Testimony on the President's Proposal for a Homeland Security Department, "The Homeland Security Act of 2002," Before Congressional Committees

Testimony on the President’s Proposal for a Homeland Security Department, “”The Homeland Security Act of 2002,” Before Congressional Committees

American Civil Liberties Union

Testimony on the President’s Proposal for a Homeland Security Department: “”The Homeland Security Act of 2002″”

Before the

Senate Committee on the Judiciary
Senate Committee on the Judiciary, Subcommittee on Immigration
Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism and Government Information
Senate Committee on Governmental Affairs

House Committee on Agriculture
House Committee on Armed Services
House Committee on the Judiciary
House Committee on the Judiciary, Subcommittee on Immigration and Claims
House Committee on Ways and Means
House Select Committee on Homeland Security

Submitted by Timothy H. Edgar,
Legislative Counsel

June 25-28, 2002

On behalf of the American Civil Liberties Union (ACLU) and its approximately 300,000 members, we welcome this opportunity to provide this testimony for the record on the President’s proposed legislation to create a Department of Homeland Security, the Homeland Security Act of 2002 (“”HSA””). We commend you for examining these issues in today’s hearing.

The ACLU is a non-partisan, non-profit organization dedicated to preserving civil liberties and the principles of our constitutional democracy, including open and accountable government.

The proposed Department of Homeland Security will be a massive Cabinet-level department, containing over 170,000 employees and twenty-two federal agencies.[1] It will have substantial powers, and will include more armed federal agents with arrest power than any other agency. In considering the proposed Department, Congress should ask itself not only whether the proposal represents sound public management, but also whether the Department will have structural and legal safeguards in place that are sufficient to keep the agency open and accountable to the public.

Unfortunately, the draft legislation not only fails to provide such safeguards, it eviscerates many of the safeguards that are available throughout the government and have worked well to safeguard the public interest. As proposed, the plan:

• Hobbles FOIA – Any information voluntarily submitted to the department about terrorist threats to the nation’s infrastructure are exempt from Freedom of Information Act disclosure, drastically limiting the agency’s responsibility to answer public questions about how well it is addressing these threats. (HSA § 204).
  
• Limits citizen input – Advisory committees to the department, which normally include citizen input, hold open meetings and must be balanced in viewpoint would be immune from these safeguards of the Federal Advisory Committee Act, further undercutting the agency’s accountability to the public. (HSA § 731).
  
• Muzzles whistleblowers – Employees of the new agency could be stripped of the protections contained in the federal Whistleblower Protection Act. This would eliminate guarantees that — were the agency to overreach its mandate or engage in questionable activities – such abuse would be disclosed and the agency held accountable to Congress and the American public. Protection for the bravery like that displayed by FBI Agent Coleen Rowley would not exist in the new agency. (HSA § 731).
  
• Lacks strong oversight – Given the enormous potential power of the proposed agency, its Inspector General must not be hampered like those in other federal law enforcement agencies. Currently, the cabinet secretary in charge would have veto power over the IG’s audits and investigations. (HSA § 710).
  
• Threatens personal privacy and constitutional freedoms – Many of the information sharing provisions in the HSA are vague and do not provide sufficient guarantees to protect privacy or constitutional freedoms.

Finally, we firmly reject proposals to include in the Department of Homeland Security the intelligence gathering functions of the Central Intelligence Agency (CIA), other foreign intelligence agencies, or the Federal Bureau of Investigation (FBI). Intelligence gathering operations abroad are, as a practical matter, largely immune from constitutional constraints. The CIA and other agencies that gather foreign intelligence abroad operate in a largely lawless environment. To bring these agencies into the same organization as the FBI risks further damage to Americans’ civil liberties. As a result, Congress should resist any attempt to endow the Department of Homeland Security with new intelligence gathering powers or to fold the FBI and CIA into the new agency. Instead, Congress should put in place clear limits to prevent the Department from permanently retaining files on Americans that relate to First Amendment activities and have no connection to any criminal activity.

