Imagine living in a country where it was necessary to register with your community government by providing a copy of one of the following:

1. Driver’s License
2. Birth Certificate
3. Passport
4. Immigration Card
5. Military identification
6. Any other state, local, national, or international official documents containing a birth date of comparable reliability

This may be necessary in perhaps a large number of nations. However, as a United States citizen and resident, I was quite surprised when my local community issued the request. I investigated and found much to my dismay, that my community in fact was required by regulation to survey its residents on a biennial basis.

Regulation

HUD 24 CFR Part 100, §100.307 Verification of occupancy, contains the above list of “reliable documents” but lists as well:

(7) A certification in a lease, application, affidavit, or other document signed by any member of the household age 18 or older asserting that at least one person in the unit is 55 years of age or older.

Being of advanced age, I was puzzled. Why would my community request one of a number of breeder documents when a “note from my mother” was sufficient? I went back to the form and realized that item six in the community-supplied list did contain language that permitted me to supply a signed certification. I hadn’t read beyond “any other state, local, national, or official document containing a birth date”.

I admittedly took poetic license by omitting the full text of item six to reflect my understanding when first attempting to comply with the request. Item six actually reads as follows:

(6) Any other state, local, national, or international official documents containing a birth date of comparable reliability or a Certification signed by any member of the household age 18 or older, asserting that at least one person in the unit is 55 years of age or older.

Having determined that I need not supply a breeder document to my Home Owners Association, I filled out the form, providing the bare minimum of information, and wrote a certification on the reverse complying with the HUD rule. Dropping off my form, I was pleasantly informed that I hadn’t supplied a government document. I replied that the certification I had written was sufficient.

Reflecting back on the experience, even in my addled state, I realized that I was perhaps not alone in realizing that a simple statement would suffice to meet the HUD requirement. Others in my community, and throughout the US, might blindly comply with the request to provide any one of a number of breeder documents to their Association.

So I wrote to my Board suggesting that we might want to modify our form to plainly state that a signed certification of age was sufficient. Better yet, write the statement on the form itself with a signature line. I also suggested we might want to establish a policy and culture of minimal collection of Personally Identifiable Information (PII).

My Board Secretary and President helpfully informed me that this was an Association Management issue and that our General Manager would address it. The General Manager dutifully responded assuring me that “all documents collected are ... secured on servers” and that the “risk of not doing so may jeopardize the Association in other ways that may have far greater risk and consequences”.

That made me feel better.

Of course I did pause to consider how the risk assessment was done, balancing the need to comply with a regulation against the potential of data breach, identity theft, fraud, fraudulent account creation, account takeover, creation of false passports, and the like. My calculus must be rather different than that used by First Services Residential, the management firm that services my Association.

The risk to individuals presented by storing copies of breeder documents “on servers” is well-known and substantial, as is the risk to the entity maintaining the data. Data breaches, even among “the best” are all-too-frequent. In states like California, breaches require notification and payment for identity protection services and may require forensic evidence to limit notification requirements and payments to only those whose data was exfiltrated. The real costs can be significant and the perception costs even higher.

... and the elderly are frequent targets of and high susceptible to fraud.

Institutional inertia is a powerful force and overcoming it can require Sisyphean effort. In this case, the institutions are the US Government and those that attempt to comply with its myriad rules and regulations. The HUD rule with the “list of seven” became final in 1999, well before data breaches were a serious concern. Hopefully if the regulation were written today, its language would be quite different and might even include an admonition against storing copies of breeder documents (if still listed),

Reason

Looking at the regulation, one wonders why it is necessary to repeatedly collect age information. Is HUD concerned that some of us might be getting younger and consequently no longer qualify as “over 55”? Could the goals of the survey and data collection be achieved through some other mechanism? Perhaps simple affidavits with a statistical sampling, either periodically or in case of question would suffice.

No doubt other mechanisms exist to achieve the goal, whatever it might be. Equally certain should be a recognition that minimal data collection by (quasi) governmental entities must be the norm. Requesting and obtaining copies of breeder documents is to my mind a questionable practice. Storing them “on servers”, if not air-gapped, makes them accessible to malevolent actors; criminal, terrorist, or governmental.

We can, and must do better. Governments need to review regulations and strike rules requiring excessive information. Businesses must be encouraged to adopt polices and cultures that reduce collection of PII.

Security can enhance privacy, but only so much. Breaches are inevitable. Data will be exfiltrated. But if the data has little value, it becomes of little interest. Minimizing data collection will require institutional change. Effecting that change will require substantial effort. As Security and Privacy experts, we should encourage this change and enlist others in our efforts.

”Think Globally, Act Locally”.