The Congressional Research Service is a $100 million a year think tank that researches and writes informative and non-partisan reports on topics suggested by members of Congress. The catch–and the reason you might not have read their work–is that CRS reports are only made easily available to members of Congress. Citizens can request these reports from lawmakers, but without a public index, they can’t request something they don’t know exists. The CRS Reports currently rank first on CDT’s Most Wanted Government Documents. In an ongoing effort liberate these documents, CDT runs Open CRS, an online repository of public CRS Reports. To spotlight these reports, I will be writing “CRS Report of the Week” posts and feature a relevant report each week. These reports are informative in both that they serve as excellent primers to political issues and that they offer a degree of insight into what information is circulating around Congress.

The Social Security Number: Legal Developments Affecting Its Collection, Disclosure, and Confidentiality
#RL30318
October 2nd, 2008

It is well known that Social Security Numbers (SSNs) should not be used as authenticators. A new study demonstrating the ease with which SSNs can be predicted serves as further evidence to this fact.  Simply put, SSNs weren’t designed to be authenticators. The problem with SSNs is that they have become both the de facto national identifier and authenticator for private industry.  This is analogous to using your name (an identifier) as your password (an authenticator). Identifiers are simply a reference to who you are and, thus, are often public.  Authenticators, on the other hand, are used to prove identity, and should not be known publicly.  These dual uses of SSNs as identifiers and authenticators has worried identity experts for some time because of this difference in security levels.  The new research steps over those concerns and suggest that SSNs should never be used as authenticators not just because of the risk an individual’s SSN might be disclosed, but because SSNs are predictable based upon publicly available information.  Ultimately, it does not matter how vigilant one is in protecting his or her SSN.  It can easily be discovered.

(more…)

This post was originally made on the PrivacyCamp Blog.

PrivacyCampDC is in the books and it was fantastic! A collection of people representing interests in both the public and private sector gathered together to share knowledge and expertise on a number of topics including (but certainly not limited to) the future of privacy rights in a Government 2.0 world, surveillance technologies, digital signage, updating the 1974 federal Privacy Act (something CDT is pushing for citizen feedback on with their Privacy Act Wiki if you want to check it out), and how we achieve a greater level of transparency and openness without compromising ones privacy. With attendees representing privacy organizations, federal agencies, security companies, information technology and even Congress, there were a lot of great ideas shared during the event.

One of the most important takeaways that nearly everyone walked away with was the notion that collaborative discussion is vital to protecting privacy in the digital age. The more voices and interests at the table from the beginning, the more likely concerns will be addressed as legislation is crafted, regulations are made, and the intersection between government and new and emerging technologies grows.

The event was tweeted under the hashtag #privacydc and a video slideshow featuring photos from the event’s Flickr page is available. Can’t wait for the next one!

At the Department of Homeland Security’s Workshop Government 2.0: Privacy and Best Practices this morning, the Federal CIO, Vivek Kundra, spoke about a range of issue regarding the federal government’s use of new technologies. In particular, Kundra strongly emphasized the important message that innovation, privacy and security are not competing values.

Kundra’s main strategy to address these values simultaneously is to bake all of them into the technology early in the process. Part of his solution is to better utilize the procurement process for privacy and security. One questioner asked if this meant strengthening Part 24 of the Federal Acquisition Regulations, which oversees privacy and freedom of information compliance. Kundra said this was part of the discussion. It is interesting to point out that Part 24 only uses the antiquated definitions from the Privacy Act to identify privacy risks and does not specifically require privacy impact assessments. These are issues that CDT is working to address in our E-Privacy Act Amendments Wiki, which is now in its last official week.

Another example that came up in the Q&A was the use of authentication technology. Kundra mentioned that too much authentication was being aimed at “military grade” identity. He urged for a more “progressive credentialling” by which he meant finding a full range of authentication solutions from anonymity to psuedonymity. This is the same principle that CDT calls “proportionality” in our Privacy Principles for Identity.

When the White House released its review and recommendations for the current state of cybersecurity policy, CDT applauded the Administration for showing attentiveness to the concerns of privacy and civil liberties groups by constructing the report in a collaborative and open manner. The level of transparency and knowledge sharing demonstrated in the creation of the report will need to be illustrated in the implementation of these recommendations as well. Now comes the hard part, living up to the hype and honoring the “action items� contained in that report while ensuring that a cybersecurity policy is implemented that keeps the nation safe from threats without jeopardizing the openness of the Internet or the privacy of its citizens.

To help keep the process moving, CDT has created a report tracking the progress of this “cybersecurity to-do list.�  The action items outlined in our report were derived from the Administration’s review as well as the President’s remarks on the document.  The original document is based on three broad, though essential themes.

The first of those themes is promoting the value of privacy.  As the report notes, protections for individual privacy are essential to reaping the benefits from advancements in informational technology.  The second is that privacy rights must be clearly defined and enumerated.  Clear, detailed policies are needed, as privacy rights are extremely vulnerable to advances in technology.  Lastly, making sure that any plan aimed at protecting privacy rights be the product of a coordinated effort between the technology side and the policy side.

Using the report we released today as a benchmark, CDT will continue to push the Administration to honor the pledges made in that report and to maintain the same openness and attention to privacy concerns as were shown during the information gathering phase of he report.

This Saturday, June 20th in Washington, DC is PrivacyCampDC, an opportunity for researchers, developers, practitioners, citizens and other enthusiasts to connect, collaborate and share knowledge with a particular focus on electronic privacy and government policy.

