Passport system breach highlights shortcomings in agency privacy practices

The disclosure this week that employees working for contractors processing passports for the State Department had inappropriately accessed the passport files of the three presidential hopefuls is no surprise because the department has conducted only "cursory assessments" of its privacy practices, a privacy expert said.

This incident is "no great shock to the privacy community," said Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology, an advocacy group in Washington that promotes privacy protection.

On March 21, State Department officials announced that contractors that process passports for the department had fired two employees and disciplined another for inappropriately accessing the passport files of Sens. Barack Obama, D-Ill., Hillary Clinton, D-N.Y., and John McCain, R-Ariz. State did not identify the contractors or the employees. The department's inspector general is conducting an investigation into the breach.

Rep. Henry Waxman, D-Calif., chairman of the House Oversight and Government Reform Committee, sent a letter on Friday to Secretary of State Condoleezza Rice requesting that the names of the contractors be released to the committee and to the public by March 24.

State confirmed that Obama's passport file had been accessed by unauthorized users after a news reporter contacted senior officials on March 20 asking about the breach. State officials later announced that Obama's file had been breached on three separate occasions -- Jan. 9, Feb. 21 and March 14.

Agencies can reduce the chance of a privacy breach by conducting thorough privacy impact assessments, Schwartz said. The 2002 E-Government Act requires agencies to conduct analyses of how they collect, store, share and manage personal information in federal networks. Agencies should develop policies that limit access to information before setting up a database rather than after a breach has occurred, Schwartz said.

"This is why privacy impact assessments are so important, and State has only been doing cursory assessments," Schwartz said. "We've heard the State Department's resources for the privacy team are stretched extremely thin."

For example, the privacy impact assessment for State's e-passport program, which attaches to a passport a computer chip containing the holder's biographical information, was a page and a half, Schwartz said. That was a typical privacy assessment for many State programs, he said. In contrast, Schwartz said privacy assessments from the Homeland Security Department are typically 30 to 40 pages. He said the Center for Democracy and Technology expressed its concerns to State about its privacy practices in a letter dated last year but never received a reply.

Additionally, the E-Government Act requires agencies to appoint an employee to oversee privacy issues. DHS has a chief privacy officer, which Schwartz pointed to as a model every agency should embrace.

"One of the issues is that there are a lot of agencies like this," Schwartz said. "We think about State and Defense most frequently because there are lots of cause for concern, but many agencies got bad grades" on information privacy from the Office of Management and Budget during reviews on how they complied with the Federal Information Security Management Act, Schwartz said.

Obama campaign spokesman Bill Burton, in a statement released March 20, called the access to Obama's passport information "an outrageous breach of security and privacy, even from an administration that has shown little regard for either over the last eight years." He called for an investigation, saying, "We demand to know who looked at Senator Obama's passport file, for what purpose, and why it took so long for them to reveal this security breach."

"None of us wants circumstances in which an American citizen's passport is looked at in an unauthorized fashion," Rice said Friday, adding that she had apologized personally to Obama.

McCormack said senior officials at State were made aware of the breaches March 20 after the reporter contacted the department. Patrick F. Kennedy, acting undersecretary for management at State, said the information should have been passed "up the line" but the flagging of the breaches was evidence that "the system worked."

McCormack said State has other precautions in place to ensure that contractors and employees don't inappropriately access the files of citizens, but he declined to elaborate.