Thursday

Electronic Privacy Information Center demands DOD recruiting database be immediately suspended

EPIC Releases Memorandum on DOD Recruiting Database, Privacy Act Violations. EPIC has drafted a memorandum (pdf) describing the Department of Defense (DOD) recruiting database. The memorandum discusses the sources of the data and the Privacy Act violations in the creation of the database. Of particular concern is the use of commercial data brokers and Social Security Numbers. EPIC concludes with specific recommendations. Pending resolution of these issues, it is the view of EPIC that the use of the database should be immediately suspended. (Jul. 27)

Recruiting Database Established in Violation of Privacy Act.
In a media roundtable, Department of Defense officials admitted to consolidating a massive database of student information for recruiting in 2003; however, the agency did not list this database in the Federal Register until May 2005. The Privacy Act requires that new systems of records be published in the Federal Register before they become operational. Last week, EPIC urged the agency to scrap the database, as it collected unnecessary information, offered no opt-out rights, and was to be housed at a private-sector direct marketing company. (Jun. 27)

Groups: DOD Should Scrap Massive Database. In comments to the Department of Defense, EPIC and 8 privacy and consumer groups objected to the creation of a massive database for military recruitment purposes. The database would contain the Social Security Numbers, race, and educational information on up to 25 million people as young as 16 years old. The database would be operated by a commercial data marketing company, and individuals would not be able to opt-out. The groups called upon the Department of Defense to terminate the database program, as the database is fundamentally incompatible with the government's responsibilities under the Privacy Act. (Jun. 21)

Introduction

In May 2005, the Department of Defense (DOD) announced that it was going to create a massive database for recruiting. The DOD's "Joint Advertising and Market Research" system proposed to combine student information, Social Security Numbers (SSN), and information from state motor vehicle repositories into a mega database housed at a private direct marketing firm. Approximately 25 million individuals' information would be in the database, and there is no way to opt out. In June 2005, EPIC and 8 privacy and consumer groups objected to the creation of the database, arguing that it violated the Privacy Act and was unnecessarily invasive.

In reaction to the EPIC comments and significant media attention, DOD held a media roundtable in June 2005 where the agency admitted that it had already created the database. This is a clear violation of the Privacy Act, which requires federal agencies to announce and seek public comment on systems of personal information before they are created.

It's not too late to do something about this database. Read on for information about the database and what you can do to protect your privacy.

  • DOD Privacy Act Notice. This document, filed in the Federal Register, is required by the Privacy Act, and describes the recruiting database "system of records" that will be used for military recruiting.
  • DOD Media Roundtable. This is a transcript of a press event held by DOD to discuss the recruiting database.
  • EPIC Student Privacy Page. This page has information about how students are profiled by commercial information vendors and by military recruiters.

Overview of the DOD Database

According to the DOD's Privacy Act notice, the database contains:

Full name, date of birth, gender, address, city, state, zip code, and where available Social Security Number (SSN), e-mail address, ethnicity, telephone number, high school name, graduation date, Grade Point Average (GPA) code, education level, college intent (if documented), military interest (if documented), field of study, current college attending, ASVAB Test date, ASVAB Armed Forces Qualifying Test Category Score.

This information is collected from:

Individuals; state Department of Motor Vehicle offices; commercial information brokers/vendors; Selective Service System; Defense Manpower Data Center (DMDC); United States Military Entrance Processing Command for individuals who have taken the ASVAB test; and the Military services and Congressional offices for individuals who have asked to be removed from any future recruitment lists.

The information will be used by the "Joint Advertising, Market Research and Studies (JAMRS)" to:

provide a single central facility within the Department of Defense to compile, process and distribute files of individuals who meet age and minimum school requirements for military service. The information will be provided to the Services to assist them in their direct marketing recruiting efforts. The system also provides JAMRS with the ability to measure effectiveness of list purchases through ongoing analysis and to remove the names of individuals who are currently in, or are enlisting, in the Armed Forces or who have asked that their names be removed from future recruitment lists.

But, the DOD has specified that the information can be used for a number of other "routine uses:"

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, These records or information contained therein may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows: The DoD `Blanket Routine Uses' set forth at the beginning of OSD's compilation of systems of records notices apply to this system.

This means that under 32 CFR 318.14, DOD can take the information in the database and give it to the following entities without telling you or gaining your consent:

  • Law enforcement.

  • To other agencies when DOD is requesting information in order to engage in hiring and firing decisions.

  • To other agencies when requested for a variety of government decision making.

  • To Congress in response to Member inquiries.

  • To foreign law enforcement.

  • To state and local taxing authorities.

  • To the Office of Personnel Management for pay, leave, and benefits administration.

  • To the Department of Justice for litigation.

  • To military banking facilities.

  • To the General Services Administration for records management inspections.

  • To the National Archives and Records Administration.

  • To the Merit Systems Protection Board.

  • To almost any entity for national security purposes.

EPIC estimates that approximately 25 million citizens' personal information is in the database.

Coalition Opposition to the Database

EPIC and 8 groups filed comments opposing the creation of the database. The groups' comments objected to the enormity of the database, and the plethora of privacy-invasive design choices that DOD has taken to implement it. Six aspects are worth highlighting:

  • First, according to the Privacy Act notice announcing the system of records, the database was to be stored at "Benow," a private-sector direct marketing company. This company has no apparent privacy policy or person designated to oversee security of personal information. It is a serious breach of trust for the government to transfer the SSNs of tens of millions of Americans, without their consent, to a private company. In other contexts, companies that maintain SSNs must comply with substantial security standards and rules, such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, banking safety and soundness regulations, and state laws requiring disclosure of security breaches. It is unclear whether any of these standards will be employed in this context, as the DOD has only devoted three sentences to the security of the system.

  • Second, relying upon an Executive Order signed by President Roosevelt in the 1940s, DOD claimed that it had the authority to index the database by citizens' Social Security Numbers (SSNs) to eliminate duplicate records. However, SSNs are not necessary to purge a database of duplicates, and direct marketing companies no longer use them to clean their databases. For reasons that are now obvious, collecting the SSN is a bad idea unless it is necessary for some legitimate agency function.

  • Third, the DOD exercised all of its "blanket routine uses," meaning that information in the database could be transferred to other agencies for thirteen different reasons, including law enforcement and counterintelligence activities. The purpose of this particular database is very clearly laid out - "to assist [the Services] in their direct marketing recruiting efforts." However, the routine uses defined in this proposal go far beyond its stated purpose. For example, the first category defined in the Department’s Blanket Routine Uses document allows the Department of Defense to notify another agency if a record "indicates a violation or potential violation of law." Not only is this category unrelated in any way to recruiting efforts, it is also nonsensical in the context of the information stored. While a system of records that tracks entitlements might show evidence of fraud, it is difficult to imagine a scenario where the information in this particular system would indicate a crime. The Department of Defense should reexamine the ways that this database will be used and consider whether any of the blanket routine uses are in fact appropriate.

  • Fourth, while a citizen can opt out of military solicitation, one cannot opt out of this database. This means that even the citizen who is ineligible for military service could be included in the database. Individuals should be able to opt-out of the database, and have all personal information removed except for the minimum necessary to ensure that the individual is no longer solicited. This could be accomplished by only maintaining name, address, and telephone number in the system for those who have opted out.

  • Fifth, the Privacy Act and the DOD's internal regulations require the agency to collect information directly from the citizen where possible. However, the database would be largely populated from other sources, including from state motor vehicle department databases, school enrollment data, and commercial information vendors. The main commercial vendors that sell students' data, American Student List and Student Marketing Group, were both pursued recently by consumer protection authorities for setting up front groups that tricked students into revealing their personal information. The DOD should not obtain personal information from commercial vendors when the same data can be obtained from data subjects through surveys or interactions with recruiters.

  • Finally, the database plans represent a government foray into direct marketing practices. EPIC argued that direct marketing is not an appropriate government function, and that existing laws to address direct marketing practices would not apply to military recruiters. We have laws to protect us against commercial telemarketers and spammers, but we don't have protections against military recruiters who engage in abusive marketing techniques. Voice of America reported that "…U.S. Army officials report more than 300 substantiated cases of allegedly improper recruiting tactics last year, a 60% increase in 5 years. Many recruiters reportedly have resorted to aggressive tactics because they've had a hard time meeting the Army's recruiting quota of 2 enlistees a month." Recent headlines recount other abusive recruitment techniques; these techniques could become significantly more pervasive when the efficiencies of private-sector direct marketing techniques are brought to bear on those in the database. Indeed, just a few months ago, an Indiana National Guard recruiter’s access to personal information was credited with his ability to efficiently target women for sexual assault: "Investigators say he [the recruiter] picked out teens and young women with backgrounds that made them vulnerable to authority. As a military recruiter, he had access to personal information, making the quest easier."

Military Access to Students and Student Information

Two laws were passed in 2001 which make it easier for military recruiters to access high school students' contact information. The laws changed schools' previous ability, under the Family Educational Rights and Privacy Act (FERPA), to choose to whom they would release such information.

Under the FERPA, schools may release "directory" information about students, such as phone numbers and addresses, as long as parents or adult students have an opportunity to opt out of such disclosure at the beginning of the school year. This represents an exception to the FERPA's general restriction on the public release of student records, and was meant to provide schools with the ability to publish students' names in honor rolls, yearbooks and the like, and to provide contact information to outside groups like class ring companies. Schools, or their districts or boards, have traditionally decided what directory information would be released, for what purposes, and to what groups.

