State Cannot Force Removal of SSNs From Privacy Advocate's Site

jvatcw brings us a story about Betty Ostergren, who operates a website dedicated to pointing out the social security numbers visible in public records. The purpose of the site is to raise awareness of privacy concerns regarding the personal information shared in Virginia's governmental websites. Legislation was introduced in Virginia to combat Ostergren's website, but last Friday a judge shot down the attempt to censor her, writing, "It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by government to protect the private information of individuals."

How about something better?

[dsginter (104154)]

Can the states force the credit reporting agencies to allow citizens to lock their credit reports? The whole idea of identity theft is crazy - it could be trivially fixed with one-time passwords that people give out only when they need to.

But then we couldn't make money on credit monitoring services, now, could we?

Re:How about something better?

[MarkvW (1037596)]

I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

In "identity theft" the thief is the bad guy and the credit card company's responsibility is ignored.

Re:How about something better?

[davolfman (1245316)]

To be honest the credit reporting agency and the bank filing the report should be liable for libel every time they record a false entry.

Re:

[Hyppy (74366)]

It would be hard to prove intent, though.

Re:How about something better?

[berashith (222128)]

what about negligence. If you ask for something to be removed that gets replaced in an automated fashion the next month, then there is a proveable disregard for accuracy. It isnt libel, but taking the cheap and easy way can provide known incorrect information.

Re:How about something better?

[Stellian (673475)]

I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

The artificial distinction of allowing trusted people (banks, the phone company) access to your identity, while keeping it a secret for the general public (that includes identity thieves) is childish. As it is the attempt to criminalize the act of compiling a list of people's identity using public data - all identity data is public to some extent, by definition; if it's not public, it does not identify you. Compiling lists of public information is a clear example of free speech.

The term of "identity theft" is a copious misnomer perpetrated on the public by the credit industry. The identity of a person cannot be stolen, only duplicated or impersonated. The real crime here is identity fraud. The distinction might not seem much, but it's of key importance: it shifts the victimization from the impersonated person to the banker/stock agent/realtor/whatever that accepts the fake identity.

After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ? The bank has little incentive to properly authenticate the guy: they want as much customers as possible, and be competitive: they reduce fraud to acceptable levels, until fighting against it is more costly than the actual money saved. The devastating consequences that "ID theft" has over an individual's live becomes an externality for banks. Meanwhile, I can do nothing to protect myself: my identity is in hundreds of public and private databases, out of my control: it's how I register to vote, how I get medical care, and how I install an Internet connection. I cannot function in this society without making my identity public, so It's unreasonable to require me to protect my identity from "theft".

You can find an excellent written article about the distinction between identity theft and fraud here, by noted security expert Bruce Schneier:
http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html [schneier.com]

The solution against identity fraud is making the enablers pay for it, breaking the externality. For example, a maximal 15-day clearing period of any wrong information on your credit report, after which the bank can be charged with libel.
Devising more intricate ways to keep our identity data "secret" is just band-aid.

(I fully agree there are other reasons to wanting to have your data private, such as, well... privacy; ID "theft" should not be one of them)

Re:How about something better?

[PPH (736903)]

The 'other' problem with SSNs is that they are a ubiquitous form if identification in society today.

Certainly, they are not useful for authentication purposes. But what they were intended for, a unique identification for the purposes of tax and Social Security data becomes a problem when it slips out into other parts of people's lives. Aside from entities (banks, employers, etc.) who have a legislated need to identify me as a unique individual, not many other people do. I have the right to receive my monthly p0rn subscription, contribute to Greenpeace, call all those 1-900 numbers for $5.99/min, and enroll my children in that hoity-toity private Christian school while maintaining deniability that the PPH engaged in one activity is the same as the others.

There are very few cases in which private businesses have the right to link my identity to the relationship I have with anyone else. I can give most a business who requests my SSN a phony number so long as I do so with no intent to commit fraud and the legal consequences are minimal.
 

Re:How about something better?

[rgviza (1303161)]

>After all, why should *I* pay for the fact that some bank lends money to someone who says it's me ?

