Welles: When does privacy rule?

Energy Department rule

How far should we go to protect ourselves and our information if protection risks losing some privacy rights? Energy Department officials may be testing an edge of the privacy issue in a proposed regulation governing access to information on any department computer.

The law establishing DOE's National Nuclear Security Administration required employees to allow officials at investigative agencies to access computers they used for work and for three years after they leave their jobs. Given the agency's mission in protecting U.S. nuclear resources, such cybersecurity requirements might seem understandable.

In a newly proposed regulation, DOE officials have broadened the organization's requirement to all department computers as a good business practice, said William Hunteman, the organization's cybersecurity program manager. It was also broadened in other ways.

The proposed rule makes it clear that no user of a DOE computer, including anyone who sends an e-mail to a DOE computer, would have any expectation of privacy. Every federal and contractor employee with DOE computer access would be required to sign a consent form for use by investigative agencies.

"We have a responsibility that information we process on computer systems is appropriately protected and that the privacy of individuals is protected. "Where the two come together is what we wrestle with on a daily basis," said Bruce Brody, DOE's associate chief information officer for cybersecurity.

DOE officials have also required that a banner inform users that activities on the computer system are subject to interception, monitoring, recording, auditing, inspection and disclosure. The banner notifies users that their continued use of the system indicates their awareness of and consent to this monitoring.

Recent reports suggest the importance and difficulty of regulating cybersecurity and securing e-mail messages. Symantec's latest Internet Security Threat Report finds that attacks on government networks are becoming more sophisticated as hackers look for backdoors into vulnerable computers.

The Internal Revenue Service Inspector General's Office found that IRS officials have controls in place to protect sensitive data, but problems occur in enforcing employees use of secure messaging.

"The rest of the [IRS] has similar security issues," Brody said. "This [requirement] serves as a deterrent on the front end of any suspicious computer use, and on the back end, it allows appropriate authorities to take a look if anything bad has happened."

So you should watch what you write and who you write to when you send e-mail messages. You never know who may be reading them.

Comments on the proposed regulations may be e-mailed by May 16 to connie@hg.doe.gov. Include docket No. NNSA-RM-00-3235 in the subject line of the message.

Welles is a retired federal employee who has worked in the public and private sectors. She lives in Bethesda, Md., and writes about work life topics for Federal Computer WeekShe can be reached at judywelles@fcw.com.