WASHINGTON – With a rash of massive security breaches resulting from the recent thefts of government laptops, errant information posted on public Web sites and hacks of government computer security systems, some lawmakers have reignited their call for legislation to hike penalties for unauthorized access of personal information.
"Because of this administration’s recklessness and incompetence when it comes to data security and its refusal to admit and learn from its mistakes, millions of Americans — including our veterans and our active-duty service members who, at this very moment, are risking their lives in Iraq, Afghanistan and elsewhere — now have to worry about whether their personal information and the personal information of their loved ones is safe in the hands of the Bush-Cheney administration. That is not something they should have to worry about," Sen. Patrick Leahy, D-Vt., said last week.
But when the dust settles on the recent torrent of security breaches, privacy watchdogs say they are just as concerned about what the federal government is doing with the massive amounts of data it collects and uses as they are about how it plans to protect that data from falling into the wrong hands.
"It's been very clear and it's becoming more clear to the public that there are gaps in privacy protection," said Leslie Reis, an adjunct law professor at the John Marshall Law School in Chicago. She runs the Center for Information Technology and Privacy Law housed at the school and also sits on a privacy advisory board that is part of the Commerce Department.
"The law, the framework, has not kept pace with the technology and practice," she said.
The May theft of a Veterans Affairs Department staffers' laptop computer, which was recovered late last month, exposed up to 26.5 million veterans and their family members to the possibility of identity theft and fraud. Officials say no reports of identity theft yet have been traced to the stolen information.
But identity theft is just one hot-button issue that coincides with data privacy, or the lack thereof. Privacy advocates say they fear that government could keep uncomfortably close tabs on its citizens by comparing and contrasting the mountains of data it collects. And with the rapid changes in technology, an infinite number of other possibilities could surface.
"The whole purpose of privacy law is to respect the right of an individual to retain, in effect, autonomy in their lives and their dealings with government, their dealings with companies, to basically retain control of their personal information," said John Sabo, a security and privacy analyst with the company Computer Associates.
Privacy Not Protected Enough
Reis said data technology has moved from punch-card devices and storage buildings the size of football fields to wireless-transfer machines that can store volumes of information in pocket-sized drives. These changes have outpaced the 1974 Privacy Act, the most comprehensive law so far created to protect citizens against government intrusions.
Sabo, who also sits on a Homeland Security Department privacy advisory board, agreed that a host of technological developments have surpassed an array of privacy laws that have been cobbled together over time.
For instance, commercial airline passenger data is now regularly used in the government security sector. In fact, the government frequently relies on third-party data — information collected by businesses or state and local governments — to make decisions.
Additionally, commercial data aggregators glean information from public databases about as many people as possible, making more information than ever available about and to the general public. Sabo warned that no guarantees are made that any of the information collected through third parties is accurate.
Laws now regulate federal government agencies' collection of data, but third-party information is not covered. So while a federal agency in most cases must notify citizens why it's collecting data and how it plans to use it, the outside data collectors have no such obligation.
Another wrinkle exists in some government agencies' use of new radio-identification chips — radio frequency identification, or just RFID — for document tracking, building security and other measures. According to a Government Accountability Office report last year, questions have been posed about whether the chips could cause privacy problems for government employees.
All those applications of technology lead to a greater number of points along the line of transmission where a breach or a hack or a mistaken data release could occur, Sabo said.
"What was a mainframe [computer] closed environment — a mainframe behind a door, lines running from terminals, card readers, right? Essentially like a silo and stovepipe system back in the early '70s, now suddenly what are you doing? Third party cookies. Government systems ...[where a] mainframe interfaces with data to sift, to pull data from various other agency systems, or from non-agency systems, from state systems ... Data is going everywhere," Sabo said.
"Technology and practices have accelerated in the last decade to the point where ... not just security, but privacy obligations have been left behind in the dust," he said.
Where Government Should Go
Analysts say that despite all the problems posed by new technology, government agencies must strive for more efficient systems and balance fears against the risk those systems pose. A threat to a Treasury or Homeland Security Department database, for instance, should be considered more heavily than a threat of a hack to a non-critical Web site.
