Analysts urge senators to force agencies to better protect Americans' data.
The federal government needs to update laws and technologies to better protect the public's privacy and to avoid new forms of identity theft, privacy and security professionals told a Senate panel on Wednesday.
Comment on this article in The Forum.Among the actions recommended was amending the 1974 Privacy Act to limit agencies' use of the public's personal information stored in databases.
"The American public is quickly losing faith in the government's ability to protect its sensitive information," said Sen. Tom Carper, D-Del., a member of the Homeland Security and Governmental Affairs Committee. "In the wrong hands, compromised personal and sensitive information can leave an individual vulnerable to identity theft or worse."
Privacy advocates and analysts told the committee that the 30-year-old Privacy Act has not kept up with advances in technology. The law's protections are limited to systems of records, which were defined at the time as databases where information was retrieved using a name or some other personal information identifying the individual. That definition is too narrow for today's networks, in which searchable databases allow records to be accessed without using any personally identifiable information, said Ari Schwartz, chief operating officer for the Center for Democracy and Technology. "The basic problem is that we set up this law with an idea of what databases looked liked in the 1970s where you searched by name," he said.
In his opening statement, Schwartz said an agency contacted by the center said it had lost half of its records, which numbered in the millions. He also said an Interior Department official told him the department was "promiscuous with our data," and called the loss of taxpayer information a "public failure."
Schwartz said the Privacy Act's routine-use exemption, which allows agencies to share personal information under limited circumstances based on the frequency in which an agency needs to access the information, has been exploited. Agencies insert generic routine-use clauses into privacy impact statements, effectively allowing them to access information when they please. "It's basically giving a complete loophole to people," Schwartz said.
He added that agencies often list 30 to 40 routine-use exemptions for every new collection of information, including several blanket uses that are inserted into every statement. "Department of Defense has 16 routine uses they use for every collection of information," he said. "Obviously every collection is not being used in the same way."
Agencies should use only personally identifiable information for the purposes it was collected, agreed Linda Koontz, director of information management issues at the Government Accountability Office. She said the routine-use exemption often allows agencies to avoid stating why they are collecting personal data. Koontz also said it was important that agencies place constraints on how the information could be used.
Hugo Teufel, chief privacy officer for the Homeland Security Department, said his agency did not have a blanket routine-use clause it inserts into explanations for collecting personal data. He said DHS considers each notice separately and tries to use the exemptions appropriately.
The government's increasing use of biometrics also poses a threat to privacy that the government has yet to adequately address, said Peter Swire, a professor at Moritz College of Law at Ohio State University who served for two years as chief counselor for privacy under President Bill Clinton. Advances in technology allow a criminal to replicate someone's fingerprints easily, and unlike passwords or identification cards, once someone steals a fingerprint, it is lost forever as a secure form of identity verification.
"It's not that hard to fake a fingerprint," he said. "Google it and you can find a way to fake one for less than 10 bucks."
Swire called fingerprints the new data breach waiting to happen and said if steps were not taken to secure databases, an entire generation could face the loss of their biometric information. He suggested amending the 2002 E-Government Act to require encryption of all biometric information that is transmitted or stored by both the public and private sectors.
Swire disagreed with the theory that biometrics are a near foolproof technology. "Biometric firms have long lists of vulnerabilities," he said. "We need to look at this so the eagerness to do things might be tempered a bit."