1.

HATCHING THE EGGS IN THE SERPENT'S NEST
By Jim O. Madison

** EPIC describes how, with almost no public discussion, a full-blown national network of state-and-corporate intelligence "fusion centers" has been set up and is now in use **

United for Peace of Pierce County (WA)
May 18, 2008

The term "fusion center" is almost unknown to the general public. The reason: the mainstream media in the United States have, with rare exceptions, totally ignored the growth of this extraordinary and unprecedented institution, a growth that is regarded with apprehension by civil liberties organizations like the ACLU.

But a D.C. privacy group, the Electronic Privacy Information Center (EPIC), has posted a fine backgrounder on the history of the fusion center movement.[1] Since it is long (5,600 words), cumbersome, and difficult to read, we summarize it here.

EPIC's summary suggests that the Total Information Awareness project that Congress supposedly killed in 2003 has never died, and is now almost complete. --

"A NATIONAL NETWORK OF INFORMATION HIVES"

Congress's shutting down in September 2003 of a "Total Information Awareness" data-mining project that was outed in November 2002 and that became controversial in part because it was headed by a controversial figure, convicted felon Adm. John Poindexter, failed to put a stop to "other government data-mining initiatives that are similar to TIA," EPIC explains.[2]

In particular, a Dept. of Justice project called the National Criminal Intelligence Sharing Plan, to be managed by something called the Global Justice Information Sharing Initiative ("Global" for short), led to the formation of a group that in December 2004 published a framing document. Global published guidelines in August 2005 that defined the "principal role of the fusion center." Under these guidelines, the terrorism focus was replaced by a generalized interest in "efforts to anticipate, identify, prevent, and/or monitor criminal/terrorist activity" as part of a movement in law enforcement called "intelligence-led policing."

Also disturbing was the militarist mindset evident in the way in which, in two sentences, "intelligence and information" morphed into "criminal information and intelligence" to be used for "strategic" and "tactical" purposes. Although a Congressional Research Service Report on Fusion Centers pointed out a number of problems with the guidelines, the Department of Homeland Security nevertheless set an objective to, in EPIC's words, "create by 2008 a network of fusions centers as a unique law enforcement and threat information resource that could facilitate 'across jurisdictions and functions' supported by 'multidisciplinary teams' dispersed throughout a national network of information hives."

"NATIONAL-LEVEL INTEROPERABLE INFORMATION SHARING AND DATA EXCHANGE"

Through the August 2005 guidelines, what had, supposedly, originally been an effort to create *local*, more supple informational fusion centers, moved toward becoming “national-level interoperable information sharing and data exchange" according to a "National Information Exchange Model," with an additional goal of "institutionalizing the relationships between the fusion center and the public safety and private sector partners." "The goal," EPIC explained, is not so much to create local intelligence fusion centers as to "get local, state, federal law enforcement, and government agencies, and private sector data warehouses into the same project."

So extensive is the data-gathering enterprise that "[i]t would be very difficult to imagine someone living within the United States who would not have one or multiple points of information confluence in the proposed system," EPIC observed.

Under the Intelligence Reform and Terrorism Prevention Act of 2004, "national intelligence" includes everything, without any limits whatsoever: "all intelligence, regardless of the source from which derived and including information gathered within or outside the United States."

Total Information Awareness, it is clear, was never ended after all. And the system is up and running, as EPIC's dispassionate concluding sentence states: "Fusion Centers are in use without appropriate oversight or justification for their application for routine law enforcement matters or the vast collection, processing, and analysis of privacy and public information databases."

***

2.

INFORMATION FUSION CENTERS AND PRIVACY -- BACKGROUND

Electronic Privacy Information Center
[2008]

http://epic.org/privacy/fusion/#news

"Fusion centers" are a means of bringing together information from distributed sources for the purpose of collection, retention, analysis, and dissemination. The term "fusion center" seems to have originated from the Department of Defense (DoD), and refers to the fusing of information for analysis purposes. On November 9, 2002, the New York Times disclosed a massive DoD fusion center project managed by the Defense Advanced Research Project Agency (DARPA) known as Total Information Awareness (TIA). DARPA was developing a tracking system intended to attempt to detect terrorists through analyzing troves of information.

The project called for the development of "revolutionary technology for ultra-large all-source information repositories," which would contain information from multiple sources to create a "virtual, centralized, grand database." This database would be populated by transaction data contained in current databases such as financial records, medical records, communication records, and travel records, as well as new sources of information. Also fed into the database would be intelligence data.

A key component of the TIA project was headed by Admiral John Poindexter, former National Security Advisor to President Reagan. TIA was to develop data-mining or knowledge discovery tools that would sort through the massive amounts of information to find patterns and associations. TIA would also develop search tools such as Project Genoa, which Admiral Poindexter's employer, prior to his return to the federal government, Syntek Technologies, assisted in developing. TIA aimed to fund the development of more such tools and data-mining technology to help analysts understand and even "preempt" future action.

A further crucial component was the development of biometric technology to enable the identification and tracking of individuals. DARPA had already funded its "Human ID at a Distance" program, which aimed to positively identify people from a distance through technologies such as face recognition or gait recognition.

In August 2002, the International Association of Chiefs of Police released the recommendations of its Criminal Intelligence Summit held March 7-8, 2002, with the final document coming from the DoJ's office of Community Oriented Policing Services (COPS). The report acknowledged that the problems identified following the September 11, 2001, terrorist attacks were found to be with "intelligence exchange between national agencies . . ." Then the report quickly endorsed the creation of a Criminal Intelligence Coordinating Council to implement the National Intelligence Plan that would engage local, state, and federal law enforcement agencies in a database sharing environment. The plan addressed the legal impediments to the effective transfer of criminal intelligence between authorized local, state, and federal law enforcement agencies. This plan became the superstructure for the next domestic Fusion Center effort by advocating for the creation of the Criminal Intelligence Coordinating Council and charged it with accomplishing a number of goals: ''Ensure compatible policy standards, guidelines and operating procedures in the further development and integration of existing intelligence sharing systems (including standards for the collection, analysis, dissemination, storage, and purging of information); create standards for participation in the Council and coordinated intelligence network; promulgate standards and guidelines; publicize and enforce sanctions for the misuse of information from the coordinated network . . . Create a funding plan . . . eliminate barriers in . . . laws and polices that limit intelligence sharing . . ."

The Criminal Intelligence Summit participants stressed the need to not limit the data sharing to terrorism or terrorist related activity, but to extend it to all criminal intelligence under the general heading of "Intelligence-Led Policing." Criminal intelligence was defined as ''the combination of credible information with quality analysis -- information that has been evaluated and from which conclusions have been drawn." The report supported the expanding of the information's sharing database effort to be extended to court records, emergency management personnel, and "specialized security forces of particular situation-relevant intelligence."

The plan to overcome barriers to intelligence sharing included the following: "The 'hierarchy' within the law enforcement and intelligence communities. In some cases real and in others only perceived, the hierarchical organization of law enforcement and intelligence agencies (with federal agencies being at the 'top' of the pyramid and local, state, county, and tribal agencies further down) leads to organizational incentives against intelligence sharing and even anti-sharing cultures. At best, the disaggregation of activity means that managers in one agency might not imagine that others would find their intelligence data useful. At worst, the structure creates an 'us' versus 'them' mentality that stands in the way of productive collaboration."

A key goal of the proposal establishes the need to "[c]reate a marketing strategy to increase stakeholder participation in the intelligence sharing process and conduct public education to promote acceptance of the system overall."

In September 2003, Congress eliminated funding for the controversial TIA project and closed the Pentagon's Information Awareness Office, which had developed TIA. It was not believed to signal the end of other government data-mining initiatives that are similar to TIA. Projects such as the Novel Intelligence from Massive Data within the Intelligence Community Advanced Research and Development Activity (ARDA) moved forward. The FBI and the Transportation Security Administration were also working on data-mining projects that fused commercial databases, public databases, and intelligence data, and had meetings with TIA developers.

In October 2003, the National Criminal Intelligence Sharing Plan was published by the Justice Department's project, the Global Justice Information Sharing Initiative ("Global"). The report states that 75% of the law enforcement agencies within the United States have less than 24 sworn officers. The report's goal is to provide these small law enforcement agencies with the same ability as big city, state, and federal law enforcement offices to develop, gather, access, receive, and share intelligence information. "The need to increase availability of information, from classified systems to local and state law enforcement agencies, for the prevention and investigation of crime in their jurisdictions . . . The need to identify an intelligence information sharing capability that can be widely accessed by local, state, tribal, and federal law enforcement and public safety agencies."

The proposal recommended the establishment of a Criminal Intelligence Coordinating Council (CICC or Council) composed of local, state, tribal, and federal law enforcement executives. The Council was recommended to operate under the direction of the Global Advisory Committee and would be charged with monitoring the implementation of the National Intelligence Sharing Plan. A few members of the Global Advisory Committee include: Administrative Office of the U.S. Courts, American Association of Motor Vehicle Administrators, American Corrections Association, American Probation and Parole Association, Conference of State Court Administrators, Executive Offices for U.S. Attorneys, FBI Criminal Justice Information Services Division, International Association of Chiefs of Police, INTERPOL-USNCB, National Conference of State Legislatures, National Council of Juvenile and Family Court Judges, National District Attorneys Association, National Governors Association, National Legal Aid and Defender Association, Department of Homeland Security, Department of Justice-Justice Management Division, and the U.S. Drug Enforcement Agency.

The report also moved the goal to not just involve law enforcement, the courts, and emergency management databases, but to extend its reach to private entities.

During this same period of time, another fusion center initiative came under public scrutiny in the National Criminal Intelligence Sharing Plan as a data warehouse -- the Multi-state Anti-Terrorism Information Exchange (MATRIX) project which acted as a prototype database system run by the State of Florida and Seisint, a private company. Built by a consortium of state law enforcement agencies, MATRIX proposed to combine public records and private record data from multiple databases with data analysis tools. MATRIX was established with the assistance of the Institute for Intergovernmental Research’s Global Justice Information Sharing Initiative. The program collapsed when it was disclosed to the public, and states were pressured by residents to withdraw from the program.

In March 2004, the MATRIX project was on its last gasp, when the states of New York and Wisconsin withdrew their participation in the project. By May 14, 2004, the Criminal Intelligence Coordinating Council proposed by the National Criminal Intelligence Sharing Plan became an official project of the Department of Justice.

LATEST GOVERNMENT INFORMATION FUSION CENTER INITIATIVE

May 2004, the Department of Justice announced its progress in implementing the National Criminal Intelligence Sharing Plan. The announcement made public the decision to create a Criminal Intelligence Coordinating Council (CICC) that would be managed by Global. By December 2004, the push for a national Fusion Center initiative received a boost when the Department of Justice sponsored Global Infrastructure/Standards Working Group published A Framework for Justice Information Sharing: Service Oriented Architecture (SOA). States using local, state, and federal funds created information Fusion Centers. In August 2005, Global published the Fusion Center Guidelines: “The principal role of the fusion center is to compile, analyze, and disseminate criminal/terrorist information and intelligence and other information (including, but not limited to, threat, public safety, law enforcement, public health, social services, and public works) to support efforts to anticipate, identify, prevent, and/or monitor criminal/terrorist activity. This criminal information and intelligence should be both strategic (i.e., designed to provide general guidance of patterns and trends) and tactical (i.e., focused on a specific criminal event).”

A Congressional Research Service Report on Fusion Centers outlined several fundamental problems with the Guidance on Fusion Center development: first, adherence is voluntary, second, the philosophy outlined is generic and does not translate theory into practice, and third, they are oriented toward the mechanics of Fusion Center establishment. The majority of regional Fusion Centers are concentrated in large urban areas. The jurisdiction of these centers are also covered by state Fusion Centers, but there is a question regarding how overlapping jurisdictions are managed.

