
Outline of Report

Executive Summary

Introduction

Overview of process to develop recommendations

Recommendations are provided to the Legislature and may or may not be incorporated into legislation

Issues identified during the public hearing process

Inconclusive nature of information presented regarding RFID privacy issues

Recommendations are not being exclusively made for RFID technologies

Overview of the structure of the remainder of the report

Applicability of Recommendations for non-State Government Agencies



Outline of Report (cont)

Need/Adequacy/Design

Background

Need:

Current Requirements for California State Agencies

Recommendations for non-State Government Agencies

Technology Assessment

Current Requirements for California State Agencies

Recommendations for California State Agencies

Recommendations for non-State Government Agencies

Design

Recommendations for California State and non-California State Agencies



Outline of Report (cont)

Public Participation/User Awareness/Feedback Mechanisms

Background

Forum for the Public

Recommendations for California State and non-California State Agencies

Public Education

Recommendations for California State and non-California State Agencies

Public Feedback

Recommendations for California State and non-California State Agencies

Data Management and Access

Background

Forum for the Public

Current Requirements for California State Agencies

Recommendations for non-California State Agencies

Penalties for Noncompliance

Current Requirements for All Computer Data and Computer Systems in California

Recommendations for Penalties for Noncompliance

Appendix: Comment Letters from Panel Members



Applicability of Recommendations for Non-State Government Agencies

Applicability: All county or municipal governments or subdivisions or agencies thereof (hereinafter referred to as “non-State government agencies”) when implementing a new government-issued identification system that will allow the association of data with a particular human being or when making changes to identification documents or related systems that will create new privacy risks.

Exemption: County or municipal governments or subdivisions or agencies thereof can choose to implement new systems or modify existing systems without meeting the recommendations where the government-issued identification system relates to internal government operations, has been previously assessed under an evaluation similar to the recommendations, or where privacy issues are unchanged.



Determine the Need - Background

Testimony was provided stating that an agency should identify the specific needs for a new publicly-issued government-issued identification system. These needs can range from issues regarding the reliability of a previous system to concerns regarding counterfeiting.

The users of the new publicly-issued government-issued identification system will also have needs. These can range from ease of use to security and privacy concerns.

To adequately assess which technologies should be utilized in a new publicly-issued government-issued identification system, a government agency must have clearly-established objectives for the new system.

Without information regarding the purpose, needs, or objectives, an analysis of the general suitability of a technology for government-issued identification documents has rendered inconclusive results.



Determine the Need – Current Requirements for California State Agencies

A California State Government department, office, board, commission, institution and special organization entity (except UC, CSU, the State Compensation Insurance Fund, community college districts, agencies provided in Article VI of the Constitution (Judicial entities), or the Legislature) deploying a publicly-issued government-issued identification system is currently required to follow the provisions of Chapter 4800 of the State Administrative Manual. These provisions include the identification of information technology needs during a feasibility study process. As part of the process, an agency must:

Develop an understanding of a problem (or opportunity) in terms of its effect on the agency’s mission and programs

Develop an understanding of the organizational, managerial, and technical environment within which a response to the problem or opportunity will be implemented

Establish programmatic and administrative objectives

Prepare concise functional requirements



Determine the Need – Recommendations for Non-State Government Agencies

Identify information technology needs during a feasibility study process. As part of the process, an agency shall:

Develop an understanding of a problem (or opportunity) in terms of its effect on the agency’s mission and programs

Develop an understanding of the organizational, managerial, and technical environment within which a response to the problem or opportunity will be implemented

Establish programmatic and administrative objectives

Prepare concise functional requirements



Technology Assessment - Background

An agency issuing a new type of government-issued identification document should select a technology that best meets the objectives of the program, is cost effective, and actually works in the real world.

Members of the public have expressed both reservations about and benefits of certain types of technologies. These should be addressed in a public input process where the public can express their concerns or provide recommendations.

Because contactless technologies are constantly changing, an analysis of the strengths and weaknesses of any particular technology has rendered inconclusive results. Without information regarding the operating parameters of any technology that may be developed in the future, insufficient data exists for an analysis.



Technology Assessment – Current Requirements for California State Agencies

A California State Government department, office, board, commission, institution and special organization entity (except UC, CSU, the State Compensation Insurance Fund, community college districts, agencies provided in Article VI of the Constitution (Judicial entities), or the Legislature) deploying a publicly-issued government-issued identification system is currently required to follow the provisions of Chapter 4800 of the State Administrative Manual. These provisions include a technology assessment during a feasibility study process. As part of the process, an agency must:

Identify and evaluate alternative systems

Prepare an economic analysis for each alternative that meets the established objectives and functional requirements

Select the alternative that is the best response to the problem or opportunity



Technology Assessment – Draft Recommendations for California State Agencies

During the Feasibility Study Process, the agency shall:

Consider feasible alternative systems, including, but not limited to:

- RF Technologies
- Bar Codes (linear and 2D)
- Color Shifting Ink
- Watermarks
- Holograms
- Security Threads
- Microprinting
- Guilloche printing
- UV Sensitive Printing
- Color
- Magnetic Strips
- Serial Numbers
- Smart Cards

Perform a privacy impact assessment that includes the following:

What information will be on the document.

What information will be collected and/or stored.

Why the information is on the document.

Why the information is being read, collected, and/or stored.

The intended use of the information.

With whom the information will be shared (e.g., another agency for a specified programmatic purpose).

What opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how individuals can grant consent.

How the information will be secured (e.g., administrative and technological controls).



Technology Assessment – Draft Recommendations for California State Agencies (cont)

Perform an analysis of the privacy impact assessment that includes the following:

An identification of what choices the agency made regarding the new or modified government-issued identification document system as a result of performing the privacy impact assessment.

A privacy impact analysis related to systems development, including, as warranted and appropriate, statement of need, functional requirements analysis, alternatives analysis, feasibility analysis, benefits/cost analysis, and, especially, initial risk assessment.

An analysis of the impact the system will have on an individual’s privacy, specifically identifying and evaluating potential threats relating to each, to the extent these elements are known at the initial stages of development.

The privacy impact assessment may need to be updated before deploying the system to consider elements not identified at the concept stage (e.g., retention or disposal of information), to reflect a new information collection, or to address choices made in designing the system or information collection as a result of the analysis.



Technology Assessment – Draft Recommendations for California State Agencies (cont)

When deploying a new technology, an agency can only select the technology that provides the appropriate level of security and privacy by:

Analyzing the potential technologies under consideration against, but not limited to, the following security/privacy concerns:

- Cloning
- Counterfeiting
- Reliability
- Tampering
- Tracking
- Spoofing
- Skimming
- Replay/relay
- Read range
- Ability to be read without user knowledge

Considering the necessity of the following features to ensure security/privacy:

- Encryption
- Faraday cage
- Sensor detection alerts
- PIN number
- On/off switch
- Opt out/in options
- Authentication
- Basic access controls



Technology Assessment – Recommendations for Non-State Government Agencies

Process will be similar to that outlined for California State Government Agencies. The process can be integrated into a component or components of the agency’s existing procurement process.



Design - Background

Advisory panel members and the public expressed an interest in the continuing security of a new system after the end of its useful life. These times include when the document is lost, stolen, or disposed of.



Design – Draft Recommendations for California State Agencies and Non-State Government Agencies

When selecting a new technology, an agency must enact rules to ensure that the user’s privacy is protected if the card is lost, stolen, or disposed of:

When a document is lost or stolen, the agency shall have a process in place to prevent the unauthorized use of the document and to limit access to personal information that may be contained within the document.

Agencies must develop rules or protocols for the public to follow to protect the user’s privacy and security when disposing of the identification document. This may include, but is not limited to, procedures to deactivate, destroy, or otherwise render the document unreadable or unusable. Users of the document must be provided clear instructions when the document is delivered or received by the user.



Forum for the Public - Background

The public has expressed the desire to participate in a discussion on the benefits versus the concerns of a government-issued identification document system.



Forum for the Public – Draft Recommendations for California State Agencies and Non-State Government Agencies

To increase public participation and improve the quality of the privacy impact assessment, government agencies shall involve parties in public discussions regarding the adequacy of the privacy impact assessment.

Agencies shall publish and distribute a public notice for the proposed privacy impact assessment and a statement of the time, place, and nature of a public hearing.

At the public hearing, both oral and written statements, arguments, or contentions shall be permitted.

The agency will consider any comments received and make changes to the privacy impact assessment as warranted.

The agency will prepare a draft “determination statement” summarizing each objection or recommendation regarding the specific amendment proposed together with an explanation of how the final privacy impact assessment has been changed to accommodate each objection or recommendation, or the reasons for making no change. The statement shall also contain a written determination that no alternative considered by the agency would be more effective in carrying out the programmatic and administrative objectives and functional requirements of the new or modified system.

The draft determination statement will be posted and publicly noticed at least 30 days before the agency will be allowed to complete a final “determination statement”.



Public Education - Background

Currently, government-issued identification documents may be issued to users with little or no information on the nature or use of the document.

Users may not be routinely informed of the nature of the document, nor of privacy or security measures in place, if any.

The public would like to take a more active role in the use of the document, demanding full disclosure, user rights, and the inclusion of active controls whenever possible.



Public Education – Current Requirements for California State Agencies and Draft Recommendation for Non-State Government Agencies

Article 8 of the Information Practices Act of 1977 (California Civil Code Sections 1798.30-1798.44) provides the public access to records and administrative remedies. The section does not apply to non-State government agencies.

