April 26, 2008

University of Miami: Good for the body, bad for the soul?

(Posted by adam)
The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes.

The other 2.1 million people, apparently, should be reassured that their personal medical data was stolen, but the University feels it would be hard to read, and, well, there's no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.

There's some analysis of how hard it would be to read the tapes. I'm skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?

The Breach Blog feels differently. In "University of Miami reports stolen tapes affecting patients," he digs into the likelihood of the data being accessed.

Now, the University claims that the tapes are in a "complex and proprietary format," which seems to be "Tivoli Storage Management" from IBM. Now, Tivoli Storage Manager has encryption capabilities (page 3 of this PDF). I'm curious why that wasn't in use.

Also, looking around, I found this quote at an IBM partner site:

Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.

Until I hear more, I'm skeptical of the University's claims. I don't believe, and I have not believed for a long time, that breach notices are about identity theft. They're about the performance of a promise to protect information.

(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)

Posted by adam on April 26, 2008 at 3:51 PM in Choicepoint, breach analysis.

August 12, 2007

ChoicePoint's data quality

(Posted by adam)
In a comment, Tom Lyons asked:

I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provided to prospective employers. I am seeking persons who have similar experiences to determine a "pattern and practice" on the part of Choice Point.

I don't know Mr. Lyons, but I can't imagine anyone would object to "more informed, more timely decisions that positively impact society." Feel free to get in touch with him.

Posted by adam on August 12, 2007 at 3:04 PM in Choicepoint.

March 7, 2007

Choicepoint's Error Rate

(Posted by adam)
Choicepoint regularly claims a very low rate of errors in their reports. In the Consumer Affairs story, "Choicepoint gets a Makeover," Choicepoint President Doug "Curling claims his company has a less than 1/10th of 1 percent error rate."

Now WATE in Knoxville, TN, reports that "Anderson Co. man finds credit report error:"

At his insurance company's request, ChoicePoint gathered the sum total of Ray's credit, what he owes for his car, his house, credit cards and other purchases. "It says my grand total of indebtedness is $426,000. That's about five times what I currently owe," Ray says.

Some debts Ray paid off showed as though they hadn't been paid at all. "This was a boat loan" for $50,000, Ray says. "I paid it off over a year ago."

He also says he went online to ChoicePoint, filed a dispute and spoke with company officials. "My data had not been updated. It was incorrect. My employer was incorrect," Ray says.

...

ChoicePoint disputes that any errors were made.

See also my May 2005 posting, "Choicepoint Analyses:"

Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the "garbage in, garbage out" problem, has been defined away.

And finally, don't forget Deborah Pierce's work in "Data Aggregators: A Study of Data Quality and Responsiveness:"

100% of the reports given out by ChoicePoint had at least one error in them.

The deep trouble here is not that Choicepoint reports are inaccurate (although that seems to be a problem based on impartial reports). The trouble is the accountability disconnect between data collection, aggregation, and use. No one takes responsibility for the decisions that are made based on bad data.

[Update: Just after posting this, I came across "Where’s Waldo? Spotting the Terrorist using Data Broker Information:"

In its coverage of the issue, the Ottawa Citizen reported that since September 2001, the RCMP has been buying and retaining this kind of personal information from data brokers, and in some instances may have forwarded that information to U.S. law enforcement.

Good thing Ray's inaccurate data was "only" used to deny him credit.]

[Update 2: Choicepoint's Chuck Jones disagrees; please see comments.]

Posted by adam on March 7, 2007 at 12:43 PM in Choicepoint.

March 5, 2007

"Free the Grapes" Externalizes Risk

(Posted by adam)
Or so "Shipcompliant" would have us believe, with a blog post entitled "Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices."

The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s drivers license or by using an approved online age verification vendor such as ChoicePoint or IDology.

So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:

Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.

So there's no reason to add this step. The very next step ensures that wine won't get into the hands of our corruptible youth.

This is two steps backwards: We're creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that's already covered.

Free the grapes? How about free the people from this nonsense?

Photo: "A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)" by mharrsch.

Posted by adam on March 5, 2007 at 11:57 AM in Choicepoint, Economics, ID Management.

January 9, 2007

Choicepoint reports $50M more expenses, some due to breach

(Posted by adam)
The Atlanta Business Chronicle reports that "ChoicePoint tumbles to third-quarter loss:"

ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005.

Choicepoint's losses are a severe outlier. As I said in March, 2005, "Why Choicepoint Resonates:"

It's now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I'd like to think back, and ask, why does this story have legs? Why are reporters still covering it?

There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers.

I still think my analysis is decent, and that any serious statistical analysis of breach costs must show "without Choicepoint" numbers.

[Update: Clarified title, which attributed all expenses to the breach.]

Posted by adam on January 9, 2007 at 12:07 PM in Choicepoint, breach analysis.

December 20, 2006

Fines, Settlements in Privacy Invasions

(Posted by adam)
Topping the list, Vodafone has been fined $100M (€76M) for failing to protect 106 mobile accounts. "Greek Scandal Sees Vodafone fined" at the BBC, via Flying Penguin.

On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. ("Driver Data Lawsuits Settlement Proposed.")

Pop quiz: Which do you think will influence behavior more?

Photo: Peeping Dog, by ErinV.

Posted by adam on December 20, 2006 at 10:36 PM in Choicepoint, Economics, Privacy.

September 26, 2006

Worse Than Choicepoint: The FTC?

(Posted by adam)
So part of Choicepoint's settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money:

Jessica Rich, assistant director of the FTC's division of privacy and identity theft, said in a statement released to AP on Wednesday that "law enforcement is still identifying victims and we want to make sure we have the right people."

(From the AP, "FTC Yet To Pay Choicepoint Victims.")

Posted by adam on September 26, 2006 at 12:15 PM in Choicepoint, breach analysis.

September 1, 2006

Choicepoint, while we're correcting errors

(Posted by adam)
A few weeks back, I corrected an error in a post about Choicepoint. Choicepoint also corrected an error, see "Job seeker loses opportunity after inaccurate background check" for details:

"Well, first they said, 'Something was wrong with your background check,'" she said. "I said, 'What is wrong with it? What is wrong with my background check?'"

ChoicePoint found out that Smith was convicted of identity theft 10 years ago and sentenced to three years' probation.

The problem? It wasn't the correct Smith.

Oh, the irony.

Posted by adam on September 1, 2006 at 12:27 PM in Choicepoint.

August 14, 2006

Choicepoint Correction

(Posted by adam)
In response to "Choicepoint Spins off Three Businesses," Choicepoint spokesperson Matt Furman sent the following:

It is factually incorrect to describe ChoicePoint or its subsidiary, Bode Technology Group, as attempting to "amass a DNA database." Bode's clients are almost entirely government laboratories that are trying to solve crimes and identify victims as well as felony offenders. The samples provided to Bode for analysis are identified by a case number and Bode's work does not reveal information about race, hair or eye color, national origin or medical conditions. DNA analysis is done simply to develop a profile that can be used to determine if two people are related or the sample matches a suspect. In no circumstance, however, does Bode "own" any data, samples or any other material and never maintains permanent custody of any sample.

The only centralized databases of DNA profiles are managed by the FBI and its counterparts in the states, not by Bode. Bode is not now nor has it ever been in the business of amassing DNA data and selling it wholesale or otherwise to any government agency. Instead, the men and women of Bode are responsible for making DNA-based identifications where no one else has been able and bringing criminals to account for their crimes.

Matt actually sent that over two weeks ago, and I have a number of operational questions about it, such as: Is the data identified only by a case number? Could it be correlated with other data? Is the question of relation given as "sample A, sample B?" or is one sample named? What data does Bode retain after the sample is destroyed or returned? Presumably, there's some data kept to enable Bode or its representatives to testify in court. However, I'm swamped with other things, and despite my interest in the questions, I don't have a lot of time to pursue them.

However, I remain glad that "amassing a DNA database and selling the contents to the government is something even Choicepoint doesn't expect will become profitable," even if that was a misunderstanding of their plans.

Posted by adam on August 14, 2006 at 11:14 PM in Choicepoint.

July 18, 2006

Choicepoint Spins off 3 Businesses

(Posted by adam)
From their press release:

ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ -- ChoicePoint (NYSE: CPS - News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the decision to divest businesses that either do not fit within the new strategic direction or are unlikely to gain critical mass in the marketplace under ChoicePoint's ownership. This process is ongoing and is expected to continue throughout 2006. Included in the announced divestiture plan are ChoicePoint's direct marketing, forensic DNA and shareholder services businesses.

I'm glad to discover that amassing a DNA database and selling the contents to the government is something even Choicepoint doesn't expect will become profitable. I'm also glad that they're owning up to mistakes. Now let's see if we can see some fair information practices around the rest of their services.

See other analysis in Direct Marketing News or the Boston Globe.

Posted by adam on July 18, 2006 at 11:14 AM in Choicepoint.

July 8, 2006

What Choicepoint Learned

(Posted by adam)
Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company's CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly "to ensure we're hitting every aspect of security and privacy," says DiBattiste.

"One of the lessons we learned is that security is a moving target," she says. "The bad guys move too. So we have to constantly be in touch with the things we need to be doing to respond."

So ends an article "Choicepoint's Lessons Learned" in Baseline.

They learned that in 2006?

Maybe they should be attending Blackhat, or Defcon. I hear tell Defcon has some ATMs that they could use.

Posted by adam on July 8, 2006 at 12:25 PM in Choicepoint.

June 23, 2006

The FBI's Use of Data Brokers

(Posted by adam)
Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas is illegal, according to an Associated Press article on Chron.com.

A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still surveying agents around the United States, but so far has found no "systemic" use of data brokers by the FBI.

That's from the CSO Blog, "Data Brokers May Act Illegally." In other news, "ChoicePoint-FBI Deal Raises New Privacy Questions."

So what are we paying for?

Posted by adam on June 23, 2006 at 12:11 PM in Choicepoint, national security.

June 5, 2006

How Damaging is a Breach?

(Posted by adam)
Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What's the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.

For example, we know of 800 ID thefts from the 167,000 Choicepoint victims, all of which happened before notification. We don't know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves, here at Emergent Chaos, the Privacy Rights Clearinghouse "Chronology of Data Breaches," and Attrition.org's Dataloss list. There are also regular reports through ISN, and Dave Farber's Interesting People List.

While we're happy that there are amateur efforts, it's hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who's gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.

"Dam Water" photo by Ed Hidden.

Posted by adam on June 5, 2006 at 10:34 AM in Choicepoint, Economics, ID Management.

May 13, 2006

Two Minutes Hate: Choicepoint

(Posted by adam)
This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration's Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI -- though it is better described as the creation of a private KGB.

The leader in the field of what is called "data mining," is a company called, "ChoicePoint, Inc," which has sucked up over a billion dollars in national security contracts.

Read "The Spies Who Shag Us," by Greg Palast. Don't miss the bits about who's the number one supplier of DNA to the FBI.

Posted by adam on May 13, 2006 at 9:22 AM in Choicepoint.

May 9, 2006

Breach Notification, the New Normal, and a New Metaphor

(Posted by adam)
Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not.

Wow. Fifteen months since Choicepoint, and that's being written? There's a new set of expectations out there, and it hasn't taken long to set. Thank you, Choicepoint. The quote leads an article, "Are Banks Required To Give Notice of Database Hacks?" on San Diego Business Lawfirm.

Thanks to the Privacy Law Blog, we know that Arizona and Colorado have passed new breach notice laws. Arizona has taken a broad definition of breach in Senate Bill 1338:

"Security Breach" means "an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information... and that causes or is reasonably likely to cause substantial economic loss to an individual."

Colorado, meanwhile, has enacted House Bill 1119, which contains a "fox guards the henhouse, and sits in the alarm booth" clause:

The new law requires businesses to conduct, in good faith, a reasonable and prompt investigation into a security breach, and unless it determines that misuse of the personal information has not occurred and is not reasonably likely to occur...

I think it would be remarkably risky to invoke that clause. Businesses should ask, who owns that liability if someone makes a mistake? The Center For Policy Alternatives has Model Identity Theft Legislation that doesn't contain this clause. In my non-lawyerly opinion, that speaks to the new norms, and the burden of proof that companies are being asked to develop in a short time, under extreme pressure. Who wants these clauses, anyway?

These questions hold up a national law, according to Computerworld, "Analysis: Data breach notification law unlikely this year." Such delays are a good thing, because they give the new norm time to set, and for people to become accustomed to breach notices.

The overflowing dam photo is by Firesign, on Flickr. Come to think of it, maybe an overflowing dam is a better metaphor than a breached one: there's so much data collected that organizations can't hope to control it?

Posted by adam on May 9, 2006 at 8:28 AM in Choicepoint, breach analysis, personal security.

