State Cannot Force Removal of SSNs From Privacy Advocate's Site

jvatcw brings us a story about Betty Ostergren, who operates a website dedicated to pointing out the social security numbers visible in public records. The purpose of the site is to raise awareness of privacy concerns regarding the personal information shared in Virginia's governmental websites. Legislation was introduced in Virginia to combat Ostergren's website, but last Friday a judge shot down the attempt to censor her, writing, "It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by government to protect the private information of individuals."

How about something better?

[dsginter]

Can the states force the credit reporting agencies to allow citizens to lock their credit reports? The whole idea of identity theft is crazy - it could be trivially fixed with one-time passwords that people give out only when they need to.

But then we couldn't make money on credit monitoring services, now, could we?

Re:How about something better?

[nine-times]

How about we just stop using social security numbers as though they're some sort of magical security token? It was never designed for that purpose, and if you put the slightest bit of thought into it, you immediately realize that it's not secure at all. People act like it's some sort of super-secure password that authenticates who you are, but then you're basically required to give out that password to random people on a semi-regular basis.

In modern times, with ubiquitous computing, it seems like there must be a better way. Hell, issue every man, woman, and child something comparable to an SSL certificate and have the government (or credit agencies) run the analog of the root servers. It may not be a perfect idea, but it'd be better than this.

Re:How about something better?

[plasmacutter]

can the states make credit reports illegal?

that would be better than band-aiding a broken system.

credit reports exist to put you at the mercy of the debt collection industry.

The system is perverse, requiring you to go into debt in order to qualify for a mortgage, but providing no recourse when they make mistakes.. even though those mistakes can be as horrific for the victims as false accusations of pedophilia

Re:How about something better?

[russotto]

credit reports exist to put you at the mercy of the debt collection industry.

No, credit reports exist to help lenders decide how much of a risk you are. By the time a debt ends up in the hands of the debt collection industry, your credit report is already fucked.

The system is perverse, requiring you to go into debt in order to qualify for a mortgage, but providing no recourse when they make mistakes.. even though those mistakes can be as horrific for the victims as false accusations of pedophilia

That's certainly not true; there is recourse for erroneous information on your credit report. You can argue that it isn't good enough, or it is too cumbersome, but it isn't "no recourse".

As for going into debt to qualify for a mortagage.. eh. All you have to do is put your routine expenses on a credit card and pay it off in full each month. You get free use of money and you build credit history. If you can't do that (other than in a number of exceptional situations), you probably shouldn't qualify for a mortgage.

Re:How about something better?

[davolfman]

To be honest the credit reporting agency and the bank filing the report should be liable for libel every time they record a false entry.

Re:How about something better?

[Stellian]

I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

The artificial distinction of allowing trusted people (banks, the phone company) access to your identity, while keeping it a secret for the general public (that includes identity thieves) is childish. As it is the attempt to criminalize the act of compiling a list of people's identity using public data - all identity data is public to some extent, by definition; if it's not public, it does not identify you. Compiling lists of public information is a clear example of free speech.

The term of "identity theft" is a copious misnomer perpetrated on the public by the credit industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.

After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ? The bank has little incentive to properly authenticate the guy: they want as much customers as possible, and be competitive: they reduce fraud to acceptable levels, until fighting against it is more costly than the actual money saved. The devastating consequences that "ID theft" has over an individual's live becomes an externality for banks. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so It's unreasonable to require me to protect my identity from "theft".

You can find an excellent written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html

The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
Devising more intricate ways to keep our identity data "secret" is just band-aid.

(I fully agree there are other reasons to wanting to have your data private, such as, well... privacy; ID "theft" should not be one of them)

Re:How about something better?

[ChaosAddict]

Even better, it puts some of the responsibility on the victim. If someone takes your laptop, then there's always the idea that you didn't guard it well enough. How are you supposed to protect from theft something that everyone has access to, and that you're required to give out constantly?

Re:How about something better?

[DavidTC]

I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

Don't just wonder about it. Refuse to use the term, like I do.

The correct term is fraud, and the victim is the business that got defrauded.

