Comment by throwup238

I do my best at work, and if my employer tells me to do something I don't agree with I continue choosing my actions, at the risk of getting fired. Point is, it's on them to fire me. I've only ever resigned when I don't want to do the work anymore or I'm moving away.

I've never made over ~$60k/year, and I'm fine with that; many ways to be rich.

Also, I like the idea of public luxury, private sufficiency.

The practice of resigning rather than follow illegal/immoral orders seems ill suited to operating in a context where the leadership is an active adversary and can instantly replace you with someone who will just do the thing. I feel like civil servants need to internalize that the old customary practices are based on a context where there are checks and balances in the system, as well as standards of decency and democratic accountability, that make these sorts of formal actions have teeth. When none of that exists a principled resignation is basically just saying “My principles make me a hurdle to your attempts at violating the Constitutional rights of the public, so let me just get out of the way so you can sprint towards that goal more easily.”

Obviously though, it’s the dirty hands problem. 99% of the time we don’t want civil servants to do this because 99% of the time the President isn’t actively trying to unmake the Constitutional order. It’s very problematic to have civil servants thinking their judgement should overrule their leadership, but we’re in extraordinary times and there is no leadership of an opposition movement that can coordinate to set any sort of guardrails around that kind of willful insubordination.

> for the government to have access to government data

It is very much under dispute whether or not the data has been used/shared in a legal manner.

Imagine a new CEO arrives at <b2b platform tech company> and has stated their top goal is to cut costs and improve efficiency.

Then imagine this CEO brings in outside technical people and instructs the existing security team to grant full access to all customer data. They plan to analyze this data to assess how customer’s use of the platform impacts operating costs.

This would be insanely inappropriate and would likely breach customer contracts and break privacy laws. It is of little comfort that the “breach” is wholly “inside” the company.

In almost every large organization, there are numerous internal boundaries that large amounts of data should never cross for any reason. Framing this as “the government having access to government data” is problematic, for the same reason a tech company allowing unfettered access to customer data for some analysis project could not be described in good faith as “the company having access to company data”.

Exactly who it is within the organization that has access to the data and how that access aligns with existing laws/policies is extremely important.

> it's not a data breach for the government to have access to government data

This absurd oversimplification needs to be called out.

The 'government' is not a single individual, nor should 'government data' be treated without regards to specifics.

The exact entity doing the accessing, and the exact data that's being accessed, all need to be accounted for, and the appropriateness of the access will change depending on the context.

DOGE hasn't been transparent in any of this, which is my chief complaint at the moment.

Then why do we have different levels of security clearance?

Obviously we have an extensive framework for data security within the government that is built upon the idea that compartmentalization of data and limiting access is incredibly important.

Even in situations where it is unavoidable that someone have access to data as a function of their job requirements, we very frequently have strict logging and auditing of access to that data. You might not be able to reasonably prevent a DBA from having access to the information in a database and allow them to still perform their work, but plenty of places will log and audit every action they take and review them accessing that data.

We know there are people in DOGE that clearly would not pass security screenings for access to the data that they have - one of them was recently fired for leaking data from their previous employer!

Acting like the fact that they are nominally part of the government so it is OK for them to have basically unfettered access to all sots of sensitive information is bizarre to me.

It can very much so be a data breach for government to "have access to" other agencies' data. Check whether U.S.C. § 3552(b)(2) contains any exceptions or carve-outs for government agencies!

One of the main points of privacy legislation is to functionally limit the government's ability to collect, use, disclose, and retain personal information in the first place. That's entirely contrary to the idea that government departments can share or access it pell-mell.

you have a lot of faith that Big Balls hasn't been compromised. Because surely none of them are using their personal smartphones or laptops and are following strict access protocols. Seeing that they are so so careful with everything else they've been doing.

I feel like this is a bad episode of the Twilight Zone.

"the front door and all windows are open, but don't worry. No one robbed the house yet so it's not a robbery "

I wouldn't discount such reckless vulnerabilities happening here. Any decent IT department would faint imagining the overtime needed to fix such issues.

What is the data classification of the data that they're accessing? Are they authorized to view it? Did they follow the normal procedures for accessing that data? Was their access limited to the information they needed to perform their stated function and nothing else? Was the data stored on or transferred through any systems that were not adequately secured?

It is entirely possible for an insider or internal data incident to be a "breach," regardless of whether the data leaked outside the org or they had the permission of the President. If someone came in to my office with an employee badge, said that they had been personally hired by the CEO, and demanded super admin access to all systems, I would laugh in their face. If anyone actually agreed to that person's demands, it would be a massive, all-hands-on-deck incident to figure out what they touched and how much we were going to get fined for the breach in security controls.

It's a data breach because DOGE is a bunch of random people chosen by Elon Musk, who act arbitrarily and completely outside the law.

If the Treasury gets access to the CIA’s data that’s a data breach. Treasury does not have a compelling need to use that data and if they do, there are processes to determine that need and agreements to ensure appropriate safeguards are in place to handle and manage that data.

Yeah in theory they’re both parts of “the government” but “government” is a big umbrella that comprises a bunch of separate entities, each with varying degrees of independence from each other. We’re used to thinking of it all as one entity because we’re used to operating under political leadership that isn’t actively trying to destroy the government. But now that they are, the separation of duties matters a lot more. All of this stuff is happening either in violation of, or indifference to the actual law.

[dead]

We can be all but certain that the CCP has its tendrils into Big Balls' phone and computers. A bunch of idiots with no opsec skills makes for easy pickings.

Although authorised by some members of the executive branch, it is missing some of the oversight the executive branch is supposed to have.

It's like if your CEO sent you an email saying you should give the production DB credentials, and any encrypted at rest keys to their cousin.

Probably you wouldn't do that.

You can have data breaches within an organization.

It is if it's actually to a foreign adversary.

[dead]

[dead]

Technically yes. I'd still be just as worried as a breach given the context though.