Friday, March 21, 2008

The Obama Passport Files Scandal

Before getting into conspiracy theories here: yes, a very large number of federal government information systems are in fact configured so that any authorized employee can access any personal information whatsoever. The fact that contractors were able to gain access to Obama's passport files does not by itself indicate a conspiracy.

That does not mean, however, that the situation is acceptable, that it represents best practice, or that the disclosures were not politically motivated or directed. It is an unfortunate fact that the US has a very long history of abuse of executive power for political purposes that long preceded Watergate. And it is somewhat interesting, to say the least, that there seems to have been rather more urgency in the investigation of Eliot Spitzer for a prostitution scandal than in that of a long list of Republicans who have been investigated for taking bribes for many years now.

The information system in question was not subject to the access controls that might prevent an improper request for the information. Instead, the system relies on accountability controls: if someone looks at information they should not, a red flag goes off and there are, or should be, consequences.

That is not a bad system in principle. Celebrities can be guilty of tax dodging too. If inspectors are unable to get access to the information they need, a two-tier system is created and a privileged elite can rely on their activities being covered up. It is not possible to anticipate every rule in advance, so the system has to rely on accountability and consequences for malpractice.

The first problem I have with the implementation here is that for accountability to work it has to be prompt and conspicuous. Was there a delay between the access occurring and the culprits being fired? If so, why? Were any investigations made to determine whether there was a conspiracy with political operatives?

The second problem I have is that even in an accountability-based system there are cases where you want to employ access control and accountability in parallel. You do not want the launch of nuclear missiles to be based on an accountability-only regime (though this effectively was the case for many decades, as the US missiles were by default set to a key code of 000000).

I don't see a valid reason for allowing a contractor unrestricted access to the files of sitting members of Congress. The fact that this is still the case suggests that the computer systems in question are probably antique relics of the 60s or earlier that should have been replaced long ago.
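The combination argued for above, as an added example that is not part of the original post: every read is logged and a flagged record read without a case reference raises an alert at access time, while a protected tier is refused without prior approval. The record ids, tiers, user names and the `RecordGate` class are all hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample data: record ids, tiers and user names are hypothetical.
RECORDS = {
    "P-1001": {"tier": "standard", "flagged": False},
    "P-2002": {"tier": "standard", "flagged": True},   # high-profile subject
    "P-3003": {"tier": "protected", "flagged": True},  # e.g. a sitting member of Congress
}

class RecordGate:
    """Accountability for every read, plus access control on the protected tier."""

    def __init__(self):
        self.approvals = set()  # (user, record_id) pairs signed off in advance
        self.audit_log = []     # every attempt, allowed or not
        self.alerts = []        # raised at access time, not found in a later review

    def _log(self, user, record_id, outcome, case_ref):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "user": user,
                 "record": record_id, "outcome": outcome, "case_ref": case_ref}
        self.audit_log.append(entry)
        return entry

    def approve(self, supervisor, user, record_id):
        if supervisor == user:
            raise PermissionError("self-approval is not allowed")
        self.approvals.add((user, record_id))
        self._log(supervisor, record_id, "approved:" + user, None)

    def read(self, user, record_id, case_ref=None):
        rec = RECORDS[record_id]
        # Access control: the protected tier is refused unless approved beforehand.
        if rec["tier"] == "protected" and (user, record_id) not in self.approvals:
            self.alerts.append(self._log(user, record_id, "denied", case_ref))
            return "denied"
        entry = self._log(user, record_id, "granted", case_ref)
        # Accountability: a flagged record read without a case reference alerts at once.
        if rec["flagged"] and case_ref is None:
            self.alerts.append(entry)
        return "granted"

def demo():
    gate = RecordGate()
    results = [gate.read("contractor1", "P-1001"),   # routine read, no alert
               gate.read("contractor1", "P-2002"),   # allowed, but alerts
               gate.read("contractor1", "P-3003")]   # blocked, and alerts
    gate.approve("supervisor1", "inspector1", "P-3003")
    results.append(gate.read("inspector1", "P-3003", case_ref="CASE-0001"))
    return results, len(gate.alerts), len(gate.audit_log)
```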

Update: The events only became public after a press inquiry.
