Are online public records too public?

Genealogical Web site RootsWeb.com removed databases of California and Texas birth records from its site Friday after receiving a blitz of phone calls from frantic state residents worried that data contained in the public records could be used for malfeasance. The data--birth records dating from 1905 to 1995 on more than 24 million Californians--included names, birth dates, places of birth and mothers' maiden names, a key ingredient to accessing customer financial information at many banks and credit card companies.

Now, a California legislator is asking Gov. Gray Davis to stop the Department of Health Services from selling California birth records in electronic format to third parties, a legal right of the state agency. In a letter sent late Friday, Sen. Jackie Speier, (D-San Francisco, San Mateo), also asked that the governor track down one other Web company, which bought the data earlier this year, and prevent it from publishing the information online.

Access to personal data contained in public records is of mounting concern to lawmakers and privacy experts in the wake of the Sept. 11 terrorist attacks, in which one suicide bomber is suspected of using a deceased person's social security number to create false identification. Although personal information contained on research Web sites alone is typically not enough to steal someone's identity, lawmakers and privacy advocates are concerned that the data could be used as building blocks for a false ID.

Privacy advocates are particularly concerned about the ease with which people can obtain sensitive data from public records online. Although birth and death records have long been available to the public through state offices, people typically had to visit a courthouse, fill out an application, or wade through library documents to look up information.

"It's certainly very troubling because while it's important to have public records, the complexity of accessing those records has always limited their ability to be misused," said Ray Everett-Church, a California-based privacy consultant.

"Because the mother's maiden name often doubles as a kind of password to your private information at credit bureaus or credit cards...(easy access on the Internet) is of increasing concern as the number of identity theft cases skyrocket," he added.

Jodi Beebe, hotline director for the Privacy Rights Clearinghouse, said there are between 500,000 and 750,000 potential new victims of identity theft per year. Of those cases, between 75,000 and 100,000 take place in California.

"Obviously this information is public record, but making it so easily available online may be facilitating a crime we don't want to see growing at the statewide or nationwide level--namely identity theft," Beebe said.

Up for sale
In addition to RootsWeb, the Office of Health Information and Research sold California birth and death records to PeopleSearch.com, according to the agency's chief, Michael Quinn. PeopleSearch is an Internet-based company that charges $50 to $100 to help people find someone or perform a background check.

"We're required by the Public Records Act to produce this index and keep it available for the public," Quinn said.

A representative for PeopleSearch.com said the data is "one of many sources we use" to provide information but declined to comment further on use of the records.

Lawmakers in California would like to impose stricter limitations on who can have access to public birth records. Richard Steffen, staff director for Speier, said the office is planning to draft new legislation by early next year to tighten controls on access to birth certificates.

"Initially, we don't believe the index of birth records with mothers' maiden names is appropriate as a public database because it allows anyone around the world, in a short period of time, the ability to review 24 million personal documents," Steffen said.

Instead, the office would like to see access to records limited to the person of record, a legal representative or "legitimate researchers," a group yet to be defined, Steffen said. He added that they plan to send a letter to the Department of Health Services asking about buyers of the birth records.

"Clearly, Health and Safety Code Section 103525 requires the state and local registrars to provide birth certificates upon request. But it does not, in my opinion, authorize the state to package all birth records into an electronic format that is then launched in cyberspace for anyone's use, legal or illegal," Speier wrote in a letter to the governor.

In response to the letter, a representative for Davis said the governor is crafting legislation for January that would address issues related to identity theft and privacy. In the interim, "the governor is pleased to learn that (RootsWeb) has stopped providing the information in question," the representative said.

RootsWeb bought birth record information on CD-ROM for about $900 and the death records for about $600 from California's Department of Health Services. The information is not a full record, but rather a listing of the document. People can request to buy a birth or death record from the office directly or by fax. Quinn, of the Office of Health Information and Research, said that most of those buying access to the information are genealogists or attorneys handling unclaimed property cases in California.

After a report appeared in the San Jose Mercury News, California and Texas residents flooded the phone lines at the headquarters of RootsWeb, owned by MyFamily.com, asking to be removed from the database. The company decided to give people the right to opt out of the database after the article, then shortly pulled the database altogether.

RootsWeb did not return phone calls seeking comment for this story.

According to its site: "In addition to our goal to provide outstanding genealogical resources to our users, RootsWeb.com is also committed to protecting the privacy of our customers."