One of the biggest issues we face as a society comes from the mismanagement of private data, but not in the way that you think. Rather than the problems created by social media or government spying, the fastest-growing problem is that our legal system has become unable to sufficiently safeguard and manage our information. We are, in many cases, still thinking in nineteenth century legal terms when dealing with twenty-first century data management problems.

One example of the biggest byproducts of this outmoded legal system is an increased risk of property tax fraud. It turns out that anyone who knows even a small bit about the assessor’s office has everything they need to run a property tax scam, and our local governments are who they can thank for this. All it takes is an internet connection, a little bit of patience, and our own government’s complete disregard for the protection of people’s financial data.

Here’s how it works: a large number of state and local governments utilize geographic information systems (GIS) technology to be able to utilize the same “big data” analysis tools that businesses have been doing for years. This is actually quite handy, as it allows city planners to design roads to avoid congestion or figure out where to place fire departments to better serve our needs. But alongside that good, there are some definite dangers. Our current legal system requires that all property assessments be a matter of public record: anyone with a fiscal interest in a property can have access to the data. This makes sense: if you are someone looking to purchase a property, finance a loan, or offer insurance on that property it helps to have a quick option for determining who actually owns it, whether any liens are on it, etc.

The problem is that, when the laws authorizing this information access were written, assessments were handwritten documents complied in books two feet thick and held in the county assessor’s office. Gaining access meant going down to the office, signing in, and physically going through the books. Now, however, property assessments have gone digital. Most major counties or states include the assessments as part of their GIS efforts. Since the data is consolidated there already, those same government entities use the GIS database to grant access rather than insisting people come down to the assessor’s office. The laws governing this, however, are still firmly mired in the nineteenth century and have never been updated.

So now, potential criminals can access the property assessment information of most property owners in the nation without leaving any sort of record that he or she did in the past. Now, all a potential criminal has to do is access the county or state GIS database, and all that information is available for the taking.

Here’s why you should care: this form of access gives criminals 90% of the information they need to commit widespread fraud. But I’m not going to ask you to believe me without proof. I am, instead, going to show you the steps someone might take to do it.

The first step actually involves private industry. The real estate industry, specifically. There are a number of website that real estate agencies use to be able to assess what opportunities there are out there for them to make a sale. One such tool would be Zillow. Zillow is a GIS database specifically for providing realtime data on the housing market.
 
unnamed
 
When you look at this screen cap I have taken, you will notice three different colors of dots. The red dots are houses for sale. The purple are apartments for rent. The blue ones… Well, these are our get rich quick scam targets. The blue dots are houses that are going through foreclosure proceedings. I can click on any of those blue dots to turn it green and get detailed information on the property, complete with photos, floorplans, foreclosure cost estimates, dates and stages of process, etc.
 
Zillow-screen-2
 
From there, I can move on to the next step. This is where I access the GIS data being stored by the county. Using the address and map I am able to locate the Parcel ID# used by the county for its property and tax records.
 
County Parcel screen
 
I then plug this number into the county assessor’s GIS database and get back the following information:
 
Assessor-Screen
 
Clicking through the tabs, I can learn the name of the property owner whose home is under foreclosure. I can also learn that the bank is selling the property for $13,000 less than what the county has valued the property. The homeowner currently owes $549.24 of his 2014 property taxes, but he has not yet been declared past due by the county. I know his tax district, school district, floor plan, property size, recorded plat survey system designation…

A quick search for his phone number using the White Pages, and I’m ready to go. I make the following phone call:

“Hello, Mr. [redacted]. My name is James and I’m with the National Debt Forgiveness Council. We’re a non-profit organization that was established to help property owners facing foreclosure in light of the housing bubble bursting in 2007.

The reason I am calling is that [redacted] County is a participant in our program and has referred your case to us. The purpose of this call is to establish whether or not you would be eligible for our debt forgiveness program. To begin with, I need to verify some of the information the county provided us.”

I then proceed to give the home owner the information I’ve managed to glean from the county’s GIS website, asking if it is correct. While many people will probably refuse to participate and/or suspect it is a scam, enough desperate people will want that lifeline that, when given what they think is protected data, they will take that as proof that this is legitimate. Once I have that trust I can ask for banking information “in order to assess your ability to resume payments once the past due amount has been forgiven”, or convince them to wire a reduced settlement amount to settle the debt, or even require an assessment and evaluation fee.

If I’ve covered my tracks in terms of how I am accessing the information on the GIS sites and how I am contacting the victims (this part I am NOT going to cover, as I’d like to see anyone who actually tries this get arrested), it could net me a large chunk of cash and a ticket out of the country before I became a suspect.

Why have I broken this down so clearly? This situation is one in which we need to actually ask our government to act (when normally we need to tell them to stop acting.) While legislators are busy arguing that NSA back doors into our computers, e-mail, and phone traffic could never, ever be accessed by anyone else or abused (We Promise!), our political leaders aren’t updating laws to handle threats like the one I have just detailed. But this sort of fraud is a growing problem.

We need to contact our elected representatives–essentially, our employees–and remind them to focus on real threats that demand a 21st century legal structure regarding government held data, such as that covering our property tax information. With Obamacare, we need to make sure that the government is held accountable to the same electronic HIPAA compliance standards that it holds our health care providers to. We don’t need back doors for hackers to access, we need a 21st century government with 21st century privacy protection laws.

Exploitable data problems like this one need to become obsolete.