Schneier on Security
A blog covering security and security technology.
« Pentagon Hacked by Chinese Military |
| "Cyber Crime Toolkits" Hit the News »
September 4, 2007
NASA Employees Sue over Background Checks
This is a big deal:
Jet Propulsion Laboratory scientists and engineers sued NASA and the California Institute of Technology on Thursday, challenging extensive new background checks that the space exploration center and other federal agencies began requiring in the wake of the Sept. 11 terror attacks.
But according to the lawsuit, the Commerce Department and NASA instituted requirements that employees and contractors permit sweeping background checks to qualify for credentials and refusal would mean the loss of their jobs.
NASA calls on employees to permit investigators to delve into medical, financial and past employment records, and to question friends and acquaintances about everything from their finances to sex lives, according to the suit. The requirements apply to everyone from janitors to visiting professors.
The suit claims violations of the U.S. Constitution's 4th Amendment protection against unreasonable search and seizure, 14th Amendment protection against invasion of the right to privacy, the Administrative Procedure Act, the Privacy Act, and rights under the California Constitution.
Those in more sensitive positions are asked to disclose financial records, list foreign trips and give the government permission to view their medical history.
Workers also must sign a waiver giving investigators access to virtually all personal information.
"Many of the plaintiffs only agreed to work for NASA with the understanding that they would not have to work on classified materials or to undergo any type of security clearance," the suit said.
More details here (check out the "Forum" if you're really interested) and in this article.
Posted on September 4, 2007 at 12:56 PM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This is curious: if they wanted everyone to have a security clearance to work at JPL, then fine -- make it a requirement.
To require someone to go through the same kinds of checks as a clearance requires, but not actually require or grant a clearance as a result is foolish and unethical.
Why not just stop working for the government and get a real job?
Background checks are only part of it. How do they know who logs in to the NASA network at any given time?
They need NAC! with SafeAccess by Stillsecure.
I've got an idea for the perfect way to protest this action.
Show up for work in the nude!
After all, if you have nothing to hide and no right to privacy, then why not?
All the B.S. of getting a clearance with none of the benefits... of course that assumes there are benefits--I'm not so sure of that.
Every NON-government job that I've had in over thirty years of employment has required that I allow my employer carte blanche to my medical files, my credit records, my police record, former landlords, past employers, and so on. Why are NASA employees privileged? This is just part of working for hire. If you don't like it, start your own business!
Privacy: You don't have any. Ever. Get over it.
Another Kevin:"Privacy: You don't have any. Ever. Get over it."
Where I work all they officially know of me is my name, date of birth, address, tax number and where to send the money. Medical records are only transferable even between doctors when I give permission. My police record is not open to anyone but the police.
Everything is protected under privacy laws.
How? Because we voted it that way.
If you don't like all your records to be public, then vote people into government who will pass laws to make these records private.
If you'd rather have people in government who will tap your phone without a warrant and who will invade your privacy in every possible way then keep voting the way you did in the past.
You *can* make a difference. We did.
@ Kees :
I've *tried* to vote and lobby for privacy laws with teeth. So far, it hasn't worked. In fact, it seems to get worse irrespective of what party is in power. The US, for all its public image of "individualism" is a nation of conformists.
Kevin in short:
Surrender! Bend Over and take it like a man!
Sheesh, what proud Americans we are raising today.
14th Amendment? What the hell? The writer of that article better actually read the 14th Amendment. The right to privacy exists only in limited case law.
Maybe you need more support. Vote Ron Paul for President. He seems to want to protect privacy and repeal some of the silly laws that make everything open to the Federal govt.
I'm one of the people who may lose their job over this. I'd rather quit than submit.
Amongst other details that are being glossed over here. In addition to medical records, talking to everybody I've ever known, etc. >>>THEY ALSO WANT TO FINGERPRINT EVERYONE!!
What do I get in exchange for this? Another day of employment. Another minute? There's no quid-pro-quo here. They can sack me the second after I sign the forms.
What do I lose? Anybody remember what the feds did with Mr. Mayfield's fingerprints? (The Madrid bomb suspect out of Portland, Oregon who had never visited Spain but had the misfortune to partially match?)
