AZ Corporation Commission's Completely Inadequate Response to My Critique on their Site Security

A while back I wrote about my concerns about the total absence of any security at all in the Arizona corporate annual reporting system

I started the annual reporting process by just typing in the name of my company and getting started.  There was no password protection, no identity check.  They had no way of knowing I had anything to do with this corporation and yet I was answering questions like "have you been convicted for fraud."  The potential for mischief is enormous.  One would have to get the timing right (an annual report must be due before one can get in) but one could easily open the site on January 1 and start entering false information in the registrations for such corporations as Exxon and Wal-Mart.

See for yourself.  .

I showed how one could open and file the report for a company like Wal-Mart, changing all their officers names, and confessing to all sorts of imagined corporate crimes

Again, note what I am saying.  This is not the result of hacking.  This is not lax security I figured out how to evade.  This is the result of no security whatsoever.  I simply went to the link above, clicked on the Wal-Mart Associates link, and then clicked on the annual report link.  I know from doing my own registration that there is a signature page at the end, but all you do is type in the name of an officer and a title -- data that is right there on the site.  It's like asking you for a password after the site just listed all the valid passwords.

The head of the Arizona Corporation Commission wrote me back. Here is here email in its entirety:

Dear Mr. Meyer:

Thank you for your email regarding the Corporations Division.  The Arizona Corporation Commission is the repository for all business formation documents for corporations and limited liability corporations.  We are in full compliance with state statutes.

Submitting false documents to alter another’s corporate structure or status is a crime and carries a Class 4 or Class 5 penalty.  The Commission or the aggrieved business entity may refer the false filing to the Attorney General’s office for prosecution.  Additionally, the individual business entity may pursue a civil cause of action.  The Commission only accepts on-line charges for a few services such as name reservation or to order a certificate of good standing, and the online payment process is completely secure.

Even though the Commission’s existing security measures comply with the state law and are similar to most other states and other Arizona governmental entities like the County Treasurer’s Office, the Commission is looking at implementing new technology to allow for the online submission of additional services – such as the filing of original Articles of Organization and Articles of Incorporation.  We do intend to provide password protected security features when that new technology is offered to the public.

J. Jerich

Executive Director

Arizona Corporation Commission

I had no doubt that submitting a false annual report for Wal-Mart would be illegal.  Duh.  However, it is just incredibly naive that this is the sole extent of the Commission's security, to prosecute people once the damage is done.  Can you imagine if Amazon had the same security policy - "we are getting rid of passwords because it would be illegal for you to buy something from someone else's account."  I wonder if the commissioners leave their doors unlocked at night, trusting in the threat of future prosecution to deter burglary and mayhem in their homes?

28 Comments

  1. eddie:

    In all fairness, the threat of future prosecution is exactly what deters burglary. That, and the basic law-abiding nature of the majority of people. The locks on your doors don't even slow a burglar down, let alone deter them.

  2. xtmar:

    Erm, when I grew up, we always left the door unlocked for both the house and the cars, even when nobody was home. We would only bother locking up if we went away for vacation, but I guess we had better neighbors...

  3. mahtso:

    I don't see a problem -- no one forces anyone to take advantage of the benefits of LLCs/Corps etc. If the risk is too great don't form one.

  4. W.C. Taqiyya:

    I don't see a problem either. After all, you are a businessman and operate a business. Anything bad happens, it's OK. Remember, business is evil, profit is evil and you are probably just trying to get away with something. You are lucky they give you a place to register. In the ideal world, you would be sanitized.

  5. Matthew Slyfield:

    I have replaced all the exterior doors on my house with foam core steel doors. That plus deadbolts should slow them down a little.

  6. herdgadfly:

    Locks have always been around for the purpose of keeping honest people honest. In this day and age, however, identity theft and subsequent electronic theft from bank accounts, as we have witnessed by failure of American retailers to convert their credit cards to the more secure formats such as 3D Secure logos is a far bigger problem then that of the Arizona Secretary of State. After new security is added to cards carried, added security has to be imposed for online transactions and that may require use of intermediate services like PayPal or Google Wallet in order to shut down the vulnerability of our exposed credit card numbers when hackers steal as was the case at Target.

  7. jon:

    Stefan Molyneux points this out quite a bit. Businesses looked for the most economical solution to theft, fraud, etc, since they don't want to spend a ton of money so they focus on prevention. So they put up passwords, etc. Government, on the other hand, doesn't spend its own money so doesn't have this incentive, its incentive is more in line with keeping the bureaucrats happy (to move up the food chain) and to follow whatever rules are most convenient to follow (knowing that it is unlikely they are to be prosecuted, unless they are low on the totem pole).

