Q: Hi, I’m Mike German, I’m a fellow with the Brennan Center for Justice at NYU Law School and today I’m talking with Mary Ellen Callahan. Mary Ellen Callahan is chair of the Privacy and Information Governance Program at Jenner & Block. From 2009 to August of 2012, she served as the Chief Privacy Officer for the Department of Homeland Security. Can you tell me what the role of the Chief Privacy Officer in a security agency is and why it’s so important to have somebody working on privacy within these agencies?
CALLAHAN: Sure. Homeland Security actually was the first statutorily created privacy officer. And it embedded it within the Department of Homeland Security when Homeland Security was set up in 2002 because there was going to be a lot of information being collected. And because they wanted to have some sort of awareness of what information was being collected. The position itself is created as a policy position, but I also had supervisory authority over all of the different programs, systems and privacy impact assessments — anything that collected personal information from anyone, I had oversight of and had to approve it. So that was great because it provided a systemized oversight. You have different segments of Homeland Security, TSA, Customs and Border Protection. Intelligence and analysis, all who look at the things only with their own myopic way and this way I could look across the issues, making sure we were consistent, making sure we were following privacy protection.
With regard to why it’s important in the intelligence community in particular, and I think we’ll talk about this more later, the intelligence community by its nature is set up to be very secretive. You have to make sure that you protect those state secrets. And you needed to have people, and I had a whole lot of people, who had top-secret FBI clearance, who understood the issues, who were able to analyze the issues from the analysts’ perspective, but also looked to try to embed privacy protections.
Q: These were your staff?
CALLAHAN: These were my staff who would work in a couple of different ways. We had reports on suspicious activities. It wasn’t a SAR per se, but it was suspicious activities that went to all the states and fusion centers. And in those types of scenarios we reviewed them all and had to approve them before they went out. Now we did it in a timely fashion and we turned it around quickly. But I think it was really important to make sure that you don’t use inflammatory language or you’re precise in what you’re talking about the potential threat is. Furthermore, you’re not saying, “This was a dark skinned man and therefore I’m concerned.” But there was a reasoned basis for the analysis to inform people on the state and local fusion center environment.
Q: And what are the significant accomplishments you feel like you achieved while you were there?
CALLAHAN: At Homeland Security? So overall I would say that my whole goal when I was at DHS - first, to be clear, I had a phenomenal staff — and they were great, and they still are great.
Q: Now this is the third largest federal agency.
Q: How big was your staff?
CALLAHAN: When I started, I had and I did both the FOIA — Freedom of Information Act — as well as privacy, I had 18 people. And when I left, I had 47, because I changed the way the contracts were. So there were a lot of contractors who were there, but they weren’t necessarily beholden or embedded into the organization. And so I tried to expand it. So I had 47 direct reports. On the privacy side, there were 120 other staff throughout the department, which is by far the largest agency that has that. And then on the Freedom of Information Act side we had about 380 additional staff that were kind of dotted line to me.
Q: So you feel like you had the staff to do the work?
CALLAHAN: Yeah I think so. You could always have more staff, but what I tried to do with my staff was to first get it embedded into the processes and the bureaucracies of the department, making sure it reviews these reports we talked about that were going out to fusion centers; that it reviewed all of the international agreements for information sharing; that it was part of the information sharing review process for any new policy decisions that may have privacy implications; at least even indirectly, that we were part of that review and analysis. That hadn’t taken place before. Before, we relied on personal relationships and someone picking up the phone and saying, “Hey Mary Ellen, this is going on. You should be aware.” But what I tried to do is systematize it, because bureaucracy loves bureaucracy and if you’re in the process, then it’s much harder to get you removed than it is to rely on personal relationships.
Q: And you can’t wait till the phone to ring sometimes?
CALLAHAN: Right, exactly. And what putting into the bureaucracy helped do was to highlight where the issues were, and also to highlight that my staff and I were willing to try to find solutions. So I would have guys who would come up to me and say, “We need to stop terrorists.” Great, we want you to do that. How do you plan to do that? And they would say things for example, collect facial recognition on every person in the United States. Well, that might be a little bit too much to stop terrorists. So let’s try to figure out what your authority is, what you’re supposed to do, how you’re supposed to do it and how you can do it in a more privacy protective way.
Q: And what were some of the impediments that affected privacy?
