1984, Civil Liberties and the National Security State

In the particular case that you refer to, complex transactions between two and three, and perhaps four organizations, it is interesting to note that we don't have the expertise in our society to find out precisely how many of those kinds of transactions are going on. Mr. KASTENMEIER. There is also another, I suppose, technical aspect. Some information may be available on a transitory basis from one system to another. And that may be qualitatively different if the recipient system downloads that information when the original system thought it was only available on a transitory, ephemeral basis. Retention and the development of additional data bases with sensitive information may also, I think, constitute a complicating fact.

Mr. LAUDON. It gets also more complicated if you mention downloading, if you consider downloading large files from a hospital to an insurance carrier, within the insurance carrier downloading that information to micro computers or small mini computers where it is worked on on small diskettes-what happens is eventually control is lost over the flow of that information, so that it becomes impossible to trace.

We ran into this problem and have continually run into the problem, at the IRS and at the FBI, trying to keep track of secondary and tertiary disseminations of data; trying to find out, and to answer the simple question: Who had what information at what point, when, and what did it look like? Can you trace this flow of information through organizations?

In many States, in certain areas like criminal records, they have given up. They basically tell State legislators and courts that we can't tell what happened to information once we sent it down to an agency, and it was subsequently disseminated within that agency. Now we would like to make a correction in the record. Maybe there was a mistake in the record, we would like to correct it.

Who do we talk to to correct that record? Who got it? Who made a judgment based on it that perhaps it should be corrected?

Well, here is an excellent example where we are operating technology beyond our management control, because we can't correct that record. If somebody lost a job because of a bad arrest on an arrest record in California, and we would like to rectify the situation, good luck; we can't do that. We are being forced to keep information on pieces of information. In order to keep track of information you have to know who had it, who saw it when. As it turns out that is more complicated than what we are willing to pay for. Therefore, we don't have those management capabilities.

That is an excellent example of what I mean when I say we are operating systems beyond our control and accountability. And I think Congress ought to be aware of that when it passes legislation which, for instance, asks us to build systems which can keep track of the flow of information for security reasons or for due process reasons. Building those systems is expensive and tends not to be done.

So the information could be sitting in a drawer somewhere, it could have been disseminated to a user somewhere, but nobody will know it. It could be on somebody's home micro computer, but nobody will know. There is no way of tracing that information currently, at least not in the way we build systems today.

I also want to point out in my testimony that there is literally only a handful of scholars in this country who work in this area. No major school of public administration can be of much assistance to you because they don't have any programs in national information systems, or even information systems. Only a handful of the business schools in this country have such major programs which would permit Congress to turn to an on-line group of experts for advice on how to build responsible systems. That expertise is not to be found in universities.

In my written testimony I called for a National Defense Information Systems Education and Research Act-one purpose of which is to help create the expertise in our schools of public administration. I also called for a Privacy Protection Commission, just to give Americans a sense that some group has authority and interest in keeping track of these complex interactions among systems; in protecting their rights in the information age just as protect their consumer rights.

We need to amend in particular the "routine use" clause of the Privacy Act so that data surveillance can be more closely monitored. The routine use clause, with some of the strongest language in the Privacy Act, in which Congress specifically said that information collected for one purpose should not be used for another purpose unless specifically authorized by Congress. There was a very clear-cut statement.

There is no way, it seems to me, that that could be so misinterpreted, but it is, and has been for the last 10 years, by administrations on both sides. That clause, the routine use clause, has essentially been thrown out, and that opens up the whole Pandora's box of general purpose national information systems.

If that clause is not amended, then hearings such as this will, it seems to me, be irrelevant, because the gates will be open for a flood of systems based on the principles of modern data base management and technology, which is indeed to use information collected for one purpose to use it for another purpose.

Mr. KASTENMEIER. In your view, Professor Laudon, is that statutory language being misused or ignored, or does it in fact need to be amended to achieve the purpose you seek?

Mr. LAUDON. I don't have an answer to that question. I have fought with myself about ways that language could be strengthened, but it already seems to me so clear. And the willingness of the executive branch to abuse it seems to be simply a decision made by them and has nothing to do with the lack of clarity in the original legislation.

On the other hand, I would point out that that clause is so powerful, because it goes right to the heart of why we build systems. I mean, we build systems in the Federal Government, as in the private sector, in order to be efficient managers of data, and efficient users of data.

It does happen to be efficient to take information collected in one place and use it in another place. That happens to be in the private sector one of the major advantages of modern systems: the ability to transport information across organizational boundaries.

Therefore, the routine use clause makes a powerful statement. It says that the Federal Government will not avail itself of the most

advanced principle in the grab bag of data processing technology. We will forsake that efficiency in order to preserve a democratic republic.

