vices to display. The two primary concerns are whether the transmission of data using the handheld computing devices could be compromised in some manner (or could be lost unintentionally through mistakes and technological problems) and whether the needed interoperability of the components of the management information system could be hampered either by the adapting of software or the acquisition of newer software releases for the various components of the system between the dress rehearsal and the 2010 census.
With respect to the security of the transmissions of the handheld computing devices, the motivation to do harm to the census counts may be relatively modest given the lack of a financial incentive, and this may result in less chance for a security breach. However, this argument is not compelling. Furthermore, not only is there interest in reducing the opportunity for a security breach, there is also the matter of being able to assure census data users that the counts are valid. To accomplish this, the Census Bureau should carry out an independent validation and verification of the functioning of the handheld devices. This could be accomplished in the following ways, either in the 2008 dress rehearsal or in the 2010 census:
(1) Establish a dual recording stream for all data from mail-in, telephone, or handheld devices: one file to go to the contractors and one to be retained by the Census Bureau. In the event of catastrophic failure by a contractor or a serious challenge to the results, it will be important to have all the raw data in the hands of the Census Bureau.
(2) It is practical to develop simple programs, written and run by Census Bureau personnel, that will search large data files for patterns of interest. In this way, unexpected or curious results can be efficiently discovered and checked, and this can contribute to the validation and verification effort.
(3) Related to points (1) and (2), the Census Bureau should develop quantitative validation metrics, a priori, to check for data set self-consistency and comparison of redundant data.
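The sketch below shows how the dual recording stream and the validation metrics described above could be checked by a short program. It is an added example, not part of the original report and not Census Bureau code; the field names (`record_id`, `household_size`, `persons`) and all sample records are constructed assumptions.

```python
import hashlib
import json
from collections import Counter

def digest(record):
    """SHA-256 over a canonical JSON encoding, so key order does not matter."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def index(stream):
    """Map record_id -> digest; also return ids that occur more than once."""
    counts = Counter(r["record_id"] for r in stream)
    dupes = sorted(i for i, n in counts.items() if n > 1)
    return {r["record_id"]: digest(r) for r in stream}, dupes

def reconcile(bureau, contractor):
    """Compare the retained stream with the contractor stream record by record."""
    b, b_dupes = index(bureau)
    c, c_dupes = index(contractor)
    shared = b.keys() & c.keys()
    mismatched = sorted(i for i in shared if b[i] != c[i])
    total = len(b.keys() | c.keys())
    return {
        "missing_from_contractor": sorted(b.keys() - c.keys()),
        "missing_from_bureau": sorted(c.keys() - b.keys()),
        "mismatched": mismatched,
        "duplicate_ids": sorted(set(b_dupes) | set(c_dupes)),
        "agreement_rate": (len(shared) - len(mismatched)) / total if total else 1.0,
    }

def inconsistent(stream):
    """Self-consistency: the reported household size must equal the persons listed."""
    return sorted(r["record_id"] for r in stream
                  if r["household_size"] != len(r["persons"]))

# Constructed sample data (hypothetical field names, not a Census Bureau format).
BUREAU = [
    {"record_id": "R1", "source": "handheld", "household_size": 2, "persons": ["p1", "p2"]},
    {"record_id": "R2", "source": "mail", "household_size": 1, "persons": ["p3"]},
    {"record_id": "R3", "source": "telephone", "household_size": 3, "persons": ["p4", "p5"]},
    {"record_id": "R4", "source": "handheld", "household_size": 1, "persons": ["p6"]},
]
CONTRACTOR = [
    {"record_id": "R1", "source": "handheld", "household_size": 2, "persons": ["p1", "p2"]},
    {"record_id": "R2", "source": "mail", "household_size": 4, "persons": ["p3"]},  # altered
    {"record_id": "R3", "source": "telephone", "household_size": 3, "persons": ["p4", "p5"]},
]  # R4 never arrived in the contractor stream

if __name__ == "__main__":
    print(json.dumps(reconcile(BUREAU, CONTRACTOR), indent=2), inconsistent(BUREAU))
```

The agreement rate and the lists of missing, mismatched, and internally inconsistent records are the kind of metrics that can be given thresholds before the data arrive.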
Other important general operational measures that we recommend for the 2010 census, either to determine whether any security breaches have occurred or to prove that the 2010 Census was secure (and which are probably already carried out), include:
Retention of an archive of all raw data with date and time stamps. In the event of serious software failure, it would be important to be able to “replay the census” from these raw data.
Use, by the Census Bureau and contractors, of dedicated processing systems that run no other applications and have highly secured network connections and secure accounts.
Use of periodic system checkpoints to monitor and analyze software systems for intrusions or unauthorized manipulations of data.