When the Privacy Band-aid Fails
Digitizing personal records is all the rage, but protecting them should be too.
March 26, 2008 — -- The revelation that State Department contract employees breached the privacy of the three remaining presidential candidates' passport files came as no great shock to the community of privacy advocates.
Although the media is consumed with the warp and woof of presidential campaign implications, there are larger questions that shouldn't fall victim to the 24-hour news cycle.
The only reason that the breach of Sen. Barack Obama's passport file was caught was because of a system inside the State Department's computers that monitors the files of high-visibility persons. That system flags certain records of high profile people and sends an alert to supervisors if those records are accessed without proper authorization. The system was put in place as a "fix" for previous privacy failures, most notably the 1992 episode in which Bill Clinton's files were accessed. However, something went wrong in this latest incident because the system didn't alert senior officials at the State Department; a State Department spokesman called the breakdown "a failing."
The broader question here is, what about people further down the VIP food chain? Under the current system, no one below some amorphous "important person" criteria will have their file "flagged" if a contractor decides to look up old girlfriends, or worse, regularly uses the information to feed a stalking habit.
The acknowledgement of the breach is welcome, but it's also contradictory. My organization has frequently expressed concern about the State Department's privacy program over the past two years. The department has failed to publish Privacy Impact Assessments, which are sort of environmental impact reports for privacy-related programs, for the electronic passport and the PASS card programs. Both programs depend heavily on embedded, machine-readable electronic chips. We sent a letter last May to Secretary Condoleezza Rice pointing out this failure; we never received an answer.
The State Department simply does not have the resources to do an effective job. Instead, it appears that when judged by the standards of the annual federal security management evaluation, the department is satisfied with its meager "satisfactory" rating. As an aside, if the State Department garnered a satisfactory rating, one shudders to think of the unknown privacy fiascoes that lay hidden in the Department of Defense, which found itself tagged with a "failing" rating.