State Cannot Force Removal of SSNs From Privacy Advocate's Site

jvatcw brings us a story about Betty Ostergren, who operates a website dedicated to pointing out the social security numbers visible in public records. The purpose of the site is to raise awareness of privacy concerns regarding the personal information shared in Virginia's governmental websites. Legislation was introduced in Virginia to combat Ostergren's website, but last Friday a judge shot down the attempt to censor her, writing, "It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by government to protect the private information of individuals."

How about something better?

[dsginter]

Can the states force the credit reporting agencies to allow citizens to lock their credit reports? The whole idea of identity theft is crazy - it could be trivially fixed with one-time passwords that people give out only when they need to.

But then we couldn't make money on credit monitoring services, now, could we?

Re:How about something better?

[MarkvW]

I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

In "identity theft" the thief is the bad guy and the credit card company's responsibility is ignored.

Re:How about something better?

[jedidiah]

Being willing and able to monitor your own credit still isn't enough.

Not being willing to accept or use "credit" isn't sufficient either.

All it takes is one abusive merchant to initiate a "collection" against
you. It won't matter if it's a genuine billing dispute or not. That
"black mark" will end up in your report. The relevant parties will be
unwilling to remove it, and everyone else will use it against you.

Re:How about something better?

[nine-times]

How about we just stop using social security numbers as though they're some sort of magical security token? It was never designed for that purpose, and if you put the slightest bit of thought into it, you immediately realize that it's not secure at all. People act like it's some sort of super-secure password that authenticates who you are, but then you're basically required to give out that password to random people on a semi-regular basis.

In modern times, with ubiquitous computing, it seems like there must be a better way. Hell, issue every man, woman, and child something comparable to an SSL certificate and have the government (or credit agencies) run the analog of the root servers. It may not be a perfect idea, but it'd be better than this.

Re:How about something better?

[Archangel+Michael]

IF I don't use credit, then a "black mark" is meaningless.

And, with all those "black marks" on my credit, then anyone accepting my SS# and credit history, gets what they deserve.

But you raise an interesting point, though it is obscured. If I don't use credit, and someone issues credit in my name to someone other than me, how would I prove it? How would I even know it?

In that case, the credit companies have broken system (yeah, we all know it too). In this case, I'd sue everyone involved ruining my reputation.

I'm wondering why nobody has gone after them for slander or libel (which ever applies), in a civil tort?

Re:How about something better?

[russotto]

credit reports exist to put you at the mercy of the debt collection industry.

No, credit reports exist to help lenders decide how much of a risk you are. By the time a debt ends up in the hands of the debt collection industry, your credit report is already fucked.

The system is perverse, requiring you to go into debt in order to qualify for a mortgage, but providing no recourse when they make mistakes.. even though those mistakes can be as horrific for the victims as false accusations of pedophilia

That's certainly not true; there is recourse for erroneous information on your credit report. You can argue that it isn't good enough, or it is too cumbersome, but it isn't "no recourse".

As for going into debt to qualify for a mortagage.. eh. All you have to do is put your routine expenses on a credit card and pay it off in full each month. You get free use of money and you build credit history. If you can't do that (other than in a number of exceptional situations), you probably shouldn't qualify for a mortgage.

Re:How about something better?

[davolfman]

To be honest the credit reporting agency and the bank filing the report should be liable for libel every time they record a false entry.

Re:How about something better?

[Stellian]

I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

The artificial distinction of allowing trusted people (banks, the phone company) access to your identity, while keeping it a secret for the general public (that includes identity thieves) is childish. As it is the attempt to criminalize the act of compiling a list of people's identity using public data - all identity data is public to some extent, by definition; if it's not public, it does not identify you. Compiling lists of public information is a clear example of free speech.

The term of "identity theft" is a copious misnomer perpetrated on the public by the credit industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.

After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ? The bank has little incentive to properly authenticate the guy: they want as much customers as possible, and be competitive: they reduce fraud to acceptable levels, until fighting against it is more costly than the actual money saved. The devastating consequences that "ID theft" has over an individual's live becomes an externality for banks. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so It's unreasonable to require me to protect my identity from "theft".

You can find an excellent written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html

The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
Devising more intricate ways to keep our identity data "secret" is just band-aid.

(I fully agree there are other reasons to wanting to have your data private, such as, well... privacy; ID "theft" should not be one of them)

Re:How about something better?

