Check out this pretty outrageous story that clever AP reporter Ken Maguire came up with. Maguire’s story calls Secretary of State Bill Galvin out for a failing that is startlingly reminiscent of the DevalPatrick.com privacy flap. Awkward for Galvin, since he was the one banging the drum for DP.com to be taken down.
It turns out, you see, that it’s really really easy to dig up lots of personal information — home addresses, bank account numbers, even social security numbers — right on Galvin’s state website. In particular, Galvin’s site makes publicly available all of the Uniform Commercial Code (UCC) financing statements that are on record with the state. These statements are used in secured lending — whenever a lender secures a loan with personal (as opposed to real) property, the lender has to file a UCC form with the state in order to inform other potential lenders that the property is encumbered.
The problem is that these UCC forms often contain sensitive personal information, including social security numbers and bank account numbers. That problem could be minimized by Galvin not making the database publicly available to anyone with access to the internets. Or by scrubbing the electronic versions of the forms before posting them. Or by not making them available on his site at all, instead requiring lenders to do whatever they did before the internet. (The problem can’t be eliminated completely, because UCC forms have to be publicly available in some fashion if they’re to serve the function they’re designed to serve.) But Galvin has not chosen any of those courses.
To see if the AP story checked out, I typed a couple of random names into the database. It took me exactly one try to bring up a UCC form that listed the borrower’s home address and social security number. Oops.
Here are Galvin’s lame explanations.
“This is standard practice in the business world,” he said. “It’s necessary for commerce. There are people who are reliant upon this system.” …
“[DevalPatrick.com is] very different from what we’re talking about here,” Galvin said, who was aware of his office’s policy when he criticized Patrick. “The governor’s site is a political committee. Our site is a governmental function. This is an essential part of commerce.”
Sorry Bill, but that’s crap. Yes, access to the UCC forms is important for lenders. But no, you don’t have to make them publicly available, in a single database, accessible to everyone in the world with no security. Remember, all the information in the DP.com database was publicly available too — the big criticism was that it hadn’t been so readily accessible in a single place before. And as for DP.com being a “political committee,” I don’t think the identity thieves much care who is paying the site’s hosting bills.
DP.com’s privacy issues have been fixed — took them about a day to do it. How’s your site doing, Bill, now that this has been called to your attention?
Galvin said his office would remove the Social Security numbers of any individual who calls and requests it. He said a software program would eventually remove the private information.
How comforting.
laurel says
Addresses on DP.com were one thing (which I complained about at the time), but posting SSNs is a whole nother level of privacy gone awry. Not smart, Galvin. Identity theft is a big and ugly problem. Sad that it is being facilitated by the sec’y of state.
It’s worth reminding people, since we’re on the subject, that many health insurers use SSNs as default ID numbers. You can request a non-SSN # be issued. Also, doctors’ offices routinely ask for SSN. I always say “I don’t give out that number”, and I never ever get an argument. They like to have it, but they can’t demand it. Worth keeping in mind…
sharoney says
that “eventually” part. Nice sense of urgency, Mister Secretary of State.
mae-bee says
The state agencies have no standards on data security. Anything goes. I’ve been told that ITD will be hiring someone soon to head a data security element there. Let’s hope they get a real professional that can develop some standards and get other agencies to go along. A big sell there.
Too, Massachusetts laws seem to handle computer crime much like spitting on the street. Not much incentive to clean up an agency’s act. Although, hats off to the RMV for doing away with Social numbers on Driver’s Licenses. A small start.
nopolitician says
While I don’t think that Social Security numbers should be posted on any website, I’m a little frightened that this could swing the pendulum too far backward. I think it is a great thing that public information is available on the internet. It allows the average citizen to become a watchdog (check those deed transactions), it allows people to make more sound decisions (zoning information freely available), people can get a handle on what their police are up to (arrest reports available), they can find out just who is behind that corporation that just signed a contract with local government. It basically allows anyone to find out what only the connected once knew.