I. The Homeland Security Department Must Be Open and Accountable

The President’s plan does not contain sufficient structural guarantees to ensure that this vast new Department will be accountable to the public, both to ensure it is doing its job and to ensure against abuse. Instead, the plan eviscerates many of the existing safeguards for government agencies. These provisions should be eliminated, and a strong mechanism should be put in place to ensure against abuse.

Freedom of Information Act (FOIA) Exemption

The ACLU strongly opposes section 204 of the proposed legislation, which creates a broad new exemption to the Freedom of Information Act (FOIA), 5 U.S.C. § 552. Section 204 provides that information that companies or others voluntarily provide to the Department about “”infrastructure vulnerabilities”” and other information said to be relevant to terrorism will be exempt from FOIA. These terms are not defined by the proposed legislation and could potentially cover a host of information. This is a deeply misguided proposal, and it should be rejected.

The FOIA is the bedrock statute designed to preserve openness and accountability in government and new exemptions to its provisions should not be created lightly. As the Supreme Court has made clear, “”Disclosure, not secrecy, is the dominant objective of the Act.””[2] Open government is a core American value. It should not be set aside for reasons other than genuine necessity.

The FOIA already contains a number of common sense exemptions that would cover critical infrastructure information the disclosure of which could result in harm. The FOIA does not require the disclosure of national security information (exemption 1), sensitive law enforcement information (exemption 7), or confidential business information (exemption 4).

Courts have carefully weighed the public’s need for disclosure against the possible harms of disclosure under FOIA’s traditional exemptions. In deciding whether to disclose technical information voluntarily submitted by private industry, courts have given substantial – many in the public interest and FOIA requester community would say excessive – deference to industry demands for confidentiality of business information under exemption 4.

Generally, information that a business voluntarily submits to the government on the basis that it be kept confidential is already exempt from disclosure if the company does not customarily release such information to the public and preserving confidentiality is necessary to ensure that the government will continue to receive industry’s cooperation. See, e.g., Critical Mass Energy Project v. Nuclear Regulatory Commission, 975 F.2d 871 (D.C. Cir. 1992). It is difficult to see how any truly sensitive business information that was voluntarily submitted by a company concerning the vulnerabilities of its critical infrastructure could be released under this standard.

Indeed, supporters of a new FOIA exemption for critical infrastructure information have, when pressed, been forthright in admitting that such legislation simply is not needed to protect sensitive information from disclosure. For example,

• Senator Bennett, chief sponsor of legislation creating a new critical infrastructure exemption, has admitted that “”[t]he Freedom of Information Act itself”” currently allows sensitive information to be protected. “”That is, there are provisions in the Act that say information need not be shared”” with the public.[3]
• John S. Tritak, Director of the Critical Infrastructure Assurance Office of the U.S. Chamber of Commerce, says “”You could say that [in the] current environment, if you’re very careful and you watch out, the old existing exemptions will cover any concerns that may arise under FOIA, not to worry.””[4]
• Ronald L. Dick, Director of the National Infrastructure Protection Center of the Federal Bureau of Investigation (FBI), has said “”[M]any legal authorities have agreed that the federal government has the ability to protect information from mandatory disclosure under the current statutory framework.””[5]
• VeriSign public policy director Michael Aisenberg has said worries about disclosure were overblown because FOIA already protects sensitive information, and new legislation is simply not needed “”substantively.””[6]

Rather than put forward evidence that some information about critical infrastructure exists that is not adequately protected, supporters of a new exemption have said “”it doesn’t matter”” whether current law provides adequate protection. Rather, it is said, a new exemption is needed because of a “”perception”” in private industry that there is some risk, however remote, that information that is voluntarily submitted to the government might be at risk of disclosure under FOIA.

If industry is unwilling to provide information to the government, despite adequate legal protection, the solution is not to change the law but to change the misperception by issuing legal guidance making clear the parameters of the FOIA as it currently exists. If a misperception exists that truly sensitive information that is given to the government cannot be protected from disclosure, it is hard to see how that will change if another exemption is enacted.

