UPDATE: Privacy Committee Grapples With Need To Know Vs. Need To Protect
The new Data Privacy and Integrity Advisory Committee must help Homeland Security meet security objectives without trampling privacy concerns.
Since its launch in 2003, the Homeland Security Department has been charged with protecting a diverse country that prides itself on individual freedoms from terrorists who would plot and execute attacks under the veil of such freedoms. Early efforts to screen immigrants, travelers, and workers for security risks have led to criticism that the department could trample privacy and misuse data to accomplish its objectives. The newly formed Data Privacy and Integrity Advisory Committee, launched Wednesday, seeks to address those concerns.
The 20-member committee, which includes executives from Computer Associates, IBM, Intel, and Oracle, must now determine how best to help Homeland Security work through privacy concerns as the department's various directorates and agencies seek to apply technology to help meet their objectives.
"We have to fuse a culture around finding the right balance" between security and privacy, Michael Jackson, Homeland Security's deputy secretary, said at Wednesday's inaugural committee meeting. "We have to innovate one step ahead of the ones President Bush calls 'the evil ones,'" he added.
Most members attending the committee's inauguration agreed that a top priority should be to examine the efficiency and ethics of various screening programs under development by the department. Such programs include the U.S. Visitor and Immigrant Status Indicator Technology (US-Visit), Registered Traveler, and Secure Flight, each of which relies on biometric technology and databases to verify identities.
Several committee members and privacy advocates expressed an interest in addressing Secure Flight because the oft-criticized program includes many elements that can be applied to other Homeland Security initiatives. These include interaction with foreign governments, biometric technology, and public and privately held databases.
The Government Accountability Office said in a report last week that, while the Homeland Security Department's Transportation Security Administration is making progress in developing and testing its Secure Flight program, Secure Flight needs more work before it can become operational. Secure Flight's objective is to identify airline passengers who should undergo additional security scrutiny, in place of the prescreening currently conducted by air carriers themselves.
Several Homeland Security leaders impressed upon the committee the need to use technology to meet their objectives, even if it requires handling sensitive information. When asked what keeps him awake at night, Randy Beardsworth, acting undersecretary for the Border and Transportation Security Directorate, told the committee, "Who's getting on airplanes before they take off?" He implored the committee to try to understand the vulnerability issues that cause the department to worry and let that drive their efforts to improve security.
As Homeland Security works to integrate what previously had been 22 independent agencies, it's unclear whether there's a big-picture understanding of how to balance security needs and privacy concerns, said Homeland Security CIO Steve Cooper, who revealed earlier this week that he would step down from his post.
Homeland Security has made a concerted effort to use IT to run its operations efficiently, but such reliance on technology brings government agencies into greater contact with sensitive data. For example, Homeland Security's Emergency Preparedness and Response Directorate, formerly FEMA, has the capability to transfer aid money directly to the bank accounts of people victimized by natural or manmade disasters, Undersecretary Michael Brown told the committee Wednesday. This means the directorate must access identity and bank-account information to confirm that the money is properly deposited, a process made more complicated by the fact that applicants are generally displaced from their homes when they apply. In this case, technology is a means to help these people recover more quickly, but they have to share sensitive information for this to happen.
Homeland Security's Citizenship and Immigration Services manages several databases containing sensitive information about people who've applied for permission to live and work in the United States. Homeland Security personnel rely on this information when determining whether a person should be allowed to stay, while at the same time ensuring that those allowed to stay aren't security threats, said Robert Divine, Citizenship and Immigration Services' chief counsel. Much of the agency's work is challenged by litigation, which slows down the approval and denial process. The agency is "desperate" for a more efficient means of automating background checks without opening the door to additional litigation, Divine said.
Privacy panelists invited to address the committee called for Homeland Security to establish policies that more clearly define and restrict its use of personal information. A big challenge facing both the public and private sector is how to protect individual privacy in a world of data sharing, said Peter Swire, an Ohio State University law professor who also served as the Clinton administration's chief counselor for privacy in the Office of Management and Budget.
The answer isn't simply to apply technology as a means of safeguarding data but to develop policy that governs the use of this technology. One way to ensure that privacy considerations are given adequate attention is to build room for this into agency budgets. Before major new systems are built, security and privacy considerations should be included from the design phase all the way through to deployment.
One place to start is by telling the American people what information you need from them and why it's needed, said James Gilmore, former Virginia governor and head of the Gilmore Commission and now a partner with law firm Kelley Drye & Warren. Gilmore agreed with Swire that, although the committee is comprised of many technology experts, the real emphasis should be on policy.
Gilmore challenged the committee to consider ways to improve upon the freedoms that American's enjoy, rather than looking for ways to compromise. He added, "If balance means there has to be a tradeoff [between privacy and security], than the terrorists have won."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.