Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Government Security United States Your Rights Online

US Gov't Makes a Mess of Classifying Sensitive Data 100

coondoggie writes "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard, but (perhaps not surprisingly) the US government has elevated complicating that task to an art form. It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines, reflecting a disjointed, inconsistent, and unpredictable system for protecting, sharing, and disclosing sensitive information." This was the conclusion of a recent report (PDF) by the Government Accountability Office, which also "found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."
This discussion has been archived. No new comments can be posted.

US Gov't Makes a Mess of Classifying Sensitive Data

Comments Filter:
  • Protecting what? (Score:5, Insightful)

    by turbidostato ( 878842 ) on Monday September 13, 2010 @07:15PM (#33567678)

    "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard"

    I know the historical context that makes social security numbers to be declared "sensitive information" in the USA but when will you start to attack the real problem?

    Your social security number is an identification token; it should be the exact opposite to sensitive information! No wonder you have so many problems related to SSNs.

    • The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy.

      • Re:Protecting what? (Score:5, Informative)

        by socsoc ( 1116769 ) on Monday September 13, 2010 @07:34PM (#33567814)
        If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encoded (without encryption) in the magstrip of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask.
        • Re: (Score:2, Interesting)

          by AfroTrance ( 984230 )

          What is the exact purpose of a SSN? In Australia, we have a tax file number (TFN), which seems equivalent. This is only used for taxation purposes. You would never use it for ID, unless you are identifying yourself to the tax department. You only give it to your bank if you earn interest, but you don't have to if you don't want to. Birth certificates are used as a baseline ID.

          • Re:Protecting what? (Score:4, Informative)

            by afidel ( 530433 ) on Monday September 13, 2010 @08:31PM (#33568204)
            It was originally intended to be used only for purposes of tracking hours worked for social security benifits, and in fact the original social security act made it illegal to use it for any other purpose. Along came computers and relational databases and suddenly everyone needed a unique foreign key to keep records straight, the only record that was guaranteed to stay the same over time (mostly) was the SSN or TIN (social security number or taxpayer identification number). This made the SSN ideal for the primary foreign key and hence businesses and government both broke the law and used it to sort records, so much so that the law had to be amended to make it legal to use it as an identifier.

            Are birth certificates serialized at the national level in Australia? Because in the US they are granted by the county health departments and there is no national system of tracking them. In fact prior to the IRS requiring SSN's to prove dependent status for minors it was not at all unusual to not have an SSN until your first legit job or turning 18 when males were required to get one for selective services (draft) purposes.
            • I believe they would be. I think they became federal in 86. But the number isn't used like an SSN. I believe the only time you would absolutely need a birth certificate is for your passport, TFN, welfare and a public health care card. All other things can be a mix of other stuff. For example, you could use a birth certificate to get a driver's licence, then use the driver's licence to get a bank account. So the bank doesn't have your birth certificate details.

              I believe the government here has problems becau

              • You mean Australia did something right? Say it isn't so :p

                Keep on fighting against national id, we already have it and don't yet know it.

            • Birth certificates are issued at the time/location of birth and registered at the state/territory level in Australia. They carry no succinct, unique identifier information suitable for use in foreign systems. As I suspect is the case in the US, getting states to do things in a consistent way is nigh on impossible. I can only imagine what a PITA dealing with umpteen hundreds of counties would be like.
              • 3,086 counties... 3,086. But they also change boundaries and merge and split. It would be a nightmare to try to do anything national with them.

                • by tsm_sf ( 545316 )
                  Well, every payroll company works with data that's at least an order of magnitude more complicated. I'm not saying it isn't a nightmare, but at least it's possible.
                  • Payrole is 1,000 times easier. There you have voluntary relationships (between firms). When the USG or even an organization of counties starts to standardize there are counties that will object just because they don't want to play nice.

                    There are counties with no roads, counties with less than 100 inhabitants,they don't all have an email address, etc.

                    • by tsm_sf ( 545316 )
                      I was thinking of the byzantine local, state, national, and international tax codes they have to deal with. Picture a company that straddles two counties and has employees working in different countries. EVERYONE wants a piece of the pie, and they don't go out of their way to make it easy.
            • Every so often, there's talk of issuing a national ID card in the US, which ends up portrayed as some sort of move towards a police state. I've never fully understood the reasoning on that -- among other things, given the lack of such a national ID, other documents are used in its place.

              For instance, when one is officially hired for a job in the US, one is required to present their "I-9 documents" [wikipedia.org], to demonstrate that they are legally privileged to work in the US. That requirement is usually met with the co

        • try getting a job without giving it (and I'm not talking about filling out the w-4, I'm talking about when they ask for ID).

          • by socsoc ( 1116769 )
            I've never had that has a condition of being offered employment. It comes later once you start and they need to confirm that you are a citizen along with filling out your w4. I don't see how that's relevant. Hell I know foreign citizens that have jobs (legally).
            • You've never worked for T.J. Maxx where you had to have one at the time you fill out all your forms and they take a copy of your SS card and DL/ID (mandatory to have SS card according to T.J. Maxx policy, at least in 2k1).

      • by by (1706743) ( 1706744 ) on Monday September 13, 2010 @07:34PM (#33567824)

        The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy.

        I'm not positive that's the problem -- as turbidostato pointed out, it's supposed to be an identification token, not a password. Trouble is, banks, CC companies, etc. commonly use this (perhaps coupled with something lame like DOB) as just that.

        For example, from your clearly visible email address, I know you have a livejournal [livejournal.com] account (contains your birthdate, hometown, full name, etc.), you frequent Amazon [amazon.com] (which shows a picture of you, some personal info, etc.), and so forth -- all from a simple google search.

        Thing is, I can't easily steal your identity, because you've only supplied your handle, but no password. I believe that's what turbidostato's saying; we should be able to talk about our SSN the same as our email address, as our handle and password should be (but aren't) separate.

        • The solution is to impose some XTREME liability laws when it comes to identity. Like, they lose your data, they owe you 1 million a case. You bet your sweet as they will watch the data then.
        • um, no one said anything about passwords.

          And SSN was only supposed to be used to track eligibility for SS benefits. Not for identification.

          • "And SSN was only supposed to be used to track eligibility for SS benefits. Not for identification."

            Do you mean that eligibility for SS benefits depends in some characteristic of the SSN, like being odd or prime? Of course it is an identity token!!! It's the means by which the Social Security identificates their subjects: you can *track* benefits because you can *identificate* beneficiaries by means of their SSN.

            What you probably meant was that SSN was meant to be an identity token to be used only within

      • "The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy."

        That's exactly my point. I could accept that common use of SSN would make nowadays for easy identity *tracking* but never identity *theft*, which is made so easy because you are using your SSN as an auth token, not an identity one.

        • No, identity theft is not because of SSN use as an auth token (not entirely anyway).

          Identity theft is because your SSN is used as an identity token (at the employer level; not many employers will accept ID without having a copy of your SS card, some won't take anything but your DL/ID and SS card even if your SSN is on the DL/ID).

          I keep my SSN card under lock and key and don't give it out unless I'm forced to (school, federal benefits such as pell grant, employment, banks). Unfortunately an increasing amount

          • "No, identity theft is not because of SSN use as an auth token"

            Of course it is.

            "Identity theft is because your SSN is used as an identity token [...] I keep my SSN card under lock"

            If it is not an authentication/authorization token, why do you try to keep it secret and under lock? And if it is not an identity token, whose identity is being stolen if not the one identified by that very SSN?

            You identify yourself as 123-12-1234 (your SSN) and then you probe your authenticity... by knowing your own SSN. That's

            • way to leave out my parenthetical aside.

              You and I are apparently dealing with two different definitions of auth/identity token.

              When I say authorization token, I'm talking about a password/phrase what have you. When I say it's an identity token I mean it's something used to identify you as you. Saying that the SSN hasn't become an identity token is to ignore the last 20+ years of it being used as such.

              I'm not addressing anything else you said because you aren't making sense.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        And yet, it says right on the card, that the number is not to be used for any sort of identification.

        That's government honesty for you: if they declare in the law that something is a fee rather than a tax, then they have not raised taxes.

    • SSNs are used as an example. The real problem, alluded to in the article, is that the government attempts to classify personally sensitive, business sensitive, and military critical information (to name a few) under the same system. Unfortunately there is plenty of overlap and specific cases within these categories, resulting in a ridiculous number of labels - thereby resulting in mass confusion. However, this situation is often the case when one attempts to take a single system and apply it to such a wi
    • by Isao ( 153092 )
      This is correct, the SSN is an identifier. (Yes, I know the card is marked not to use as identification, but that's different. The problem is that a secure transaction (on-line or off), requires an identifier and an authenticator. An identifier is like a username - it identifies who the party is. An authenticator is like a password - it attempts to confirm the entity supplying the identifier is the real one.

