Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for the 'Consumer Privacy' Category

Thoughts on Identity from the Gov 2.0 Summit

Monday, September 14th, 2009

Last week, the federal government announced a pilot project to develop digital identity solutions for federal websites, working with OpenID and Information Cards technologies. This will allow government agencies to authenticate the public (for low- and no-security uses) and to provide personalization and services. Online industry leaders have signed up as identity providers and will allow citizens to use their existing online identities to interact with the government. Even six years ago, one third of online users logged in to government sites. The proliferation of online services and websites surely means that agencies will be quick to take advantage of the identity program. Using a federated identity solution will allow agencies to stop developing and investing in independent solutions and instead use a plug-and-play system for identity. However, linking identities across the .gov web – let alone with the commercial web – carries new issues to be addressed.

There are 300 million Americans, any number of whom may want to do business with government at any time of the day or night. Often, this may just be looking up an address or printing forms, but many interactions will require some way to identify the citizen who is asking for services from the website.

Last week at the Gov 2.0 Summit, federal CIO Vivek Kundra noted that identity is crucial if government websites are to move beyond “brochureware” and provide services to and interact with the public. Making government websites more interactive and useful is a key component of the Open Government Initiative, and identity is a step towards that goal.

HHS’ New Harm Standard for Breach Notification

Friday, September 11th, 2009

In late August, the Dept. of Health and Human Services (HHS) released an interim final rule on health data breach notification. Through the rule, HHS establishes data security standards that HHS believes are strong enough to eliminate the need to notify consumers of a data breach. That is, if a health care entity applies one of these security processes to its data, and then that data is lost or otherwise breached, the entity does not have to inform patients. Some of the rule’s security processes are quite good, such as strong encryption standards. Unfortunately, however, HHS packed an overly broad and unreliable standard in with the good ones: the “harm standard.”

(CDT had issued comments to the HHS rulemaking in May 09. For more information about the interim final rule and CDT’s comments, please see our earlier blog post.)

The American Recovery and Reinvestment Act of 2009 (ARRA) required HHS to issue a rule on breach notification. In its interim final rule, HHS established a harm standard: breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational, or other harm to individual.” In the event of a breach, HHS’ rule requires covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities never have to tell their patients that their sensitive health information was breached.

The primary purpose for mandatory breach notification is to provide incentives for health care companies to protect data. Breach notification is costly to health care companies, both in financial and reputational terms. Therefore, health care companies naturally seek to avoid this expense. In its interim final rule, HHS gave health care companies the opportunity to avoid notification if the companies protect the data through strong encryption or destruction methodologies.

Digital Signage and Consumer Privacy

Thursday, September 10th, 2009

The digital signage industry is rapidly becoming aware of the privacy issues raised by interactivity and audience measurement techniques. There is, however, no industry-wide consensus about how to address those concerns. Some industry figures agree that privacy guidelines need to be adopted if audience measurement and other digital signage applications are to progress. Others, though, have referred to calls for the industry to be sensitive to privacy as “attacks” and have condemned privacy concerns as a lot of hype over nothing.

(What is digital signage? Please see my earlier post, Digital Wallpaper.)

It is true that no one should blow the privacy issue out of proportion. The industry’s present level of privacy infringement is not especially high because only a small percentage of digital signage units have audience measurement, identification or interactive capabilities. Nonetheless, the privacy issue is real, particularly if one considers the big picture of where digital out-of-home (DOOH) media is headed.

The industry trend is clearly towards greater identification and surveillance capability, not less. It is very likely that DOOH media will one day routinely identify individual consumers for the simple reason that it will be profitable to do so. If that prediction is correct, it puts the digital signage industry on a collision course with consumer privacy. All parties would be best served by setting credible, transparent privacy standards before digital signage becomes a center-stage problem.

Facebook Taking Steps to Increase User Data Privacy

Thursday, August 27th, 2009

Facebook took major steps today in protecting user privacy by announcing significant changes to the way third-party applications can access user data. Whereas developers previously had access to all of a user’s profile data, the new system will require applications to specify the categories of information they wish to access and to obtain express consent before data is shared. Users will have to specifically approve any application’s access to their friends’ information, and that information will still be subject to the friend’s privacy and application settings.

