from the not-necessarily-one-job-to-do-but-definitely-do-this-job-better dept
We entrust plenty of our personal data to the US government at all levels. And, at all levels, they fail to protect this information on a far too regular basis.
For instance, there’s the Office of Personnel Management hacking. Well, hackings. It happened twice, with the second breach being worse than the first. The two hackings not only exposed unencrypted Social Security numbers, but (with the second hacking) information about federal employees’ mental health problems, past arrests/bankruptcies, contacts/relatives, and any struggles these employees might have had dealing with drug/alcohol addiction.
Then there’s the FBI, which was hacked by a teenager who used the handle “penis” on Twitter. This hacker made off with (and made available) the personal info of thousands of FBI agents.
And there’s the IRS, which gathers a ton of financial and personal data from Americans while failing to thwart nearly constant hacking attempts aimed at, um, liberating this information.
But there’s a part of the federal government that doesn’t even need to be hacked to cough up personal information that would be of interest to identity fraudsters: the US federal court system. The federal court system continues to ignore its own mandates and expose sensitive information, as Tonya Riley reports for CyberScoop.
“Federal court rules — required by Congress — mandate that court filings be scrubbed of personal information before they are publicly available,” Sen. Ron Wyden, D. Ore., wrote Thursday in a letter to Roberts, first shared with CyberScoop. “These rules are not being followed, the courts are not enforcing them, and as a result, each year tens of thousands of Americans are exposed to needless privacy violations.”
The letter follows a recent report by the court system’s top policy-making body showing that the body has been inconsistent in enforcing existing privacy rules and enacting new ones. For instance, the recent report cites a 2015 study, which found that of the nearly 4 million documents posted during a one-month period in 2013, nearly 5,500 included “one or more un-redacted SSNs.”
The court system hasn’t exactly been forthcoming about this shortcoming, as Wyden’s letter [PDF] points out. Apparently, mandates affecting federal entities are not necessarily mandatory. They can be complied with if and when the entity feels like doing so.
Twenty years ago, when Congress required federal courts to publish court records online, it required the Supreme Court to establish rules to protect the privacy and security of Americans “whose information was contained in public court records.” Congress also required the courts to report back every two years to describe whether the rules were in fact protecting Americans’ privacy and security. The judiciary has produced a total of three reports, one in 2009, one in 2011, and then one in June of 2022, five months after my office asked for copies of the old reports.
So, that’s one act of compliance followed by more than a decade of non-compliance — a streak of failure that only ended because Senator Wyden started asking questions.
Its oversight is similarly lacking. The Federal Judicial Center has only twice examined the problem (2010 and 2015) and both times found “significant violations” of this rule. Extrapolating from the latest report, Wyden speculates that if the problems observed seven years ago (5,437 cases of exposed info in 3.9 million court records) are representative of the whole, nearly a half-million documents containing personal data have been uploaded to the PACER system since 2015.
Wyden can do the math. The Federal Judicial Conference (and the court system it oversees), however, doesn’t believe this adds up to a problem. A potential half-million violations is apparently no big deal.
The Judicial Conference has willfully and deliberately failed to address the privacy problems documented by the FJC study. According to the report, the results of this 2015 FJC study were presented to the Judicial Conference’s Standing Committee in 2016, after which the judges on that Committee determined that “no amendments to the privacy rules were warranted.”
The lack of changes to the privacy rules would be fine if the rules were actually followed. But they aren’t. And that means either the rule needs to be changed to include meaningful consequences for discovered violations or the original rule actually needs to be enforced by those with the power to punish violators.
The Judicial Conference appears unwilling to change. It claims it cannot redact full Social Security numbers because this (and other sensitive info) is often used in bankruptcy cases and it wants the rule to be “consistent” across all court cases. It insists on this despite the fact that redaction is anything but consistent across all levels of the court system.
It has also refused to redact everything but the first name and last initial of parties in Social Security and immigration cases — something that would head off exploitation of the sensitive information often included in these cases. Supposedly, the Judicial Conference doesn’t believe it should “tell courts how to write their opinions.”
But that is the Judicial Conference’s job. It makes rules judges and clerks have to follow. A rule is already in place. But it is frequently ignored and the Conference has done nothing but shrug about the potential damage done to US citizens who are required to hand over sensitive info but do so with the understanding that anything exploitable will be redacted in accordance with the federal court system’s own rules.
And the court system has responded with more than a decade of do-nothingness, inviting taxpayers to roll the dice when engaging in civil cases. That’s an unacceptable abdication of responsibility. Hopefully, by making this public, Senator Wyden will finally see some accountability and ongoing compliance from a system that just doesn’t seem to care what happens to those utilizing it.