[ChaosAddict]

Even better, it puts some of the responsibility on the victim. If someone takes your laptop, then there's always the idea that you didn't guard it well enough. How are you supposed to protect from theft something that everyone has access to, and that you're required to give out constantly?

Re:How about something better?

[DavidTC]

I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

Don't just wonder about it. Refuse to use the term, like I do.

The correct term is fraud, and the victim is the business that got defrauded.

These businesses use the term 'identify theft' so their reaction to their own defrauding, which 'blame some random person who has nothing to do with it', isn't recognized as the criminal action it is. But the injury to 'victims' isn't coming from the person who committed the fraud. People whose identities are 'stolen' are not the victims of identity thieves. They're the victims of the victims of identity thieves.

People who have had their 'identity stolen' need a good lawyer to sue the ass off everyone who, when they got defrauded, didn't immediately fix the issue. It is in no way your responsibility that other individuals and businesses do not have stricter checking of identity, and you should be able to sue that business for every second of time and money their lax policies cost you in cleaning it up.

They can, of course, then sue to recover that money from the person who defrauded them, but that's not relevant to the 'identity theft' 'victim'.

If someone steals my car, I do not have the right to steal your car. Even if the person stealing my car used your name to do so. Even if I'm clever enough to invent the term 'indirect car thief' for the original thief, and 'indirect car thief victim' for you, and hope that no one catches on that he didn't steal your car, I did.

Re:How about something better?

[JoJo's883]

Trying to get thru life in the US without "credit" today is near impossible. Cars, mortgage, college loans, etc Regarding the abusive merchant, I went thru 14 years (yes years) of fighting Amex to get them to stop billing me for an ISP bill out of Australia, on a card that had been cancelled 3 years prior to them accepting the ISP charges. This made it all the way to a collection agency even though Amex readily admitted they were not my charges. After submitting complaints thru the Better Business Bureau, FDIC, and any other agency they finally stopped. The down side is that the black mark made it into one of the three major credit reporting agencies. Getting it off has been another round of headaches. The best part of the whole adventure was when I spoke with Amex on the phone and they told me it was too small of an amount for them to waste time on resolving it...

Re:How about something better?

[Hyppy]

It would be hard to prove intent, though.

Re:How about something better?

[nine-times]

although implementing it would cost billions of dollars to the government, banking, and insurance industries (among many others) that use SSNs to identify clients

Sure, it would cost money. Then again, how much money is lost to identity theft, including the money spent on identity theft protection and money spent on investigating identity theft claims. Given a long enough timeline of dealing with these issues, building a better solution might just save money.

Do you really think that Mom & Pop Bank in rural North Dakota has any ability to modify their banking systems to work with such a scheme when they can't even make a web site? I don't.

So give small banks a tax break on hiring an IT guy trained to deal with this stuff. I don't really know the best solution there, but it doesn't seem like an insurmountable problem.

Re:How about something better?

[berashith]

what about negligence. If you ask for something to be removed that gets replaced in an automated fashion the next month, then there is a proveable disregard for accuracy. It isnt libel, but taking the cheap and easy way can provide known incorrect information.

Re:How about something better?

[PPH]

The 'other' problem with SSNs is that they are a ubiquitous form if identification in society today.

Certainly, they are not useful for authentication purposes. But what they were intended for, a unique identification for the purposes of tax and Social Security data becomes a problem when it slips out into other parts of people's lives. Aside from entities (banks, employers, etc.) who have a legislated need to identify me as a unique individual, not many other people do. I have the right to receive my monthly p0rn subscription, contribute to Greenpeace, call all those 1-900 numbers for $5.99/min, and enroll my children in that hoity-toity private Christian school while maintaining deniability that the PPH engaged in one activity is the same as the others.

There are very few cases in which private businesses have the right to link my identity to the relationship I have with anyone else. I can give most a business who requests my SSN a phony number so long as I do so with no intent to commit fraud and the legal consequences are minimal.
 

Re:How about something better?

[rgviza]

>After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ?

You don't.
You will get a collection call.
At that point, you can ask them to fax you a copy of the signature they have, where you agreed to the credit contract.

They won't have it. Then you call the bureaus, and request your free copy of the report. When you get it, call back and talk to someone on the phone. They'll take it right off your report.

It took me less than an hour each of the 3x that Household Bank got ripped off by someone using my info. Never paid a single penny...

-Viz

Re:How about something better?

[torkus]

Have you read the small print you sign when filling out any credit app?

No, neither have I.

I'll bet you some karma that it includes a liability waiver for the company you're applying with and the reporting credit bureaus as well.

Re:How about something better?

[Matt+Perry]

But I live above my means, because I don't pay interest on things I don't need. I don't buy things before I can afford them.

You mean you live below your means. If you lived above your means, you'd be spending more than you earn.

Re:How about something better?

[cayenne8]

While I applaud not living beyond your means, not buying things before you can afford them (and this works I think on 99% of all things)....I'm wondering how you do own a house, and take care of say and emergency without at least some form of credit.

I was in horrible credit card debt hell post-Katrina. But, I got good settlements on my lost car and other things...and along with some other good fortune that came out of all that mess...I"m virtually debt free. All cards paid off, only a car and motorcycle note right now. I never intend to go into hard debt again. For 99% of all purchases I do, I pay cash.

But, I do have credit cards. I keep them mostly for emergencies, and for buying gas at places like Sam's that don't take cash at the pumps. What I do charge, I pay off in full each month, so that is basically like using cash.

I'm actually wanting to trade a card or so in for ones that earn cash back or airline mileage...which actually pay you to use them.

I'm curious how you go totally without credit. I have mine, and use it sparingly, and responsibly...I'm not sure I could go completely off them. I'd always want one around, just for an emergency....say like the coming hurricane. Last time for Katrina, I rode out with friends. After a period, I had to rent a car, and that is virtually impossible to do these days w/o a credit card.

I'd be interested in hearing the details of how you go completely without them....

Thanks...

Re:How about something better?

[hey!]

You've got the right kind of idea, but probably the wrong terminology.

What you are saying (if I may interpret broadly) is that credit reporting agencies have a duty of care towards the people whose information they traffic in. Naturally it would not be libel unless they were knowingly publishing defamatory information in a malicious or wildly irresponsible manner. Posting incorrect records in and of itself isn't anywhere near this standard.

And, in general, one is not liable for the criminal actions of others. So the falsehood being perpetrated by the identity thieves is not the responsibility of the agencies, who in a manner of speaking are a co-victim in that crime.

However, it is arguable that the agencies have a special duty to take reasonable care to prevent identity theft and to respond with prompt and reasonable action to any evidence or reports of identity theft. They have this duty because by trading in personal information, they exercise great power over the lives and reputations of others, a power from which they derive considerable economic benefit.

So the word you're looking for is negligence.

The problem with suing over this is putting a dollar figure on the damage done by the credit agencies' negligence. No dollar figure, nothing to sue for. What may be needed is for the legislature to create a statutory figure which could be used to sue the agencies.

Re:How about something better?

[Archangel+Michael]

The fridge went on the fritz last week, and I fixed it myself. I wouldn't be much of a geek if I couldn't fix things that break. Somethings aren't worth fixing, and I have a slush fund for such things, or I miss my next vacation. Or, I'll do a couple extra side jobs to pay for the nicer things in life.

I don't do without. I do without things I don't "need".

Re:How about something better?

[mxs]

You never paid a single penny, other than your time invested. You got it taken care of in less than three hours. That is not guaranteed to be the case.

Furthermore, you have absolutely no idea what other databases this information has since been incorporated to. Hard to "fix" something you don't know exists.

It's sad this had to go to court.

[Trojan35]

I wonder, if it was a newspaper or CNN doing this, if this would have ever gotten that far.

Re:It's sad this had to go to court.

[gnick]

A newspaper (depending on the newspaper) or CNN would likely have published the story, but censored the SSNs. Otherwise their readers/viewers would have been angry with their news source for publicizing their information rather than the government for mishandling it.

Now if Ms Ostergren had censored the SSNs like the main stream media would have, I doubt that she would have been able to garner the attention that this story deserves.

Re:It's sad this had to go to court.

[TubeSteak]

The ends don't justify the means. She's trying to advocate privacy by decreasing individual's privacy if I'm understanding this. She's saying "this is wrong that your social security number is printed on X public document, so I'm going to post it online to dramatically increase the amount of people who can see it and increase your chances of identity theft."

You missed one important detail.
The records she is putting up on her website are already online.
That pretty much knocks the bottom out of your argument.

Re:It's sad this had to go to court.

[Spy+der+Mann]

This has nothing to do with privacy. There is nothing "private" about a number used as a unique identifier in government databases. This is a security matter, and what she is doing is no different than posting an exploit.

Wrong. This is not just posting an exploit. This is like using an exploit, getting people's passwords and and posting them.

Re:It's sad this had to go to court.

[gnick]

Also, it doesn't sound like she's just shot-gunning out every SSN she finds. FTA:

Ostergren routinely posts the Social Security numbers of high-profile individuals that she claims to have easily obtained from county and state government Web sites. The list includes former Florida Gov. Jeb Bush, former U.S. Secretary of State Colin Powell, former U.S. House Majority Leader Tom DeLay, former Missouri Sen. Jean Carnahan and several county clerks in Virginia.

That doesn't say explicitly that she's not posting everything, but it does seem to imply that she's just calling out very public government figures. Sure it's a bid for attention, but it's an effective one. And, since it was the State that publicized them, it seems like she's re-publicizing just enough to call the appropriate level of attention to the issue. Good on her.

Re:It's sad this had to go to court.

[apoc.famine]

If by "exploit" you mean "looking at something through a window designed to allow you to do that and then posting a picture of what's inside", I'd agree. There is no "exploit" - the system was DESIGNED to be transparent. What she's pointing out is that if you design it like that, then put things you don't want people to see inside, PEOPLE CAN SEE THOSE THINGS!

It's like putting in a plate glass window, then hanging your underwear in front of it. When someone takes a picture of it and posts it, you complain and sue, rather than A) Removing the underwear, or B) covering the window. The window was your doing, and the underwear was your doing - all they did was draw attention to the fact that you might not want to do one of the two.

In case this poor analogy isn't completely clear, the state could have either A) Disallowed access to this information all together, or B) not have included the SSNs. Instead they tried to use legal means to fix their stupidity.

Re:It's sad this had to go to court.

[avandesande]

To her benefit it should be noted that these SSNs really don't hurt anyone, since they are very public figures.
I think a 15 year old cracker would have a hard time impersonating Colin Powell.

Serious Push Back

[curmudgeon99]

How refreshing it is to see judges finally waking up to the abuses our government is making. In the past year the judicial branch has made me want to stand up and cheer, with the pushback against the Bush administration and now--here--trying to stop legislatures from hiding their mistakes.

Re:Serious Push Back

[holmedog]

Not me. It's not the judicial branches job to make legislation, and every time they do they make more power for themselves. I'm glad when they do like this judge and simply strike something down. I'm sad when they do you like you suggest and "pushback".

Re:Serious Push Back

[plasmacutter]

"betamax" under your definition is also "judicial activism".

rulings like that are a common function of the judicial system, and if congress finds it objectionable they can specifically address it with legislation.

Re:Serious Push Back

[orgelspieler]

Absolutely couldn't agree more. When I hear people say "activist judges" I just want to scream. Would they prefer lazy judges who don't take their role in the balance of power seriously?

If people want judges to stop interpreting the law (which is their job), then they need to demand that the legislative branch do a better job of writing laws that don't need interpretation. Just think, if the Bill of Rights had been elaborated just a bit as to the meaning of each phrase and clause, we wouldn't need to have judges and lawyers arguing about 18th century word definitions and grammatical comma placement practices.

But writing better laws would only fix part of the problem. These complainers need to demand that the executive branch do a better job enforcing the laws, too. They could start by kindly asking the President to stop making signing statements for everything that crosses his desk.

If well-written constitutionally valid laws were enforced impartially and regularly, judges would have a lot less to be "activist" about.

Re:Serious Push Back

[Nimey]

You're mistaken. Judicial activism is defined as what a judge does which the speaker does not like.

I'm still waiting for those complainers to start using the phrase "executive activism". I predict it'll start once a Democrat takes office.

Meanwhile...

[bigtallmofo]

In other news, the IRS reports that they are finally cracking down on long-time tax evader Betty Ostergren for failure to report as income the $10 her grandmother gave her in a birthday card in 2005. Ms. Ostergren faces up to 10 years in prison and a fine of $300,000.

They already do allow that for free

[bigtallmofo]

Can the states force the credit reporting agencies to allow citizens to lock their credit reports?

http://www.google.com/search?hl=en&q=how+to+freeze+credit+report

This is already available, and it's free. Just like opting out of marketing offers.

Re:They already do allow that for free

[Ambiguous+Puzuma]

The fees (if any) associated with credit freezes vary from state to state.
http://www.consumersunion.org/campaigns/learn_more/003484indiv.html

Private information??

[homer_s]

demonstrate the lack of care being taken by government to protect the private information of individuals."

Why is a social security number, a number that helps the social security administration track payments, 'private information'?
Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.

Re:Private information??

[i.r.id10t]

Because some programmers and record keepers decided years ago that it would make a good primary key for their db...

Re:Private information??

[k2enemy]

Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.

Exactly. I wish the govt would just announce that on January 1, 2009 they will put up a website that publicly reveals everyone's SSN. Banks and other institutions have until then to work out some other means of authentication.

Re:Private information??

[metamatic]

Yeah, I had exactly the same idea over 3 years ago. It doesn't even need to be the government that does it.

Re:Private information??

[DavidTC]

It is a good primary key.

The problem is that quite a few places decided to use it as authentication, which isn't a programming or indexing issue at all.

Re:Private information??

[Sentry21]

I often wonder why the SSN in the US is so dreadfully pervasive as 'proof of identity' (which it's not), and why people insist on using it. Sure, it's globally unique, but that doesn't mean anything.

In Canada, our equivalent, the Social Insurance Number (SIN), has somewhat evolved into a de facto ID, the same way the SSN has, but there are restrictions. Unless a company is asking for your SIN for a reason specifically permitted by law (or no other ID would suffice), it may not refuse products or services as a result of refusal to provide your SIN.

The Office of the Privacy Commissioner of Canada has a fact sheet on the SIN and its use in Canada, which is worth reading for any Canadians with a SIN, or any Americans who wish their governments had a clue.

Government

[suck_burners_rice]

Yes, the judge is right about this one. Censorship of this type is the classic way that government can sweep the bad things it does under the rug. We have to always keep in mind that "the government" is not some sort of ethereal force out there. It's a bunch of guys (and women) who happen to have been placed in a position of power, whether it's someone elected to office or that clerk at the local [insert government office here] who likes to be a jerk and inconvenience people because it gives him a power trip to feel like he's the king of some tiny kingdom. We always have to remember that. Just because someone is in "the government" does not make that person special or give that person any special rights whatsoever. Thus, the judge should not do anything about that website, but should force the government to fix its problems.

Re:Government

[Jason+Levine]

We have to always keep in mind that "the government" is not some sort of ethereal force out there. It's a bunch of guys (and women) who happen to have been placed in a position of power, whether it's someone elected to office or that clerk at the local [insert government office here] who likes to be a jerk and inconvenience people because it gives him a power trip to feel like he's the king of some tiny kingdom. We always have to remember that. Just because someone is in "the government" does not make that person special or give that person any special rights whatsoever.

(Not to drift too far OT, but....)

This was just the argument I was making to a friend of mine during a discussion of anti-terrorism laws. He was of the opinion that we shouldn't disallow warrantless surveillance just because it "might" be abused "someday" since it would definitely (in his opinion) help us catch terrorists. He thought that doing otherwise was shackling the hands of law enforcement. I countered that, while law enforcement might like to conduct surveillance without a warrant, it was too ripe for abuse. Our Founding Fathers knew what it was like to live under a government that didn't listen to the people and abused its power. That's why our government is designed with checks and balances. Any law/policy that removes the checks and balances from a governmental agency (say, no warrants required) is highly dangerous and likely unconstitutional.

Of course, my friend chose not to see the danger and just assumed that: 1) he and I wouldn't be targeted, 2) if we were we would have recourse, and 3) the government would give up the powers after the fight was won. I pointed out the flaws in these arguments, but either I didn't do a good enough job or his mind was closed to all debate (probably the latter) because he remains convinced that giving the government unlimited power to "stop the terrorists" is a good idea. In fact, he went so far as to say that he wouldn't forgive me if I supported removal of those governmental powers and we got hit with another terrorist attack.

Then again, this friend also thinks that the fact that Obama's middle name is "Hussein" and his first name rhymes with "Osama" is just too coincidental to not mean something. It's really sad that the future of this country may be decided by people who think that being Conservative means unlimited Federal government power and wanting to curtail the Federal government is a sign of dangerous liberalism.

Assume

[Archangel+Michael]

The problem is that we tend to assume that SS# is "private". It isn't.

We (collectively everyone) ought to just assume that our SS# and lives are being tracked, because we are.

I live my life as if I'm being tracked. I don't own a Credit Card because of it. I don't want my purchases being tracked and traced. I pay cash, which is getting harder and harder to do.