The CRS Report on Fusion Centers also point out that there is no single legal authority that governs the operation of Fusion Centers.

The Department of Homeland Security set out an objective to create by 2008 a network of fusions centers as a unique law enforcement and threat information resource that could facilitate “across jurisdictions and functions” supported by “multidisciplinary teams” dispersed throughout a national network of information hives.

TURNING FUSION CENTERS INTO HARDWARE AND SOFTWARE

The Global Infrastructure/Standards Working Group's report *A Framework for Justice Information Sharing: Service Oriented Architecture (SOA), stated: "The purpose of this report is to describe the recommendation of the Global Justice Information Sharing Initiative (Global) Advisory Committee (GAC) for the operational requirements of justice agencies and the requirements for a national community."

In August 2005 Global Justice Information Sharing Initiative and Department of Homeland Security, Fusion Center Guidelines were published. The guidelines stated the software of the choice as being Extensible Markup Language (XML), which facilitates efficient and near real time sharing of information resident on geographically dispersed databases. The initiative promotes the data sharing among law enforcement though the use of a common platform that can be used on existing hardware. The goal is to achieve a low cost method of removing barriers to data sharing among beat officers, court records, state records, jails, and prisons, that is efficient and effective.

The Fusion Center Guidelines endorses the use of the new database sharing capability created by the open source XML standards. This open standards programming language provides users with a data sharing capability that would not require the replacement or redesign of existing system. This programming language allows the identification of fields of information through the use of a translation feature that accomplishes its task between the system being asked for information, and the end requester. In this process the source of the data and the recipient do not need to change their system to participate in the information exchange network.

The interesting aspects of the proposal are the promotion of a national collection and analysis of information. The “National Information Exchange Model” proposed for the fusion centers is designed to create the building blocks for “national-level interoperable information sharing and data exchange that will integrate the public safety and private sector entities to the already established law enforcement exchange.”

Exchanging information is only the beginning of the process, the goal is “institutionalizing the relationships between the fusion center and the public safety and private sector partners.” The Global recommendations make the case for distributed and centralized data management systems. Saying that distributed systems will allow the data controller to be in charge of access, while the centralized process would allow the fusion center to manage the data. A white paper examining strategies for enhancing the sharing of information pointed out that successful distributed and centralized information-sharing systems are in operation today. The goal is to get local, state, federal law enforcement, and government agencies, and private sector data warehouses into the same project.

In September 14, 2006 the Department of Homeland Security reported that 38 state and local Information Fusion Centers supported by $380 million in federal dollars were operational. The investment in time, energy, and resources are focused on one objective maximizing access to the greatest amount of information as possible.

WHERE WILL THE DATA COME FROM?

Appendix C of the Guidelines outlines a detailed list of entities that should be included in the local and state fusion center matrix.

Agriculture
Food
Water
Environment
Banking and Finance
Chemical Industry
Hazardous Materials
Criminal Justice
Retail
Real Estate
Education
Emergency Services
Energy
Government
Health
Public Health Services
Social Services
Transportation
Hospitality and Lodging
Information & Telecom
Military Facilities
DOD Industrial Base
Postal and Shipping
Private Security
Public Works

(Source Fusion Center Guidelines: Appendix C)

The proposal directs that information categories could fall into one of two types: strategic and tactical information. Strategic information may provide data on individuals not under criminal investigation or operations that an entity manages, and tactical information may provide data be in support of ongoing criminal investigations. It would be very difficult to imagine someone living within the United States who would not have one or multiple points of information confluence in the proposed system. The Fusion Center guidance said the following about the “Fusion Center Functions”: “ The principal role of the fusion center is to compile, analyze, and disseminate criminal/terrorist information and intelligence and other information (including, but not limited to, threat, public safety, law enforcement, public health, social services, and public works) to support efforts to anticipate, identify, prevent, and/or monitor criminal/terrorist activity. This criminal information and intelligence should be both strategic (i.e., designed to provide general guidance of patterns and trends) and tactical (i.e., focused on a specific criminal event).”

The Fusion Center Guidelines repeatedly stress the importance of collaboration and cooperation, to the success of the center. The focus of the work of fusion centers will not be limited to terrorism or terrorist activity, but will according to the appendices of the Fusion Center Guidelines extend to among other things the investigation of persons on public assistance, illicit drugs, traffic accidents, and aviation accident analysis.

The range of information to be collected by service providers who participate in the fusion center effort could include: all sources of financial records kept by banking institutions; all contacts with the criminal justice system by criminals and non-criminals, all forms of education (day cares, preschools, primary and secondary schools, colleges and universities, and technical schools); government issued licenses and permits, access to medical records held by hospitals, public health, and primary care physicians, hospitality and lodging, information, and telecommunication service providers, military facilities, and defense industrial base; postal and shipping services, private security (alarm companies, armored car companies, investigative firms, corporate security offices); public works; social services; and transportation. The appendices of the Fusion Center Guidelines list the following as data collection targets:

Banking & Finance, IT/Telecom

Banks
Credit Cards Co.
Credit Reports
Securities firms
Financial services
ISPs
Telecommunication
E-mail Providers
Cyber Security Co.

Health & Education

Day Care Centers
Preschools
Colleges/Universities
Technical Schools
Mental Health
Physician Patient Info
Local Hospitals
Private EMS
Veterinary

Jails/Prisons/Court Records

Gang Information
Names of Associates
Relatives
Jail/Prison Visitors
Biographical Info.
Traffic Accident
Tribal Law Enforcement
County Clerk
US Courts

Federal, State, Local Gov. (Permits Licenses)

Game and Fish
DMV Records
Vehicle Registrations
Civil Records
Property Appraiser
Mortgages
Deeds
Civil Suits
Hospitality & Lodging

Gaming Industry
Sports Authority
Sporting facilities
Amusement parks
Cruise lines
Hotels, motels, resorts
Convention Centers

Along with a host of local, state, and federal law enforcement agencies, private companies also participated in the Public Safety Fusion Group, which included Walt Disney World Company, Fidelity Investments, Microsoft, and Archer Daniels Midland. The goal is to, within the fusion center environment, integrate “nontraditional customers of information and intelligence'' with traditional customers of information analysis. Fusing of information based on an identified threat, criminal predicate, or public safety by the seamless collection, collating, blending, analyzing, disseminating, and use of information intelligence is the goal. The intelligence and analysis of information is proposed to be base on the needs of users, with the list of users including all levels and types of law enforcement, intelligence community, DOD, private sector entities -- it appears the official uses could be limitless.

The definition of “national intelligence” was changed by the enactment of the Intelligence Reform and Terrorism Prevention Act of 2004, bill to reform the intelligence community and the intelligence and intelligence-related activities of the United States Government. “The terms ‘national intelligence’ and ‘intelligence related to national security’ refer to all intelligence, regardless of the source from which derived and including information gathered within or outside the United States . . .”

The new law also defines the “information sharing environment,” (ISE) as “The President shall . . . ensure that the ISE provides and facilitates the means for sharing terrorism information among all appropriate Federal, State, local, and tribal entities, and the private sector through the use of policy guidelines and technologies. The President shall, to the greatest extent practicable, ensure that the ISE provides the functional equivalent of, or otherwise supports, a decentralized, distributed, and coordinated environment that . . . connects existing systems, where appropriate, provides no single points of failure, and allows users to share information among agencies, between levels of government, and, as appropriate, with the private sector . . . ensures direct and continuous online electronic access to information . . . facilitates the availability of information in a form and manner that facilitates its use in analysis, investigations, and operations . . . builds upon existing systems capabilities currently in use across the Government.”

The focus of fusion centers is on information collection as a means of determining crime trends with an eye toward predicting crime before it occurs. The “four major desired outcomes” for fusion centers are: the reduction of the [incidence] of crime; suppression of criminal activity; the regulation of noncriminal conduct; the provision of services.

