Schneier on Security
A blog covering security and security technology.
September 04, 2007
NASA Employees Sue over Background Checks
This is a big deal:
Jet Propulsion Laboratory scientists and engineers sued
NASA and the California Institute of Technology on Thursday,
challenging extensive new background checks that the space exploration
center and other federal agencies began requiring in the wake of the
Sept. 11 terror attacks.
But according to the lawsuit, the Commerce Department and NASA
instituted requirements that employees and contractors permit sweeping
background checks to qualify for credentials and refusal would mean the
loss of their jobs.
NASA calls on employees to permit investigators to delve into
medical, financial and past employment records, and to question friends
and acquaintances about everything from their finances to sex lives,
according to the suit. The requirements apply to everyone from janitors
to visiting professors.
The suit claims violations of the U.S. Constitution's 4th Amendment
protection against unreasonable search and seizure, 14th Amendment
protection against invasion of the right to privacy, the Administrative
Procedure Act, the Privacy Act, and rights under the California
Those in more sensitive positions are asked to disclose financial
records, list foreign trips and give the government permission to view
their medical history.
Workers also must sign a waiver giving investigators access to virtually all personal information.
"Many of the plaintiffs only agreed to work for NASA with the
understanding that they would not have to work on classified materials
or to undergo any type of security clearance," the suit said.
More details here (check out the "Forum" if you're really interested) and in this article.
Posted on September 04, 2007 at 12:56 PM
This is curious: if they wanted everyone to have a security clearance to work at JPL, then fine -- make it a requirement.
To require someone to go through the same kinds of checks as a
clearance requires, but not actually require or grant a clearance as a
result is foolish and unethical.
Posted by: radiantmatrix at September 4, 2007 01:51 PM
Background checks are only part of it. How do they know who logs in to the NASA network at any given time?
They need NAC! with SafeAccess by Stillsecure.
Posted by: Mitch Ashley at September 4, 2007 03:42 PM
I've got an idea for the perfect way to protest this action.
Show up for work in the nude!
After all, if you have nothing to hide and no right to privacy, then why not?
Posted by: Jim Ramsey at September 4, 2007 03:46 PM
All the B.S. of getting a clearance with none of the benefits... of
course that assumes there are benefits--I'm not so sure of that.
Posted by: blah at September 4, 2007 04:02 PM
Every NON-government job that I've had in over thirty years of
employment has required that I allow my employer carte blanche to my
medical files, my credit records, my police record, former landlords,
past employers, and so on. Why are NASA employees privileged? This is
just part of working for hire. If you don't like it, start your own
Privacy: You don't have any. Ever. Get over it.
Posted by: Another Kevin at September 4, 2007 04:39 PM
Another Kevin: "Privacy: You don't have any. Ever. Get over it."
Where I work all they officially know of me is my name, date of
birth, address, tax number and where to send the money. Medical records
are only transferable even between doctors when I give permission. My
police record is not open to anyone but the police.
Everything is protected under privacy laws.
How? Because we voted it that way.
If you don't like all your records to be public, then vote people
into government who will pass laws to make these records private.
If you'd rather have people in government who will tap your phone
without a warrant and who will invade your privacy in every possible
way then keep voting the way you did in the past.
You *can* make a difference. We did.
Posted by: Kees at September 4, 2007 05:10 PM
@ Kees :
I've *tried* to vote and lobby for privacy laws with teeth. So far,
it hasn't worked. In fact, it seems to get worse irrespective of what
party is in power. The US, for all its public image of "individualism"
is a nation of conformists.
Posted by: Another Kevin at September 4, 2007 05:22 PM
Kevin in short:
Surrender! Bend Over and take it like a man!
Sheesh, what proud Americans we are raising today.
Posted by: UNTER at September 4, 2007 05:57 PM
Maybe you need more support. Vote Ron Paul for President. He seems
to want to protect privacy and repeal some of the silly laws that make
everything open to the Federal govt.
Posted by: quksilver at September 4, 2007 07:04 PM
I'm one of the people who may lose their job over this. I'd rather quit than submit.
Amongst other details that are being glossed over here. In addition
to medical records, talking to everybody I've ever known, etc.
>>>THEY ALSO WANT TO FINGERPRINT EVERYONE!!<<<
What do I get in exchange for this? Another day of employment.
Another minute? There's no quid-pro-quo here. They can sack me the
second after I sign the forms.
What do I lose? Anybody remember what the feds did with Mr.
Mayfield's fingerprints? (The Madrid bomb suspect out of Portland,
Oregon who had never visited Spain but had the misfortune to partially
As for privacy...
There are some things that are best not shared outside of those few
members of the medical profession who absolutely must know. (Unless one
can discuss them anonymously. Tor has its uses!)
Things such as my abusive and traumatic childhood. Leading to
clinical depression and multiple suicide attempts. Abusive to the point
of psychogenic dwarfism. Which required half a decade of testosterone
shots to correct. (Concurrently with a decade and a half of
psychotherapy, and some really good meds.)
Most of my remaining scars are physical, and easily concealed by
long pants and long-sleeved shirts. (For example, I have only one
remaining testicle.) The psychological ones are pretty esoteric. I
don't eat certain foods because of painful memories and associations.
I'm really reluctant to have my bones broken or set again without the
benefits of anesthesia. That sort of thing.
Some of us didn't have a happy childhood.
But I've fought too long and too hard and I've worked my damn ass
off overcoming that hellish background. I've made a life for myself. I
do what I love. My work is a pleasure. And I'm very good at it.
These people would take all that away.
Once I sign those forms, Pandora's box is opened. It will never be
closed again. My life will be an open book to anyone who wants to look.
(Are you actually foolish enough to believe that our government will
keep my history secure?)
Posted by: Anonymous at September 4, 2007 09:08 PM
Privacy is one of the strongholds of our western civilization.
There are many intellectual reasons to keep it that way. As long as we
still want the right to be individuals.
If we'd give up individualism, we'd just as well move to other
civilizations where you are only a group member, easily replaced.
I suspect privacy to end up in the bin, and we will all be monitored,
mapped and interned at will of the local or national government. It is
not the first time - just go back to any war the past century. It will
not be the last time, as war is the excuse this time too.
Personally I am at ease with my past. Certainly there is stuff I'd
rather keep silent, but there is nothing I can't live with (until of
course the investigators or government decided otherwise!).
But I defend YOUR right to keep your history, your background and your past to yourself if you so choose.
Posted by: Kai Roer at September 4, 2007 11:44 PM
So can NASA workers get background checks done on the folks that
demanded the checks? Or on the people doing the background checks?
Posted by: BothWays at September 5, 2007 01:20 AM
Sure, let's NOT get any background checks on them, let everyone shoot the rockets to space just because they sued.
If they whine about those background checks, they should go thru the
same the LEGAL emigrants get before they even get to the country. What
Posted by: alice at September 5, 2007 01:21 AM
For all the ethical and privacy questions (which are important in
themselves) the real question is, How is this process going to improve
security and which threat models does it block?
From the published article, it would appear to do nothing to improve
security or even identify a specific threat that might be blocked.
It smells of security theatre. It smells of ass-covering.
Posted by: Nomen Publicus at September 5, 2007 02:00 AM
The funny thing is that as a form of ass-covering, it sucks. Suppose
they have all this background information on everyone. And then suppose
something Bad happens. Immediately, there's a wealth of evidence
available that those in authority SHOULD have noticed and DID know
about because it's in the background files. How could they have been so
irresponsible as to let this engineer work on the fuel tanks, when his
record clearly shows that he consistently tips 30% to the Iraqi
waitress at his favorite restaurant? How could they possibly have given
for-official-use-only information to an administrator who attended
Firing everyone who has anything even remotely suspicious isn't
feasible because there would be nobody left to do the work. So they
will have to look the other way. And then their pants will be down when
the witchhunt begins.
Posted by: Richard Braakman at September 5, 2007 02:17 AM
> Where I work all they officially know of me is my name, date
> of birth, address, tax number and where to send the money. Medical
> records are only transferable even between doctors when I give
> permission. My police record is not open to anyone but the police.
I do not have a security clearance, but I know an awful lot of Real Sensitive Stuff.
My employer maintains a personnel file on me with address, credit
ratings, etc. They also maintain a medical file with drug test results,
doctor's notes, etc.
Not only is my police and motor vehicle record wide open to my
employer, but I am required as a condition of employment to notify my
line manager AT ONCE if I am served in a civil or criminal action, am
arrested, or otherwise come into a legal situation which could in the
future impair my ability to perform my duties.
