Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Gov't Makes a Mess of Classifying Sensitive Data

Posted by Soulskill on from the bureaucracy-at-its-finest dept.

coondoggie writes "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard, but (perhaps not surprisingly) the US government has elevated complicating that task to an art form. It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines, reflecting a disjointed, inconsistent, and unpredictable system for protecting, sharing, and disclosing sensitive information." This was the conclusion of a recent report (PDF) by the Government Accountability Office, which also "found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."

100 comments

  1. Protecting what? by turbidostato · · Score: 4, Insightful

    "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard"

    I know the historical context that makes social security numbers to be declared "sensitive information" in the USA but when will you start to attack the real problem?

    Your social security number is an identification token; it should be the exact opposite to sensitive information! No wonder you have so many problems related to SSNs.

    1. Re:Protecting what? by DarkKnightRadick · · Score: 1

      The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    2. Re:Protecting what? by socsoc · · Score: 4, Informative

      If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encoded (without encryption) in the magstrip of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask.

    3. Re:Protecting what? by by+(1706743) · · Score: 5, Insightful

      The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy.

      I'm not positive that's the problem -- as turbidostato pointed out, it's supposed to be an identification token, not a password. Trouble is, banks, CC companies, etc. commonly use this (perhaps coupled with something lame like DOB) as just that.

      For example, from your clearly visible email address, I know you have a livejournal account (contains your birthdate, hometown, full name, etc.), you frequent Amazon (which shows a picture of you, some personal info, etc.), and so forth -- all from a simple google search.

      Thing is, I can't easily steal your identity, because you've only supplied your handle, but no password. I believe that's what turbidostato's saying; we should be able to talk about our SSN the same as our email address, as our handle and password should be (but aren't) separate.

    4. Re:Protecting what? by AfroTrance · · Score: 2, Interesting

      What is the exact purpose of a SSN? In Australia, we have a tax file number (TFN), which seems equivalent. This is only used for taxation purposes. You would never use it for ID, unless you are identifying yourself to the tax department. You only give it to your bank if you earn interest, but you don't have to if you don't want to. Birth certificates are used as a baseline ID.

    5. Re:Protecting what? by Anonymous Coward · · Score: 0

      No, it's not just an "identification token". Because not much more information than your social security number and your name are required to open a credit card account in your name, it MUST be protected as sensitive information, and not just used as an open-text ID. Doing that is the mark of an uncaring and incompetent software system designer, of which the government apparently has far too many.

    6. Re:Protecting what? by Isao · · Score: 1
      This is correct, the SSN is an identifier. (Yes, I know the card is marked not to use as identification, but that's different. The problem is that a secure transaction (on-line or off), requires an identifier and an authenticator. An identifier is like a username - it identifies who the party is. An authenticator is like a password - it attempts to confirm the entity supplying the identifier is the real one.

      The problem is that the SSN is used as both identifier and authenticator, which is an inherent flaw. The SSN is a de-facto identifier. Any attempt to use it as a shared secret authenticator is doomed.

    7. Re:Protecting what? by afidel · · Score: 3, Informative

      It was originally intended to be used only for purposes of tracking hours worked for social security benifits, and in fact the original social security act made it illegal to use it for any other purpose. Along came computers and relational databases and suddenly everyone needed a unique foreign key to keep records straight, the only record that was guaranteed to stay the same over time (mostly) was the SSN or TIN (social security number or taxpayer identification number). This made the SSN ideal for the primary foreign key and hence businesses and government both broke the law and used it to sort records, so much so that the law had to be amended to make it legal to use it as an identifier.

      Are birth certificates serialized at the national level in Australia? Because in the US they are granted by the county health departments and there is no national system of tracking them. In fact prior to the IRS requiring SSN's to prove dependent status for minors it was not at all unusual to not have an SSN until your first legit job or turning 18 when males were required to get one for selective services (draft) purposes.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    8. Re:Protecting what? by turbidostato · · Score: 1

      "The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy."

      That's exactly my point. I could accept that common use of SSN would make nowadays for easy identity *tracking* but never identity *theft*, which is made so easy because you are using your SSN as an auth token, not an identity one.

    9. Re:Protecting what? by turbidostato · · Score: 1

      "No, it's not just an "identification token"."

      I'm with you. It's not just an "identification token": it's a *misused* identification token.

      "Because not much more information than your social security number and your name are required to open a credit card account in your name".

      Which is the real problem: an identification token -which your SSN certainly is, shouldn't be used that way. Just look around you: there's a world beyond USA and it seems it's only USA the one having problems with disclosed SSNs. Have you thought why?

