Tony Webster alleges security flaw in Minnesota DVS
Last week the Minnesota Department of Public Safety disabled a database following an allegation that a security flaw left private information of Minnesota drivers "vulnerable" to public access.
Tony Webster, a web developer and online security researcher from Minneapolis, filed a complaint after discovering he only needed a driver's license number to unlock a wealth of data from a state crash report website, including a driver's insurance policy information, license plate number, home address, and other details related to past car accidents.
Webster says it would be easy for the wrong person to access this information, and he believes some of it violates state data privacy laws.
"If you're a victim of harassment, identity theft, domestic abuse, any of this information could be easily abused," says Webster. "And those are the people most likely to have your driver's license number."
Webster stumbled onto the alleged security flaw by accident. Last week, he was searching for an address on the Minnesota Driver and Vehicle Services website when he saw a link for digital crash reports.
Webster decided to look up his own crash history out of curiosity. This is what came up (personal information redacted):
Screen shot courtesy Tony Webster.
"The only thing that I had to type in was my driver's license number and it kicked back
my full legal name, residential address, my car information, insurance information, crash
information," he says. "And I thought, that's a lot of information to give out based on a driver's license number."
Webster sent an email to the commissioner of the Department of Public Safety last Tuesday alleging that the database violates Minnesota data practice laws. Though a driver's license number isn't public, Webster argues it's easy to obtain, and a weak method of security on its own.
He further detailed his argument in a blog post:
The general public -- especially victims of identity theft, harassment or domestic violence -- should be very concerned about this vulnerability because rarely has so much information been made available in one place with such a poor method of verification of one's identity...
Driver's License numbers are frequently on file with service providers or printed on consumer checks. Retailers commonly ask to view Driver's Licenses for identification, and the physical cards can lost or stolen. In the context of a vehicle crash, Driver's License numbers are customarily recorded by each party involved in the accident. And you can't change them.
In the letter, Webster asks the state to notify Minnesota drivers whose information has been accessed on the database, warning that their privacy could have been breached.
Three hours after sending the email, Webster says the database was shut down.
Doug Neville, spokesman for the Department of Public Safety, confirms they shut the site down in response to Webster's letter, but won't say they found anything wrong with the database.
"The crash site is down now," says Neville. "We really didn't find any vulnerability. We did take it down out of prudence and due diligence."
Without admitting there was a security flaw, the Dept. of Public Safety disabled the website in question.
Most of the information accessed on the crash database is already available to the public and could be found in a police report, says Neville, such as a driver's name, address, phone number, and a short narrative of a car accident.
But Neville says they are still trying to determine whether a driver's insurance policy information and license plate number are private under state law.
"That may not be public," he says. "That said, if two parties are involved in a crash, they're going to exchange that information anyway."
Friday afternoon, Webster received a response letter from E. Joseph Newton, general counsel for the Department of Public Safety, explaining they will not be sending out breach notifications to Minnesota drivers.
Because there is no evidence to suggest that anyone's private information was breached, Newton says they're not obligated to notify anyone.
Newton ends his letter by saying that the website will remain disabled: "Despite no wrongdoing, the Department has decided to forgo the electronic system and require inperson requests."
Webster quickly responded to the letter with another blog post disputing Newton's argument, and linking to an opinion from the Minnesota Department of Administration he believes supports his argument.
"It's a different context and a different query," says Webster. "It's private within this context because it's in a crash report."
But given that the database is disabled, Webster is still chalking it up as a victory.
"I'm calling this one a win," he writes on his blog. "I found a vulnerability that divulged people's personal information, and the state fixed it. They won't admit fault, but they fixed it."
Here, for full reading, are Webster's letter of complaint to the Department of Public Safety, followed by the Department's written response.
Get the This Week's Top Stories Newsletter
Every week we collect the latest news, music and arts stories — along with film and food reviews and the best things to do this week — so that you’ll never miss City Pages' biggest stories.