These businesses use the term 'identify theft' so their reaction to their own defrauding, which 'blame some random person who has nothing to do with it', isn't recognized as the criminal action it is. But the injury to 'victims' isn't coming from the person who committed the fraud. People whose identities are 'stolen' are not the victims of identity thieves. They're the victims of the victims of identity thieves.

People who have had their 'identity stolen' need a good lawyer to sue the ass off everyone who, when they got defrauded, didn't immediately fix the issue. It is in no way your responsibility that other individuals and businesses do not have stricter checking of identity, and you should be able to sue that business for every second of time and money their lax policies cost you in cleaning it up.

They can, of course, then sue to recover that money from the person who defrauded them, but that's not relevant to the 'identity theft' 'victim'.

If someone steals my car, I do not have the right to steal your car. Even if the person stealing my car used your name to do so. Even if I'm clever enough to invent the term 'indirect car thief' for the original thief, and 'indirect car thief victim' for you, and hope that no one catches on that he didn't steal your car, I did.

Re:How about something better?

[Hyppy]

It would be hard to prove intent, though.

Re:How about something better?

That's a great idea. Once they are notified, should you get any grief after that point in time, I can't see how they are not liable. At that point in time, they are knowingly providing false information in writing which directly and financially harms you. Seems to me some needs to nail them hard with this. Hopefully class action status can be obtained. A couple 100-million in damages and I'd bet the credit agencies would suddenly given a dang that they are knowingly screwing people over.

Re:How about something better?

[nine-times]

although implementing it would cost billions of dollars to the government, banking, and insurance industries (among many others) that use SSNs to identify clients

Sure, it would cost money. Then again, how much money is lost to identity theft, including the money spent on identity theft protection and money spent on investigating identity theft claims. Given a long enough timeline of dealing with these issues, building a better solution might just save money.

Do you really think that Mom & Pop Bank in rural North Dakota has any ability to modify their banking systems to work with such a scheme when they can't even make a web site? I don't.

So give small banks a tax break on hiring an IT guy trained to deal with this stuff. I don't really know the best solution there, but it doesn't seem like an insurmountable problem.

Re:How about something better?

[PPH]

The 'other' problem with SSNs is that they are a ubiquitous form if identification in society today.

Certainly, they are not useful for authentication purposes. But what they were intended for, a unique identification for the purposes of tax and Social Security data becomes a problem when it slips out into other parts of people's lives. Aside from entities (banks, employers, etc.) who have a legislated need to identify me as a unique individual, not many other people do. I have the right to receive my monthly p0rn subscription, contribute to Greenpeace, call all those 1-900 numbers for $5.99/min, and enroll my children in that hoity-toity private Christian school while maintaining deniability that the PPH engaged in one activity is the same as the others.

There are very few cases in which private businesses have the right to link my identity to the relationship I have with anyone else. I can give most a business who requests my SSN a phony number so long as I do so with no intent to commit fraud and the legal consequences are minimal.
 

Re:How about something better?

[hey!]

You've got the right kind of idea, but probably the wrong terminology.

What you are saying (if I may interpret broadly) is that credit reporting agencies have a duty of care towards the people whose information they traffic in. Naturally it would not be libel unless they were knowingly publishing defamatory information in a malicious or wildly irresponsible manner. Posting incorrect records in and of itself isn't anywhere near this standard.

And, in general, one is not liable for the criminal actions of others. So the falsehood being perpetrated by the identity thieves is not the responsibility of the agencies, who in a manner of speaking are a co-victim in that crime.

However, it is arguable that the agencies have a special duty to take reasonable care to prevent identity theft and to respond with prompt and reasonable action to any evidence or reports of identity theft. They have this duty because by trading in personal information, they exercise great power over the lives and reputations of others, a power from which they derive considerable economic benefit.

So the word you're looking for is negligence.

The problem with suing over this is putting a dollar figure on the damage done by the credit agencies' negligence. No dollar figure, nothing to sue for. What may be needed is for the legislature to create a statutory figure which could be used to sue the agencies.

