UPDATE: DHS has announced that 71 of the 72 fusion centers have privacy policies in place.
Fusion centers are state and local programs to gather domestic intelligence. (The Department of Justice defines them (6 MB pdf) as a “mechanism to exchange information and intelligence, maximize resources, streamline operations, and improve the ability to fight crime and terrorism by analyzing data from a variety of sources,” which includes private sector firms and anonymous tipsters.) One of the biggest complaints about these centers, which have been gathering intelligence data for several years, is that there is little information about who is in charge of what and about what exactly is happening in these centers.
Privacy and civil liberties questions were raised, as there were controversial reports issued from fusion centers about legal and peaceful activities. The ACLU issued a 2008 report, “What’s Wrong With Fusion Centers?” It identified problems with fusion centers, including: ambiguous lines of authority, role of private corporations and the military, use of data mining and secrecy surrounding the centers. The Department of Homeland Security Privacy Office issued a privacy impact assessment (DHS pdf; archive pdf) in December 2008, in which it “identified a number of risks to privacy presented by the fusion center program.”
I am pleased to report that Department of Homeland Security Secretary Janet Napolitano recently announced that 69 of the 72 fusion centers nationwide have committed to written privacy policies that are at least as comprehensive as the federal standards (pdf) set out for the Information Sharing Environment. Although more can be done, I appreciate that these policies have been created and made public.
A couple of years ago, the homeland security grant guidance from FEMA, “Homeland Security Grant Program: Guidance and Application Kit” (pdf), included this section:
FY 2010 DHS grant funds may not be used to support fusion center-related initiatives unless the fusion center is able to certify that privacy and civil rights/civil liberties (CR/CL) protections are in place that are determined to be at least as comprehensive as the ISE Privacy Guidelines by the ISE Privacy Guidelines Committee (PGC) within 6 months of the award date on this FY 2010 award. If these protections have not been submitted for review and on file with the ISE PGC, DHS grants funds may only be leveraged to support the development and/or completion of the fusion center’s privacy protections requirements.
DHS tied federal funding to the creation of privacy plans, and now, Napolitano says that almost all fusion centers have policies in place. The National Fusion Center Association has put some of these policies online (I’m told more will be posted). Here are the policies for Missouri (NFCA pdf; archive pdf), Texas (NFCA pdf; archive pdf) and Virginia (NFCA pdf; archive pdf) — states whose fusion centers have been criticized. The privacy policies seem to be based on the Fair Information Practices and OECD Principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. For example, Virginia discusses “information quality assurance,” “sharing and disclosure,” and, surprisingly, “redress,” but the redress process is “for situations when a complaint involves records that have not been disclosed to the complainant under applicable law,” which seems confusing. The Virginia Fusion Center will accept a complaint and process a correction for data that it will not acknowledge having?
Though numerous questions remain about the fusion centers — Have the ambiguous lines of authority and oversight been made clear? If so, will that information be made public? What are the protections, if any, against mission creep? What is the role of the military and private corporations? What is the role of data mining? — I do think it’s a step forward for the centers to have privacy policies that have been made public.