DHS Privacy and Integrity Report

Last year, the Department of Homeland Security finally got around to appointing its DHS Data Privacy and Integrity Advisory Committee. It was mostly made up of industry insiders instead of anyone with any real privacy experience. (Lance Hoffman from George Washington University was the most notable exception.)

And now, we have something from that committee. On March 7th they published their "Framework for Privacy Analysis of Programs, Technologies, and Applications."

This document sets forth a recommended framework for analyzing programs, technologies, and applications in light of their effects on privacy and related interests. It is intended as guidance for the Data Privacy and Integrity Advisory Committee (the Committee) to the U.S. Department of Homeland Security (DHS). It may also be useful to the DHS Privacy Office, other DHS components, and other governmental entities that are seeking to reconcile personal data-intensive programs and activities with important social and human values.

It's surprisingly good.

I like that it is a series of questions a program manager has to answer: about the legal basis for the program, its efficacy against the threat, and its effects on privacy. I am particularly pleased that their questions on pages 3-4 are very similar to the "five steps" I wrote about in Beyond Fear. I am thrilled that the document takes a "trade-off" approach; the last question asks: "Should the program proceed? Do the benefits of the program...justify the costs to privacy interests....?"

I think this is a good starting place for any technology or program with respect to security and privacy. And I hope the DHS actually follows the recommendations in this report.

Posted on March 21, 2006 at 3:07 PM • 13 Comments

Comments

Filias CupioMarch 21, 2006 4:59 PM

The distinction between "prevention" and "interdiction" is unclear to me. For example, strengthening cockpit doors seems to fall under both definitions.

Pat CahalanMarch 21, 2006 7:14 PM

Their questions on pages 3-4 are close enough to your five steps from "Beyond Fear" I think they should have cited you, Bruce.

royMarch 21, 2006 7:38 PM

We used to call it 'plagiarism'. Now I think it's called 'research'. Well, better that they steal it and put it to use than not use it at all.

Bruce SchneierMarch 21, 2006 8:14 PM

"The distinction between 'prevention' and 'interdiction' is unclear to me. For example, strengthening cockpit doors seems to fall under both definitions."

All of those terms are fuzzy. Everything public, for example, has a deterrence effect -- and that's a form of prevention.

Bruce SchneierMarch 21, 2006 8:31 PM

"Their questions on pages 3-4 are close enough to your five steps from 'Beyond Fear' I think they should have cited you, Bruce."

I citation would have been nice, but I'm not bothered by it at all. Good ideas are meant to be used.

Jim HarperMarch 21, 2006 9:26 PM

A lot of credit is due you, Bruce, for an influential (because its understandable) discussion of security and trade-offs in Beyond Fear. It played an important part in the development of my thinking and in the drafting of the document. But it would be unfair to discount the dozens of people - members of the committee, witnesses before the committee, and members of the public - who contributed. Now, like you said, let's hope the DHS (and our committee) follows the recommendations in the report.

packratMarch 22, 2006 1:32 AM

"The distinction between 'prevention' and 'interdiction' is unclear to me. For example, strengthening cockpit doors seems to fall under both definitions."

I always thought that 'interdiction' referred to stopping an ongoing activity, whereas 'prevention' referred to stopping something before it begins. Some things (such as strong cockpit doors) may do both. By way of contrast, a network firewall would interdict hostile traffic, but not prevent it.

KneMarch 22, 2006 8:25 AM

From your article on the five steps: "We don't allow torture (officially, at least). Why not? Sometimes a security measure, even though it may be effective, is not worth the costs."

Congratulations, Bruce, it seems the President himself is reading your articles. Unfortunately, it seems he disagrees with you about whether it's worth the costs.

Bruce SchneierMarch 22, 2006 2:15 PM

"From your article on the five steps: 'We don't allow torture (officially, at least). Why not? Sometimes a security measure, even though it may be effective, is not worth the costs.'

"Congratulations, Bruce, it seems the President himself is reading your articles. Unfortunately, it seems he disagrees with you about whether it's worth the costs."

I think we also disagree about whether or not it's effective.

Dr. Miguel A. ContrerasNovember 18, 2006 6:41 AM

DHS has admitting in its official website the practice of conducting "MAPPINGS" on all U.S. Naturalized citizens. DHS can tell and show where all U.S. Naturalized citizens are. DHS also gives a definition of who a naturalized citizen is: someone who is above a "green card" alien lawful permanent resident with limited citizenship rights. DHS just changed the 14th Amendment first sentence.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..