Slashdot Mirror

← Back to Stories (view on slashdot.org)

State Cannot Force Removal of SSNs From Privacy Advocate's Site

Posted by Soulskill on from the sanity-check-successful-for-once dept.

jvatcw brings us a story about Betty Ostergren, who operates a website dedicated to pointing out the social security numbers visible in public records. The purpose of the site is to raise awareness of privacy concerns regarding the personal information shared in Virginia's governmental websites. Legislation was introduced in Virginia to combat Ostergren's website, but last Friday a judge shot down the attempt to censor her, writing, "It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by government to protect the private information of individuals."

15 of 262 comments (clear)

  1. How about something better? by dsginter · · Score: 5, Insightful

    Can the states force the credit reporting agencies to allow citizens to lock their credit reports? The whole idea of identity theft is crazy - it could be trivially fixed with one-time passwords that people give out only when they need to.

    But then we couldn't make money on credit monitoring services, now, could we?

    --
    More
    1. Re:How about something better? by MarkvW · · Score: 5, Interesting

      I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

      In "identity theft" the thief is the bad guy and the credit card company's responsibility is ignored.

    2. Re:How about something better? by nine-times · · Score: 5, Insightful

      How about we just stop using social security numbers as though they're some sort of magical security token? It was never designed for that purpose, and if you put the slightest bit of thought into it, you immediately realize that it's not secure at all. People act like it's some sort of super-secure password that authenticates who you are, but then you're basically required to give out that password to random people on a semi-regular basis.

      In modern times, with ubiquitous computing, it seems like there must be a better way. Hell, issue every man, woman, and child something comparable to an SSL certificate and have the government (or credit agencies) run the analog of the root servers. It may not be a perfect idea, but it'd be better than this.

    3. Re:How about something better? by davolfman · · Score: 5, Insightful

      To be honest the credit reporting agency and the bank filing the report should be liable for libel every time they record a false entry.

    4. Re:How about something better? by Stellian · · Score: 5, Insightful

      I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

      The artificial distinction of allowing trusted people (banks, the phone company) access to your identity, while keeping it a secret for the general public (that includes identity thieves) is childish. As it is the attempt to criminalize the act of compiling a list of people's identity using public data - all identity data is public to some extent, by definition; if it's not public, it does not identify you. Compiling lists of public information is a clear example of free speech.

      The term of "identity theft" is a copious misnomer perpetrated on the public by the credit industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.

      After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ? The bank has little incentive to properly authenticate the guy: they want as much customers as possible, and be competitive: they reduce fraud to acceptable levels, until fighting against it is more costly than the actual money saved. The devastating consequences that "ID theft" has over an individual's live becomes an externality for banks. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so It's unreasonable to require me to protect my identity from "theft".

      You can find an excellent written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
      http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html

      The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
      Devising more intricate ways to keep our identity data "secret" is just band-aid.

      (I fully agree there are other reasons to wanting to have your data private, such as, well... privacy; ID "theft" should not be one of them)

    5. Re:How about something better? by DavidTC · · Score: 5, Insightful

      I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

      Don't just wonder about it. Refuse to use the term, like I do.

      The correct term is fraud, and the victim is the business that got defrauded.

      These businesses use the term 'identify theft' so their reaction to their own defrauding, which 'blame some random person who has nothing to do with it', isn't recognized as the criminal action it is. But the injury to 'victims' isn't coming from the person who committed the fraud. People whose identities are 'stolen' are not the victims of identity thieves. They're the victims of the victims of identity thieves.

      People who have had their 'identity stolen' need a good lawyer to sue the ass off everyone who, when they got defrauded, didn't immediately fix the issue. It is in no way your responsibility that other individuals and businesses do not have stricter checking of identity, and you should be able to sue that business for every second of time and money their lax policies cost you in cleaning it up.

      They can, of course, then sue to recover that money from the person who defrauded them, but that's not relevant to the 'identity theft' 'victim'.

      If someone steals my car, I do not have the right to steal your car. Even if the person stealing my car used your name to do so. Even if I'm clever enough to invent the term 'indirect car thief' for the original thief, and 'indirect car thief victim' for you, and hope that no one catches on that he didn't steal your car, I did.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    6. Re:How about something better? by rgviza · · Score: 5, Informative

      >After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ?

