White House expands data protections to non-citizens

Data collected by federal agencies on people who are not citizens or permanent residents will be subject to the same privacy protections afforded those groups once the recommendations of the Obama administration's Big Data report are put into effect.

The change in federal information collection is one of the tangible results of the 90-day review of federal privacy rules as they relate to high-volume collection and high-speed analysis of information, typically described as "big data."

The 79-page report said that big data technology is full of promise, while pointing out attendant risks to privacy and the possibility of using analytics to discriminate.

Big data is already being used by government agencies and the military to accelerate and refine medical research, probe educational data for new teaching strategies, and protect U.S. forces deployed in theaters of war. But the ubiquitous collection of data on consumer transactions, internet activity, medical information and financial data -- not to mention the location and personal information collected by mobile devices, sensors and cameras -- could be used in ways not in keeping with the original intent of the collection.

The review was ordered as part of a broader look at privacy and information issues arising from the revelations of the breadth of U.S. domestic and international surveillance programs by former intelligence community contractor Edward Snowden. The review was launched in January, around the time President Barack Obama announced his intent to revamp some intelligence community data collection practices. However, intelligence collection and analysis did not figure into the review published May 1, which was headed by presidential counselor John Podesta and authored in large part by deputy CTO Nicole Wong.

"The principle focus that we had was what's going on with the technologies in the commercial world, what's going on in the rest of government, what's going on in law enforcement, what's going on in the education sector, including the research sector, and we left the intelligence work to the work streams that were laid down in January," Podesta said on a call with reporters.

Still, some observers wondered if the review and recommendations were a way to deflect criticism over surveillance policies.

"Frankly, channeling public outrage over NSA overreach into the debate around commercial privacy regulation is irresponsible," said Ed Black, president and CEO of the Computer and Communications Industry Association.

The White House review recommends that Congress pass legislation to create a national standard for private companies to report data breaches to consumers, and update the Electronic Communications Privacy Act to standardize the disparate privacy protections that apply to email and other communications stored on hard drives and devices, as well as to email stored in the cloud or via other remote virtual applications.

An effort led by Senate Judiciary Chairman Patrick Leahy (D-Vt.)to update the law have gone nowhere, although multiple data breach bills have been introduced by lawmakers inspired by the recent theft of personal and financial data from Target and other retailers.

The administration plans to draft legislation to enshrine the principles of its Consumer Privacy Bill of Rights into law and take steps to make sure that data collected on students is used only for educational purposes. And the report recommends expanding the level of technical expertise at the Federal Trade Commission, the Justice Department, the Consumer Finance Protection Bureau and other agencies with jurisdiction over consumer protection and civil rights, to watch for discriminatory practices that could be fueled by data analytics and prepare investigative and regulatory responses.

Technology industry groups worried that the focus on discrimination could lead to new regulations.

"We appreciate the report's focus on the overall benefits that the effective use of big data can achieve but are somewhat confused as to why the administration has also focused on hypothetical concerns about the use of data," TechAmerica's senior vice president for federal government affairs, Mike Hettinger, in an emailed statement. "This creates uncertainty in the minds of Americans about a technology that has so much potential."

The provision to apply the standards of the Privacy Act to personally identifiable information on non-U.S. persons stored in government databases is a "major undertaking," according to Podesta, and one that will take time to coordinate across agencies.

The report praises the Department of Homeland Security for its efforts to manage data in its systems using tagging that establishes access control for users, and indicates how different types of information collected are protected from disclosure or sharing by law or regulation. The architecture of the DHS data marts are cited as models for law enforcement and other agencies holding sensitive information to follow.

"Most importantly, I think the president has charged us with building the architecture of privacy protection during the remainder of his administration," Podesta said. "[W]ith the recommendations contained in the report and the analysis contained in the report, we have some additional policy development to do, but we are on our way to providing the protections that are necessary to ensure privacy now and into the future."

The White House report was accompanied by a more-technical look at big data analysis by the President's Council of Advisors on Science and Technology. That report gets into the details of how to apply current data collection standards on notice and consent to an increasingly wired and networked world, in which data is collected by sensors and apps and aggregated in ways often beyond the scope of the individual's knowledge or consent.

The PCAST report suggests that consumers have access to a single privacy profile that companies honor when collecting and sharing data. With so many apps, transactions, and collection points it is "all but impossible for an individual to make fine-grained privacy choices for every new situation or app," the report notes.

The institution of such a system is likely to generate pushback from industry.

"Burdensome new legal requirements would only impede data-driven innovation and hurt the ability of U.S. companies to create jobs and drive economic growth, " said Mark McCarthy, vice president of policy for the Software and Information Industry Association.