There are a lot of “big brother” types of news stories or columns in the media, and obviously, I don’t post all of them to my blog. But this one by Mike Myer in a West Virginia publication, The Intelligencer, is a terrific example of why the public should be concerned – or at least more aware – of how states compile detailed dossiers on us that may include incorrect information that can then either be used against us or can make things more difficult for us. Mike’s column is also a timely example of some of the issues EPIC raised in an amicus brief it filed in Tolentino about the government’s use of commercial databases that may be riddled with errors:
Big Brother isn’t just watching you. He has been watching you – or at least me – for some time now. I learned that the other day when I decided to check out the VISTA website operated by the West Virginia state auditor’s office.
VISTA provides information on how much the state pays individuals, including government employees, and private companies. Before you can view this public information, however, you must obtain a user name and password for the site.
Doing so requires you provide your name, address, and the date and year of your birth. Then you learn just how much state government knows about you.
In order to verify my identity, I was asked to answer four multiple-choice questions. All involved people I know, places I’ve lived and my Social Security number. Remember, in order to determine you’re who you say you are, VISTA has to have information to verify whether your answers are correct.
The first four questions revealed the state knows where I live now, where I lived 35 years ago, another place I lived about 30 years ago – and my daughter’s married name.
But according to VISTA, I answered one of the four questions incorrectly (I didn’t), so I had to answer four more. One involved my middle name, another asked my street address where I lived nearly 20 years ago and the third asked for the last two digits of my Social Security number. The fourth was a trick question, regarding the time I lived in Paden City: “In which county was your PADEN CITY address?” Tyler County wasn’t an option (Wetzel was), so I answered “none of the above.”
Wrong, VISTA told me. Apparently the state doesn’t understand half of Paden City is in Tyler County, while half is in Wetzel County.
Because VISTA judged I was wrong about that, I had to go to yet another question, this one on the street number of my Paden City address. I’d almost forgotten it myself – but VISTA knew.
Then it was on to “security questions” to be used in case I forgot my VISTA user name and password. They included my mother’s maiden name, the name of my high school and the city where I was born. I didn’t use any of those because, in my opinion, the state already knows too much about me.
Good grief! Again: The state of West Virginia has a database through which very personal information about me and my family, including everywhere I’ve lived since 1959, is accessible. What else do they have?
Well, details on my income and the careers of myself and my wife, along with lots more information about how I get my money and how I spend it (tax returns). Perhaps, through the state Department of Education, officials may still have information on what I studied in school and how well I performed there.
This is only slightly less than scary, folks. The state instantly knows more about me than I can recall easily.
“Slightly less than scary?” I’d hate to see what Mike considers “downright scary.” Mike also raises the issue of data security:
It’s bad enough all that is available to who knows how many people in state government. But I suspect a moderately capable computer hacker could get the details on me, too – and then he would be off to the races with identity theft.
[…]
Just how far should I trust folks who informed me on three of nine questions that I was wrong (again, I wasn’t). And how about the trust issue with people who didn’t bother to learn Paden City is in two counties?
This really isn’t good.
Had Mike Myer answered the first four answers correctly (as far as VISTA’s database was concerned), he might never have discovered how much information his state had on him. And as he points out, who knows how much more they have that he didn’t discover?
Keep in mind, too, that his information includes – and is connected to – others’ records. How else would they know his daughter’s married name?
To protect privacy and security, I often give fake answers to security questions that are then stored in case I ever need to get a new password issued. Using a fake answer gives me some small – and probably unwarranted — sense of security that even if my account were hacked, the hackers would not obtain my true details on certain things. Of course, remembering what lie/fake answer you gave a few years later when you may need to remember it can be difficult, and I may re-use the same lie/fake info across multiple situations.
But what if those fake answers were viewed as accurate information on me because a government agency purchased a commercial database? How could that come back to create problems for me? Mike Myer gave truthful – and correct – answers to identity verification questions and had difficulty convincing the VISTA system that he is, indeed, himself. Where is the mechanism for correcting state or governmental databases? How do we find out what our states and federal government have on us in terms of all of these details?
And more importantly, why are they even collecting and retaining so much information? Does my state really need to know where I lived for a year in the 1970’s?
Just because states and the federal government can compile detailed dossiers of the details of our lives doesn’t mean they should. Who’s reining in this over-exuberant and troubling over-collection of often-incorrect information? While Congress debates legislation that would allow us to discover what information is available about us in databases and provide a mechanism to correct it, the burden seemingly remains on individuals. Why should we have to spend our time and money ensuring that some commercial database that profits from our information got it correct? Shouldn’t that be part of their cost of doing business?