Lessons from Las Vegas: What happens in the database should stay in the database.
Any shred of information about the daily lives of citizens not currently contained in a government database will certainly be captured soon, as federal stimulus dollars create new opportunities for state and local agencies to track the activities of the average guy.
Raise any questions about whether the average guy wants to be tracked – and you will also raise the eyebrows of folks who view the “race to the database” as a tool for better government, or a way to meet energy needs, or a jobs program. Building citizen databases is the twenty-first century equivalent of building Hoover Dam.
Raising digital privacy concerns does not make you a luddite, or a member of the Tin Foil Hat Brigade that fears government above plagues, floods, and earthquakes. No question technology can be applied to make government more efficient, and save resources in all the ways envisioned. The problem is that government agencies have a terrible track record when it comes to protecting the data they collect. That goes for government agencies at all levels, all over the nation, especially the feds. If you have doubts, ask the federal government’s own auditors at the GAO, which consistently gives low marks for federal database security.
Perhaps you’ve been watching as the Las Vegas Sun chronicles the data breaches at University Medical Center and the Las Vegas Metropolitan Police Department. Two weeks, two stories that make a privacy curmudgeon’s skin crawl.
At the county-owned medical center, employees have allegedly received thousands of dollars selling confidential patient records to personal injury attorneys. Medical insiders told the Sun it’s been going on for a long time, and that hospital management mostly shrugged its shoulders after receiving tips about the privacy violations. The Sun also reports that the hospital’s chairman of the Board of Trustees – a county commissioner – was told about the activity, which is both a civil and a criminal HIPAA infraction, but he said he didn’t respond because he was not familiar with HIPAA, the federal health care regulation that lays out stringent patient privacy requirements.
Meanwhile, in court proceedings, Las Vegas Metro has confirmed that police personnel have improperly grabbed citizen information from a restricted database. This, arising from a lawsuit claiming that confidential data about ordinary Nevadans was leaked by police to a private investigator. The investigator was working on behalf of a politically well-connected person. The citizens were not suspected of any crime, but their names, dates of birth, and social security numbers were turned over the investigator, the lawsuit says, and have been in turn disseminated to third parties.
The Sun’s report included the assertion by Metro that Metro is not responsible for the actions of miscreant officers, who were violating Metro policy.
And so, with these events as a backdrop, let’s look at the future of private citizen information.
Smart energy meters are on the way, to monitor each household’s electrical activity, allowing numerous inferences. Inferences by whom? It depends on how public policy is crafted, but the interested parties might include divorce lawyers, insurance companies, law enforcement, and others who benefit from an orderly snapshot of private activity. If you can afford lots of energy use, perhaps you can afford more alimony. If your house was dark during the third week of August, and your wife’s best friend was also out of town, well?… And by the way… could that extra juice continuously drawn from the garage circuit be powering the plant lights used by pot growers?
If the Regional Transportation Commissions and NDOT get their wish, Nevadans will install a custom on-board gizmo in their cars to report mileage, facilitating a shift from the per-gallon tax to the per-mile tax. A simple odometer reading at the time of the pre-registration smog check would allow such taxation. But the transportation agencies would also like to gather data on when and where the mileage occurs, paving the way for a higher tax on folks who drive through bottlenecks at rush hour. And, as a byproduct, creating daily activity logs about vehicle owners.
The transportation agencies acknowledge that privacy is a concern among the taxpayers, but appear to view the concern primarily as a political obstacle to be overcome.
There’s more. Electronic medical records. The liabilities speak for themselves, and examples are plentiful. Online reporting requirements for businesses that receive stimulus funding include taxpayer ID numbers. The state databases link to the federal database, creating, in effect, one gigantic target for cybercriminals, poorly guarded, if federal database history is any guide.
The Reasonable Reporter, observing up-close the manner in which digital progress is approached by government agencies, ventures that government workers are not inherently bad guardians of the citizen, but that the building process is consistently focused on the gathering of information, rather than the protection of information. Security and privacy are often an afterthought, and, by the way, strong security and privacy cost money. Legislators and agency heads frequently wage hard fights for the money to accomplish the projects themselves, never mind the additional cost for protecting the citizen data.
After the data is collected, we arrive at the intersection – no, let’s call it a freeway cloverleaf – of politics, policy, and those few careless or profit-seeking human beings who would wander astray in the absence of internal policy enforcement. When the data leaves the database and the press comes knocking, predictable statements from management ensue.
“We view security as a top priority,” they say. Or “We have a policy,” or “We are now changing our policy.” The most commonly used statement, however, was unavailable to the agencies in the Las Vegas cases: “There is no evidence that anyone has been harmed.”Explore posts in the same categories: Uncategorized