
October 18, 2011

Tony Webster
P.O. Box 202263
Bloomington, MN 55420
tony@tonywebster.com

Via E-mail and FedEx Priority Overnight Delivery

Commissioner Mona Dohman
Minnesota Department of Public Safety
444 Cedar Street
Saint Paul, MN 55101
mona.dohman@state.mn.us

E. Joseph Newton, DPCO
DPS Commissioner's Office
445 Minnesota Street, Suite 1000
Saint Paul, MN 55101
joseph.newton@state.mn.us

Marc Klein, Chief Information Security Officer
DPS Office of Technology Services Support
445 Minnesota Street, Suite 140
Saint Paul, MN 55101
marc.klein@state.mn.us

Karen Regan, Responsible Authority Designee
Minnesota Driver and Vehicle Services
445 Minnesota Street, Suite 190
Saint Paul, MN 55101
karen.regan@state.mn.us

Re: Security Vulnerability on DVS Online Crash Report Website
Data Practices Notification of Breach (Minn. Stat. 13.055)
Data Practices Request to Inspect Data (Minn. Stat. 13.03, subd. 3)

Dear Commissioner Dohman, et al:

I'm writing regarding a security vulnerability that exists on the Minnesota Department of Public Safety's Driver and Vehicle Services (DVS) website. This vulnerability is within the DVS Online Crash Report web application, and it allows any member of the public to access the private and protected information of Minnesota drivers involved in vehicle crashes. This data includes the driver's full legal name, residential address, date of birth, gender, vehicle make, model and license plate number, insurance policy number, and more, and the only piece of information necessary to obtain all of this information is an individual's Minnesota Driver's License number.

The DVS Online Services website links to https://dutchelm.dps.state.mn.us/dvsinfo/AccidentRecords/accrecord_citizens_login.asp, which prompts users to enter their Minnesota Driver's License number to

Minnesota Department of Public Safety October 18, 2011 Page 2

create, amend or view vehicle crash reports. If a driver has previously filed a crash report, regardless of how long ago the report was filed, it can be viewed from this web application. I entered my Minnesota Driver's License number and was able to view a vehicle crash report I filed in 2007. That report contained the following information:

1. My full legal name, including middle name;
2. My full residential street address;
3. My vehicle's license plate number, make, model and color;
4. My insurance company name and policy number;
5. My date of birth and gender;
6. The same information relating to the other party involved in the accident;
7. The date, time, location and conditions of the accident;
8. A narrative description of the details of the accident;
9. Accident number.

A Driver's License number is insecure as a method of authentication, and doesn't positively identify the website user as the licensed driver and subject of the data being accessed. Driver's License numbers are frequently on file with service providers or printed on consumer checks. Retailers commonly ask to view Driver's Licenses for identification, and the cards can be lost or stolen. In the context of a vehicle crash, Driver's License numbers are customarily recorded by each party involved in the accident.

The general public, especially victims of identity theft, harassment or domestic violence, should be very concerned about this vulnerability because rarely is so much information available in one place with such a poor method of authentication. The information shown to users of the website amounts to a person's place of residence, personal identifiers, usual method of transportation, insurance information and more. With the information disclosed on the DVS website, an individual would have enough information to use the DVS's other online tools to change the registered address of a vehicle or look up a vehicle's title number.

In addition to the DVS website unnecessarily divulging all of this private and personal information, it would be simple to falsely amend another driver's previously filed crash report or falsify an entire new crash report, all with no verification that I am the person identified in the report.

The combination of Driver's License numbers being permanent, the legal requirement that individuals involved in a crash file a vehicle crash report, and the fact that there's no way to individually conceal a driver's information from the online system are a scary combination.

Besides being a clear violation of the public's trust, the information disclosed by the DVS website is legally classified as private, protected or confidential under applicable state and federal law:

1. Vehicle crash reports are confidential: "...accident reports and data contained in the reports are not discoverable under any provision of law..." Further, "...disclosing any information contained in any accident report ... is a misdemeanor." (Minn. Stat. 169.09, subd. 13, et seq.)
2. The intent of accident reports are "...to provide statistical data on traffic accidents. [Accident reports] cannot be used against [drivers] as evidence in any civil or criminal matter and [the driver's] version of how the accident happened is confidential." (Minnesota Motor Vehicle Accident Form, paper version)
3. The agency "...shall not knowingly disclose or otherwise make available to any person or entity ... personal information ..." of an individual's name and address in connection with a motor vehicle record (18 U.S.C. 2721(a)(1); 18 U.S.C. 2725(1) (5); Minn. Stat. 168.346, subd. 1).
4. The DVS paper Crash Record Request form requires driver's name, date of birth, Driver's License number, license plate number and crash details in order to process the request. Additionally, the form states, "Requests will not be processed without a signature from the authorized requestor ... [c]rash information may only be disclosed to authorized requestors." Additionally, DVS authorization forms require a notarized signature.

If the Department of Public Safety were to disclose this confidential information to someone other than the data subject (the driver), it would be in violation of the Minnesota Government Data Practices Act (Minnesota Statutes, Chapter 13), and subject to civil remedies including damages, costs and attorney fees, an injunction, or action to compel compliance.

