State chief information officers across the country are pushing back against a wave of bills in their states’ legislatures that would require government contractors to install monitoring software that CIOs say would put citizens’ personal information at risk and potentially put states in violation of federal privacy and security regulations.
Similarly written legislation has appeared in at least 23 statehouses since last year. While there are slight local differences, all of them contain language requiring that any firm doing at least $100,000 worth of work for the relevant state “use software to verify that all hours billed for work under the contract for services performed on a computer are eligible charges,” as one filed in New Jersey states.
The software, as described by the legislation, would take screenshots of contract workers’ computers at least once every three minutes, with those images then stored for at least seven years. Some states’ bills, like the New Jersey version, also call for constant logging of keystrokes and mouse activity.
But the legislation has alarmed members of the National Association of State Chief Information Officers, which took the unusual step last week of releasing a statement opposing the bills, saying they would create “significant risk” for citizens’ privacy and compliance with federal laws.
“While NASCIO certainly supports contractor productivity, cost efficiency and successful project outcomes, legislation of this nature could introduce unnecessary risks to citizen data by essentially transferring ownership of private citizen data to a third party,” the group’s statement reads. “This type of legislation also has the potential for unintended consequences, such as impacting a state’s cybersecurity insurance policy coverage.”
A rare political move
Doug Robinson, who’s been NASCIO’s executive director for 15 years, told StateScoop last Thursday was the first instance he can recall in which the organization, which typically shies away from statehouse politicking, has made such a blanket declaration.
“This is something we don’t do lightly,” Robinson said. “We all agree that states have that sovereign requirement to do what’s best for each individual state.”
But Robinson said many of his members have been alarmed by a coordinated lobbying effort across state capitols to push the bills. The lobbying push is the work of a software firm called TransparentBusiness, Inc., whose flagship product is a program that captures periodic screenshots and keystrokes of the computers it’s installed on. On its website, the company boasts of hiring state-level lobbyists from coast to coast.
TransparentBusiness’ sample bill language — which the company says is modeled on legislation in Illinois, Minnesota, Missouri, New Jersey and Rhode Island (all of which it’s hired lobbyists in, according to state ethics records) — also requires contractors to install tracking software at no additional cost to the agency they’re serving. The company boasts that it will save states “tens of millions of dollars with zero cost and zero risk.”
A video accompanying the company’s legislative presentation pitches the software as an urgent necessity in an era when computer-based work can be done remotely, away from supervisors’ watchful eyes.
“Managers cannot even be sure if their telecommuters are working or golfing,” the video’s narrator says. But a policy requiring contractors to use software like TransparentBusiness’, she continues, “would save taxpayers tens of billions without expense, as the cost of compliance is borne by the contractor.”
NASCIO and its members are dubious.
“That’s crony capitalism at its worst,” Jim Purcell, the acting CIO for Alabama, told StateScoop. “It’s a bad idea all the way around. It assumes that only interaction with your computer is billable time. If you’re not moving your mouse or typing your keys, you’re not working. That’s a very 19th-century approach to work.”
TransparentBusiness and lobbyists working on its behalf say the company would not be the lone beneficiary of the tracking-software bills.
“The bills we support are not vendor-specific,” the company’s founder and chief executive, Alex Konanykhin, told StateScoop in an email.
Joyce Nardulli, the firm’s Illinois lobbyist, said she was told there are “10 or more companies” that offer similar software, though she did not specify any names.
Contractors are ‘side-by-side’
In pushing the bills, TransparentBusiness points to a 2012 case in which Science Applications International Corporation was found to have charged New York City nearly $700 million to build a new payroll-management system under a contract initially budgeted at $63 million. SAIC was ordered to pay the city $500 million in fines, while three of its managers were sentenced to 20 years in federal prison.
“Paying contractors blindly results in massive over-billing,” Konanykhin said. “Some contractors rob their clients blind and will continue to do so for as long as those clients remain blind.”
But Delaware CIO James Collins, who serves as NASCIO’s president, told StateScoop the contracts his office awards include stipulations to ensure the work required by agreements is being completed. He also said that at least in Delaware’s case, the state government is unburdened by what TransparentBusiness is characterizing as the scourge of telework.
“Many of our contractors are working in our environments side-by-side with our employees,” he said. “We use other mechanisms to make sure we’re getting the work we’re paying for. As long as we get the deliverable in the time frame we wanted, I’m OK with that.”
The bills’ stipulation that contractors cover the cost of mandated tracking software could also throw agreements between states and their vendors into jeopardy, Collins said.
“There are a lot of negotiations about terms and conditions and who’s going to assume certain risks,” he said. “When we think about the risk posed by the legislation, that gives me concern that we’re going to add another level of negotiation with the vendor. It could cause vendors to rethink if we’re a good place to do business.”
Collins said any costs incurred by contractors to install the tracking software if the bills became law would inevitably be passed on to states.
‘There aren’t any standards’
While TransparentBusiness claims its product is already used by large private-sector enterprises — Konanykhin declined to cite examples — the government contractors that would be affected by the tracking-software bills are also mobilizing their opposition.
The Computing Technology Industry Association, or CompTIA, which represents members of the IT industry, argues the bills overlook legitimate work that is not performed on computers and could push out small, local firms that cannot afford to install the required software on their devices.
Sarah Matz, who directs the organization’s government affairs in the South, said the legislation would also define contract work in terms of hours performed rather than services delivered.
“A big concern is that instead of measuring the success of a contract on delivery of services, the legislation would focus on the process,” she said. “There aren’t any standards based on keystrokes to determine whether work’s being done.”
Purcell, the Alabama CIO, agreed, saying the bills apply a wholesale judgment on state-government vendors, when the fulfillment of contracts is also a responsibility of the officials who issued them.
“It assumes a standard that isn’t true, which is that contractors are screwing the states by over-billing,” he said. “But that’s a management problem. I don’t need a key-logger and a mouse-tracker to know if they’re working or not.”
But Nardulli, TransparentBusiness’ Illinois lobbyist, argued that the screenshot and key-logging mechanism is required to make sure contract work is being done.
“When the state of Illinois buys a desk or something tangible, they can see it in the product,” she said. “But when the people provide services that aren’t tangible, such as contractors, attorneys and auditors, it’s very difficult to verify the billable hours that are sent to the state for payment. This is the first time we’ve had the ability with software to verify the billable hours.”
‘This would just bust them all’
Still, both NASCIO and CompTIA said the biggest concern raised by TransparentBusiness’ lobbying activity is that a mechanism taking at least 20 screenshots per hour would swallow up mountains of sensitive information.
“It’s not possible to take a screenshot every three minutes and not capture personal information,” Matz said. “What if you wanted to check on an insurance claim while you’re at work? All of a sudden this company has your name, personal information and password. What about employees who work on child protective services?”
The sample legislation contains language saying that the tracking software “must not capture any data that is private or confidential on individuals,” but does not specify how that data would be exempted.
“It could span numerous state systems,” Collins said. “You could imagine the sensitive information in health and human services, transportation, law enforcement.”
That kind of data being captured by screenshots that are then preserved for seven years or longer could inadvertently cause states and their vendors to run afoul of federal privacy and cybersecurity rules, Robinson said.
“There are strict prohibitions on who can actually see all that data, who can handle all that data,” he said. “If there are contractors involved at all, then you’re violating federal cybersecurity regulations by taking screenshots.”
Purcell put it more bluntly: “We go to great lengths to meet those standards and this would just bust them all,” he said.
Konanykhin said screenshots captured by TransparentBusiness’s software can stay on an individual contractor’s server, where, he told StateScoop, it would not become visible to his company.
“The bill results in no dissemination of the information,” he wrote.
Even with Konanykhin’s claims that any information captured by his tracking program would be kept private, the bills’ critics say TransparentBusiness is inventing an unnecessary issue.
“My biggest problem with all these things is that it’s a solution in search of a problem,” said Purcell, who added that he’s relayed his concerns to Alabama Gov. Kay Ivey.
The legislative push is unlikely to slow down as states pummel through their legislative calendars. Nardulli defended the lobbying effort as just another part of the lawmaking process.
“Private businesses bring forth legislation all the time,” she said. “This is how democracy works.”
Colin Wood contributed reporting.