Census' Big Phish Story

At a Senate hearing on the 2010 census this week, Census Bureau Director C. Louis Kincannon said one of the reasons why the bureau wasn't using the Internet to allow Americans to file their personal census information directly with the bureau was because the agency feared the Web just isn't secure enough. He also said phishing schemes may trick the public in giving up personal information to ID thieves -- and then the bureau would be in really big trouble.

I'm having a hard time following this line of reasoning. The handheld computers that the bureau is testing for the temporary enumerators to use in the field in 2010 have huge security risks. But the bureau and the handheld contractor, Harris Corp., seem to have solved many of the device's security issues. That was no easy task (although other, much bigger risks face the Census Bureau and the handhelds, as I point out in an article that ran in the July 15 issue of Government Executive, and as my colleague, Tom Shoop, points out in his Fedblog). So, the Census Bureau and its contractors seem to know how to follow best practices to solve big security problems for the handhelds. The same best practices from the biggest e-retailers and online banking also could be followed for a Web-based census app.

As for phishing, the Internal Revenue Service, in its popular electronic tax filing program, which members of Congress (namely Sen. Tom Coburn, R-Okla., who is one of the most outspoken census critics) say the bureau could copy to develop a Web-based census filing app, have come up with ways to defend against phishing attacks. Banks and online merchants also can provide best practices to fight phishing.

It's not like the Census Bureau needs to reinvent the wheel -- which it seems it did when it issued requirements for the proprietary handheld computers, by the way. Much of the work already has been done for them. They just need to borrow it.