WASHINGTON – The Department of Homeland Security violated the law by failing to assess the privacy impact of new technology set to be deployed at airports next month, Governmental Affairs Committee Ranking Member Joe Lieberman, D-Conn., said Thursday. In a letter to DHS Secretary Tom Ridge, Lieberman said DHS failed to conduct and make public a “privacy impact assessment” on biometric technology developed for use by a new entry-exit checking system known as US VISIT.
“Completing and publishing PIAs could go a long way towards reassuring the public that new technologies have not been developed at the expense of privacy safeguards,” Lieberman wrote. The E-Government Act of 2002, authored by Lieberman, requires federal agencies to conduct privacy impact assessments before developing and purchasing new technologies that will collect personal information electronically. DHS has now begun an assessment, but the technology that will make the US VISIT system work has already been purchased and sent to airports around the country.
US-VISIT, announced in April 2003, will use digital technology to scan the fingerprints of anyone entering the U.S. on a visa into a database to verify the visa holders’ identities when they enter or leave the country. The system is supposed to be fully operational by the end of the year.
“In order for the privacy impact assessment to serve its intended purpose, the PIA must be conducted before the agency develops or procures information technology for the program,” said Lieberman. “If the assessment is not conducted until the system is on the verge of becoming operational, the PIA becomes a pro forma exercise.”
The following is a copy of the letter:
December 4, 2003
The Honorable Tom Ridge
Secretary
U.S. Department of Homeland Security
Washington, DC 20528
Dear Secretary Ridge:
The E-Government Act of 2002 requires federal agencies to conduct and publish privacy impact assessments (PIAs) before developing or procuring information technology that will collect or store personal information electronically. It has come to my attention that in the past year the Department of Homeland Security has developed and procured new biometric technologies for the US VISIT system without having completed a PIA, as required by law. I understand the pressing importance of implementing an effective entry-exit system, but compliance with our privacy laws is not incompatible with that goal.
In fact, the PIA requirement in the E-Government Act is designed to facilitate the development of new technologies, as it requires program managers and other agency officials to appropriately address privacy concerns while the systems are being designed, and to make public the results of that assessment. Completing and publishing PIAs could go a long way towards reassuring the public that new technologies have not been developed at the expense of privacy safeguards. I urge you to ensure that in the future the Department of Homeland Security fully comply with the PIA mandate.
The US-VISIT program will use new biometric technologies to capture more complete arrival and departure data for those who require a visa to enter the United States. Visa holders’ fingerprints will be scanned digitally and entered into a database, which will be used to verify the visitors’ identity whenever they enter and depart the country. Clearly, the US-VISIT program will effect a significant expansion of the types of personal information collected by the federal government. Accordingly, Section 208 of the E-Government Act required program officials to conduct a PIA before developing or procuring the information technology that program will deploy.
DHS officials have explained that development of the new biometric systems began soon after you unveiled the plans for US-VISIT on April 29, 2003, and that the new equipment needed for the system has already been purchased and sent to airports around the country. The system will be operating on a pilot basis this month, and is scheduled to be operational nationwide by the end of the year. Although program managers have been working on a draft PIA, it has not yet been finalized or approved by the Department’s Privacy Officer. I am concerned that the deployment of biometric technologies has proceeded this far without the PIA required by law.
In order for the privacy impact assessment to serve its intended purpose, the PIA must be conducted before the agency develops or procures information technology for the program. The PIA serves as a checklist of privacy considerations, requiring program managers to consider what privacy protections are needed and to ensure that appropriate privacy safeguards are incorporated into the system they design. If the assessment is not conducted until the system is on the verge of becoming operational, the PIA becomes a pro forma exercise. After hundreds of millions of dollars have been invested in the deployment of the next phase of US VISIT, it seems highly unlikely that agency officials would reconsider the system’s design or configuration, on the eve of deployment.
I understand that the PIA mandate is a relatively new one, and that federal agencies were initially hampered by the Office of Management and Budget’s delayed release of PIA guidance. Nevertheless, I hope that the Department of Homeland Security will endeavor to fully comply with the law when developing new information technology that could impact personal privacy. In order to win public acceptance of new systems and technologies that collect and store personal information, it is essential that the American people trust that their personal privacy is being appropriately considered and protected. I have been pleased to hear past assurances from you and from other Department officials that privacy is a paramount priority.
I would be interested in any explanation of why a Privacy Impact Assessment was not prepared by the Department before new biometric technologies had been purchased, and what you believe to be consequences of this omission. Also, please provide the status of the US VISIT PIA, when it will be released and the Department’s response to any issues identified in the PIA process.
Finally, please let me know what the Department of Homeland Security will do to ensure that in the future Department officials complete PIAs in a timely manner as required by law.
Thank you for your attention to this matter.
Sincerely,
Joseph I. Lieberman
Ranking Democrat