THE VIRGINIA WATCHDOG
05/04/08
Here's more of what Privacy Pete has to say about SSNs on the Riverside County, CA Superior Court Civil/Small Claims web site. It relates to these two Computerworld articles linked here and also his other posts on the CHP forum (see page 1 & page 2 of posts).
HIS COMMENTS:
I’ve been around the block a few times and just like you, there are times when bad things happen to me and I know something could have been done to prevent it. Sometimes I could have acted sooner to prevent the problem or in other cases, somebody I didn’t know could have looked out for me. These people, who choose to help others, are often referred to as Good Samaritans. Invariably, the decision and subsequent action required to be a Good Samaritan means the person has to go out of their way, work a little harder, take a little risk, get a little dirty, etc. A Good Samaritan is not paid to act kindly, is not paid to show compassion and is not paid to unselfishly help others. It is simply within their genetics to do what’s right when the time comes, when someone needs their help.
Well, men and women of the CHP, right now there are thousands of individuals that need your help. In a moment, I believe it will be clear why each of you needs to stand up for yourselves on this issue. You need to make your voices heard and you need to do so as soon as possible. At this same time, I do not want you to lose sight that although there are approximately 1,000 of you that have your social security numbers exposed on the Internet by the Riverside Court, there are likely tens or even hundreds of thousands of everyday citizens that also have their very private financial and medical information on the Riverside Court’s website. When / if the Riverside Court takes down your social security numbers, I hope you do not forget those thousands that may remain vulnerable by the same system and negligence you currently find yourself. If that time occurs, don’t walk away from this issue, don’t wash your hands of your fellow men and women... Instead, act kindly, have compassion, act unselfishly to help them. You may not get any rewards, accommodations, and some may even question your wish to remain anonymous, but at the end of the day, you’ll know you helped someone. You’ll know that you did what was right and not what was easy. It is with these principles that I write this message today.
When I first discovered this problem, the first thing I did was go directly to the Riverside Superior Court. They ignored me and refused to take any action to address the issue. I then wrote an email to Chief JoAnne McNabb (California Office of Privacy Protection) on February 21, 2008. After not hearing from Chief McNabb, I sent a follow-up email a week later on February 28, 2008. On that same day, Chief McNabb replied and indicated she had received my February 21, 2008 email, stating,
[Start of Chief McNabb email dated February 28, 2008]
“I did receive your email, and I am indeed very much occupied with preparations for our summit next week. I appreciate your concerns and after the summit, will be able to think about what we might do to help.”
[End of Chief McNabb email dated February 28, 2008]
I waited almost a month to hear from Chief McNabb regarding what, if anything, her office was doing in this matter. After not hearing anything, on March 26, 2008, I wrote a lengthy email and sent it to numerous individuals I believed could and would investigate this situation. The recipients’ email addresses were: william.vickrey@jud...ca.gov; mark.dusman@jud.ca.gov; shiela.calabro@jud.ca.gov; jfarrow@chp.ca.gov; jnewsome@chp.ca.gov; jhamm@thecahp.org; info@thecahp.org; aread@thecahp.org; joanne.mcnabb@oispp.ca.gov (please note that some recipients have since indicated they never received this March 26, 2008 email).
The only person to reply to the March 26, 2008 email was Chief McNabb and she wrote,
[Start of Chief McNabb email dated March 26, 2008]
“This is a challenging issue area, as you know, pitting open government against individual privacy. The examples you reference are certainly problematic. I looked at the Judicial Council's Rules on Public Access to Electronic Trial Court Records (Rules 2.500-2.507), but the types of records cited in your email do not seem to fall under these rules. We're continuing to look into the matter. I'll let you know what we ultimately learn.”
[End of Chief McNabb email dated March 26, 2008]
I replied to Chief McNabb on the same day with a lengthy email indicating why I believed “open government” didn’t require the release of these documents nor the release of social security numbers (you’ve read these same arguments in my previous posts on this forum). Approximately one week later on April 1, 2008, Chief McNabb sent me an email indicating she had sent a letter to Inga McElyea, Chief Executive Officer of the Riverside Superior Court. Such letter was attached to Chief McNabb’s email, and it states,
[Start of Chief McNabb letter dated April 1, 2008]
“Dear Ms. McElyea:
The California Office of Privacy Protection has received a complaint regarding a practice of the Riverside Courts that puts people at risk of identity theft. The Office of Privacy Protection is an education and advocacy office in State government that provides information and assistance to consumers on privacy issues and makes best practice recommendations to organizations.
The person who complained to us, identified as “Concerned About Privacy,” provided links to several documents posted on the Riverside Courts Web site that contain Social Security numbers and other sensitive personal information of the kind sought by identity thieves. The complainant also said that there is a document posted that contains the full Social Security numbers of over 1,000 CHP officers, although in the interest of the officers’ privacy and safety the complainant did not provide a link to that document. See the enclosed email for specifics.
Recent State laws recognize the risks posed by exposing Social Security numbers in particular. In the last five years, the numbers have been prohibited from being publicly posted or displayed (Civil Code §§ 1798.85-1798.86); required to be kept confidential in court filings for legal separation, dissolution, or nullification of marriage (Family Code § 2024.5); removed from pay stubs (Labor Code § 221) and power of attorney forms (Probate Code § 4401); and truncated in abstracts of judgment, decrees and tax liens (Code of Civil Procedure § 674, Revenue & Taxation Code § 2191.3). Just last year AB 1168 (Chapter 627 of 2007) addressed Social Security numbers in public records and required the redaction or truncation of the numbers in tax liens, Uniform Commercial Code filings, and various local government records when they are made available to the public...
I encourage you to remove the documents mentioned in the enclosed email from your Web site, as a responsible privacy practice. I also encourage you to review your site for other documents that contain individuals’ Social Security numbers and remove them as well.
While there is a vital public interest in making government records and court records in particular available to the public, there is also a need to protect the privacy of the individuals who entrust their government with their most sensitive personal information. I am suggesting here that you avoid the very broad exposure of Social Security numbers by removing documents containing them from your Web site, at least until you have put in place procedures for redacting the numbers from the copies of the documents to be posted online.
I would be happy to discuss this with you further. You can reach me at 915-574-8181.
Yours truly,
Joanne B. McNabb Chief
Enclosure
cc: The Honorable Richard T. Fields, Presiding Judge, Riverside Superior Court William C. Vickery, Director, Administrative Office of the Courts”
[End of Chief McNabb letter dated April 1, 2008]
After reading Chief McNabb’s letter to Ms. McElyea, I was enthusiastic that something may get done, some positive change may occur. Unfortunately, my enthusiasm dissipated as I sent numerous emails to Chief McNabb from April 3, 2008 through April 22, 2008, seeking a follow-up on the status. On April 22, 2008, Chief McNabb responded to my emails by stating, “I haven't heard anything from the court. I called last week, but was unable to reach the administratie [sic] officer, who was unavailable. I'll call again today.”
Knowing approximately 1,000 CHP officers’ identities and possibly their safety was at risk, it was clear I couldn’t rely on Chief McNabb to fix the problem. Therefore, on the same day, April 22, 2008, I made my first lengthy post on chpforums.com.
The next day, April 23, 2008, I received another, not so promising, email from Chief McNabb that read, “I've left a phone message for the exec. officer of the Riverside Court, Inga McElyea. I also just emailed my CHP contact and asked him to find out what action the CHP hierarchy may have taken on your email.”
This same day, April 23, 2008, I received an email from Captain Scott Silsbee that reads,
[Start of Scott Silsbee email dated April 23, 2008]
“My name is Scott Silsbee and I'm a captain in the Commissioner's Office, in the Office of Employee Relations (we work with the unions). CAHP President Rick Mattos contacted us today regarding your postings on CHP Forums. Immediately upon getting the information we got together with the Department's General Counsel, Risk Management, Inland Division and Commissioners Farrow and Carter to discuss the problem. We all agree that this is a very serious issue and all the players are simply in fact finding mode right now. Like you, we're all very concerned. Hopefully, I'll have a better understanding of the problem in a few days. Please be patient as this is the first time any of us have heard of the issue.
Also, I specifically asked Commissioner Farrow if he had received an email and he said he would have remembered something like this. I will admit to being a little frustrated with the posting's suggestion that nobody was willing to help. Here it is the first time we've heard of this and you have both the association and the department rapidly swinging into action. I agree with Rick Mattos that a phone call would have helped. After all, can't you be anonymous in a phone call as well??? Or perhaps a dead-drop secret location ;-) I'm just kiddin'.
Regardless, I'm happy to have the information as I believe we are all on the same sheet of music. In the time it has taken me to type this email, I got a call from A/Chief Jim Abele (Inland Div) who has been in contact with the court today and will be talking to a supervisor tomorrow. He'll give me an update tomorrow.
Hope this makes you feel a little better.
Take Care, Scott”
[End of Scott Silsbee email dated April 23, 2008]
On April 24, 2008, in attempts to give the CHP and CAHP a head start, I sent a lengthy email to Scott Silsbee providing detailed reasons why I believe the Court has taken a negligent and faulty position in this matter. Scott Silsbee replied the same day with an email stating,
[Start of Scott Silsbee email dated April 24, 2008]
“Thanks Pete. That does help. Chief Abele has had at least two conversations with Riverside Court employees (still making his way up the chain) and still gathering info. I'll forward this to him as well. Once he's satisfied that he has gathered the necessary info, he will put it into an email and forward it to me so that we can sit down with General Counsel to determine a course of action. Thanks again, Scott PS - Myself and our entire staff are out of the office next week at the CAHP Board Mtg in LA so pls be patient. Thanks in advance and please don't hesitate to forward anything you think may help. Take care, Scott”
[End of Scott Silsbee email dated April 24, 2008]
On April 25, 2008, I wrote an email to Scott Silsbee, hoping to have him understand that this situation deserved urgent attention. Scott Silsbee replied the same day with an email stating,
[Start of Scott Silsbee email dated April 25, 2008]
Trust me brother, I get it. [**portion of dialogue removed to protect Captain Silsbee’s privacy**]…and I'm looking at this as though our personal info may be up there and ALREADY accessed by some "undesirable." If there is anything I can do, I'm gonna do it and I'm gonna do it as soon as humanly possible. thx for the follow up and have a good weekend. Scott
[End of Scott Silsbee email dated April 25, 2008]
On April 28, 2008, I sent an email to Scott Silsbee referring him and his colleagues to Government Code Section 6254.21(f), as the reference was provided to me by Betty "BJ" Ostergren, with no reply from Captain Silsbee (as I understand he was at the CAHP board meeting).
On May 1, 2008, I sent an email to Scott Silsbee inquiring regarding an update, with no reply from Captain Silsbee (as I understand he was at the CAHP board meeting).
On May 2, 2008, I sent an email to Scott Silsbee providing the same links and updates I provided the same day on chpforums.com. On the same day, Scott Silsbee replied with an email stating,
[Start of Scott Silsbee email dated May 2, 2008]
“Pete, Just got back from LA and I'm wading through a 2 foot tall in-basket. However, I did get an update from Chief Abele yesterday and to make a long story short, he feels that the court is taking his (our) concerns very seriously and making this, as they said, "their top priority." He gave me the impression that as he got higher on the food chain, the higher the concern became. In other words, people at the top saw the "flammable nature" of the topic and promised to start looking closely at what they were posting before they sit down to discuss it. He believes he'll get a meeting with some decision makers next week. That's all I know for now. As I've said, once he gets the definitive response from the court, he will advise our legal counsel and they will determine what steps (if any) can be taken. Gotta push paper! Have a nice weekend. Scott”
[End of Scott Silsbee email dated May 2, 2008]
A few hours later, at approximately 3:36pm on Friday, May 2, 2008, I received the following email from Chief McNabb. It states,
[Start of Chief McNabb email dated May 2, 2008 (3:36pm)]
“I just spoke with Asst. Exec. Officer of the Riverside Court, Marita Ford, at 951-955-5536. If you give her the locations of the documents containing CHP officers' SSNs, they'll take action on it.
