Feds propose consolidation of personal info in databases
The U.S. government is working to consolidate how it collects, uses, and protects personal data about citizens and federal employees.
WASHINGTON--The federal government is trying to find better ways to standardize and coordinate personal information about American citizens that is currently spread across thousands of databases, according to a White House official.
There are more than 3,000 programs or databases in the federal government that hold personal information--Social Security numbers, addresses, fingerprints, and so on--yet the government is only beginning to develop a plan for collecting, protecting, and using such information.
"You have a lot of duplication of data" among various agencies, said Duane Blackburn, a policy analyst in the White House's Office of Science and Technology Policy. Moreover, he said, privacy controls and security measures vary from agency to agency.
At a forum here Tuesday hosted by the Information Technology Association of America, representatives from the federal government and the tech industry discussed how the government conducts identity authentication--either for federal employees or regular citizens--and how it can improve.
Blackburn helped establish an Identity Management Task Force that examined the government's current identity management architecture and how to consolidate the personal information collected.
Chartered by the National Science and Technology Council's subcommittee on biometrics and identity management, the task force released a report (PDF) in September. The report offers a set of recommendations, including possibly creating a position within the executive branch that would be responsible for coordinating identification management across all agencies.
Blackburn said the report presents "a vision--it's not a policy."The task force's report--the first of its kind--was produced after a six-month analysis of information management across all departments and agencies.
The government's current IT architecture consists of standalone repositories, many of which duplicate what is dubbed PII, or personally identifiable information.
"As such, differences exist in the ways the same PII and other information are retained, portrayed, weighted, and valued across the total data architecture," the report says. "Further, the existence of these duplicative and nonstandard data increases opportunity for data exploitation and unauthorized access."
To address those weaknesses, the task force presented the idea of a federated "network of networks," with cross-organizational and cross-domain interoperability. The task force breaks down PII into two categories: "basic information" and application-specific data. The architecture laid out by the task force would support the basic information, but not application specific data.
An agency, such as the Defense Department, would retain application-specific data (such as a special clearance) itself and would not share it across the network. However, it could access basic information--now often duplicated across agencies--in the supported data stores using a predefined querying process.
There will always be privacy concerns when personally identifiable information is being collected, the task force acknowledges. The "basic information" about an individual would be supported by the network, conceivably accessible to any government agency.
Blackburn maintained, however, that such information would be more secure with standardized privacy stipulations and methods of access. He also reiterated that information required for specific applications would only be accessible to the relevant agencies.
"It cannot be emphasized enough that this centralized data store approach is NOT being recommended," the report says. "The applications supported by this architecture will be enormously diverse, as will the nature of the content-specific data they use and retain. At the same time, the scale of the object architecture will be global and massive, as needed to support the full range of federal government activities and enrolled participants."
To approach this vision, the task force recommends tackling a number of issues, such as standards and guidelines that would have to be in place to support a federated network, the appropriate technologies to use, and how to best coordinate interagency efforts.
Blackburn said the task force stayed away from policy prescriptions because "if you try to specify that now, you run the risk of someone trying to do it now when it's not fully thought through--you run the risk of these recommendations being politicized."
Government agencies will face a test in the development of coordinated authentication programs on October 27, when every federal employee and contractor is expected to have a government "smart card," as required by a presidential directive.
With no common authentication system within the federal government, employees currently may have four or five credentials to gain access to various buildings and may only be expected to flash those credentials at a security guard. By contrast, the smart cards will be equipped with microchips, will hold biometric data like fingerprints, and will eliminate the need for multiple credentials.
"If you don't use the cards to change the way you do business, we have all wasted a lot of effort and money to produce cards people stick in their desk," warned Mary Dixon, director of the defense manpower data center for the Defense Department.