|They’re among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver's license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access.
The exposure follows the failure to redact sensitive information from land records and other public documents posted on the Internet and makes county Web sites a veritable treasure trove of information for identity thieves and other criminals, according to a number of privacy advocates.
“These sites are just spoon-feeding criminals the information they need,” said B.J. Ostergren, a privacy advocate based in Richmond, Va. “But no one appears to be seeing it and nobody’s changing the laws,” she said.
Among the pieces of personally identifiable information from county Web sites made available to Computerworld by Ostergren and other privacy advocates were: Rep. Tom Delay’s Social Security number on a tax lien document; the Social Security numbers for Florida Gov. Jeb Bush and his wife on a quit claim deed from 1999; driver’s license numbers, addresses, vehicle registration information, height and race of individuals arrested for traffic violations; names and dates of birth of minors from final divorce decrees and family court documents; and even complete copies of death certificates with Social Security numbers, dates of birth and cause of death. (The Social Security numbers for Bush and his wife have been redacted and are no longer available online.)
“All of this information is available to anyone sitting in a cafe in Nigeria or anywhere else in the world,” said David Bloys, a retired private investigator who publishes a newsletter called "News for Public Officials" in Shallowater, Texas. “It’s a real security threat.”
Those concerns follow news that personally identifiable information belonging to an unknown number of current and former residents of Florida are available online because sensitive information has not been removed from public records posted on county Web sites in that state.
It’s unclear exactly how many of the 3,600 county governments in the United States do the same thing, said Mark Monacelli, president of the Property Records Industry Association, a Durham, N.C.-based industry group set up to facilitate the recording of, and access to, public property information.
But it’s safe to assume that many of them are posting sensitive data online, based on the trend by local governments to provide Web-based access to public records, said Darity Wesley, CEO of Privacy Solutions, a privacy consultancy for the real estate industry based in San Diego. “I think a lot of [county] recorders have been putting [images of] public land records on the Internet without any concern about who has access to it,” Wesley said.
But while the public access efforts raise privacy concerns, those worries need to be tempered with an understanding of the benefits from easier access to public land records, according to both Wesley and Monacelli.
“This whole topic of access to information is an issue that we as a nation are facing,” Monacelli said. “We have real estate professionals, title companies, attorneys and lenders who need this information for commerce purposes.” He argued that easier information-sharing enables more efficient mortgage and loan processes, for example.
“There’s a real need to keep the information flowing,” Wesley said, adding that while there’s a real need to protect data “at all costs,” there’s little evidence so far that the public availability of personal information on government sites has contributed to identity theft. For most identity thieves, the effort involved in sifting through millions of public records for sensitive information is simply not worth it, she said.
“There’s a lot of value in public records, and shutting down access to them” over privacy concerns would be a step backward, she said. “Rather than wrap a lot of fear and sensationalism” around the issue, what is needed is an informed discussion of the issue by legislators and privacy advocates.
The list of document images posted on county Web sites as part of the public record includes copies of property and tax records, motor vehicle information and court files. In some cases, documents relating to military discharges, family court records, juvenile court records, probate law documents and death certificates are also available. Much of the information has been freely available for public purchase and inspection at county offices for a long time, said Sue Baldwin, director of the Broward County Records Division.
“Professional list-making companies have always purchased copies of records and data from recorders to use in the creation of specialized marketing lists, which they sell,” she said. So, too, have title insurance underwriters and credit-reporting agencies. “Land records are public all over the country. This is not a new situation.”
Even so, privacy advocates say the move to post public records on the Web without removing personally identifiable information has greatly broadened access to sensitive data and the potential for misuse. “The simple truth is these records were safe in the courthouse for 160 years,” Bloys said. Now, all it takes is Internet access and a very rudimentary idea of how to look for data to find all sorts of information, he said.
Ostergren, for instance, claims to have harvested more than 17,000 Social Security numbers simply by “messing around” in county Web sites over the past two years. Among the countless nuggets Bloys turned up was the complete medical history of a terminally ill county official.
“I understand people’s concerns, but a lot of this information has been freely available for public inspection since Plymouth Rock,” said Carol Fogelsong, the assistant comptroller for Orange County, Fla.
She argued that the number of documents containing sensitive information may be lower than people assume. Orange County, for example, is in the midst of inspecting about 30 million pages dating back to 1970 for Social Security numbers, bank account numbers, credit card numbers and debit card numbers. So far, 7 million pages covering 2.2 million documents recorded between June 1, 2002, and April 30, 2005, have been inspected: Out of those pages, 119,000, or 1.63%, have information that needed to be redacted.
Fogelsong noted that people who want information removed can request that it be redacted. Very few documents filed in the public realm require sensitive data anyway -- but it is up to inviduals to make sure that it doesn't get into these records to begin with. "I would love if people would check their records on their own" to ensure no private information is publicly disclosed, she said.
Most counties around the country allow residents to immediately have their personal information expunged from public records on the Web. But indviduals have to usually make a written request and provide details on the Book and Page number where the information exists. In fact, consumers have a responsbility to ensure that public records do not carry Social Security numbers and other personally identifiable information, she said.
Computer World Security