A Data Stream for Identity Thieves

The federal government recently contracted out the job of creating a new information system for the Civilian Personnel Management Service, which is essentially the Pentagon’s human resources department for its civilian employees. The contractor immediately subcontracted out part of the work to another firm. A treasure trove of information -- home addresses and phone numbers, spouses’ names, children’s names, schools, Social Security numbers, e-mail addresses, information about past employment and education, health records and disciplinary actions -- was suddenly out of the government’s sole control.

Much of this information is highly marketable, and transferring it to the contractor creates an opportunity, given the nature of data in electronic form, to divert it for nefarious purposes. Identity theft is one possibility. Blackmail to gain access and control over Defense Department employees is another.

The government, however, seems less interested in protecting this valuable -- and potentially dangerous -- information than in privatizing its services. The price may be our privacy and financial security.

Government collects and retains a wide range of sensitive information about us, from HIV testing to brushes with the law. Moreover, the Reason Public Policy Institute reports, more and more private companies have government service contracts that enable them to generate and collect highly personal information. This includes social and mental health services; education, medication and psychiatric services; unemployment benefits processing; accounting and information technology; legal services; permit applications, payment of taxes or fines and car registration. If any of this information fell into the wrong hands, it could cause enormous financial loss.

Nevertheless, federal and state governments see their information systems as especially appropriate for privatization. According to the Reason Institute, the Treasury Department has contracted out its “information technology services, including networks, LANs [Local Area Networks], desktop computer setups, help-desk support and system administration.” Pennsylvania has announced it will consolidate and outsource all its agencies’ data centers. Connecticut said it wants to turn over all its information technology functions to the private sector, because it doesn’t view this as a core government function.

Once information is either contracted out or subcontracted, government loses control of it in many ways.

For example, when a contractor provides computer equipment and develops software to run it, personal information is embedded in the software and may be impossible to extract when the contract expires or is terminated. Equally worrisome, digital information, because it is almost infinitely replicable, can be sold or retained by a subcontractor for future use even after it has ostensibly been returned to the government. How can the government, or we, be satisfied that all copies have been returned?

Fortunately, most private contractors that have access to or store confidential government information realize that security is a priority.

But just because most contractors can be trusted doesn’t mean that all can. Policy to protect our privacy cannot simply be based on the competent and conscientious. Private companies already know this, which is why many of them refused to disclose information about their security vulnerabilities to the Office of Homeland Security. They feared that the federal government would not have the same incentives to protect the information’s confidentiality.

Compounding our vulnerability, federal and state governments are increasingly unable to police their information technology contracts for noncompliance. Key to such government oversight is the development and retention of in-house expertise. But because IT is often chosen for privatization, governments, in effect, divest themselves of such expertise.

Recent revelations of corporate impropriety teach an important lesson about who can be trusted. A contractor in financial straits, or one that puts profits above ethics, might find it difficult to resist exploiting the valuable commodity that personal information is. Take the unethical, even illegal lengths some companies will go to, then couple that to mass identity theft, and you get a sense of the potential problems.

But the federal government hasn’t learned these lessons. It plans to continue privatizing huge numbers of government jobs intimately connected to our national security. Government is not taking the complex legal and technical issues raised by information transference seriously. And there will be no solution if the answer is solely left up to chance or market forces.

Can it be that no one in Washington is concerned about protecting this information? That the executive branch is prepared to risk our privacy and hope for the best? That seems to be the case, and Congress can’t remain on the sidelines. For starters, it should hold hearings on how to keep public information secure.

There are two possible outcomes of such a debate. One is that Congress would set clear standards for privatizing the government’s information. At a minimum, these standards should require that all nongovernmental employees handling public information hold high-level security clearances. Congress, furthermore, should appropriate money to ensure that the government can exercise effective oversight of contractors and devise severe penalties for violators.

The second possibility is that Congress would conclude that public information and IT functions should not be contracted out. Cost savings might disappear if private contractors were held to the highest security standards, making it cheaper for the government to keep IT in-house. Even more important, Congress may see that no matter how stiff the penalties are or how certain justice is, the risk that our privacy may be violated to save the government some money is simply not worth taking.