Friday, March 21, 2008

Obama's Passport Records - An Exercise in IT Security Analysis But No More

According to this Reuters lead story also covered by CNN, 3 State Department employees improperly accessed Obama's passport records 3 times in the past 3 months. 

Obama's campaign is already calling it an "outrageous breach of security and privacy." 

Hillary's campaign has called it "reprehensible." 

Even Joe Biden has weighed in with his usual verbosity:
 "I am deeply troubled that State Department contract employees sought access to Sen. Barack Obama's passport files. Firing or disciplining those responsible is an important first step. But we need to understand why these employees had access to this information in the first place, why they sought the information, and why it took over two months for this matter to come to light. I urge the Secretary of State to promptly refer this matter to the State Department Inspector General for investigation."

Interestingly, none of these stories cover several pertinent facts relating to the details of the incident, which fortunately AP reported as linked on Breitbart.com:

1) State Department computer systems identify when there is access to files of high-profile persons, and the accesses in this case were flagged. 
2) There does not appear to have been any leakage of data outside of the State Department.
3) The State Department performs background checks on contractors but does not ask about political affiliation. 

From a purely computer security perspective, it is good news that the access was self-discovered, and that there is a process for investigating whether the access was valid, and that this was reported up the management chain. Disciplinary action was taken (firings in this case) as the reason for access was not valid. 

There is however room for improvement. Specifically, access to sensitive persons should be "default deny" and additional clearances and approvals should be necessary for any access. Furthermore, the process of escalating the incidents should have been much faster, ideally the same day. I should also think that members of Congress and the Courts should have special protections on their records, if for no other reason than as a best practice for constitutional separation of powers. 

Now that's the most that departmental administrators can fix. As for the political noise over "why they (the contractors) sought the information" in the first place, we can only speculate. Personally, I doubt it was anything much. After all, what is in passport files anyway? A copy of a birth certificate? An address to mail the passport to? A picture? Personal information should be protected, but I doubt there is much in Obama's file that isn't already public anyway. There certainly couldn't be anything scandalous. Could there? 

This makes for an interesting little exercise in information security analysis, but this isn't a scandal, and hardly a lead story (unlike, say a 20-year association with a racist, America-hating, church). . .the contractors might even have been Obama supporters for all we know. 

Update 3/23/2008: Wow - my last line above was just a throw-away comment and pure speculation. But it seems the head of one of the two contract companies that support the State Departments passport system is an adviser to the Obama campaign! CNN link here.