Check out this pretty outrageous story that clever AP reporter Ken Maguire came up with. Maguire’s story calls Secretary of State Bill Galvin out for a failing that is startlingly reminiscent of the DevalPatrick.com privacy flap. Awkward for Galvin, since he was the one banging the drum for DP.com to be taken down.
It turns out, you see, that it’s really really easy to dig up lots of personal information — home addresses, bank account numbers, even social security numbers — right on Galvin’s state website. In particular, Galvin’s site makes publicly available all of the Uniform Commercial Code (UCC) financing statements that are on record with the state. These statements are used in secured lending — whenever a lender secures a loan with personal (as opposed to real) property, the lender has to file a UCC form with the state in order to inform other potential lenders that the property is encumbered.
The problem is that these UCC forms often contain sensitive personal information, including social security numbers and bank account numbers. That problem could be minimized by Galvin not making the database publicly available to anyone with access to the internets. Or by scrubbing the electronic versions of the forms before posting them. Or by not making them available on his site at all, instead requiring lenders to do whatever they did before the internet. (The problem can’t be eliminated completely, because UCC forms have to be publicly available in some fashion if they’re to serve the function they’re designed to serve.) But Galvin has not chosen any of those courses.
To see if the AP story checked out, I typed in a couple of random names into the database. It took me exactly one try to bring up a UCC form that listed the borrower’s home address and social security number. Oops.
Here are Galvin’s lame explanations.
“This is standard practice in the business world,” he said. “It’s necessary for commerce. There are people who are reliant upon this system.” …
“[DevalPatrick.com is] very different from what we’re talking about here,” Galvin said, who was aware of his office’s policy when he criticized Patrick. “The governor’s site is a political committee. Our site is a governmental function. This is an essential part of commerce.”
Sorry Bill, but that’s crap. Yes, access to the UCC forms is important for lenders. But no, you don’t have to make them publicly available, in a single database, accessible to everyone in the world with no security. Remember, all the information in the DP.com database was publicly available too — the big criticism was that it hadn’t been so readily accessible in a single place before. And as for DP.com being a “political committee,” I don’t think the identity thieves much care who is paying the site’s hosting bills.
DP.com’s privacy issues have been fixed — took them about a day to do it. How’s your site doing, Bill, now that this has been called to your attention?
Galvin said his office would remove the Social Security numbers of any individual who calls and requests it. He said a software program would eventually remove the private information.