You don't.
You will get a collection call.
At that point, you can ask them to fax you a copy of the signature they have, where you agreed to the credit contract.

They won't have it. Then you call the bureaus, and request your free copy of the report. When you get it, call back and talk to someone on the phone. They'll take it right off your report.

It took me less than an hour each of the 3x that Household Bank got ripped off by someone using my info. Never paid a single penny...

-Viz

Re:How about something better?

[DavidTC (10147)]

I wonder whether "identity theft" is not just an utterly brilliant public relations tactic used by the credit card companies to deflect responsibility away from themselves.

Don't just wonder about it. Refuse to use the term, like I do.

The correct term is fraud, and the victim is the business that got defrauded.

These businesses use the term 'identify theft' so their reaction to their own defrauding, which 'blame some random person who has nothing to do with it', isn't recognized as the criminal action it is. But the injury to 'victims' isn't coming from the person who committed the fraud. People whose identities are 'stolen' are not the victims of identity thieves. They're the victims of the victims of identity thieves.

People who have had their 'identity stolen' need a good lawyer to sue the ass off everyone who, when they got defrauded, didn't immediately fix the issue. It is in no way your responsibility that other individuals and businesses do not have stricter checking of identity, and you should be able to sue that business for every second of time and money their lax policies cost you in cleaning it up.

They can, of course, then sue to recover that money from the person who defrauded them, but that's not relevant to the 'identity theft' 'victim'.

If someone steals my car, I do not have the right to steal your car. Even if the person stealing my car used your name to do so. Even if I'm clever enough to invent the term 'indirect car thief' for the original thief, and 'indirect car thief victim' for you, and hope that no one catches on that he didn't steal your car, I did.

They already do allow that for free

[bigtallmofo (695287)]

Can the states force the credit reporting agencies to allow citizens to lock their credit reports?

http://www.google.com/search?hl=en&q=how+to+freeze+credit+report [google.com]

This is already available, and it's free. Just like opting out of marketing offers.

Re:They already do allow that for free

[Ambiguous Puzuma (1134017)]

The fees (if any) associated with credit freezes vary from state to state.
http://www.consumersunion.org/campaigns/learn_more/003484indiv.html [consumersunion.org]

Re:

[roaddemon (666475)]

I didn't pay any credit cards for a year, now I have an old fashioned credit freeze.

Re:How about something better?

[nine-times (778537)]

How about we just stop using social security numbers as though they're some sort of magical security token? It was never designed for that purpose, and if you put the slightest bit of thought into it, you immediately realize that it's not secure at all. People act like it's some sort of super-secure password that authenticates who you are, but then you're basically required to give out that password to random people on a semi-regular basis.

In modern times, with ubiquitous computing, it seems like there must be a better way. Hell, issue every man, woman, and child something comparable to an SSL certificate and have the government (or credit agencies) run the analog of the root servers. It may not be a perfect idea, but it'd be better than this.

Re:

[nine-times (778537)]

although implementing it would cost billions of dollars to the government, banking, and insurance industries (among many others) that use SSNs to identify clients

Sure, it would cost money. Then again, how much money is lost to identity theft, including the money spent on identity theft protection and money spent on investigating identity theft claims. Given a long enough timeline of dealing with these issues, building a better solution might just save money.

Do you really think that Mom & Pop Bank in rural North Dakota has any ability to modify their banking systems to work with such a scheme when they can't even make a web site? I don't.

So give small banks a tax break on hiring an IT guy trained to deal with this stuff. I don't really know the best solution there, but it doesn't seem like an insurmountable problem.

Re:

[jedidiah (1196)]

Being willing and able to monitor your own credit still isn't enough.

Not being willing to accept or use "credit" isn't sufficient either.

All it takes is one abusive merchant to initiate a "collection" against
you. It won't matter if it's a genuine billing dispute or not. That
"black mark" will end up in your report. The relevant parties will be
unwilling to remove it, and everyone else will use it against you.

Re:How about something better?

[Archangel Michael (180766)]

IF I don't use credit, then a "black mark" is meaningless.

