Board: DHS system doesn't guarantee privacy

The Homeland Security Department’s privacy policy for its Einstein intrusion-detection system that monitors government computer network gateways does not safeguard the privacy of information collected from visitors to federal Web sites, according to a federal advisory board.

DHS’ Privacy Impact Assessment for Einstein suggests that visitors to federal Web sites have no expectation of privacy in the “to/from” address of their messages or in the Internet Protocol addresses of the sites they visit, Ari Schwartz, vice president at the Center for Democracy and Technology, wrote to the White House in a recent letter.

Schwartz wrote the undated letter on behalf of the federal Information Security and Privacy Advisory Board, which operates under the National Institute of Standards and Technology.

DHS’ statements in the privacy impact assessment represent a change from previous government policy that has suggested that there is an expectation of privacy in such activities, Schwartz wrote. He cited guidelines from the Office of Management and Budget that indicate visitors to government Web sites should always be informed that their IP addresses may be collected and shared.

Schwartz said that in the past, agencies used a privacy exemption to the Freedom of Information Act to deny requests for the IP addresses of visitors to federal Web sites.

“We urge OMB to recommend that DHS clarify the above language in the privacy impact assessment to explain that any privacy interest in IP address and other header information is being adequately addressed by DHS through fair information practices, considering the significant law enforcement and national security interest in use of this information by Einstein2,” Schwartz wrote.

Schwartz also suggested that federal agency executives draft other documents that would be attached to the DHS privacy assessment, discussing how each agency works with DHS and how each agency handles personally identifiable information. The agencies soon will be posting notices on their Web portals that computer security information is being collected and monitored, he added.

Einstein and the Comprehensive National Cybersecurity Initiative ought to have greater clarity and transparency to allow better oversight of privacy and security law and policy, Schwartz wrote in the letter that became public Dec. 4.

Because the letter was not addressed to DHS and has not been received by DHS, the department cannot respond directly to the letter, DHS spokeswoman Amy Kudwa said. The network is still in the testing and development phase, she said, and the department will be updating its privacy impact assessment for the program as it continues to test the system.
 
An OMB spokeswoman said the department has not yet received the letter.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