Re:How about something better?

[mxs]

You never paid a single penny, other than your time invested. You got it taken care of in less than three hours. That is not guaranteed to be the case.

Furthermore, you have absolutely no idea what other databases this information has since been incorporated to. Hard to "fix" something you don't know exists.

It's sad this had to go to court.

[Trojan35]

I wonder, if it was a newspaper or CNN doing this, if this would have ever gotten that far.

Re:It's sad this had to go to court.

[gnick]

A newspaper (depending on the newspaper) or CNN would likely have published the story, but censored the SSNs. Otherwise their readers/viewers would have been angry with their news source for publicizing their information rather than the government for mishandling it.

Now if Ms Ostergren had censored the SSNs like the main stream media would have, I doubt that she would have been able to garner the attention that this story deserves.

Re:It's sad this had to go to court.

[Spy+der+Mann]

This has nothing to do with privacy. There is nothing "private" about a number used as a unique identifier in government databases. This is a security matter, and what she is doing is no different than posting an exploit.

Wrong. This is not just posting an exploit. This is like using an exploit, getting people's passwords and and posting them.

Re:It's sad this had to go to court.

[gnick]

Also, it doesn't sound like she's just shot-gunning out every SSN she finds. FTA:

Ostergren routinely posts the Social Security numbers of high-profile individuals that she claims to have easily obtained from county and state government Web sites. The list includes former Florida Gov. Jeb Bush, former U.S. Secretary of State Colin Powell, former U.S. House Majority Leader Tom DeLay, former Missouri Sen. Jean Carnahan and several county clerks in Virginia.

That doesn't say explicitly that she's not posting everything, but it does seem to imply that she's just calling out very public government figures. Sure it's a bid for attention, but it's an effective one. And, since it was the State that publicized them, it seems like she's re-publicizing just enough to call the appropriate level of attention to the issue. Good on her.

Re:It's sad this had to go to court.

[apoc.famine]

If by "exploit" you mean "looking at something through a window designed to allow you to do that and then posting a picture of what's inside", I'd agree. There is no "exploit" - the system was DESIGNED to be transparent. What she's pointing out is that if you design it like that, then put things you don't want people to see inside, PEOPLE CAN SEE THOSE THINGS!

It's like putting in a plate glass window, then hanging your underwear in front of it. When someone takes a picture of it and posts it, you complain and sue, rather than A) Removing the underwear, or B) covering the window. The window was your doing, and the underwear was your doing - all they did was draw attention to the fact that you might not want to do one of the two.

In case this poor analogy isn't completely clear, the state could have either A) Disallowed access to this information all together, or B) not have included the SSNs. Instead they tried to use legal means to fix their stupidity.

Re:It's sad this had to go to court.

[avandesande]

To her benefit it should be noted that these SSNs really don't hurt anyone, since they are very public figures.
I think a 15 year old cracker would have a hard time impersonating Colin Powell.

Serious Push Back

[curmudgeon99]

How refreshing it is to see judges finally waking up to the abuses our government is making. In the past year the judicial branch has made me want to stand up and cheer, with the pushback against the Bush administration and now--here--trying to stop legislatures from hiding their mistakes.

Re:Serious Push Back

[holmedog]

Not me. It's not the judicial branches job to make legislation, and every time they do they make more power for themselves. I'm glad when they do like this judge and simply strike something down. I'm sad when they do you like you suggest and "pushback".

Re:Serious Push Back

[orgelspieler]

Absolutely couldn't agree more. When I hear people say "activist judges" I just want to scream. Would they prefer lazy judges who don't take their role in the balance of power seriously?

If people want judges to stop interpreting the law (which is their job), then they need to demand that the legislative branch do a better job of writing laws that don't need interpretation. Just think, if the Bill of Rights had been elaborated just a bit as to the meaning of each phrase and clause, we wouldn't need to have judges and lawyers arguing about 18th century word definitions and grammatical comma placement practices.

But writing better laws would only fix part of the problem. These complainers need to demand that the executive branch do a better job enforcing the laws, too. They could start by kindly asking the President to stop making signing statements for everything that crosses his desk.