And, with all those "black marks" on my credit, then anyone accepting my SS# and credit history, gets what they deserve.

But you raise an interesting point, though it is obscured. If I don't use credit, and someone issues credit in my name to someone other than me, how would I prove it? How would I even know it?

In that case, the credit companies have broken system (yeah, we all know it too). In this case, I'd sue everyone involved ruining my reputation.

I'm wondering why nobody has gone after them for slander or libel (which ever applies), in a civil tort?

Re:How about something better?

[Matt Perry (793115)]

But I live above my means, because I don't pay interest on things I don't need. I don't buy things before I can afford them.

You mean you live below your means. If you lived above your means, you'd be spending more than you earn.

Re:How about something better?

[cayenne8 (626475)]

While I applaud not living beyond your means, not buying things before you can afford them (and this works I think on 99% of all things)....I'm wondering how you do own a house, and take care of say and emergency without at least some form of credit.

I was in horrible credit card debt hell post-Katrina. But, I got good settlements on my lost car and other things...and along with some other good fortune that came out of all that mess...I"m virtually debt free. All cards paid off, only a car and motorcycle note right now. I never intend to go into hard debt again. For 99% of all purchases I do, I pay cash.

But, I do have credit cards. I keep them mostly for emergencies, and for buying gas at places like Sam's that don't take cash at the pumps. What I do charge, I pay off in full each month, so that is basically like using cash.

I'm actually wanting to trade a card or so in for ones that earn cash back or airline mileage...which actually pay you to use them.

I'm curious how you go totally without credit. I have mine, and use it sparingly, and responsibly...I'm not sure I could go completely off them. I'd always want one around, just for an emergency....say like the coming hurricane. Last time for Katrina, I rode out with friends. After a period, I had to rent a car, and that is virtually impossible to do these days w/o a credit card.

I'd be interested in hearing the details of how you go completely without them....

Thanks...

Re:

[russotto (537200)]

credit reports exist to put you at the mercy of the debt collection industry.

No, credit reports exist to help lenders decide how much of a risk you are. By the time a debt ends up in the hands of the debt collection industry, your credit report is already fucked.

The system is perverse, requiring you to go into debt in order to qualify for a mortgage, but providing no recourse when they make mistakes.. even though those mistakes can be as horrific for the victims as false accusations of pedophilia

That's cer

It's sad this had to go to court.

[Trojan35 (910785)]

I wonder, if it was a newspaper or CNN doing this, if this would have ever gotten that far.

Re:It's sad this had to go to court.

[gnick (1211984)]

A newspaper (depending on the newspaper) or CNN would likely have published the story, but censored the SSNs. Otherwise their readers/viewers would have been angry with their news source for publicizing their information rather than the government for mishandling it.

Now if Ms Ostergren had censored the SSNs like the main stream media would have, I doubt that she would have been able to garner the attention that this story deserves.

Re:It's sad this had to go to court.

[TubeSteak (669689)]

The ends don't justify the means. She's trying to advocate privacy by decreasing individual's privacy if I'm understanding this. She's saying "this is wrong that your social security number is printed on X public document, so I'm going to post it online to dramatically increase the amount of people who can see it and increase your chances of identity theft."

You missed one important detail.
The records she is putting up on her website are already online.
That pretty much knocks the bottom out of your argument.

Re:It's sad this had to go to court.

[gnick (1211984)]

Also, it doesn't sound like she's just shot-gunning out every SSN she finds. FTA:

Ostergren routinely posts the Social Security numbers of high-profile individuals that she claims to have easily obtained from county and state government Web sites. The list includes former Florida Gov. Jeb Bush, former U.S. Secretary of State Colin Powell, former U.S. House Majority Leader Tom DeLay, former Missouri Sen. Jean Carnahan and several county clerks in Virginia.

That doesn't say explicitly that she's not posting everything, but it does seem to imply that she's just calling out very public government figures. Sure it's a bid for attention, but it's an effective one. And, since it was the State that publicized them, it seems like she's re-publicizing just enough to call the appropriate level of attention to the issue. Good on her.

