The other 2.1 million people, apparently, should be reassured that their personal medical data was stolen, but the University feels it would be hard to read, and, well, there's no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.
There's some analysis of how hard it would be to read the tapes. I'm skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?
The Breach Blog feels differently. In "University of Miami reports stolen tapes affecting patients," he digs into the likelihood of the data being accessed.
Now, the University claims that the tapes are in a "complex and proprietary format," which seems to be "Tivoli Storage Management" from IBM. Now, Tivoli Storage Manager has encryption capabilities (page 3 of this PDF). I'm curious why that wasn't in use.
Also, looking around, I found this quote at an IBM partner site:
Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.
Until I hear more, I'm skeptical of the University's claims. I don't believe, and I have not believed for a long time, that breach notices are about identity theft. They're about the performance of a promise to protect information.
(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)
I have two clients who are asking me to investigate matters with Choice Point as it relates to inaccurate employment records provided to prospective employers. I am seeking persons who have similar experiences to determine a "pattern and practice" on the part of Choice Point.
I don't know Mr. Lyons, but I can't imagine anyone would object to "more informed, more timely decisions that positively impact society." Feel free to get in touch with him.
Now WATE in Knoxville, TN, reports that "Anderson Co. man finds credit report error:"
At his insurance company's request, ChoicePoint gathered the sum total of Ray's credit, what he owes for his car, his house, credit cards and other purchases. "It says my grand total of indebtedness is $426,000. That's about five times what I currently owe," Ray says.
Some debts Ray paid off showed as though they hadn't been paid at all. "This was a boat loan" for $50,000, Ray says. "I paid it off over a year ago."
He also says he went online to ChoicePoint, filed a dispute and spoke with company officials. "My data had not been updated. It was incorrect. My employer was incorrect," Ray says.
...
ChoicePoint disputes that any errors were made.
See also my May 2005 posting, "Choicepoint Analyses:"
Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the "garbage in, garbage out" problem, has been defined away.
And finally, don't forget Deborah Pierce's work in "Data Aggregators: A Study of Data Quality and Responsiveness:"
100% of the reports given out by ChoicePoint had at least one error in them.
The deep trouble here is not that Choicepoint reports are inaccurate (although that seems to be a problem based on impartial reports). The trouble is the accountability disconnect between data collection, aggregation, and use. No one takes responsibility for the decisions that are made based on bad data.
[Update: Just after posting this, I came across "Where’s Waldo? Spotting the Terrorist using Data Broker Information:"
In its coverage of the issue, the Ottawa Citizen reported that since September 2001, the RCMP has been buying and retaining this kind of personal information from data brokers, and in some instances may have forwarded that information to U.S. law enforcement.
Good thing Ray's inaccurate data was "only" used to deny him credit.]
[Update 2: Choicepoint's Chuck Jones disagrees; please see comments.]
Or so "Shipcompliant" would have us believe, with a blog post entitled "Free the Grapes! Updates Wine Industry Code for Direct Shipping Practices."
The new addition to the Code is step 4, which specifies that wineries should verify the age of the purchaser of the wine at the time of transaction for all off-site transactions (Internet, phone, mail, fax, etc.). This can be done either by obtaining a photocopy of the purchaser’s drivers license or by using an approved online age verification vendor such as ChoicePoint or IDology.
So to protect themselves from liability, wine merchants who sign up for this code will be putting their customers at risk. Of course, the code already says:
Free the Grapes! encourages licensees to contract only with shippers who check the identification of recipients at the time of delivery to ensure that the recipient is 21 years of age or older.
So there's no reason to add this step. The very next step ensures that wine won't get into the hands of our corruptible youth.
This is two steps backwards: We're creating more work for the wineries and wine sellers, exposing their customers to increased risk of privacy violations, and all to cover a risk that's already covered.
Free the grapes? How about free the people from this nonsense?
Photo: "A sculpture commemorating the wine press and its importance to California history in Golden Gate Park near the De Young Museum of Fine Arts (6)" by mharrsch.
ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005.
Choicepoint's losses are a severe outlier. As I said in March, 2005, "Why Choicepoint Resonates:" It's now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I'd like to think back, and ask, why does this story have legs? Why are reporters still covering it?
There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers. I still think my analysis is decent, and that any serious statistical analysis of breach costs must show "without Choicepoint" numbers.
[Update: Clarified title, which attributed all expenses to the breach.]
Topping the list, Vodafone has been fined $100M (€76M) for failing to protect 106 mobile accounts. "Greek Scandal Sees Vodafone fined" at the BBC, via Flying Penguin.
On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers in the US. None of that money would go to those whose privacy was invaded. ("Driver Data Lawsuits Settlement Proposed.")
Pop quiz: Which do you think will influence behavior more?
Photo: Peeping Dog, by ErinV.
Jessica Rich, assistant director of the FTC's division of privacy and identity theft, said in a statement released to AP on Wednesday that "law enforcement is still identifying victims and we want to make sure we have the right people."
(From the AP, "FTC Yet To Pay Choicepoint Victims.")
"Well, first they said, 'Something was wrong with your background check,'" she said. "I said, 'What is wrong with it? What is wrong with my background check?'"Oh, the irony.ChoicePoint found out that Smith was convicted of identity theft 10 years ago and sentenced to three years' probation.
The problem? It wasn't the correct Smith.
It is factually incorrect to describe ChoicePoint or its subsidiary, Bode Technology Group, as attempting to "amass a DNA database." Bode's clients are almost entirely government laboratories that are trying to solve crimes and identify victims as well as felony offenders. The samples provided to Bode for analysis are identified by a case number and Bode's work does not reveal information about race, hair or eye color, national origin or medical conditions. DNA analysis is done simply to develop a profile that can be used to determine if two people are related or the sample matches a suspect. In no circumstance, however, does Bode "own" any data, samples or any other material and never maintains permanent custody of any sample.
The only centralized databases of DNA profiles are managed by the FBI and its counterparts in the states, not by Bode. Bode is not now nor has it ever been in the business of amassing DNA data and selling it wholesale or otherwise to any government agency. Instead, the men and women of Bode are responsible for making DNA-based identifications where no one else has been able and bringing criminals to account for their crimes.
Matt actually sent that over two weeks ago, and I have a number of operational questions about it, such as: Is the data identified only by a case number? Could it be correlated with other data? Is the question of relation given as "sample A, sample B?" or is one sample named? What data does Bode retain after the sample is destroyed or returned? Presumably, there's some data kept to enable Bode or its representatives to testify in court. However, I'm swamped with other things, and despite my interest in the questions, I don't have a lot of time to pursue them.
However, I remain glad that "amassing a DNA database and selling the contents to the government is something even Choicepoint doesn't expect will become profitable," even if that was a mis-understanding of their plans.
ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ -- ChoicePoint (NYSE: CPS - News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the decision to divest businesses that either do not fit within the new strategic direction or are unlikely to gain critical mass in the marketplace under ChoicePoint's ownership. This process is ongoing and is expected to continue throughout 2006. Included in the announced divestiture plan are ChoicePoint's direct marketing, forensic DNA and shareholder services businesses.
I'm glad to discover that amassing a DNA database and selling the contents to the government is something even Choicepoint doesn't expect will become profitable. I'm also glad that they're owning up to mistakes. Now let's see if we can see some fair information practices around the rest of their services.
See other analysis in Direct Marketing News or the Boston Globe.
Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company's CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly "to ensure we're hitting every aspect of security and privacy," says DiBattiste.
"One of the lessons we learned is that security is a moving target," she says. "The bad guys move too. So we have to constantly be in touch with the things we need to be doing to respond."
So ends an article "Choicepoint's Lessons Learned" in Baseline.
They learned that in 2006?
Maybe they should be attending Blackhat, or Defcon. I hear tell Defcon has some ATMs that they could use.
Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas are illegal, according to an Associated Press article on Chron.com.
A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still surveying agents around the United States, but so far has found no "systemic" use of data brokers by the FBI.
That's from the CSO Blog, "Data Brokers May Act Illegally." In other news, "ChoicePoint-FBI Deal Raises New Privacy Questions."
So what are we paying for?
Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What's the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.
For example, we know of 800 ID thefts from the 167,000 Choicepoint victims, all of which happened before notification. We don't know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves, here at Emergent Chaos, the Privacy Rights Clearinghouse "Chronology of Data Breaches," and Attrition.org's Dataloss list. There are also regular reports through ISN, and Dave Farber's Interesting People List.
While we're happy that there are amateur efforts, it's hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who's gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.
"Dam Water" photo by Ed Hidden.

This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration's Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI -- though it is better described as the creation of a private KGB.
The leader in the field of what is called "data mining," is a company called, "ChoicePoint, Inc," which has sucked up over a billion dollars in national security contracts.
Read "The Spies Who Shag Us," by Greg Palast. Don't miss the bits about who's the number one supplier of DNA to the FBI.

Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not.
Wow. Fifteen months since Choicepoint, and that's being written? There's a new set of expectations out there, and it hasn't taken long to set. Thank you, Choicepoint. The quote leads an article, "Are Banks Required To Give Notice of Database Hacks?" on San Diego Business Lawfirm.
Thanks to the Privacy Law Blog, we know that Arizona and Colorado have passed new breach notice laws. Arizona has taken a broad definition of breach in Senate Bill 1338:
"Security Breach" means "an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information... and that causes or is reasonably likely to cause substantial economic loss to an individual."Colorado meanwhile, has enacted House Bill 1119, which contains a "fox guards the henhouse, and sits in the alarm booth" clause:
The new law requires businesses to conduct, in good faith, a reasonable and prompt investigation into a security breach, and unless it determines that misuse of the personal information has not occurred and is not reasonably likely to occur...
I think it would be remarkably risky to invoke that clause. Businesses should ask, who owns that liability if someone makes a mistake? The Center For Policy Alternatives has Model Identity Theft Legislation that doesn't contain this clause. In my non-lawyerly opinion, that speaks to the new norms, and the burden of proof that companies are being asked to develop in a short time, under extreme pressure. Who wants these clauses, anyway?
These questions hold up a national law, according to Computerworld, "Analysis: Data breach notification law unlikely this year." Such delays are a good thing, because they give the new norm time to set, and for people to become accustomed to breach notices.
The overflowing dam photo is by Firesign, on Flickr. Come to think of it, maybe an overflowing dam is a better metaphor than a breached one: there's so much data collected that organizations can't hope to control it?

The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff's detective who he thought was a 14-year-old girl, the Polk County Sheriff's Office said.
Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. and charged with seven counts of using a computer to seduce a child and 16 counts of transmitting harmful materials to a minor, according to a sheriff's office statement.
See "DHS Spokesman Is Accused of Soliciting Teen Online" at the Washington Post.
While I hate to make light of such a disturbing story, it's a good thing Choicepoint screened all those TSA employees, to make sure no bad people get through. (Doyle worked for TSA before moving to DHS.)
Google CEO Eric Schmidt said "We're always on the look-out for large databases that we can use to better serve our customers. We used to have access to Choicepoint's data, but the "due diligence" people they kept sending would burst into flames the minute they hit our "no evil" barrier. After seven or eight of those, we couldn't believe it was coincidence any longer, so we just bought them."
Choicepoint CEO Derek Smith (according to the merged database, the two are 17th cousins, three times removed) said "Our missions are remarkably similar. We bring in every scrap of data we can, and never throw anything away."
"I fully support the synergies and customer choice made possible by the merger,' said Chris Hoofnagle, privacy advocate and newly-appointed director of privacy oversight for the program. 'The merger will bring value to consumers and shareholders, and it has pre-approval from Truste.'
The move is expected to substantially improve Google's relationship with governments around the world.

How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There's nothing wrong with that on the surface. But we wondered how True.com could know which version of its e-mails to send to which users?
So writes Hannah Rosenbaum in "True.com Uses Adult List to Send Targeted Valentine's Day E-mail." I'm going to disagree. It is wrong to track the color of people's skin and use it as part of your decision making process. It's wrong at the surface, and it's wrong in very deep ways. It may even be wrong with explicit consent, which 'True' certainly didn't have.
Speaking of wrong, I'd mentioned the lovely people at 'true' before, in "Choicepoint, March 21." I wonder if their data on race is any better than their criminal background histories? Siteadvisor's one data point per person is a beautiful way to watch the flow of data behind the scenes, but it fails to capture the rich tapestries of our lives, the poor quality of the data (what we used to call garbage-in, garbage-out), or how companies cope with the chaos.
Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by "unauthorized third parties," according to ChoicePoint spokesman James Lee.
California law requires firms to disclose such incidents to the state's consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.
Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.
I raised the question of other states the next day on a panel at the RSA Conference, and have been getting mileage out of Choicepoint and breaches ever since. I'd like to take a moment to look back at what's happened, what we've learned, and yes, to honestly thank Choicepoint for the dramatic changes in international privacy law and norms that they've brought about. Derek Smith, Choicepoint's CEO, had been fond of calling for a national debate. I don't think he anticipated the answers that debate has produced.
Atlanta-based data aggregator ChoicePoint today agreed to pay $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans.
The settlement addresses a pair of lawsuits filed against ChoicePoint by the Federal Trade Commission and represents the largest civil penalty ever obtained by the agency.
Via Brian Krebs at the Security Fix blog.
TAMPA - Andrea Davis can't understand what two flat tires and leaving the keys in her car have to do with being rejected for auto insurance. The answer lies in the optional emergency road service coverage the Lutz resident was persuaded to buy from her insurer, Geico, for $12 a year. The bargain rate, one-fifth the cost of emergency road service from AAA, turned out to be no bargain at all....
"They said I had too many claims," said Davis, a public relations manager with a perfect driving record. "I didn't meet their eligibility requirements."
...
Insurance companies use a centralized database with tens of millions of records on U.S. motorists called Comprehensive Loss Underwriting Exchange. The data are maintained by Atlanta-area-based ChoicePoint, one of the country's biggest compilers of consumer data.
Along with several other data brokers, ChoicePoint has been accused in Florida of violating the federal Drivers Privacy Protection Act by selling motor vehicle records to marketers and other inappropriate buyers. (The act was designed to keep burglars and stalkers from obtaining motorists' home addresses based on license plates they spotted on the road.) A request for class-action certification is pending in federal court.
The California DMV says it first heard from ChoicePoint in October 2004, when the company requested access to all drivers' license records. The state rejected the request out of hand, says Armando Botello, a DMV spokesman.
From LA Times, "Big Data Broker Eyes DMV Records."
The article, which relies on heavily redacted documents acquired through an open government request, raises questions about whether the Privacy Act -- which largely prevents secret databases on American citizens -- means anything if the government can simply outsource that data collection to a company like ChoicePoint.
If you're surprised that the US has no effective privacy law, I suggest you read more of the archives.
ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud.
The story comes from the company's latest 10-Q filing, which also lists an increase in "goodwill" from $824 million to $908 million. (Thus the title, which is courtesy of Rob.) Close watchers of the company might be interested in the "10. Goodwill and Intangible Assets" section, which explains that the newfound goodwill is a result of various acquisitions, and also puts some value on "Purchased data files." Also of interest in any modern Choicepoint SEC filing is the "legal proceedings" section.
Well, I've tried going cold turkey, but wasn't getting positive reinforcement, so I stopped.
Now that that's out of the way.
Illinois authorities conducted quality checks on 51 of 1,200 rape kits Bode had said contained no semen, Brown said. They discovered that 11 of the tests, or nearly 22 percent, had simply failed to detect the semen.
A Nigerian man who pleaded no contest earlier this year for his role in a fraud ring that stole data from ChoicePoint Inc. has pleaded not guilty to six new charges, authorities said.
