Privacy in the Public Domain
Government agencies view confidentiality as a top priority, but caution is still warranted.
The Internet has been a boon for some businesses and a bust for others. Government officials, on the other hand, view the World Wide Web as another tool to serve the citizenry better. Agencies nationwide, from the federal level down, have opened portals that allow access to information on programs and services. Rather than spending hours visiting numerous offices to track down the answer to a single question, citizens can click their way through the maze of bureaucracy in a matter of minutes.
The U.S. Congress knows privacy is a hot topic. Last year’s legislative session saw approximately 400 bills introduced on the issue, and it is estimated that this year as many as 600 will be proposed. Even bills that do not directly address privacy, such as those that propose legislation on gun control or human cloning, include sections that relate to the issue.
While the bills wend their way through various congressional committees and subcommittees, one thing is becoming abundantly clear to people who are tracking the issue: Privacy is so important to the American public that following the letter of the law is not enough. The perception that privacy can be invaded is enough to cause alarm.
Several organizations focus on ensuring that no one loses sight of the ramifications of taking a byte out of a person’s privacy. Ari M. Schwartz is an associate director at the Center for Democracy and Technology (CDT), Washington, D.C. Established in 1994, CDT grew out of the Electronic Frontier Foundation and functions as an educational organization, think tank and public awareness group. Members have testified on the privacy issue before Congress.
Schwartz points out that while current laws protect privacy, they were not framed to cover the Internet. For example, law enforcement agencies do not need a warrant to view telephone records. However, to listen in on conversations they must show probable cause and obtain judicial permission for a wiretap. This standard does not translate well to the Internet, Schwartz explains. Telephone records show only the number that was called; in cyberspace, knowledge of what site has been visited also divulges the content or message the visitor has viewed.
Because government agencies are closely scrutinized and a breach of privacy could be a public embarrassment, they have been more forward-thinking than some commercial entities about protecting privacy, he adds.
The Internal Revenue Service (IRS) is one organization that is well aware of its in-the-spotlight status. As a result, the service has instituted policies within the organization and on its Web site that go above and beyond what current law requires. Recognizing that citizens already have a certain degree of distrust of the IRS’ handling of information, in 1993 the service became the first government agency to create the position of privacy advocate. Not surprisingly, the U.S. Department of Health and Human Services, another entity that collects personal information to carry out its mission, was the second agency to designate an individual to focus exclusively on that issue.
Peggy Irving, director, privacy advocacy, IRS, Washington, D.C., believes that the service was very farsighted in realizing that it needed one person positioned at the executive level to administer privacy concerns. “Just by organizational placement, this position is given some clout,” she relates.
But the IRS’ dedication to ensuring privacy did not stop with putting a person in charge, Irving says. Although the collection and dissemination of information is strictly regulated by the Privacy Act of 1974, which has been amended several times since it was enacted, the service acknowledges that its policy must surpass that law. “Our focus is not [just] to look at what the law requires but to look at what we should do. We’re going a step beyond and constantly anticipating … looking at the ethical issue,” she relates.
In some ways, this extreme caution limits the IRS’ ability to provide services to citizens, but it is a sacrifice Irving says is worth making if it means that privacy concerns are better addressed. “We want to educate our taxpayer. We would like to customize our services, but we just don’t do it because it would require asking for too much private information. And that’s one way we’re different from private industry,” Irving declares.
Working with the Office of Management and Budget (OMB), the service designed its home page while taking the straightforward position that individual visitors will not be tracked or profiled. The site does not use Web tracking cookies.
As at most sites, however, visitors do not come and go in total anonymity. Data on general network flow is tracked to improve the usefulness of the site. Information collected includes the domain name from which the visitor accessed the Internet, the Internet protocol number and the date and time of the visit. This information is retained for a minimum of 90 days in compliance with National Archives and Records Administration (NARA) requirements.
If a visitor chooses to voluntarily supply private information on the IRS site when submitting questions or providing comments, the data is destroyed after the purpose of the communication has been addressed and after fulfilling NARA record-keeping requirements. Because the confidentiality of Internet transmissions cannot be guaranteed, personal information is not e-mailed to a user.
In addition to these policies, the IRS has instituted a privacy impact assessment (PIA) process. Similar to the environmental impact assessment, which evaluates the effect certain actions would have on the environment, the PIA measures how releasing information would affect privacy.
As part of the assessment, agencies requesting data must answer approximately 30 questions that all focus on the information they propose to collect, Irving explains. They must explain the type of access they will need, how the information will be used with other databases, and whether all the information that is being requested is relevant and necessary to the program’s goals.
The PIA is part of the E-Government Act of 2001, a bill introduced by Sen. Joseph I. Lieberman (D-CT). The bill is co-sponsored by 13 senators including Sen. John McCain (R-AZ) and has been referred to the Senate Governmental Affairs Committee. Among other requirements, the legislation would establish an office of information policy within the OMB that would provide direction, coordination and oversight of the development, application and management of information resources by the government. Each executive government agency would be required to comply with standards established by a federal chief information officer and support efforts to develop and maintain an integrated Internet-based system for delivering government information services to the public.
While legislation such as the E-Government Act would codify acceptable practices, many other government agencies, like the IRS, have taken it upon themselves to gain public confidence by instituting strong privacy policies without being compelled to do so by law.
One such site is FirstGov.gov, which is celebrating its one-year anniversary this month. William C. Piatt, director of public sector e-strategy, Booz•Allen & Hamilton, McLean, Virginia, was the chief information officer at the General Services Administration (GSA) when the idea of creating a one-stop shop for government information was first conceived. The goal was to develop a site where visitors could find what they wanted without necessarily knowing government organizational structure. From the very beginning, Piatt says, ensuring privacy was a key concern.
During the design stages of FirstGov.gov, a Web site that Piatt describes as the concierge of government home pages, organizations were invited to become partners, and the FirstGov site would act as the referring mechanism. These groups had to follow certain guidelines set by FirstGov’s architects. The first condition of participation, according to Piatt, was that visitors’ personal identification information could not be tracked. In addition, sites had to allow free access, safeguard against visitors’ changing home page content and provide fair access to people with disabilities. Originally, banner ads were prohibited; however, this condition was repealed after some discussion, Piatt says.
FirstGov’s designers set their sights on high quality because they wanted the site to be an example of the best government has to offer, he explains. “If FirstGov could become the easiest, cheapest way to access information, then we could set the model for privacy. If it became accepted as the standard, and a site was not FirstGov-certified, then visitors would wonder why,” he relates.
Piatt and his FirstGov.gov team delved deeply into privacy issues as they were designing the site. As a result, Piatt became aware of some of the problems government agencies face in ensuring that information is kept confidential.
“People don’t know how to do privacy. Privacy is tough because it implies that an agency has a level of control over its information that really doesn’t exist. In a sense, it was the advent of the personal computer that has caused the loss of control over the information. Before PCs, whatever was known about an individual by an agency was generally kept in one place. But now no one knows what is known because it could be in three places. It could be different in each one, and no one knows which one is right,” Piatt states.
One contributing factor to this confusion is the downsizing of government agencies. Information is now stored on hard drives, and the filing systems are not as robust as they once were. In addition, there is little appreciation of the importance of deciding what data should or should not be kept, he adds.
“So, just like two or three years ago we had to elevate the role of security, now we have to recognize that records management is a whole lot more than keeping files. Until we get a handle on it, we don’t have true security because if we don’t know what we have, how can we protect it? It’s not that government agencies are not concerned. It’s just—where do you get started? How do you get the systems in place so that you get a handle on it without management becoming too unruly? The concern about privacy, whether real or perceived, is the single largest inhibitor to achieving e-gov,” Piatt observes.
Schwartz agrees that one of the biggest challenges to ensuring privacy is conducting an assessment. But his organization is calling for an audit of current systems to decipher the privacy concerns. Government agencies have different standards, and reviewing records can be very difficult, he says.
CDT also recommends that new systems undergo a privacy impact assessment approach such as the one the IRS currently uses. “This is a good first step and could become the model,” Schwartz indicates.
Finally, CDT proposes that government agencies employ a platform for privacy practices. This technique would make privacy policies clear, concise and easy for Web site visitors to read and understand.
“People have to realize that any time they are dealing with a third party, they have limited protections right now. People have to think of information technology as a public, not a private space,” Schwartz advises.
This is the first of a three-part series examining the privacy issue as it relates to cyberspace. Next month’s segment will take a look at privacy in the e-commerce sphere.