NASA’s Data Valdez: Thousands of Employees’ Personal Information Compromised in Embarrassing Data Breach
For years, NASA has been collecting information on the intimate lives of its contract employees over the objections of civil liberties groups. Now a major data breach may have compromised the sensitive personal data of thousands of employees. Yesterday, employees of the Jet Propulsion Laboratory in La Canada Flintridge called for a congressional investigation into the data breach resulting from the theft of an employee’s laptop holding unencrypted data about thousands of NASA contract workers collected as a result of invasive background checks. The lesson here is clear: NASA should never have collected deeply intimate data about low-security contract employees when it couldn’t even properly protect the data.
In 2007, NASA instituted invasive background checks for “low risk” employees who did not have access to classified materials. Employees at the California Institute of Technology Jet Propulsion Laboratory—many of them long-term employees—had to submit forms to determine their “suitability” for their positions. The forms included listing three personal references such as “good friends, peers, colleagues, college roommates, etc.” Personal references would then be asked to fill out a form which solicited a range of intimate facts about the applicant’s life, including her drug or alcohol abuse, financial integrity, general behavior, violations of law, and mental or emotional stability. The suitability matrix NASA used to judge employees listed factors such as homosexuality, sodomy, carnal knowledge, incest, bestiality, indecent exposure or proposals, illegitimate children, cohabitation, adultery, mental or emotional issues, minor traffic violations, displaying obscene material, acting drunk, and making obscene phone calls.
EFF criticized these invasive screening procedures, submitting an amicus brief in support of the employees’ right to privacy in a Supreme Court case about the matter. We argued that these new procedures violated the employees’ privacy in two ways:
- Associational privacy—Upheld by the Supreme Court in NAACP v. Patterson, this is the right of an individual to have privacy in their groups, memberships and political affiliations.
- Informational privacy—Resting on the Supreme Court’s decision in Whalen v. Roe, this constitutional right upholds an individual’s interest in avoiding disclosure of personal matters.
Unfortunately, the Supreme Court failed to protect the privacy of the employees in this case, and the invasive security procedures have now been in place for a number of years. That means that huge quantities of intimate knowledge about NASA contract employees—potentially including details about sexuality, drug use, financial history and family relationships—are collected and stored in databases. And apparently, NASA didn’t bother to encrypt these databases. This is all the more offensive because, as the ACLU noted in a recent blog post, the government argued that the privacy concerns of such invasive background checks were minimized because it is obligated by the Privacy Act of 1976 to keep private any information that it collected.
If NASA hadn’t been collecting this treasure trove of personal information, it would never have been available to be breached. And when, against the protests of civil liberties groups like EFF, EPIC, and the ACLU, NASA was empowered to collect all of this sensitive information, it should at least have respected its employees’ privacy by appropriately securing the data. We support the Jet Propulsion Laboratory’s demand for a congressional hearing on the matter, and hope that NASA will use this opportunity to demonstrate its concern for the privacy of employees by stopping the invasive background checking procedures altogether.