When:  Saturday, June 20th, 2009 from 8am to 5pm (the weekend prior to the Department of Homeland Security’s Government 2.0: Privacy and Best Practices conference).
Where: Center for American Progress Action Fund, 1333 H Street, NW, DC 20005
Metro access: Metro Center
Happy Hour:  5:45pm at Le Bar. (Sofitel).  806 15th Street NW, Washington DC 20005, USA | (202) 730-8700

(more…)

Ari Schwartz recently spoke with Information Security Media Group’s Eric Chabrow about updates needed to the federal Privacy Act and how Internet users can get involved in the discussion by visiting www.eprivacyact.org and making their own edits to the legislation.

The interview is available in streaming audio online, which you can list to here.  Enjoy!

When the Open Government Dialog began on May 21st, we were waiting to see what kind of discussion would be fostered by the brainstorming process. As it turned out, almost 2,500 ideas were submitted and hundreds of thousands of votes were cast. There is even a transparency map that visually portrays the interconnection and complexity of the ideas submitted, which was made by the OSTP team.  OMB Watch has released an in-depth analysis of the ideas as well, based on the categories of openness highlighted in the 21st Century Right to Know report. The results of the brainstorm are relatively predictable; the open government community and the public both want accessible, usable government data and have submitted ideas for increasing citizen participation in government. Many of these ideas are overarching and theoretical, so now it’s time to get to the nitty gritty of real, actionable ideas and principles for opening the government.

The second phase of the Open Government Initiative will be a discussion around the ideas distilled from the brainstorm and comments from agencies and other groups. Moving away from one-way idea brainstorming (from the public and agencies and directed to the Open Government team) to a more two-way discussion is a key part to keeping this process collaborative and participatory as we “dig deeper” into the most promising and complex ideas; the first post up for discussion will be the principles for government transparency.

The discussion will include conversation with the Open Government team, a key component to actually starting a public dialog around this issue. An interactive discussion of ideas will build on the brainstorm ideas in a much more concrete and helpful way than simply voting on ideas submitted.  Even the organizers of the brainstorm process said in their final analysis that they were not lending a great deal of weight to the vote counts. There’s already a healthy number of comments, given that it has been up only a few hours, so head over and join the discussion.

We’ve been talking about Regulations.gov for quite a while- both the good and the bad. While the website’s goal to centralize the federal system for public comment and make it easier to use, is laudable- the site has lagged in usability. The site serves as the public face of federal rulemaking, but hasn’t really made it easier for the public to find or comment on the rulemaking processes. Hopefully, the discussion on the new Regulations Exchange are evidence that this will soon be changing.

The Regulations Exchange launched on May 21st, along with other open government projects. The site has not garnered the public’s attention like the Open Government Brainstorm website; it’s simply not as sexy a topic. I will note that the last four days, if published reports are accurate, have seen almost three thousand comments in four topic areas, hardly a lackluster showing. However, the structure of the Exchange and the kinds of comments that they are getting may make this discussion a much more fruitful one. In addition, they have a two-month window for users to discuss and give suggestions, giving users time to read others’ suggestions and reply thoughtfully.
(more…)

What do disco music, eight-track audio systems and beta videocassette tapes all have in common? They’re all examples of technologies and fads that have come and gone since the Privacy Act of 1974 was last updated. Yesterday, the NIST Information Security and Privacy Advisory Board, tasked with identifying emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy, released a report on working towards federal privacy policies that reflect the 21st century technological environment. CDT Vice President Ari Schwartz sits on the board, and helped develop the report.

It seems clear that federal privacy standards written during a time when “data storage facility� literally referred to file cabinets is due for an update in the digital era.  While the basic framework of the Privacy act has held up well over the past 35 years, changes need to be made to insure that the advent of new technologies do not threaten to undermine the protections that have been put in place.

Today, the Center for Democracy & Technology unveiled an in-depth set of draft amendments to update the federal Privacy Act and address the challenges of the digital age as part of a panel discussion with government and privacy leaders. You can check it out on our UStream Channel here, or see some of the points that were made on our live Twitter feed.

The announcement of our draft E-Privacy Act came as part of a panel discussion featuring government and privacy leaders that coincided with the release of the National Institute of Standards and Technology’s federal Information Security and Privacy Advisory Board’s report on its findings on government privacy rules. ISPAB has also called for significant changes to the existing federal privacy framework, and we think that our amendments address many of these concerns.
(more…)

It’s been 120 days since President Obama signed a memorandum asking for unprecedented openness in government. This day-one transparency memo required that OMB, GSA, and the federal CTO would provide the president with recommendations for an Open Government Directive today. While the day is not yet over, it looks like these open government recommendations, ironically, aren’t being made public. Fortunately, that’s not the end of the story.

Today the White House is launching a new Open Government initiative, and starting by asking the public questions about what we want from an open government using the current “request for comment” process. In addition, citizens are being asked to “brainstorm” ideas via government site called the “Open Government Dialogue.” However, the site sits on a .COM domain and it’s not all that clear it has the imprimatur of the White House, save for a poorly rendered graphic of Presidential Seal. Go figure. While the origin of the site is opaque, the execution of soliciting public feedback via an interactive environment is excellent.

We welcome this request for comments. A week ago, we signed on to a letter asking Beth Noveck, who has been heading up the Open Government Directive process, to take advantage of the public input processes we already use in government every day. We asked for a formal process for public input on these recommendations, and we are pleased that public input is now formally a part of the process of opening the government, both through the traditional notice in the Federal Register and new online tools. While we are discussing the new tools and innovative uses of the Internet that will make government more transparent and participatory, it’s important not to abandon those proven processes that allow public input today.

In addition to the launch of the Open Government Initiative, several new tools, websites, and ideas are being released today, some of which we will be discussing in future blog posts. Here are a few:

–The White House Open Government Initiative;
–An exchange on how e-Rulemaking can be improved;
–The much-anticipated Data.gov;
–A rundown of a few of the ways that the Executive Branch is using new media;
–Open Government Innovations gallery, highlighting open government tools