[Congressional Record Volume 149, Number 114 (Tuesday, July 29, 2003)]
[Senate]
[Pages S10149-S10151]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. WYDEN:
  S. 1484. A bill to require a report on Federal Government use of 
commercial and other databases for national security, intelligence, and 
law enforcement purposes, and for other purposes; to the Committee on 
the Judiciary.
  Mr. WYDEN. Mr. President, I believe the United States can fight 
terrorism ferociously without gutting civil liberties. The point of the 
legislation I am introducing today is to address concerns that have 
arisen about the second part of this equation: an area of privacy that 
has gotten short shrift. That is the personal financial, medical and 
other data on millions of Americans that today is less than a 
mouseclick away from the computers of thousands of Federal bureaucrats. 
Access to and the use of that personal information by Federal 
bureaucrats is not protected by any comprehensive law.
  The power of technology that allows the Federal Government to pry 
into the personal lives of millions of Americans is only beginning to 
be understood. It is a breath-taking power, and it has come partly to 
light through the Defense Department's Terrorism Information Awareness 
Program (TIA), and through the Transportation Security Administration's 
Computer Assisted Passenger Profiling System II or CAPPSII Program. 
These and more than two dozen other agencies wield that power with 
little or no restraint.
  The legislation I am introducing with the support of a bipartisan 
group of privacy watchdog organizations, the Citizens' Protection in 
Federal Databases Act, will put the brakes on unchecked Federal data 
sweeps. It requires the Federal agencies with law enforcement or 
intelligence authority to share with Congress exactly what they are 
doing with private or public databases, why they are doing it, and most 
importantly, what, if any, privacy protections the agencies are 
affording the individuals whose sensitive information is caught up in 
those databases.
  The Citizens' Protection in Federal Databases Act also prohibits 
searches based on hypothetical scenarios.
  Apparently, some government agencies are using valuable Federal 
resources chasing hypothetical situations dreamed up without regard to 
actual intelligence or law enforcement information.
  The TIA Report to Congress in May of this year explained at length 
the program's intent to construct possible terrorist ``scenarios'' 
based on ``historical examples, estimated capabilities, and 
imagination.'' These scenarios would then be fed into database searches 
in an effort to substantiate the hypotheticals.
  This Act bans such searches. This prohibition will promote the 
efficient use of Federal law enforcement time and money and help 
protect Americans from being subject to ``virtual goose chases.''
  Since 9/11, there has been an abundance of stories regarding 
Americans being stopped, searched, or detained due to some mistaken 
information. For example, after 9/11, the FBI decided to share with 
companies across the country a list with names of people wanted for 
possible association with terrorism. This list, as part of ``Project 
Lookout,'' was sent to thousands of corporations, some of whom now use 
the list in lieu of background checks.
  Here's the problem--this list is not necessarily accurate. First of 
all, the list quickly became obsolete as the FBI checked people off. 
That means even if people were cleared by the FBI of suspicion, their 
names were still on this list. Secondly, the list has been shared so 
many times, and passed from person to person, group to group--many 
names have become misspelled and now folks, due to one or two typos, 
are being stopped as suspected terrorists.
  That story is just one example of what can happen when information is 
mishandled. It is Congress's job to make sure mistakes like these do 
not happen.
  The Citizens' Protection in Federal Databases Act is not the end of 
this issue. After shedding some light on what exactly is happening with 
personal information--the Congress must then address how to protect 
Americans from the misuse of this information.
  I am happy to be working with a strong group of privacy advocates. 
The group includes the Electronic Privacy Information Center, the 
Electronic Frontier Foundation, the Center for Democracy and 
Technology, People for the American Way, the Free Congress Foundation, 
and the American Civil Liberties Union, and they have been instrumental 
in getting strong safeguards enacted against abuses in the TIA and 
other programs. I look forward to working with these groups, and my 
Senate colleagues, to see that this bill is enacted into law.
  When tens of thousands of bureaucrats have at their fingertips all-
too-easy access to such personal information from private and public 
databases as the use of passports, driver's licenses, credit cards, 
ATMs, airline tickets, and rental cars, the American people want to 
know what is happening to their information. They want to know who 
wants access to it and why. Their personal information deserves strong 
privacy protection, and that is what this legislation is all about.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1484

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Citizens' Protection in 
     Federal Databases Act''.

