Once again the U.S. government has failed to protect sensitive personal information, this time highly sensitive information on 4,000 Air Force officers. This information, contained in extensive 127-page individual security questionnaires known as SF-86 were found on a backup hard drive that was neither password protected or encrypted. In addition, extensive information on high-profile visitors to sites in Afghanistan was also on the same drive along with gigabytes of Outlook emails whose content has yet to be assessed.
This follows a number of other similar cases, the most notorious was the highly successful penetration of SF-86 files and other data held by the Office of Personnel Management (OPM) in June, 2015. In that case, 21.5 million American’s personal data was compromised, again involving the SF-86 security questionnaire. On top of that, 5.6 million fingerprints were also stolen. In applying for a security clearance, the government collects fingerprint data and photos.
Full disclosure: my personal data was also compromised in the OPM hack and I received an OPM letter and some worthless “free for a year” coverage of my personal data going forward.
Does the government have any responsibility to protect sensitive information?
Apparently, anyone who believes that the government has this responsibility is sadly misguided. Not only does the government not protect personal information, it hands it around to other agencies routinely and gives it to private contractors for “processing.”
Like your passport! You go to a passport office, fill out all the information, provide a birth certificate and all the requisite contact information, and you give the passport office photos, one of which will wind up embossed into your passport. Then the Passport Office sends all that (how, by mail?) to a private contractor to “process.” Who has access to it is anyone’s guess. The information is not classified and therefore is not formally protected in any manner.
The same holds true for your tax return, which you send in to the IRS. nowadays electronically. Maybe it is semi-encrypted when you electronically transmit the form, or your accountant does it for you, but when it arrives at the IRS it is stored as an ordinary file with no protection.
The SF-86 form is an especially pernicious example because it contains a vast amount of information, everything from every place you may have worked, who your friends and colleagues are, to your business involvements and who your family members and relatives may be. All of this provides hugely valuable information to potential adversaries who may be nation-states, but who also could be terrorist organizations.
We are now approaching two years since the OPM hack. What has Congress done? The answer is, absolutely nothing. What has been done by the executive branch to protect information? Once again the answer is absolutely nothing. Zero. Nada. Niente. etc.
What is wrong here? Why the inaction?
Part of the answer must be that the government really could care less about protecting personal information. A government that anyway is routinely spying on its constituents, without warrants and often without any discernable cause, or with half-baked suspicions that mostly fail to pan out, is not likely to consider that it has a sacred trust to protect its citizens. The lack of care shows.
It is a very bad and dangerous habit to disregard the security of a country’s citizens.
Then there is a fairly modern but nonetheless pernicious and stupid legal framework that begs to be changed. It was somewhat modified to account for the seeming sanctity of medical information — thus we have the Health Insurance Portability and Accountability Act of 1996, familiarly known as HIPAA. HIPAA provides for some important privacy standards, but it does not provide for encryption, only for access controls. But otherwise most data, like that in the SF-86, is not protected, just as the latest Air Force case makes clear.
The problem arises because personal information is not classified information. Government separates everything into two boxes: classified and not classified. And while it has recognized in recent years that some information is “sensitive but not classified,” such as technical information or law enforcement data, that recognition does not extend to protecting the “sensitive” information in the same way classified information is protected. Above all, the use of encryption is not allowed because only classified information is supposed to be encrypted, and the encryption methodology closely regulated by the National Security Agency (NSA) which also generously holds the keys to decryption.
The two-box approach to security is inherently flawed and dangerous, but it persists because that is the way it has been done during and since World War II. But as anyone who tells its Alexa to wake him or her each morning, who taps out text messages on his or her smartphone, or who talks to his Smart TV knows, the world has changed dramatically. Today you don’t need a spy to filch papers from a government office: the government office is at your fingertips anywhere in the world. The only thing standing in front of us and preventing total ruin is that the plethora of data must give the world’s data thieves nightmares of inadequacy.
Isn’t it time to demand radical change in how our government protects our private, sensitive, personal information and thus help to safeguard our security and survival? Shame on the executive branch and the Congress for failing to do the right thing, and shame on ourselves for tolerating this dangerous nonsense.