Technology Can Boost Privacy, but Standards Needed
No matter how technology improves, govt. agencies will compromise individual privacy unless they have clear data use policies, lines of authority and accountability, speakers told a Homeland Security Dept. (DHS) privacy workshop. Regarding individual data, agencies must “take a step back and bring some discipline back in,” DHS Metadata Program Mgr. Michael Daconta said. Consistent rules and standards are sorely lacking in and among agencies, and DHS especially needs “a set of privacy decision trees” to ensure the buck stops somewhere, he said.
Privacy strategist John Bliss’s IBM team is working on “anonymizing” technologies, which Bliss said could encourage agencies to share data and ensure sensitive data are seen only in search results, not during searches. Calling it “knowledge disclosure without discovery,” Bliss said anonymizing uses “one-way hash technology” that permanently encrypts data, yet can perform analytics on the encrypted data to reveal requested information or profiles. Though such technology probably wouldn’t lead foreign govts. to share more information with the U.S., it could reduce interagency turf wars and the obfuscation arising from institutional jealousies, he said. Stevens Institute of Technology Assoc. Prof. Rebecca Wright said such computing models go back 20 years, but are “not really practical” yet, with complications that puzzle even a PhD such as herself, and are far from efficient.
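The matching Bliss describes, as an added illustration that is not code from IBM or the workshop: two agencies release only keyed one-way hashes of their records, so overlaps are found without either side seeing the other’s data. The sample records and the shared key are constructed for the example; the last function shows the caveat Wright alludes to, that an unkeyed hash of a small-domain field such as a date of birth is not really hidden, because every candidate can simply be hashed and compared.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records held by two agencies: (name, date of birth).
AGENCY_A = [("Alice Smith", "1970-01-01"), ("Bob Jones", "1982-05-17")]
AGENCY_B = [("bob jones", "1982-05-17"), ("Carol White", "1990-09-30")]


def canonical(name, dob):
    # Both sides must normalise identically, or the same person gets different tags.
    return f"{name.strip().lower()}|{dob}"


def keyed_tag(key, name, dob):
    # Keyed one-way hash (HMAC-SHA256). Only the tag leaves the agency;
    # without the shared key a tag cannot be tested against guessed inputs.
    return hmac.new(key, canonical(name, dob).encode(), hashlib.sha256).hexdigest()


def shared_matches(key):
    """Return Agency A's records whose tag also occurs in Agency B's tag set.
    Neither side learns the other's non-matching records, only opaque tags."""
    tags_b = {keyed_tag(key, n, d) for n, d in AGENCY_B}
    return [(n, d) for n, d in AGENCY_A if keyed_tag(key, n, d) in tags_b]


def unkeyed_tag(value):
    # Plain SHA-256 with no key: what a naive "one-way hash" deployment does.
    return hashlib.sha256(value.encode()).hexdigest()


def recover_dob(digest, start=date(1900, 1, 1), end=date(2010, 12, 31)):
    """Why the key matters: a date of birth has only ~40,000 possible values,
    so an unkeyed hash of it is reversed by hashing each candidate. Returns the
    matching date string, or None if nothing in the range matches."""
    day = start
    while day <= end:
        s = day.isoformat()
        if unkeyed_tag(s) == digest:
            return s
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    key = b"shared-secret-agreed-out-of-band"  # constructed; real keys are managed per agreement
    print(shared_matches(key))
    print(recover_dob(unkeyed_tag("1982-05-17")))
```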
Privacy controls’ vulnerability lies in end recipients’ potential to abuse authority, speakers said. An “immutable audit” could go a long way to creating a trail of transaction data on sensitive information, Bliss said. But that would be vulnerable to hacks of the auditing tools themselves, he added.
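A minimal form of the “immutable audit” Bliss mentions, added here as an illustration rather than any product’s code: each audit entry commits to the hash of the entry before it, so editing a past entry breaks every later hash. The sample log entries are constructed. The last function makes Bliss’s caveat concrete: whoever controls the auditing tool can rewrite an entry and recompute the whole chain, and only a head hash anchored outside that tool’s reach still reveals the rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def entry_hash(prev_hash, entry):
    # Each entry's hash covers its predecessor's hash, chaining the log together.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log, entry):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": entry_hash(prev, entry)})
    return log[-1]["hash"]


def verify(log, anchored_head):
    """Recompute the chain. Returns (ok, index): index is the first bad entry,
    or len(log) if every link checks out. anchored_head is the final hash as
    recorded somewhere the log's administrators cannot alter."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if entry_hash(prev, rec["entry"]) != rec["hash"]:
            return (False, i)
        prev = rec["hash"]
    return (prev == anchored_head, len(log))


def build_sample_log():
    # Constructed sample: three accesses to one sensitive record.
    log = []
    for who, action in [("analyst1", "query"), ("analyst2", "export"), ("admin", "delete")]:
        append(log, {"user": who, "action": action, "record": "case-42"})
    return log


def rewrite_and_rechain(log, index, new_action):
    # What a compromised audit tool can do: change an entry, then recompute all
    # later hashes so the chain is internally consistent again.
    log[index]["entry"]["action"] = new_action
    prev = GENESIS
    for rec in log:
        rec["hash"] = entry_hash(prev, rec["entry"])
        prev = rec["hash"]
    return log
```

Verification against an external anchor (a hash published to a separate system or a paper record) is what turns the chain from a self-consistency check into evidence.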
Data privacy focuses mostly on “producer controls” -- an information collector’s right to set rules for its use, said Daconta. But widespread availability of data on individuals should encourage a “consumer controls” mentality, in systems with the “ability to model context.” The Semantic Web project at the W3C, which aims to transform the “human readable Web to a machine readable Web,” is an example, he said. Perhaps the best tool for consumers to learn what data the govt. has on them would be an automated Freedom of Information Act (FOIA) request, Daconta said. This would involve a Web-based search, similar to Google’s, in which users enter their names with other identifying data and pull up matching records. Though likely to make erroneous matches, such a system would let users “know precisely what [the govt. is] doing with my data,” he said. The public will cede some privacy when it has an incentive, such as security or economics, but society is moving toward a new idea of the right to privacy, Bliss said: The right to not have data aggregated without consent.
Speakers disagreed -- mostly in semantics -- on whether privacy functions incorporated into computing systems would render them obsolete when rules change. Northrop Grumman Dir.-Security & Identity Management Bill Gravell urged central management of rules, with as little physical deployment as possible, so a configuration change applies systemwide. That assumption is faulty, Daconta said, calling modularity a basic tenet of engineering no firm should ignore.
A framework for govt. use of commercial data should focus on requiring detailed explanations for obtaining wide ranges of data, Center for Democracy & Technology (CDT) Exec. Dir. Jim Dempsey said. Offices first should define their operational goals for such requests; as an example, he said, the Transportation Security Administration hasn’t even defined its Secure Flight airline screening program’s goal. Agencies now seek data in “very broad, vague, general ways,” said Fred Cate, Indiana U. dir.-Center for Applied Cybersecurity Research. Privacy implications can be deduced once an agency justifies a request, for instance by analyzing the “richness of the data set.” Cate said unless information is detailed enough to avoid reams of matches in a targeted search, “we’re not going to be able to add any light to this heat.”
Three questions should underpin agency requests for and use of sensitive data, Center for Strategic & International Studies (CSIS) Senior Fellow Mary DeRosa said: (1) What kind of analysis will be performed on the data, and how broad will its results be? (2) How will the results be used -- as input for further analysis, or as the sole basis for detaining someone, perhaps a suspect? The latter is a “much bigger hurdle,” she said. (3) What protections are in place to limit inconvenience or worse for those wrongly identified? Pattern-based analysis in airline screening, with its vague matching criteria and immediate impact on identified people -- keeping them off planes -- is especially objectionable, DeRosa said. Dempsey criticized the previous day’s citation of terrorist Mohammed Atta’s “4th-class life” and first-class ticket on 9/11 to justify pattern-based analysis (WID Sept 9 p1).
“It sounds so tantalizing when you think about it for 5 seconds,” but what if such patterns turn up in the lives of innocents that cause them to be suspected unfairly? DeRosa asked. Cate said agencies using that method largely have ignored studies by the Pentagon and other entities into the effectiveness of pattern-based analysis.
Civil liberties groups mainly want audit trails as a means of protecting data privacy, said Chris Hoofnagle, Electronic Privacy Information Center (EPIC) dir.-West Coast. Auditing provisions in Cal.’s landmark identity theft law were attacked by data brokers, which gave “every excuse in the book” as to their impracticality, he said. EPIC’s FOIA requests for auditing rules in the govt. showed most attention is paid to preventing improper data access between agencies, not within them, he added.
Independent oversight of agency data requests and use and a redress mechanism may be needed, Cate said. Steven Adler, IBM program dir.-data governance solutions, suggested “maybe we ought to bond database administrators with data” as bank tellers are bonded for their currency handling.
Asked by Toby Levin, DHS Privacy Office senior adviser, how DHS should access data, speakers said the agency needn’t wait for Congress to update the Privacy Act. Hoofnagle said DHS could order data contractors to follow the Fair Credit Reporting Act (FCRA). That would limit firms using “means that border on deception,” he said, such as data brokers surreptitiously acquiring data from customer service centers or seeking more data than needed in help calls, eventually selling them to aggregators. Privacy controls are “relatively easy” to add to the system, and to ease the burden of storage an agency periodically could dump audit trails and other data, DHS Program Mgr.-IT Martin Smith said. Adler said the agency needs to examine its “data supply chain,” for instance by verifying the rules on state & local law enforcement entities that send data to the federal govt. Cate and Adler disagreed on whether the govt. can fix inference errors arising from technically accurate data, as when the outcome of a series of misinterpreted data points is to keep someone from flying. Adler said a redress mechanism such as Cate proposed would be difficult to create.