In September 14, 2006, the Department of Homeland Security reported that 38 state and local Information Fusion Centers supported by $380 million in federal dollars were operational. The investment in time, energy, and resources are focused on one objective -- maximizing access to the greatest amount of information as possible. States with operational fusion centers as of June 2007, (source State and Regional Intelligence Fusion Center Contact Information) include:

Alabama
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
District of Columbia
Florida
Georgia
Illinois
Indiana
Iowa
Kansas
Louisiana
Maine
Maryland
Massachusetts
Minnesota
Missouri
Montana
New Jersey
New York
North Dakota
Ohio
Oregon
Pennsylvania
South Carolina
Tennessee
Texas
Vermont
Virginia
Washington
West Virginia

States in the process of developing information fusion centers include: Kentucky, Michigan, Mississippi, North Carolina, Rhode Island, South Dakota, and Wisconsin.

On March 8, 2006, the following states did not have and were not in the process of developing fusion centers: Hawaii, Idaho, Nebraska, Nevada, New Hampshire, New Mexico, Oklahoma, and Wyoming.

WHERE IS THE FUNDING COMING FROM TO SUPPORT FUSION CENTERS

The Fusion Center Guidelines Chapter 14 is titled "Offer a variety of intelligence services and products to customers." The output of the fusion center process is called "product," and it is recommended that the work of the centers not be limited to "intelligence product dissemination." The National Criminal Intelligence Sharing Plan states that "Criminal intelligence results from a process that begins with planning and direction, followed sequentially by: information collection, processing/collation, analysis, dissemination, and reevaluation (feedback) of information on suspected criminals and/or organizations."

The Guidelines recommend that Fusion Centers "produce both strategic and tactical" information and suggest a list of services and products to produce:

Investigative and tactical response
Proactive strategic analysis
Intelligence support for investigations
Visual investigative analysis
Alerts and notifications
Deconfliction
Target identification
Critical Infrastructure analysis
Training Opportunities
Geospatial Imaging
Criminal backgrounds and profiles
Case correlation
Crime-pattern Analysis
Association, link, and network analysis
Telephone-toll analysis
Flowcharting
Financial analysis
Intelligence reports and briefings
Threat assessments
Terrorism calendar

The initial support for the program came from federal funding, but the Fusion Center Guidelines include advice on keeping the doors open once up and running. The Fusion Center Guidelines Chapter 17 recommends that centers leverage existing resources and funding from participants. One means suggested for accomplishing this is found in Chapter 5 of the Guidelines, which supports the use of "Utilize Memoranda of Understanding (MOUs) and Non-Disclosure Agreements (NDAs), or other types of agency agreements . . ."

MOUs are seen as a means of ensuring resource commitments from participants. The guidance also states the importance of identifying the return on investments made by Fusion Center partners.

Memorandum of Understanding are informal agreements that are not contracts. The MOU is a policy document, used to establish ground rules for a particular purpose, project, or effort. In the case of Fusion Centers an MOU is reached among participating entities. A representative of each participating organization must sign the agreement on the entities behalf. A series of internal directives may also be used to further refine the goals, purposes, and objectives of the Fusion Center.

Unlike MOUs NDAs do have a legal consequence if violated -- these agreements are often associated with sensitive or proprietary information. The NDA offers a another level of protection for those who engage in the sharing of secret or protected information. In this context the guidelines specifically mention the vulnerability of private sector participants who engage in the sharing of sensitive information. According to the Guidelines, "[T]he NDA provides private sector entities an additional layer of security, ensuring the security of private sector proprietary information and trade secrets." One of the types of information sought that is not related to physical protection of facilities are customer and client lists.

In March 2007, in a speech given by John S. Pistole Deputy Director of the Federal Bureau of Investigation at the National Fusion Center Conference held in Destin, Florida revealed that 200 FBI agents had been assigned to 33 Fusion Centers.

JUSTIFYING FUSION CENTER DEVELOPMENT

The National Criminal Intelligence Sharing Plan released in October 2003 suggest that the events of September 11, 2001, were related to barriers that prevented information and intelligence sharing by local and state law enforcement agencies. This conclusion runs counter to the findings of the report by the National Commission on Terrorists Attacks released in July 2004. The Commission's report recounted that by July 2001 the heightened number of threat advisories had reached a level not seen since the Millennium bomb plot of 1999, which was averted. The report's Chapter 8, "The System was Blinking Red," stated that on July 2 the FBI issued a general threat advisory to local and state law enforcement agencies regarding the possibility of a terrorist attack; they were directed to "exercise extreme vigilance and report suspicious activities to the agency." On July 5, the Immigration and Naturalization Service (INS), the FAA, the Coast Guard, the Secret Service, Customs, the CIA, and FBI met with the White House on the threat situation and were told not to share with others the threat information they received.

In April 2004, it was reported to the 9-11 Commission that the CIA and the FBI still could not search each other’s terrorist databases. The barriers were a lack of interoperability among databases used by the two agencies.

Some point to Hurricane Katrina and its aftermath as a motivation for Fusion Center development.

WHERE DOES PRIVACY AND CIVIL LIBERTIES PROTECTION FIT?

A July 2007 CRS report on Fusion Centers stated that ''[c]urrently, the states' legal authorities recognizing or establishing a fusion center range from nonexistent, to memorandum of agreements by the partnering agencies, and in one case a state statue, which defines the center and its responsibilities." The Fusion Center development process has originate[d] from existing local and state law enforcement agencies.

There are questions about the focus on privacy and civil liberties considerations within the development of the Global Justice Information Sharing Initiative and Department of Homeland Security Fusion Center Guidelines. The guidelines were published in the summer of 2005, but the Global Privacy and Information Quality Working Group issued its final report a Privacy Policy Development Guide and Implementation Templates in October 2006. While the report lauded the importance of privacy protections from conception through implementation of a information sharing initiative, it said this about building of a project team, “The project team should have access to subject-matter experts in areas of privacy law and technical systems design and operations, as well as skilled writers, but these individuals do not necessarily have to be team members.”

The 28 Code of Federal Regulations (CFR) Part 23 also known as (28 CFR Part 23) is cited in the National Criminal Intelligence Sharing Plan as the rule that allegedly provide "privacy protection for data subjects. The regulation addresses the management of inter- and multi-jurisdictional criminal intelligence sharing systems operated by local and state law enforcement or on their behalf. For example, on the issue of data accuracy, source information can be "Reliable," " Usually Reliable," or " Unreliable"; while the content accuracy can be deemed to be "Confirmed," "Probable," or "Doubtful." Further, when local and state criminal data sharing entities are faced with the following question, "Can the names of individuals or organizations not reasonably suspected of involvement in criminal activity be included in a criminal intelligence database?" the answer is yes. Regarding when the system can be accessed, the code is said to support unlimited reasons for use of the database, adding that there is no need to have reasonable suspicion.

Federal rules regarding the accuracy of criminal databases does not fare better than the state guidance. In 2003 the FBI established a new rule exempting the National Crime Information Center (NCIC) system from the accuracy requirements of the Privacy Act of 1974. The NCIC database provides over 80,000 law enforcement agencies with access to a computerized network of more than 39 million records regarding criminal activity. For the past thirty years, the FBI has operated the NCIC database with the Privacy Act accuracy requirement in place. The relevant provision requires that any agency that maintains a system of records "maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individuals in the determination." Circumventing that statutory obligation poses significant risks not only for individuals whose record files may be part of this data system, but also for communities that rely on law enforcement to employ effective, reliable tools for ensuring public safety.

In March 2002, the FBI set a new record for inquiries processed in one day, responding to 3,295,587 requests. On average, there are 2.8 million transaction processed each day, with an average response time of 0.16 seconds. As a result, any error in the NCIC database can spread across the country in less than a second.

Several well publicized incidents demonstrate the consequences of inaccurate and incomplete information in the NCIC. In one case, a Los Angeles man was arrested five times, three at gunpoint, due to an error in the NCIC [see Rogan v. Los Angeles, 668 F. Supp. 1384 (C.D. Cal. 1987)]. In this case an escaped prisoner assumed the identity of an innocent person and then committed a robbery and murder. In another instance of criminal database error, a Phoenix resident who was pulled over for driving the wrong way down a one-way street was arrested after an NCIC inquiry erroneously revealed an outstanding misdemeanor arrest warrant that had been quashed weeks earlier.

