As a result, since 2008, there have been at least 78 breaches of information held by federal agencies. These 78 breaches add up to at least 77 million records, according to Christopher Calabrese, legislative counsel at the American Civil Liberties Union.
“The Privacy Act of 1974 was a landmark statute that has provided significant privacy protections but now needs to be updated,” said Calabrese.
An example of one breach occurred in March of this year at the Environmental Protection Agency in Washington, DC.
According to Privacy Rights Clearinghouse, a computer security breach exposed the Social Security Numbers, bank routing numbers and home addresses of a total of 5,100 current employees. There were also 2,700 other people whose information was exposed by the unspecified computer breach.
Notification of the breach was not sent until July.
The ACLU endorsed setting a statute of limitations on the length of time federal agencies can hold personally identifiable information about employees or civilians.
Paul Rosenzweig, a cybersecurity consultant and former senior homeland security official in the Bush administration, agreed on the need to protect people’s rights but not through a statute of limitations. He said, something more dramatic is needed.
“I would not advise the Congress to undertake the task of updating the Privacy Act. Since I think that its entire structure is mismatched to technological reality, I would advocate a more extended consideration that leads to a complete rewrite of the statute,” Rosenzweig said in his testimony.
The “technological reality” Rosenzweig speaks of is the fact that as technology advances it is inevitable that our reliance on the Internet and global communications systems will increase.
“One leaves an electronic trail almost everywhere you go,” he said.
Protecting the informational cookie crumbs we leave behind is exactly what most citizens worry about, but they have no idea how to toss their cookies while surfing the web.
More plainly described, cookies allow websites to track and store your comings and goings, any information you load onto a site and information from the web browser someone is using.
Advertising agencies figure out that they can target ads to consumers by collecting information about what they are clicking on while they are browsing the Internet.
Committee Chairman Daniel Akaka, D-Hawaii, worried about government agencies using private sector databases, such as ad agencies, for law enforcement and other purposes that may infringe on individuals’ rights.
“This is not covered by federal privacy laws, which creates a loophole that allows agencies to avoid privacy requirements,” he said. This can adversely impact the rights on consumers.
Akaka emphasized that “we should require privacy impact assessments on agencies’ use of commercial sources of Americans’ private information.
He also said agencies need to be transparent with their use of commercial databases to ensure that Americans have the right protections, like access (who uses their information), notice (when its being used), correction (when information is being changed) and purpose of use (how its being used).
On the other hand Rosenzweig said that to bring the government up to speed with technology, it should not focus on use and limitations, “which requires the use of advanced data analytics, we should focus on the admittedly more difficult question of defining when it is and is not appropriate to impose adverse consequences on citizens.”
Along with defining the right and wrong times the government can use your information, Rosenzweig said, there is the difficult “task of building a comprehensive oversight and audit system that constrains government activity effectively.”
Rosenzweig final words left a lingering question mark hanging in the hearing room, is the government the one we should really be afraid of?
“At the DEFCON [community of professional hackers] conference in Vegas, the crowd was asked which they feared more, the government or Google. Six to one the crowd said they feared the power of Google to gather our private information over the government.”
Follow Malena @mcaruso2 on Twitter
Pingback: Connect What? | The State of Security