US Gov't Makes a Mess of Classifying Sensitive Data

coondoggie writes "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard, but (perhaps not surprisingly) the US government has elevated complicating that task to an art form. It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines, reflecting a disjointed, inconsistent, and unpredictable system for protecting, sharing, and disclosing sensitive information." This was the conclusion of a recent report (PDF) by the Government Accountability Office, which also "found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."

Re:Protecting what?

[socsoc]

If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encoded (without encryption) in the magstrip of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask.

Article way off base

[Anonymous Coward]

Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue. Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing, as are "3. SBU-NF" and "4. SBU/ NOFORN", and several others). Many of the others are mixing apples and oranges. Items 5-9 deal with the data ownership, which is reasonably treated differently from "15. SOURCE SELECTION SENSITIVE" or "33. ATTORNEY CLIENT" information. Is the list Cooney presents absurd? Possibly. Could the Gov't marking system be simplified? Probably. But don't do it on the basis of this article.

Re:Protecting what?

[afidel]

It was originally intended to be used only for purposes of tracking hours worked for social security benifits, and in fact the original social security act made it illegal to use it for any other purpose. Along came computers and relational databases and suddenly everyone needed a unique foreign key to keep records straight, the only record that was guaranteed to stay the same over time (mostly) was the SSN or TIN (social security number or taxpayer identification number). This made the SSN ideal for the primary foreign key and hence businesses and government both broke the law and used it to sort records, so much so that the law had to be amended to make it legal to use it as an identifier.

Are birth certificates serialized at the national level in Australia? Because in the US they are granted by the county health departments and there is no national system of tracking them. In fact prior to the IRS requiring SSN's to prove dependent status for minors it was not at all unusual to not have an SSN until your first legit job or turning 18 when males were required to get one for selective services (draft) purposes.