CNN reported today that a U.S. Department of Justice (DoJ) audit finds the FBI has not kept good track of how many times it has ordered businesses to turn over emails, telephone records and financial information. The report has not yet been posted to the DoJ site but is supposed to be released sometime today.
According to the CNN report:
* The FBI reported that in 2005 they had delivered “a total of 9,254 national security letters” (NSLs, basically orders for surveillance) to businesses “seeking e-mail, telephone or financial information on 3,501 U.S. citizens and legal residents over the previous two years.”
The DoJ audit found this number was at least 20% too low. Adjusting for that, the actual number of times the FBI used the USA PATRIOT Act in 2005 to order businesses to turn over records containing large amounts of PII would be around 11,568 times on around 4,376 people, assuming the same 20% underreporting applied to both figures. The number of individuals could actually be much higher if the underreporting referred only to the number of NSLs.
* “Sen. Charles Schumer, a member of the Senate Judiciary Committee that oversees the FBI, called the reported findings ‘a profoundly disturbing breach of public trust.’”
A big problem with the USA PATRIOT Act is that it was created and passed so quickly, with very good intentions and goals, that it failed to include any required controls or privacy protections for the data collected. And when the Act was renewed, these important issues were not addressed.
This underreporting is just the tip of the iceberg of the accountability and controls problem. It will be interesting to see whether the actual audit also covers how the FBI protects all the data it accumulates during this surveillance.
Strong controls need to be in place to protect the PII of the individuals involved, as well as the businesses from which the FBI gathered this massive amount of data. The FBI must be accountable.
* “One government official who read the report said it concluded the problems appeared to be unintentional and that FBI agents would probably face administrative sanctions instead of criminal charges. The FBI has taken steps to correct some of the problems, the official said.”
* “A federal appeals judge in New York warned in May that government’s ability to force companies to turn over information about its customers and keep quiet about it was probably unconstitutional.”
The FBI, and other government agencies that are supposed to be protecting civil rights and citizen interests, need to be held to at least the same information security and privacy requirements as businesses, if not higher.
Until they are, businesses need to be sure they have planned how to respond if they ever get an NSL demanding surveillance or copies of sensitive information. I’ve discussed this in the past here, here and here.
Tags: awareness and training, corporate governance, DoJ, email, government, Information Security, IT compliance, National Security Letters, NSA, Patriot Act, personal data protection, phone calls, privacy, surveillance, USA PATRIOT Act