Sorting the personal from the public

Cleaning up personal data inadvertently posted on government sites is no easy task

A man in Ohio filed a lawsuit against the secretary of state, claiming that personal information posted on the state’s Web sites violated his right to privacy. An opinion issued by the Texas attorney general found that disclosure of Social Security numbers on the Web is a criminal offense in violation of state and federal privacy laws. In Virginia, a self-proclaimed government watchdog incited fellow citizens to rally against county Web sites that post private information. And in Florida, the legislature passed a law requiring county clerks to scrub Web sites of any personally identifiable information — then twice extended the deadline for compliance. In the Internet era, the line between the public’s right to know and individuals’ right to privacy is as fine as a dulcimer string — and twice as tense. States, counties and municipalities in the past decade have posted to the Web tens of millions of electronic documents, some of which contain Social Security numbers, credit card numbers and other personal data. Agency Web sites were intended to make the machinery of government more efficient and more transparent. But whatever benefit has accrued to government and law-abiding citizens, the proliferation of personal information online has also been a boon to criminals engaged in identity theft, credit and real-estate fraud, and similarly nefarious activities, privacy activists say. “In the last 12 months, 200 million personal records were exposed on the Internet,” said Steven Domenikos, founder and CEO at IdentityTruth, a company that crawls billions of records. “That is a gold mine for identity thieves.” Debugging the online records of 50 states, more than 3,000 counties, approximately 36,000 municipalities and townships, and more than 48,000 special and independent school districts is an arduous task. “It’s a very complicated issue with lots of layers of local governments, and I think it’s going to take quite a long time to sift through it and solve it,” said Peter Vogel, a lawyer who has served as chairman of the Texas Supreme Court Judicial Committee on Information Technology. “We really don’t have a clue where the hell we’re going.” In the era following the Vietnam War and Watergate, interpretation of the country’s open-record laws has tended to err on the side of disclosing more rather than less. With the advent of the Internet, many government officials viewed the new technology as a natural extension of the public domain and rushed to put information online. Documents that had languished in dusty file cabinets — property deeds, licenses, divorce and bankruptcy proceedings — suddenly were accessible to anyone with a computer modem. “Everything from dog licenses to death certificates,” said Anne Wallace, executive director of the Identity Theft Assistance Center, which has helped 22,000 victims of identity theft since its creation by the financial services industry three years ago. Court clerks and other officials who put records online typically don’t have an obligation to screen for sensitive data or the resources to do so. Customers of government services like the convenience of electronic records, and certain industries have come to rely on easily accessible public information — and governments have been willing to provide it. “The cost of collecting, storing, indexing, cross-referencing and disseminating information has fallen almost to zero,” said Paul Kocher, president at Cryptography Research. Now, governments are seeking to clean up those files. But retroactively redacting records to hide sensitive data that has appeared online or been sold to third parties, including large credit bureaus and foreign governments, amounts to “ putting the genie back in the bottle,” Kocher said. Perhaps no one has done more to draw attention to the issue of personal information on government Web sites than B.J. Ostergren, who describes herself as being “like a pit bull on steroids.” She began her crusade to keep public records off-line in 2002, when she learned that Hanover County, Va., was planning to put public documents on the Internet. Ostergren waged a letter-writing campaign that marshaled enough resistance to stop the county’s initiative in its tracks. Emboldened by that success, she has waged other battles, at times prevailing on local governments to remove online records and take down entire Web sites. Public officials who cross Ostergren run the risk of having their personal information posted on her Web site. She recently took Federal Computer Week on a guided tour of government Web sites, such as one maintained by Escambia County, Fla., that post personal information. Pointing and clicking, Ostergren pulled up warranty deeds, marriage records, court judgments, tax liens, deeds of trust and dissolution-of-marriage documents containing Social Security numbers, financial and personal information, even fingerprints. Since beginning her crusade, she has found John Travolta’s marriage license and Colin Powell’s Social Security number. The most egregious thing she has found online was a name-change document filed by a woman who had been stalked and feared for her life. The public record disclosed the woman’s Social Security number, current address, telephone number, her mother’s maiden name and other identifying information. The site was shut down within 24 hours. “We are really a stupid country to let this happen,” Ostergren said. States have struggled at times to implement legislative solutions for disseminating public records via the Internet while protecting privacy. The Florida Legislature passed a law several years ago that requires localities to scrub Web sites of personally identifiable information in public records. Lack of funds and other impediments have resulted in two extensions of the compliance deadline. Localities now have until 2011 to abide by the law. In Texas, the attorney general issued an opinion earlier this year that made county and court clerks liable for the distribution of credit information. Panicked clerks shut down Web sites, a move that disrupted commercial data firms like LexisNexis and credit and title companies that rely on the information. In the end, the attorney general retracted his opinion, and Texas lawmakers passed a bill that essentially relieves clerks from liability associated with the posting of personal information. “Technology always outpaces our legal system,” said Mike Osbourn, planning coordinator of Cumberland County, N.C. By linking various databases, Cumberland provides one-stop, online availability of information that in the past was scattered in several physical locations. Despite the challenges, some localities have nonetheless succeeded in filtering out sensitive information. David Ellspermann, clerk of the Circuit Court for Marion County, Fla., removed Social Security, credit card and bank numbers from more than seven million records. The good news is that less than 3 percent of the documents contained a Social Security number. But “if you were that person, that didn’t matter,” he said.

Mass. flubs e-data release

A glitch in the implementation of new software resulted in a Massachusetts state agency releasing 28 computer disks in September that contained the Social Security numbers of 450,000 professional people licensed by the state.

The state’s Division of Professional Licensure began using new software Sept. 11 that failed to extract Social Security numbers when transferring information from databases to disks mailed to private companies, the agency said in a written statement.
The state routinely provides information on licensed professionals — without Social Security numbers — to marketing agencies and
other private companies that request it in
accordance with Massachusetts public-records law.

Licensed professionals whose private information was compromised included nurses, pharmacists, real estate brokers, hairdressers and psychologists.

The state’s Office of Consumer Affairs and Business Regulation disclosed the security breach in an Oct. 3 news release, more than three weeks after the error occurred.

The last of the missing disks, which contained thousands of nursing home administrators’ Social Security numbers, was recovered Oct. 19.
Some but not all recipients of the disks have certified that they purged sensitive data downloaded to their systems.

Pending a review of security protocols, the state suspended fulfillment of similar requests for public information.
“We plan to implement strict guidelines and create protocols to ensure the personal information of the commonwealth’s license holders is protected,” said Dan O’Connell, state secretary of Housing and Economic Development, the office with oversight of the affected agencies.

— John Pulley

Download

Find a link to a Web extra
article on automated
redaction tools and services on FCW.com’s Download at www.fcw.com/download.





















The road to nowhere






































Pulley is a freelance writer based in Arlington, Va.
X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.