​

COUNTERTERRORISM professionals generally view the country’s growing network of intelligence fusion centers as an important tool for helping all levels of government collect and exchange information on potential criminal and terrorist activity. But civil libertarians say they conflict with citizens’ rights to privacy and to access government data.

One skirmish in the ongoing legal wrangling over these issues just played out in Virginia. In Virginia, as elsewhere, government proceedings and documents are open to public view under the state’s Freedom of Information Act (FOIA), except where state officials can demonstrate a reason for an exemption, such as a critical matter of public safety.

Another law, the Government Data Collections and Disseminations Practices Act (GDCDPA), bans secret databases and forbids the government from using personal data for purposes other than that for which it was originally collected. GDCDPA further guarantees citizens the right to query government agencies to find out what personal data of theirs the agency has, and it requires that agencies correct any errors found.

In their Fusion Center Guidelines, issued in 2006, the FBI and the Department of Homeland Security stated that fusion centers should leverage and “obtain access to an array of databases and systems.” The guidelines listed possible data assets, but cited as examples only publicly held assets, such as state motor vehicle databases and government data exchanges.

Earlier this year, however, the Washington Post reported that state fusion centers contract with private data brokers to obtain broad access not only to public records but also to private information, such as unpublished cell phone numbers, or data held by private credit agencies.

In addition, a bill was introduced early this year in the Virginia General Assembly that sought to exempt the Virginia Intelligence Fusion Center from the state’s FOIA and GDCDPA. The bill was stalled in the assembly until lawmakers included a provision requiring an annual review of all data held by the center and removal of any “determined not to have a nexus to terrorist activity.”

It then passed unanimously in both the Virginia House and Senate and was signed into law April 2 by Gov. Tim Kaine, a Democrat. It took effect July 1.

The bill’s introduction prompted the Washington, D.C.-based Electronic Privacy Information Center (EPIC) to file a request under Virginia’s FOIA law, seeking the right to see any correspondence between the Virginia State Police, which runs the Virginia Intelligence Fusion Center, and federal agencies, regarding federal involvement at the fusion center.

State officials rejected the request. EPIC took the matter to court and won the right to obtain the memorandum of understanding (MOU) between state and federal officials, which governed the assignment of an FBI agent to the center.

EPIC learned that one of the conditions of the MOU was that federal, not state, FOIA laws would apply to any requests regarding information on the fusion center related to the FBI’s role.

EPIC’s conclusion, according to staff counsel John Verdi, is that together, the MOU and the exemption law amount to the state ceding FOIA and privacy protections to the federal government.

State FOIA and privacy laws function well as they are, Verdi says. The state law enforcement officials who typically run fusion centers know state laws well and honor them. In the broader sense, EPIC worries that encroachment of federal jurisdiction into these matters will make it more difficult for the public to monitor the activity of fusion centers to ensure that their personal information isn’t being used improperly.