Center for Democracy and Technology

Information Policy and Technology Branch
Office of Management and Budget
Room 10236
New Executive Office Building
Washington, DC 20503
Filed electronically at: gpea@omb.eop.gov

Comments on Proposed Implementation of the Government Paperwork Elimination Act 64 Fed. Reg. 43 (March 5, 1999).

Summary

The Government Paperwork Elimination Act (GPEA, Title XVII of Pub. L. 105-277) was enacted to make government service delivery more efficient while ensuring baseline standards for electronic signatures across federal agencies. Electronic service delivery offers taxpayers savings of time and money. However, a greater reliance on identity-based authentication techniques could lead to larger storehouses of information collected by the government and its private sector contractors. Congress recognized this privacy concern in GPEA and took steps to address it, yet the implementation of the law will still ultimately decide whether electronic service delivery provides individuals with greater privacy protections or greater privacy concerns.

OMB's guidance frames privacy appropriately, instructing agencies that the best way to comply with the privacy component of the law is to: 1) limit the use of identity-based authentication systems to those cases where it is absolutely necessary; 2) limit the amount of information collected; and 3) maximize user control over their information when collection is necessary. The proposed guidance reflects OMB's growing engagement in this critical issue. However, the Center for Democracy and Technology (CDT) would like to see the Guidance move further in three key areas to ensure that agencies truly integrate privacy in their implementations of the law:

1) Privacy must play an essential role in all aspects of the law's implementation and should be reflected through appropriate references throughout the document.

2) Identification should not be portrayed as the only type of authentication.

3) Technologies employed to comply with the law should, in their very design, address privacy concerns.

Goals of GPEA

The Center for Democracy and Technology (CDT) actively worked on the drafting of the GPEA. CDT saw the early draft of the bill as an opportunity to make government more responsive by putting government forms online and making electronic submissions acceptable. Despite these noble goals, CDT believed that the draft still needed to address two major concerns:

* First, we were concerned that the government would opt, or perhaps be forced, to favor a certain technology before the market had grown to include multiple choices of technologies. This could have severe negative ramifications. Of greatest concern to CDT was the potential for a single technology that would necessitate the large-scale warehousing of personal data and cause an escalation in the need for personal identity to be used to validate transactions. We were troubled by a scenario where agencies would use a single technology that validated the maximum amount of identity information simply because they needed that information in a single instance for an isolated collection.

* Second, we were also concerned that authentication schemes involving third party verification would create additional data trails of citizen interactions with government and centralize data collection in non-government warehouses. Combined, this could lead to a blurring of "systems of records" as defined by the Privacy Act of 1974 (5 U.S.C. 552a). Simply put, CDT believes that individuals should receive the same privacy protections if they submit forms electronically as they do with paper submissions, even if some of the information collected is held by non-governmental third parties. New data, not created in the paper world, must be afforded protections that reflect the goals of the Privacy Act.

As passed, the bill addresses these concerns and directs OMB to do the same. Specifically:

* To ensure the neutrality of technology, Section 1703(b)(1) was added to make clear that the guidance "(B) may not inappropriately favor one industry or technology" and "(E) shall, to the extent feasible and appropriate, require an Executive agency that anticipates receipt by electronic means of 50,000 or more submittals of a particular form to take all steps necessary to ensure that multiple methods of electronic signatures are available for the submittal of such form."

* To address concerns about greater warehousing and centralization of data, Section 1708 was added. This section, titled "Disclosure of Data," states: "Except as provided by law, information collected in the provision of electronic signature services for communications with an executive agency, as provided by this title, shall only be used or disclosed by persons who obtain, collect, or maintain such information as a business or government practice, for the purpose of facilitating such communications, or with the prior affirmative consent of the person about whom the information pertains."

Yet, even with the inclusion of this language, the guidance of OMB is critical to ensure that individuals filing online receive the same privacy protections as those filing through paper submissions. OMB's guidance and the implementations of individual agencies will have a profound impact on individual privacy.

OMB's Proposed Procedures and Guidance on GPEA

OMB's proposed procedures and guidance set out the most important piece of privacy guidance in the section on Privacy and Disclosure (Part II, Section 4), asserting that: "Electronic authentication should only be required where needed. Many transactions do not need, and should not require, detailed information about the individual" and "When electronic authentication is required for a transaction, do not collect more information from the user than is required for the application." In other words, if agencies do not need information, they should not be collecting it. While this sounds like common sense advice, CDT believes that directing agencies to limit data collection is critical. Agencies may otherwise take a 'better safe than sorry' approach, placing the burden on the individual to prove who they are by collecting large amounts of information. As OMB notes in the guidance, the use of multiple mechanisms to ensure greater individual choice and control over personal information, and compliance with the Privacy Act and the Computer Security Act (40 U.S.C. 759), are also essential concerns for implementers. In fact, CDT believes this advice should be reflected throughout the rest of the procedures in three specific ways:

1) Privacy must play an essential role in all aspects of the law's implementation and should be reflected through appropriate references throughout the document.

In the GPEA guidance, OMB emphasizes the importance of privacy by pulling out a separate section on Privacy and Disclosure. While this is an essential step to highlight the importance of privacy, CDT believes that agencies should be reminded of the role of privacy throughout the document. Specifically:

Part I Section 2. Procedures
a. The GPEA recognizes that adoption of electronic systems should be consistent with the need to ensure that investments in information technology are economically prudent to accomplish the agency's mission and give due regard to privacy and security.

The term "give due regard" should be replaced by the word "protect" to show that it is the affirmative responsibility of the agency to learn about and find the best technologies to use to protect citizens' privacy.

Part I Section 2. Procedures
b. An agency's determination of which technology is appropriate for a given transaction must include a risk assessment, and an evaluation of targeted customer or user needs. Performing a risk assessment to evaluate electronic signature alternatives should not be viewed as an isolated activity or an end in itself. These agency risk assessments should draw from and feed into the interrelated requirements of the Paperwork Reduction Act, the Computer Security Act, the Government Performance and Results Act, the Clinger-Cohen Act, the Federal Managers Financial Integrity Act, and the Chief Financial Officers Act.

The Privacy Act should be included in this list of applicable laws.

Part I Section 3. Agency Responsibilities
2. consider whether an appropriate combination of information security practices, authentication technologies and management controls for each application will be practicable, and if so, which combination will minimize risk and maximize benefits in a cost effective manner;

"Privacy practices" should also be a consideration in this cost-benefit analysis.

Part I Section 3. Agency Responsibilities
6. (b) Department of Commerce.
The Department of Commerce shall promulgate Federal Information Processing Standards as appropriate to further the specific goals of the GPEA. The Department should also develop best practices in the area of authentication technologies and implementations, including cryptographic digital signature technology, with assistance from the Government Information Technology Services Board, the Chief Information Officers Council and the President's Management Council.

The Chief Counselor for Privacy should also lend assistance to the development of best practices.

In Section 7. Summary of Procedures and Checklist, there should be a separate step suggesting the evaluation of the privacy implications of the collection and the technical means being considered with a recommendation of a consultation with privacy experts and authorities.

2) Identification should not be portrayed as the only type of authentication.

Although one of the main purposes of the GPEA was to ensure agencies had guidance on the use of technologies to authenticate the identity of individuals, using the terms identity and authentication synonymously throughout the guidance undermines the goals of the rest of the Privacy guidance. Agencies should be using multiple kinds of authentication and should be encouraged to use authentication technologies that are not identity-dependent when possible.

In fact, there are at least three distinct categories of authentication:

* Identity - Birth certificates and state issued identification cards prove that we are who we claim ourselves to be.

* Eligibility - Various keys allow us, or those with whom we share them, to enter our home, car or office. Documents such as frequent flyer numbers allow us to prove membership in an organization.

* Value - Currency acts as one form of certifier, performing the narrow function of proving that an individual is able to pay for a good or service. [1]

Agencies should be encouraged to use authentication technologies that do not ascertain identity. For example, if digital cash applications become more widely available, there would be no need to verify the identity of individuals who are simply purchasing a government report to be sent to a certain address.

Specifically, this would mean changing:

Part II, Section 4. Privacy and Disclosure
a. Electronic authentication should only be required where needed. Many transactions do not need, and should not require, detailed information about the individual.
b. When electronic authentication is required for a transaction, do not collect more information from the user than is required for the application.

to include the statement that "agencies are encouraged to use methods of electronic authentication that do not require identity when possible."

3) Technologies employed to comply with the law should, in their very design, address privacy concerns.

Policy guidance is essential in assuring that agencies are fully informed and implementing the law as intended, but the choices that agencies make in purchasing and designing technology will ultimately determine the outcome. OMB's guidance identifies six types of technologies that could be used to authenticate individuals in different ways. CDT is concerned that, while the rest of the guidance makes clear that privacy is a major concern, the privacy and security pitfalls of each technology are only touched on briefly. While a brief privacy and security analysis should be added for each technology, CDT is particularly concerned about the following two sections:

1. Smart Cards

Part II, Section 5. a.
2) Smart Card: A smart card is a plastic card the size of a credit card which contains an embedded chip that can generate, store, and/or process data. It can be used to facilitate various authentication technologies. A user inserts the smart card into a card reader device attached to a microcomputer or network input device. In the computer, information from the card's chip is read by security software only when the user enters a PIN, password, or biometric identifier. This method provides greater security than use of a PIN alone, because a user must have both (a) physical possession of the smart card and (b) knowledge of the PIN. Good security requires that the smart card and the PIN never be kept together. Note that the PIN, password or biometric identifier in this case is a secret shared between the user and the smart card, not between the user and a local or remote computer.

While this description of smart cards does indicate that there will be various authentication applications on an individual card, it does not point to the significant privacy and security dangers that could be presented if the particular implementation of the smart card does not use the proper precautions. If designed well, smart cards have the potential to give users greater control over their information. Yet if designed poorly, smart cards could undermine the goals put forth by OMB of limiting information collection to only what is necessary.

Authentication technologies have often been compared to keys. Drawing that same analogy in this case, agencies should use technologies that are more like a set of keys (the applications) on a key ring (the card) rather than technologies that utilize a single key (a single PIN or other identifier that would allow open access to more information on the card than is needed to complete the transaction). [2]

2. Biometrics

Part II, Section 5. b.
(4) Biometrics: Individuals have unique physical characteristics that can be converted into digital form and then interpreted by a computer. Among these are voice patterns (where an individual's spoken words are converted into a special electronic representation), fingerprints, and the blood vessel patterns present on the retina (or rear) of one or both eyes. In this technology, the physical characteristic is measured (by a microphone, optical reader, or some other device), converted into digital form, and then compared with a copy of that characteristic stored in the computer and authenticated beforehand as belonging to a particular person. If the test pattern and the previously stored patterns are sufficiently close (to a degree which is usually selectable by the authenticating application), the authentication will be accepted by the software, and the transaction allowed to proceed. Biometric applications can provide very high levels of authentication especially when the identifier is obtained in the presence of a third party (making spoofing difficult), but as with any shared secret, if the digital form is compromised, impersonation becomes a serious risk. Thus, just like PINs, such information should not be sent over open networks unless it is encrypted. Moreover, measurement and recording of a physical characteristic can raise privacy concerns.

While OMB notes the general privacy considerations of measuring and recording personal characteristics, the use of biometrics raises specific concerns.[3] Agencies should not be storing any of the actual physical characteristics. Historically, biometric identifiers have been a major concern to privacy advocates. The idea of fingerprinting every citizen and storing this information in a central database held by the government is the privacy nightmare of most Americans realized. These concerns have been magnified by the ongoing national debate over the use of genetic information. Yet recently, some privacy advocates have noted that a certain application of an encrypted biometric could resolve some of these concerns. This application would allow the information collector to save only the encrypted hash of the biometric in a database. On the user's end, the biometric is recorded and encrypted but not stored. Using this means, there is much less concern for corruption or misuse of biometric data. While these technologies are still being perfected, they offer the only acceptable use of a biometric technology by a government agency.
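The threshold matching OMB describes (a fresh reading is accepted when it is "sufficiently close" to the stored pattern) and the hash-only storage CDT refers to pull in different directions, and the code below is an added example, not part of these comments or of any agency's system, that shows why. The 64-bit feature vectors, the HMAC key and the impostor samples are all constructed for illustration; real templates are far larger and noisier.

```python
import hmac
import hashlib

# Constructed 64-bit feature vector standing in for an enrolled biometric
# template (real templates are much larger; illustration only).
ENROLLED = 0xA5A5_5A5A_F00F_0FF0
MASK64 = (1 << 64) - 1
KEY = b"constructed-collector-key"  # placeholder HMAC key, not a real secret


def hamming_distance(a: int, b: int) -> int:
    """Count the bits in which two equal-length feature vectors differ."""
    return bin((a ^ b) & MASK64).count("1")


def accept(enrolled: int, sample: int, threshold: int) -> bool:
    """Threshold match: accept when the fresh sample is 'sufficiently close'
    to the enrolled pattern, the tolerance being chosen by the application."""
    return hamming_distance(enrolled, sample) <= threshold


def perturb(template: int, flips: int) -> int:
    """Deterministically flip the lowest `flips` bits to stand in for
    sensor noise between two readings of the same person."""
    return template ^ ((1 << flips) - 1)


# Constructed pairs: genuine readings of ENROLLED with 0..4 noisy bits,
# and impostor vectors that differ from it in 32 or 64 bit positions.
GENUINE_PAIRS = [(ENROLLED, perturb(ENROLLED, k)) for k in range(5)]
IMPOSTORS = [
    ENROLLED ^ 0xFFFF_FFFF_0000_0000,  # upper half inverted (32 bits differ)
    ENROLLED ^ MASK64,                  # full complement (64 bits differ)
    0x0123_4567_89AB_CDEF,              # unrelated vector (32 bits differ)
    0x0000_0000_0000_0000,              # all-zero vector (32 bits differ)
]
IMPOSTOR_PAIRS = [(ENROLLED, imp) for imp in IMPOSTORS]


def error_rates(genuine, impostor, threshold):
    """Return (false_reject_rate, false_accept_rate) for one threshold over
    lists of (enrolled, sample) pairs: the trade-off the selectable
    tolerance controls."""
    frr = sum(not accept(e, s, threshold) for e, s in genuine) / len(genuine)
    far = sum(accept(e, s, threshold) for e, s in impostor) / len(impostor)
    return frr, far


def template_digest(template: int, key: bytes) -> str:
    """Keyed digest of a template: what a collector could keep in its
    database instead of the raw physical pattern."""
    return hmac.new(key, template.to_bytes(8, "big"), hashlib.sha256).hexdigest()


def digest_matches(stored_digest: str, sample: int, key: bytes) -> bool:
    """Compare a fresh sample against a stored digest. A plain digest only
    matches bit-identical input, so ordinary sensor noise defeats it."""
    return hmac.compare_digest(stored_digest, template_digest(sample, key))


STORED_DIGEST = template_digest(ENROLLED, KEY)

if __name__ == "__main__":
    for threshold in (2, 4, 32):
        frr, far = error_rates(GENUINE_PAIRS, IMPOSTOR_PAIRS, threshold)
        print(f"threshold={threshold:2d}  FRR={frr:.2f}  FAR={far:.2f}")
    noisy = perturb(ENROLLED, 1)
    print("threshold match on a 1-bit-noisy reading:", accept(ENROLLED, noisy, 4))
    print("digest match on the same reading:", digest_matches(STORED_DIGEST, noisy, KEY))
```

Tightening the threshold lowers the false-accept rate at the cost of rejecting genuine readings, which is the selectable trade-off OMB's text mentions. The digest functions show the other half of the picture: keeping only a keyed digest means the collector never holds the raw pattern, but a single flipped bit in the fresh reading produces a different digest, so the scheme needs an error-tolerance step that a plain hash does not provide. That gap is what "still being perfected" refers to, and it is the question an agency should ask a vendor before accepting a "hashed biometric" claim.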

The next few years will offer a whole new series of innovative technologies designed specifically to offer individuals more control over their information. CDT has been working on a standard, the Platform for Privacy Preferences (P3P), with the World Wide Web Consortium (W3C) that may serve as a basis for privacy enhancing tools.[4] OMB should be encouraging agencies to use innovative technologies that are specifically designed to give citizens more control and options as they are created.

We look forward to working with OMB and the agencies to make sure that GPEA is implemented in a way that provides greater interaction between the government and the citizen while ensuring privacy protections.

Respectfully submitted,

Deirdre Mulligan
Staff Counsel

Ari Schwartz
Policy Analyst

Center for Democracy and Technology
1634 Eye Street, N.W., Suite 1100
Washington, D.C. 20006
(202) 637-9800
http://www.cdt.org

[1] Roger Clarke, of Xamax Consultancy Pty. Ltd. in Australia, defined these three types as 'value authentication,' 'eligibility authentication' and 'person authentication' in his August 13, 1997 paper "Promises and Threats in Electronic Commerce." His electronic commerce Web site http://www.anu.edu.au/people/Roger.Clarke/EC/ links to this and other innovative papers on the role of authentication.

[2] A deeper discussion of privacy and smart cards: Schwartz, Ari. "Smart Cards at the Crossroads: Authenticator or Privacy Invader?" in "The Smart Card: Is Your Privacy Compromised?", At Home With Consumers, Volume 19, Number 3, December 1998, available at http://www.cdt.org/digsig/idandsmartcards.shtml.

[3] Most notably, Ontario Information and Privacy Commissioner Ann Cavoukian; see "Privacy and Biometrics: Oxymoron or Time to Take a Second Look?" at http://www.ipc.on.ca/web_site.eng/matters/sum_pap/PAPERS/cfp98.htm

[4] For more information on P3P see: http://w3.org/P3P.