EPIC v. DEA - Privacy Impact Assessments
- EPIC Recommends Scrutiny of DEA Surveillance Programs: In a letter to the House Judiciary Committee for an oversight hearing, EPIC highlighted civil liberties problems with DEA programs. In 2014, EPIC sued the DEA for information about the agency's Hemisphere program, a massive telephone record database. More recently, EPIC prevailed in a FOIA lawsuit that revealed the DEA's failure to conduct privacy assessments required by law, for the agency's license plate scanning program. In the letter EPIC urged the Committee to investigate the Hemisphere program and determine whether the agency will complete privacy impact statements for agency programs as required by law. (Apr. 4, 2017)
- EPIC FOIA Lawsuit Reveals Failure to Conduct Privacy Assessments for DEA Surveillance Programs: In response to an EPIC FOIA lawsuit, EPIC has learned that the Drug Enforcement Administration never completed privacy impact assessments for the agency's massive license plate reader program, a telecommunications records database, and other systems of public surveillance. Despite a federal judge instructing the agency to search for records in response to the FOIA lawsuit, the DEA failed to produce the privacy assessments required by law. The outcome of EPIC v. DEA raises questions about the privacy review of the agency systems funded by Congress. EPIC is currently litigating a similar lawsuit against the FBI. (Nov. 7, 2016)
- EPIC Sues Drug Enforcement Administration For Release of Privacy Assessments: EPIC has filed a Freedom of Information Act lawsuit to obtain details about the Drug Enforcement Administration’s surveillance programs. The agency is required to publish privacy impact assessments for its data collection programs. However, the agency has failed to make available privacy impact assessments for many of its programs, including the massive cell phone metadata program "Hemisphere" and a nationwide license plate reader program. EPIC has a related lawsuit against the Federal Bureau of Investigation for that agency’s privacy impact assessments for several programs including "Next Generation Identification." (May. 1, 2015)
On February 20, 2015, EPIC filed a Freedom of Information Act (FOIA) request with the Drug Enforcement Administration for all its Privacy Impact Assessments (PIAs) that are not currently publicly available as well as all the Initial Privacy Assessment (IPA) and Privacy Threshold Analysis (PTA) documents since January 2007. The PTAs, and later the IPAs, are used to determine whether a more thorough PIA is required for the use of new information technology.
Over the past several years, the DEA has initiated several new programs that should have resulted in the completion of PIAs, IPAs, or PTAs. As of the writing of EPIC's FOIA request, however, those documents are not publicly available.
As the result of news media reports, several DEA programs that ought to have triggered the production of privacy analyses have been revealed. The Hemisphere program, about which EPIC has filed a related lawsuit, has given law enforcement direct access to an AT&T database of telephone call records since 2007. However, no PTA, IPA, or PIA for Hemisphere is publicly available.
The DEA also has a license plate reader program which should have triggered privacy analysis. In May 2012, DEA agent Douglas W. Coleman indicated in a prepared statement for a Congressional hearing that the DEA had launched a National License Plate Reader Program (“LPR”) in 2008 in response to the smuggling of illicit drug monies out of the United States. According to Mr. Coleman’s statement, the DEA’s LPR program monitors and targets vehicles, uses existing database technology, and promotes information sharing. Senators Charles Grassley and Patrick Leahy sent a letter to Attorney General Eric Holder describing their privacy concerns related to the government’s use of LPRs. However, no PTA, IPA, or PIA for the DEA’s LPR program is publicly available.
During the May 2012 hearing referenced in paragraph 20, Mr. Coleman identified a program entitled DEA Internet Connectivity Endeavor (“DICE”) that “…enables any participating federal, state, local and tribal law enforcement agency to de-conflict investigative information, such as phone numbers, email addresses, bank accounts, plane tail numbers and license plates, to identify investigative overlaps.” DICE provides access to information collected through the LPR program, and makes that data available through the internet. Reuters has reported that DICE contains approximately one billion records, including phone log data. There is no publicly available PTA, IPA, or PIA for DICE, either.
During the same Congressional hearing referred to in paragraph 20, Mr. Coleman claimed that in order to promote information sharing amongst the DEA and over 20 different agencies, the DEA created the Special Operations Division (“SOD”). SOD is a multi-agency, operational coordination center whose mission is to establish seamless law enforcement strategies and operations aimed at dismantling national and international trafficking organizations by attacking their command and control communications. Mr. Coleman claimed that the DEA’s information sharing is such that there is virtually no piece of non-classified information that the DEA has that state, local, or tribal law enforcement agencies cannot access. There is no publicly available PTA, IPA, or PIA for the SOD program.
In a January 15, 2015 declaration filed with the U.S. District Court for the District of Columbia, DEA Agent Robert Patterson referred to a law enforcement database no longer in use, whose name had been redacted. Agent Patterson stated in his declaration that the database consisted of telecommunications metadata obtained from United States telecommunications service providers pursuant to administrative subpoenas. Agent Patterson also stated in his declaration that the database could be used to query telephone numbers by federal law enforcement officials who have a reasonable articulable suspicion that the phone number being queried was related to a current criminal investigation. There is no publicly available PTA, IPA, or PIA for the DEA’s unnamed program.
The E-Government Act of 2002 requires agencies to perform Privacy Impact Assessments for new information technology that collects personally identifiable information. As the Department of Justice notes in its guidance to DOJ components, the PIA "helps promote trust between the public and the Department by increasing transparency of the Department’s systems and missions."
EPIC has long worked to bring transparency and accountability to the efforts of law enforcement to use new surveillance and information technology that collects and stores personal information about citizens. EPIC previously filed suit for FOIA documents regarding the FBI’s surveillance programs. EPIC has also filed suit for documents related to the DEA's Hemisphere telephone metadata collection program, one of several programs for which the DEA ought to have conducted a Privacy Impact Assessment.
Privacy assessments are a critical part of assessing the level of intrusiveness new technologies could have on ordinary citizens. The assessments are required by law and provide transparency to the public. EPIC’s FOIA litigation is designed to reveal where this transparency is lacking and highlight those privacy-evasive programs that still lack proper assessments of their impact on privacy.
On February 20, 2015, EPIC submitted a FOIA request asking for:
(1) All Privacy Impact Assessments the DEA has conducted that are not publicly available at http://www.dea.gov/FOIA/PIA.shtml.
(2) All Privacy Threshold Analysis documents and Initial Privacy Assessments the DEA has conducted since 2007 to present.
- EPIC FOIA Request (February 20, 2015)
- DEA Response (July 23, 2015)
- DEA Final Response (August 27, 2015)
- FOIA Documents:
- EPIC's Complaint (May 1, 2015)
- DEA's Answer (June 10, 2015)
- Joint Status Report (July 15, 2015)
- Joint Status Report (October 1, 2015)
- DEA Motion for Summary Judgment (Dec. 22, 2015)
- Declaration of Katherine L. Myrick
- Statement of Material Facts
- EPIC Cross Motion for Summary Judgment (Jan. 22, 2016)
- DEA Opposition and Reply (Mar. 9, 2016)
- EPIC Reply (Mar. 23, 2016)
- Memorandum Opinion (Sept. 13, 2016)
- Court Order (Sept. 13, 2016)
- DEA Renewed Motion for Summary Judgment (Oct. 27, 2016)
- EPIC Motion to Vacate Current Briefing Schedule (Nov. 9, 2016)
- Court Order (Nov. 10, 2016)
- OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
- DOJ Privacy Impact Assessments: Official Guidance
- DOJ Initial Privacy Assessment (IPA) Instructions & Template
- Brad Heath, U.S. secretly tracked billions of calls for decades, USA Today (Apr. 7, 2015).
- Scott Shane and Colin Moynihan, Drug Agents Use Vast Phone Trove, Eclipsing N.S.A.’s, NY Times (Sept. 1, 2013).
- Shawn Musgrave, Do the FBI’s Drones Invade Your Privacy? Sorry, That’s Private, Motherboard (July 24, 2014).
- Brianna Ehley, FBI’s Billion Dollar Facial Recognition Falls Short of Facebook’s, Fiscal Times (July 11, 2014).
- Tom Risen, Could the FBI See Your Selfies?, U.S. News (July 8, 2014).