Sales in WSJ: Abuse in Information Sharing

Recent revelations that employees and staff from private contracting firms made unauthorized searches of the passport files of the three remaining 2008 presidential candidates illustrate why Congress and civil liberties organizations have concerns over unauthorized incursions into private information, says Professor Nathan Sales.

Sales, a former senior policy official at the Department of Homeland Security, told the Wall Street Journal, "This is the sort of thing that critics of information-sharing arrangements point to" in criticizing some of the Bush administration's counterterrorism programs, which have allowed U.S. spy agencies greater access to private information than ever before.

Passport Breaches Fuel Concerns, The Wall Street Journal, March 22, 2008. By Jay Solomon and Siobhan Gorman.

"The State Department said the passport system contains as many as 200 million records and isn't connected to any other database. The department acknowledged that laws might have been violated, noting that the 1974 Privacy Act generally prohibits personal information from being disclosed without consent.

"The three candidates released statements demanding an investigation and criticizing the State Department for its lax oversight.

"'I expect a thorough review and a change in procedures as necessary to ensure the privacy of all passport files,' said Mr. McCain, the presumptive Republican nominee.

"Congress and civil-liberties organizations have voiced worries about Washington's ability to access the private information of Americans. This concern has been fed by the administration's counterterrorism programs, which have enhanced the ability of U.S. spy agencies to comb private phone records and financial transactions.

"'This is the sort of thing that critics of information-sharing arrangements point to,' said Nathan Sales, a former senior policy official at the Homeland Security Department.

"Officials said most of the information in the candidates' passport files came from past applications, including their Social Security numbers, home and email addresses and phone numbers. In a minority of cases, they said, passport files also include documents related to citizenship determinations, for instance, for American citizens born outside the U.S. Mr. McCain was born in Panama. The files apparently don't show where individuals have traveled.

"The State Department first said late Thursday that Mr. Obama's file had been accessed without authorization by three individuals working for the two contractors. The disclosure was prompted by a Thursday article in the Washington Times.

"Officials said Mr. Obama's file was accessed Jan. 9, Feb. 21 and March 14, and an internal-security program alerted administrators from the State Department's Office of Passport Services. Two of the contractors' employees were subsequently fired, while a third was reprimanded. It was later learned that this third employee accessed Mr. McCain's file earlier this year, officials said.

"The State employee accessed Mrs. Clinton's passport file last summer during a training exercise on processing passports. At the time, the department faced a backlog of applications. Officials said that backlog -- and the need to train people to process all those applications -- may have caused the breach.

"'We were bringing in people who don't normally do passport work,' said department spokesman Sean McCormack. 'When you're doing training, you need to be able to actually work with the system in order to do a good job.'

"The breach highlights a chronic problem plaguing agencies that oversee national security or gather large quantities of data on Americans. The Government Accountability Office has found problems with information security across the government since 1997, said Gregory C. Wilshusen, director of information-security issues at the GAO, the investigative arm of Congress. The government 'doesn't measure how well or how effectively' its security measures work, he said.

"In a report last year, Mr. Wilshusen found information security lacking at the departments of State, Homeland Security, Justice and Defense. The deficiencies create increased risk 'they will not be able to effectively protect the confidentiality, integrity, and availability of their information and information systems,' Mr. Wilshusen wrote.

"In January, he reported that the Internal Revenue Service had fixed only a third of its security weaknesses. Among them: granting employees access to systems and information they don't need to do their jobs.

"Experts said insiders often are neglected when agencies set security procedures. 'There's been so much emphasis on hacking from the outside; it's the people inside who are just as much of a risk,' said Ellen Libenson, a vice president at Symark International Inc. of Agoura Hills, Calif., a computer-security company. She said contractors can pose a threat because they aren't vetted in the same way as government employees. Private contractors also tend to hide data when their employees are involved in breaches, firing them quietly and allowing them to get a job at other firms.

"One solution, she said, is using software to restrict contractors' access to sensitive data. 'You treat them like an outsider,' she said."

Read the article