
Threat is a function of physical security measures and their enforcement. High degree of risk of exposure to intruders.

Greatly expanded threat of unauthorized access due to potential vulnerability of communications. Low risk of exposure. Potential for masquerading as any of the authorized users quite high.

Threat to data confidentiality primarily that of misusing data otherwise authorized for access. Access control based on personal identification.

Same as T2 plus risk of misdirecting data; control of access to data (products) generally based on personal identification by operations staff. Procedures to assure proper data handling must be available and strictly enforced.

Somewhat expanded threat because of substitution of automated methods for personal identification. Also must validate identity of terminals. Requires either physical access controls for terminal area or authenticated identification of user. Increased costs of administration to control physical access to terminals and/or authenticated identification method.

Same as T5 with increased opportunity to masquerade if identifier/authenticator is compromised. Risk of data misroute present.

Producers constitute roughly the same threat as consumers except that they have the technical capability to siphon off data through corrupted programs. Degree of threat is a function of where they reside organizationally. If under same management control as consumers, threat is about the same as the consumer threat.

An increased threat to data over T7, but generally dependent on the operating system design. Can frequently spoof the operating system to gain unauthorized access to data.

Same as T8 (and T7) except greatly reduced risk of exposure plus increased opportunity for anonymous bypass of access controls. Some increased risk of masquerading depending on organization and physical set-up of remote sites.


It would be impossible to enumerate all of the data systems involving personal or otherwise valuable data or resources. However, in order to provide an operational framework for discussion of the privacy and security issues, the Conference did provide illustrations of such personal recordkeeping functions in governmental units and the kinds of data confidentiality and computer resource security problems that are faced by Federal, State and local governments. No significance should be attached to the order in which these illustrations appear.

3.2. State of California

Mr. Kent Gould, Chief, EDP Development, Department of Finance, State of California, described the organization of data processing in California. California expects to spend approximately $100 million for data processing activities in 1973, a figure that is growing at the rate of 20% per year. Eighty (80) state departments and agencies use data processing equipment for just about every application conceivable except command and control. The Department of Finance has absolute EDP authority in California, approving individual DP budget requests for equipment and personnel. In this role, the Finance department has the responsibility for enforcing compliance with security and privacy requirements.

California is presently attempting to consolidate data processing activities into five (5) major centers. Gould estimated that between 8000 and 10,000 data bases are processed by the State of California, of which approximately 45% contain personal data. He estimated that it costs between $200,000 and $400,000 per center to provide for security and privacy requirements.

In reviewing the privacy issue as seen in California, Gould indicated that it is the responsibility of the legislature to provide policy direction in this matter and to identify the confidentiality requirements of various data. Where there is no legislative mandate, the Executive branch will take action in its best view of the problem to protect data from unauthorized dissemination and use. It will monitor the data processing practices to insure that confidentiality requirements are met. In connection with the last point, he mentioned that California was developing a master audit package that "correlates to security/privacy requirements" and will be used to measure security/privacy compliance by the operating departments and agencies.

Finally, he noted that the primary security/confidentiality problem in California is how to prevent unauthorized use of data by people having authorized access to it. The essential question is the balance between management responsibility and public responsibility.

3.3. Law Enforcement Assistance Administration

Mr. George Hall, Acting Assistant Administrator, Law Enforcement Assistance Administration, Department of Justice, reviewed the development of LEAA's activities in computerized criminal information files. This activity was conceived as a network of State defined and operated systems dedicated to maintaining criminal activity information. The project grew from a feasibility demonstration project, SEARCH, that had 20 States participating by sharing criminal histories through a central data index. Hall noted that the development posed a number of design and policy questions of serious import to the question of privacy and constitutional rights of individuals. As a result of serious consideration of the problem, it was decided that: (a) the system(s) should be decentralized to eliminate the appearance (and reality) of Big Brother data banks; (b) only "serious" offenders should be included in the files; (c) only criminal and public record information should be kept. He noted that the policy decision to decentralize the system(s) has added to the costs of privacy.

In discussing the problems currently perceived with the system, a number of important problems/questions impinging on the issues of privacy/confidentiality/security were noted. Specifically, he cited the problem of who should be able to access criminal history data as one that needs joint Federal/State legislative action. Currently, most State statutes permit virtually anyone to access the records. Another problem is the integrity and validity of the data itself. Arrest records are maintained, but the disposition of the arrest is often not entered. In order to maintain properly valid and accurate data in such systems, it may be necessary to create new information collection systems (a move that appears to complicate the problem). Still another problem is the right of the individual to access and/or validate his records, along with questions of how long such records should be maintained. Finally, the question of file separation or merging for efficiency reasons looms large as a potential future danger to civil liberties.

(NOTE: The comments and problems noted above are better understood in the perspective of LEAA activity in this area. A review of LEAA's activity and other government activity in developing and maintaining criminal information files can be found in Appendix E of the HEW report.)

Finally, Hall noted a severe need for rational uniform standards regulating the collection and use of information.

3.4. State of Ohio

Mr. Jerry Hammett, Deputy Director, Department of Finance, State of Ohio, gave a brief review of automated recordkeeping activities in Ohio. The Ohio Department of Administrative Services either provides ADP services or authorizes the use of outside suppliers.

In describing data of security concern to Ohio State Government, he cited the following files as typical:

Personal Income Tax Records; Driver's License Records; Arrest and Conviction Reports; VD Records (Department of Health); Patient Records (Mental Health); Government Planning Records for Highways, Buildings, and Recreation.

Indicating that the concern over the security and confidentiality of data is not exaggerated, he cited the case where a Deputy Sheriff in an Ohio county was conducting an investigation business on the side and used his access to State criminal history records to supply data to his clients. In another case, personnel in the Motor Vehicles Department were found to be expunging data of serious traffic violations from offenders' records. He also posed the hypothetical threat of having individual (and corporate) tax liability modified in an unauthorized way.

Hammett stressed his view that interactive processing threatens system security. In discussing directions for possible solutions, he indicated the need for model (and eventually real) legislation concerning privacy and confidentiality and security standards and for the vendors to provide hardware and software security in their products.

3.5. State of Illinois

In a talk on managing computer operations, Mr. Robert Caravella, Management Information Division, Department of Finance, State of Illinois, presented highlights of some of the results of the joint State of Illinois - IBM study of the applicability of IBM's Resource Security System (RSS). He began by noting (as did other speakers) that the HEW study and Canadian Task Force on Computer Security and Systems marked the beginning of a "new era" in providing safeguards for privacy and data confidentiality.

In discussing the need for confidentiality/security provisions, he cited a number of potential (and real) exposures found in contemporary systems. These include:


He then went on to outline an Information "Privacy" Action Plan. The plan outline consisted of the following steps:


Finally, in discussing the benefits to be expected from the joint Illinois - IBM security study, he noted that the project was "well-balanced" in its approach--that the vital areas of legislation, technology, administration and education were all covered in the study. In the legislative area, model legislation has been produced covering individuals' rights to privacy and regulating the collection and use of information in the State. The technology activity was focusing on the areas of performance measurement and cost analysis of using RSS. In the administrative area, the work is concentrated on monitoring the application of RSS to determine how well it meets the needs of State governments and what additional safeguards may be needed. The educational aspect is being served by the development of 10 video tape training programs aimed at diverse audiences from management to the technical support staff of ADP operations.
