DHS privacy director: We're paying attention

WASHINGTON - Peter Sand, the new director of privacy technology at the U.S. Department of Homeland Security (DHS), walked into a lunch meeting with what could have been a hostile crowd and told privacy advocates the agency is working hard to make sure privacy rights are respected as the DHS fights terrorism.

A privacy discussion is part of every new technology DHS considers, Sand told attendees of the Electronic Privacy Information Center's (EPIC) Freedom 2.0 conference Friday.

"The people who are building technologies really want to talk to the people working on privacy, and that happens on a daily basis," said Sand, who joined the DHS privacy office three weeks ago. The DHS employees working on technologies such as biometrics want to make sure they're complying with privacy regulations before the technology is rolled out, said Sand, a former chief information officer in the Pennsylvania Attorney General's Office.

Sand also encouraged technologists in private industries to develop privacy policies at the same time they develop software, not after the fact. Companies and U.S. agencies need "internal dialogs on privacy to make sure that as we're picking technical standards, we're picking privacy standards," Sand said.

The Transportation Security Administration, part of DHS, has been criticized by some privacy advocates for its efforts to create a new airline passenger screening program, called the Computer Assisted Passenger Pre-Screening System, or CAPPS II. Sand didn't address CAPPS II, and it didn't come up in a brief question-and-answer session, but he followed an introduction by Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., who suggested that law enforcement agencies shouldn't be responsible for monitoring their own privacy procedures.

Law enforcement and antiterrorism agencies have no incentive to engage the public in a debate on the trade-offs between law enforcement and privacy if they believe they're doing a good job at protecting privacy, Schneier said. "You don't want to put a justice organization in charge of justice trade-offs, because they'll always want more," he said.

Sand defended the DHS privacy office by saying the office has to report to the U.S. Congress as well as to the agency director. The privacy office "in a very real way is an independent office within DHS," he said.

DHS has to comply with the Privacy Act of 1974, which requires U.S. agencies to comply with requests from U.S. residents about what information is being collected about them, Sand said. Along with the Freedom of Information Act, which allows U.S. residents to request agency documents, and the E-Government Act of 2002, which focuses on how electronic data is collected, the agency has strong rules in place requiring it to protect privacy, Sand said.

U.S. agencies will find the right balance between privacy and security, and debates about the line between the two are healthy, Sand said. "It's the difference between 'could' versus 'should,'" he said. "There's a lot of things we could do, but the question is, should we do them?"

The climate in the U.S. right now is a "perfect storm" combination of emerging powerful technologies like biometrics and the effort to fight terrorism, Sand said.

U.S. residents need to be able to feel they have the space to be free, he added. "The challenge is how to balance the protection of that space without losing the progress we've had in the information age," he said.