Dangers of unfettered access to personally identifiable information

In July, U.S. District Court Judge Esther Salas and her family were attacked in the comfort of their own home. The attack left her 20-year-old son dead and her husband, also an attorney, critically injured.

In a recently released video, Salas blamed the attack on the free flow of information from the internet, which she says allowed a sick individual to target her and her family. She also stated that internet companies sell information, enabling criminals to target individuals. According to Salas, the man behind the attack had a “complete dossier” containing information about her and her family, which he used to track her down and carry out the attack. 

In echoing Salas’s view, we need to identify a solution to keep the private information of federal judges private. 

Judge Salas isn’t alone. In Portland, Ore., during the anti-police protests, over 38 federal law enforcement officers were doxxed, which generally means when personally identifiable information (PII) — like phone numbers and addresses — is leaked online. In addition to doxxing, online crimes related to swatting, in which individuals prank call police and send them to an unsuspecting address, and sextortion, in which graphic photos are used to extort things from an individual — who are most often young girls — have become increasingly common. 

This victimization of individuals’ PII has affected judges, federal law enforcement officers, politicians, celebrities and even those in the media. In reality, these databases endanger everyone’s private information and, as Judge Salas pointed out, that free flow and accessibility of private information is dangerous, damaging and could lead to destruction — even death.

According to the FBI, the Internet Crime Complaint Center (IC3) received over 400,000 complaints in 2019, which their report stated is, “an average of nearly 1,300 every day — and recorded more than $3.5 billion in losses to individual and business victims. The most frequently reported complaints were phishing and similar ploys, non-payment/non-delivery scams, and extortion.”

Trafficking in PII, both commercially and criminally, has risen. Anyone can buy a “fullz,” which is a kit containing a person’s full name, birth date, Social Security number, address, phone number, driver’s license number and mother’s maiden name for around $40.00. For an extra $10 to $25, commercial sellers will add an individual’s credit card data, bank account data, bank security questions and answers, employer, or other critical information. That’s all the information needed to destroy lives.

PII merchants have even gone so far as to provide instructions on how to use such information to commit fraud. 

Yet, as Salas alluded to, the federal tools to stop this dangerous threat are severely lacking. Currently, the capture, dissemination, or use of PII information is only punishable under one of two federal statutes. The Interstate Communications Statute or the Interstate Stalking Statute. The problem is the Interstate Communications Statute only criminalizes explicit threats and the Interstate Stalking Statute only protects from clear online harassment. 

To illustrate, over 3 million people are stalked over the internet each year, the statute isn’t always applicable in cyberstalking cases. This leaves states to fill the gap on thwarting cyber threats, but they often don’t have the resources to prosecute these types of crimes.  

When given the chance to act though, Congress has been lackluster. According to a Congressional Research Service (CRS) report in 2014, which performed a comprehensive review of federal cyber statutes, up until that point, in the previous three Congresses, more than 40 bills addressing cyber crimes were introduced into each in the 113th and 112th Congresses, and more than 60 in the 111th. Of all those bills, only two related to cyber crimes were passed into law, the Cybersecurity Act of 2013 and Data Security Act of 2014. In the report, CRS made several recommendations for reforms to various federal statutes most of which have not occurred.  

In early 2019, members of Congress began to draft agreements on addressing privacy protections and PII, which included a Consumer Data Protection Act and Data Care Act. California also moved to strengthen privacy measures; two years ago it passed the California Consumer Privacy Act of 2018. CCPA gives consumers more control over the personal information that businesses collect about them. 

Regardless of states’ actions on this front, the federal government and Congress have the broader jurisdiction and greater ability to impact PII protections. As Judge Salas pointed out, not doing so will only continue to endanger all Americans.

Donald J. Mihalek is a retired senior Secret Service Regional Training, tactics and firearms instructor. He also serves as the executive director of the Federal Law Enforcement Officers Association.