An Unexpected Lack of Privacy

A look at the unexpected lack of privacy that affects us all:

Originally by Luther Martin, Chief Security Architect.

The US government has to be careful with any sensitive information that it gathers, right? After all, isn’t that what the Privacy Act was all about?

But it turns out that the fine print for the Privacy Act may result in it giving less protection to your personal information than you might think that it does. At least that’s what I’m led to believe after reading the Privacy Impact Analysis (PIA) for the government’s E3A program.

The E3A program (Einstein 3 – Accelerated) is a big intrusion detection/intrusion prevention system for all of the U.S. government’s internet-facing systems that’s planned by the Department of Homeland Security’s Office of Cybersecurity and Communications. Because this system will collect all internet traffic going to or from government web sites, there’s the possibility that it will collect personal information that you might use to identify yourself to a government agency. But according to the PIA for E3A, any personal information gathered by E3A isn’t protected by the Privacy Act because the “Privacy Act does not apply to information regarding known or suspected cyber threats.”

So because the IDS/IPS function of the E3A system collects your personal information for the purpose of looking for “known or suspected cyber threats,” any personal information that it collects isn’t actually covered by the Privacy Act. I was a bit surprised to learn that. And I had to wonder what other sensitive information the government is collecting that you might think is protected in some way but really isn’t.

