Panel: Industry, government must cooperate on privacy, policy

Government agencies and information technology companies must work together to identify and prevent ethical violations and threats to privacy as the use of new technologies grows in the federal sector, a panel of public policy professionals said today.

The call comes as more IT companies sell advanced applications to the government, especially for intelligence- and security-related functions.

The potentially thorny issues in the government's procurement and use of new IT systems are the handling of personal information and business confidentiality, assurance of the availability of systems and the integrity of databases, the "openness" of information, intellectual property laws and equality and access policies, said Frank Reeder, an information policy consultant.

"It's a partnership issue; those on the private side must help us on the public side to think through the larger implications [of using technology] before they come back to bite you," Reeder said. He was part of a panel hosted by the Association for Federal Information Resources Management at the FOSE technology trade show in Washington. FOSE is operated by PostNewsweekTech Media, which also owns Washington Technology.

IT firms, some of which are unaccustomed to dealing with the federal government, have been pitching new technologies to agencies, such as the Homeland Security Department, raising questions about who should have access to the IT systems and for what purposes they can be used.

"For every technology solution rolled out, there is a constituency questioning the utility and ethics of it, so policy swirls around the CIO's office like never before," said Scott Hastings, chief information officer for the U.S. Visit Program Management Office at the Department of Homeland Security. Under the U.S. Visit program, border guards verify the identities of foreign visitors with fingerprint scans and digital photographs.

Using new technology applications can be risky business for federal government workers. Those who misuse private information are in danger of being called before oversight committees to explain their actions or winding up in jail, Reeder said. They also destroy public trust in federal agencies, especially those such as the IRS, which have moved certain document-filing abilities online to be more efficient, he said.

As an example, Reeder cited lax security safeguards on the Social Security Administration's Web site in 1997 for citizens who checked their earnings history and projected benefits estimates online. The Web site required five authenticating pieces of information: the user's name, Social Security number, date and place of birth and the maiden name of the user's mother. This was deemed a violation of privacy, as the security of such data was called into question. Within a few weeks of starting the online application, Social Security had to dismantle it and undergo a number of congressional hearings on privacy violations, he said.

The question of just how far IT companies should have to go to point out potential technological threats to federal agencies that buy their systems is moot, said Alan Paller, director of research at the SANS Institute, a research organization for people who secure and manage information systems.

The government cannot expect IT companies to undertake the task, since they are focused on selling their systems and are "drilled with [providing] satisfying answers to customers," he said. He recommended that the government enact explicit regulations to compel companies to inform agencies about the rules of delivering and using their technologies.