Remarks to Cyber Security Alliance’s 1st Annual Data Integrity Conference
Thank you Paul for that introduction, and thank you for the invitation to be here today at the first annual data integrity conference.
Data integrity is something I know a little about from my experience in government. When I entered the White House in 1993 as Staff Secretary, I got my first and most comprehensive introduction to the issue. In that position, it was my responsibility to keep track of all the data the White House produced and consumed. And when I took the job, I not only inherited a huge pile of data, but I inherited a lawsuit about that data too.
This particular lawsuit had originated in the Reagan era, when his Administration attempted to delete emails at the National Security Council during Ollie North’s tenure there. I will leave it up to you to figure out why they would want those emails deleted. The case had been contested for years, but I managed to settle it by agreeing to keep an electronic archive of both Presidential and federal records, which, of course, included all emails.
As a newly minted hero to archivists everywhere, I soon found out that the system I agreed to keep would keep me mired in lawsuits for quite some time. In one such suit involving access to emails, my staff and I were surprised to discover a minor glitch in the way emails were being archived.
For some technical reason, one particular person’s emails were not being captured by the system. It may not have mattered so much if that person didn’t happen to be the Vice President of the United States. Needless to say, I soon found myself in front of a federal judge defending myself against accusations that my promises to implement a comprehensive system were not ones I intended to keep.
That particular experience taught me two things: one, the old saying is true, “No good deed goes unpunished,” and two, the government’s efforts to ensure the integrity of its data need careful consideration.
That’s why, I here to talk to you today—not as someone who speaks from business experience, but as someone who speaks from government experience. Because, the government is failing when it comes to data integrity, and its failures are all of our concern.
We know that with its elaborate bureaucracy, budget and time, government may not be able to keep pace with the private sector’s innovation when it comes to keeping information accurate and secure. But that does not mean that the federal government should be held to a lower standard—especially since it takes pride in setting such high standards for all of you. No, the government should set a good standard for its own actions. It should define what it means to make a commitment to data integrity and show what practices are necessary to make good on that commitment. The government should lead by example.
This would be in stark contrast to the example they have set over the past few years—where the government’s bad practices are continually exposed and many are left only needing to do the bare minimum to avoid being at the bottom of the barrel.
Well, now more than ever, it is time for government to climb to the top.
Since September 11th, some in the federal government have been on a feeding frenzy for data—from names and ethnicity to addresses and social security numbers—they have been amassing data in the name of national security. And more often than not, they are using private sector databases as a one-stop shopping center to skirt around laws and score lots of information.
From the government’s standpoint it makes sense: private companies collect more data, more often, and from more people than most government agencies can or have the authority to do. And all the government has to do is ask for it, because in the aftermath of 9/11 no company wants to appear unpatriotic or become the focus of a government investigation. But what happens when the government asks and receives data from the private sector is of growing public concern.
Take the case of JetBlue Airlines.
In 2002, the airline handed over 5 million customer records to a private data mining service hired by the Department of Defense. The Transportation Security Administration, which facilitated the information exchange, said that the data was to be used for improving security on military bases around the country. Instead, though, the data mining company took that passenger information, matched it with social security numbers, credit and other personal information to build a prototype profiling system very similar to CAPPS II. It then presented the system at a public technology conference complete with individual social security numbers and addresses–I guess just to prove the point that it could be done.
I hope that none of you at today’s conference will look up from your program and find your confidential company data on a panelist’s Power Point slide, or like JetBlue, you can expect to spend a good portion of time fighting with the FTC and fighting class action lawsuits.
But in the case of JetBlue, maybe the government’s bad practices weren’t all that bad when we consider that they at least made some attempt to ask for the data—“ask and you shall deceive” was perhaps its motto in this case. Nowadays, though, the government doesn’t feel the need to even make an insincere ask before it just outright takes the data it wants.
A case in point is the National Security Agency’s domestic wiretapping operation.
About a month ago, we found out that President Bush had authorized the National Security Agency to eavesdrop on international phone calls and e-mails of people within the United States without seeking warrants from courts, as required for domestic surveillance under prevailing statutes.
The President has defended his actions by invoking security concerns and by trying to reassure us that the wiretaps within the United States were done on a limited basis—targeting only international communications of people inside the United States with "a clear link" to terrorist organizations.
But why did the scooping up of this data have to be done outside the law? And how does the NSA determine the origin of a cell phone call in a highly complex, globalized network? What happens to the information once it is gathered? How does the President define a “clear link” to act on?
The answers to these questions are not only troubling because the wiretaps were illegal, ill-conceived and ill-managed, but it is troubling because there is evidence that they just didn’t work. There is evidence that the wiretaps created an information overflow, leading the FBI on a wild goose chase to investigate our school teachers rather than real terrorists. With this new evidence, reassuring the public is very difficult.
And there’s nothing the public needs right now more than reassurance. We know that the public has distrusted the government for a long time, but with each new day and with each new bad practice exposed, the public is finding a valid reason for that distrust.
Private sector companies know the consequences of public distrust.
When investors lose trust in a company, they stop investing. Stocks decline as confidence declines. For a company, a loss in the court of public opinion can be just as costly as a loss in a court of law. And with a growing connection between the public and private sector when it comes to collecting, sharing and using data, the government’s bad practices can spell bad business for you.
Now is the time to turn the tide. The federal government must take steps now to ensure the integrity of its own data or it will suffer the consequences—we will all suffer the consequences—soon.
Congress has seen the need to address data integrity issues in the private sector and has passed legislation.
One such piece of legislation is the Graham Leach Bliley Act. This law requires financial institutions to notify their customers on how their information is shared. Financial companies are also required to identify security risks to their data and come up with a plan to meet those risks. There are ideas on Capitol Hill about extending this to all public companies. In my view, it’s a matter of good corporate governance and might make sense.
