A Department of Homeland Security advisory committee strongly urged the agency today to proactively start collecting more data about individuals so that, when people request records about themselves, DHS can verify who they are.
That might sound drastic, but it could be the end product of concerns that were almost unanimously voiced Thursday by members of DHS’s Data Privacy and Integrity Advisory Committee at its regular meeting.
In response to a presentation by William Holzerland, the associate director of DHS’s FOIA operations, the committee asked dozens of questions trying to get at whether DHS does enough to protect individual’s privacy in responding to FOIA and Privacy Act requests.
The committee consists of a variety of privacy industry experts — from attorneys at law firms that litigate privacy matters to chief privacy officers for companies like computer giant Oracle.
The committee came to the conclusion that it seemed more could be done to safeguard privacy. One committee member called DHS’s process of requiring a signed Privacy Act waiver “insufficient” to protect individuals’ own privacy interests.
Several members suggested DHS use the same technology and methods to verify the identity of requesters that private credit reporting agencies use when an individual requests his or her credit report. For example, one committee member suggested DHS ask requesters to verify a requester’s identity by answering questions such as, “When did you last cross a border into the U.S.?”
At heart, the members appeared concerned that individuals requesting access to information the government has on them aren’t really who they appear to be — that they are instead identity thieves intent on keeping the information they get for years.
To their credit, DHS personnel, including Holzerland, repeatedly told the committee members that they had not received any complaints about this happening, and that no requesters had expressed such concerns.
But that didn’t stop the committee members, who pressed to find out how DHS could know if it is a problem when the would-be thieves wouldn’t very well come up and tell them.
The answer to that is fairly simple, though no one articulated it at the meeting. Privacy Act waivers require, generally, that an individual swear to his or her identity under penalty of perjury. Fraudulent requesters would be subject to legal penalties. Not to mention, if victims of identity theft could trace their problems back to Privacy Act violations and wrongful disclosure, they could sue under the law for thousands of dollars.
In short, DHS would know if such fraud were a problem.
What the committee members also didn’t appear to realize is that many people requesting their own files from DHS or the Justice Department are being held by the government either for crimes or in immigration detention. It seems as though if fraud were a real concern, it would be pretty easy to verify an identity with a phone call to a jail — cheaper, too, than the technology used by credit reporting companies.
Who knows what radical measures the committee would want taken when a reporter gets a Privacy Act waiver from an individual to file a FOIA request for information related to that person. A blood oath may not be sufficient.