Slashdot Mirror


US Gov't Makes a Mess of Classifying Sensitive Data

coondoggie writes "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard, but (perhaps not surprisingly) the US government has elevated complicating that task to an art form. It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines, reflecting a disjointed, inconsistent, and unpredictable system for protecting, sharing, and disclosing sensitive information." This was the conclusion of a recent report (PDF) by the Government Accountability Office, which also "found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."

17 of 100 comments

  1. Protecting what? by turbidostato · · Score: 4, Insightful

    "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard"

    I know the historical context that led to social security numbers being declared "sensitive information" in the USA, but when will you start to attack the real problem?

    Your social security number is an identification token; it should be the exact opposite of sensitive information! No wonder you have so many problems related to SSNs.

    1. Re:Protecting what? by socsoc · · Score: 4, Informative

      If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encoded (without encryption) in the magstrip of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask.

    2. Re:Protecting what? by by (1706743) · · Score: 5, Insightful

      The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy.

      I'm not positive that's the problem -- as turbidostato pointed out, it's supposed to be an identification token, not a password. Trouble is, banks, CC companies, etc. commonly use this (perhaps coupled with something lame like DOB) as just that.

      For example, from your clearly visible email address, I know you have a livejournal account (contains your birthdate, hometown, full name, etc.), you frequent Amazon (which shows a picture of you, some personal info, etc.), and so forth -- all from a simple google search.

      Thing is, I can't easily steal your identity, because you've only supplied your handle, but no password. I believe that's what turbidostato's saying; we should be able to talk about our SSN the same as our email address, as our handle and password should be (but aren't) separate.

    3. Re:Protecting what? by AfroTrance · · Score: 2, Interesting

      What is the exact purpose of a SSN? In Australia, we have a tax file number (TFN), which seems equivalent. This is only used for taxation purposes. You would never use it for ID, unless you are identifying yourself to the tax department. You only give it to your bank if you earn interest, but you don't have to if you don't want to. Birth certificates are used as a baseline ID.

    4. Re:Protecting what? by afidel · · Score: 3, Informative

      It was originally intended to be used only for purposes of tracking hours worked for social security benefits, and in fact the original social security act made it illegal to use it for any other purpose. Along came computers and relational databases and suddenly everyone needed a unique foreign key to keep records straight, the only record that was guaranteed to stay the same over time (mostly) was the SSN or TIN (social security number or taxpayer identification number). This made the SSN ideal for the primary foreign key and hence businesses and government both broke the law and used it to sort records, so much so that the law had to be amended to make it legal to use it as an identifier.

      Are birth certificates serialized at the national level in Australia? Because in the US they are granted by the county health departments and there is no national system of tracking them. In fact prior to the IRS requiring SSNs to prove dependent status for minors it was not at all unusual to not have an SSN until your first legit job or turning 18 when males were required to get one for selective services (draft) purposes.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.

  2. Protecting a single piece of data is easy by siddesu · · Score: 2, Insightful

    Protecting and classifying the odd few petabytes that probably move daily in different formats across several hundred collecting agencies and several thousand user organizations is a tad more involved.

  3. Article is not about SSNs by godunc · · Score: 2, Interesting

    SSNs are used as an example. The real problem, alluded to in the article, is that the government attempts to classify personally sensitive, business sensitive, and military critical information (to name a few) under the same system. Unfortunately there is plenty of overlap and specific cases within these categories, resulting in a ridiculous number of labels - thereby resulting in mass confusion. However, this situation is often the case when one attempts to take a single system and apply it to such a wide audience. The US fed is going through a similar situation in IT and HR Management; at some point the benefits of consolidation result in less efficiency...

  4. Article way off base by Anonymous Coward · · Score: 5, Informative

    Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue. Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing, as are "3. SBU-NF" and "4. SBU/ NOFORN", and several others). Many of the others are mixing apples and oranges. Items 5-9 deal with the data ownership, which is reasonably treated differently from "15. SOURCE SELECTION SENSITIVE" or "33. ATTORNEY CLIENT" information. Is the list Cooney presents absurd? Possibly. Could the Gov't marking system be simplified? Probably. But don't do it on the basis of this article.

    1. Re:Article way off base by cheater512 · · Score: 2, Interesting

      I cannot see how having 3 different types of 'Sensitive' can help efficiency at all.

    2. Re:Article way off base by timeOday · · Score: 2, Insightful

      The parties with 3 different types of 'Sensitive' may or may not ever exchange information in the first place.

      What if we surveyed private industry, how many different ways would we find to label sensitive data? Would the economy be more efficient if time were taken to force everybody onto a single standard?

      People talk about "the government" like it's a single entity. Then they divide up problems in different ways and assume a single department should be responsible for each sub-problem in their arbitrary breakdown. I.e. "six different agencies are responsible for X" (implying that's ridiculous). In practice, no large complex problem can be attacked without some degree of autonomy pushed down the chain of command - which necessarily implies some redundancy and inconsistency. Until everything is controlled by a single massive computer, that will always be the case.

      Don't get me wrong, I recognize the need to constantly search for improvements to the system. But it's not necessary to be shocked and outraged every time some government auditor finds a way to improve whatever he just audited.

  5. Sooo by ascari · · Score: 3, Insightful

    From the comments so far one would think the article was about SSNs. If you RTFA it's about procedures and bureaucracy surrounding classified information including sometimes conflicting classifications used by different federal agencies. SSN was just an example for gods sake.

    1. Re:Sooo by flaming error · · Score: 2, Funny

      > SSN was just an example for gods sake.
      Then hopefully God will find that example more useful than we have.

  6. Easy way to make sure no one accesses your data... by Anonymous Coward · · Score: 2, Funny

    Make it into a PDF and put it on /.

  7. Re:On Purpose? by T Murphy · · Score: 2, Funny

    Well, duh. One side wants the government to do very little, while the other side wants the government to spend lots of money on stuff, so the politicians do as they're told and spend a lot of money getting nothing done.

  8. Re:Something I've noticed... by Dragoniz3r · · Score: 2, Insightful

    Yeah, but then everyone bitches if they try to raise taxes... I mean, obviously, the solution is for governments to be more efficient with the money they do have, and to pay their people properly, but for some reason it's easier to cut people than programs...

  9. Give it to somebody with experience by horza · · Score: 3, Funny

    If the US government wants to store large amounts of confidential information, have it efficiently sorted and distributed, with practically no down time, then surely they should outsource it to Wikileaks?

    Phillip.

  10. Re:Something I've noticed... by clarkkent09 · · Score: 2, Insightful

    On the contrary, the government pays people too much. On average, public sector pay is higher than the private sector pay for equivalent jobs: http://www.usatoday.com/news/nation/2010-03-04-federal-pay_N.htm

    --
    Negative moral value of force outweighs the positive value of good intentions.