The feds are collecting more and
more personal information about you -- and their mammoth, piecemeal
databases are poorly guarded and wide open to hackers.
Poll Americans on
the issue of privacy, and most will recite a litany of
aggravations that includes digital spam, persistent telemarketers
and plain old-fashioned junk mail. Only a few will mention risk
from their own government, which collects data on millions of
citizens and then fails to protect it adequately.
But a sharpened, centralized collection of information by our
government -- inspired by the new focus on homeland security --
could lead to a situation where personal data, while more secure,
is used in more politically pointed ways.
This comes at a time when technology makes it easier than ever to
violate someone’s privacy, while Americans look increasingly to
their government for protection. That reliance strikes many
privacy advocates as more than a little ironic.
“It’s the government sector that has greater power to collect
information and greater power to use it against you,” says Jim
Harper, a consumer-protection consultant who has created a Web
site, privacilla.org, devoted to privacy issues.
Proliferation of confusion
What Harper and others have found is that what the federal
data collection effort currently lacks in the way of a political
agenda, it more than makes up for in breadth -- and in the breadth
of its confusion.
Instead of Big Brother, Americans find their privacy threatened by
Bumbling Uncle. Actually, it’s not just one uncle, but many;
there seem to be almost as many information-gathering efforts as
there are agencies and sub-agencies in the executive branch of
government.
What unites these fragmented efforts is the generally low level of
protection afforded the information that’s collected. With a few
exceptions, agencies fail even the most basic tests of security,
and certainly cannot meet standards to which they would hold the
private sector.
It is difficult if not impossible to gauge the exact volume of
data being collected. When House Majority Leader Dick Armey,
R-Texas, asked the Congressional Research Service to produce a
comprehensive survey of the personal information being collected
by the federal government, the result was a stack of printouts
several inches high.
A database on elementary school students
A “raw data dump” is how Armey spokesman Richard Diamond
describes the product, delivered in the fall of 2000.
“The most useful thing we got out of it,” Diamond says, “was
an awareness that there’s a lot of information they’re
collecting, and a lot of it’s being shared. All the agencies are
doing it.”
Solveig Singleton, a senior analyst with the Competitive
Enterprise Institute, a Washington think tank, says that after
reviewing the major federal databases a few years ago, she was
“surprised by how many databases there were in places I never
expected them to be,” including the departments of Labor,
Agriculture and Education. The last of these, she says, has
compiled a database on elementary school students.
“Most people think of Social Security, the IRS and Medicare”
when they think of personal databases, says Singleton. “But
they’re all over the place.”
Moreover, the government is augmenting its own information
collection with databases purchased from the private sector.
Calling the trend an “emerging issue,” Harper says it is one
thing to sell privately collected data to a marketer, quite
another to sell it to the government.
If the volume of information is striking, so are the disparities
in the way it is classified and safeguarded by the various
agencies that collect it.
Old law doesn’t make rules clear
The controlling legal document in this area is the federal
Privacy Act of 1974, which seeks to define both the type of data
collected and the manner in which it can be used. The law’s
guiding principle, like that of the U.S. Constitution, is
decentralization: Data collection, like political power, should be
diffuse so that no one authority is able to exercise undue
control.
“The Privacy Act was created so we won’t have a single
database that can be used as a point for social control,” says Ari
Schwartz, associate director of the Center for Democracy and
Technology, a Washington policy shop. Instead, he says, the
Privacy Act attempts to build “walls that allow the right
information to go to the right people at the right time.”
Where national security or ongoing law enforcement investigations
are concerned, the right time is all the time; there is no bar to
access. Other interagency sharing theoretically takes place within
the context of “routine use.”
Trouble is, Schwartz says, “They did not have the Web or
relational databases in mind when they put together the law.”
And what was not envisioned is not covered by the Privacy Act,
which requires agencies to give public notice when personal
information is being collected or shared.
When the Clinton administration attempted to determine the methods
each agency used to comply with the law, it discovered as many
standards as there were agencies. A report never was completed,
but the Center for Democracy and Technology obtained the agency
comments under a Freedom of Information Act request.
Says Schwartz: “There is no uniform idea of what should be
reported and what shouldn’t be. The situation is very confused
right now.”
This, despite a 1988 update to the law intended to rationalize the
exchange of personal information between agencies. However, notes
privacilla.org’s Harper, who last year completed a review of the
update -- The Computer Matching and Privacy Protection Act -- many
more types of data exchange are exempt under the act than are
covered.
The tip of the information-trading iceberg
Still, in the 18 months reviewed by privacilla.org, federal
agencies filed notice 47 times in the Federal Register that they
would exchange and merge personal information from databases about
American citizens. Considering the law’s limited scope, not to
mention the general confusion concerning the Privacy Act’s
application, there seems to be validity to Harper’s claim that
the exchanges he documented are merely the “tip of an
information-trading iceberg.”
Though the Bush White House has promised to make privacy standards
uniform across the federal landscape, there are still the state
and local levels, where most recordkeeping actually takes place
and where an almost structural confusion prevails.
“There are literally hundreds of different kinds of records out
there with different standards,” Schwartz says, many of them
delineated in antiquated laws that never anticipated the digital
age.
More serious than the misclassification and underreporting of
personal information is its vulnerability. Part of this is
unavoidable, stemming from a sea change in the way records are
kept.
Before, a record might be available to the public, but if it
existed as a piece of paper tucked away in a filing cabinet in a
government annex, it was not practically accessible. The digital
age has changed all that, giving anyone with a computer and modem
access to a vast array of information, some of it sensitive. Court
records are particularly at risk, and the Administrative Office of
the U.S. Courts has taken steps to exclude certain types of data
from public filings.
Much of the poor security, however, is attributable to sheer
ineptitude.
When the FTC sought to impose privacy standards on the private
sector a couple of years ago, Armey asked the GAO to apply the
proposed standards to federal Web sites, including the FTC’s.
Of 65 government sites reviewed in July 2000 -- 32 of them
“high-impact” sites that handle most of the government’s
public traffic -- only 3% incorporated all four elements the FTC
wanted to make mandatory for private firms. Tellingly, 77% failed
to meet the security requirement.
A related and nearly simultaneous effort, a report card on the
federal government’s computer security issued by the House
Subcommittee on Government Management, Information, and
Technology, awarded the government an overall grade of D-. Seven
of the 24 agencies reviewed received Fs.
Wide open to hackers
A separate GAO audit of the IRS’ electronic filing system
found that “e-file” was wide open to hackers. However,
security of the system had improved significantly when the GAO
revisited the matter some months later.
What these investigations show, Schwartz says, is that
“government is particularly bad at doing security.” That is a
conclusion, he adds, that has serious implications for homeland
security.
And, in turn, homeland security could have serious implications
for Americans’ privacy, and not solely because tighter computer
controls may result.
The USA Patriot Act, passed in the wake of Sept. 11, makes it
easier for government officials to fling aside the veil of privacy
that protects the personal and financial lives of citizens. In
addition to making it easier for federal law enforcement to
conduct searches and tap the phones and monitor the Internet
communications of suspects, the bill also directs U.S. banks to
monitor daily financial transactions of their customers -- all
customers.
“At least since Watergate,” says Singleton, “the government,
as far as major abuses of privacy, has been fairly well behaved.
By and large Americans feel they can trust government with data.
Over time the potential for abuse adds up.”
There is no doubt that the government’s fight against terrorism
is well-intended. If a side benefit of this fight is better
security for Americans’ personal data, so much the better. No
one should mourn the passing of Bumbling Uncle, unless he’s
replaced by Big Brother.