[EAS] ID Theft Kit

pjk pjk at design.eng.yale.edu
Wed Oct 27 16:58:51 EDT 2004

Subject:   ID Theft Kit

(from NewsScan Daily, 27 October 2004)

                              (by Chey Cobb & Stephen Cobb)
      A few years ago, when the dot com bubble was still bubbling,
legislators in the State of Florida got the 'technology bug' and
mandated that all Florida counties put all public records on 'The
Web.' We have no idea if the companies that make the hardware and
software used to implement the mandate handed out campaign
contributions to encourage this technology leap. But a lot of money
has been spent on such technology in the years since, from dozens
of high speed scanners to terabytes of storage and thousands of
lines of Web code.
      The result? A large group of people, and even the country as a
whole, is probably a lot less safe than it used to be. To
understand why, take a look at a Web page we have put up to
demonstrate: <http://www.privacyforbusiness.com/example1.htm>
      The link on the right shows you a prime example of what can
happen when people don't fully grasp the relationship between
privacy, technology, and human nature. Anyone on the planet with an
Internet connection can now find intensely personal details about
individuals who have lived in, or passed through, Florida.
      One such class of persons is elderly folk whose relatives have
filed power of attorney (these records sometimes include banking
data along with SSN and signature). Another worrying class of
victims is U.S. military personnel. You can find out what their
specialties are, their Social Security Numbers, addresses,
relatives, signature, and so forth.
      The example we give is one of these, from Duval County, the
most populous county in Florida. What you will see is the record as
it appears on the Web, except that we added red ink to blot out key
portions of the name of this particular person. If you go to the
Duval County Web site, from any country in the world, you can find
thousands of records just like this, with the name and SSN in
place, NOT crossed out. Many of these people are not Florida
residents, they just happen to have left the service while in
      The legislators who mandated this state of affairs were not
alone in their failure to realize that "The Web" is the same "World
Wide Web" you can access from anywhere, from Boca Raton to
Bulgaria, Tampa Bay to Turkistan. A number of federal government
agencies took the same leap off the cliff of common sense in their
eagerness to save money by automating public access to information.
The basic mistake was to think of the Internet as the American
public. Perhaps their Internet bubble was a Venn diagram in which
the set of all U.S. citizens neatly coincided with the set of all
Internet users. In the very early days of the Internet that might
have been forgivable, but these days, when the evening news
routinely pulls its footage from Islamic fundamentalist Web sites,
you would think we'd all be a bit wiser. Apparently not.
      Consider how you get to these records, many of which are the
perfect starting point for the crime of identity theft. You would
think that you would need to know a specific person's name to find
public records pertaining to them. But no, in Duval County you can
simply ask to see all records of a particular type within a valid
date range. In other counties you can't browse all records at once,
but a very lame search mechanism lets you enter a single letter for
a last name, like "A," and thus browse all persons whose name
begins with "A," from Aarnem to Aziz. At some sites, including
Duval, you don't even need a document viewer like Acrobat because
the county provides one for you.
      Needless to say, we think this type of access to people's
private information is wrong. Our government does not have the
right to publish to the world our Social Security Numbers,
signatures, and other personal details (and this doesn't even get
into the whole issue of Florida juvenile records wrongly placed in
the public domain). Things need to be changed. If anyone would like
to contact us about efforts to effect changes we will try to do
what we can to help.
      What sort of changes are needed? Well, expunging all Social
Security Numbers would be a start, but even easier would be the
requirement that you need to know the name of the person whose
public records you are seeking. And personally, we see no reason
for military discharge papers to be made available at the county
level. Why not make that a responsibility of the branch of the
armed services in which the person served?
      In the broader scheme of things Americans need to do some
serious thinking about what 'public record' means. Stephen is
sitting in a bar in Amsterdam right now, looking at military
service records of people from Alabama to Wyoming. He's also
viewing aerial photographs of properties in our Florida
neighborhood, then pulling up the names and addresses of the
owners, seeing what they paid for their homes and if their taxes are
current. Does he have a right to do that? From there? And what
about the fundamentalist who might be sitting next to him in that
      [Chey Cobb, CISSP, the author of "Cryptography for Dummies"
and "Network Security for Dummies," is a former senior technical
security advisor to the NRO. Her email is chey at aug dot com.
Stephen Cobb, CISSP, is the author of "Privacy for Business" and
Chief Security Executive of STSN. His email is scobb at cobb dot