I would think that the issue is not about the internet here – it is about Social Security numbers being left in the public view. If anyone can go to whatever agency and find them, that’s just as bad as someone going onto the internet to find them.
Online availability of information is a great source of sunshine.
david says
how do you feel about CORI reform?
nopolitician says
I think the distinction here is data that is considered prejudicial. It’s not prejudicial to know the owner of a corporation. It’s not prejudicial to be able to look up the guy who just bought the house next door to you and let it become run down. It’s not prejudicial to know that your neighbor paid $350,000 for her house. It’s not prejudicial to know that a property down the street has been reported to code enforcement.
Things like divorce proceedings, criminal proceedings, bankruptcies (which are currently printed in the newspapers) are different in my eye. So are social security numbers, credit card numbers, etc. I have no problem with birthdates or addresses, those are widely available now and we’re not seeing any ill effects.
I would agree that an arrest log is a grey area. I’d have no problems if names were redacted.
Regarding CORI, I think that arrests, but no conviction should not be available to anyone but law enforcement personnel. I think that other crimes should be available based on the nature of the employment. While I think that the words “sex crime” should pop up when someone is being considered to work with sensitive groups — women, children, etc, — it shouldn’t come up to the local warehouse operator for a guy driving a forklift. But drunk driving quite possibly should, in that case.
Think about this — if it is possible for every employer to check CORI for crimes, does it become negligence if someone does not check CORI and their employee causes some kind of trouble? Or does it become negligence if the local bakery hires someone with a record for assault, and he proceeds to assault a fellow employee?
At what point do we just decide that we lock up every criminal for life, since letting them back on the streets without any chance for employment, housing, etc., is more cruel punishment?
afertig says
eaboclipper says
1) The SSN should have been scrubbed. Just because Galvin’s office was stupid, doesn’t mean Deval is absolved.
2) There is also a matter of degrees here. Who on earth knew about this website? It took a full week and a half before somebody even came across it. The Deval Patrick website was advertised with a bang to the entire state through the media.
david says
2. I’m guessing the identity thieves knew all about Galvin’s little security slip, even if you didn’t. Furthermore, everyone knows about Galvin’s problem now. So that’s much of a defense.
david says
“that’s NOT much of a defense”
afertig says
I think David beat me to most of the punch, but let me just say this:
1) Indeed, just because Galvin does something stupid doesn’t mean Patrick should make a similar mistake. Except Patrick’s website wasn’t releasing Social Security Numbers, and everything DP.com released was already public information. The criticism of Galvin isn’t just that this website wasn’t secure. It’s that Galvin criticized Patrick’s website for being insecure in almost the same way that the website he himself is in charge of is insecure.
2) Wait, so, as long as it’s annoying enough to stalk somebody we don’t need to protect that information online? Look, anybody who really wants to can find somebody’s address. It’s just the world we live in, DP.com or no, state’s website or no. The point is–what level of information can somebody find? Is it all public information? Or is it something that could be used for identity theft? Your subdued response at this blunder (it was stupid) versus you calling this same concern Deval’s “biggest screwup to date” is telling.
Look, as I said earlier, many websites have privacy problems. Rudy’s website had problems, as I mentioned somewhere awhile back, and they fixed them, they moved on. DP.com had problems, they fixed them, they moved on. The site Galvin has problems, they will presumably fix them….eventually…and they will move on. This is all just to say that your previous commentary seems like it springs from politics, not genuine privacy concerns.
afertig says
eaboclipper says
afertig says
joe-f says
Come on, home address vs social security numbers? No contest– would you rather be sent junk mail, or have someone take out a credit card in your name? DP did make a mistake, and he fixed it immediately. Galvin doesn’t seem to realize that there is a whole online industry that has likely mined his site, and is now selling off the personal information of many people. Not too encouraging from a man who is supposed to act as a guardian of our privacy. Another whoops, I guess.
ryepower12 says
The level of Galvin’s hypocrisy is astounding. Imagine, the Globe gave him a resounding endorsement last election – and ‘couldn’t think of any reasons to criticize him’ (seriously, that’s a pretty close paraphrase).
raj says
Unlike DevalPatrick.com, it appears that the web site that you are describing is a state website, not a personal one like DP.com. It may be that the information that you are describing as being available at “Galvin’s” web site shouldn’t be freely available over the Internet (make it available on a “need-to-know” basis, which is not difficult to do), but it is not clear that Galvin himself was aware of the fact that all that information was available when it was initially made available.
That said, it is stupid for Galvin’s office, after being notified of the privacy issues, not to take down the web site to correct the privacy problem.
noternie says
Why bend over backward to not come down on him too hard?
Galvin said he was aware of his office’s policy when he criticized Patrick’s site. So in his mind there is no hypocrisy. He’s made some distinction in his mind.
I think he’s wrong. I agree with what some have said here: it’s worse.
Saying it’s a state site so maybe Galvin wasn’t personally aware of every detail is weak. Is there any evidence Patrick was in on more details of the site development than Galvin? Public or private, they are both the top person responsible for what their offices do. For better or worse.
It’s not fatal to either of them. I’m a bit more bothered by Galvin downplaying the importance of putting SS#s out there so readily available, though.
centralmassdad says
The Secretary of State site serves an important and commercially useful function of the state government– and is similar to other sites maintained by other states, whereas the DP site was for purely political cheerleading purposes.
laurel says
how long has galvin been sec’y of state? how long have ssns been plastered up on the internets? simply pathetic. so much for “the buck stops here”.
noternie says
I’m sure it’s a very useful tool that for-profit companies require to keep the world from falling apart.
But that end does not justify putting social security numbers on an easily accessible website, for anyone to abuse.
Have we gone this far?
I’m sorry, we need to eliminate pensions for the financial health of the company.
I’m sorry, health care is no longer available in order to maintain cost certainty.
I’m sorry, we need to move your job to India to satisfy share holder profit demands.
I’m sorry, most experienced valued employees, wage management requires laying you off in favor of newer, cheaper workers.
I’m sorry, we need to post your social security number online so we can reduce the cost of business research.
Why make it so easy for evil doers to get SS#s or other like information? If it’s not needed, take it out. If it’s needed, put tight restrictions on who can get at it.
I don’t care if it’s a political site, a state site or a private, for-profit site. That’s irrelevant to me.
steven-leibowitz says
I’m actually just as interested in a process question here, in determining the level of hypocrisy. Did Galvin approach the Patrick people privately first and say, hey, I think there’s a problem here, please take care of it. Or did he go right to the press, something I would find unsavory, given that we’re supposed to be on the same team. Either way, Galvin is not making many friends.
david says
I wonder how we can find out. Anyone got a contact inside the DP committee?
centralmassdad says
They’re the Secretary of State UCC and business entity records. I use these almost every day, and it would be lousy if they’re downgraded to paper records like the old days. Computerization of these records streamlines the process of commercial transactions; taking these sites down would be, IMO, far more business unfriendly than [closing tax loopholes/raising taxes on selected disfavored businesses].
Bankruptcy records, FWIW, have always been publicly available. For the past six or seven years, they have been available to anyone with an internet connection. A few years ago, the privacy issue was addressed, and social security numbers were scrubbed in cases filed after a certain date.
Galvin has to get some software that will scrub terabytes of data of certain numbers, without causing a massive disruption in commerce. “Eventually” is probably about as quickly as that can be done.
Also, this is probably an issue in most states; there are only a few that don’t make these records available on the web.
stomv says
Give. Me. A. Break.
Look — it’s a huge issue, because the SSN is the key to a person’s database. It grants the anonymous user tremendous power over a person’s life, unlike publicly available name, town, phone number data.
That Galvin’s site is a .gov demands that it’s under greater scrutiny, not less. That the website is useful for business doesn’t justify leaving the data online.
1. Take it offline.
2. Work your butt off to get it fixed as quickly as possible.
3. Put it back online.
4. Get re-elected.
Anything less is an embarrassment and far less than an adequate job.
centralmassdad says
I wonder if this problem is really all that severe.
Secured loans in consumer transactions are rare, because it costs money to file all the documents, and it just isn’t worth it for a lawn mower or dishwasher. In order for the process to be worthwhile, the transaction has to be for some serious money–that is, with someone likely sophisticated enough to know what a Tax ID number is.
Most of this kind of lending happens in a commercial setting. Sure, individuals borrow all the time in this context. The above poster makes a good point about the potential confusion on the UCC-1. But people engaged in business are held to a non-knucklehead standard. They put this information on a piece of paper that they KNEW would be viewable by anyone at anytime. They should know better.
So it sure seems to me that this is a problem that is relatively small in scope and probably exists in every state (they all use the same form, and used to use similar forms), in contrast to the DP site that listed every voter in the Commonwealth. So, Galvin’s response is appropriate. The problem certainly doesn’t warrant taking the system down.
So it seems to me that the solution should be: (1) advocate for a change in the standard form (it is not in Galvin’s power to change it); (2) post a warning on the “file” screen to remind people; and (3) to begin sweeping old records, whether manually or by software.
I’ve been bewildered by the screeching about this until I read Dan Kennedy’s site and was reminded that it was Galvin that pointed out the issues with the DP site. Now, I suspect reaction is a touch of revenge served by what is increasingly seeming like a cult of personality.
sk-jim says
The uniform commercial code does not require an individual debtor to put his or her social security number on a UCC-1 filing, but it does require a business entity debtor to put its “organizational ID” on the form (see here and click on File UCC-1 to see how the Massachusetts website requests the information). However, there is no guidance online saying that an individual should NOT put their SSN on the form.
Furthermore, if one were to file a written UCC-1, the standard form (i.e., not controlled by Galvin or the state in general) DOES request (even though it is not required) a debtor’s SSN. So I suspect what has happened over time is that people, not knowing better (or being advised to the contrary), simply filled in all the boxes on the form, including their SSN. Then the data is automatically uploaded to the SoS website for all the world to see.
I agree that UCC records must be publicly available, but both Galvin and the national monitors of the UCC should do the following:
(1) Alert filers of UCC-1 financing statements that they should NOT put their SSN on the form. This should be stated explicitly on the SoS website (this could be done today with a quick code update).
(2) The standard printed UCC-1 form should delete all references to SSNs and should also make clear that SSNs should never be put on the form.
As for SSNs that are already available, both in Massachusetts and elsewhere, a concerted effort should be made to go through all currently effective UCC-1s and purge SSN information. Access to terminated financing statements could be restricted until the states could go through those at a later time. Unfortunately, not all UCC-1s have been filed electronically (those should be easy to fix), so fixing printed UCC-1s will be a time (and money) consuming task.
theopensociety says
The simple thing would be to delete the requirement that social security numbers be provided on the UCC form. (I don’t believe it is required by the UCC, but I could be wrong.) Even if the filings are not on the internet, they are accessible by the public. So, installing software on the Secretary of State’s website to scrub the socials from the online versions will not solve the privacy problem.
By the way, why is it easy to get private information about people from the Secretary of State’s website, but it costs money to download copies of the state regulations? Shouldn’t that be free since we already paid for them with our taxes?
theopensociety says
He answered my question and described a solution more elegantly than I did. He must have posted while I was writing my previous post. Sorry.
jkw says
The real problem is that companies still act like your SSN is private. Your SSN should not count as identity confirmation for any purpose. It should be used by the federal government to track you for social security and income taxes. It should not be used for anything else.
It isn’t Galvin’s fault that banks are stupid enough to consider a SSN sufficient proof of who you are that they will give you a loan. The banks should be forced to write the whole thing off as a bad loan if they didn’t bother to confirm who you are. They should also be required to pay for all your legal expenses if they try to claim that they loaned you money when they actually loaned it to somebody else. Making the banks fully liable for all fraudulent loans would get them to come up with a solution real quickly. There are some things where the free market really is the best way to solve a problem.