April 5, 2006

DHS Spokesman Brian J. Doyle Arrested

(Posted by adam)
The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff's detective who he thought was a 14-year-old girl, the Polk County Sheriff's Office said.

Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. and charged with seven counts of using a computer to seduce a child and 16 counts of transmitting harmful materials to a minor, according to a sheriff's office statement.

See "DHS Spokesman Is Accused of Soliciting Teen Online" at the Washington Post.

While I hate to make light of such a disturbing story, it's a good thing Choicepoint screened all those TSA employees, to make sure no bad people get through. (Doyle worked for TSA before moving to DHS.)

Posted by adam on April 5, 2006 at 11:57 AM in Air Travel, Choicepoint.

April 1, 2006

Google to Acquire Choicepoint

(Posted by adam)
Mountain View, CA., April 1 /PRNewswire/ -- Google today announced plans to acquire Alpharetta, GA based Choicepoint. Choicepoint, 2005 winner of the "Lifetime Achievement" Big Brother award, is a data warehouser which collects information on everyone it possibly can, and re-sells it widely. Google's mission is to "organize the world's information and make it universally accessible and useful."

Google CEO Eric Schmidt said "We're always on the look-out for large databases that we can use to better serve our customers. We used to have access to Choicepoint's data, but the "due diligence" people they kept sending would burst into flames the minute they hit our "no evil" barrier. After seven or eight of those, we couldn't believe it was coincidence any longer, so we just bought them."

Choicepoint CEO Derek Smith (according to the merged database, the two are 17th cousins, three times removed) said "Our missions are remarkably similar. We bring in every scrap of data we can, and never throw anything away."

"I fully support the synergies and customer choice made possible by the merger," said Chris Hoofnagle, privacy advocate and newly-appointed director of privacy oversight for the program. "The merger will bring value to consumers and shareholders, and it has pre-approval from Truste."

The move is expected to substantially improve Google's relationship with governments around the world.

Posted by adam on April 1, 2006 at 9:02 AM in Choicepoint.

February 21, 2006

True.com Sent 'Race-Customized' Valentines

(Posted by adam)
How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There's nothing wrong with that on the surface. But we wondered how True.com could know which version of its e-mails to send to which users?

So writes Hannah Rosenbaum in "True.com Uses Adult List to Send Targeted Valentine's Day E-mail." I'm going to disagree. It is wrong to track the color of people's skin and use it as part of your decision making process. It's wrong at the surface, and it's wrong in very deep ways. It may even be wrong with explicit consent, which 'True' certainly didn't have.

Speaking of wrong, I'd mentioned the lovely people at 'true' before, in "Choicepoint, March 21." I wonder if their data on race is any better than their criminal background histories? Siteadvisor's one data point per person is a beautiful way to watch the flow of data behind the scenes, but it fails to capture the rich tapestries of our lives, the poor quality of the data (what we used to call garbage-in, garbage-out), or how companies cope with the chaos.

Posted by adam on February 21, 2006 at 10:15 AM in Choicepoint, ID Management, Privacy.

February 15, 2006

Thank You, Choicepoint

(Posted by adam)
It's been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in "Database giant gives access to fake firms," and managed to presage much of what's happened in the opening paragraphs of his story:

Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties," according to ChoicePoint spokesman James Lee.

California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.

Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.

I raised the question of other states the next day on a panel at the RSA Conference, and have been getting mileage out of Choicepoint and breaches ever since. I'd like to take a moment to look back at what's happened, what we've learned, and yes, to honestly thank Choicepoint for the dramatic changes in international privacy law and norms that they've brought about. Derek Smith, Choicepoint's CEO, had been fond of calling for a national debate. I don't think he anticipated the answers that debate has produced.
  • The first result of the debate is 20 new laws, as summed up by the National Conference of State Legislatures. These new laws, and the breaches that we learn about because of them are an important window into the true and pathetic state of data security.
  • Remarkably, we have no new law which is explicitly about limits on collection, use, or accuracy of data held by businesses. When I say explicitly about, I mean a law such as Dan Solove and Chris Hoofnagle have laid out in "A Model Regime for Privacy Protection" and I've discussed such things much more briefly in "New American Privacy Law: What Could it Say?"
  • Those laws, and the new expectation of disclosure have led to enough data coming out that it can be analyzed. What's more, analysis, mostly by the Ponemon Institute, has helped define how to disclose these issues.
  • Choicepoint stock has still not recovered, despite a plethora of actions designed to boost it, including stock buybacks. The largest fine ever imposed by the FTC didn't help. Choicepoint, despite the increased brand recognition, also faces increased scrutiny, as I discussed in "Cost of Breaches," and the Bode cancellation, mentioned in the November 7th "Choicepoint Roundup."
  • Speaking of stock, the SEC investigation into insider trading by Choicepoint executives continues.
  • To improve their reputation, Choicepoint has stepped up their internal audit processes, annoying some customers, as discussed in "CounterTerrorism and Bureaucracy."
  • In "Why Choicepoint Resonates," I analyzed the news story, and am both happy with my analysis, and note that Choicepoint really should have talked to their trademark attorneys when I told them to, in "Cardsystems and Choicepoint."
  • Finally, due to certain irregularities arising from background checks, "Choicepoint's acquisition of Emergent Chaos" has been cancelled.
And so, for all these things, a hearty thank you to Choicepoint.

Posted by adam on February 15, 2006 at 12:11 PM in Choicepoint.

January 26, 2006

Choicepoint to Pay $15M Fine

(Posted by adam)
Atlanta-based data aggregator ChoicePoint today agreed to pay $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans.

The settlement addresses a pair of lawsuits filed against ChoicePoint by the Federal Trade Commission and represents the largest civil penalty ever obtained by the agency.

Via Brian Krebs at the Security Fix blog.

Posted by adam on January 26, 2006 at 4:57 PM in Choicepoint.

December 15, 2005

Insurance Claims and Privacy

(Posted by adam)
One of the biggest issues I have with the gossip industry is how behavior that seems normal and expected is entered into databases and is used to judge us in unexpected ways. As the Tampa Tribune reports in "Insurers' Road Service Could Prove Costly:"

TAMPA - Andrea Davis can't understand what two flat tires and leaving the keys in her car have to do with being rejected for auto insurance. The answer lies in the optional emergency road service coverage the Lutz resident was persuaded to buy from her insurer, Geico, for $12 a year. The bargain rate, one-fifth the cost of emergency road service from AAA, turned out to be no bargain at all.

...

"They said I had too many claims," said Davis, a public relations manager with a perfect driving record. "I didn't meet their eligibility requirements."

...

Insurance companies use a centralized database with tens of millions of records on U.S. motorists called Comprehensive Loss Underwriting Exchange. The data are maintained by Atlanta-area-based ChoicePoint, one of the country's biggest compilers of consumer data.

Posted by adam on December 15, 2005 at 9:11 AM in Choicepoint, Privacy.

December 1, 2005

Costs of Breaches

(Posted by adam)
The Ponemon Institute continues to analyze the cost of breaches. Their latest work is distributed by PGP, Inc. The work that they're doing is quite challenging and useful, but is unlikely to be a complete accounting of the costs. For example, what's the real cost of the brand damage done to Choicepoint?

Along with several other data brokers, ChoicePoint has been accused in Florida of violating the federal Drivers Privacy Protection Act by selling motor vehicle records to marketers and other inappropriate buyers. (The act was designed to keep burglars and stalkers from obtaining motorists' home addresses based on license plates they spotted on the road.) A request for class-action certification is pending in federal court.

The California DMV says it first heard from ChoicePoint in October 2004, when the company requested access to all drivers' license records. The state rejected the request out of hand, says Armando Botello, a DMV spokesman.

From LA Times, "Big Data Broker Eyes DMV Records."

Posted by adam on December 1, 2005 at 10:52 AM in Choicepoint, breaches.

November 16, 2005

Choicepoint's Custom Products

(Posted by adam)
I appreciate all the notes you've been sending me telling me about "FBI, Pentagon pay for access to trove of public records." I'd love to have something insightful to add to this, but I don't. Ryan Singel has a bit more:

The article, which relies on heavily redacted documents acquired through an open government request, raises questions about whether the Privacy Act -- which largely prevents secret databases on American citizens -- means anything if the government can simply outsource that data collection to a company like ChoicePoint.

If you're surprised that the US has no effective privacy law, I suggest you read more of the archives.

Posted by adam on November 16, 2005 at 12:38 PM in Choicepoint, Privacy.

November 9, 2005

How Much Goodwill is 17,000 Letters Worth?

(Posted by adam)
The Seattle Post Intelligencer reports that "ChoicePoint warns consumers about fraud:"
ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud.
The story comes from the company's latest 10-Q filing, which also lists an increase in "goodwill" from $824 million to $908 million. (Thus the title, which is courtesy of Rob.) Close watchers of the company might be interested in the "10. Goodwill and Intangible Assets" section, which explains that the newfound goodwill is a result of various acquisitions, and also puts some value on "Purchased data files." Also of interest in any modern Choicepoint SEC filing is the "legal proceedings" section.

Posted by adam on November 9, 2005 at 9:46 AM in Choicepoint, breaches.

November 7, 2005

Choicepoint Roundup

(Posted by adam)

Well, I've tried going cold turkey, but wasn't getting positive reinforcement, so I stopped.

  • Let's start from the positive, shall we? Chris Hoofnagle of EPIC is quoted in a positive light in "ChoicePoint says it's securing public's personal data better" in the Atlanta Journal Constitution.

    Now that that's out of the way.

  • Science Daily tells us that the Illinois State Police have cancelled a contract with Choicepoint subsidiary Bode, citing lack of quality control in their DNA testing, in "Illinois police say lab's work faulty." The Washington Post also reports on the story, in "Ill. Police Claim Lab Botched DNA Tests":
    Illinois authorities conducted quality checks on 51 of 1,200 rape kits Bode had said contained no semen, Brown said. They discovered that 11 of the tests, or nearly 22 percent, had simply failed to detect the semen.
  • The San Jose Mercury News reports, "Man faces more charges in ChoicePoint fraud scheme:"
    A Nigerian man who pleaded no contest earlier this year for his role in a fraud ring that stole data from ChoicePoint Inc. has pleaded not guilty to six new charges, authorities said.

    Olatunji Oluwatosin, 42, was charged last week in Superior Court and has pleaded not guilty to additional counts of identity theft, conspiracy and grand theft. If convicted of all the charges, he could face up to 18 years in prison.

  • The LA Times reports in "Choicepoint Signals Stepped-Up Probe" that the SEC is now "investigating," a step up from its former "informal inquiry."
  • The Chicago Tribune carries (reg-free!) a story from LA Times reporter Joseph Menn, "Firms Hit by ID Theft Find Way to Cash In on Victims:"
    Elizabeth Rosen was plenty angry when ChoicePoint Inc. sent her a form letter acknowledging that crooks might have perused some of her most sensitive personal and financial data.

    But the Hollywood nurse was flabbergasted when the company, one of the nation's largest collectors of consumer records, also offered to sell her some of the same information so she could see what might have been compromised.

    He goes on to discuss the petulant manner in which the industry is implementing the FACTA rules:
    "We don't make use of domain names that are close to, or are misspellings of, 'annualcreditreport' to try to create business," said TrueCredit President John Danaher. Asked about TransUnion's use of "annualcreditmonitoringreport," Danaher said: "That doesn't have the words 'free, annual' in it."
  • I wasn't going to have a Two Minutes Hate here, but David compels me with his "Nice Identity You Got There. Shame If Anything Happened to It," at ThoughtCrimes.org. How could I resist?
(Use Bugmenot for the LA Times or Atlanta Journal Constitution.)

Posted by adam on November 7, 2005 at 9:43 AM in Choicepoint.

October 6, 2005

IT Harvest IT Security Summit

(Posted by adam)

I should also mention that I had a good time at the Detroit IT Security Summit. I thought there was an interesting and broad selection of panelists, including some technical people and some senior managers. I didn't get to talk to as many folks as I might have liked, but that's always the case.

Posted by adam on October 6, 2005 at 11:39 PM in Choicepoint.

October 1, 2005

CounterTerrorism and Bureaucracy

(Posted by adam)
In "Bureaucracy Kills", Daveed Gartenstein-Ross writes (quoting CNN):
FEMA halted tractor trailers hauling water to a supply staging area in Alexandria, Louisiana[.] The New York Times quoted William Vines, former mayor of Fort Smith, Arkansas, as saying, "FEMA would not let the trucks unload. . . . The drivers were stuck for several days on the side of the road" because, he said, they did not have a "tasker number." He added, "What in the world is a tasker number? I have no idea. It's just paperwork and it's ridiculous."
Paperwork should not take precedence over helping those in need in a time of crisis. And just as we should trim our bureaucracy to allow a more effective disaster response, so too should we make sure that law enforcement officers charged with protecting us from terrorists are not shackled by red tape.
He's right about that; the officers should not be shackled by red tape. They should, however, be under close scrutiny: their actions must be monitored in light of the long history of abuses by American domestic intelligence agencies. It's not an easy balance to strike.

