This is so completely asinine that I have to pass this along unedited. I’m quite literally... gobsmacked.
This item is from a mailing list I subscribe to regarding privacy issues. For those who have some interest in the subject, it’s a great list to be on, and you should subscribe posthaste. Lauren is quite a sensible fellow, and rarely is one to “cry wolf”, so the insights he posts to his mailing lists and other forums are always informative.
White House Tour Cybersecurity: Send In Your SSN – Via Unencrypted, Unprotected Email!
Greetings. Before the U.S. government proceeds at all with their
controversial and risky Trusted Identities in Cyberspace Internet ID
scheme ( http://bit.ly/eZug4M ), perhaps they should demonstrate their
ability to follow for themselves the most basic of Internet security
Very large numbers of persons tour the White House every year. All
prospective tour guests 14 years of age and older are required to
pre-submit their Social Security Numbers (SSN) for security checks
(apparently it is common for children under the age of 14 to have their
SSNs submitted as well).
One might assume that information as sensitive as SSNs would be
handled by the associated authorities with the same care and diligence
as, say, a typical bank Web site — using SSL/TLS encryption for the
protection of this data that is so often abused for identity fraud.
But that assumption would apparently be false. An array of
Congressional Web sites instruct would-be White House tour guests to
submit their personal information (names, dates of birth, *social
security numbers*, etc.) via *standard unencrypted e-mail* to
(for example) various addresses @mail.house.gov!
Here are just a few randomly selected examples where (apparently
customized by Congressional district in these cases) White House Tour
“XLS” Security Forms are provided for download along with instructions
for emailing them in for processing —
And so on. Search around a bit for yourself — you’ll easily find
others. In fact, it appears that emailing back the Security Forms —
with absolutely no Internet transit protection for the personal
information included such as SSNs, is the standard mechanism that
Congress is mostly using — and presumably the White House has
approved — for White House tour requests.
If an insurance company, bank, or even a local school were caught
telling persons to submit required personal information such as Social
Security Numbers via easily diverted, observed, and otherwise abused
unencrypted email channels, there would likely be investigations and
hell to pay.
But Congress and the White House — the same entities who presumably
wish to play such important “Cybersecurity” roles, apparently can’t
even handle this basic aspect of Internet security correctly. Yet
we’re supposed to trust their judgment relating to the creation of a
vast and complex Internet Trusted Identities infrastructure.
It would actually be quite funny — if it weren’t so utterly frightening.
Lauren Weinstein (firstname.lastname@example.org)
Tel: +1 (818) 225-2800
Co-Founder, PFIR (People For Internet Responsibility): http://www.pfir.org
Founder, NNSquad (Network Neutrality Squad): http://www.nnsquad.org
Founder, GCTIP (Global Coalition for Transparent Internet Performance):
Founder, PRIVACY Forum: http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren’s Blog: http://lauren.vortex.com
Google Buzz: http://bit.ly/lauren-buzz