USA PATRIOT Act: FBI Is Underreporting Their Use Of This Law To Order Businesses to Monitor Email, Phone Calls and Financial Information
CNN reported today that a U.S. Department of Justice (DoJ) audit finds the FBI has not kept good track of how many times they have ordered businesses to monitor emails, telephone records and financial information. The report has not yet been posted to the DoJ site but is supposed to be released sometime today.
According to the CNN report:
* The FBI reported that in 2005 they had delivered "a total of 9,254 national security letters" (NSLs, basically orders for surveillance) to businesses "seeking e-mail, telephone or financial information on 3,501 U.S. citizens and legal residents over the previous two years."
The DoJ audit found this number was at least 20% too low; that would put the actual number of times the FBI used the USA PATRIOT Act in 2005 to order businesses to turn over records containing large amounts of PII at around 11,568, involving around 4,376 people, assuming this 20% underreporting applied to both. The number of individuals could actually be considerably higher if the underreporting referred only to the number of NSLs.
* "Sen. Charles Schumer, a member of the Senate Judiciary Committee that oversees the FBI, called the reported findings 'a profoundly disturbing breach of public trust.'"
A big problem with the USA PATRIOT Act is that it was created and passed so quickly, with very good intentions and goals, but failed to include any required controls or privacy preservations for the data collected. And when the Act was renewed, these important issues were not addressed.
This underreporting is just the tip of the problem with the lack of accountability and controls. It will be interesting to see if the actual audit also covers how the FBI protects all this data they accumulate during their surveillance.
Strong controls need to be in place to protect the PII of individuals, as well as the businesses from whom they gathered this massive amount of data. The FBI must be accountable.
* "One government official who read the report said it concluded the problems appeared to be unintentional and that FBI agents would probably face administrative sanctions instead of criminal charges. The FBI has taken steps to correct some of the problems, the official said."
* "A federal appeals judge in New York warned in May that government's ability to force companies to turn over information about its customers and keep quiet about it was probably unconstitutional."
The FBI, and other government agencies who are supposed to be protecting civil rights and citizen interests, need to be held to at least the same information security and privacy requirements as businesses, if not higher.
Until they are, businesses need to be sure they have planned how to respond if they ever get an NSL demanding surveillance or copies of sensitive information. I've discussed this in the past here, here and here.

Comments
"The FBI, and other government agencies who are supposed to be protecting civil rights and citizen interests, need to be held to at least the same information security and privacy requirements as businesses, if not higher."
Exactly. It's almost amusing when you hear about government organizations losing sensitive data, when they're the ones that are supposed to be working to assure citizens' security. I also find it shocking that so many institutions - government and corporate - can't even keep TRACK of sensitive information and where it is stored!
Posted by: Mila | March 9, 2007 2:00 PM
Yes, most organizations do not have a handle on first, identifying and labeling their sensitive data (classification) and then second, inventorying it and keeping the inventory up-to-date. Most cite lack of resources and comprehensive tools to help them accomplish these tasks.
The preponderance of mobile computing and storage devices creates huge challenges, and most organizations I speak with say few tools can incorporate these into their inventory management process.
Posted by: Rebecca | March 10, 2007 11:27 AM