Class 3 – April 6, 2012 Part 1: IT Policies – Privacy Part 2: IT Policies – Privacy – Personally Identifiable Information


What is E-Government?

Class 3, April 6, 2012
Part 1: IT Policies – Privacy
Part 2: IT Policies – Privacy – Personally Identifiable Information

Privacy concerns

National Association of State Chief Information Officers (NASCIO): "Privacy is a particularly daunting challenge for state governments, because citizens have an expectation of openness and transparency. Yet, at the same time, states must foster citizens' trust by ensuring that their private information remains that way."

  • Privacy issues are pervasive in e-government.
  • Governments gather large amounts of private data (e.g. Social Security information, health information, driver license records).
  • Data, once collected, can be mined (i.e. patterns or habits can be identified), most commonly for security purposes (terrorism threats).
  • Reports exist of local governments losing data on private citizens (or unknowingly publishing it).
  • 104 military and government breaches in 2010, with 1.9 million personal records released; in 2009, 79.4 million records were released!!!

Business still accounted for most breaches:
  • Business: 42.1%
  • Medical and healthcare facilities: 24.2%
  • Federal/State agencies and military: 15.7%
  • Educational institutions: 9.8%
  • Banking industry: 8.2%

Source: Nextgov.com at http://www.nextgov.com/nextgov/ng_20110107_8262.php

Computer Surveillance

  • Mass surveillance was once impossible due to the cost and practical impossibility of carrying it out.
  • The central issue of electronic surveillance is how the laws governing surveillance are used and enforced. Do law enforcement agencies follow the traditional model of investigation after a crime, or do they use technology for surveillance in an attempt to prevent crime?

Traditional model:
  • Evidence of a crime is obtained
  • Investigation ensues
  • A warrant is sought from a judge for surveillance of particular individuals, for good cause

The traditional model is altered by electronic surveillance techniques. Lyon (2002): surveillance as social sorting; online profiling, smart cards, biometrics and closed-circuit television create a new model of law enforcement.

New model:
  • Law enforcement has no evidence of a crime, but has an interest in a particular type of crime and knowledge of its indicators
  • Mass surveillance looking for indicators; no warrant required
  • Social sorting (filtering and profiling) to identify specific suspects, who become targets of more intensive surveillance; a warrant still may not be required under the Patriot Act

  • Technological determinists: warranted surveillance is replaced by mass unwarranted surveillance through the force of technology alone.
  • Panopticon concept: complete compliance with rules due to total surveillance. The ideal prison, where compliance is guaranteed by inescapable surveillance and a clear view of every inmate (Jeremy Bentham and Michel Foucault).
  • Privacy is an issue because people have good reason to believe that data collected on them for one purpose may be appropriated and used for altogether different purposes.
  • Employees generally do not have privacy rights at work.
  • Agency policies clearly define employees' rights and the lack of privacy with respect to activities conducted on agency computer systems.
  • Splash screens are used to remind employees at each login.

Privacy Legislation

Katz v. United States (1967)
  • Long-term surveillance was a violation of the Fourth Amendment.
  • Short-term surveillance generally met the test of constitutionality if prior judicial approval was obtained.

Privacy Act, 1974 [amended: Computer Matching and Privacy Protection Act, 1988]
  • Regulates Federal agencies' record keeping and disclosure practices. Individuals can seek access to Federal agency records about themselves.
  • Stated purpose: requires that agencies obtain information directly from the subject, and that information gathered for one purpose may not be used for another purpose.
  • Civil remedies for individuals whose rights may have been violated.
  • Provides that the subject may challenge the accuracy of information.
  • Requires that each Federal agency publish a description of each system of records maintained by the agency that contains personal information.
  • Restricts the disclosure of personally identifiable information.

Case of Terry Dean Rogan: identity stolen by a state prison escapee. Arrested five times because his identity was associated with the criminal. Not unique; quite a few similar situations exist. Ultimately he sued and was compensated. The National Crime Information Center database was updated with a field to indicate use of stolen identities, to prevent future occurrences. Lesson: sometimes too little information is the problem rather than too much.

Some agencies are specifically prohibited by law from disseminating individual-level information, such as the IRS, Census, and Social Security. At the state level, the same applies to the DOR. Exceptions exist for publicizing tax cheats, pedophiles, sex offenders, criminal records, etc. Some are not necessarily statutory, but are generally accepted as exceptions.

Communications Assistance for Law Enforcement Act of 1994 (CALEA)
  • Intended to preserve the ability of law enforcement to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers modify and design their equipment, facilities, and services to ensure they have the necessary surveillance capabilities.
  • Conduct lawfully-authorized electronic surveillance while preserving public safety, the right to privacy, and telecom competitiveness.
  • Requires telecommunications carriers to ensure:
      • Expeditious isolation and interception of communications content;
      • Expeditious isolation and access to call-identifying information;
      • Delivery of communications content and call-identifying information;
      • Unobtrusive interception and access to call-identifying information;
      • Protection of the privacy and security of communications not authorized to be intercepted.
  • Telecom carriers: common carriers, broadband providers, and VoIP.

Patriot Act, 2001
  • Enables governments to monitor telephone and e-mail communications, and medical, financial, and other records.
  • Also partially repealed laws against domestic spying and allowed the government to monitor Web surfing, obtain records from ISPs, and use roving wiretaps to monitor phone calls.
  • NOT limited to terrorism:
      • Can monitor legitimate protest groups
      • Monitor computer network traffic without a court order
      • Take DNA from anyone convicted of a crime of violence (e.g. scuffling in a protest march)
      • Wiretap anyone SUSPECTED of violating the Computer Fraud and Abuse Act
  • Authorizes "sneak and peek" search warrants for any federal crime, including misdemeanors. Officers can enter private premises without informing occupants or obtaining permission, and do not have to inform absent occupants that a search was conducted.
  • Essentially, the Patriot Act applies the lower privacy standards of the Foreign Intelligence Surveillance Act domestically, to U.S. citizens.
  • 763 sneak and peek warrants in 2008: 3 were issued in relation to alleged terrorist offenses; 62% were used to investigate drug-trafficking offenses.

Agency Data Sharing and Matching

Some agencies are specifically prohibited from disclosing individual-level data (US Census Bureau and IRS).

Organization for Economic Co-operation and Development Code of Information Practices:
  • Collection Limitation Principle: limits on the collection of personal data; data should be obtained by lawful and fair means and, where possible, with the consent of the subject.
  • Data Quality Principle: personal data should be relevant to the purpose for which it is collected, and should be accurate, complete, and kept up to date.
  • Purpose Specification Principle: the purpose of personal data collection should be specified at the time of collection, and subsequent use limited to those purposes or to compatible purposes as specified on each change of purpose.
  • Use Limitation Principle: personal data should not be disclosed, made available or otherwise used for purposes other than those specified under the Purpose Specification Principle, unless the consent of the subject is obtained or unless required under authority of law.
  • Security Standards Principle: personal data should be protected by reasonable security safeguards.
  • Openness Principle: a policy of openness about developments, practices, and policies related to personal data. It should be easy to establish the existence and nature of personal data, the purpose of its use, and the identity and residence of the individual responsible for control of the data.
  • Individual Participation Principle: an individual should be able to obtain confirmation of whether or not a controller has data relating to him; have the data provided to him at reasonable cost; be able to challenge any denial; and be able to challenge data related to him.
  • Accountability Principle: the data controller should be accountable for complying with the above measures.

Privacy Impact Statements
  • Federal agencies are required to post a privacy impact statement.
  • Some countries require privacy impact studies and statements in conjunction with the creation of new IT projects. Canada is a leader in this effort.

OMB Guidelines for Privacy Impact:
  • What information is to be collected?
  • Why is the information collected, and who will be affected?
  • What notice of opportunities for consent is provided?
  • What security protocols are in place?
  • Does this program create a new system of records under the Privacy Act?
  • What is the intended use of the information?
  • Will the information be retained, and for what period?
  • How will the public be able to seek redress?
  • What databases will names be run against?
  • What are the privacy effects and mitigation measures?

From FY 2005, all federal agencies were required to submit privacy assessments of major IT systems with their annual business case submissions.

The National ID Controversy
  • National ID cards have been suggested as a solution for better security at airports and other public facilities, reduction of voter fraud, and identity theft.
  • There has traditionally been resistance to the idea due to negative historical connotations associated with totalitarian regimes.

Real ID Act, 2005 [http://www.ncsl.org/standcomm/sctran/Realidsummary05.htm]
  • Uniform federal guidelines on driver license/identification (DL/ID) standards and issuance procedures.
  • DL/ID standards: at a minimum, a state shall include the following: (1) the person's full legal name, (2) the person's date of birth, (3) the person's gender, (4) the DL/ID number, (5) a digital photograph, (6) the person's address of legal residence, (7) the person's signature, (8) physical security features designed to prevent tampering, counterfeiting or duplication for fraudulent purposes, and (9) a common machine-readable technology with defined data elements.
  • DL/ID issuance procedures: the ID is issued based on: (1) a photo-identity document (except that a non-photo identity document is acceptable if it includes both the person's full legal name and date of birth); (2) documentation showing the person's date of birth; (3) proof of the person's Social Security account number (SSN) or verification that the person is not eligible for an SSN; (4) documentation showing the person's name and address of principal residence.

Kent and Millett (2002) list numerous policy problems associated with the implementation of a national ID system:
  • How intrusive will national IDs be? Just for authentication, or with data retained to track transactions? Required for commercial transactions?
  • Who could use the data? Agencies? Corporations? Individuals?
  • Would it be mandatory or voluntary?
  • What rights would exist to see your data and have it corrected?
  • What penalties would exist for abuse of the system?
  • How could we prevent forgeries, given current forgery capabilities (currency and passports)?
  • There is little evidence that national ID cards have an impact on the prevention of attacks where used. Terrorists have used tourist visas (9/11) or have held legitimate ID cards (Madrid bombings).

Other Privacy Issues
  • Outsourcing: a major source of loss of privacy comes from the commercial sector; private corporations trade SSNs, purchasing pattern information, and many other types of personal information gathered from the Internet and other sources.
  • Privatization: IT makes the commoditization of personal information relatively easy.
  • Private sector data mining: credit card companies and other companies (e.g. Amazon) track spending behavior. It is rare to see cases against corporations for privacy violations.
Corporations do with impunity what government cannot do.

Class 3, April 6, 2012
Part 2: IT Policies – Privacy – Personally Identifiable Information

Personally Identifiable Information

Any information about an individual maintained by an agency, including:
  • Any information that can be used to distinguish or trace an individual's identity, e.g., name, Social Security number
  • Any information that is linked or linkable to an individual, e.g., medical, educational, employment information
  • Linked information is information that is logically associated with other information about the individual
  • Linkable information is information for which there is a possibility of logical association

Example of linked and linkable: PII exists in two databases, so someone with access to both may be able to link the data. If the secondary information is on the same system or a related system, and there is no security control to segregate the two databases, then the information is linked. If the secondary data is remote, available in public records, or otherwise easily obtainable, then the information is linkable.

Source of information on PII: NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

Examples of PII data:
  • Names
  • Personal identification numbers
  • Address information
  • Telephone information
  • Personal characteristics (fingerprints, biometrics)
  • Information regarding personally owned property
  • Information that is linkable through the use of any of the above PII

Aggregating PII
  • The better aggregators are not free, and do require some level of authorization to use; however, private investigators and bill collectors can get access!
  • Just using free resources can result in obtaining much of the same information available through the aggregators.
  • Using Accurint (or a similar service) together with free resources multiplies the data available.

Information available from data aggregators:
  • Names (all) used and Social Security numbers; names of others using that Social Security number
  • Address summary going back many years, with demographic data for each address
  • Bankruptcy information, liens and judgments, and UCC filings
  • Phones utilized, including cell phones
  • Companies owned and associates at work
  • Driver's license information and history
  • Possible properties owned
  • Motor vehicles registered and watercraft owned
  • FAA certifications and aircraft owned
  • Possible criminal records and sexual offenses
  • Automobile accident details
  • Professional licenses
  • Voter registration, hunting permits, concealed weapons permits
  • Possible associates
  • Possible relatives
  • Neighbors

Services exist that make it very simple to pull together a tremendous amount of personally linked data once sufficient information exists to identify the individual.

PII Impact Levels
  • Low: limited adverse effect; minor loss to the individual or organization, e.g. having to change your phone number.
  • Moderate: serious adverse effect; significant financial loss or significant harm, but not loss of life. Identity theft, public humiliation.
  • High: severe or catastrophic adverse effect on organizational operations, assets, or individuals; major financial loss; severe or catastrophic harm to individuals involving loss of life or life-threatening injuries.

Factors for Determining PII Confidentiality Impact Levels

Factors will vary by organization based on its mission and the nature of the PII maintained.
  • Identifiability: how easily can the PII be linked to an individual? Some data directly identifies individuals, as does linked data. Other data can be used to significantly narrow large datasets and make identification more likely.
  • Quantities of PII: very small vs. very large datasets represent differing levels of risk. You cannot ignore privacy considerations for small data sets, but the impact level will generally be higher for datasets containing large numbers of records.
  • Data Field Sensitivity: each field must be evaluated separately, plus the sensitivity of all fields together. An SSN or financial data is more sensitive than a telephone number.
    Data can be sensitive in ways other than its intended use, e.g., a mother's maiden name can be used for authentication in password recovery.
  • Context of Use: the purpose for which information is collected, stored, used, processed, disclosed, or disseminated. Examples include eligibility for benefits, tax administration, and law enforcement. Simple disclosure that information is being collected might in itself be dangerous. Consider three lists, each containing name, address and phone number. The first is subscribers to a newsletter; the second, people who have applied for retirement benefits; the third, undercover law enforcement agents. Same information, very different impact levels.
  • Obligations to protect confidentiality: obligations vary by organization based on the laws applicable to that organization's PII activity. IRS data, for example, is subject to extremely strict confidentiality requirements.
  • Access to and location of PII: how many people have access? Is the information accessible using mobile devices? Is it regularly transported offsite, say on a laptop? Is it available online?

Operational Safeguards

Policy and Procedure Creation
  • Access rules for PII within the system: just because the information exists in an agency database does not mean everyone within that agency should have access.
  • PII retention schedules and procedures: data should not be kept indefinitely. When it has served its purpose it should be purged.
  • PII incident response and data breach notification: data incidents represent serious problems for an agency. Response and notification planning is crucial so that any damage can be contained quickly.
  • Privacy in the system development life cycle process: data obtained during the development of IT systems may be available to contractors as well as employees. Protection of data during development and data conversion activities is just as important as after implementation, and data may be easier to steal during development.
  • Limitation of collection, disclosure, sharing and use of PII: do not collect anything that is not specifically needed; do not disclose or share any data without proper authorization and demonstrated need.
  • Consequences for failure to follow policy: without consequences there is little to deter sloppy information protection.
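The access rules and retention schedule above, together with the OECD Purpose Specification and Use Limitation principles from the data-sharing section, as an added worked example in Python. This is not code from the lecture, from NIST SP 800-122 or from the OECD; the roles, purposes, field allowlists, retention periods and sample records are all constructed for illustration. The point it demonstrates is that a read is granted only for the purpose the record was collected for, that even then only the allowlisted fields are returned, and that a retention sweep purges records whose purpose has expired, with every decision written to an audit log for incident response.

```python
"""Purpose-bound field access and a retention sweep over a constructed PII store.

Added example; the policy tables, roles and records are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy: fields a role may read, and only for the purpose listed
# (Purpose Specification / Use Limitation expressed as an allowlist).
ACCESS_POLICY = {
    ("benefits_clerk", "benefits_eligibility"): {"name", "address", "dob", "ssn"},
    ("newsletter_editor", "newsletter"): {"name", "email"},
    ("auditor", "audit"): {"name"},
}

# Constructed retention schedule, keyed by the purpose the record was collected for.
RETENTION_DAYS = {
    "benefits_eligibility": 7 * 365,
    "newsletter": 365,
}


@dataclass
class PiiRecord:
    record_id: int
    purpose: str          # purpose specified at collection time
    collected_on: date
    fields: dict


@dataclass
class PiiStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # (actor, role, purpose, id, decision, fields)

    def add(self, rec):
        self.records[rec.record_id] = rec

    def read(self, actor, role, purpose, record_id, wanted):
        """Return only the fields the role may see for this purpose, or None.

        Denied when the stated purpose differs from the one the record was
        collected for (use limitation) or the role has no allowlist for it.
        Fields requested but not allowlisted are silently dropped.
        """
        rec = self.records[record_id]
        allowed = ACCESS_POLICY.get((role, purpose), set())
        if purpose != rec.purpose or not allowed:
            self.audit_log.append((actor, role, purpose, record_id, "DENY", ()))
            return None
        granted = {k: v for k, v in rec.fields.items() if k in wanted and k in allowed}
        self.audit_log.append((actor, role, purpose, record_id, "ALLOW", tuple(sorted(granted))))
        return granted

    def purge_expired(self, today):
        """Delete records older than the retention period for their purpose; return purged ids."""
        purged = []
        for rid, rec in list(self.records.items()):
            if today - rec.collected_on > timedelta(days=RETENTION_DAYS[rec.purpose]):
                del self.records[rid]
                purged.append(rid)
                self.audit_log.append(("retention-job", "system", rec.purpose, rid, "PURGE", ()))
        return purged


def build_sample_store():
    """Constructed sample records; the people and values are not real."""
    store = PiiStore()
    store.add(PiiRecord(1, "benefits_eligibility", date(2011, 3, 1),
                        {"name": "A. Sample", "address": "1 Main St", "dob": "1950-01-01",
                         "ssn": "000-00-0001", "email": "a@example.invalid"}))
    store.add(PiiRecord(2, "newsletter", date(2010, 1, 15),
                        {"name": "B. Sample", "email": "b@example.invalid"}))
    return store


def demo(today=date(2012, 4, 6)):
    store = build_sample_store()
    # Clerk asks for name, ssn and email: email exists on the record but is not allowlisted.
    clerk_view = store.read("clerk1", "benefits_clerk", "benefits_eligibility", 1, {"name", "ssn", "email"})
    # Editor asks for record 1 under the newsletter purpose: wrong purpose for that record.
    wrong_purpose = store.read("editor1", "newsletter_editor", "newsletter", 1, {"name"})
    purged = store.purge_expired(today)   # newsletter record from 2010 is past its 365 days
    return clerk_view, wrong_purpose, purged, len(store.audit_log)


if __name__ == "__main__":
    print(demo())
```

The audit log is deliberately written on denials and purges as well as on grants: the incident-response bullet above depends on being able to reconstruct who asked for what, and a log that only records successes cannot show an attempted misuse.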

Awareness, training, and education
  • Awareness: training designed to change behavior or reinforce PII practices; focuses attention on the protection of PII.
  • Training: builds knowledge and skills to enable staff to protect PII.
  • Education: builds a common body of knowledge covering all specialties and aspects of PII protection.

Topics for PII Training
  • The definition of PII
  • Applicable privacy laws, regulations, and policies
  • Restrictions on data collection, storage, and use of PII
  • Roles and responsibilities for using and protecting PII
  • Appropriate disposal of PII
  • Sanctions for misuse of PII
  • Recognition of a security or privacy incident involving PII
  • Retention schedules for PII
  • Roles and responsibilities in responding to and reporting PII-related incidents

Privacy-Specific Safeguards

Minimizing the use, collection, and retention of PII
  • Basic privacy principle: what does the organization need to fulfill its mission? Minimum necessary principle.
  • When no longer relevant, dispose of it securely.
  • Previously discussed: Privacy Impact Assessments.
  • De-identifying information: e.g., remove identifiers for researchers, using a protected and secured algorithm that can re-link the data when necessary.
  • Anonymizing information: de-identified information for which no algorithm for re-identification exists. Anonymizing to ensure inability to re-identify:
      • Generalizing the information: less precise and grouped
      • Suppressing the data: deleting entire records or parts of records
      • Introduction of noise: adding small amounts of variation to the data
      • Swapping the data: exchanging certain information from one record with another, e.g. zip code fields
      • Replacing the data with an average value
  • Anonymized data is very useful for systems testing and development. Randomly generated data tends not to share a realistic distribution and may not represent a proper test of the system.
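The de-identification and anonymization steps above, and the identifiability factor from the impact-level discussion (how easily fields such as zip code and date of birth can be linked back to a person), as an added worked example in Python that is not part of the lecture or of NIST SP 800-122. The records, the custodian key, the generalization rules and the group-size threshold k are constructed; k-anonymity (the smallest number of records sharing one combination of linkable fields) is used here as the re-identification risk measure, which the slides do not name. De-identification keeps a re-link table with the key holder; anonymization generalizes, suppresses and averages and produces no such table.

```python
"""De-identification with a custodian-held re-link table, anonymization, and a
k-anonymity check of re-identification risk. Added example; all data is constructed.
"""
import hashlib
import hmac
import random
import statistics
from collections import Counter

# Constructed sample records (not real people). Direct identifiers: name, ssn.
# Quasi-identifiers (zip, dob, gender) are the fields public records could be linked on.
RECORDS = [
    {"name": "A. Sample", "ssn": "000-00-0001", "zip": "02139", "dob": "1950-03-04", "gender": "F", "claim": 1200},
    {"name": "B. Sample", "ssn": "000-00-0002", "zip": "02138", "dob": "1952-11-30", "gender": "F", "claim": 800},
    {"name": "C. Sample", "ssn": "000-00-0003", "zip": "02134", "dob": "1951-07-19", "gender": "F", "claim": 1000},
    {"name": "D. Sample", "ssn": "000-00-0004", "zip": "02115", "dob": "1985-02-02", "gender": "M", "claim": 300},
    {"name": "E. Sample", "ssn": "000-00-0005", "zip": "02116", "dob": "1983-09-09", "gender": "M", "claim": 500},
    {"name": "F. Sample", "ssn": "000-00-0006", "zip": "10001", "dob": "1970-05-05", "gender": "M", "claim": 950},
]
QUASI = ("zip", "dob", "gender")
DIRECT = ("name", "ssn")


def pseudonym(ssn, key):
    """Keyed pseudonym (HMAC-SHA256, truncated) for an SSN; only the key holder can recompute it."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key):
    """De-identification: drop direct identifiers; return (released data, re-link table).

    The re-link table stays with the custodian holding the key and is never shipped with
    the released data, which is what lets the data be re-linked 'when necessary'.
    """
    released, relink = [], {}
    for r in records:
        pid = pseudonym(r["ssn"], key)
        relink[pid] = r["ssn"]
        released.append({"pid": pid, **{k: v for k, v in r.items() if k not in DIRECT}})
    return released, relink


def quasi_key(r):
    return tuple(r[q] for q in QUASI)


def k_anonymity(records):
    """Smallest number of records sharing one quasi-identifier combination (1 means someone is unique)."""
    return min(Counter(quasi_key(r) for r in records).values())


def generalize(r):
    """Generalization: 3-digit zip prefix and decade of birth instead of exact values."""
    g = dict(r)
    g["zip"] = r["zip"][:3] + "**"
    g["dob"] = r["dob"][:3] + "0s"
    return g


def anonymize(records, k=2, noise=0, noise_seed=0):
    """Anonymization: generalize, suppress groups smaller than k, replace the claim amount
    by its group average and optionally add bounded noise. No re-link table is produced."""
    gen = [generalize({kk: v for kk, v in r.items() if kk not in DIRECT + ("pid",)}) for r in records]
    sizes = Counter(quasi_key(r) for r in gen)
    kept = [r for r in gen if sizes[quasi_key(r)] >= k]        # suppression of unique rows
    by_group = {}
    for r in kept:
        by_group.setdefault(quasi_key(r), []).append(r["claim"])
    rng = random.Random(noise_seed)                              # seeded so runs are repeatable
    for r in kept:
        avg = statistics.mean(by_group[quasi_key(r)])            # averaging within the group
        r["claim"] = avg + (rng.uniform(-noise, noise) if noise else 0)   # noise
    return kept


def demo(key=b"custodian-key-constructed"):
    released, relink = deidentify(RECORDS, key)
    anon = anonymize(released, k=2)
    return {
        "k_before": k_anonymity(released),       # de-identified data is still unique per row
        "k_after": k_anonymity(anon),            # every remaining row shares its group with >= k-1 others
        "records_after": len(anon),              # the lone 10001/1970s/M row was suppressed
        "relink_ok": relink[released[0]["pid"]] == RECORDS[0]["ssn"],
        "claims_after": sorted({r["claim"] for r in anon}),
    }


if __name__ == "__main__":
    print(demo())
```

The k_before value is the lesson of the identifiability factor: removing names and SSNs does not by itself make data safe, because the remaining zip, date of birth and gender still single out every row. Only after generalization and suppression does each row hide among others, and that anonymized set still has a realistic distribution for the testing use the slide mentions.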