As for privacy...
There are some things are best not shared outside of those few members of the medical profession who absolutely must know. (Unless one can discuss them anonymously. Tor has its uses!)
Things such as my abusive and traumatic childhood. Leading to clinical depression and multiple suicide attempts. Abusive to the point of psychogenic dwarfism. Which required half a decade of testosterone shots to correct. (Concurrently with a decade and a half of psychotherapy, and some really good meds.)
Most of my remaining scars are physical, and easily concealed by long pants and long-sleeved shirts. (For example, I have only one remaining testicle.) The psychological ones are pretty esoteric. I don't eat certain foods because of painful memories and associations. I'm really reluctant to have my bones broken or set again without the benefits of anesthesia. That sort of thing.
Some of us didn't have a happy childhood.
But I've fought too long and too hard and I've worked my damn ass off overcoming that hellish background. I've made a life for myself. I do what I love. My work is a pleasure. And I'm very good at it.
These people would take all that away.
Once I sign those forms, Pandora's box is opened. It will never be closed again. My life will be an open book to anyone who wants to look. (Are you actually foolish enough to believe that our government will keep my history secure?)
Privacy is one of the strong holds of our western civilization. There are many intellectual reasons to keep it that way. AS long as we still want the right to be individuals.
If we'd give up individualism, we'd just as well move to other civilizations where you are only a group member, easily replaced.
I suspect privacy to end up in the bin, and we will all be monitored, mapped and interned at will of the local or national government. It is not the first time - just go back to any war the past century. It will not be the last time, as war is the excuse this time too.
Personally I am at ease with my past. Certainly there are stuff I'd rather kept silent, but there is nothing I can't live with (until of course the investigators or government decided otherwise!).
But I defend YOUR right to keep your history, your background and your past to yourself if you so choose.
So can NASA workers get background checks done on the folks that demanded the checks? Or on the people doing the background checks?
Sure, let's NOT get any background checks on them let everyone shoot hte rockets to space just because they sued.
If they whine about those background checks, they should go thru the same the LEGAL emigrants get before they even get to the country. What privacy??
For all the ethical and privacy questions (which are important in themselves) the real question is, How is this process going to improve security and which threat models does it block?
From the published article, it would appear to do nothing to improve security or even identify a specific threat that might be blocked.
It smells of security theatre. It smells of ass-covering.
The funny thing is that as a form of ass-covering, it sucks. Suppose they have all this background information on everyone. And then suppose something Bad happens. Immediately, there's a wealth of evidence available that those in authority SHOULD have noticed and DID know about because it's in the background files. How could they have been so irresponsible as to let this engineer work on the fuel tanks, when his record clearly shows that he consistently tips 30% to the Iraqi waitress at his favorite restaurant? How could they possibly have given for-official-use-only information to an administrator who attended Woodstock?
Firing everyone who has anything even remotely suspicious isn't feasible because there would be nobody left to do the work. So they will have to look the other way. And then their pants will be down when the witchhunt begins.
>. Where I work all they officially know of me is my name, date of birth, address, tax number and where to send the money. Medical records are only transferable even between doctors when I give permission. My police record is not open to anyone but the police.
I do not have a security clearance, but I know an awful lot of Real Sensitive Stuff.
My employer maintains a personnel file on me with address, credit ratings, etc. They also maintain a medical file with drug test results, doctor's notes, etc.
Not only is my police and motor vehicle record wide open to my employer, but I am required as a condition of employment to notify my line manager AT ONCE if I am served in a civil or criminal action, am arrested, or otherwise come into a legal situation which could in the future impair my ability to perform my duties.
What my employer CANNOT do is ask me certain personal questions or delve into my private life. This the US Government can do to its employees and contractors, and does on a regular basis.
To Andrew (and the other US-ians):
How much reliable, useful information is extracted from all of the data (credit ratings, medical information, etc.) that your employer keeps?
What is the cost of maintaining that data?
How does it increase the risk of "identity theft" or extortion?
What percentage of the integrity issues can be predicted by looking at this data? Are there other, more effective, ways to prevent integrity issues?
Some of the social techniques used in Europe are trying to bind employees to a company for longer times an giving employees collective responsibility for the quality of their work.
If you create a social environment where cheating your colleague is the norm, the company can go down quickly.
This affects not just the people in California at JPL, but anyone who does work with them. I worked for a university on the east coast. We had contracts with JPL. I never even visited California. They wanted my history (and fingerprints) too.
Oh, and this was all to work on a project that JPL was open sourcing...
I'm curious as to what asset is being protected. Is the actual JPL complex so 'open-campus' that a non-classified employee has access to computers and locations that fall within classified purviews?
And how does the data being collected apply to security?
Just a little too broad and general to seem good policy.
@ anonymous "abusive childhood"
Damn, you are 100% right about this. Keep fighting, don't submit. You are right! They are wrong. That's how simple it is.
Well, if this is anything like what the NSA use to do, then I can totally understand why NASA wants to dig deep. If you're being entrusted with billions of dollars in taxpayer money, then I'd like to know that you aren't going to sabotage the next space launch or sell some secrets to some nutbag.
If you wanna work with secrets, be prepared to deal with people digging in your past. If you're a shady and unscrupulous liar, then why should NASA continue to keep you employed?
Don't like it, quit and move on. You worked at NASA, you'll probably have no problem finding another job.
> to question friends and acquaintances about everything
> from their finances to sex lives
Dumb question. If you were a friend of someone and some Men in Black knocked on your door and started to ask you weird questions about that someone, wouldn't you politely tell them to fuck off and shove their questions where the sun doesn't shine? I sure as hell would.
I'm a federal employee and have a security clearance. They did a very comprehensive background check on me. They talked to friends and family, checked my credit records, and checked for criminal history. They looked at all foreign travel and contacts. I had to submit to a polygraph and am subject to random drug testing.
What they did not do is check the details of my medical record or any of my sex life. Sure, they asked if I had ever had mental health counseling, but even if I had, there's a form they would have sent to the provider with simple questions like "would you trust this guy with state secrets?" and that's about it. If NASA asked for medical records and asked questions about sexual history from employees/contractors with no clearances, those guys are right to be upset.
"wouldn't you politely tell them to fuck off and shove their questions where the sun doesn't shine? I sure as hell would"
Well, see, the 'someone' has given their permission for those questions to be asked. And, by telling the MiBs to have sex and travel, you'd be jeopardising the job that your friend wants badly enough to be jumped through those hoops. You are explictily doing what your friend does NOT want you to do, even if they are uncomfortable with the process themselves.
That isn't a very nice thing for a friend to do.
Such perverse incentives are created when the state decides that privacy has no value.
I hear this canard of "being entrusted with billions of dollars" quite often. It's foolish to consider the budget allocation of NASA (or JPL) to be something that is granted to _any_ individual who works for the organization.
Not a single person at NASA receives the "billions of dollars" that is given to the agency. Not a single person has the authority to misuse the entire budget of NASA.
And for the specific issue that underlies your exaggeration, that of fiscal control of project budgets, there are checks and balances at all levels within these agencies that are specifically designed to identify and counteract fraudulent activity. They work very well nearly all of the time.
To claim otherwise is merely to exercise an authoritarian streak of controlling other peoples lives for the simple reason that you feel, as a taxpayer, you have the moral right. Clearly you don't.
The first problem with the MiB claiming your friend is willing to have you tell all is obvious. I hope at the very least that you'd ring your friend first.
The other thing is that *I* have never consented to discussing my friendship with them. Nor given consent for them to do so. If the MiB pushed the issue I would be much inclined to say that I don't trust them now and don't expect to trust them in the future. After what they've just done to to me now, why would I?
And as for the "how much does my employer know" question... not a lot. Enough to find almost any public information about me, but most of what I want to keep private is difficult to find out. I'd rather pay for certain services in cash and use them anonymously than have my employer pay for them, regardless of any chinese walls they claim to have in place.
That said, I have some faith in the lack of time and enthusiasm my employer has for that sort of digging. And there are things that are easy enough to find out that would probably lead them to ask questions of me, and they haven't.
fed Government's credit is worse than all american citizens put together. Our deficit is higher than it has been in the history of the USA. Gas prices have risen 133% in the past ten years but, Fed workers have received less than a 15% raise to keep up with inflation over the same period of time. Just goes to show that us "BABY BOOMERS" are about to 'CLEAN THE CLOCK" OF Social Security and Retirement Funds.
Who had Loyalty? The Work Force NOT the Employers. Their looking to get rid of those of us who came to work and did our jobs. Let them know that they may have what they THINK is power but, will find out who truely has the POWER when the time comes.
I used to hold a high clearance. The one I got to work in the FBI (first, I fixed computers for them and needed access) was far more thorough or at least obtrusive than the "bigger" one I later got to work with NSA.
My friends, some of whom I hadn't seen in many years (and who were pretty unsavory types from the biker years -- can't believe that alone didn't mess things up for me, and wonder how they found them) told the MiB I was an angel, then called me up to warn me the MiB had some strange interest in me.
I got the clearances. Interestingly, the NSA accepted the one I'd gotten from the FBI for a few years, then suddendly figured out I'd never been polygraphed. They didn't like everything I told them (I told truth, but not all of it was stuff they like to hear). But, too late! I already knew all the secrets (mostly boring). So my local security officer went to bat for me and I stayed cleared anyway. They didn't want it noised around that telling them the truth could be a problem.
National Security blah blah blah don't let our sacrifice be in vain blah blah blah trust us we know what we're doing blah blah blah.
And my favorite: An honest man has nothing to hide.
Bull! When you hear that, it really means an honest man has nowhere to hide.
It's time remind these bozos that they - and their boss - work for us.
We have those rights and liberties which we claim and exercise. When we willingly lay down and give up our rights and liberties, we are no longer entitled to them.
I'm a graduate student who does some work at JPL and now have to decide whether to submit to these investigations or quite possibly lose my ability to continue work on my project. The project is not secret, has no secret components, does not involve launching anything into space, and is freely collaborated on by groups at other institutions, including foreign ones, where no one is required to submit to any investigations at all. I do not have (nor do I want) any access to any secret information, and I have no capability to misuse any taxpayer money.
There is no justification for demanding access to my background information. I would tolerate a reasonable check that my identification checks out -- I have already done this as part of obtaining my current JPL badge. That is what HSPD-12 requires -- reliable proof of identification. What is unreasonable is using this as an excuse to go on a fishing expedition, looking not for identity but for evidence of "suitability" for employment. HPSD-12 does NOT require this, NASA has simply decided they want to do that also. They don't even have the stones to be honest about that... instead, they hide behind an unrelated executive order.
Here is a snippet from one of the waivers, http://hspd12jpl.org/files/sf85.pdf
"I Authorize any investigator, special agent, or other duly accredited representative of the authorized Federal agency conducting my background investigation, to obtain any information relating to my activities from schools, residential management agents, employers, criminal justice agencies, retail business establishments, or other sources of information. This information may include, but is not limited to, my academic, residential, achievement, performance, attendance, disciplinary, employment history, and criminal history record information."
The loose language suggests the waiver allows NASA to designate some agent, perhaps a private security contractor (Blackwater USA?) to do the background investigations. And that that the type of information that can be gathered is unbounded.
Indeed this seems to be the reality. For the hspd12jpl forum mentions that a source has reported that Choicepoint is doing HSPD-12 credit and identity checks at the NASA Johnson Space Center.
Choicepoint is the company that "sold personal information on at least 145,000 Americans to a criminal ring engaged in identity theft" in 2005.
Just came across this and looks like it hasn't been commented on in months but I'm noticing that almost every job I apply for wants to conduct a criminal background check, sometimes credit check and drug testing. I'm shocked that this is happening and that so many people are just going along with it. I'm actually trying to start my own business now because I don't feel comfortable revealing personal details about my life to some unscrupulous employer (ironically, many employers are implicated in criminal behavior, but I guess that's okay). It used to be employers were only allowed to consider info that was job-related they found out about employees. Former employers were only allowed to confirm dates of employment, job titles, work completed, etc. but now the Privacy Act is no longer enforced and we're becoming like the former Soviet Union. Wake up, America, please!
your book was very enthusiastic thanx for publishing it
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.