[Congressional Record Volume 151, Number 73 (Monday, June 6, 2005)]
[Senate]
[Pages S6105-S6106]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. FEINGOLD (for himself, Mr. Sununu, Mr. Leahy, Mr. Akaka, 
        Mr. Jeffords, and Mr. Wyden):
  S. 1169. A bill to require reports to Congress on Federal agency use 
of data-mining; to the Committee on the Judiciary.
  Mr. FEINGOLD. Mr. President, I am pleased today to introduce the 
Federal Agency Data-Mining Reporting Act of 2005. I want to thank 
Senator Sununu for cosponsoring this bill. He has consistently been a 
leader on privacy issues, and I am very pleased to work with him on 
this effort. I also want to thank Senators Leahy, Akaka, Jeffords and 
Wyden for their support of the bill.
  The controversial data analysis technology known as data-mining is 
capable of reviewing millions of both public and private records on 
each and every American. The possibility of government law enforcement 
or intelligence agencies fishing for patterns of criminal or terrorist 
activity in these vast quantities of digital data raises serious 
privacy and civil liberties issues--not to mention questions about the 
effectiveness of these types of searches. But more than two years after 
Congress first learned about the Defense Department's program called 
Total Information Awareness, there is still much we do not know about 
the Federal government's other work on data-mining., We found out last 
year from a GAO report that there are 199 Federal data-mining programs, 
122 of which rely on personal information and 29 of which are for the 
purpose of investigating terrorists or criminals, but we don't know the 
details of those programs. This is information we need to have. 
Congress should not be learning the details about data-mining programs 
after millions of dollars are spent testing or using data-mining 
against unsuspect- ing Americans.
  Coupled with the expanded domestic surveillance already undertaken by 
this Administration, the unchecked, secret use of data-mining 
technology threatens one of the most important values that we are 
fighting for as we combat terrorism--freedom. My bill would require all 
Federal agencies to report to Congress within 90 days and every year 
thereafter data-mining programs developed or used to find a pattern 
indicating terrorist or other criminal activity and how these programs 
implicate the civil liberties and privacy of all Americans. If 
necessary, information in the various reports could be classified.
  Let me clarify what this bill does not do. It does not have any 
effect on the government's use of commercial data to conduct 
individualized searches on people who are already suspects. It does not 
end funding for any program, determine the rules for use of data-mining 
technology, or threaten any ongoing investigation that uses data-mining 
technology.
  My bill would simply provide Congress with information about the 
nature of the technology and the data that will be used. The Federal 
Agency Data-Mining Reporting Act would require all government agencies 
to assess the efficacy of the data-mining technology and whether the 
technology can deliver on the promises of each program. In addition, my 
bill would make sure that Congress knows whether the Federal agencies 
using data-mining technology have considered and developed policies to 
protect the privacy and due process rights of individuals.

  With complete information about the current data-mining plans and 
practices of the Federal government, Congress will be able to conduct a 
thorough review of the costs and benefits of the practice of data-
mining on a program-by-program basis and make considered judgments 
about which programs should go forward and which should not. Congress 
will also be able to evaluate whether new privacy rules are necessary.
  Data-mining could rely on a combination of intelligence data and 
personal information like individuals' traffic violations, credit card 
purchases, travel records, medical records, communications records, and 
virtually any information contained in commercial or public databases. 
Congress must

[[Page S6106]]