      The problem is that the SSN is used as both identifier and authenticator, which is an inherent fl

    • by Gim Tom ( 716904 )
      Until the last couple of decades the Social Security Number in the US was only an identifier with NO financial value at all. It was an accounting identifier for the Social Security System initially, but had become a general "unique" identifier for many systems by the 1980's

      It has not been that long ago that police departments all over the country would loan one an engraver with which you could permanently mark your valuable possessions so that, in the event of theft, they could be more easily returned to

  • by siddesu ( 698447 ) on Monday September 13, 2010 @07:20PM (#33567720)

    Protecting and classifying the odd few petabytes that probably move daily in different formats across several hundred collecting agencies and several thousand user organizations is a tad more involved.

  • at least at the state level is the horrible pay for tech folks. Senior level positions that barely pay 49k. When I see ads in the local paper for state jobs that pay terrible and then read about data getting exposed, lost, etc. I'm not surprised.
    • Re: (Score:3, Insightful)

      by Dragoniz3r ( 992309 )
      Yeah, but then everyone bitches if they try to raise taxes... I mean, obviously, the solution is for governments to be more efficient with the money they do have, and to pay their people properly, but for some reason it's easier to cut people than programs...
    • "Senior level positions that barely pay 49k"

      I don't know about you, but 49k sounds good to me!

      • "Senior level positions that barely pay 49k"

        I don't know about you, but 49k sounds good to me!

        Uh-huh. Except my first tech job out of college paid more than that. It's not a horrible salary, but I wouldn't consider a full-time job with pay that "low" unless there was something else spectacular about it.

        • I'd say it's a good salary. The key is to not spend every last penny on a giant house and useless things that you don't need. Lots of people would love making that much money each year. While they obviously can make more money, that's still a good salary.

    • by AHuxley ( 892839 )
      This is not new. Sending young people with eg. language skills around the world or not vetting anyone ect is an old problem.
      Low pay, very isolated, tending machines all day makes for unhappy young people. At best they get very drunk all the time. If not the KGB/FSB offers cash and a better life when rotated back home. Expansion during wars and time of need lets many people in who should never have been allowed.
      On the outside you have that once in a generation 'press' types that do real work and are no
    • Are you suggesting that the staff are selling the information because their pay is so low? Or that because of the low pay they only attract useless staff?

      Just curious.
  • Your fellow citizens are asking you for this number every day, day in and day out, like it's nothing. The social security office will tell you not to give it to anyone except official government personnel and so on, but everybody wants it. I think for the most part, businesses are the culprits when it comes to stolen identity, not our government.

  • There seems to be a concerted effort to make the government as useless as possible.
    • Re: (Score:3, Funny)

      by T Murphy ( 1054674 )
      Well, duh. One side wants the government to do very little, while the other side wants the government to spend lots of money on stuff, so the politicians do as they're told and spend a lot of money getting nothing done.
      • Except in the U.S. both 'sides' spend the same amount of money and want to expand gov't power. The difference is where to spend and expand.
    • Don't attribute to malice that which can be easily explained by bureaucracy.
  • Article way off base (Score:5, Informative)

    by Anonymous Coward on Monday September 13, 2010 @07:40PM (#33567864)

    Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue. Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing, as are "3. SBU-NF" and "4. SBU/ NOFORN", and several others). Many of the others are mixing apples and oranges. Items 5-9 deal with the data ownership, which is reasonably treated differently from "15. SOURCE SELECTION SENSITIVE" or "33. ATTORNEY CLIENT" information. Is the list Cooney presents absurd? Possibly. Could the Gov't marking system be simplified? Probably. But don't do it on the basis of this article.

    • "Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue."

      Let's see.

      "Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing"

      Which seems to be exactly (part of) his point. If they are all the same thing, why they have four different names? Make it more complex than needed and you'll have it more fragile than needed.

      • not really. The US government is huge and (hold on to your hat) is actually reasonably efficient. Most of this efficiency comes from not making things completely uniform unless it helps a lot. So, the name given to things that are not subject to FOIA requests but are not classified is a good example. Why make one standard? Why not just let the department of energy call it "for official use only" and the department of state call it, "official use only." You could make a commission to argue over it and then f

        • "Why not just let the department of energy call it "for official use only" and the department of state call it, "official use only.""

          Because sooner or later you will need to cross data from DoE and DoS and you'll have a nightmare to know which data is crossable privacy-wise to which.

          • I'm not really sure what your complaint is, or why it has to be. If DOE wants one set of restrictions and DOS wants another... so be it. If the interaction becomes a big deal, then let some high level committee spend time trying to figure it out. Until then, follow KISS.

    • Re: (Score:3, Interesting)

      by cheater512 ( 783349 )

      I cannot see having 3 different types of 'Sensitive' can help efficiency at all.

      • I Agree.

        1) It's unnecessary to use 3 systems to achieve the same end

        2) Using three systems to do the same thing over and over again is redundant

        3) There really doesn't have to be 3 methods of accomplishing the same task
      • by hAckz0r ( 989977 )

        I cannot see having 3 different types of 'Sensitive' can help efficiency at all.

        Think of it this way:

        - Your credit card information is sensitive , but you have to give it out to some people 'you think you can trust' in exchange for things you want. Once in a while you will get a new number and the old one will no longer be a coveted secret. Your credit is guarded under US law to limit your liability, but its a real pain when your card suddenly no longer works when you are out on a hot date.

        - Your soc

      • Re: (Score:3, Insightful)

        by timeOday ( 582209 )
        The parties with 3 different types of 'Sensitive' may or may not ever exchange information in the first place.

        What if we surveyed private industry, how many different ways would we find to label sensitive data? Would the economy be more efficient if time were taken to force everybody onto a single standard?

        People talk about "the government" like it's a single entity. Then they divide up problems in different ways and assume a single department should be responsible for each sub-problem in their arbitr

      • by flitty ( 981864 )
        Having multiple ways of marking something sensitive I can bet you comes from private industry. I bet Lockheed did it one way, Northrup did it another, and neither wanted to have to go back and fix all of their previous documents to conform to standards. So the government being accomodating said both would work. The big companies in industry have much more weight in things like this than the government does. The government just tries to reduce the number of markings, which is no easy task.

        On the other
  • Sooo (Score:4, Insightful)

    by ascari ( 1400977 ) on Monday September 13, 2010 @07:41PM (#33567868)
    From the comments so far one would think the article was about SSNs. If you RTFA it's about procedures and bureacracy surrounding classified information including sometimes conflicting classifications used by different fedarl agencies. SSN was just an example for gods sake.
  • Hah! (Score:2, Insightful)

    by davmoo ( 63521 )

    And this is why I refuse to believe any of the popular conspiracy theories about our government. The United States government can't keep secrets secret.

    • by stms ( 1132653 )

      And this is why I refuse to believe any of the popular conspiracy theories about our government. The United States government can't keep secrets secret.

      Your logic makes my head spin. You don't believe that our government can keep secrets therefore you don't believe the secrets that our government can't keep.

    • or tie their own shoes
    • The United States government can't keep secrets secret.

      Sure they can. That's why we are not squawking about real secrets on Slashdot.

      • by slick7 ( 1703596 )

        The United States government can't keep secrets secret.

        Sure they can. That's why we are not squawking about real secrets on Slashdot.

        Sure they can't. Wikileaks [wikileaks.org]

    • by rakuen ( 1230808 )
      They're just trying to lure you into a false sense of security. Then they'll do absolutely nothing about it!
    • by chill ( 34294 )

      Sorry, no.

      "Sensitive" is not "Classified". The GAO report listed only addressed slipshod contractor access to SBU (Sensitive, But Unclassified) information. Examples are business proprietary, attorney-client and personable identifiable information.

      Once it hits "Secret" classification, the process is different and more stringent. "Top Secret" involves many (locked) hoops to jump thru for access. "Top Secret - SCI" is a major nightmare.

      Honestly, you'll find very few accidental disclosures of Classified in

      • What about the Valery Plame scandal? There it turned out that all these white house officials had access to all this S/TS info and weren't really even paying attention to what was S and TS and didn't pay for it at all.

