2012 11 29 NYT Ex-NASA Scientist’s Effort to Protect Privacy Is Frustrated by Courts and Thieves – NYTimes.com
Losing in Court, and to Laptop Thieves, in a Battle With NASA Over Private Data
In 2007, Robert M. Nelson, an astronomer, and 27 other scientists at the Jet Propulsion Laboratory sued NASA arguing that the space agency’s background checks of employees of government contractors were unnecessarily invasive and violated their privacy rights.
Privacy advocates chimed in as well, contending that the space agency would not be able to protect the confidential details it was collecting.
The scientists took their case all the way to the Supreme Court only to lose last year.
This month, Dr. Nelson opened a letter from NASA telling him of a significant data breach that could potentially expose him to identity theft.
The very thing he and advocates warned about had occurred. A laptop used by an employee at NASA’s headquarters in Washington had been stolen from a car parked on the street on Halloween, the space agency said.
Although the laptop itself was password protected, unencrypted files on the laptop contained personal information on about 10,000 NASA employees — including details like their names, birth dates, Social Security numbers and in some cases, details related to background checks into employees’ personal lives.
Millions of Americans have received similar data breach notices from employers, government agencies, medical centers, banks and retailers. NASA in particular has been subject to “numerous cyberattacks” and computer thefts in recent years, according to a report from the Government Accountability Office, an agency that conducts research for Congress.
Even so, Dr. Nelson, who recently retired from the Jet Propulsion Laboratory, a research facility operated by the California Institute of Technology under a contract with NASA, stands out as a glaring example of security lapses involving personal data, privacy advocates say.
“To the extent that Robert Nelson looks like millions of other people working for firms employed by the federal government, this would seem to be a real problem,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, an advocacy group which filed a friend-of-the-court brief for Dr. Nelson in the Supreme Court case.
In a 2009 report titled “NASA Needs to Remedy Vulnerabilities in Key Networks,” the Government Accountability Office noted that the agency had reported 1,120 security incidents in fiscal 2007 and 2008 alone.
It also singled out an incident in 2009 in which a NASA center reported the theft of a laptop containing about 3,000 unencrypted files about arms traffic regulations and wind tunnel tests for a supersonic jet.
“NASA had not installed full-disk encryption on its laptops at all three centers,” the report said. “As a result, sensitive data transmitted through the unclassified network or stored on laptop computers were at an increased risk of being compromised.”
Other federal agencies have had similar problems. In 2006, for example, the Department of Veterans Affairs reported the theft of an employee laptop and hard drive that contained personal details on about 26.5 million veterans. Last year, the G.A.O. cited the Internal Revenue Service for weaknesses in data control that could “jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.”
Also last year, the Securities and Exchange Commission warned its employees that their confidential financial information, like brokerage transactions, might have been compromised because an agency contractor had granted data access to a subcontractor without the S.E.C.’s authorization.
On Wednesday, Dr. Nelson, the astronomer, and several other scientists in the NASA case held a news conference in which they asked members of Congress to investigate NASA’s data collection practices and the recent data breach.
Robert Jacobs, a NASA spokesman, said the agency’s data security policy already adequately protected employees and contractors because it required computers to be encrypted before employees took them off agency premises. “We are talking about a computer that should not have left the building in the first place,” Mr. Jacobs said. “The data would have been secure had the employee followed policy.”
The government argued in the case Dr. Nelson filed that a law called the Privacy Act, which governs data collection by federal agencies, provided the scientists with sufficient protection. The case reached the Supreme Court, which upheld government background checks for employees of contractors.
The roots of Dr. Nelson’s case against NASA date to 2004 when the Department of Homeland Security, under a directive signed by President George W. Bush, required federal agencies to adopt uniform identification credentials for all civil servants and contract employees. As part of the ID card standardization process, the department recommended agencies institute background checks.
Several years later, when NASA announced it intended to start doing background checks at the Jet Propulsion Laboratory, Dr. Nelson and other scientists there objected.
Those security checks could have included inquiries into medical treatment, counseling for drug use, or any “adverse” information about employees such as sexual activity or participation in protests, said Dan Stormer, a lawyer representing Dr. Nelson.
But Dr. Nelson and other long-term employees of the lab challenged the legality of those checks, arguing that they violated their privacy rights. NASA, they said, had not established a legitimate need for such extensive investigations about low-risk employees like themselves who did not have security clearances or handle confidential information. Dr. Nelson, for example, specializes in solar system science — concerning, for example, Io, a moon of Jupiter, and Titan, a moon of Saturn — and publishes his work in scientific journals.
“It was an invitation to an open-ended fishing expedition,” Dr. Nelson said of the background checks.
In friend-of-the-court briefs for Dr. Nelson, privacy groups cited many data security problems at federal agencies, arguing that there was a risk that NASA was not equipped to protect the confidential details it was collecting about employees and contractors.
In 2008, the United States Court of Appeals for the Ninth Circuit in San Francisco temporarily halted the background checks, saying that the case had raised important questions about privacy rights. But last year, the Supreme Court upheld the background investigations of employees of government contractors.
Dr. Nelson said he retired from the Jet Propulsion Laboratory last June rather than submit to a background check. He now works as a senior scientist at the Planetary Science Institute of Tucson.
NASA has contracted with ID Experts, a data breach company, to help protect employees whose data was contained on the stolen laptop against identity theft. Mr. Jacobs, the NASA spokesman, said the agency has encrypted almost 80 percent of its laptops and plans to encrypt the rest by Dec. 21. He added that he too received a letter from NASA warning that his personal information might have been compromised by the laptop theft.