    10. Re:Protecting what? by AfroTrance · · Score: 1

      I believe they would be. I think they became federal in 86. But the number isn't used like an SSN. I believe the only time you would absolutely need a birth certificate is for your passport, TFN, welfare and a public health care card. All other things can be a mix of other stuff. For example, you could use a birth certificate to get a driver's licence, then use the driver's licence to get a bank account. So the bank doesn't have your birth certificate details.

      I believe the government here has problems because it can't put everyone in a master database connecting everything to everything, and they wanted to introduce a "national ID card" to fix this, but no one wanted it so they trashed the idea. I guess the current system is better for us in terms of privacy.

    11. Re:Protecting what? by Ryanrule · · Score: 1

      The solution is to impose some XTREME liability laws when it comes to identity. Like, they lose your data, they owe you 1 million a case. You bet your sweet as they will watch the data then.

    12. Re:Protecting what? by GumphMaster · · Score: 1

      Birth certificates are issued at the time/location of birth and registered at the state/territory level in Australia. They carry no succinct, unique identifier information suitable for use in foreign systems. As I suspect is the case in the US, getting states to do things in a consistent way is nigh on impossible. I can only imagine what a PITA dealing with umpteen hundreds of counties would be like.

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
    13. Re:Protecting what? by Gim+Tom · · Score: 1
      Until the last couple of decades the Social Security Number in the US was only an identifier with NO financial value at all. It was an accounting identifier for the Social Security System initially, but had become a general "unique" identifier for many systems by the 1980's

      It has not been that long ago that police departments all over the country would loan one an engraver with which you could permanently mark your valuable possessions so that, in the event of theft, they could be more easily returned to you.

      Until the early 1990's at least, it was very common at many places for out of date computer generated reports on the nice wide green bar paper, common at the time, to be taken home by employees as scrap paper on which their children could draw on the back with crayons. Many of these reports had names, addresses, and Social Security Numbers on the front! Some even had salary and other now taboo information.

      I personally used large stacks of old green bar paper the same way to draw flow charts and system diagrams. It is really so much easier to follow a flow chart that can be 30 feet long if need be without page connectors!

      What happened though was that COMPANIES, yes private companies, started using the Social Security Number as a SUFFICIENT identifier in the granting of credit. This is what gave a stolen Social Security Number value, and made "Identity Theft" possible. Crooks are smart, they do not steal things with no value.

      If ANYONE that granted credit without properly verifying the identity of who was getting that credit were held liable for any and all damages resulting from such fraud then the "crime" and problem of "Identity Theft" would disappear over night.

    14. Re:Protecting what? by Decker-Mage · · Score: 1

      Actually, no more than an SSN is required. I just searched Google on my SSN and turned up some interesting information, such my full name and that it was in use in New Mexico at one time, as well as my current location. I've never been to New Mexico. That could explain some recent phone calls concerning credit cards and addresses that I never lived at.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    15. Re:Protecting what? by gumbi+west · · Score: 1

      3,086 counties... 3,086. But they also change boundaries and merge and split. It would be a nightmare to try to do anything national with them.

    16. Re:Protecting what? by gumbi+west · · Score: 1

      I have mod points, but I can't find "+1 just sad" or should it be -1 so others don't have to read it... not sure.

    17. Re:Protecting what? by tsm_sf · · Score: 1

      Well, every payroll company works with data that's at least an order of magnitude more complicated. I'm not saying it isn't a nightmare, but at least it's possible.

      --
      Literalism isn't a form of humor, it's you being irritating.
    18. Re:Protecting what? by Anonymous Coward · · Score: 1, Interesting

      And yet, it says right on the card, that the number is not to be used for any sort of identification.

      That's government honesty for you: if they declare in the law that something is a fee rather than a tax, then they have not raised taxes.

    19. Re:Protecting what? by Gilmoure · · Score: 1

      I live in New Mexico.

      --
      I drank what? -- Socrates
    20. Re:Protecting what? by DarkKnightRadick · · Score: 1

      Exactly, and what is it used for? To establish identity by the government's own rules!

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    21. Re:Protecting what? by DarkKnightRadick · · Score: 1

      try getting a job without giving it (and I'm not talking about filling out the w-4, I'm talking about when they ask for ID).

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    22. Re:Protecting what? by DarkKnightRadick · · Score: 1

      You mean Australia did something right? Say it isn't so :p

      Keep on fighting against national id, we already have it and don't yet know it.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    23. Re:Protecting what? by DarkKnightRadick · · Score: 1

      um, no one said anything about passwords.

      And SSN was only supposed to be used to track eligibility for SS benefits. Not for identification.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    24. Re:Protecting what? by DarkKnightRadick · · Score: 1

      No, identity theft is not because of SSN use as an auth token (not entirely anyway).

