A Proposed Database of Food Stamp Recipients Isn't Only Cruel, It's a Security Risk

In an effort to curb a problem that happens less than 1 percent of the time, Congress wants to store personal information of millions of Americans in a massive database. This could put some of the most financially vulnerable Americans at risk of privacy breaches, all in the effort to fix a problem that barely exists to begin with.

The House Agriculture Committee passed its version of the 2018 Farm Bill last month, and it’s set to be debated on the House floor in the next few weeks. This year, House Republicans have proposed major reform to the Supplemental Nutrition Assistance Program (SNAP), also known as food stamps.

This includes imposing much stricter work requirements that could cause millions of Americans to lose their benefits. The House Committee’s Farm Bill would also create a nationwide database with the private information of SNAP’s 40 million participants including social security numbers, income, and asset information. The purported logic behind such a database is to catch any food stamps participants who are collecting stamps in more than one state.

“SNAP has one of the lowest error rates of any federal program,” House committee ranking member Collin Peterson (D-Minnesota) said via email. “I support efforts to further strengthen the integrity of the program, but I have a number of unanswered questions regarding this new database. Specifically, I’m concerned about the security of the data gathered.”

Curbing fraud of public programs is obviously a good thing, but the problem this database is designed to solve is extremely rare. We know this because there is already a pilot database for SNAP users in Alabama, Florida, Georgia, Louisiana, and Mississippi designed to track any participants who doubled up, collecting SNAP benefits in more than one state. Using this database, called the National Accuracy Clearinghouse, investigators found fewer than 0.2 percent of food stamp recipients are so-called “dual participants” in those five states, according to a USDA-solicited report on the effectiveness of the NAC from 2015.

"The goal is to prevent duplicate participation across states, but this database goes well beyond what is needed for that purpose," said Stacy Dean, the vice president of food assistance policy for the Center on Budget and Policy Priorities, a left-leaning think tank, in an email. "Congress can protect SNAP’s program integrity without needlessly collecting and storing sensitive information on our country’s most vulnerable.”

SNAP is a vital program that is already strictly controlled and limited to help those below the poverty line not starve, with the average participant receiving just $125.99 per month for food costs. Yet the GOP and President Donald Trump’s administration have been gunning to roll back, tighten up, and slash the program for the last year. The House committee’s proposal is just the latest step towards gutting the program.

“Fraud and abuse of any amount takes food support away from our most vulnerable citizens,” said House Representative Glenn Thompson (R-Pennsylvania) while discussing the Farm Bill on the House floor. “Between 2012 and 2017, there were some 22,000 fraudulent SNAP transactions that totaled some $3.7 million in taxpayer dollars. That’s $3.7 million, that if used appropriately and without fraud, would be able to meet the food insecurity needs of our citizens.”

But most SNAP-related fraud isn’t due to dual participants, which this database would solely address. The biggest source of fraud is food stamp trafficking schemes that take advantage of real SNAP participants looking for extra cash, such as a recently-discovered case in Florida.

Proponents of the database say that they will take every effort to make sure the information is secure and private. A spokesperson for Representative Mike Conaway (R-Texas), chair of the agricultural committee, told me they’ve already reached out to the USDA for technical expertise on keeping data secure.

The problem is that any time you’re digitizing private information, you’re creating a new risk that it could be leaked, stolen, or abused, according to security researcher Troy Hunt, who runs the breach notification service Have I Been Pwned?

“It creates new risks that we didn’t have before,” Hunt told me over the phone. “At the end of the day, the government is full of humans building code just like every other organization and it can have flawed processes.”

Hunt pointed to an incident just last year in his native Australia where health insurance card information was being sold on the dark web thanks to one single vulnerability in the database. He said that policymakers need to weigh the potential benefits with the potential risks when considering keeping this kind of private information on millions of citizens stored in a single place.

Nicholas Weaver, a security researcher from UC Berkeley, agreed.

“I don't see it as any riskier than any of the other gazillion databases from a technical front,” Weaver told me via email. “Rather, it seems more likely to cause damage from a social front by needlessly and cruelly denying benefits due to innocent mistakes such as a transposed digit or forgotten social security number.”

Get six of our favorite Motherboard stories every day by signing up for our newsletter .