Keeping it private

The federal government currently can't depend on commercial data to authenticate personal information for electronic transactions, a General Services Administration official said this week.

"If we're going to accept information that we’re going to rely on, it has to be based on the same structure for verifying claimed information," said David Temoshok, director of identity policy and management for GSA's Office of Governmentwide Policy. "Frankly, we're not there today."

Temoshok spoke June 1 at FCW Events’ Web-Enabled Government Conference. FCW Events is a unit of FCW Media Group, which owns Federal Computer Week.

Commercial information could be convenient for verifying transactions such as changes of address, but private sector data collection often falls short of federal privacy standards, Temoshok said.

"Is there sharing of information that is potentially beyond your control as the end user? Yeah, there is,” he said.

Federal agencies must follow the Privacy Act, which requires them to say they will disclose information to other agencies and give reasons for doing so, typically through publicized privacy impact assessments.

Government officials have taken years simply to verify citizens' own credentials online, Temoshok said.

Meanwhile, lawmakers appear ready to impose restrictions on the fast-growing and largely unregulated commercial database market, following a series of high-profile security breaches of late. The incidents revealed security and privacy holes at ChoicePoint and LexisNexis Group, two of the nation’s largest data aggregators.

The FBI buys information from data aggregators ChoicePoint, credit bureau reporting companies, Dun and Bradstreet, LexisNexis, the National Insurance Crime Bureau and Westlaw, which agents use mainly for convenience, FBI officials previously have said.

Recently, lawmakers asked the Government Accountability Office to investigate privacy concerns involving ChoicePoint and other database companies involved with federal contracts.

At the FCW conference, Charles Armstrong, chief information officer for Homeland Security Department Border and Transportation Security, said he could not comment on the government's use of information from specific vendors because of the GAO review. However, federal agencies generally have much more awareness of security than of privacy, Armstrong said.

Some privacy advocates said they support the government's use of commercial information for national security if it is controlled.

Nancy Libin, staff counsel for the Center for Democracy and Technology, said her group is particularly concerned about querying private sector databases for individuals' behavioral patterns.

"You have no reason to believe that they are engaged in terrorist activities except for that they fit a pattern of someone who might be engaged with that," Libin said. "Many people who aren't suspicious at all become suspicious because of the activities they are in engaged in."

Privacy is not just about keeping information secret, but also covers information that individuals disclose to others, Libin said. Privacy is about control, fairness and consequences, she said.