      Identity theft is because your SSN is used as an identity token (at the employer level; not many employers will accept ID without having a copy of your SS card, some won't take anything but your DL/ID and SS card even if your SSN is on the DL/ID).

      I keep my SSN card under lock and key and don't give it out unless I'm forced to (school, federal benefits such as pell grant, employment, banks). Unfortunately an increasing amount of web sites that don't really need your SSN are asking for it (or even requiring it) without proper encryption (both of the connection AND the resulting record). Granted even with proper encryption, one socially engineered employee later and all your uber-encryption is useless.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    25. Re:Protecting what? by socsoc · · Score: 1

      I've never had that has a condition of being offered employment. It comes later once you start and they need to confirm that you are a citizen along with filling out your w4. I don't see how that's relevant. Hell I know foreign citizens that have jobs (legally).

    26. Re:Protecting what? by turbidostato · · Score: 1

      "And SSN was only supposed to be used to track eligibility for SS benefits. Not for identification."

      Do you mean that eligibility for SS benefits depends in some characteristic of the SSN, like being odd or prime? Of course it is an identity token!!! It's the means by which the Social Security identificates their subjects: you can *track* benefits because you can *identificate* beneficiaries by means of their SSN.

      What you probably meant was that SSN was meant to be an identity token to be used only within the SS.

    27. Re:Protecting what? by turbidostato · · Score: 1

      "No, identity theft is not because of SSN use as an auth token"

      Of course it is.

      "Identity theft is because your SSN is used as an identity token [...] I keep my SSN card under lock"

      If it is not an authentication/authorization token, why do you try to keep it secret and under lock? And if it is not an identity token, whose identity is being stolen if not the one identified by that very SSN?

      You identify yourself as 123-12-1234 (your SSN) and then you probe your authenticity... by knowing your own SSN. That's plain stupid!!!

      -Who are you?
      -I'm John Doe.
      -How can I be sure you are in fact John Doe instead of a liar?
      -Because I know my own name: John Doe.
      -I see.

      Do you see?

    28. Re:Protecting what? by kmoser · · Score: 1

      Actually, older cards said that but ones issued more recently (1960s and later?) say no such thing.

    29. Re:Protecting what? by FoolishOwl · · Score: 1

      Every so often, there's talk of issuing a national ID card in the US, which ends up portrayed as some sort of move towards a police state. I've never fully understood the reasoning on that -- among other things, given the lack of such a national ID, other documents are used in its place.

      For instance, when one is officially hired for a job in the US, one is required to present their "I-9 documents", to demonstrate that they are legally privileged to work in the US. That requirement is usually met with the combination of a state government-issued driver's license and a Social Security card. Drivers' licenses are used as ID in many circumstances; so states also issue official state IDs through their Departments of Motor Vehicles, and the state IDs are very similar to drivers' licenses.

      That last, by the way, reminds me of what part of the issue may be. According to the US Constitution, citizenship is determined by the state governments, and a US citizen is a citizen of a US state. That goes back to the idea hinted at in the early history of the US, that the states were national governments, and the federal government was just a loose association of the different states. That broke down quickly, but was still an issue in the American Civil War; a lot of conservatives still raise a fuss over states' rights, from time to time. This was particularly the case during the Civil Rights movement; thus, a lot of liberals interpret any talk of states' rights as coded language for segregation -- which it frequently is, but not always.

      Social Security cards are simply black print on light blue card stock -- anyone could make a passable forgery with standard office equipment -- so it would normally be absurd to rely on just that card for identification. Drivers' licenses and state IDs have some security built into the cards -- holograms and so forth -- so they're much harder to forge.

      One thing that bugs me about the use of Social Security numbers for identification is that, "for security purposes," many institutions will refrain from asking for your full SSN, just the last four digits, paired with some easily verified personal information like your street address or your mother's "maiden name." How that's more secure, I don't know, as it makes it easier to steal someone's identity, not harder.

    30. Re:Protecting what? by DarkKnightRadick · · Score: 1

      That's exactly what I said.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    31. Re:Protecting what? by DarkKnightRadick · · Score: 1

      You've never worked for T.J. Maxx where you had to have one at the time you fill out all your forms and they take a copy of your SS card and DL/ID (mandatory to have SS card according to T.J. Maxx policy, at least in 2k1).

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    32. Re:Protecting what? by DarkKnightRadick · · Score: 1

      way to leave out my parenthetical aside.

      You and I are apparently dealing with two different definitions of auth/identity token.

      When I say authorization token, I'm talking about a password/phrase what have you. When I say it's an identity token I mean it's something used to identify you as you. Saying that the SSN hasn't become an identity token is to ignore the last 20+ years of it being used as such.