Mod my comment down!

[philspear (1142299)]

Er, I'd really like to retract this post. It's not insightful, it's me not being awake and not RTFA. So this will probably be a /. first, but I would request someone to mod my own post (the one above) "overrated." She's not doing this to private citizens, the SSNs are already online, this doesn't seem like a bid for attention now that I have the facts straight.

I'm not sure why you can't delete your own post, but there should at least be a "mod my own comment down to '-1: redacted'" option.

Re:

[Spy der Mann (805235)]

This has nothing to do with privacy. There is nothing "private" about a number used as a unique identifier in government databases. This is a security matter, and what she is doing is no different than posting an exploit.

Wrong. This is not just posting an exploit. This is like using an exploit, getting people's passwords and and posting them.

Re:It's sad this had to go to court.

[apoc.famine (621563)]

If by "exploit" you mean "looking at something through a window designed to allow you to do that and then posting a picture of what's inside", I'd agree. There is no "exploit" - the system was DESIGNED to be transparent. What she's pointing out is that if you design it like that, then put things you don't want people to see inside, PEOPLE CAN SEE THOSE THINGS!

It's like putting in a plate glass window, then hanging your underwear in front of it. When someone takes a picture of it and posts it, you complain and sue, rather than A) Removing the underwear, or B) covering the window. The window was your doing, and the underwear was your doing - all they did was draw attention to the fact that you might not want to do one of the two.

In case this poor analogy isn't completely clear, the state could have either A) Disallowed access to this information all together, or B) not have included the SSNs. Instead they tried to use legal means to fix their stupidity.

Serious Push Back

[curmudgeon99 (1040054)]

How refreshing it is to see judges finally waking up to the abuses our government is making. In the past year the judicial branch has made me want to stand up and cheer, with the pushback against the Bush administration and now--here--trying to stop legislatures from hiding their mistakes.

Re:Serious Push Back

[orgelspieler (865795)]

Absolutely couldn't agree more. When I hear people say "activist judges" I just want to scream. Would they prefer lazy judges who don't take their role in the balance of power seriously?

If people want judges to stop interpreting the law (which is their job), then they need to demand that the legislative branch do a better job of writing laws that don't need interpretation. Just think, if the Bill of Rights had been elaborated just a bit as to the meaning of each phrase and clause, we wouldn't need to have judges and lawyers arguing about 18th century word definitions and grammatical comma placement practices.

But writing better laws would only fix part of the problem. These complainers need to demand that the executive branch do a better job enforcing the laws, too. They could start by kindly asking the President to stop making signing statements for everything that crosses his desk.

If well-written constitutionally valid laws were enforced impartially and regularly, judges would have a lot less to be "activist" about.

Re:Serious Push Back

[Nimey (114278)]

You're mistaken. Judicial activism is defined as what a judge does which the speaker does not like.

I'm still waiting for those complainers to start using the phrase "executive activism". I predict it'll start once a Democrat takes office.

Meanwhile...

[bigtallmofo (695287)]

In other news, the IRS reports that they are finally cracking down on long-time tax evader Betty Ostergren for failure to report as income the $10 her grandmother gave her in a birthday card in 2005. Ms. Ostergren faces up to 10 years in prison and a fine of $300,000.

Private information??

[homer_s (799572)]

demonstrate the lack of care being taken by government to protect the private information of individuals."

Why is a social security number, a number that helps the social security administration track payments, 'private information'?
Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.

Re:Private information??

[i.r.id10t (595143)]

Because some programmers and record keepers decided years ago that it would make a good primary key for their db...

Re:Private information??

[DavidTC (10147)]

It is a good primary key.

The problem is that quite a few places decided to use it as authentication, which isn't a programming or indexing issue at all.

Re:Private information??

[k2enemy (555744)]

Isn't that the bigger problem? Instead of spending more and more money to hide this number (or blame companies who lose such data), intelligent people should be asking why this number should be private.

