[EAS] ID Theft Kit
pjk
pjk at design.eng.yale.edu
Wed Oct 27 16:58:51 EDT 2004
Subject: ID Theft Kit
(from NewsScan Daily, 27 October 2004)
SAFE & SOUND IN THE CYBER AGE: FLORIDA'S ID THEFT KIT
(by Chey Cobb & Stephen Cobb)
***
A few years ago, when the dot com bubble was still bubbling,
legislators in the State of Florida got the 'technology bug' and
mandated that all Florida counties put all public records on 'The
Web.' We have no idea if the companies that make the hardware and
software used to implement the mandate handed out campaign
contributions to encourage this technology leap. But a lot of money
has been spent on such technology in the years since, from dozens
of high speed scanners to terabytes of storage and thousands of
lines of Web code.

The result? A large group of people, and even the country as a
whole, is probably a lot less safe than it used to be. To
understand why, take a look at a Web page we have put up to
demonstrate: <http://www.privacyforbusiness.com/example1.htm>

The link on the right shows you a prime example of what can
happen when people don't fully grasp the relationship between
privacy, technology, and human nature. Anyone on the planet with an
Internet connection can now find intensely personal details about
individuals who have lived in, or passed through, Florida.

One such class of persons is elderly folk whose relatives have
filed power of attorney (these records sometimes include banking
data along with SSN and signature). Another worrying class of
victims is U.S. military personnel. You can find out what their
specialties are, their Social Security Numbers, addresses,
relatives, signature, and so forth.

The example we give is one of these, from Duval County, the
most populous county in Florida. What you will see is the record as
it appears on the Web, except that we added red ink to blot out key
portions of the name of this particular person. If you go to the
Duval County Web site, from any country in the world, you can find
thousands of records just like this, with the name and SSN in
place, NOT crossed out. Many of these people are not Florida
residents; they just happen to have left the service while in
Florida.

The legislators who mandated this state of affairs were not
alone in their failure to realize that "The Web" is the same "World
Wide Web" you can access from anywhere, from Boca Raton to
Bulgaria, Tampa Bay to Turkistan. A number of federal government
agencies took the same leap off the cliff of common sense in their
eagerness to save money by automating public access to information.

The basic mistake was to think of the Internet as the American
public. Perhaps their Internet bubble was a Venn diagram in which
the set of all U.S. citizens neatly coincided with the set of all
Internet users. In the very early days of the Internet that might
have been forgivable, but these days, when the evening news
routinely pulls its footage from Islamic fundamentalist Web sites,
you would think we'd all be a bit wiser. Apparently not.

Consider how you get to these records, many of which are the
perfect starting point for the crime of identity theft. You would
think that you would need to know a specific person's name to find
public records pertaining to them. But no, in Duval County you can
simply ask to see all records of a particular type within a valid
date range. In other counties you can't browse all records at once,
but a very lame search mechanism lets you enter a single letter for
a last name, like "A," and thus browse all persons whose name
begins with "A," from Aarnem to Aziz. At some sites, including
Duval, you don't even need a document viewer like Acrobat because
the county provides one for you.

Needless to say, we think this type of access to people's
private information is wrong. Our government does not have the
right to publish to the world our Social Security Numbers,
signatures, and other personal details (and this doesn't even get
into the whole issue of Florida juvenile records wrongly placed in
the public domain). Things need to be changed. If anyone would like
to contact us about efforts to effect changes we will try to do
what we can to help.

What sort of changes are needed? Well, expunging all Social
Security Numbers would be a start, but even easier would be the
requirement that you need to know the name of the person whose
public records you are seeking. And personally, we see no reason
for military discharge papers to be made available at the county
level. Why not make that a responsibility of the branch of the
armed services in which the person served?

In the broader scheme of things Americans need to do some
serious thinking about what 'public record' means. Stephen is
sitting in a bar in Amsterdam right now, looking at military
service records of people from Alabama to Wyoming. He's also
viewing aerial photographs of properties in our Florida
neighborhood, then pulling up the names and addresses of the
owners, seeing what they paid for their homes and if their taxes are
current. Does he have a right to do that? From there? And what
about the fundamentalist who might be sitting next to him in that
bar?

[Chey Cobb, CISSP, the author of "Cryptography for Dummies"
and "Network Security for Dummies," is a former senior technical
security advisor to the NRO. Her email is chey at aug dot com.
Stephen Cobb, CISSP, is the author of "Privacy for Business" and
Chief Security Executive of STSN. His email is scobb at cobb dot
com.]
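
An added example, not part of the original column or of any county's system: one way a records search could enforce the two changes the authors propose (know the person's name, expunge SSNs), sketched in Python. The field names, sample records and the `redact_ssns`, `check_query` and `search` helpers are hypothetical.

```python
import re

# SSN-shaped tokens (123-45-6789 or 123 45 6789). Never-issued ranges
# (area 000/666/9xx, group 00, serial 0000) are skipped to cut false hits.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}(?!\d)")
# A whole name: 2+ chars, letters plus space/apostrophe/hyphen, no wildcards.
# ASCII-only is a simplification for this sketch.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' \-]*[A-Za-z]")

RECORDS = [  # constructed sample data, not real people or numbers
    {"last": "Aziz", "first": "Sam", "doc_type": "DISCHARGE",
     "text": "SSN 123-45-6789 signed S. Aziz"},
    {"last": "Aarnem", "first": "Lee", "doc_type": "POA",
     "text": "Acct holder SSN 234 56 7890"},
]


def redact_ssns(text):
    """Mask every SSN-shaped token before a record's text is served."""
    return SSN_RE.sub("XXX-XX-XXXX", text)


def check_query(params):
    """Return (allowed, reason) for a search request (hypothetical fields)."""
    last = params.get("last_name", "").strip()
    first = params.get("first_name", "").strip()
    if not last and not first:
        return False, "browsing by document type or date range is refused"
    if not NAME_RE.fullmatch(last) or not NAME_RE.fullmatch(first):
        return False, "full first and last name required"
    return True, "ok"


def search(params, records=RECORDS):
    """Exact-name lookup only; results are copies with SSNs redacted."""
    allowed, reason = check_query(params)
    if not allowed:
        raise PermissionError(reason)
    last = params["last_name"].strip().lower()
    first = params["first_name"].strip().lower()
    return [dict(r, text=redact_ssns(r["text"])) for r in records
            if r["last"].lower() == last and r["first"].lower() == first]
```

The name check only rejects initials and wildcards; it is the exact-match comparison in `search` that stops prefix browsing such as "A" through "Aziz".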