The American View: On Incomprehensibly Relaxed Security
28 March 2019
Job applicants should never be asked (or pressured!) to expose their sensitive personal information in order to be considered. Business Reporter's resident U.S. 'blogger shares a story of a major government agency demanding exactly that, in open contravention of its own security regulations.
Mozilla rolled out a new service called ‘Firefox Send’ last week, and I think it’s the greatest tool offered to job seekers in the last five years …at least. Maybe the last ten. This service is brilliant, it’s necessary, it’s overdue, and I’m going to be advocating for every job seeker I know to use the hell out of it. So … I should probably explain what this is and why I’m so excited about its arrival. That, in turn, requires an anecdote.
Back in 2015, my department at a Very Large Corporation was made redundant thanks to a restructuring. Most of us who were affected weren’t surprised; we’d been waiting for the bad news to drop for months. The VLC hadn’t been subtle about its intentions. There wasn’t any shouting or weeping. Everyone getting laid off politely signed their severance agreement and got back to work. Nice and professional-like.
In turn, the VLC made us laid-off workers a very generous offer: they’d allow us to stay on until the end of the year (two months hence) or leave immediately if we preferred. Our choice. If we opted to stay on, our management chain would give us considerable latitude to research, apply for, and interview for new positions – both within the VLC and externally. This was a darned good deal. Everyone in my department accepted it and worked the rest of the year in good faith … while applying like mad for new gigs.
During that period, I applied for 106 jobs and completed interviews with 10 different companies. I applied for another 139 jobs and completed another 3 interviews in the six weeks after my last working day with the VLC. I eventually secured a fully-acceptable contractor role with an excellent company and got on with my life.
I was ‘on the bench’ for less than six weeks between gigs and was back in action. I had nothing to complain about.
One of my applications had been for a civil service security position with a Large Federal Agency. I was never interviewed. The LFA went silent. Then, six months later, I received an e-mail from an employee of the LFA congratulating me that I’d been accepted for the role. It was … weird. Dead silence, no interview, and suddenly I’m ready to be made an offer? That … wasn’t how most federal agencies worked.
To be clear, this contact came months after I’d taken a contractor job. At first, I thought I should ignore it. Then I realized, though, that a civil service job with benefits would prove better for me over the long run. I already had ~15 years credit towards a government pension. I replied with my thanks and asked about next steps.
‘We’ll need to get some supplemental documentation from you,’ the LFA’s rep explained. ‘We’ll need you to send us your previous civil service records.’
I replied that I’d uploaded those exact records to their AMS when I’d applied. The rep sheepishly admitted that their AMS had ‘lost’ my attachments. We’d have to start over.
‘No problem,’ I said. ‘What options do you have for encrypting those files? They contain Personally-Identifiable Information after all, and U.S. Government regulations require all PII to be encrypted, both in-transit and at-rest.’
I love how stock photo artists imagine e-mail encryption to be magic, with gloating holograms and iconography. It’s just math. Lots of math. Math that you make the computer handle for you.
The rep blithely told me that the LFA didn’t have any encryption options; that I should just e-mail scans of the forms as attachments. I balked. First, that was a violation of the LFA’s own (supposedly inviolable) regulations. Second, voluntarily exposing my PII naked on the Internet would surely prove that I was unfit to serve in a security expert role in the security department of an already paranoid federal agency.
I asked the rep about secure file upload sites. ‘No, we don’t use those.’ Fax machines? ‘Nope.’ Commercial encryption services? ‘No, sorry.’ The bloody U.S. Postal Service? ‘No, we can’t accept paper mail; it’s okay. Everyone just e-mails us their forms.’
I eventually got the rep to grudgingly agree to accept an encrypted, password-protected .ZIP file as an attachment. I secured my documents, sent them … and the rep complained that he couldn’t unzip them. We did this dance four times. Every time that I sent a clean, tested, known-good archive, the rep – this supervisory security engineer – was unable to enter a password into a prompt to decrypt it. I was stunned.