Exactly. I wish the govt would just announce that on January 1, 2009 they will put up a website that publicly reveals everyone's SSN. Banks and other institutions have until then to work out some other means of authentication.

Re:

[metamatic (202216)]

Yeah, I had exactly the same idea over 3 years ago [ath0.com]. It doesn't even need to be the government that does it.

Plan for a post-SSN America

[StreetStealth (980200)]

I don't think that's quite the way to go about it, but I think it would be good to start by outlawing (with penalties this time) its use for anything other than, you know, Social Security.

But we're just getting started here. Once the SSN has returned to the single use for which it was created, we need a vastly more secure system to replace it. Not a national ID number, but a transparent, authenticated system of personal financial metadata kept in a vault maintained by a consortium of Experian, TransUnion, and Equifax, under tight regulation by the feds.

Users would always be able to securely check the entirety of their personal data to ensure its correctness, would have a federally-mandated path of action to contest errors, and would have a simple method of offering disposable keys to financial institutions to verify their credit history.

Government

[suck_burners_rice (1258684)]

Yes, the judge is right about this one. Censorship of this type is the classic way that government can sweep the bad things it does under the rug. We have to always keep in mind that "the government" is not some sort of ethereal force out there. It's a bunch of guys (and women) who happen to have been placed in a position of power, whether it's someone elected to office or that clerk at the local [insert government office here] who likes to be a jerk and inconvenience people because it gives him a power trip to feel like he's the king of some tiny kingdom. We always have to remember that. Just because someone is in "the government" does not make that person special or give that person any special rights whatsoever. Thus, the judge should not do anything about that website, but should force the government to fix its problems.

Re:

[Jason Levine (196982)]

We have to always keep in mind that "the government" is not some sort of ethereal force out there. It's a bunch of guys (and women) who happen to have been placed in a position of power, whether it's someone elected to office or that clerk at the local [insert government office here] who likes to be a jerk and inconvenience people because it gives him a power trip to feel like he's the king of some tiny kingdom. We always have to remember that. Just because someone is in "the government" does not make that

Assume

[Archangel Michael (180766)]

The problem is that we tend to assume that SS# is "private". It isn't.

We (collectively everyone) ought to just assume that our SS# and lives are being tracked, because we are.

I live my life as if I'm being tracked. I don't own a Credit Card because of it. I don't want my purchases being tracked and traced. I pay cash, which is getting harder and harder to do.

And that stupid VISA commercial where everything stops when a person uses cash, is not helping.

And the loss of community has really pushed the anonymity movement. In days of old, you had to have a "relationship" with the people who bought and sold. Somewhere along the way, that was lost in favor of cheaper prices. We have, collectively, started to see the repercussions of this throughout society.

Now, to buy big ticket items, all you need is a fake ID, a Good SS#, and be gone, and nobody seems to care that we've lost the humanity in the process.

Re:

[kabocox (199019)]

And the loss of community has really pushed the anonymity movement. In days of old, you had to have a "relationship" with the people who bought and sold. Somewhere along the way, that was lost in favor of cheaper prices. We have, collectively, started to see the repercussions of this throughout society.

Now, to buy big ticket items, all you need is a fake ID, a Good SS#, and be gone, and nobody seems to care that we've lost the humanity in the process.

Define "big ticket items." I'd define it as cars, houses

Re:Assume

[Archangel Michael (180766)]

You assume too much.

I own my cars, paid cash for each of them. I own my house, never had a loan on it.

Just because 99.99999% of the population does it one way, doesn't mean everyone does.

I'll tell you the next hardest thing to do without credit (cards) is rent a car. It can be done, but not easily.

And no, I don't own a tin foil hat.

If only they spent as much effort...

[txoof (553270)]

Instead of playing whack-a-mole-legislation with reporters and privacy advocates that point out problems, wouldn't our lawmakers efforts be better directed to fixing the privacy holes?

Someone has blown the whistle and turned on the flashing yellow klaxons to alert Virginia citizens and lawmakers to shoddy privacy practices. She's not trying to profit, she's probably not even trying to benefit from this work (except, perhaps in a very professional way). This woman is doing her civic and professional duty to solve what she sees as a problem.