      I'm not addressing anything else you said because you aren't making sense.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    33. Re:Protecting what? by socsoc · · Score: 1

      And that is after you've been offered employment, right?

    34. Re:Protecting what? by DarkKnightRadick · · Score: 1

      nope, because if I don't provide it during the application process (the card, not the number) they won't even consider me for an interview.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    35. Re:Protecting what? by gumbi+west · · Score: 1

      Payrole is 1,000 times easier. There you have voluntary relationships (between firms). When the USG or even an organization of counties starts to standardize there are counties that will object just because they don't want to play nice.

      There are counties with no roads, counties with less than 100 inhabitants,they don't all have an email address, etc.

    36. Re:Protecting what? by tsm_sf · · Score: 1

      I was thinking of the byzantine local, state, national, and international tax codes they have to deal with. Picture a company that straddles two counties and has employees working in different countries. EVERYONE wants a piece of the pie, and they don't go out of their way to make it easy.

      --
      Literalism isn't a form of humor, it's you being irritating.
  2. Protecting a single piece of data is easy by siddesu · · Score: 2, Insightful

    Protecting and classifying the odd few petabytes that probably move daily in different formats across several hundred collecting agencies and several thousand user organizations is a tad more involved.

    1. Re:Protecting a single piece of data is easy by rakuen · · Score: 1

      On the other other hand, classifying the few odd PETAbytes is pretty easy. *ba-dum-pish*

  3. Something I've noticed... by jimmyfrank · · Score: 1

    at least at the state level is the horrible pay for tech folks. Senior level positions that barely pay 49k. When I see ads in the local paper for state jobs that pay terrible and then read about data getting exposed, lost, etc. I'm not surprised.

    1. Re:Something I've noticed... by Dragoniz3r · · Score: 2, Insightful

      Yeah, but then everyone bitches if they try to raise taxes... I mean, obviously, the solution is for governments to be more efficient with the money they do have, and to pay their people properly, but for some reason it's easier to cut people than programs...

    2. Re:Something I've noticed... by cheekyjohnson · · Score: 1

      "Senior level positions that barely pay 49k"

      I don't know about you, but 49k sounds good to me!

      --
      Filthy, filthy copyrapists!
    3. Re:Something I've noticed... by AHuxley · · Score: 1

      This is not new. Sending young people with eg. language skills around the world or not vetting anyone ect is an old problem.
      Low pay, very isolated, tending machines all day makes for unhappy young people. At best they get very drunk all the time. If not the KGB/FSB offers cash and a better life when rotated back home. Expansion during wars and time of need lets many people in who should never have been allowed.
      On the outside you have that once in a generation 'press' types that do real work and are not fooled by "access" or a job for life. They dig and uncover so much thats out in the open. Mix in tell all books, Microsoft networking and the 'internet' its a real wonder more is not leaking.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Something I've noticed... by clarkkent09 · · Score: 2, Insightful

      On the contrary, the government pays people too much. On average, public sector pay is higher than the private sector pay for equivalent jobs: http://www.usatoday.com/news/nation/2010-03-04-federal-pay_N.htm

      --
      Negative moral value of force outweighs the positive value of good intentions.
    5. Re:Something I've noticed... by Blink+Tag · · Score: 1

      "Senior level positions that barely pay 49k"

      I don't know about you, but 49k sounds good to me!

      Uh-huh. Except my first tech job out of college paid more than that. It's not a horrible salary, but I wouldn't consider a full-time job with pay that "low" unless there was something else spectacular about it.

    6. Re:Something I've noticed... by tehcyder · · Score: 1

      Are you suggesting that the staff are selling the information because their pay is so low? Or that because of the low pay they only attract useless staff?

      Just curious.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    7. Re:Something I've noticed... by cheekyjohnson · · Score: 1

      I'd say it's a good salary. The key is to not spend every last penny on a giant house and useless things that you don't need. Lots of people would love making that much money each year. While they obviously can make more money, that's still a good salary.

      --
      Filthy, filthy copyrapists!
  4. SS No. is sooo totally not protected by eyenot · · Score: 1

    Your fellow citizens are asking you for this number every day, day in and day out, like it's nothing. The social security office will tell you not to give it to anyone except official government personnel and so on, but everybody wants it. I think for the most part, businesses are the culprits when it comes to stolen identity, not our government.

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  5. Article is not about SSNs by godunc · · Score: 2, Interesting

    SSNs are used as an example. The real problem, alluded to in the article, is that the government attempts to classify personally sensitive, business sensitive, and military critical information (to name a few) under the same system. Unfortunately there is plenty of overlap and specific cases within these categories, resulting in a ridiculous number of labels - thereby resulting in mass confusion. However, this situation is often the case when one attempts to take a single system and apply it to such a wide audience. The US fed is going through a similar situation in IT and HR Management; at some point the benefits of consolidation result in less efficiency...

