Written by: Jeff W. Richards
Researched by: Peter Fehrs and Casey King
Managing Editor: Brady Iandiorio

These days, it seems like Americans have to hand over their Social Security Numbers (SSN) every time they turn around. From job or rental applications to buying a house, the SSN has become the de facto way of proving that you are you. With such an infusion into everyday life, the dissemination of SSNs is progressively harder to curb and not surprisingly, things frequently go awry. Identity theft is an increasing problem in the modern world of computers and lightning-fast transactions, and rising public awareness has led to efforts by various governments to respond to the problem.

Sounds good, right? Unfortunately, the government frequently gets it wrong… In the case below, the right hand hasn’t got a clue what the left hand is doing. State legislators have passed a new law in Virginia to try and address the problem, but they may have taken aim at the wrong target.

The Irony of it all

Betty Ostergren, an avid privacy advocate, recently won a surprising victory in federal district court – the right to continue publishing other people’s Social Security Numbers online. Ostergren’s website, The Virginia Watchdog, is dedicated to raising awareness of personal information published in public records. Specifically, Ostergren campaigns to have government officials redact public records so that personal information typically used in identity theft, such as SSNs, date of birth, and signatures, is removed from the public eye. Ostergren has been posting examples of records with this information to her website in order to call attention to the problem.

At the same time, state and local governments have been putting increasing numbers of public records online in an attempt to reduce costs and improve public access to information. However, this is also making it easier for identity thieves to obtain all the information they need to steal identities. Redacting the records, Ostergren argues, would make it harder for identity thieves to obtain the information.

The case itself, Ostergren v. McDonnell, stems from a recent change in Virginia’s Personal Information Privacy Act, which took effect in July 2008, and criminalized the intentional publication of SSNs. Ostergren sued to prevent the statute from being enforced against her, claiming that while she was publishing SSNs, her website was constitutionally protected Free Speech, and therefore cannot be criminalized. The court issued an injunction preventing the state from enforcing the new statute against Ostergren and from shutting down her website. In reaching this decision, the court relied heavily on specific facts, such as Ostergren’s position as an observer and critic of the government, and her decision to simply republish public records, rather than modifying them. The court’s narrow holding emphasized that the injunction does not apply to other websites or people, meaning that for now, at least, the state is free to prevent other publications of SSN’s.

The Past Situation:  Nuremberg Files

This is not the first time that courts have grappled with the question of just where to draw the line on the publication of personal information. In one such high-profile case, Planned Parenthood v. American Coalition of Life Activists, the court found that the anti-abortion website known as “the Nuremberg Files” had gone too far. The website published the home addresses and personal information of physicians who worked at abortion clinics.
After several appeals, the Ninth Circuit, sitting en banc, held in a sharply divided opinion that the website was issuing “true threats” against the physicians, and therefore was not protected speech. The holding took into account the entire factual context of the speech when determining if the website acted as a true threat, as opposed to a tasteless joke or rhetorical hyperbole. Since threatening speech is not protected by the first amendment, the Ninth Circuit ruled that the website must be taken offline.

Following the decision, the website was taken down in 2002, only to resurface again on different ISPs. Currently there are copies of the website in several places, and the original site has been slightly modified to conform with the ruling.

The Subject At Hand

These cases are far more alike than they appear at first glance. Both cases deal with websites publishing publicly available information to advance their cause. The Virginia Watchdog publishes copies of public records, which can be obtained from the local courthouse, and the Nuremberg Files publishes home addresses, which can also be obtained from phone books or public records. In both cases, the websites target specific individuals in order to bring political pressure to bear — either against state legislators or physicians. Additionally, each site may serve as a resource for people with a more straightforward criminal intent, by supplying the information needed to commit crimes.

One of the biggest differences, of course, is the intent behind the websites. In Planned Parenthood, the 9th Circuit determined that the Nuremberg Files constituted a “true threat” and was an incitement to violence against the physicians. This interpretation arises from the entire context of the site, with its bloody banners and language, in addition to the wave of violence against abortion clinics that was occurring at the time. In contrast, the Virginia Watchdog site focuses on raising awareness. The tone of the language seeks to inform visitors about the risks of their personal information being revealed on a publicly accessible website, and gives examples of how easily the information can be obtained.

Another difference is the manner in which the information is republished. The Nuremberg Files reformatted public information into wanted posters, and crossed out names of killed physicians. By publishing the information in this manner, alongside references to murder and baby killing, the website turned everyday information — easily available elsewhere — into an implied threat. In contrast, the Virginia Watchdog site posts scans of the records themselves, without modification. Ostergren keeps the focus of her speech directly on governmental action, which reinforces the position that her speech is protected. In the holding, the court specifically mentioned that Ostergren’s decision not to modify the records was a key factor in its decision.

Major differences between the intent and the manner of publication resulted in drastically different outcomes in these cases. While the website for the Nuremberg Files was not offline for long and quickly adapting to the ruling, the case successfully removed all copies of the website in its original form. Controversy is certain to draw attention, which often results in the content being reposted and re-hosted in innumerable locations. Some websites even specialize in “bullet-proof” hosting, which tries to guarantee that a website will remain online and available no matter which government goes after it.

Let’s Push Things Forward

So if a government can’t effectively prevent information from being posted, what can it do to solve the problem of identity theft? In one drastic approach, governments could attempt to filter out websites with illegal information. Some governments have experimented with similar types of online censorship, including China and Myanmar. However, their efforts have not been entirely successful. While this form of regulation can and does work to restrict the vast majority of the population, interested and dedicated parties can still circumvent it with relative ease.

It would seem that similar efforts to prevent reposting of public records would most likely meet the same fate. Thieves tend to have the motivation and incentive to circumvent such protections, so restrictions would only prevent the information from reaching the general public. This would simply lead to yet another, ever-escalating battle between enforcers and thieves, examples of which include digital music, videogames, and movie piracy.

In the end, the only thing governments can do to prevent SSNs from being posted online is to redact the public records they come from in the first place. It won’t solve the identity theft problem, but it would be a big step forward and far more effective than targeting the watchdogs. As a bonus, it won’t restrict the public’s right to free speech — perhaps a tangential, but nonetheless important, point.

That is not to say there are no legislative steps that can be taken to address the problem of identity theft. Increasing regulation of the credit industry has had some impact, and further protections can be designed. Additionally, there are some private-market solutions, such as identity protection companies, which have stepped in to offer additional protection for people worried about identity theft. One such example is LifeLock, whose CEO infamously published his own SSN on company advertisements to demonstrate the security of their product.  Of course, their solutions are less than perfect, as he discovered when he fell victim to identity theft.