On a closely related note, The Canadian Privacy Law Blog points to a story, "Florida cop misused data, ChoicePoint claims." That's actually a fascinating story of how Choicepoint is improving their internal audit practices, which is also covered in the AP's "ChoicePoint Seeks an Anti-Fraud Balance." That's another good story on how Choicepoint is actively interacting with their customers to make sure that they're selling to real businesses. It also contains the wonderfully ironic bit of a private investigator complaining:

Cynthia Hetherington, a private investigator in New Jersey, had to send ChoicePoint a copy of her investigator's license twice. The company agent also wanted bank account information "and stuff that has nothing to do with my credentials or the nature of my business."

"It's absolutely intrusive," she said.

Posted by adam on October 1, 2005 at 6:26 PM in Choicepoint, Terrorism, national security.

July 16, 2005

Small Bits: Silver Linings, Presidential Game Theory, Disclosure, War

(Posted by adam)

  • Privacy Law lists the 16 states that now have notification laws. Thanks, Choicepoint!
  • At Balkin, 'JB' has a long discussion of why 2nd term Presidents all seem to be scandal ridden...since the 22nd Amendment took away what game theorists call 'the long uncertain shadow of the future.'

    I nearly said something about 'experimental confirmation' here, because it's such a seductive statement, even if it's wrong. Good experiments only strengthen a theory when they have the power to disprove it. An increase in 2nd term scandal could be caused by things other than the 22nd Amendment. Campaign finance laws spring to mind.

  • Oracle has taken 693 days to fix "Forms Insecure Temporary File Handling." It is unclear to me why 'Red Database' has no CVEs in their advisories.
  • Finally, and most somber, "A Hawk Questions Himself as His Son Goes to War," is an article by Eliot Cohen, Robert E. Osgood Professor of Strategic Studies at the Paul H. Nitze School of Advanced International Studies, Johns Hopkins University. It's worth reading:
    So it is not an academic matter when I say that what I took to be the basic rationale for the war still strikes me as sound. Iraq was a policy problem that we could evade in words but not escape in reality. But what I did not know then that I do know now is just how incompetent we would be at carrying out that task. And that's what prevents me from answering this question with an unhesitating yes.
    (Via P "No longer blogging" C.)

Posted by adam on July 16, 2005 at 10:17 AM in Choicepoint, Economics, national security.

July 6, 2005

Russia's Information Market

(Posted by adam)

Bruce Schneier mysteriously titles a post "Russia's Black-Market Data Trade." But it's not clear to me that this is black-market at all. Does Russia have a data protection law? Quoting from The Globe and Mail:

At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company's list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?

The vehicle database proves irresistible. It appears to contain names, birthdays, passport numbers, addresses, telephone numbers, descriptions of vehicles, and vehicle identification (VIN) numbers for every driver in Moscow.

Is this so different from Choicepoint's AutoTrackXP? (Sales of which are now "restricted.")

Posted by adam on July 6, 2005 at 12:40 PM in Choicepoint, Privacy.

July 5, 2005

Choicepoint Roundup

(Posted by adam)
  • At MSNBC, Bob Sullivan covers the loss of confidence in ecommerce that leaks are causing:
    The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer privacy.

    ...
    The survey reflects people's frustration, Douglas said. "Americans feel helpless. ... People are crying out for Congress to put power back in their hands, but until lawmakers finally decide whose information it is, who has the right to their own information, (frustration) is what we have."

    Another finding of the survey: The people questioned said they held low opinions towards the Federal Trade Commission, which protects consumers against Internet fraud.

  • The Daily Shiz reports on the case of Steven Calderon, in "Bad Data Could Land You In Jail!"
    That’s exactly what happened to a man named Steven Calderon. He had a clean record, and had done nothing wrong. His new employer did a routine background check using the services of ChoicePoint. What happened next? The local sheriff came to his office and arrested him for warrants of child molestation and rape.
    Baseline Mag has a long story, "The Rising Threat from Bad Data."
  • Computerworld has a "Q&A: ChoicePoint's Rich Baich on data breach, security needs:"
    You have in the past said that what happened at ChoicePoint was not really a security breach. Then what was it? It all comes down to how you define a breach and how you define an incident. This was fraud. Someone fraudulently provided authentication to the system. It's no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year. In fraud terms, it's called an account takeover. And that's what occurred. All I was trying to do was educate the press more than anything else that this was not what everyone would call a traditional hack.
    Well, would you believe a little different? Given that Choicepoint sells services to prevent these things?
  • News.com followed up on Choicepoint's 90 day plan to secure their data...
    On Friday, ChoicePoint spokeswoman Kristen McCaughan said the Alpharetta, Ga.-based data broker has not yet completed the changes. "It is ongoing," she said. McCaughan could not say when ChoicePoint expects to be able to announce that it has completed the process. "I don't think it is going to be anytime in the near future," she said.
    Read "ChoicePoint overhaul falls behind."
Posted by adam on July 5, 2005 at 9:29 PM in Choicepoint.

July 1, 2005

Well Said!

(Posted by adam)

"IRS announces plans to be the butt of three consecutive days of "Daily Show" jokes." So headlines John Paczkowski's post at Good Morning Silicon Valley.

Posted by adam on July 1, 2005 at 2:54 PM in Amusements, Choicepoint.

June 30, 2005

Choicepoint Roundup, June 30

(Posted by adam)

  • We open with two articles from News.com: "ChoicePoint overhaul falls behind," (June 24) and "ChoicePoint overhaul completed, company says" (June 30). From the latter:
    "In fact, we've gone beyond our announced commitments to make substantial changes in the past 90 days," ChoicePoint spokesman Dan McGinn said in an e-mail late Tuesday.

    The Alpharetta, Ga.-based data broker is clarifying its position after a spokeswoman told News.com on Friday that the transition process was ongoing and that it would be some time before the company could announce its completion.

    ...
    "ChoicePoint has absolutely fulfilled its obligation to do what it said it would do in the 90-day period," McGinn said, noting that the company has actually gone beyond the goals it initially set for itself.

  • Techdirt reports that "IRS Hires ChoicePoint To Leak Your Info."

    In related news, Choicepoint announced that they didn't even have to notify California customers, because the law says to notify when "any one or more" of the data elements, not "all." (Speaking of Choicepoint announcements, we never hear from spokesperson Chuck Jones anymore.)

  • Finally, Declan McCullagh reports on the predictable effect of six months of "self-regulation," in "Senators propose sweeping data-security bill." It's probably a nasty law that will be expensive to implement and cause large amounts of collateral damage. But it's probably also better than what we have now. I have not yet read the proposed law. [Updated for clarity, fixed URL. Thanks, RS!]
  • On the bright side, I bet Choicepoint would do a better job than the U.S. Citizenship and Immigration Service, who think that fingerprints expire every 18 months. Read the "Fingerprint Mystery: They Don't Change, But They Do Expire" in the Wall St Journal. (Thanks, DM!) [Update: See extended entry for excerpts of WSJ article.]
Government Hopes to Stop Calling Back Immigrants; Mr. Al-Shankiti's Saga
By BARRY NEWMAN, Staff Reporter of THE WALL STREET JOURNAL
June 29, 2005; Page A1

NEW YORK -- Good news for immigrants: If you're applying for a green card or for citizenship, the federal government is determined to stop notifying you that your fingerprints have "expired."

How do fingerprints expire? The official notices don't say. They just give applicants appointments to get fingerprinted again.

At an immigration office in downtown Brooklyn one Friday, scores of them sat on plastic chairs waiting to be called to a high-tech fingerprint station. For some, it would be their fourth time.

"I don't know why," said a woman from Poland, studying her hands. Behind her, two Orthodox Jews read prayer books. Above her, cartoons played on a television screen. "Maybe something happened with my fingers. They check, make sure everything is fine."


Immigrants line up outside a U.S. government fingerprint office in Brooklyn, N.Y.

The official rationale isn't that intuitive, but it does peel back a corner of the electronic security blanket that the government is struggling to tuck around the U.S. immigration bureaucracy.

People who want to stay in America are fingerprinted to make sure they aren't criminals. Pre-computer, the Immigration and Naturalization Service carted its ink-on-paper prints to the Federal Bureau of Investigation. There, experts searched files for matches against the prints of known criminals, just as they would for prints left on martini glasses at crime scenes: narrowing them down through a series of ever-smaller categories that have been in use for more than a century. A name check wouldn't do; criminals change their names. Immigrants with clean records quickly got green cards. Then the FBI threw their paper fingerprints out.

Five years ago, fingerprint computers replaced ink and paper. But the computers had no significant storage capacity. They merely sent prints on phone lines to the FBI. The FBI checked the prints for criminal matches on its own new computers -- and deleted them. The reason was less technical than bureaucratic: Paper fingerprints were trashed in the past, why save digital fingerprints now?

After Sept. 11, 2001, the immigration service was folded into the Department of Homeland Security, and the time it took to grant or deny permanent residence to a foreigner kept growing longer. While waiting, applicants might commit crimes. Without double-checking the FBI's fingerprint files, immigration clerks would never know.

Wouldn't it be handy, the government realized, if those digital prints were stored after all? Retooling the system for storage took until 2003. The next step was to create a search program -- using images, not words -- to retrieve the prints. That component of the project isn't quite ready.

"The easy part was placing them in a repository," says William Yates, who runs this operation at U.S. Citizenship and Immigration Services, now part of the DHS. "The more difficult thing is a mechanism to allow those prints to be called back up. Right now, we don't have that capability."

So immigrants with applications bottled up in bureaucracy keep on reporting to be fingerprinted over and over. "It's stupid and it costs a huge amount of money," says Margaret Stock, a professor of national security law at West Point. "It doesn't make any sense if you realize that fingerprints don't change."

Taking fingerprints is an old routine when it comes to permanent immigrants. When it began, about 50 years ago, immigration clerks did the job. But after an amnesty for illegals unleashed a horde of green-card applicants in 1986, the chore was farmed out to private shops -- and fingerprints got out of hand.

"A criminal alien with his own ink pad could take someone else's prints and submit them as his own," the Justice Department reported in 1994. Hurrying through its paperwork, the immigration service often didn't wait to hear from the FBI. In 1996, it came out that tens of thousands of newly minted citizens had arrest records.

That was the end of private fingerprinting. The FBI has since computerized its files, and the immigration service has opened 130 special fingerprint offices. Under a $370 million government contract signed in 1999, they are staffed and run by Vinnell Corp., a subsidiary of Northrop Grumman Corp. that specializes in logistical support and also happens to train the personal army of Saudi Arabia's royal family.

At the Brooklyn office, Sue Leichter, a Vinnell technician, was showing off the Identix Inc. "TouchPrint" scanner, with the help of a taxi driver from Morocco who was applying for a green card.

As Ms. Leichter pressed his fingers to a glass plate, the man's prints came up on a screen, loops and whorls in brilliant black and white. A box on the screen turned green, and the prints zipped to the FBI. The taxi driver preferred not to give his name, but he took his treatment in stride.

"It's my fourth time," he said.

Grinning at him, Ms. Leichter said, "Welcome back!"

The FBI now tells the immigration service in just a few days whether someone is under a criminal cloud. The immigration service, though, doesn't always put the final touches on its paperwork so speedily.

"It should take three hours," says Rajiv Khanna, an immigration lawyer in Virginia. "Do you know how much time it takes?"

The answer, in some parts of the country, is three years. The government is working mightily to reduce its chronic backlog. But often it can't work fast enough to beat an expiring fingerprint.

In three years, fingerprints expire twice. A set lasts just 15 months -- that is the rule.

An applicant is first fingerprinted after qualifying for a green card, which itself can take years. If it then takes more than 15 months for the immigration service to complete the paperwork and issue the card, the applicant is fingerprinted once more.

Those who go on to apply for citizenship are fingerprinted again. People seeking asylum often wait for at least a decade; every 15 months, they are fingerprinted.

The 15-month rule has been around for years. Not even Mr. Yates at the immigration service can explain it.

"It happened so long ago," he says. "There's no technical reason for it."

With computers that store and actually retrieve fingerprints, Mr. Yates imagines a day when fresh arrest records pop up on his screens daily, and fingerprints never expire again. Such seamless feedback from the FBI isn't even being planned, but it sure would have made Ali Al-Shankiti's passage to America less confusing.

