by mpyne 4756 days ago
As I understand it security clearance screening is done by blacklisting, not whitelisting.

That's what would make sense for a nation with due process, but it does lead to increased risk of leaks from people with no obvious red flags that come up during the background check or in-person interviews.


Even "better", there are things which are highly correlated with "likely to be a security problem" which are NOT allowed to be included, or which get adjudicated away.

Generally IMO the security clearance process is not up to the task in a world with more than one threat. It worked ok against USSR when we largely could use full spectrum of information AND could assume most people without black marks were anti-USSR (due to existential threat from nuclear weapons and essentially an undeclared state of war).

Doesn't work so well now when 1) IC really had no mission in the 1990s and 2) IC today is grossly oversized and overresourced for the anti-Islamism mission. The "anti-China, anti-Russia" stuff is much more like a real peacetime intelligence service, i.e. the <<500 people we had before WW2.

Yeah, though I can't give specifics, we had an admin issue where I worked that got briefed to the level of a "Presidential appointee confirmed by the Senate" that was related to screening requirements (or rather, the lack thereof).
I'm assuming both criminal/terrorist organizations (well, and hacker groups, etc.) and tech startups actually surpass USG for a lot of personnel screening, mainly because they're small. If you only hire people you've personally known for a long time, that goes a long way. Hiring 20 trusted people is a lot easier than hiring 20k.

(Obviously USG does a better job in certain areas; generally I'd say most military facilities do a decent job on most physical security.)

There are different levels. Up to a point they take everything you declare as true in conjunction with some basic checks. At the highest levels they assume everything you say is false, until investigated and proven true.

I still think the article makes a good point though: you just don't know who the hell has access to your data unless you keep it on your own servers or host the data in a country with extremely transparent privacy and law enforcement governance.