Screenshot of day-care data
This is a screenshot of some of the day-care data made publicly available on the Internet. MSNBC.com has blurred out specific names.
By Bob Sullivan Technology correspondent
msnbc.com
updated 2/8/2004 6:59:49 PM ET 2004-02-08T23:59:49

A government subcontractor posted the names, birthdays and daily whereabouts of hundreds of upstate New York children to the Internet, where the information remained publicly available for weeks until MSNBC.com notified authorities.

The incident offers a glimpse into the murky world of government outsourcing and its impact on citizens' privacy. The computer data -- which also listed the names, addresses and other details of low-income and foster families -- passed through three layers of subcontractors on its journey to the Internet.

Officials at the New York State Office of Children and Family Services and in Livingston County, where the incident occured, are investigating. Livingston County's social services office is located in Lima, just a few miles south of Rochester, N.Y.

Two separate databases with personal information about children and their families were exposed. In one case, a list of children in the county's low-income day-care program was intentionally posted for download on Jan. 22 to a Web site used by computer programmers to hire temporary help. Another database, listing families participating in the county's foster care program, was posted to the same Web site in November. Both remained on the site, free for anyone to download, until they were removed Thursday.

The information revealed was explicit. In addition to names, birthdays, and other personal information, a memo field in the database chronicled each child's daily routine:

  • "M,Tue. & Fri when mother attends treatment program and therapy,( approx. 20 hrs per wk)"
  • "M-F, when mom attneds {sic} classes @ GCC & dad is working,"
  • "M,TU,TH,F; 8:15-4 until school starts. Foster parent-(name removed). Eff 2/7/03, new foster parents-(names removed). Eff 2/24/03,Th & sch clsgs."

It's unclear precisely how many children were exposed by the data leak, but the number is in the hundreds. A file called "tblchildren" listed 459 entries, while another labeled "tblpurgedchildren" had 774 entries.

"I can't believe this," said child privacy advocate Parry Aftab, who operates WiredSafety.org. "This is horrible."

Some Internet data leaks are relatively harmless, as files are posted to obscure Web addresses that may never be viewed by strangers. In this case, however, it's clear the childrens' data made its way into the public eye. The Web site where the databases were leaked encouraged visitors to download the information, and the pages where they were offered were viewed by hundreds of people.

Commissioner Sandy Wright, who heads the Livingston County Department of Social Services, spoke briefly to MSNBC.com and said she was investigating the matter, but didn't respond to follow-up interview requests.

Posting of the data on the Internet runs afoul of New York state's confidentiality laws, said Kent Kisselbrack, spokesman for the New York Office of Children and Family Services, which regulates the county agency that leaked the data.

"Personal information of the nature that was on this Web site, especially information about children, it's not appropriate for this kind of information to be available to the general public," Kisselbrack said. The data was removed on Thursday afternoon, when his agency contacted the Web site where the data was posted and asked that it be taken down.

"We have been informed by Sandy Wright that appropriate steps will be taken against the employee responsible," Kisselbrack said. "And we will remind counties around the state about developing proper procedures when developing databases that do or will contain confidential information."

Job outsourced three separate times
Just how the data ended up on the Internet is an alarming window into the use of outside computer service providers by government agencies in the age of increasing outsourcing of development work.

The data was ultimately leaked to the public when it was posted on RentACoder.com, a Web site that helps computer programmers find temporary work. Users looking to hire programmers post jobs to the site, and engineers from around the world bid on the projects, often driving the price down sharply. Programmers stuck with tricky problems also post individual questions, inviting other programmers to supply answers, sometimes for as little as $15.

That's how personal details about hundreds of children ended up on the Internet. A user named Mark Dennis, stuck with a tricky formatting issue, posted his question to RentACoder -- and attached a zipped copy of the database he was working on.

In November, Dennis posted a database front-end named "Respite," with components named "Foster Care Unit," and "Intake Program Data." His listing asking for help had been viewed 214 times by Feb. 4, according to RentACoder's Web site. It's not likely all those visitors unzipped the attached database, but there's no way to know how many did, according to RentACoder CEO Dan Ippolito.

In January, Dennis did the same thing, posting a similar question on Jan. 22 about an attached a zipped copy of a database named "DayCareData." The job offer was viewed 127 times, according to RentACoder's site.

On Jan. 26, another programmer -- who requested anonymity -- sent a message to Dennis, warning him of the possible privacy problems. He replied: "Thank you for the note. That was my mistake and I will be more careful in the future," according to the programmer. The next day, Dennis posted the same database in a different question.

County attorney David Morris said that programming work for the day-care center had been outsourced to the locally-based Genesee Community College. The manager of the college's program refused to speak to a reporter, but Morris said Dennis was a third party consultant hired by Genesee. Dennis, in turn, used RentACoder to once again subcontract the database work, which ultimately fell to a New Jersey-based programmer.

By that time, the programmer actually working on the day-care data was four steps removed from the county's social services program.

Repeated attempts to contact Dennis were unsuccessful. The programmer who took the job through RentACoder refused to comment on the incident.

Families unaware of data leak
Ippolito said his company can't review the details of every single advertisement that is posted on the site, but it has complaint procedures in place if a user has a problem with any ad. While copyright complaints are filed regularly, this is the first privacy complaint the site has received, Ippolito said.

"We have pretty strict legal agreements in place. Buyers assume responsibility for what they post," he said. "They certify that anything they put up there is in full accordance with the law."

County officials have not yet determined if they will tell the families involved about the incident.

"It's kind of a shock," said Morris, the county attorney. "Right now we are consulting with the state office ... to find out what we’ve got to do."

© 2013 msnbc.com Reprints

Discuss:

Discussion comments

,

Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments