
computers can produce massive amounts of data in a short time span, the attendant large-scale risks of compromise of personnel data will warrant upgrading of the afforded protection, perhaps even equivalent to that used for national defense information. This means that the full panoply of protection used for national security matters may be necessary, including the screening of personnel; physical security measures such as combination locks, guards, and electronic alarms; and scramblers, encoding devices and other safeguards designed to be compatible with the elements of a computer-communications system.

Currently, thousands of employees (clerks and others) have access to and process personnel records. Once the proposed system is under way the number of persons needed to process and store personnel data should be fewer. Since the cost and effectiveness of security precautions are in part a function of the number of persons involved in operating the system, the anticipated reduction in the number of people who "need to know" should facilitate attainment of the security goal.

Little information is available about the costs of the kinds of security precautions which are discussed below. About a year and a half ago, a computer expert estimated that the construction of appropriate safeguards for the telecommunications link of a computer system would augment its costs in the order of magnitude of 3 to 10 times. Within the past few months, however, two estimates concerning more significant and costly elements of the computer complex indicate that an order of magnitude of about 10% of construction and operating costs is more likely. One such estimate was stated in terms of the additional time needed by programmers to devise program limitations on access to various areas of the memory facility of a computer system in use by a large industrial concern. The other is based on actual experience with a functioning computer system handling national defense classified information. We suggest that as design and construction of the system under study develops, its architects also develop standards to guide judgments on different levels of security as applied to each element of the system expressed in terms of cost-benefit ratios.

THE COMPUTER/COMMUNICATIONS SYSTEM

No determination has been made as to even the general configuration of the Federal Manpower Information System. Because of the number of personnel whose files will be involved, agency habits on maintenance of such files, and agency needs for data, we anticipate a nationwide system using existing computer systems or having perhaps a half-dozen computer centers, linked to each other by a communications network, each being accessible through communications links to subordinate offices within the using agencies.

The basic ingredient in the system, the computer, is a conglomerate of various pieces of equipment performing discrete functions. If all of these functions were performed in a single building, and if access to information processed by the computer was limited to those who came to the building, the security problem would take its simplest form. Physical security of the space and proper operation of the facility by cleared personnel would be adequate. A host of problems arises when the functions are removed from a single center.

Basically, the modern computer consists of the following devices:

An input device, capable of sensing or reading data for the purpose of incorporating it in the storage or memory facilities of the system. Associated equipment includes machines for punching cards or otherwise processing information so that it may be read or sensed by the input device.

A memory device which stores information, usually in the form of magnetic tapes, cores, drums or discs.

A processing device that performs such functions as addition, subtraction, multiplication and comparison of data items.

An output device which either prints data so that it can be read or makes it available in some other usable form; for example, by placing it on a magnetic tape so that it can be stored or used, or by reflecting it on a cathode ray tube. The output from a computer can be in the form of input for another computer. For security purposes output can take the form of electronically closing a door, making or breaking an electrical circuit, lighting a bulb, ringing a bell, etc.

A control device which supervises the functioning of the entire system, orders the sequence for performance of different computer functions and mandates the performance of programs.

It is possible to design a computer so that any one or more of its functions is spatially separated from any other function. Arrangements in current use reflect that the memory, processing and control devices are normally placed in a central location while input and output devices may be many miles removed. These remote input or output terminals are connected to the central units by communication lines. Communication with the central unit is often performed by teletype, although other devices, like dataphones, are also used.

It is obvious that the security of private data depends on the security precautions taken at each stage of the processing or transmission of data. We will not dwell on the kinds of physical security precautions applicable here which are used for classified national defense information subject to Executive Order 10501. These are well known and would be applied to the space (and its contents) used for housing computer equipment and storing such material as files, punch cards, tapes, print-outs, etc. Similar considerations permit us to ignore the subject of security clearance of personnel. Neither will we concern ourselves with the encrypting and scrambling techniques used by the National Security Agency for long-range transmission of classified information. We will survey only those areas of protection about which doubts have been expressed to see whether adequate protection in such areas is feasible.

LIMITATIONS ON ACCESS TO THE SYSTEM

The problems of protection of private data in the proposed system can be stated in terms of limitations on access to data, the chief variables being the persons to whom specified access levels are authorized, the equipment through which access is sought, and differences in the kinds of data being sought. For example, each agency should be able, as now, to retrieve information concerning its own employees, access within the agency being restricted to persons who "need to know" the information sought. As a general rule, however, no agency should be able to obtain private data, or perhaps any data identifiable with specific individuals, concerning another agency's employees. At the same time, an agency like the Civil Service Commission or the Bureau of the Budget should be able to retrieve statistical data from the system (such as the number of employees reaching retirement age in 1969) so long as information identifiable with specific individuals is not made available. There may also be occasions where the Commission or Bureau would be entitled to reach information so identifiable.

Equipment designers, manufacturers and programmers have used the following means of permitting selective access by different hierarchies of users to different grades of information.

1. Limitation to one of a series of computers, or to a particular area of a computer's memory.—In a recent article on Computer Safeguards: "How Safe are They" (System Development Corporation Magazine, July-August, 1967, p. 28) Charles Fanwick concludes "that it is possible to design and build the hardware so as to provide any desired degree of prohibition of privacy-violating accessions." The author there poses a hypothetical problem involving data stored in two linked computers in such fashion as to prohibit cross-linking of specific bits of information (such as income and name, or income and social security number), and resolves the problem at costs for additional hardware only "somewhat higher than that of a single monolithic unit designed conventionally without barriers." While a limitation on use of this kind of design is that as the number of impermissible combinations rises, the costs rise exponentially, the technique may be adaptable to the proposed system.

A variant of such multiple computer use for the segregation of classified information from other information is provision of a manually operated switch which permits making one computer's memory storage and processing unavailable to the terminals of the other computer. Since ultimately the men who operate the computer center control the system, all manner of devices can be designed for their use which will permit the most severe restrictions on access, once they are alerted to the need for special limitations.

In a single computer the blocking off of parts of its memory, or the prohibition against linkage of specific items of data, is controllable through special programming. The accumulation of special programming techniques into a cohesive security monitoring device controlling the processing of classified data at the National Security Agency is described in "Security Considerations in a Multiprogrammed Computer System" by Bernard Peters (Report of the Spring Joint Computer Conference, 1967, p. 283).

2. The security of remote terminals.—Aside from physical security, remote terminals present the problem of identification of authorized users. In current use are passwords, identifying numbers and card keys assigned only to authorized personnel. In one demonstration to some members of the study group, a user at a remote teletype machine dialed a prescribed unlisted phone number to gain access to the computer facility, and communicated an incorrect identification number to the computer. It performed as it was programmed to do by cutting his connection, necessitating his redialing of the number. Some terminals are equipped to read special perforated cards, similar to credit cards, to permit access. Research is currently being conducted to see whether fingerprints or voice prints can be developed for more positive identification of specific authorized persons.

Refinements of such techniques are limited only by imagination. A computer can be programmed, for example, to refuse information to a remote terminal which exceeds a given frequency of false starts, seeks information from memory areas it is not authorized to explore, or asks otherwise invalid questions. Similar behavior can trigger an alarm or alert those in control to order immediate physical examination of the facility.

3. Auditing of computer transactions.—A computer can be programmed to keep a log of each transaction any part of the total system is made to perform, or of selected transactions only. Such logs can identify the user, the time of day, the part of the memory explored, etc. Programs can be devised for the examination of such data by computer to facilitate determination of the need for additional security precautions if certain information seems subject to overuse. Audit programs and devices can be subjected to constant pressure from "friendly" crews of knowledgeable computer operators, designers and programmers who use their best efforts to compromise the security of the system in order, ultimately, to upgrade its security.
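The following is an added illustration, not part of the report, of the controls items 2 and 3 describe: a program that examines a transaction log (user, time of day, memory area explored) and flags terminals exceeding a frequency of false starts, users seeking areas they are not authorized to explore, and areas that seem subject to overuse. The log format, the field names, the authorization table, the thresholds and the log lines themselves are all constructed for the example.

```python
"""Added example: review of a constructed computer transaction log for
false-start lockouts, unauthorized memory-area requests and overuse.
Log format, thresholds and names are assumptions, not from the report."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (one transaction per line); not real system output.
SAMPLE_LOG = "\n".join([
    "1967-12-22T09:00:10 terminal=T07 user=U123 area=PERSONNEL/AGENCY_A result=OK",
    "1967-12-22T09:00:25 terminal=T09 user=? area=- result=BAD_ID",
    "1967-12-22T09:00:31 terminal=T09 user=? area=- result=BAD_ID",
    "1967-12-22T09:00:40 terminal=T09 user=? area=- result=BAD_ID",
    "1967-12-22T09:00:47 terminal=T09 user=? area=- result=BAD_ID",
    "1967-12-22T09:01:02 terminal=T07 user=U123 area=PERSONNEL/AGENCY_B result=DENIED",
    "1967-12-22T09:01:30 terminal=T02 user=U555 area=STATISTICS result=OK",
] + [  # twelve rapid reads of one agency's records by a single user
    f"1967-12-22T09:02:{i:02d} terminal=T02 user=U555 area=PERSONNEL/AGENCY_A result=OK"
    for i in range(12)
])

# Hypothetical authorization table: the memory areas each user may explore.
AUTHORIZED = {
    "U123": {"PERSONNEL/AGENCY_A"},
    "U555": {"STATISTICS", "PERSONNEL/AGENCY_A"},
}

def parse_log(text):
    """Turn 'TIMESTAMP key=value ...' lines into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["time"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events

def review(events, authorized, max_false_starts=3, max_area_reads=10, window=300):
    """Return findings in time order; each frequency rule fires once per subject."""
    findings, flagged = [], set()
    recent = defaultdict(list)  # (rule, subject...) -> timestamps inside the window

    def exceeds(key, when, limit):
        history = recent[key]
        history.append(when)
        history[:] = [t for t in history if (when - t).total_seconds() <= window]
        if len(history) > limit and key not in flagged:
            flagged.add(key)
            return True
        return False

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] == "BAD_ID":  # incorrect identification: a false start
            if exceeds(("false_start", ev["terminal"]), ev["time"], max_false_starts):
                findings.append(f"LOCKOUT terminal {ev['terminal']}: >{max_false_starts} false starts in {window}s")
            continue
        if ev["area"] not in authorized.get(ev["user"], set()):
            findings.append(f"ALARM user {ev['user']} at {ev['terminal']} sought unauthorized area {ev['area']}")
        if exceeds(("overuse", ev["user"], ev["area"]), ev["time"], max_area_reads):
            findings.append(f"REVIEW user {ev['user']} read {ev['area']} >{max_area_reads} times in {window}s")
    return findings

if __name__ == "__main__":
    print(*review(parse_log(SAMPLE_LOG), AUTHORIZED), sep="\n")
```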

CONCLUSION

We are at a very early stage in the process of determining whether it is feasible to construct a computerized Federal Manpower Information System having "real-time" capability and permitting adequate protection of private data. Our review of the current state of the art indicates there are no insurmountable technological barriers to construction of such a system.

RECOMMENDATION

We note briefly above the importance we ascribe to the protection of privacy. The recommendation we are about to make is an expression of our awareness of the serious debate currently raging concerning the degree to which erosions in the protection of privacy will have dehumanizing social effects and will permit attainment of an Orwellian political state even prior to 1984. That debate occurs in the context of whether a statistical computerized data bank which would perform clearly desirable functions should be constructed at all, unless there can be full assurance that it will not be used as an "intelligence" system, i.e., assurance that private data necessarily incorporated into the system can and will be protected from inadvertent or deliberate disclosure. The proposed system being studied by Interagency Group 246 presents the hard question most directly. Manpower management requires the feared intelligence system.

Accordingly, we think desirable, and we recommend, that the Civil Service Commission consider formation in the immediate future of an advisory group on the protection of privacy in the proposed system. This group should have access to all information concerning development of the proposed system, and should report directly to the Chairman of the Civil Service Commission. Its members should be persons of stature who have access to, and will solicit the views of, the leading spokesmen for the various sectors of interest identified in the current debate, such as the Congress, the public, the computer industry and the Executive branch. The working staff of such a committee should include persons versed in the following disciplines: constitutional law, sociology, psychology, management, mathematical and descriptive statistics, computer science, and the design, manufacture, operation and programming of computers.

Study Group 5 report submitted by:

DECEMBER 22, 1967.

ANTHONY L. MONDELLO,
Department of Justice.

EDWARD N. JOHNSON,
General Services Administration.

DAVID ROSENBLATT,
National Bureau of Standards.

KARL RUEDIGER,
Civil Service Commission.

ENCLOSURE 3c-1

INTRODUCTION TO THE FEDERAL PERSONNEL MANAGEMENT INFORMATION SYSTEM (FPMIS)

STANDARDIZATION OF DATA ELEMENTS AND CODES

(PHASE I)

Since late 1967, the Civil Service Commission has been actively engaged in identifying data elements required for the processing of personnel data and has been developing and coordinating standard definitions and codes for these elements. To date, 48 standards and 4 FIPS standards have been completed and are nearing readiness for publication. Standards will be developed for all data elements to be included in the standard statistical system by the time it is installed.

PAPERWORK SIMPLIFICATION-(PHASE II)

The personnel paperwork system in use today has remained essentially unchanged since 1950, with the exception of a proliferation of forms and demands for more information at all levels of the government. Forms and procedures were designed for manual processing and have not proven suitable for use in automated systems, thereby limiting the benefits which could be realized through modern technology.

The Commission has designed a simplified personnel paperwork system which will reduce the number of forms in use, will eliminate much of the redundancy of data in the system, and will reduce the workload and cost of paperwork processing through more efficient procedures. This system has been tested, and the procedures and final drafts should be ready for coordination with agencies and departments in the near future. The target date for beginning implementation of the system is July 1971.

GOVERNMENT-WIDE STANDARD PERSONNEL STATISTICAL SYSTEM-(PHASE III)

The concept of the statistical system calls for the establishment and maintenance of a standard computerized record on every Federal employee to be maintained at agency or departmental level for agencies with centralized automated systems or on a decentralized basis for agencies whose systems are geographically dispersed. For smaller agencies which have no access to computers, these records will be maintained by a central service bureau. The records will be duplicated at the Civil Service Commission and will be kept up-to-date by scheduled replacement of records through magnetic tape submissions from the various agencies. All agency records will contain a standard minimum essential number of data items prescribed by the Civil Service Commission, but additional data may be added to meet unique requirements of the agencies. Agency files will be used for the preparation of internal statistical reports and for providing personnel management and decision-making information to agency and lower levels.

The record at the Commission will contain only that data required for statistical purposes at Commission, lateral, and higher levels. When the system is operational, all Commission reporting requirements on the data contained in these records will be satisfied from the Commission's files and agency reports eliminated, e.g., the SF 113A, Occupational Surveys, Geographical Surveys, etc. Special requests, such as those received from BoB, Congress, planning and regulatory agencies, and non-Federal sources will be satisfied by extracting the required data from the Commission file. A more responsive, flexible, and dynamic statistics program will be developed utilizing techniques heretofore not available, i.e., projection, modeling, simulation, tailored sampling, etc.

The Commission will work in close coordination with agencies and departments during the development of the system and maintain constant communication to insure that adequate lead-time is provided for planning, budgeting, and systems development at agencies. Implementation of the system will begin in calendar year 1972.

The advantages of FPMIS to the Federal Government include:

Increased availability of information on the Federal workforce for management and decision-making;

Increased accuracy of personnel information through a strong quality assurance program and automation of the statistical process;

Increased responsiveness to the information needs at all levels within the government as well as the public sector;

More timely and up-to-date information through a monthly update of appropriate data;

Ability to interchange and communicate personnel data through standardization of data elements and codes;

Reduction in the personnel paperwork workload through forms designed to eliminate duplication of forms and data and the reduction in the amount of paper in the Official Personnel Folder; and,

An estimated reduction in the costs of recording and processing personnel data of about $20 million per year.

The Statistical System will permit the correlation, research, storage, and analysis of data on the size, characteristics and make-up of the Federal workforce on a scale never before available except through tedious, slow, and costly surveys. For the first time, all data needed for statistical purposes will be available to agencies and to the Civil Service Commission.

Data Elements:

To date, 71 data elements have been identified as definite candidates for inclusion in the system. The list of these elements is attached.

Maintenance Guidelines:

Although the Commission has not yet developed the necessary formal guidelines governing maintenance of the statistical file data, access to it, review, disclosure and distribution, the following are the general controls and constraints we expect to place on the data:

Maintenance of the data will be accomplished by submission on magnetic tape of agency data on a monthly basis. This will be done on either a file replacement or a record replacement basis, to provide a "picture" at the Commission of the up-to-date record officially maintained at the agency. Access to the data will be on a controlled, access-authorized basis within the Commission. All requests for information from the Commission's file will flow through one control point where the decision will be made on each individual request. Review and disclosure of the output from the system will be made the responsibility of qualified and competent officials of the various Commission bureaus. Distribution to other agencies will be made on a routine basis for reports prepared in a scheduled recurring cycle as is done today. Distribution of special analyses results will be to authorized recipients only.

Individual Review and Supplementation:

The individual or his representative will be allowed to review the data on record on a periodic basis through complete print-outs. A mechanism will be provided for making corrections and for adding more up-to-date information. Furthermore, provisions will be made for entering changed data either as it occurs or during the monthly update cycle. These changes can originate with the individual, his supervisor, the official personnel office or, in some instances, the payroll office.

Responsibility for Accuracy:

A special quality control element will be established, whose primary function will be to insure that the information in the system is accurate. This will be accomplished through (1) inspections by the Commission to ensure that paperwork procedures are being followed; (2) the prescribing of machine edits at agency and service bureau levels; and, (3) by sampling techniques at the Commission. A communications chain will be established to allow for the return of erroneous information to the proper authority for correction prior to entry into the system. Also, as mentioned above, the use of periodic print-outs for review and correction by the individual and/or his personnel office will assist in maintaining the accuracy of the data.

Other Agencies' Access to Information:

The Commission's government-wide file of employees to be implemented in December 1972 will be the sum of certain prescribed data elements from the Federal agencies. In this respect, the agencies will have access to their data but not the entire file. The national planning agencies (Bureau of the Budget, Government Accounting Office, National Science Foundation, Department of Commerce,