That was a very courageous statement. I am not sure how maintainable that is going to be, and increasingly there is going to be a lot of pressure on that. The Privacy Act does say that you can have the most efficient taxation system in the world; within the IRS you can transfer all the information you want and you can use the most advanced technology, but you can't use tax data to support the Selective Service System, you can't do that. And that kind of efficiency we foresake, Congress said in 1974.

So the question you raise is can we go on? Can we be an efficient government without foresaking that routine use clause? And my answer to that is yes, we can, I think we can, I think we can design systems.

Now, there are going to be exceptions to routine use. The legislation in 1974 clearly says that Congress may authorize exceptions, and it did, the next day. It authorized the Parent Locator Service in 1974 to combine tax information and other information.

So there are certain circumstances under the right oversight mechanism where we will have to, perhaps, allow exceptions. Maybe the exceptions will grow in number; nevertheless, I will have some confidence if we have an oversight mechanism—a Privacy Protection Commission.

Mr. KASTENMEIER. In your view, we need oversight. Does the 1974 Privacy Act have any penalty clause associated with misuse or unauthorized use within the frame of reference of this statute? Mr. LAUDON. Yes; it does have, but the penalties are rather minimal. It is a misdemeanor offense, I think, punishable by a thousand dollars or less, for abusing the Privacy Act. Of course, that only applies to Federal agencies; but many States have similar laws in the privacy area. But in general, one would say that-I have never in 10 years seen a prosecution at any level for a violation of the Privacy Act.

In conclusion, I can say that it seems to me that in the recent past, in the last 5 years, that we have tended to overestimate the gains in efficiency to be obtained by allowing information technology to have such a free rein. That has been my experience when you look at systems very closely. The FBI systems and IRS systems have been installed-some of those which are most objectionable in a civil liberties ground, are barely justifiable on a cost effective and cost efficiency basis.

Therefore, it has been disappointing for me at times-expecting great advances in efficiency, to find out that great costs in civil liberties had been incurred for very small advances in management efficiency.

I think there are alternative ways and alternative systems to achieving many of the same goals that the executive branch has outlined in its system development proposals.

I think we have to search for proper mechanisms for achieving those goals, and that we should not forsake our liberty out of fear for our security, or decrease our freedom in the pursuit of efficiency. I don't think we have to do that.

That concludes my testimony.

[The statement of Mr. Laudon follows:]

PREPARED STATEMENT of Prof. Kenneth C. LAUDON, NEW YORK UNIVERSITY, GRADUATE SCHOOL OF BUSINESS, COMPUTER APPLICATIONS AND INFORMATION SYSTEMS

My name is Kenneth C. Laudon. I am a sociologist and Professor in the Department of Computer Applications and Information Systems at the Graduate School of Business, New York University, where I teach on management information systems, and courses on the social and organizational impacts of information systems. I welcome this opportunity to testify before the Subcommittee on the question of civil liberties, security, and information technology.

I have worked in the area of information systems since the late 1960's when, with Alan Westin at Columbia University, I began a study of how third generation computers changed public decision making at state, local and federal levels. This resulted in a book entitled Computers and Bureaucratic Reform. Since this time I have participated as a consultant, researcher, and director in many of the major technology assessments concerned with information technology, organizational power, and civil liberties.

At the federal level I was a consultant to the Office of Technology Assessment's 1977 project on the Internal Revenue Service's Tax Administration System; in 1978 I was a member of the research group which examined the civil liberties implications of the Social Security Administration's proposed "Future Process" System. And, in 1979 I began a three year effort as a major contractor to the Office of Technology Assessment's study of the FBI's proposed national computerized criminal history system (CCH).

In a forthcoming book I have described my experiences with national information systems-especially the FBI's criminal history system. This book is titled "Security, Freedom, and Efficiency. Value Choices in the Design of National Information Systems."

I am delighted that you are interested in these subjects. In the hula hoop atmosphere which surrounds the marvelous technology of micro computers and integrated circuits it is frequently forgotten that the most important questions of the information age center about how people will be treated by information systems and the organizations which use them.

In my view, we, and members of Congress in particular have some difficult decisions to make about which values will reign supreme in the design of systems: international and domestic security, efficiency, or civil liberties. In my experience with specific national information systems, I found many aspects which were threatening to civil liberties:

-Major extensions in the data surveillance capability of central bureaucracies for minuscule gains in security and efficiency.

It is unclear to me, for instance, that the FBI really needs a file on 30 million criminals, one-third of the labor force, as opposed to a much smaller file on say a million serious criminals.

