A federal government transparency website made public dozens, if not hundreds, of Social Security numbers and other personal information in a design error during a system upgrade.
The error, on a Freedom of Information Act request portal, was fixed after CNN alerted the government to the situation. For weeks prior, however, individuals' sensitive personal information was available on the public-facing database unbeknownst to them or the government.
After a tip from a source who had noticed the glitch, with two quick searches, CNN discovered that the government had published at least 80 full or partial Social Security numbers. There were other instances of sensitive personal information, including dates of birth, immigrant identification numbers, addresses and contact details.
The glitch also exposed other sensitive information about individuals. In one instance, a victim of a violent crime seeking information about the case described the crime. In others, victims of identity fraud seeking more information about their cases had their Social Security Numbers exposed in the process. (In some instances, government agencies require Americans to submit FOIA requests for their own personal information.)
Before publication, CNN alerted the government to the issue. CNN has been told by a spokesman for the agency that maintains the website that the information has been protected. Participating agencies were also notified of the situation.
The portal, foiaonline.gov, is the one-stop clearinghouse for Freedom of Information Act requests to a number of government agencies, ranging from Customs and Border Protection to the Small Business Administration. It is designed to provide a streamlined and transparent way for Americans to request information from their government.
How the error was made and addressed
A design bug also revealed information about the requester with no safeguards for personally identifiable information.
The problem was with the feature that allowed anyone to search existing FOIA requests. The idea is that people can see what has already been requested, by whom, and in some cases what may have been provided. When users click through to the individual request, the description field is withheld, pending agency approval. Yet those descriptions were viewable in full on the search results page, including if Americans had included their or others' Social Security numbers or any other personal information.
The FOIA clearinghouse is maintained by Environmental Protection Agency, which provides the IT resources to keep it up. It is up to each government agency that uses the portal, however, to take the care to input the information correctly.
When the website was switched from the 2.0 version to the 3.0 version on July 9, the masking feature for descriptions somehow ceased to exist. No one was aware of the issue until alerted by CNN. Upon being alerted, the EPA office managing the site said it attempted to re-mask everything that was an obvious privacy concern, including sensitive information like Social Security numbers.
However, because FOIA requests are public information, it is up to the agencies involved whether to determine whether to withhold information based on a case-by-case application of any FOIA exemptions. Thus, EPA said it was not able to simply turn on a blanket masking of all the descriptions on the 3.0 site, because that could have withheld things that agencies have already determined to be public.
After completing what EPA determined was within its ability, the notice went out to all the agency FOIA system administrators that they should check what was in their control and whether they wanted certain information public. That notice went out Thursday night after EPA completed its piece of the work.
"Recently it was discovered that PII (SSN) information in some records was exposed to the public," the email said, according to a copy obtained by CNN. PII stands for personally identifiable information. "The PMO [Primary Management Office] has identified the cause of this issue and this afternoon implemented program fixes that resolved the problems. This issue will shortly be publicized by the press. It will also be reported that after our fix, that some names and addresses still do appear in publicly available FOIAonline records. A review by the PMO has found that this information has been marked as publicly viewable by the reporting agencies. It is requested that partner agencies review publicly viewable information to ensure that any personal information is specifically intended to be presented as such."
While FOIA requests to the government are considered public, there are many exemptions that the government often applies to protected individual privacy.
EPA spokesman John Konkus told CNN the agency would also investigate if further action was warranted.
"The EPA is aware and working with partner agencies to remediate an issue with the FOIAonline 3.0 system," Konkus said. "The issue affects a limited number of cases and inadvertently displays descriptive information that may, in some instances, include Social Security Numbers. EPA will follow the Agency's Breach procedures to evaluate the situation further and take the appropriate mitigation measures."
It's unknown how many individuals may have had information exposed in the glitch, and for how long. The transition to the new site occurred in mid-July, but older FOIA requests continue to be migrated to the new site.
'It defies logic'
"This is a really significant mistake," said Nuala O'Connor, a former chief privacy officer of the Department of Homeland Security.
"These sorts of data points allow people to engage in identity theft or some kind of harassment, or other malicious behavior," said O'Connor, president and CEO of the Center for Democracy and Technology, a tech-focused privacy and civil liberties advocacy group. "It puts potentially already vulnerable people at greater risk."
There is no disclaimer about keeping sensitive information out of the request when users go to submit FOIA requests.
In fact, the Customs and Border Protection form encourages anyone seeking information about themselves to "please include as much information as possible to assist us in locating the record(s) you are seeking, to include your Date of Birth, Alien number [an identifier number for US immigrants], your parents' names, and any Alias' you may have used at the time of entry or apprehension."
The Social Security Administration form, though, says the website is not the appropriate place to make requests about individual records.
A privacy notice linked to at the very bottom of the website does warn that "any personal information included in the comment form will be submitted to the Department or Agency to which your request is directed and may be publicly disclosed on FOIAonline or on third-party Web sites on the Internet."
Even if there was some sort of disclosure anywhere about the risk of information becoming public, O'Connor said, "it defies logic and it defies expectation that anyone would think their Social Security number is being exposed when processing a request like this online."