On Monday afternoon, the House Committee on Government Oversight and Accountability held a fact hearing to investigate allegations that driver’s license fee agents throughout the state are being compelled by the Department of Revenue to illegally disclose personally-identifiable information of Missourians to a third-party private company in Atlanta, Georgia capable of building a massive database and intruding on the privacy rights of Missourians.
We did not conduct this investigation in a vacuum. Many Missourians, including myself, fear that if we are not vigilant that the coming Age of Big Data will also be the Age of Winston Smith. You can see evidence of the dangers of government and big business overreach into the privacy of Missourians nearly every day. Just last week, Attorney General Eric Holder opined that the President has the legal authority to kill American citizens on American soil with neither judge nor jury. Sen. Rand Paul spent 13 heroic hours last week exposing that fundamentally un-American legal opinion to the American public through an old-fashioned filibuster. As a second example, Google admitted last week that the FBI made over 1,000 warrantless requests for information on Google users – requests that do not involve permission from a neutral judge or grand jury.
The concerns are not limited to the actions of government. Big Data companies know more about each of us than any third-party companies have ever known about individuals in the history of the world. There are many who defend this collection of data as being “good for us.” But there are others, myself included, who fear the long-term consequence of such data collection and how it might be abused and manipulated by private companies – and, eventually, be taken by government.
Monday’s hearing had two parts. The first part was a factual inquiry into what the Department of Revenue is actually doing here. Just as with our Mamtek investigation, it is not this Committee’s role to indict or declare activity legal or illegal – that is the role of our legal system. Instead, it is our job to determine the fact’s as best we can – and to use those facts to determine if a legislative solution is necessary, warranted, or possible.
Here’s what we learned Monday – and what we’ve subsequently learned from other hearings or legal proceedings:
- The Department is transitioning to a new driver’s license issuance system. This transition moves away from the old process of printing licenses at each individual fee office to central issuance.
- The Department then outsourced the printing to a vendor called MorphoTrust in Atlanta, Georgia. In its bid materials, MorphoTrust touted the fact that it has similar contracts with 46 other states.
- The Department testified that MorphoTrust provides license fee offices with scanners and computer systems to make copies of documents and share information with the Department of Revenue.
- Upon a Missourian requesting a license or CCW endorsement, the new system requires individual fee office agents to scan a copy of the Missourian’s source documents (for example, birth certificate) and send the copy of the source document to the Department in Jefferson City.
- The fee office agent also sends the “folio” for each applicant to the Department, which is all of the information which appears on the driver’s license, including, whether the Missourian has health restrictions on the license or a CCW permit.
- The Department testified that it keeps the source documents itself and does not share them with any third-party. This is different than the prior system, in which individual fee office clerks reviewed the source documents and verified that they had reviewed them. The Department justifies keeping this source documents by pointing to an example of identity theft that occurred in a St. Joseph, Missouri licensing office. The Department asserts that keeping the source documents is an important deterrent to similar events in the future, and ensures that prosecutors will have necessary evidence in a prosecution for identity theft based on the presentation of forged or stolen source documents.
- The Committee questioned whether keeping the source documents was an effective deterrent. Through questioning, the Department estimated that only 50 source documents were reviewed by its employees each week to ensure accuracy. Rep. Richardson pointed out that this was akin to search for the proverbial “needle in a haystack” and would be highly unlikely to either catch or deter a perpetrator.
- The Committee also questioned whether keeping the source documents was necessary for the introduction of key evidence in an identity theft prosecution. I made the point that the fact that a defendant presented false documents with someone else’s name on them could be brought into evidence through the business records exception rule of evidence.
- The Department testified that it forwards the “folio” information to MorphoTrust in Atlanta, Georgia where the contract specifies that the licenses should be printed within seven days and the folio information destroyed.
- Under questioning by myself, the Department testified that it did not know if the contract had any procedure to verify whether such records were actually destroyed. Nor did the Department know if it had the right to spot-check to ensure such destruction is actually completed. It is my understanding that the Department testified at a hearing in Stoddard County that it has never received verification from MorphoTrust of the destruction of records.
- Under questioning by Rep. Richardson, the Department testified that MorphoTrust is audited six times per year by federal agencies. Rep. Richardson commented that such audits were paradoxical from the perspective of ensuring that such information is not shared with the federal government. It does not make sense to have the entities from which we are concerned does not get the information to then do the audits to ensure that the information is being destroyed.
- The Department testified that it paid for the central issue system after receiving clearance from the General Assembly in last year’s budget. The bid accepted reduced costs by $4 million per year. It was not clear at such time, however, that the bid would be secured by an out-of-state vendor with 46 other states under contract.
- Upon questioning about equipment with “Department of Homeland Security” markings, in particular “void” hole-punchers, the Department testified that such equipment was purchased with grants from DHS. These hole-punchers cost approximately $134 each – an issue of itself.
- Rep. Richardson questioned the price of scanners in the contract – approximately $4,000 per scanner if my memory is correct – when a similar scanner can be purchased retail for approximately $600.
- Russ Oliver, the attorney for the plaintiff in the Stoddard County case, testified that their lawsuit was based on the claim that the Department had illegally placed another hurdle in the CCW process – namely, requiring a permit holder to allow the copying of their source documents. He further testified that he believed the same requirement was illegal as a new requirement for Missourian’s applying for driver’s licenses. Oliver’s case will be determined by a judge in Stoddard County.
- The committee took testimony from Richard McIntosh, a registered lobbyist for MorphoTrust USA. Mr. McIntosh was only recently hired by MorphoTrust, and, as a result, was unable to answer many questions of the committee, including, but not limited to the following:
- Does MorphoTrust have contracts with federal agencies for the collection of personal data of Americans?
- Does MorphoTrust have contracts with any private companies for the sharing of personal data or creation of databases with details on Americans?
- How does MorphoTrust verify that it destroys the records it receives?
- On Wednesday, the Department testified before the Senate Budget Committee – and the end result were serious questions raised by Sen. Kurt Schaefer about the source of some funds. Though relevant to this issue, the questions raised by Sen. Schaefer are more appropriate for budget committees than Government Oversight and Accountability.
From the fact-hearing, the Committee has identified two major areas of concern. The first is the copying and keeping of source documents by the Department of Revenue. As Rep. Richardson pointed out, while rational, the Department’s reasons for keeping this information do not hold up under scrutiny. By creating a centralized data-base in state possession, the Department has created an enormous target for hackers – and, no matter how secure the Department believes it’s systems are, the Committee does not believe there is any such thing as a complete secure database. Just ask companies being hacked by China.
The second issue is the sharing of folio data with an out-of-state private vendor that has similar contracts with approximately 46 other states. Though MorphoTrust touts this dominance as a reason for states to contract with it, I believe it is a detriment. If you had 50 golden eggs, would you put 47 in the same basket? I don’t believe so. Allowing one company to compile such a vast amount of personally-identifiable information from nearly every state creates a serious security risk and states ought to take action to ensure that the outsourcing of these services is de-centralized.
The second part of the hearing was HB 787, sponsored by Rep. Richardson, which is a first-draft attempt to ensure that personally-identifiable information of Missourians remains protected. Rep. Richardson’s bill as currently drafted would require the Department to destroy any source documents collected from license fee offices. His bill, however, is likely to grow.
I have inquired of the Department on how much it would cost to either (1) go to a complete central-issuance system ran by the state of Missouri, or (2) to purchase a single printer to allow Missourians with privacy concerns to opt-out of having their personally-identifiable information shared with a third-party vendor that collects such information on Americans from 46 different U.S. states. Rep. Richardson’s bill could be amended to require the Department to allow such an opt-out – or to require the Department to do the printing in-house. This opt-out or in-house model would apply to applicants for driver’s licenses and CCW permits.
Rep. Wanda Brown has also filed a bill which would require the Department to indemnify fee office agents simply carrying out orders of the Department. This provision is likely to be added as an amendment to Rep. Richardson’s bill as well.
The legislature takes its annual spring break next week. The Committee when we return from break – giving Rep. Richardson time to add various provisions to the bill to ensure we have as complete a resolution as possible. The Committee will likely vote on Rep. Richardson’s amended bill on Tuesday, March 26, our second day back from spring break.