Sens. Rob Portman, R-Ohio, and Ron Wyden, D-Ore., urged the National Science Foundation (NSF) in a Dec. 20 letter to secure Americans’ information within the National Secure Data Service (NSDS) platform using advanced encryption technology.
The two senators worked across the aisle to write the privacy requirements for the recently authorized NSDS together, and are now calling on NSF to ensure government agencies can use data for research while protecting citizens’ privacy and security.
“The NSDS program will only live up to its promise if it facilitates research while protecting Americans’ data from hackers, foreign spies, and misuse by government agencies,” Sens. Portman and Wyden wrote to NSF Director Sethuraman Panchanathan.
They continued, “To ensure identifiable data within the platform is inaccessible to any agency other than the one who originally provided it – including NSF itself – NSF should require agencies to encrypt the information using an encryption key only they control.”
If sensitive data is encrypted, individuals who appear in that data will be protected in the event of a hack or breach of the NSDS system. The senators referenced the 2014 data breach at the Office of Personnel Management, saying that event demonstrated that government databases are a target for hacking by cyber adversaries.
Sens. Portman and Wyden also urged NSF to not hold a “master key” that can access all data in the NSDS system, to avoid creating a massive cyber-target for hackers.
The letter asks NSF to use privacy-enhancing technologies like multi-party computation that make it possible for organizations to collaborate on research without sharing unencrypted data – which, the senators pointed out, is already in use in the commercial sector.
With these technologies, “the NSDS program can support vital research that relies on sensitive data, such as studying the efficacy of programs to help our nation’s veterans, without requiring agencies to share individuals’ sensitive data,” the letter says.
The senators requested NSF provide answers to two questions by Jan. 31, 2023:
- Will NSF commit to using multi-party computation, or another privacy-enhancing technology that prevents unencrypted data from being available within the NSDS system?; and
- Will NSF commit to having agencies encrypt their own data within the NSDS platform, preventing NSF from holding a “master key” that would be a target for hacking?
“As NSF begins to implement the NSDS demonstration project, we want to ensure that you are aware of the privacy and security requirements that Congress enshrined in statute, and of our intention that you implement the NSDS using technology – not just policies and promises – to protect Americans’ data,” the senator said, adding, “We will continue to work with NSF to ensure that these standards are upheld.”