The second effect of computerization on personal-data record keeping, that it facilitates access to data within a single organization and across boundaries normally separating organizations, is another source of concern. Quick, cheap access to the contents of a very large automated file often prompts an organization or group of organizations to indulge in what might be called "dragnet behavior."2
An example of how a very carefully planned data system of ostensible social benefit operates as a dragnet is the National Driver Register of the Department of Transportation (more fully described in Appendix D). It provides a central data facility containing the names of individuals whose driver licenses are denied or withdrawn by a State. The purpose of the Register is to give each State access to the current revocation records of all other States, so that one may, if it wishes, avoid issuing a license to an individual whose license has been denied or withdrawn by another State.
Suppose that Missouri revokes John Doe's license for a serious offense. Doe applies in Illinois for a license, neglecting to mention the Missouri revocation. If Illinois issues Doe a license, it in effect nullifies Missouri's action, without knowing it is doing so. Before the National Driver Register was established, Illinois would have had to make specific inquiry to all other States in order to discover the Missouri record of license withdrawal. Because this was time-consuming, States tended to do it only for blatantly suspicious cases, with the presumable result that many fraudulent applications were never detected. Now that Doe's record of license withdrawal goes into the master file of the National Driver Register, however, one query to the Register from Illinois will bring the Missouri action to light within 24 hours, thus permitting Illinois to make a decision to grant or withhold a license based upon the original Missouri record.
How can a system whose only purpose is to prevent fraud by drivers of demonstrated unfitness have any adverse effect? The answer lies in the efficiency of the Register; it has become easier for most States to put all their license applications routinely onto magnetic tape to be searched against the Register's file, rather than to separate out the suspicious cases for special treatment. If one accepts the objectives of the system (to identify irresponsible or incompetent drivers, and thus to reduce the number of traffic fatalities), this is not in itself an objectionable practice. However, automated matching of queries against NDR records generates identity matches so imprecise that subsequent manual screening reduces the system's 5,000 possible "hits" per day to about 500 probable ones. Of the probable hits, the operators of the Register estimate that about three quarters are true identifications; that is, they definitely relate to an individual who has misrepresented himself in a license application. Arithmetic does the rest; a quarter of the probable hits, some 125 individuals per day, may find that they are required to prove that their licenses have not been withdrawn. In theory, a reply from the Register is supposed to be treated merely as a "flag" to inform the inquiring State that there may be a record on the individual about whom the query was made in the revocation files of another State. At least one State, however, makes the "flagged" applicant bear the full burden of proving that such a record does not exist. Here, the "dragnet effect" of cheap and easy data access, the fact that it is cheaper and more efficient to search the NDR on every license application, has resulted in occasional nuisance and potential injustice to some applicants.
The problems that can arise from the operation of the NDR stem from its role as a clearinghouse for information supplied and used by more than 50 independent driver licensing jurisdictions whose operations it does not control. Each jurisdiction using the Register risks being misled by incomplete or erroneous data submitted by another participating jurisdiction. Although mistakes propagated by the NDR can usually be corrected at small expense in time and trouble, other multi-jurisdictional clearinghouses can have potentially more serious effects on individuals. The criminal history file of the FBI's National Crime Information Center (NCIC) is one example.
The NCIC is a computerized clearinghouse of information about wanted persons, stolen property, and criminal history records3 that will eventually provide criminal justice agencies throughout the United States with computer-to-computer access to the data in its files. The ultimate objective of the NCIC criminal history file is to enable law enforcement agencies, courts, and correctional institutions to determine, in seconds, whether an individual has a criminal record. The NCIC would appear to lack the potential to be used as a dragnet because inquiries are made only about particular individuals with whom law enforcement agencies have contact under conditions that constitute cause for suspicion of wrongdoing. In this respect, it differs significantly from the operation of the National Driver Register. Furthermore, the problem of mistaken identification in using the criminal history files should not arise, because of NCIC's requirement that fingerprints be used to identify arrest and offender records entered into the system. Errors of identification can and do occur in using the records in the wanted persons files, because these are not identified by fingerprints. However, the ease with which inquiries can be made from remote terminals located in law enforcement and criminal justice agencies all over the country could lead to access to the NCIC criminal history files by more users, and for checking on more individuals, than is socially desirable.
Leaving aside the question of the probative value of arrest records, about which lively controversy exists, the consequences of excessive use of criminal history files might be innocuous if the NCIC records could be completely reliable. In practice, however, the NCIC, like the National Driver Register, does not have effective control over the accuracy of all the information in its files. The NCIC is essentially an automated receiver, searcher, and distributor of data furnished by others. If a subscribing system enters a partially inaccurate record, or fails to submit additions or corrections to the NCIC files (e.g., the recovery of a stolen vehicle or the disposition of an arrest), there is not much that the NCIC can do about it.
Furthermore, the risk of propagating information that may lead to unjust treatment of an individual by law enforcement authorities in subscribing jurisdictions cannot be fully prevented.4
The NCIC checks on records being entered into its files, and periodically audits its files to try to assure that system standards for completeness and accuracy of records are being met. When it detects errors or points of incompleteness, it can seek corrective action and can flag its records to warn users of possible deficiencies. In the case of an arrest record, however, even if the source agency does eventually submit information about the disposition of the arrest, there is no way that the NCIC can assure that all those who have had access to the record in the interim will receive the disposition information. Once a subscribing police department contributes an arrest report to the NCIC, that report is available to any qualified requestor in the system. In some States, this means that employers and licensing agencies (for physicians, barbers, plumbers, and the like) will have access to the record under State laws that require an arrest-record check on candidates for certain types of occupational certification. Thus, unless a criminal record information system is designed to keep track of all the ultimate users of each record released, and of every person who has seen it, any correction or emendation of the original record can never be certain to reach each holder of a copy.
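The design point in the preceding paragraph, that a correction can only be delivered to holders the clearinghouse knows about, is easy to see in a small model. The following is an added illustration, not code from the report or from any NCIC system: a toy clearinghouse that accepts records from source agencies, marks a record with a "disposition pending" flag while the disposition is unreported, answers queries, and, only when it keeps an accounting of disclosures, can fan a later correction out to every requester that received a copy. The agency names, subject identifiers and arrest text are constructed sample data.

```python
"""Toy model of a multi-jurisdictional clearinghouse (illustrative, constructed).

Shows why correction propagation depends on an accounting of disclosures:
without one, holders of earlier copies keep the uncorrected record.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

PENDING = "disposition pending"


@dataclass
class Record:
    subject_id: str          # hypothetical identifier assigned by the source agency
    source: str              # contributing agency
    arrest: str              # what the source reported
    disposition: Optional[str] = None   # None = not yet reported by the source
    flags: List[str] = field(default_factory=list)


class Clearinghouse:
    """Receives, searches and distributes records furnished by others."""

    def __init__(self, track_disclosures: bool) -> None:
        self.track = track_disclosures
        self.records: Dict[str, Record] = {}
        # subject_id -> requesters that received a copy (only kept when tracking)
        self.disclosures: Dict[str, List[str]] = {}
        # (requester, subject_id, message) notices the clearinghouse would send
        self.outbox: List[Tuple[str, str, str]] = []

    def contribute(self, rec: Record) -> None:
        # Flag incompleteness the clearinghouse can detect at entry time.
        if rec.disposition is None and PENDING not in rec.flags:
            rec.flags.append(PENDING)
        self.records[rec.subject_id] = rec

    def query(self, requester: str, subject_id: str) -> Optional[Record]:
        rec = self.records.get(subject_id)
        if rec is None:
            return None
        if self.track:
            self.disclosures.setdefault(subject_id, []).append(requester)
        # The requester keeps its own copy; later changes do not reach it by magic.
        return replace(rec, flags=list(rec.flags))

    def correct(self, subject_id: str, disposition: str) -> List[str]:
        """Apply a disposition and notify every known holder. Returns who was notified."""
        rec = self.records[subject_id]
        rec.disposition = disposition
        rec.flags = [f for f in rec.flags if f != PENDING]
        holders = sorted(set(self.disclosures.get(subject_id, []))) if self.track else []
        for h in holders:
            self.outbox.append((h, subject_id, f"disposition: {disposition}"))
        return holders


def stale_holders(copies: Dict[str, Record], current: Record) -> List[str]:
    """Holders whose cached copy no longer matches the clearinghouse record."""
    return sorted(h for h, c in copies.items() if c.disposition != current.disposition)


def run_scenario(track: bool) -> Tuple[List[str], List[str], List[str]]:
    """Returns (flags seen by early requesters, holders notified, holders left stale)."""
    ch = Clearinghouse(track_disclosures=track)
    ch.contribute(Record("S-1001", "Metro PD", "arrest: larceny (constructed sample)"))

    copies: Dict[str, Record] = {}
    flags_seen: List[str] = []
    # Two requesters pull the record before the source reports a disposition.
    for requester in ("County Sheriff", "State Licensing Board"):
        copy = ch.query(requester, "S-1001")
        assert copy is not None
        copies[requester] = copy
        flags_seen.extend(copy.flags)

    # Source agency later reports that the charge was dismissed.
    notified = ch.correct("S-1001", "dismissed")
    # Notified holders refresh their copy; others keep the old one.
    for h in notified:
        copies[h] = ch.query(h, "S-1001")  # type: ignore[assignment]
    return sorted(set(flags_seen)), notified, stale_holders(copies, ch.records["S-1001"])


if __name__ == "__main__":
    for track in (False, True):
        print("tracking disclosures:", track, run_scenario(track))
```

With tracking disabled, both early requesters keep a copy that still shows an arrest with no disposition, exactly the situation the paragraph describes; with tracking enabled, the same correction reaches both holders. The model also keeps the "flag" semantics separate from the record itself, so a requester can see that the copy it received was known to be incomplete at the time.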
Systems like the NCIC and the National Driver Register illustrate one of the potentially most significant effects of computerization on personal-data record keeping: the enhanced ability to gather, package, and deliver information from one organization to another in circumstances where lines of authority and responsibility are overlapping or ambiguous, and where the significance attached to data disseminated by the system may vary among subscribing organizations. Unless all organizations in a multi-jurisdictional system can be counted on to interpret and use data in the same way, the likelihood of unfair or inappropriate decisions about the individual to whom any given record pertains will be a problem, and a particularly acute problem whenever records are incomplete or compressed. The records of school children, for instance, while highly comparable within a single school district, will be less so among the districts of a single State, and even more disparate among different States. Thus, data systems that are established deliberately to pass information across jurisdictional lines must be very carefully designed so as to foster sensitive, discriminating use of personal data.
The untoward effects of such systems (or of any system, for that matter) do not stem in the main from poor technical security. Although public mistrust of the computer often centers on the possibility of unauthorized access to a central data bank for purposes of blackmail or commercial exploitation (such as the clandestine copying of a list of names and addresses), the purely technical difficulties that can be placed in the path of any but the most well-equipped intruder can make almost every computer installation more secure than its manual counterpart. Unless an intruder has detailed technical knowledge of the system, and possibly also clandestine access to the facility itself, most systems can be quite well defended against "unauthorized" access (although at the present time many systems may not be well defended). The problem is how to prevent "authorized" access for "unauthorized" purposes, since most leakage of data from personal data systems, both automated and manual, appears to result from improper actions of employees, either bribed to obtain information or supplying it to outsiders under a "buddy system" arrangement.
Concern about abuses of authorized access to "integrated" data systems maintained by State and local governments can have a particularly debilitating effect on people's confidence in their governmental institutions. Ambitiously conceived integrated systems, no matter how secure technically, may have the effect of blurring, either in fact or in appearance, established lines of political accountability and constitutionally prescribed boundaries between branches of government. When different branches arrange to share an integrated data-processing facility and its data, the executive usually will operate it. This happens partly because operational functions are normal for the executive, and partly because executive agencies usually have more experience with computer systems. It leads people to fear, however, that the needs of executive claimants may be met before the needs of legislative bodies and the judiciary. The priority system for allocating computer support will, of course, look fair on paper, but in practice the result may often be to shortchange the passengers on the system in favor of the driver.5 The recent development of mini-computers, much cheaper than the big systems of only five years ago but of comparable power, is providing an attractive economic alternative to large integrated systems. Large systems, however, are also becoming less expensive, and there is no assurance that they will not become even more so as the result of new technological advance.
Finally, in terms of the historical classification of records in Chapter I, we recognize that combining bits and pieces of personal data from various records is one way of creating an intelligence record, or dossier. The possibility of using a large computer to assemble a number of data banks into a "master file" so that a dossier on nearly everybody could then be extracted is currently remote, since the ability to merge unrelated files efficiently depends heavily upon their having many features of technical structure in common, and also on having adequate information to match individual records with certainty.6 These technical obstacles are avoided if the capability to merge whole files is designed into a group of systems at the outset, a practice now characteristic of only a few multi-jurisdictional systems but perhaps becoming more prevalent. At the present time, however, compiling dossiers from a number of unrelated systems presents problems that few organizations, and probably no organizations outside of government, have the resources to solve.7
Nonetheless, public concern about such combinations of data through linkings and mergers of files is well founded, since any compilation of records from other records can involve crossing functional as well as geographic and organizational boundaries. When data from an administrative record, for example, become part of an intelligence dossier, neither the data subject nor the new holder knows what purpose the data may some day serve. Moreover, the investigator may believe that no detail is too small to put into a dossier, while the subject, for his part, can never know when some piece of trivia will close a noose of circumstantial evidence around him. Public sensitivity to the possibility of such situations argues strongly for preserving the functional distinctions between different classes of personal data systems.