To that end, it is technically impossible for the Department of Public Safety to confirm with absolute certainty that every individual website access was made by authorized individuals accessing their own records. Even if the agency maintained the best server logs of each and every website access, it would have no way to authenticate accesses as being from the actual driver and data subject. As such, it should be assumed that all current and previous licensed drivers in Minnesota who have a vehicle crash report available for viewing on the DVS website have had their data breached and subjected to "unauthorized acquisition" by an "unauthorized person," as those terms are defined pursuant to Minn. Stat. 13.055, subd. 1(c) 1(d).

Because the Department of Public Safety made possible and practicable a "breach of the security of the data," as that phrase is defined pursuant to Minn. Stat. 13.055, subd. 1(a), and realized through the dissemination of private or confidential data on individuals, it must notify any and all individuals who are the subject of breached data that was, or is reasonably believed to have been acquired by an unauthorized person.

Given those facts, the Minnesota Department of Public Safety must disclose the breach "...in the most expedient time possible and without unreasonable delay..." via methods described in Minn. Stat. 13.055, subd. 4: written notice by first class mail. Additionally, it would be prudent for the Minnesota Department of Public Safety to make a conspicuous posting of the notice on the agency's website and make notification to major media outlets. The agency may also be required to coordinate with consumer reporting agencies for identity theft prevention purposes.

Clearly, the DVS Online Crash Report web application should be disabled immediately and not made public again until reasonable precautions have been taken to ensure that only authorized individuals can access private and protected data. Additionally, the amount of data revealed by piecing together bits of information from the variety of online tools that the DVS offers leaves much to be desired in terms of information security. I strongly urge the Department of Public Safety to do a full and complete audit and security assessment of their information security.

An additional concern is that the DVS Online Crash Report application fails to provide a Tennessen warning that informs the user of their rights pursuant to Minn. Stat. 13.04, subd. 2: "An individual asked to supply private or confidential data concerning the individual shall be informed of: (a) the purpose and intended use of the requested data within the collecting government entity; (b) whether the individual may refuse or is legally required to supply the requested data; (c) any known consequence arising from supplying or refusing to supply private or confidential data; and (d) the identity of other persons or entities authorized by state or federal law to receive the data."

Responsible Disclosure: This is a responsible disclosure of an information systems vulnerability. I will not disclose the vulnerability to the media or in public until the DVS Online Crash Report web application has been disabled or improved, or until five days have passed, whichever is soonest, unless I receive communication from your agency indicating that you require additional time.

Demand for Compliance: As a licensed driver in the State of Minnesota, this is a demand for compliance with the Minnesota Government Data Practices Act and the federal Driver's Privacy Protection Act. I reserve all legal rights and remedies regarding the same.

Data Practices Request: This communication is also a request to inspect public data pursuant to the Minnesota Government Data Practices Act (Minn. Stat. 13.03, et seq.) One or more of these requests may be a request from a data subject, requiring your immediate response. I request to inspect the following government data:

1. Any and all documentation, correspondence, memorandums, letters, e-mails, voicemails, records, contracts, invoices, or other data relating to the DVS and Minnesota Department of Public Safety's most recent "...comprehensive security assessment of any personal information maintained by the government entity..." pursuant to Minn. Stat. 13.055, subd. 6.
2. Summary data of how many current and former licensed Minnesota drivers have a vehicle crash report filed or drafted within the DVS Online Crash Report web application[1].
3. Summary data of how many current licensed Minnesota drivers have elected to request that their name and/or residential address be classified as private data on individuals pursuant to Minn. Stat. 168.346, subd. 3.
4. Summary data of how many individuals are simultaneously responsive to Request #3 AND Request #2, that is, how many private data crash reports are in the web application.

[1] Electronic access data is classified as private data on individuals or nonpublic data pursuant to Minn. Stat. 13.15, subd. 2. However, this is a request for summary data (Minn. Stat. 13.02, subd. 19) that does not identify individual records or identities. Per Minnesota Department of Administration Advisory Opinion 01-053, "When a person makes a request for summary data ... the entity is required to provide the data minus all the data elements that could link the data to a specific individual."

5. Summary data of how many unique Driver's Licenses have been entered on the DVS Online Crash Report application since inception, separated by month.
6. Any and all documentation, correspondence, memorandums, letters, e-mails, voicemails, records, contracts, invoices, or other government data relating to the creation or maintenance of the DVS Online Crash Report application.
7. Any and all correspondence, submitted feedback forms, e-mails, voicemails or other correspondence from individuals relating to the DVS Online Crash Report application.
8. A standing request for all newly created or communicated data that would have been responsive to any of the prior requests, for the next 60 days.
9. A standing request for all e-mails, memorandums, letters, voicemails, or other communications sent to, sent from, copied or forwarded to, any employee of your agency regarding me or this matter, for the next 60 days.

If I am denied access to inspect data according to my request, I request that you cite in writing the specific statutory section, temporary classification or specific provision of federal law in which the determination is based (Minn. Stat. 13.03, subd. 3(f)).

If you have any questions or if I can be of any assistance as you address this matter, please don't hesitate to e-mail me at tony@tonywebster.com or call me at 612-234-5698.

Warm regards,

Tony Webster

Attachments

cc: Carolyn Parnell, Minnesota Chief Information Officer
Chris Buse, Minnesota Chief Information Security Officer
Lori Swanson, Minnesota Attorney General