     SEC. 2. FINDINGS.

       Congress makes the following findings:
       (1) Many Federal national security, law enforcement, and 
     intelligence agencies are currently accessing large 
     databases, both public and private, containing information 
     that was not initially collected for national security, law 
     enforcement, or intelligence purposes.
       (2) These databases contain personal and sensitive 
     information on millions of United States persons.
       (3) Some of these databases are subject to Federal privacy 
     protections when in private sector control.
       (4) Risks to personal privacy are heightened when personal 
     information from different sources, including public records, 
     is aggregated in a single file and made accessible to 
     thousands of national security, law enforcement, and 
     intelligence personnel.
       (5) It is unclear what standards, policies, procedures, and 
     guidelines govern the access to or use of these public and 
     private databases by the Federal Government.
       (6) It is unclear what Federal Government agencies believe 
     they legally can and cannot do with the information once 
     acquired.
       (7) The Federal Government should be required to adhere to 
     clear civil liberties and privacy standards when accessing 
     personal information.
       (8) There is a need for clear accountability standards with 
     regard to the accessing or usage of information contained in 
     public and private databases by Federal agencies.
       (9) Without accountability, individuals and the public have 
     no way of knowing who is reading, using, or disseminating 
     personal information.
       (10) The Federal Government should not access personal 
     information on United States persons without some nexus to 
     suspected counterintelligence, terrorist, or other illegal 
     activity.

     SEC. 3. LIMITATION ON USE OF FUNDS FOR PROCUREMENT OR ACCESS 
                   OF COMMERCIAL DATABASES PENDING REPORT ON USE 
                   OF INFORMATION.