Perhaps most importantly, creating an overbroad exemption for “”critical infrastructure information”” would undermine, rather than enhance, security. Such an exemption would permit private industry and the government to shield from the public the actions they are taking – and, more importantly, the actions they are not taking – to protect the public from attacks on critical infrastructures.

Secrecy can hinder anti-terrorism efforts. Earlier this year in Israel, the media obtained a government report that discussed the potential vulnerability of a fuel depot to terrorists – exactly the sort of information about “”infrastructure vulnerabilities”” that might be exempt from FOIA under the proposed legislation. Military censors blocked publication of the report, and persuaded the mayor of Tel Aviv not to go public with a campaign to fix the problem. Nothing was done. Terrorists then attacked the fuel depot. In that case, public debate might well have forced action to address the problem.[7] The United States should not make the same mistake.

For the all of the above reasons, ACLU opposes the enactment of a new FOIA exemption for critical infrastructure information. At the very least, however, any new exemption that Congress enacts should be subject to the following responsible limits:

First, any new exemption must be limited to clearly marked cyber-security documents, i.e., reports that describe cyber-attacks on a company’s computer systems that have resulted or could result in some harm to its critical infrastructure. It should not apply to information about all vulnerabilities in critical infrastructure. Proposals to exempt information that is voluntarily shared with the government were developed to deal with the discrete and relatively new problem of cyber-attacks. To expand the scope of information that is exempted to include information about vulnerabilities to traditional physical attacks would interfere with a host of environmental and public safety regulatory regimes that have been developed over decades.

Second, any new exemption must be for written documents only, not “”information”” of all sorts. It would be virtually impossible to determine if information possessed by the government was the result of some oral conversation with a private sector company, making a FOIA exemption that covered such information unworkable and potentially devastating to the public’s right to know.

Third, any new exemption must be limited in time, and should last for months, not years. A company which controls infrastructure that is vital to the public must have an incentive not only to share information, but also to do something to make itself less vulnerable to such attacks. A time limited exemption will give responsible companies and government agencies an incentive to fix their problem with due speed. Without a time limit, companies and the government can simply sit on the problem without any pressure to act.

Fourth, a new exemption should be an alternative to existing FOIA protections, not a new club to wield against FOIA requesters. Companies that wish to take advantage of the new exemption should clearly state on the relevant document they are requesting confidentiality under that exemption. Companies that fail to fix their vulnerabilities within a reasonable time limit, even with the protection of the new exemption, should not be allowed to take advantage of FOIA’s other potentially applicable exemptions to cover up their failure to act after that time limit has expired. If companies believe the information they desire to share is protected under another FOIA exemption, they should be required instead to rely on that other exemption at the time of submission.

Finally, strict reporting requirements and a sunset clause should be included in the legislation to determine whether the new regime is working.

Federal Advisory Committee Act (FACA) Exemption

Section 731 of the HSA provides that advisory committees established by the Secretary of the Department of Homeland Security are exempt from the Federal Advisory Committee Act (FACA), and that members of such advisory committees are not subject to certain restrictions on federal employees’ conduct.

The FACA was passed in 1972 to promote the values of openness, accountability, and balance of viewpoints, and to ensure administrative efficiency and cost reduction. FACA imposes requirements on agencies[8] when they establish or utilize any advisory committee, which is defined as a group of individuals, including at least one non-federal employee, which provides collective advice or recommendations to the agency. 5 U.S.C. App. II, § 3(2). When an agency seeks to obtain such advice or recommendations, it must ensure the advisory committee is “”in the public interest,”” id. at § 9(2), is “”fairly balanced in terms of points of view represented and the function to be performed,”” id. at § 5(b)(2), and does not contain members with inappropriate special interests. Id. at § 5(b)(3). If these criteria are satisfied, the agency must file a charter for the committee. Id. at § 9(c).

