” he said.
Companies from which the FBI buys data have assured agency officials that the names of people who are the subjects of FBI queries are kept private, Swecker said. “They collect the number of queries, but they do not collect the subject of the queries,” he said.
But they are the same companies that data thieves targeted to obtain personal information about several hundred thousand people. The thieves were successful because the companies lacked adequate security and privacy controls for protecting the data, said Sen. Patrick Leahy (D-Vt.), the committee’s ranking member. Leahy blamed data aggregators for sloppy business practices that he said compromise law enforcement and homeland security.
The committee’s chairman, Sen. Arlen Specter (R-Pa.), suggested that lawmakers pass comprehensive legislation this year to regulate data aggregators, which currently are subject to a patchwork of laws under the jurisdiction of the Federal Trade Commission. “I believe that there will be some very firm federal legislation coming out of this issue,” Specter said.
After the terrorist attacks in 2001, LexisNexis was one of the first companies federal officials used. “They immediately pulled down 60 pages of information on the hijackers they suspected were involved,” said Jody Westby, managing director at PricewaterhouseCoopers.
Information collected by companies such as LexisNexis and ChoicePoint is enormously useful to government officials, Westby said. But to protect people from harmful privacy breaches, she said, lawmakers might have to set a minimum security standard for data aggregators that collect personal information.
Field-level encryption is an effective way of protecting database fields containing personally identifiable information without degrading the speed of database searches, Westby said.
“It’s a viable option that hasn’t been pursued,” she added.