What my employer CANNOT do is ask me certain personal questions or
delve into my private life. This the US Government can do to its
employees and contractors, and does on a regular basis.
Posted by: Andrew at September 5, 2007 02:45 AM
To Andrew (and the other US-ians):
How much reliable, useful information is extracted from all of the
data (credit ratings, medical information, etc.) that your employer
What is the cost of maintaining that data?
How does it increase the risk of "identity theft" or extortion?
What percentage of the integrity issues can be predicted by looking
at this data? Are there other, more effective, ways to prevent
Some of the social techniques used in Europe are trying to bind
employees to a company for longer times and giving employees collective
responsibility for the quality of their work.
If you create a social environment where cheating your colleague is the norm, the company can go down quickly.
Posted by: MathFox at September 5, 2007 05:02 AM
This affects not just the people in California at JPL, but anyone
who does work with them. I worked for a university on the east coast.
We had contracts with JPL. I never even visited California. They wanted
my history (and fingerprints) too.
Oh, and this was all to work on a project that JPL was open sourcing...
Posted by: LongReach at September 5, 2007 05:49 AM
I'm curious as to what asset is being protected. Is the actual JPL
complex so 'open-campus' that a non-classified employee has access to
computers and locations that fall within classified purviews?
And how does the data being collected apply to security?
Just a little too broad and general to seem good policy.
Posted by: Nick Lancaster at September 5, 2007 06:46 AM
@ anonymous "abusive childhood"
Damn, you are 100% right about this. Keep fighting, don't submit. You are right! They are wrong. That's how simple it is.
Posted by: John at September 5, 2007 08:49 AM
Well, if this is anything like what the NSA used to do, then I can
totally understand why NASA wants to dig deep. If you're being
entrusted with billions of dollars in taxpayer money, then I'd like to
know that you aren't going to sabotage the next space launch or sell
some secrets to some nutbag.
If you wanna work with secrets, be prepared to deal with people
digging in your past. If you're a shady and unscrupulous liar, then why
should NASA continue to keep you employed?
Don't like it, quit and move on. You worked at NASA, you'll probably have no problem finding another job.
Posted by: Rounin at September 5, 2007 09:17 AM
> to question friends and acquaintances about everything
> from their finances to sex lives
Dumb question. If you were a friend of someone and some Men in Black
knocked on your door and started to ask you weird questions about that
someone, wouldn't you politely tell them to fuck off and shove their
questions where the sun doesn't shine? I sure as hell would.
Posted by: Anonymous at September 5, 2007 10:05 AM
I'm a federal employee and have a security clearance. They did a
very comprehensive background check on me. They talked to friends and
family, checked my credit records, and checked for criminal history.
They looked at all foreign travel and contacts. I had to submit to a
polygraph and am subject to random drug testing.
What they did not do is check the details of my medical record or
any of my sex life. Sure, they asked if I had ever had mental health
counseling, but even if I had, there's a form they would have sent to
the provider with simple questions like "would you trust this guy with
state secrets?" and that's about it. If NASA asked for medical records
and asked questions about sexual history from employees/contractors
with no clearances, those guys are right to be upset.
Posted by: Shane at September 5, 2007 03:14 PM
"wouldn't you politely tell them to fuck off and shove their questions where the sun doesn't shine? I sure as hell would"
Well, see, the 'someone' has given their permission for those
questions to be asked. And, by telling the MiBs to have sex and travel,
you'd be jeopardising the job that your friend wants badly enough to be
jumped through those hoops. You are explicitly doing what your friend
does NOT want you to do, even if they are uncomfortable with the
That isn't a very nice thing for a friend to do.
Such perverse incentives are created when the state decides that privacy has no value.
Posted by: Jon Sowden at September 5, 2007 04:57 PM
I hear this canard of "being entrusted with billions of dollars"
quite often. It's foolish to consider the budget allocation of NASA (or
JPL) to be something that is granted to _any_ individual who works for
Not a single person at NASA receives the "billions of dollars" that
is given to the agency. Not a single person has the authority to misuse
the entire budget of NASA.
And for the specific issue that underlies your exaggeration, that of
fiscal control of project budgets, there are checks and balances at all
levels within these agencies that are specifically designed to identify
and counteract fraudulent activity. They work very well nearly all of
To claim otherwise is merely to exercise an authoritarian streak of
controlling other people's lives for the simple reason that you feel, as
a taxpayer, you have the moral right. Clearly you don't.
Posted by: Jerry Harker at September 6, 2007 12:59 AM
The first problem with the MiB claiming your friend is willing to
have you tell all is obvious. I hope at the very least that you'd ring
your friend first.
The other thing is that *I* have never consented to discussing my
friendship with them. Nor given consent for them to do so. If the MiB
pushed the issue I would be much inclined to say that I don't trust
them now and don't expect to trust them in the future. After what
they've just done to me now, why would I?
Posted by: Moz at September 6, 2007 03:08 AM
And as for the "how much does my employer know" question... not a
lot. Enough to find almost any public information about me, but most of
what I want to keep private is difficult to find out. I'd rather pay
for certain services in cash and use them anonymously than have my
employer pay for them, regardless of any Chinese walls they claim to
have in place.
That said, I have some faith in the lack of time and enthusiasm my
employer has for that sort of digging. And there are things that are
easy enough to find out that would probably lead them to ask questions
of me, and they haven't.
Posted by: Moz at September 6, 2007 03:13 AM
Fed Government's credit is worse than all American citizens put
together. Our deficit is higher than it has been in the history of the
USA. Gas prices have risen 133% in the past ten years but, Fed workers
have received less than a 15% raise to keep up with inflation over the
same period of time. Just goes to show that us "BABY BOOMERS" are about
to "CLEAN THE CLOCK" OF Social Security and Retirement Funds.
Who had Loyalty? The Work Force NOT the Employers. They're looking to
get rid of those of us who came to work and did our jobs. Let them know
that they may have what they THINK is power but, will find out who
truly has the POWER when the time comes.
Posted by: old timer at September 6, 2007 09:44 AM
I used to hold a high clearance. The one I got to work in the FBI
(first, I fixed computers for them and needed access) was far more
thorough or at least obtrusive than the "bigger" one I later got to
work with NSA.
My friends, some of whom I hadn't seen in many years (and who were
pretty unsavory types from the biker years -- can't believe that alone
didn't mess things up for me, and wonder how they found them) told the
MiB I was an angel, then called me up to warn me the MiB had some
strange interest in me.
I got the clearances. Interestingly, the NSA accepted the one I'd
gotten from the FBI for a few years, then suddenly figured out I'd
never been polygraphed. They didn't like everything I told them (I told
the truth, but not all of it was stuff they like to hear). But, too late! I
already knew all the secrets (mostly boring). So my local security
officer went to bat for me and I stayed cleared anyway. They didn't
want it noised around that telling them the truth could be a problem.
Posted by: DougC at September 9, 2007 03:01 PM
National Security blah blah blah don't let our sacrifice be in vain
blah blah blah trust us we know what we're doing blah blah blah.
And my favorite: An honest man has nothing to hide.
Bull! When you hear that, it really means an honest man has nowhere to hide.
It's time to remind these bozos that they - and their boss - work for us.
We have those rights and liberties which we claim and exercise. When
we willingly lay down and give up our rights and liberties, we are no
longer entitled to them.
Posted by: Joel walker at September 12, 2007 01:04 AM
I'm a graduate student who does some work at JPL and now have to
decide whether to submit to these investigations or quite possibly lose
my ability to continue work on my project. The project is not secret,
has no secret components, does not involve launching anything into
space, and is freely collaborated on by groups at other institutions,
including foreign ones, where no one is required to submit to any
investigations at all. I do not have (nor do I want) any access to any
secret information, and I have no capability to misuse any taxpayer
There is no justification for demanding access to my background
information. I would tolerate a reasonable check that my identification
checks out -- I have already done this as part of obtaining my current
JPL badge. That is what HSPD-12 requires -- reliable proof of
identification. What is unreasonable is using this as an excuse to go
on a fishing expedition, looking not for identity but for evidence of
"suitability" for employment. HSPD-12 does NOT require this, NASA has
simply decided they want to do that also. They don't even have the
stones to be honest about that... instead, they hide behind an
unrelated executive order.
Posted by: JLR at September 12, 2007 11:21 AM
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane.