COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER, CONSUMER ACTION, PRIVACYACTIVISM, COMMERCIAL ALERT, PRIVACY JOURNAL, WORLD PRIVACY FORUM, PRIVACY RIGHTS CLEARINGHOUSE, PROFESSOR OSCAR GANDY, AND JUNKBUSTERS ON THE DOD DHRA 04 JOINT ADVERTISING AND MARKET RESEARCH RECRUITING DATABASE
June 22, 2005
Introduction
The Department of Defense proposes to create a military recruiting database containing the personal information of tens of millions of Americans as young as 16 years of age, including their Social Security Numbers, race, and educational information, and entrust this information to a commercial direct marketing company.[1] The direct marketing company chosen by the DOD, Benow, does not even have a privacy policy, nor has it troubled itself to enlist in a privacy seal program.[2] DOD proposes a wide range of "routine uses" for this database, including disclosure of records contained in the database for functions wholly unrelated to recruitment. Although individuals can opt-out of recruitment solicitations, they cannot opt-out of this enormous database.
We support the U.S. Armed Forces, and understand that DOD faces serious challenges in recruiting for the military. But we strongly object to the creation of this Joint Advertising database. The collection of this information is not consistent with the Privacy Act, which was passed by Congress to reduce the government's collection of personal information on Americans. The collection of individuals' Social Security Numbers presents risks to privacy, and is unnecessary for operation of the database. The "routine uses" for disclosure of information in the database are unjustified. The DOD proposes to ignore the law and its own regulations by collecting personal information from commercial data brokers and state registries rather than directly from individuals.
This database represents an unprecedented foray of the government into direct marketing techniques previously only performed by the private sector. These techniques simply are not compatible with the Privacy Act, as direct marketing tactics increasingly call for massive amounts of personal information. And while numerous laws protect individuals from commercial direct marketing techniques, these protections only apply in commercial transactions, leaving individuals with little recourse against harassing or unwanted junk mail, telemarketing, and spam from the government.
This database is a bad idea. The DOD should scrap its proposal to create this mega database of young Americans and rely upon traditional mass-media advertising to reach potential recruits.
The Privacy Act of 1974
In enacting the Privacy Act,[3] Congress found that:
(1) the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies;
(2) the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information;
(3) the opportunities for an individual to secure employment, insurance, and credit, and his right to due process, and other legal protections are endangered by the misuse of certain information systems;
(4) the right to privacy is a personal and fundamental right protected by the Constitution of the United States; and
(5) in order to protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information by such agencies.
In passing the Privacy Act, Congress sought to restrict the amount of personal information that federal agencies could collect and required agencies to be transparent in their information practices.[4] The Privacy Act is intended "to promote accountability, responsibility, legislative oversight, and open government with respect to the use of computer technology in the personal information systems and data banks of the Federal Government[.]"[5]
Few, if any, of these goals are reflected in this proposal to create a Joint Advertising database. For the reasons enumerated below, the DOD should withdraw its proposal to create the database.
DOD Should Not Collect the Social Security Number
DOD Cannot Rely on E.O. 9397 to Collect or Use the Social Security Number
The DOD relies upon a 1943 Executive Order, signed by President Franklin Roosevelt, for authority to collect the Social Security Number (SSN).[6] Reliance on this Executive Order is inappropriate. It was issued in a context where the government was establishing accounts for individuals for public benefits, not the general enumeration of individuals in a database.[7] Individuals in the proposed database will not have an "account" with the DOD.
Because the DOD is not administering an account system for the benefit of individuals, but rather an enumeration system for the benefit of the agency, it cannot rely upon E.O. 9397 for the collection and use of the SSN. The DOD lacks authority to collect the SSN for this system, and therefore, the SSN should not be included as a category of information in the system.
Collection of the SSN is Unnecessary for Enumeration of Data Subjects
The Privacy Act mandated that each agency “shall maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency.”[8] However, the DOD proposes to maintain the SSNs of tens of millions of individuals—even those who opt-out of solicitations for military recruitment. This is an unnecessary and risky collection of personal information. The DOD could follow the lead of many private-sector organizations, and employ a different number to uniquely identify the individuals in the database. In fact, even direct marketing organizations do not use the SSN to uniquely identify prospects—many companies have developed their own identifier or rely upon basic contact information, such as the telephone number, to manage lists.
There simply is not sufficient justification for DOD to collect the SSN. The DOD’s advertising activities do not create tax implications for the average person that require IRS reporting, nor do they convey benefits that have traditionally justified the use of the SSN. While it would be reasonable to collect the SSN of an individual who is actually enlisting in the military, the vast majority of individuals in this database will not enlist, and this vast majority should not be subjected to heightened risks of identity theft for the administrative ease of the DOD.
Collection of the SSN Heightens Risk of Identity Theft
The 1943 Executive Order was signed decades before both the Privacy Act, which limited the collection of the SSN, and the advent of identity theft. Identity theft affects millions of Americans, and access to the SSN is almost always necessary to commit the crime. In the past year, over ten million Americans have been affected by security breaches, most of which involved the improper disclosure of the SSN. It is now understood that safeguarding the SSN is critical to prevention of identity theft.
Despite the risk of identity theft, DOD proposes to collect SSNs on all high school students aged 16 – 18, all college students, all Selective Service System registrants, all Active Duty and Reserve members of the Armed Forces as well as several other large categories. While the size of any database is not an inherent flaw, any breach of security or change in policy will impact an enormous number of Americans. The size of the database also makes it an attractive target for identity thieves.
Simply put, any advantage that the DOD would gain by using the SSN for data linkage or unique enumeration does not outweigh the risk that this practice imposes on individuals.
Transferring the SSNs of Tens of Millions of Americans to a Direct Marketing Company is Inappropriate
The Government is collecting and giving a gigantic amount of sensitive information to a private company. Unlike the vast majority of Privacy Act systems of records, this database will be located and managed by a direct marketing company, BeNow. No justification is given for this aberration, and no procedures are outlined to prevent abuse. The company, which prides itself on its database management expertise, has no privacy policy available on its website. It does not appear to even be a member of any of the self-regulatory privacy “seal” groups.
It is a serious breach of trust for the government to transfer the SSNs of tens of millions of Americans, without their consent, to a private company. In other contexts, companies that maintain SSNs must comply with substantial security standards and rules, such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, banking safety and soundness regulations, and state laws requiring disclosure of security breaches. It is unclear whether any of these standards will be employed in this context, as the DOD has only devoted three sentences to the security of the system. Further, the Privacy Act notice does not specify whether Benow will be subject to the Privacy Act under § m.
At a minimum, the DOD must answer the following questions before proceeding with a plan to warehouse tens of millions of SSNs at a private company:
- Why cannot this database be administered by government employees, who are subject to civil and criminal penalties under the Privacy Act for misuse of personal information?
- How will the DOD exercise adequate supervision over the employees of this private company?
- What qualifies the employees of this company to handle the SSNs of tens of millions of Americans?
- How can we trust that the employees of this company will not misuse the data?
- How can we trust that this company has appropriate administrative, physical, and electronic safeguards to prevent and detect misuse of the data?
- If a security breach does occur, will individuals receive notice, as is required when a bank inappropriately gives access to customer information?
- How will individuals obtain an auditing of disclosures of their personal information?
Access to One’s Record Should Not Be Conditioned on Providing a SSN
Under the access provisions to this database, an individual must provide their full name, address, and SSN to obtain their file. It is unnecessary to condition access on provision of a SSN. If the DOD maintains accurate address information, it can simply send an individual's file to the address within the database.
The Record Sources for the Database Are Inappropriate
The Privacy Act requires the agency to collect data directly from the subject as far as possible, and to provide rights of access and correction.[9] However, the DOD proposal seems to maximize collection of information from third party sources, and is silent on correction rights.
The DOD should not obtain personal information from commercial vendors when the same data can be obtained from data subjects through surveys or interactions with recruiters. Commercial sellers of personal information are major threats to personal privacy, they maintain inaccurate databases, and as recent events make clear, they sometimes sell personal information to criminals. The DOD should not be in the business of enriching these companies while significant attention is being focused on them by state attorneys general, the Federal Trade Commission, and the media.
Individuals Should Be Able to Opt Out from the Database
The DOD proposal does not give anyone the ability to opt-out of the database. Even those who have indicated that they do not want to receive military recruitment materials will have their SSN and other data maintained in this system. Individuals should be able to opt-out of the database, and have all personal information removed except for the minimum necessary to ensure that the individual is no longer solicited. This could be accomplished by only maintaining name, address, and telephone number in the system for those who have opted out.
The Routine Uses of Personal Information Are Inappropriate for this Database
The DOD proposes to subject this database to its blanket routine uses. This means that for any of the following 13 reasons, information in this database can be transferred without the individual’s consent to another agency.
- To law enforcement.
- To other agencies when DOD is requesting information in order to engage in hiring and firing decisions.
- To other agencies when requested for a variety of government decision making.
- To Congress in response to Member inquiries.
- To foreign law enforcement.
- To state and local taxing authorities.
- To the Office of Personnel Management for pay, leave, and benefits administration.
- To the Department of Justice for litigation.
- To military banking facilities.
- To the General Services Administration for records management inspections.
- To the National Archives and Records Administration.
- To the Merit Systems Protection Board.
- To almost any entity for national security purposes.[10]
The Privacy Act defines the term 'routine use' as “the use of [a] record for a purpose which is compatible with the purpose for which it was collected.”[11] The purpose of this particular database is very clearly laid out - “to assist [the Services] in their direct marketing recruiting efforts.” However, the routine uses defined in this proposal go far beyond its stated purpose. For example, the first category defined in the Department’s Blanket Routine Uses document allows the Department of Defense to notify another agency if a record “indicates a violation or potential violation of law.” Not only is this category unrelated in any way to recruiting efforts, it is also nonsensical in the context of the information stored. While a system of records that tracks entitlements might show evidence of fraud, it is difficult to imagine a scenario where the information in this particular system would indicate a crime. The Department of Defense should reexamine the ways that this database will be used and consider whether any of the blanket routine uses are in fact appropriate.
We also encourage the Department to end its practice of using Blanket Routine Uses in any system of records. This practice violates the 1974 Privacy Act, which defined very specific conditions of disclosure. Using broad routine uses invites mission creep and abuse by making it possible to do much more than originally intended.
Direct Marketing Is not an Appropriate Government Function
Although labeled a "Joint Advertising" database, the level of personal information proposed to be collected by DOD suggests a massive direct marketing campaign. As we noted above, the Privacy Act mandated that each agency “shall maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency.”[12] But this proposal goes far beyond traditional government uses of personal information into activities that are only appropriate for the private sector. Direct marketing to individuals who have expressed no interest in recruitment simply is not an appropriate function for a government agency. The DOD should abandon this approach as it is inconsistent with the Privacy Act, and will lead to increasing demands for individuals’ personal information.
Individuals Lack Protections Against Government Direct Marketing Abuses
Americans are now intimately familiar with the unfair and pushy sales tactics employed by direct marketers. These tactics resulted in a wave of consumer protection legislation aimed at shielding individuals from direct marketing, such as the Telephone Consumer Protection Act of 1991, the Telemarketing Do-Not-Call Registry, anti-spam legislation, and sectoral privacy laws that limit the use of personal information for marketing. Consumers also can rely upon private litigation, state attorneys general, and the Federal Trade Commission to address invasive marketing practices. It is critical to understand that these protections cannot be relied upon when the government itself engages in direct marketing, because military recruiting may not be considered to be "commerce" for purposes of consumer protection law.
This unprecedented government foray into direct marketing comes at a time when reports of recruiting improprieties abound. Improprieties occurred so frequently this year that the DOD suspended recruitment efforts for a day so that individuals could review the legal and ethical regulations on recruiting.[13] Voice of America reported that "…U.S. Army officials report more than 300 substantiated cases of allegedly improper recruiting tactics last year, a 60% increase in 5 years. Many recruiters reportedly have resorted to aggressive tactics because they've had a hard time meeting the Army's recruiting quota of 2 enlistees a month."[14] Recent headlines recount other abusive recruitment techniques; these techniques could become significantly more pervasive when the efficiencies of private-sector direct marketing techniques are brought to bear on those in the database.[15] Indeed, just a few months ago, an Indiana National Guard recruiter’s access to personal information was credited with his ability to efficiently target women for sexual assault: “Investigators say he [the recruiter] picked out teens and young women with backgrounds that made them vulnerable to authority. As a military recruiter, he had access to personal information, making the quest easier.”[16]
The Directive on Use of Directory Information Should Be Updated to Reflect New Recruiting Techniques
The DOD Directive[17] controlling use of personal information should be updated to address the risk of abuses from direct-marketing style recruitment techniques. When commercial entities use databases to assist in making telemarketing calls, a regulatory framework helps protect individuals from harassing or unwanted calls. For instance, the Telemarketing Sales Rule prohibits harassing series of calls and any attempt to frustrate the call recipient’s attempt to opt-out from solicitation.[18] Similar regulations should be in place for military recruiters who use direct marketing technology.
Finally, the definition of “student” in section 3.3 pertains only to individuals who are 17 or older. However, the proposed database will include students as young as 16. The Directive should be updated to address this inconsistency.
Conclusion
For the reasons explained above, we strongly oppose the creation of this database. The DOD faces serious challenges in staffing the military. However, these challenges should be overcome through traditional advertising channels. The foray of government into direct-marketing style recruitment violates the norms of the Privacy Act and subjects Americans to risk of identity theft. The DOD should withdraw its plan to create the Joint Advertising database.
If DOD continues the Joint Advertising database, we request that the agency publish a revised notice answering the objections raised in these comments for further public feedback. We also urge DOD to fully comply with the E-Government Act of 2001, and make it possible for the public to comment electronically.
Respectfully submitted,
Chris Jay Hoofnagle
Director
EPIC West Coast Office

Linda Sherry
Editorial Director
Consumer Action

Deborah Pierce
Director
PrivacyActivism

Gary Ruskin
Director
Commercial Alert

Robert Ellis Smith
Publisher
Privacy Journal

Pam Dixon
Director
World Privacy Forum

Beth Givens
Director
Privacy Rights Clearinghouse

Oscar H. Gandy, Jr.
Professor
University of Pennsylvania

Jason Catlett
Founder
Junkbusters

[1] Notice to add a system of records; DHRA 04--Joint Advertising and Market Research Recruiting Database, 70 Fed. Reg. 29486 (May 23, 2005), available at http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-10216.htm
[2] A Google site search performed on June 14, 2005 for the word "privacy" on benow.com returns no responsive pages.
[3] P.L. 93-579, 88 Stat. 1896 (1974).
[4] S. Rep. No. 93-1183, at 1 (1974).
[5] Id.
[6] E.O. 9397, Numbering System for Federal Accounts Relating to Individual Persons, Nov. 22, 1943.
[7] "…Hereafter any Federal department, establishment, or agency shall, whenever the head thereof finds it advisable to establish a new system of permanent account numbers pertaining to individual persons, utilize exclusively the Social Security Act account numbers assigned pursuant to Title 26, section 402.502 of the 1940 Supplement to the Code of Federal Regulations and pursuant to paragraph 2 of this order." Id.
[8] 5 U.S.C. 552(e)(1).
[9] 5 U.S.C. §552(d)-(e).
[10] 32 CFR 318.14 (2005).
[11] 5 USCS § 552a(a)(7)(2005).
[12] 5 U.S.C. 552(e)(1).
[13] Andrew J. Baroch, Army Recruiters Take Day to Reflect on Ethics of Job, Voice of America News, May 22, 2005, available at http://www.voanews.com/english/AmericanLife/2005-05-22-voa20.cfm.
[14] Id.
[15] "In Texas recently, an Army recruiter allegedly threatened a high school student with arrest if the student changed his mind and decided not to enlist." Id.
[16] James Gillaspy & Dan McFeeley, Recruiter accused of sex assaults; Counts against guardsman involve 6 young women, Indianapolis Star, Mar. 1, 2005.
[17] Department of Defense Directive 1304.24, Use of Directory Information on Secondary School Students for Military Recruiting Purposes, Apr. 20, 1984.
[18] See 16 CFR 310.
Last Updated: June 21, 2005
Page URL: http://www.epic.org/privacy/profiling/dodrecruiting.html