These incidents, and others like them, reveal the potential harms that individuals may face if the records in the NCIC database are not accurate. These incidents demonstrate that the FBI should work to improve the accuracy of this system of records, rather than administratively exempt itself of this important duty. Unfortunately, the National Criminal Intelligence Sharing Plan does not endorse data accuracy.

THE PRIVACY ACT OF 1974

The Privacy Act of 1974, Public Law 93-579, was established with the express purpose of guarding against these types of government database abuses by setting standards for the quality of data the government collects about individuals. It safeguards privacy through creating four procedural and substantive rights in personal data. First, it requires government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called "fair information practices," when gathering and handling personal data. Third, it places restrictions on how agencies can share an individual's data with other people and agencies. Fourth, and finally, it lets individuals sue the government for violating its provisions.

In passing the Act, Congress found that "the opportunities for an individual to secure employment, insurance, and credit, and his rights to due process, and other legal protections are endangered by the misuse of certain information systems," and therefore "it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information by such agencies." To that end, Congress passed the Act to ensure, among other things, that any information held by the government would be "current and accurate for its intended use."

The Privacy Act is a powerful tool for providing protection to people against government abuses when it is applied. Unfortunately, the Act allowed certain government agencies that are engaged in law enforcement the power to excuse themselves from the Act's rules. Agencies have also circumvented information sharing rules by exploiting a "routine use" exemption. It is unclear how the merging of law enforcement purposes with non-law enforcement purposes would play out, but what is clear is that legal challenges would create new areas for local, state, and federal courts to review the fusion center process.

The foundations of the Privacy Act are the elements of the Code of Fair Information Practices that are codified by that law. The Code of Fair Information Practices is cited three times in the Privacy Policy Development Guide and Implementation Templates drafted by the Global Privacy and Information Quality Working Group of the DOJ’s Global Justice Sharing Initiative. None of the citations enumerated the Code of Fair Information Practices or its history.

The Code for Fair Information Practices is the central contribution of the HEW (Health, Education, Welfare) Advisory Committee on Automated Data Systems. The Advisory Committee was established in 1972, and the report released in July. The citation for the report is as follows: "U.S. Dept. of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens viii (1973)." The Code of Fair Information Practices is based on five principles:

1. There must be no personal data record-keeping systems whose very existence is secret.

2. There must be a way for a person to find out what information about the person is in a record and how it is used.

3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.

4. There must be a way for a person to correct or amend a record of identifiable information about the person.

5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.

In the context of fusion centers, no one knows the rules that will bring someone under scrutiny and what the consequences of that scrutiny might be.

• December 2006, an article on the Salt Lake City Police Department’s fusion center efforts described it as “a way of tracking information that comes in from community groups like community councils and neighborhood watch, as well as the mayor’s office. (Source: Deseret Morning News, "Police Idle Community Action Team," December 19, 2006)

• January 2007, an article cites the Sacramento-based intelligence fusion center for indictments filed against California Healthcare Collective for illegal marijuana farming. (Source: Fresno Bee, "Valley Drug-Fighters Honored," January 18, 2007)

• March of 2007, [when] the Governor of California supported the creation of a “Baca Countywide Gang Assessment Center,” he referred to as a fusion center. (Source: Whittier Daily News, "Governor Pledges Help in Battle against Gangs," March 5, 2007)

The Washington Post reported on June 14, 2007, that the agency conducted a self-audit of 10 percent of its records on National Security Letter use and found over 1,000 violations. The majority of the violations were associated with the obtaining of telephone records from telecommunication service providers. The FBI acted in the wake of criticism that resulted from an earlier Department of Justice Inspector General report, which determined that the FBI abused the National Security Letter authority established by the Patriot Act.

Fusion Centers are in use without appropriate oversight or justification for their application for routine law enforcement matters or the vast collection, processing, and analysis of privacy and public information databases.