from the time-to-get-some-press-training dept
But given the conflicting messages -- openness over here, extreme secrecy over there -- it was inevitable that someone would be asked a question about this. Fast Company has an interview with the current federal CIO, Steve Van Roekel, where he's asked about the NSA's surveillance and the "conflict" between openness and privacy. Van Roekel seems to go out of his way to not actually say anything about the NSA, while at the same time (we assume) inadvertently pointing out that tiny bits of metadata, when combined with other tiny bits of metadata can reveal a ton of information about someone -- something that defenders of the "just metadata" regime have been trying to pretend isn't true:
I think this notion of the U.S. government treating data as an asset that’s open to everyone is interesting. I’d be remiss if I didn’t mention what’s happening with the NSA controversy--it seems like you have to walk a fine line between being open while also protecting citizens’ privacy.Note the bolded part of the first answer above. That's the very point that critics of the fact that the government has been collecting so much metadata have been pointing out -- but it's a point that the federal government, including Van Roekel's boss, have been actively denying for months. They keep insisting that "just metadata" doesn't violate anyone's privacy. Yet here is Van Roekel, who understands this stuff, straight up admitting what plenty of people have realized: metadata can reveal an awful lot, especially when you have a few different collections of metadata that you can overlay with one another.
One of the important parts of formulating the digital strategy and open data policy was to be very clear to people on two fronts. One was that with government data, you need to have a process by which we are not releasing any data that is confidential, that violates any citizens’ or Americans’ privacy, or has any national security implications.
The second part is examining something called the mosaic effect. That means if I released some data independently, there is high likelihood that that data released doesn’t have any private or publicly identifiable information in it. But if I release that data along with another piece of data, and overlay those two sources, then I could garner some identifiable information. For example, if I have a report on geographically dispersed diseases in this relatively unpopulated state, like North Dakota, then release another piece of data that details who lives in certain census blocks, you could suddenly tell who has that disease. That’d break personally identifiable information guidelines. So we’ve asked agencies to set up governance and be very diligent on issues related to privacy, confidentiality, or national security.
How have the recent NSA leaks affected that strategy? Have you tweaked anything in your approach?
Our conversation today isn’t about the NSA, but I can say that our diligence hasn’t waned even before any of this related to protecting confidentiality. The mission here--the mission of government--is how do we best serve the American people, and make sure they are safe, secure, and getting benefits from the services the government provides. That requires a lot of good governance, good security, good cyber-security, and really smart thinking about how we release data--making sure we don’t release any personally identifiable information or anything that would lose the trust of the American citizen.