However, a provision inserted into the No Child Left Behind educational act, Section 9528, now requires public and private schools receiving federal educational funds to release secondary students' names, addresses and telephone numbers to military recruiters who request them (20 U.S.C.S. § 7908). Parents or students may request that the information not be released to recruiters, often by signing a form distributed by schools early in the school year. Even if a school or district previously had a policy of not releasing directory information to outside groups, or even particularly to the military, it must now allow military recruiters to access the information of any students who are not opted out of such disclosure.

Section 9528 also requires schools receiving federal funds to provide the "same access" to its secondary students as it provides to colleges or prospective employers. This presumably means, for instance, that schools would have to allow military recruiters to attend a school-sponsored job fair.

The amendment was introduced by Representative David Vitter (R-La), and was agreed to overwhelmingly by Congress. Congress also legislated near-identical requirements in a provision of the 2002 Defense Department budget authorization bill (10 U.S.C.S. § 503).

The requirements of Section 9528 and the Defense budget amendment went into effect in the 2002 school year, and they quickly inspired widespread objections. Students protested in Hackensack, NJ, in January 2003. The Eugene, Oregon, school district distributed forms stating that although it would comply with the laws, it did not support them. And the San Francisco school board adopted a resolution responding to the requirements that began: "Whereas: Soul music legend Curtis Mayfield said: 'We got to have peace/To keep the world alive and war to cease.'"

In October 2002, the New York Civil Liberties Union appealed to the Chancellor of New York City's education department to require written permission to release student information to the military. The group wrote: "Opt-out features typically receive little attention or response, which means information will be released by default, rather than intention." Although New York City's schools did not adopt the NYCLU suggestion, school districts throughout the country, including the San Francisco school district, did choose to automatically withhold student information from recruiters unless students or parents requested otherwise. The Departments of Education and Defense, however, stated in response that they would not allow such a practice. In a July 2003 letter to various school districts, the Departments wrote that schools may not refuse to disclose student information to the military by default, but may only withhold students' information if they have been notified of this preference by the students or their parents. In practice, this will mean that in schools where forms are distributed for students or parents to opt out of information-release to military recruiters, an unreturned form will result in disclosure to interested recruiters.

Since the Departments of Education and Defense issued their letter, the San Francisco school board has modified its policies to comply with the Department's interpretation of the laws.

If a school or district fails to comply with Section 9528, it could lose future federal funding and could even be asked to return funds that it already received from the government. Almost all public schools and many private schools receive federal educational funds. Failure to comply with the similar Defense budget amendment could result in a visit to the school from a senior military officer, and, later, notification of the breach to the governor or even to Congress. The Department of Education wrote in a frequently asked questions document that when a report is made to Congress "the expectation is that public officials will work with the LEA to resolve the problem."

If high school students, or their parents, do not want names, addresses or phone numbers released to military recruiters, they must be sure to fill out and return any opt out form that their school provides regarding military recruiters. Under the Department of Education's interpretation of the law, an unreturned form is supposed to indicate that a student's information may be released. In addition, students or parents may want to encourage their school or school district to provide a way to specifically opt out of disclosure of directory information to military recruiters without having to deny release of such information generally. Schools are required, under FERPA, to allow parents or adult students to opt out of the general release of directory information for listings such as yearbook and honor roll, and high school students may prefer to allow release of their information for this use, but not for military recruitment.

H.R. 551, The Student Privacy Protection Act of 2005

The creation of the database caused many to revisit public policy choices made by Congress on military recruiting. As explained above, under the No Child Left Behind law, Congress forced public and private schools receiving federal educational funds to release secondary students' names, addresses and telephone numbers to military recruiters who request them.

Representative Honda (D-CA) introduced H.R. 551, the Student Privacy Protection Act of 2005, in February to reverse this presumption. If passed, it would require affirmative consent before personal information is transferred from schools to recruiters.

The legislation would not address the practice of recruiters buying personal information from direct marketing companies, or limit recruiters' access to personal information held by state motor vehicle departments.

What You Can Do to Protect Your Privacy

  • Request to see whether you are in the database. You can do this by writing a letter requesting access to your file under the Privacy Act. This letter must contain your full name, Social Security Number, date of birth, current address, and telephone number. Send your request to "The Department of Defense, Defense Human Resources Activity, c/o JAMRS, Direct Marketing Program Officer, Defense Human Resources Activity, 4040 N. Fairfax Drive, Suite 200, Arlington, Virginia 22203-1613."

  • Contact your school and request to opt-out. Your school may give you the choice to continue to receive college and university recruitment while opting out from commercial and military solicitation. Opting out will not remove you from the database, but it will end recruitment solicitations.

  • Visit the Web sites of the organizations listed below.

Organizations Concerned About the Database and Military Recruiting


http://www.epic.org/privacy/student/doddatabase.html
