Data-mining, Oversight and Privacy - (2022)

TechWorld published an interesting and thought-provoking article about data mining today pointing out some of the potential benefits of data mining, but also some of the problems when there is lack of oversight.

"Data mining is a relatively new field within computer science. In the broadest sense, it combines statistical models, powerful processors, and artificial intelligence to find and retrieve valuable information that might otherwise remain buried inside vast volumes of data. Retailers use it to predict consumer buying patterns, and credit card companies use it to detect fraud. In the aftermath of September 11, the government concluded that data mining could help it prevent future terrorist attacks."

In 2004 a Government Accountability Office (GAO) report found that US federal agencies were actively engaged in or planning 199 data mining projects, with 122 of them involving personal information. A 2005 GAO report indicated that there were significant concerns about the lack of following oversight procedures and implementing the recommended (possibly meant to be required) privacy and information security procedures for the data minig initiatives.

A disturbing loophole in the directive covering data mining is nicely summarized in this statement, "While the federal laws and guidance previously outlined provide a wide range of privacy protections, agencies are allowed to claim exemptions from some of these provisions if the records are used for certain purposes." It sounds as though a large number of agencies claim such exemptions.

The GAO report included the following steps the GAO had recommended to protect privacy.

(Video) Data Brokers: Last Week Tonight with John Oliver (HBO)

Table 1: Key Steps Agencies Are Required to Take to Protect Privacy, with Examples of Related Detailed Procedures and Sources
Source: GAO analysis of the Privacy Act, E-Government Act, FISMA, and related guidance.
Key steps to protect privacy of personal information Examples of procedures

1. Publish notice in the Federal Register when creating or modifying system of records
• Specify the routine uses for the system
• Identify the individual responsible for the system
• Outline procedures individuals can use to gain access to their records

2. Provide individuals with access to their records
• Permit individuals to review records about themselves
• Permit individuals to request corrections to their records

3. Notify individuals of the purpose and authority for the requested information when it is collected
• Notify individuals of the authority that authorized the agency to collect the information
• Notify individuals of the principal purposes for which the information is to be used

4. Implement guidance on system security and data quality
• Perform a risk assessment to determine the information system vulnerabilities, identify threats, and develop countermeasures to those threats
• Have the system certified and accredited by management
• Ensure the accuracy, relevance, timeliness, and completeness of information

(Video) Safe and Sorry – Terrorism & Mass Surveillance

5. Conduct a privacy impact assessment
• Describe and analyze how information is secured
• Describe and analyze intended use of information
• Have assessment reviewed by chief information officer or equivalent
• Make assessment publicly available, if practicable

All good recommendations. I wonder, which of the government agencies read, let alone implement, GAO reommendations? What percentage claim exemptions? As the TechWorld report noted:

"Most data mining projects are not subjected to a rigorous business case analysis. Two current intelligence CIOs who were otherwise unable to comment for this story agreed that this is an issue that they struggle with. The US DoD’s Technology and Privacy Advisory Committee (TAPAC) developed a 10-point system of checks and balances that it recommended every agency head apply to data mining projects, but Cate says that it has never been implemented. Similarly, the US National Academy of Sciences recently appointed a committee to develop a methodology that the government can use to evaluate the efficacy of its antiterror data mining projects, but the target date for its report is still more than a year away."

I believe, based upon what I’ve heard from colleagues, clients and other info sec and privacy professionals at meetings and conferences that the use of data mining is going to increase exponentially in the next few years. As widely evidenced by the NSA’s data mining of phone records, and also by the growing data mining of public socializing sites, such as described within the January 2006 CRS U.S. government report, "Data Mining and Homeland Security: An Overview." A couple of snippets to give you a feel for the data mining issues described within report:

"Data mining has become one of the key features of many homeland security initiatives. Often used as a means for detecting fraud, assessing risk, and product retailing, data mining involves the use of data analysis tools to discover previously unknown, valid patterns and relationships in large data sets. In the context of homeland security, data mining can be a potential means to identify terrorist activities, such as money transfers and communications, and to identify and track individual terrorists themselves, such as through travel and immigration records."

(Video) 2020 Webinar on Consumer Data Privacy

"As with other aspects of data mining, while technological capabilities are important, there are other implementation and oversight issues that can influence the success of a project’s outcome. One issue is data quality, which refers to the accuracy and completeness of the data being analyzed. A second issue is the interoperability of the data mining software and databases being used by different agencies. A third issue is mission creep, or the use of data for purposes other than for which the data were originally collected. A fourth issue is privacy. Questions that may be considered include the degree to which government agencies should use and mix commercial data with government data, whether data sources are being used for purposes other than those for which they were originally designed, and possible application of the Privacy Act to these initiatives. It is anticipated that congressional oversight of data mining projects will grow as data mining efforts continue to evolve."