Once an advisory committee is operating, the agency also must comply with requirements designed to ensure public access and participation. FACA requires an agency to provide adequate public notice that it is establishing an advisory committee, id. at § 9(a)(2), conduct open meetings, id. at § 10(a), keep minutes of those meetings, id. at § 10(c), make available for public inspection and purchase all documents prepared for or by advisory committees, id. at §§ 10(b), 11(a), and permit all interested persons to attend, appear before, or file statements with any advisory committee. Id. at 10(a)(3). These openness requirements ensure public monitoring of advisory committees and reduce the likelihood that advisory committees can serve as secretive channels for special-interest access to government agencies. FACA’s right of access to advisory committee records is subject to the same nine exemptions that apply to access to agency records under the FOIA, which we believe are sufficient to guard against any disclosure of truly sensitive information.

By exempting from FACA requirements any advisory committees established by the Secretary of the Department of Homeland Security, the HSA severely undermines the openness and public-access goals of FACA. Although the HSA provides that the Secretary shall publish notice in the Federal Registrar announcing the establishment of an advisory committee and identifying its purpose and membership, the meetings will not be open to the public, formal minutes of committee activity during those meetings will not be kept, and the public will not have access to view or purchase documents prepared for or by those advisory committees. Public access to and participation in advisory committees are essential to guarding against special-interest access to advisory committees and influence upon government decision-making.

In addition, the HSA exempts members of advisory committees established under the Department of Homeland Security from federal laws restricting federal employees and officers (including members of advisory committees) from participating in or advising the government upon matters about which there exists a conflict of interest. See 18 U.S.C. §§ 203, 205, 207. Combined with the lack of public access to and participation in advisory committee proceedings, exemption from these laws threatens to erode FACA’s requirement that advisory committees’ memberships reflect a balance of viewpoints, and undermines the goal of accountability.

Waiver of Whistleblower Protection Act (WPA) and other Title 5 Protections

The federal Whistleblower Protection Act (WPA) was enacted to ensure that federal employees[9] who believe that a violation of law, mismanagement or other abuse has occurred may come forward and disclose that information without fear of summary dismissal or punitive action. The WPA protects federal employees from adverse action on the basis of a disclosure of information if the employee “”reasonably believes [the information] evidences a violation of any law, rule, or regulation or gross mismanagement, gross waste of funds, an abuse of authority or a substantial and specific danger to public health and safety.”” 5 U.S.C. § 2302(b)(8). An employee is not protected if the disclosure involves classified information or if the disclosure is specifically prohibited by law. Id. The Act contains administrative remedies, administered by the Merit System Protections Board, and an employee may also seek judicial review in the United States Court of Appeals for the Federal Circuit. 5 U.S.C. §§ 1221, 7703(b). In this way, the WPA guarantees that federal agencies are held accountable to the American public if they overreach their mandate or engage in questionable activities.

The HSA permits the Secretary to sweep away the Whistleblower Protection Act, and all other protections for federal employees under Title 5, for the purpose of establishing a “”Human Resources Management System”” (HSA § 730) that is “”flexible, contemporary, and grounded in the public employment principles of merit and fitness.”” By allowing the Secretary to make these personnel rules “”[n]otwithstanding any other provision of this title,”” i.e., Title 5, the HSA does not guarantee employees of the Department of Homeland Security the protections of the WPA. Without such protection, employees who are in the best position to spot problems, violations of the law or dangers to the public are effectively silenced.

The Homeland Security Department’s Inspector General May Lack Authority

We are concerned that the Homeland Security Act does not adequately provide for a fully functioning Inspector General (IG). Section 103(b) provides for the creation of an Inspector General pursuant to the Inspector General Act of 1978. However, section 710 of the HSA gives the Secretary of Homeland Security authority to override Inspector General Investigations in several areas including: (1) intelligence, counterintelligence, or counter terrorism matters; (2) ongoing criminal investigations or proceedings; (3) undercover operations; (4) the identity of confidential sources, including protected witnesses; (5) matters that constitute a threat to persons or property protected by the United States Secret Service and (6) other matters that constitute a serious threat to national security. Given the mission of the Homeland Security Agency, it is conceivable that many of the functions performed by this new agency could be said to fall under one of these exempted categories.

