
I love some of the examples for people discussing routine "over classification" of government documents:

https://www.nsa.gov/public_info/_files/cryptologs/cryptolog_...

Page 33, Book Review "Rapid Development" by Steve McConnell. A "top secret" book review now sees the light of day!

edit: The introduction mentions some predecessor magazines targeted to specific groups. "Dragonseeds" to B group, "Keyword" to G group, "QRL" to language, "Command" to traffic analysis and special research. I wonder if anyone has FOIA'd these earlier publications?




I believe that they (government) are just in a business where it's better to overclassify 100 documents than underclassify one.

Think of it from a web development perspective. Years ago SSL was used only for financial transactions, then for e-commerce transactions. Nowadays it's considered a good practice to use it anywhere you transfer any user data or session. Isn't that our industry's equivalent of their over-classification routine? I think they basically do the same as what we do with SSL - they apply their security layer to all content produced by all their users. It's exactly what we do with our security layers in software development.


I enjoy this analogy, and it works very well from a purely developer/intel analyst perspective.

It seems to me that the key difference here would be that no one is harmed by overuse of SSL, whereas over-classification of information can have far-reaching negative effects. Failure by the intelligence community to realize such, or a systemic issue that incentivizes over-classification, leads to our current situation where a FOIA is required to read a parking ticket.


> no one is harmed by overuse of SSL

Serving everything over SSL has removed HTTP's whole notion of "caching proxies." Now a website can be cached by your browser, or by the remote (i.e. through a CDN which they'll hand their X.509 cert to), but never by, say, your ISP.

And this is a shame, because HTTP's method idempotency semantics and Expires headers allowed intermediary caching to work perfectly--when something was set to expire from your local cache, it would also expire from any intermediary caches at the same time.

Sadly, some ISPs overreached and started modifying the content they proxied, at which point SSL-everything became the clear winner. Additionally, that kind of caching kind of screws things up when you serve any HTML that has been customized per-user on a generic cacheable endpoint (say "GET /timeline")--even though proper HATEOAS strongly indicates against this.
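The failure mode this comment describes (per-user HTML served from a generic cacheable endpoint, picked up by a cache shared between users) can be simulated in a few dozen lines. The following is an added example, not code from the thread or from any ISP or CDN: a toy shared cache that honours Cache-Control and Expires the way a proxy would, fed by a constructed origin that renders "/timeline" for whoever the session cookie identifies. The session table, cookies and page bodies are made up; the header names and directives (no-store, private, s-maxage, max-age, Expires, Vary) are real HTTP.

```python
"""Simulated shared (intermediary) HTTP cache.

Added example, not code from the thread. It models why a page customised
per user and served from a generic cacheable endpoint (GET /timeline) is
handed to the next user by any cache between them and the origin, unless
the response says it must not be shared. Header names and directives are
real HTTP; the origin, session cookies and page bodies are constructed.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

CACHEABLE_METHODS = {"GET", "HEAD"}  # only safe, idempotent methods are cached
T0 = datetime(2015, 1, 1, tzinfo=timezone.utc)  # fixed clock for the simulation

# Constructed session table: cookie header value -> user name.
SESSIONS = {"sid=alice": "alice", "sid=bob": "bob"}


def parse_cache_control(value):
    """'public, max-age=60' -> {'public': None, 'max-age': '60'}"""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_ttl(method, headers, now):
    """Seconds a *shared* cache may reuse the response; 0 if it must not.

    no-store and private forbid shared storage; s-maxage beats max-age,
    which beats Expires. With none of them the response is treated as not
    cacheable here (real caches may apply heuristic freshness; this one
    deliberately does not).
    """
    if method not in CACHEABLE_METHODS:
        return 0
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return 0
    for directive in ("s-maxage", "max-age"):
        val = cc.get(directive)
        if val is not None and val.isdigit():
            return int(val)
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
        except (TypeError, ValueError):
            return 0  # malformed Expires means already stale
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(0, int((expires - now).total_seconds()))
    return 0


class SharedCache:
    """One cache shared by every user behind it (ISP proxy or CDN edge)."""

    def __init__(self):
        self.store = {}  # (method, url, cookie-or-None) -> (expires_at, body)

    @staticmethod
    def cache_key(method, url, cookie, headers):
        vary = {v.strip().lower() for v in headers.get("Vary", "").split(",")}
        # Vary: Cookie keys the entry by cookie, so users do not collide.
        return (method, url, cookie if "cookie" in vary else None)

    def fetch(self, method, url, cookie, origin, now):
        """Return (body, served_from_cache)."""
        # Vary is only known once a response has been seen, so look for a
        # cookie-specific entry first and a generic one second.
        for key in ((method, url, cookie), (method, url, None)):
            hit = self.store.get(key)
            if hit and hit[0] > now:
                return hit[1], True
        status, headers, body = origin(method, url, cookie)
        ttl = shared_cache_ttl(method, headers, now)
        if status == 200 and ttl > 0:
            key = self.cache_key(method, url, cookie, headers)
            self.store[key] = (now + timedelta(seconds=ttl), body)
        return body, False


def make_origin(response_headers):
    """Constructed origin: renders the timeline for whoever the cookie says."""
    def origin(method, url, cookie):
        user = SESSIONS.get(cookie, "anonymous")
        return 200, dict(response_headers), f"<h1>{user}'s timeline</h1>"
    return origin


def simulate(response_headers):
    """Alice loads /timeline, then Bob does, through the same shared cache.

    Returns (body Bob received, whether it came from the cache).
    """
    cache = SharedCache()
    origin = make_origin(response_headers)
    cache.fetch("GET", "/timeline", "sid=alice", origin, T0)
    return cache.fetch("GET", "/timeline", "sid=bob", origin,
                       T0 + timedelta(seconds=5))


if __name__ == "__main__":
    for hdrs in ({"Cache-Control": "public, max-age=60"},
                 {"Cache-Control": "private, max-age=60"},
                 {"Cache-Control": "public, max-age=60", "Vary": "Cookie"}):
        print(hdrs, "->", simulate(hdrs))
```

With "public, max-age=60" Bob is served Alice's timeline straight from the cache; "private" (or "no-store") keeps the response out of any shared cache, and "Vary: Cookie" lets it stay cacheable while keying each entry to the session. The same leak exists at a CDN edge as at an ISP proxy; the difference the thread points at is only who controls the headers that prevent it.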


CDNs have really assumed the role of ISP-level caching - the good CDNs are co-located with the big ISPs anyway, so the effect is the same. IMO, it's a better solution because it allows the content-server much better control over the exact details of the caching and allows stuff like partial caches. The problem with ISP-level caching is just what you suggest: they screw it up.


There is a time cost to using SSL. So, maybe not on the same level of impact as over-classification of documents.. but still there!


My guess is that the cumulative time cost of SSL doesn't exceed millions of dollars. On the other hand, if you believe that over-classification undermines the democratic process to the extent that wars have consequently been fought against the USA's self interest, the cost of over-classification could easily wander into the trillions of dollars (and tens to hundreds of thousands of lives).

I think it's reasonable to neglect the time cost of SSL in this comparison.


Documents are classified at the highest classification of any single piece inside the document. In the cryptolog you linked to, there are two large redacted sections. It's not that the book review was classified, it was just published next to stuff that was classified. If you filed a FOIA request, they would have given you the book review with minimal fuss, but kept the redacted parts out of the FOIA. You can tell the information that is unclassified because it is marked (U). Classified info will be marked with different letters depending on the level of classification, and will likely be heavily redacted in anything released to the public.
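The rule in this comment (a document carries the highest mark of any portion in it, and a release at a given level keeps the portions that level covers and redacts the rest) is a label-dominance check, the same shape as any mandatory access control decision. The following is an added example, not code from the thread or from NSA: it parses portion marks, computes the document-level classification, and produces what a release at a given level would look like. The level names (U, C, S, TS) are the standard marks; the sample document is constructed and stands in for the book review sitting beside redacted material.

```python
"""Portion marks -> document classification -> release at a given level.

Added example, not from the thread. Every paragraph must carry a portion
mark such as (U) or (S); the document as a whole takes the highest mark
present; a release at a given level keeps only portions that level
dominates and redacts the rest. The sample document is constructed.
"""
import re

# Ordered levels: each one dominates every level below it.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}
MARK = re.compile(r"^\((U|C|S|TS)\)\s*(.*)$")


def parse_portions(text):
    """Return [(mark, body)] per non-empty line; an unmarked line is an error."""
    portions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MARK.match(line)
        if not m:
            # Unmarked text cannot be safely released, so refuse to guess.
            raise ValueError(f"unmarked portion: {line[:40]!r}")
        portions.append((m.group(1), m.group(2)))
    return portions


def document_classification(portions):
    """Highest mark of any single portion (the 'high-water mark' rule)."""
    return max((mark for mark, _ in portions), key=LEVELS.__getitem__)


def release(portions, clearance):
    """Text as released to a reader cleared at `clearance`.

    Portions above the clearance keep their mark but lose their body, so
    the reader can see that something was withheld and at what level.
    """
    lines = []
    for mark, body in portions:
        if LEVELS[mark] <= LEVELS[clearance]:
            lines.append(f"({mark}) {body}")
        else:
            lines.append(f"({mark}) [REDACTED]")
    return "\n".join(lines)


# Constructed sample: an unclassified book review next to classified text.
SAMPLE = """
(U) Book review: Rapid Development, by Steve McConnell.
(TS) constructed placeholder for a classified paragraph
(U) The scheduling advice applies to any software project.
"""

if __name__ == "__main__":
    portions = parse_portions(SAMPLE)
    print("document level:", document_classification(portions))
    print(release(portions, "U"))
```

A public release is `release(portions, "U")`: both review paragraphs come through, the paragraph marked (TS) becomes a marked redaction, and the document as a whole still reports TS because of that one portion.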