-Major enhancements in the ability to merge information from segregated files through data base management technology creating in some instances "general purpose" systems not authorized by Congress.

The 200 or so matching programs being carried out at the federal level are nothing but primitive applications of data base management technology in which information from diverse sources is pooled into a single "data base." Matching programs create shadow data bases. Yet, whenever Congress is given the opportunity to vote yes or no on general purpose data base systems like the National Data Center (1968) or the FEDNET (1972), Congress has rejected such systems.

A National Benefit System has been proposed by HHS several times in recent years, combining information on recipients of any federal aid-including college loans. In conjunction with a truly integrated Tax Information System which contained private market consumption data, a modernized social security system, and a fully capable national criminal history system, we would have the technical elements of a powerful surveillance apparatus.

These kinds of systems are only a few years off. They are far more powerful than anything this government or society has dealt with in the past. For reasons of efficiency in the administration of data, and for reasons of program efficiency and effectiveness, it may be desirable to build these systems. But powerful checks and balances and oversight mechanisms must also be installed to assure their accountability.

Other troubling aspects of some recent designs of national systems are:

ity

-A lack of concern for due process enfringements created by poor data qual

-A lack of understanding of how equity and fairness should or could be built into systems

-Inability to conform to existing law and regulation to assure the accountability of the system to managers and Congress.

I have come to the general conclusion that it is not computer technology per se which is the villain. Computer technology cannot of course be separated from its uses-any more than nuclear technology can be discussed without considering the bomb. Still, as with other technologies, the underlying problem is learning how to control and regulate the technology to assure its accountability to democratic institutions.

In the 1970's we made a start at controlling information technology in the Privacy Act of 1974-and related legislation. Since then, changes in technology have made this positive start technologically obsolete. Since 1984, we have developed micro computers that sit on a desk top which are as powerful as main frame computers I used as a graduate student in the 60's. In a few years, I can put on this table a computer equal in capability to today's large mini computers. In telecommunications we have gone from twisted copper wire, to optic fiber and satellites which transfer data in the mega and geiga bit range-that's millions and billions of bits per second. In a few years, we will put the Library of Congress on this table and connect you to most of the other libraries in the world.

Along with this technical change, the appetite of large bureaucracies—both public and private-for more and more data on individuals has also grown. There is no longer a meaningful distinction between physical surveillance, electronic surveillance, and data surveillance. Give me the right telephone numbers, a few of my graduate students, and my IBM XT personal computer and I will tell you where many of the members of the Subcommittee were last evening. In a few hours I could also find out a host of interesting details about your background-military records, medical, social security, employment, taxation, criminal and deviant behavior of you or any of your relatives. These capabilities are not lost on the large public bureaucracies-they are after all charged by Congress and the American public to give us efficiency, security, and effective administration.

The difficult question is this: in order to be maximally efficient, in order to protect against any and all foreign intelligence activity, in order to maximize the apprehension of domestic criminals, is it necessary to infringe on the traditionally defined civil liberties of Americans? To some extent this has already happened-few Americans have an expectation of privacy in foreign mails, telex, telephone or digital transmissions. Few knowledgeable Americans even have such expectations about domestic telecommunications-I don't. These rights have been sacrificed to national security-surely a laudable goal in itself.

In the 1970's we thought we had put the information technology genie in a bottle. The Privacy Act after all did have a very important clause-the routine use clause which said in essence the federal government could develop whatever systems it wanted to within functional areas defined by Congress but it could not create general purpose information systems in which information collected for one purpose would be used for entirely different purposes. An efficient tax system was permitted, but not a system which merged tax information with Social Security data, Department of Defense Data, Veterans Data, and on and on.

The information technology genie is out of the bottle again and its time Congress takes another bipartisan look at how the federal government uses information technology.

In closing, let me say that I do not believe we can go backward in history or prevent the federal government from utilizing advance information technology. Neither must we sit idly by as our civil liberties are sacrificed. I believe we can have systems which are accountable to Congress, which advance not retard civil liberties, and which achieve high levels of efficiency and security. These systems are not easy to build, they are more expensive to design and operate, but they are appropriate to a democratic society.

In order to build these systems for the 1990's we need to encourage our graduate schools to train experts and conduct research on information systems and organization. It is ridiculous that no major school of public administration has a program in information systems, and only two or three major business schools have such a program. There is literally only a handful of scholars in this bountiful country who work in this area. We need a National Defense Information Systems Education and Research Act so that we have the expertise to answer the kinds of questions you and other members of Congress are raising today. We need a Privacy Protection

« السابقة متابعة »

كتب

1984, Civil Liberties and the National Security State: Hearings Before the ...