       (a) Limitation.--Notwithstanding any other provision of 
     law, commencing 60 days after the date of the enactment of 
     this Act, no funds appropriated or otherwise made available 
     to the Department of Justice, the Department of Defense, the 
     Department of Homeland Security, the Central Intelligence 
     Agency, the Department of Treasury, or the Federal Bureau of 
     Investigation may be obligated or expended by such department 
     or agency on the procurement of or access to any commercially 
     available database unless such head of such department or 
     agency submits to Congress the report required by subsection 
     (b) not later than 60 days after the date of the enactment of 
     this Act.
       (b) Report.--(1) The Attorney General, the Secretary of 
     Defense, the Secretary of Homeland Security, the Secretary of 
     the Treasury, the Director of Central Intelligence, and the 
     Director of the Federal Bureau of Investigation shall each 
     prepare, submit to the appropriate committees of Congress, 
     and make available to the public a report, in writing, 
     containing a detailed description of any use by the 
     department or agency under the jurisdiction of such official, 
     or any national security, intelligence, or law enforcement 
     element under the jurisdiction of the department or agency, 
     of databases that were obtained from or remain under the 
     control of a non-Federal entity, or that contain information 
     that was acquired initially by another department or agency 
     of the Federal Government for purposes other than national 
     security, intelligence or law enforcement, regardless of 
     whether any compensation was paid for such databases.
       (2) Each report shall include--
       (A) a list of all contracts, memoranda of understanding, or 
     other agreements entered into by the department or agency, or 
     any other national security, intelligence, or law enforcement 
     element under the jurisdiction of the department or agency 
     for the use of, access to, or analysis of databases that were 
     obtained from or remain under the control of a non-Federal 
     entity, or that contain information that was acquired 
     initially by another department or agency of the Federal 
     Government for purposes other than national security, 
     intelligence, or law enforcement;
       (B) the duration and dollar amount of such contracts;
       (C) the types of data contained in the databases referred 
     to in subparagraph (A);
       (D) the purposes for which such databases are used, 
     analyzed, or accessed;
       (E) the extent to which such databases are used, analyzed, 
     or accessed;
       (F) the extent to which information from such databases is 
     retained by the department or agency, or any national 
     security, intelligence, or law enforcement element under the 
     jurisdiction of the department or agency, including how long 
     the information is retained and for what purpose;
       (G) a thorough description, in unclassified form, of any 
     methodologies being used or developed by the department or 
     agency, or any intelligence or law enforcement element under 
     the jurisdiction of the department or agency, to search, 
     access, or analyze such databases;
       (H) an assessment of the likely efficacy of such 
     methodologies in identifying or locating criminals, 
     terrorists, or terrorist groups, and in providing practically 
     valuable predictive assessments of the plans, intentions, or 
     capabilities of criminals, terrorists, or terrorist groups;
       (I) a thorough discussion of the plans for the use of such 
     methodologies;
       (J) a thorough discussion of the activities of the 
     personnel, if any, of the department or agency while assigned 
     to the Terrorist Threat Integration Center; and
       (K) a thorough discussion of the policies, procedures, 
     guidelines, regulations, and laws, if any, that have been or 
     will be applied in the access, analysis, or other use of the 
     databases referred to in subparagraph (A), including--
       (i) the personnel permitted to access, analyze, or 
     otherwise use such databases;
       (ii) standards governing the access, analysis, or use of 
     such databases;
       (iii) any standards used to ensure that the personal 
     information accessed, analyzed, or used is the minimum 
     necessary to accomplish the intended legitimate Government 
     purpose;
       (iv) standards limiting the retention and redisclosure of 
     information obtained from such databases;
       (v) procedures ensuring that such data meets standards of 
     accuracy, relevance, completeness, and timeliness;
       (vi) the auditing and security measures to protect against 
     unauthorized access, analysis, use, or modification of data 
     in such databases;
       (vii) applicable mechanisms by which individuals may secure 
     timely redress for any adverse consequences wrongfully 
     incurred due to the access, analysis, or use of such 
     databases;
       (viii) mechanisms, if any, for the enforcement and 
     independent oversight of existing or planned procedures, 
     policies, or guidelines; and
       (ix) an outline of enforcement mechanisms for 
     accountability to protect individuals and the public against 
     unlawful or illegitimate access or use of databases.

     SEC. 4. GENERAL PROHIBITIONS.

       (a) In General.--Notwithstanding any other provision of 
     law, no department, agency, or other element of the Federal 
     Government, or officer or employee of the Federal Government, 
     may conduct a search or other analysis for national security, 
     intelligence, or law enforcement purposes of a database based 
     solely on a hypothetical scenario or hypothetical supposition 
     of who may commit a crime or pose a threat to national 
     security.
       (b) Construction.--The limitation in subsection (a) shall 
     not be construed to endorse or allow any other activity that 
     involves use or access of databases referred to in section 
     3(b)(2)(A).

     SEC. 5. DEFINITIONS.

       In this Act:
       (1) Appropriate committees of congress.--The term 
     ``appropriate committees of Congress'' means--
       (A) the Select Committee on Intelligence and the Committee 
     on the Judiciary of the Senate; and
       (B) the Permanent Select Committee on Intelligence and the 
     Committee on the Judiciary of the House of Representatives.
       (2) Database.--The term ``database'' means any collection 
     or grouping of information about individuals that contains 
     personally identifiable information about individuals, such 
     as individual's names, or identifying numbers, symbols, or 
     other identifying particulars associated with individuals, such as 
     fingerprints, voice prints, photographs, or other biometrics. 
     The term does not include telephone directories or 
     information publicly available on the Internet without fee.
       (3) United states person.--The term ``United States 
     person'' has the meaning given that term in section 101(i) of 
     the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 
     1801(i)).
                                 ______