Nevada Legislature needs a moratorium on data collection

It’s hard not to seem like a luddite, a naysayer, or a nut while assessing the new and expanded uses of technology proposed in the Nevada legislature.

And what a shame to feel uneasy, not appreciative for a proposed DMV database that would help police locate family members quickly when someone is rushed to the hospital after an accident.

County coroners and the Department of Public Safety are supporting a bill to create an emergency contact registry. It would save money and man hours when they’re looking for next of kin. Who wouldn’t jump on board? Why apply the brakes to a plan that could help loved ones arrive in time to make critical medical decisions, or spare them agonizing hours wondering what’s happened to someone who’s unconscious or dead?

But privacy advocates identified holes in the provision of SB3 that describes the management of this personal data. They asked for tighter guidelines.

What could go wrong with this database? Maybe nothing. Depends on who’s minding the data, and how.

But suppose a criminal gets access, and calls next-of-kin to report a fake accident. He prods panicky relatives for personal information to get proper emergency care for the “victim” — insurance policy numbers, physician’s name, and prescription drug information. Family members comply, desperate to help. This is not far-fetched. Similar schemes are rampant, and profitable.

Take comfort in knowing the registry would be optional. Nevadans who love the idea more than they fear a security breach would opt in.

Carson City is awash in bills conceived to make life safer or more convenient by collecting more personal information, or by inducing Nevadans to engage with the state’s information systems. Many have useful goals, but also provide fertile ground for unintended consequences.

In another example, an election procedures bill would allow election departments to send sample ballots by email to voters who opt in. Voter registrars say it will save money mailing paper ballots, and political activists believe it will stimulate civic involvement.

Proponents submitted a “privacy amendment” that puts the burden on voters to submit written requests to keep their email addresses private. Rather than provide privacy by default, the state will require voters who opt in for email ballots to subsequently opt out of a public listing.

What could go wrong? Depends on the sophistication of the data custodians, the technical rigor of their system, and the savvy of the citizens.

Confoundingly, while making some airy statements that raise questions about current security on the Clark County election website, Voter Registrar Joe Gloria also testified that sample ballots are available online. So why not encourage voters to download an electronic version, rather than solicit email addresses?

All of this should give pause to lawmakers. Their confidence should be conditional on absolute clarity by the data collector. And every goal should be accomplished in the least intrusive manner.

But some members of the elections committee gushed over the sheer gee-whiz-we’re-digital factor. Others were no doubt persuaded by the cost savings. Clark County alone would save $1,670 for every thousand voters who choose email over paper mailing.

If you believe your state-sponsored data custodians have privacy and security locked down, recall that we recently saw the inadvertent exposure of social security numbers belonging to 114 retired judges by an entity with fiduciary responsibility. PERS, the Public Employee Retirement System, emailed a spreadsheet with unencrypted social security numbers in response to a public information request. The breach was reported by the recipient, the Nevada Policy Research Institute, which had sought the data for a study of pensions.

It’s a stunning mistake. Although no names accompanied the data, and the recipient behaved responsibly, things might have been worse. Identities can be reverse engineered using a couple of the other data points that appeared on the spreadsheet.

In 2015, government and the private sector are both lagging in their grasp of how to protect privacy and security. There’s even less awareness of where potential danger might lie.

“Because we can” is not a good reason to expand data gathering by the state. Nevada might benefit from a two-year moratorium on such initiatives while public understanding catches up with technology.