FBI Legal Memorandum Addresses FBI Use of Internet and Private Databases

May 13, 2003. The Electronic Privacy Information Center (EPIC) published in its web site a heavily redacted copy of a Federal Bureau of Investigation (FBI) memorandum [16 page PDF scan] titled "GUIDANCE REGARDING THE USE OF CHOICEPOINT FOR FOREIGN INTELLIGENCE COLLECTION OR FOREIGN COUNTERTERRORISM INVESTIGATIONS".

The memorandum is dated September 17, 2001, which is several days after the terrorist attacks of September 11, 2001. It is also several months after the Wall Street Journal published an article titled "FBI's Reliance on the Private Sector Has Raised Some Privacy Concerns", by Glenn Simpson, dated April 13, 2001. The FBI memorandum addresses whether the FBI may pay for access to ChoicePoint's database of personally identifiable information about Americans. Were the FBI to collect and maintain such data itself, it might violate the Privacy Act.

Chris Hoofnagle, Deputy Counsel for the EPIC, told Tech Law Journal that the memorandum is important because it "show the thinking of the FBI's General Counsel" on the use of internet materials in its investigations, and the use of ChoicePoint.

The unredacted portions of the memorandum state that the FBI may use the internet to collect publicly available information in foreign counterintelligence investigations (FCI) provided that the FBI complies with the Privacy Act and the Attorney General's Guidelines. See, Department of Justice (DOJ) document [28 pages in PDF] titled "The Attorney General's Guidelines on General Crimes, Racketeering Enterprise and Terrorism Enterprise Investigations". This version was signed by Attorney General John Ashcroft on May 30, 2002.

However, on the question of whether the FBI may use ChoicePoint's private database, the memorandum's key sections are redacted. There is an unredacted statement at the conclusion of the memorandum that states that "Finally, the Attorney General Guidelines do not preclude the use of an Internet resource, such as ChoicePoint, to obtain publicly available identifying data concerning either known or unknown persons."

The unredacted portions of the memorandum further state that use of ChoicePoint does not violate the Fair Credit Reporting Act (FRCA). See, 15 U.S.C. § 1681, et seq.

The memorandum was prepared by the FBI's Office of the General Counsel's National Security Law Unit. However, the names of its authors, reviewers, and recipients have all been redacted. This memorandum pertains to foreign counterintelligence investigations (FCI), not criminal investigations. However, the EPIC also published a copy of a PowerPoint presentation [PDF] that indicates that the FBI also uses for ChoicePoint for criminal investigations.

The EPIC obtained the document in response to a request made pursuant to the Freedom of Information Act (FOIA). The EPIC regularly uses the FOIA to seek government records that relate to the privacy of individuals. The EPIC is also a frequent FOIA litigant. It makes all records that it obtains available to the public.

The EPIC has already filed a complaint under the FOIA relating to records on this topic. Chris Hoofnagle told Tech Law Journal that the FBI has "redacted beyond reason". He added that the EPIC will ask to Court to compel the FBI to make available more of the memorandum.

ChoicePoint. ChoicePoint states in its web site that it is a "provider of identification and credential verification services for making smarter decisions in a world challenged by increased risks". It states that its "database of more than 17 billion public records includes in excess of 63 million criminal convictions and other identity verification data". It further states that it provides "decision-making information that helps reduce fraud and mitigate risk" to financial institutions, insurance companies, government entities, and others.

ChoicePoint's SEC Form 10-Q, for the quarter ended March 31, 2003, filed with the Securities and Exchange Commission (SEC), states that its "businesses are focused on three primary markets -- Insurance Services, Business & Government Services, and Marketing Services."

This filing states that "The Insurance Services group (``Insurance´´) provides information products and services used in the underwriting and claims processes by property and casualty insurers. Major offerings to the personal lines property and casualty market include claims history data, motor vehicle records, police records, credit information and modeling services."

It states that "The Business & Government Services group (``B&G´´) provides information products and services to Fortune 1000 corporations, consumer finance companies, ... and federal, state and local government agencies. Major offerings include employment background screenings and drug testing administration services, public record searches, vital record services, credential verification, due diligence information, Uniform Commercial Code searches and filings, DNA identification services, authentication services and people and shareholder locator information searches."

Finally, this 10-Q states that "The Marketing Services group (``Marketing´´) provides direct marketing services to Fortune 1000 corporations, insurance companies, and financial institutions. Marketing Services offers a full complement of products, including data, print fulfillment, teleservices, database and campaign management services, as well as Web-based solutions."

FBI Use of Internet Sources. The FBI memorandum states, "With respect to the use of the Internet to conduct intelligence investigations, this Office has previously opined that ``[FBI personnel] who are collecting information in support of the FBI's FCI/counterintelligence mission [are permitted] to use the Internet and collect publicly available information ... so long as [the collection of that information] conforms to the requirements of the Privacy Act and relevant Attorney General Guidelines.´´ Our opinion with regard to these issues has not changed." (Brackets in original.)

After some discussion of various DOJ guidelines and principles, and their discussion of publicly available information, the memorandum concludes that "These definitions, we believe, are unambiguous and clearly reflect Departmental policy permitting the use of information gleaned from public sources, including the Internet. Thus, we reiterate our prior conclusion that resources of the Internet may be used to collect publicly available information for FCI investigations ..."

FBI Use of ChoicePoint Database. The memorandum states that "There is, however, the additional legal issue presented here concerning the FBI's use of ChoicePoint: namely, whether the use of a private (i.e., commercial) information resource, such as ChoicePoint, is consistent with the Attorney General Guidelines which place specific restrictions on the use of" ... However, what follows is heavily redacted. Indeed, the entire next page is redacted. What remains does not provide readers an understanding of the FBI's analysis of this question.

However, the conclusion to the memorandum provides some indication. It states "In collecting foreign intelligence and conducting foreign counterintelligence investigations, FBI personnel may not review the ChoicePoint data prior to the [the two following lines are redacted] Finally, the Attorney General Guidelines do not preclude the use of an Internet resource, such as ChoicePoint, to obtain publicly available identifying data concerning either known or unknown persons."

Fair Credit Reporting Act. The FBI memorandum also reviews whether the Fair Credit Reporting Act (FRCA) applies to the FBI's use of ChoicePoint. It concludes that the FCRA does not apply. The facts recited by the FBI memorandum in this analysis may be compared and contrasted with statements made in ChoicePoint's latest 10-Q filing.

The memorandum states, "We also were asked to consider whether the FBI's use of ChoicePoint is consistent with the restrictions of the Fair Credit Reporting Act ... In our opinion, it is."

The FBI memorandum reasons that "The FCRA protects information in consumer (credit) reports compiled by consumer reporting agencies from disclosure except for the permissible purposes described in Section 1681b of the Act. As used in the Act, however, the term ``consumer report´´ is defined, in pertinent part, in Section 1681a(d) as: any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characterizations, or mode of living which is used or expected to be used or collected in whole or in part in establishing the consumer's eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) ..." (Parentheses and emphasis in original.)

The memorandum states that "In this instance, none of the information which the FBI would seek to review has been collected by ChoicePoint for any of the purposes highlighted above."

In contrast, ChoicePoint's SEC Form 10-Q, for the quarter ended March 31, 2003, states that ChoicePoint provides "credit information". This 10-Q also states that this information is provided to "insurers". It also states that ChoicePoint provides "employment background screenings" to businesses, government agencies and others.

The FBI memorandum also states that "Because ChoicePoint does not collect ``public record information´´ for any of the highlighted purposes, ChoicePoint is not acting as a ``consumer reporting agency´´ for the purposes of the FCRA.

In contrast, ChoicePoint's 10-Q states that it provides "public records searches", and that its recent acquisitions "extend ChoicePoint's ... public records business".

Nevertheless, the FBI memorandum concludes, "Consequently, because the information being provided in any particular case is not a ``consumer report´´ as that term is used in the Act, the other requirements of the Act do not apply."

Chris Hoofnagle of the EPIC concludes that "ChoicePoint is selling credit reports" to the FBI.

PowerPoint Presentation. The EPIC also published in its web site a copy of an FBI presentation [14 page PDF scan] titled "The FBI's Public Source Information Program: Fact Versus Fiction".

This item appears to be a PDF scan of a photocopy of a paper printout of a PowerPoint presentation. It contains useful statements, such as, "Information Super Highway was built".

Another page states, in full, "How much has the FBI's use of public source information grown? Usage of public source information systems has increased by 9,600% since 1992." However, following pages are redacted in full.

Another page references an arrest of an FBI Top Ten fugitive as a result of information obtained by ChoicePoint. The presentation also contains information about another criminal case. That section was partly redacted in the copy provided to the EPIC.

Another page states, "Since the Wall Street Journal article in May 2001, there have been other news articles and one television show that have focused on the FBI contract with ChoicePoint and other public records providers. There have also been many privacy websites that have discussed the FBI's use of public source information. There is both fact and fiction contained in these documents." However, the presentation does not list or identify any instances of "fiction".

ChoicePoint Biometrics. The EPIC also published in its web site a complaint [32 page PDF scan] filed by International Biometric Group LLC in U.S. District Court (NDGa) against ChoicePoint alleging breach of contract of misappropriation of trade secrets.

This complaint alleges that "the parties entered into a Consulting Agreement" under which "IBG agreed to develop and write programming code for storing and transmitting biometric data from multiple types of inputs that would result in the creation of a central biometric authority (``CBA´´). The basic capabilities of the CBA are to provide secure and standardized acquisition, matching, and indexing of biometric data; the encrypted transfer of biometric information and results of biometric matches between trusted and non-trusted parties; auditing and logging of biometric transactions; and privacy-sympathetic data retention, management, and usage."

However, ChoicePoint filed an answer (35 page PDF scan) which "specifically denies the characterization" of the Agreement.