The following report was released by the Privacy and Civil Liberties Oversight Board on May 26, 2015.
DHS Privacy Office and the Office for Civil Rights and Civil Liberties
- 153 pages
- April 2015
Section 5 of Executive Order 13636 (Executive Order) requires the DHS Chief Privacy Officer and Officer for Civil Rights and Civil Liberties to assess the privacy and civil liberties impacts of the activities the Department of Homeland Security (DHS, or Department) undertakes pursuant to the Executive Order and to provide those assessments, together with recommendations for mitigating identified privacy risks, in an annual public report. In addition, the DHS Privacy Office and the Office for Civil Rights and Civil Liberties (CRCL) are charged with coordinating and compiling the Privacy and Civil Liberties assessments conducted by Privacy and Civil Liberties officials from other Executive Branch departments and agencies with reporting responsibilities under the Executive Order.
The first annual report, covering activities conducted by the Department during 2013, along with Privacy and Civil Liberties Assessments conducted by other departments was released as a combined document in April 2014.
This year’s assessment covers Department activities conducted during fiscal year 2014. It includes a civil liberties assessment of new activities under Sections 9(a) and 9(c) of the Executive Order and also follows up on outstanding items and recommendations discussed in last year’s assessment of activities under Sections 4(a), 4 (b), 4(c), and 4(e) of the Executive Order. As in last year’s assessment, the scope of this year’s assessment is limited to those DHS activities that were undertaken as a result of the Executive Order or substantially altered by it. Section 5 of the Order directs the assessment of “the functions and programs undertaken by DHS as called for in this order,” and the scope of the assessment is therefore limited to those functions and programs, rather than attempting to assess the many DHS cybersecurity programs and activities conducted under other authorities. Attempting to include that wide array of programs and activities within this assessment would be impractical, straining oversight office resources, and diluting the in-depth focus on the activities which are driven by the Executive Order.
…
DHS Methodology for Conducting Executive Order (EO) 13636 Assessments
Section 5(b) of the Executive Order directs senior agency privacy and civil liberties officials of agencies engaged in activities under the order to perform an “evaluation of activities against the Fair Information Practice Principles [(FIPPs)] and other applicable privacy and civil liberties policies, principles, and frameworks.” DHS has evaluated its activities against the FIPPs and other applicable privacy and civil liberties policies, principles, and frameworks. More information on this evaluation process is described below.
…
Civil Liberties Risks and Impacts
As noted above, there has been no substantial programmatic change in the operation of the Enhanced Cybersecurity Services program since the 2014 Assessment, other than the addition of new participants, and the development of additional policy to manage and govern the program
As we found in last year’s assessment, the risks of the Enhanced Cybersecurity Services program to civil liberties remain modest, as long as the Enhanced Cybersecurity Services program stays within the established parameters of the program including: 1) voluntary participation by commercial service providers and critical infrastructure entities; 2) no Government monitoring or access to private communications, including content; and 3) no Government receipt of the results of monitoring, other than metrics relating to the cyber threats encountered by the commercial service providers.
Although the policies and procedures discussed herein still reflect the program’s relative youth, they provide appropriately detailed procedural tools to help Enhanced Cybersecurity Services program and CS&C operational staff operate the program within appropriate boundaries protective of individual rights. Specifically, the Policy Principles, Government Furnished Information Data Verification and Vetting Process and the Service Expansion Workflow Process work to provide rules of the road governing program operation, with individual rights protections embedded in those policies. Moreover, they require the systematic vetting of major program decisions by the oversight offices, and even though governing the activities of the commercial service providers is beyond the scope of the DHS role in this program, the policies governing the program’s receipt of information limits the materials received by the program office to the metrics data described above.
The ongoing collaboration of DHS’s advisory and oversight offices also helps to ensure the program maintains appropriate protections of individual rights as it grows and evolves. In our routine oversight and advisory involvement with the program during Fiscal Year 2014, CRCL found no irregularities and no instances of non-compliance with the policies described above, and the annual review conducted for this assessment of those materials (including all classified and unclassified metrics shared with DHS) and program policies, along with and additional fact-finding discussions with program staff, confirmed the program is in compliance with applicable policy guidelines. The voluntary nature of Enhanced Cybersecurity Services participation by commercial service providers and critical infrastructure entities – which is a key civil liberties protection – makes it impossible to require those participants to adopt specific privacy or civil liberties protective policies. Nevertheless, a review of all unclassified and classified metrics information produced from the program provided assurance to CRCL that the cybersecurity providers themselves – who are beyond the oversight reach of this office – were participating in the Enhanced Cybersecurity Services program in a way that complied with the written policies discussed above. Of particular relevance to civil liberties, the ECS program does not receive the content of communications from the commercial service providers.
As a result of the program office’s inclusion of CRCL in all relevant program and policy activities, and CRCL’s resulting visibility into the relationship with the commercial service providers, CRCL concludes that the risks to civil liberties, characterized as “modest” in last year’s Assessment report, have been further addressed and mitigated. Consistent with our findings in last year’s assessment, CRCL notes that ongoing vigilance is necessary due to the ever present threat of mission creep, and because as programs evolve and grow, new and unanticipated civil liberties concerns may arise. The Department and the ECS Program have addressed civil liberties concerns appropriately at this stage in the program’s development, but must continue to build policies that preserve the voluntary nature of program participation, and which protect individual rights as the program is implemented and continues its growth.