Spike: Research policy issues re: required permit information permittee needs to enter online

[MelissaBraxton]

Background This story is about researching information permittees using the online system will be "required" to enter. We want to understand what's currently required, what flexibility we may have to revise requirements and handbooks so that our system requires the minimal info entry for users and avoids repetition.

USFS is currently revising handbooks, aiming for completion by end of summer 2020. We want to identify and recommend any handbook changes that may be needed to (1) support the new online process and (2) ensure parity between the online and in office experiences as soon as possible so that they can be written into the revised handbook.

Acceptance criteria

• [x] We have documented policy implications and recommended handbook changes
• [x] We have clearly articulated user needs statements and acceptance criteria for #109
• [x] Documentation is findable in the wiki

Tasks

• [x] Review service blueprint and policy/handbook sections that correspond to where our system will intervene
• [x] Review requirements set out in FSH 2409.18 Chapter 50
• [x] Research guidance for frontliners
• [x] Research forest planning guidance related to fuelwood permit planning
• [x] Check in w/ FS SMEs to understand policy POV
• [x] Document findings

Definition of done

• [ ] Acceptance criteria met

[cmajel]

Adding a few notes from initial research.

Resources we've come across: https://docs.google.com/spreadsheets/d/1ISNa2ysGwk2nc0AR_qiLcmlbMABdYeEd441d_WoNHOs/edit#gid=0

Definitions of manuals vs handbooks: https://www.fs.fed.us/im/directives/dughtml/overview.html

3. What is the difference between direction issued in the Manual and that issued in Handbooks? Direction is issued in the Directive System based on the scope of the direction and the intended audience. Forest Service Manual (FSM). The FSM contains legal authorities, objectives, policies, responsibilities, instructions, and guidance needed on a continuing basis by Forest Service line officers and primary staff in more than one unit to plan and execute assigned programs and activities. Forest Service Handbooks (FSH). Handbooks are the principal source of specialized guidance and instruction for carrying out the direction issued in the FSM. Specialists and technicians are the primary audience of Handbook direction. However, some FSHs include significant procedural direction needed by line officers and/or primary staff officers; examples include Handbooks on land management planning, appeals, litigation, and environmental analysis. Handbooks may also incorporate external directives (such as the Federal Property Management Regulations in FSH 6409.31) with related USDA and Forest Service directive supplements.

4. Is Manual or Handbook direction more binding on employees? The words used to issue direction, not whether the direction is located in the Manual or Handbook component of the Directive System, determine how binding the direction is on Forest Service employees. The use of the helping verbs “must” and “shall” or imperative mood (where the subject “you” is understood) convey mandatory compliance; “ought” and “should” convey required compliance, except for justifiable reasons; and “may” and “can” convey optional compliance. In general, the Manual contains the more significant policy and standards governing Forest Service programs, and thus the consequence of not complying with Manual direction is generally more serious than noncompliance with Handbooks. However, procedural direction in a number of Handbooks is often equally important.

[MelissaBraxton]

Consider looking into state regulations in states that we know require load tags. E.g. Washington.

[cmajel]

Also, a link to the highlighted version of FSH 2409.18 Chapter 50, which covers personal use firewood permits.

https://drive.google.com/drive/folders/14f1QsVIFTO9rD58PfSDY4WABBTOHgahj

[MelissaBraxton]

Removing milestone, since this task is ongoing.

[MelissaBraxton]

A mermaid diagram that we created in the early stages of the Christmas tree module. Might be a useful thing to aim for as an output of this research spike: Xmas tree mermaid_1.3.18.pdf. Also relevant to #134 and other reporting stories and may be helpful in discussion re: integrations with FPFS and POSS. (cc @smahmudFS and @mwreiss)

[MelissaBraxton]

We will need to understand if/how the fact that we're using login.gov for identity verification changes the minimum amount of information that we need to collect via the permittee data entry form.

[MelissaBraxton]

@bboddiger and @csstarling - With the sorn call today (#84), it sounds like we are circling in on only including permittee name and address info on the permit--not license or ID#, and that we don't need to include lic/ID# in the .csv export.

However, license/ID# is information that permit purchasers are required to provide, per the handbook. The remaining Q is, can (a) we proceed with not asking folks for their ID info? If so, do we need to request a handbook change or can we get a temporary dispensation to not ask for this info for online sales or the pilot? OR (b) do we need to ask purchasers to enter their license/ID# as part of the purchase process, have the option to include it in the .csv, yet not print it on the permit?

[MelissaBraxton]

We could consider collecting the ID number up front and then print the partial number on the permit (last for characters or something). @mtlaney and @aQuib what are your thoughts on the technical feasibility of this? (We would need to modify the permit order form to include a license #). @tram based on your chats with LEOs, what do you think?

[carlsonem]

@tram Can I move this to in progress? Based on the conversations, appears to have started

[tram]

based on your chats with LEOs, what do you think?

Last four characters might just do the trick to serve as a check between the permit and ID. @bboddiger I remember hearing that we'll need to stick to the 2400-1 for the MVP. Have you heard anything else? Just want to double-check that's the latest.

[csstarling]

@tram , @bboddiger , Talking to LEO's, I'm in favor of using last four digits of the ID number, If we can't easily use the entire number.

[bboddiger]

I have not heard anything that would make me think we might be able to use anything but the 2400-1. Given the time we have to pilot, I think we need to stick to the 2400-1. Have the security folks been able to give a thumbs-up on the last four digits scenario?

From: Mark Trammell notifications@github.com Sent: Tuesday, September 1, 2020 10:54 AM To: USDAForestService/USFS-timber-permitting USFS-timber-permitting@noreply.github.com Cc: Boddiger, Beth -FS beth.boddiger@usda.gov; Mention mention@noreply.github.com Subject: Re: [USDAForestService/USFS-timber-permitting] Spike: Research policy issues re: required permit information permittee needs to enter online (#33)

based on your chats with LEOs, what do you think? Last four characters might just do the trick to serve as a check between the permit and ID. @bboddigerhttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fbboddiger&data=02%7C01%7C%7Ce1dce7c1e3f54105ba7808d84e97984b%7Ced5b36e701ee4ebc867ee03cfa0d4697%7C0%7C0%7C637345760287912955&sdata=rNVhuxr9WtTxX9aPpuqmZwfubQFJ0%2BeTs3ll9zAOwL8%3D&reserved=0 I remember hearing that we'll need to stick to the 2400-1 for the MVP. Have you heard anything else? Just want to double-check that's the latest.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FUSDAForestService%2FUSFS-timber-permitting%2Fissues%2F33%23issuecomment-684996593&data=02%7C01%7C%7Ce1dce7c1e3f54105ba7808d84e97984b%7Ced5b36e701ee4ebc867ee03cfa0d4697%7C0%7C0%7C637345760287922913&sdata=z7ouagzKGXnKMltP0Qq%2BXjwDLxbKhJ7N6h%2FGBBJjdI8%3D&reserved=0, or unsubscribehttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAN4LDROY47GYMEDLGHCGIBLSDURJVANCNFSM4JJ35PRA&data=02%7C01%7C%7Ce1dce7c1e3f54105ba7808d84e97984b%7Ced5b36e701ee4ebc867ee03cfa0d4697%7C0%7C0%7C637345760287922913&sdata=pj6%2BJ%2B1TJTY71sJe%2FQZn46N2wuAw3lSEw91q8S8rMto%3D&reserved=0.

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

[tram]

It looks like a full driver's license or state ID number is considered PII, but potentially not the last few characters. From NARA's PII description…

b. Additional examples of SPII include any groupings of information that contain an individual's name or other unique identifier plus one or more of the following elements:

• Truncated SSN (such as last four digits)
• Date of birth (month, day, and year)
• Citizenship or immigration status
• Ethnic or religious affiliation
• Sexual orientation
• Criminal history
• Medical information
• System authentication information such as mother's maiden name, account passwords, or personal identification numbers

What say you, @JonathanLerner54?

[carlsonem]

@tram Is this card done? Can it be moved to awaiting acceptance?

[MelissaBraxton]

It looks like we are waiting on insight from @JonathanLerner54 on the security implications of a truncated license/ID number. (for a government issued ID, not an SSN)

[JonathanLerner54]

We seem to be cherry picking our data to find any reason to not have to protect the PII by calling it by another name. STAND-ALONE. We can not use any of this as we are asking for name, address and email on the permit. So we are not STAND-ALONE.

The reason last 4 of a social security number is considered STAND-ALONE PII is because the first five numbers represent when and where your Social Security card was issued. Scammers can get those numbers by knowing your birth date and hometown. Then just google the person for their yearbook and graduation data (thanks Facebook) and the complete SSN can be determined with fewer than 32 guesses.

As to using a partial driver licenses number. How many characters are we collecting? Just as with SSN some states do not use a random number and have until as recently as 5 years ago used some forms of geolocation relationship in the leading characters of their Licenses. I do not have a list any those at this time, but here is a link for Washington State and how they formulate their Driver's Licenses. http://www.highprogrammer.com/alan/numbers/dl_us_wa.html. And based on what characters we collect for the permit, I can also have the person's date of birth according to this source.

