http://www.pc-radio.com/dean-ftp.html

By Brian McWilliams
December 10, 2003

Political opponents and journalists are frustrated over former Vermont governor Howard Dean's refusal to unseal 145 boxes of hard copy documents from his 12-year term in office. Judicial Watch, a Washington, D.C. nonprofit, has even sued Dean, who is running for president, to open the estimated 400,000 records to public examination.

I wondered if anyone had checked whether Dean accidentally exposed any documents of the electronic variety when he ended his gubernatorial tenure last January. So I visited The Internet Archive, where I pulled up a copy of the 1997 edition of the Vermont State Web site, including a page titled The Virtual Office of Vermont Governor Howard Dean. A quick review revealed nothing particularly noteworthy there, aside from the fact that the old site had apparently been designed by Montpelier High School students.

But visiting an archived version of Vermont's main page, as well as the current version of the site, I noticed a page with a hyperlink labeled State of Vermont FTP server. Clicking the link enables anyone with a Web browser to log in "anonymously" to the state's file transfer protocol (FTP) server.

Last week, I found over a gigabyte of files on the FTP server, many of them created during Dean's term in office, from 1991 through January 2003. After I told Vermont officials about it, they deleted the files last Friday. There were no references to Dean in any of the files, so you can stop reading right now if you were hoping for some embarrassing evidence.

About the most interesting thing I found on the FTP server was a half dozen or so files in a folder named "courts." They contained records on over 2,000 individuals arrested in July of 2000, including their name, city of residence, and date of birth, and the reason for their arrest, which ranged from misdemeanors such as disorderly conduct to felonies including sexual assault, kidnapping, and homicide.

A representative of Vermont's office of court administrator told me the arrest records were intended for internal use by Vermont's district court system. He said they were placed on the server prior to being transferred to another government department. Due to an oversight, the records were never deleted, he said.

Vermont's assistant attorney general Bill Griffin said the files contained only public information, and that no privacy laws were violated as a result.

One privacy expert, however, said the security lapse was potentially serious. While Vermont law does not specifically prohibit the publication of such data, individuals named in the exposed files might still be able to sue the state for violating their privacy, according to Robert Ellis Smith, publisher of Privacy Journal.

"Any disclosure of private facts that are offensive about an individual could lead to somebody collecting damages," said Smith. He noted that many states treat arrest records as confidential, to protect the privacy of individuals who are arrested but never prosecuted.

In a folder labelled "psd" I found a compressed archive with nearly a gigabyte of binary files dated May 14, 2003 and apparently generated by a relatively obscure database program. Vermont's department of public service didn't respond when I asked what was contained in the archive. It was among the files removed from the FTP server last week.

"This is potentially very sensitive information. It had no business being left on a server accessible to the public," said Lee Tien, staff attorney with the Electronic Frontier Foundation.

Robin Siss, Vermont's chief information officer, apparently agreed. "[The files] should not have been there," said Siss, who was hired in September by Republican governor Jim Douglas. Siss noted that the FTP site "predates my administration" and that her department is still "going through its discovery" but is confident that only "appropriate" content is now on the server.

Citing "executive privilege," attorneys for Dean last year asked the state to seal his records for 24 years. Dean has recently said that he made the request to protect the privacy rights of his personnel and members of the public. But in January Dean reportedly told Vermont Public Radio that he arranged to have the records kept confidential for "political considerations" and to avoid embarrassment "at a critical time in any future endeavor."

Dean now says that a judge should decide what records should be made public, a process that could take months. Spokespeople for Dean have noted that many other records from his governorship are open for public viewing in the Vermont state archives.

Dean's campaign has received a lot of attention for its Internet grassroots organizing and fund raising. About all you can conclude from this FTP server incident is that some members of his gubernatorial administration were mediocre at Internet security.