Catching criminals is hard work, and no one believes every lawbreaker will be brought to earthly justice. But we don't expect our government to aid and abet felons. That, though, is exactly what local public-records and law enforcement agencies are doing - often unwittingly and in the name of improved service - says a Madison privacy and information security expert.
Putting public records like liens and accident reports online does make it easier for citizens to access them without standing in a queue at a counter. The problem, says Joe Campana, is that it also makes it easier for identity thieves to exploit poorly secured computer systems to rapidly harvest reams of private information.
"They can use it for employment. They can use it to get medical treatment. They can open financial accounts," says Campana, whose firm, Crime victims Most people, notes Campana, primarily associate identity theft with credit or debit card fraud - which does happen. Just ask Dave McCann, an executive producer at 1310 WIBA radio in Madison. McCann got off work one Saturday night in April, swung by the PDQ to pick up some groceries and had his debit card declined, though he'd used it the day before without any problem. "So I got home, logged on to the account and saw all these different charges totaling about $2,000 in Cincinnati," he says. It took a few days, a number of phone calls and a trip to his bank to get the problem cleared up. But McCann was relatively lucky. Indeed, Campana doesn't think of most credit card fraud as genuine identity theft, although it's legally considered such. Single institutions like bank or credit card companies have departments and policies to address fraud. Unauthorized charges will typically be dismissed. A case like Kristin Hanna's is more difficult. Hanna, a middle school teacher in River Falls, got a call from Citibank in August 2005 asking her to confirm that she'd applied for a new credit card. She hadn't. The Citibank rep told her the application had been flagged as suspicious. So Hanna did some digging into her own credit record and discovered that a woman in Rockford, Ill., had been opening accounts in Hanna's name since January of that year. "She was basically using my information for everything," Hanna says. "Her cell phone, bottled water delivery. She'd just set up electrical service at her house and looked into purchasing a car. Her home phone." Like many crime victims, Hanna felt violated as well as bewildered; she still doesn't know how the thief got her Social Security number and other private information. She estimates she spent 48 hours on the telephone the week she discovered the theft, plus more time photocopying, faxing and mailing affidavits and other paperwork to the three major credit reporting agencies and other institutions. In the process, Hanna managed to gather some information about the thief. She says she passed this on to the Rockford police department, which did nothing with it: "They just said they had much higher crime to deal with." Hanna did get her credit record cleaned up and the outstanding debts in her name taken care of. "Then, two years later, I received a collection notice in the mail," she says. Despite a credit fraud alert on her name, a Rockford pet store had approved financing for the same thief to buy a $400 dog. That meant more phone calls, more affidavits and more photocopies. The faint silver lining was that because the pet store pressed charges, the thief was arrested. But because of all the alerts and protections she's placed on her accounts, Hanna says even getting a new cell phone account requires a pile of paperwork. They've got your number Because identity theft creates confusion over a person's, well, identity, it presents complications that other crimes don't. Jane Berg of Lake Mills wanted to help her son Andrew sort things out after a roommate wrote $15,000 of bad checks in his name, but creditors weren't authorized to deal with anyone but him. And when Jennifer Hanson, a casualty adjuster with American Family Insurance in Madison, got a call from a collection agency about a speeding ticket in Colorado - where she'd never been - she was told she had to provide a copy of the ticket before the agency could remove the charge. But she couldn't get a copy because the ticket wasn't hers. In 2004, in a case that garnered some media attention, a career criminal stole a Rock County man's identity and used it when he was arrested on a drug charge. That meant the victim suddenly had a criminal record. He tried to clear up the mistake, but the felony charge led to his being fired from a part-time job. Later, when he was laid off from another job, he was denied unemployment benefits because records showed the firing had been for cause. Campana worries that identity thieves could even mess up a person's medical records: "Say somebody used my identity to get a job, got health insurance and found out they were diabetic. I could go into an emergency situation, they pull my records up, they think I'm diabetic, and they go, 'Oh, we can't give him these types of drugs because he's diabetic.'" The nonprofit Privacy Rights Clearinghouse reported that about half of all identity theft cases in 2005 weren't directly related to finance, and Campana says the number is rising. That's why he believes individuals, businesses and government need to protect personal