CALLAHAN: So I will say we had a lot of senior support for the privacy office, and I think that was in part because we were being creative and we were helping find solutions. We weren’t just saying no. But the impediments were human nature. One would be that it’s such a big organization, their largest department, that there was a lot of diffused activities going on. And so it was hard to necessarily know what was going on. In addition, you know, people’s initial reactions were such that they would say “Oh I’m not, I’m not going to pay attention to you, you’re wrong, you’re trying to help the terrorists.” I’ve said this before in public, which is, I got called a terrorist every month that I was there. I got called [that] more early in the time, but I definitely got it called at the end. That was by my DHS colleagues, by members of the intelligence community and by others who were in the process. Because the knee jerk reaction is, if you’re trying to put in some obstacles or slow this down, the terrorists are going to win. Are you trying to aid and abet the terrorists? Obviously I wasn’t trying to do that, and obviously I wasn’t trying to slow things down, but I was trying to make things more tightly hewn and more privacy protective.
Q: And it seems that in every other element of our government and even of our lives, it’s sort of having somebody looking over your shoulder and checking your work is considered important and essential to actually doing a good job at what you’re going to accomplish, but it seems in the intelligence community they tend to want to avoid that kind of oversight?
CALLAHAN: Well I would actually argue that in our daily lives, we don’t want someone looking over our shoulders. You don’t want someone second guessing you, you don’t want someone being critical, you don’t want your boss to come down on you. But it does happen. And so parents look at children, bosses look at subordinates and colleagues look at each other’s work, even though our instinct is to not want that. And so that was the point I was saying is when they would get mad at me, it was very much an instinctual response, that I don’t want you to question what I’m doing. But, once you talk to them and try to get them to understand the value proposition you provided, how you could be helpful and help solve some of the problems they had, then all of a sudden they realize that additional review actually benefited not just me personally, but their product as well as the department. And that’s where, I think we got to at the end, was to go and say, “Listen, this is a real value-add.” And you have to have somebody within the system to be able to do that, to build up the trust, to build up the repeat processes, to understand the issues.
Q: And the privacy office is just one element to the oversight of intelligence agencies and other government agencies. How well did your office work with the other components, Inspectors General, and particularly Congressional oversight? Did they look at you as an ally?
CALLAHAN: That’s an interesting question. We did not work with IGs all that much. They were somewhat separate. There were a couple of times where I actually investigated the Inspector General because they had a data breach where they didn’t follow DHS policy, and they inspected themselves. And I layered on it a privacy review of what the privacy concerns were. And there were a couple of other times where we worked with the IG on stuff, but not that often. The IG pretty much stands alone. At Homeland Security, the Office for Civil Rights and Civil Liberties, we worked with very closely. For example CRCO would help do those reviews of intelligence reports that I mentioned earlier. So it was the two of us, along with the Office of General Counsel who would review the products before they would go out.
With regard to Congressional Oversight, it’s an interesting question, because as you know, Homeland Security has whatever it is, 120 different committees and sub-committees that it reports to. From my perspective as a Privacy Officer, I was brought on to the Hill every two months saying “What are you doing now? What are you doing now?” from the privacy people. In a similar vein, the intelligence committees wanted nothing to do with me. They had no interest in talking to me. And in fact there were several times during my tenure that the House Intelligence Committee and the Senate Intelligence Committee brought intelligence and analysis from Homeland Security down and said ‘Why are you guys delaying information sharing? I hear from the intelligence community that you’re delaying information sharing and that you are grossly negligent in your information sharing responsibilities, why is that?’ The answer to that was because we had been working on an agreement and because we had been worried about the privacy protections. The answer was, the intelligence community elements just went and complained to the Hill. So the Hill would go and say, “Why are you doing that, you know, are you a terrorist? Are you aiding and abetting terrorists?” So my point on that is each sub-section of Congressional oversight thought their section was the most important and therefore, “why are you not doing more on privacy, why are you doing too much on privacy?” were the questions we were getting on the Hill pretty much monthly.
Q: And did you feel like the reports that your office produced were relied on?
CALLAHAN: Well there are a lot of reports that are statutorily required. Nobody ever read those. I mean they went and admitted as much to us.
Q: Right, of course.
CALLAHAN: Or they would say, “Oh your Section 803 report which is about basically privacy incidents, when you did disclosures and stuff, it’s better written now. Okay, thank you.” But there was a lot of those statutorily required reports that weren’t all that useful. I tried to make our annual report a really substantive piece. That may have gotten a little out of hand, but trying to be transparent and trying to have more disclosures. And I think that some of my investigations — I mentioned the Inspector General investigation — that that was well received. The DHS privacy officer is the only officer within the federal government, only privacy officer within the Federal government, who had independent investigatory authority. And that actually helped me a lot.
Q: And would that be something you would recommend the other privacy officers get?
CALLAHAN: Absolutely. I would absolutely do. I didn’t use it often, I used it three times, because it’s hard to invest a lot of investigations, but I’ll tell you what, each time I used it, I was right. And each time I used it, it fundamentally changed the way the Department was doing stuff. One was on, as I said, data breaches, one was on information — excuse me — on use of social media and we had a management directive that was derived out of that; and the third one was related to misuse of information by the Customs and Border Protection Internal Affairs Officer, who has subsequently been removed from his job. So it was all judicious use of authority, but just having that sword helps when people say, “Well, why should I help you? Why should I talk to you?” Well, because I can demand whatever information is necessary.
Q: You mentioned information sharing, and after 9/11, information sharing became the central element of what we needed to do differently to make sure that all agencies had all the information. But of course the Fair Information Practices, which I know you know very well, include an element which says if the government collects information for one purpose it shouldn’t share that for another purpose without notifying. So is the information sharing that modern intelligence agencies require incompatible with the Fair Information Practice?
CALLAHAN: I think they are to a certain extent and I don’t think that that issue has been fully weighed or analyzed. So as you pointed out, the Privacy Act requires you to say okay, disclose routine uses, and the routine uses must be compatible with the original collection. The first part when information sharing started right after 9/11 it was sharing what I called bad guy data, sharing bad guy data between bad guy databases, and I don’t think anyone has a problem with that. There’s a question about data quality, right? That’s a different issue.
Q: And when you say bad guy data, you mean law enforcement type?
CALLAHAN: Law enforcement data, known or suspected terrorists, some sort of predicate. We can debate on what the level of predicate should be but some sort of way of like, hey you might want to pay attention to this issue, or we’re seeing this pattern or practice. And so that type of information sharing on its face makes sense. But then you get to the next question which is one that I have serious problems with, which is data that’s collected in the ordinary course of the government doing its job, border crossing information, small business loans, whatever it may be, adoption applications. This is a role that the government has played since there were governments. And that information is collected. And it’s collected for a particular civil non-litigious, non-terrorist base purpose. And now the way that the, particularly the intelligence community is thinking about the information sharing, all of those assets should be analyzed for the possibility of finding a terrorist nexus. And one, I don’t think that the terrorist nexus is there. Two, I don’t think that the intelligence community has the ability to analyze a small business loan or any of the other things, border crossing information. The farther removed you get from the data, the worse the data quality. And it fundamentally changes the way the government interacts with the citizens.
Q: And to be clear, the agencies, the law enforcement agencies, the FBI, that I worked for always had the ability — if I suspected there were documents within this data set that were relevant to an investigation — to obtain those.
Q: With subpoenas or other legal process, but we’re talking about taking the entire database.
CALLAHAN: Right. My concern with this information sharing, is the bulk information sharing without a predicate, so I’m going to absorb or take the whole database without analyzing it and then comparing it to some other database in order to determine a potential pattern or process. My concern is unfiltered bulk sharing.
Q: And part of the issue with that unfiltered bulk sharing is whether it’s actually effective to find those very few bad guys that are within the data. Part of the statutory report requirements are privacy impact assessments that your office had to do. The Privacy and Civil Liberties Oversight Board recently came out with a report and one of their recommendations for the intelligence community was to actually have methods to determine the effectiveness of your programs and it was sort of shocking to see that. Were you aware of whether they were doing that sort of research and analysis to find empirical evidence to support that these programs actually worked? In other words, you had to find the privacy impact of them, but you weight that against the effectiveness.
CALLAHAN: So I guess the way I would answer that question is part of the privacy analysis is whether or not the approach would actually be effective. And so, when analyzing particularly bulk information sharing, I think any good privacy officer would have asked for examples, you know, success stories, why this was necessary. I believe that there is a quote for me that challenged some of those methods, that’s in the public domain. That may be worthwhile to look at, because I kept saying, “Why is this new proposal different from what you can do right now?” and the examples they gave me were irrelevant. But they were all that they could point to. And again, defining how this could be effective is something that particularly in the post-9/11 scenario, was not a priority in the intelligence community. They wanted more data is what they wanted to do and I get why and I understand that. But if you have so much data that you can’t filter it, you have to go and say, “Well, if this piece of this data or this piece of data? Which one is going to be effective?” And there was nobody doing that. Small business loans versus border crossings. I’m going to probably bet that border crossings is going to be better for that, but it’s also more, so is that relevant and should we factor that in? And having some statistics or examples or even some sort of relevancy standard would be really important.
Q: And of course, one of the problems that a lot of civil liberties groups, and even some groups that are just talking about the effectiveness and the cost of these programs, talk about with data is that too much data actually creates its own problems. And I thought it was interesting that two examinations of the Boston Marathon bombing, the watch listing system actually worked. Tamerlan Tsarnaev was put on the watch list. The watch list pinged at the appropriate lines. The appropriate DHS and FBI agents at the Joint Terrorism Task Force were informed about potential travel, but simply didn’t react. And one of the reports suggested that there were so many people on the watch list traveling that day that that’s why there wasn’t a reaction. There were too many on the watch list. So is that an example of how this, is something that has a privacy concern because there are so many people on the watch list. Also if we’re not evaluating how effective it is, it’s actually serving less of a security purpose than we want.
CALLAHAN: So I can’t speak to the watch list because FBI holds the watch list and NCTC nominates people. DHS elements can nominate but I wasn’t involved in that. But I’ve certainly seen examples where too much data leads to too much noise. And you can see that in everyday lives, you know. Why am I getting ads for teenage boys’ things? I’m not a teenage boy. I don’t have one. But some database has that. I do think that particularly in the intelligence community too much data and data too far removed from its actual source are both going to be problems as they try to identify what seems to be an innocuous trend versus what seems to be a nefarious one.
Q: You had already mentioned secrecy, and the secrecy demands in law enforcement and intelligence work. How did that impact your ability to get information that you needed to do your assessments?
CALLAHAN: So when I got there and I only had temporary secret clearance. I had two people in particular say, “Well I can’t talk to you. You don’t have three stars. You only have one.” And I said, “Well could you tell me the secret level?” And no, no, hush, hush. So the day I got three stars, I knocked on the door and I said, “Hi, I have three stars now, I can hear about it.” And what they told me was not significantly different from what it was, but it’s that concept of you’ve got to keep it super-secret. But then, from an ability to analyze it, I needed to make sure that my staff and everybody else had the same ability to analyze significant information. But then I think the third point is that the fact that everything is so secret raises the level of self-importance of the information and so therefore, you’ve got this snowball of, like “I can’t tell you because you don’t know.” Now you know you’ve got to be beholden to a higher standard which is fine but you can’t tell anyone else, which is not necessarily fine depending on what the issue and then you’ve got these little pockets of information that you can’t talk to other people about and say, “DOJ privacy officer, hey, State Department privacy officer, do you know about this?” And that can be a real burden, as well as obviously the public transparency elements.
Q: And how important would it be when you have a privacy issue that you see as a problem but there isn’t any public awareness of that? How does that play in your ability to raise the concerns you have with the appropriate audience, whether within the DHS or Congress?
CALLAHAN: Well that’s a fair question. So my responsibility as Homeland Security Privacy Officer is to the Secretary of Homeland Security. And there were times — five times — I brought issues up to Secretary level and five times I won, and then I lost in the interagency once. But you had to pick and choose and understand when to bring it up, and you also needed to have the support of your supervisor, in this case the Secretary.
Q: And you felt you had that support?
CALLAHAN: Yeah, absolutely. I absolutely did, and I honestly think that one of the reasons why I had that support was because DHS has been criticized for privacy so many times that it actually made people more aware of it. And that people had had bumps and bruises in 2003 and then in 2005. And you know, there was a recognition of the value even though that wasn’t necessarily the case in other departments. That has changed in the past year and that’s been very interesting to watch. But I think that you have to have the support of your supervisor, you have to have visibility across the agency, and you have to have candidly the infrastructure to be able to do something with it. I would posit that no other privacy officer whether we’re talking intelligence community or in the cabinet level privacy officers has the level of support that DHS does. We’ve got a separate line item. We have our own staff. I’m a direct report and I have this investigatory authority I mentioned to you. Nobody else does. Section 802 of the 9/11 Commission Recommendation says that there needs to be privacy officers in the cabinet level agencies. They need to have certain authority. They need to be able to deal with redress and they need to report to the head of the agency. I’m not sure that any other privacy officer with the exception of possibly the DOJ, meets those standards. And that’s a real gap.
Q: Did you ever feel pressure either within the agency from other intelligence community components to water down your criticism or to ignore certain problems?
CALLAHAN: So I think the question is, how would the criticisms be manifested? So you asked, did you feel like you could bring issues to people’s attention, and I did. As I said, I brought them up to the Secretary. I got asked a couple of times, did I really need to be so strident and if I said yes, and people backed off and so that’s a good thing. But it’s also not like I could get a bully pulpit and say, “Hey America… here’s what’s going on.” And so you had to figure out different ways to do it. I didn’t go to Congress all that often for the reasons we talked about. I was there a lot anyways. But, and at times they were helpful, effective. At the time, PCLOB was not stood up yet, and PCLOB is going to be a good safety belt for a lot of privacy officers, Homeland Security and others, that if there’s an issue that they’re not getting executive level attention within a department or it’s an inter-agency one that they can’t deal with, PCLOB should be able to help.
Q: And do you feel the employees within DHS felt that they could come to your office or come to one of the other IG’s?
Q: That they would be protected if they came.
Q: —retaliation… I don’t know if you have any… were any retaliated against?
CALLAHAN: That came to me? No, I mean, I can’t speak to the IG’s but the people who came to me, whether it was in a whistleblower capacity or not, were all protected, I’m pretty sure that’s right. I recently checked.
Q: So this question might be more in your current role in private practice, but obviously the American public has learned over the last 15 months, the scope of some of the spying activities that have happened, not so much at DHS but certainly the other intelligence agencies. How has that affected the tech industry, the computing and communications industry?
CALLAHAN: Well first the vast scope of it was kind of breathtaking and it goes to that collect-first mentality — collect it and then maybe someday it will be useful — which I find to be a pretty immature approach to things. But also what it has done is, it has made people suspicious of anything, whether it be the intelligence community, Department of Homeland Security, technology companies. And this sense of suspicion has really, it clearly has affected international business in terms of working in the EU, but it also has affected people’s confidence, and I would say it affects their confidence in the government which is very alarming and generally in business. They don’t trust that their information isn’t being shared without some predicate and that is something that we’re going to have to deal with for a pretty long time, to try and overcome that.
Q: And you mentioned the immaturity of wanting to collect it all and figure out how we’re going to make sense of it later. But is the failure to look at that long-term consequence part of the problem?
CALLAHAN: So part of the problem is that there wasn’t anyone who asked that question. Like, people at NSA are patriots. They are trying to do the right thing. They are working really hard at it. They’re really smart and there was no one who said, “Is collecting every single phone number dialed in the United States, is that too much?” There was nobody who did that ex-ante analysis and that’s the role of a privacy officer. NSA has a great compliance officer but he was in, “Are we doing the right thing?” after the fact, and I actually think putting in a Privacy and Civil Liberties Officer at NSA will help a lot and I know she is helping a lot because she’s asking those questions up front. The fact that nobody asks it is disappointing, but there was nobody who had that as their spectrum or fulcrum to consider things.
Q: If a member of the public wants to know more about these issues, what materials would you suggest they read?
CALLAHAN: There’ve been a lot of materials in the past year. The PCLOB reports I actually think are very good. They’re pretty dense. I thought that the President’s Review Group was pretty good. Probably I would do a busman’s tour of the issues; it went a little bit all over the map. And I think that those are useful. As much as I like my privacy impact assessments and system of records notices, those may be a little hard to parse because they deal with you know, discrete elements. But I will say that the one thing that surprised me is the change from since June of 2013, is the fact that the Privacy Act may get changed and we may deal with dealing with non-U.S. citizens on the same level as U.S. citizens. I would never have predicted that, in a hundred years, that that would happen, because it deals with the intelligence community and it deals with access and redress. And that was why it was originally only for U.S. citizens and legal permanent residents. So, that’s the one that the past year that surprised me a lot.
Q: And I imagine you see that as a good thing.
CALLAHAN: Oh I do see that as a good thing. It’s more transparent, it’s more upfront and it’s fair, candidly, in this world. The interesting question is how does intelligence collection you know reconcile itself with this?
Q: Well hopefully with people like you, on the inside, asking these hard questions. I really appreciate it.
CALLAHAN: Thank you.