ATF forgot to comply with policy, accidentally creating gun owner database
The government’s top watchdog revealed in a new report that the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) essentially maintained a database of law-abiding gun owners by ignoring its own policies.
According to Government Accountability Office (GAO) auditors, ATF failed to remove the names of gun purchasers from its Multiple Sales (MS) database and another system called Access 2000 which allowed it to stockpile information on lawful gun owners by scouring the records of out of business federal firearms license holders.
FFLs are required to report to the ATF the names of customers who purchase multiple firearms at once. ATF is supposed to keep the names on file for no longer than two years, after which policies require that the agency remove identifying information about the buyers if the firearms haven’t been linked to a crime.
But for more than two decades, the agency has failed to comply with the privacy protection policies with regularity.
From the GAO report:
In September 1996, we reported that ATF had not fully implemented its 2-year deletion requirement. During the course of our 1996 review, ATF provided documentation that it had subsequently deleted the required records and that it would conduct weekly deletions in the future. Similarly, as a result of our current review, according to ATF documentation, in May 2016, the agency deleted the 10,041 records that should have been deleted earlier. However, given that this has been a 20-year issue, it is critical that ATF develop consistency between its deletion policy, the design of the MS system, and the timeliness with which deletions are carried out. By aligning the MS system design and the timeliness of deletion practices with its policy, ATF could ensure that it maintains only useful purchaser information while safeguarding the privacy of firearms purchasers.
ATF’s Access 2000 system was set up as a voluntary way for FFL-holders to more easily comply with ATF requests for information. GAO noted in its report that the system works well for in-business FFLs from both a convenience and a privacy perspective.
From the report:
Industry members—not ATF—retain possession and control of their disposition records and, according to ATF officials, they may withdraw from A2K and remove their records from the servers at any time. A2K includes a secure user web interface to each of the servers and ATF may only obtain A2K disposition information by searching individual industry member servers by exact firearm serial number. Through this search, ATF obtains the same information from each industry member as it would otherwise obtain by phone, fax, or e-mail, and in similar disaggregated form
The situation is different, however, for FFLs that have gone out of business and no longer subject to ATF requirements. ATF officials essentially made the decision to gather up the records of defunct FFLs and store them in a government-controlled database.
The GAO report noted:
Beginning in 2000, ATF maintained A2K disposition data from out-of-business industry members on a single partitioned server within NTC, and removed the records from the server in March 2016. ATF’s maintenance of the disposition records in this manner violated the appropriations act restriction on consolidation or centralization.
According to the GAO’s auditors, ATF has since removed the policy-violating records associated with both systems.
But don’t expect the ATF to give up on trying to find ways to quietly patch together a de facto national gun owner registry anytime soon. Just last weekend, ATF Deputy Director Thomas Brandon complained that the agency isn’t able to build such a database in plain sight.
“There’s a lot of things that don’t make sense in this town, you know?” he told CBS. “And, so, yeah, would it be efficient and effective? Absolutely. Would the taxpayers benefit with public safety? Absolutely. Are we allowed to do it? No.”