October 8, 2008 8:45 AM PDT

Feds propose consolidation of personal info in databases

by Stephanie Condon

WASHINGTON--The federal government is trying to find better ways to standardize and coordinate personal information about American citizens that is currently spread across thousands of databases, according to a White House official.

There are more than 3,000 programs or databases in the federal government that hold personal information--Social Security numbers, addresses, fingerprints, and so on--yet the government is only beginning to develop a plan for collecting, protecting, and using such information.

"You have a lot of duplication of data" among various agencies, said Duane Blackburn, a policy analyst in the White House's Office of Science and Technology Policy. Moreover, he said, privacy controls and security measures vary from agency to agency.

At a forum here Tuesday hosted by the Information Technology Association of America, representatives from the federal government and the tech industry discussed how the government conducts identity authentication--either for federal employees or regular citizens--and how it can improve.

Blackburn helped establish an Identity Management Task Force that examined the government's current identity management architecture and how to consolidate the personal information collected.

Chartered by the National Science and Technology Council's subcommittee on biometrics and identity management, the task force released a report (PDF) in September. The report offers a set of recommendations, including possibly creating a position within the executive branch that would be responsible for coordinating identification management across all agencies.

Blackburn said the report presents "a vision--it's not a policy."

The task force's report--the first of its kind--was produced after a six-month analysis of information management across all departments and agencies.

This image represents the vision of a federated 'network of networks' laid out in the Identity Management Task Force's recent report.

(Credit: Office of Science and Technology Policy)

The government's current IT architecture consists of standalone repositories, many of which duplicate what is dubbed PII, or personally identifiable information.

"As such, differences exist in the ways the same PII and other information are retained, portrayed, weighted, and valued across the total data architecture," the report says. "Further, the existence of these duplicative and nonstandard data increases opportunity for data exploitation and unauthorized access."

To address those weaknesses, the task force presented the idea of a federated "network of networks," with cross-organizational and cross-domain interoperability. The task force breaks down PII into two categories: "basic information" and application-specific data. The architecture laid out by the task force would support the basic information, but not application-specific data.

An agency, such as the Defense Department, would retain application-specific data (such as a special clearance) itself and would not share it across the network. However, it could access basic information--now often duplicated across agencies--in the supported data stores using a predefined querying process.

There will always be privacy concerns when personally identifiable information is being collected, the task force acknowledges. The "basic information" about an individual would be supported by the network, conceivably accessible to any government agency.

Blackburn maintained, however, that such information would be more secure with standardized privacy stipulations and methods of access. He also reiterated that information required for specific applications would only be accessible to the relevant agencies.

"It cannot be emphasized enough that this centralized data store approach is NOT being recommended," the report says. "The applications supported by this architecture will be enormously diverse, as will the nature of the content-specific data they use and retain. At the same time, the scale of the object architecture will be global and massive, as needed to support the full range of federal government activities and enrolled participants."

To approach this vision, the task force recommends tackling a number of issues, such as standards and guidelines that would have to be in place to support a federated network, the appropriate technologies to use, and how to best coordinate interagency efforts.

Blackburn said the task force stayed away from policy prescriptions because "if you try to specify that now, you run the risk of someone trying to do it now when it's not fully thought through--you run the risk of these recommendations being politicized."

Government agencies will face a test in the development of coordinated authentication programs on October 27, when every federal employee and contractor is expected to have a government "smart card," as required by a presidential directive.

With no common authentication system within the federal government, employees currently may have four or five credentials to gain access to various buildings and may only be expected to flash those credentials at a security guard. By contrast, the smart cards will be equipped with microchips, will hold biometric data like fingerprints, and will eliminate the need for multiple credentials.

"If you don't use the cards to change the way you do business, we have all wasted a lot of effort and money to produce cards people stick in their desk," warned Mary Dixon, director of the defense manpower data center for the Defense Department.

Stephanie Condon is a staff writer for CNET News focused on the intersection of technology and politics. She is based in Washington, D.C.
by Dalkorian October 8, 2008 10:02 AM PDT
Big brother is watching you and knows what's best. Take it like a sheep.
by skswave October 8, 2008 10:19 AM PDT
There is an enormous opportunity for Government to support the Trusted Platform Module as part of the authentication to PII. The TPM which is now on more than 250 million PCs worldwide cost the government nothing to deploy but will hold compatible credentials to the current smart card schemes. This technology which is already mandated by DOD for all contractor computers since July of 2007 provides an industry standard method for storing authentication keys and is already in the hands of most local, state and federal workers and contractors. TPM is a key technology to realizing a strong authentication scheme and Government should solidly require the use of this technology.

Steven Sprague
by umbrae October 8, 2008 10:31 AM PDT
As long as this information will have a high level of security and will not be hackable by children or mentally disabled like in the past.
by scdecade October 8, 2008 11:40 AM PDT
Waste of money. Unconstitutional. Typical.
by TV James October 8, 2008 1:38 PM PDT
The only solace we have is that the same groups that allowed 3,000 -- that's all? Must not be counting Excel spreadsheets saved on desktops -- databases to proliferate are the ones who will now be charged with fixing it.

If they were to succeed, it would be too cumbersome to use, be 25 years out of date by the time it was complete, trillions over budget, hacked within seconds and accidentally erased by some jury services clerk who impatiently kept clicking their mouse while waiting for the system to respond.

But, like most other large scale projects the government has embarked on (IRS computer system, FBI computer system, Iraq war), it will end up costing millions, produce nothing, make private contractors rich.
by UITD October 9, 2008 5:10 PM PDT
I am POSITIVE they'll outsource this to people in India or China or Vietnam.... Why pay Americans to do this work when you can pay cheaper, less qualified people in "CHINDINAM" and get crap quality for it AND ALSO wonder where all of the jobs are going.

Ever notice how NOT ONE of these two running for President mention anything to do with how outsourcing has destroyed our economy? Forget about sub-prime crap. You have outsourcing so rampant that our tax base has been eroded so badly that the government needs to up the tax rate even more just to keep up?

Idiots. Guarantee you that they'll do it. The City of Arizona's idiot IT Director already outsourced their tax-system to India. Nice, eh. Like I said - idiots.