Feds Lack Privacy Protection Safeguards

GAO cites data breaches, improper uses of personal information, paltry citizen notification as ongoing government problems.

Federal agencies are falling short in protecting personally identifiable information (PII) collected and used throughout the government, may not be adhering fully to key privacy principles, and may not be effectively notifying citizens about government use of personal information.

Those are key conclusions presented by Greg Wilshusen, director of information security issues with the Government Accountability Office (GAO), in written testimony for a hearing of the Senate Homeland Security subcommittee on oversight of government management, the federal workforce, and the District of Columbia.

Wilshusen recommended that Congress consider updating federal laws to reflect changes in how agencies collect and use personal information, and consider the appropriate balance between citizens' privacy and the government's need to collect that information. He also pointed to recurring problems in preventing data breaches and suggested that agencies need to act on guidance, issued by GAO, the Office of Management and Budget (OMB), and inspectors general at numerous agencies, to tighten their data security measures.

The watchdog agency identified ongoing issues in three major areas.

First, the Privacy Act of 1974 established protections for personal information, but limited those protections to information held in a "system of records" as defined by the act. Changes in IT, however, allow agencies to retrieve information in ways that fall outside that definition. For instance, data-mining systems may retrieve information without using a personal identifier, a practice not covered by the Privacy Act.

"Factors such as these have led experts to agree that the Privacy Act's system-of-records construct is too narrowly defined," Wilshusen's statement read. "An alternative for addressing these issues could include revising the ... definition to cover all personally identifiable information collected, used, and maintained systematically by the federal government."

The second issue identified by GAO is ensuring that PII is used only for stated purposes. Current laws, including the E-Government Act of 2002 and guidance provided by OMB, set only modest requirements for describing why personal information is collected and how it will be used. For instance, Wilshusen said, agencies are not required to be specific in describing the purpose of information gathering in their public notices. While some law enforcement and anti-terrorism systems may need to use broad statements to avoid revealing details of open cases or investigative techniques, allowing unnecessarily broad purpose statements raises the question of whether meaningful limits are in place at all.

"Examples for alternatives for addressing these issues include setting specific limits on the use of information within agencies and requiring agencies to establish formal agreements with external government entities before sharing" PII, Wilshusen testified.

Finally, Wilshusen questioned the effectiveness of requiring agencies to publish notices in the Federal Register regarding the information they collect, the categories of individuals covered, and how the information will be used, among other things.

"An expert panel convened for GAO questioned whether system-of-records notices published in the Federal Register effectively inform the public about government uses of personal information," Wilshusen testified. He suggested alternatives such as revising the Privacy Act to require that privacy notices be published on a standard website.

In addition to the potential misuse of PII by government agencies, Wilshusen pointed to serious security breaches in federal IT systems that have jeopardized personal information. Over the past six years, incidents reported by agencies to US-CERT have increased nearly 680%, he said, from 5,503 incidents in fiscal 2006 to 42,887 in fiscal 2011. Of the incidents in 2011, more than 36% involved unauthorized disclosure of PII, he testified.

Wilshusen credited OMB for issuing extensive guidance to agencies on protecting PII, including the use of encryption to protect data and requirements to report security breaches and the loss of or unauthorized access to PII. He noted that both GAO and inspectors general throughout the government "have made hundreds of recommendations to resolve similar previously identified significant control deficiencies."

Nonetheless, "it is unclear the extent to which all agencies, including smaller agencies such as the Federal Retirement [Thrift] Investment Board, are adhering to OMB's guidelines," he testified.

8/1/2012 | 7:15:27 PM
re: Feds Lack Privacy Protection Safeguards
I am aware that the government is allowed to collect and use that data for its intended purposes; I was unaware that they use that same information for other reasons. I think that in order to keep up with technological advances, as rapidly as they occur, the government needs to keep revisions of such policies up to date with the technology. Those are some scary statistics that were laid out in this article. The fact that "hundreds of recommendations to resolve similar previously identified significant control deficiencies" is clear that there is a major delay in response time to revise these issues. Hopefully, now that Wilshusen has publicly spoken about the flaws and lackadaisical attitude of the government, these policies will change to better protect my privacy.

Paul Sprague
InformationWeek Contributor