Travis County Clerk Pulls Images Offline
David Bloys - News For Public Officials June 28th, 2006
Travis County Clerk Dana DeBeauvoir has halted publishing the County's document images on the Internet, citing concerns about revealing individual citizens' personal data.
DeBeauvoir said she ordered the records taken offline at the request of residents worried about personal information available over the Internet.
DeBeauvoir should be commended for the respect she is showing the Travis County public. Despite pressure from companies outside her jurisdiction, she has put her constituents first. This is a big win for local citizens and a big loss for companies and criminals around the world who exploit county records online.
Austin and Round Rock residents have reason to be concerned that their sensitive information may have been breached by the county website. According to the Federal Trade Commission, Austin residents have suffered the second highest number of complaints in the state for identity fraud.
News for Public Officials has identified several leading citizens whose personal information was exposed by the County Clerk's website. The list includes, judges, legislators, and law enforcement personnel.
Scott Brown, an Information Security Analyst with the City of Austin became intimately involved with this issue when he learned almost two years ago that Travis County had published his marriage license online, which included his and his wife's names, addresses, social security numbers, birthplaces and driver's license numbers.
Mr. Brown contacted Ms. DeBeauvoir's office and asked the record be taken offline but was told by deputy clerks that he would have to file a petition with the court to have the record changed from public information to private (at a cost of at least $300).
Mr. Brown states on OpenNetworks.org , "I wasn't trying to change the status of the record. I had no problem with it being public. My problem was that this system was publishing records online in violation of the State of Texas' Public Information Act ( § 552.141. CONFIDENTIALITY OF INFORMATION IN APPLICATION FOR MARRIAGE LICENSE) and that Travis County could be held liable for any security breach that could be traced to their website. After all, I wasn't asking to invalidate the record; I was asking for the stupid web application to not publish the one pdf file that contained the information."
DeBeauvoir said her staff has been working to redact personal info from Public Records since the Legislature authorized county clerks to remove Social Security numbers from records in 2005.
Ms. DeBeauvoir stated she knows of no incidence where the information the County published online had been used by criminals.
Only one in seven hundred identity thieves are caught. Of those that are caught, an increasing number of criminals are confessing, even boasting, they found the information they needed from government websites.
Recently, Tom Zeller with the New York Times reported on a young drug addict who showed police in Maricopa County, Arizona how he easily gathered the information he needed to steal the identities of Phoenix residents from the County Website.
Maricopa County was the first county to publish real estate records online and today the Federal Trade Commission reports incidences of identity theft in Maricopa County are highest in the nation.
While finding your Social Security number displayed on the Internet is a shocking experience, Social Security numbers are by no means the only key to criminals using the records published by county websites.
Anything you can use to identify yourself can and has been used by identity thieves. Thieves use signatures, driver's license numbers, mother's maiden names, Medicare and Medicaid numbers, dates of birth, bank account numbers even the images of notary seals affixed to documents displayed on county websites.
The Federal Bureau of Investigation reports that deed fraud is epidemic across the country as identity thieves worldwide have learned how easy it is to copy a signature from a deed placed online. Recent notary seals can be copied from county websites and pasted below these signatures to produce a bogus deed that for all practical purposes appears to be a legitimate transfer of property.
This method may have been used to by identity thieves to steal a Denton County couple's home last summer. Police there reported the wife's signature, and driver's license number were used to create a bogus deed. Public Records researcher Lisa Ramsey found the wife's driver's license number and and several good copies of her signature on the Denton County Website.
Mike Hoyem with News-Press.com wrote a series of articles exposing the rampant deed fraud in Florida's online records exposed the county websites as the most likely source for the signatures and notary seals the criminals were using.
Addresses may not seem to be a particularly threatening identifier to have published on the Internet, but ready access to address information published by the government in electronic form cost actress Rebecca Schaeffer her life in 1989. In that case, a private investigator obtained Schaeffer's home address through the California motor vehicle database and sold the address to a stalker. The stalker used the information to stalk and kill Schaeffer.
In August 2000, the Boston Phoenix reported that Liam Youens used information he found in the online Public Records to stalk and kill twenty year old Amy Boyer. Youens had been obsessed with Amy since at least the tenth grade.
Youens wrote in his online diary shortly after finding the information he needed. "It is almost obscene, what you can find out about a person online."
At 4:30 p.m. Oct. 15, 1999, Youens murdered Amy as she left her job at a dental office.
Two weeks after Amy's funeral, identity thieves stole her identity to run up several thousand dollars in credit card debt for her grieving parents to deal with.
Protective organizations that provide shelter to abused women may be shocked to learn that many counties routinely publish the addresses of their secret shelters.
Travis County plans to republish the records online after redacting as many social security numbers as they can find in the next twelve months. This will leave most of the information criminals need readily accessible by anyone, anywhere in the world. Redaction is an ineffective method for removing information most often used by identity thieves, stalkers and terrorists. Ask Florida Governor Jeb Bush. His Social Security Number was redacted from the official government site but can still be found on sites all over the world.
Imaged signatures, maiden names, addresses, dates of birth, and medical information have all been used by criminals from records they access through county websites.
Ms. DeBeauvoir wasn't the first to come to the conclusion that publishing the records online could place her constituents in danger. Clerks and judges across the country are reexamining the practice.
Judge Robert H. Alsdorf, Washington, wrote in a memorandum ruling, "It is hard to conceive of a broader invasion of privacy than freely disseminating the information to the entire world and rendering it instantaneously accessible to all."
John Dozier, a lawyer at Dozier Internet Law PC in Glen Allen, says deed documents include all the information a criminal would need to steal someone’s identity.
Putting deeds online is "a horribly risky approach," Dozier said. "It certainly is the antithesis of consumer protection."
Bryan Sartin, director of technology for Ubizen, a unit of Cybertrust Inc. of Herndon, Va. was quoted in the Wall Street Journal, "The most effective method for protecting against such attacks is also the simplest -- disconnect databases containing sensitive information from the Internet. Systems like that should not have Internet access, period”.
While Travis County has taken a big step to protecting their citizens, other counties across the country continue to expose the sensitive information to criminals worldwide.
There are approximately twenty counties in Texas currently publishing records online with more making plans to go online.
The primary function of government is to protect its citizens. Ms. DeBeauvoir has taken the correct path to protect her constituents by pulling the records offline. She should be applauded. It makes no sense to make the records accessible outside the jurisdiction of the county. Texas law does not require it, and the citizens do not want it.
For more information about why redaction is failing please read