The Riverside Court is working with the Judicial Council on this issue. She referenced a Court Rule I wasn't aware of, Rule 1.20(b), on Protection of Privacy, which requires parties and their attorneys not to include or to redact certain identifiers, including SSNs and financial account numbers, on pleadings and other papers filed in the court's public file, unless otherwise provided by law or ordered by the court. The Rule makes such redaction or exclusion the responsibility of the filer.
The key to making this Rule effective, of course, is public and attorney awareness of it... The courts have to do a very good job of educating and reminding filers. I understand that the Riverside Court is preparing to do this.”
[End of Chief McNabb email dated May 2, 2008 (3:36pm)]
In response to Chief McNabb’s email, I sent her a reply which read:
[Start of Privacy Pete’s email dated May 2, 2008 (4:13pm)]
“Wow, that's it, that's their answer. Does that make sense to you? Let's for a moment assume the Riverside Court is allowed to post this information (while I believe they may be right now violating state and federal law). Just because they can post it, doesn't mean they should. I guarantee they are NOT required to post it. Shouldn't they be balancing the harms between keeping or removing the documents from the Internet? Shouldn't they have some type of login or captcha requirement? I have to get a library card to checkout a $2 paperback book from the library, but I can get thousands of social security numbers for free with no way to trace me. Doesn't that sound like something your office should be doing more about?
OK, so their answer is, we can and so we will post these thousands of social security numbers on the Internet. Did she talk about when that "rule" went into effect? Of course not, that would make common sense. A quick Google search indicates that law may have gone into effect on 1/1/08. OK, so even if I was going to buy that ludicrous response from them, how about those cases and documents before this rule took effect?
To say I'm disappointed is a real BIG understatement. It took them an entire month to get in touch with you and cite one new rule? Wow, efficiency knows no limits.
Oh, but as if that wasn't enough, they want me to provide the location of where to find the 1,000 CHP social security numbers, so they can protect a few of the possible 200,000 lives potentially devastated by their voluntary recklessness. Oh, ok, sure...where do I sign up for that?
If this is termination of your ability to help or your hands are tied, please let me know. If I can find 8,000 social security numbers in my free time, so can anyone else...especially those who will do it for financial gain. Now that this is circulating around the Internet and in chat rooms, the undesirables will certainly be flocking to these identities.
Wish you could have done more. Pete”
[End of Privacy Pete’s email dated May 2, 2008 (4:13pm)]
Ok, I’ll be the first to admit that the above email shows yours truly was a little hot under the collar. Oh well, sometimes the kid gloves slip off.
A little time later that same day, I received the following email from Chief McNabb, it reads:
[Start of Chief McNabb email dated May 2, 2008 (4:49pm)]
“I do think that the Riverside Court is going to mount a serious awareness and education campaign to alert filers of the need to redact SSNs and other personal identifiers. I also think they're taking the issue seriously and I believe (although they didn't explicitly say so) they're going to take down existing documents with SSNs that they're aware of. If you would give me the links to any other such documents that you're aware of, I'll pass the info on to the court.
There is apparently not a means of scanning the Web site to find SSNs that are in imaged documents (as opposed to posted directly on the site or in a database on the site). Are you aware of technology that would do that?”
[End of Chief McNabb email dated May 2, 2008 (4:49pm)]
To which, I replied via email:
[Start of Privacy Pete’s email dated May 2, 2008 (5:08pm)]
“1. They still haven't told you why they're keeping the documents online while other counties have not done so. Shouldn't this be the first hurdle, before we get to whether they're using common sense to try and put Band-Aids on this gaping wound?
2. A serious awareness and educational campaign is almost meaningless. They have over 10 years of records on their site. Their own representative said they have over 20 million pages. How wonderful to talk a good talk about new documents (of course, they still will never know what those documents contain), but hey talk is good around these parts, apparently.
3. Did you read my response to Mr. Whitehead's analogy of "needle in a haystack?" My cooperation with the Riverside Court regarding this issue will be based upon such response.
4. Let me put it this way, if I had their I.T. people working for me, I'd immediately fire them all...and I'm not an I.T. guy.
Can you simply ask someone at the Court, "Why?, why do you post these on the Internet?" If they say, "Well because we've scanned them and thus we now have to," I say BS. If someone can assure me that they are REQUIRED to put these documents online, I will cooperate with them. However, if not, I will not cooperate with stupidity.
Pete”
[End of Privacy Pete’s email dated May 2, 2008 (5:08pm)]
As you can tell from the above emails, there is a reason I do not call these individuals. It is because I have a pet peeve with ambiguity or “he said, she said.”
Well, men and women, boys and girls, and those who still have your eyelids open. This is where we find ourselves today. We have put our trust in our elected officials, our appointed officials, some have even put trust in their employer or union. While thousands upon thousands of individuals’ financial, emotional and even physical wellbeing is at risk, people are simply “playing phone tag,” “trying to move up the ladder of supervisors,” or “attending week-long seminars.” Maybe next week, some committee or subcommittee can have some hearings to determine whether other meetings should take place to discuss how to properly advise a CHP representative to get into his or her car and drive down to the Riverside Superior Courthouse to see if someone can meet with him or her. Let me get this right, CHP is waiting to get the court’s response (keep in mind it took Chief McNabb almost two months to get one newly created rule cited to her), and then they’ll meet with their legal counsel. Of course, as I understand it, it only took Betty "BJ" Ostergren of The Virginia Watchdog one phone call to speak with Presiding Judge's (Richard Fields) assistant (Linda). So you must ask yourself, how much lip service do you want?
What happens when the “undesirables” start passing around CHP social security numbers? What happens when some “undesirable” starts a website, like the one started in Washington State, which publishes all of these social security numbers on the Internet and gets hundreds of thousands of hits to his internet site? What happens when CHP legal counsel then finds out that it’s too late to do anything because these are now considered “public records?” So, CHP is doing everything “humanly possible” and taking this “seriously”, huh? I think I’m taking this seriously, and hence I believe my definition of seriously is a little different than these other individuals’ definition. If I were a CHP officer, I would be extremely upset. Why haven’t your employer and union gone to their lawyers and said, “I want a federal lawsuit with motion for immediate temporary injunction to require the Riverside Court to stop exposing our social security numbers on the Internet!” How about a call from the Commissioner himself to Chief Judge Fields or the CEO of the Court? Guess that would be taking the matter a little more than “seriously” for them.
I guess I won’t be getting a Christmas Card from Chief McNabb, Scott Silsbee or the others who are apparently taking this matter “seriously.” Please know, I truly believe these individuals are probably great people and they probably make great friends, they’re probably great to hang out with and they probably do all their other job tasks excellently, but with this they’ve “dropped the ball.” The bottom line with the CHP is this, they’ve known about the issue for at least 13 days (and possibly at some levels before that) and we’re still “hoping” a meeting might take place next week. I don’t care whatever the reasons, excuses, phone calls, power outages, or whatever else has caused this….it is in one word, unacceptable.
What’s scarier than: the Court acting negligently and carelessly on this issue for at least a year; Chief McNabb taking over two months to speak with an assistant at the Court; and the CHP and CAHP dropping the ball on this for 13 days…it’s what the internet has done with it in 2 days. You think undesirables aren’t reading about this issue? Check these out (keep in mind, it only took a few seconds to find these and it didn’t even bring up this forum – these are what I could find of the public forums)!!
http://www.terminaldigit.com/2008/05/04/riverside-court-posts-ssns-online/
http://www.expat.ru/forum/tech-news/78732-california-court-posts-ssns-medical-records.html [Moscow Expat Forums]
http://www.kizo.com/2008/california-court-posts-ssns-medical-records/
http://watchmanwhatofthenight.ning.com/profiles/blog/show?id=1668045%3ABlogPost%3A10320
http://theleetgeeks.com/05-02/the-courts-are-here-to-protect-us-maybe-not/
http://yro.slashdot.org/article.pl?sid=08/05/02/1529234
http://www.gawr.com/2008/05/02/california-court-posts-ssns-medical-records/
http://digg.com/security/Sensitive_Data_Said_To_Be_Available_On_Superior_Court_Site
http://www.pogowasright.org/article.php?story=20080501200230927
http://forums.studentdoctor.net/showthread.php?t=519544
So you, those who are personally affected by this and my Good Samaritans, you now know everything I know. They wouldn’t listen to me when I brought it to them behind closed doors, they still won’t listen to me. I can’t do this alone (or even with the help of my kindred spirit, Betty "BJ" Ostergren of The Virginia Watchdog), I think the above history proves that. Thus, it is time for you to stop reading and waiting for others to handle it. It’s time to start TAKING ACTION. Make one phone call, write one email, make hundreds of phone calls, write hundreds of emails, but do SOMETHING. When you’re spending hundreds of hours trying to clean up your credit or worse when an undesirable decides to visit your personal residence, it will be too late to step up and help yourself and others prevent the problem.
Here is a link to the publicly available Riverside County Roster: http://riverside.asrclkrec.com/acr/forms/CountyRoster.pdf All the individuals that deal with the Riverside Superior Court start on page 8.
If these are helpful, here are some of the contacts that were PREVIOUSLY corresponding with me.
Joanne McNabb, CIPP/G Chief, California Office of Privacy Protection 1625 N. Market Blvd., Suite S202 Sacramento, CA 95834 www.privacy.ca.gov Phone: 916.574.8181 Fax: 916.574.8611
Scott Silsbee, Captain Commander California Highway Patrol Office of Employee Relations 2555 First Ave, Suite 220 Sacramento, CA 95818 (916) 657-7189 (916) 657-8286 fax
Phillip Gonzales <PGonzales@chp.ca.gov>;
Rick Mattos <rmattos@THECAHP.ORG>
In addition, here is a link to a site where you can find your government representatives. Just put in your zip code on the upper left portion of the page.
Here’s the same website with the zip code of the court; these representatives should be actively participating in fixing this problem. http://www.votesmart.org/search.php?search=92501
If you take this matter “seriously” (my definition of seriously), then start calling, start sending emails, tell your friends, neighbors and colleagues to do something, call your elected representatives, call Arnold, call whoever, but get moving, get doing something. Do what’s right, not what’s easy.
By the way, I don’t know DW, but from everything I’ve read and his personal posts, he’s a standup guy. He has been kind enough to allow this dialogue to continue. Thus, I wouldn’t imagine he’d find a need to remove this message. If he does, this message will appear elsewhere. Lastly, I hope this is not deemed to be an invitation for a pi$$*** contest (as DW put it)…but if it is so deemed, step right up. Oh, but before you do that or before you try and convince me or others that the Court, Chief McNabb, the CHP or CAHP has “done everything they can do as fast as they could do it,” do me just one favor, make a phone call or send an email to someone who can help fix this problem…THEN step right up.
Privacy Pete
(c) 2003 Ostergren, P.C. (Page Format Only)