Congressional record exposes military officers to identity theft, covers up

Rogue archivist Carl Malamud sez, "The front page of today's Stars and Stripes has a story about a privacy issue Public.Resource.Org has been working on for a couple of years:"
From 1971 to 1996, the U.S. Senate published, in the Congressional Record, the name and the full Social Security number of every military officer promoted. If the officer was senior enough, they printed their birth date as well just to make sure the wrong General Jones wasn't promoted. From 1997 until this year, they switched to only printing the last four digits of the Socials in a nod to privacy. (We'll remind readers of the recent article by John Markoff in the New York Times that explained how you can usually guess the first 5 digits of a Social Security number, and since Congress provides the last four digits, you have one-stop shopping for identity theft).

Public.Resource.Org learned of this situation when we copied all Government Printing Office (GPO) docs and put them on our server. A military officer wrote to me and said we had his social on our web site. We did a full scan on our archive, and it appeared that GPO forgot to redact two years of these numbers when they went on the Internet. We called their Inspector General, and they promptly put 50 people in a room and manually scanned every single page of the Congressional Record for those two years, performing the redaction of all SSNs. Of course, we immediately redacted our copies as well.

But, after that we ran into a brick wall. On the Internet, there's a security rule: when you find a bug, you give the vendor a little time to fix it, but then you notify the public. The reason you do that is otherwise you know the bad guys will all know about the bug, but the good guys won't. So, we started calling around and sending email to get things fixed, and ran into a brick wall with the U.S. Congress Joint Committee on Printing. This is the joint committee that has oversight of GPO and would be in a position to fix things. The staff of JCP totally refused to do anything. We had suggested that 3 things needed to happen:

1. All the commercial vendors that had the Congressional Record on-line should be notified so they could redact their copies. Likewise, librarians in the Federal Depository Library Program should be notified that their paper copies had problems.

2. The government should stop publishing even the last 4 digits of Social Numbers. There is just no reason to publish this in the Congressional Record.

3. The government should notify (and apologize!) to the roughly 500,000 military officers who are at heightened risk of identity theft.

To get the attention of the vendors, we drafted an Official FTC Complaint and sent it to the Federal Trade Commission and the Department of Defense, and then cc'd the vendors that had this data. The two major vendors quickly moved to redact. (Boing Boing readers may be amused to hear that there is no such thing as an "Official FTC Complaint," but we printed it in red and put a serial number on it and it certainly looked Official and got their attention.) But, the Joint Committee on Printing is still sitting on their hands and the Department of Defense appears oblivious. This is really unfortunate.

FTC response (PDF)


  1. Not to defend this mistake, but I have a Q about the flip-side of this: Why does a mere SSN give you such great power to steal someone’s identity?

    With “heightened awareness” of the sensitivity of the #, why isn’t there heightened sensitivity on the part of bank officers, credit card companies, and so on, to the fact that knowing a 9-digit number doesn’t prove jack shit?


    1. This.

      I’ve lived in countries where there is *GASP* no such thing as an SSN or equivalent. They make your signature one form of verification (you need to learn to sign EXACTLY the same every time) while they use good old fashioned photo IDs and pass-phrases. Works just fine.

  2. The ultimate problem, of course, is our dysfunctional relationship with the SSN. The same number cannot both be your OMG super Secret! password, sufficient to do all kinds of wacky financial stuff, and an ID number that all sorts of people routinely ask for.

    The problem isn’t that congress would publish the IDs of officers; but that those IDs are all that scammers need to do all sorts of things in their names. (and, quite cleverly, the financial world calls this “identity theft” which makes it your problem, rather than “bank fraud” which would make it theirs. It is impressive, is it not, that if a bank gives somebody money just because they say that they are you, it becomes your problem?)

    As long as the underlying problem remains, any putzing around with the details of where SSNs are likely to show up is just a bandaid.

  3. This is a bit tangential, but I’m surprised to see anything even this controversial from Stars and Stripes.

    I openly profess ignorance of them, but I had thought of that publication as being mostly a propaganda machine based upon what I’d heard of it (not always in the pejorative sense of the word propaganda, but in the sense that doesn’t expect much investigative reporting). I had sort of come to expect a lot of encouraging the troops and some mild jingoism and “the US is great!”

    It looks like I was wrong. How far under a rock have I been living?

  4. Stars and Stripes really does advocate for the military community even when the government screws up. I’ve been similarly surprised in the past.

  5. I agree with knodi and phisrow. Of course if people WEREN’T able to easily do “wacky financial stuff,” by simply giving out their SSNs they’d complain. Just as people complain when asked to show ID when using a credit card. Me, I figure that I’m the one being protected.

  6. The Stars and Stripes is an independent newspaper for military and their families who are overseas. It would not survive if it was merely a propaganda arm of the DoD. No one would pay for a bunch of DoD “rah, rah” crap. I had a subscription to it when I lived in Germany and it was like getting a local paper. It provided news of what was happening in the European theater and beyond. The troops are a varied bunch of people, like everyone else, not a bunch of automatons subject to DoD mind control.

  7. The Stars and Stripes has been pissing off the higher ups since Patton. And they’re now removing SSNs from military/dependant ID cards.

  8. @efergus3 — Any idea of a timeline on the removal of SSN from military ID cards? As the husband of an active duty member of the Air Force, I was glad to see that my SSN has finally been removed from my ID, but my wife’s SSN is still printed on both her ID and mine. You’d think an organization whose entire purpose is to promote security wouldn’t put its members in a position where they’re a lost/stolen wallet away from easy identity theft.

  9. I think phisrow is correct: the misuse of personal information will be the consumer’s problem. Maybe we should all pressure the media writers to call it “bank fraud”.

  10. Much better to simply make a federal standard for the verification of identity which does not rely on ssn, and a law which mandates usage in certain applications (as we do now for banking… through the ssn). There’s absolutely no excuse for the use of ssn as a form of identification. They were neither intended for that purpose, nor do they adequately serve that purpose.

    The technology exists; we simply need to implement it.

  11. The DOD and other government organizations would be forced to respond if one of the officers listed filed a privacy act complaint. I’m pretty sure the publicly published Congressional record is not a Privacy Act system, and it is therefore against the law for it to contain personally identifiable information such as an SSN and DOB.
