Introduction: The Problem of Policy Laundering

A new challenge has emerged in the democratic battle to preserve civil liberties in the United States and around the world. This challenge is what has been dubbed policy laundering the use of foreign and international forums as an indirect means of pushing policies that could never win direct approval through the regular domestic political process. In a rapidly globalizing world, this technique is becoming a central means by which the United States (and other nations) seek to overcome civil liberties objections to privacy-invading policies.

Just as money laundering describes the cycling of illegitimate funds through outside institutions in order to enter them into legitimate circulation, so does policy laundering involve the cycling of policies that lack political legitimacy through outside intuitions in order to enter them into circulation despite their lack of acceptance.

Policy laundering takes advantage of the fact that the institutions Americans have created for ensuring democratic control and input into the Executive's policymaking process have not yet grown to cover most international bodies. Every nation must reach a balance between direct democratic control over policymaking and the granting of discretionary freedom to its administrators. In the United States, that balance was set through our Constitutional framework to include such elements as the creation of the legislative branch with its power of the purse and attendant oversight functions, and has been finely honed over time to include institutions such as public comment periods, open-meeting and open-records laws, and appeals processes of various stripes. In addition, other important institutions such as the press and public interest groups long ago figured out how to work within this system.

Much of this democratic infrastructure has not yet been extended to international forums, however. Reporters, NGOs, and other important institutions such as Congressional Committees that are used to working on domestic issues do not always adapt well when consideration of those issues moves to international forums. Open-meetings laws and other rules to ensure accountability may be absent or impossible to enforce.

As a result, the government is increasingly turning to international forums where those counterweights are not yet developed.

The United States appears to be pursuing a more or less conscious strategy of policy laundering when it comes to efforts to increase the surveillance of its citizens and others. Two examples of this trend include the push for global biometric identity documents, and the effort to increase the monitoring of air passengers.

Cybercrime Treaty

The ACLU received its introduction to policy laundering techniques via an instrument known as the Council of Europe Cybercrime Treaty. This agreement, purportedly an effort to improve international coordination in combating online crime (but actually far broader), was finalized in November 2001 and will go into effect this summer now that it has been ratified by the minimum number of signatories (five Central European nations have ratified). The convention was drafted by the 43-member Council of Europe, with the U.S., Canada, Japan, and other countries participating as observers, although in actuality the United States was a major impetus behind the agreement.

Introduced at a time when domestic controversy over the FBI's Internet wiretapping device Carnivore was at a peak, this treaty would require the United States to approve the use of such devices to capture the content of communications a power it does not have clear authority for under U.S. law. Under cover of an unobjectionable banner helping the police combat cybercrime the treaty would also expand police search powers without corresponding privacy or due process protections, and require police in the United States to cooperate with foreign police even when the behavior under investigation is not actually illegal here.

It would be hard to find a clearer example of an attempt by the government to gain new law enforcement powers through international channels that would probably not be granted through the regular domestic political process.

Although internal disagreements within the administration appear to have slowed the treaty, it is moving steadily toward ratification. In November 2003 Bush sent the treaty to the Senate, and the Foreign Relations Committee began holding hearings in June 2004.

The push for a global ID

In the wake of the September 11 terrorist attacks, some in the United States began to push for creation of National Identity cards. These efforts collided headlong, however, into a fierce backlash from Americans who did not want to see the creation of a tool that would inevitably be used to track and monitor average citizens.

So the Bush Administration turned to international forums. It prompted Congress to pass a law (the Enhanced Border Security and Visa Entry Reform Act, or EBSA) requiring our allies whose citizens do not need visas for entry into the U.S. to begin including biometrics on their passports, with the threat that any nations that failed to comply would lose their status as visa-waiver countries.

For the citizens of other nations, the U.S. created a system called US VISIT, under which foreigners visiting this country would be fingerprinted and photographed, and their information stored in a biometric database for decades.

Neither of these measures is targeted at the U.S. population at least directly. But many other nations appear to resent these measures, and foreign governments will inevitably reciprocate, with the result that Americans will find themselves similarly treated as they travel abroad. One nation, Brazil, reacted swiftly by putting similar measures into effect for just their American visitors.

Far from being concerned that such systems would lead to the retaliatory creation of systems for tracking Americans elsewhere in the world, Bush Administration officials have embraced such reciprocation. We welcome other countries moving to this kind of system, Department of Homeland Security undersecretary Asa Hutchinson declared. We fully expect that other countries will adopt similar procedures.

The U.S. assigned responsibility for the crucial question of exactly how biometric passports would be implemented to a heretofore-obscure international group, the International Civil Aviation Organization (ICAO), which is nominally sponsored by the United Nations, and made up primarily of representatives of advanced-industrial nations. ICAO developed these standards over a period of months in meetings held around the world. The ACLU and Privacy International tried but failed to arrange attendance for a representative at a March 2004 meeting held in Cairo. An open letter to the ICAO on privacy concerns over the biometric standards met with no response. The ACLU again wrote to ICAO asking to attend a May 2004 meeting in Montreal, and received no response.

In short, despite the importance of technical and interoperability standards, which can mean the difference between a use of biometrics that poses enormous problems for privacy, or one that poses little, ICAO has ignored attempts by privacy and civil liberties groups to join in their process. To a degree that would not be possible with a domestic government decision-making body, they have rebuffed NGO attempts to provide input on the privacy implications of the particular standards being considered, or even to just attend the meetings.

The resulting standards provide for the use of the unreliable face-recognition biometric technology, as well as the inclusion of Radio Frequency Identification chips, which emit radio signals that can be used to read a passport holder's identity at a distance. A retail store or restaurant, for example, might gain the ability to capture the identities of those who walk through a portal; a government official could instantly sweep the room to discover who is attending a political meeting.

By skipping right over the politically untenable proposals for a National ID card, the U.S. government with its push for a biometric passport has set a course toward the creation of a global identity document or, at least, toward a set of global standards for identity that can be incorporated into a wide variety of national identity documents. Once created, these passports will likely come to be seen as the gold standard of identity verification around the world. In the U.S. they will become either the template for standardized versions of the driver's license that amount to a de facto National ID card, or displace them altogether. Such documents will increasingly be demanded for more and more purposes, not only around the world, but domestically as well. Features such as the inclusion of a remotely readable RFID chip would greatly enhance the private sector's tendency to piggyback on the perceived trust value of these documents. Eventually they may become what are effectively necessities advancing the government's interest in tracking and controlling the movement of citizens.

Or innocent citizens, at any rate. As the perceived trust value of such documents rises, and as their adoption becomes more widespread, the payoff for counterfeiting them also rises perhaps even more steeply with the result that counterfeit or fraudulently acquired real documents will continue to remain available to determined and well-financed wrongdoers.

Airline passenger data

An example of another stripe of policy laundering can be seen in the Bush Administration's efforts to demand access to passenger-records data on Europeans flying to the U.S. But the American government's demands have run up against the Europeans' privacy laws, which are far more comprehensive than anything in force in the U.S. today.

Like every advanced-industrial democracy except the U.S., Europe has in place an overarching privacy directive that gives the force of law to a set of privacy principles that are recognized around the globe as core to the dignity and freedom necessary for a democratic citizenry. Unlike the primitive privacy protections that Americans still live under, European privacy law does not permit its citizens' personal information to be shared and traded willy-nilly by any corporation or government agency with a claim to a role in the war against terrorism.

Sadly, our government's response to this conflict has been to bully and cajole the Europeans into betraying their own privacy laws. In fact, the Bush Administration is asking the Europeans for data sharing on terms that go well beyond what is needed for the airline security purposes it claims to be pursuing, and well beyond anything directed by Congress. The U.S. demands include:

  • A broad array of information about each traveler, including information that under European law is classified as sensitive and cannot be shared;
  • The right to retain data for 3.5 years;
  • Broad forms of access to information, including the right to direct electronic access to airlines' computer systems;
  • Weak forms of due process for any Europeans who are mistakenly or unfairly targeted by the system.

