Data Breach Raises Questions About NASA Policy At Issue in Recent Supreme Court Case
We hate to say “I told you so.”
In 2010, the Supreme Court heard a case called NASA v. Nelson, which involved the government’s right to carry out highly intrusive background checks. NASA decided to require its employees—many of whom had already been working for the agency for many years in what the government conceded were “low-risk” and “non-sensitive” positions—to fill out a form in which they were required to disclose any illegal drug use or possession within the previous year, along with details on any treatment or counseling received for such use. These employees were also required to sign an authorization permitting NASA’s security people to obtain
any information relating to [the employee’s] activities from schools, residential management agents, employers, criminal justice agencies, retail business establishments, or other sources of information.
NASA would then decide if the employee was suitable for employment, based on unclear criteria but including (according to a document posted on the agency’s site) factors such as:
- “cohabitation,” “sodomy,” “indecent proposals,” or “adultery”
- “abusive language” or “unlawful assembly”
- “homosexuality ... when indications are present of possible susceptibility to coercion or blackmail”
- “physical health issues”
- “mental, emotional, psychological, or psychiatric issues”
- “issues…that relate to” an associate or relative “of the person under investigation”
A group of NASA employees challenged the constitutionality of this unnecessary, stupid, and shamefully intrusive and disrespectful security procedure as a violation of their right to privacy.
The government argued that the privacy issues would be minimized since under the Privacy Act, NASA would be required to keep what it learned confidential. In an amicus the ACLU filed with the Supreme Court, we argued that “some information is so private and so personal that individuals should not be compelled to disclose it to anyone, including the government, absent an overriding governmental interest.” We argued that the right to privacy is not waived once information is shared with third parties (such as the institutions listed above). We argued that the government had not justified its need to obtain details such as the medical and psychological treatment of employees. And we pointed out that the Privacy Act, which the government claimed would ensure confidentiality, is riddled with exceptions.
We also made another key point: that the government’s terrible record at keeping private information secure and confidential made the Privacy Act irrelevant. We wrote:
Notwithstanding the Privacy Act, moreover, there have recently been numerous high-profile incidents in which, despite government’s best efforts and best intentions, highly personal and sensitive information collected by the government has been disclosed.
We then pointed out to the court numerous examples in which the government had failed to keep private information private—for example this paper by Peter Swire on employee “peeping” at government records, this Chronology of Data Breaches by Privacy Rights Clearinghouse, and years’ worth of GAO reports on continuing privacy and security problems at the IRS. We concluded,
At a minimum, this troubling history of unauthorized disclosures highlights the importance of requiring the government to demonstrate its need for the sort of highly personal and intimate information it is requesting from Respondents in this case.
Unfortunately, the Supreme Court ruled in January 2011 that the Constitution does not make the NASA background checks impermissible.
Lo and behold, yesterday it was reported that NASA had suffered a large data breach in which a laptop belonging to the space agency was stolen. According to a message from the agency to all employees, it contained “records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others.”
The agency said affected workers would receive a letter informing them that their sensitive personally identifiable information was on the stolen laptop. We don’t know how many details were on that laptop concerning workers’ substance abuse or psychological problems, or gossip from landlords and anyone else and about their sexuality, physical health, or emotional issues—or that of their friends and relatives. Hopefully none. But such data should never have been collected in the first place.
Events could not have demonstrated the validity of our argument more clearly. We would take credit for our incredible prescience and insight, if the things we warned against were not so utterly predictable as to make any such insight unnecessary.