Tuesday, August 21, 2007

Immutable audit logs

Now, I’m certainly no technical expert when it comes to these systems, but luckily I happen to work with a few who are. Experts like Carl Malamud and Peter Swire, who work at the Center for American Progress. Some of you may know Peter from his work as the chief Privacy Officer at the Office of Management and Budget. Peter has a new paper on Immutable Audit Logs that will come out from the Markle Foundation in about two weeks.
Simply put, audit logs record activity that takes place on any given information sharing network. Such activity may include queries made by users, information accessed, information shared between systems, and date and time markers for those activities. With immutable audit logs, the data that is recorded cannot be changed, creating clear evidence of what happened and when it happened.
Typically, audit logs that are used today are mutable. That is, the data logged can be changed by both authorized users within the system and by unauthorized users trying to hack into the system from outside. These standard logging practices allow insiders to cook their digital books and allow outsiders to remotely tamper with the records.
But with immutable logs, where all activity is recorded regardless of access, there is much less incentive even to try and cheat the system—because you know you’re going to get caught. All attempts to cover illegal activity or policy violations are recorded along with normal activity.
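An added illustration, not taken from the speech or from the paper it mentions, of one common way to make changes to an audit log detectable: each entry stores a SHA-256 hash over its own contents and the previous entry's hash. The field names, the sample values and the separately stored "trusted head" hash are assumptions of this example; a hash chain gives tamper evidence, and actual immutability also needs write-once or independently held storage.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain


def digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, user, action, detail, timestamp):
    """Append one audit record linked to the entry before it; return its hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"user": user, "action": action, "detail": detail, "time": timestamp}
    log.append({"record": record, "prev": prev_hash, "hash": digest(prev_hash, record)})
    return log[-1]["hash"]


def verify(log, trusted_head=None):
    """Return None if the log is intact, else the index where checking failed.

    trusted_head is the newest hash as previously copied somewhere the log's
    administrators cannot write to. Without it, an insider who rewrites the
    whole chain consistently (or truncates it) still passes. If every link is
    consistent but the chain does not end at trusted_head, len(log) is returned.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != digest(prev_hash, entry["record"]):
            return i  # first entry whose contents or link were changed
        prev_hash = entry["hash"]
    if trusted_head is not None and prev_hash != trusted_head:
        return len(log)
    return None


if __name__ == "__main__":
    # Constructed sample records: a query, an access and a cross-system share.
    log = []
    append(log, "analyst_a", "query", "case 1041", "2007-08-21T09:00:00Z")
    append(log, "analyst_b", "access", "record 77", "2007-08-21T09:05:00Z")
    head = append(log, "analyst_b", "share", "record 77 to system B", "2007-08-21T09:06:00Z")
    print("intact:", verify(log, head))
    log[1]["record"]["user"] = "nobody"  # an insider edits one entry in place
    print("first bad entry:", verify(log, head))
```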
Without logging of user activity in government information sharing networks, there is no way to really demonstrate clearly for oversight and accuracy purposes that there is compliance with established policies and laws. The resulting lack of trust can lead to a situation where reasonable and desirable uses of information are blocked for fear of misuse.
This type of immutable system, then, is one the public can count on to set the record straight and keep the record straight. And those that keep the records will be held accountable.
Implementing immutable audit logs is one step the federal government can take to improve its own practices when it comes to keeping data accurate and secure, and when it comes to holding public officials accountable for their use of our data.
But it is not an end-all solution. Other steps need to be taken.
Today, due to corporate scandals at Enron, Arthur Andersen, WorldCom and others, the public is increasingly wary of businesses’ ability to look out for the best interests of their consumers, employees, and industry above their own.
As a few bad corporate apples have bred suspicion about our business leaders around the country and on Capitol Hill, lawmakers have seen the need to try and implement some safeguards.
One such safeguard is the so-called Sarbanes-Oxley bill, a piece of legislation requiring all public companies to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission. CEOs and chief financial officers must personally vouch for the accuracy and honesty of their company’s disclosures.
Corporate executives can no longer hide behind a veil of ignorance and they are the ones who are ultimately responsible for their company’s actions.
Beyond Sarbanes-Oxley, businesses have always taken the lead in instituting their own safeguards. Corporate executives are subject to review by their shareholders—who can request documents, authorize audits, and demand answers in an effort to ensure accountability. The shareholders are the proper owners of the company’s data, and they have the right to access it when needed.
The federal government has a similar system in place—but we call it the Freedom of Information Act. As federal agencies amass data and disperse it, the public has the right to request documents and audit what is done with that data in an effort to ensure accountability. The public is the proper owner of a lot of agency data, and just like shareholders, the public has the right to demand openness and accountability when needed.
Today, as more data is collected and distributed in the name of national security, some in our federal government are trying harder and harder to deny the public that right of access. As a result, the need to uphold the principles set out by FOIA is more important than ever before.
Consider that it was FOIA that allowed us to discover that the government had collected more than 275 million passenger records from major airlines.
It was FOIA that allowed us to discover that the Census Bureau provided the Homeland Security Department with data on people who identified themselves as being of Arab ancestry.
And it was FOIA that allowed us to discover the extent of the data sharing relationship between ChoicePoint and government agencies.
As the government tries to take more data from us, FOIA has taken on a new importance, and some in the federal government know this. That’s why former Attorney General Ashcroft told the agencies that they should use every exemption from FOIA that they could find, and the Justice Department would defend this new secrecy. That’s why they do their level best to process requests slowly, black out anything that can be construed as confidential, and hold back all information that they reasonably can.
Without FOIA, our ability to hold our federal government accountable for its actions is severely diminished. Government officials should stop hiding and start helping the public access data of concern, and that starts by pledging to uphold the principles set out by FOIA and the Privacy Act. When the public can no longer trust those in power to keep their information confidential, secure and accurate, they must be able to trust in a system to check that the system is working and check their own personal information for themselves.
And ultimately, that’s what the issue of data integrity comes down to: trust.
As consumers, do we trust business to protect our personal data?
As investors, do we trust our executives to keep accurate and fair records?
As citizens, do we trust our government to protect our interests rather than their own when it comes to the collection and use of data?
The private sector has taken steps—many on its own—to restore the public trust, but so far our federal government has lagged behind. Instead, it has chosen to collect, distribute and use our data in a way that can only breed fear and suspicion. And when public suspicion replaces public trust, no technical tools or legal maneuvers will soon get it back.
The time has come for the federal government to focus on getting that trust back. The time has come for the government to focus on improving data integrity in a way that inspires the faith and confidence of the American people and the American business industry. Because, when it comes to implementing better security, accuracy and accountability measures where data is concerned, a small group of government insiders hidden from public scrutiny will never have all the answers.
Quite the contrary, the problems can only be solved by all of us--working together--and holding each other accountable.
Thank you.