Government transparency site revealed Social Security numbers, other personal info

WASHINGTON (KUSI) – A federal government transparency website made public dozens, if not hundreds, of Social Security numbers and other personal information in a design error during a system upgrade.

The error, on a Freedom of Information Act request portal, was fixed after the government was alerted to the situation. For weeks prior, however, individuals’ sensitive personal information was available on the public-facing database unbeknownst to them or the government.

The government had published at least 80 full or partial Social Security numbers on the database. There were other instances of sensitive personal information, including dates of birth, immigrant identification numbers, addresses and contact details.

The glitch also exposed other sensitive information about individuals. In one instance, a victim of a violent crime seeking information about the case described the crime. In others, victims of identity fraud seeking more information about their cases had their Social Security Numbers exposed in the process. (In some instances, government agencies require Americans to submit FOIA requests for their own personal information.)

A spokesman for the agency that maintains the website said that the information has been protected. Participating agencies were also notified of the situation.

The portal, foiaonline.gov, is the one-stop clearinghouse for Freedom of Information Act requests to a number of government agencies, ranging from Customs and Border Protection to the Small Business Administration. It is designed to provide a streamlined and transparent way for Americans to request information from their government.

A design bug also revealed information about the requester with no safeguards for personally identifiable information.

The problem was with the feature that allowed anyone to search existing FOIA requests. The idea is that people can see what has already been requested, by whom, and in some cases what may have been provided. When users click through to the individual request, the description field is withheld, pending agency approval. Yet those descriptions were viewable in full on the search results page, including if Americans had included their or others’ Social Security numbers or any other personal information.

The FOIA clearinghouse is maintained by the Environmental Protection Agency, which provides the IT resources to keep it up. It is up to each government agency that uses the portal, however, to take care to input the information correctly.

When the website was switched from the 2.0 version to the 3.0 version on July 9, the masking feature for descriptions somehow ceased to exist. Upon being alerted, the EPA office managing the site said it attempted to re-mask everything that was an obvious privacy concern, including sensitive information like Social Security numbers.
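The failure described above, where the detail page withholds a field that the search page shows, is the kind of regression a post-upgrade check can catch. The Python sketch below is an added illustration, not FOIAonline's code; the record fields, function names and sample data are constructed for the example.

```python
import re

# Constructed sample records; field names are hypothetical, not FOIAonline's schema.
REQUESTS = [
    {"id": "REQ-0001", "approved": False,
     "description": "My identity theft case file, SSN 123-45-6789"},
    {"id": "REQ-0002", "approved": True,
     "description": "Water testing contracts, 2017"},
]
WITHHELD = "[withheld pending agency review]"
SSN_LIKE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

def public_view(rec):
    """Single choke point: every public page is built from this, never the raw record."""
    text = rec["description"] if rec["approved"] else WITHHELD
    return {"id": rec["id"], "description": text}

def detail_page(rec):
    return public_view(rec)

def search_results(records, term=""):
    # Filter on the masked view, so withheld text cannot be probed via search terms.
    views = [public_view(r) for r in records]
    return [v for v in views if term.lower() in v["description"].lower()]

def regressed_search(records, term=""):
    # Models the failure the article describes: the list page reads the raw field.
    return [{"id": r["id"], "description": r["description"]}
            for r in records if term.lower() in r["description"].lower()]

def release_check(records, search=search_results):
    """Post-upgrade check: list and detail views must agree and show no SSN-like text."""
    problems = []
    listed = {v["id"]: v["description"] for v in search(records)}
    for rec in records:
        shown = detail_page(rec)["description"]
        if listed.get(rec["id"], shown) != shown:
            problems.append((rec["id"], "search and detail views disagree"))
        # A set avoids reporting the same leak twice when both views match.
        for text in {shown, listed.get(rec["id"], "")}:
            if SSN_LIKE.search(text):
                problems.append((rec["id"], "SSN-like string in public output"))
    return problems

if __name__ == "__main__":
    print(release_check(REQUESTS))                    # masked path: no findings
    print(release_check(REQUESTS, regressed_search))  # regressed path: two findings
```

The pattern match is a backstop only; the primary control is that both pages render from the same masked view.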

However, because FOIA requests are public information, it is up to the agencies involved to determine whether to withhold information based on a case-by-case application of any FOIA exemptions. Thus, EPA said it was not able to simply turn on a blanket masking of all the descriptions on the 3.0 site, because that could have withheld things that agencies have already determined to be public.

After completing what EPA determined was within its ability, the notice went out to all the agency FOIA system administrators that they should check what was in their control and whether they wanted certain information public. That notice went out Thursday night after EPA completed its piece of the work.

While FOIA requests to the government are considered public, there are many exemptions that the government often applies to protect individual privacy.

EPA spokesman John Konkus said the agency would also investigate if further action was warranted.

“The EPA is aware and working with partner agencies to remediate an issue with the FOIAonline 3.0 system,” Konkus said. “The issue affects a limited number of cases and inadvertently displays descriptive information that may, in some instances, include Social Security Numbers. EPA will follow the Agency’s Breach procedures to evaluate the situation further and take the appropriate mitigation measures.”

It’s unknown how many individuals may have had information exposed in the glitch, and for how long. The transition to the new site occurred in mid-July, but older FOIA requests continue to be migrated to the new site.

“This is a really significant mistake,” said Nuala O’Connor, a former chief privacy officer of the Department of Homeland Security.

“These sorts of data points allow people to engage in identity theft or some kind of harassment, or other malicious behavior,” said O’Connor, president and CEO of the Center for Democracy and Technology, a tech-focused privacy and civil liberties advocacy group. “It puts potentially already vulnerable people at greater risk.”

There is no disclaimer about keeping sensitive information out of the request when users go to submit FOIA requests.

In fact, the Customs and Border Protection form encourages anyone seeking information about themselves to “please include as much information as possible to assist us in locating the record(s) you are seeking, to include your Date of Birth, Alien number [an identifier number for US immigrants], your parents’ names, and any Alias’ you may have used at the time of entry or apprehension.”

The Social Security Administration form, though, says the website is not the appropriate place to make requests about individual records.

A privacy notice linked to at the very bottom of the website does warn that “any personal information included in the comment form will be submitted to the Department or Agency to which your request is directed and may be publicly disclosed on FOIAonline or on third-party Web sites on the Internet.”

Even if there was some sort of disclosure anywhere about the risk of information becoming public, O’Connor said, “it defies logic and it defies expectation that anyone would think their Social Security number is being exposed when processing a request like this online.”
