WASHINGTON — Cybersecurity became a very public top priority for the federal government after the 2014 theft of 21 million records from the Office of Personnel Management, but government bureaucracy itself may be a privacy threat to the rest of the country — and that’s not likely to change any time soon.
The U.S. government collects a lot of data on its citizens. Though there’s no official number, a 2012 survey by MeriTalk of federal government information technology employees placed the amount of data stored by the government at 1.61 petabytes — or nearly 2 million gigabytes — and that was four years ago. This number may not reflect data collected by agencies like the Department of Defense, which doesn’t discuss its data for national security reasons, and most likely doesn’t include the estimated yottabyte data capacity — roughly 1 quadrillion gigabytes — of the National Security Agency’s new Utah storage site.
Americans generally value their privacy. A 2015 Pew survey found 74 percent of Americans felt strongly about being able to control who accesses their information.
“There’s a lot of sharing of information in the government that is routine and normal and there’s nothing wrong with it,” said Bob Gellman, a privacy consultant who has worked extensively on Capitol Hill and with federal agencies. “The sharing of information is not an inherently evil act.”
But some privacy groups worry that there is little oversight of the data sharing.
Government collection and sharing of data is governed by the 1974 Privacy Act, which requires federal agencies to publish something called a system of records notice when they share certain data with other agencies or third parties. While most information requires consent from an individual or group to disclose, information sharing that falls into the category of so-called routine use — loosely defined as using data in line with the reason it was initially collected — can waive the need for consent.
These rules cover personally identifiable information, such as any data associated with a name or Social Security number. When this type of data is shared with outside groups, all personally identifiable information must be stripped through a process called de-identification.
However, the act only applies to systems where records are accessed by searching by name or other identifiable information. Records that can be searched by other means, yet that may still include identifiable information, do not fall under the act.
Defining what constitutes a routine use lies largely with the federal agencies themselves. Without any concrete guidance, agency employees are left to navigate a patchwork of federal statutes, internal agency rules and potentially their own instincts when deciding what data can be shared.
“This is meaningless as it turns out,” Gellman said. “Most agencies use it as ‘If I want to share this data, it is a routine use.’”
Though many agencies have a privacy officer, or some senior official designated for handling data privacy, it may be an assistant secretary who has numerous other responsibilities, Gellman said.
Under the Privacy Act, there’s no enforcement authority that monitors how well agencies adhere to the law’s provisions. The Office of Management and Budget has some responsibility for issuing guidance, but like other agencies it lacks both the resources and interest to do so, Gellman said.
The OMB released a report on the Privacy Act and its requirements in 2010. However, the report mostly focused on the procedure for writing a notice, rather than advice on what information is appropriate to share.
“It’s really hard to write these rules … how do you write a rule that governs all of the disclosures that go on for any particular set of information?” Gellman said.
For example, Gellman estimates the Department of Veterans Affairs has close to 50 routine uses for its health records. With such a wide variety of approved uses for the data it collects, the VA can’t follow one general rule.
Another problem is that frequently the system of records notices agencies do publish are outdated or incorrect.
One agency that Gellman consulted with hadn’t updated their system of records notices in years, and even after he did the work of updating and revising their disclosures it took them three years to start disclosing — by which time the new notices were already outdated. Another agency Gellman consulted for hadn’t looked at their disclosures since they had been written nearly 25 years prior, and they were unsure what data they were required to disclose.
According to the Privacy Act, neither data collection nor data sharing is allowed if it hasn’t been disclosed in the Federal Register. However, the penalty for violating the act usually wouldn’t rise above a misdemeanor, Gellman said.
A bigger concern, according to Timothy Yim, director of data and privacy at the Startup Policy Lab, is something called onward transfer.
“Once you have information and you share it with a third party, it is hard to track who they share it with and how it is handled,” Yim said.
Given the patchwork nature of privacy laws in both the public and private sectors, it is hard to predict whether another agency or outside group will use similar privacy protections to the group that shared the information, he said.
The Department of Health and Human Services has a goal of minimizing the number of system of records notices, seeking to improve new notices rather than updating old ones. Every notice passes through both HHS executives and OMB for review before being published.
A 2013 report from the Office of the Chief Information Officer states that HHS not only collects the minimum amount of data necessary, but that it assesses potential privacy risks for every data collection and gives individuals the right to learn how their data is being used.
But, under a 2004 Supreme Court ruling, individuals must prove any wrongful disclosure of their personal information was damaging if they want to take action against a government agency. And, according to Gellman, there are very few lawsuits.
And as more and more data becomes available to be cross-referenced, the more likely it is that your personal information will be able to be tracked back to you, Yim said.
“We say de-identify even though we don’t really mean it,” he said. “Information that’s public is continually going to stay out there. Something that isn’t, even with best practices, re-identifiable today may be in two years as more information becomes available.”
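The cross-referencing risk Yim describes can be measured rather than guessed at. The following is an added illustration, not code from the article or from either source quoted in it: it uses a small constructed set of “de-identified” records and a constructed auxiliary dataset that carries names, and computes k-anonymity (the size of the smallest group of records sharing the same quasi-identifiers, a metric the article itself does not name) before and after one extra attribute becomes available for linking. All record values, attribute names and person labels are invented for the example.

```python
"""Re-identification risk from cross-referencing a de-identified release.

Constructed data, not from any real agency release. Demonstrates why a
dataset that is not re-identifiable today may become re-identifiable once
one more attribute is available to join on.
"""
from collections import Counter, defaultdict

# Quasi-identifiers that are available to an outside party "today".
QUASI_IDS_TODAY = ("zip3", "birth_year", "sex")
# The same set once a later release (or another agency) exposes admission month.
QUASI_IDS_LATER = ("zip3", "birth_year", "sex", "admit_month")

# Constructed de-identified health-style records: names and SSNs stripped,
# but several indirect identifiers kept for analytic value.
DEIDENTIFIED = [
    {"zip3": "200", "birth_year": 1980, "sex": "F", "admit_month": 3, "diagnosis": "asthma"},
    {"zip3": "200", "birth_year": 1980, "sex": "F", "admit_month": 7, "diagnosis": "diabetes"},
    {"zip3": "200", "birth_year": 1975, "sex": "M", "admit_month": 3, "diagnosis": "asthma"},
    {"zip3": "200", "birth_year": 1975, "sex": "M", "admit_month": 3, "diagnosis": "hypertension"},
    {"zip3": "221", "birth_year": 1990, "sex": "F", "admit_month": 1, "diagnosis": "flu"},
    {"zip3": "221", "birth_year": 1990, "sex": "F", "admit_month": 9, "diagnosis": "asthma"},
]

# Constructed auxiliary dataset with names (think of a public roll or a
# separate registry that happens to share the same indirect attributes).
AUXILIARY = [
    {"name": "Person A", "zip3": "200", "birth_year": 1980, "sex": "F", "admit_month": 3},
    {"name": "Person B", "zip3": "200", "birth_year": 1980, "sex": "F", "admit_month": 7},
    {"name": "Person C", "zip3": "200", "birth_year": 1975, "sex": "M", "admit_month": 3},
    {"name": "Person D", "zip3": "200", "birth_year": 1975, "sex": "M", "admit_month": 3},
    {"name": "Person E", "zip3": "221", "birth_year": 1990, "sex": "F", "admit_month": 1},
    {"name": "Person F", "zip3": "221", "birth_year": 1990, "sex": "F", "admit_month": 9},
]


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """k = size of the smallest equivalence class; k == 1 means some record is unique."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_links(deidentified, auxiliary, quasi_ids):
    """Return {row_index: name} for rows whose quasi-identifier combination is
    unique in both datasets, i.e. the join points at exactly one person and
    exactly one record. Rows sharing a class with another row are not linked."""
    deid_classes = equivalence_classes(deidentified, quasi_ids)
    aux_by_key = defaultdict(list)
    for a in auxiliary:
        aux_by_key[tuple(a[q] for q in quasi_ids)].append(a["name"])
    links = {}
    for i, r in enumerate(deidentified):
        key = tuple(r[q] for q in quasi_ids)
        if deid_classes[key] == 1 and len(aux_by_key[key]) == 1:
            links[i] = aux_by_key[key][0]
    return links


def risk_report(quasi_ids):
    """Summarise re-identification risk of the constructed release for a given
    set of attributes an outside party can join on."""
    return {
        "k": k_anonymity(DEIDENTIFIED, quasi_ids),
        "reidentified": unique_links(DEIDENTIFIED, AUXILIARY, quasi_ids),
    }


if __name__ == "__main__":
    for label, qids in (("today", QUASI_IDS_TODAY), ("later", QUASI_IDS_LATER)):
        report = risk_report(qids)
        print(f"{label}: k={report['k']}, re-identified rows={report['reidentified']}")
```

With only ZIP prefix, birth year and sex available, every record sits in a group of two (k = 2) and the join resolves no one. Once admission month can also be joined on, four of the six records become unique in both datasets and are tied to a name, even though nothing in the release itself changed. The defender-side reading is the one Yim and the data-minimization point make: attributes that are not needed for the stated use should not be in the release at all, and the k value should be re-checked whenever a new dataset with overlapping attributes becomes public.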
Yim suggested the creation of one department responsible for sharing data between agencies and third parties. By centralizing the data, groups would receive only as much information as they require and the transfer of data could be monitored, he said.
Another possibility is data minimization, he said, which is the practice of collecting only as much data as is needed and disposing of it properly after use.
Data minimization runs counter to the current open data trend, which sprang from an executive order signed by President Barack Obama in 2013 that requires that government data be available to the public.
It is unlikely that any ideas like Yim’s will take root on a large scale, Gellman said.
“The Privacy Act is wildly out of date, technologically stuck in papers and mainframe computers,” Gellman said. “It needs to be rewritten, and that’s been true for at least the past 30 years.”
The last attempt to update the 1974 Privacy Act was led by then-Sen. Daniel Akaka, D-Hawaii, in 2011.
A former congressional staffer involved with the Privacy Act update said Akaka secured promises of support from then-Chairman Sen. Joe Lieberman and ranking Republican member Sen. Susan Collins of the Senate Committee on Homeland Security and Government Affairs.
The staffer said Akaka created a working group comprising both privacy groups and government agencies to come to a consensus on a draft bill. However, the staffer said parties on both sides of the debate — privacy advocates and law enforcement groups — were concerned about re-opening discussion on the Privacy Act.
“Both sides were nervous … because it could cut both ways,” the staffer said. “Privacy groups could lose parts of the act that they really liked, and law enforcement and intelligence feared more hoops to jump through.”
In the end, nobody was overly eager to move forward, fearing a floor fight over some controversial amendments, the staffer said. The bill died in committee.
In February, President Obama issued an executive order creating a federal privacy council to coordinate best practices across agencies.