And that stupid VISA commercial where everything stops when a person uses cash, is not helping.

And the loss of community has really pushed the anonymity movement. In days of old, you had to have a "relationship" with the people who bought and sold. Somewhere along the way, that was lost in favor of cheaper prices. We have, collectively, started to see the repercussions of this throughout society.

Now, to buy big ticket items, all you need is a fake ID, a Good SS#, and be gone, and nobody seems to care that we've lost the humanity in the process.

Re:Assume

[Archangel+Michael]

You assume too much.

I own my cars, paid cash for each of them. I own my house, never had a loan on it.

Just because 99.99999% of the population does it one way, doesn't mean everyone does.

I'll tell you the next hardest thing to do without credit (cards) is rent a car. It can be done, but not easily.

And no, I don't own a tin foil hat.

Re:Assume

[kabocox]

And the loss of community has really pushed the anonymity movement. In days of old, you had to have a "relationship" with the people who bought and sold. Somewhere along the way, that was lost in favor of cheaper prices. We have, collectively, started to see the repercussions of this throughout society.

Now, to buy big ticket items, all you need is a fake ID, a Good SS#, and be gone, and nobody seems to care that we've lost the humanity in the process.

Define "big ticket items." I'd define it as cars, houses or more expensive than that. For that, the normal person takes out a loan with a bank. There is a lot of paper work involved and communications with sales people and folks at the bank. If your idea of "big ticket items" is between $500-3000, then it doesn't take anyone at a bank to stop or question the payment if you are in the habit of spending that kinda of money or the store that sells the item does normal business with the bank. If you bought a stove at sears or an ID theft did with your ID, then the bank or CC wouldn't question it much. If you bought 2+ stoves at sears or mom and pop we've never heard of store, the bank/CC may flag it and question if the store was trying to over charge/double charge their customer.

In the name of preventing ID theft, CC and banks are looking at your buying habits to see if you purchase anything odd. This should ring alarm bells, but doesn't for some reason. Oh well, its not like the CC or banks do well at verifying you are who you claim to be. The banks/CC should just run their own biometric ID network that requires everyone that wants to use said network to submit finger prints, retina scans, DNA, foot prints, and thermal face scans to the issuing agency. The banks/CC could use all that crap to ID you and in the name of ID theft prevention to not give your resources to anyone else.

In the days of yore, the stores ID'd and monitored all their customers and knew exactly where they all worked/how much they made and if they were good for the credit that the store extended them. How is that much different today rather than the min. wage sales person not knowing all that crap about you? The CC and the store in general most likely does know it, it just takes more effort on the stores part to find out the info as long as they get paid by a CC/bank they don't care if it was you or an ID theif though.

Re:Assume

[geekoid]

Yes, but you can't really expect a large group of people to consider the edge case.
The fact that you are in a rare position to ahve enough money to pay cash for houses and cars it really irrelevant to the conversation as a whole.

Re:Assume

[justinlee37]

Credit = interest. Interest = drain on resources.

Your equation is too simplistic. Oftentimes (although not always, especially in the current housing market), the equity gained from simply owning a home (not considering "sweat equity") is greater than the cost of the interest payments. In this context, getting a loan or a mortgage can be profitable.

You may not need credit, but if it can help you build equity profit earlier in life than you could with out it, then it is certainly better to have it than not to.

This even applies to your "sweat equity" argument -- you can get a mortgage to pay for that run-down house much earlier in life than you would without a mortgage, thereby increasing your gains.

My guess is that someone modded you -1 flamebait for displaying such a dismal grasp of investment analysis.

Re:Amazing

[joelwyland]

You apparently missed the whole point. This information is already out there because the government is mishandling it. The reason the judge isn't forcing them off the web is because it's the perfect way to show the government is incompetent so that it can be FIXED. It won't be fixed if it gets buried.

Re:ID Theft Field Day?

[mapsjanhere]

Good idea - as long as they waive their sovereign immunity, and that of their employees, in the same law. Otherwise all it does is censor the critics and allow business as usual.

Re:ID Theft Field Day?

[be951]

Uh, that's the whole point. The state is providing the numbers online already. She's just drawing attention to it.

If only they spent as much effort...

[txoof]

Instead of playing whack-a-mole-legislation with reporters and privacy advocates that point out problems, wouldn't our lawmakers efforts be better directed to fixing the privacy holes?

Someone has blown the whistle and turned on the flashing yellow klaxons to alert Virginia citizens and lawmakers to shoddy privacy practices. She's not trying to profit, she's probably not even trying to benefit from this work (except, perhaps in a very professional way). This woman is doing her civic and professional duty to solve what she sees as a problem.

Because she has no direct method for solving this problem, her only recourse is to alert her lawmakers and hope they fix the gigantic hole. Instead of whacking her with legislation, they should be carefully crafting legislation that provides guidelines and most importantly REAL FUNDING to help secure personal informaiton.

The problem is...

[afabbro]

• It is very difficult to change your SSN. No, being a victim of identity theft and having money stolen from your accounts is not sufficient reason.
• SSNs are often available even from people who've been careful.

To take a simple example: until 5-10 years ago, it was common to list SSNs in divorce filings. Get divorced and your SSN was listed in the filings, which are public records and can be looked at by anyone. Even today, in some states, you have to file a motion to have the SSN suppressed from the public version (routinely granted, but still it illustrates how common SSN publication is).

Publishing SSNs found in public certainly advertises the problem, but it also creates problems for innocent, even cautious people who have no way of fixing them.

Of course, the real problem is why we have tied so much personal information to a single government-issued number...perhaps because it's the only nationally unique identification number issued by the Federal government...

Re:The problem is...

[winwar]

"Actually, SSNs are never reused by the Social Security Administration. Ever."

That is incorrect. Some SSN's were issued to more than one person. Maybe not recently or correctly but they have existed.

Because asshat lenders are so quick to loan...

[BitterOldGUy]

money. And in this day and age where we can't do business with our local bank - they're all big monster impersonal mega banks that answer only to their shareholders - they lend money with the scantest "proof" of identity. It's no longer knowing personally your banker and your banker personally knowing you. It's all impersonal data in some monster database - we're now just a number: not a person.

I have seen folks who had credit opened in their name WITHOUT the crook using the SSN!

And, I attended a seminar with someone from Equifax. It is VERY common for another person's debt to be on your credit history - even though the SSNs are completely different. How? It happens the most to folks with very common names: example, Smith, Johnson, Andrews, etc....

Our credit system is a huge inaccurate mess. That's why it is extremely important to monitor your credit or, even better, freeze it.

*swish*

Cute, but completely impossible scenario.

I bet you're a sack of laughs at the movies.

"Exhilarating, but the laws of physics make such a maneuver impossible."
"Attractive, but you can clearly see airbrushing on the frames."
"Funny, but technically soda doesn't follow that trajectory when coming out one's nose."

Why bother protecting SSNs?

That horse is well out of the barn. They're widely available anyway. The real problem is that people accept "knowledge of SSN" as authentication, not that SSNs get disclosed. Fundamentally, your SSN is your (disambiguated) name, and we don't expect names to be kept off public records.

What should be done is legislation to require better authentication.

Re:ID Theft Field Day?

[L+Boom]

So to combat the stupidity of the State of Virginia, She goes on a tear of Stupidity of her own?

The next law the State of Virginia should pass in this vein is one that makes it a felony to post SSN's in public.

That's kind of the point: Ms. Ostergren got the numbers from publicly available, online state records in the first place, so the State of Virginia would, in fact, not be complying with its own law. She's doing this to ... wait for it ... attract enough attention to get a law passed so all SSNs would automatically be redacted at the document level so there would be no SSN information to reproduce downstream in the first place.

Government should redefine "privacy"

[ilovesymbian]

The government should redefine the word "privacy". Either reduce the power of the SSN or restrict the use of SSN in instances where it could lead to problems with public use.

And oh, make it illegal for programmers to include SSNs in SQL statements like "select * from records where ssn='xxx-xxx-xxxx'" and pass it through the URL.

We already have a LifeLock guy who goes around trumpeting his SSN and in spite of all his yak and promises, it gets abused. We don't need more people abusing SSNs this way, especially when its not theirs.

Re:ID Theft Field Day?

[Zymergy]

It's not so simple as that...
People file their SSN in Public Records all the time.
For example, I have seen numerous PUBLIC tax records on file in the County Clerk's Office (as well as the County and District Court Clerk's Offices in my state (Oklahoma).
The same is true for numerous Oil & Gas Leases filed publicly.

A better approach is the one Texas took a few years back, requiring anyone accessing the public documents to sign an sworn and notarized affidavit stating that any and all SSN that may be present in the course of their review of Texas public records will not be mis-used. This process was a temporary one where then entire body of records was reviewed for SSN content and numbers of living persons were "blacked out" from the public record documents. Also, if anyone file documents with SSN information they were asked to black it out before filing if the person was not deceased.
It is better to sat up a tax ID with the IRS and use that number for public records. (That way, people legitimately requiring the individual's SSN data must contact the IRS (or the individual) to gain access to said individual's SSN.

Making it a felony would would immediately shut down many county government record departments for years (not to mention the costs to purge the offending data from million sof pages of official public records in every county) and it would otherwise and make felons out of many people who freely file their SSN in the public record.

Also, Todd Davis better hope he does not live in Virginia when your law makes all of his commercials felonious...

Plan for a post-SSN America

[StreetStealth]

I don't think that's quite the way to go about it, but I think it would be good to start by outlawing (with penalties this time) its use for anything other than, you know, Social Security.

But we're just getting started here. Once the SSN has returned to the single use for which it was created, we need a vastly more secure system to replace it. Not a national ID number, but a transparent, authenticated system of personal financial metadata kept in a vault maintained by a consortium of Experian, TransUnion, and Equifax, under tight regulation by the feds.

Users would always be able to securely check the entirety of their personal data to ensure its correctness, would have a federally-mandated path of action to contest errors, and would have a simple method of offering disposable keys to financial institutions to verify their credit history.

The judge is smart... and dumb

[superdave80]

OK, so he properly ruled that she can list records that are already publicly available. Good for him. Then I read this amazing piece of idiocy:

He noted that the ruling may have been "very different" if Ostergren only listed Social Security numbers copied from records rather than the records themselves.

What?!?!? It's OK to show the whole record, but not part of the record? What the hell is the difference? The record already has the SSN in it.

Re:There is a credit freeze. Parent right.

[roaddemon]

I didn't pay any credit cards for a year, now I have an old fashioned credit freeze.

Mod my comment down!

[philspear]

Er, I'd really like to retract this post. It's not insightful, it's me not being awake and not RTFA. So this will probably be a /. first, but I would request someone to mod my own post (the one above) "overrated." She's not doing this to private citizens, the SSNs are already online, this doesn't seem like a bid for attention now that I have the facts straight.

I'm not sure why you can't delete your own post, but there should at least be a "mod my own comment down to '-1: redacted'" option.

Just publish them all already

[Antibozo]

It's high time the government simply published all SSNs. We are constantly forced to hand our SSNs over to banks, employers, phone companies, doctors, insurers, etc, and we have no way of knowing how many people have access to them. SSN is just an account number, but it's being used both as a unique identifier for individuals and as an authenticator, mostly because financial institutions are too lazy to develop their own authentication system. What's more, substantial parts of SSN are predictable with decent confidence given knowledge of a person's approximate place and time of birth. Meanwhile, SSN is next to impossible to change, so once it's compromised you're permanently screwed. It should be obvious that using SSN as an authenticator of any kind is pathologically stupid. It lacks every property good authenticators should have.

SSNs are not secret. Let's stop pretending that they are.

Bravo!!!

[rgviza]

>"It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by government to protect the private information of individuals."

A ****ing men. This is a judge that knows what's up.

I love what Betty Ostergren is doing. I've been a fan of hers since a few years ago when she was on 20/20 (I think) and they went over what she is doing. Arizona and Florida immediately started programs to black out people's SSN's on their public records when they saw her site. I guess Virginia would rather expose it's citizens to ID theft and try to squelch Betty than fix the problem.

This is probably the biggest source of SSN's used for ID theft, and Betty is doing something about it.

BRAVO!!!! I'm glad nobody has shut her down yet.

-Viz

Let me get this straight.

[k1e0x]

* A concerned citizen found SSN Numbers in public that the goons government didn't care to protect.

* Government goons ignored her when she brought this to their attention (over several years).

* She then created a website to expose this act of government incompetence to the public. She posted SSN number of people like Colin Powell and Jeb Bush.

* The Government goons intended to crack down on her and make the act of exposing their incompetence illegal. Essentially saying that it was illegal for her to do exactly the same thing they were already doing, and were undoubtedly going to continue to do.

That is insane

No longer is government concerned with addressing problems it has, now it wants to shut people up who air their dirty laundry. This is *exactly* like the MIT Subway hacker case. This lady is a hero, Government MUST be accountable for its actions when they are operating in error.