  6. They're stealing IP. by Anonymous Coward · · Score: 0

    First they steal public-domain information to convert it into Secret private IP,

    Secondly they unlawfuly convert this IP to proprietary hypothica to be traded like currency
    to competing/competant organizations with it endorsed under their Seal as National Security.

    Third they mishandle it without our knowledge, and will not disclose what they stole from us because
    their defense if 5th amendment to cover their asses.

    I wish all the recent masses of grey-haired White Al'Quaeda detained at the Airports and inter-state Bus Terminals would all rise up with their Social Security benefits to Overnight-deliver a stool sample in protest by FEDEX to these God-damned privileged FELONIOUS CRIMINALS.

  7. On Purpose? by DragonDru · · Score: 1

    There seems to be a concerted effort to make the government as useless as possible.

    --
    20 characters max for the password? How will I use my favorite poems as passwords?
    1. Re:On Purpose? by T+Murphy · · Score: 2, Funny

      Well, duh. One side wants the government to do very little, while the other side wants the government to spend lots of money on stuff, so the politicians do as they're told and spend a lot of money getting nothing done.

      --
      My webcomic
    2. Re:On Purpose? by SilverHatHacker · · Score: 1

      Don't attribute to malice that which can be easily explained by bureaucracy.

      --
      Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    3. Re:On Purpose? by locallyunscene · · Score: 1

      Except in the U.S. both 'sides' spend the same amount of money and want to expand gov't power. The difference is where to spend and expand.

  8. Article way off base by Anonymous Coward · · Score: 5, Informative

    Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue. Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing, as are "3. SBU-NF" and "4. SBU/ NOFORN", and several others). Many of the others are mixing apples and oranges. Items 5-9 deal with the data ownership, which is reasonably treated differently from "15. SOURCE SELECTION SENSITIVE" or "33. ATTORNEY CLIENT" information. Is the list Cooney presents absurd? Possibly. Could the Gov't marking system be simplified? Probably. But don't do it on the basis of this article.

    1. Re:Article way off base by turbidostato · · Score: 1

      "Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue."

      Let's see.

      "Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing"

      Which seems to be exactly (part of) his point. If they are all the same thing, why they have four different names? Make it more complex than needed and you'll have it more fragile than needed.

    2. Re:Article way off base by cheater512 · · Score: 2, Interesting

      I cannot see having 3 different types of 'Sensitive' can help efficiency at all.

    3. Re:Article way off base by beakerMeep · · Score: 1

      I Agree.

      1) It's unnecessary to use 3 systems to achieve the same end

      2) Using three systems to do the same thing over and over again is redundant

      3) There really doesn't have to be 3 methods of accomplishing the same task

      --
      meep
    4. Re:Article way off base by Anonymous Coward · · Score: 0

      Same AC as above. They aren't different labels! He's already said that the whole list refers to unclassified data. The only actual categorization of "sensitive but unclassified" is called just that. Calling it "sensitive" is just being lazy, it's not a separate category from "sensitive but unclassified".

      To use a computer analogy, the formal name of the OS is "Windows Vista", but people just call it "Vista" because that's easier -- "Vista" and "Windows Vista" are the same OS, but Cooney's list would treat them separately.

      My original post was agreeing in principle with Cooney's point, but pointing out that his list doesn't show what he says it does.

    5. Re:Article way off base by hAckz0r · · Score: 1

      I cannot see having 3 different types of 'Sensitive' can help efficiency at all.

      Think of it this way:

      - Your credit card information is sensitive , but you have to give it out to some people 'you think you can trust' in exchange for things you want. Once in a while you will get a new number and the old one will no longer be a coveted secret. Your credit is guarded under US law to limit your liability, but its a real pain when your card suddenly no longer works when you are out on a hot date.

      - Your social security number is sensitive but you will often use it for a personal ID. You want to keep it away form identity thieves but the number is all over your insurance bills. Your trash might be dumpster divers heaven. If somebody gets this information you are toast, you can't get another one. You need to expunge all your debt and get back on your feet and hope things are better next time. Now try and buy a house...

      - Your online banking password is sensitive, but you would not give it out to almost anyone, except perhaps your spouse who will need it to pay your bills. But, if you think something is wrong you can always change it, and ought to do so on a regular basis.

      Each of the above types of information has a purpose, and if you stray outside the guide lines of who should have access, and under what conditions, each could have disasterous consequences. Its not about what is sensitive, but how that sensitive information is to be used and guarded.

    6. Re:Article way off base by timeOday · · Score: 2, Insightful
      The parties with 3 different types of 'Sensitive' may or may not ever exchange information in the first place.

      What if we surveyed private industry, how many different ways would we find to label sensitive data? Would the economy be more efficient if time were taken to force everybody onto a single standard?

      People talk about "the government" like it's a single entity. Then they divide up problems in different ways and assume a single department should be responsible for each sub-problem in their arbitrary breakdown. I.e. "six different agencies are responsible for X" (implying that's ridiculous). In practice, no large complex problem can be attacked without some degree of autonomy pushed down the chain of command - which necessarily implies some redundancy and inconsistency. Until everything is controlled by a single massive computer, that will always be the case.

      Don't get me wrong, I recognize the need to constantly search for improvements to the system. But it's not necessary to be shocked and outraged every time some government auditor finds a way to improve whatever he just audited.

    7. Re:Article way off base by gumbi+west · · Score: 1

      not really. The US government is huge and (hold on to your hat) is actually reasonably efficient. Most of this efficiency comes from not making things completely uniform unless it helps a lot. So, the name given to things that are not subject to FOIA requests but are not classified is a good example. Why make one standard? Why not just let the department of energy call it "for official use only" and the department of state call it, "official use only." You could make a commission to argue over it and then force everyone to buy new stamps and go back and restamp everything... but what a waste. Just let each place figure it out and don't mess with success.

    8. Re:Article way off base by flitty · · Score: 1

      Having multiple ways of marking something sensitive I can bet you comes from private industry. I bet Lockheed did it one way, Northrup did it another, and neither wanted to have to go back and fix all of their previous documents to conform to standards. So the government being accomodating said both would work. The big companies in industry have much more weight in things like this than the government does. The government just tries to reduce the number of markings, which is no easy task.

      On the other end, you could have the government mandating 6 separate markings for the different classifications, and you'd have an article on slashdot crying about how the government is going to cost industry billions of dollars to update all of those old documents with new regulations and standards.

      --
      Whether or not there is some sort of god, I'm not supposed to say/god is a word and the argument ends there-Smog
    9. Re:Article way off base by turbidostato · · Score: 1

      "Why not just let the department of energy call it "for official use only" and the department of state call it, "official use only.""

      Because sooner or later you will need to cross data from DoE and DoS and you'll have a nightmare to know which data is crossable privacy-wise to which.

    10. Re:Article way off base by gumbi+west · · Score: 1

      I'm not really sure what your complaint is, or why it has to be. If DOE wants one set of restrictions and DOS wants another... so be it. If the interaction becomes a big deal, then let some high level committee spend time trying to figure it out. Until then, follow KISS.

  9. Sooo by ascari · · Score: 3, Insightful

    From the comments so far one would think the article was about SSNs. If you RTFA it's about procedures and bureacracy surrounding classified information including sometimes conflicting classifications used by different fedarl agencies. SSN was just an example for gods sake.

    1. Re:Sooo by flaming+error · · Score: 2, Funny

      > SSN was just an example for gods sake.
      Then hopefully God will find that example more useful than we have.

  10. Hah! by davmoo · · Score: 1, Insightful

    And this is why I refuse to believe any of the popular conspiracy theories about our government. The United States government can't keep secrets secret.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    1. Re:Hah! by stms · · Score: 1

      And this is why I refuse to believe any of the popular conspiracy theories about our government. The United States government can't keep secrets secret.

      Your logic makes my head spin. You don't believe that our government can keep secrets therefore you don't believe the secrets that our government can't keep.

    2. Re:Hah! by Charliemopps · · Score: 1

      or tie their own shoes

    3. Re:Hah! by Anonymous Coward · · Score: 0

      No, I think yours is the confusing one. You seem to think conspiracy theories have come about because of leaked government secrets. You have it backwards - most conspiracy theories center around supposed plots and deceits that the government has *successfully* kept secret. That is, unless you're aware of leaked secret government reports about the Grassy Knoll, or production footage of the Moon Landing soundstage.

      But the fact that the US government has tried and failed to hide such mundane things as a hotel break-in and a blowjob destroys any confidence in the idea of giant clandestine projects to deceive the public involving thousands of people which have no leaks whatsoever.

      "Three people can keep a secret so long as two of them are dead." - Benjamin Franklin

    4. Re:Hah! by PolygamousRanchKid+ · · Score: 1

      The United States government can't keep secrets secret.

      Sure they can. That's why we are not squawking about real secrets on Slashdot.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    5. Re:Hah! by rakuen · · Score: 1

      They're just trying to lure you into a false sense of security. Then they'll do absolutely nothing about it!

    6. Re:Hah! by Anonymous Coward · · Score: 0

      Nice non-falsifiable assertion.

    7. Re:Hah! by chill · · Score: 1

      Sorry, no.

      "Sensitive" is not "Classified". The GAO report listed only addressed slipshod contractor access to SBU (Sensitive, But Unclassified) information. Examples are business proprietary, attorney-client and personable identifiable information.

      Once it hits "Secret" classification, the process is different and more stringent. "Top Secret" involves many (locked) hoops to jump thru for access. "Top Secret - SCI" is a major nightmare.

      Honestly, you'll find very few accidental disclosures of Classified information and the higher you go in the classification levels, the fewer you'll find. Up there, in cases like what is going on with Wikileaks, the disclosures are NOT accidental.

      --
      Learning HOW to think is more important than learning WHAT to think.
    8. Re:Hah! by gumbi+west · · Score: 1

      What about the Valery Plame scandal? There it turned out that all these white house officials had access to all this S/TS info and weren't really even paying attention to what was S and TS and didn't pay for it at all.

    9. Re:Hah! by slick7 · · Score: 1

      The United States government can't keep secrets secret.

      Sure they can. That's why we are not squawking about real secrets on Slashdot.

      Sure they can't. Wikileaks

      --
      The mind conceives, the body achieves, the spirit manifests.
  11. Easy way to make sure no one accesses your data... by Anonymous Coward · · Score: 2, Funny

    Make it into a PDF and put it on /.

  12. it could be worse by Ryanrule · · Score: 1

    I am currently writing some software for an advertising company. They deal mainly in yellowpages type stuff. They track over 100 attributes per item, for small cards with a few lines of text on them. I predict they crater in 5 years tops.

  13. More work to do by c0lo · · Score: 1
    TFS:

    It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines,

    then

    "found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."

    Therefore, I reckon the near future will see (at least) 101 unique markings and 131 labeling/handling routines - that's how the govs work, folks!

    --
    Questions raise, answers kill. Raise questions to stay alive.
  14. Context by Ransak · · Score: 1

    The DoD has issues with classifying data, yes, but they have to deal with some odd situations. A good example is a well known (publicly) Air Force project that I can't remember the acronym of but someone Googling could find it in a few minutes I'd imagine. This project used a 30 node Teradata system (NCR) with a combined total of 18TB (36TB if you count the mirror). None of the data was even classified as 'sensitive' on it's own, but after several years of gathering data it was decided by an audit that in aggregate the data was Top Secret. This meant physically moving the servers and logically moving the data along with network/load balancers/IDS and combing through Jiggabytes of data and labeling each... and no, only the data owners could do that so just running some SQL queries against it and going away for the weekend wasn't sufficient.

    Don't get me wrong, I've seen plenty of WTF issues with data classification and many other OT issues, but the DoD is a big, constantly moving animal and not all of the appendages talk to one another. I've come to accept something Douglas Adams tried to teach me back in 1987 with Bureaucracy: this is how the government works and changing it would only result in more paperwork.

    --
    "Powers. I have them."
  15. Re:Can't hide SSN, wait till it is your health inf by Sarten-X · · Score: 1

    Meh. Recorded health information is already of such awful quality that it's practically useless without a long interview verifying major points.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  16. Re:Can't hide SSN, wait till it is your health inf by Dragoniz3r · · Score: 1

    Heck, they LOST (JUST LOST!) Billions of the stimulis money that they have no accounting for

    It sounds awful, but frankly I think this fact is blown out of proportion. I occasionally lose the odd dollars in my own budget, which is MUCH less complex than the national budget. It's the same thing, just a bigger scale. Nothing so ridiculous about losing a few billion here or there when you're dealing with a budget of nearly 4 trillion dollars...
    Is it a good thing? No, not at all. But it's not something you should keep parroting anytime the subject of government comes up.

  17. Give it to somebody with experience by horza · · Score: 3, Funny

    If US government wants to store large amounts of confidential information, have it efficiently sorted and distributed, with practically no down time, then surely they should outsource it to Wikileaks?

    Phillip.

    --
    Property for sale in Nice, France
  18. US Gov't Makes a Mess of... by Charliemopps · · Score: 1

    US Gov't Makes a Mess of...

    Why did we need to read any further than that?

    1. Re: US Gov't Makes a Mess of... by AHuxley · · Score: 1

      For every public US agency in the press, eg CIA Church report, COINTELPRO, black sites... Hidden DIA are types working well with contractors, other groups, fully funded and very happy.

      --
      Domestic spying is now "Benign Information Gathering"
  19. Three can keep a secret if... by Simonetta · · Score: 1

    Secrecy is horseshit. Document classification is horseshit. If something needs to be secret, don't put it into a document. If something needs to be secret and you know it, then don't tell anybody. Three can keep a secret if two are dead and the other is scared shitless about what will happen if he tells the secret. And notice the pronoun 'he' in the last sentence. For God's sake, if you are serious about keeping a secret, don't tell it to a woman.

    99.99999% of everything in the world classified as secret is just people covering up their mistakes from their superiors. Very, Very little actually needs to be kept secret.

  20. Our beloved schools are to blame. by bocin · · Score: 1

    How surprising can it be? Just look at all the bloody "geniuses" our schools put out. Eventually some of them go to work for Uncle Sam. Obviously there seem to be a lot of them in the Department of Education as well as other government sectors.

  21. And this is newsworthy why?? by mikein08 · · Score: 1

    The Feds make a botch of nearly everything. The ONLY federal agencies that I think do a consistently good job are BLM, USFS, and NPS, and I think that's because they are the only agencies that really care about what they are doing. The Marines also do a pretty good job ...

  22. I can fix the problem. by Nyder · · Score: 1

    It's simple. Declassify everything.

    Nothing secret, nothings top secret, nothing is hidden from the public.

    Just how the government should be, and needs to be.

    --
    Be seeing you...
  23. Solved: Use a spam filter and get 99.9% accuracy by Dr.+Crash · · Score: 1

    You can do this automagically with a spam filter, with an accuracy around 99.9%

    See the BlackHat 2010 paper "Keeping the Good Stuff In: Confidential Information
    Firewalling with the CRM114 Spam Filter and Text Classifier".

    Here's the URL to the PDF:

    https://media.blackhat.com/bh-us-10/whitepapers/Yerazunis/BlackHat-USA-2010-Yerazunis-Confidential-Mail-Filtering-wp.pdf

  24. DARPA has a BAA open for this problem by fwice · · Score: 1

    source: https://www.fbo.gov/index?s=opportunity&mode=form&id=06a877fddd2dedaf6a52520345f64eda&tab=core&_cview=0

    from the fedbizops:

      "Promotion of new technologies to support declassification. Striking the critical balance between openness and secrecy is difficult but a necessary part of our democratic form of government. Striking this balance becomes more difficult as the volume and complexity of the information increases. Improving the capability of departments and agencies to identify still-sensitive information and to make declassified information available to the public are integral parts of the classification system."

  25. Re:Can't hide SSN, wait till it is your health inf by tehcyder · · Score: 1

    Nothing so ridiculous about losing a few billion here or there when you're dealing with a budget of nearly 4 trillion dollars...

    Yes, but you have a few billion here, and a few billion there, pretty soon it starts adding up to real money.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  26. Usual for government by slapout · · Score: 1

    The US government makes a mess of a lot of stuff that do. That's why a lot of us don't want them taking over health care.

    --
    Coder's Stone: The programming language quick ref for iPad
  27. right IS wrong by slick7 · · Score: 1

    It states right on the Social Security card that it is NOT to be used for identification, but for all intents and purposes, it is.
    The reason for security classifications is to protect the guilty.
    Politicians who are "in bed" with the oil companies, big pharma, the banksters, utilities, lobbyists, special interest groups. The biggest lie stands as a testament to this truth.
    Why else would the videos of what really happened at the Pentagram have not been seen by anyone outside the "elite"?
    Questions about Cheney and his participation in the utilities fiasco have never been exposed, however, viewing the documentary,Enron: The Smartest Guys in The Room may illustrate the repercussions of such a meeting.
    The true level of corruption in government will probably never be known unless and/or until the "old guard" have been replaced by honest people. Now, before any of you sheeple start saying any of your lobotomized rantings about conspiracies, BAA, wake up!
    Has all of the tarp money been accounted for?
    Why is a private bankster system profiting from US government borrowing when the US government could borrow from itself interest free.
    The US government IS an employee of the sovereign people of these united states of America, yet these employee never take unannounced drug and alcohol tests, never ASK for a pay raise, don't seem to be in the health care system they want to shove down OUR throats, can't seem to BALANCE the budget, finalizeTERM LIMITS.
    WAKE...UP people!

    --
    The mind conceives, the body achieves, the spirit manifests.
  28. Re:Solved: Use a spam filter and get 99.9% accurac by slick7 · · Score: 1

    You can do this automagically with a spam filter, with an accuracy around 99.9%

    Was it a spam filter that delayed the Japanese declaration of war, ten days before Pearl Harbor?
    Programs as well as filters are only as good as the people using them. Infallible? Not likely.

    --
    The mind conceives, the body achieves, the spirit manifests.
  29. salm by qonast · · Score: 1

    If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encoded (without encryption) in the magstrip of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask. http://www.linkmol.com/