US Gov't Panel Calls for New Privacy Rules
The U.S. government needs to rewrite the rules it has been using for 35 years to govern its use of personal data by focusing on new technologies for storing and retrieving data, a government advisory board recommended.
It's time for the U.S. Congress to overhaul the Privacy Act of 1974 by revamping arcane privacy notices called systems of records notices (SORNs), by requiring chief privacy officers at 24 major U.S. agencies and by creating a privacy.gov site where privacy notices from all agencies are available, members of the Information Security and Privacy Advisory Board (ISPAB) said Thursday.
Only 10 major agencies currently have chief privacy officers, and SORNs can be difficult to understand even for privacy experts, said Ari Schwartz, a member of ISPAB and vice president at the Center for Democracy and Technology (CDT), an advocacy group focused on privacy and online civil liberties.
The law is "stupid and way too narrow," said Peter Swire, former chief privacy counselor in President Bill Clinton's administration. "It's really out of touch with the way modern computers work."
The safeguards covered in the Privacy Act largely focus on government's use of paper records, but the government's ability to access personal data now far exceeds the limits of paper, said Dan Chenok, ISPAB chairman and senior vice president and general manager at IT solutions provider Pragmatics.
"We're no longer in the area of flat files," Chenok said.
In the past 35 years, the government has gained access to commercial databases, conducted data mining, used location and tracking technologies and has begun to experiment with social networking, Chenok said.
The continued use of SORNs represent a major problem, Schwartz said. A SORN is a group of any records from which information is retrieved by the name of person or by some other identifier assigned to a person. But many government searches, including data mining, don't start with searches for one person, he said.
The Privacy Act needs to cover database searches and data mining, he said. "The idea of a terabyte of data didn't exist in 1974."
The ISPAB also recommended that the White House Office of Management and Budget appoint a chief privacy officer to oversea all federal privacy issues, and it should rewrite the government's near ban on Web cookies, instead allowing cookies when Internet users opt in.
The Privacy Act established a set of fair information practices governing the collection, use and sharing of personal data held by federal agencies. The legislation requires that agencies give public notice of their data collection and sharing activities, and it prohibits the disclosure of information from a system of records without written consent from the people affected, with 12 exceptions.
Center for Democracy and Technology
Receive the latest security news as it breaks.