Top government officials are proposing short-term solutions that are aimed at filling the most prevalent gaps. The White House Office of Management and Budget recently issued a new government-wide directive on laptop security. Veterans Affairs Secretary Jim Nicholson has hired a new information security adviser and has let go a number of employees who were directly involved with his agency's breach.
Other agencies are taking more novel approaches to hammer home the need for data privacy.
Gerald Gates, the chief privacy officer for the U.S. Census Bureau, said his agency continuously struggles to consider privacy concerns in the performance of its functions. With around 10,000 employees nationwide, not including the additional workers the agency takes on for its decennial work, a constant turnover of employees need to be indoctrinated into the culture.
"For Census, privacy is critical. We depend on the public's trust," Gates said.
Since January, the Census Bureau has been running a program designed to raise employees' awareness of citizens' privacy. The agency has designed posters, bookmarks, freestanding cards that sit on cafeteria tables and computer-based Flash-presentations that pepper employees as often as possible with privacy-minded messages.
"Basically, it gives the employees the sort of awareness why ... maintaining the public's trust is so important, [and] what their role is," Gates said.
He said the public often questions how his agency presents data on its Web site, and whether people are identified individually. He said the agency will manipulate data in a way to protect individuals, but not skew aggregated data.
New concerns will need to be addressed before the next census, when the bureau sends out data collectors with wireless devices that will automatically update the bureau's massive database. While the machines will make it much easier to collect data, administrators have to make sure that they can't be hacked or corrupted.
Gates said the machines likely will need fingerprint verification before they can be used, and any data sent from the machines will be encrypted with special codes preventing easy hacking.
The Game of Catch-Up Continues
Reis said that because government has gotten so far behind on the privacy issue, it's time for a more in-depth look at how government handles privacy.
"You can't take a Band-Aid approach to this. There are so many different needs for information," Reis said.
Reis said she is planning a study of the government's privacy approach, and hopes in the coming months to submit recommendations through the Information Security and Privacy Advisory Board, of which she is a member. The group was established by federal law to monitor privacy and report to both the administration and Congress. It is housed in the National Institutes of Standards and Technology, a Commerce Department agency.
She said the basic question is: "Are the laws really doing what they're supposed to be doing?"
Many laws in addition to the 1974 Privacy Act deal with privacy issues — some compete with one another — so it's time to take a comprehensive look and figure out where the gaps are, and where potential gaps could arise, she said.
Sabo said legislators might want to consider stiffer penalties for people whom either negligently or purposefully expose data. He said some good examples of tough provisions can be found in the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley financial reporting bill that arose out of the Enron fiasco. Gates said specific penalties have been created for Census Bureau workers who violate privacy rules.
"If there's no consequences, then the law won't be treated with respect," Sabo said.
Sabo said another question government must continually ask itself is whether the information is necessary to have. It's an important question, he said, because by reducing the amount of information collected, government can reduce the likelihood that useful information can be stolen for malicious purposes.
Peter Swire, an Ohio State University law professor who spoke to the Commerce Department advisory group last month, said that question is being factored into a discussion that the Justice Department is having with Internet companies over data storage. The government is asking companies like Google to maintain search records for up to two years in an effort to combat child pornography and other predatory Internet crimes.
But Swire said that Justice Department officials apparently hadn't considered the fact that search information on their own FBI agents investigating crimes would be logged also, and could possibly put the agents at risk. He said it's an example of the wide implications of data collection.
"It was clear they hadn't thought of that," Swire said.
Daniel Chenok, the chairman of the Commerce Department advisory group and a security analyst for the consulting firm SRA International, said that government's role ultimately is multi-pronged with respect to protecting privacy.
"It's leading by example, and providing notice as to how information is used. [It includes] providing rapid response and notice when there's an incident," Chenok said. He said federal government can have a great impact by using its weight as a purchaser of information systems, and requiring certain security and privacy requirements.
"Before, people stole wallets, and now people steal data streams. It's just a question of adjusting and responding to the new risks," Chenok said.