Slashdot Mirror


US Gov't Makes a Mess of Classifying Sensitive Data

coondoggie writes "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard, but (perhaps not surprisingly) the US government has elevated complicating that task to an art form. It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines, reflecting a disjointed, inconsistent, and unpredictable system for protecting, sharing, and disclosing sensitive information." This was the conclusion of a recent report (PDF) by the Government Accountability Office, which also "found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."

  1. Protecting what? by turbidostato · · Score: 4, Insightful

    "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard"

    I know the historical context that led to social security numbers being declared "sensitive information" in the USA, but when will you start to attack the real problem?

    Your social security number is an identification token; it should be the exact opposite of sensitive information! No wonder you have so many problems related to SSNs.

    1. Re:Protecting what? by socsoc · · Score: 4, Informative

      If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell 'em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encode it (without encryption) in the magstripe of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask.

    2. Re:Protecting what? by by+(1706743) · · Score: 5, Insightful

      "The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy."

      I'm not positive that's the problem -- as turbidostato pointed out, it's supposed to be an identification token, not a password. Trouble is, banks, CC companies, etc. commonly use this (perhaps coupled with something lame like DOB) as just that.

      For example, from your clearly visible email address, I know you have a livejournal account (contains your birthdate, hometown, full name, etc.), you frequent Amazon (which shows a picture of you, some personal info, etc.), and so forth -- all from a simple google search.

      Thing is, I can't easily steal your identity, because you've only supplied your handle, but no password. I believe that's what turbidostato's saying; we should be able to talk about our SSN the same as our email address, as our handle and password should be (but aren't) separate.

  2. Article way off base by Anonymous Coward · · Score: 5, Informative

    Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue. Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing, as are "3. SBU-NF" and "4. SBU/ NOFORN", and several others). Many of the others are mixing apples and oranges. Items 5-9 deal with the data ownership, which is reasonably treated differently from "15. SOURCE SELECTION SENSITIVE" or "33. ATTORNEY CLIENT" information. Is the list Cooney presents absurd? Possibly. Could the Gov't marking system be simplified? Probably. But don't do it on the basis of this article.