department-of-veterans-affairs / va.gov-team


Determine severity of PII viewable within 526 requests #91091

Open tommasina-va opened 3 weeks ago

tommasina-va commented 3 weeks ago

Issue Description

When we had a production tester examine the submission request in the dev console, he informed us that his social security number as the BIRLS ID was viewable in the response. (For most Veterans, the BIRLS ID is their SSN.)

[Screenshot: user-endpoint.png]

We want to understand if this data is necessary, or if something should change to protect this information.

DSVA Slack thread

Jonathan Kamens said: "My first thought here is that BIRLs should not be using SSN as its default identifier. It's a violation of the Congressional mandate to reduce the usage of social security numbers throughout government and the corresponding VA mandate. VA started working on deprecating the SSN and replacing it with the ICN in 2010. If BIRLs is still using SSN as the primary identifier 14 years later, why is that?

Aside from that, it is not ipso facto a security issue that the BIRLs ID cum SSN is being transmitted down to the user's browser. If the user has authenticated and the value isn't being saved in persistent browser storage, and there's a legitimate business justification why this identifier is needed on the client side, then it's potentially a legitimate use. I would prefer for us to find a different way to do this, but to determine whether this is justified use I would need to know more details about why we're doing it and how much more work / less functional it would be if we didn't."

Rules for transmission from FE to BE: "Regardless, no unique identifier for the user should be transmitted from the server to the browser unless it's actually needed for something in the browser, so if the birlsId or any of the other identifier fields in the response is being transmitted "just because" of how the API was designed, as opposed to because it's actually needed for something on the client side, then we should stop transmitting it."

Tasks

Acceptance Criteria

tommasina-va commented 2 weeks ago

Notes from Lisa: https://dsva.slack.com/archives/C04KW0B46N5/p1724259085961149

Info we learned from Jeremy Haas:

- Are Veterans familiar with what a BIRLS ID is? No, generally not.
- Is there another term that BIRLS ID might go by that is more familiar to Veterans and would make sense to the Help Desk? Not that I am aware of. On a VA site it refers to BIRLS as "A tool the Center For Verification and Evaluation (CVE) uses to verify an applicant is an eligible Veteran."
- How would the Help Desk describe it to the Veteran (or wouldn't they) if a message displayed that said it was missing and was needed? It is a database similar to DEERS that contains military history, used to verify if the applicant is an eligible Veteran.
- Does the Help Desk know what to do if the BIRLS ID is missing? What if we called it something different? Ideally the error description would be modified to something along the lines of "An error occurred, we've found a mismatch in your BIRLS Record."

Notes from Thomas:

- EVSS requires an SSN, DoB, EDIPI, BIRLS ID & Participant ID just to submit an ITF.
- When we pass the data downstream, MPI is used to find the eFolder. If they can't find the PID in MPI, then they can't find the eFolder to associate with the Intent To File (ITF).
- Once Lighthouse takes over the ITF, most of those ID requirements will go away. I believe only an ICN is needed.

Additional Notes:

The Beneficiary Identification Records Locator Subsystem (BIRLS) is a tool the Center for Verification and Evaluation (CVE) uses to verify an applicant is an eligible Veteran. (Fact Sheet)

What I do recall hearing was that BIRLS may NOT always be the SSN. The when and why I don't recall. I have some Slack channels with some discussions around these, but it was mainly focusing on the PID. Just let me know if you want me to share them so you can check them out.
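The rule quoted in the issue (send the browser only the identifiers it actually needs, keep the rest server-side for the EVSS/MPI calls described in the notes) can be enforced with an allowlist on the user endpoint's serialized attributes plus a check that flags SSN-shaped values in the outgoing payload. This is an added Ruby example, not code from vets-api; the field names, the allowlist and the sample response are constructed for illustration.

```ruby
require 'json'

# Assumed allowlist: attributes the front end actually renders.
CLIENT_FIELDS = %w[first_name last_name email].freeze

# Constructed sample of a user endpoint response (no real data).
SAMPLE_RESPONSE = {
  'data' => {
    'attributes' => {
      'first_name' => 'Jane', 'last_name' => 'Doe', 'email' => 'jane@example.com',
      'birls_id' => '123456789',   # BIRLS ID that is, for most Veterans, the SSN
      'ssn' => '123456789',
      'participant_id' => '600001',
      'edipi' => '1234567890'
    }
  }
}.freeze

# Keep only allowlisted attributes; identifiers needed downstream stay on the server.
def client_safe_attributes(attrs)
  attrs.select { |key, _| CLIENT_FIELDS.include?(key) }
end

# Build the response the browser should receive.
def redact_response(response)
  attrs = response.dig('data', 'attributes') || {}
  { 'data' => { 'attributes' => client_safe_attributes(attrs) } }
end

# Nine digits, optionally dashed (123-45-6789): the shape of an SSN.
SSN_SHAPED = /\A\d{3}-?\d{2}-?\d{4}\z/

# Walk a payload and return the JSON-ish paths of every SSN-shaped string,
# so a test or log check can fail before such a value reaches the browser.
def ssn_shaped_values(obj, path = '$', found = [])
  case obj
  when Hash  then obj.each { |k, v| ssn_shaped_values(v, "#{path}.#{k}", found) }
  when Array then obj.each_with_index { |v, i| ssn_shaped_values(v, "#{path}[#{i}]", found) }
  when String then found << path if obj.match?(SSN_SHAPED)
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  puts "leaks before redaction: #{ssn_shaped_values(SAMPLE_RESPONSE).inspect}"
  puts JSON.generate(redact_response(SAMPLE_RESPONSE))
end
```

The shape check is a safety net, not a substitute for the allowlist: a 10-digit EDIPI or a 6-digit Participant ID is not caught by it, which is why the allowlist drops every identifier the browser does not use.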