The government is increasingly using corporations to do its surveillance work, allowing it to get around restrictions that protect the privacy and civil liberties of Americans, according to a report released Monday by the American Civil Liberties Union, an organization that works to protect civil liberties.
Data aggregators -- companies that aggregate information from numerous private and public databases -- and private companies that collect information about their customers are increasingly giving or selling data to the government to augment its surveillance capabilities and help it track the activities of people.
Because laws that restrict government data collection don't apply to private industry, the government is able to bypass restrictions on domestic surveillance. Congress needs to close such loopholes, the ACLU said, before the exchange of information gets out of hand.
"Americans would really be shocked to discover the extent of the practices that are now common in both industry and government," said the ACLU's Jay Stanley, author of the report. "Industry and government know that, so they have a strong incentive to not publicize a lot of what's going on."
Last year, JetBlue Airways acknowledged that it secretly gave defense contractor Torch Concepts 5 million passenger itineraries for a government project on passenger profiling without the consent of the passengers. The contractor augmented the data with passengers' Social Security numbers, income information and other personal data to test the feasibility of a screening system called CAPPS II. That project was slated to launch later this year until the government scrapped it. Other airlines also contributed data to the project.
Information about the data-sharing project came to light only by accident. Critics like Stanley say there are many other government projects like this that are proceeding in secret.
The ACLU released the Surveillance-Industrial Complex report in conjunction with a new website designed to educate the public about how information collected from them is being used.
The report listed three ways in which government agencies obtain data from the private sector: by purchasing the data, by obtaining a court order or simply by asking for it. Corporations freely share information with government agencies because they don't want to appear to be unpatriotic, they hope to obtain future lucrative Homeland Security contracts with the government or they fear increased government scrutiny of their business practices if they don't share.
But corporations aren't the only ones giving private data to the government. In 2002, the Professional Association of Diving Instructors voluntarily gave the FBI the names and addresses of some 2 million people who had studied scuba diving in previous years. And a 2002 survey found that nearly 200 colleges and universities gave the FBI information about students. Most of these institutions provided the information voluntarily without having received a subpoena.
Collaborative surveillance between government and the private sector is not new. For three decades during the Cold War, for example, telegraph companies like Western Union, RCA Global and International Telephone and Telegraph gave the National Security Agency, or NSA, all cables that went to or from the United States. Operation Shamrock, which ran from 1945 to 1975, helped the NSA compile 75,000 files on individuals and organizations, many of them involved in peace movements and civil disobedience.
These days, the increasing amount of electronic data that is collected and stored, along with developments in software technology, make it easy for the government to sort through mounds of data quickly to profile individuals through their connections and activities.
Although the Privacy Act of 1974 prohibits the government from keeping dossiers on Americans unless they are the specific target of an investigation, the government circumvents the legislation by piggybacking on private-sector data collection.
Corporations are not subject to congressional oversight or Freedom of Information Act requests -- two methods for monitoring government activities and exposing abuses. And no laws prevent companies from voluntarily sharing most data with the government.
"The government is increasingly ... turning to private companies, which are not subject to the law, and buying or compelling the transfer of private data that it could not collect itself," the report states.
A government proposal for a national ID card, for example, was shot down by civil liberties groups and Congress for being too intrusive and prone to abuse. And Congress voted to cancel funding for John Poindexter's Total Information Awareness, a national database that would have tracked citizens' private transactions such as Web surfing, bank deposits and withdrawals, doctor visits, travel itineraries and visa and passport applications.
But this hasn't stopped the government from achieving the same ends by buying similar data from private aggregators like Acxiom, ChoicePoint, Abacus and LexisNexis. According to the ACLU, ChoicePoint's million-dollar contracts with the Justice Department, Drug Enforcement Administration and other federal agencies let authorities tap into its billions of records to track the interests, lifestyles and activities of Americans.
By using corporations, the report said, the government can set up a system of "distributed surveillance" to create a bigger picture than it could create with its own limited resources and at the same time "insulate surveillance and information-handling practices from privacy laws or public scrutiny."
Most of the transactions people make are with the private sector, not the government. So the amount of data available through the private sector is much greater.
Every time people withdraw money from an ATM, buy books or CDs, fill prescriptions or rent cars, someone else, somewhere, is collecting information about them and their transactions. On its own, each bit of information says little about the person being tracked. But combined with health and insurance records, bank loans, divorce records, election contributions and political activities, corporations can create a detailed dossier.
And studies show that Americans trust corporations more than they trust their government, so they're more likely to give companies their information freely. A 2002 phone survey about a proposed national ID plan, conducted by Gartner, found respondents preferred private industry -- such as bank or credit card companies -- to administer a national ID system rather than the government.
Stanley said most people are unaware how information about them is passed on to government agencies and processed.
"People have a right to know just how information about them is being used and combined into a high-resolution picture of (their) life," Stanley said.
Although the Privacy Act attempted to put stops on government surveillance, Stanley said that its authors did not anticipate the explosion in private-sector data collection.
"It didn't anticipate the growth of data aggregators and the tremendous amount of information that they're able to put together on virtually everyone or the fact that the government could become customers of these companies," Stanley said.
Although the report focused primarily on the flow of data from corporations to the government, data flow actually goes both ways. The government has shared its watch lists with the private sector, opening the way for potential discrimination against customers who appear on the lists. Under section 314 of the Patriot Act, the government can submit a suspect list to financial institutions to see whether the institution has conducted transactions with any individuals or organizations on the list. But once the government shares the list, nothing prevents the institution from discriminating against individuals or organizations on the list.
After the terror attacks of Sept. 11, 2001, the FBI circulated a watch list to corporations that contained hundreds of names of people the FBI was interested in talking to, although the people were not under investigation or wanted by the FBI. Companies were more than happy to check the list against the names of their customers. And if they used the list for other purposes, it's difficult to know. The report notes that there is no way to determine how many job applicants might have been denied work because their names appeared on the list.
"It turns companies into sheriff's deputies, responsible not just for feeding information to the government, but for actually enforcing the government's wishes, for example by effectively blacklisting anyone who has been labeled as a suspect under the government's less-than-rigorous procedures for identifying risks," the report states.
Last March, the Technology and Privacy Advisory Committee, created by Secretary of Defense Donald Rumsfeld to examine government data mining, issued a report (PDF) stating that "rapid action is necessary" to establish clear guidelines for responsible government data mining.
The ACLU's Stanley said companies are in the initial stages of the Homeland Security gold rush to get government contracts, and that the public and Congress need to do something before policies and practices of private-sector surveillance solidify.
"Government security agencies always have a hunger for more and more information," said Stanley. "It's only natural. It makes it easier for law enforcement if they have access to as much info as they want. But it's crucial that policy makers and political leaders balance the needs of law enforcement and the value of privacy that Americans have always expected and enjoyed."