  8. mesaeconoguy:

    The Commission or the aggrieved business entity may
    refer the false filing to the Attorney General’s office for prosecution.
    Additionally, the individual business entity may pursue a civil cause of
    action.

    Here is the problem – the ACC has no incentive to increase their security, because they are indemnified from any wrongdoing on their site, because

    the Commission’s existing security measures comply
    with the state law and are similar to most other states and other Arizona
    governmental entities like the County Treasurer’s Office
    […]

    Everybody else is doing it, and they’re in compliance, so they don’t need to change.

    They are “looking into that” now, but that timetable is likely geological time scale.

  9. mahtso:

    I don't see that logic applying here. What I see is that the Az Corp Comm would be required to raise its fees to add security that is apparently not required. I'll let the techno savvy among you tell me how much that would cost. And perhaps it says more about me than anyone else, but I believe people will be griping when the rates do go up.

  10. ErikTheRed:

    Yeah, the locks on most residences (and businesses) aren't much better than the privacy locks on a bathroom. More challenging locks (like the Mul-T-Lock MT5+) aren't stupidly expensive. Most homes can be outfitted for between a couple of hundred and a thousand dollars. Of course, you still need good doors & windows...

  11. Jim:

    Ex post deterrence won't work if it is about impossible to prosecute anyone hiding their identity, eg through a VPN. But heck if it works, if nobody or almost nobody goes rogue what the hey.

  12. Fred_Z:

    Nobody forces anyone to accept welfare. So why is their database not open to the public?

  13. irandom419:

    A story awhile back where someone showed a bank that they neglected to secure their website, so they had the FBI arrest him.

  14. mahtso:

    I've got to admit, I don't see the relationship.

  15. Old Dude:

    Force is a complex word.

    Many (most ?) public and many private businesses, here in CA, will not do business with a Sole Proprietorship or Partnership. This is to protect themselves from lawsuits by contracted service providers who later claim to be employees. Courts settlements have made contracting with individuals very risky and so Public Agencies and Private Businesses just avoid it.

    In many situations you can't enter the facility (to bid on work) unless you can show that you are the employee of a corporation and are covered under Worker's Compensation. This too is the result of complex case law.

    The situation is the same for much of the software industry. They won't hire Independent Contractors. You have to be employed by an LLC/Corps (even if you are the only employee).

    I have also heard that renting commercial or retail space is difficult as a Sole Proprietor.

    So I while I agree that no one is forced to become an LLC/Corp it gets harder every year to find customers willing to engage the services of non-corps.

  16. Orion Henderson:

    My state does it exactly the same way. Ridiculous.

  17. Old Dude:

    I see this much like the Voter Fraud issue. Our elected officials say there is essentially no voter fraud and so no need to check IDs. Then when we see documentation showing dead people, non-citizens, or people voting multiple times we are told that those people will be prosecuted. Then we learn they were not prosecuted because we can't identify them since they did not have to show ID to vote. Problem solved, Loop closed - repeat.

    It seems the only way to be charged with vote fraud is to make a video showing how easy it is to commit vote fraud.

  18. FelineCannonball:

    Perhaps once the corporate lawyer/small business owner/LLC demonstrates that they have filled the annual registration requirement no one cares and the data is not used by any one in any serious way.

    I suspect the part they care about is paying the fee.

  19. Gdn:

    What those basic locks do is to raise the bar of effort from idle curiosity to intent. They also show that it wasn't an accident that you intruded.

  20. Earl Wertheimer:

    Unfortunately, in Montreal, if the police find your car door unlocked, you will get a ticket!
    Instead of finding and jailing the crooks, it's easier to check for unlocked car doors.

  21. Matthew Slyfield:

    None is as blind as he who will not see.

  22. marque2:

    Not hard to walk in the back yard and bust a window.

  23. marque2:

    Small mom and pop internet mail order companies have password protection on their accounts. They have plenty of commercial off the shelf solutions, if the web page was constructed right. Sure charge an extra dollar per year beyond the exorbitant fees they already charge.

  24. marque2:

    Nevada is password protected. California works by snail mail. I don't know if it is necessarily true that they comply with similar measures done by other states.

  25. marque2:

    VPN? How about just hanging out in the library?

  26. mahtso:

    "None is as blind as he who will not see."
    I think that this is true because a vest has no sleeves.

  27. rst1317:

    If they aren't taking the time to authenticate the identity of someone wanting to file one of those online forms, it's unlikely they've taken the time to put in place the tools, audit trails and such they'd need to be able to figure out who committed the crime.

  28. sjutte350:

    Windows are still made of glass, which can be broken with very little effort. The idea that you can make your house un-enterable with even the best locks money can buy is kind of naive.