Other agencies have similar provisions that require the inspector general to be under the direct authority of the Department Secretary (e.g. Treasury, Department of Justice, Postal Service) when the IG is investigating areas of national security. We understand the need to protect information that if released could pose a danger to national security. However, many of the agencies that are going to become a part of the new Homeland Security Act such as FEMA, the INS, the Animal and Plant Health Inspection Service of the Department of Agriculture and the Coast Guard have functions much broader than dealing with national security. We are concerned that transferring these agencies into a Department whose primary function is to protect the United States against terrorism could erroneously be perceived as elevating their regular duties to those of national security, thereby making such currently non-exempt activities exempt from Inspector General oversight.

We recommend further study of this issue before legislation is approved, regular oversight by Congress and a requirement for the Homeland Security Department to report to Congress concerning how often the Inspector General is prevented from performing its duties due to section 710 exemptions, and the standards by which the Secretary exercises such authority.

II. The Homeland Security Department Should Not Invade the Privacy or Constitutional Rights of Americans

Finally, the creation of a new Homeland Security Department naturally leads to concerns that such a large government agency could abuse its authority by invading the privacy or freedoms that Americans hold dear. Common sense protections can ensure against such abuses.

Because a primary function of the new Department is to receive and analyze information, Congress should insist on appropriate safeguards to protect the privacy of the information and to make sure that it is not used inappropriately. For example, there should be procedures to limit the use and disclosure of the collected information; rules that require the information to be secure and confidential; procedures to remove and destroy old data and remedies for the violation of statutory and constitutional rights and penalties for misuse of personal information.

The Intelligence Gathering Functions of the CIA and FBI Should Remain Separate and Outside the Homeland Security Department

We commend the Administration for leaving the intelligence gathering function out of the new Department. The HSA leaves those functions to the Central Intelligence Agency (CIA) and other intelligence agencies and to the Federal Bureau of Investigation (FBI). While the government must do a better job of analyzing the intelligence information it already collects from both foreign and domestic sources, the Congress should not approve new intelligence gathering powers, much less a new intelligence gathering agency, without a showing that such powers are truly needed and do not unnecessarily tread on Americans’ civil liberties.

Under our system of government, the CIA and other intelligence agencies are tasked with collecting foreign intelligence abroad. As a practical matter, these foreign activities have been largely immune from constitutional limits and from oversight by the federal courts, although they are and must remain subject to oversight by the Congress. On the other hand, the FBI collects foreign intelligence in the United States, and also investigates and prevents criminal activity. These domestic activities are clearly constrained by statute and by the Constitution. The FBI’s intelligence gathering functions are also subject to oversight by the Foreign Intelligence Surveillance Court.

Blurring of domestic and foreign intelligence gathering functions could have a severe impact on civil liberties, potentially leading to widespread spying on Americans constitutionally-protected political and religious activity. This is already a danger under the relaxed FBI guidelines for domestic investigations recently announced by Attorney General Ashcroft.[10] The Congress should resist any attempt to further erode these protections by including substantial intelligence gathering functions in the new Department of Homeland Security.

The Homeland Security Department Should be Barred from Political Spying

Instead of adding to the Homeland Security Department new intelligence gathering powers that could tread on civil liberties, Congress should consider adding provisions that would prevent the Department from maintaining files on Americans that are not linked to any criminal activity, but instead relate solely to political beliefs and associations. Under the draft legislation, while the Department will not gather intelligence information, it will receive such information in the course of its efforts to prevent terrorism.

Without safeguards, these provisions could lead to abuse. No one wants a repeat of the J. Edgar Hoover era, when the FBI was used to collect information about and disrupt the activities of civil rights leaders and others whose ideas Hoover distained.[11] Moreover, during the Clinton Administration, the