With the federal government’s growing interest in acquiring ever larger amounts of personal information on Americans, I thought FGI readers might be interested in this May 2006 report issued by the nonpartisan Government Accountability Office of the US Congress:
PRIVACY: Key Challenges Facing Federal Agencies
Report GAO-06-777T, May 17, 2006
Full Report at http://www.gao.gov/new.items/d06777t.pdf
As a public federal document, the full summary can be posted here:
What GAO found:
Agencies and their privacy officers face growing demands in addressing privacy challenges. For example, as GAO reported in 2003, agency compliance with Privacy Act requirements was uneven, owing to ambiguities in guidance, lack of awareness, and lack of priority. While agencies generally did well with certain aspects of the Privacy Act’s requirements – such as issuing notices concerning certain systems containing collections of personal information – they did less well at others, such as ensuring that information is complete, accurate, relevant, and timely before it is disclosed to a nonfederal organization. In addition, the E-Gov Act requires that agencies perform privacy impact assessments (PIA) on such information collections. Such assessments are important to ensure, among other things, that information is handled in a way that conforms to privacy requirements. However, in work on commercial data resellers, GAO determined in 2006 that many agencies did not perform PIAs on systems that used reseller information, believing that these were not required. In addition, in public notices on these systems, agencies did not always reveal that information resellers were among the sources to be used. To address such challenges, chief privacy officers can work with officials from OMB and other agencies to identify ambiguities and provide clarifications about the applicability of privacy provisions, such as in situations involving the use of reseller information. In addition, as senior officials, they can increase agency awareness and raise the priority of privacy issues.
Agencies and privacy officers will also face the challenge of ensuring that privacy protections are not compromised by advances in technology. For example, federal agency use of data mining – the analysis of large amounts of data to uncover hidden patterns and relationships – was initially aimed at detecting financial fraud and abuse. Increasingly, however, the use of this tool has expanded to include purposes such as detecting terrorist threats. GAO found in 2005 that agencies employing data mining took many steps needed to protect privacy (such as issuing public notices), but none followed all key procedures (such as including in these notices the intended uses of personal information). Another new technology development presenting privacy challenges is radio frequency identification (RFID), which uses wireless communication to transmit data and thus electronically identify, track, and store information on tags attached to or embedded in objects. GAO reported in 2005 that federal agencies use or propose to use the technology for physical access controls and tracking assets, documents, or materials. For example, the Department of Defense was using RFID to track shipments. Although such applications are not likely to generate privacy concerns, others could, such as the use of RFIDs by the federal government to track the movement of individuals traveling within the United States. Agency privacy offices can serve as a key mechanism for ensuring that privacy is fully addressed in agency approaches to new technologies such as data mining and RFID.
There are some more specific remarks on RFID technology starting on page 17 of the PDF file. I found GAO’s remarks on privacy concerns and “mission creep” to be especially interesting:
A number of specific privacy issues can arise from RFID use. For example, individuals may not be aware that the technology is being used and that it could be embedded in items they are carrying and thus used to track them. Three agencies indicated to us that employing the technology would allow for the tracking of employees’ movements. Tracking is real-time or near-real-time surveillance in which a personâ€™s movements are followed through RFID scanning. Media reports have described concerns about ways in which anonymity is likely to be undermined by surveillance. Further, public surveys have identified a distinct unease with the potential ability of the federal government to monitor individuals’ movements and transactions. Like tracking, profiling – the reconstruction of a person’s movements or transactions over a specific period of time, usually to ascertain something about the individual’s habits, tastes, or predilections – could also be undertaken through the use of RFID technology. Because tags can contain unique identifiers, once a tagged item is associated with a particular individual, personally identifiable information can be obtained and then aggregated to develop a profile of the individual. Both tracking and profiling can compromise an individual’s privacy and anonymity.
Concerns also have been raised that organizations could develop secondary uses for the information gleaned through RFID technology; this has been referred to as “mission-” or “function-creep.” The history of the Social Security number, for example, gives ample evidence of how an identifier developed for one specific use has become a mainstay of identification for many other purposes, governmental and nongovernmental. Secondary uses of the Social Security number have been a matter not of technical controls but rather of changing policy and administrative priorities. As agencies take advantage of the benefits of RFID technology and implement it more widely, it will be critical for privacy officers to help ensure that a full consideration is made of potential privacy issues, both short-term and long-term, as the technology is implemented.
I think in light of the “the innocent have nothing to hide” mentality of the last few administration, full consideration of privacy issues will not be made by the federal government. On the other hand, libraries have a rich history of protecting patron privacy.