The OPM’s new e-government initiative, e-QIP may be the scariest thing I’ve seen in a long time. Sure it looks all nice and pretty and convenient, but the OPM may be playing with fire. Security clearance data will be accessible online for applicants starting in June 2003. How long before the site becomes target number one for hackers? Credit card stuff is bush league compared to the kind of dirt you could pull from these files. Of course security will be high, but the data will sit there forever. Even OPM acknowledges that you typically fill out the form, and don’t revisit the information for years.
Anyone who has ever filled out a security clearance form (SF-86) knows the gory detail of your life that they get into. They also know that maintaining the data to complete the form is hard, and an electronic means to fill out the form is the preferred method of completing this monstrosity. There is a piece of software called EPSQ to fill out the forms, and their are Word and PDF versions of OPM form SF-86 available.
For those of you who have no experience with the form or process, here’s a list of some of the section headings:
|Name/Address/Etc.||Your Military Record|
|Where You Have Lived||Your Selective Service Record|
|Where You Went To School||Your Medical Record|
|Your Employment Activities||Your Employment Record|
|People Who Know You Well||Your Police Record|
|Your Spouse||Your Use Of Illegal Drugs And Drug Activity|
|Your Relatives and Associates||Your Use Of Alcohol|
|Citizenship Of Your Relatives and Associates||Your Investigations Record|
|Your Military History||Your Foreign Activities|
|Your Foreign Activities||Your financial Delinquencies|
|Foreign Countries You Have Visited||Public Record Civil Court Actions|
|Your Association Record|
These questions cover a period of 7 to 15 years depending on clearance and agency. The form is designed to be comprehensive. That’s a serious list of personal information to be stored in an Internet accessible database. If you are applying for a clearance would you use this system?
Update: After discussing this site with James at OTB, it might not be as bad as it looks, at least to begin with, but there my guess it that there will still be plenty of hackworthy data behind the site.
The e-OIP site indicates that you can enter, update, and retrieve (print) your data – although it appears that when the site comes online you will only be able to do this during the process of completing a form. It does look like initially your data is saved in a holding database until you send it to the agency. Once send, it would in theory be “out” of the system then and harder to hack (of course the devil is in the details – rarely is information really deleted from databases). It looks like the capability to get at your data will be in the systems at some point (from the e-QIP FAQ).
20. I have completed this form in the past. Why doesn’t this system have that data?
In the future e-QIP will be able to retrieve the data you are entering now. Earlier data has not
been loaded into this system.
There will probably be a manual process to get the data back from the last agency you submitted a form to. The security posture of the site may rest on whether or not your data remains accessible to this web app. The trade off for the site is that if you can’t easily get to your previous submission(s) what’s the point of using it. It’s not like they are going to stop using the paper form anytime soon. It is the functionality (which is alluded to) that allows authenticated users to get at previous data that would allow for hacking attempts…