Vendor practices raise data protection questions

Privacy concerns are growing and one area the government needs to focus on is vendor data collection practices.

Over the course of the last four years, the White House’s vision for using innovation to improve government services has fostered a rising tide of change in the government IT enterprise. Now, President Obama’s election to a second term presents an opportunity for the administration’s IT leaders to take stock of their progress and assess the work that remains.

Supported by the Obama administration’s vision for making government IT more mobile and efficient, public sector entities are adopting smartphones, tablets and cloud storage services at a quickening pace. However, IT leaders have not done enough to remedy the security and privacy issues these technologies present. Specifically, current U.S. policy and legislation lack the full complement of tools necessary to minimize or prevent vendor data collection for commercial purposes. As more government agencies expand the use of cloud-based and mobile IT platforms, this problematic dynamic could threaten the protection of government information.

U.S. government information systems store a variety of unclassified but still sensitive materials regarding government programs, individuals and companies. The Department of Veterans Affairs, for example, stores troves of individual health records for its beneficiaries. Government agencies evaluate proprietary information from thousands of companies to award contracts for goods and services. All agencies house mission-critical information regarding policies and organizational plans.

The adoption of cloud and mobile services introduces new variables to the protection of these systems. As a part of their services, some vendors may be collecting and processing government information. At stake in this growing trend are the potentially negative implications of the secondary use of government information by contracted service providers—a risk that the current government standards do not adequately confront.

Existing U.S. laws and regulations identify specific types of protected information such as citizens’ Social Security numbers, financial records and biometric information that cannot be disclosed without authorized consent. Government contracts for Internet services such as cloud-based email mandate compliance with these regulations.

Still, neither current law nor existing contracts clearly specify data protection principles that would prohibit the use of other government information for commercial purposes. Publicly available guidance for purchasing cloud computing services affirms the need for government to claim ownership of its data, but does not specify terms regarding how agencies should address the collection and processing of government information and metadata in mobile and cloud services contracts. And, while major providers remove targeted advertisements from their government cloud offerings, these actions do not necessarily indicate a change in underlying data collection and processing practices.

This narrow definition of data protection does not appear to recognize the expanding ways in which vendors can potentially profit from or even misuse government information. Even when sanitized of sensitive content, government communications could still reveal significant information regarding policy priorities and future government actions. For example, procurement communications could refer to future acquisition plans and proprietary information. These types of information should not be mined to benefit any one company, particularly in the event that this data could be misused.
 
In this transition period, U.S. policymakers need to fully assess the risks of data collection by contracted service providers and prevent the mining of government information for all non-government purposes. To do so, they should update existing standards and enforcement mechanisms, shifting away from a narrow focus on compliance to instead account for a more comprehensive, dynamic definition of data protection. Currently, the extent to which agencies are accounting for these risks remains unclear, and agencies need to publicly clarify what steps they are taking to mitigate these concerns.

New data protection principles should better define government ownership of data and metadata. Associated guidance should specify control mechanisms and provide example contract terms to prevent the mining of government data for any purpose outside of the organizational mission.

Given the advancement of vendor practices and monetization of data collection, U.S. policymakers must develop a more nuanced and dynamic understanding of data protection that adequately safeguards government information. The world of information-sharing is constantly evolving, and government must be vigilant to enact controls that ensure the protection of personal and sensitive information. These measures may enable government to adopt a forward-looking approach to data protection that appropriately confronts the implications of technological change.