Class 3 – April 6, 2012 Part 1: IT Policies – Privacy


Class 3 – April 6, 2012
Part 1: IT Policies – Privacy
Part 2: IT Policies – Privacy – Personally Identifiable Information

Privacy concerns
- National Association of State Chief Information Officers (NASCIO): Privacy is a particularly daunting challenge for state governments, because citizens have an expectation of openness and transparency. Yet, at the same time, states must foster citizens' trust by ensuring that their private information remains that way.

Privacy concerns
- Privacy issues are pervasive in e-government
- Governments gather large amounts of private data (e.g. social security information, health information, driver license)
- Data once collected can be mined (i.e. patterns or habits could be identified) – most common for security (terrorism threats)
- Reports exist of local governments losing data on private citizens (or unknowingly publishing the data)
- 104 military and government breaches in 2010 – 1.9 million personal records released
- 2009 – 79.4 million records released!!!

Privacy concerns
- Business still accounted for most breaches:
  - Medical and healthcare facilities – 24.2%
  - Federal/State agencies and military – 15.7%
  - Educational institutions – 9.8%
  - Banking industry – 8.2%
- Source – Nextgov.com at: http://www.nextgov.com/nextgov/ng_20110107_8262.php

Computer Surveillance
- Mass surveillance was once impossible due to the cost and practical impossibility of carrying it out
- The central issue of electronic surveillance is how the laws governing surveillance are used and enforced. Do law enforcement agencies follow the traditional model of investigation after a crime, or do they use technology for surveillance in an attempt to prevent crime?
- Traditional model:
  - Evidence of crime obtained
  - Investigation ensues
  - Warrant sought from judge for surveillance of particular individuals for good cause

Computer Surveillance
- Traditional model altered by electronic surveillance techniques.
- Lyon (2002) – "surveillance as social sorting" – online profiling, smart cards, biometrics, closed circuit television creating a new model of law enforcement.
- New model:
  - Law enforcement has no evidence of a crime, but has an interest in a particular type of crime and knowledge of indicators
  - Mass surveillance looking for indicators – no warrant required
  - Social sorting (filtering and profiling) to identify specific suspects who become targets of more intensive surveillance – warrant still may not be required under Patriot Act

Computer Surveillance
- Technological Determinists – warranted surveillance replaced by mass unwarranted surveillance through the force of technology alone.
- Panopticon concept – complete compliance with rules due to total surveillance
  - Ideal prison where compliance is guaranteed by inescapable surveillance – clear view of every inmate – Jeremy Bentham and Michel Foucault
- Privacy is an issue because people have good reason to believe that data collected on them for one purpose may be appropriated and used for altogether different purposes.

Computer Surveillance
- Employees generally do not have privacy rights at work
- Agency policies clearly define the employees' rights and the lack of privacy with respect to activities conducted on agency computer systems
- Splash screens are used to remind employees at each login

Privacy Legislation
- Katz v. United States (1967)
  - Long-term surveillance was a violation of the Fourth Amendment
  - Short-term surveillance generally met the test of constitutionality if prior judicial approval was obtained
- Privacy Act, 1974 [amended: Computer Matching and Privacy Protection Act, 1988]
  - Regulates Federal agencies' record keeping and disclosure practices.
  - Individuals can seek access to Federal agency records about themselves.
  - Stated purpose: requires that agencies obtain information directly from the subject and that information gathered for one purpose may not be used for another purpose
  - Civil remedies for individuals whose rights may have been violated.
  - Provides that the subject may challenge the accuracy of information.

Privacy Legislation
- Privacy Act, 1974 [amended: Computer Matching and Privacy Protection Act, 1988] (continued)
  - Requires that each Federal agency publish a description of each system of records maintained by the agency that contains personal information.
  - Restricts the disclosure of personally identifiable information
- Case of Terry Dean Rogan: identity stolen by a state prison escapee. Arrested 5 times because his identity was associated with the criminal. Not unique; quite a few similar situations. Ultimately sued and was compensated. National Crime Information Center database updated with a field to indicate use of stolen identities, to prevent future occurrences.
  - Lesson – sometimes too little information is the problem rather than too much.
- Some agencies are specifically prohibited by law from disseminating individual-level information, such as IRS, Census, and Social Security. On the state level, same with DOR.
  - Exceptions for publicizing tax cheats, pedophiles, sex offenders, criminal records, etc. Some are not necessarily statutory, but are generally accepted as exceptions.

Privacy Legislation
- Communications Assistance for Law Enforcement Act of 1994 (CALEA)
  - Intended to preserve the ability of law enforcement to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers modify and design their equipment, facilities, and services to ensure they have the necessary surveillance capabilities.
  - Conduct lawfully authorized electronic surveillance while preserving public safety, right to privacy, and telecom competitiveness
  - Requires telecommunications carriers to ensure:
    - Expeditious isolation and interception of communications content;
    - Expeditious isolation and access to call-identifying information;
    - Delivery of communications content and call-identifying information;
    - Unobtrusive interception and access to call-identifying information;
    - Protection of the privacy and security of communications not authorized to be intercepted.
  - Telecom carriers: common carriers, broadband providers, and VOIP

Privacy Legislation
- Patriot Act, 2001
  - Enables governments to monitor telephone and e-mail communications, and medical, financial, and other records
  - Also partially repealed laws against domestic spying and allowed government to monitor Web surfing, obtain records from ISPs, and use roving wiretaps to monitor phone calls.
  - NOT limited to terrorism:
    - Can monitor legitimate protest groups
    - Monitor computer network traffic without court order
    - Take DNA from anyone convicted of a crime of violence (e.g. scuffling in a protest march)
    - Wiretapping anyone SUSPECTED of violating the Computer Fraud and Abuse Act
  - Authorizes "sneak and peek" search warrants for any federal crime, including misdemeanors. Officers can enter private premises without informing occupants or obtaining permission, and do not have to inform absent occupants that a search was conducted.
  - Essentially, the Patriot Act applies the lower standards of privacy of the Foreign Intelligence Surveillance Act domestically to U.S. citizens

Privacy Legislation
- Patriot Act, 2001 – continued
  - 763 sneak and peek warrants in 2008
    - 3 issued in relation to alleged terrorist offenses
    - 62% to investigate drug-trafficking offenses

Agency Data Sharing and Matching
- Some agencies are specifically prohibited from disclosing individual-level data (US Census Bureau and IRS)
- Organization for Economic Co-operation and Development Code of Information Practices
  - Collection Limitation Principle – limits on collection of personal data; should be obtained by lawful and fair means; where possible with consent of the subject.
  - Data Quality Principle – personal data should be relevant to the purpose for which it is collected, and should be accurate, complete, and kept up to date.
  - Purpose Specification Principle – the purpose of personal data collection should be specified at the time of collection, and subsequent use limited to those purposes or compatible purposes as specified on each change of purpose.
  - Use Limitation Principle – personal data should not be disclosed, made available or otherwise used for purposes other than those specified in the Purpose Specification Principle unless consent of the subject is obtained or unless required under authority of law.

Agency Data Sharing and Matching
- Organization for Economic Co-operation and Development Code of Information Practices (continued)
  - Security Standards Principle – personal data should be protected by reasonable security safeguards
  - Openness Principle – policy of openness about developments, practices, and policies related to personal data. Ability to easily establish the existence and nature of personal data, the purpose of use, and the identity and residence of the individual responsible for control of the data.
  - Individual Participation Principle – the individual should be able to obtain confirmation of whether or not a controller has data relating to him; have the data provided to him at reasonable cost; be able to challenge any denial; and be able to challenge data related to him.
  - Accountability Principle – the data controller should be accountable for complying with the above measures.

Privacy Impact Statements
- Federal agencies are required to post a privacy impact statement
- Some countries require privacy impact studies and statements in conjunction with creation of new IT projects
  - Canada is a leader in this effort
- OMB Guidelines for Privacy Impact
  - What information is to be collected?
  - Why is the information collected and who will be affected?
  - What notice of opportunities for consent is provided?
  - What security protocols are in place?
  - Does this program create a new system of records under the Privacy Act?
  - What is the intended use of the information?

Privacy Impact Statements
- OMB Guidelines for Privacy Impact (continued)
  - Will the information be retained and for what period?
  - How will the public be able to seek redress?
  - What databases will names be run against?
  - Privacy effects and mitigation measures?
- FY 2005: all federal agencies required to submit privacy assessments of major IT systems with annual business case submissions.

The National ID Controversy
- National ID cards have been suggested as a solution to better security at airports and other public facilities, reduction of voter fraud, and identity theft
- There has traditionally been resistance to the idea due to negative historical connotations associated with totalitarian regimes
- Real ID Act, 2005 [http://www.ncsl.org/standcomm/sctran/Realidsummary05.htm]
  - Uniform federal guidelines on driver license/identification (DL/ID) standards and issuance procedures
  - DL/ID standards: at a minimum, a state shall include the following: (1) person's full legal name, (2) person's date of birth, (3) person's gender, (4) DL/ID number, (5) digital photograph, (6) person's address of legal residence, (7) person's signature, (8) physical security features designed to prevent tampering, counterfeiting or duplication for fraudulent purposes, and (9) a common machine-readable technology with defined data elements

The National ID Controversy
- Real ID Act, 2005 (continued)
  - DL/ID issuance procedures: ID is issued based on:
    - (1) A photo-identity document (except that a non-photo identity document is acceptable if it includes both the person's full legal name and date of birth);
    - (2) Documentation showing the person's date of birth;
    - (3) Proof of the person's social security account number (SSN) or verification that the person is not eligible for an SSN;
    - (4) Documentation showing the person's name and address of principal residence

The National ID Controversy
- Kent and Millett (2002) list numerous policy problems associated with implementation of a national ID system:
  - How intrusive will national IDs be? Just for authentication, or data retained to track transactions? Required for commercial transactions?
  - Who could use the data? Agencies? Corporations? Individuals?
  - Would it be mandatory or voluntary?
  - What rights would exist to see your data and have it corrected?
  - What penalties would exist for abuse of the system?
  - How could we prevent forgeries, given current forgery capabilities (currency and passports)?
- Little evidence that national ID cards have an impact in prevention of attacks where used. Terrorists have used tourist visas (9/11) or have had legitimate ID cards (Madrid bombings).

Other Privacy Issues
- Outsourcing
- Privatization
  - A major source of loss of privacy is the commercial sector – private corporations trade SSNs, purchasing pattern information, and many other types of personal information gathered from the Internet and other sources
  - IT makes the commoditization of personal information relatively easy
- Private sector data mining
  - Credit card companies and other companies (e.g. Amazon) track spending behavior.
  - Rare to see cases against corporations for privacy violations. Corporations do with impunity what government cannot do.

Part 2: IT Policies – Privacy – Personally Identifiable Information

Personally Identifiable Information
- Any information about an individual maintained by an agency, including:
  - Any information that can be used to distinguish or trace an individual's identity, e.g., name, SS number
  - Any information that is linked or linkable to an individual, e.g., medical, educational, employment info
- "Linked" information is that which is logically associated with other information about the individual
- "Linkable" information is information for which there is a possibility of logical association

Personally Identifiable Information
- Example of linked and linkable: PII exists on two databases, so someone with access to both may be able to link the data.
  - If the secondary information is on the same system or a related system, and there is no security control segregating the two databases, then the data are linked.
  - If the secondary data is remote or available in public records, or is otherwise easily obtainable, then the information is linkable.
- Source of information on PII – NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Personally Identifiable Information
- Examples of PII data:
  - Names
  - Personal identification numbers
  - Address information
  - Telephone information
  - Personal characteristics (fingerprints, biometrics)
  - Information regarding personally owned property
  - Information that is linkable through the use of any of the above PII
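The distinction the slides draw between direct identifiers and merely linkable attributes is what a PII scanner has to encode before an agency can inventory where PII lives. The following is an added example written for these notes, not code from the lecture or from NIST SP 800-122: a small pattern-based scanner that classifies free-text fields in constructed sample records. The SSN, phone and e-mail patterns are ordinary regular expressions; the license-plate format is an assumed placeholder, not any real state's. Names are not detected, since that needs a dictionary or named-entity model rather than a pattern.

```python
import re

# Constructed sample records with fictitious values; not data from the lecture
# or from any real system.
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Applicant Jane Q. Sample, SSN 123-45-6789, call (555) 010-2222"},
    {"id": 2, "notes": "Ticket closed; caller left no contact details"},
    {"id": 3, "notes": "Owner of a 2009 sedan, plate XYZ-1234, parked in lot B"},
    {"id": 4, "notes": "Follow-up sent to jqs@example.org on 2011-03-04"},
]

# Direct identifiers: values that on their own distinguish or trace one individual.
DIRECT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Linkable attributes: not identifying alone, but joinable to a registry
# (the slide's "information regarding personally owned property").
# Assumed placeholder plate format, not a real state's.
LINKABLE_PATTERNS = {
    "license_plate": re.compile(r"\b[A-Z]{3}-\d{4}\b"),
}


def scan_text(text):
    """Report which PII categories appear in a piece of text.

    Only category labels and match counts are returned, never the matched
    values, so the scanner's own output does not become a second PII store.
    """
    found = {"direct": {}, "linkable": {}}
    for label, pattern in DIRECT_PATTERNS.items():
        n = len(pattern.findall(text))
        if n:
            found["direct"][label] = n
    for label, pattern in LINKABLE_PATTERNS.items():
        n = len(pattern.findall(text))
        if n:
            found["linkable"][label] = n
    return found


def classify_record(record, field="notes"):
    """'direct' if the field holds a direct identifier, 'linkable' if it only
    holds linkable attributes, 'none' otherwise."""
    found = scan_text(record[field])
    if found["direct"]:
        return "direct"
    if found["linkable"]:
        return "linkable"
    return "none"


def scan_records(records, field="notes"):
    """Map record id -> classification for a batch of records."""
    return {r["id"]: classify_record(r, field) for r in records}


if __name__ == "__main__":
    for rid, cls in scan_records(SAMPLE_RECORDS).items():
        print(rid, cls)
```

Reporting only categories and counts is deliberate: a scan report that quotes the matched SSNs would itself be a new PII holding subject to the same access rules, retention schedule and breach-notification duty discussed later in these notes.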

Aggregating PII
- Information available from data aggregators:
  - Names (all) used and social security numbers; names of others using that social security number
  - Address summary going back for many years, with demographic data for each address
  - Bankruptcy information, liens and judgements, and UCC filings
  - Phones utilized, including cell phones
  - Companies owned and associates at work
  - Driver's license information and history
  - Possible properties owned
  - Motor vehicles registered and watercraft owned
  - FAA certifications and aircraft owned
  - Possible criminal records and sexual offenses
  - Automobile accident details
  - Professional licenses
  - Voter registration, hunting permits, concealed weapons permits
  - Possible associates
  - Possible relatives
  - Neighbors
- Services exist that make it very simple to pull together a tremendous amount of personally linked data once sufficient information exists to identify the individual
- The better ones are not free, and do require some level of authorization to use – however, private investigators and bill collectors can get access!
- Just using free resources can result in obtaining much of the same information available through the aggregators
- Using Accurint (or a similar service) together with free resources multiplies the data available

PII Impact Levels
- Low – limited adverse effect – minor loss to individual or organization, e.g. having to change your phone number
- Moderate – serious adverse effect – significant financial loss or significant harm but not loss of life, e.g. identity theft, public humiliation
- High – severe or catastrophic adverse effect on organizational operations, assets or individuals – major financial loss; severe or catastrophic harm to individuals involving loss of life or life-threatening injuries

Factors for Determining PII Confidentiality Impact Levels
- Factors will vary by organization based on mission and the nature of the PII maintained
- Identifiability – how easily can PII be linked to an individual? Some data can directly identify individuals, as can linked data. Other data can be used to significantly narrow large datasets and make identification more likely.
- Quantity of PII – very small vs. very large datasets represent differing levels of risk. You cannot ignore privacy considerations for small data sets, but the impact level will generally be higher for datasets containing large numbers of records.
- Data Field Sensitivity – must evaluate each field separately, plus the sensitivity of all fields together. SSN or financial data are more sensitive than a telephone number. Data can be sensitive in ways other than the intended use, e.g., mother's maiden name can be used for authentication in password recovery

Factors for Determining PII Confidentiality Impact Levels
- Context of Use – the purpose for which information is collected, stored, used, processed, disclosed, or disseminated. Examples include eligibility for benefits, tax administration, and law enforcement. Simple disclosure that information is being collected might in itself be dangerous. Consider three lists, each containing name, address and phone number. The first is subscribers to a newsletter; the second, people who have applied for retirement benefits; the third, undercover law enforcement agents. Same information, very different impact levels.
- Obligations to protect confidentiality – obligations vary by organization based on the laws applicable to that organization's PII activity. IRS data, for example, is subject to extremely strict confidentiality requirements.
- Access to and location of PII – how many people have access? Is information accessible using mobile devices? Is information regularly transported offsite, say on a laptop? Is information available online?
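To make the two factor slides concrete, here is an added worked example (written for these notes; NIST SP 800-122 names the factors but prescribes no formula, so every weight, threshold and field score below is an illustrative assumption, not NIST's method or the lecturer's). It scores a PII holding on identifiability, quantity, field sensitivity, context of use, legal obligations and exposure of access, then maps the score onto the slide's Low / Moderate / High scale. The slide's three lists with identical fields (name, address, phone) come out Low, Moderate and High purely because of context, and the same small SSN file moves from Moderate to High once it travels offsite on a laptop.

```python
from dataclasses import dataclass

# Assumed per-field sensitivity scale, 1 (low) to 3 (high). Illustrative only.
FIELD_SENSITIVITY = {
    "name": 1, "address": 1, "phone": 1, "email": 1,
    "dob": 2, "mothers_maiden_name": 2,   # usable to pass password-recovery checks
    "ssn": 3, "account_number": 3, "medical": 3,
}

# Harm a disclosure would cause in this context, mirroring the slide's
# Low ("minor"), Moderate ("serious") and High ("severe") descriptors.
CONTEXT_HARM = {"minor": 0, "serious": 1, "severe": 3}


@dataclass
class PiiHolding:
    name: str
    fields: tuple
    record_count: int
    context_harm: str                      # "minor" | "serious" | "severe"
    identifiability: str = "direct"        # "direct" | "narrowing"
    strict_legal_obligation: bool = False  # e.g. IRS-style statutory confidentiality
    exposed_access: bool = False           # mobile devices, laptops offsite, online access


def impact_score(h):
    """Sum the factor contributions; a higher score means greater confidentiality impact."""
    if not h.fields:
        return 0
    sens = [FIELD_SENSITIVITY.get(f, 1) for f in h.fields]
    score = max(sens)                 # most sensitive single field
    if sum(sens) >= 5:                # fields in combination are worse than any one alone
        score += 1
    if h.identifiability == "direct":
        score += 1
    if h.record_count >= 10_000:      # assumed threshold for a "large" dataset
        score += 1
    score += CONTEXT_HARM[h.context_harm]
    if h.strict_legal_obligation:
        score += 1
    if h.exposed_access:
        score += 1
    return score


def impact_level(h):
    """Map the score onto the slide's Low / Moderate / High scale.

    Life-threatening context is High whatever the other factors say, matching
    the slide's definition of the High level.
    """
    if h.context_harm == "severe":
        return "high"
    s = impact_score(h)
    if s <= 2:
        return "low"
    if s <= 6:
        return "moderate"
    return "high"


def assess_all(holdings):
    return {h.name: impact_level(h) for h in holdings}


# The slide's three lists: identical fields and size, different context of use.
CONTACT = ("name", "address", "phone")
THREE_LISTS = [
    PiiHolding("newsletter subscribers", CONTACT, 800, "minor"),
    PiiHolding("retirement benefit applicants", CONTACT, 800, "serious"),
    PiiHolding("undercover law enforcement agents", CONTACT, 800, "severe"),
]

if __name__ == "__main__":
    for name, level in assess_all(THREE_LISTS).items():
        print(f"{name}: {level}")
```

The value of writing the assessment down as code is less the numbers than the audit trail: each factor the slides list becomes an explicit input that the system owner has to supply and a reviewer can dispute, instead of an impact level asserted in a memo.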

Operational Safeguards
- Policy and Procedure Creation
  - Access rules for PII within the system – just because the information exists in an agency database does not mean everyone within that agency should have access.
  - PII retention schedules and procedures – data should not be kept indefinitely. When it has served its purpose it should be purged.
  - PII incident response and data breach notification – data incidents represent serious problems for an agency. Response and notification planning is crucial so that any damage can be contained quickly.

Operational Safeguards
- Policy and Procedure Creation (continued)
  - Privacy in the system development life cycle process – data obtained during the development of IT systems may be available to contractors as well as employees. Protection of data during development and data conversion activities is just as important as after implementation, and data may be easier to steal during development.
  - Limitation of collection, disclosure, sharing and use of PII – do not collect anything that is not specifically needed; do not disclose or share any data without proper authorization and demonstrated need.
  - Consequences for failure to follow policy – without consequences there is little to deter sloppy information protection.

Operational Safeguards
- Awareness, training, and education
  - Awareness training is designed to change behavior or reinforce PII practices; it focuses attention on protection of PII
  - Training builds knowledge and skills to enable staff to protect PII
  - Education builds a common body of knowledge covering all specialties and aspects of PII protection

Topics for PII Training
- The definition of PII
- Applicable privacy laws, regulations, and policies
- Restrictions on data collection, storage, and use of PII
- Roles and responsibilities for using and protecting PII
- Appropriate disposal of PII
- Sanctions for misuse of PII
- Recognition of a security or privacy incident involving PII
- Retention schedules for PII
- Roles and responsibilities in responding to PII-related incidents and reporting

Privacy-Specific Safeguards
- Minimizing the use, collection, and retention of PII
  - Basic privacy principle: what does the organization need to fulfill its mission? "Minimum necessary principle"
  - When no longer relevant – dispose of securely
- Privacy Impact Assessments (previously discussed)
- De-identifying information – e.g., remove identifiers for researchers, using a protected and secured algorithm that can re-link the data when necessary

Privacy-Specific Safeguards
- Anonymizing information – de-identified information for which no algorithm for re-identification exists. Anonymizing to ensure inability to re-identify:
  - Generalizing the information – less precise and grouped
  - Suppressing the data – deleting entire records or parts of records
  - Introduction of noise – adding small amounts of variation to the data
  - Swapping the data – exchanging certain information from one record with another, e.g. zip code fields
  - Replacing the data with an average value
- Anonymized data is very useful for systems testing and development. Randomly generated data tends not to share a realistic distribution and may not represent a proper test of the system.
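The last two slides name de-identification (re-linkable under a protected algorithm) and the five anonymization techniques without showing them, and the earlier linked/linkable slide explains why plain removal of names is not enough. The following added example, written for these notes and not taken from the lecture or from NIST, implements both on constructed records. For the "protected and secured algorithm that can re-link data", it substitutes a keyed HMAC-SHA256 pseudonym over the SSN (an assumption about technique: the slide does not say which algorithm); the custodian who holds the key can recompute the pseudonym from a known SSN, and nobody else can. The anonymization functions implement generalization, suppression, noise, swapping and averaging, and a k-anonymity check over the quasi-identifiers (ZIP and age) shows that the raw records are unique (k = 1, so linkable to a voter roll or similar) while the generalized ones are not (k = 3).

```python
import hashlib
import hmac
import random
import statistics
from collections import Counter

# Constructed sample records with fictitious people; not data from the lecture.
RECORDS = [
    {"ssn": "123-45-6789", "name": "A. Sample", "zip": "02139", "age": 34, "income": 52000},
    {"ssn": "987-65-4321", "name": "B. Sample", "zip": "02138", "age": 37, "income": 61000},
    {"ssn": "555-12-3456", "name": "C. Sample", "zip": "02134", "age": 31, "income": 48000},
    {"ssn": "444-98-7654", "name": "D. Sample", "zip": "10001", "age": 58, "income": 90000},
    {"ssn": "333-22-1111", "name": "E. Sample", "zip": "10002", "age": 52, "income": 85000},
    {"ssn": "222-33-4444", "name": "F. Sample", "zip": "10003", "age": 55, "income": 88000},
]
DIRECT_IDENTIFIERS = ("ssn", "name")
QUASI_IDENTIFIERS = ("zip", "age")   # not identifying alone, but linkable in combination


def _pseudonym(key, ssn):
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def de_identify(records, key):
    """De-identification: replace direct identifiers with a keyed pseudonym.
    The key stays with the data custodian; researchers receive only the tokens."""
    return [{"pid": _pseudonym(key, r["ssn"]),
             **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}}
            for r in records]


def relink(pseudonymous, key, ssn):
    """Re-link a known SSN to its de-identified record; only works with the right key."""
    token = _pseudonym(key, ssn)
    return next((r for r in pseudonymous if r["pid"] == token), None)


def generalize(record):
    """Generalization: 3-digit ZIP prefix and 10-year age band."""
    decade = record["age"] // 10 * 10
    return {**record, "zip": record["zip"][:3] + "**", "age": f"{decade}-{decade + 9}"}


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing the same quasi-identifier values; k=1 means
    some record is unique on those fields and therefore linkable to outside data."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values())


def suppress(records, quasi=QUASI_IDENTIFIERS, k=2):
    """Suppression: drop whole records whose quasi-identifier combination is rarer than k."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return [r for r in records if counts[tuple(r[q] for q in quasi)] >= k]


def add_noise(records, field, spread, rng=None):
    """Noise: perturb a numeric field by a small random amount within +/- spread."""
    rng = rng or random.Random()
    return [{**r, field: r[field] + rng.randint(-spread, spread)} for r in records]


def swap(records, field, rng=None):
    """Swapping: permute one field across records; values stay real but detached."""
    rng = rng or random.Random()
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def average_field(records, field):
    """Averaging: replace every value of a field with the mean over the records."""
    mean = statistics.mean(r[field] for r in records)
    return [{**r, field: mean} for r in records]


def anonymize(records):
    """Anonymization: drop direct identifiers outright (no key, no way back), then generalize."""
    return [generalize({k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS})
            for r in records]


if __name__ == "__main__":
    key = b"assumed-demo-key-held-by-the-data-custodian"   # placeholder, not a real secret
    pseudo = de_identify(RECORDS, key)
    print("re-linked:", relink(pseudo, key, "987-65-4321"))
    print("k raw =", k_anonymity(RECORDS), " k anonymized =", k_anonymity(anonymize(RECORDS)))
```

Two points the code makes that the slide only implies: de-identified and anonymized are different states, because the pseudonymized table is still re-linkable by anyone who obtains the key, so the key itself is PII-grade material under the access and retention rules above; and removing names does not make the remaining columns safe, since the k-anonymity check over ZIP and age is what tells you whether the release is still linkable.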