Friday, March 11, 2016

Hillary Clinton's use of her own email server parallels some situations in my own career; here is a perspective on what matters


Hillary Clinton’s email server “scandal” still is unsettled legally – I don’t think it will stop her nomination or candidacy, but the possibility is still conceivable.
 
What I want to focus on here is some observations in my own workplaces in the past that seem relevant to what Hillary claims.

In a number of jobs, I had access to consumer PII, particularly in the area of production support.

 Consumer privacy is a bigger issue today than it was in the 1980s and 1990s, partly because all of the security hacks and incidents at major retailers. So the problem of access to consumer PII is comparable to access to classified information, even though it usually doesn’t require a formal clearance.

The first time I supported production from home was in 1990.  We were given small dumb terminals we could take home to connect to a mainframe, and they didn’t work too well.  Soon I used my own PC (which at the time was an AST Research and later an IBM PS-1) with Procomm-plus.  I think I got mine somehow when I bought the computer almost free, but copies were available at work.  (The licensing of these copies became controversial for a while in 1992).

That could mean that consumer data would be available in my own computer’s memory or caches.

It was also common practice to do systems testing with copies of production data.  Many times listings of tests with production consumer data were retained, even if this meant clutter.  I even kept some listings at home as verification at any time that my work was done properly (CYA stuffed under the pillow).  But these were destroyed (probably winding up in a landfill) before I moved to Minnesota in 1997.

In fact, in 1987, we did a major parallel of production for a month with full listings of all reports from both systems.  Someone in quality control actually took the listings home and checked them on her kitchen table in Dallas.  This was acceptable in those days.

It’s  also noteworthy that there a customer service jobs from home where people work on their own home computers (companies like Alpine Access, Live Ops, etc).  Although these companies would require home computers to be properly equipped with anti-virus software, it’s apparent that this practice could lead to vulnerabilities.

When I worked for Census in 2010 and 2011, we were issued a Census laptop, and could use a Census cellular wireless connection.  But it was permissible to use your own cable connection if you wanted.

My point here is that standards for protecting sensitive information used to be quite loose.  It has generally been acceptable to use employee-owned devices for workplace support, although in recent years, concerns have grown.  I can understand how Hillary and other employees could believe that what she was doing was OK if the information wasn’t classified yet.

In fact, when I worked for USLICO in the early to mid 1990s, there was a possibility that I could see military officer PII.  Although the issue never came up, it would sound plausible that this information could subsequently become classified, in a manner analogous to Hillary Clinton’s problem.  We were never screened for formal clearances.
 
There was also a requirement that I made in the period from 1997-2003, when in Minneapolis, that all equipment on my premises belong to me.  This was to avoid a possible conflict of interest problem that would not occur today (details ).

It is also noteworthy that companies gradually became more security conscious throughout the mid to late 1980s into the 1990s, in requiring programmers to have special access to update production files.
 
 However, there were holes (such as, for a while, Top Secret could not talk to the Central Version of IDMS, or to MSA, at least in the mid 1990s).  By the early 1990s, elevation procedures (of programs from test into production) became more secure, forcing integrity.

No comments: