Thursday, June 29, 2006

Data security — a bureaucracy's solution

Reacting to the recent problems (see here and here) about federal data getting lost, the US Office of Management and Budget (OMB) has now issued guidelines about how to protect sensitive agency information in the future. As the Washington Post reports, civilian agencies will have 45 days to implement the new measures which essentially are encryption of all movable data (on laptops and handheld computers) and keeping detailed records of all information downloaded from databases containing sensitive information.

The guidelines are available as a pdf document here, and they are instructive less for their substance (see above) than for the insight they provide into the workings of a bureaucracy's mindset: One page of instructions is followed by nine (!) pages of a security checklist that includes a flowchart, a checklist and excessively detailed prescriptions about procedures that I can only describe as mind-boggling...

Care for a snippet? Here is one chosen at random:

"Action item 2.3: Revise/develop organizational policy as needed, including steps 3 and 4.

Guidance: Based upon the results from the previous action items, the organizational policy is revised or developed to fully address the questions posed in the previous action items.

Related SP 800-53 controls and associated SP 800-53A assessment procedures:
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
SP 800-53A: AC-1.1, AC-1.2, AC-1.3, AC-1.4 (for high impact add: AC-1.5, AC-1.6, AC-1.7)
"

And this goes on page after page after page…

Update: Fiittingly, today it was announced that the stolen laptop with the soldiers' and veterans' data that triggered this all has been recovered (see CNN report here). Apparently there are have been no reports of identity thefts from the data concerned so far. And since much of the blame was initially put on the analyst from whose house the laptop was stolen, it is interesting to note that this employee apparently had approval dating back from 2002 to use the data with specially written software in his home. He now is challenging his dismissal from the Dept. of Veteran Affairs.

Technorati Tags: ,

Friday, June 23, 2006

US administration obtained international financial records in fight against terror

The Bush administration obtained records about financial transactions from a Belgian cooperative that routes money between international banks in an attempt to fight terrorists, the New York Times writes today in a big story. The Society for Worldwide Interbank Financial Telecommunication or SWIFT is described by the NYT as "the nerve center of the global banking industry" as it passes $6 trillion daily between banks, brokerages and stock exchanges.

After 9/11, the CIA subpoenaed SWIFT and initially obtained their whole database of transactions. After 2003, SWIFT managed to insist on there being SWIFT representatives present when records were analysed and to block searches they considered inappropriate.

While safeguards seem to have been imposed to protect against unwarranted searches of Americans' records, no such protection seems to exist for citizens of other countries. It also seems that American laws restricting government access to private financial records do not apply because SWIFT is considered a messenger service and not a bank or financial institution.

This case links to the Bush administration's other high tech snooping operation that came to light some six weeks ago, namely the NSA building up a giant database of phone calls in America (see the blog entry here). Whether any of these massive data mining operations have yielded valuable information against terrorists that could not have otherwise been obtained we do not know at this point. What we know for certain is that millions and millions of records containing private information have been obtained by government officials, and that the further uses these records will be put to are unknown. Will they get lost, like those of the Army veterans and currently serving personnel?

Update: In the meantime, SWIFT has published a statement on its compliance policy on its website, detailing the process from its point of view and emphasizing that its role was not voluntary. And the NYT reports that Vice-President Cheney has assailed the press for publishing the story, implying that this endangered US national security (a point strongly refuted by the NYT's executive editor). Cheney also described the administration's actions as "good, solid, sound programs" that are "absolutely essential in terms of protecting us against attacks". Privacy advocates like Privacy International's Simon Davies have complained that "our data has been effectively hijacked by the U.S. under cover of secret agreements and entirely undisclosed terms."

Technorati Tags: ,

Monday, June 19, 2006

The European Parliament: a pyrrhic victory on passenger name records?

It looks as if the European Parliament's much touted victory in the case of the US-EU agreement on passenger name record (PNR) transmission (see the blog entry from 3 weeks ago here) may turn out to be a pyrrhic one. The reason is that the European Commission has today adopted two initiatives that will renew the agreement, but under a procedure that excludes the European Parliament from the decision making (namely Art. 38 of Title VI of the Treaty on European Union for the Euro-experts among my readers).

Much as data protection aficionados will not like this, it is not a sinister move by the Commission. Rather, as the European Court had declared the legislation invalid under internal market rules, a new way had to be found, and that is now in the "intergovernmental" part of the European Union — the part where governments agree among themselves without participation from the European Parliament.

However, the Court did not pronounce on the compatibility of the PNR agreement with European level data protection legislation. It may thus be that a new attempt will be made to bring the agreement before the Court, disputing its substance. Since the Commission wants to keep the content of the agreement with the US as it stands at the moment, privacy action group lawyers can already sit down and start writing their briefs…

Technorati Tags: ,

Wednesday, June 07, 2006

US Army data loss also affects active soldiers

Two weeks ago it emerged that a laptop and an external hard disk containing the data of some 26 million US veterans had been stolen from the home of an employee in early May 2006. The employee had violated Department of Veteran Affairs rules in taking the data home. (See the blog posting covering that event here and the latest information from the US government here).

Now the US Department of Defense has announced that the hard drive may in addition have contained the data of as many as 1.1 million active-duty servicemembers, 430,000 National Guardsmen, and 645,000 members of the Reserves.

In the meantime, the political battle over legislation concerning the issue of identity theft continues. Interestingly, a bill before Congress (HR 3997) seems to weaken rather than strengthen consumer rights in this field.

Update: As the Washington Post writes, the data stolen cover nearly 80 per cent (!) of the active duty force. Using them would enable the targeting of service members and their families in the U.S. through ZIP codes, or on foreign travels. There is a $ 50,000 reward for information allowing authorities to recover the laptop. And apparently heads have been rolling in the Department of Veteran Affairs, including that of the employee (who had been taking data home for three years) and his boss. A class action suit has been filed, demanding $ 1,000 for each veteran affected. At 26 mio. records, this could become very expensive for the administration if successful!

It is still not known whether the burglars know of the nature of the data in their possession; however, I would assume that not only the law enforcement side is now urgently interested in this hard disk...

Technorati Tags: