PCLOB was established in 2004 and had one term, starting in 2006 – but the terms of the members of the board expired in January of last year, and President Obama has not nominated new members to the board. This letter asks President Obama to nominate members to the board quickly. Once members to the board are nominated, they must be confirmed by the Senate, and the office will need to be set up and staff must be hired. All in all, it will take months to reconstitute the board before it can begin advising the President and agencies.

Currently, the federal government lacks independent privacy oversight. Reconstituting PCLOB is one of the ways that privacy and civil liberties can be better protected by the federal government. In fact, the Cybersecurity Policy Review specifically called for PCLOB to be reconstituted, and possibly to expand its purview to include more cybersecurity topics, as an important oversight body. As an existing mechanism to protect privacy and civil liberties, it is an important and relatively simple way to provide oversight and advice for the government.

The Troubled Asset Relief Program – or TARP – has been in the news a lot lately, as the program designed to strengthen the financial sector comes under scrutiny from the media and the public to figure out whether or not the program is actually working. Unfortunately, there hasn’t been an effective way to track TARP funding, in part because so many agencies are involved in distributing the money. One of the bills we discussed, H.R. 1242 (and companion bill S. 910), would create a centralized database for TARP information. It’s surprising that a program of this size doesn’t already have a way to consolidate the information around it’s expenditures, but not even the oversight committee has an easy time tracking the dollars. TARP funds are distributed by 25 agencies, using incompatible and outdated systems to track spending. The H.R. 1242 database would not only centralize this information for easy access, but would require almost real-time updates to the information.

We believe that the database needs to be made public in order to allow the media, watchdogs, and citizens to see how TARP money is being spent. A good example to follow is the Recovery.gov website, which pulls together information from the 28 agencies distributing Recovery Act funds. The site allows users to sift through stimulus contracts in useful ways and, though not perfect, it is an incredibly important step in keeping the public in-the-know. The lack of a similar site for TARP has made it difficult for the public to understand the program – so it’s a perfect opportunity to make a government database public.

Another bill we talked about in our testimony, H.R. 932 looks to improve technology for oversight on housing issues by linking location information to mortgage information, making it easier to track foreclosures, abusive lending practices, and vacancies. Currently, land parcel information is kept by counties, but centralizing them would allow regional analyses of the housing crisis and regional responses. Of course, if regional geo-databases are created, they may not fall under the privacy protections imposed on the federal government. In that case, it will be vital to ensure that the databases are subject to privacy and security protections. The financial information that can be correlated to land parcels is both personally identifiable and sensitive, as financial information is defined as sensitive by almost all definitions.

So, if we are worried about the privacy implications of geospatial databases, why aren’t we worried about the privacy implications of making TARP information – including possibly information about the top executives at each institution – public? It’s because there are already protections on information that is held by the government, and because all the information that goes into the H.R. 1242 database is already gathered and maintained by the government. The Privacy Act, the Freedom of Information Act, and the E-Government Act form a strong framework of privacy protections for information that is held by the government.

The main law governing how government protects and uses the personal information it holds is the Privacy Act of 1974. This law prohibits the disclosure of records to other agencies or third parties without the consent of the individual to whom the record pertains. The Freedom of Information Act (FOIA), passed in 1966, also includes some important privacy provisions to protect information about individuals that is held by the government. In particular, agencies are not to release personal data under FOIA.

CDT has raised concerns about the current status of Privacy Act coverage in other contexts, including the location data and images in government housing databases from the same hearing. In these cases, information is held in a relational or distributed database and key hooks in the Privacy Act may not be met. However, personal information about corporate employees under the TARP would most certainly be protected under the law.

The more recent E-Government Act of 2002, instituted provisions to protect privacy as new, digital information collections are created for use in government. Most notably under the Act, Federal agencies are required to perform privacy impact assessments (PIAs) on all new collections of 10 or more persons. These PIAs are intended to be public documents that clarify the ways that federal agencies collect, manage and use personal information. In the case of the TARP database, a PIA would be required and would be publicly available. Even if the other protections fail, we would be aware of what would be posted before it happened and privacy advocates would work with Congress and others to ensure that all personal identifiers are removed before posting data about TARP online.

