Way to go DHS! And Shame on the Rest of You

A very important government report on privacy and cybersecurity programs flew under the radar last week.

The report follows President Obama's executive order from last February, under which agencies were directed to explain how they share our private information and what they do to protect it. Overwhelmingly, agencies offered little to no information, and what they did share was discouraging.

With one exception: the Department of Homeland Security (DHS).

DHS issued a thorough report about past and present activities and the results are impressive. In no uncertain terms, it says that personal identifying information (PII) will not be shared unless it is "necessary" to address a cyber threat. It expressly recognizes that information on a cyber "victim" is different from information on a cyber "attacker" and the operative question isn't whether personal data was legally collected, but whether it is "material" to an investigation. It's refreshing to see an intelligence agency recognize publicly that "collecting unnecessary data is unlikely to advance an investigation or technical assistance effort, and may in fact hinder it."

If DHS is the paragon of unexpected transparency here, then the rest of the federal government is pulling down the shades on how they share and protect our sensitive information. Many agencies simply wrote a couple of pages to confirm they are working on it – without any information on what that means or what privacy protections are presently in place. The Departments of Energy, Transportation, and Health and Human Services – despite holding a treasure trove of sensitive U.S. data – had no meaningful disclosures to judge whether they are in fact following the president's order to incorporate the Fair Information Practice Principles.

Others mentioned just enough to raise huge red flags.

The Department of Justice, for example, briefly mentioned the FBI's iGuardian program, which accepts tips on suspicious cyber activity. With a straight face, DOJ reports that privacy is protected because the FBI only retains and shares personal information that is "relevant" to an investigation. As Edward Snowden informed us nine months ago, the administration's official, court-sanctioned position is that all data can be relevant to an investigation in the digital world. If the FBI is collecting and using cyber data in the same way the NSA deals with phone calls – we are in trouble.

The Defense Department also carries the "relevance" torch. You may remember that in 2012, it created a program for its private sector partners to share cyber information. While these companies are part of the Defense Industrial Base – and are not necessarily processing general consumer information – it is heart-stopping to learn that there can be "incidental" collection of personal information, which can be shared with the DoD when "relevant." Cue more NSA references.

This is an annual report, and hopefully next year we'll have more useful information on non-DHS practices. I've testified before Congress about how important it is that DHS be the lead agency for domestic cyber programs. This report only further proves that no other agency even vaguely compares to DHS when it comes to privacy.


Comments (2)

Anonymous

I think some of it is unmitigated bullshit, especially when you consider that because of a "privacy" law, the Virginia Tech shooter was able to "fly under the radar" until the day he attacked and killed 31 people, wounding 17 more.
The "privacy" law in his case was grossly and disgustingly abused.
NObody should have to DIE BY GUNSHOT because some jackass bastard "has all the rights of a law-abiding citizen" right before he kills 31 people, wounds 17 and then kills himself because he didn't want to own what he did.
I know a person whose son was shot at Virginia Tech and I found out yesterday that a privacy law prevented people from knowing the shooter's condition before he went on his insane rampage of death and destruction.

I think the people touting "privacy over EVERYthing," even to the point that they appear not to even care that 50 student lives were endangered (and 31 were taken) are the ones who should be saying shame on themSELVES.
I think that information is one of the worst things I've ever discovered. It disgusts me beyond belief. I feel furious at people who are all or nothing, no in between, black or white and no shades of gray. I have no use for a person like that. Most of the students who died were under 22 years old.
They had hardly begun to live before they were blasted out of the world.

Anonymous

The DHS and FBI do not collect; however, the NSA gives data to anyone that requests it. So these facts are indeed bs and twisting. They only need one data collector and that collector made it clear it shares the data not only with the DHS and FBI but also the Fusion centers and police departments.
