Agencies must reach out to citizens on their data privacy concerns, experts say

'The IRS doesn't need to know who I am if I just want a copy of a publication.'

' The Center for Internet Security's Franklin Reeder

The government must consider citizens' perceptions about privacy when it embarks on e-government and data-sharing initiatives, federal and industry officials said at a recent supercomputer conference.

And if agencies don't, they should expect that Congress will, said Nathaniel S. Heiner, acting chief knowledge officer at the Homeland Security Department.

Consider the controversial Total Information Awareness data-sharing project, he said, adding that it has something in common with the FBI's Carnivore e-mail monitoring effort, later renamed DCS1000.

TIA didn't start out with the oversight controls that Congress later imposed, Heiner said last month at the National High-Performance Computing and Communications Council conference in Newport, R.I. That lack of controls 'tripped a lot of wires' and makes approvals tougher for the Defense Advanced Research Projects Agency project, Heiner said.

Networks and their connected systems are inherently nonprivate, a fact that most people don't understand, he added.

Homeland Security wants to engage vendors about such privacy and security concerns, but the mere act of setting up an outreach Web site for discussion could raise questions about intellectual property and trade secrets, Heiner said.

William Turnbull, deputy CIO of the National Oceanic and Atmospheric Administration, said his agency primarily disseminates data in one direction'outward.

'We're not collecting a lot of information from the public' except for the National Marine Fisheries Service's online permitting, Turnbull said.

NOAA's weather-forecast site, www.weather.gov, strives to present data the public wants, Turnbull said. Unlike commercial weather sites, however, the National Weather Service can't store a user's ZIP code for future reference because agencies are forbidden to place cookies on users' computers.

Automated patch management

NOAA is starting to try out automated patch management to deal with freshly discovered network security holes, but the project is still in the early stages, Turnbull said.

'One of the problems with today's software is that it's so feature-laden that it has a lot of capacity for us to harm ourselves,' said Franklin S. Reeder, chairman of the Center for Internet Security in Hershey, Pa.

Nonmandatory e-government programs can earn their keep only if people trust the government to keep their data private, Reeder said. He cited studies that found many consumers surf e-commerce Web sites for information but prefer the vendors' toll-free numbers for transactions.

Privacy perceptions are individual, Reeder said, so most online government functions should preserve people's ability to have multiple electronic identities and remain anonymous.

'The IRS doesn't need to know who I am if I just want a copy of a publication,' Reeder said. 'Even if you don't think you're dealing with personal information, if you have a customer relationship management system, you are in the personal information business.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above