If well-written constitutionally valid laws were enforced impartially and regularly, judges would have a lot less to be "activist" about.

Re:Serious Push Back

[Nimey]

You're mistaken. Judicial activism is defined as what a judge does which the speaker does not like.

I'm still waiting for those complainers to start using the phrase "executive activism". I predict it'll start once a Democrat takes office.

Private information??

[homer_s]

demonstrate the lack of care being taken by government to protect the private information of individuals."

Why is a social security number, a number that helps the social security administration track payments, 'private information'?
Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.

Re:Private information??

[i.r.id10t]

Because some programmers and record keepers decided years ago that it would make a good primary key for their db...

Re:Private information??

[metamatic]

Yeah, I had exactly the same idea over 3 years ago. It doesn't even need to be the government that does it.

Re:Private information??

[DavidTC]

It is a good primary key.

The problem is that quite a few places decided to use it as authentication, which isn't a programming or indexing issue at all.

Government

[suck_burners_rice]

Yes, the judge is right about this one. Censorship of this type is the classic way that government can sweep the bad things it does under the rug. We have to always keep in mind that "the government" is not some sort of ethereal force out there. It's a bunch of guys (and women) who happen to have been placed in a position of power, whether it's someone elected to office or that clerk at the local [insert government office here] who likes to be a jerk and inconvenience people because it gives him a power trip to feel like he's the king of some tiny kingdom. We always have to remember that. Just because someone is in "the government" does not make that person special or give that person any special rights whatsoever. Thus, the judge should not do anything about that website, but should force the government to fix its problems.

Assume

[Archangel+Michael]

The problem is that we tend to assume that SS# is "private". It isn't.

We (collectively everyone) ought to just assume that our SS# and lives are being tracked, because we are.

I live my life as if I'm being tracked. I don't own a Credit Card because of it. I don't want my purchases being tracked and traced. I pay cash, which is getting harder and harder to do.

And that stupid VISA commercial where everything stops when a person uses cash, is not helping.

And the loss of community has really pushed the anonymity movement. In days of old, you had to have a "relationship" with the people who bought and sold. Somewhere along the way, that was lost in favor of cheaper prices. We have, collectively, started to see the repercussions of this throughout society.

Now, to buy big ticket items, all you need is a fake ID, a Good SS#, and be gone, and nobody seems to care that we've lost the humanity in the process.

Re:Amazing

[joelwyland]

You apparently missed the whole point. This information is already out there because the government is mishandling it. The reason the judge isn't forcing them off the web is because it's the perfect way to show the government is incompetent so that it can be FIXED. It won't be fixed if it gets buried.

Re:ID Theft Field Day?

[mapsjanhere]

Good idea - as long as they waive their sovereign immunity, and that of their employees, in the same law. Otherwise all it does is censor the critics and allow business as usual.

Re:ID Theft Field Day?

[be951]

Uh, that's the whole point. The state is providing the numbers online already. She's just drawing attention to it.

Why bother protecting SSNs?

That horse is well out of the barn. They're widely available anyway. The real problem is that people accept "knowledge of SSN" as authentication, not that SSNs get disclosed. Fundamentally, your SSN is your (disambiguated) name, and we don't expect names to be kept off public records.

What should be done is legislation to require better authentication.

Let me get this straight.

[k1e0x]

* A concerned citizen found SSN Numbers in public that the goons government didn't care to protect.

* Government goons ignored her when she brought this to their attention (over several years).

* She then created a website to expose this act of government incompetence to the public. She posted SSN number of people like Colin Powell and Jeb Bush.

* The Government goons intended to crack down on her and make the act of exposing their incompetence illegal. Essentially saying that it was illegal for her to do exactly the same thing they were already doing, and were undoubtedly going to continue to do.

That is insane

No longer is government concerned with addressing problems it has, now it wants to shut people up who air their dirty laundry. This is *exactly* like the MIT Subway hacker case. This lady is a hero, Government MUST be accountable for its actions when they are operating in error.