

Feds Lack Privacy Protection Safeguards

GAO cites data breaches, improper uses of personal information, paltry citizen notification as ongoing government problems.

Federal agencies are falling short in protecting personally identifiable information (PII) collected and used throughout the government, may not be adhering fully to key privacy principles, and may not be effectively notifying citizens about government use of personal information.

Those are key conclusions presented by Greg Wilshusen, director of information security issues with the Government Accountability Office (GAO), in written testimony for a hearing of the Senate Homeland Security subcommittee on oversight of government management, the federal workforce, and the District of Columbia.

Wilshusen recommended that Congress consider updating federal laws to reflect changes in how agencies collect and use personal information, and consider the appropriate balance between citizens' privacy and the government's need to collect that information. He also pointed to recurring problems in preventing data breaches and suggested that agencies need to act on guidance, issued by GAO, the Office of Management and Budget (OMB), and inspectors general at numerous agencies, to tighten their data security measures.


The watchdog agency identified ongoing issues in three major areas.

First, the Privacy Act of 1974 established protections for personal information, but applied them only when the information is part of a "system of records" as defined by the act. Changes in IT, however, allow agencies to retrieve information in ways that fall outside that definition. For instance, data-mining systems may retrieve information without using a personal identifier, a case the Privacy Act does not cover.

"Factors such as these have led experts to agree that the Privacy Act's system-of-records construct is too narrowly defined," Wilshusen's statement read. "An alternative for addressing these issues could include revising the ... definition to cover all personally identifiable information collected, used, and maintained systematically by the federal government."

The second issue identified by GAO is ensuring that PII is used only for stated purposes. Current laws, including the E-Government Act of 2002 and guidance provided by OMB, set modest requirements for describing the reasons for collecting personal information and how it will be used. For instance, Wilshusen said, agencies are not required to be specific in describing the purpose of information gathering in their public notices. While some law enforcement and anti-terrorism systems may need to use broad statements to avoid revealing details of open cases or investigative techniques, allowing unnecessarily broad purpose statements raises the question of whether meaningful limits are in place at all.

"Examples for alternatives for addressing these issues include setting specific limits on the use of information within agencies and requiring agencies to establish formal agreements with external government entities before sharing" PII, Wilshusen testified.

Finally, Wilshusen questioned the effectiveness of requiring agencies to publish notices in the Federal Register regarding the information they collect, the categories of individuals covered, and how the information will be used, among other things.

"An expert panel convened for GAO questioned whether system-of-records notices published in the Federal Register effectively inform the public about government uses of personal information," Wilshusen testified. He suggested alternatives such as revising the Privacy Act to require that privacy notices be published on a standard website.

In addition to the potential misuse of PII by government agencies, Wilshusen pointed to serious security breaches in federal IT systems that have jeopardized personal information. Over the past six years, incidents reported by agencies to US-CERT have increased nearly 680%, he said, from 5,503 incidents in fiscal 2006 to 42,887 in fiscal 2011. Of the incidents in 2011, more than 36% involved unauthorized disclosure of PII, he testified.

Wilshusen credited OMB for issuing extensive guidance to agencies on protecting PII, including the use of encryption to protect data and requirements to report security breaches and loss of or unauthorized access to PII. He noted that both GAO and inspectors general throughout the government "have made hundreds of recommendations to resolve similar previously identified significant control deficiencies."

Nonetheless, "it is unclear the extent to which all agencies, including smaller agencies such as the Federal Retirement [Thrift] Investment Board, are adhering to OMB's guidelines," he testified.

Comments

PJS880, User Rank: Ninja, 8/1/2012 7:15:27 PM
re: Feds Lack Privacy Protection Safeguards
I am aware that the government is allowed to collect and use that data for its intended purposes; I was unaware that they use that same information for other reasons. I think that in order to keep up with the technological advances, and as rapidly as they occur, the government needs to keep revisions of such policies up to date with the technology. Those are some scary statistics that were laid out in this article. The fact that "hundreds of recommendations to resolve similar previously identified significant control deficiencies" is clear that there is a major delay in response time to revise these issues. Hopefully, now that Wilshusen has publicly spoken about the flaws and lackadaisical attitude of the government, these policies will change to better protect my privacy.

Paul Sprague
InformationWeek Contributor