Over the past several months we’ve been lamenting the massive data breach on the Office of Personnel Management. In the latest data breach, however, it seems federal employees and service members have no one to blame but themselves. This week’s high profile release of online information about users of Ashley Madison, an online dating site focused on extramarital affairs, included an estimated 15,000 .gov and .mil email addresses.
A few of the ‘outed’ agencies include the Transportation Security Administration, Naval Intelligence, and State Department. Divorce attorneys in the nation’s capital are rejoicing – the D.C. metro was found to have the highest concentration of users.
Several high-profile tech bloggers have been culling the data released from the Ashley Madison hack and using it to publicly ‘out’ high profile government figures – several of whom have active federal security clearances. The fact that they’re both using a site designed for marital indiscretions and using their government-issued email addresses to do so is impropriety, stupidity and a security fiasco, all in one package.
The Dangers of Mixing Business and Pleasure
Historically, there has never been a ‘ban’ on using your work email address for limited personal purposes – many people use work email addresses – including .gov and .mil addresses – for personal uses such as setting up social media accounts, exchanging information with a spouse, or corresponding with a friend. Your annual security refresher likely gives an overview on the kinds of activities specifically prohibited via email, including anything related to elections, side-businesses, or potentially prohibited activities for the federal government.
Given the nature of what Ashley Madison does, it’s no surprise some federal employees and service members opted to register using their work accounts. In comparison to personal email addresses, they’re less likely to be accessible or checked by an unknowing spouse. For federal employees with an active federal security clearance or active duty service members, however, that attempt at discretion could spell serious problems.
Your Work Email Isn’t Private
As we addressed in an article on the site this week, you have no right to privacy from a workplace email address. Emails can be copied into your personnel file and potentially used in administrative action against you, as well as presented as evidence in a denial or revocation of a security clearance. For Ashley Madison users who used their work email addresses, emails from the site could be pulled and used as supporting evidence in a clearance denial based on Adjudicative Guideline D: Sexual Behavior.
What does your sex life have to do with your security clearance? Not much. Guideline D is rarely used in the denial or revocation of a security clearance. Unfortunately for Ashley Madison users, however, the rare times it is used are typically instances where a security clearance holder or applicant was participating in an extramarital affair their spouse didn’t know about. If a clearance holder has already taken steps to hide an affair from his or her spouse (using a website that promises anonymity and discretion, using a work email a spouse doesn’t have access to, etc), the government has reason to think that person may go to additional steps to hide the affair – including potentially disclosing classified information if blackmail becomes an issue.
Service members have even more to be concerned about – adultery is a cause for military punishment under the Uniform Code of Justice, and service members who cheat can face a dishonorable discharge or worse. Like clearance holders, taking steps to hide the affair only make it appear worse.
Work vs. Personal
The individuals whose data was disclosed in the Ashley Madison hack could have done themselves a huge favor and simply used a personal email address to sign-up for the site. We can debate the morality of using the site another day – for now, let’s simply consider the stupidity of registering using a work email address. Discretion is something seriously valued in the government and clearance community. And a key reason some are even opting out of social networking at all.
By using a work email address on the site, federal employees and service members were literally giving foreign intelligence assets a guide to their vulnerabilities – right down to what kind of foreplay they prefer and what their ideal match looks like. All of this is made worse on a site that literally caters to extramarital affairs. The data breach includes email addresses, user names, passwords, credit cards, addresses, and a trove of personal data. It’s the kind of information a foreign intelligence agency would love to get – and they know have it for at least some government employees, in a highly public and searchable format.
It goes without saying – keep your work email address for work purposes, and your personal email for personal purposes. And never forget that for clearance holders, anyway, there remains a standard to stay a cut above the rest – discretion, trustworthiness and accountability aren’t just buzzwords, they’re critical to maintaining access to classified information. If you are a clearance holder who had a profile on the site, it would be a good idea to let your spouse know – regardless of whether or not you used a personal or work email address to register for the site. If you used a work email address to register for the site, I would swallow my pride and self-report that fact to my facility security officer. Better to face a little embarrassment today than find myself out of a job tomorrow. Given the fact that the main issue with any extramarital affair is an attempt to hide the indiscretion, going public now will look much better than trying harder to hide your involvement.