RECAP Joins The Fight Against PACER -- But Do We Want Its Help?

Posted on September 8, 2009 by Ramzi Ajami

It just became a little cheaper and a little easier to access public court filings through PACER (the Public Access to Court Electronic Records), thanks to RECAP, an open-source Firefox plug-in designed to create a free secondary archive of PACER materials.

Court filings contained in PACER are public documents, and are, in theory, open to the public. But, in the past, the fact that these materials were either maintained in individual courthouses or, once digitized, were behind password-protected log-ins and per-page charges generally prevented them from being widely disseminated. Open society advocates have long criticized PACER for charging the public itemized fees to access public court filings, arguing that this pay-as-you-go system effectively removes public filings from the public domain and discourages a fully transparent legal system. 

Princeton University's Center for Information Technology Policy, with assistance from Harvard University's Berkman Center for Internet and Society, unleashed the latest salvo against PACER in the form of RECAP (“PACER” spelled backwards, not by coincidence). RECAP is a free open-source software plug-in for the popular Firefox web browser that automatically uploads all PACER documents a user is viewing onto a growing archive maintained by the non-profit group Internet Archive. When the next RECAP user attempts to view a PACER document that has already been archived, the RECAP plug-in automatically uploads the copy to prevent that user from paying for those materials. This system essentially allows users of PACER to slowly create a secondary archive of these public documents that can be accessed for free.

I have previously discussed the controversy surrounding PACER's security failings and pricing. After the jump, my colleague Aaron Wright and I discuss whether the RECAP plug-in  magnifies or minimizes PACER's security problems and risks of identity theft, the pushback RECAP has received from courts, and RECAP's creators' response to criticism about the plug-in's security and privacy safeguards.

The RECAP plug-in may answer critics' complaints about PACER's pricing scheme; however, the plug-in may potentially mimic the serious security failings of PACER -- while raising both unique security problems of its own, on one hand, and on the other hand mapping out  a potential roadmap for PACER to effectively screen out sensitive personal information in court filings.

As Ramzi Ajami wrote earlier, the PACER system is littered with filings containing very sensitive information about individuals, including Social Security numbers. While various court rules require that this information be redacted, that obligation is placed firmly and solely on the filer and is not subject to any additional screening. Therefore, if a filer forgets or refuses to redact certain sensitive information, that information may appear in the public system. 

The RECAP plug-in poses an obvious risk of creating a more freely-accessible archive of materials that mirrors PACER’s mistakes and contains documents containing very sensitive personally-identifiable information. However, RECAP also poses the unique risk of creating an “outdated” secondary archive of non-redacted PACER documents that are later redacted in PACER, but that have already been copied and archived by RECAP in non-redacted form. 

RECAP’s creators acknowledge these privacy concerns in their Privacy and Security FAQs, and have instituted what appear to be promising safeguards, including a scanning program that identifies and excludes any documents with Social Security numbers:

 * At our request, the Internet Archive has disallowed search engine indexing of the documents we submit. (This may be changed in the future if we develop better ways of addressing privacy concerns.)

 * The RECAP servers automatically scan all submitted documents for Social Security numbers before they are uploaded to the Internet Archive. Any document in which we detect such information is automatically suppressed.

 * We’re relying on RECAP users to report privacy problems. Please email us if you find a document in the repository that contains inappropriate personal information. Your feedback will not only allow us to suppress the document you found; it will also help us improve our automated filters so that fewer problem documents slip through in the future.

However, aside from Social Security numbers, the FAQs do not address whether RECAP screens documents for other sensitive information that must also be redacted from court filings, and that individually or collectively may also pose a serious risk of identity theft, including taxpayer identification numbers, financial account numbers, and full dates of birth. 

While it remains unclear whether the creators of RECAP will implement further safeguards to address filings containing sensitive information aside from Social Security numbers, the plug-in’s creators have extended an invitation to courts and the public to submit suggestions to enhance the program’s overall security.  

Courts, at least, appear to have rejected that offer, and have so far signaled serious skepticism about the plug-in. Over the past two weeks, various courts have posted bulletins warning filers from using RECAP pending further review of the plug-in, claiming that the open-source software format renders RECAP vulnerable to malicious users who can modify the plug-in for improper uses, and also warning that RECAP may upload filers’ materials (available to attorneys through the EMF log-in) that are not publicly available on PACER.  (See, for example, bulletins here and here.) The creators of RECAP responded by clarifying that RECAP only downloads and copies documents through the public PACER portal (and not attorneys’ EMF system), and reiterated that “users can continue using RECAP with the knowledge that it’s designed with privacy as our top priority.” 

Whether courts will actually engage in a meaningful dialogue with RECAP's creators to strengthen the program’s security protocol, or whether RECAP’s screening protocol for sensitive information may actually provide a roadmap to strengthen PACER’s own security failings, remains to be seen.

Links:

 
Tags: , , , , , , , , , , , , ,

Electronic Access to Court Filings Potentially Exposing Sensitive, Personal Information

Posted on April 9, 2009 by Ramzi Ajami

In an April 2009 press release (.pdf), the Public Access to Court Electronic Records system (“PACER") announced that 99% of all federal courts nationwide have implemented electronic systems allowing litigants to file and review documents online. The near-complete implementation of these online systems marks an important technological and environmental milestone for the legal profession; however, it comes with considerable risks to individuals' privacy and security: potentially limitless filings that inadvertently contain individuals' sensitive information, including financial account numbers and Social Security numbers, may be available to anyone with an Internet connection for the small price of $0.08 cents per page.

On February 27, 2009, Senator Joe Lieberman (I-CT), issued a news release (.pdf) strongly criticizing the Judicial Conference (charged with formulating privacy protections for all federal court practice) in part for allowing thousands of federal filings that contain sensitive, unredacted information, including Social Security numbers, to be made publicly available online through the PACER service).  These infractions were documented by Carl Malamud, the president of Public.Resource.org, a non-profit organization whose general mission is to “Mak[e] Government Information More Accessible.”  Significantly, Malamud only reviewed a portion of all filings publicly available on PACER; the full scope of the number and nature of these infractions remains unknown.  Malamud's exposé of PACER has been documented by the New York Times.  

The problem can originally be traced to the E-Government Act of 2002 (.pdf) (P.L. 107-347, Title II, § 205). This federal statute requires all federal courts to make their electronic filings available to the general public online. Since nearly every federal court implements an electronic filing service, this provision applies to virtually all documents filed in federal court -- greatly increasing the risk that sensitive information is inadvertently published. 

To safeguard against the publication of individuals' sensitive information, the E-Government Act broadly directed the federal judiciary to adopt uniform rules to protect sensitive information contained in court filings. These rules eventually culminated into amendments, effective December 1, 2007, to the Federal Rules of Appellate Procedure (Rule 25), Civil Procedure (Rule 5.2), Criminal Procedure (Rule 49.1), and new Bankruptcy Rule 9037. These new rules require parties to redact specific categories of information from all filings, including Social Security and taxpayer identification numbers (except for the last four digits), all names of minor children (except for initials), all financial account numbers (except for the last four digits), all dates of births for persons (except for the year of birth), and in criminal cases, all home addresses (except for the city and state).

A weakness in these privacy provisions, however, is that they depend solely on the conscientiousness of whomever is filing the documents to identify, and then redact, the sensitive information. This holds true whether the filer is an attorney, or a layperson with no legal background. Courts are not required to review these filings before publishing them online, and in some instances, courts explicitly state that they will not review filings for any redaction. (See, for example, the press release from the District Court for the Southern District of West Virginia (.pdf) on compliance with the E-Government Act and the notice from the Distict Court for the District of Rhode Island (.pdf).)  Therefore, at present, there is absolutely no filter or other protection that prevents a person from filing sensitive personal information in federal court and publishing this information for the general public to access. 

As cases grow more and more document-intensive, it is unsurprising that people filing documents in court may overlook redacting sensitive information.  This is particularly true where the sensitive information is not the client's, but instead relate to a non-party that has no reason to be policing the court docket.  For example, where an employer is sued, sensitive information of its employees may be included in the employer's financial spreadsheets and filed in court as an exhibit during motion practice.  With courts' hands-off approach to filings, we are all in danger of having our sensitive information published online for cases that we may not even know exist.  

The Judicial Conference recently issued a response to Sen. Lieberman's letter. In its response, dated March 26, 2009 (.pdf), the Judicial Conference squarely blames litigants, and not courts, for the infractions arising from the publication of non-redacted sensitive information online,  asserting that litigants alone are responsible for redacting materials under the relevant privacy rules; courts are only charged with publishing those materials.  The Judicial Conference defended this policy: “[t]he litigants and lawyers are in the best position to know if such [sensitive] information is in the filings and, if so, where…Moreover, requiring court staff unilaterally to modify … documents that are filed in court was seen to be impractical and potentially compromising the neutral role the court must play.”  The letter did not explain how instructing court clerks to assist in the ministerial task of redacting sensitive information, even of non-parties unrelated to the case, would "compromis[e] the neutral role the court must play."

However, the Judicial Conference did acknowledge that the reported instances of electronic filings containing sensitive information is “disturbing and must be addressed,” and insisted that its Privacy Subcommittee is continuing to assess whether any additional privacy rules should be implemented to safeguard that information. Moreover, the Judicial Conference explained that while it continues to assess the issue more carefully (including by exploring empirical data on the number of infractions), it has encouraged all clerks of court to remind all parties about their obligations to redact sensitive information, and has encouraged all courts to submit privacy recommendations for possible national adoption.

In the meanwhile, the safekeeping of our sensitive information in federal court filings, available to the public online, remains solely in the hands of whomever is filing those materials. 

Links
Tags: , , , , , , , , , , , ,

Senator Feinstein Introduces Two New Security/Privacy Bills

Posted on January 16, 2009 by Jeff Bone

On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” In addition to requiring notice to the affected individual(s), the bill requires that notice be provided to “major media outlets” within a state if the number of state residents affected by the breach exceeds 5,000, and also requires that notice be given to the Secret Service if the number of affected individuals exceeds 10,000 or if the affected database contains information of more than 1,000,000 individuals. The bill provides for limited exceptions for law enforcement or national security purposes. 

The bill requires that the notice include (1) a description of the categories of information that was acquired by an unauthorized person, (2) a toll-free number that the individual may use to contact the agency or business and learn what types of information the agency or business maintained about the individual, and (3) the toll-free contact telephone numbers and addresses of major credit reporting agencies. The first requirement of the notification’s content is particularly interesting, as several states (including Massachusetts) currently forbid the notification to include the nature of the breach. Bill S. 139 states that it does not provide a private right of action, meaning that a private individual may not bring suit under the bill. Finally, the bill provides that its  provisions “shall supersede any other provision of Federal law or any provision of law of any state relating to notification by a business entity . . . or agency.”

Senator Feinstein introduced a similar bill in 2007 which failed to pass the Senate. This year’s version, which has no co-sponsors, has been referred to the Judiciary Committee. 

Bill S. 141, entitled the “Protecting the Privacy of Social Security Numbers Act,” is co-sponsored by Senators Judd Gregg (R-NH) and Olympia Snowe (R-ME). It prohibits any person from displaying, selling, purchasing an individual’s Social Security number without the affirmative, express consent of the individual, subject to a number of exceptions (e.g., for national security, law enforcement, or public health purposes, or if the display is required, authorized, or excepted under any Federal law). The bill also would prohibit any federal, state, or local government from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks. [These provisions parallel recent recommendations from the FTC as we Further, the bill prohibits any federal, state, or local agency from employing inmates in any position that would give the inmate access to Social Security numbers of other individuals. Finally, the bill would provide limits on when businesses may ask customers for their Social Security numbers. 

Unlike the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act provides for a private right of action, allowing any aggrieved individual to sue for an injunction or monetary damages (which could be tripled if a court finds a willful and knowing violation). As with the Data Breach Notification Act, the Protecting the Privacy of Social Security Numbers Act has been referred to the Judiciary Committee.

Given the many challenges facing the federal government this upcoming year as it transitions into the Obama administration, it is difficult to predict whether Senator Feinstein’s bills will face resistance. However, all signs point to a recession driven boom of cybercrime, identity theft and security breaches that will continue to expand in 2009 as it did in 2008.  Given this environment, Congress will probably enact some version of these proposals sooner rather than later.

Links:

Tags: , , , , , , , , , , ,

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Posted on January 15, 2009 by Gabriel M. Helmer

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers - SSNs and ID Theft. The new report articulates a series of FTC recommendations with respect to the handling of Social Security numbers (SSNs) based upon the work of the President’s Identity Theft Task Force, which was established in May 2006 and led to an extensive fact finding effort summarized in the FTC’s November 2007 staff summary report (which can be found here [.pdf]). For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, when the FTC will begin enforcing federal identity theft regulations. 

 The FTC Report first makes two key recommendations that should be considered when developing an identity theft prevention programs:

FTC Recommendation 1 - Businesses should improve their methods of authenticating the identity of consumers

By this, the FTC means that businesses should reduce or eliminate altogether the use of SSNs to authenticate a person’s identity. The FTC explains that SSNs themselves are not useful tools to confirm a person’s identity because SSNs are widely used as “identifiers” — information that, like your name and address, are commonly supplied to a range of merchants, employers, government agencies and financial institutions — rather than as “authenticators” — information like a password or personal information which remains secret. In short, because your SSN is generally no secret to your boss, your doctor, your bank, the IRS and a number of other entities, knowledge of your SSN is insufficient to prove that you are who you say you are. 

The FTC Report does identify some appropriate ways that SSNs may be used during the authentication process which might safely avoid some of the risks associated with using a SSN as an authenticator:

  • using the SSN “to access databases containing information about an individual that can be used to formulate challenge questions that only the true individual should be able to answer (for example, the amount of her mortgage payment each month)”; [Report at 5]
  • using the SSN to check an individual’s identity against a fraud database, for example, checking to see that the SSN matches the Social Security Administration’s listing for a living individual or whether the SSN is listed on industry databases of SSNs used to commit fraud; and
  • using the SSN “as one element in their quantitative fraud prediction models, which are designed to flag suspect patterns of use of identifying information that might indicate that an application or proposed transaction is fraudulent” [Report at 5] — for example, a check to see whether there have been an unusually large number of credit applications or other suspicious activity using a particular SSN.  

While these examples can be found in the FTC Report, the FTC has made clear that they are not taking a stance on whether any specific techniques would ensure compliance with new federal regulations. In calling for rulemaking on this issue, the FTC indicates, as they have with respect to recent Red Flags regulation, “the standard should be one of reasonableness and not perfection, acknowledging that there is no fool-proof method of authenticating consumers and no likelihood that one will be developed in the foreseeable future.” [Report at 7] Nevertheless, given the FTC’s conclusion that use of SSNs to authenticate a person’s identity presents a risk of identity theft, it seems clear that businesses that rely on SSNs as an authenticator do so at their peril.

FTC Recommendation 2 - Businesses should abolish the public display and transmission of Social Security numbers

Here, the FTC’s guidance is abundantly clear: stop displaying and transmitting SSNs in unnecessary and potentially risky ways. While the FTC calls on regulatory agencies that oversee the use of SSNs to adopt rules on this issue, the FTC makes a series of specific recommendations to businesses in advance of further regulation: 

  •  Stop using SSNs as employee or customer numbers;
  • Stop printing SSNs on identification cards that would be compromised every time a wallet is lost or stolen;
  • Stop printing SSNs on mailings, such as account statements or paychecks that can be lifted from a person’s mailbox or trashcan;
  • Stop displaying SSNs in emails or website pages, which can be observed over a person’s shoulder;
  • Encrypt SSNs when they must be transmitted over the Internet.

[Report at 8-9]

In addition, the FTC appears to take the view that displaying only a truncated portion of a person’s SSN provides little protection because the other digits can often be collected from other sources or fabricated based on other personal information. [Report at 8]

Given the level of confusion that plagues many businesses’ efforts to develop identity theft prevention programs, the FTC’s clarity on this issue should not be ignored, especially since many, if not all, of these steps are simple and inexpensive to implement.

Other FTC Recommendations

Perhaps not surprisingly given the confusion generated by new federal and state identity theft regulations, the FTC’s remaining recommendations call on Congress, other regulatory agencies and the FTC itself to develop national standards and provide guidance and leadership to dispel the widespread confusion on what we can do to reduce the threat of identity theft. The FTC outlines some specific guidance to businesses, such as:

  • Collect SSNs only when necessary;
  • Retain SSNs only as long as necessary;
  • Consider how to properly and securely dispose of records containing SSNs;
     
  • Secure and/or encrypt electronic transmissions containing SSNs;
  • Limit employee access to SSNs;
  • Conduct reasonable employee screening to avoid hiring identity thieves; and
  • Conduct reasonable employee training to prevent potential mistakes.

For those businesses working to comply with recent Massachusetts identity theft regulations (201 C.M.R. § 17.03) or similar state regulations, the FTC's guidance may seem eerily familiar because it parallels many of state requirements. For example, in Massachusetts, 201 C.M.R. § 17.03(g) requires businesses to limit the amount of “personal information” (which includes SSNs) collected, limit access to that information to those employees that require access, and limit “the time such information is retained to that reasonably necessary to accomplish such purpose.”  This is good news for businesses worried that they may face inconsistent federal and state requirement and bad news for those having difficulty meeting these state standards.

Links:   

  • The FTC Report - Security in Numbers - SSNs and ID Theft is available here (.pdf) or from the FTC here (.pdf)
  • The FTC’s Staff Summary of Comments and Information Received Regarding the Private Sector’s Use of Social Security Numbers is available here (.pdf) or from the FTC’s website here (.pdf)
  • The FTC’s website on the use of SSNs containing transcripts and webcast of public workshops, public comments, and press releases.
  • The President’s Identity Theft Task Force website
Tags: , , , , , , , , , ,