  • by Anonymous Coward

    Make it into a PDF and put it on /.

  • I am currently writing some software for an advertising company. They deal mainly in yellowpages type stuff. They track over 100 attributes per item, for small cards with a few lines of text on them. I predict they crater in 5 years tops.
  • TFS:

    It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines,

    then

    "found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."

    Therefore, I reckon the near future will see (at least) 101 unique markings and 131 labeling/handling routines - that's how the govs work, folks!

  • The DoD has issues with classifying data, yes, but they have to deal with some odd situations. A good example is a well known (publicly) Air Force project that I can't remember the acronym of but someone Googling could find it in a few minutes I'd imagine. This project used a 30 node Teradata system (NCR) with a combined total of 18TB (36TB if you count the mirror). None of the data was even classified as 'sensitive' on it's own, but after several years of gathering data it was decided by an audit that in a

  • by horza ( 87255 ) on Monday September 13, 2010 @08:28PM (#33568184) Homepage

    If US government wants to store large amounts of confidential information, have it efficiently sorted and distributed, with practically no down time, then surely they should outsource it to Wikileaks?

    Phillip.

  • US Gov't Makes a Mess of...

    Why did we need to read any further than that?
    • by AHuxley ( 892839 )
      For every public US agency in the press, eg CIA Church report, COINTELPRO, black sites... Hidden DIA are types working well with contractors, other groups, fully funded and very happy.
  • Secrecy is horseshit. Document classification is horseshit. If something needs to be secret, don't put it into a document. If something needs to be secret and you know it, then don't tell anybody. Three can keep a secret if two are dead and the other is scared shitless about what will happen if he tells the secret. And notice the pronoun 'he' in the last sentence. For God's sake, if you are serious about keeping a secret, don't tell it to a woman.

    99.99999% of everything in the world classified as sec

  • How surprising can it be? Just look at all the bloody "geniuses" our schools put out. Eventually some of them go to work for Uncle Sam. Obviously there seem to be a lot of them in the Department of Education as well as other government sectors.
  • The Feds make a botch of nearly everything. The ONLY federal agencies that I think do a consistently good job are BLM, USFS, and NPS, and I think that's because they are the only agencies that really care about what they are doing. The Marines also do a pretty good job ...
  • It's simple. Declassify everything.

    Nothing secret, nothings top secret, nothing is hidden from the public.

    Just how the government should be, and needs to be.

  • You can do this automagically with a spam filter, with an accuracy around 99.9%

    See the BlackHat 2010 paper "Keeping the Good Stuff In: Confidential Information
    Firewalling with the CRM114 Spam Filter and Text Classifier".

    Here's the URL to the PDF:

    https://media.blackhat.com/bh-us-10/whitepapers/Yerazunis/BlackHat-USA-2010-Yerazunis-Confidential-Mail-Filtering-wp.pdf [blackhat.com]

    • by slick7 ( 1703596 )

      You can do this automagically with a spam filter, with an accuracy around 99.9%

      Was it a spam filter that delayed the Japanese declaration of war, ten days before Pearl Harbor?
      Programs as well as filters are only as good as the people using them. Infallible? Not likely.

  • source: https://www.fbo.gov/index?s=opportunity&mode=form&id=06a877fddd2dedaf6a52520345f64eda&tab=core&_cview=0 [fbo.gov]

    from the fedbizops:

    "Promotion of new technologies to support declassification. Striking the critical balance between openness and secrecy is difficult but a necessary part of our democratic form of government. Striking this balance becomes more difficult as the volume and complexity of the information increases. Improving the capability of departments and agencies to identif

  • The US government makes a mess of a lot of stuff that do. That's why a lot of us don't want them taking over health care.

  • It states right on the Social Security card [angelfire.com] that it is NOT to be used for identification, but for all intents and purposes, it is.
    The reason for security classifications is to protect the guilty.
    Politicians who are "in bed" with the oil companies, big pharma, the banksters, utilities, lobbyists, special interest groups. The biggest lie [riotusa.org] stands as a testament to this truth.
    Why else would the videos of what really happened at the Pentagram have not been seen by anyone outside the "elite"?
    Questions about Ch
  • If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encoded (without encryption) in the magstrip of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask. http://www.linkmol.com/ [linkmol.com]

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (1) Gee, I wish we hadn't backed down on 'noalias'.

Working...