"As additional information sharing and data mining initiatives have been announced, increased attention has focused on the implications for privacy. Concerns about privacy focus both on actual projects proposed, as well as concerns about the potential for data mining applications to be expanded beyond their original purposes (mission creep). For example, some experts suggest that anti-terrorism data mining applications might also be useful for combating other types of crime as well. So far there has been little consensus about how data mining should be carried out, with several competing points of view being debated. Some observers contend that tradeoffs may need to be made regarding privacy to ensure security. Other observers suggest that existing laws and regulations regarding privacy protections are adequate, and that these initiatives do not pose any threats to privacy. Still other observers argue that not enough is known about how data mining projects will be carried out, and that greater oversight is needed. There is also some disagreement over how privacy concerns should be addressed. Some observers suggest that technical solutions are adequate. In contrast, some privacy advocates argue in favor of creating clearer policies and exercising stronger oversight. As data mining efforts move forward, Congress may consider a variety of questions including, the degree to which government agencies should use and mix commercial data with government data, whether data sources are being used for purposes other than those for which they were originally designed, and the possible application of the Privacy Act to these initiatives."

Data mining is nothing new…it’s been used in one way or another since the advent of the "super computer." The differentiators from around 25+ years ago to now are the 1) increasing connectivity of multiple repositories of data and multiple computers…computer grids with seemingly unlimitless data storage and containing what is moving to be unlimited amounts of personal information; and 2) the increasing speed and capabilities of the technology to cull through the data in a blink of an eye to find and correlate personal data.

"With great power comes great responsibility." I use this Spiderman quote often…I think it applies to so many challenges that information security and privacy practitioners face…technology power and related responsibility really do make our professions interesting, important and often infuriating. Data mining is powerful and that power must be contained. You don’t want a data mining effort to turn into an out-of-control privacy destroying Doc Oc monstrosity.

Data mining does not have to invade privacy with proper oversight, established accountability, and enforced procedures. Without these ingredients, however, privacy gets trampled and runs amuck. There have been any incidents resulting from data mining results that were bad, and misuse of the data. The discussion of these incidents is a good topic…for another time.

(Video) Part 1: Why never separate data privacy from GRC

Does your organization have data mining initiatives going, or planned? Be sure you are addressing information security and privacy issues…from the start of the projects and all the way through until the data mining effort is retired…if it ever is. Remember:

1. Your organization risks violating your own privacy policies and agreements when you link the consumer and customer data you collect to carry out different customer-facing processes, and subsequently amass them in different databases.
2. When your organization analyzes web site data and then links the findings with data acquired from other applications or third-party data providers in order to develop lists targeting specific consumers, you are running a high risk of being in noncompliance with your own policies, contracts and applicable laws. This is particularly true for your non-U.S. customers/consumers.
3. Does your organization use the data within your data mining initiatives for other purposes outside the scope of your intended and communicated use? You run a high risk of regulatory noncompliance and potential lawsuits if you do this.
4. Incorporate information security and privacy requirements and checks throughout your entire systems and applications development life cycle. Document them.
5. Document and communicate information security and privacy policies, procedures and standards for data mining projects, initiatives, applications and systems. This demonstrates due diligence in addition to complying with several data protection laws.
6. Learn from the mistakes and recommendations of others. Read the GAO reports covering data mining and implement the recommendations that you could apply within your organization. This demonstrates due diligence particularly in the eyes of regulatory auditors.
7. Conduct privacy impact assessments. Do them while planning the data mining initiative; following implementation; and regularly thereafter.

Technorati Tags
information security
IT compliance
data mining
regulatory compliance
policies and procedures
awareness and training
privacy

This entry was posted on Saturday, August 26th, 2006 at 8:00 pm and is filed under Privacy and Compliance.You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

TechWorld published an interesting and thought-provoking article about data mining today pointing out some of the potential benefits of data mining, but also some of the problems when there is lack of oversight.  "Data mining is a relatively new field within computer science. In the broadest sense, it combines statistical models, powerful processors, and artificial …

A 2005 GAO report indicated that there were significant concerns about the lack of following oversight procedures and implementing the recommended (possibly meant to be required) privacy and information security procedures for the data minig initiatives.. The GAO report included the following steps the GAO had recommended to protect privacy.. A third issue is mission creep, or the use of data for purposes other than for which the data were originally collected.. Still other observers argue that not enough is known about how data mining projects will be carried out, and that greater oversight is needed.. Be sure you are addressing information security and privacy issues…from the start of the projects and all the way through until the data mining effort is retired…if it ever is.. Document and communicate information security and privacy policies, procedures and standards for data mining projects, initiatives, applications and systems.

