Yesterday, we told you (and the New York Times published a longer article) that USDA published the Social Security numbers of individuals who receive federal aid in a publicly available online database of government grants. That information was inadvertantly pick up in a database that we funded — FedSpending.org. The database, which details government grants and contracts in a user friendly way was developed by OMB Watch. It's a hugely popular database — during the month of March, there were roughly 1 million searches made. (That's not visitors or hits, that's 1 million people looking up stuff.)

This morning, Gary Bass, OMB Watch's Director, sent a note to me and several other funders, to tell his side of the story explaining how it all unfolded. It's worth a read:

Once we knew the New York Times was going to break the story on its website yesterday, we prepared a detailed description of events that transpired. That information, along with a statement from OMB Watch, is available on FedSpending.org as well as our home page….

In summary, when the user notified us that her Social Security number was available from our site, we verified that the data was the same as on the data we obtained from the Census Bureau and suggested she contact officials at Census and USDA, the agency where she received a loan. That evening we redacted the data field from her record and suggested to government officials that this may be part of a larger problem.

Late on Monday, we received a request from the government to redact the data field from the entire database for 30 days while the government notifies other agencies. (The Census Bureau noted that it was redacting the field from the files that can be downloaded from its site. On Tuesday, after the government's redaction, we found the same data with the Social Security numbers on a National Archives website, highlighting the extent of the problem for government. That information, as of this morning has now been restricted — meaning the web site doesn't display the SSN anymore.)

We responded on Monday that we would redact the data field for 30 days if the government provides a plan (within the 30 day period) for correcting the data for the field in question . The data field, called the Federal Award ID, is a unique identifier for specific financial transactions. (What two agencies within USDA were doing was including the 9-digit Social Security numbers as part of the 15-digit ID. It does not appear any other agency in government did this.) Without the number, it is near impossible to track specific grants, loans and other forms of financial assistance. For example, you need that identifier when doing a Freedom of Information request for specific financial transactions.

In other words, we were not prepared to let government's apparent violation of federal law (by releasing Social Security numbers) become an excuse for reducing transparency and accountability about government spending. Plus we knew that it is not a hard technological fix (the government could generate new numbers and give us a crosswalk to post the corrected numbers). (Of course, this doesn't fix the problem for those who downloaded the files from government websites for around the last 10 years.)

Although there was lots of conversation with government on Fri (4/13) and Mon (4/16), after we sent our letter, there was no more discussion with us. (Well, there was one. The USDA Chief Information Officer sent me an email, apparently accidentally, telling the Commerce Department to have legal counsel tell OMB Watch that it is violating the Privacy Act. BTW, the Privacy Act only applies to government agencies such as the USDA.)

Accordingly, we talked confidentially with colleagues in the news media about whether we should voluntarily redact the data in order to asses the damage. In doing so, two felt this was an important story to tell; one was from the New York Times and the other from the Sunlight Foundation, the organization that provided funding for FedSpending.org.

By Wednesday night we told the two organizations we would not stop them from doing a story, but asked if they would wait until Friday (4/20) to see if government did something by then. Coincidentally, as the New York Times reporter began questioning government officials on Thurs (4/19) morning, OMB Watch received a call from OMB to discuss the issue. After a series of calls throughout the day on Thurs, by the early evening we received assurance that we would receive a written response indicating the government will provide a public plan for correcting the data field within 30 days. We received the written agreement late on Friday (4/20).

OMB Watch has temporarily redacted the Federal Award ID data field from the database. We eagerly await the government's plan to correct the problem, especially since there is now a law that requires the government to create a database like FedSpending.org by Jan. 1, 2008 (which we proudly helped push).

We couldn't be more pleased with the way OMB Watch has handled this controversy, or the wiseness of this investment in their work.

0 Comments

For almost a decade, some divisions of the Department of Agriculture published the Social Security numbers of individuals who receive federal aid in a publicly available online database of government grants. The Farm Service Agency and at least one other agency within Agriculture included the nine digit numbers as part of the tracking number assigned to each recipient of government assistance, called a Federal Award ID.

Those tracking numbers were then published in the Federal Assistance Awards Database System (FAADS), an online compendium of “all types of financial assistance awards made by federal agencies to all types of recipients,” which is updated quarterly. This database is generally used by experts and is not very user-friendly.

So far, it’s not clear whether the inadvertent publication of individuals’ Social Security numbers is limited to the two agencies in Agriculture, or whether the problem extends to other departments and agencies as well.

The government has removed Federal Award IDs from the FAADS database; however, researchers, journalists, news organizations, nonprofits and numerous others with an interest in government programs have been downloading the data for years. The government was alerted to the problem after a citizen discovered the personal information on a Web site maintained by a nonprofit group.

Marsha Bergmeier, whose family farm receives loans through a Farm Service Agency program, discovered the problem through a Google search. She came across records for her farm on FedSpending.org, a user-friendly database of government spending produced by the nonprofit watchdog group OMB Watch that includes data from FAADS. (Full disclosure: OMB Watch is a grantee of the Sunlight Foundation, which provided funding for FedSpending.org.)

On the OMB Watch site, Bergmeier found that personal information, including her farm’s tax ID number, was a part of a string of digits under the Federal Award ID column.

Bergmeier alerted OMB Watch and the Department of Agriculture, setting off a series of discussions and email exchanges among the staff of OMB Watch and officials from Agriculture and the Census Bureau, which maintains the FAADS database.

The New York Times is expected to publish a detailed story on this later today.

Thousands of individuals affected

Gary Bass, executive director of OMB Watch, characterized the oversight as “deplorable.” He said that government officials first asked OMB Watch to pull down one record—Bergmeier’s—and later requested to remove the entire Federal Award ID field, as they suspected there could be more such cases.

Once again, it was Bergmeier who discovered the problem.

As she dug deeper into FAADS data using online searches, she found that there were more than 28,000 cases where people’s Social Security numbers were being used as the primary ID for the records. In an email she sent to OMB Watch on April 13, she wrote, “I have identified 28,209 records on your Web site that contain Social Security numbers and banking information.”

Both OMB Watch and Commerce have removed the Federal Award ID field from their Web sites.

But removing the numbers doesn’t solve all the problems that publishing the Social Security numbers caused while creating other problems. As Bass noted, the Federal Award ID, which is the unique record identification, is essential for any type of investigator making a Freedom of Information Act request—which is much harder for the government to fill without a specific transaction number. While a Census data specialist Mike Mashburn maintained that researchers can still use the information without the Federal Award ID numbers, the data cannot be mined to its fullest without this information.

“The best possible solution is for the USDA to quickly re-generate the ID numbers and resolve the problem, and this should technically take an hour,” Bass said. As of Thursday morning, government officials had yet to determine how they were going to address the problem.

Even with the Federal Award ID removed, there is no way to tell how many people may already have access to the data—including thousands of Social Security numbers. Take OMB Watch—they said they have had as many as three million searches of FedSpending.org data since the site was launched in October 2006.

“There is no way to say how many people have downloaded it or have copies of it,” Bass said. In fact, after the Census Bureau redacted the Federal Award IDs on its server earlier this week, OMB Watch did a search on Tuesday and found that the National Archives had FAADS records—still showing the IDs—on their Web site.

Besides government agencies, other private organizations such as Investigative Reporters and Editors also have this data. Since 2002, IRE has distributed this data to at least three dozen media organizations.

We have not received comment on this story from any government official in spite of numerous and repeated phone calls.

This story was first reported on Sunlight's Real Time Investigations.

0 Comments