Shostack + Friends Blog Archive


Avoid ID theft: Don’t run for President

The Washington Post reports:

The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama’s passport file.
Obama’s presidential campaign immediately called for a “complete investigation.”
State Department spokesman Tom Casey said the employees had individually looked into Obama’s passport file on Jan. 9, Feb. 21 and March 14. To access such a file, the employees must first acknowledge a pledge to keep the information private.
The employees were each caught because of a computer-monitoring system that is triggered when the passport accounts of a “high-profile person” are accessed, he said. The system was put in place after the State Department was embroiled in a scandal involving the access of the passport records of then-presidential candidate Bill Clinton in 1992.
“The State Department has strict policies and controls on access to passport records by government and contract employees,” Casey said.
The department uses contract employees to help with data entry, customer service and other administration tasks. The employee involved in the March 14 incident has only been disciplined so far, because the probe of that incident is continuing, an official said.

My translation is that the State Department, “in order to serve you better”, violates the principle of separation of privilege and allows individual contract call center people to access the passport data for everybody in the country. Then, after a high-profile person has his privacy grossly violated (they ran Clinton’s file because of malicious, false rumors he renounced his US citizenship during the Viet Nam era), they put in detective controls (not preventative — too obvious), but these only work for important people.
Luckily, Bill Burton, spokesman for Senator Obama, has a keen grasp of the issues:

“This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”

One way to learn some of that, as I am sure Mr. Burton’s boss knows, is to get a decent national breach notification law.
While State may have been slow, they did the right thing, and canned the violators. Nothing reinforces a security policy better than a public execution, and nothing undermines one more effectively than blatant non-enforcement. With recent privacy breaches affecting not just semi-celebs like Presidential candidates, but also really important people, making sure that punishment is swift and sure seems like an obvious way to “incentivize good behavior”.

4 comments on "Avoid ID theft: Don’t run for President"

  • To give the State department a small amount of credit though, they actually detected this. How many places would actually detect this sort of unauthorized access?
    Hospitals and the IRS are generally the only places that ever implement this sort of account access tracking. It is nice to know that they noticed for Obama, but only because he was specially labeled. What about anyone else whose records might have been looked at improperly?

  • Chris says:

    They say they log all such accesses (even for us peons), and “spot check” that they are kosher. Whether those checks are effective in suppressing the idly curious (or worse) is a question.

  • robs sama says:

    Drudge is reporting that McCain and HRC also had their passport files accessed…

  • PHB says:

    I have had a couple of looks at this myself.
    I don’t think you can say that ‘the problem’ is X. There are so many problems here. Looks to me as if the problem is much more in the realm of least privilege than separation of duties.
    Its an accountability based security scheme, there is nothing wrong with that in principle, it is probably impossible to anticipate all the rules that should be implemented in an ACL scheme. The duty of reviewing access to the files and access to the files appear to have been separated (albeit in a highly unsatisfactory manner).
    Part of the problem is that they ONLY have accountability. Although I do make the case for accountability in The dotCrime Manifesto, I have never advanced it as a substitute for access control. It should be a supplement, not a replacement.
    So one question would be why they don’t have access control on the system. I suspect that the answer is (1) its a civilian system, the information is confidential, not classified and (2) when the system was designed the only information security choices available were all designed for military use and utterly unusable.
    But the bigger issue here is responsibility. ‘Trust me’ is not an acceptable infrastructure design. This administration is very much a ‘trust me’ administration, they refuse accountability and the Republican party has been a willing accomplice.
    We know that we cannot trust the competence or truthfulness of this administration. They have given us no reason to trust them for any other reason. They can be as indignant as they like but there is absolutely no reason for anyone to trust Condi ‘mushroom cloud’ Rice.

Comments are closed.