The Privacy Challenges of U.S. Fusion Centers
By Rebecca Andino, PMP, CIPP/G
Consider these scenarios:
Scenario #1: Officials suddenly notice a pattern of individuals trespassing in unusual areas of a subway. They take action and successfully prevent a terrorist attack, saving dozens of lives.
Scenario #2: A large corporation partners with a state fusion center and quietly uses its databases to screen prospective employees. When the media reports this, citizens are outraged, authorities and officials are scrambling, and Congress is planning hearings.
These are just two examples of the opportunities and privacy risks involved in U.S. fusion centers.
Fusion centers have existed in various forms for decades, but since 9/11, their role has expanded and evolved. Recent actions, such as the Implementing Recommendations of the 9/11 Commission Act of 2007 ("The 9/11 Act") (P.L. 110-53), passed by Congress August 3, 2007, and the president's October 2007 National Strategy on Information Sharing, which announced federal funding and technical support for fusion centers, have underscored the importance of their role in the U.S. counter-terrorism mission.
Fusion centers may increase public safety because they facilitate information sharing between different levels of government and between the public and private sectors. A fusion center, as defined by the Department of Justice (DOJ) in the Fusion Center Guidelines, is a "collaborative effort between two or more agencies that provide resources, expertise, and information to the center with the goal of maximizing their ability to detect, prevent, investigate and respond to criminal and terrorist activity."
However, complex lines of authority, the variety of implementations and the fact that 58 centers are already fully operational create privacy challenges and opportunities.
Current Status of Fusion Centers
According to the interactive map on the American Civil Liberties Union (ACLU) Web site, fusion centers exist in every state except Idaho and Hawaii. The Congressional Research Service (CRS) report "Fusion Centers: Issues and Options for Congress" states that the majority are co-located with a state police headquarters; fewer than 20 percent of fusion centers are regional or local in jurisdiction.
Fundamentally, fusion centers are not federal entities; they are operated by state, regional, or local law enforcement entities. According to the CRS report, the Department of Homeland Security (DHS) has provided about $380 million in funding since 2001. It estimates fusion centers are funded about 80 percent by states and 20 percent by the federal government. Each fusion center has a different funding and governance structure. As a result, each fusion center is subject to a unique combination of state and federal laws governing criminal intelligence information collection and handling and information sharing.
There are numerous federal touch-points to fusion centers. The official federal liaison to fusion centers is the State and Local Program Office in the Intelligence and Analysis Office of the DHS. The DHS provides staffing, technical, and privacy and civil liberties training to fusion centers and collaborates with the Global Justice Information Sharing Initiative ("Global"), a DOJ entity, to deliver training. In addition, the FBI provides special agents and other staff; more than a dozen fusion centers are co-located with FBI entities. Finally, because fusion centers are part of the Information Sharing Environment (ISE), the Program Manager of the ISE, from the Office of the Director of National Intelligence (ODNI), provides the overall information sharing framework, privacy guidance and resources.
The key privacy challenges related to fusion centers stem from the complex governance structures and the need to apply the appropriate levels of transparency to this high-profile security mission.
There is no lack of guidance; the federal government has provided substantial privacy guidelines and resources to fusion centers, including those listed in the sidebar. Instead, the challenges are related to how the guidance will be implemented, and the roles, responsibilities and accountability assignments.
Currently, there is forward momentum and cooperation between federal agencies and fusion centers, demonstrated by joint participation in the DHS Data Privacy and Integrity Advisory Committee, joint press releases and well-attended fusion center conferences. However, it is a work in progress; the relationships between DHS and each of the 58 fusion centers are still being established. The agencies are currently in the process of defining how privacy and civil liberties guidance provided by the federal government will be ensured.
Federal agencies must use influence, not authority, to achieve fusion center compliance with the federal privacy guidelines. The ISE guidelines do not apply to fusion centers, but do require federal entities to ensure that any fusion center with which they share information has privacy protections that are at least as comprehensive as the ISE guidelines. The DOJ Fusion Center Guidelines are completely voluntary, although, according to a DHS official, all fusion centers have agreed to follow them.
Typical non-compliance actions, such as withholding funding or revoking network connectivity, would halt information sharing, harming the overall counter-terrorism mission. Instead, the federal government has engaged fusion centers in a collaborative partnership to achieve alignment with the guidelines. DHS, DOJ and the ISE are offering training and other resources, such as sample privacy policies and procedures, through the Global Fusion Process Technical Assistance Program.