After months of U.S. pressure, negotiators at the European Commission finally buckled under to American demands and betrayed their own citizens' privacy interests. After extended negotiations, the European Commission in December 2003 announced that an agreement had been reached with the U.S. Under the agreement, the Europeans:

  • Declared U.S. privacy protections adequate, despite the fact that the U.S. clearly does not meet the criteria for such a finding.
  • Allowed the U.S. to use European information for regular crimes, even though the E.U. legal regime only permits data transfer for combating terrorism.
  • Accepted the U.S. offer to retain European data for 3.5 years, far in excess of what E.U. regulations permit.
  • Accepted a weak due process procedure that is entirely internal to the Department of Homeland Security, where E.U. rules require a true right to redress for citizens who believe their data is being abused.

Given its clear violation of E.U. requirements, the deal reached by the European Commission has been challenged by the European Parliament, which in April 2004 passed a resolution asking the European Court of Justice to rule on whether the agreement violates European law. (Also at issue is whether the Commission's deal can go into effect without the Parliament's approval).

Americans interested in protecting civil liberties have always seen Europe as a shining example of the kind of legal regime that we need to fight for here; unfortunately, instead of the Europeans' civilized privacy regime rubbing off on the U.S., it appears that our Wild West legal regime is instead rubbing off on them.

Of course, as European critics have pointed out, the European Commission may have its own interests in weakening E.U. privacy standards that is, the American and European governments may have been using each other to overcome the respective domestic obstacles faced by each to an increase in the extension and rationalization of their own identity-tracking systems. And once again, the US government is embracing reciprical arrangements; at the June 2004 G8 summit of major industrialized nations, Bush administration officials announced a new, recipricol aviation-security plan under which personal data about American travelers would be shared with other nations, beginning with the G8 nations but soon expanding to the rest of the world.

In addition to the U.S.-E.U. negotiations and the G8 agreement, the U.S. and the European Union are also cooperating through secret meetings like the E.U.-U.S. Task Force and the Senior Level Officials Group under the New Transatlantic Agenda (agreed to in Barcelona in 1995). The goal is to present common demands on bodies like the ICAO and the International Maritime Organization (IMO). Plans are also afoot to draft a multilateral accord among the 55 members of the Organization for Security and Cooperation in Europe (OSCE).

The ACLU and European groups such as Privacy International have been working to penetrate this international process. We met with the European Commission negotiators, prepared a detailed report laying out how the E.U.-U.S. passenger-data agreement fell short of European privacy laws, and worked to bring the poor privacy practices of U.S. airlines to the attention of European officials through meetings and letters.



What the European passenger data and biometric passport cases tell us is that national policies are increasingly being made through international means, especially when it comes to policies that involve greater government surveillance and oversight of individuals. If the ACLU and other organizations that have traditionally served as a countervailing influence against the government's tendency to expand the tracking of citizens for administrative and security purposes are to continue to be effective, we must begin to adapt. In our globalizing world, the levers of power are no longer the same, and decisions being made by obscure international groups like the ICAO that can operate in secret and without public input may in some areas end up affecting our lives more than the decisions of our elected representatives in Congress.

It is vital that the ACLU and other privacy groups rapidly bring up to speed their capabilities for monitoring and influencing international forums where so many vital decisions are now being made, and precedents being set. That includes the need to develop the expertise and organizational capacity to monitor and influence such forums, and the need for NGOs in different nations to cooperate with each other and with affected corporations and other institutions.



Unlike telephone wiretaps, which are set up by the telephone company on behalf the authorities to listen to one line, Carnivore allows law enforcement agents direct access to ISPs' entire networks for surveillance, with only their unsupervised self-restraint preventing them from inspecting the vast flow of other data in the network.

See e.g. Kevin G. Hall, Brazil ratifies fingerprinting, photographing of U.S. visitors, Knight Ridder, Feb. 12, 2004; available online at .

Rachel L. Swarns, Millions More Travelers to U.S. to Face Fingerprints and Photos, New York Times , April 3, 2004.

See ACLU et. al., An Open Letter to the ICAO, March 30, 2004; online at .

See James Moyer, Security Document Theory White Paper, online at .

Privacy International, Transferring Privacy: The Transfer of Passenger Records and the Abdication of Privacy Protection, February 2004; online at .