The nexus between government transparency and protecting citizen privacy can be a tricky issue. However, here it seems that there are some common sense ways to make sure the public stays informed about TARP, and some important protections that should be put in place to protect databases of information about the housing crisis. CDT looks forward to continuing to be involved in discussions like these as Congress continues to examine new ways to use technologies and data to be more transparent and efficient.

Apps.gov is billed as a storefront for cloud services for government agencies. Many of these are apps for internal use only, and the website notes that internal agency users have no expectation of privacy. However, there are some external facing social media tools that are listed within the Apps.gov catalog, and I hope that they make it clear as they work with these social media sites that user privacy is important. While amended terms of service for the social media tools are included on the site, we’d also like to see the contracts that GSA has entered into with third party vendors. Of particular interest are details about what types of social media tools will be available to interact with citizens. Apps.gov’s social media section would be an excellent place to put a repository of tips and best practices for user privacy, for example- an example Privacy Impact Assessment for agency use of Facebook could be one of the resources at Apps.gov.

We are excited to see government begin to harness the cloud, and begin to take advantage of centralized services within agencies. Hopefully we’ll see Apps.gov turn into a repository of information on how to use cloud tools internally and with the public as well as serving as a storefront for agencies.

There are 300 million Americans, any number of whom may want to do business with government at any time of the day or night. Often, this may just be looking up an address or printing forms, but many interactions will require some way to identify the citizen who is asking for services from the website.

Last week at the Gov 2.0 Summit, federal CIO Vivek Kundra noted that identity is crucial if government websites are to move beyond ‘brochureware” and provide services to and interact with the public. Making government websites more interactive and useful is a key component to the Open Government Initiative, and identity is a step towards that goal.

Identity, privacy, and security are related in any realm, but for government they pose a set of special problems. Government is not well equipped to deal with extra information about citizens, and is typically not allowed to track users. Using third parties and shared protocols to credential users is one solution to this problem, at least for relatively simple applications.

While this could be a move forward in terms of using identity online in government websites and services, there are still quite a few details left to work out before integrating digital identity into government websites. These pilots bring up many questions around privacy and implementation of the identity. A Trust Framework has been developed to assess identity providers against federal requirements. These federal requirements, most accessibly laid out in an OMB Memo in 2004, have been well explained in the materials at IDmanagement.gov, but we have more questions around the implementation and privacy protections as the government moves forward with these pilot programs.

As mentioned in a blog post from EFF’s Tim Jones, this piece really nails it in terms of what the administration needs to do to ensure that citizen privacy is taken into account in web site measurement and tracking. It is important to note from the CDT and EFF recommendations that this type of notice does not need to be legalistic to be useful. We recommend that agencies have regular for users on each page that users can find more information about.

A new project from Princeton University’s Center for Information Technology Policy aims to “turn PACER around” with a Firefox extension called RECAP. This extension is crowd-sourcing the task of making documents available, letting users know when a document can be had for free at the RECAP archive and letting users donate documents they purchase to the free collection.

As I noted in February, these opinions and documents often form the basis for our understanding of legislation and law. They are currently locked behind a pay wall. RECAP is working with Public.Resource.Org and Justia to build on their existing free court documents, consolidating them with user submissions at the Internet Archive. This is exactly the kind of project that we need in order to show that the courts shouldn’t rely on high user fees to make information public – in fact, the information can and should be shared easily.

Transparency advocates are not the only people pushing PACER to modernize it’s system; Senator Lieberman continues to question the fees levied on users. He’s right- the courts are not making documents “freely available to the greatest extent possibleâ€? as mandated in 2002 as part of the E-Government Act. When the government won’t free information, third parties stepping in to compile and share information is the next best thing.

RECAP will be presenting on their new extension as well as the policy context of their work at the O’Reilly Gov 2.0 Expo next month, and I’m looking forward to hearing more about it.

Tim O’Reilly explained at length earlier this year why Chopra was such a good choice to shape technology policy in Washington, and it was impossible not to agree after hearing Chopra speak this week. Chopra is an opportunist in the best sense of the word. He has a grand vision of how technology can contribute to issues ranging from health care to education to the environment, but he also understands the value of incremental steps and short-term results. His talk was peppered with examples from his tenure as Virginia’s Secretary of Technology and his first months in the White House, where he is already in charge of an overhaul of the case status system for the US Citizenship and Immigration Services, among other projects promising immediate pay-out.