Transparency and the Fair Information Practices
The second major privacy challenge of fusion centers is to achieve the appropriate balance between transparency and the protection of sensitive, mission-critical information.
As non-federal entities, fusion centers are not bound by the Privacy Act or E-Government Act, although the DHS and National Governors Association recommend all fusion centers develop a Privacy Impact Assessment (PIA) as a privacy management tool. The DHS is providing PIA training and assistance to each of the fusion centers through the Global program. Whether the PIAs will be made available to the public is up to the leadership of each individual fusion center.
At the federal level, DHS is required to perform an overall PIA on fusion centers. In the 9/11 Act, Congress directed the DHS privacy officer to deliver a Concept of Operations that includes an initial privacy and civil liberties assessment by November 2007, and a PIA on August 8, 2008. The PIA is currently in draft form and under review for submission to Congress.
All fusion centers are different. Some are extremely open about their information practices, even providing their standard operating procedures to the public. Others are not as open. Privacy issues will be discussed in each fusion center's PIA, if fusion centers choose to create them, and will address their approach to the Fair Information Practices (FIPs). Issues include:
Many fusion centers have not shared with the public what databases they use. This was demonstrated in an April 2, 2008 article in The Washington Post titled "Centers Tap into Personal Databases." It revealed that several fusion centers in the northeast have access to millions of people's information including unlisted cell phone numbers, insurance claims, driver's license photographs and credit reports. Although these resources are common to state and local law enforcement agencies, the fact that fusion centers had access to such a wide variety of commercial databases was previously unknown to the public.
In March 2008, EPIC filed a Virginia FOIA lawsuit against the Virginia State Police for refusing to provide information on meetings with the DHS and the DOJ regarding funding, operations and information-sharing governance.
While many fusion centers do adhere to 28 CFR, Part 23, which requires "reasonable suspicion" in collecting information on individuals, some fusion centers may not. PIAs, if developed and published, will describe the conditions under which personal information is collected.
In its article "What's Wrong with Fusion Centers," the ACLU equates the fusion process to data mining on innocent individuals, a practice it claims is both unfair and ineffective for predicting or preventing acts of terrorism.
To comply with the FIPs, fusion centers should ensure that personal information will be shared with other entities only for its lawfully-stated purpose. Fusion centers will share information with the private sector. In a warning similar to the example scenario at the beginning of this article, the ACLU cautions that protections against improper private sector use must be built in to ensure people will not be unfairly fired from a job, evicted from an apartment, denied a loan or otherwise unfairly treated based on information shared between a fusion center and the private sector.
Individual participation—in particular, redress—in fusion centers is challenging, for two reasons. First, information collected about individuals in fusion centers is often exempt from State Freedom of Information laws, so limited, if any, individual participation is possible. Second, the complex network of fusion centers and the federal government may make it particularly difficult for an individual to determine which entity "owns" his or her information in order to submit a redress request to that entity.
The Fusion Center Guidelines do not recommend a specific redress policy, but state that fusion centers should consider implementing the Fair Information Principles, including the "Individual Participation" principle. Section 8 of the ISE's 2006 Privacy Guidelines directs federal agencies that participate in the ISE to implement redress processes.
Who is ultimately accountable for protecting privacy? Larry Ponemon of The Ponemon Institute asked this question at the September 19, 2007 DHS Advisory Committee meeting. One panelist responded that the fusion center director would be responsible and accountable; another said the "buck stops" with the governor of each state. Because all states have different governance models and internal oversight processes, they said there is no "cookie-cutter approach."
The DHS Privacy Office is completing the fusion center PIA and will submit it to Congress. The majority of DHS PIAs are made available to the public, although the DHS has not stated whether this PIA will be released. The DHS is in the process of identifying the privacy point of contact at each fusion center; representatives are traveling to meet individuals at each fusion center. The DHS and Global will continue to deliver privacy and civil liberties training to analysts assigned to fusion centers. As one DHS official stated, "Protecting privacy in fusion centers is a continuous process. There is no finish line."
Rebecca Andino, PMP, CIPP/G, is president and founder of Highlight Technologies, a firm providing program management and privacy consulting services to national security programs. Contact Rebecca Andino at firstname.lastname@example.org or 202-271-0469.