Class 3 – April 6, 2012
Part 1: IT Policies – Privacy
Part 2: IT Policies – Privacy – Personally Identifiable Information
Privacy concerns
- National Association of State Chief Information Officers (NASCIO): Privacy is a particularly daunting challenge for state governments, because citizens have an expectation of openness and transparency. Yet, at the same time, states must foster citizens' trust by ensuring that their private information remains that way.
Privacy concerns
- Privacy issues are pervasive in e-government
- Governments gather large amounts of private data (e.g. social security information, health information, driver license)
- Data once collected can be mined (i.e. patterns or habits could be identified) — most common for security (terrorism threats)
- Reports of local governments losing data on private citizens (or unknowingly publishing the data) exist
- 104 military and government breaches in 2010 – 1.9 million personal records released.
- 2009 – 79.4 million records released!!!
Privacy concerns
- Business still accounted for most breaches:
  - Business – 42.1%
  - Medical and healthcare facilities – 24.2%
  - Federal/State agencies and military – 15.7%
  - Educational institutions – 9.8%
  - Banking industry – 8.2%
- Source – Nextgov.com at: http://www.nextgov.com/nextgov/ng_20110107_8262.php
Computer Surveillance
- Mass surveillance was once impossible due to the cost and practical impossibility of carrying it out
- The central issue of electronic surveillance is how the laws governing surveillance are used and enforced.
- Do law enforcement agencies follow the traditional model of investigation after a crime, or do they use technology for surveillance in an attempt to prevent crime?
- Traditional model:
  - Evidence of crime obtained
  - Investigation ensues
  - Warrant sought from judge for surveillance of particular individuals for good cause
Computer Surveillance
- Traditional model altered by electronic surveillance techniques.
- Lyon (2002) – “surveillance as social sorting” – online profiling, smart cards, biometrics, closed circuit television creating a new model of law enforcement.
- New model:
  - Law enforcement has no evidence of a crime but has an interest in a particular type of crime and knowledge of indicators
  - Mass surveillance looking for indicators – no warrant required
  - Social sorting (filtering and profiling) to identify specific suspects who become targets of more intensive surveillance – warrant still may not be required under Patriot Act
Computer Surveillance
- Technological Determinists – warranted surveillance replaced by mass unwarranted surveillance through the force of technology alone.
- Panopticon concept – complete compliance with rules due to total surveillance
  - Ideal prison where compliance is guaranteed by inescapable surveillance – clear view of every inmate – Jeremy Bentham and Michel Foucault
- Privacy is an issue because people have good reason to believe that data collected on them for one purpose may be appropriated and used for altogether different purposes.
Computer Surveillance
- Employees generally do not have privacy rights at work
- Agency policies clearly define the employees' rights and the lack of privacy with respect to activities conducted on agency computer systems
- Splash screens are used to remind employees at each login
Privacy Legislation
- Katz v. United States (1967)
  - Long-term surveillance was a violation of the Fourth Amendment
  - Short-term surveillance generally met the test of constitutionality if prior judicial approval was obtained
- Privacy Act, 1974 [amended: Computer Matching and Privacy Protection Act, 1988]
  - Regulates Federal agencies’ record keeping and disclosure practices.
  - Individuals can seek access to Federal agency records about themselves.
  - Stated purpose: Requires that agencies obtain information directly from the subject and that information gathered for one purpose may not be used for another purpose
  - Civil remedies for individuals whose rights may have been violated.
  - Provides that the subject may challenge the accuracy of information.
Privacy Legislation
- Privacy Act, 1974 [amended: Computer Matching and Privacy Protection Act, 1988] (continued)
  - Requires that each Federal agency publish a description of each system of records maintained by the agency that contains personal information.
  - Restricts the disclosure of personally identifiable information
  - Case of Terry Dean Rogan. Identity stolen by a state prison escapee. Arrested 5 times because his identity was associated with the criminal. Not unique: quite a few similar situations. Ultimately sued and was compensated. National Crime Information Center database updated with a field to indicate use of stolen identities to prevent future occurrences. Lesson – sometimes too little information is the problem rather than too much.
  - Some agencies are specifically prohibited from dissemination of individual-level information by law, such as IRS, Census, and Social Security. On the state level, same with DOR.
  - Exceptions for publicizing tax cheats, pedophiles, sex offenders, criminal records, etc. Some not necessarily statutory, but accepted as exceptions generally.
Privacy Legislation
- Communications Assistance for Law Enforcement Act of 1994 (CALEA)
  - Intended to preserve the ability of law enforcement to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers modify and design their equipment, facilities, and services to ensure they have the necessary surveillance capabilities.
  - Conduct lawfully-authorized electronic surveillance while preserving public safety, right to privacy, and telecom competitiveness
  - Requires telecommunications carriers to ensure:
    - Expeditious isolation and interception of communications content;
    - Expeditious isolation and access to call-identifying information;
    - Delivery of communications content and call-identifying information;
    - Unobtrusive interception and access to call-identifying information;
    - Protection of the privacy and security of communications not authorized to be intercepted.
  - Telecom carriers: Common carriers, broadband providers, and VOIP
Privacy Legislation
- Patriot Act, 2001
  - Enables governments to monitor telephone, e-mail communications, medical, financial, and other records
  - Also partially repealed laws against domestic spying and allowed government to monitor Web surfing, obtain records from ISPs, and use roving wiretaps to monitor phone calls. NOT limited to terrorism:
    - Can monitor legitimate protest groups
    - Monitor computer network traffic without court order
    - Take DNA from anyone convicted of a crime of violence (e.g. scuffling in a protest march)
    - Wiretapping anyone SUSPECTED of violating the Computer Fraud and Abuse Act
  - Authorizes “sneak and peek” search warrants for any federal crime, including misdemeanors. Officers can enter private premises without informing occupants or obtaining permission, and do not have to inform absent occupants that a search was conducted.
  - Essentially, the Patriot Act applies the lower standards of privacy under the Foreign Intelligence Surveillance Act domestically to U.S. citizens
Privacy Legislation
- Patriot Act, 2001 – continued
  - 763 sneak and peek warrants in 2008
    - 3 issued in relation to alleged terrorist offenses
    - 62% to investigate drug-trafficking offenses
Agency Data Sharing and Matching
- Some agencies are specifically prohibited from disclosing individual-level data (US Census Bureau and IRS)
- Organization for Economic Co-operation and Development Code of Information Practices
  - Collection Limitation Principle – Limits on collection of personal data; should be obtained by lawful and fair means; where possible with consent of subject.
  - Data Quality Principle – personal data should be relevant to the purpose for which it is collected, and should be accurate, complete, and kept up to date.
  - Purpose Specification Principle – Purpose of personal data collection should be specified at time of data collection and subsequent use limited to those purposes or compatible purposes as specified on each change of purpose.
  - Use Limitation Principle – Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in the Purpose Specification Principle unless consent of the subject is obtained or unless required under authority of law.
Agency Data Sharing and Matching
- Organization for Economic Co-operation and Development Code of Information Practices (continued)
  - Security Standards Principle – Personal data should be protected by reasonable security safeguards
  - Openness Principle – Policy of openness about developments, practices, and policies related to personal data. Ability to easily establish existence and nature of personal data, purpose of use, and identity and residence of individual responsible for control of the data.
  - Individual Participation Principle – Individual should be able to obtain confirmation whether or not controller has data relating to him; have the data provided to him at reasonable cost; be able to challenge any denial; and be able to challenge data related to him.
  - Accountability Principle – Data controller should be accountable for complying with above measures.
Privacy Impact Statements
- Federal agencies are required to post a privacy impact statement
- Some countries require privacy impact studies and statements in conjunction with creation of new IT projects
  - Canada is a leader in this effort
- OMB Guidelines for Privacy Impact
  - What information is to be collected?
  - Why is the information collected and who will be affected?
  - What notice of opportunities for consent is provided?
  - What security protocols are in place?
  - Does this program create a new system of records under the Privacy Act?
  - What is the intended use of the information?
Privacy Impact Statements
- OMB Guidelines for Privacy Impact (continued)
  - Will the information be retained and for what period?
  - How will the public be able to seek redress?
  - What databases will names be run against?
  - Privacy effects and mitigation measures?
- FY 2005: all federal agencies required to submit privacy assessments of major IT systems with annual business case submissions.
The National ID Controversy
- National ID cards have been suggested as a solution to better security at airports and other public facilities, reduction of voter fraud, and identity theft
- There has traditionally been resistance to the idea due to negative historical connotations associated with totalitarian regimes
- Real ID Act, 2005 [http://www.ncsl.org/standcomm/sctran/Realidsummary05.htm]
  - Uniform federal guidelines on driver license/identification (DL/ID) standards and issuance procedures
  - DL/ID standards: At a minimum, a state shall include the following: (1) person’s full legal name, (2) person’s date of birth, (3) person’s gender, (4) DL/ID number, (5) digital photograph, (6) person's address of legal residence, (7) person’s signature, (8) physical security features designed to prevent tampering, counterfeiting or duplication for fraudulent purposes, and (9) a common machine-readable technology with defined data elements
The National ID Controversy
- Real ID Act, 2005 (continued)
  - DL/ID issuance procedures: ID is issued based on: (1) A photo-identity document (except that a non-photo identity document is acceptable if it includes both the person’s full legal name and date of birth); (2) Documentation showing the person’s date of birth; (3) Proof of the person’s social security account number (SSN) or verification that the person is not eligible for an SSN; (4) Documentation showing the person’s name and address of principal residence
The National ID Controversy
- Kent and Millett (2002) list numerous policy problems associated with implementation of a national ID system
  - How intrusive will national IDs be? Just for authentication, or data retained to track transactions? Required for commercial transactions?
  - Who could use the data? Agencies? Corporations? Individuals?
  - Would it be mandatory or voluntary?
  - What rights would exist to see your data and have it corrected?
  - What penalties would exist for abuse of the system?
  - How could we prevent forgeries given current forgery capabilities (currency and passports)?
- Little evidence that national ID cards have an impact in prevention of attacks where used. Terrorists have used tourist visas (9/11) or have had legitimate ID cards (Madrid bombings).
Other Privacy Issues
- Outsourcing
  - A major source of loss of privacy comes from the commercial sector – private corporations trade SSNs, purchasing pattern information, and many other types of personal information gathered from the Internet and other sources
- Privatization
  - IT makes the commoditization of personal information relatively easy
- Private sector data mining
  - Credit card companies and other companies (e.g. Amazon) track spending behavior.
  - Rare to see cases against corporations for privacy violations.
  - Corporations do with impunity what government cannot do.
Class 3 – April 6, 2012
Part 2: IT Policies – Privacy – Personally Identifiable Information
Personally Identifiable Information
- Any information about an individual maintained by an agency including:
  - Any information that can be used to distinguish or trace an individual’s identity, e.g., name, SS number
  - Any information that is linked or linkable to an individual, e.g., medical, educational, employment info
- “Linked” information is that which is logically associated with other information about the individual
- “Linkable” information is information for which there is a possibility of logical association
Personally Identifiable Information
- Example of linked and linkable: PII exists on two databases, so someone with access to both may be able to link the data. If the secondary information is on the same system or a related system and there is no security to segregate the two databases, then they are linked. If the secondary data is remote or available in public records, or is otherwise easily obtainable, then the information is linkable.
- Source of information on PII – NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
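The linked/linkable example above in working code, added here as an illustration rather than anything from the slides or from NIST SP 800-122. A benefits table that holds no names is joined to a constructed public-record table on the two fields they share (date of birth and zip code); every record, name and value is made up for the example, and the field names are assumptions. The point for a defender is that the sensitive column becomes attributable to a named person as soon as the quasi-identifiers can be matched, which is why the slide treats an unsegregated secondary database as "linked".

```python
"""Added example (not part of the original slides): how records held in two
separate databases become "linked" through the fields they share.
Both tables and every value in them are constructed for this illustration."""
from collections import defaultdict

# Constructed internal table: enrolment in a benefits programme. On its own
# it carries no name; the "programme" column is the sensitive fact.
BENEFITS = [
    {"id": "B-1", "dob": "1971-03-09", "zip": "02138", "programme": "disability"},
    {"id": "B-2", "dob": "1985-11-21", "zip": "02139", "programme": "housing"},
    {"id": "B-3", "dob": "1985-11-21", "zip": "02140", "programme": "housing"},
]

# Constructed public-record table (think voter roll): names alongside the
# same date-of-birth and zip fields. Anyone can obtain it, so it makes
# BENEFITS "linkable" in the slide's sense.
PUBLIC = [
    {"name": "A. Example", "dob": "1971-03-09", "zip": "02138"},
    {"name": "B. Sample", "dob": "1985-11-21", "zip": "02139"},
    {"name": "C. Sample", "dob": "1985-11-21", "zip": "02139"},
    {"name": "D. Placeholder", "dob": "1990-01-01", "zip": "02140"},
]


def link(left, right, keys):
    """Join two tables on the shared quasi-identifier fields in `keys`.

    Returns {left_id: [matching right names]} for every left record that
    matches at least one right record. `keys` is a tuple of field names.
    """
    index = defaultdict(list)
    for r in right:
        index[tuple(r[k] for k in keys)].append(r["name"])
    matches = {}
    for rec in left:
        hits = index.get(tuple(rec[k] for k in keys), [])
        if hits:
            matches[rec["id"]] = hits
    return matches


def uniquely_identified(matches):
    """IDs whose quasi-identifiers point at exactly one person: these are the
    records whose sensitive field is now attributable to a named individual."""
    return sorted(i for i, names in matches.items() if len(names) == 1)


if __name__ == "__main__":
    # With date of birth and zip code shared, B-1 is pinned to one person;
    # B-2 narrows to two candidates, which is still a privacy loss.
    m = link(BENEFITS, PUBLIC, ("dob", "zip"))
    print(m)                       # {'B-1': ['A. Example'], 'B-2': ['B. Sample', 'C. Sample']}
    print(uniquely_identified(m))  # ['B-1']
    # The fewer fields the two databases share, the weaker the link.
    print(link(BENEFITS, PUBLIC, ("dob",)))
```

Run as-is to see the join; the same `link` call with a smaller `keys` tuple shows how removing a shared field from one of the databases (or generalizing it) turns a unique match into a group of candidates.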
Personally Identifiable Information
- Examples of PII Data
  - Names
  - Personal identification numbers
  - Address information
  - Telephone information
  - Personal characteristics (fingerprints, biometrics)
  - Information regarding personally owned property
  - Information that is linkable through the use of any of the above PII
Aggregating PII
- Information available from data aggregators:
  - Names (all) used and social security numbers; names of others using that social security number
  - Address summary going back for many years with demographic data for each address
  - Bankruptcy information, liens and judgements, and UCC filings
  - Phones utilized, including cell phones
  - Companies owned and associates at work
  - Driver’s license information and history
  - Possible properties owned
  - Motor vehicles registered and watercraft owned
  - FAA certifications and aircraft owned
  - Possible criminal records and sexual offenses
  - Automobile accident details
  - Professional licenses
  - Voter registration, hunting permits, concealed weapons permits
  - Possible associates
  - Possible relatives
  - Neighbors
- The better ones are not free, but do require some level of authorization to use – however, private investigators and bill collectors can get access!
- Just using free resources can result in obtaining much of the same information available through the aggregators
- Using Accurint (or similar service) and free resources multiplies data available
- Services exist that make it very simple to pull together a tremendous amount of personally linked data once sufficient information exists to identify the individual
PII Impact Levels
- Low – limited adverse effect – minor loss to individual or organization – e.g. having to change your phone number
- Moderate – serious adverse effect – significant financial loss or significant harm but not loss of life, e.g. identity theft, public humiliation
- High – severe or catastrophic adverse effect on organizational operations, assets or individuals – major financial loss; severe or catastrophic harm to individuals involving loss of life or life-threatening injuries
Factors for Determining PII Confidentiality Impact Levels
- Factors will vary by organization based on mission and nature of PII maintained
- Identifiability – how easily can PII be linked to an individual? Some data can directly identify individuals and linked data. Other data can be used to significantly narrow large datasets and make identification more likely.
- Quantities of PII – very small vs. very large datasets represent differing levels of risk. You cannot ignore privacy considerations for small data sets, but the impact level will generally be higher for datasets containing large numbers of records.
- Data Field Sensitivity – must evaluate each field separately, plus sensitivity of all fields together. SSN or financial data more sensitive than a telephone number. Data can be sensitive in ways other than intended use, e.g., mother’s maiden name can be used for authentication for password recovery
Factors for Determining PII Confidentiality Impact Levels
- Context of Use – purpose for which information is collected, stored, used, processed, disclosed, or disseminated. Examples include eligibility for benefits, tax administration, and law enforcement. Simple disclosure that information is being collected might in itself be dangerous. Consider three lists, each containing name, address and phone number. The first is subscribers to a newsletter; the second, people who have applied for retirement benefits; the third, undercover law enforcement agents. Same information, very different impact levels.
- Obligations to protect confidentiality – Obligations vary by organization based on the laws applicable to that organization’s PII activity. IRS data, for example, is subject to extremely strict confidentiality requirements.
- Access to and location of PII – How many people have access? Is information accessible using mobile devices? Is information regularly transported offsite, say on a laptop? Is information available online?
Operational Safeguards
- Policy and Procedure Creation
  - Access rules for PII within the system – just because the information exists in an agency database does not mean everyone within that agency should have access.
  - PII retention schedules and procedures – Data should not be kept indefinitely. When it has served its purpose it should be purged.
  - PII incident response and data breach notification – Data incidents represent serious problems for an agency. Response and notification planning is crucial so that any damage can be contained quickly.
Operational Safeguards
- Policy and Procedure Creation (continued)
  - Privacy in the system development life cycle process – Data obtained during the development of IT systems may be available to contractors as well as employees. Protection of data during development and data conversion activities is just as important as after the implementation, and data may be easier to steal during development.
  - Limitation of collection, disclosure, sharing and use of PII – Do not collect anything that is not specifically needed; do not disclose or share any data without proper authorization and demonstrated need.
  - Consequences for failure to follow policy – without consequences there is little to deter sloppy information protection.
Operational Safeguards
- Awareness, training, and education
  - Awareness training is designed to change behavior or reinforce PII practices. Focuses attention on protection of PII
  - Training builds knowledge and skills to enable staff to protect PII
  - Education builds a common body of knowledge covering all specialties and aspects of PII protection
Topics for PII Training
- The definition of PII
- Applicable privacy laws, regulations, and policies
- Restrictions on data collection, storage, and use of PII
- Roles and responsibilities for using and protecting PII
- Appropriate disposal of PII
- Sanctions for misuse of PII
- Recognition of a security or privacy incident involving PII
- Retention schedules for PII
- Roles and responsibilities in responding to PII-related incidents and reporting
Privacy-Specific Safeguards
- Minimizing the use, collection, and retention of PII
  - Basic privacy principle
  - What does the organization need to fulfill its mission? “Minimum necessary principle”
  - When no longer relevant – dispose of securely
- Previously discussed Privacy Impact Assessments
- De-identifying information – e.g., remove identifiers for researchers using a protected and secured algorithm that can re-link data when necessary
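One way to build the "protected and secured algorithm that can re-link data" from the last bullet, as an added example that is not from the slides or from NIST: direct identifiers are replaced by a keyed pseudonym (an HMAC over the SSN), the researcher receives only the pseudonym plus the fields they need, and a re-link table held under the same access controls as the key is the only route back to name and SSN. The records, the key and the field names are constructed for the illustration. The keyed construction matters: a plain SHA-256 of an SSN could be reversed by hashing every possible SSN, whereas the HMAC cannot be recomputed without the key.

```python
"""Added example (not from the slides): de-identification that a researcher
can work with but that a controlled key and re-link table can reverse.
Records, key and field names are all constructed for the illustration."""
import hmac
import hashlib

# Fields the researcher actually needs; everything else is withheld.
RESEARCH_FIELDS = ("age_band", "diagnosis")


def pseudonym(identifier, key):
    """Keyed pseudonym for a direct identifier.

    HMAC-SHA256 rather than a bare hash: without `key` the pseudonyms cannot
    be recomputed, so an outsider cannot test guesses against the release.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key):
    """Return (released_records, relink_table).

    released_records carries only the pseudonym plus RESEARCH_FIELDS and is
    what leaves the agency; relink_table stays behind under the same access
    controls as the key, and is the only way back to name and SSN.
    """
    released, relink_table = [], {}
    for rec in records:
        subject = pseudonym(rec["ssn"], key)
        relink_table[subject] = {"name": rec["name"], "ssn": rec["ssn"]}
        released.append({"subject": subject, **{f: rec[f] for f in RESEARCH_FIELDS}})
    return released, relink_table


def relink(subject, relink_table):
    """Recover the identity behind a pseudonym when there is an authorized
    need (e.g. a research finding that must be reported back to the person).
    Returns None for an unknown pseudonym."""
    return relink_table.get(subject)


if __name__ == "__main__":
    key = b"constructed-demo-key-store-the-real-one-in-a-kms"  # placeholder
    raw = [  # constructed records
        {"name": "A. Example", "ssn": "000-00-0001", "age_band": "40-49", "diagnosis": "asthma"},
        {"name": "B. Sample", "ssn": "000-00-0002", "age_band": "30-39", "diagnosis": "flu"},
    ]
    released, table = deidentify(raw, key)
    print(released)                               # pseudonym plus research fields only
    print(relink(released[0]["subject"], table))  # {'name': 'A. Example', 'ssn': '000-00-0001'}
```

Access to `relink` and to the key should be logged and limited to the role that is allowed to re-identify; the released list on its own satisfies the "remove identifiers for researchers" bullet, and the same key applied to a later extract yields the same pseudonyms, so longitudinal studies still work without ever handing out the SSN.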
Privacy-Specific Safeguards
- Anonymizing information – de-identified information for which no algorithm for re-identification exists. Anonymizing to ensure inability to re-identify:
  - Generalizing the information – less precise and grouped
  - Suppressing the data – deleting entire records or parts of records
  - Introduction of noise – adding small amounts of variation to the data
  - Swapping the data – exchanging certain information from one record with another, e.g. zip code fields
  - Replacing the data with an average value
- Anonymized data is very useful for systems testing and development. Randomly generated data tends not to share a realistic distribution and may not represent a proper testing of the system.
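The five anonymization operations listed above, implemented as an added example (not code from the slides) over a constructed set of six records. It goes one step beyond the slide by adding a k-anonymity check, the usual way to confirm that generalization actually stopped any record from being singled out: before generalizing, every age/zip combination is unique (k = 1); after banding ages and truncating zips, every combination is shared by three records (k = 3). The records, field names and random seed are assumptions made for the illustration.

```python
"""Added example (not from the slides): the five anonymization operations the
slide lists, plus a k-anonymity check to confirm generalization removed the
ability to single out a record. Records and seed are constructed."""
import random
from collections import Counter

# Constructed records: name is a direct identifier, age and zip are
# quasi-identifiers, income and diagnosis are the values to be protected.
RAW = [
    {"name": "A", "age": 34, "zip": "02138", "income": 52000, "dx": "flu"},
    {"name": "B", "age": 37, "zip": "02139", "income": 61000, "dx": "asthma"},
    {"name": "C", "age": 41, "zip": "02138", "income": 48000, "dx": "flu"},
    {"name": "D", "age": 45, "zip": "02141", "income": 75000, "dx": "diabetes"},
    {"name": "E", "age": 33, "zip": "02139", "income": 58000, "dx": "flu"},
    {"name": "F", "age": 48, "zip": "02140", "income": 66000, "dx": "asthma"},
]


def generalize(records, age_width=10, zip_digits=3):
    """Make quasi-identifiers less precise: age becomes a band, zip a prefix."""
    out = []
    for r in records:
        lo = (r["age"] // age_width) * age_width
        out.append({**r,
                    "age": f"{lo}-{lo + age_width - 1}",
                    "zip": r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)})
    return out


def suppress(records, fields):
    """Delete parts of records (here whole fields, e.g. the name)."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def add_noise(records, field, scale, seed=0):
    """Perturb a numeric field by a bounded random amount (seeded for replay)."""
    rng = random.Random(seed)
    return [{**r, field: r[field] + rng.uniform(-scale, scale)} for r in records]


def swap(records, field, seed=0):
    """Exchange one field's values among records; the column's distribution
    is preserved, but the value no longer belongs to its original record."""
    rng = random.Random(seed)
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def replace_with_average(records, field):
    """Replace every value of a numeric field with the column mean."""
    mean = sum(r[field] for r in records) / len(records)
    return [{**r, field: mean} for r in records]


def k_anonymity(records, quasi):
    """Smallest number of records sharing one combination of quasi-identifier
    values. k == 1 means at least one record can be singled out."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values()) if groups else 0


def anonymize(records, seed=0):
    """Pipeline: drop names, swap zips, generalize quasi-identifiers, add
    noise to income. Diagnosis is left intact as the value under study."""
    out = suppress(records, ("name",))
    out = swap(out, "zip", seed)
    out = generalize(out)
    return add_noise(out, "income", 2000, seed)


if __name__ == "__main__":
    print("k before:", k_anonymity(RAW, ("age", "zip")))             # 1
    print("k after: ", k_anonymity(anonymize(RAW), ("age", "zip")))  # 3
    for row in anonymize(RAW):
        print(row)
```

The anonymized output keeps the realistic shape the last bullet asks for (the income column still has its original spread, give or take the noise; the diagnoses are untouched), so it can stand in for production data in testing where purely random data would not.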