He is a 29-year-old Saudi Arabian who came to the U.S. in 1993, earned three degrees, and now does research in wireless computer technology for a big company in Boston. In 2002, based on his job, he was cleared for a green card. On April 4, he was fingerprinted. His expiration notice came 15 months later.

"I'm not the most favored immigrant," Mr. Al-Shankiti says. "I do understand that. Still, I thought, how do fingerprints expire?"

On the day of his second fingerprinting appointment, he had to be away. He wrote in advance asking for another date. Months passed with no reply. On Aug. 26, 2003, Mr. Al-Shankiti went in unannounced.

"They were happy to print me," he says. But then came a letter with yet another fingerprinting appointment for Sept. 27.

Mr. Al-Shankiti went. A month later, he was told to come back again; it seemed the FBI computer couldn't read his prints. So on Dec. 9, 2003, Mr. Al-Shankiti was fingerprinted for the fourth time.

For 18 months, he heard nothing else. Finally, he telephoned the immigration service to let a clerk know that his fingerprints had expired. This past Monday, he got a notice in the mail giving him an appointment on July 23 -- for his fifth fingerprinting.

Mr. Al-Shankiti is allowed to keep working, as long as the immigration service issues him an employment authorization card each year. The cards, designed to be forgery-proof, carry a photo and one fingerprint. Though Mr. Al-Shankiti has had several cards, his latest is strange. He is at a loss to explain it, and so is a spokesman for the Homeland Security Department.

The place on the employment card where his fingerprint belongs has a stamp instead. It says: "Fingerprint not available."

Posted by adam on June 30, 2005 at 12:21 PM in Choicepoint.

June 27, 2005

UK ID Cards, Choicepoint, and Privacy

(Posted by adam)

[Image: tony-bliar.jpg]

Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they're being honest. As the Independent reports in "Ministers plan to sell your ID card details to raise cash":

Personal details of all 44 million adults living in Britain could be sold to private companies as part of government attempts to arrest spiralling costs for the new national identity card scheme, set to get the go-ahead this week.

The opening of commercial talks contradicts a promise made when the Home Office launched a public consultation on ID cards in April last year, when officials pledged that "unlike electoral registers, the National Identity Register will not be open for any general access or inspection."

Any guesses as to who'll be first in line? (I already gave you a hint in the title.)

Meanwhile, Stefan Brands has a 4 part summary of the LSE analysis of the new ID card system. Part I, Part II, Part III, Part IV. Summary of the summaries: The proposed system was designed by companies selling "enterprise" software with no concern for, or thought given to, the appropriateness of that software for national ID use. (UK ID tidbit via Pacanukeha's "It's all about Control." ID card from ID Unknown)

Posted by adam on June 27, 2005 at 1:24 PM in Choicepoint, ID Management, Privacy.

Choicepoint, Two Minutes Hate

(Posted by adam)

This was going to be a roundup, but heck, there's a backlog of hate, and I must post.

  • Under the headline, "Who let Jeb Bush and ChoicePoint into the UK?" 'Brother Rail Gun of Desirable Mindfulness' points to a BBC story, "Hundreds wiped off vote register."
  • An oldy-but-I-Hadn't-linked, Adrift at Sea comments in "Bleeding Edge Technology:"
    I don’t know if ChoicePoint or any of its subsidiaries are actually involved in the development or deployment of the new passports for the United States, but given the track record of DHS and of these companies, I would rather stick with more basic, less technologically advanced security methods for now.
  • Juxtapostition asks "A message to ChoicePoint customers: just how helpful is the data you are buying?:"
    A great point that has been lost in a lot of the reporting. Just how useful is the service they provide when they were spoofed over 50 times by fraudulent users?

    These companies always beg the question of which entities are authorized to be their customers to "legitimately" obtain this kind of sensitive data about people? What would stop me from paying to get the data on anyone they had? What criteria would they establish to prevent just anyone from getting at this data? Or, do they not care as long as you have the cash?

  • Unmarketing has a long post, which I'll excerpt unfairly:
    In fact, it was a passing remark made by a ChoicePoint representative, who said, in effect (because I didn't write it down):
    Americans have the right to privacy, but no longer have the right to anonymity.
    As a private citizen, this made me blanch. This made me sick. This, in short, pissed me off.
    He also points to Infinisource, who, back in 2001, examined her Choicepoint file in "A Sample ChoicePoint FBI Dossier:"
    Just for fun, if a rough accounting of the report I received is done by giving each correct entry a point, deducting a point for each error and ignoring omissions then my ChoicePoint report was only 56% accurate.
  • No link, but in the Wall Street Journal Monday June 13, there's a story on Wal Mart "rescinding" its retirement package for ex-executive Thomas Coughlin. Coughlin's package was worth about $12m. Coughlin has not resigned from the board of...Choicepoint.
  • If you think hatred of Choicepoint is only here, take a gander at the LiveJournal "Awake and Dreaming - Still far from shores I've yet to reach"
    I've been getting a lot of attention from ladies online recently. I've been talking to one for about a week who lives in Gwinnett. The only problem is she works for Choicepoint (for those of you who don't know, that's the company that got in trouble for selling lots of people's personal information to people posing as government entities or something), and although she's not ugly, she doesn't attract me too much.
  • To close, in stark contrast to the outpouring of hate for Choicepoint, we offer up Two Minutes Hate from Choicepoint employee Jason Fayling, blogging at "Dude, Where's My Car?" Jason offers up "Linux Sucks:"
    I have been playing around with Linux lately. Specifically Red Hat FedoraCore 3. Let me tell you, for those who fear Linux will over come Windows. Fear Not! Linux Sucks! I spent my entire weekend last week trying to install that piece of junk. I finally got it to install after my 7th attempt, but even still, my sound card doesnt work. Granted, I am trying to run Linux inside Microsoft Virtual PC 2004, a virtual machine software, but that is because I am not willing to do a dual boot from my laptop. I had to get a hacked Linux kernel to get it to run within the virtual machine. What amazes me is how anybody gets anything done in Linux at all. There are so many CRYPTIC commands. For example, if you want to rename a file in Linux you use the mv command. What the heck is that all about?
Posted by adam on June 27, 2005 at 10:58 AM in Choicepoint.

June 21, 2005

CardSystems and Choicepoint

(Posted by adam)

Choicepoint, please call your trademark attorneys. You're in danger of becoming a generic term for "massive security breach," and a band-aid isn't going to fix that.

That was the lead (and about all I'd written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point of the article was going to be how people know that their banks could make mistakes, and that a bank mistake wouldn't ever be as upsetting as the Choicepoint error. But now, CardSystems Solutions has done what no bank could do. They're taking attention away from Choicepoint, and they're going to take more, for a while. I'd like to explain why I think this.

Firstly, this one is big. As in ten times larger than the previous record. JW mentioned to me that 40m could reasonably be expressed as a percentage of Mastercards issued. (Actually, it was 20m Mastercards, which is just short of 3% of the 698m Mastercards issued.)

Second, like Choicepoint, you have no choice about doing business with Cardsystems. You didn't know they existed before you heard your credit card was in the hands of Russian thieves.

Third, because what was stolen was credit card data, rather than SSNs, it's short-lived, and the folks who have it are already under huge pressure to flip the data as many times as they can, as quickly as they can, along with the blame and the legal pressure. That means that most of the impact is going to be on credit card statements this month and next. That compression has an upside, which is no life of fear for the victims, and a downside, which is that Congress is going to be under enormous pressure to pass a law. That's a downside because Congress legislates in haste, while we all repent at leisure.

Fourth, Cardsystems flubbed their public relations. Their story was inconsistent and confusing. Basic company facts were confused. (Are they headquartered in Tuscon, AZ, Tucson, AZ, or Atlanta, GA? Major media outlets were contradicting each other.) AZCentral tells us:

Actually, the company appears to be headquartered in suburban Atlanta, but has its processing center in Tucson. Or maybe it's based in Tucson in the winter when executives want to play golf. It handles $15 billion in payments every year.

Finally, they violated their contract with the card providers (by storing CCVs), and their CEO offered a confused story about "research purposes." (In "Lost Credit Data Improperly Kept, Company Admits," in the New York Times.)

Posted by adam on June 21, 2005 at 10:25 PM in Choicepoint, breaches.

June 7, 2005

Markets in Social Security Numbers

(Posted by adam)

Social security numbers used to be just for social security. But the government is the only actor in the marketplace who can produce something, and also mandate demand for it. In the case of SSNs, they've created a large demand by declaring that Uncle Sam gets to decide who you may hire. (The gossip-mongers credit agencies have also helped, by declaring an SSN enough to get credit.)

Where there's demand, there's a market. Where there's a market, eventually there's differentiation. So there are the people who buy in bulk from Choicepoint. There are people who get them one at a time from their students. And as the New York Times reports in "Social Security: Migrants Offer Numbers for Fee," there are people who rent or sell them:

This process has one big drawback, however. Each year, Social Security receives millions of W-2 earning statements with names or numbers that do not match its records. Nine million poured in for 2002, many of them just simple mistakes. In response the agency sends hundreds of thousands of letters asking employers to correct the information. These letters can provoke the firing of the offending worker.
...

Since legal American residents can lose their green cards if they stay outside the country too long, for those who have returned to Mexico it is useful to have somebody working under their identity north of the border. [How's that for a perverse incentive under the law?]
...

Mr. Luviano decided to pull the plug on the arrangement, however, when bills for purchases he had not made started arriving in his name at his brother's address. "You lend your number in good faith and you can get yourself in trouble," he said.

Ian Grigg has more at "Identity is an asset. Assets mean theft ... and Trade! "

Posted by adam on June 7, 2005 at 5:31 PM in Choicepoint, ID Management.

June 5, 2005

Duke, 9,000 partial SSNs, Hacker. (With Commentary.)

(Posted by adam)
In Hacker hits Duke system, the (Charlotte? Raleigh [thanks, Neil!]) News and Observer reports on a breach at Duke University School of Medicine. The school's "Security Incident at Duke" page states:
On Thursday, May 26, 2005 a security breach allowed an unauthorized user to gain access to data stored on several web sites at Duke University Medical Center. None of the web sites was used for patient care.

The web sites that were accessed did NOT contain any patient data or personal financial information, such as credit card or bank account numbers. However, they did include the passwords of about 5,500 users. These passwords gave the users access to various Duke web sites. In addition, some of the compromised databases included fragments of Social Security numbers – either four or six of the nine digits – for about 9,000 users. (Emphasis Duke's.)

What I find interesting is that the norms are changing very quickly. In January, this probably would have been swept under the rug. But all that was revealed was passwords. Many companies are lobbying like mad to not have to do this. What they don't understand is that a new normal has emerged while they weren't looking.

Choicepoint tried the "We notified everyone we were required to" line. It didn't work for them. It won't work for anyone else. So can we please get over the posturing, and admit that breaches happen?

Maybe once we do, we can start learning why they happen, and from there, start addressing root causes.

Posted by adam on June 5, 2005 at 3:59 PM in Choicepoint, breaches.

June 1, 2005

Breach Disclosure Laws

(Posted by adam)

The National Conference of State Legislatures has a "2005 Breach of Information Legislation" summary page:

Summary: Legislation was introduced in at least 34 states as of May 18, 2005. Legislation enacted in at least six states in 2005: Arkansas, Georgia, Indiana, Montana, North Dakota and Washington.
Thank you, masked man Choicepoint.

(Via The HIPAA blog.)

Posted by adam on June 1, 2005 at 12:15 PM in Choicepoint.

May 31, 2005

Choicepoint Roundup

(Posted by adam)

  • Household Watch has a story:
    When Ms. Marshall got a $6,000 home-improvement loan from a credit union in April 2003, she had to pay relatively high interest because of a weak credit score. The credit check had showed a court ruling ordering her to pay overdue rent to a former landlord in a Washington, D.C., suburb. But the judgment had been caused by a court error and vacated by a judge – facts that didn’t make it into her credit history. It turned out that a ChoicePoint contractor at a courthouse hadn’t properly updated the file, and that Equifax, the credit bureau, purchased the erroneous entry from ChoicePoint.
    Unfortunately, the suit was thrown out after the errors were fixed. That sort of decision encourages these companies to be sloppy with their data gathering processes. Data processing professionals used to say "Garbage in, garbage out."
  • The LA Times has an article "ID Theft Coverage Draws Criticism."
  • Finally, it's been too long, but today Two Minutes Hate comes to you from...The San Jose Mercury News, who says that "Thieves go where the data is -- while Congress just fiddles." (Ironic for a company that insists on collecting data from you, or really, from Bugmenot.)

Posted by adam on May 31, 2005 at 10:39 AM in Choicepoint.

May 30, 2005

Choicepoint vs CIA

(Posted by adam)

The New York Times has a long article on the successors to Air America, "C.I.A. Expanding Terror Battle Under Guise of Charter Flights." The bit that really caught my attention was:

On closer examination, however, it becomes clear that those companies appear to have no premises, only post office boxes or addresses in care of lawyers' offices. Their officers and directors, listed in state corporate databases, seem to have been invented. A search of public records for ordinary identifying information about the officers - addresses, phone numbers, house purchases, and so on - comes up with only post office boxes in Virginia, Maryland and Washington, D.C.

But whoever created the companies used some of the same post office box addresses and the same apparently fictitious officers for two or more of the companies. One of those seeming ghost executives, Philip P. Quincannon, for instance, is listed as an officer of Premier Executive Transport Services and Crowell Aviation Technologies, both listed to the same Massachusetts address, as well as Stevens Express Leasing in Tennessee.

No one by that name can be found in any public record other than post office boxes in Washington and Dunn Loring, Va.

In the past, the FBI could set up undercover agents, or those in the witness protection program, by talking to "the big three" credit agencies. If the CIA needed cover identities, they could do the same.

But today, "thanks" to the profusion of businesses dedicated to bringing public records access to everyone, these techniques no longer work. You can't ask three patriotic businesses to help you; you'd need to give a list of identities to create to tens? hundreds? of businesses. I expect that the CIA believes at least one of those businesses is a front for Al Qaeda, and thus that handing out a list of covert officers is inconceivable.

Just another way in which privacy helps security.

Posted by adam on May 30, 2005 at 10:11 PM in Choicepoint, national security.

May 23, 2005

New Books

(Posted by adam)

Two new books that may be of interest are blogger Wendy McElroy's "National Identification Systems, Essays in Opposition" and Choicepoint CISO Richard Baich's "Winning as a CISO." I was going to add clever text juxtaposing the texts, but really.

hmmm, I really must make this post longer, or the blog looks really bad.

Almost...there....

Posted by adam on May 23, 2005 at 9:25 PM in Choicepoint, National ID.

May 19, 2005

Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA, 500,000, Employees Double Dipping

(Posted by adam)
Electronic account records for some 500,000 banking customers at four different banks were allegedly stolen and sold to collection agencies in a data-theft case that has so far led to criminal charges against nine people, including seven former bank employees.

Police in Hackensack, N.J., are continuing their investigation into the theft by a crime ring that apparently accessed the data illegally through the former bank employees.

So Computerworld tells us, in "Data theft involving four banks could affect 500,000 customers." The story mentions a "crime ring," but it's not clear what that ring did, other than stock a private database, owned by Orazio Lembo Jr., to compete with Choicepoint. MSNBC tells us in "Massive bank security breach uncovered in N.J." that: The employees are accused of turning over customer bank account numbers and balance information for a profit [fee, really] of $10 per account. Even a state employee is accused of providing private information from state employment files. North Jersey News names names in "9 charged in bank data scheme:"
Lembo resold the information to the collection agencies and attorneys for $70 to $100, Zisa said. He even allegedly sold package deals that included employer information supplied by the state worker, Rivera, 42, of New Milford. [Rivera is a manager in the Jersey City office of the New Jersey Department of Labor.]

...

Zoran Levajac of Totowa [At the West Caldwell branch of Commerce Bank], Kathleen Lovelace, 35, of Kearny, then paid James Digangi, 27, of Elmwood Park, and Anthony Diamanti, 29, of Clifton.

Also charged were Kelvin Diaz, 27, of Hackensack, an employee at Bank of America branches in Elmwood Park and Paterson; Myron Frierson, 29, of Teaneck, a financial specialist for Wachovia Bank in Elmwood Park; and Maurice Williams II, 28, of Hackensack, a financial specialist for First Union/Wachovia in Bogota.

(Via Jim Horning, at Nothing is as simple as we hope it will be, Another Massive Personal Information Theft.)

[Update: If you find this interesting, you might also be interested in my posts on breaches, or the Choicepoint debacle. Or just take a look around the blog.]

Posted by adam on May 19, 2005 at 8:28 PM in Choicepoint, breaches.

Choicepoint, Acxiom Highly Accurate

(Posted by adam)
100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom -- and the ones who did had to wait an average of three months from the time they requested their information until they received it.
So says a new study from Privacy Activism. Read the news release, or the study. (There's also a 162k PDF file.)

On thinking about this for another minute, I need to add that, ironically, inaccuracies in the data are more likely to harm the honest than the fraudsters-by-impersonation. The ID thieves will just hope that the wrong data is seen as right, or right enough for granting credit, or just move on to the next person.

Posted by adam on May 19, 2005 at 12:39 PM in Choicepoint.

Real ID Roundup

(Posted by adam)

The fair and balanced Real ID Sucks blog ("A clearinghouse of stories about how the states will be required to spend $250 million to create standardized, machine-readable driver's licenses, to make it easier for hackers, thieves and credit bureaus to track your every move.") points to a San Jose Mercury News editorial, "Real ID Act mostly helps identity thieves:"

The people who will benefit most from this law are snoops and identity thieves. The requirement that all personal information be encoded in a machine-readable form will be a gift to them. Already bars, athletic clubs and other commercial establishments swipe driver's licenses. With a national format, every retailer will swipe the IDs to collect valuable information that will be sold to data aggregators, such as ChoicePoint. They, in turn, will resell the information to marketers and other customers.

...

The irony is that the Real ID Act was wholly unnecessary. Just five months ago, Congress approved a bill that required the federal government and states to work together on sensible national standards for driver's licenses. That work, which has already begun, now will be scrapped.

Congress reversed itself once. It has to do so again.

(Use bugmenot for a login.)

Posted by adam on May 19, 2005 at 12:30 PM in Choicepoint.

May 17, 2005

Choicepoint

(Posted by adam)

Knight Errant has a long post, "Tipping My Tinfoil Hat," in which he makes mention of Choicepoint. And Consumer Affairs has a long article "USA PATRIOT Act Rewards ChoicePoint."

The IntegraSys corporation's ID Verification software, for example, cross-checks and references 23 billion data records, including everything from credit report headers to "warm address lists" that target "known sites of fraudulent activity", such as hotel mailboxes, prisons, P.O. boxes, etc.
I want to write something about the relation of the policeman within, the negative effects of these databases which declare you may only partake of society with a known address. What do the hundreds of thousands of Americans who live in actually mobile homes do? Hire a mail forwarding service. But that's now "a known site of fraudulent activity." Could those companies sue for libel, if there's never been a fraud perpetrated at the site?

Posted by adam on May 17, 2005 at 11:04 AM in Choicepoint.

May 12, 2005

Choicepoint, May 12

(Posted by adam)

Posted by adam on May 12, 2005 at 1:46 PM in Choicepoint.

May 5, 2005

Corporate Welfare from TSA

(Posted by adam)

USA Today reports "U.S. asks for more data on travelers"

The federal government plans to begin collecting the full names and birth dates of air travelers this summer in its latest effort to screen passengers for possible links to terrorism.

In a few weeks, the Transportation Security Administration will notify airlines, travel agents and online reservation systems that they will be required to ask travelers for their legal names and birth dates when booking domestic flights.

Passengers who don't comply [sic] with the request will dramatically increase their chances of being stopped at airports for questioning or pat-downs, TSA assistant administrator Justin Oberman said. That's because their partial names are more likely to register a "hit" on terrorist watch lists.

This could help some people avoid the problems that the watchlists create. If we happen to know a terrorist's birthday, anyway. But I'm far more concerned that, yet again, TSA will be mandating data collection through unregulated third parties.

It will probably be a crime to lie to the airline about your birthday. And that means that there's another government-mandated privacy invasion where the airlines will be free to link "their" data with anyone else's. It's corporate welfare for the privacy invasion business.

On a similar note, Choicepoint has acquired EZGov, in a "transaction that will not have a material impact on its financial results, and will not be dilutive to earnings." But it sure will improve their data to know that lying to them could land you in jail. Operational synergies, indeed. (Conscious Junkyard has more on "Choicepoint, Corporatism, and Welfare.")

(Via BoingBoing. Ryan Singel comments in "You Say Its Your Birthday.")

Posted by adam on May 5, 2005 at 10:16 AM in Air Travel, Choicepoint.

May 4, 2005

The Coming Privacy Law

(Posted by adam)

Perspectives from the gossip industry are presented by Information Week, in "Execs Testify In Favor Of National Data-Security Law:"

In prepared testimony for a hearing by the House Committee on Financial Services, executives from Bank of America, ChoicePoint, and LexisNexis supported legislation patterned after California's law requiring companies to notify customers about security breaches.

ChoicePoint Inc., the information broker whose disclosure of a security breach set off a furor over privacy and identity theft, favors existing laws such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, as well as a "pre-emptive" national law for notifying consumers when a breach has occurred, said Don McGuffey, senior VP for data acquisition and strategy.

Update: Of course, what the industry is saying depends on where you sit. CBS MarketWatch reports: "Industry says no need for more privacy laws."

Meanwhile, the Center for American Progress has a long editorial on Protecting Privacy in the Digital Age, talking about how the Privacy Act of 1974 no longer really means anything, as government now simply outsources those actions which it isn't allowed to take.

Posted by adam on May 4, 2005 at 7:38 PM in Choicepoint.

May 3, 2005

Choicepoint Analyses

(Posted by adam)

Today's Wall Street Journal has a good summary article, "For Big Vendor of Personal Data, A Theft Lays Bare the Downside" (Thanks, Nick! Also, the Pittsburgh Post-Gazette has picked up the story, and made it available):

The vulnerability of the company's data and its difficulty in tracking the breach point to a paradox. ChoicePoint and similar data sellers pitch their troves of private information as a hope for restoring personal security to a society fraught with anxiety over terrorism and crime. The chief executive of ChoicePoint, Derek Smith, espouses a thesis that society is better off if everyone can check the background of anyone else. Yet the very existence of these vast information stockpiles -- vulnerable to both error and poaching -- has spawned a new area of worry and risk.
...

"The needs of consumers and society must be the central focus of our company's and our industry's efforts," Mr. Smith said in a statement yesterday. "We believe regulation will give consumers additional protections, remove risk from the industry model and ensure all competitors are playing on the same, level field."
...

ChoicePoint collects data from insurers and an extensive network of contractors who scoop up nuggets from public filings, financial-services firms, phone directories and forms people fill out when applying for loans. Pointing to 7.3 million background checks it did last year, the company says just .0008% have been shown to contain incorrect information.

This last shows how far Choicepoint is from getting it. Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the "garbage in, garbage out" problem, has been defined away.

Also, CSO Online has a good long article, "The Five Most Shocking Things About the ChoicePoint Debacle," but this post is long enough, and CSO is interested in having readers, so I don't feel as interested in excerpting.

Posted by adam on May 3, 2005 at 11:51 AM in Choicepoint.

May 1, 2005

Perspectives on "Identity Theft"

(Posted by adam)

WYFF-TV, "The Carolina Channel," interviews two fraudsters who made money impersonating others. If you have any doubt these people are scum, one impersonated his own brother, and stole $71,000.

In another, on Dave Farber's list, victim Tom Goltz writes:

Speaking as a victim of identity theft, there is absolutely nothing that an individual can do to effectively protect themselves against identity theft.

Do you know what your identity is worth? Mine cost $200. That's what a criminal paid on a street corner in Los Angeles. Add in $75 for a low-grade forgery of a driver's license, and he was in business. To this day, I have been unable to discover how my personal information ended up on that street corner. I own and religiously use a high-quality confetti-cut paper shredder. I have never received sensitive financial correspondence at the unsecured mailbox at my home, instead renting a locked post office box. I have made a policy of not disclosing my social security number whenever possible. My SSN has never been on my driver's license. It has never been printed on my checks. I do not carry my social security card in my wallet, nor any other document bearing my SSN.

Goltz is right. The Choicepoints, the Lexis Nexises, and their utter lack of liability means they can't justify investing in protecting the data that they have. Banks are pushing hard to be allowed to decide when a theft is likely to lead to problems for you. (Gosh, I wonder what they'll decide?)

The problem stems from financial institutions granting credit easily, and then blaming the victim, by spreading lies through the credit bureaus. As long as these organizations have no responsibility for the problems they allow to happen, and then magnify by ignoring the victims...

Posted by adam on May 1, 2005 at 9:08 AM in Choicepoint, ID Management.