And to follow that lead, one step the federal government can and should take to ensure the integrity of its own data is to institute a system that lessens the risk of data manipulation, increases the accuracy of recorded data, and more thoroughly tracks the use of data.
Immutable audit logs are a system that can do that.
Now, I’m certainly no technical expert when it comes to these systems, but luckily I happen to work with a few who are. Experts like Carl Malamud and Peter Swire, who work at the Center for American Progress. Some of you may know Peter from his work as the chief Privacy Officer at the Office of Management and Budget. Peter has a new paper on Immutable Audit Logs that will come out from the Markle Foundation in about two weeks.
Simply put, audit logs record activity that takes place on any given information sharing network, such activity may include queries made by users, information accessed, information shared between systems, and date and time markers for those activities. With immutable audit logs, the data that is recorded cannot be changed, creating clear evidence of what happened and when it happened.
Typically, audit logs that are used today are mutable. That is, the data logged can be changed by both authorized users within the system and by unauthorized users trying to hack into the system from outside. These standard logging practices allow insiders to cook their digital books and allow outsiders to remotely tamper with the records.
But with immutable logs, where all activity is recorded regardless of access, there is much less incentive even to try and cheat the system—because you know you’re going to get caught. All attempts to cover illegal activity or policy violations are recorded along with normal activity.
Without logging of user activity in government information sharing networks, there is no way to really demonstrate clearly for oversight and accuracy purposes that there is compliance with established policies and laws. The resulting lack of trust can lead to a situation where reasonable and desirable uses of information are blocked for fear of misuse.
This type of immutable system, then, is one the public can count on to set the record straight and keep the record straight. And those that keep the records will be held accountable.
Implementing immutable audit logs is one step the federal government can take to improve its own practices when it comes to keeping data accurate, secure and when it comes to holding public officials accountable for their use of our data.
But it is not an end all solution. Other steps need to be taken.
Today, due to corporate scandals at Enron, Arthur Anderson, WorldCom and others, the public is increasingly wary of business’ ability to look out for their consumers, employees, and industry’s best interests above their own.
As a few bad corporate apples have bred suspicion about our business leaders around the country and on Capitol Hill, lawmakers have seen the need to try and implement some safeguards.
One such safeguard is the so-called Sarbanes-Oxley bill, a piece of legislation requiring all public companies to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission. CEOs and chief financial officers must personally vouch for the accuracy and honesty of their company’s disclosures.
Corporate executives can no longer hide behind a veil of ignorance and they are the ones who are ultimately responsible for their company’s actions.
Beyond Sarbanes-Oxley, businesses have always taken the lead in instituting its own safeguards. Corporate executives are subject to review by their shareholders—who can request documents, authorize audits, and demand answers in an effort to ensure accountability. The shareholders are the proper owners of the company’s data, and they have the right to access it when needed.
The federal government has a similar system in place—but we call it the Freedom of Information Act. As federal agencies amass data and disperse it, the public has the right to request documents and audit what is done with that data in an effort to ensure accountability. The public is the proper owner of a lot of agency data, and just like shareholders, the public has the right to demand openness and accountability when needed.
Today, as more data is collected and distributed in the name of national security, some in our federal government are trying harder and harder to deny the public that right of access. As a result, the need to uphold the principles set out by FOIA is more important than ever before.
Consider that it was FOIA that allowed us to discover that the government had collected more than 275 million passenger records from major airlines.
It was FOIA that allowed us to discover that the Census Bureau provided the Homeland Security Department with data on people who identified themselves as being of Arab ancestry.
And it was FOIA that allowed us to discover the extent of the data sharing relationship between ChoicePoint and government agencies.
As the government tries to take more data from us, FOIA has taken on a new importance, and the some in the federal government know this. That’s why former Attorney General Ashcroft told the agencies that they should use every exemption from FOIA that they could find, and the Justice Department would defend this new secrecy. That’s why they do their level best to process requests slowly, black out anything that can be construed as confidential, and hold back all information that they reasonably can.
Without FOIA, our ability to hold our federal government accountable for its actions is severely diminished. Government officials should stop hiding and start helping the public access data of concern, and that starts by pledging to uphold the principles set out by FOIA and the Privacy Act. When the public can no longer trust those in power to keep their information confidential, secure and accurate, they must be able to trust in a system to check that the system is working and check their own personal information for themselves.
And ultimately, that’s what the issue of data integrity comes down to: trust.
As consumers, do we trust business to protect our personal data?
As investors, do we trust our executives to keep accurate and fair records?
As citizens, do we trust our government to protect our interests rather than their own when it comes to the collection and use of data?
The private sector has taken steps—many on its own—to restore the public trust, but so far our federal government has lagged behind. Instead, it has chosen to collect, distribute and use our data in a way that can only breed fear and suspicion. And when public suspicion replaces public trust, no technical tools or legal maneuvers will soon get it back.
The time has come for the federal government to focus on getting that trust back. The time has come for the government to focus on improving data integrity in a way that inspires the faith and confidence of the American people and the American business industry. Because, when it comes to implementing better security, accuracy and accountability measures where data is concerned, a small group of government insiders hidden from public scrutiny will never have all the answers.
Quite the contrary, the problems can only solved by all of us–working together–and holding each other accountable.
John Podesta is the President and Chief Executive Officer of the Center for American Progress.
The positions of American Progress, and our policy experts, are independent, and the findings and conclusions presented are those of American Progress alone. A full list of supporters is available here. American Progress would like to acknowledge the many generous supporters who make our work possible.