MESC Invites the Hackers! Social Security Numbers Exposed! Job Seeker IDs and Passwords Exposed! Why do they publish it all on public web servers? Why do they lie about it being private?


 Glen L. Roberts


Your SSN from Pension Provider to Privacy Penetrator

04/23/96 - 4:00 PM

VICTORY FOR PRIVACY IN MICHIGAN!
Date: Thu, 23 Apr 1998 15:53:30 -0400
From: "Jim Tobin" 
To: glr@glr.com
Subject: Michigan's Talent Bank

Glen,

Thank you for taking the time to discuss social security numbers
on our web site.  As I mentioned, we have twice improved the
system's security based on your input.  Furthermore, we are
announcing today that we are committed to removing all SSNs
from our web site.  Existing SSNs will be assigned new User
IDs and new users won't be able to input their SSNs.

As we discussed, we have always opposed using SSNs on our resume
system.  However, the U.S. Dept of Labor has told us that they are
going to mandate their use once the system spreads nationwide.
Because of that, we encouraged the use of SSNs, so when the mandate
came we'd be more ready.  Now we've determined that we will fight
that mandate if and when it comes.

                Jim Tobin
                Michigan Jobs Commission


04/22/98 - 7:30 PM

Yesterday, the Associated Press and Lansing State Journal called about this matter. Both ran stories. The Detroit News and Detroit Free Press ran versions of the AP Story (online, at least).

The State claimed in the articles that they fixed the problem and it was also reported that they would pay a hacker $20,000 to verify the fix!

Here is a $20,000 tip:

When I sign in as an employer and search for Job Seekers -- I should note that this is as an UNVERIFIED employer -- and view the HTML source code in Netscape (select "View" and then "Document Source"), I find the following (much deleted in between):


<!-- And here's another tag telling web_eval to display the results -->
<table border=0>
<!-- ID = MI-384XX2443 -->

<!-- ID = MI-338XX0441 -->

<!-- ID = MI-382XX3942 -->

The X's I added. Tell me these are not Social Security Numbers!

Now, let me repeat myself from below, my commentary of April 9, 1998: Now, let's stop for a moment. I don't know what information is given to "verified" employers. However, just because someone is an employer doesn't mean they should get your SSN or other personal information! Though, as an unverified employer, examining the source of the HTML code (select View Source, under File on Netscape), it appears to give out some SSNs.

Before the State of Michigan pays a hacker $20,000, maybe they should learn to read English and use two mouse clicks in Netscape to see how they are destroying any concept of privacy for Job Seekers in Michigan!


04/09/98 - 11:30 AM

I emailed the MESC webmaster and State Auditor yesterday, asking about the lack of a Privacy Act statement where they ask for Job Seekers' SSNs on the web. No reply as of creating this web page.

It started with an article in the Detroit News: a rebuttal, complaining about the Michigan Jobs Commission. Most of the article was the normal political bickering you might expect on governmental agencies. One paragraph jumped out though:

Rebuttal: Employment service hurts state workers
The Detroit News
Tue, Apr 07 1998

Let's talk about the unemployed. They now go to the
unemployment agency and file for benefits. If they are
lucky, the Michigan Works agency is located in the
same building. If not, they have to go where it is located
and put their resume on the Internet. Don't know how
to use the computer? Too bad. Sit there until you learn,
because if you're not on the Internet, you receive no
benefits. Meanwhile, your Social Security number,
name, address and phone number are all over the
Internet for everyone to see and use.

It was interesting to see this on the same day that an article appeared on the wire services about an IRS audit.

Wed, April 8, 1998 -- Chicago Sun Times
Audit Finds IRS security lax

"Under current procedures, an impostor who knows a
taxpayer's name, address and Social Security number
can find out tax and income information from the
Internal Revenue Service with a simple phone call,"
according to an internal IRS audit of agency practices.

I thought, it couldn't be! They aren't making these people post their resumes with SSN to the web? No way! So, I went looking just to make sure.

I couldn't find them. Not at first anyhow. I signed in as an employer. Filled out my name and address. Specified N/A as my employer ID. Went to browse the resumes. Nothing, wouldn't give me even names without being a verified employer.

Now, let's stop for a moment. I don't know what information is given to "verified" employers. However, just because someone is an employer doesn't mean they should get your SSN or other personal information! Though, as an unverified employer, examining the source of the HTML code (select View Source, under File on Netscape), it appears to give out some SSNs.

Ok, let's stop being an employer and see what it's like to be a job seeker now. Gotta put in your name and address. Next, it asks for an identifier. For some reason, they encourage you to USE YOUR SOCIAL SECURITY NUMBER. This web page is on the Michigan Employment Security Commission web server, so I can only presume that it is a State Agency request for the SSN and requires a Privacy Act notice. Of course there is none.

To make you feel better they have a grand explanation about the security of all this information and how it will remain private. (Compare that to the View Source option in Netscape while viewing the resumes by unverified employers).

This is their assurance:

To see the assurance yourself, you must follow this link and tell it you want to submit a resume, then fill in your name and address. The following message appears at the URL http://atb.mesc.state.mi.us/cgi-bin/atb_js_register:

Job Seeker Registration (Con't)

America's Talent Bank (ATB) requires an identifier for each electronic resume that is registered. ATB currently encourages Social Security Number (SSN) as that unique identifier. This form will be set up for a secure transaction to ATB for your privacy. To further ensure your privacy, no personal data will be transmitted with this transaction. Your SSN will not be revealed to anyone. This includes prospective employers.

The real shock came when I did a bit more surfing around the public web pages of the Michigan Employment Security Commission (MESC). Most every web server keeps a log file of all activity on that server. The MESC does. The MESC goes a step beyond and offers the log files to the public:

http://atb.mesc.state.mi.us/logs/

A review of the "access" log file (this was 50 megabytes) shows clearly that whoever made that statement on the privacy of the SSN has no clue about the big picture. Every time a Job Seeker logs into the system, it records their ID (SSN) and PIN code in the access log file. Every time an Employer logs into the system it also records their ID (a generic number, not an SSN -- why don't they give Job Seekers the same respect as the Employers?). I don't see the passwords for employers in the log files!

Here are some select log file lines. X's added by me.

208.224.11.164 - - [06/Apr/1998:08:49:45 -0400]
"GET /atb/seeker/login.ind?as_UserName=544XX8982&as_Password=XX89&
IsRegistration=N&as_SubmitType=Submit HTTP/1.0" 302 221

38.156.109.3 - 364XX4157 [06/Apr/1998:08:51:25 -0400]
"POST /cgi-bin/seeker/atb_js_oes0 HTTP/1.0" 200 5659

Not only are thousands of Social Security Numbers (SSN) disclosed to the public, the information needed for anyone to log in as a Job Seeker is available. Miscreants could easily go into the system and "update" other people's resumes.
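As an added illustration (not code from the original page or from the MESC system), here is a small Python audit that reads NCSA-style access-log lines like the ones quoted above, flags entries where the seeker's ID and PIN travel in a GET query string (the `as_UserName` and `as_Password` names come from the quoted lines) or where the authenticated-user field is a nine-digit SSN-shaped value, and emits a redacted copy of each line. The sample log lines are constructed with made-up addresses, IDs and PINs.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample lines in NCSA common log format, modelled on the lines
# quoted above. All addresses, IDs and PINs here are made up.
SAMPLE_LOG = """\
208.224.11.164 - - [06/Apr/1998:08:49:45 -0400] "GET /atb/seeker/login.ind?as_UserName=123456789&as_Password=4321&IsRegistration=N&as_SubmitType=Submit HTTP/1.0" 302 221
38.156.109.3 - 987654321 [06/Apr/1998:08:51:25 -0400] "POST /cgi-bin/seeker/atb_js_oes0 HTTP/1.0" 200 5659
10.0.0.5 - EMP1234 [06/Apr/1998:09:00:00 -0400] "GET /atb/employer/search HTTP/1.0" 200 1200
"""

# host ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$')
SSN_SHAPE = re.compile(r"^\d{9}$")
# Query parameters that carry the seeker's ID and PIN in the quoted log lines
SENSITIVE_PARAMS = {"as_username", "as_password"}


def audit_line(line):
    """Return (findings, redacted_line) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"], line
    host, ident, user, ts, method, target, proto, status, size = m.groups()
    findings = []
    # A 9-digit authenticated-user field means the SSN is the login name.
    if SSN_SHAPE.match(user):
        findings.append("ssn_in_user_field")
        user = "XXXXXXXXX"
    # Credentials sent in a GET query string are written to the log verbatim.
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = []
    for name, value in pairs:
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"credential_in_query:{name}")
            kept.append((name, "REDACTED"))
        else:
            kept.append((name, value))
    if pairs:
        target = f"{parts.path}?{urlencode(kept)}"
    redacted = f'{host} {ident} {user} [{ts}] "{method} {target} {proto}" {status} {size}'
    return findings, redacted


def audit_log(text):
    """Audit every non-blank line; returns a list of (findings, redacted_line)."""
    return [audit_line(l) for l in text.splitlines() if l.strip()]
```

Redacting after the fact only limits the damage; the fixes the page argues for are to stop using the SSN as the login name, to accept the PIN only in a POST body rather than the query string, and to never serve the log directory from the public web root.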

Another file, "access.meta" seems to be almost a summary of SSNs from the access log file.

9 0 62568 26946 366XX6095
14 0 108154 27104 374XX7039
9 0 64315 26953 375XX0323

It is clear that the MESC must immediately close their "Michigan Talent Bank," revamp the system so that Job Seekers' SSNs are not a part of it, and apply other measures to ensure the integrity of the data and the system. At minimum the Job Seekers are due the same respect as employers in the protection of their personal information and the integrity of it!



