A very important government report on privacy and cybersecurity programs flew under the radar last week.
The reports were produced in response to President Obama's executive order from last February, which directed agencies to explain how they share our private information and what they do to protect it. Overwhelmingly, agencies offered little to no information, and what they did share was discouraging.
With one exception: the Department of Homeland Security (DHS).
DHS issued a thorough report about past and present activities and the results are impressive. In no uncertain terms, it says that personal identifying information (PII) will not be shared unless it is "necessary" to address a cyber threat. It expressly recognizes that information on a cyber "victim" is different from information on a cyber "attacker" and the operative question isn't whether personal data was legally collected, but whether it is "material" to an investigation. It's refreshing to see an intelligence agency recognize publicly that "collecting unnecessary data is unlikely to advance an investigation or technical assistance effort, and may in fact hinder it."
If DHS is the paragon of unexpected transparency here, then the rest of the federal government is pulling down the shades on how they share and protect our sensitive information. Many agencies simply wrote a couple of pages to confirm they are working on it – without any information on what that means or what privacy protections are presently in place. The Departments of Energy, Transportation, and Health and Human Services – despite holding a treasure trove of sensitive U.S. data – had no meaningful disclosures to judge whether they are in fact following the president's order to incorporate the Fair Information Practice Principles.
Others mentioned just enough to raise huge red flags.
The Department of Justice, for example, briefly mentioned the FBI's iGuardian program, which accepts tips on suspicious cyber activity. With a straight face, DOJ reports that privacy is protected because the FBI only retains and shares personal information that is "relevant" to an investigation. As Edward Snowden informed us nine months ago, the administration's official, court-sanctioned position is that all data can be relevant to an investigation in the digital world. If the FBI is collecting and using cyber data in the same way the NSA deals with phone calls – we are in trouble.
The Defense Department also carries the "relevance" torch. You may remember that in 2012, it created a program for its private sector partners to share cyber information. While these companies are part of the Defense Industrial Base – and are not necessarily processing general consumer information – it is heart-stopping to learn that there can be "incidental" collection of personal information, which can be shared with the DoD when "relevant." Cue more NSA references.
This is an annual report, and hopefully next year we'll have more useful information on non-DHS practices. I've testified before Congress about how important it is that DHS be the lead agency for domestic cyber programs. This report only further proves that no other agency even vaguely compares to DHS when it comes to privacy.