In data mining, the privacy and legal issues that may result are the main keys to the growing conflicts. The ways in which data mining can be used is raising questions regarding privacy. Every year the government and corporate entities gather enormous amounts of information about customers, storing it in data warehouses. Part of the Continue reading

With the technologies that are available today, data mining can be used to extract data from the data warehouses , finding different information and relationships about customers and making connections based on this extraction, which might put customer’s information and privacy at risk.. The definite complexity in data mining is building up accurate models for data analysis without giving the right to use the information in specific customer records, which will secure the database from being used the wrong way.. Security problems in data mining are one of the most popular concerns because of the fact that when using data mining individuals are usually working with large amount of information, and they can have access to it easily.. As data mining guarantees to open up lots of new fields for extracting information from both old databases and future databases that may be developed with data mining as a support purpose, the data mining session in some large companies suggest that there can be serious security issues in data mining.. Data warehousing companies must monitor who has access to the data within and what parts of the data warehouse they have access to.

Data mining collects and analyzes mountains of your personal information and behavior to find patterns and sell you goods and services.

Mining large collections of data can give big companies insight into where you shop, the products you buy and even your health.. People sometimes confuse data mining with big data or with data breaches .. There are companies that specialize in collecting information for data mining.. Profiles created by data miners may include information on millions of people.. Data miners have to walk a line between creating highly useful information and protecting the privacy of the people whose data they gather.. Smart phones, apps, websites and social media can track your browsing habits, online purchases and even where you go or exactly where you are this very minute.. Your Information that Facebook Collects and Mines All current and past Facebook friends All posts or other Facebook activity (likes, shares, etc.). The company got all this information by creating a personality quiz app on Facebook.. A 2019 study in JAMA Network Open found nine out of 10 depression and smoking cessation apps shared user’s data with companies like Facebook or Google, but only two out of three of the apps warned users they were doing it.. The first thing you should do is read over the terms of service before you sign up for any social media account, credit card or website.

Find client news, publications, videos, case studies and more on Morris, Manning & Martin, LLP's media page. Click for more information.

Guidelines for Personal Information Protection (1) Personal data should be collected by fair and lawful means for a direct marketing purpose.. (Article 6) Personal data collected must be --. (Article 7) Personal information may only be processed if --. (Articles 10, 11) The data subject must be provided with the identity of the data controller, the purposes of the data processing and any other information that is necessary to ensure that personal information is processed in a fair and lawful manner.. (Article 14) A data subject has the right to object to personal information processing for direct marketing or other purposes.. Data subjects should be able to opt-out of the use of their data for direct marketing purposes.. Potential Safe Harbors(Article 26) The Directive allows for data transfers to occur involving other countries without an adequate level of protection under the following circumstances, including:. Federal Internet Privacy Protection Act of 1997 (H.R.. Consumer Internet Privacy Protection Act of 1997 (H.R.. Data Privacy Act of 1997 (H.R.. One Stop Opt-Out: The Vice President indicated that the FTC will be sponsoring a new Web site, located at "www.consumer.gov".. In some circumstances, such as medical information or children’s information, data vendors should not use the data without the consent of the appropriate person.. In March 1998, the FTC conducted a survey of commercial Web sites to determine the extent to which they disclose their privacy policies and whether consumers are offered a choice as to the online collection and use of their personal data.. Whether consumers can access their own personal data4.. Your identity (the data controller) The purposes for collecting data How long the data will be kept How the data is kept secure The procedures for keeping the data accurate, including how individuals can correct inaccuracies in their data How individuals can access their personal data, as well as learn who will receive their data Opt-in or opt-out provisions for individuals Dispute resolution procedures

Data mining--a technique for extracting knowledge from large volumes of data--is being used increasingly by the government and by the private sector...

Skip to Recommendations Agency Affected Recommendation Status Department of Agriculture To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of the Risk Management Agency (RMA) to provide the required Privacy Act notices to individuals, including producers, insurance agents, and adjusters, when personal information is collected from them.. Department of Agriculture To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to apply the appropriate information security measures defined in OMB and NIST guidance to the systems used in the RMA data mining effort, specifically, the development of a complete system security plan, a tested contingency plan, and regular testing and evaluation of the systems used in the effort.. Department of Agriculture To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to develop and implement procedures that ensure the accuracy, relevance, timeliness, and completeness of personal information used in the RMA data mining effort to make determinations about individuals.. Department of Agriculture To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to revise the privacy impact assessment for the RMA data mining effort to comply with OMB guidance, including analyses of the intended use of the information it collects, with whom the information will be shared, how the information is to be secured, opportunities for impacted individuals to comment, and the choices made by the agency as a result of the assessment.. Department of Agriculture To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to have the completed privacy impact assessment approved by the chief information officer or equivalent official.. Department of the Treasury To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of the Treasury should direct the Commissioner of the Internal Revenue Service to apply the appropriate information security measures defined in Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance to the systems used in the Reveal data mining effort, specifically, the performance of regular system testing and evaluation against NIST guidance.. Department of the Treasury To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of the Treasury should direct the Commissioner of the Internal Revenue Service to revise the privacy impact assessment for the Internal Revenue Service's Reveal system to comply with OMB guidance, including analyses of the information to be collected, the purposes of the collection, the intended use of the information, how the information is to be secured, and opportunities for impacted individuals to comment.. Department of Justice To ensure that the data mining efforts reviewed include adequate privacy protections, the Attorney General should direct the Director of the Federal Bureau of Investigation to apply the appropriate information security measures defined in OMB and NIST guidance to the systems used in the Foreign Terrorist Tracking Task Force data mining effort, including the development of tested contingency plans.. Department of Justice To ensure that the data mining efforts reviewed include adequate privacy protections, the Attorney General should direct the Director of the Federal Bureau of Investigation to establish a date for the completion of a privacy impact assessment for its data mining effort that complies with OMB guidance, including analyses of the information to be collected, the purposes of the collection, the intended use of the information, with whom information will be shared, how the information is to be secured, opportunities for impacted individuals to comment, and the choices made by the agency as a result of the assessment.. Small Business Administration To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the Small Business Administration should amend the system of records notice regarding its data mining effort to clearly identify the individual responsible for the effort, the process by which individuals can request notification that the system includes records about them, and the procedures individuals should use to review records pertaining to them.. Small Business Administration To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the Small Business Administration should complete a privacy impact assessment for the data mining effort that complies with OMB guidance, including analyses of the information to be collected, the purposes of the collection, the intended use of the information, how the information is to be secured, opportunities for impacted individuals to comment, and the choices made by the agency as a result of the assessment.. General Services Administration To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the General Services Administration should publish a system of records notice for the purchase card program that specifies the name of the system, the categories of individuals and records in the system, the categories of information sources used by the system, the routine uses of the system, how the agency stores and maintains the system, the individual responsible for the effort, the process by which individuals can request notification that the system includes records about them, and the procedures individuals should use to review records pertaining to them.. General Services Administration To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the General Services Administration should ensure that the appropriate information security measures defined in OMB and NIST guidance are applied to the systems used in the Citibank Custom Reporting System data mining effort, including the development of a risk assessment, a system security plan, a tested contingency plan, the performance of regular testing and evaluation, and the completion of certification and accreditation by agency management.

In data mining, the privacy and legal issues that may result are the main keys to the growing conflicts. The ways in which data mining can be used is raising questions regarding privacy. Every year th

With the technologies that are available today, data mining can be used to extract data from the data warehouses, finding different information and relationships about customers and making connections based on this extraction, which might put customer’s information and privacy at risk.. Essay Writing Service Companies such as IBM are working on methods of mining data that will allow for complete individual privacy while still creating accurate models of data.. Privacy concerns are becoming an important issue in data mining because of the risks behind it, especially that many of the consumers who buy products or services are not conscious of data mining technology.. Data mining is the process of creating a sequence of correct and meaningful queries to extract information from large amounts of data in the database.. The definite complexity in data mining is building up accurate models for data analysis without giving the right to use the information in specific customer records, which will secure the database from being used the wrong way.. Security problems in data mining are one of the most popular concerns because of the fact that when using data mining individuals are usually working with large amount of information, and they can have access to it easily.. As data mining guarantees to open up lots of new fields for extracting information from both old databases and future databases that may be developed with data mining as a support purpose, the data mining session in some large companies suggest that there can be serious security issues in data mining.. Data warehousing companies must monitor who has access to the data within and what parts of the data warehouse they have access to.. The act reads that any department of agency of the Federal Government or any agency associated doing work for the Federal Government “shall submit a report to Congress on all such activities of the department or agency under the jurisdiction of that official.” The report must include the activities goals, dates data mining was deployed, a description of how data mining was used and the “the basis for determining whether a particular pattern or anomaly is indicative of terrorist or criminal activity.” As well as a description of data sources, assessment of efficacy of the data mining in providing accurate information, its impact on privacy or civil liberties and laws or regulations that government the information.

Europäische Daten aus dem SWIFT-Finanztransaktionssystem wurden von Europol seit Jahren en gros zur „Durchsuchung“ an das US-Finanzministerium geliefert. Diese Daten landeten bei der CIA.

Der parallel dazu bekannt gewordene Sachverhalt, dass Europol laufend massive Datensätze aus dem europäischen SWIFT-Finanztransaktionssystem zum Data-Mining an die CIA liefert, ging an der Öffentlichkeit bis jetzt vorbei.. Die Datentransfers von Europol in die USA geschehen auf Basis des sogenannten „Terrorist Finance Tracking“- Vertrag zwischen der EU und den USA aus dem Jahr 2009.. Seit der Unterzeichnung des TFTP-Vertrags 2009 wurden Daten aus dem europäischen SWIFT-System von Europol an die USA geliefert, offiziell gingen sie zur „Durchsuchung“ an US Treasury, das Finanzministerium der USA.. Das war der Stand der Dinge bis November 2020, auch dem PCLOB als zuständiger Aufsichtsinstanz war da noch nicht bekannt, dass diese massiven Datenmengen aus Europa spätestens seit 2016 auch in Kopie an die Central Intelligence Agency gingen.. Das Gros muss also von „Third Parties“ stammen, die laufend riesige Datenmengen produzieren, und da ist das SWIFT-System natürlich der erste Kandidat.. Die ominösen „Datensätze aus Drittstaaten“, die in den Begleitdokumenten zur neuen Europol-Regulierung mehrfach ausdrücklich erwähnt werden und einen guten Teil der Daten ausmachen, sollten also großteils die Überweisungen von ausländischen Banken an Konten im EU-Raum sein.. Wie dem obigen Ausriss zu entnehmen ist, wurde dieses Data-Mining-Programm der CIA, in dem mit großer Sicherheit mehrheitlich Datensätze aus dem europäischen SWIFT-System verarbeitet werden, auch an allen Kontrollinstanzen des „Foreign Intelligence Surveillance Act“ (FISA) vorbeigeschleust.. Das wäre auch die plausibelste Erklärung für die absolute Geheimhaltung durch Umgehung aller US-Kontrollinstanzen der CIA.. Im Schlagschatten dieses Kriegs an den EU-Außengrenzen wurden von der Kommission im Zusammenspiel mit der französischen Ratspräsidentschaft nämlich umfassende neue Überwachungskompetenzen in der Europol-Verordnung durchgedrückt.. Man vergleiche diesen Ausriss aus dem ersten „Data Mining Report“ der CIA von 2016 mit der Passage aus dem TFTP-Vertrag weiter oben.. Von diesem Dokument wurde jetzt auch nur die Präambel veröffentlicht, sowie eine Art Abstract des Inhalts: „Der klassifizierte Annex enthält: Beschreibung der Aktivität; Beschreibung der Technologie und der Methoden; Beschreibung der Datenquellen“ etc.. Data-Mining durch die EU-Behörde wurde damit legal, im Kommissionsentwurf für die Verordnung gegen Kindesmissbrauch im Netz von Mitte Mai wird nun versucht, diese nachrichtendienstliche Methode der verdachtslosen Suche nach Mustern und „Anomalien“ in massiven Datensätzen in den normalen Polizeialltag zu transferieren.

Videos

1. Privacy Specialist Responds to John Oliver's "Data Brokers" Segment!
(Techlore)
2. The Watchers: The Rise of America's Surveillance State
(Microsoft Research)
3. Privacy Concerns, Data Mining & Information Security
(Dan Dullea)
4. UNBELIEVABLE!! Report: NSA phone spying program illegal Amazing!!! - HD
(zChannel X)
5. Data Privacy Meets Regulatory Oversight in Debt Collections
(Masterqueue Powered by Intellaegis)
6. Data Discovery & Classification A Swiss Army Knife for Privacy and Security Compliance
(Spirion)

You might also like

Latest Posts

Article information

Author: Fr. Dewey Fisher

Last Updated: 08/15/2022

Views: 5839

Rating: 4.1 / 5 (42 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Fr. Dewey Fisher

Birthday: 1993-03-26

Address: 917 Hyun Views, Rogahnmouth, KY 91013-8827

Phone: +5938540192553

Job: Administration Developer

Hobby: Embroidery, Horseback riding, Juggling, Urban exploration, Skiing, Cycling, Handball

Introduction: My name is Fr. Dewey Fisher, I am a powerful, open, faithful, combative, spotless, faithful, fair person who loves writing and wants to share my knowledge and understanding with you.