Yesterday, I wrote a short piece on my blog about a co-worker's experience getting on a White House tour. Essentially, his Senator's office wanted him to email his Social Security Number to them for the background check and they admitted that they were going to email it around to the offices of other Senators and Representatives to organize tour groups.
I bring this up here because the post generated quite a bit of interest. The questions and comments covered areas like:
- the intelligence of politicians,
- why anyone would use SSNs for this purpose in the first place, and
- the insecurity of faxes.
This isn't a problem of stupid politicians; it's really a lack of an enterprise approach to security and privacy. Each congressional office is acting as an independent entity and, consequently, they're making security and privacy decisions on their own, with no system support for the work they want to do. So they use email as a workflow tool. This isn't a government IT problem. You can experience this problem in lots of organizations in one form or another.
Moreover, I don't think there's anything odd about using the SSN. The SSN is useful here for the same reason it's interesting to criminals: it's the key to lots of other data. I suspect that the congressional office sends the SSN off to Capitol Police or some other law enforcement agency and they use it, the name, and the date of birth as the basis for a search of a criminal justice network. Works great.
The answer, of course, isn't faxes. A regime based on using faxes for this is just as shaky and, as the staffer pointed out, won't keep the SSN out of email or other dangerous places.
The answer is a workflow application, available to every congressional office, that lets people apply online (either themselves or with the help of a staffer) over an SSL connection, stores the data in protected database fields, ensures it's transmitted to the proper law enforcement agencies securely, and puts tours together. Anything short of this will ensure sensitive data is stored on hard drives, just waiting to be lost or stolen.
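One way to implement the "protected database fields" part of such an application, as an added example that is not code from the original post: the SSN is encrypted with AES-256-GCM before it reaches the database, and the applicant ID is bound in as associated data so a stored value copied onto another applicant's row will not decrypt. The function names, the choice of AES-GCM, the applicant ID format, and the sample key and SSN are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSSN returns nonce||ciphertext||tag for the database column. applicantID
// is bound as associated data, so a blob moved to another row fails to open.
func sealSSN(key []byte, applicantID, ssn string) ([]byte, error) {
	digits := strings.ReplaceAll(ssn, "-", "")
	gcm, err := newGCM(key)
	if err != nil || len(digits) != 9 || strings.Trim(digits, "0123456789") != "" {
		return nil, errors.New("ssn: bad key or malformed number")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(digits), []byte(applicantID)), nil
}

// openSSN decrypts; only the hand-off to law enforcement should call it.
func openSSN(key []byte, applicantID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return "", errors.New("ssn: bad key or truncated blob")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, blob[:n], blob[n:], []byte(applicantID))
	return string(pt), err
}

func main() {
	blob, _ := sealSSN(make([]byte, 32), "applicant-1", "900-12-3456") // constructed demo key and SSN
	fmt.Printf("stored column value: %x\n", blob)
}
```

In a real deployment the key would come from a key management service rather than sit beside the database, which is what keeps a lost or stolen hard drive from exposing the numbers.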