Galvin should have taken the website down as soon as someone told him that it had people’s social security numbers on it. But even if he had done that, even if the website had never had SSNs available, it would still not solve the real problem.
I remember seeing something about a bill in the General Court that would require the credit reporting agencies to keep a secret password of yours on file. You would have the freedom to change it whenever you want to (unlike your SSN) and creditors would be required to verify it before giving you a loan. If you really care about identity theft, push for this to become a law. Not just for Mass, but for the whole country.
noternie says
another password to remember.
voice mail desk, voice mail cell, work network, online database, office security system, home computer, email, email2, email3, newsite, newsite2, shopping site, shopping site2, shopping site 3, shopping site4, shopping site 5, photo site, atm, bmg, parents home security, in-laws home security, home locks, satellite radio account, ipod/itunes and i think there’s a few for things relating to my kids (both under 2)
and now a password for social security, which already requires me to memorize the number itself.
i have to change some of these periodically and i’m not supposed to use anything obvious, easy to figure out or repeat the use of a password across any of these accounts. and for most i can’t use anything unless it’s between 6 and 12 letters. and i can’t use numbers or characters. except on the ones which require at least one number.
pardon me if i don’t register and logon to some online petition and “push” for this, jkw. my memory is taxed more than my income these days.
jkw says
Not a password for social security, a password for your credit history and for opening new credit accounts. You already have one of these. The problem is that it is assigned by the government the day you are born and it is almost impossible to change. Which means that if at any point in your life, someone steals your password, they have it forever. And so does anyone they sell it to. You are also required to put it on at least one form every year (taxes) and provide it to someone if you want a job.
SSNs were created for administrative purposes of tracking people. It is crazy to allow someone to claim that they are some person just because they can provide that person’s SSN. There is no way that you can be reasonably certain that any piece of information about you isn’t available to criminals if you have ever provided it to anyone else.
Why are you willing to put more effort into the security of your BMG account and news sites than the security of your finances? Which would you consider worse, someone stealing your BMG account and posting diaries and comments as you or someone stealing your identity and taking out thousands of dollars in loans that you will be responsible for paying off?
If you have too many passwords to remember, just make some of them the same. If the consequences of someone stealing a password aren’t very high, there is no good reason to make it unique or particularly difficult to guess. But when the consequences are severe and the reward to someone else of stealing your account are high enough, it is worth putting some effort into making it difficult for people to commit fraud. You could probably also set your password to be your SSN if you really wanted to.
noternie says
ease up on the trigger finger, there pardner.
peter-porcupine says
TIN (Taxpayer ID Numbers) also known as 04- numbers should be on the site. Any DBA with a bank account can and should get an 04- number. All corporations and businesses already have them.
Any necessary SS numbers (DBAs, trustees, etc.) should be partially posted, like you see on a receipt you get at a gas station or restaurant. Enough for a person to verify accuracy, not enough to steal an identity.
Galvin’s response has been enormously hypocritical, but that does not absolve Deval from the arrogance of telling Rosie’s Place to get over it before complying.
raj says
Galvin’s response has been enormously hypocritical
Galvin’s response has been stupid. But we’ve seen “stupid” before in a number of governmental officials, haven’t we?
After the SoS was notified of the issue, they should have taken the entire web site off line and made the private information available only on a “need to know” basis. That would have been the proper way to handle the problem.
Instead, Galvin’s office (apparently) excused his office’s action by saying something to the effect that “well, he did it, too.” Sorry, but that’s stupid.
Let’s call it what it really is. It’s not hypocrisy (well, kinda/sorta maybe). It’s stupid.
You are correct though, regarding TIN numbers. Regarding SS numbers, the final four digits should suffice on a web site–and if someone wants to have the entire number, they could request it on “need to know” basis, with the approval of the holder of the number. Quite frankly, the final four digits is what is generally shown on a credit or debit card receipt. But the SoS obviously wanted to do the web site “on the cheap” and not edit the information that they wanted to make public.