Congressional record exposes military officers to identity theft, covers up

Rogue archivist Carl Malamud sez, "The front page of today's Stars and Stripes has a story about a privacy issue Public.Resource.Org has been working on for a couple of years:"

From 1971 to 1996, the U.S. Senate published, in the Congressional Record, the name and the full Social Security number of every military officer promoted. If the officer was senior enough, they printed their birth date as well just to make sure the wrong General Jones wasn't promoted. From 1997 until this year, they switched to only printing the last four digits of the Socials in a note to privacy. (We'll remind readers of the recent article by John Markoff in the New York Times that explained how you can usually guess the first 5 digits of a Social Security number, and since Congress provides the last four digits, you have one-stop shopping for identity theft).

Public.Resource.Org learned of this situation when we copied all Government Printing Office (GPO) docs and put them on our server. A military officer wrote to me and said we had his social on our web site. We did a full scan on our archive, and it appeared that GPO forgot to redact two years of these numbers when they went on the Internet. We called their Inspector General, and they promptly put 50 people in a room and manually scanned every single page of the Congressional Record for those two years, performing the redaction of all SSNs. Of course, we immediately redacted our copies as well.

But, after that we ran into a brick wall. On the Internet, there's a security rule: when you find a bug, you give the vendor a little time to fix it, but then you notify the public. The reason you do that is otherwise you know the bad guys will all know about the bug, but the good guys won't. So, we started calling around and sending email to get things fixed, and ran into a brick wall with the U.S. Congress Joint Committee on Printing. This is the joint committee that has oversight of GPO and would be in a position to fix things. The staff of JCP totally refused to do anything. We had suggested that 3 things needed to happen:

1. All the commercial vendors that had the Congressional Record on-line should be notified so they could redact their copies. Likewise, librarians in the Federal Depository Library Program should be notified that their paper copies had problems.

2. The government should stop publishing even the last 4 digits of Social Numbers. There is just no reason to publish this in the Congressional Record.

3. The government should notify (and apologize!) to the roughly 500,000 military officers who are at heightened risk of identity theft.

To get the attention of the vendors, we drafted an Official FTC Complaint and sent it to the Federal Trade Commission and the Department of Defense, and then cc'd the vendors that had this data. The two major vendors quickly moved to redact. (Boing Boing readers may be amused to hear that their is no such thing as an "Official FTC Complaint," but we printed it in red and put a serial number on it and it certainly looked Official and got their attention.) But, the Joint Committee on Printing is still sitting on their hands and the Department of Defense appears oblivious. This is really unfortunate.

FTC response (PDF)