Because she has no direct method for solving this problem, her only recourse is to alert her lawmakers and hope they fix the gigantic hole. Instead of whacking her with legislation, they should be carefully crafting legislation that provides guidelines and most importantly REAL FUNDING to help secure personal informaiton.

The problem is...

[afabbro (33948)]

• It is very difficult to change your SSN. No, being a victim of identity theft and having money stolen from your accounts is not sufficient reason.
• SSNs are often available even from people who've been careful.

To take a simple example: until 5-10 years ago, it was common to list SSNs in divorce filings. Get divorced and your SSN was listed in the filings, which are public records and can be looked at by anyone. Even today, in some states, you have to file a motion to have the SSN suppressed from the public version (routinely granted, but still it illustrates how common SSN publication is).

Publishing SSNs found in public certainly advertises the problem, but it also creates problems for innocent, even cautious people who have no way of fixing them.

Of course, the real problem is why we have tied so much personal information to a single government-issued number...perhaps because it's the only nationally unique identification number issued by the Federal government...

The judge is smart... and dumb

[superdave80 (1226592)]

OK, so he properly ruled that she can list records that are already publicly available. Good for him. Then I read this amazing piece of idiocy:

He noted that the ruling may have been "very different" if Ostergren only listed Social Security numbers copied from records rather than the records themselves.

What?!?!? It's OK to show the whole record, but not part of the record? What the hell is the difference? The record already has the SSN in it.

Just publish them all already

[Antibozo (410516)]

It's high time the government simply published all SSNs. We are constantly forced to hand our SSNs over to banks, employers, phone companies, doctors, insurers, etc, and we have no way of knowing how many people have access to them. SSN is just an account number, but it's being used both as a unique identifier for individuals and as an authenticator, mostly because financial institutions are too lazy to develop their own authentication system. What's more, substantial parts of SSN are predictable with decent confidence given knowledge of a person's approximate place and time of birth. Meanwhile, SSN is next to impossible to change, so once it's compromised you're permanently screwed. It should be obvious that using SSN as an authenticator of any kind is pathologically stupid. It lacks every property good authenticators should have.

SSNs are not secret. Let's stop pretending that they are.

Let me get this straight.

[k1e0x (1040314)]

* A concerned citizen found SSN Numbers in public that the goons government didn't care to protect.

* Government goons ignored her when she brought this to their attention (over several years).

* She then created a website to expose this act of government incompetence to the public. She posted SSN number of people like Colin Powell and Jeb Bush.

* The Government goons intended to crack down on her and make the act of exposing their incompetence illegal. Essentially saying that it was illegal for her to do exactly the same thing they were already doing, and were undoubtedly going to continue to do.

That is insane

No longer is government concerned with addressing problems it has, now it wants to shut people up who air their dirty laundry. This is *exactly* like the MIT Subway hacker case. This lady is a hero, Government MUST be accountable for its actions when they are operating in error.

Re:

[joelwyland (984685)]

You apparently missed the whole point. This information is already out there because the government is mishandling it. The reason the judge isn't forcing them off the web is because it's the perfect way to show the government is incompetent so that it can be FIXED. It won't be fixed if it gets buried.

Re:ID Theft Field Day?

[mapsjanhere (1130359)]

Good idea - as long as they waive their sovereign immunity, and that of their employees, in the same law. Otherwise all it does is censor the critics and allow business as usual.

Re:ID Theft Field Day?

[be951 (772934)]

Uh, that's the whole point. The state is providing the numbers online already. She's just drawing attention to it.

Re:

[Zymergy (803632)]

It's not so simple as that...
People file their SSN in Public Records all the time.
For example, I have seen numerous PUBLIC tax records on file in the County Clerk's Office (as well as the County and District Court Clerk's Offices in my state (Oklahoma).
The same is true for numerous Oil & Gas Leases filed publicly.

A better approach is the one Texas took a few years back, requiring anyone accessing the public documents to sign an sworn and notarized affidavit stating that any and all SSN that may