US Gov't Makes a Mess of Classifying Sensitive Data
coondoggie writes "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard, but (perhaps not surprisingly) the US government has elevated complicating that task to an art form. It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines, reflecting a disjointed, inconsistent, and unpredictable system for protecting, sharing, and disclosing sensitive information."
This was the conclusion of a recent report (PDF) by the Government Accountability Office, which also "found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."
Protecting what? (Score:5, Insightful)
"Protecting and classifying sensitive information such as social security numbers shouldn't be that hard"
I know the historical context that makes social security numbers to be declared "sensitive information" in the USA but when will you start to attack the real problem?
Your social security number is an identification token; it should be the exact opposite to sensitive information! No wonder you have so many problems related to SSNs.
Re: (Score:2)
The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy.
Re:Protecting what? (Score:5, Informative)
Re: (Score:2, Interesting)
What is the exact purpose of a SSN? In Australia, we have a tax file number (TFN), which seems equivalent. This is only used for taxation purposes. You would never use it for ID, unless you are identifying yourself to the tax department. You only give it to your bank if you earn interest, but you don't have to if you don't want to. Birth certificates are used as a baseline ID.
Re:Protecting what? (Score:4, Informative)
Are birth certificates serialized at the national level in Australia? Because in the US they are granted by the county health departments and there is no national system of tracking them. In fact, prior to the IRS requiring SSNs to prove dependent status for minors, it was not at all unusual to not have an SSN until your first legit job or turning 18, when males were required to get one for Selective Service (draft) purposes.
Re: (Score:1)
I believe they would be. I think they became federal in 86. But the number isn't used like an SSN. I believe the only time you would absolutely need a birth certificate is for your passport, TFN, welfare and a public health care card. All other things can be a mix of other stuff. For example, you could use a birth certificate to get a driver's licence, then use the driver's licence to get a bank account. So the bank doesn't have your birth certificate details.
I believe the government here has problems becau
Re: (Score:2)
You mean Australia did something right? Say it isn't so :p
Keep on fighting against national id, we already have it and don't yet know it.
Re: (Score:2)
Re: (Score:2)
3,086 counties... 3,086. But they also change boundaries and merge and split. It would be a nightmare to try to do anything national with them.
Re: (Score:2)
Re: (Score:2)
Payroll is 1,000 times easier. There you have voluntary relationships (between firms). When the USG or even an organization of counties starts to standardize, there are counties that will object just because they don't want to play nice.
There are counties with no roads, counties with less than 100 inhabitants, they don't all have an email address, etc.
Re: (Score:2)
Re: (Score:2)
Every so often, there's talk of issuing a national ID card in the US, which ends up portrayed as some sort of move towards a police state. I've never fully understood the reasoning on that -- among other things, given the lack of such a national ID, other documents are used in its place.
For instance, when one is officially hired for a job in the US, one is required to present their "I-9 documents" [wikipedia.org], to demonstrate that they are legally privileged to work in the US. That requirement is usually met with the co
Re: (Score:2)
try getting a job without giving it (and I'm not talking about filling out the w-4, I'm talking about when they ask for ID).
Re: (Score:2)
Re: (Score:2)
You've never worked for T.J. Maxx where you had to have one at the time you fill out all your forms and they take a copy of your SS card and DL/ID (mandatory to have SS card according to T.J. Maxx policy, at least in 2k1).
Re: (Score:2)
Re: (Score:2)
nope, because if I don't provide it during the application process (the card, not the number) they won't even consider me for an interview.
Re:Protecting what? (Score:5, Insightful)
The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy.
I'm not positive that's the problem -- as turbidostato pointed out, it's supposed to be an identification token, not a password. Trouble is, banks, CC companies, etc. commonly use this (perhaps coupled with something lame like DOB) as just that.
For example, from your clearly visible email address, I know you have a livejournal [livejournal.com] account (contains your birthdate, hometown, full name, etc.), you frequent Amazon [amazon.com] (which shows a picture of you, some personal info, etc.), and so forth -- all from a simple google search.
Thing is, I can't easily steal your identity, because you've only supplied your handle, but no password. I believe that's what turbidostato's saying; we should be able to talk about our SSN the same as our email address, as our handle and password should be (but aren't) separate.
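The distinction this comment draws (SSN and handle as identifiers, a separate secret as the authenticator) is easy to show in code. The following is an added example, not code from the thread: it models the "SSN plus something lame like DOB" check beside a design where the SSN only selects the record and a per-account secret authenticates. All account values, including the 123-12-1234 SSN and the date of birth, are constructed.

```python
"""Added example: identification token versus authentication token.

weak_verify() reproduces the pattern the comment criticises: data that is
discoverable from public profiles (SSN, date of birth) acts as the password.
strong_verify() keeps the SSN as a lookup key only and authenticates with a
secret that never appears on a social profile. All records are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:
    ssn: str                  # identifier: may be widely known
    dob: str                  # quasi-public: discoverable from social profiles
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    secret_hash: bytes = b""  # authenticator: derived from a secret only the owner holds


def derive(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen record does not reveal the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(ssn: str, dob: str, secret: str) -> Account:
    acct = Account(ssn=ssn, dob=dob)
    acct.secret_hash = derive(secret, acct.salt)
    return acct


ACCOUNTS: dict[str, Account] = {}  # keyed by the identifier (SSN)


def weak_verify(ssn: str, dob: str) -> bool:
    """The criticised pattern: SSN + DOB are treated as the password."""
    acct = ACCOUNTS.get(ssn)
    return acct is not None and acct.dob == dob


def strong_verify(ssn: str, secret: str) -> bool:
    """SSN only selects the record; a separate secret authenticates it."""
    acct = ACCOUNTS.get(ssn)
    if acct is None:
        return False
    # constant-time comparison of the derived hashes
    return hmac.compare_digest(acct.secret_hash, derive(secret, acct.salt))


def demo() -> dict:
    """Enroll one constructed account and try both checks with public data."""
    ACCOUNTS.clear()
    ACCOUNTS["123-12-1234"] = enroll("123-12-1234", "1970-01-01", "correct horse")
    # Everything an outsider could find via a search: the SSN and the DOB.
    known_ssn, known_dob = "123-12-1234", "1970-01-01"
    return {
        "weak_accepts_public_data": weak_verify(known_ssn, known_dob),
        "strong_rejects_public_data": not strong_verify(known_ssn, known_dob),
        "strong_accepts_owner": strong_verify(known_ssn, "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that the identifier can be as public as an email handle without weakening the system, because nothing in `strong_verify` treats knowledge of it as proof of anything.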
Re: (Score:1)
Re: (Score:2)
um, no one said anything about passwords.
And SSN was only supposed to be used to track eligibility for SS benefits. Not for identification.
Re: (Score:2)
"And SSN was only supposed to be used to track eligibility for SS benefits. Not for identification."
Do you mean that eligibility for SS benefits depends on some characteristic of the SSN, like being odd or prime? Of course it is an identity token!!! It's the means by which Social Security identifies its subjects: you can *track* benefits because you can *identify* beneficiaries by means of their SSN.
What you probably meant was that SSN was meant to be an identity token to be used only within
Re: (Score:2)
That's exactly what I said.
Re: (Score:2)
"The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy."
That's exactly my point. I could accept that common use of SSN would make nowadays for easy identity *tracking* but never identity *theft*, which is made so easy because you are using your SSN as an auth token, not an identity one.
Re: (Score:2)
No, identity theft is not because of SSN use as an auth token (not entirely anyway).
Identity theft is because your SSN is used as an identity token (at the employer level; not many employers will accept ID without having a copy of your SS card, some won't take anything but your DL/ID and SS card even if your SSN is on the DL/ID).
I keep my SSN card under lock and key and don't give it out unless I'm forced to (school, federal benefits such as pell grant, employment, banks). Unfortunately an increasing amount
Re: (Score:2)
"No, identity theft is not because of SSN use as an auth token"
Of course it is.
"Identity theft is because your SSN is used as an identity token [...] I keep my SSN card under lock"
If it is not an authentication/authorization token, why do you try to keep it secret and under lock? And if it is not an identity token, whose identity is being stolen if not the one identified by that very SSN?
You identify yourself as 123-12-1234 (your SSN) and then you prove your authenticity... by knowing your own SSN. That's
Re: (Score:2)
way to leave out my parenthetical aside.
You and I are apparently dealing with two different definitions of auth/identity token.
When I say authorization token, I'm talking about a password/phrase what have you. When I say it's an identity token I mean it's something used to identify you as you. Saying that the SSN hasn't become an identity token is to ignore the last 20+ years of it being used as such.
I'm not addressing anything else you said because you aren't making sense.
Re: (Score:1, Interesting)
And yet, it says right on the card, that the number is not to be used for any sort of identification.
That's government honesty for you: if they declare in the law that something is a fee rather than a tax, then they have not raised taxes.
Re: (Score:2)
Exactly, and what is it used for? To establish identity by the government's own rules!
Re: (Score:1)
Article is not about SSNs (Score:2, Interesting)
Re: (Score:2)
"No, it's not just an "identification token"."
I'm with you. It's not just an "identification token": it's a *misused* identification token.
"Because not much more information than your social security number and your name are required to open a credit card account in your name".
Which is the real problem: an identification token -which your SSN certainly is- shouldn't be used that way. Just look around you: there's a world beyond the USA, and it seems the USA is the only one having problems with disclosed SSNs. H
Re: (Score:2)
Re: (Score:2)
I have mod points, but I can't find "+1 just sad" or should it be -1 so others don't have to read it... not sure.
Re: (Score:2)
I live in New Mexico.
Re: (Score:2)
The problem is that the SSN is used as both identifier and authenticator, which is an inherent fl
Re: (Score:1)
It has not been that long ago that police departments all over the country would loan one an engraver with which you could permanently mark your valuable possessions so that, in the event of theft, they could be more easily returned to
Protecting a single piece of data is easy (Score:3, Insightful)
Protecting and classifying the odd few petabytes that probably move daily in different formats across several hundred collecting agencies and several thousand user organizations is a tad more involved.
Re: (Score:1)
Something I've noticed... (Score:1)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:1)
"Senior level positions that barely pay 49k"
I don't know about you, but 49k sounds good to me!
Re: (Score:2)
"Senior level positions that barely pay 49k"
I don't know about you, but 49k sounds good to me!
Uh-huh. Except my first tech job out of college paid more than that. It's not a horrible salary, but I wouldn't consider a full-time job with pay that "low" unless there was something else spectacular about it.
Re: (Score:1)
I'd say it's a good salary. The key is to not spend every last penny on a giant house and useless things that you don't need. Lots of people would love making that much money each year. While they obviously can make more money, that's still a good salary.
Re: (Score:2)
Low pay, very isolated, tending machines all day makes for unhappy young people. At best they get very drunk all the time. If not, the KGB/FSB offers cash and a better life when rotated back home. Expansion during wars and times of need lets many people in who should never have been allowed.
On the outside you have that once in a generation 'press' types that do real work and are no
Re: (Score:2)
Just curious.
SS No. is sooo totally not protected (Score:1)
Your fellow citizens are asking you for this number every day, day in and day out, like it's nothing. The social security office will tell you not to give it to anyone except official government personnel and so on, but everybody wants it. I think for the most part, businesses are the culprits when it comes to stolen identity, not our government.
On Purpose? (Score:1)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Article way off base (Score:5, Informative)
Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue. Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing, as are "3. SBU-NF" and "4. SBU/ NOFORN", and several others). Many of the others are mixing apples and oranges. Items 5-9 deal with the data ownership, which is reasonably treated differently from "15. SOURCE SELECTION SENSITIVE" or "33. ATTORNEY CLIENT" information. Is the list Cooney presents absurd? Possibly. Could the Gov't marking system be simplified? Probably. But don't do it on the basis of this article.
Re: (Score:2)
"Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue."
Let's see.
"Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing"
Which seems to be exactly (part of) his point. If they are all the same thing, why do they have four different names? Make it more complex than needed and you'll have it more fragile than needed.
Re: (Score:2)
not really. The US government is huge and (hold on to your hat) is actually reasonably efficient. Most of this efficiency comes from not making things completely uniform unless it helps a lot. So, the name given to things that are not subject to FOIA requests but are not classified is a good example. Why make one standard? Why not just let the department of energy call it "for official use only" and the department of state call it, "official use only." You could make a commission to argue over it and then f
Re: (Score:2)
"Why not just let the department of energy call it "for official use only" and the department of state call it, "official use only.""
Because sooner or later you will need to cross data from DoE and DoS and you'll have a nightmare to know which data is crossable privacy-wise to which.
Re: (Score:2)
I'm not really sure what your complaint is, or why it has to be. If DOE wants one set of restrictions and DOS wants another... so be it. If the interaction becomes a big deal, then let some high level committee spend time trying to figure it out. Until then, follow KISS.
Re: (Score:3, Interesting)
I cannot see how having 3 different types of 'Sensitive' can help efficiency at all.
Re: (Score:2)
1) It's unnecessary to use 3 systems to achieve the same end
2) Using three systems to do the same thing over and over again is redundant
3) There really doesn't have to be 3 methods of accomplishing the same task
Re: (Score:2)
Think of it this way:
- Your credit card information is sensitive, but you have to give it out to some people 'you think you can trust' in exchange for things you want. Once in a while you will get a new number and the old one will no longer be a coveted secret. Your credit is guarded under US law to limit your liability, but it's a real pain when your card suddenly no longer works when you are out on a hot date.
- Your soc
Re: (Score:3, Insightful)
What if we surveyed private industry, how many different ways would we find to label sensitive data? Would the economy be more efficient if time were taken to force everybody onto a single standard?
People talk about "the government" like it's a single entity. Then they divide up problems in different ways and assume a single department should be responsible for each sub-problem in their arbitr
Re: (Score:2)
On the other
Sooo (Score:4, Insightful)
Re: (Score:3, Funny)
> SSN was just an example for gods sake.
Then hopefully God will find that example more useful than we have.
Hah! (Score:2, Insightful)
And this is why I refuse to believe any of the popular conspiracy theories about our government. The United States government can't keep secrets secret.
Re: (Score:1)
And this is why I refuse to believe any of the popular conspiracy theories about our government. The United States government can't keep secrets secret.
Your logic makes my head spin. You don't believe that our government can keep secrets therefore you don't believe the secrets that our government can't keep.
Re: (Score:2)
Re: (Score:2)
The United States government can't keep secrets secret.
Sure they can. That's why we are not squawking about real secrets on Slashdot.
Re: (Score:2)
The United States government can't keep secrets secret.
Sure they can. That's why we are not squawking about real secrets on Slashdot.
Sure they can't. Wikileaks [wikileaks.org]
Re: (Score:1)
Re: (Score:2)
Sorry, no.
"Sensitive" is not "Classified". The GAO report listed only addressed slipshod contractor access to SBU (Sensitive, But Unclassified) information. Examples are business proprietary, attorney-client and personally identifiable information.
Once it hits "Secret" classification, the process is different and more stringent. "Top Secret" involves many (locked) hoops to jump thru for access. "Top Secret - SCI" is a major nightmare.
Honestly, you'll find very few accidental disclosures of Classified in
Re: (Score:2)
What about the Valerie Plame scandal? There it turned out that all these White House officials had access to all this S/TS info and weren't really even paying attention to what was S and TS and didn't pay for it at all.
Easy way to make sure no one accesses your data... (Score:2, Funny)
Make it into a PDF and put it on /.
it could be worse (Score:1)
More work to do (Score:2)
It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines,
then
"found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."
Therefore, I reckon the near future will see (at least) 101 unique markings and 131 labeling/handling routines - that's how the govs work, folks!
Re: (Score:2)
Re: (Score:2)
Heck, they LOST (JUST LOST!) billions of the stimulus money that they have no accounting for
It sounds awful, but frankly I think this fact is blown out of proportion. I occasionally lose the odd dollars in my own budget, which is MUCH less complex than the national budget. It's the same thing, just a bigger scale. Nothing so ridiculous about losing a few billion here or there when you're dealing with a budget of nearly 4 trillion dollars...
Is it a good thing? No, not at all. But it's not something you should keep parroting anytime the subject of government comes up.
Re: (Score:2)
Yes, but you have a few billion here, and a few billion there, pretty soon it starts adding up to real money.
Context (Score:2)
The DoD has issues with classifying data, yes, but they have to deal with some odd situations. A good example is a well known (publicly) Air Force project that I can't remember the acronym of but someone Googling could find it in a few minutes I'd imagine. This project used a 30 node Teradata system (NCR) with a combined total of 18TB (36TB if you count the mirror). None of the data was even classified as 'sensitive' on its own, but after several years of gathering data it was decided by an audit that in a
Give it to somebody with experience (Score:4, Funny)
If the US government wants to store large amounts of confidential information, have it efficiently sorted and distributed, with practically no down time, then surely they should outsource it to Wikileaks?
Phillip.
US Gov't Makes a Mess of... (Score:2)
Why did we need to read any further than that?
Re: (Score:2)
Three can keep a secret if... (Score:2)
Secrecy is horseshit. Document classification is horseshit. If something needs to be secret, don't put it into a document. If something needs to be secret and you know it, then don't tell anybody. Three can keep a secret if two are dead and the other is scared shitless about what will happen if he tells the secret. And notice the pronoun 'he' in the last sentence. For God's sake, if you are serious about keeping a secret, don't tell it to a woman.
99.99999% of everything in the world classified as sec
Our beloved schools are to blame. (Score:1)
And this is newsworthy why?? (Score:1)
I can fix the problem. (Score:2)
It's simple. Declassify everything.
Nothing secret, nothing's top secret, nothing is hidden from the public.
Just how the government should be, and needs to be.
Solved: Use a spam filter and get 99.9% accuracy (Score:1)
You can do this automagically with a spam filter, with an accuracy around 99.9%
See the BlackHat 2010 paper "Keeping the Good Stuff In: Confidential Information Firewalling with the CRM114 Spam Filter and Text Classifier".
Here's the URL to the PDF:
https://media.blackhat.com/bh-us-10/whitepapers/Yerazunis/BlackHat-USA-2010-Yerazunis-Confidential-Mail-Filtering-wp.pdf [blackhat.com]
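The approach in the referenced paper is to point a spam-filter-style text classifier at outbound content and treat "confidential" as the class to keep in. The following added example (not CRM114, and not code from the paper or this thread) shows the principle with a small multinomial naive Bayes classifier: it is trained on constructed "confidential" and "public" documents and then labels an outbound message. CRM114 itself uses richer features than the bag-of-words model here; the training texts, labels and the `check_outbound` function are all assumptions of this example.

```python
"""Added example: a bag-of-words naive Bayes classifier used as an
outbound confidentiality check. Not CRM114; training data is constructed."""
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> list[str]:
    return TOKEN_RE.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self) -> None:
        self.doc_counts: Counter = Counter()                  # label -> documents
        self.word_counts: dict = defaultdict(Counter)         # label -> token -> count
        self.vocab: set = set()

    def train(self, text: str, label: str) -> None:
        self.doc_counts[label] += 1
        for tok in tokenize(text):
            self.word_counts[label][tok] += 1
            self.vocab.add(tok)

    def log_prob(self, text: str, label: str) -> float:
        """log P(label) + sum of log P(token | label) over the message."""
        total_docs = sum(self.doc_counts.values())
        lp = math.log(self.doc_counts[label] / total_docs)
        n_label = sum(self.word_counts[label].values())
        v = len(self.vocab)
        for tok in tokenize(text):
            # add-one smoothing so an unseen token never zeroes the score
            lp += math.log((self.word_counts[label][tok] + 1) / (n_label + v))
        return lp

    def classify(self, text: str) -> str:
        scores = {lbl: self.log_prob(text, lbl) for lbl in self.doc_counts}
        return max(scores, key=scores.get)


# Constructed training corpus: a handful of documents per class.
CONFIDENTIAL = [
    "attorney client privileged draft settlement terms do not forward",
    "source selection sensitive vendor pricing evaluation scores",
    "employee ssn and date of birth roster for payroll enrollment",
    "proprietary schematic for the new turbine blade under nda",
]
PUBLIC = [
    "cafeteria menu for next week includes taco tuesday",
    "reminder the parking garage closes early on friday",
    "press release announcing the quarterly community open house",
    "holiday schedule posted on the public website",
]


def build_filter() -> NaiveBayes:
    nb = NaiveBayes()
    for doc in CONFIDENTIAL:
        nb.train(doc, "confidential")
    for doc in PUBLIC:
        nb.train(doc, "public")
    return nb


def check_outbound(message: str) -> str:
    """Label an outbound message; a gateway would hold 'confidential' mail."""
    return build_filter().classify(message)


if __name__ == "__main__":
    for msg in ("forwarding the vendor pricing evaluation and ssn roster",
                "the cafeteria menu and parking garage reminder"):
        print(check_outbound(msg), "<-", msg)
```

With this little corpus the classifier is only illustrative; the accuracy figure the post quotes depends on a much larger, domain-specific training set and on the feature model the paper describes, and any such filter still needs a human review path for the messages it holds.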
Re: (Score:2)
You can do this automagically with a spam filter, with an accuracy around 99.9%
Was it a spam filter that delayed the Japanese declaration of war, ten days before Pearl Harbor?
Programs as well as filters are only as good as the people using them. Infallible? Not likely.
DARPA has a BAA open for this problem (Score:2)
source: https://www.fbo.gov/index?s=opportunity&mode=form&id=06a877fddd2dedaf6a52520345f64eda&tab=core&_cview=0 [fbo.gov]
from the fedbizops:
"Promotion of new technologies to support declassification. Striking the critical balance between openness and secrecy is difficult but a necessary part of our democratic form of government. Striking this balance becomes more difficult as the volume and complexity of the information increases. Improving the capability of departments and agencies to identif
Usual for government (Score:2)
The US government makes a mess of a lot of stuff that they do. That's why a lot of us don't want them taking over health care.
right IS wrong (Score:2)
The reason for security classifications is to protect the guilty.
Politicians who are "in bed" with the oil companies, big pharma, the banksters, utilities, lobbyists, special interest groups. The biggest lie [riotusa.org] stands as a testament to this truth.
Why else would the videos of what really happened at the Pentagram have not been seen by anyone outside the "elite"?
Questions about Ch
salm (Score:1)