January 13, 2011

White House Tour Cybersecurity: Send In Your SSN - Via Unencrypted, Unprotected Email!

Greetings. Before the U.S. government proceeds at all with their controversial and risky Trusted Identities in Cyberspace Internet ID scheme, perhaps they should demonstrate their ability to follow for themselves the most basic of Internet security procedures.

Very large numbers of persons tour the White House every year. All prospective tour guests 14 years of age and older are required to pre-submit their Social Security Numbers (SSNs) for security checks (apparently it is common for children under the age of 14 to have their SSNs submitted as well).

One might assume that information as sensitive as SSNs would be handled by the associated authorities with the same care and diligence as, say, a typical bank Web site -- using SSL/TLS encryption for the protection of this data that is so often abused for identity fraud.

But that assumption would apparently be false. An array of Congressional Web sites instruct would-be White House tour guests to submit their personal information (names, dates of birth, social security numbers, etc.) via standard unencrypted email to (for example) various addresses @mail.house.gov!

Here are just a few randomly selected examples where White House Tour "xls" (spreadsheet format) Security Forms (apparently customized by Congressional district in these cases) are provided for download (Form Image), along with instructions for emailing them in for processing:

Congressman Steve King

Congressman Raul M. Grijalva

Congressman John Kline

And so on. Search around a bit for yourself -- you'll easily find others. In fact, it appears that emailing back the Security Forms, with absolutely no Internet transit protection for the personal information they contain, such as SSNs, is the standard mechanism that Congress mostly uses (and presumably the White House has approved) for White House tour requests.

If an insurance company, bank, or even a local school were caught telling persons to submit required personal information such as Social Security Numbers via easily diverted, observed, and otherwise abused unencrypted email channels, there would likely be investigations and hell to pay.

But Congress and the White House -- the same entities who presumably wish to play such important "Cybersecurity" roles -- apparently can't even handle this basic aspect of Internet security correctly. Yet we're supposed to trust their judgment relating to the creation of a vast and complex Internet Trusted Identities infrastructure.

It would actually be quite funny -- if it weren't so utterly frightening.


Posted by Lauren at January 13, 2011 08:25 PM
Twitter: @laurenweinstein
Google+: Lauren Weinstein