By this point I’d had my fill of the LFA. If this was indicative of the team’s technological sophistication, then I knew there was no way that I’d be either sane or productive working there. Further, if these people were always that blasé about protecting citizens’ PII, then we’d inevitably come to blows over their consistent violation of regulations. I wrote them off as an unacceptable employer and never looked back.
I quite enjoy what I do now, and I probably never would’ve been able to do it if I’d taken the role with the Large Federal Agency. No federal pension, mind, but a much better work environment. I’m calling it a ‘win.’
Flash forward to earlier this year: my son recently applied for a municipal job at our town hall. He made it through screening and was invited to submit a much longer application package to support a thorough background check. This Very Small Agency made it crystal clear in their notification e-mail that they recognized the risk of exposing PII over the Internet and gave applicants the option to hand-deliver their package or else mail it. Very professional and fully compliant with USG standards. I approve.
Still, it would have been much less cumbersome for both the VSA and for the applicants to be able to complete the required forms electronically and then transmit them over the Internet. If only there were a safe, secure, and reliable way to do that …
Meet Mozilla’s ‘Firefox Send.’ Per this excellent summary from The Register’s Thomas Claburn, Firefox Send is a free, encrypted file-sharing service that runs ‘from the cloud’ at send.firefox.com. The user uploads a file to Mozilla’s service, which generates a unique, shareable URL that by default works for a single download. The file is encrypted in the browser before it is uploaded, and the decryption key travels in the part of the link after the ‘#’, which a browser never sends to the server, so Mozilla’s servers hold only ciphertext. The user then e-mails, IMs, or even scrawls the URL on a postcard to share it with the intended recipient.
Nick Nguyen, Mozilla's VP of Firefox Product, explained on the Mozilla ‘blog that the user ‘… can choose when your file link expires, the number of downloads, and whether to add an optional password for an extra layer of security.’ The receiver gets the link, clicks it, and downloads the content. No account required. That’s it. No drama. No muss, no fuss. One caveat: whoever holds the link holds the key, so send the link and any password over two different channels (the link by e-mail and the password by phone, say) rather than together.
Considering how many needlessly-complicated ‘solutions’ we’ve endured over the last decade, any tool that doesn’t trigger spasms of irrepressible rage is a huge improvement.
Had this tool been around back when the LFA asked me for my sensitive civil service records, I could have used Firefox Send to deliver my content immediately with no worries about interception en route. On the one hand, that’s great for protecting user information. On the other, I’m sort of glad that it wasn’t available … My exhausting back-and-forth with the rep helped me realize that working at their office would have been awful. So, there’s that. Still, I’d rather have had the secure transmission option.
That aside, it’s here now. That means that my son can use it to finish applying for his municipal job, and for every other application he completes in the coming months. So can all of his friends … and their friends … and their friends. Am I laying it on too thick here? No … no … I don’t think so.
This new service could prove to be a significant improvement in the protection of personal information for job seekers. No doubt it’ll also greatly help families sharing medical information, schools sharing student information, vendors sharing confidential business information … everyone. We’ve all needed something free, simple, and reliable like this for a long time. That being said, I’m most interested in its potential to eliminate the completely-preventable danger involved in trying to get hired. There’s no reason left for any employer to ask an applicant to expose their sensitive personal information in order to be considered. That practice was always irresponsible and it needs to be eliminated for good. Now, maybe it can be. Here’s hoping.
 No, I’m not going to reveal the name of the company. There’s nothing to be gained from it.
 Ibid, although you might be able to suss it out from some mildly difficult clues scattered throughout the article. If you do, don’t tell anyone.
 Ugh. Cloud = a bunch of servers accessible over the Internet. Don’t @ me.
Title Allusions: None
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil was a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different kinds of commercial-sector IT consultant.
Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.