When the Privacy Band-aid Fails

March 26, 2008 — -- The revelation that State Department contract employees breached the privacy of the three remaining presidential candidates' passport files came as no great shock to the community of privacy advocates.

Although the media is consumed with the warp and woof of presidential campaign implications, there are larger questions that shouldn't fall victim to the 24-hour news cycle.

The only reason that the breach of Sen. Barack Obama's passport file was caught was because of a system inside the State Department's computers that monitors the files of high-visibility persons. That system flags certain records of high profile people and sends an alert to supervisors if those records are accessed without proper authorization. The system was put in place as a "fix" for previous privacy failures, most notably the 1992 episode in which Bill Clinton's files were accessed. However, something went wrong in this latest incident because the system didn't alert senior officials at the State Department; a State Department spokesman called the breakdown "a failing."

The broader question here is, what about people further down the VIP food chain? Under the current system, no one below some amorphous "important person" criteria will have their file "flagged" if a contractor decides to look up old girlfriends, or worse, regularly uses the information to feed a stalking habit.

The acknowledgement of the breach is welcome, but it's also contradictory. My organization has frequently expressed concern about the State Department's privacy program over the past two years. The department has failed to publish Privacy Impact Assessments, which are sort of environmental impact reports for privacy-related programs, for the electronic passport and the PASS card programs. Both programs depend heavily on embedded, machine-readable electronic chips. We sent a letter last May to Secretary Condoleezza Rice pointing out this failure; we never received an answer.

The State Department simply does not have the resources to do an effective job. Instead, it appears that when judged by the standards of the annual federal security management evaluation, the department is satisfied with its meager "satisfactory" rating. As an aside, if the State Department garnered a satisfactory rating, one shudders to think of the unknown privacy fiascoes that lay hidden in the Department of Defense, which found itself tagged with a "failing" rating.

Already there is a bi-partisan demand for an investigation in the State Department breach. There's nothing like a tense campaign season to fuel a good controversy and provide an ample platform for righteous anger.

There are some obvious questions: How could this happen? Why did these people have access?" And don't we do background investigation on these people working in sensitive positions? But beyond those, there are larger, overarching questions this systemic government failure brings to light. This most recent incident magnifies the gap that exists between the promise and practice of the landmark Privacy Act of 1974, and it shines the national spotlight on the question of why enforcement of the Act's provisions has atrophied.

It is inevitable here that technology will fall victim as collateral damage. Talk show hosts will rage, and the blogosphere will rumble about the ill effects of a world in which an increasing amount of our lives — and therefore our personal, private information — traffics online. And maybe such a fiery dialog does some good, if only to place the issue of privacy for personal information in the spotlight. But such a dialog must continue and somehow translate to real world results.

Technology is the innocent bystander here. There is nothing inherently bad about placing personal information online, and in many cases doing so provides advantages across a wide range of fields, and yes, even for government. Too often, however, the privacy aspect of a new policy is an afterthought, a talking point scrawled in the margin of a prepared text.

The key is that privacy protection has to be a part of the process from the beginning, not a patchwork fix, applied in the harsh light of a spiking news cycle.

Leslie Harris is president and CEO of the Center for Democracy & Technology.