On February 20, 2015, EPIC filed a Freedom of Information Act (FOIA) request with the Drug Enforcement Administration for all its Privacy Impact Assessments (PIAs) that are not currently publicly available as well as all the Initial Privacy Assessment (IPA) and Privacy Threshold Analysis (PTA) documents since January 2007. The PTAs, and later the IPAs, are used to determine whether a more thorough PIA is required for the use of new information technology.
Over the past several years, the DEA has initiated several new programs that should have resulted in the completion of PIAs, IPAs, or PTAs. As of the writing of EPIC’s FOIA request, however, those documents are not publicly available.
As the result of news media reports, several DEA programs that ought to have triggered the production of privacy analyses have been revealed. The Hemisphere program, about which EPIC has filed a related lawsuit, has given law enforcement direct access to an AT&T database of telephone call records since 2007. However, no PTA, IPA, or PIA for Hemisphere is publicly available.
The DEA also has a license plate reader program which should have triggered privacy analysis. In May 2012 DEA agent Douglas W. Coleman indicated in a prepared statement for a Congressional hearing that the DEA had launched a National License Plate Reader Program (“LPR”) in 2008 in response to the smuggling of illicit drug monies out of the United States. According the Mr. Coleman’s statement, the DEA’s LPR program monitors and targets vehicles, uses existing database technology, and promotes information sharing. Senators Charles Grassley and Patrick Leahy sent a letter to Attorney General Eric Holder describing their privacy concerns related to the government’s use of LPRs. However, no PTA, IPA, or PIA for the DEA’s LPR program is publicly available.
During the May 2012 hearing references in paragraph 20, Mr. Coleman identified a program entitled DEA Internet Connectivity Endeavor (“DICE”) that “…enables any participating federal, state, local and tribal law enforcement agency to de-conflict investigative information, such as phone numbers, email addresses, bank accounts, plane tail numbers and license plates, to identify investigative overlaps.” DICE provides access to information collected through the LPR program, and makes that data available through the internet. Reuters has reported that DICE contains approximately one billion records, including phone log data. There is no publicly available PTA, IPA, or PIA for DICE, either.
During the same Congressional hearing referred to in paragraph 20, Mr. Coleman claimed that in order to promote information sharing amongst the DEA and over 20 different agencies, the DEA created the Special Operations Division (“SOD”). SOD is a multi-agency, operational coordination center whose mission is to establish seamless law enforcement strategies and operations aimed at dismantling national and international trafficking organizations by attacking their command and control communications. Mr. Coleman claimed that the DEA’s information sharing is such that there is virtually no piece of non-classified information that the DEA has that state, local, or tribal law enforcement agencies cannot access. There is no publicly available PTA, IPA, or PIA for the SOD program.
In a January 15, 2015 declaration filed with the U.S. District Court for the District of Columbia, DEA Agent Robert Patterson referred to a law enforcement database no longer in use, whose name had been redacted. Agent Patterson stated in his declaration that the database consisted of telecommunications metadata obtained from United States telecommunications service providers pursuant to administrative subpoenas. Agent Patterson also stated in his declaration that the database could be used to query telephone numbers by federal law enforcement officials who have a reasonable articulable suspicion that the phone number being queried was related to a current criminal investigation. There is no publicly available PTA, IPA, or PIA for the DEA’s unnamed program.
The E-Government Act of 2002 requires agencies to perform Privacy Impact Assessments for new information technology collects personally identifiable information. As the Department of Justice notes in its guidance to DOJ components, the PIA “helps promote trust between the public and the Department increasing transparency of the Department’s systems and missions.”
EPIC has long worked to bring transparency and accountability to the efforts of law enforcement to use new surveillance and information technology that collects and stores personal information about citizens. EPIC previously filed suit for FOIA documents regarding the FBI’s surveillance programs.EPIC has also filed suit for documents related to the DEA’s Hemisphere telephone metadata collection program, one of several programs for which the DEA ought to have conducted a Privacy Impact Assessment.
Privacy assessments are a critical part of assessing the level of intrusiveness new technologies could have on ordinary citizens. The assessments are required by law and provide transparency to the public. EPIC’s FOIA litigation is designed to reveal where this transparency is lacking and highlight those privacy-evasive programs that still lack proper assessments of their impact on privacy.
Freedom of Information Act Documents
On February 20, 2015, EPIC submitted a FOIA request asking for: