Oops! The EPA Published the Social Security Numbers of People Who Filed FOIA Requests
Thanks to a design bug in a government transparency website, dozens of social security numbers were mistakenly made public.
The Freedom of Information Act (FOIA) is supposed to facilitate government transparency, allowing intrepid reporters and other government accountability groups to pull back the curtain on government behavior. While maximal transparency might seem like a good thing, most people would agree that some information should remain private—like the social security numbers of those filing FOIA requests.
Unfortunately, a design error in foiaonline.gov resulted in at least 80 Social Security numbers of people filing FOIA requests were made public—either partially or in full—for nearly two months, if not longer, according to CNN. It wasn't just social security numbers, either: birthdates, contact information, and immigrant identification numbers were also unintentionally made available to the public.
Foiaonline.gov is a FOIA request portal run by the Environmental Protection Agency (EPA), though other federal government agencies, including Customs and Border Protection (CBP), the Justice Department, and the Small Business Administration (SBA), use it as well. The site underwent a system upgrade on July 9, but there was a design bug. CNN describes the issue thusly:
The problem was with the feature that allowed anyone to search existing FOIA requests. The idea is that people can see what has already been requested, by whom, and in some cases what may have been provided. When users click through to the individual request, the description field is withheld, pending agency approval. Yet those descriptions were viewable in full on the search results page, including if Americans had included their or others' Social Security numbers or any other personal information.
No one was aware of the glitch until CNN contacted the EPA last week. At that point, the EPA removed what sensitive information it could. But since other departments use the portal as well, each one had to remove the descriptions from FOIA requests relating to their specific agencies.
"Recently it was discovered that [potentially identifiable information] in some records was exposed to the public," the EPA wrote Thursday in an email to the other agencies' system administrators. "The PMO [Primary Management Office] has identified the cause of this issue and this afternoon implemented program fixes that resolved the problems. This issue will shortly be publicized by the press. It will also be reported that after our fix, that some names and addresses still do appear in publicly available FOIAonline records. A review by the PMO has found that this information has been marked as publicly viewable by the reporting agencies. It is requested that partner agencies review publicly viewable information to ensure that any personal information is specifically intended to be presented as such."
While the error was eventually fixed, the bug raises questions about how much personal information you should include when filing a FOIA request. As CNN points out, the FOIA website's "Privacy and Security Notice" warns those filing requests that "personal information…may be publicly disclosed on FOIAonline or on third-party Web sites on the Internet." At the same time, the CBP FOIA request form asks filers to "include as much information as possible to assist us in locating the record(s) you are seeking."
In the past, government incompetence hasn't been the only thing making life harder for those filing FOIA requests. In September, Reason noted how state and local agencies were suing citizens who filed such requests.
On thing is for sure: Getting the government to disclose information it has no business hiding shouldn't come with so many risks.
