Tech Bytes – Tid Bits in Tech News: Government’s Fair Information Practices Don’t Measure Up

Earlier this week, the General Accounting Office (GAO), the non-partisan, investigative arm of Congress, released a report on government Web site policies and Internet privacy. It found that the federal government has done an abysmal job of living up to the privacy standards it sets for the private sector.

Only 3 percent of the 65 sites surveyed this past June met all four of the Federal Trade Commission’s (FTC’s) Fair Information Practices: Notice, Choice, Access, and Security. Following the methodology set out by the FTC in its May 22, 2000 report, the GAO classified Web sites operated by executive branch agencies into two categories: 32 high impact agencies, which handle most of the government’s interaction with the public; and 33 Web sites randomly sampled from the General Services Administration’s (GSA’s) government domain database.

Fair Information Practice   Percentage of sites adequately meeting GAO criteria
                            High Impact Group    Random Sample
Notice                      76                   63
Choice                      55                   34
Access                      18                   16
Security                    27                   32

Government officials complain that applying the FTC principles to government-run Web sites is unfair because, unlike private sector Web sites, they are constrained by the Privacy Act of 1974 as well as several other statutes. Office of Management and Budget (OMB) Deputy Director for Management Sally Katzen points to another GAO study that shows more favorable compliance with government-mandated privacy policies set out last year in an OMB memorandum. However, the memorandum in question pertains mostly to the Fair Information Practice of Notice, and the study did not verify whether agencies actually complied with their stated policies.

Consumers should be concerned about how the federal government collects, stores, trades and protects their data. And government agencies should be held to higher standards and greater restrictions than the private sector because of the coercive nature of data collection. In the private sector, if you do not like the data collection practices of one firm, you can take your business elsewhere. With government agencies, there exists no such choice. If you do not disclose data to a government agency you may be punished with a fine or jail.

The GAO report in question is only the tip of the iceberg. It does not cover the information practices for data collected offline through the myriad forms we face every time we get a new job, register a car, or pay our taxes. Governments have sold personal information to private sector companies in the past, often without prior permission, and sometimes with disastrous results. Rebecca Schaeffer, a Hollywood celebrity, was killed after a deranged fan used DMV information to find her home address.

However, most critics overlook the most frightening part of the GAO report. Only 27 percent of the Web sites in the high impact group have adequate security measures in place. This is by far the biggest threat to consumer privacy posed by government. Identity theft is more common now that collecting the little bits and pieces of information needed to impersonate someone else and apply for loans and credit cards, or purchase big-ticket items such as jewelry or automobiles, no longer requires a trip down to the local courthouse but can be done from a computer terminal.

Consider the findings of another GAO report titled, “Information Security: Serious Widespread Weaknesses Persist at Federal Agencies.”

For most agencies, the weaknesses reported covered the full range of computer security controls. For example, security program planning and management were inadequate. Physical and logical access controls also were not effective in preventing or detecting system intrusions and misuse. In addition, software change controls were ineffective in ensuring that only properly authorized and tested software programs were implemented. Further, duties were not adequately segregated to reduce the risk that one individual could execute unauthorized transactions or software changes without detection. Finally, sensitive operating system software was not adequately controlled, and adequate steps had not been taken to ensure continuity of computerized operations.

Clearly, the government needs to take care of its own data handling practices before lecturing the private sector. Private sector firms compete for, and therefore must satisfy the privacy concerns of, consumers if they are to survive. But government lacks such motivation, and therefore should be the primary concern for politicians who truly want to protect the privacy of American consumers.