
Travis County thwarts identity theft...

Travis County's portal

Or at least that will be the lasting sentiment from this story. And, you know, that's fine with me. I've been *intimately* involved with this particular issue as my wife and I were affected by this personally.

Almost 2 years ago, I learned that Travis County had published our marriage license online, which included our names, addresses, social security numbers, birthplaces and driver's license numbers. For most people, the standard marriage license form doesn't include that information and so it's fit to publish online. What we did differently from most people was fill out a "Declaration of Informal Marriage," a form that legally recognizes a common-law marriage. This was required by my employer (the City of Austin) so I could extend healthcare coverage to my wife.

So when I found out this form was available online and the state-required redaction of the social security numbers had not been done, being intimately familiar with this subject (I'm an Information Security Analyst at the City), I called the County Clerk's office and asked to speak to someone who would be able to pull the graphic. Over numerous phone calls to at least a half-dozen different people, I couldn't seem to get a hold of anyone who understood what I was asking for. After about a week of calling and talking to people, the "official" solution (and I'm calling that "official" as this was the highest-level person that I could get a hold of, even though I asked on numerous occasions to speak directly to Ms. DeBeauvoir herself) was that I would have to file a petition with the court to have the record changed from public information to private (at a cost of at least $300). This was crazy, I explained. Because I do this exact same thing at my day job (look at vendors' applications for weaknesses and re-engineer them to fit the City's security policies), I knew there was some kind of technical disconnect with the person I was talking to. As I kept explaining, I wasn't trying to change the status of the record. I had no problem with it being public. My problem was that this system was publishing records online in violation of the State of Texas' Public Information Act (§ 552.141. CONFIDENTIALITY OF INFORMATION IN APPLICATION FOR MARRIAGE LICENSE) and that Travis County could be held liable for any security breach that could be traced to their website. After all, I wasn't asking to invalidate the record; I was asking for the stupid web application to not publish the one PDF file that contained the information.

So I asked to speak to one of the programmers, as I knew I could convey exactly what I was trying to get across to someone technical. I was told I couldn't speak to a programmer, as it was an application developed by a vendor and there was no way I could talk to them directly. My concerns would be relayed to them, I was told. So, almost 2 years later and after my wife picked up the phone tag baton, putting multiple 90-day freezes on our credit knowing our information was easily available to any and all, I'm glad to see that the clerk's office is finally doing the right thing. Kudos to you and your staff, Ms. DeBeauvoir. I only wish that I could have talked to you directly oh, so many years ago...

You would think I would end the story there, but I'm not. I'm going to use this as an example of something that is very close to my heart as well as put a few warnings out there. The application that the clerk's office uses, Public Access .NET, is a proprietary application for which the clerk's office probably doesn't have rights to access or change the source code. I'm assuming from all my conversations with their staff that no one at the clerk's office has access to the source code of the application, much less the right to change the functionality of the application itself (remember, I don't know this for sure; I'm *assuming*).

So I'll offer up this first warning to government officials. Proprietary software and government do not mix well. As Ms. DeBeauvoir states, "I am a strong supporter of open government; however, my obligation as an elected official is to respond to legitimate public concern and to do everything within my authority to protect people now." So, if the public's best interest is the priority, by doing everything in her power, that application should be open and accessible to other programmers outside of the company that developed it. This allows the government entity the option to work on its own time schedule and not the agenda of another company. So if a pressing security issue crops up (like publishing social security numbers online), the entity has the option to call a local programmer and immediately address the concern. Like I said before, from my understanding of the application and how these things are put together, this could have been as easy as changing a single field in the database and not a whole rewriting of the application itself. This concept, called open source, is the perfect fit for any government entity that espouses a belief in open government because it practices what it preaches. It allows for the open review of the code by independent 3rd parties and allows changes to the functionality on the government entity's time schedule. I can say that most of the online projects that the City uses have either been developed in-house by our talented programmers or we have access to review the code if needed. We love it from a security standpoint as we can see exactly what is going on and can tailor the app to fit within the City's strict security policies. It's a win for the people's government and a win for the developer.

My second warning goes along with the spirit of the first. The company that developed the application, Hart Intercivic, also developed and programmed the voting machines used in all elections here in Travis County. Hart Intercivic keeps the programming code of these machines as well as the tabulation software proprietary and thus secret. If I could think of any application in the world that needs to be open sourced, it's voting machine software. As shown by the last few election cycles and in numerous other instances, the software has come under scrutiny as irregularities become more prevalent. So, if we value our democracy and if Ms. DeBeauvoir really believes in open government, we need to petition to have a true independent code review of the voting machines we use here. (And don't believe the results from the ITA or "Independent Testing Authority" that all these machines must subject themselves to. The ITA is actually just three companies which are paid by the voting machine manufacturers themselves. An article by probably the most prominent voting machine expert, Avi Rubin, discusses this "independent" setup.) So please, if you value democracy, email or call the Travis County Clerk's office and pressure them to have Hart Intercivic release the code to a true independent party for review. If Hart Intercivic was publishing all my personal information online in direct violation of state law, who knows what the *truly* secret code is doing...