MENU

Reason.com

Free Minds & Free Markets

Oops! The EPA Published the Social Security Numbers of People Who Filed FOIA Requests

Thanks to a design bug in a government transparency website, dozens of social security numbers were mistakenly made public.

Hafakot/Dreamstime.comHafakot/Dreamstime.comThe Freedom of Information Act (FOIA) is supposed to facilitate government transparency, allowing intrepid reporters and other government accountability groups to pull back the curtain on government behavior. While maximal transparency might seem like a good thing, most people would agree that some information should remain private—like the social security numbers of those filing FOIA requests.

Unfortunately, a design error in foiaonline.gov resulted in at least 80 Social Security numbers of people filing FOIA requests were made public—either partially or in full—for nearly two months, if not longer, according to CNN. It wasn't just social security numbers, either: birthdates, contact information, and immigrant identification numbers were also unintentionally made available to the public.

Foiaonline.gov is a FOIA request portal run by the Environmental Protection Agency (EPA), though other federal government agencies, including Customs and Border Protection (CBP), the Justice Department, and the Small Business Administration (SBA), use it as well. The site underwent a system upgrade on July 9, but there was a design bug. CNN describes the issue thusly:

The problem was with the feature that allowed anyone to search existing FOIA requests. The idea is that people can see what has already been requested, by whom, and in some cases what may have been provided. When users click through to the individual request, the description field is withheld, pending agency approval. Yet those descriptions were viewable in full on the search results page, including if Americans had included their or others' Social Security numbers or any other personal information.

No one was aware of the glitch until CNN contacted the EPA last week. At that point, the EPA removed what sensitive information it could. But since other departments use the portal as well, each one had to remove the descriptions from FOIA requests relating to their specific agencies.

"Recently it was discovered that [potentially identifiable information] in some records was exposed to the public," the EPA wrote Thursday in an email to the other agencies' system administrators. "The PMO [Primary Management Office] has identified the cause of this issue and this afternoon implemented program fixes that resolved the problems. This issue will shortly be publicized by the press. It will also be reported that after our fix, that some names and addresses still do appear in publicly available FOIAonline records. A review by the PMO has found that this information has been marked as publicly viewable by the reporting agencies. It is requested that partner agencies review publicly viewable information to ensure that any personal information is specifically intended to be presented as such."

While the error was eventually fixed, the bug raises questions about how much personal information you should include when filing a FOIA request. As CNN points out, the FOIA website's "Privacy and Security Notice" warns those filing requests that "personal information…may be publicly disclosed on FOIAonline or on third-party Web sites on the Internet." At the same time, the CBP FOIA request form asks filers to "include as much information as possible to assist us in locating the record(s) you are seeking."

In the past, government incompetence hasn't been the only thing making life harder for those filing FOIA requests. In September, Reason noted how state and local agencies were suing citizens who filed such requests.

On thing is for sure: Getting the government to disclose information it has no business hiding shouldn't come with so many risks.

Photo Credit: Hafakot/Dreamstime.com

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Hamster of Doom||

    We got the opposite of what was sold to us. Yes. This does appear to be the pattern.

  • loveconstitution1789||

    The 'Living Constitution' has been changed without following the approved amendment process.

    It has been ignored without much in the way of consequences. Well, Trump is a consequences to Constitutional abuse and the Lefties hate that consequence.

  • Brandybuck||

    The "living constitution" has been "mutating" since day one. Since BEFORE Karl Marx was even born. So don't be blaming the lefties on this.

  • Juice||

    "But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case it is unfit to exist."

  • loveconstitution1789||

    Karl Marx was not Lefty #1. There have been Socialists in other forms for Centuries.

  • Diane Reynolds (Paul.)||

    Well, Warren Berger helped it along in ways that should have shocked everyone.

  • Fist of Etiquette||

    Getting the government to disclose information it has no business hiding shouldn't come with so many risks.

    No pain, no gain.

  • Dillinger||

    assuming risk ever giving out whole social. der. super der.

  • Jerryskids||

    Bug or feature? You go sticking your nose where it doesn't belong and demanding your lords and masters allow you to look over their shoulders and you'll see how they'll slap you down for your arrogance. You have no right to question their decisions, they're the experts and you're nobody.

  • JFree||

    This.

  • Restoras||

    Yes, exactly right.

  • loveconstitution1789||

    ...like the social security numbers of those filing FOIA requests.

    Why are birth dates, SSNs, or any other information besides name and mailing address required fro FOIA requests?

    Does it matter if a 20 year old is submitting a FOIA request?

  • Rossami||

    re: "Why are..."

    Requesting 'all records about me' (or about my client) is a pretty standard practice and could be justified in any number of situations. And since the agencies use your SSN, birthdates and other information to tell you from all the other John Smiths in the world (addresses alone are notoriously unreliable), you kind of have to provide that information in order for the agencies to find whatever records they have about you.

    Now, you could argue that they shouldn't be keeping those records in the first place - and in most situations, I would strongly agree. But once we allow the agencies to keep those records, we do have to make it possible for the agencies to comply with the FOIA requests.

  • Cynical Asshole||

    Why are birth dates, SSNs, or any other information besides name and mailing address required fro FOIA requests?

    Because FYTW.

  • Shockerengr||

    It sounds like if you requested information relating to a SSN, that wasn't getting scrubbed from the results

  • Fuck you, Shikha (Nunya)||

    Obviously they want the SSN to be able to use your address listed in the FOIA request to hunt you down if you are behind in taxes. It's a feature.

  • Earth Skeptic||

    Well, if information should be freed...

  • Brandybuck||

    Now I'm not a web or database developer, I develop other stuff. But how in the world can a competent developer make a mistake like this?

    Oh wait, I've done work for a government contractor. I know how...

  • damikesc||

    I actually wonder if the difficulty in suing the government for this stuff is why the government is so lax on this stuff.

  • Longtobefree||

    And yet, somehow, the most important piece of information, the name of the incompetent company screwing up the design, remains unreported. Likewise not disclosed is the action, if any, taken by the federal government to sanction that company.
    Perhaps someone without a birth date or social security number should file a FOIA request for that data?

  • SRVolunteer||

    They already gave all my PII away when they let OPM get hacked.

  • shortviking||

    "oops"

  • Hamster of Doom||

    And in off-topic news:

    The University of Chicago is advertising for a part-time position that requires relocating to the South Pole.

    It's a giggle.

  • Hamster of Doom||

  • Cynical Asshole||

    Don't want your identity stolen like a thug, don't file FOIA requests like a thug.

  • jcw||

    Pro se filers like to include SSNs and other identifying information in public filings at the federal court where I used to work. However, we had a pretty rigorous QA process to go and black out the sensitive information or remove the documents entirely. Funny how nobody internally checked the website in months in this situation.

  • Diane Reynolds (Paul.)||

    Why does an FOIA request require an SSN? That seems racist to me.

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online