April 30, 2005

Small Bits of Chaos all Starting with Names

(Posted by adam)

  • Mike Solomon, of PithHelmet fame, comments on RSS spam, and promises to do something about it. (Incidentally, I've been wondering about NetNewswire's cookie behavior when you load pages, but some rummaging in its files didn't seem to turn up cookies, and I needed to go blog earn money.)
  • Alan Chapell (whose blog is looking much nicer, but still needs RSS and individual post links) discusses (Thurs, April 28 entry) :
    When I confirmed that I’d been enrolled as a result of a purchase I’d made on the travel web site, I decided to end my relationship with the travel web site. Here’s where the fun started…

    I sent an email to the travel web site’s CS group – asking them to remove all my personal information from their records. One would figure that this isn’t a very big deal as their web site privacy policy states:

    “If a visitor’s personally identifiable information (for example, their zip code, phone, email or postal address) changes or if a user no longer desires our service, we provide a way to correct, update or delete/deactivate visitor’s personally identifiable information.” ([Chapell] paraphrased this to protect the company)
    [Frustration, frustration elided.] As a consumer, this is beyond frustrating. Btw, this is not some tiny website – it is a nationally advertised site owned by a fairly large company.

    Perhaps it's time to involve their seal program…

    No, sir, it's time to name names. Why are you protecting them? Shame them. Call them out. Use them as an example when you speak. Tell them that you'll continue doing so until you believe that they comply with the terms and conditions they had on display when you signed up.
  • Kurt Voelker has an insightful post about "Lessons for Online Community in ChoicePoint Failures:"
    Think about credit agencies. When it comes to our digital reputations, systems like ChoicePoint and Equifax are reviled, while ranking and endorsing systems like eBay's thrive. Why? Transparency. The eBay community incents its members to participate because they can see exactly who is saying what about whom. And interestingly, this transparency lets my digital reputation be as much about what I say of others, as it is about what others say about me.
  • Zach Brown (hi Zach!) has a great post in which he goes from C code to the philosophy of programming, entitled: Sloppy Systems Programming:
    It wasn’t that stat() failed, it was that suEXEC saw that it had just performed stat() on a link. It apparently decides that this is fatal, because it knows more about the security trade-offs of your environment than you do, and that when it sees this policy violation it will fail and lie to you about why it failed.

    Now, I’ll be the first to admit that this in itself is a very minor detail. The rub is that this sort of misleading behaviour isn’t rare at all. I think this struck a chord with me because it made me focus on my changing thoughts about what it is that I do. There was a time when I loved having a catalogue of this kind of behaviour in my head so that I could use all kinds of software and predict the ways in which I would have to work around its behaviour. It was super-fun to be an expert in so many details.

    But these days, and I won’t admit to a decade having passed, it all seems like so much wasted time. People who use this software should be focusing on solving their problems instead of spending time discovering that “cannot stat program:” can sometimes mean “I refuse to work with this file because it is a link.”

    It seems like after a few decades of building these kinds of software systems we could be doing a better job of it.

    The profusion of such issues, along with the social awareness that they're ok, helped drive me to a Mac. On the Mac, they are distinctly not ok, and once you adjust your pain threshold downwards, it's hard to remember why you put up with them.

Posted by adam on April 30, 2005 at 1:29 PM in Choicepoint, ID Management, Privacy.

April 29, 2005

Way To Debate!

(Posted by adam)

Since Choicepoint demonstrated that screening is hard, they've been repeating the phrase "We look forward to a national debate." But at yesterday's annual meeting, they once again failed to engage in that debate. The LA Times has an AP story "No Answers for ChoicePoint Shareholders" (Bugmenot, because no other paper has picked up the story, according to Google News.) Or, The Atlanta Journal Constitution, "ChoicePoint boss deflects scam queries." (Bugmenot)

In a quick and scripted annual shareholder meeting, ChoicePoint executives turned away any questions about the invasion of the company's database by fraud artists.
...

But Smith said that because of investigations into the database scam, "we will not be taking questions relating to those matters in this annual meeting."

It seems to me that understanding how management is handling these issues would be important to a shareholder.

Posted by adam on April 29, 2005 at 10:19 AM in Choicepoint.

April 28, 2005

Choicepoint Annual Meeting

(Posted by adam)

But today, the chairman and chief executive of Alpharetta-based ChoicePoint is likely to get a feel for his standing on a smaller stage: whether he is held in esteem by ChoicePoint shareholders.
...

Lauren Waits, who oversaw ChoicePoint's charitable giving program before leaving earlier this year, describes her former boss as a visionary who also can be intense and "quite hard on other people." He has been impatient for government to act on ideas, such as storing DNA profiles on all felons in a central database that could be used to catch repeat offenders.
...

But the most difficult thing for ChoicePoint's CEO hasn't been the criticism or a grilling before Congress, said Rod Dowling, an investment banker who has worked with ChoicePoint. What Dowling said got to Smith most in the wake of the scam was that an Atlanta publication, Creative Loafing, published his home phone number and address.

That's just a smidgen of the kind of information ChoicePoint supplies to clients every day. But Smith worried about his family's safety and quickly changed his phone number, said Dowling, CEO of SunTrust Robinson Humphrey.

If only we could do the same when our data gets into untrustworthy hands.

From the Atlanta Journal Constitution, "Embattled CEO must take stage."

Posted by adam on April 28, 2005 at 5:21 PM in Choicepoint.

National Legislative Roundup

(Posted by adam)

In "Proposed Legislation Limiting PI Access to Data", Private Investigator News and Information provides the National Council of Investigation and Security Services's roundup of legislation that would affect the private investigator business.

Naturally, the private investigators are up in arms; their job is about to be made a lot harder over something that wasn't their fault.

Posted by adam on April 28, 2005 at 10:19 AM in Choicepoint.

April 24, 2005

Choicepoint: April 24

(Posted by adam)

  • The Privacy Law Site posted on the Schumer-Nelson Comprehensive Privacy bill on April 13, but I just found it. The author summarizes the bill.
  • Richard Clarke has a column in the New York Times, "You've Been Sold," in which he outlines some reasonable parts of a new law. [Added shortly after first posting.]
  • The Seattle Times covers "Bills sent to governor aim to fend off identity thieves:"
    A security-breach bill, Senate Bill 6043, will require consumers to be notified by credit-reporting and consumer-data agencies if a security breach compromises their personal information.

    And a security-freeze bill, Senate Bill 5418, will let victims of identity theft — or those whose personal data have been stolen — place a security freeze on their credit files with credit-reporting agencies to lock out potential thieves.

    One of the state's top consumer groups, the Washington Public Interest Research Group, dropped its support for the security-breach bill when amendments were added letting companies decide whether to notify customers when their data are stolen. If the companies consider it a "technical breach" that doesn't seem reasonably likely to subject customers to criminal activity, they're not required to tell customers.

    Look for blowback on that loophole. Washington banks are going to have to go through two compliance programs over the next few years after a big bank abuses this, and a more stringent law shows up.
  • It's been a little while, and I feel a need for release. Today's Two Minutes Hate comes to you from The Nashua Telegraph, who asks, Didn’t ChoicePoint learn anything from murder of Nashua’s Amy Boyer:
    Amy Boyer was a 21 year-old college student working part-time as a dental assistant in downtown Nashua. Amy was shot nine times in the head as she left work on Oct. 15, 1999, by a stalker who bought Amy’s Social Security number and work address on the Internet from an “information broker” named Docusearch.

    Docusearch purchased Amy’s Social Security number from IRSC, an information broker that folded into the ChoicePoint conglomerate.

Posted by adam on April 24, 2005 at 6:36 PM in Choicepoint.

April 20, 2005

Choicepoint Earnings

(Posted by adam)

ChoicePoint Inc. (NYSE: CPS), today reported first quarter total revenue growth of 19 percent compared to 2004. First quarter total revenue for 2005 was $259.3 million.
...

These expenses included approximately $2.0 million for communications to, and credit reports and credit monitoring services for, individuals receiving notice of the fraudulent data access and approximately $3.4 million for legal expenses and other professional fees.
...

ChoicePoint's first quarter results will be discussed in more detail on April 21, 2005, at 8:30 a.m. EDT via teleconference. The live audio Webcast of the call will be available on ChoicePoint's Web site at http://www.choicepoint.com. There will also be a replay of the call available beginning at approximately 10:00 a.m. EDT at the same Web address.

From the press release "ChoicePoint(R) Reports Record Revenue in the First Quarter of 2005"

Posted by adam on April 20, 2005 at 10:02 PM in Choicepoint.

Choicepoint, April 20

(Posted by adam)

  • Presto Vivace reports that:
    During the April NCC AIIM meeting, a member of the audience asked how the IRS’ Free-File could avoid becoming another ChoicePoint, clearly a reference to recent security breaches. Everyone in the room immediately understood the reference; no explanation was needed.
  • CBS Marketwatch reports "For now, little way to halt firms' leaks of consumer data," with lots of Choicepoint. Also, this gem from Lexis Nexis spokesperson Steve Edwards demonstrates how far we have to go:
    "We're setting up [new guidelines] to help them administer and protect their IDs and passwords. I won't get into too much detail there because then we're giving away the secrets to the bad guys," Edwards said.
    Let me guess, 7 or more characters, mixed letters and numbers, change regularly, and don't share it? Did I give something away to the bad guys?
  • Kim Zetter at Wired reports "ChoicePoint Division Changes Tack:"
    Rapsheets, a Tennessee company purchased by ChoicePoint last year, provides instant criminal background checks to employers and organizations to help them screen workers and volunteers.
    ...

    The move brings the company into compliance with the Fair Credit Reporting Act, or FCRA, which requires background-checking services to either provide employers with the most-current information available from public records or to notify workers and job applicants when they are providing an employer with damaging information about them that is likely to affect their job prospects.
    ...

    "The high road would be for them to say, 'We're going to verify anything before we deliver a record to an employer,'" [Mike Coffey, president of Texas investigation firm Imperative Information Group] said. "They're still going to put the onus back on the consumer to make sure that everything is correct."

Posted by adam on April 20, 2005 at 12:10 PM in Choicepoint.

April 15, 2005

Choicepoint, April 15

(Posted by adam)

My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.

Posted by adam on April 15, 2005 at 1:26 PM in Choicepoint.

Congratulations, Choicepoint!

(Posted by adam)

You've won the Big Brother award for Lifetime achievement!

It was a tough battle for top place this year, and while Choicepoint was the people's fave, we all know that those privacy elitists don't really care about the little people.

Other winners included California's Brittan Elementary. The Department of Education got worst government department, despite stiff competition from Homeland Security and the IRS.

So, Mr. Smith, now that you're at the very top, where do you go? New levels of cringe-inducement with that DNA database? Something the rest of us haven't even thought of? Or maybe it's time for new directions?

We're sure you're thinking about these big questions in private, and rest assured: We're not watching nearly as closely as you do.

Posted by adam on April 15, 2005 at 11:39 AM in Choicepoint.

April 14, 2005

Choicepoint, April 14

(Posted by adam)

  • Following yesterday's Congressional testimony, there's analysis by Thomas Greene in The Register, also in Internet News. The Atlanta Journal Constitution reports that Choicepoint VP Doug Curling, and LexisNexis President Kurt Stanford both seemed to come out as accepting of extending fair information practices to their businesses.

    The testimony prompted editorials in USA Today, and the Washington Post. Perhaps the best line, from Thomas Greene, is:

    FTC Chairwoman Deborah Platt Majoras advised the Committee to avoid over-notification. "Consumers will become numb to notices," she said.
    That's how bad it is, huh? We'll become numb if we knew the truth?

  • Bruce Schneier has insightful analysis at cnet.
  • According to this press release:
    The Identity Theft Resource Center (ITRC) announced today that ChoicePoint is partnering with the ITRC to combat identity theft via a four-year funding commitment to expand ITRC's current victim assistance and consumer education program.
    The ChoicePoint Foundation is paying $1 Million over 4 years. Congrats to the ITRC. I've mentioned a profile of the Foleys, who run the center.

    My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.

Posted by adam on April 14, 2005 at 2:05 PM in Choicepoint.

    April 13, 2005

    Rational Response?

    (Posted by adam)

    Sitting at a coffeeshop today, I listened to the fellow behind me try to get Dell and Equifax to agree to fix his credit. It seems that his father passed away recently, in debt to Dell over a computer. That debt is now on his credit report, despite his not being a co-signer for the loan.

    Over at Motley Fool, Rich Smith writes about "What, Me Worry About ID Theft?" He starts from Choicepoint and Lexis Nexis, and his thesis is:

    But what's even scarier is the utter complacency with which the victims of these attacks -- the owners of the social security numbers, driver's license numbers, and such like information that was stolen -- are reacting. Or rather, not reacting....there's just no logical reason why potential victims of ID theft would pass on an offer of free protection. No logical reason except one, that is: They just don't care.

    Hard as that is to fathom, it suggests that the data collection industry may escape this series of fiascoes without Congress imposing additional regulations on it. Voters who don't care enough about their own data security to accept an offer of free protection are not likely to be expending much effort lobbying Congress for tighter regulations.

