Tens of thousands of military Social Security numbers published on Library of Congress Web site

Until this week, you could find the Social Security numbers of tens of thousands of current and former soldiers, sailors and airmen on the Web site of the Library of Congress.
This included Social Security numbers for a former operational commander for Iraq, a former commander of U.S. Central Command, a former vice chief of Naval Operations, a former director of the National Security Agency -- and Colin Powell, the former chairman of the Joint Chiefs of Staff and Secretary of State for President George W. Bush.
The Social Security numbers were in online versions of the Congressional Record from the late 1980s and early 1990s available via a beta search tool on the library's Web site, known as THOMAS. The Social Security numbers were published with the soldiers, sailors and airmen's names when they were nominated for higher ranks.
Because the numbers were first printed long ago, most of the soldiers, sailors and airmen appear to be retired. Some are now prominent private citizens. One, for example, now sits on the South Carolina Supreme Court.
The Social Security numbers were there until I told the Library of Congress about them this week. I found them while using the beta search tool, which has since been taken down.
I didn't attempt to find every page with a Social Security number on it, but from the pages I did find, I extracted 31,144 unique Social Security numbers.
I shared three examples of the pages I found with the library so they could remove the Social Security numbers before I wrote about them.
John Sayers, a spokesman for the Library of Congress, replied in an email message Wednesday that "We've been aware of this problem with some parts of the Congressional Record on THOMAS for some time now, and have been making special efforts to find these problem pages and scrub them of any SSN material."
"Obviously, these were three pages we missed," he wrote.
He promised to tell the library's "data folks," who he said would "redouble their efforts and make sure we've got all these scrubbed."
Sayers also promised to explain further how these pages were missed. He wrote that "about four years ago we took a thorough look at all our online public data with an eye to finding and removing any Social Security numbers that might appear there ... A scrub was done at that time (zeroes put in place of the actual numbers)."
"As you may know, we have millions of searchable records and web pages online, in addition to the Congressional Record, where the numbers you cited originally appeared," he wrote. "It's a lot of information to check that isn't always clearly marked with a signpost that says 'SSN Numbers Here.'"
Sorry to say, it took a while to even get the library's attention.
I initially reported the Social Security numbers through the Library of Congress' beta comment form. I did it that way because I wanted to see how the library would respond if just anyone reported it, not necessarily a journalist. I used my name and email address, but didn't identify myself as being associated with a newspaper.
I never received a response.
A week later, I reported them again using the library's regular comment form.
Again, no response, other than a generic, automated email reply that my message had been received.
Finally, I emailed the public affairs office using the email address published on the library's Web site, this time identifying myself as an editor at The Courier-Journal.
Again, no response.
I didn't get a reply until I called and left Sayers a voice mail message, two days after sending the email to public affairs. Sayers later wrote that email to the public affairs office goes to him but he never saw it, perhaps because of "a blip on the system" or because he accidentally deleted it.
"... my sincere apologies again for the fact that no one got back to you sooner on this," he wrote. "It is our policy, when notified by a user that there are SSNs displayed anywhere on our websites, to remove them. We should have responded to you immediately."
I never contacted any of the people whose Social Security numbers were exposed directly. I'm saying these are their Social Security numbers based on the uniqueness of their names, where the Social Security numbers were issued and how their career paths compare to the promotions listed in the Congressional Record. I could be wrong in a specific case or two mentioned above, although I doubt it.
Personally, I think the issue of identity theft is overhyped. I'm writing about this because not everyone agrees.
Recently the Veterans Administration spent millions to notify veterans and agreed to pay $20 million in a court settlement after a laptop and external drive were stolen from an employee's home.
That strikes me as absurd. The onus should be on the retailers, banks, credit card companies and others who make use of Social Security numbers to have robust defenses against fraud. You shouldn't be able to lose your identity just because your Social Security number or other personal identifiers become public.
If nothing else, this shows how ubiquitous Social Security numbers are, and just how futile it may be to pass laws to hide them or to pretend that by banning their public display it will somehow protect us from identity theft.
Just this January Senator Dianne Feinstein of California introduced the Protecting the Privacy of Social Security Numbers Act, which would amend the federal criminal code to prohibit the "display, sale, or purchase of Social Security numbers without the affirmatively expressed consent of the individual."
In her floor speech introducing the legislation, which is similar to bills she introduced in past sessions, Feinstein said:
"Use of these numbers has expanded well beyond their original purpose. Social Security numbers are now used for everything from credit checks to rental agreements to employment verifications, among other purposes. They can be found in privately held databases and on public records--including marriage licenses, professional certifications, and countless other public documents--many of which are available on the Internet.
"Once accessed, the numbers act like keys--allowing thieves to open credit card and bank accounts and even begin applying for government benefits."
Feinstein then shared this anecdote:
"One thief stole a retired Army captain's military identification card and used his Social Security number, listed on the card, to go on a 6-month, $260,000 shopping spree. By the time the Army captain realized what had happened, the thief had opened more than 60 fraudulent accounts."
If only she knew.

4 comments:
How about giving yourself a pat on the back..... Oh. I see you already did.
Hah! Got me.
Thanks for what you do.
Thank you.