conduct oversight to make sure that government agencies like the 
Department of Homeland Security, the Department of Justice, and the 
Department of Defense use these types of sensitive personal information 
appropriately.
  Furthermore, data-mining is unproven in this area. The government 
argues that data-mining can help locate potential terrorists before 
they strike. But we do not, today, have evidence that data-mining will 
prevent terrorism. In fact, some technology experts have warned that 
data-mining is not the right approach for the terrorism problem. The 
financial world has successfully used data-mining to identify people 
committing fraud because it has data on literally millions, if not 
billions, of historical financial transactions. And the banks and 
credit card companies know, in large part, which of those past 
transactions have turned out to be fraudulent. So when they apply 
sophisticated statistical algorithms to that massive amount of 
historical data, they are able to make a pretty good guess about what a 
fraudulent transaction might look like in the future.
  We do not have that kind of historical data about terrorists and 
sleeper cells. We have just a handful of individuals whose past actions 
can be analyzed, which makes it virtually impossible to apply the kind 
of advanced statistical analysis required to use data-mining in this 
way. That doesn't mean we should stop the Federal government from 
attempting to solve that problem, but it raises serious questions about 
whether data-mining will ever be able to locate an actual terrorist. 
Before the government starts reviewing personal information about every 
man, woman and child in this country, we should learn what data-mining 
can and can't do--and what limits and protections are needed.
  We must also bear in mind that there will inevitably be errors in the 
underlying data. Everyone knows people who have had errors on their 
credit reports--and that is the one area of commercial data where the 
law already imposes strict accuracy requirements. Other types of 
commercial data are likely to be even more inaccurate. Even if the 
technology itself were effective, I am very concerned that innocent 
people could be ensnared because of mistakes in the data that make them 
look suspicious. The recent rise in identity theft, which creates even 
more data accuracy problems, makes it even more important that we 
address this issue.
  Most Americans believe that their private lives should remain 
private. Data-mining programs run the risk of intruding into the lives 
of individuals who have nothing to do with terrorism or other criminal 
activity and understandably do not want their credit reports, shopping 
habits and doctor visits to become a part of a gigantic computerized 
search engine operating without any controls or oversight.
  The Administration should be required to report to Congress about the 
impact of the various data-mining programs now underway or being 
studied, and the impact those programs may have on our privacy and 
civil liberties, so that Congress can determine whether the proposed 
benefits of this practice come at too high a price to our privacy and 
personal liberties.
  I urge my colleagues to support this bill. All it asks for is 
information to which Congress and the American people are entitled.
  I ask unanimous consent that the text of this bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1169

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Federal Agency Data-Mining 
     Reporting Act of 2005''.

     SEC. 2. DEFINITIONS.

       In this Act:
       (1) Data-mining.--The term ``data-mining'' means a query or 
     search or other analysis of 1 or more electronic databases, 
     whereas--
       (A) at least 1 of the databases was obtained from or 
     remains under the control of a non-Federal entity, or the 
     information was acquired initially by another department or 
     agency of the Federal Government for purposes other than 
     intelligence or law enforcement;
       (B) a department or agency of the Federal Government or a 
     non-Federal entity acting on behalf of the Federal Government 
     is conducting the query or search or other analysis to find a 
     predictive pattern indicating terrorist or criminal activity; 
     and
       (C) the search does not use a specific individual's 
     personal identifiers to acquire information concerning that 
     individual.
       (2) Database.--The term ``database'' does not include 
     telephone directories, news reporting, information publicly 
     available via the Internet or available by any other means to 
     any member of the public without payment of a fee, or 
     databases of judicial and administrative opinions.

     SEC. 3. REPORTS ON DATA-MINING ACTIVITIES BY FEDERAL 
                   AGENCIES.

       (a) Requirement for Report.--The head of each department or 
     agency of the Federal Government that is engaged in any 
     activity to use or develop data-mining technology shall each 
     submit a report to Congress on all such activities of the 
     department or agency under the jurisdiction of that official. 
     The report shall be made available to the public.
       (b) Content of Report.--A report submitted under subsection 
     (a) shall include, for each activity to use or develop data-
     mining technology that is required to be covered by the 
     report, the following information:
       (1) A thorough description of the data-mining technology 
     and the data that is being or will be used.
       (2) A thorough description of the goals and plans for the 
     use or development of such technology and, where appropriate, 
     the target dates for the deployment of the data-mining 
     technology.
       (3) An assessment of the efficacy or likely efficacy of the 
     data-mining technology in providing accurate information 
     consistent with and valuable to the stated goals and plans 
     for the use or development of the technology.
       (4) An assessment of the impact or likely impact of the 
     implementation of the data-mining technology on the privacy 
     and civil liberties of individuals.
       (5) A list and analysis of the laws and regulations that 
     govern the information being or to be collected, reviewed, 
     gathered, analyzed, or used with the data-mining technology.
       (6) A thorough discussion of the policies, procedures, and 
     guidelines that are in place or that are to be developed and 
     applied in the use of such technology for data-mining in 
     order to--
       (A) protect the privacy and due process rights of 
     individuals; and
       (B) ensure that only accurate information is collected, 
     reviewed, gathered, analyzed, or used.
       (7) Any necessary classified information in an annex that 
     shall be available to the Committee on Homeland Security and 
     Governmental Affairs, the Committee on the Judiciary, and the 
     Committee on Appropriations of the Senate and the Committee 
     on Homeland Security, the Committee on the Judiciary, and the 
     Committee on Appropriations of the House of Representatives.
       (c) Time for Report.--Each report required under subsection 
     (a) shall be--
       (1) submitted not later than 90 days after the date of the 
     enactment of this Act; and
       (2) updated once a year and include any new uses or 
     development of data-mining technology.
                                 ______