September 9, 2005 1:51 PM PDT

Panel: New rules, tech needed for data privacy

WASHINGTON--The feds need new privacy rules and technological methods to police their use of personal data from contractors like ChoicePoint and Acxiom, representatives from within and outside the government suggested Friday.

"There are some valid uses of commercial data," Nuala O'Connor Kelly, chief privacy officer for the Department of Homeland Security, said in closing remarks at a two-day public workshop hosted by the office she runs. She pointed to the roles data brokers have played during Hurricane Katrina's aftermath in providing, for example, information needed to verify the identities of displaced storm survivors seeking their prescription medications.

The best protection against privacy intrusions is "for the government not to have the data for any long amount of time," O'Connor Kelly said. "Let's use basic holding and processing constraints to limit the government's access to data, whatever the source."

But building public trust in the government's intentions is still a major obstacle, a host of workshop panelists said. The Transportation Security Administration, for one, took heat recently for failing to provide adequate disclosures of personal data usage.

To start building that trust, the government must more clearly define its purposes for acquiring certain information, said Jim Dempsey, executive director of the Center for Democracy and Technology. Then it should ask, "Is it accurate enough for this purpose? Is it relevant to this purpose? Are we getting what we need for this purpose?" he said.

The Privacy Act of 1974 already requires government agencies to disclose information about their data use in many cases and to allow people to correct errors in their own data sets. But some panelists noted that the law's wording makes it unclear whether such regulations apply to government interactions with commercial data brokers, which the measure did not anticipate.

Now Congress needs to step in and form privacy rules that apply equally to all government agencies, suggested Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. A handful of measures geared toward data safeguards have been introduced this term, but they primarily address steps data brokers must take in the event of a security breach.

Michael Daconta, Homeland Security's metadata program director, spoke of the need to bring "discipline" to the way that agencies manage personal data. "There are really no strong, consistent rules across the federal government on how to model these things," he said.

He cited, as an example, databases that have a column labeled "identifier," which contains a number that corresponds to a person's set of data. Some systems assign a random number, which wouldn't divulge a person's identity at a glance, but others use a social security number. Creating standardization--in this example, doing away with using social security numbers--would provide privacy benefits, Daconta said.

New techniques on the technology side are also important, though they could raise privacy questions of their own, panelists said.

John Bliss of IBM said the government could consider employing systems that "anonymize" data. Say, for example, the government wanted to compare a cruise passenger list and to a terrorist watch list, but the cruise company feared that turning over the complete list for the sake of a few potential violators would anger its customers. The anonymization system would hash each of the lists so that they would be indecipherable to the opposite parties but, even in this encrypted state, could be programmed to flag matches among the lists.

But if a match did surface, who would be allowed to decode and analyze it? "Ultimately, it becomes a very critical question for which business rules must be implemented and enforced," Bliss said.

Several panelists suggested that any new systems need to be equipped with an immutable audit trail--that is, a tamper-proof, automated way of logging who has accessed data sets and what they have done with them.

"I think we're all saying the same thing," said Steven Adler, also of IBM. "We want effective checks and balances in the use of data."

3 comments

Join the conversation!
Add your comment
wish I had checks and balances
I suppose we could model information design after
healthy social constructs, however, a base
framework that inherently dictates droconian
measures still persists. Remains of a cold age
that refuses to attend job retaining classes?
Perhaps, but I suggest the real problem is much
much worse.
Posted by (187 comments )
Reply Link Flag
Job retention classes
Classes are a good idea. It is getting so hard to keep up with technology that if you don't spend all night on the web keeping updated you're lost. This is what really scares me about having dinosaurs in the supreme court. These people may be the best at ruling on everything else but technological issues are a whole different animal. This also applies to congress.
Posted by ausburng (2 comments )
Link Flag
Here in Australia User Information Over the Internet
My Name Raymond Kirk.
Here in Australia User over 95% of Information Lost or stolding CR car e-mail phome number. How stop International stolding your Information?
Posted by raykirk444 (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.