State Cannot Force Removal of SSNs From Privacy Advocate's Site

← Back to Stories (view on slashdot.org)

State Cannot Force Removal of SSNs From Privacy Advocate's Site

Posted by Soulskill on Thursday August 28, 2008 @04:17AM from the sanity-check-successful-for-once dept.

jvatcw brings us a story about Betty Ostergren, who operates a website dedicated to pointing out the social security numbers visible in public records. The purpose of the site is to raise awareness of privacy concerns regarding the personal information shared in Virginia's governmental websites. Legislation was introduced in Virginia to combat Ostergren's website, but last Friday a judge shot down the attempt to censor her, writing, "It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by government to protect the private information of individuals."

29 of 262 comments (clear)

How about something better? by dsginter · 2008-08-28 04:19 · Score: 5, Insightful

Can the states force the credit reporting agencies to allow citizens to lock their credit reports? The whole idea of identity theft is crazy - it could be trivially fixed with one-time passwords that people give out only when they need to.
But then we couldn't make money on credit monitoring services, now, could we?

--
More
1. Re:How about something better? by MarkvW · 2008-08-28 04:25 · Score: 5, Interesting
  
  I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.
  In "identity theft" the thief is the bad guy and the credit card company's responsibility is ignored.
2. Re:How about something better? by nine-times · 2008-08-28 04:46 · Score: 5, Insightful
  
  How about we just stop using social security numbers as though they're some sort of magical security token? It was never designed for that purpose, and if you put the slightest bit of thought into it, you immediately realize that it's not secure at all. People act like it's some sort of super-secure password that authenticates who you are, but then you're basically required to give out that password to random people on a semi-regular basis.
  In modern times, with ubiquitous computing, it seems like there must be a better way. Hell, issue every man, woman, and child something comparable to an SSL certificate and have the government (or credit agencies) run the analog of the root servers. It may not be a perfect idea, but it'd be better than this.
3. Re:How about something better? by Archangel+Michael · 2008-08-28 04:57 · Score: 4, Interesting
  
  IF I don't use credit, then a "black mark" is meaningless.
  And, with all those "black marks" on my credit, then anyone accepting my SS# and credit history, gets what they deserve.
  But you raise an interesting point, though it is obscured. If I don't use credit, and someone issues credit in my name to someone other than me, how would I prove it? How would I even know it?
  In that case, the credit companies have broken system (yeah, we all know it too). In this case, I'd sue everyone involved ruining my reputation.
  I'm wondering why nobody has gone after them for slander or libel (which ever applies), in a civil tort?
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
4. Re:How about something better? by davolfman · 2008-08-28 05:09 · Score: 5, Insightful
  
  To be honest the credit reporting agency and the bank filing the report should be liable for libel every time they record a false entry.
5. Re:How about something better? by Stellian · 2008-08-28 05:10 · Score: 5, Insightful
  
  I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.
  The artificial distinction of allowing trusted people (banks, the phone company) access to your identity, while keeping it a secret for the general public (that includes identity thieves) is childish. As it is the attempt to criminalize the act of compiling a list of people's identity using public data - all identity data is public to some extent, by definition; if it's not public, it does not identify you. Compiling lists of public information is a clear example of free speech.
  The term of "identity theft" is a copious misnomer perpetrated on the public by the credit industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.
  After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ? The bank has little incentive to properly authenticate the guy: they want as much customers as possible, and be competitive: they reduce fraud to acceptable levels, until fighting against it is more costly than the actual money saved. The devastating consequences that "ID theft" has over an individual's live becomes an externality for banks. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so It's unreasonable to require me to protect my identity from "theft".
  You can find an excellent written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
  http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html
  The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
  Devising more intricate ways to keep our identity data "secret" is just band-aid.
  (I fully agree there are other reasons to wanting to have your data private, such as, well... privacy; ID "theft" should not be one of them)
6. Re:How about something better? by DavidTC · 2008-08-28 05:15 · Score: 5, Insightful
  
  I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.
  Don't just wonder about it. Refuse to use the term, like I do.
  The correct term is fraud, and the victim is the business that got defrauded.
  These businesses use the term 'identify theft' so their reaction to their own defrauding, which 'blame some random person who has nothing to do with it', isn't recognized as the criminal action it is. But the injury to 'victims' isn't coming from the person who committed the fraud. People whose identities are 'stolen' are not the victims of identity thieves. They're the victims of the victims of identity thieves.
  People who have had their 'identity stolen' need a good lawyer to sue the ass off everyone who, when they got defrauded, didn't immediately fix the issue. It is in no way your responsibility that other individuals and businesses do not have stricter checking of identity, and you should be able to sue that business for every second of time and money their lax policies cost you in cleaning it up.
  They can, of course, then sue to recover that money from the person who defrauded them, but that's not relevant to the 'identity theft' 'victim'.
  If someone steals my car, I do not have the right to steal your car. Even if the person stealing my car used your name to do so. Even if I'm clever enough to invent the term 'indirect car thief' for the original thief, and 'indirect car thief victim' for you, and hope that no one catches on that he didn't steal your car, I did.
  
  --
  If corporations are people, aren't stockholders guilty of slavery?
7. Re:How about something better? by PPH · 2008-08-28 06:09 · Score: 4, Insightful
  
  The 'other' problem with SSNs is that they are a ubiquitous form if identification in society today.
  Certainly, they are not useful for authentication purposes. But what they were intended for, a unique identification for the purposes of tax and Social Security data becomes a problem when it slips out into other parts of people's lives. Aside from entities (banks, employers, etc.) who have a legislated need to identify me as a unique individual, not many other people do. I have the right to receive my monthly p0rn subscription, contribute to Greenpeace, call all those 1-900 numbers for $5.99/min, and enroll my children in that hoity-toity private Christian school while maintaining deniability that the PPH engaged in one activity is the same as the others.
  There are very few cases in which private businesses have the right to link my identity to the relationship I have with anyone else. I can give most a business who requests my SSN a phony number so long as I do so with no intent to commit fraud and the legal consequences are minimal.
  
  --
  Have gnu, will travel.
8. Re:How about something better? by rgviza · 2008-08-28 06:35 · Score: 5, Informative
  
  >After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ?
  You don't.
  You will get a collection call.
  At that point, you can ask them to fax you a copy of the signature they have, where you agreed to the credit contract.
  They won't have it. Then you call the bureaus, and request your free copy of the report. When you get it, call back and talk to someone on the phone. They'll take it right off your report.
  It took me less than an hour each of the 3x that Household Bank got ripped off by someone using my info. Never paid a single penny...
  -Viz
  
  --
  Don't kid yourself. It's the size of the regexp AND how you use it that counts.
Serious Push Back by curmudgeon99 · 2008-08-28 04:23 · Score: 4, Insightful

How refreshing it is to see judges finally waking up to the abuses our government is making. In the past year the judicial branch has made me want to stand up and cheer, with the pushback against the Bush administration and now--here--trying to stop legislatures from hiding their mistakes.
Meanwhile... by bigtallmofo · 2008-08-28 04:25 · Score: 5, Funny

In other news, the IRS reports that they are finally cracking down on long-time tax evader Betty Ostergren for failure to report as income the $10 her grandmother gave her in a birthday card in 2005. Ms. Ostergren faces up to 10 years in prison and a fine of $300,000.

--
I'm a big tall mofo.
Re:It's sad this had to go to court. by gnick · 2008-08-28 04:25 · Score: 4, Insightful

A newspaper (depending on the newspaper) or CNN would likely have published the story, but censored the SSNs. Otherwise their readers/viewers would have been angry with their news source for publicizing their information rather than the government for mishandling it.
Now if Ms Ostergren had censored the SSNs like the main stream media would have, I doubt that she would have been able to garner the attention that this story deserves.

--
He's getting rather old, but he's a good mouse.
They already do allow that for free by bigtallmofo · 2008-08-28 04:29 · Score: 5, Informative

Can the states force the credit reporting agencies to allow citizens to lock their credit reports?

http://www.google.com/search?hl=en&q=how+to+freeze+credit+report

This is already available, and it's free. Just like opting out of marketing offers.

--
I'm a big tall mofo.
1. Re:They already do allow that for free by Ambiguous+Puzuma · 2008-08-28 04:38 · Score: 4, Informative
  
  The fees (if any) associated with credit freezes vary from state to state.
  http://www.consumersunion.org/campaigns/learn_more/003484indiv.html
Private information?? by homer_s · 2008-08-28 04:29 · Score: 5, Insightful

demonstrate the lack of care being taken by government to protect the private information of individuals."

Why is a social security number, a number that helps the social security administration track payments, 'private information'?
Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.
1. Re:Private information?? by i.r.id10t · 2008-08-28 04:35 · Score: 4, Insightful
  
  Because some programmers and record keepers decided years ago that it would make a good primary key for their db...
  
  --
  Don't blame me, I voted for Kodos
2. Re:Private information?? by k2enemy · 2008-08-28 04:39 · Score: 5, Interesting
  
  Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.
  Exactly. I wish the govt would just announce that on January 1, 2009 they will put up a website that publicly reveals everyone's SSN. Banks and other institutions have until then to work out some other means of authentication.
3. Re:Private information?? by DavidTC · 2008-08-28 05:19 · Score: 4, Insightful
  
  It is a good primary key.
  The problem is that quite a few places decided to use it as authentication, which isn't a programming or indexing issue at all.
  
  --
  If corporations are people, aren't stockholders guilty of slavery?
Government by suck_burners_rice · 2008-08-28 04:30 · Score: 4, Insightful

Yes, the judge is right about this one. Censorship of this type is the classic way that government can sweep the bad things it does under the rug. We have to always keep in mind that "the government" is not some sort of ethereal force out there. It's a bunch of guys (and women) who happen to have been placed in a position of power, whether it's someone elected to office or that clerk at the local [insert government office here] who likes to be a jerk and inconvenience people because it gives him a power trip to feel like he's the king of some tiny kingdom. We always have to remember that. Just because someone is in "the government" does not make that person special or give that person any special rights whatsoever. Thus, the judge should not do anything about that website, but should force the government to fix its problems.

--
McCain/Palin '08. Now THAT's hope and change!
Assume by Archangel+Michael · 2008-08-28 04:32 · Score: 4, Insightful

The problem is that we tend to assume that SS# is "private". It isn't.
We (collectively everyone) ought to just assume that our SS# and lives are being tracked, because we are.
I live my life as if I'm being tracked. I don't own a Credit Card because of it. I don't want my purchases being tracked and traced. I pay cash, which is getting harder and harder to do.
And that stupid VISA commercial where everything stops when a person uses cash, is not helping.
And the loss of community has really pushed the anonymity movement. In days of old, you had to have a "relationship" with the people who bought and sold. Somewhere along the way, that was lost in favor of cheaper prices. We have, collectively, started to see the repercussions of this throughout society.
Now, to buy big ticket items, all you need is a fake ID, a Good SS#, and be gone, and nobody seems to care that we've lost the humanity in the process.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
1. Re:Assume by Archangel+Michael · 2008-08-28 05:06 · Score: 4, Interesting
  
  You assume too much.
  I own my cars, paid cash for each of them. I own my house, never had a loan on it.
  Just because 99.99999% of the population does it one way, doesn't mean everyone does.
  I'll tell you the next hardest thing to do without credit (cards) is rent a car. It can be done, but not easily.
  And no, I don't own a tin foil hat.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Re:ID Theft Field Day? by mapsjanhere · 2008-08-28 04:34 · Score: 4, Insightful

Good idea - as long as they waive their sovereign immunity, and that of their employees, in the same law. Otherwise all it does is censor the critics and allow business as usual.

--
I'm aging rapidly, I bought a new game and had no idea if my machine was good for it.
Re:ID Theft Field Day? by be951 · 2008-08-28 04:35 · Score: 5, Insightful

Uh, that's the whole point. The state is providing the numbers online already. She's just drawing attention to it.
The problem is... by afabbro · 2008-08-28 04:39 · Score: 4, Informative
- It is very difficult to change your SSN. No, being a victim of identity theft and having money stolen from your accounts is not sufficient reason.
- SSNs are often available even from people who've been careful.
To take a simple example: until 5-10 years ago, it was common to list SSNs in divorce filings. Get divorced and your SSN was listed in the filings, which are public records and can be looked at by anyone. Even today, in some states, you have to file a motion to have the SSN suppressed from the public version (routinely granted, but still it illustrates how common SSN publication is).
Publishing SSNs found in public certainly advertises the problem, but it also creates problems for innocent, even cautious people who have no way of fixing them.
Of course, the real problem is why we have tied so much personal information to a single government-issued number...perhaps because it's the only nationally unique identification number issued by the Federal government...
--
Advice: on VPS providers
Re:It's sad this had to go to court. by TubeSteak · 2008-08-28 05:06 · Score: 4, Informative

The ends don't justify the means. She's trying to advocate privacy by decreasing individual's privacy if I'm understanding this. She's saying "this is wrong that your social security number is printed on X public document, so I'm going to post it online to dramatically increase the amount of people who can see it and increase your chances of identity theft."
You missed one important detail.
The records she is putting up on her website are already online.
That pretty much knocks the bottom out of your argument.

--
[Fuck Beta]
o0t!
Re:It's sad this had to go to court. by gnick · 2008-08-28 05:14 · Score: 5, Insightful

Also, it doesn't sound like she's just shot-gunning out every SSN she finds. FTA:

Ostergren routinely posts the Social Security numbers of high-profile individuals that she claims to have easily obtained from county and state government Web sites. The list includes former Florida Gov. Jeb Bush, former U.S. Secretary of State Colin Powell, former U.S. House Majority Leader Tom DeLay, former Missouri Sen. Jean Carnahan and several county clerks in Virginia.
That doesn't say explicitly that she's not posting everything, but it does seem to imply that she's just calling out very public government figures. Sure it's a bid for attention, but it's an effective one. And, since it was the State that publicized them, it seems like she's re-publicizing just enough to call the appropriate level of attention to the issue. Good on her.

--
He's getting rather old, but he's a good mouse.
Mod my comment down! by philspear · 2008-08-28 05:40 · Score: 5, Interesting

Er, I'd really like to retract this post. It's not insightful, it's me not being awake and not RTFA. So this will probably be a /. first, but I would request someone to mod my own post (the one above) "overrated." She's not doing this to private citizens, the SSNs are already online, this doesn't seem like a bid for attention now that I have the facts straight.
I'm not sure why you can't delete your own post, but there should at least be a "mod my own comment down to '-1: redacted'" option.
Just publish them all already by Antibozo · 2008-08-28 05:55 · Score: 5, Interesting

It's high time the government simply published all SSNs. We are constantly forced to hand our SSNs over to banks, employers, phone companies, doctors, insurers, etc, and we have no way of knowing how many people have access to them. SSN is just an account number, but it's being used both as a unique identifier for individuals and as an authenticator, mostly because financial institutions are too lazy to develop their own authentication system. What's more, substantial parts of SSN are predictable with decent confidence given knowledge of a person's approximate place and time of birth. Meanwhile, SSN is next to impossible to change, so once it's compromised you're permanently screwed. It should be obvious that using SSN as an authenticator of any kind is pathologically stupid. It lacks every property good authenticators should have.
SSNs are not secret. Let's stop pretending that they are.
Let me get this straight. by k1e0x · 2008-08-28 06:32 · Score: 4, Insightful

* A concerned citizen found SSN Numbers in public that the goons government didn't care to protect.
* Government goons ignored her when she brought this to their attention (over several years).
* She then created a website to expose this act of government incompetence to the public. She posted SSN number of people like Colin Powell and Jeb Bush.
* The Government goons intended to crack down on her and make the act of exposing their incompetence illegal. Essentially saying that it was illegal for her to do exactly the same thing they were already doing, and were undoubtedly going to continue to do.
That is insane
No longer is government concerned with addressing problems it has, now it wants to shut people up who air their dirty laundry. This is *exactly* like the MIT Subway hacker case. This lady is a hero, Government MUST be accountable for its actions when they are operating in error.

--
Bringing liberty to the masses. - http://freetalklive.com/