Government may be the worst threat to privacy

In a recent post on airport security over at the Civil Liberties Examiner site, I mentioned that the Transportation Security Administration recently announced the loss of an unencrypted laptop computer containing pre-enrollment records for approximately 33,000 people, intended for use in the Clear registered traveler program.

I wish I could say that was an isolated incident, or the sort of bumbling confined to a single government program, but it's not. In fact, a report in the latest issue of Consumer Reports finds that "government is among the biggest sources of ID leaks and that penalties are rarely imposed on those who are negligent."

The magazine reports that, just from 2005 to mid-June of this year, 44 million consumer records containing sensitive personal information were lost or exposed by government missteps.

The worst offender appears to be the Department of Veteran Affairs, which leaked 28 million records. The state of Ohio exposed 1.3 million records. Other guilty agencies include the IRS -- and the TSA, which, prior to the recent privacy fiasco, had already lost 100,000 records including sensitive information.

Government missteps include posting information, like Social Security numbers, in public records that are easily available to identity thieves. In fact, a November 2004 GAO report said (PDF):

[A]gencies in 41 states and the District of Columbia reported that SSNs are accessible in at least some of the public records they hold and a few reported this to be the case for as many as 10 or more different records. Additionally, we estimate that more than three-quarters of U.S. counties hold at least one type of record that displays SSNs, which has implications for the 94 percent of the U.S. population that we estimate live in those counties.

Those Social Security numbers may be just a mouse click away, since the GAO reported that "records with SSNs are accessible on the Internet in 15 to 28 percent of U.S. counties. We estimate that 34 to 48 percent of the population lives in these counties."

Often, government agencies seem adept at storing extraordinarily sensitive information on unsecured computers and backup devices, which are then misplaced or stolen. Consumer Reports notes that the 1.3 million records lost by Ohio were stored on a backup device which was taken from the home of a college intern.

A simple Web search found the following news stories, in no particular order, about the loss of government laptop computers containing personal data:

• Patients Data on Stolen Laptop (NIH: 2,500 records)


• Computer Theft Puts Floridians at Risk (Florida DOT: 133,000 records)


• Hospital spied on in LA, laptop stolen in SF (SF Airport: 33,000 records)


• Seniors’ data on stolen Pennsylvania government laptop (PA Department of Aging: 21,000 records)


• Fla. Natl. Guard laptop with soldier data stolen (FL National Guard: 100 records)

That's only a sample, of course, and doesn't begin to address other forms of data loss.

Government ineptitude with data security may become an increasing problem, now that Homeland Security, with the courts' blessing, has ruled that border agents may seize and search electronic devices without cause. Jeff Vining, writing for Gartner Group, warns that a seized storage device may pass through the hands of any number of agents, working for a variety of agencies. "The only legal limitations to this scenario are to avoid causing exceptional damage to the laptop's hard drive and to conduct the search and investigation in an inoffensive manner. This means that digital information can be downloaded by government agents, never returned or destroyed."

We already know what the government does with its own data; anybody care to bet that it will take better care of information stored on privately owned laptops and flash drives?

And then there's E-Verify, the great hope of border-defenders across the United States. Intended to confirm job-seekers' eligibility to be emplyed in this country, the system necessarily holds an enormous amount of data on Americans -- with more planned. The GAO reports (PDF) that "USCIS and the Department of State have begun exploring ways to include visa and U.S. passport documents in the tool, but these agencies have not yet reached agreement regarding the use of these documents. ...USCIS is negotiating with state motor vehicle associations to incorporate driver’s license photographs into E-Verify, and is seeking state motor vehicle agencies that are willing to participate in an image-sharing pilot program."

Who has access to that treasure trove of data in E-Verify? The GAO reveals that a 2007 review conducted by Westat found "anyone wanting access to the system could pose as an employer and obtain access by signing a MOU with the E-Verify program. USCIS officials told us that taking actions to ensure that employers are legitimate when they register for E-Verify is a long term goal for the program. However, according to USCIS officials, implementing such controls to verify employer authenticity may require access to information from other agencies, such as Internal Revenue Service-issued employer identification numbers..."

It's common to point to malicious actions on the part of government officials when warning of the dangers of state power. Equally dangerous, though, may be the banal incompetence and lack of concern government officials often display in handling the affairs of the people for whom they supposedly work.