This is a big win for protecting user privacy on social networks, as users often do not know how much of their data is being shared with third-party applications. Now developers will only have access to user information relevant to the application, which will decrease the amount of personal data transmitted between the user, the developer, and the web site. It will also help curb developers or ad networks that purposely create misleading applications for the sole purpose of harvesting user data for advertising.

The blog Inside Facebook has a great post on this development here.

New York Times Discusses Government Website Privacy

Wednesday, August 26th, 2009

Yesterday, the New York Times published an editorial on revising the tracking policy for federal government web sites. This piece aligns closely with recommendations CDT and EFF made recently about updating the “cookie” policy to provide both transparency and privacy protection.

As mentioned in a blog post from EFF’s Tim Jones, this piece really nails what the administration needs to do to ensure that citizen privacy is taken into account in web site measurement and tracking. It is important to note from the CDT and EFF recommendations that this type of notice does not need to be legalistic to be useful. We recommend that agencies provide regular notice to users on each page, through which users can find more information.

Privacy in the Age of Big Data

Thursday, August 20th, 2009

For some years now, when speaking about privacy, I have often told my audience: “Everyone in this room, whether they know it or not, is carrying a tracking device.” I was referring to their cellphones. Every few seconds, whenever it is turned on, a cellphone sends out a signal registering its location — and its user’s location — with the nearest towers. I used the example to illustrate the way in which consumer-driven changes in technology, and in the way we use it, are dramatically eroding privacy: creating more and more data about our daily activities, held by service providers, shared for advertising and other purposes, and available to the government, often under very weak controls.

Expanding on this theme, Jeff Jonas has pulled together in his latest blog post some of the implications of the growing prevalence of what he calls “space-time-travel” data. Jonas highlights trends CDT has been talking about for some time – see our report on digital search and seizure and our recent Policy Post on the location-enabled web – but he sure says it in a much more interesting way than we have been.

Both Hands in the Cookie Jar

Monday, August 17th, 2009

The federal government has recently announced its intention to revise the current policy governing how federal agency web sites use cookies and other tracking technologies on the web. This is a really significant development for those interested in technology, open government, and privacy, because it has the potential to change the way that federal agencies interact with citizens online. It’s so important that we’d like to demystify some of the rumors floating around out there about the current policy, the new policy, and what it all means for privacy.

First things first: the government already has a policy governing how federal web sites can use cookies and other persistent tracking technologies. As established in 2000 (and updated in 2003 — see our previous post for a brief history), the policy prohibits federal agencies from using persistent tracking technologies unless there’s a compelling need, that usage is disclosed, and the agency head (or a delegate) personally approves that use. While that last provision about agency head approval may have stymied many agencies’ efforts to use cookies, that doesn’t mean there is currently an outright ban on cookie use. There isn’t. Today, if an agency head wanted to approve the use of cookies to track and record intimate details about how citizens engage with the agency’s site, the current policy would not stand in the way.

CRS Report of the Week: Wiretapping and Electronic Eavesdropping

Friday, August 7th, 2009

The Congressional Research Service is a $100 million a year think tank that researches and writes informative and non-partisan reports on topics suggested by members of Congress. The catch – and the reason you might not have read their work – is that CRS reports are only made easily available to members of Congress. Citizens can request these reports from lawmakers, but without a public index, they can’t request something they don’t know exists. The CRS Reports currently rank first on CDT’s Most Wanted Government Documents. In an ongoing effort to liberate these documents, CDT runs Open CRS, an online repository of public CRS Reports. To spotlight these reports, I will be writing “CRS Report of the Week” posts featuring a relevant report each week. These reports are informative both in that they serve as excellent primers on political issues and in that they offer a degree of insight into what information is circulating around Congress.

Privacy: An Abbreviated Outline of Federal Statutes Governing Wiretapping and Electronic Eavesdropping
Report Number: 98-327
Date: September 02, 2008

Wiretapping and electronic eavesdropping laws are important knowledge for anyone concerned about privacy. This CRS Report offers a brief introduction to what the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) actually mean. The report covers what is prohibited, the procedure for court-ordered wiretapping (and how FISA is different), and the Protect America Act. The section on the history of the evolution of wiretapping is particularly interesting, as it shows the piecemeal development of wiretap law and offers a glimmer of insight into how the current situation of incomplete protections developed. CDT’s work on warrantless surveillance and wiretapping can offer information on the most recent developments in the area.

