In a recent report to Congress, the General Accounting Office audited computer security at 20 federal agencies. Fully 18 agencies received a grade of C or less–and seven got Fs. Among the flunked agencies are the Department of Justice, the Department of Labor, and the Department of Health and Human Services, all of which house some of the most sensitive data on American citizens.
Thankfully, many in Congress are taking this threat seriously. At a hearing to discuss the GAO report, Rep. Stephen Horn (R‑Calif.) declared, “Obviously there is a great deal of work ahead… [federal agencies] must take the necessary steps to mitigate [privacy] threats. There is no room for complacency.” But instead of taking the threat seriously, most agency officials were quick to pass the buck, blaming security breaches on a lack of federal funding and lack of cooperation among agencies and oversight committees.
The fact that this information resides in databases accessible across the country makes federal agencies especially appealing targets for Internet hackers and disgruntled employees. Rep. John Conyers (D‑Mich.) asked, “So should we now be comfortable with a ‘trust us, we’re the government’ approach? I don’t think anybody on the committee has that view.”
Conyers isn’t paranoid. The ability of the government to exploit citizens’ private information has often had terrible consequences. For example, the internment of Japanese-Americans during World War II was made possible largely because the government maintained (and still does maintain) Census data specifying race. More recently, in 1995, more than 500 IRS agents were caught illegally snooping through the tax records of thousands of Americans, including personal friends and celebrities. Only five were fired for that gross misconduct. In 1998 numerous Arizonans’ credit card information was exposed on a state-run Web site established to make registering cars more convenient.
Information obtained from the Library of Congress illustrates in greater detail how federal databases imperil citizens’ privacy. Those databases show that our government is not only warehousing sensitive information that could enable a hacker to put together a complete profile of an individual but that those data are not stored as securely as they need to be. The following is a sample of findings, with a summary of sensitive data held by the agency and GAO report card grades:
- The Department of Commerce maintains databases that contain an individual’ s name, age, birth date and place, sex, race, home and business phone numbers and addresses, family size and composition, patterns of product use, drug sensitivity and medical history. Grade: C minus.
- The Department of Health and Human Services possesses data on Medicaid enrollment, claims histories, and billing and collection records. Grade: F.
- The Department of Housing and Urban Development keeps research on single families, mortgages, and income patterns. Grade: C minus.
- The Department of Justice maintains the FBI’s central records system, which includes witness-security information. Grade: F.
- The Department of Education stores national student loan data and maintains a national registry of deaf and blind children. Grade: C.
- The Department of Labor maintains a race and national-origin database and credit information on debtors. Grade: F.
- The Department of the Treasury has files on, among other things, relocated witnesses and electronic surveillance. Grade: D. ’
Concerns about the security of federally held data could be dramatically reduced if the federal bureaucracy were scaled back to its proper, constitutionally limited role. At the very least, the federal government should adopt the new security technologies prevalent in the private sector to reduce the exposure of personal records to unwanted eyes.
Will it happen? I’d like to think so, but if the FBI’s refusal to rein in its “Carnivore” e‑mail surveillance system is any indication of government willingness to vigilantly defend our privacy, we have great cause for concern.