Archive for the ‘American Community Survey notices’ Category

Back in 2006, CB was ready to roll out the American Community Survey after almost a decade of fiddling around with the program.  In order for any Federal agency to maintain databases with PII (personally identifiable information), the Privacy Act requires a Federal Register notice outlining the purpose, scope, and protections for each PII database.  The full notice can be viewed here.

However, this notice exposes the deficiencies of the ACS database.  The Privacy Act requires that databases containing PII use an identifier that is separate from any PII to maintain the data.  Contrary to statutory requirements, the ACS Privacy Act notice clearly states that the ACS database will be maintained by NAME and ADDRESS.  Additionally, there are no restrictions on the computers, CDs, portable drives, etc. on which ACS data is stored.  This means ACS data could be on any computer with internet or wireless capabilities, unencrypted CDs or portable drives, cloud-accessible computers, etc.

If you aren’t scared now, you have never been a victim of ID theft, or have never worked with secured data.  I have.  You could pilot the space shuttle (if we had any operational ones left) through the holes in this system.  There have already been multiple thefts of Census Bureau notebooks & drives, and postings of ACS data on PUBLIC websites by employees.

“Your data is secure.”  Yeah, and I’ve got a bridge in some swampland that’s selling cheap as well. 

The data is IN NO WAY secure.  Unless Census starts taking PII security seriously, no sane person would ever fill this form out.  Look, I’m actually not an IT security person, but I do understand the difference between secure and unsecured data.  I can also find no evidence of who can look at or manage the PII data: Census Bureau FTEs only?  Contractors with security clearances?  Do the ACS employees have HSPD-12 (cleared) credentials?  Their laptops seem to be wireless; what kind of connections are they running?  What kind of security does the data they do get in the field have, if any?

Again, just don’t even play.  This is identity theft waiting to happen.