The detail-oriented may have noticed that this CRS Report is an abbreviated outline. For the determined, the original 164 page overview is available here.

RFID Skimming Is Easier Than You Think

Friday, August 7th, 2009

Federal agents attending this year’s DefCon hacker convention were in for a surprise when top RFID researchers revealed that they had scanned five convention attendees’ and potentially one federal agent’s RFID-enabled cards. Researchers set up an RFID reader with a web camera that skimmed RFID-enabled cards and took a picture of their owners as they passed within two to three feet. Using information read from an RFID chip, a hacker could clone the chip and impersonate the card’s owner. Depending on the chip, a hacker could also discover personal information about the owner. Federal agents, including those from the FBI and Department of Defense, only found out about this project when they were told by a DefCon staffer. One former agent’s response: “I saw a few jaws drop when he said that.”

RFID chips aren’t just found in government IDs–several states are currently issuing enhanced drivers’ licenses (EDLs) that incorporate vicinity-read RFID chips as part of the Western Hemisphere Travel Initiative. The State Department’s new PASScard (passport card) also incorporates the same RFID technology. We have seen independent demonstrations of how easily RFID chips can be skimmed using inexpensive, off-the-shelf equipment. Vicinity-read RFID chips in particular are more vulnerable to being scanned because of their ability to be read at a greater distance. The security researchers at DefCon have once again highlighted the risks insecure, long-range chips may pose to the privacy and security of the cardholder.

Vicinity-read RFID technology was developed for tracking inventory; the risks to privacy and security the technology poses to EDL and PASScard holders far outweigh the justifications asserted for its use in human identification credentials. Citizens should be given the option of applying for cards without vicinity-read RFID, or agencies should at least consider more secure RFID technologies. The privacy and identity theft implications are why CDT urges Congress to reject the use of vicinity-read RFID technology in PASS ID.

CTO Aneesh Chopra – A Breath of Fresh Air

Thursday, August 6th, 2009

Earlier this week, CDT co-hosted an appearance by the nation’s new Chief Technology Officer, Aneesh Chopra. Speaking at the Computer History Museum in Silicon Valley, Chopra outlined how he wants to use technology to address the critical issues facing the nation and how he thinks the federal government can best support innovation. The video of Chopra’s remarks is up courtesy of our co-host, the Churchill Club.

Tim O’Reilly explained at length earlier this year why Chopra was such a good choice to shape technology policy in Washington, and it was impossible not to agree after hearing Chopra speak this week. Chopra is an opportunist in the best sense of the word. He has a grand vision of how technology can contribute to issues ranging from health care to education to the environment, but he also understands the value of incremental steps and short-term results. His talk was peppered with examples from his tenure as Virginia’s Secretary of Technology and his first months in the White House, where he is already in charge of an overhaul of the case status system for the US Citizenship and Immigration Services, among other projects promising immediate pay-out.

CDT is working on many of the issues Chopra mentioned, including health IT, cyber-security, broadband deployment, and, of course, government transparency. At times, we will be pushing the Administration to go further than it might otherwise be inclined to go in terms of openness and privacy, and we will criticize the Administration when it falls short, but we couldn’t want a smarter, more receptive official to engage with than Aneesh Chopra.

If I had one criticism of Chopra’s remarks, it would be his repeated emphasis on accomplishing things without changing the underlying laws. On the one hand, working within existing frameworks is consistent with his attractive opportunism. However, it is clear that some laws need to be updated to ensure deep, government-wide change. One example is the Privacy Act, which applies to federal databases; CDT has a major project underway to bring this 1974 law into the 21st century. Getting legislation passed will require White House leadership, and we hope that Chopra, while developing practical tools to make government more transparent and participatory, will also lend his credibility to improving the legislative framework for privacy in government systems.

Update: Here are the slides Aneesh Chopra used in his August 4, 2009 presentation in Silicon Valley. [pdf]

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
