NextGov
Tech Insider
What's happening in the federal IT community

Privacy

What's TSA's Definition of a Security Threat?
By Allan Holmes  |  Tuesday, May 13, 2008 |  1:01 PM

The New York Times reported today that the Transportation Security Administration sent letters to at least four graduate students at MIT informing them that the agency had turned down their requests for an identification card needed to work at the nation’s ports. The letters told the students they were “security threats.”

The students had applied for a so-called Transportation Worker Identification Credential, or TWIC, card, a program the federal government created after 9/11 to tighten security at the nation’s ports. The deployment of TWIC has been delayed for months for numerous reasons.

The Times article cites two cases, one involving a German student, the other a British student. In the rejection letters, John Busch, who is identified as a security administration official, wrote, “I have determined that you pose a security threat.”


Identity Management in New Jersey: Not Worth the Effort
By Allan Holmes  |  Thursday, May 1, 2008 |  6:11 PM

If your agency’s auditor concluded that your networks lacked the ability to monitor which employees were accessing personally sensitive information – say, Social Security and tax identification numbers – would you respond to the audit by saying that your current security practices were adequate and that monitoring wasn’t worth the time and effort?

That’s how John Guhl, New Jersey’s Medicaid director, responded when the state’s auditor concluded that New Jersey’s Department of Human Services lacks the security policies and procedures to protect personal information on the computer system it uses to process claims for more than 1 million Medicaid patients, according to an article posted by Newsday.

Here’s an excerpt from Newsday on what Guhl wrote in response to the auditor’s report:

In a written response to the audit, [Guhl] … said all employees take training in federal requirements for personal health information.

But he wrote even the best procedures would not guarantee security and said he believes "the current security provisions are adequate."

"As indicated by the auditors, the implementation of this recommendation would require substantial time and effort," Guhl wrote. "This cost would be continuous as resources and time would be needed to monitor and maintain this function."

He told senators during a recent budget hearing that employees cannot access the entire system, only the areas in which they work. He said supervisors know what employees logged into the system and when but not what record was viewed.

"We don't have that level of detail," Guhl said.


Microsoft Bypasses Windows Security -- for the Law
By Allan Holmes  |  Tuesday, April 29, 2008 |  5:23 PM

Computer forensics is becoming more important to law enforcement agents as criminals use computers to commit crime. Microsoft has made it easier for officers to get that information off a computer by providing, for free, a USB thumb drive that can bypass all Windows security programs. "The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime," according to an article published by the Seattle Times. "It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer." Microsoft first distributed the thumb drives last year and now more than 2,000 officers in 15 countries are using them.

As expected, privacy experts and techies aren’t too keen on this development.

Hat tip: Slashdot


Security vs. Privacy is Nonsensical
By Andy Boots  |  Wednesday, April 23, 2008 |  10:40 AM

Bruce Schneier recently wrote a wonderful explanation of why the dichotomy between security and privacy is artificial. I recommend it to the privacy officials who must confront security as the rationale for poor privacy practices and to security officials who must find ways to integrate privacy into their thinking and program planning.

So how does FedWorld see this topic? With no subtlety at all, of course.


I’ve Been Had and I’m Not Taking it Any More
By Scott Hastings  |  Tuesday, April 8, 2008 |  6:14 PM

Many of us in the information technology world have worked hard to achieve the state of affairs in which we find ourselves. We are now much freer to transact business in an un-tethered fashion, enabling us to contribute more and more of our otherwise non-productive personal time to more gainful activities.

However, nagging and unintended consequences that threaten further progress are dogging us. We confront headlines about the proliferation of our most personal information throughout cyberspace. Our ages, physical characteristics (at least the ones we record), yearbook pictures, traffic violations, credit histories, failed relationships all seem to be readily available, and subject to violation by a growing number of predators, some benign, others felonious. Cyber outlaws are capturing our identities, compromising our finances, and promulgating false information about us.


New Army Data Breach
By Ari Schwartz  |  Friday, April 4, 2008 |  3:05 PM

Federal News Radio reported yesterday that it had uncovered a spreadsheet on the Army Web site containing the Social Security numbers of 25 active service members, concealed only by Excel's "hidden columns" feature. Supposedly, the Army had been told about the page months ago.

Aside from the probable violation of the Privacy Act and the clear violation of the recent OMB memo urging an end to unnecessary uses of SSNs, the most shocking thing to me is how easily this problem could have been fixed months ago simply by saving the document as a PDF rather than posting the Excel spreadsheet itself.

Am I missing something?


Whose Vision of Privacy?
By Robert Charette  |  Thursday, March 27, 2008 |  1:06 PM

When Sen. John McCain was told of the snooping into his passport files, he said in indignant tones, "The United States of America values everyone's privacy ..."

Sen. Arlen Specter, ranking Republican on the Judiciary Committee, spewed forth that, "I think privacy is a very fundamental matter..."

This got me to thinking about what Principal Deputy Director of National Intelligence, Dr. Donald Kerr, said last year, "Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture."

That's apparently no longer a valid or reasonable idea. "In our interconnected and wireless world, anonymity – or the appearance of anonymity – is quickly becoming a thing of the past. ... Protecting anonymity isn’t a fight that can be won."

So, do McCain and Specter agree with this definition of privacy or America's deeply rooted traditional value of privacy?


No Hearings on Privacy Assessments?
By Allan Holmes  |  Wednesday, March 26, 2008 |  6:00 PM

The ho-hum response from the Hill concerning private contractor employees accessing the passport files of Sens. Barack Obama, D-Ill., Hillary Clinton, D-N.Y., and John McCain, R-Ariz., is a bit surprising -- or on second thought, is it?

As Ari Schwartz, deputy director of the Center for Democracy and Technology, pointed out in his Nextgov blog and in a Nextgov article, the point here is the lax attitude many agencies have taken in developing privacy impact assessments, which are required by the 2002 E-Government Act. In the assessments, agencies are supposed to analyze how they collect, store, share and manage personal information in federal networks. The idea is for agencies to develop policies that limit access to information before setting up a database.

State, Schwartz says, has done only cursory assessments. And a State agency official says the department believes they "have seen the last of this."

None of the congressmen in the Congress Daily article (link above) mentioned the privacy impact assessments or the E-Government Act. This may be an opportune time to investigate how well agencies have complied with the law's requirement to properly protect the private information they have stored on databases.


State Dept. Privacy Invasions No Surprise
By Ari Schwartz  |  Friday, March 21, 2008 |  10:15 AM

Revelations today that contractors at the State Department read Barack Obama's passport history with no authorization in possible violation of the Privacy Act come as no great shock to the privacy community.

In fact, the only reason that this serious breach was caught was because of the high visibility of the victim. Contractors who decide to look up old girlfriends, or worse, regularly use the information for stalking may never be caught, as we have seen in other agencies that do a slightly better job of privacy control.

My organization has expressed concern about the State Department's privacy program frequently over the past two years. They simply do not have the resources to do an effective job. It seems that the goal is to meet the obviously low standard of "satisfactory" in the annual FISMA report.

If State is "satisfactory" today, think how bad things must be at the Defense Department, the only department to receive a "failing" rating on their privacy impact assessment implementation according to the inspectors general.
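The gap this post and the New Jersey Medicaid post above describe (supervisors knowing who logged in and when but not which record was viewed; passport browsing caught only because the victim was a senator) is a logging and detection problem. As an added example, not code from either agency or from Nextgov, the Python below shows what record-level audit events make possible: each line names the record touched, and three simple rules flag access outside a worker's assigned caseload, any access to a flagged record, and a user paging through unusually many records in one hour. The log lines, caseload assignments and threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Access:
    """One record-level event: who touched which record, when, and how."""
    ts: datetime
    user: str
    action: str
    record_id: str


# Constructed sample log, not from any real agency system. Each line is one
# record touched, which is the detail the NJ Medicaid system did not capture.
SAMPLE_LOG = "\n".join(
    [
        "2008-04-28T09:01:10 jdoe view CASE-1001",
        "2008-04-28T09:03:44 jdoe view CASE-1002",
        "2008-04-28T09:05:02 asmith view CASE-2001",
        "2008-04-28T12:15:30 asmith view CASE-1001",
        "2008-04-28T12:16:01 asmith view CASE-9999",
    ]
    # A burst: one user paging through 25 different records within one hour.
    + [f"2008-04-28T14:{i:02d}:00 bmiller view CASE-{3000 + i}" for i in range(25)]
)

# Hypothetical assignments: the records each worker legitimately handles.
CASELOAD = {
    "jdoe": {"CASE-1001", "CASE-1002"},
    "asmith": {"CASE-2001", "CASE-2002"},
    "bmiller": {f"CASE-{3000 + i}" for i in range(25)},
}
# Records reviewed on any access (the "high-visibility victim" case).
WATCHLIST = {"CASE-9999"}
HOURLY_LIMIT = 20  # distinct records per user per hour before a volume alert


def parse_log(text: str) -> list:
    accesses = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_id = line.split()
        accesses.append(Access(datetime.fromisoformat(ts), user, action, record_id))
    return accesses


def detect(accesses, caseload=CASELOAD, watchlist=WATCHLIST, hourly_limit=HOURLY_LIMIT) -> list:
    """Return (rule, user, detail) tuples for accesses worth a supervisor's look."""
    findings = []
    per_user_hour = defaultdict(set)
    for a in accesses:
        # Rule 1: a record outside the worker's own caseload.
        if a.record_id not in caseload.get(a.user, set()):
            findings.append(("OUT_OF_CASELOAD", a.user, a.record_id))
        # Rule 2: any touch of a flagged record.
        if a.record_id in watchlist:
            findings.append(("WATCHLIST", a.user, a.record_id))
        hour = a.ts.replace(minute=0, second=0, microsecond=0)
        per_user_hour[(a.user, hour)].add(a.record_id)
    # Rule 3: too many distinct records for one user in one hour.
    for (user, hour), records in sorted(per_user_hour.items()):
        if len(records) > hourly_limit:
            findings.append(("VOLUME", user, f"{len(records)} distinct records from {hour.isoformat()}"))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(*finding)
```

The caseload rule is the one that catches the "old girlfriend" lookup that no watchlist would ever contain, and it only works if the application records the record identifier, not just the session.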


At War, In Secret
By Bruce McConnell  |  Thursday, March 20, 2008 |  5:00 PM

According to senior officials inside and outside the national security establishment, the Nation is at war in cyberspace.

This war, like many things in cyberspace, confounds traditional boundaries. It is occurring in part on U.S. soil, where many of the attacked public and private sector computers are located. While some attacks are coming from foreign powers, others are from terrorist groups, and still others come from organized crime. Often the identity and intent of the attackers is unclear.

As Samuel Adams said in 1768, “Even when there is a necessity of military power, within the land . . . a wise and prudent people will always have a watchful & jealous eye over it.” Indeed, it is longstanding policy in this country that the military not be used to enforce the law on U.S. soil, except in major emergencies. This division between national security and civilian law enforcement activities is maintained in electronic surveillance as well. It colors the current FISA extension debate.

Few observers believe these divisions work in cyberspace. Yet there is no clear vision of how to proceed while guarding the underlying principles. For that reason, this matter deserves a considered public conversation. While a national cyber security initiative is necessary and timely, the secrecy surrounding the Administration’s program does not serve the Nation's long term interest.

Former Defense Secretary Robert McNamara said, speaking of Vietnam, "We failed to draw Congress and the American people into a full and frank discussion and debate of the pros and cons of a large-scale military involvement . . . before we initiated the action." We still have the opportunity to avoid that mistake in cyberspace.


Social Security Numbers: Law of the Land
By Andy Boots  |  Friday, March 14, 2008 |  11:06 AM

In a recent piece, Allan Holmes cites:

... an editorial in the New York Times Thursday, [which] calls the 2007 Secure America Through Verification and Enforcement Act, "a bad idea compounded by the notoriously bad state of federal government records."

This reminded me about the continued hysteria about Social Security numbers in federal records, with officials hurrying to the microphone or the hearing room to decry how privacy is at risk because government agencies use Social Security Numbers as identifiers. Though apocryphal, I find it easy to believe the story about the congressman who tried to introduce a measure forbidding the Social Security Administration from maintaining records that would include a person's SSN.

I wonder if Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons, has ever been repealed (or retracted, or whatever happens to executive orders that no longer seem a good idea). The salient paragraph in EO 9397 is the first one:

Hereafter any federal department, establishment, or agency shall, whenever the head thereof finds it advisable to establish a new system of permanent account numbers pertaining to individual persons, utilize exclusively the Social Security Act account numbers assigned …

Signed by Franklin Roosevelt, November 1943.


Clarke I: Less Privacy with Bush Protection Plan
By Allan Holmes  |  Wednesday, March 12, 2008 |  5:31 PM

Richard Clarke, former special adviser on cybersecurity to President Bush and an outspoken critic of the Bush administration, recently criticized the national cybersecurity initiative Bush signed in January. According to an article posted by InfoWorld today, Clarke raised the specter that Americans' privacy could be at stake because the initiative focuses on "securing the government's own computing and communications networks, and adopting a more proactive approach to engaging in cyber-warfare."

If that is true, Clarke says:

There's the idea that somehow these are government networks that we're talking about, but they really aren't, all these government sites are running through the same network of routers and the same fiber channels as everything else, there's no segmentation on these carrier networks. This means that [the plan's authors] either don't know that and merely think they need to reinforce security on state-owned servers, or data in their own facilities, in which case they are missing most of the problem, or that they plan to do monitoring of everything going through the carriers' systems.

OMB's FISMA Reporting a Win for Privacy
By Ari Schwartz  |  Wednesday, March 12, 2008 |  11:06 AM

Traditionally, privacy experts cringe at any sentence that uses "security and privacy" together as a pairing. It is usually a cover for protecting personal information from outside misuse while creating new questionable practices for internal use of personal data.

OMB's ever-increasing privacy reporting within FISMA seems to be a clear example of where tying the two together has benefited privacy accountability within agencies. The 2007 FISMA report released earlier this month offered a more detailed accounting of privacy activity than at any time since Chief Privacy Counsel Peter Swire left OMB at the end of the Clinton administration, and it showed that some agencies are making improvements.

At a Government Reform Committee hearing yesterday, E-Government Administrator Karen Evans made a persuasive case that privacy reporting will improve even more in 2008, pointing to the January memo requiring even greater measures to be tied into FISMA reports. Evans deserves credit for standing steadfast behind a strategy that has failed before but is clearly working today.


Log on and Get Fired
By Allan Holmes  |  Tuesday, March 11, 2008 |  5:28 PM

U.S. News & World Report outlines in an article posted today five ways your use of your PC can get you fired. Of course, there's the viewing of inappropriate content and playing games like Solitaire. (New York City Mayor Michael Bloomberg fired an employee after seeing the game on his computer monitor.) But also included on the list are some not-so-obvious uses, such as blogging, posting photos on your social network site and writing inappropriate or offensive emails. These offenses happen more than you may think: "Nearly one third of bosses have fired workers for misusing the Internet, according to a recent study by the American Management Association and the ePolicy Institute," U.S. News reports.


More Evidence That TIA Lives
By Allan Holmes  |  Monday, March 10, 2008 |  6:20 PM

Concerns that the Total Information Awareness system (a network to sift through Americans' personal data) never truly was killed were resurrected (again) by the Wall Street Journal in an article published March 10. "According to current and former intelligence officials, the spy agency [National Security Agency] now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records," according to the article. The Journal cites a Federal Bureau of Investigation program to track telecommunications data called the Digital Collection System, which has attracted the attention of Congress.

One of those speculating that this has been going on for some time has been National Journal's Shane Harris.


Citizens' Privacy at 'High Risk'
By Maureen Cooney  |  Monday, March 10, 2008 |  7:15 AM

The Government Accountability Office recently reiterated its designation of information security as a governmentwide “high-risk issue” in its report, Information Security: Protecting Personally Identifiable Information. The high-risk designation for information security in the federal government has been included in GAO reports to Congress each year since 1997. Along with its own audits, GAO’s most recent high-risk assessment was based on consideration of annual reporting by federal agencies of their own assessments of risk, including certain material risks reported regarding information security.

Consequences of real and perceived inadequacies in information security policies and controls

Under what circumstances would U.S. consumers confidently continue to share their data with companies that self report under Sarbanes-Oxley that their operations put customer data at high risk? Frankly, it is hard to imagine the likelihood that such companies could easily maintain the continuing trust and confidence of customers or shareholders without significant costs. In fact, Larry Ponemon, chairman of The Ponemon Institute, has reported that U.S. businesses have seen a steady exodus of customers, a reluctance of some customers to share data and increased costs, including from lost business opportunities, following disclosure of data breaches at their companies. Should we expect the reactions of U.S. citizens to be any different in the federal space? It seems unlikely.


Cybersecurity Leak Personal for Grimes
Tuesday, March 4, 2008 |  1:32 PM

Revealing some of the inside frustration that comes with leaks to the press, John Grimes, chief information officer and assistant secretary of networks and information infrastructure at the Defense Department, said a “disloyal” person was to blame for disclosing information about President Bush’s Cyber Initiative, reportedly totaling several billion dollars.

It was unclear whether the disloyal individual Grimes referred to in his morning session at the Information Processing Interagency Conference was the person inside government who leaked the information or the reporter at The Wall Street Journal who decided to run with the story. Regardless, he seemed to take personally the release of details on the White House cybersecurity directive signed by President Bush in January.

“We did not want this public until we got [various issues] resolved,” including those relating to privacy, Grimes said, referencing the numerous hearings that have been scheduled since the story broke. Each hearing requires executives at Defense, the departments of Homeland Security and State, and the Office of the Director of National Intelligence to prepare to testify.

“This comes down to political [culture] of decisions,” Grimes said. “Whether an attack is an act of war or criminal -- who makes that decision?”

Reports from news outlets seem to have prompted the release of some details – though not many – about the cybersecurity initiative. Most recently, DHS Secretary Michael Chertoff released remarks made to a roundtable of bloggers.

"We are beginning our cyberstrategy," he said. "That will not be done this year, but I'm hoping we can get it, a cybercenter, up and running, and have a full set of plans and a funding budget to move forward over the next several years to get to the next level of cybersecurity."


AT&T, NSA Get 'Culture Jammed'
By Allan Holmes  |  Thursday, February 28, 2008 |  11:18 AM

The Billboard Liberation Front, a group of so-called "culture jammers" who, among other acts, alter the wording of billboard advertisements to make a political or anti-corporate statement, has struck again. The group has claimed credit for altering an AT&T billboard in San Francisco to protest AT&T's collaboration with the National Security Agency's warrantless wiretapping of Americans' phones and Internet usage.


[Image: billboard.jpg, the altered AT&T billboard]

The billboard was a bit too late to influence the telecoms, which announced this past week that they would continue the surveillance program.

Hat tip: boingboing


Legitimizing Data Theft
By Robert Charette  |  Wednesday, February 27, 2008 |  4:49 PM

There are reports that the IRS as well as tax authorities in other countries including Canada, Germany, Australia, Italy, Sweden, Spain, the United Kingdom, and New Zealand have purchased stolen information detailing confidential bank accounts in Liechtenstein. Liechtenstein has very strict banking privacy laws, and it is seen by all the above countries as a safe haven for tax evaders. The country, which is a tiny principality next to Switzerland, is one of three countries (Andorra and Monaco being the other two) listed by the Organization for Economic Cooperation and Development as being "uncooperative tax havens."

How did the countries get this information? In one news report, it was said that, "Heinrich Kieber, a 42-year-old computer expert, offered the information for sale to several countries, including Germany, which paid about $6.3-million for it. (Mr. Kieber is said to be hiding in Australia under a new identity.)"


What? A HIPAA Violation?
By Allan Holmes  |  Wednesday, February 27, 2008 |  4:46 PM

This may not seem like an unusual news story, but an Oklahoma City woman was accused this month of violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the federal law that requires companies to properly secure the personal medical records of patients and employees or face fines or criminal prosecution. What's unusual about this story is that in the nearly 12 years HIPAA has been around, the number of HIPAA enforcement actions and criminal cases has been extremely low -- almost non-existent.

Considering that a large portion of American corporations -- as much as 40 percent back in 2006 -- were not in compliance with the law, a lone prosecution seems even more incredible. The reason for the non-compliance, privacy and security experts say, is that it pays not to comply. The risk of being caught is so low compared with the high cost of compliance that the business case argues for not complying. The return on investment for securing private health data just isn't there. Privacy experts may have a different point of view.


Caring About Your Personal Information - Not
By Robert Charette  |  Tuesday, February 26, 2008 |  7:16 PM

As noted on Government Executive's Web site, the Government Accountability Office has found that only two federal agencies -- the Treasury and Transportation departments -- have been able to demonstrate that they have implemented the guidance the Office of Management and Budget issued in 2006 and 2007 reiterating agency responsibilities under the Privacy Act of 1974, the E-Government Act of 2002 and the Federal Information Security Management Act of 2002. OMB's guidance drew particular attention to agency security and privacy requirements associated with personally identifiable information. Some 18 agencies met the guidance to some degree, while two -- the Small Business Administration and the National Science Foundation -- didn't meet any of the guidance.

I am so glad to see federal agencies care so much about your or my personal information.

OMB reissued the guidance two years ago in the wake of the many data breaches then occurring throughout government, but especially those that happened at the Veterans Affairs Department.


Google Moves into E-Health
Friday, February 22, 2008 |  2:36 PM

Google engineering manager Alan Newberger blogged yesterday about the software giant’s pilot program with Cleveland Clinic, which integrates patients’ electronic health records with their Google accounts. The initiative seems the first step in a long-term goal to provide citizens with universal access to their medical histories, and the ability to quickly exchange information with insurance plans, medical groups, pharmacies and hospitals.

Patients don’t have to participate in the program. Those that opt in will give authorization via Google’s “AuthSub” interface. Still, the initiative is sounding the alarm bells for privacy rights groups – the same groups that have spoken out against a national health network and other government-sponsored electronic health efforts.

Maybe a watchful eye on how Google handles the situation, including the very real privacy and confidentiality concerns, will provide the federal government a clue on how to get its own initiatives moving. It certainly wouldn’t be the first time industry paved the road.


USA Jobs vs. Monster Update
By Allan Holmes  |  Tuesday, February 12, 2008 |  4:32 PM

Late last year we blogged about a feature from CSO Magazine on the dos and don'ts of disclosure letters, those messages to customers and citizens informing them that their personal information may have been stolen. The feature compared how Monster.com and USA Jobs, the federal government’s site for job openings, informed the public after a hacker infiltrated Monster.com’s database of resumes in August. The names and contact information of about 146,000 job seekers on the USA JOBS Web site were stolen.

At the time, CSO hadn't posted the article, but the site recently posted the comparison online. The interesting takeaway here is that the federal government, according to public relations experts, did a better job of communicating with the public than Monster did.


An 'Award Winning' Definition of Privacy
By Allan Holmes  |  Tuesday, January 29, 2008 |  5:39 PM

The Web site for CSO (that's Chief Security Officer) Magazine recently gave out its "Privvy" awards for 2007 -- dubious recognition for people who utter the most provocative and/or telling statements about privacy. One of the winners is a federal government executive: Deputy Director of National Intelligence Donald Kerr, who won the "Doubleplusgood Newspeak of the Year" award for this quote:

"Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture.... But in our interconnected and wireless world, anonymity—or the appearance of anonymity—is quickly becoming a thing of the past.... We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment. Protecting anonymity isn’t a fight that can be won. Anyone that’s typed in their name on Google understands that." Privacy advocates seized on Kerr’s Orwellian attempt to singlehandedly change the definition of privacy because, hey, it’s really hard. (Source: Office of the Director of Naval Intelligence.)

For McConnell, Security Trumps Privacy
By Allan Holmes  |  Tuesday, January 15, 2008 |  5:26 PM

Privacy and security have always been a tug-of-war issue: the argument is that you have to give up some privacy to get some security. Mike McConnell, the director of national intelligence, is working on a cybersecurity plan that would ask Americans to give up a lot of privacy to get their security, according to a New Yorker article. (Subscription required.)

The proposal that is getting the most attention is giving the government the ability to search "the content of any email, file transfer or web search," according to an article on vnunet.com.

According to that article, the New Yorker author, Lawrence Wright:

suggested that this kind of monitoring is already going on. He spoke to an AT&T employee, Mark Klein, who claimed that he installed data switching systems in the company's exchange that copied all internet traffic to the National Security Agency.

"I know that whatever went across those cables was copied and the entire data stream was copied," said Klein. "We are talking about domestic as well as international traffic."

He added that previous claims by the Bush administration that only international communications were being intercepted are not accurate.


One Way to Stop Exposing SSNs
By Allan Holmes  |  Friday, January 11, 2008 |  5:45 PM

A Wisconsin government agency, like some companies, federal agencies and other organizations, has decided that the way to avoid accidentally exposing Social Security Numbers is to, well, not use them at all to identify citizens. The state's Department of Health and Family Services, which administers the state's Medicaid program, said this week that it would randomly generate ID numbers for the state's 800,000 Medicaid recipients instead of using their Social Security Number. The announcement immediately follows an incident in which EDS, which holds the contract to process the state's Medicaid claims, accidentally printed and mailed the Social Security Numbers of Wisconsin Medicaid recipients on newsletters. Another Wisconsin agency made a similar mistake last year.

Universities, companies and the state of California -- a leader in passing laws to protect personal information -- have issued rules and guidelines to limit the use of Social Security Numbers. The Office of Management and Budget has weighed in as well.

Ironically, Wisconsin was a pioneer in protecting privacy. In 1993, the state established the position of privacy advocate, whose job it was to make sure the state was following policies and procedures that protected Wisconsinites' private information. But just two years later, Wisconsin Gov. Tommy Thompson (R) (who served as secretary of the Department of Health and Human Services from 2001-2004) eliminated the privacy office in his 1995-1997 budget. Now the state's ability to protect privacy has eroded so much that Carole Doeppers, Wisconsin's only privacy advocate, told The Capital Times that the state government has no manageable way to protect data. "We've totally lost control of how government collects and uses and reuses and shares and disseminates information. We've just lost all control of that."
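As an added example, not Wisconsin's actual scheme and not code from the post, the Python below sketches the allocator such a switch requires: a member ID drawn from a cryptographically secure random source, a check against already-issued IDs for collisions, a Luhn check digit so a mistyped or transposed ID is rejected rather than silently resolving to someone else's record, and a single mapping table that is the only place the SSN is retained. The nine-digit width, the check-digit choice and the sample SSNs are assumptions. One caveat a practitioner would add: deriving the ID from the SSN with an unkeyed hash would not achieve the same thing, because the roughly one billion possible SSNs can all be enumerated and hashed.

```python
import secrets

ID_BODY_DIGITS = 9  # assumed width; the post does not give Wisconsin's format


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a string of digits (the digit that makes the
    full number pass the mod-10 check)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid_member_id(member_id: str) -> bool:
    """Reject IDs with a wrong length, non-digits, or a failing check digit."""
    return (member_id.isdigit()
            and len(member_id) == ID_BODY_DIGITS + 1
            and luhn_check_digit(member_id[:-1]) == member_id[-1])


class MemberIdRegistry:
    """Issues random member IDs and keeps the SSN mapping in one protected store.

    The ID is random (secrets module), not derived from the SSN: an unkeyed
    hash of an SSN is reversible by enumerating all ~10^9 candidates.
    In a real deployment the two dictionaries would be a locked-down table."""

    def __init__(self):
        self._id_for_ssn = {}  # the only place the SSN is kept
        self._issued = set()

    def issue(self, ssn: str) -> str:
        """Return the existing ID for this SSN, or mint a fresh unique one."""
        if ssn in self._id_for_ssn:
            return self._id_for_ssn[ssn]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(ID_BODY_DIGITS))
            member_id = body + luhn_check_digit(body)
            if member_id not in self._issued:  # collision check
                break
        self._issued.add(member_id)
        self._id_for_ssn[ssn] = member_id
        return member_id

    def count(self) -> int:
        return len(self._issued)


if __name__ == "__main__":
    registry = MemberIdRegistry()
    # Constructed sample SSNs, not real ones.
    for ssn in ("123-45-6789", "987-65-4321", "123-45-6789"):
        member_id = registry.issue(ssn)
        print(member_id, is_valid_member_id(member_id))
```

Once the random ID is on the newsletter mailing list and the claims feed, a printing mistake like the EDS one exposes nothing that links back to a Social Security number without access to the registry itself.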


Calif. Expands Privacy Protections; U.S. Sits By
By Allan Holmes  |  Friday, January 11, 2008 |  4:48 PM

California has led the nation in passing laws to protect private data, and it continues to play that role. This past Tuesday, a California law went into effect expanding the state's groundbreaking security breach notification law, the nation's first law requiring companies to notify customers if a cyberattack exposes personal financial information.

The law now applies to personal health records. Security breaches that expose unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses are covered under the law. The law also applies to the insurance industry. If unencrypted insurance policy or subscriber numbers, insurance applications, claims histories or appeals are exposed through a security breach, insurance companies or the medical facilities storing the data must notify the individuals whose records were possibly stolen or viewed.

The law becomes effective at an auspicious moment, notes the San Francisco Chronicle:

In July 2006, Republican Gov. Arnold Schwarzenegger issued an executive order to store medical records on computers, which probably will result in more data breaches, said Robert Herrell, a legislative assistant to Assemblyman Dave Jones, D-Sacramento, who wrote the bill.

In December, Sutter Lakeside Hospital in Lakeport (Lake County) notified 45,000 patients, doctors and employees after a contractor downloaded their records onto a hospital laptop, took it home and the machine was stolen.

The expanded law led editors of the SANS Institute's “newsbites” section to wonder when Congress will finally pass legislation that protects personal data for all Americans: "Other states will undoubtedly once again follow California's lead. A disturbing question, however, is why the U.S. government has not yet passed legislation with similar provisions."

Link  | Comments [0]


Predict What's Going to Happen in 2008
By Allan Holmes  |  Wednesday, December 12, 2007 |  2:52 PM

We think you, the technology manager in the federal government and industry, have pretty good insight into which hot issues and events will unfold in 2008 for the federal IT market. Over the past few weeks we've invited you to take an online survey to let us know what you think; we just want to take this opportunity to invite you to take the survey again, if you haven't.

We are conducting the survey in conjunction with our friends at Government Futures, which is also offering readers a chance to place bets on what's going to happen in the federal IT community using the prediction markets on Government Futures' Web site.

If you have taken the survey and placed your bets, thank you. If you haven't, please visit the site and give us your opinions. The questions cover a number of hot areas, including information security, the next-generation Internet and federal information technology spending.

In January, we’ll host a webinar to discuss the results of the survey and present an analysis of the predictions.

In the December issue of Government Executive, we discuss some trends that IT experts told us would be important. Now, we want your opinion. So, please take the survey and join the government futures market to help us figure it out.

Link  | Comments [0]


Lawyers Accuse Feds of Tapping Phone, Hacking
By Allan Holmes  |  Friday, October 12, 2007 |  8:45 AM

This news item certainly will heap more suspicion on the Bush administration’s tactics for fighting terrorism.

A law firm in Vermont, which represents a client in Afghanistan and a prisoner at Guantanamo Bay, is accusing the federal government of tapping its phones and hacking into a computer used by one of the firm's partners, according to an article posted by the Burlington Free Press. Three partners in the law firm Gensburg, Atwell & Broderick recently sent a letter to clients telling them the firm "can't guarantee their communications were confidential," according to the article. The firm said it had found its phone lines crossed and that a computer forensic examination of the computer used by Robert Gensburg "found an application that disabled all security software and would have given someone access to all information on the computer," according to the article.

Gensburg said there may be an innocent explanation for the problems -- such as he may have accidentally downloaded some malware from the Internet -- but "we are quite confident that it is the United States government that has been doing the phone tapping and computer hacking," the lawyers wrote in their Oct. 2 letter to clients.

According to the article, there's no comment from U.S. officials or Verizon, which operates the phone lines for the law firm and is one of the telecommunication firms named in the Bush administration’s wiretapping program after 9/11:

U.S. Attorney Thomas D. Anderson, the federal government's top law enforcement official in Vermont, said Thursday that he couldn't comment. Verizon has consistently refused to comment on whether it is involved with national security issues, spokeswoman Beth Fastiggi said Thursday.

Link  | Comments [10]


Detecting Employee Computer Fraud
By Allan Holmes  |  Thursday, October 11, 2007 |  11:29 AM

An article on a Web site operated by the Detroit Free Press about a driver's license fraud scheme in Michigan's Secretary of State's office raises an interesting question.

This month, a pair of Michigan state employees was caught selling fake driver's licenses, license plates and vehicle registration tags. The employees would identify a customer interested in obtaining the fake licenses and registration, would take the person's photo and then "use the name and personal information of an unwitting person already in the Secretary of State computer system" to produce the fake documents, according to the article.

This is the unnerving part: "The case broke after a sheriff's deputy noticed a fraudulent temporary license plate during a routine traffic stop," according to the article. The two employees' illegal activity on the state computer system was never flagged by the network. With the knowledge that most computer crimes come from within an organization, not from outside hackers, why wasn't the state system programmed to flag this unusual activity?

In addition, the article quotes Wayne County Sheriff Warren Evans musing about how "it is incredible in a post-Sept. 11 world that a government employee would provide anyone with picture identification under a false name." Maybe it's not that incredible, as illustrated by this Washington Post article. (As was the situation in the Michigan fraud case, this case was not broken by the state Department of Motor Vehicles but by the U.S. State Department's Bureau of Diplomatic Security.)

In the end, this Michigan case is what the Homeland Security Department can point to in its ongoing effort to enforce Real ID.
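The post asks why the state system did not flag the activity. As an added illustration (not code from the article or from any state system, with field names and records constructed for the example), here is the kind of audit-log rule a defender could run over credential issuances: flag a clerk who repeatedly attaches a new photo to a long-standing customer record without recording an identity-document check, the pattern the article describes.

```python
"""Flag suspicious credential issuances in an audit log (added example).

The log schema, field names and sample records below are assumed for
illustration only; they are not from the Michigan system or the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime as dt, timedelta


@dataclass(frozen=True)
class IssuanceEvent:
    ts: dt
    clerk_id: str            # employee who issued the document
    record_id: str           # existing customer record the document was tied to
    doc_type: str            # "license", "plate" or "registration"
    photo_replaced: bool     # a new photo was captured for this issuance
    id_docs_verified: bool   # clerk recorded a check of identity documents
    record_age_days: int     # age of the customer record when the document issued


def is_suspicious(ev: IssuanceEvent) -> bool:
    """A photo swap on an established record with no identity check.

    A brand-new record with a new photo is normal; an old record whose photo
    changes with no document check is the signature of issuing someone else's
    identity to a walk-in customer.
    """
    return ev.photo_replaced and not ev.id_docs_verified and ev.record_age_days > 365


def flag_events(events):
    """Return the individual events that match the rule."""
    return [e for e in events if is_suspicious(e)]


def clerks_over_threshold(events, window=timedelta(days=30), threshold=3):
    """Return {clerk_id: count} for clerks with >= threshold suspicious
    issuances inside any sliding window of the given length.

    A single unusual reissue can be legitimate; a cluster by one clerk is
    what should reach a supervisor or the inspector general.
    """
    by_clerk = defaultdict(list)
    for e in flag_events(events):
        by_clerk[e.clerk_id].append(e.ts)
    flagged = {}
    for clerk, times in by_clerk.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[clerk] = best
    return flagged


# Constructed sample log: clerk C1 does routine work plus one odd reissue;
# clerk C2 swaps photos on four old records in three weeks with no ID checks.
SAMPLE_LOG = [
    IssuanceEvent(dt(2007, 9, 3, 9, 15), "C1", "R-1001", "license", True, True, 2000),
    IssuanceEvent(dt(2007, 9, 3, 10, 0), "C1", "R-1002", "plate", False, True, 800),
    IssuanceEvent(dt(2007, 9, 4, 11, 30), "C1", "R-1003", "license", True, False, 30),
    IssuanceEvent(dt(2007, 9, 5, 14, 5), "C1", "R-1004", "license", True, False, 1500),
    IssuanceEvent(dt(2007, 9, 10, 9, 0), "C2", "R-2001", "license", True, False, 3000),
    IssuanceEvent(dt(2007, 9, 12, 9, 0), "C2", "R-2002", "license", True, False, 2200),
    IssuanceEvent(dt(2007, 9, 20, 15, 0), "C2", "R-2003", "registration", True, False, 900),
    IssuanceEvent(dt(2007, 10, 2, 16, 0), "C2", "R-2004", "license", True, False, 4000),
    IssuanceEvent(dt(2007, 10, 3, 8, 0), "C2", "R-2005", "plate", False, True, 100),
]


if __name__ == "__main__":
    for e in flag_events(SAMPLE_LOG):
        print(f"suspicious: {e.ts:%Y-%m-%d} clerk={e.clerk_id} record={e.record_id}")
    print("clerks over threshold:", clerks_over_threshold(SAMPLE_LOG))
```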

Link  | Comments [2]


Visit DHS Privacy Web Site -- Please
By Bob Brewin  |  Thursday, October 11, 2007 |  9:48 AM

That’s just one of the messages delivered yesterday by Hugo Teufel III, chief privacy officer of the Department of Homeland Security, at a Radio Frequency Identification (RFID) conference in Washington.

Teufel said the privacy Web site, shows the agency is as serious about protecting privacy as it is about protecting borders. But Teufel wishes more people would visit the site; he said it may be one of the least visited federal Web sites out there.

Teufel, who has the only privacy gig in any federal agency or department mandated by law, turns out to be a passionate advocate for privacy. DHS, Teufel said, needs to ensure it protects privacy and civil liberties so it can succeed in its mission of combating terrorism. Teufel says this includes transparency, data minimization and accountability, along with technology assessments such as last year's paper on the use of RFID for human technology verification, to make sure that projects that would use RFID for personal identification (like the planned Western Hemisphere Travel Initiative) don't erode civil liberties.

Teufel says he is well aware that the United States was founded by "people with a profound distrust of the government" and strives to ensure that DHS policies and practices do not cause distrust today.

I admire his strong stance and position, but have to contrast it with DHS efforts to ram through the Real ID Act, which requires that high-tech driver's licenses meet federal standards and which is opposed by an increasing number of states. This summer DHS Secretary Michael Chertoff told the National Conference of State Legislatures that residents of states that do not comply with the REAL ID Act by May 2008 will need to show their passports for all "federal purposes," including, presumably, entering any federal building, local post offices included.

Somehow, the thought of having to produce a passport to buy a stamp at the post office in my hometown of Las Vegas, N.M., (if New Mexico does not adopt Real ID driver's licenses) does not make me feel more secure, or that DHS really cares about privacy or that top DHS management understands citizens still have a deep distrust of government.

Link  | Comments [7]


JPL Workers Sue Over HSPD-12 Checks
By Allan Holmes  |  Friday, August 31, 2007 |  1:43 PM

Scientists and engineers at the Jet Propulsion Laboratory are suing NASA and the California Institute of Technology, which manages JPL, over what they say are unwarranted and overly personal background checks required for the governmentwide access cards mandated under Homeland Security Presidential Directive 12, according to an article by the Associated Press.

The lawsuit was filed by 28 plaintiffs, many of whom “have worked on such projects as the Mars rovers, the Galileo probe to Jupiter and the Cassini mission to Saturn, but none are involved in classified work, according to the suit,” AP reports. “It seeks class-action status to represent similar JPL employees.”

The Department of Commerce also has been named in the suit because the department promulgates federal identification standards. To obtain an identification card, which will give employees access to federal buildings and computers, employees must fill out a form asking them about employment history, past residences and any illegal drug use.

More from the article:

The suit claims the directive was concerned "exclusively with the establishment of a common identification standard" and "contemplates no additional background investigation or suitability determination beyond that already required by law."

But according to the lawsuit, the Commerce Department and NASA instituted requirements that employees and contractors permit sweeping background checks to qualify for credentials and refusal would mean the loss of their jobs.

NASA calls on employees to permit investigators to delve into medical, financial and past employment records, and to question friends and acquaintances about everything from their finances to sex lives, according to the suit. The requirements apply to everyone from janitors to visiting professors.

The suit is structured so that it can become a class-action suit. Could this just be the tip of the iceberg?

Link  | Comments [7]


Identity Giveaway
By Allan Holmes  |  Friday, August 24, 2007 |  12:19 PM

It's one thing to have a hacker stealthily navigate past your firewall, slither by your intrusion detection software, and fiendishly gain access to a database to steal customers' personal information. It's another to have your operations department just send the information out through the mail.

That's exactly what the California Public Employees' Retirement System, better known as CalPERS, did this month when it sent about 400,000 brochures containing members' Social Security numbers clearly visible through the address window. A CalPERS spokesman downplayed the incident, saying the Social Security numbers printed on the brochure did not have hyphens, making it more difficult to identify the string of numbers as a Social Security number.

CalPERS sent a letter to members apologizing for the mistake and is conducting an investigation to find out why the SSNs were printed on the brochures. The organization also is providing privacy security awareness training for employees.

Hat tip: Pensions and Investments

Link  | Comments [11]


More IRS Phishing
By Allan Holmes  |  Thursday, August 23, 2007 |  1:38 PM

Federal agencies increasingly have been the subject of phishing scams this summer, and there seems to be no end to it. Below is an email I received late last night in my Outlook inbox. The email successfully eluded the spam filter.

[Image: cropped screenshot of the IRS phishing email]
The IRS confirms that the email is a fraud, making it part of the 161 phishing scams that the IRS has identified this year, an IRS spokeswoman says. The IRS has received 14,000 emails from individuals who have forwarded on suspicious looking emails to phishing@irs.gov, a mailbox the IRS set up last year for individuals to send emails that look like they may be scams.

The IRS has issued a number of warnings in the past 18 months alerting individuals to fraudulent emails purporting to come from the IRS.

Phishers are also using the Justice Department and Federal Trade Commission to launch attacks designed to trick individuals into giving up personal information or downloading malware. The agencies report that the emails look quite sophisticated. However, this email doesn't look professional enough to come from the IRS, although I would hazard to guess that many individuals would be fooled by the official IRS logo and the screened copyright statement at the bottom.

But I'm not too convinced that the IRS would use phrases such as "the last annual calculations of your fiscal activity," and the pedestrian Courier font gives the email more than a hint of illegitimacy.

Again, sadly, it must be working.

Link  | Comments [8]


More Calls for Cameras
By Allan Holmes  |  Monday, August 20, 2007 |  3:24 PM

Police departments nationwide continue to push their local jurisdictions to provide more surveillance cameras mounted throughout cities to capture images of crowds and traffic in hopes of solving crimes. The latest request comes from Alameda Co., Calif., where the county seat is Oakland. County police chiefs have asked the Alameda County Congestion Management Agency to begin recording the traffic from about two dozen cameras that stream images of traffic on San Pablo Ave., a major thoroughfare through the county, according to an article in The Oakland Tribune.

The police say if the traffic on the avenue had been recorded (the congestion agency does not store traffic video streams), they could have identified cars used in crimes and then worked from there to identify suspects. Police Chief Scott Kirkland in El Cerrito, Calif., in Alameda Co. says the footage could have helped the police department solve the 2005 killings of a gas station clerk, a customer of a hamburger joint, a teenager, a restaurateur in 2007, and a robbery victim last month.

Ever since cameras in London helped police there identify and arrest in June the suspected plotters of the foiled car bomb attacks, many public policy experts have argued for more cameras in U.S. cities. Here's a recent Tech Insider post on the subject.

But privacy advocates have raised concerns, similar to the objections raised in Alameda Co. Privacy advocates there say that if the county's cameras stored the footage, and if the cameras were upgraded so that license plates and other details of the cars and traffic could be viewed, the police may be tempted to use the information for other purposes that infringe on our right to privacy.

An interesting note about the Oakland Tribune article is that no one in the article made the argument against the privacy advocates' position by saying that drivers and pedestrians who have nothing to hide shouldn't worry about the cameras. I bring up again a recent post about a compelling paper (access to paper here) written on that very subject by George Washington University law professor Daniel J. Solove. The paper, "'I've Got Nothing to Hide' and Other Misunderstandings of Privacy," is worth a read and its arguments are too detailed to go into here. One quick quote, however: "The key misunderstanding is that the 'nothing to hide' argument views privacy in a particular way – as a form of secrecy, as the right to hide things. But there are many other types of harm involved beyond exposing one’s secrets to the government."

To find out what those might be, read the paper.

Link  | Comments [3]


Busting the 'Nothing to Hide' Argument
By Allan Holmes  |  Monday, July 16, 2007 |  2:25 PM

We've all heard the argument before: "Why should you worry about the government looking into your personal records if you have nothing to hide?" Daniel J. Solove, an associate professor of law at The George Washington University Law School, analyzes that argument in a recently published paper titled "I've Got Nothing to Hide and Other Misunderstandings of Privacy."

Solove argues that "the question assumes faulty assumptions about privacy and its value." Those who make the "nothing to hide" argument fail to understand the chilling effect that surveillance has on public discourse, the fact that small bits of private data (which an individual may not object to being uncovered) when put together form a larger and more intimate profile (which an individual may object to), and the risk of having one's profile mistakenly associated with a group that is labeled as threatening.

Here's an excerpt from the paper, which was published in the latest issue of the San Diego Law Review:

[T]he problem with the “nothing to hide” argument is that it focuses on just one or two particular kinds of privacy problems – the disclosure of personal information or surveillance – and not others. It assumes a particular view about what privacy entails, and it sets the terms for debate in a manner that is often unproductive.

It is important to distinguish here between two ways of justifying a program such as the NSA surveillance and data mining program. First is to not recognize a problem. This is how the “nothing to hide” argument works. It denies even the existence of a problem. The second manner of justifying such a program is to acknowledge the problems but contend that the benefits of the NSA program outweigh the privacy harms. The first justification influences the second, for the low value given to privacy is based upon a narrow view of the problem.

The key misunderstanding is that the “nothing to hide” argument views privacy in a particular way – as a form of secrecy, as the right to hide things. But there are many other types of harm involved beyond exposing one’s secrets to the government.

Link  | Comments [5]


Less Privacy, More Sharing
By Allan Holmes  |  Monday, July 16, 2007 |  12:30 PM

British Prime Minister Gordon Brown has proposed new legislation that would relax the United Kingdom's strict privacy laws (as compared with U.S. laws) to allow for greater information sharing among British authorities, according to Intergovworld.com. Brown's predecessor, Tony Blair, also called for similar legislation, but a significant difference, the article points out, is that Blair called for relaxation of the laws to allow for greater efficiency in administering welfare programs. Brown's proposals are unabashedly embedded in proposed new laws to fight terrorism and to support education, in which "data sharing powers would 'help report on whether the system as a whole is delivering economically valuable skills' - a statement that may suggest the government will seek to check individuals' employment status or income after training," according to the article. Foiled car bomb attacks make political sensitivities less so, it would seem.

Link  | Comments [0]


Another Scary Security Hole
By Allan Holmes  |  Wednesday, June 13, 2007 |  1:51 PM

You've heard your fair share of scary stories about how the lack of proper security processes and equipment can make personal information an easy target for criminals, rogue hackers or just the plain curious. We've got another one for you; this one has to do with voice over Internet Protocol (VoIP), which an increasing number of government agencies (federal, state and local) have installed or are considering installing to reduce telecommunications costs.

Law.com posted an article today by Todd Nugent, a chief technology officer for a law firm in Chicago, who related his experiences with the firm's VoIP system. Here's one of the more scary discoveries he made:

In the process of installing the conference room system, our programmers found that not only could they place conference room calls, they could also arrange to place the call silently, by muting the speaker on the calling phone. This could effectively turn any speakerphone in the firm into a clandestine monitoring device. In other words, running this program would cause any selected speakerphone in the firm to call the conference room, monitoring what was being said in the other room.

Nugent offers this advice: "As with any network connected computer, it is important to change default passwords, apply security updates in a timely way and install security firewalls, intrusion detection and prevention."

As a side note, Nugent cites the National Institute of Standards and Technology's Special Publication 800-50, which specifies "security guidelines for the installation of IP phones" and "is the basis for many government IP phone procurements." The NIST publication advises agencies to separate data and voice networks for IP phones. But Nugent writes that, "of course, one of the attractions for IP phones is the cost savings associated with eliminating dedicated phone wiring, so this is not a welcome recommendation."

Link  | Comments [2]


Tenn. Joins List of States Opposing Real ID
By Allan Holmes  |  Tuesday, June 12, 2007 |  2:53 PM

The list of states rebelling against the Real ID Act continues to increase. The Tennessee legislature last night voted to not comply with the Real ID Act of 2005 unless it is fully funded, according to a press release issued today by the American Civil Liberties Union of Tennessee.

Tennessee becomes the 16th state to pass a resolution saying it will not comply with the law because the act requires each state to spend millions of dollars on upgrading computer systems to meet the law's requirements, which include adding security features to driver's licenses such as bar codes and digital photographs to make it harder to obtain a fraudulent driver's license. The federal government will eventually require that Americans use the new licenses to gain entry to federal buildings, nuclear power plants and commercial airlines.

The resolution "urges the Tennessee congressional delegation to support measures to repeal the Real ID Act, and states that 'there be no implementation of the Real ID Act until full funding is provided by the federal government,'" according to the ACLU press release.

Link  | Comments [12]


Calif. Considers Credit-Card Standards Bill
By Allan Holmes  |  Monday, June 4, 2007 |  11:26 AM

California tends to lead the nation in many instances, signaling trends that can eventually head east. The state was the first to enact a security breach notification law, which required organizations to notify customers if a security breach could have exposed personal information such as Social Security, credit card and driver's license numbers.

Now California is considering a bill that would require organizations that accept credit and debit cards to follow some of the Payment Card Industry (PCI) Data Security Standard or face paying the costs associated with any security breach. The standard, developed by the five big credit card companies, is a set of rules organizations should follow in protecting credit card transactions, such as installing a firewall and encrypting the transmission of sensitive information across public networks, among other requirements.

The rules are not mandatory, although credit card companies can levy fines or suspend the credit card processing services for merchants who do not follow the rules. Still, the vast majority of organizations that accept credit-card payments do not fully comply with the standard. Visa reported last month that of the largest merchants in the United States (those accepting more than 6 million credit-card transactions a year), only 35 percent are compliant. That's why the California legislature is considering a bill, known as AB 779, which would make the standard mandatory.

The bill has the support of the California Credit Union League. Banks typically have to shoulder the financial cost of notifying customers that their credit card numbers could have been stolen and the cost of replacing the cards -- all of which can cost more than $1 million per breach, according to a California State Senate report.

The bill would apply only to California residents, but because one out of 10 Americans lives in California, the law would become a de facto standard for the nation. If an organization wants to do business with a California resident (and in today's online business world, the chances are high that it will), then it would have to follow the law. Minnesota passed a similar law earlier this year.

Because so few private-sector companies follow the PCI standard, it is most likely that government agencies that accept credit-card payments do not follow the standard as well. As it has happened with past state information security and privacy bills, a similar federal bill that could apply to federal agencies may be in the future.

Link  | Comments [0]


Real ID Act to Gain Another Foe
By Allan Holmes  |  Thursday, May 31, 2007 |  10:47 AM

As expected, New Hampshire will soon join a dozen other states that refuse to comply with a federal law requiring that security features be added to driver's licenses, Reuters reported last week.

New Hampshire Gov. John Lynch says he plans to sign the New Hampshire law that the state Senate passed last week banning implementation of the Real ID Act of 2005, which will require states to invest billions of dollars into upgrading information systems to add security features to driver's licenses such as bar codes and digital photographs. The federal government will eventually require that Americans use the new licenses to gain entry to federal buildings, nuclear power plants and commercial airlines.

In March, the New Hampshire House Transportation Committee, in passing the one-page bill opposing the Real ID Act, called the federal law "repugnant." New Hampshire estimated it would cost the state $10 million to comply with the Real ID Act, of which the federal government would have paid $3 million, according to a ComputerWorld report.

The strong opposition has Sen. Patrick Leahy, D-Vt., chairman of the Judiciary Committee, considering introducing legislation to repeal the provisions of the Real ID Act pertaining to driver's license requirements.

Link  | Comments [4]


A Breach Notification Requirement for Feds, Sort Of
By Allan Holmes  |  Tuesday, May 29, 2007 |  2:12 PM

Most of the press accounts about a security and privacy memo that the Office of Management and Budget issued this month focused on OMB's request that agencies reduce the use of Americans' Social Security numbers as much as possible.

The memo, written by OMB Deputy Director for Management Clay Johnson, also gave agencies 120 days to come up with a security breach notification policy. That particular issue has been a sore point for privacy and security advocates.

The memo had four attachments to guide agencies when creating a notification policy. The memo stated:

In formulating a breach notification policy, agencies must review their existing requirements with respect to Privacy and Security (see Attachment 1). The policy must include existing and new requirements for Incident Reporting and Handling (see Attachment 2) as well as External Breach Notification (see Attachment 3). Finally, this document requires agencies to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information (see Attachment 4).

Both federal and state governments have been criticized for not developing security breach notification policies while they either have passed legislation or are considering bills that require the private sector to do so.

Johnson also suggests to agencies that the "greatest benefit" in dealing with security breaches is to be proactive by "reducing the volume of collected and retained information to the minimum necessary; limiting access to only those individuals who must have such access; and using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals."

Just two months ago, the Cyber Security Industry Alliance criticized President Bush's Identity Theft Task Force for not recommending in its report that agencies be required, as is the private sector, to notify individuals whose private data may have been stolen or compromised during a security breach.

Johnson's memo lays out five factors -- with a number of vague contingencies -- that agencies should consider to determine the level of risk that a particular security breach poses to personal data before notifying the public, including the sensitivity of the data elements in their context and how likely it is that the data was stolen or breached.

Hat tip: ComputerWorld

Link  | Comments [1]


EU Asks Google About Privacy Practices
By Allan Holmes  |  Tuesday, May 29, 2007 |  10:28 AM

It was just a matter of time before Google and the tough privacy laws in the European Union bumped heads. An independent European Union panel has sent a letter to Google asking it to address numerous concerns, including storing personal data of its users for up to two years, the Associated Press reported Friday. The EU has some of the strictest privacy laws on the books, much more so than U.S. privacy laws. Google's privacy officer says Google stores user information to protect it from hackers.

Link  | Comments [0]


OMB Catching Up With Social Security Policy
By Allan Holmes  |  Wednesday, May 23, 2007 |  2:47 PM

The Associated Press reported yesterday that the Office of Management and Budget has asked agencies to limit the use of Social Security numbers when collecting information from Americans so that it can reduce the chance of identity theft.

The small step -- OMB is asking agencies to limit the use of Social Security numbers to the "minimum necessary for the proper performance" of their duties -- is still behind what some states and companies did five years ago to eliminate altogether the use of Social Security numbers as unique identifiers. A California law, which took effect in 2002, prohibited companies from using California residents' Social Security numbers as an identifier. Universities, such as Stanford, Wisconsin and Arizona, instituted policies years ago that prohibited the use of Social Security numbers, and the movement picked up steam in 2002 when students at other universities began to demand that their schools not use their Social Security numbers. The next year, IBM required its more than 100 health insurance providers to stop printing Social Security numbers on medical ID cards, claims forms and other documents or risk losing its business.

But as in the case of IBM, limiting the policy to just a narrow part of operations will not do much to eliminate the risk of losing personal information. In March IBM announced it had lost computer tapes containing the Social Security numbers of current and former IBM employees.

Link  | Comments [1]


HHS Wants Patient Safety Database
By Allan Holmes  |  Wednesday, May 23, 2007 |  7:30 AM

The following item was posted by Bob Brewin.

Here's more news on health networks.

The Agency for Healthcare Research and Quality, another arm of the Department of Health and Human Services, issued May 21 a request for proposals for a Network of Patient Safety Databases, which will house aggregated patient safety information. The data will not include any personally identifiable information.

The network will contain information submitted by physicians on a confidential basis about “close calls” in clinical procedures. The RFP does not define a “close call," but I imagine it can range from prescribing the wrong drug to surgically removing a healthy, rather than a diseased, organ. The close calls will be reported to Patient Safety Organizations, which are just now being created. The PSOs will use the aggregated information to improve the quality of care.

The network contract will run for three years, and although the Agency for Healthcare Research and Quality did not provide a value for the contract, it probably is big enough to attract the attention of a wide range of systems integrators.



DHS Opposes DHS
By Allan Holmes  |  Friday, May 11, 2007 |  6:04 PM

You know you may have a policy problem when one of your own departmental committees questions a departmental program.

That's what has happened at the Homeland Security Department, which this week closed the public comment period on the department's proposed rules for implementing the Real ID Act of 2005. Among the comments are those of DHS' own Data Privacy and Integrity Advisory Committee, which "called the Real ID Act 'one of the largest identity management undertakings in history' and said it raises serious privacy, security and logistical concerns," according to a ComputerWorld article. "'These include, but are not limited to, the implementation costs, the privacy consequences, the security of stored identity documents and personal information,' the committee noted. It also cited other concerns such as mission creep, redress and fairness issues."

Opposition to the Real ID law has been strong: states claim it will cost billions to implement, and many have either passed laws or are considering bills asking the federal government to repeal Real ID or fully fund it. Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., supports a repeal of the Real ID Act.

We first reported about this dichotomy this week in an article about the heavy criticism that the Real ID law has received.



Report: Feds Need Privacy Czar, More Oversight
By Allan Holmes  |  Monday, May 7, 2007 |  3:54 PM

The federal government should create a position for a federal privacy czar, who would oversee federal employees' information management practices and policies to ensure they do not compromise Americans' privacy, according to a report released last week by the National Research Council.

The recommendations, laid out in a 456-page report that the NRC worked on for seven years, are similar to how some European nations and Australia approach privacy protections, according to an article posted by ars technica.

The report's authors also recommend that the federal government undertake a broad and deep review of all national privacy laws and regulations to find gaps in privacy protections and to determine the social and economic impacts of those laws and regulations. The report, "Engaging Privacy and Information Technology in the Digital Age," also recommends that Congress oversee agencies' practices of outsourcing the management or processing of Americans' private information to private-sector companies.



State to Foreign Visitors: Gimme 10
By Allan Holmes  |  Friday, May 4, 2007 |  4:41 PM

The State Department today issued its final rule requiring anyone applying for a U.S. visa to provide 10 electronically scanned fingerprints instead of the two it previously required.

The State Department began delivering the fingerprint scan systems to all visa-issuing posts last month and expects to complete rollout of the hardware by the end of this year as part of its Biometric Visa program.

In March, Tony Edson, deputy assistant secretary of State for Visa Services, told the Senate Subcommittee on Interstate Commerce, Trade and Tourism that 10 fingerprints provide a greater number of data points and more accurate identification than the two-fingerprint system.

Edson added that two fingerprint scans provide a limited am