CDT is working on many of the issues Chopra mentioned, including health IT, cyber-security, broadband deployment, and, of course, government transparency. At times, we will be pushing the Administration to go further that it might otherwise be inclined to go in terms of openness and privacy, and we will criticize the Administration when it falls short, but we couldn’t want a smarter, more receptive official to engage with than Aneesh Chopra.

If I had one criticism of Chopra’s remarks, it would be his repeated emphasis on accomplishing things without changing the underlying laws. On the one hand, working within existing frameworks is consistent with his attractive opportunism. However, it is clear that some laws need to be updated to ensure deep, government-wide change. One example is the Privacy Act, which applies to federal databases; CDT has a major project underway to bring this 1974 law into the 21st century. Getting legislation passed will require White House leadership, and we hope that Chopra, while developing practical tools to make government more transparent and participatory, will also lend his credibility to improving the legislative framework for privacy in government systems.

Update: Here are the slides Aneesh Chopra used in his August 4, 2009 presentation in Silicon Valley. [pdf]

Access to Broadband Networks: The Net Neutrality Debate
R40616
June 1, 2009

July 21st has passed, which means just one thing: Reply Comments to the Federal Communications Commission (FCC) Broadband Plan are in! Anyone interested in digging in and reading the Reply Comments can do so by searching the FCC’s website using the parameters Proceeding 09-51 and Document Type RC (CDT’s Reply Comments can be found here). This CRS Report on the Net Neutrality Debate might come in handy before you dive in. It was written very recently, which makes it even more useful.

The Report offers a summary of the regulatory history of broadband Internet access services from its classification as a Title I information service, which meant that it faced a less stringent regulatory environment, to the FCC Internet Policy Statement, the Comcast Order, and the American Recovery and Reinvestment Act that started the FCC Notice of Inquiry process. In addition, the Report tries an evenhanded explanation of what network management actually entails, including prioritization and deep packet inspection. There is also a short section on the debate around net neutrality that rather accurately sums up many of the arguments being made at least in the first round of comments. However, if you choose to go through the Reply Comments, be on the lookout for the application of net neutrality to wireless. It is not covered in the Report, but is definitely a debate that we’ll be seeing more of in the future.

The REAL ID Act of 2005: Legal, Regulatory, and Implementation Issues
RL34430
April 1, 2008

REAL ID is an issue that, if you have not been following from the beginning, can be daunting to understand. With the introduction of the PASS ID Act, the debate becomes even more confusing to a newcomer. This CRS Report provides an overview of REAL ID, covering its history, a few provisions, relevant constitutional questions, debates, and selected regulatory requirements. However, the Report does not highlight many of the implications on the privacy and security side, so take a look at CDT’s REAL ID Primer to get filled in on that. However, this Report’s analysis of the potential constitutional objections (pgs 6 – 14) to REAL ID are worth a look and the cases mentioned read like a greatest hits list of important Supreme Court cases. The section explaining selected regulatory requirements of REAL ID (pgs 20-28) is also informative.

Where this report starts becoming relevant to PASS ID is when it explains what happens to citizens of states that are not compliant with REAL ID (pgs 17-20) at various implementation stages. The numbers the Report cites on how many states have refused to comply with REAL ID is outdated — at last count, now thirteen — but the ramifications of non-compliance are still the same. In addition, states can now seek an extension for full compliance (until May 10, 2011), but only if they meet all eighteen benchmarks in DHS’s Material Compliance Checklist, which states must fulfill by December 31st, 2009. So unless something changes, citizens of states that cannot or will not meet the next implementation December 2009 deadline may be faced with the prospect that they will not be able to use their state-issued driver’s license or ID to board airplanes or enter federal facilities. PASS ID could be a fix for at least some of the major problems of REAL ID and would give states more time to shore up standards for issuing driver’s licenses and build in the appropriate governance mechanisms that will better protect privacy of DMV information than what may currently exist. Make sure to check out the Policy Post on the reforms PASS ID offers over REAL ID and Ari Schwartz’s testimony on PASS ID. Ari’s testimony also offers suggestions for how PASS ID could be further strengthened.