    I tend to doubt claims that thousands of people are acting irrationally. I believe that there's a second logical reason not to bother with credit monitoring services: You're damned if you do, and damned if you don't. Watching your credit report is like the old description of war: Years of boredom punctuated by moments of terror.

    What would this fellow behind me have gained by watching his report? The knowledge that he had to go through this earlier. Does that really help? Does it help as much as a well-crafted new law might? Or even a reasonably-crafted one?

    People may well, and rationally, be spending their energy complaining to their Congressmen. The problem is a widespread abuse of the Social Security number as identifier and authenticator. People understand that, and resist giving them out. They're going to look to Congress for support.

    Posted by adam on April 13, 2005 at 7:32 PM in Choicepoint, ID Management.

    Choicepoint Roundup, April 13

    (Posted by adam)
    • Internet News has one of many reports on the latest breaches, this one titled "Feinstein Tightens ID Theft Proposal"
    • Bob Sullivan at MSNBC reports on background checks:
      But experts say the nationwide tallies are often full of holes, and contain as few as 70 percent of all felony conviction records, leading in turn to a false sense of security.
      ...

      "We've done tests, and the national databases have a 41 percent error rate," [Rhonda Taylor, CEO of Intellisense Corp] said.  "(There is) a glaring issue related to a false sense of security if that information is relied upon with no other investigative tools."

      (via Dave Evans.) Choicepoint missed at least 40 convicted criminals when they did the background checks for airport screeners, along with one guy who was a fan of Osama bin Laden.
    • The Atlanta Journal Constitution reports "Feds dependent on data brokers:"
      The FBI says it trains agents before they can use ChoicePoint's database to ensure the data isn't misused or abused. Hoofnagle disputed that, citing documents the obtained by the Privacy Information Center.

      "There was almost no evidence of controls to prevent agency employees from misusing the databases," he said.

    My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.

    Posted by adam on April 13, 2005 at 11:34 AM in Choicepoint.

    April 12, 2005

    Choicepoint's "Privacy" Officer

    (Posted by adam)

    Declan has some choice words about Choicepoint's new Credentialling, Compliance and privacy officer, in "Sidelining Homeland Security's privacy chief:"

    DiBattiste sounded like she was replying to a pesky reporter when she wrote back [To TSA Privacy Officer Nuala O'Connor Kelly]: "TSA Public Affairs has no information in response to your request."

    How fitting, then, that DiBattiste landed a plum $500,000-a-year job last month with privacy-impaired company ChoicePoint.

    (Via Ray Everett-Church's Privacy Clue; my previous commentary is in my March 8 roundup.)

    Posted by adam on April 12, 2005 at 10:14 PM in Choicepoint.

    59 breaches at Lexis-Nexis

    (Posted by adam)
    [T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services it said.
    (From CNN, or see the statement here.)

    So, let's review. A slew of people are trolling Lexis-Nexis' databases. They're not stealing identities. So what are they doing?

    One thing that springs to mind is that Lexis Nexis is providing the back end data for CAPPS-II, Secure Flight, and probably 'Trusted Traveller.' (No Place To Hide, pp 225.) So if a terrorist got hold of this data, then they might have 5,200 or so names, addresses, social security numbers, and everything else needed to impersonate people so that they'd be seen as 'clean' by Secure Flight. That could be worth a lot more than the few tens of thousands of dollars you might steal.

    Before the biometric cheerleading squad jumps out, please remember that we don't know if any of those 59 accounts that were used had update or corrections privileges into the database.

    Posted by adam on April 12, 2005 at 6:58 PM in Air Travel, Choicepoint, ID Management, breaches.

    Choicepoint, April 9-12

    (Posted by adam)
    • The Daily Caveat tells us that "Choicepoint Changes Access to Personal Data," and Research News has more.

      No word on what level of audits Choicepoint will be doing. It sounds like there will be a pulldown menu or checkboxes for "allowable uses," perhaps causing people to think for a bit, then get used to selecting one. Annoying to legitimate users, no impact on actual bad guys. Sounds like the perfect security theatre measure.

    • Michael Geist writes about the impact of a number of recent issues, including Choicepoint, in a column for the Toronto Star:
      The B.C. judge affirmed the importance attached to privacy protection but allowed the outsourcing arrangements largely because of a series of significant new protections introduced by Maximus in response to the public outcry.  These included a $35 million penalty for breach of confidentiality, extensive provisions to ensure that the data remained in the province, and a contractual term prohibiting disclosure of the data.
    • Delaware Online profiles victim Art Sullivan:
      "They gave me some tools to use so I can do this, I guess, for the rest of my life," Sullivan said. "It's almost become a part-time job for me."
    • Secondary Screening ties it all together:
      LexisNexis is sick of all the press ChoicePoint is getting and decided yesterday to one-up its competitor.
      "After all, no publicity is bad publicity"
    My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.

    Posted by adam on April 12, 2005 at 6:43 PM in Choicepoint.

    April 8, 2005

    Choicepoint, April 8

    (Posted by adam)

    • Choicepoint has been nominated for a lifetime Big Brother award. Best of luck, folks!
    • Prophet or Madman points to an article at Knowledge@Wharton about the issues raised by the case.
    • Robert Gellman has a column in DMnews "Out of the Frying Pan."
    • Choicepoint has announced their earnings call and webcast, on April 21. (Is 'before the market opens' typical? I recall calls being after market close.)
    • Computerworld carries an article by Alan Brill and Jason Paroff, executives at investigative firm Kroll Ontrack, "They can't steal data you don't have:"
      We have observed that some of the sensitive data that gets stolen fits into one of several categories:
      • Data that was never needed
      • Data that was needed but should never have been stored
      • Data that was originally needed but was kept far beyond its useful life
      • Data that should never have been stored in an unencrypted form
      At some point, the question "Did you consider not having this data" is going to become a standard part of lawsuits. If you're an IT manager, are you planning for that day?

    • Speaking of lawsuits, the Atlanta Journal Constitution reports on the class action suits from the affected parties:
      Consumer Eileen Goldberg, one of the people who received a notice from ChoicePoint, was the first to sue the company. The California resident showed the letter to her son, Michael Goldberg, a prominent class-action attorney in Los Angeles. After looking into the incident and the lack of regulation governing the data-brokering industry, Goldberg and fellow attorneys at Glancy Binkow & Goldberg decided they had a case based on fraud and negligence.

      ...
      In the meantime, the firms involved in the ChoicePoint suits are trolling for more plaintiffs. They've launched Web sites. They've issued news releases. And at some point, they may try to subpoena ChoicePoint for that list of 145,000 clients-in-waiting.

    My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.

    Posted by adam on April 8, 2005 at 11:20 AM in Choicepoint.

    April 7, 2005

    Choicepoint, April 3-7

    (Posted by adam)

    • Diebold, Choicepoint Partner to Offer Innovative Voting Technology was an April Fools item I forgot to blog:
      Alpharetta, GA - Diebold Election Systems and Choicepoint, Inc., today announced a joint venture that could revolutionize the voting market. The concept is simple: combine Diebold's demonstrated expertise in voting systems with Choicepoint's superior data-mining techniques to produce PredictaVote(TM) - the first 100 percent voter-free, predictive voting system.
    • The Orlando Sentinel discusses Florida's proposed disclosure law:
      "Virtually every state is now actively pursuing some type of legislation," said Judith Collins, director of the Identity Theft Crime & Research Lab at Michigan State University. "When something like this happens to Bank of America, people realize no business is immune."

      ...
      "Our concern is that you might have two sets of standards which are inconsistent," said Tom Cardwell, an Orlando lawyer and counsel for the Florida Bankers Association.

      "Consistency" here means "the weaker Federal standard," where the organization that's been breached decides.

    • The Coloradoan reports that Choicepoint is looking to contract for a call center, and includes the picture here. It makes me all warm and fuzzy to know that those call center employees probably use a password, and are, ummm, background checked before they can get a job. And no one could ever walk up to the wrong terminal, or see their terminal getting the wrong data and scripts. (photo V. Richard Haro/The Coloradoan; article via Call Center Digest.)

    • The Atlanta Journal Constitution reports that Carol DiBattiste, Choicepoint's new Chief Credentialing, Compliance and Privacy Officer, will be getting nearly a million dollars for her first year of work; $9,500 a week, a 350k bonus for 2005, and 100k if she stays through May, 2006. I see no reason to change my previous analysis.

    • The Kansas City Star has an interesting story (Use Bugmenot for a login.) about consumer advocates calling for State Farm to use Choicepoint's data to find current owners of vehicles whose wrecking wasn't properly disclosed:
      The groups accuse State Farm of foot-dragging to avoid bad publicity and to prevent lawyers from learning the names of victims and filing big suits. Consumer groups point out that any insurance company can purchase the names of vehicle owners from ChoicePoint, a data collection company with billions of records.

      A ChoicePoint spokeswoman says the company had no comment because the State Farm situation was "too sensitive."

      It seems Choicepoint is feeling burnt because they don't understand why the whole thing blew up in their face. This is a perfect opportunity to explain the benefits of their database.
      The settlement calls for State Farm to use ChoicePoint to identify the motorists.

      ...
      As for ChoicePoint, [Iowa consumer protection division lead William L.] Brauch said the data company's information is not as accurate as vehicle information the states keep. He said the states plan to use ChoicePoint "as a final check. But that is not the only way to locate these vehicles."

    • Finally, in today's Two Minutes Sardonic, Herestormwiththeweather offers "Cheers to Olatunji Oluwatosin,"
      Because of Oluwatosin's efforts coupled with California law that requires disclosure of compromises of user information, Choicepoint is finally receiving the scrutiny that they deserve.
    My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.

    Posted by adam on April 7, 2005 at 1:50 PM in Choicepoint.

    April 2, 2005

    Choicepoint, April 2

    (Posted by adam)

    • The Atlanta Journal Constitution has an editorial "ChoicePoint's offer not enough:"
      The better solution would be to prohibit companies such as ChoicePoint from warehousing personal information in the first place, since security has proved so problematic. Computerized collections of consumers' Social Security numbers, credit information, driving histories, medical and court records may make commerce more efficient, but they also present appealing targets to crooks.

      ChoicePoint's offer, made Wednesday in the California General Assembly, was not accompanied by specifics on how it would work or whether consumers would be charged for access. But consumers should not have to depend on voluntary action by the company. Rules should be written into law modeling federal regulations that already cover the major credit reporting companies: Equifax, Experian and TransUnion.

      It's not at all clear that the current rules don't cover Choicepoint, as EPIC points out.

    • Also in the Atlanta Journal Constitution, "ID thief receives 15 years in prison." I think this is a new case, and involves the use of Choicepoint to make sure the ID thieves only targeted the rich. (The poor, after all, are tough and chewy.)
      A College Park [Georgia] man was sentenced to more than 15 years in prison Friday for his role in an identity theft scam in which he used data from ChoicePoint, the Alpharetta consumer information firm, to help target victims, prosecutors said.

      Robert Stewart, 33, received a 190-month prison term in federal District Court based on a guilty plea entered earlier. According to testimony, he worked with nine others to defraud banks and other companies of about $1.3 million, using stolen identities to cash counterfeit checks.

      The U.S. attorney's office, in a news release, said Stewart stole identities through jobs he held at various companies in the Atlanta area, including at a company screening job applicants for the Transportation Security Administration.

    • Finally, I've posted some commentary on "Information Security Magazine on Choicepoint." The post is too long and tangential to include in the category archive.
    For more on Choicepoint, see the Choicepoint category.

    Posted by adam on April 2, 2005 at 1:07 PM in Choicepoint.

    April 1, 2005

    Choicepoint Acquires Emergent Chaos

    (Posted by adam)

    Alpharetta, Georgia, April 1 /PRNewsWire/ Alpharetta-based information broker Choicepoint today announced its intent to acquire the blog "EmergentChaos," citing market synergies, cost reductions, and new revenue opportunities.

    Financial terms of the deal were not disclosed, but Choicepoint CEO Derek Smith said "We knew just which buttons to push."

    Emergent Chaos is a weblog, or "blog," with a focus on security and privacy issues. The lead author has lately been covering Choicepoint, much to his dismay. He said "Our shareholders are excited by the value creation inherent in this event, and we look forward to our better understanding of our readership, and the customization that will now be possible for you, Mr !E_USER_NOT_FOUND!."

    Choicepoint spokesperson Chuck Jones stated "We expect some cost reductions, and have advised the employee of this."

    Privacy advocate Ian Goldberg said "I suppose, if you can't beat 'em, join 'em!"

    The acquisition is subject to customary closing conditions. Choicepoint anticipates that the acquisition will close slightly before Hell freezes over.

    Posted by adam on April 1, 2005 at 7:53 AM in Choicepoint.