All this being said, we are trying to do a best case identity validation. So if we keep the number of characters down to last 4 digits of the Driver's License Number. When we print the permit up how will this number be presented in the form? Maybe prepend or append the for digits to the permit number? Is there a format of the Permit numbers or just a One-Up number from the system?

[tram]

That's super helpful to better understand why we wouldn't want to use a truncated SSN, @JonathanLerner54. Thanks! Some good news is—at least in Washington state's Department of Licensing—it looks like the move to REAL ID has done away with the old formulation that used any PII. From https://www.wsiada.com/item/drivers-license-numbering-changes…

The randomly generated [Driver License Number] will not relate to an individual’s name or birthdate – it is more secure because it does not use protected personal information.

(I just looked at my old WA driver license and my current one and that checks out.) From the map on the REAL ID site, it looks like REAL ID has been implemented in all the states and inhabited territories except Oklahoma. That said, due to COVID, Department of Homeland Security's REAL ID enforcement has been delayed to October 2021.

As for "When we print the permit up how will this number be presented in the form?", since we're not deviating from the 2400-1 for the MVP, I'd assume a truncated license number would be under Permittee Identification and printed something like …1234 where 1234 are the last four characters and the ellipsis is printed in lieu of all the truncated stuff. Does that sound right to you, @aQuib and @bboddiger?

[aQuib]

@tram - That sounds accurate from my understanding.

[bboddiger]

Agreed, that sounds correct, Mark

From: aQuib Sylvester notifications@github.com Sent: Thursday, September 10, 2020 4:42 PM To: USDAForestService/USFS-timber-permitting USFS-timber-permitting@noreply.github.com Cc: Boddiger, Beth -FS beth.boddiger@usda.gov; Mention mention@noreply.github.com Subject: Re: [USDAForestService/USFS-timber-permitting] Spike: Research policy issues re: required permit information permittee needs to enter online (#33)

@tramhttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftram&data=02%7C01%7C%7C6a78beba336d489290a208d855dabc5d%7Ced5b36e701ee4ebc867ee03cfa0d4697%7C0%7C0%7C637353745235174599&sdata=l9aWbkOUtERiBBUMyjWHV%2FE18%2Fj6b4n77G764b9DXbk%3D&reserved=0 - That sounds accurate from my understanding.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FUSDAForestService%2FUSFS-timber-permitting%2Fissues%2F33%23issuecomment-690769827&data=02%7C01%7C%7C6a78beba336d489290a208d855dabc5d%7Ced5b36e701ee4ebc867ee03cfa0d4697%7C0%7C0%7C637353745235184555&sdata=dcrhUV%2FdZnEAAGG%2Fra%2B%2FBIvdmh4QARkYcExSD15Jy7U%3D&reserved=0, or unsubscribehttps://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAN4LDRIG42MEPS7JPMKQ3A3SFFI3TANCNFSM4JJ35PRA&data=02%7C01%7C%7C6a78beba336d489290a208d855dabc5d%7Ced5b36e701ee4ebc867ee03cfa0d4697%7C0%7C0%7C637353745235184555&sdata=fypNnsK3pbjFAMK7tEvpNqPgRrG9dH9HBt3MH4ZqBqk%3D&reserved=0.

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

[MelissaBraxton]

It sounds like we have resolution on the ID# issue and we're going with truncated driver's license #.

Coming back to this, since it impacts acceptance criteria on #141 and #140 . The remaining issue is whether we auto-populate permittee address information on the permit. I know we have a call with cyber on Thursday to go over it, but I thought it might be helpful to lay out some of the tradeoffs we're facing in advance of that discussion:

Pros/cons of autopopulating permittee address on permit

Pros:

• Enforcement is easier--LEOs in the field can tie a permit to a permittee with greater confidence

Cons: We can't save permittee address info in the system until we have a SORN. So,

• Permittees won't be able to print their info from the confirmation page url after the fact (because that would require storing the permit and the PII)--the url will need to expire.
• We have yet to receive confirmation from USFS privacy folks that emailing a permittee a permit that contains their own PII that they enter themselves will be allowed. (We hope to get an answer on Thurs)

@csstarling and @bboddiger - Depending on what we hear from cyber on Thursday about emailing people their own data, we could revisit the idea of not auto-populating the data and instead requiring folks to write in their address after printing.

It still leaves the issue of collecting address info and how we'll dump it from the system and make it available to frontliners and LEOs with a need to know for enforcement purposes, but it would remove some of the possible issues around emailing the permits and letting folks return to the url to print them in the event they lose their email or something.

cc @aQuib

[aQuib]

Finding is documented here