      You don't.
      You will get a collection call.
      At that point, you can ask them to fax you a copy of the signature they have, where you agreed to the credit contract.

      They won't have it. Then you call the bureaus, and request your free copy of the report. When you get it, call back and talk to someone on the phone. They'll take it right off your report.

      It took me less than an hour each of the 3x that Household Bank got ripped off by someone using my info. Never paid a single penny...

      -Viz

      --
      Don't kid yourself. It's the size of the regexp AND how you use it that counts.
  2. Meanwhile... by bigtallmofo · · Score: 5, Funny

    In other news, the IRS reports that they are finally cracking down on long-time tax evader Betty Ostergren for failure to report as income the $10 her grandmother gave her in a birthday card in 2005. Ms. Ostergren faces up to 10 years in prison and a fine of $300,000.

    --
    I'm a big tall mofo.
  3. They already do allow that for free by bigtallmofo · · Score: 5, Informative

    Can the states force the credit reporting agencies to allow citizens to lock their credit reports?

    http://www.google.com/search?hl=en&q=how+to+freeze+credit+report

    This is already available, and it's free. Just like opting out of marketing offers.

    --
    I'm a big tall mofo.
  4. Private information?? by homer_s · · Score: 5, Insightful

    demonstrate the lack of care being taken by government to protect the private information of individuals."

    Why is a social security number, a number that helps the social security administration track payments, 'private information'?
    Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.

    1. Re:Private information?? by k2enemy · · Score: 5, Interesting

      Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.

      Exactly. I wish the govt would just announce that on January 1, 2009 they will put up a website that publicly reveals everyone's SSN. Banks and other institutions have until then to work out some other means of authentication.

  5. Re:ID Theft Field Day? by be951 · · Score: 5, Insightful

    Uh, that's the whole point. The state is providing the numbers online already. She's just drawing attention to it.

  6. Re:It's sad this had to go to court. by gnick · · Score: 5, Insightful

    Also, it doesn't sound like she's just shot-gunning out every SSN she finds. FTA:

    Ostergren routinely posts the Social Security numbers of high-profile individuals that she claims to have easily obtained from county and state government Web sites. The list includes former Florida Gov. Jeb Bush, former U.S. Secretary of State Colin Powell, former U.S. House Majority Leader Tom DeLay, former Missouri Sen. Jean Carnahan and several county clerks in Virginia.

    That doesn't say explicitly that she's not posting everything, but it does seem to imply that she's just calling out very public government figures. Sure it's a bid for attention, but it's an effective one. And, since it was the State that publicized them, it seems like she's re-publicizing just enough to call the appropriate level of attention to the issue. Good on her.

    --
    He's getting rather old, but he's a good mouse.
  7. Mod my comment down! by philspear · · Score: 5, Interesting

    Er, I'd really like to retract this post. It's not insightful, it's me not being awake and not RTFA. So this will probably be a /. first, but I would request someone to mod my own post (the one above) "overrated." She's not doing this to private citizens, the SSNs are already online, this doesn't seem like a bid for attention now that I have the facts straight.

    I'm not sure why you can't delete your own post, but there should at least be a "mod my own comment down to '-1: redacted'" option.

  8. Just publish them all already by Antibozo · · Score: 5, Interesting

    It's high time the government simply published all SSNs. We are constantly forced to hand our SSNs over to banks, employers, phone companies, doctors, insurers, etc, and we have no way of knowing how many people have access to them. SSN is just an account number, but it's being used both as a unique identifier for individuals and as an authenticator, mostly because financial institutions are too lazy to develop their own authentication system. What's more, substantial parts of SSN are predictable with decent confidence given knowledge of a person's approximate place and time of birth. Meanwhile, SSN is next to impossible to change, so once it's compromised you're permanently screwed. It should be obvious that using SSN as an authenticator of any kind is pathologically stupid. It lacks every property good authenticators should have.

    SSNs are not secret. Let's stop pretending that they are.