data. "What can you do with a Social Security number?" he asks, producing a card. He hands it over. "Can you tell it's not real?" The card certainly looks real, and most folks probably wouldn't question it, if not for the obviously faux name and number: "Annie Buddy, 123-45-6789." "If I were a felon or an illegal immigrant or somebody else who didn't want to be identified, I'd give it to a business, and I've got unlawful employment," he says. "Here's the impact: They're going to report my wages to the IRS and the state Department of Revenue and the Social Security Administration, so whoever's number this is, her records are going to get screwed up." Just put in a name A native of Buffalo, N.Y., Campana moved to Madison 21 years ago to head a high-tech firm. Ten years later, he became an independent consultant and took a training gig with an international insurance company marketing a product to prevent identity theft. "Through that work, I realized that the gateway to control identity theft is through businesses and other organizations," he says. Most multinational corporations have a handle on the problem, but smaller companies tend not to. "And there's upward of 25 million of them in the U.S." To that end, Campana formed his firm - which consists of himself and a rotating set of fellow consultants and colleagues. A chemistry Ph.D. who did postgraduate work at Johns Hopkins medical school, Campana thinks that he's probably a little more "techie" than most folks his age ("I started using computers back when you had to program them with ones and zeros"), which gives him a better handle on the dangers present in a digital world. Campana is especially bothered that personal data of potential use to criminals is routinely made available by local government. "The city of Madison wants to make it easy for people to get information on accidents, so they scan in accident reports and put them on the Internet so that anybody can see them," he says. "You can just put in a person's name." He's right: Go to the accident reports section on the Madison Police Department's website (under ePolicing), enter a generic first and last name, and chances are good an accident report will pop up. "Here's one that has two people," says Campana, looking at a report thus obtained. "It shows their driver's license numbers, date of birth and expiration dates." Campana tells of a business that, for about $90, will produce a fake Wisconsin driver's license using any photo and information provided. It's not legal, but the business he's talking about is in Australia. "The companies that sell machines for making driver's licenses will sell them to anybody who wants to buy them," he says. Capt. Carl Gloede, in charge of records for the Madison Police Department, says the reports are all public under the state's open records law, and are posted as a convenience - not just for citizens but insurance companies. He says fields have been added for middle initials and addresses, to make it harder for people to find information that isn't theirs. Also, after hearing from critics, the MPD stopped posting reports longer than three months. But this drew complaints from some users, upset that older records were no longer available. Says Gloede, "We're trying to reach a balance." Exposing the vulnerability Until recently, real estate documents containing personal information including Social Security numbers could be obtained through the website of the county register of deeds. A thief would have to pay a small charge to run the search, but, Campana says, the returns are well worth it: "When you get a Social Security number, you're going to sell it for $100 to $150 - and you're going to sell it again and again and again." Campana became interested in this subject after serving as a consultant on a court case in Evansville, in which a former resident sued the town for $5 million after municipal employees gave her new address to an abusive ex-husband. "I had previously been focusing only on small businesses," he says, "but I thought towns, counties and cities needed to know they're supposed to protect people's personal information." He spoke about the subject in May 2007 at a meeting of the Dane County Towns Association. This spring, he checked to see if sensitive information was still available online through the county. "I went to see if I could find anything on the two people running for county executive," he says, removing a sheet of paper from a folder. "So here's a mortgage document with Kathleen Falk's name on it. You can see it shows her Social Security number." He found a similar document for county Supv. Eileen Bruskewitz and approached her with it. Bruskewitz was surprised - she'd thought the county had taken steps to redact that kind of information two years ago, after the DCTA meeting. Once Campana brought the vulnerability to Bruskewitz's attention, it received some press, and the register of deeds addressed it. Now, specialized software scans the digitized documents to search for anything that looks like a Social Security number and blacks it out, says Kristi Chlebowski, the county's elected register of deeds. A limited-term employee is double-checking the software's work manually. Nearly 70,000 documents have been fixed so far, says Chlebowski. In the meantime, anyone searching for certain kinds of records via the county's website gets an "Image Not Available" message. Chlebowski agrees there was a need to redact the information. But, she says, Campana didn't have to call attention to the issue the way he did. "He never brought it to my attention. He went to the press," she says. "I think it could have been handled in a totally different manner." Campana says Chlebowski was present at the towns association meeting in 2007 where he spoke about the vulnerability. And he says that, after downloading the document with Falk's personal information, he gave Falk's office about two weeks to respond before he talked to the press about Dane County's vulnerability. 'The public needs to know' There is, as Campana admits, a nebulous quality to the dangers he describes. No one knows for sure that anyone has actually stolen identities using information made available by the county. Add to this his own vested interest, as a professional security consultant, in publicizing these dangers and it's fair to ask if he isn't exaggerating the threat. Campana says that while he's not opposed to making money, that isn't his primary motivation. "I've conducted hundreds of free public-service presentations," he says. "People can make the argument that I have a vested interest, and certainly, there's potential that somebody can come to me and ask for my services, but quite frankly, it hasn't happened." The other criticism he faces is that, by making vulnerabilities in government systems known, he's just giving criminals ideas. Campana rejects this out of hand. "Thieves are aware of how to do this. This is their profession," he says. "The average citizen is shocked to find out this information is available. But just because you don't know how to drive an 18-wheeler, that doesn't mean there aren't professionals who know how." And even if there are some scoundrels who might take a hint from his alarms, Campana isn't backing down: "Might you give ideas to a petty crook who doesn't already know how to do this? Sure, but the public needs to know, and we need to get the local government to do something." In early June, Bruskewitz emailed state Reps. Marlin Schneider and Brett Davis and state Sen. Jon Erpenbach and asked them to form a legislative study committee to address the issue of redacting unnecessary personal information in public records. No committee has been formed. But Julie Laundrie, an aide in Erpenbach's office, says the senator is in the process of drafting a bill, which should be finished in August, that would require county agencies to redact data like Social Security numbers in electronic documents and provide a funding mechanism for it by increasing the fees for access to those records. Of course, on the other side of the issue are concerns that the government ought not to be in the business of restricting access to public records. One solution is for the government not to collect personal information deemed too sensitive to share. Peter Fox, executive director of the Wisconsin Newspaper Association, says that many public and private entities are moving away from using Social Security numbers as identifiers, and that it "would help immeasurably" if everyone did so. "And freedom-of-information and privacy-protection advocates working together will develop a better solution than each side working from opposite corners," he adds. Campana stresses that his aim isn't to suppress most information - just certain kinds of sensitive data. "As an investigator, I don't want transparency reduced," he says. He simply thinks there's an imbalance that local governments need to correct. "If a financial institution were to put this online," he says, holding up the mortgage document that contains Kathleen Falk's Social Security number, "they could be fined up to $1 million, and their executives could get up to 10 years in prison. Yet the county can just throw this stuff on the Internet for anybody to get ahold of. There's a schizophrenia in the laws." To catch an identity thief "It's hard to stop it at the back end," says security expert Joe Campana of identity theft. "It's hard to catch the criminals. Usually who gets caught is the poor illegal immigrant using a Social Security card who's been told he had to buy it to get a job and thought he was doing the legal thing. But there's a lot you can do on the front end." As of Nov. 1, businesses must comply with the federal Red Flags Rule, which requires that they authenticate the identities of all their customers to reduce identity theft. The amount of work it takes to comply varies. Businesses whose clients are other businesses have an easier time, as it's usually simpler to determine whether a company is legit than whether individuals are who they say they are. Those who deal with consumers have more to do, although Campana says compliance for most small businesses is straightforward, and ultimately beneficial to the company anyway. "Who wants to be opening up fraudulent accounts?" Don't be a victim No one is 100% safe from identity theft, but there are steps you can take to reduce the threat, or to mitigate the damage if you're already a victim. Joe Campana offers these suggestions:
Sometimes the nonprofits advise against hiring such restoration services, Campana says, "because they say you can do it all yourself." That's true, but doing it yourself takes time. "If you see value in these services," he says, "buy them."