Statement from Gary D. Bass on Privacy Violation in Government Data





STATEMENT OF GARY D. BASS
EXECUTIVE DIRECTOR, OMB WATCH
REGARDING
GOVERNMENT'S DISCLOSURE OF PERSONALLY IDENTIFIABLE INFORMATION IN DATA ABOUT FEDERAL SPENDING

April 20, 2007

It has become public information today that the U.S. Department of Agriculture (USDA) has been including Social Security numbers in a data field that identifies certain public financial transactions with government (e.g., loans). In response, OMB Watch has taken two actions. First, we have temporarily redacted the information in the USDA data field, which serves as a unique identifier, from our online service, FedSpending.org. Second, we call on the federal government to immediately remedy the privacy violation by providing a new unique identifier that does not contain personally identifiable information.

This gross negligence on the part of the federal government is unacceptable. What appears to be a longstanding violation of federal law needs to be fixed without delay to protect the privacy rights of our citizens, and new identifiers need to be immediately generated to replace the current data to maintain the public's ability to track and review the government's spending of tax dollars. This fix is not technically difficult to accomplish and should be done immediately.

The data in question appears in the Federal Assistance Award Data System (FAADS), which is a government database of all federally provided financial assistance (not including procurement). FedSpending.org makes FAADS and publicly available data about government contracts accessible to the public in a searchable format in order to shine a light on government spending patterns. Since its launch on October 10, 2006, FedSpending.org has steadily grown in popularity. In March, over one million searches were conducted on databases that FedSpending.org provides, and the month of April is expected to exceed that number.

In addition, the original FAADS files have been freely available for anyone to download from the U.S. Census Bureau's website for years. Thus, it appears the database containing personally identifiable information has been widely distributed for a long time.

The data field at the heart of the security problem, the Federal Award ID, is vitally important to investigators and researchers tracking specific transactions, as it is the only means for identifying a specific loan or grant. For example, in order to file a Freedom of Information request about a financial transaction, the public needs to provide the Federal Award ID. Unfortunately, in response to the problem, the Census Bureau has deleted the Federal Award IDs for all FAADS records from its publicly downloadable files without any public notice on the website about these changes and has yet to replace the information, eviscerating a key aspect of the data and lessening its value.

The issue first came to our attention on April 13 when a FedSpending.org user notified OMB Watch that her Social Security number was embedded in the Federal Award ID that was publicly available on our site. We confirmed that the data on FedSpending.org was identical to the information being disseminated by the Census Bureau and suggested she contact the Census Bureau to have the problem corrected. The Census Bureau requested we remove the Federal Award ID for this individual, which we did.

On April 16, the U.S. Department of Commerce requested that OMB Watch redact the Federal Award ID for the entire FAADS database on FedSpending.org for 30 days "so that all Federal Departments and agencies involved in this important matter can be contacted." OMB Watch responded to the Department of Commerce's request informing them that we would voluntarily remove the requested information if, within 30 days, we receive a plan on how the Federal Award ID field would be updated without personally identifiable information. Several days then passed with no response from the Department of Commerce.

On April 19, in the wake of pending news stories about this issue, the Office of Management and Budget contacted OMB Watch and indicated we would be receiving a response agreeing to the conditions we identified. If we do receive the letter, we will redact the data field for the entire database on a temporary basis, with the expectation that an adequate plan to correct the problem in a timely manner would be forthcoming from the government within 30 days. If the plan presented by the government is inadequate, we will take appropriate action. (A full chronology of communication with OMB Watch regarding this issue is available here.)

Certainly we can expect more from our government in protecting personally identifiable information than what has happened over the past several years. Moreover, when the problem was discovered, there was no excuse for the government not to contact the people involved to inform them of the error. At the same time, addressing the error of disclosing personally identifiable information should not become an excuse for withholding crucial data from the public. The public has a right to know how the government will quickly remedy the situation with corrected Federal Award IDs.

The government must act quickly in providing a unique identifier without personally identifiable information. On Sept. 26, 2006, President George W. Bush signed into law a requirement that the government create an online database like FedSpending.org by Jan. 1, 2008. The Federal Funding Accountability and Transparency Act, sponsored by Sens. Tom Coburn (R-OK) and Barack Obama (D-IL), requires the government to provide a unique federal identifier for each financial transaction. The Coburn-Obama law also requires the government to ensure that no personally identifiable information is disclosed.

We will continue to track this problem and will work to keep the government honest about its efforts to deal with the issue in a competent, efficient manner. We will also continue to operate in a transparent manner, providing you with information about actions we take on FedSpending.org. In the meantime, if any FedSpending.org user discovers additional personally identifiable information on FedSpending.org, please let us and government officials know immediately.

For more information, contact:
Brian Gumm, Communications Coordinator, (202) 234-8494, bgumm@ombwatch.org

Read the full statement, including a chronology of communications.

UPDATE (04/20/07, 5 p.m. Eastern): On April 20, OMB Watch agreed to expand the temporary redaction of the Federal Award ID data field to the entire FAADS database, though no confirmed case of personally identifiable information has yet been discovered outside of USDA data. This measure was taken only because we received a formal commitment from the Department of Commerce that the government would provide a plan for updating the unique identifier without personally identifiable information within 30 days. The Department of Commerce oversees the U.S. Census Bureau, which manages the FAADS database.

April 16 OMB Watch Letter to Department of Commerce

April 20 Department of Commerce Letter to OMB Watch

UPDATE (04/27/07, 11:35 a.m. Eastern): On April 25, Rep. Zack Space (D-OH) announced that the House Agriculture Committee will hold a hearing May 2 on data security breaches at USDA.

# # #