    March 31, 2005

    Choicepoint, March 29-31

    (Posted by adam)

    • Alacrablog discusses a Morgan Stanley research report:
      Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers.
      There's also an interesting post rounding up the SIA Anti-Money Laundering conference.
    • The Atlanta Business Journal reports that the Georgia House has passed a notification law.
    • Choicepoint may be developing an access system, according to a March 31 AP story that's only been picked up by the Kansas City Star (bugmenot has logins):
      "You will receive the reports that we have on you," Don McGuffey, the firm's vice president for data acquisition, told the state's Senate's Banking, Finance and Insurance Committee on Wednesday.
      It doesn't seem that they'll be moving towards the right of correction. Rather, you need to convince whoever reported bad data to correct it, and they will update Choicepoint. (Based on past evidence.) Compare this to credit reporting agencies, who have to include your corrections or disputes. Michael Zimmer has comments as well.
    • Bruce Schneier quotes a Register article:
      Sadly, Congress's response has been to increase the penalties for identity theft, rather than to regulate access to, and use of, personal data by merchants, marketers, and data miners. Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner.

      For this reason, it's literally impossible for an individual to prevent identity theft and credit card fraud, and it will remain impossible until Congress sees fit to regulate the privacy invasion industry.

    • and Mark Earnest makes a similar point.
    • Finally, today's Two Minutes Hate Irony is brought to you by "Ayn Rand is my Homegirl," carrying a press release from
      Executive Alliance, Inc., the premier provider of leadership-recognition forums, today announced that it has named the Distinguished Panel of Judges for the first annual Information Security Executive of the Year (ISE) Midwest Awards(TM) 2005
      The judges panel includes:
      Rich Baich, Chief Information Security Officer Winner of the 2004 ISE in Georgia Award™ ChoicePoint ... Leo Cronin, Senior Director, Information Security Finalist of the 2004 ISE National Awards™ LexisNexis Group
      Apparently, UC Berkeley doesn't have a CSO.
    My Choicepoint posts all show up in the Choicepoint category archive.

    Posted by adam on March 31, 2005 at 10:30 AM in Choicepoint.

    March 28, 2005

    Choicepoint, March 27-28

    (Posted by adam)

    • EPIC has obtained documents which...
      ... reveal that Choicepoint proposed the sale of detailed personal information to the Bureau for law enforcement purposes. The documents show an extraordinary range of data sources, including e-mail registration, cookies, spyware, employment screening reports, motor vehicle records, drug screening results, professional licensing, Social Security Numbers, wireless phones records, and calling card data. One memo also discussed the availability of information on Europeans, Latin Americans, Asians, and Africans.
      (Via McGeek) Choicepoint, meanwhile denies that this is against the law, but not that the offer was on the table.
    • Hank Asher, founder of Database Technologies (involved in the Florida voting scandal) and later Seisint, makers of MATRIX, has settled five lawsuits with various companies, including Choicepoint, according to this mysterious press release. Some lists of motions are online. (Thanks N!) South Florida Business Journal has an article:
      "A big part of why I settled the case is it would take three, four, five years to litigate," Asher said. "I don't know how much will be left of them [ChoicePoint]."
    • Former Wal-Mart director Thomas Coughlin, who has resigned after improprieties, remains in charge of Choicepoint's Audit committee, according to the Atlanta Journal Constitution.
    The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

    Posted by adam on March 28, 2005 at 11:24 PM in Choicepoint.

    March 26, 2005

    Choicepoint, March 24/25

    (Posted by adam)

    • The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches.
    • Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart: "A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards."
    • [Choicepoint CEO] Derek Smith has apparently received threats via fax, according to TV station WXIA Atlanta. Here's a cheat sheet for you:
      • Denying his job application because of a Texas criminal record: Entertaining.
      • Sending him Nigerian spam from a Kinko's in LA: Self-referentially ironically cool.
      • Sending threats: Not cool.
    • Scott Berinato has a column at CSO Magazine calling this the Waterloo of information security. (Is there a permalink to that column?)
    • The Christian Science Monitor has an editorial entitled "Locking Out Identity Thieves." The subtitle is "Why are data collectors blocking efforts to require notice of a security breach?"
      One problem that critics point out: Consumers might also limit their own ability to obtain credit. But that's a small price to pay for privacy and a more secure online identity.
    The best way to see all my Choicepoint posts is probably the category archive for Choicepoint. [Update: added Berinato column, 2: Identified Smith]

    Posted by adam on March 26, 2005 at 9:59 AM in Choicepoint.

    March 23, 2005

    Choicepoint, March 22/23

    (Posted by adam)

    • The Daily Caveat rounds up the five shareholder lawsuits against Choicepoint.
    • The Atlanta Business Journal has an article on Choicepoint's executive compensation.
    • Kim Zetter at Wired has a 3 page story on Choicepoint's Checks Under Fire.
    • CNN reports that only 11% of id theft occurs online.

      Well, actually, there might be some methodological problems. It's hard to tell, since the survey costs $1,500. First, consumers often have mistaken information about security issues. Second, it's not clear if this was a survey of consumers who had suffered ID theft, or if second-hand data was accepted. No comparison to FTC data is provided.

      The telephone survey of 4,000 consumers was done by the Better Business Bureau, and funded by eMarketer online. I called Sheila Adkins, CBBB's Associate Director, Public Affairs, who called back, and gave me other folks to talk to. Not yet sure if I'll track this down for analysis.

    • LiberalDesert writes about how the Social Security administration has better customer service than the big three credit agencies.
    • Finally, today's Two Minutes Hate, while not really Choicepoint related, comes to you from ... Freedom is Slavery. How could I argue with MinTrue?
    The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

    Posted by adam on March 23, 2005 at 11:36 AM in Choicepoint.

    March 21, 2005

    Choicepoint, March 21

    (Posted by adam)
    • Businessweek has an editorial, saying strong regulation is unlikely, but credit freezes, mandatory disclosure, and liability for breaches should come. (I'd argue that liability for inaccuracy, creating a duty to the subjects of a database should also be considered a floor for a new law.)
    • EPIC has written to the FTC, critiquing their testimony. (Via Consumeraffairs.com.)
    • It seems that Choicepoint owns Rapsheets.com, the company providing back-end data for investigate-your-date company true.com. (From the Desert Dispatch, via Kathryn Lord.) Note that Choicepoint also has a bad habit of reporting erroneous criminal histories.
    • In the fallout department, IRBSearch has taken to truncating SSNs, according to The Daily Caveat, a PI blog.
    • Bob Sullivan at MSNBC turns a skeptical eye towards ID theft insurance and monitoring services.
    • Screendiscussion has some thoughtful and interesting discussion of background check related issues. His writing style resonates with me more than many of the other PI and screening industry folks whose blogs I've come across.
    The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

    Posted by adam on March 21, 2005 at 8:51 PM in Choicepoint.

    March 20, 2005

    Choicepoint, March 20

    (Posted by adam)

    • Susan Kuchinskas writes "No Security in SSNs?" for Internetnews.
      Credit bureaus and information brokers will doubtless lobby Congress, saying changes to the rules will hurt their business. But Solove said their voices might not carry as much weight as they used to.

      "They had their chance. They weakened the legislation, and, as a result, more than 10 million citizens are victims of identity theft every year," Solove said. "They got what they wanted, and it didn't work."

    • Right Justified wants to know if Choicepoint is building their fingerprint database when you go for a concealed carry permit.
    • The Wisconsin State Journal has a profile of Jay and Linda Foley, who run the ID Theft Resource Center.
    • CAR Report (computer assisted reporting) comments that journalists are going to lose easy access to social security numbers, saying "I rarely read or hear a story on this issue in which someone points out that access to SSNs makes it much easier for journalists to report on crime, corruption and mismanagement."
    • Finally, today's Two Minutes Hate comes to you from Plastic Noodle.
    My Choicepoint posts now have a category archive (all posts on a single page), or you can pick and choose.

    Posted by adam on March 20, 2005 at 11:00 AM in Choicepoint.

    March 19, 2005

    Choicepoint, March 19

    (Posted by adam)

    • Not In Chicago Anymore comments on Handling of Credit Related Information, and some of the possible repercussions of new law.
    • Ryan Singel at Secondary Screening points out in "Popcorn, popcorn" that (Choicepoint Vice President) McGuffey testified under oath that he told (CPS President) Doug Curling about the investigation in November, which would mean that Curling knew about the issue as he sold his company's stock. I don't know enough securities law to know if he should or could have stopped selling based on that non-public information, if he got it after he filed the plan.
    • Jim Horning points to a USACM public policy blog post in "Momentum Turns Toward Privacy Protection."
    • According to research firm Financial Insights, 6% of respondents to their survey had switched banks in an attempt to reduce their risk of being a victim of ID Theft. Reported in Information Week.

      I must admit, I've considered doing this, but it's such a pain to find a bank that keeps everything on paper these days.

    • Westlaw will constrain some access to social security numbers, according to lots of stories, including Cnet.

      Pundits predict the imminent collapse of civilization, and a doubling of mortgage interest rates as US businesses fail to adapt.

    • Your PI News hopes that backsplash from Choicepoint's errors won't crush the PI industry in "Public Thoughts on Privacy."
    • Random Fate has a long post on accountability, the growth of bad laws, and incidentally, Choicepoint, entitled "For whose benefit is the law and the government?"
    • Finally, today's Two Minutes Hate comes to you from The Samuel Taylor Coleridge Foundation blog, in "You're Only A Commodity..."
    My Choicepoint posts now have a category archive, or you can see them listed in this roundup post.

    Posted by adam on March 19, 2005 at 11:11 AM in Choicepoint.

    March 18, 2005

    Choicepoint, March 18

    (Posted by adam)
    • ChoicePoint's data bonanza lures thieves, in the Atlanta Journal Constitution.
    • The Q Speaks asks what have we wrought in "ID theft writ large."
    • In another example of what we have wrought, "the Fairfax County's School Board awarded a contract Thursday night to ChoicePoint, Inc., for testing student athletes and bus drivers for drug and alcohol use." (Story in "The Connection" newspaper.)

      Regardless of whether you think this testing is a good idea, the students whose names, addresses, and social security numbers will be sent to Choicepoint have no say in the matter. The bus drivers might quit, but what are the students to do? Drop out of school?

    • Fear of ID theft is on the rise, says the Ponemon Institute, according to a story in GlobeTechnology.
    • Finally, today's Two Minutes Hate comes to you from ... Now I'm Pissed.
    Posted by adam on March 18, 2005 at 11:07 AM in Choicepoint.

    March 17, 2005

    Choicepoint, March 17

    (Posted by adam)

    Posted by adam on March 17, 2005 at 11:09 AM in Choicepoint.

    March 16, 2005

    Choicepoint, March 16

    (Posted by adam)

    • The House Energy and Commerce committee held hearings. Thanks to Ryan Singel for letting me know they were webcast. Payments News points to the written testimonies of Choicepoint and LexisNexis.
      "Let me begin by offering an apology on behalf of our company and my own personal apology to those consumers whose information may have been accessed by the criminals whose fraudulent activity ChoicePoint failed to prevent," Smith said.

      ...
      "What we're hearing today is an industry still in denial, still doesn't recognize how many Americans value their privacy and are hoping to ride out this standard without having Congress make the changes necessary," said Markey.

      And what a convoluted apology! How about "to those Americans who are worried about identity theft because we made a mistake?"
    • Hearing coverage from: Declan McCullagh (CNET), Bob Sullivan (MSNBC), or Ryan Singel (Secondary Screening).
    • During the hearing, Mr. Kurt P. Sanford, President and CEO, U.S. Corporate and Federal Government Markets, LexisNexis, mentioned a form that allows special classes of people (law enforcement officers, public officials whose job carries a threat of imminent harm; victims of identity theft; or those who "are at risk of physical harm.") to get out of the databases. However, that form is not only obscure, in that you have to know that LN offers such a thing; it is also hard to find. It's here.
    • The Contracts Blog posts a bunch of contracts that may interest you. (Actually, he posted this way back in February, but I'd missed it.)
    • PI News and Information sees the risk to their profession, and also carries a press release from the National Council of Investigation and Security Services.
    • Finally, today's Two Minutes Hate comes to you from Congressman Ed Markey (.doc) or listen to the mp3.
    My previous Choicepoint coverage includes roundups and analysis.

    Posted by adam on March 16, 2005 at 11:48 AM in Choicepoint.

    March 15, 2005

    Choicepoint, March 15

    (Posted by adam)

    • The LA Times has more on what happened, and Choicepoint's controls.
    • A great many people feel that this is a compelling story. I enjoyed reading the spouter inn.
    • Finally, today's Two Minutes Hate comes to you from Futurismic.
    I've been covering Choicepoint issues since the scandal broke.

    Posted by adam on March 15, 2005 at 1:08 PM in Choicepoint.

    March 14, 2005