It is recommended that non-State government agencies allow the user of government-issued identification documents to have the right to inquire and be notified as to whether the agency maintains a record about himself or herself and to make those records available in accord with the provisions of the Information Practices Act.



Public Education – Draft Recommendations for California State Agencies and Non-State Government Agencies

During the period of time that a new or modified document is being issued or used, the agency will provide information to the user regarding how the system works and how personal data will be used or managed.

The agency will provide information to the user when the document is issued that includes:

- The reason for issuance of the ID
- The personal information, if any, that is contained in the document or is being collected, transmitted, or stored
- Description of transmittal, privacy, security measures
- User rights, including proactive measures that the user can take to prevent unauthorized use
- Contact number for questions

At those agency operated locations where a card will be read remotely using radio waves, the agency will post a notice or display a clear and conspicuous sign, placard, poster, or other similar written notice at each reader’s actual location indicating that the agency has placed an identification document reader at that location.



Public Feedback - Background

Agencies that issue identification documents should provide the public with a means of offering feedback, giving recommendations, and reporting fraud and abuse.

If feedback were solicited from users, an agency would have the means of analyzing the effectiveness of a government-issued identification system after implementation. Such analysis could be transparent, allowing the public and other agencies to gauge the effectiveness of the system.

Feedback would allow an agency to enhance privacy and security based on users’ experiences. The agency should develop a method to receive feedback and establish a process to evaluate the comments it receives.



Public Feedback – Draft Recommendations for California State Agencies and Non-State Government Agencies

An agency must provide the opportunity for the public to offer suggestions, alternatives, and other types of feedback to the agency.

An agency using an ID must put in place a process to receive feedback from users. The process shall include:

- Providing users a method to report unauthorized use, abuse, or fraud
- Providing users a method to have questions answered
- Occasional surveys of users

Any claimed effectiveness of the government-issued identification document must be based on analysis and shall be made publicly available.



Data Management and Access - Background

Members and the public expressed that any agency that utilizes a new or modified government-issued identification document should promulgate data management rules that ensure data privacy to the greatest extent possible and that restrict access to the data to authorized users only.



Data Management and Access – Current Requirements for California State Agencies

A California State Government department, office, board, commission, institution and special organization entity (except UC, CSU, the State Compensation Insurance Fund, community college districts, agencies provided in Article VI of the Constitution (Judicial entities), or the Legislature) deploying a publicly-issued government-issued identification system is currently required to follow the provisions of Chapter 4800 of the State Administrative Manual. These provisions include provisions to provide integrity and security of its information assets. An agency must:

Identify all automated files and databases for which the agency has ownership responsibility

Ensure that responsibility for each automated file or database is defined

Enter into agreements with non-state entities for security

Establish appropriate policies and procedures to protect and secure IT infrastructure



Data Management and Access – Recommendations for Non-State Government Agencies

Process will be similar to that outlined for California State Government Agencies



Penalties for Noncompliance - Background

It was suggested that organizations that collect data should be responsible for safeguarding the data and that guidelines to ensure data privacy should be promulgated. Since a breach of privacy can have severe economic or social consequences for the user, it was suggested that there should be high fines or penalties when data security is breached.



Penalties for Noncompliance – Current Requirements for All Computer Data and Computer Systems in California

Section 502 of the California Penal Code contains penalties for individuals, businesses, and government agencies that tamper with, interfere with, damage, or obtain unauthorized access to lawfully-created computer data and “computer systems”. The most serious criminal penalties are a $10,000 fine and imprisonment for 2-3 years. Section 502 also provides for civil action for compensatory damages and injunctive relief.

“Computer systems” include (but are not limited to) input/output devices, databases and transmission networks. However, government-issued identification documents are not specifically addressed.



Penalties for Noncompliance – Draft Recommendations

Amend California Penal Code Section 502(b) to include government-issued identification documents containing electronic data as an input device for “computer systems”.

Amend California Penal Code Section 502(c) to include the theft, interference with, or unauthorized access to data from government-issued identification documents containing electronic data as a specific public offense.

Amend California Penal Code Section 502(d)(1) to include the public offense noted above as a crime punishable by up to 2-3 years of prison and a $10,000 fine.

Amend California Penal Code Section 502.6(a) (fraudulent use of information from magnetic stripe credit and debit cards) to include all government-issued identification technologies utilizing electronically-coded personal data.

Amend California Civil Code Section 1798.90.1 (driver's license data contained on magnetic stripe) to include all government-issued identification technologies utilizing electronically-coded personal data.

Amend California Penal Code Section 630, et seq. (criminal penalties for unauthorized wiretapping, electronic eavesdropping, intercepting cellular telephone communications, and electronic tracking of individuals) to include all government-issued identification technologies utilizing electronically-coded personal data.

