Board: DHS system doesn't guarantee privacy
- By Alice Lipowicz
- Dec 12, 2008
The Homeland Security Department’s privacy policy for its Einstein
intrusion-detection system that monitors government computer network
gateways does not safeguard the privacy of information collected from
visitors to federal Web sites, according to a federal advisory board.
DHS’ Privacy Impact Assessment for Einstein suggests that visitors to
federal Web sites have no expectation of privacy in the “to/from”
address of their messages or in the Internet Protocol addresses of the
sites they visit, Ari Schwartz, vice president at the Center for
Democracy and Technology, wrote the White House in a recent letter.
Schwartz wrote the undated letter on behalf of the federal Information
Security and Privacy Advisory Board, which operates under the National
Institute of Standards and Technology.
DHS’ statements in the privacy
impact assessment represent a change from previous government policy
that has suggested that there is an expectation of privacy in such
activities, Schwartz wrote. He cited guidelines from the Office of
Management and Budget that indicate visitors to government Web sites
should always be informed that their IP addresses may be collected and
shared.
Schwartz said that in the past, agencies used a privacy
exemption to the Freedom of Information Act to deny requests for the IP
addresses of visitors to federal Web sites.
“We urge OMB to
recommend that DHS clarify the above language in the privacy impact
assessment to explain that any privacy interest in IP address and other
header information is being adequately addressed by DHS through fair
information practices, considering the significant law enforcement and
national security interest in use of this information by Einstein2,”
Schwartz wrote.
Schwartz also suggested that federal agency
executives draft other documents that would be attached to the DHS
privacy assessment, discussing how each agency works with DHS and how
each agency handles personally identifiable information. The agencies
soon will be posting notices on their Web portals that computer
security information is being collected and monitored, he added.
Einstein
and the Comprehensive National Cybersecurity Initiative ought to have
greater clarity and transparency to allow better oversight of privacy
and security law and policy, Schwartz wrote in the letter that became
public Dec. 4.
Because the letter was not addressed to DHS
and has not been received by DHS, the department cannot respond
directly to the letter, DHS spokeswoman Amy Kudwa said. The network is
still in the testing and development phase, she said, and the
department will be updating its privacy impact assessment for the
program as it continues to test the system.
An OMB spokeswoman said the department has not yet received the letter.
About the Author
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.