Olatunji Oluwatosin, 42, was charged last week in Superior Court and has pleaded not guilty to additional counts of identity theft, conspiracy and grand theft. If convicted of all the charges, he could face up to 18 years in prison.
Elizabeth Rosen was plenty angry when ChoicePoint Inc. sent her a form letter acknowledging that crooks might have perused some of her most sensitive personal and financial data.
But the Hollywood nurse was flabbergasted when the company, one of the nation's largest collectors of consumer records, also offered to sell her some of the same information so she could see what might have been compromised.
He goes on to discuss the petulant manner in which the industry is implementing the FACTA rules:
"We don't make use of domain names that are close to, or are misspellings of, 'annualcreditreport' to try to create business," said TrueCredit President John Danaher. Asked about TransUnion's use of "annualcreditmonitoringreport," Danaher said: "That doesn't have the words 'free, annual' in it."
I should also mention that I had a good time at the Detroit IT Security Summit. I thought there was an interesting and broad selection of panelists, including some technical people and some senior managers. I didn't get to talk to as many folks as I might have liked, but that's always the case.
FEMA halted tractor trailers hauling water to a supply staging area in Alexandria, Louisiana[.] The New York Times quoted William Vines, former mayor of Fort Smith, Arkansas, as saying, "FEMA would not let the trucks unload. . . . The drivers were stuck for several days on the side of the road" because, he said, they did not have a "tasker number." He added, "What in the world is a tasker number? I have no idea. It's just paperwork and it's ridiculous."
Paperwork should not take precedence over helping those in need in a time of crisis. And just as we should trim our bureaucracy to allow a more effective disaster response, so too should we make sure that law enforcement officers charged with protecting us from terrorists are not shackled by red tape.
He's right about that; the officers should not be shackled by red tape. They should, however, be under close scrutiny: their actions must be monitored in light of the long history of abuses by American domestic intelligence agencies. It's not an easy balance to strike.
On a closely related note, The Canadian Privacy Law Blog points to a story, "Florida cop misused data, ChoicePoint claims." That's actually a fascinating story of how Choicepoint is improving their internal audit practices, which is also covered in the AP's "ChoicePoint Seeks an Anti-Fraud Balance." That's another good story on how Choicepoint is actively interacting with their customers to make sure that they're selling to real businesses. It also contains the wonderfully ironic bit of a private investigator complaining:
Cynthia Hetherington, a private investigator in New Jersey, had to send ChoicePoint a copy of her investigator's license twice. The company agent also wanted bank account information "and stuff that has nothing to do with my credentials or the nature of my business."
"It's absolutely intrusive," she said.
I nearly said something about 'experimental confirmation' here, because it's such a seductive statement, even if it's wrong. Good experiments only strengthen a theory when they have the power to disprove it. An increase in 2nd term scandal could be caused by things other than the 22nd Amendment. Campaign finance laws spring to mind.
So it is not an academic matter when I say that what I took to be the basic rationale for the war still strikes me as sound. Iraq was a policy problem that we could evade in words but not escape in reality. But what I did not know then that I do know now is just how incompetent we would be at carrying out that task. And that's what prevents me from answering this question with an unhesitating yes.
(Via P "No longer blogging" C.)
Bruce Schneier mysteriously titles a post "Russia's Black-Market Data Trade." But it's not clear to me that this is black-market at all. Does Russia have a data protection law? Quoting from The Globe and Mail:
At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner considers his options: $43 for a mobile phone company's list of subscribers? Or $100 for a database of vehicles registered in the Moscow region?
The vehicle database proves irresistible. It appears to contain names, birthdays, passport numbers, addresses, telephone numbers, descriptions of vehicles, and vehicle identification (VIN) numbers for every driver in Moscow.
Is this so different from Choicepoint's AutoTrackXP? (Sales of which are now "restricted.")
The survey also found nearly all Americans think identity theft and spyware are serious problems, but only 28 percent think the government is doing enough to address the issues. About 70 percent said new laws are necessary to protect consumer privacy....
The survey reflects people's frustration, Douglas said. "Americans feel helpless. ... People are crying out for Congress to put power back in their hands, but until lawmakers finally decide whose information it is, who has the right to their own information, (frustration) is what we have."
Another finding of the survey: The people questioned said they held low opinions towards the Federal Trade Commission, which protects consumers against Internet fraud.
That’s exactly what happened to a man named Steven Calderon. He had a clean record, and had done nothing wrong. His new employer did a routine background check using the services of ChoicePoint. What happened next? The local sheriff came to his office and arrested him for warrants of child molestation and rape.
Baseline Mag has a long story, The Rising Threat from Bad Data
You have in the past said that what happened at ChoicePoint was not really a security breach. Then what was it? It all comes down to how you define a breach and how you define an incident. This was fraud. Someone fraudulently provided authentication to the system. It's no different than credit card theft and credit card fraud. Those are never referenced as IT-related issues though they happen millions of times every year. In fraud terms, it's called an account takeover. And that's what occurred. All I was trying to do was educate the press more than anything else that this was not what everyone would call a traditional hack.
Well, would you believe a little different? Given that Choicepoint sells services to prevent these things?
On Friday, ChoicePoint spokeswoman Kristen McCaughan said the Alpharetta, Ga.-based data broker has not yet completed the changes. "It is ongoing," she said. McCaughan could not say when ChoicePoint expects to be able to announce that it has completed the process. "I don't think it is going to be anytime in the near future," she said.
Read "ChoicePoint overhaul falls behind."
"IRS announces plans to be the butt of three consecutive days of "Daily Show" jokes." So headlines John Paczkowski's post at Good Morning Silicon Valley.
"In fact, we've gone beyond our announced commitments to make substantial changes in the past 90 days," ChoicePoint spokesman Dan McGinn said in an e-mail late Tuesday.The Alpharetta, Ga.-based data broker is clarifying its position after a spokeswoman told News.com on Friday that the transition process was ongoing and that it would be some time before the company could announce its completion.
...
"ChoicePoint has absolutely fulfilled its obligation to do what it said it would do in the 90-day period," McGinn said, noting that the company has actually gone beyond the goals it initially set for itself.
In related news, Choicepoint announced that they didn't even have to notify California customers, because the law says to notify when "any one or more" of the data elements, not "all." (Speaking of Choicepoint announcements, we never hear from spokesperson Chuck Jones anymore.)
Government Hopes to Stop Calling Back Immigrants; Mr. Al-Shankiti's Saga
By BARRY NEWMAN, Staff Reporter of THE WALL STREET JOURNAL
June 29, 2005; Page A1
NEW YORK -- Good news for immigrants: If you're applying for a green card or for citizenship, the federal government is determined to stop notifying you that your fingerprints have "expired."
How do fingerprints expire? The official notices don't say. They just give applicants appointments to get fingerprinted again.
At an immigration office in downtown Brooklyn one Friday, scores of them sat on plastic chairs waiting to be called to a high-tech fingerprint station. For some, it would be their fourth time.
"I don't know why," said a woman from Poland, studying her hands. Behind her, two Orthodox Jews read prayer books. Above her, cartoons played on a television screen. "Maybe something happened with my fingers. They check, make sure everything is fine."
Immigrants line up outside a U.S. government fingerprint office in Brooklyn, N.Y.
The official rationale isn't that intuitive, but it does peel back a corner of the electronic security blanket that the government is struggling to tuck around the U.S. immigration bureaucracy.
People who want to stay in America are fingerprinted to make sure they aren't criminals. Pre-computer, the Immigration and Naturalization Service carted its ink-on-paper prints to the Federal Bureau of Investigation. There, experts searched files for matches against the prints of known criminals, just as they would for prints left on martini glasses at crime scenes: narrowing them down through a series of ever-smaller categories that have been in use for more than a century. A name check wouldn't do; criminals change their names. Immigrants with clean records quickly got green cards. Then the FBI threw their paper fingerprints out.
Five years ago, fingerprint computers replaced ink and paper. But the computers had no significant storage capacity. They merely sent prints on phone lines to the FBI. The FBI checked the prints for criminal matches on its own new computers -- and deleted them. The reason was less technical than bureaucratic: Paper fingerprints were trashed in the past, why save digital fingerprints now?
After Sept. 11, 2001, the immigration service was folded into the Department of Homeland Security, and the time it took to grant or deny permanent residence to a foreigner kept growing longer. While waiting, applicants might commit crimes. Without double-checking the FBI's fingerprint files, immigration clerks would never know.
Wouldn't it be handy, the government realized, if those digital prints were stored after all? Retooling the system for storage took until 2003. The next step was to create a search program -- using images, not words -- to retrieve the prints. That component of the project isn't quite ready.
"The easy part was placing them in a repository," says William Yates, who runs this operation at U.S. Citizenship and Immigration Services, now part of the DHS. "The more difficult thing is a mechanism to allow those prints to be called back up. Right now, we don't have that capability."
So immigrants with applications bottled up in bureaucracy keep on reporting to be fingerprinted over and over. "It's stupid and it costs a huge amount of money," says Margaret Stock, a professor of national security law at West Point. "It doesn't make any sense if you realize that fingerprints don't change."
Taking fingerprints is an old routine when it comes to permanent immigrants. When it began, about 50 years ago, immigration clerks did the job. But after an amnesty for illegals unleashed a horde of green-card applicants in 1986, the chore was farmed out to private shops -- and fingerprints got out of hand.
"A criminal alien with his own ink pad could take someone else's prints and submit them as his own," the Justice Department reported in 1994. Hurrying through its paperwork, the immigration service often didn't wait to hear from the FBI. In 1996, it came out that tens of thousands of newly minted citizens had arrest records.
That was the end of private fingerprinting. The FBI has since computerized its files, and the immigration service has opened 130 special fingerprint offices. Under a $370 million government contract signed in 1999, they are staffed and run by Vinnell Corp., a subsidiary of Northrop Grumman Corp. that specializes in logistical support and also happens to train the personal army of Saudi Arabia's royal family.
At the Brooklyn office, Sue Leichter, a Vinnell technician, was showing off the Identix Inc. "TouchPrint" scanner, with the help of a taxi driver from Morocco who was applying for a green card.
As Ms. Leichter pressed his fingers to a glass plate, the man's prints came up on a screen, loops and whorls in brilliant black and white. A box on the screen turned green, and the prints zipped to the FBI. The taxi driver preferred not to give his name, but he took his treatment in stride.
"It's my fourth time," he said.
Grinning at him, Ms. Leichter said, "Welcome back!"
The FBI now tells the immigration service in just a few days whether someone is under a criminal cloud. The immigration service, though, doesn't always put the final touches on its paperwork so speedily.
"It should take three hours," says Rajiv Khanna, an immigration lawyer in Virginia. "Do you know how much time it takes?"
The answer, in some parts of the country, is three years. The government is working mightily to reduce its chronic backlog. But often it can't work fast enough to beat an expiring fingerprint.
In three years, fingerprints expire twice. A set lasts just 15 months -- that is the rule.
An applicant is first fingerprinted after qualifying for a green card, which itself can take years. If it then takes more than 15 months for the immigration service to complete the paperwork and issue the card, the applicant is fingerprinted once more.
Those who go on to apply for citizenship are fingerprinted again. People seeking asylum often wait for at least a decade; every 15 months, they are fingerprinted.
The 15-month rule has been around for years. Not even Mr. Yates at the immigration service can explain it.
"It happened so long ago," he says. "There's no technical reason for it."
With computers that store and actually retrieve fingerprints, Mr. Yates imagines a day when fresh arrest records pop up on his screens daily, and fingerprints never expire again. Such seamless feedback from the FBI isn't even being planned, but it sure would have made Ali Al-Shankiti's passage to America less confusing.
He is a 29-year-old Saudi Arabian who came to the U.S. in 1993, earned three degrees, and now does research in wireless computer technology for a big company in Boston. In 2002, based on his job, he was cleared for a green card. On April 4, he was fingerprinted. His expiration notice came 15 months later.
"I'm not the most favored immigrant," Mr. Al-Shankiti says. "I do understand that. Still, I thought, how do fingerprints expire?"
On the day of his second fingerprinting appointment, he had to be away. He wrote in advance asking for another date. Months passed with no reply. On Aug. 26, 2003, Mr. Al-Shankiti went in unannounced.
"They were happy to print me," he says. But then came a letter with yet another fingerprinting appointment for Sept. 27.
Mr. Al-Shankiti went. A month later, he was told to come back again; it seemed the FBI computer couldn't read his prints. So on Dec. 9, 2003, Mr. Al-Shankiti was fingerprinted for the fourth time.
For 18 months, he heard nothing else. Finally, he telephoned the immigration service to let a clerk know that his fingerprints had expired. This past Monday, he got a notice in the mail giving him an appointment on July 23 -- for his fifth fingerprinting.
Mr. Al-Shankiti is allowed to keep working, as long as the immigration service issues him an employment authorization card each year. The cards, designed to be forgery-proof, carry a photo and one fingerprint. Though Mr. Al-Shankiti has had several cards, his latest is strange. He is at a loss to explain it, and so is a spokesman for the Homeland Security Department.
The place on the employment card where his fingerprint belongs has a stamp instead. It says: "Fingerprint not available."
Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they're being honest. As the Independent reports in "Ministers plan to sell your ID card details to raise cash":
Personal details of all 44 million adults living in Britain could be sold to private companies as part of government attempts to arrest spiralling costs for the new national identity card scheme, set to get the go-ahead this week.
The opening of commercial talks contradicts a promise made when the Home Office launched a public consultation on ID cards in April last year, when officials pledged that "unlike electoral registers, the National Identity Register will not be open for any general access or inspection."
Any guesses as to who'll be first in line? (I already gave you a hint in the title.)
Meanwhile, Stefan Brands has a 4 part summary of the LSE analysis of the new ID card system. Part I, Part II, Part III, Part IV. Summary of the summaries: The proposed system was designed by companies selling "enterprise" software with no concern for, or thought given to, the appropriateness of that software for national ID use. (UK ID tidbit via Pacanukeha's "It's all about Control." ID card from ID Unknown)
This was going to be a roundup, but heck, there's a backlog of hate, and I must post.
I don’t know if ChoicePoint or any of its subsidiaries are actually involved in the development or deployment of the new passports for the United States, but given the track record of DHS and of these companies, I would rather stick with more basic, less technologically advanced security methods for now.
A great point that has been lost in a lot of the reporting. Just how useful is the service they provide when they were spoofed over 50 times by fraudulent users?
These companies always beg the question of which entities are authorized to be their customers to "legitimately" obtain this kind of sensitive data about people? What would stop me from paying to get the data on anyone they had? What criteria would they establish to prevent just anyone from getting at this data? Or, do they not care as long as you have the cash?
In fact, it was a passing remark made by a ChoicePoint representative, who said, in effect (because I didn't write it down):
Americans have the right to privacy, but no longer have the right to anonymity.
As a private citizen, this made me blanch. This made me sick. This, in short, pissed me off.
He also points to Infinisource, who, back in 2001, examined her Choicepoint file in "A Sample ChoicePoint FBI Dossier:"
Just for fun, if a rough accounting of the report I received is done by giving each correct entry a point, deducting a point for each error and ignoring omissions then my ChoicePoint report was only 56% accurate.
I've been getting a lot of attention from ladies online recently. I've been talking to one for about a week who lives in Gwinnett. The only problem is she works for Choicepoint (for those of you who don't know, that's the company that got in trouble for selling lots of people's personal information to people posing as government entities or something), and although she's not ugly, she doesn't attract me too much.
I have been playing around with Linux lately. Specifically Red Hat FedoraCore 3. Let me tell you, for those who fear Linux will overcome Windows. Fear Not! Linux Sucks! I spent my entire weekend last week trying to install that piece of junk. I finally got it to install after my 7th attempt, but even still, my sound card doesn't work. Granted, I am trying to run Linux inside Microsoft Virtual PC 2004, a virtual machine software, but that is because I am not willing to do a dual boot from my laptop. I had to get a hacked Linux kernel to get it to run within the virtual machine. What amazes me is how anybody gets anything done in Linux at all. There are so many CRYPTIC commands. For example, if you want to rename a file in Linux you use the mv command. What the heck is that all about?
Choicepoint, please call your trademark attorneys. You're in danger of becoming a generic term for "massive security breach," and a band-aid isn't going to fix that.
That was the lead (and about all I'd written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point of the article was going to be how people know that their banks could make mistakes, and that a bank mistake wouldn't ever be as upsetting as the Choicepoint error. But now, CardSystems Solutions has done what no bank could do. They're taking attention away from Choicepoint, and they're going to take more, for a while. I'd like to explain why I think this.
Firstly, this one is big. As in ten times larger than the previous record. JW mentioned to me that 40m could reasonably be expressed as a percentage of Mastercards issued. (Actually, it was 20m Mastercards, which is just short of 3% of the 698m Mastercards issued.)
Second, like Choicepoint, you have no choice about doing business with Cardsystems. You didn't know they existed before you heard your credit card was in the hands of Russian thieves.
Third, because what was stolen was credit card data, rather than SSNs, it's short-lived, and the folks who have it are already under huge pressure to flip the data as many times as they can, as quickly as they can, along with the blame and the legal pressure. That means that most of the impact is going to be on credit card statements this month and next. That compression has an upside, which is no life of fear for the victims, and a downside, which is that Congress is going to be under enormous pressure to pass a law. That's a downside because Congress legislates in haste, while we all repent at leisure.
Fourth, Cardsystems flubbed their public relations. Their story was inconsistent and confusing. Basic company facts were confused. (Are they headquartered in Tuscon, AZ, Tucson, AZ, or Atlanta, GA? Major media outlets were contradicting each other.) AZCentral tells us:
Actually, the company appears to be headquartered in suburban Atlanta, but has its processing center in Tucson. Or maybe it's based in Tucson in the winter when executives want to play golf. It handles $15 billion in payments every year.
Finally, they violated their contract with the card providers (by storing CCVs), and their CEO offered a confused story about "research purposes." (In "Lost Credit Data Improperly Kept, Company Admits," in the New York Times.)
Social security numbers used to be just for social security. But the government is the only actor in the marketplace who can produce something, and also mandate demand for it. In the case of SSNs, they've created a large demand by declaring that Uncle Sam gets to decide who you may hire. (The gossip-mongers credit agencies have also helped, by declaring an SSN enough to get credit.)
Where there's demand, there's a market. Where there's a market, eventually there's differentiation. So there are the people who buy in bulk from Choicepoint. There are people who get them one at a time from their students. And as the New York Times reports in "Social Security: Migrants Offer Numbers for Fee," there are people who rent or sell them:
This process has one big drawback, however. Each year, Social Security receives millions of W-2 earning statements with names or numbers that do not match its records. Nine million poured in for 2002, many of them just simple mistakes. In response the agency sends hundreds of thousands of letters asking employers to correct the information. These letters can provoke the firing of the offending worker.
...Since legal American residents can lose their green cards if they stay outside the country too long, for those who have returned to Mexico it is useful to have somebody working under their identity north of the border. [How's that for a perverse incentive under the law?]
...Mr. Luviano decided to pull the plug on the arrangement, however, when bills for purchases he had not made started arriving in his name at his brother's address. "You lend your number in good faith and you can get yourself in trouble," he said.
Ian Grigg has more at "Identity is an asset. Assets mean theft ... and Trade!"
On Thursday, May 26, 2005 a security breach allowed an unauthorized user to gain access to data stored on several web sites at Duke University Medical Center. None of the web sites was used for patient care.
The web sites that were accessed did NOT contain any patient data or personal financial information, such as credit card or bank account numbers. However, they did include the passwords of about 5,500 users. These passwords gave the users access to various Duke web sites. In addition, some of the compromised databases included fragments of Social Security numbers – either four or six of the nine digits – for about 9,000 users. (Emphasis Duke's.)
What I find interesting is that the norms are changing very quickly. In January, this probably would have been swept under the rug. But all that was revealed was passwords. Many companies are lobbying like mad to not have to do this. What they don't understand is that a new normal has emerged while they weren't looking.
Choicepoint tried the "We notified everyone we were required to" line. It didn't work for them. It won't work for anyone else. So can we please get over the posturing, and admit that breaches happen?
Maybe once we do, we can start learning why they happen, and from there, start addressing root causes.
The National Conference of State Legislatures has a "2005 Breach of Information Legislation" summary page:
Summary: Legislation was introduced in at least 34 states as of May 18, 2005. Legislation enacted in at least six states in 2005: Arkansas, Georgia, Indiana, Montana, North Dakota and Washington.
Thank you,
(Via The HIPAA blog.)
When Ms. Marshall got a $6,000 home-improvement loan from a credit union in April 2003, she had to pay relatively high interest because of a weak credit score. The credit check had showed a court ruling ordering her to pay overdue rent to a former landlord in a Washington, D.C., suburb. But the judgment had been caused by a court error and vacated by a judge – facts that didn’t make it into her credit history. It turned out that a ChoicePoint contractor at a courthouse hadn’t properly updated the file, and that Equifax, the credit bureau, purchased the erroneous entry from ChoicePoint.
Unfortunately, the suit was thrown out after the errors were fixed. That sort of decision encourages these companies to be sloppy with their data gathering processes. Data processing professionals used to say "Garbage in, garbage out."
The New York Times has a long article on the successors to Air America, "C.I.A. Expanding Terror Battle Under Guise of Charter Flights." The bit that really caught my attention was:
On closer examination, however, it becomes clear that those companies appear to have no premises, only post office boxes or addresses in care of lawyers' offices. Their officers and directors, listed in state corporate databases, seem to have been invented. A search of public records for ordinary identifying information about the officers - addresses, phone numbers, house purchases, and so on - comes up with only post office boxes in Virginia, Maryland and Washington, D.C.
But whoever created the companies used some of the same post office box addresses and the same apparently fictitious officers for two or more of the companies. One of those seeming ghost executives, Philip P. Quincannon, for instance, is listed as an officer of Premier Executive Transport Services and Crowell Aviation Technologies, both listed to the same Massachusetts address, as well as Stevens Express Leasing in Tennessee.
No one by that name can be found in any public record other than post office boxes in Washington and Dunn Loring, Va.
In the past, the FBI could set up undercover agents, or those in the witness protection program, by talking to "the big three" credit agencies. If the CIA needed cover identities, they could do the same.
But today, "thanks" to the profusion of businesses dedicated to bringing public records access to everyone, these techniques no longer work. You can't ask three patriotic businesses to help you, you'd need to give a list of identities to create to tens? hundreds? of businesses. I expect that CIA believes at least one of those businesses is a front for Al Qaeda, and thus, this is inconceivable, to hand out a list of covert officers.
Just another way in which privacy helps security.
Two new books that may be of interest are blogger Wendy McElroy's "National Identification Systems, Essays in Opposition" and Choicepoint CISO Richard Baich's "Winning as a CISO." I was going to add clever text juxtaposing the texts, but really.
hmmm, I really must make this post longer, or the blog looks really bad.
Almost...there....
Electronic account records for some 500,000 banking customers at four different banks were allegedly stolen and sold to collection agencies in a data-theft case that has so far led to criminal charges against nine people, including seven former bank employees.
Police in Hackensack, N.J., are continuing their investigation into the theft by a crime ring that apparently accessed the data illegally through the former bank employees.
So Computerworld tells us, in "Data theft involving four banks could affect 500,000 customers." The story mentions a "crime ring," but it's not clear what that ring did, other than stock a private database, owned by Orazio Lembo Jr., to compete with Choicepoint. MSNBC tells us in "Massive bank security breach uncovered in N.J." that: The employees are accused of turning over customer bank account numbers and balance information for a profit [fee, really] of $10 per account. Even a state employee is accused of providing private information from state employment files. North Jersey News names names in "9 charged in bank data scheme:"
Lembo resold the information to the collection agencies and attorneys for $70 to $100, Zisa said. He even allegedly sold package deals that included employer information supplied by the state worker, Rivera, 42, of New Milford. [Rivera is a manager in the Jersey City office of the New Jersey Department of Labor.]
...
Zoran Levajac of Totowa [At the West Caldwell branch of Commerce Bank], Kathleen Lovelace, 35, of Kearny, then paid James Digangi, 27, of Elmwood Park, and Anthony Diamanti, 29, of Clifton.
Also charged were Kelvin Diaz, 27, of Hackensack, an employee at Bank of America branches in Elmwood Park and Paterson; Myron Frierson, 29, of Teaneck, a financial specialist for Wachovia Bank in Elmwood Park; and Maurice Williams II, 28, of Hackensack, a financial specialist for First Union/Wachovia in Bogota.
(Via Jim Horning, at Nothing is as simple as we hope it will be, Another Massive Personal Information Theft.)
[Update: If you find this interesting, you might also be interested in my posts on breaches, or the Choicepoint debacle. Or just take a look around the blog.]
100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom -- and the ones who did had to wait an average of three months from the time they requested their information until they received it.
So says a new study from Privacy Activism. Read the news release, or the study. (There's also a 162k PDF file.)
On thinking about this for another minute, I need to add that ironically, inaccuracies in the data are more likely to harm the honest than the fraudsters-by-impersonation. The ID thieves will just hope that the wrong data is seen as right, or right enough for granting credit, or just move on to the next person.
The fair and balanced Real ID Sucks blog ("A clearinghouse of stories about how the states will be required to spend $250 million to create standardized, machine-readable driver's licenses, to make it easier for hackers, thieves and credit bureaus to track your every move.") points to a San Jose Mercury News editorial, "Real ID Act mostly helps identity thieves":
The people who will benefit most from this law are snoops and identity thieves. The requirement that all personal information be encoded in a machine-readable form will be a gift to them. Already bars, athletic clubs and other commercial establishments swipe driver's licenses. With a national format, every retailer will swipe the IDs to collect valuable information that will be sold to data aggregators, such as ChoicePoint. They, in turn, will resell the information to marketers and other customers.
...
The irony is that the Real ID Act was wholly unnecessary. Just five months ago, Congress approved a bill that required the federal government and states to work together on sensible national standards for driver's licenses. That work, which has already begun, now will be scrapped.
Congress reversed itself once. It has to do so again.
(Use bugmenot for a login.)
Knight Errant has a long post, "Tipping My Tinfoil Hat," in which he makes mention of Choicepoint. And Consumer Affairs has a long article "USA PATRIOT Act Rewards ChoicePoint."
The IntegraSys corporation's ID Verification software, for example, cross-checks and references 23 billion data records, including everything from credit report headers to "warm address lists" that target "known sites of fraudulent activity", such as hotel mailboxes, prisons, P.O. boxes, etc.
I want to write something about the relation of the policeman within, the negative effects of these databases which declare you may only partake of society with a known address. What do the hundreds of thousands of Americans who live in actually mobile homes do? Hire a mail forwarding service. But that's now "a known site of fraudulent activity." Could those companies sue for libel, if there's never been a fraud perpetrated at the site?
The suits, which have been consolidated in federal court in Los Angeles and are requesting class action status, seek monetary, statutory and punitive damages, including compensation for the anxiety of waiting and wondering. They also aim to represent consumers regardless of whether their data were used by thieves or not. Harrington v. Choicepoint, No. 2:05-CV-01294-SJO-JWJ (C.D. Calif.).
"Once the data is stolen and is out there, people have a legitimate fear that they're going to become victims, and that's damage right there," said attorney James B. Fishman, a consumer rights expert and partner at New York's Fishman & Neil.
USA Today reports "U.S. asks for more data on travelers"
The federal government plans to begin collecting the full names and birth dates of air travelers this summer in its latest effort to screen passengers for possible links to terrorism.
In a few weeks, the Transportation Security Administration will notify airlines, travel agents and online reservation systems that they will be required to ask travelers for their legal names and birth dates when booking domestic flights.
Passengers who don't comply [sic] with the request will dramatically increase their chances of being stopped at airports for questioning or pat-downs, TSA assistant administrator Justin Oberman said. That's because their partial names are more likely to register a "hit" on terrorist watch lists.
This could help some people avoid the problems that the watchlists create. If we happen to know a terrorist's birthday, anyway. But I'm far more concerned that, yet again, TSA will be mandating data collection through unregulated third parties.
It will probably be a crime to lie to the airline about your birthday. And that means that there's another government-mandated privacy invasion where the airlines will be free to link "their" data with anyone else's. It's corporate welfare for the privacy invasion business.
On a similar note, Choicepoint has acquired EZGov, in a "transaction that will not have a material impact on its financial results, and will not be dilutive to earnings." But it sure will improve their data to know that lying to them could land you in jail. Operational synergies, indeed. (Conscious Junkyard has more on "Choicepoint, Corporatism, and Welfare.")
(Via BoingBoing. Ryan Singel comments in "You Say Its Your Birthday.")
Perspectives from the gossip industry are presented by Information Week, in "Execs Testify In Favor Of National Data-Security Law:"
In prepared testimony for a hearing by the House Committee on Financial Services, executives from Bank of America, ChoicePoint, and LexisNexis supported legislation patterned after California's law requiring companies to notify customers about security breaches.
Update: Of course, what the industry is saying depends on where you sit. CBS MarketWatch reports: "Industry says no need for more privacy laws."
ChoicePoint Inc., the information broker whose disclosure of a security breach set off a furor over privacy and identity theft, favors existing laws such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, as well as a "pre-emptive" national law for notifying consumers when a breach has occurred, said Don McGuffey, senior VP for data acquisition and strategy.
Meanwhile, the Center for American Progress has a long editorial on Protecting Privacy in the Digital Age, talking about how the Privacy Act of 1974 no longer really means anything, as government now simply outsources those actions which it isn't allowed to take.
Today's Wall Street Journal has a good summary article, "For Big Vendor of Personal Data, A Theft Lays Bare the Downside" (Thanks, Nick! Also, the Pittsburgh Post-Gazette has picked up the story, and made it available):
The vulnerability of the company's data and its difficulty in tracking the breach point to a paradox. ChoicePoint and similar data sellers pitch their troves of private information as a hope for restoring personal security to a society fraught with anxiety over terrorism and crime. The chief executive of ChoicePoint, Derek Smith, espouses a thesis that society is better off if everyone can check the background of anyone else. Yet the very existence of these vast information stockpiles -- vulnerable to both error and poaching -- has spawned a new area of worry and risk.
..."The needs of consumers and society must be the central focus of our company's and our industry's efforts," Mr. Smith said in a statement yesterday. "We believe regulation will give consumers additional protections, remove risk from the industry model and ensure all competitors are playing on the same, level field."
...ChoicePoint collects data from insurers and an extensive network of contractors who scoop up nuggets from public filings, financial-services firms, phone directories and forms people fill out when applying for loans. Pointing to 7.3 million background checks it did last year, the company says just .0008% have been shown to contain incorrect information.
This last shows how far Choicepoint is from getting it. Choicepoint defines an error as a problem between their collector and the report; bad data collected, which we used to call the "garbage in, garbage out" problem, has been defined away.
Also, CSO Online has a good long article, "The Five Most Shocking Things About the ChoicePoint Debacle," but this post is long enough, and CSO is interested in having readers, so I don't feel as interested in excerpting.
WYFF-TV, "The Carolina Channel," interviews two fraudsters who made money impersonating others. If you have any doubt these people are scum, one impersonated his own brother, and stole $71,000.
In another, on Dave Farber's list, victim Tom Goltz writes:
Speaking as a victim of identity theft, there is absolutely nothing that an individual can do to effectively protect themselves against identity theft.
Do you know what your identity is worth? Mine cost $200. That's what a criminal paid on a street corner in Los Angeles. Add in $75 for a low-grade forgery of a driver's license, and he was in business. To this day, I have been unable to discover how my personal information ended up on that street corner. I own and religiously use a high-quality confetti-cut paper shredder. I have never received sensitive financial correspondence at the unsecured mailbox at my home, instead renting a locked post office box. I have made a policy of not disclosing my social security number whenever possible. My SSN has never been on my driver's license. It has never been printed on my checks. I do not carry my social security card in my wallet, nor any other document bearing my SSN.
The problem stems from financial institutions granting credit easily, and then blaming the victim, by spreading lies through the credit bureaus. As long as these organizations have no responsibility for the problems they allow to happen, and then magnify by ignoring the victims...
Goltz is right. The Choicepoints, the Lexis Nexises, and their utter lack of liability means they can't justify investing in protecting the data that they have. Banks are pushing hard to be allowed to decide when a theft is likely to lead to problems for you. (Gosh, I wonder what they'll decide?)
When I confirmed that I’d been enrolled as a result of a purchase I’d made on the travel web site, I decided to end my relationship with the travel web site. Here’s where the fun started…
No, sir, it's time to name names. Why are you protecting them? Shame them. Call them out. Use them as an example when you speak. Tell them that you'll continue doing so until you believe that they comply with the terms and conditions they had on display when you signed up.
I sent an email to the travel web site’s CS group – asking them to remove all my personal information from their records. One would figure that this isn’t a very big deal as their web site privacy policy states:
“If a visitor’s personally identifiable information (for example, their zip code, phone, email or postal address) changes or if a user no longer desires our service, we provide a way to correct, update or delete/deactivate visitor’s personally identifiable information.” ([Chapell] paraphrased this to protect the company)
[Frustration, frustration elided.] As a consumer, this is beyond frustrating. Btw, this is not some tiny website – it is a nationally advertised site owned by a fairly large company.
Perhaps it's time to involve their seal program…
Think about credit agencies. When it comes to our digital reputations, systems like ChoicePoint and Equifax are reviled, while ranking and endorsing systems like eBay's thrive. Why? Transparency. The eBay community incents its members to participate because they can see exactly who is saying what about whom. And interestingly, this transparency lets my digital reputation be as much about what I say of others, as it is about what others say about me.
It wasn’t that stat() failed, it was that suEXEC saw that it had just performed stat() on a link. It apparently decides that this is fatal, because it knows more about the security trade-offs of your environment than you do, and that when it sees this policy violation it will fail and lie to you about why it failed.
Now, I’ll be the first to admit that this in itself is a very minor detail. The rub is that this sort of misleading behaviour isn’t rare at all. I think this struck a chord with me because it made me focus on my changing thoughts about what it is that I do. There was a time when I loved having a catalogue of this kind of behaviour in my head so that I could use all kinds of software and predict the ways in which I would have to work around its behaviour. It was super-fun to be an expert in so many details.
But these days, and I won’t admit to a decade having passed, it all seems like so much wasted time. People who use this software should be focusing on solving their problems instead of spending time discovering that “cannot stat program:” can sometimes mean “I refuse to work with this file because it is a link.”
It seems like after a few decades of building these kinds of software systems we could be doing a better job of it.
The profusion of such issues, along with the social awareness that they're ok, helped drive me to a Mac. On the Mac, they are distinctly not ok, and once you adjust your pain threshold downwards, it's hard to remember why you put up with them.
Since Choicepoint demonstrated that screening is hard, they've been repeating the phrase "We look forward to a national debate." But at yesterday's annual meeting, they once again failed to engage in that debate. The LA Times has an AP story "No Answers for ChoicePoint Shareholders" (Bugmenot, because no other paper has picked up the story, according to Google News.) Or, The Atlanta Journal Constitution, "ChoicePoint boss deflects scam queries." (Bugmenot)
In a quick and scripted annual shareholder meeting, ChoicePoint executives turned away any questions about the invasion of the company's database by fraud artists.
...But Smith said that because of investigations into the database scam, "we will not be taking questions relating to those matters in this annual meeting."
It seems to me that understanding how management is handling these issues would be important to a shareholder.
But today, the chairman and chief executive of Alpharetta-based ChoicePoint is likely to get a feel for his standing on a smaller stage: whether he is held in esteem by ChoicePoint shareholders.
...Lauren Waits, who oversaw ChoicePoint's charitable giving program before leaving earlier this year, describes her former boss as a visionary who also can be intense and "quite hard on other people." He has been impatient for government to act on ideas, such as storing DNA profiles on all felons in a central database that could be used to catch repeat offenders.
...But the most difficult thing for ChoicePoint's CEO hasn't been the criticism or a grilling before Congress, said Rod Dowling, an investment banker who has worked with ChoicePoint. What Dowling said got to Smith most in the wake of the scam was that an Atlanta publication, Creative Loafing, published his home phone number and address.
That's just a smidgen of the kind of information ChoicePoint supplies to clients every day. But Smith worried about his family's safety and quickly changed his phone number, said Dowling, CEO of SunTrust Robinson Humphrey.
If only we could do the same when our data gets into untrustworthy hands.
From the Atlanta Journal Constitution, "Embattled CEO must take stage."
In "Proposed Legislation Limiting PI Access to Data", Private Investigator News and Information provides the National Council of Investigation and Security Services's roundup of legislation that would affect the private investigator business.
Naturally, the private investigators are up in arms; their job is about to be made a lot harder over something that wasn't their fault.
A security-breach bill, Senate Bill 6043, will require consumers to be notified by credit-reporting and consumer-data agencies if a security breach compromises their personal information.
And a security-freeze bill, Senate Bill 5418, will let victims of identity theft — or those whose personal data have been stolen — place a security freeze on their credit files with credit-reporting agencies to lock out potential thieves.
One of the state's top consumer groups, the Washington Public Interest Research Group, dropped its support for the security-breach bill when amendments were added letting companies decide whether to notify customers when their data are stolen. If the companies consider it a "technical breach" that doesn't seem reasonably likely to subject customers to criminal activity, they're not required to tell customers.
Look for blowback on that loophole. Washington banks are going to have to go through two compliance programs over the next few years after a big bank abuses this, and a more stringent law shows up.
Amy Boyer was a 21 year-old college student working part-time as a dental assistant in downtown Nashua. Amy was shot nine times in the head as she left work on Oct. 15, 1999, by a stalker who bought Amy’s Social Security number and work address on the Internet from an “information broker” named Docusearch.
Docusearch purchased Amy’s Social Security number from IRSC, an information broker that folded into the ChoicePoint conglomerate.
ChoicePoint Inc. (NYSE: CPS), today reported first quarter total revenue growth of 19 percent compared to 2004. First quarter total revenue for 2005 was $259.3 million.
...These expenses included approximately $2.0 million for communications to, and credit reports and credit monitoring services for, individuals receiving notice of the fraudulent data access and approximately $3.4 million for legal expenses and other professional fees.
...ChoicePoint's first quarter results will be discussed in more detail on April 21, 2005, at 8:30 a.m. EDT via teleconference. The live audio Webcast of the call will be available on ChoicePoint's Web site at http://www.choicepoint.com. There will also be a replay of the call available beginning at approximately 10:00 a.m. EDT at the same Web address.
From the press release "ChoicePoint(R) Reports Record Revenue in the First Quarter of 2005"
During the April NCC AIIM meeting, a member of the audience asked how the IRS’ Free-File could avoid becoming another ChoicePoint, clearly a reference to recent security breaches. Everyone in the room immediately understood the reference; no explanation was needed.
"We're setting up [new guidelines] to help them administer and protect their IDs and passwords. I won't get into too much detail there because then we're giving away the secrets to the bad guys," Edwards said.
Let me guess, 7 or more characters, mixed letters and numbers, change regularly, and don't share it? Did I give something away to the bad guys?
Rapsheets, a Tennessee company purchased by ChoicePoint last year, provides instant criminal background checks to employers and organizations to help them screen workers and volunteers.
...The move brings the company into compliance with the Fair Credit Reporting Act, or FCRA, which requires background-checking services to either provide employers with the most-current information available from public records or to notify workers and job applicants when they are providing an employer with damaging information about them that is likely to affect their job prospects.
..."The high road would be for them to say, 'We're going to verify anything before we deliver a record to an employer,'" [Mike Coffey, president of Texas investigation firm Imperative Information Group] said. "They're still going to put the onus back on the consumer to make sure that everything is correct."
My Choicepoint category archive includes extensive coverage of the most recent Choicepoint ID theft issue.
You've won the Big Brother award for Lifetime achievement!
It was a tough battle for top place this year, and while Choicepoint was the people's fave, we all know that those privacy elitists don't really care about the little people.
Other winners included California's Brittan Elementary. The Department of Education got worst government department, despite stiff competition from Homeland Security and the IRS.
So, Mr. Smith, now that you're at the very top, where do you go? New levels of cringe-inducement with that DNA database? Something the rest of us haven't even thought of? Or maybe it's time for new directions?
We're sure you're thinking about these big questions in private, and rest assured: We're not watching nearly as closely as you do.
The testimony prompted editorials in USA Today, and the Washington Post. Perhaps the best line, from Thomas Greene, is:
FTC Chairwoman Deborah Platt Majoras advised the Committee to avoid over-notification. "Consumers will become numb to notices," she said.
That's how bad it is, huh? We'll become numb if we knew the truth?
The Identity Theft Resource Center (ITRC) announced today that ChoicePoint is partnering with the ITRC to combat identity theft via a four-year funding commitment to expand ITRC's current victim assistance and consumer education program.
The ChoicePoint Foundation is paying $1 Million over 4 years. Congrats to the ITRC. I've mentioned a profile of the Foleys, who run the center.
Sitting at a coffeeshop today, I listened to the fellow behind me try to get Dell and Equifax to agree to fix his credit. It seems that his father passed away recently, in debt to Dell over a computer. That debt is now on his credit report, despite his not being a co-signer for the loan.
Over at Motley Fool, Rich Smith writes about "What, Me Worry About ID Theft?" He starts from Choicepoint and Lexis Nexis, and his thesis is:
But what's even scarier is the utter complacency with which the victims of these attacks -- the owners of the social security numbers, driver's license numbers, and such like information that was stolen -- are reacting. Or rather, not reacting. ...there's just no logical reason why potential victims of ID theft would pass on an offer of free protection. No logical reason except one, that is: They just don't care.
Hard as that is to fathom, it suggests that the data collection industry may escape this series of fiascoes without Congress imposing additional regulations on it. Voters who don't care enough about their own data security to accept an offer of free protection are not likely to be expending much effort lobbying Congress for tighter regulations.
I tend to doubt claims that thousands of people are acting irrationally. I believe that there's a second logical reason not to bother with credit monitoring services: You're damned if you do, and damned if you don't. Watching your credit report is like the old description of war: Years of boredom punctuated by moments of terror.
What would this fellow behind me have gained by watching his report? The knowledge that he had to go through this earlier. Does that really help? Does it help as much as a well-crafted new law might? Or even a reasonably-crafted one?
People may well, and rationally, be spending their energy complaining to their Congressmen. The problem is a widespread abuse of the Social Security number as identifier and authenticator. People understand that, and resist giving them out. They're going to look to Congress for support.
But experts say the nationwide tallies are often full of holes, and contain as few as 70 percent of all felony conviction records, leading in turn to a false sense of security.
..."We've done tests, and the national databases have a 41 percent error rate," [Rhonda Taylor, CEO of Intellisense Corp] said. "(There is) a glaring issue related to a false sense of security if that information is relied upon with no other investigative tools."
(via Dave Evans.) Choicepoint missed at least 40 convicted criminals when they did the background checks for airport screeners, along with one guy who was a fan of Osama bin Laden.
The FBI says it trains agents before they can use ChoicePoint's database to ensure the data isn't misused or abused. Hoofnagle disputed that, citing documents obtained by the Privacy Information Center. "There was almost no evidence of controls to prevent agency employees from misusing the databases," he said.
Declan has some choice words about Choicepoint's new Credentialling, Compliance and privacy officer, in "Sidelining Homeland Security's privacy chief:"
DiBattiste sounded like she was replying to a pesky reporter when she wrote back [To TSA Privacy Officer Nuala O'Conner Kelly]: "TSA Public Affairs has no information in response to your request."
How fitting, then, that DiBattiste landed a plum $500,000-a-year job last month with privacy-impaired company ChoicePoint.
(Via Ray Everett-Church's Privacy Clue; my previous commentary is in my March 8 roundup.)
[T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services it said.
(From CNN, or see the statement here.)
So, let's review. A slew of people are trolling Lexis-Nexis' databases. They're not stealing identities. So what are they doing?
One thing that springs to mind is that Lexis Nexis is providing the back end data for CAPPS-II, Secure Flight, and probably 'Trusted Traveller.' (No Place To Hide, pp 225.) So if a terrorist got hold of this data, then they might have 5,200 or so names, addresses, social security numbers, and everything else needed to impersonate people so that they'd be seen as 'clean' by Secure Flight. That could be worth a lot more than the few tens of thousands of dollars you might steal.
Before the biometric cheerleading squad jumps out, please remember that we don't know if any of those 59 accounts that were used had update or corrections privileges into the database.
No word on what level of audits Choicepoint will be doing. It sounds like there will be a pulldown menu or checkboxes for "allowable uses," perhaps causing people to think for a bit, then get used to selecting one. Annoying to legitimate users, no impact on actual bad guys. Sounds like the perfect security theatre measure.
The B.C. judge affirmed the importance attached to privacy protection but allowed the outsourcing arrangements largely because of a series of significant new protections introduced by Maximus in response to the public outcry. These included a $35 million penalty for breach of confidentiality, extensive provisions to ensure that the data remained in the province, and a contractual term prohibiting disclosure of the data.
"They gave me some tools to use so I can do this, I guess, for the rest of my life," Sullivan said. "It's almost become a part-time job for me."
LexisNexis is sick of all the press ChoicePoint is getting and decided yesterday to one-up its competitor.
"After all, no publicity is bad publicity"
We have observed that some of the sensitive data that gets stolen fits into one of several categories:
- Data that was never needed
- Data that was needed but should never have been stored
- Data that was originally needed but was kept far beyond its useful life
- Data that should never have been stored in an unencrypted form
At some point, the question "Did you consider not having this data" is going to become a standard part of lawsuits. If you're an IT manager, are you planning for that day?
Consumer Eileen Goldberg, one of the people who received a notice from ChoicePoint, was the first to sue the company. The California resident showed the letter to her son, Michael Goldberg, a prominent class-action attorney in Los Angeles. After looking into the incident and the lack of regulation governing the data-brokering industry, Goldberg and fellow attorneys at Glancy Binkow & Goldberg decided they had a case based on fraud and negligence....
In the meantime, the firms involved in the ChoicePoint suits are trolling for more plaintiffs. They've launched Web sites. They've issued news releases. And at some point, they may try to subpoena ChoicePoint for that list of 145,000 clients-in-waiting.
Alpharetta, GA - Diebold Election Systems and Choicepoint, Inc., today announced a joint venture that could revolutionize the voting market. The concept is simple: combine Diebold's demonstrated expertise in voting systems with Choicepoint's superior data-mining techniques to produce PredictaVote(TM) - the first 100 percent voter-free, predictive voting system.
"Virtually every state is now actively pursuing some type of legislation," said Judith Collins, director of the Identity Theft Crime & Research Lab at Michigan State University. "When something like this happens to Bank of America, people realize no business is immune."
"Our concern is that you might have two sets of standards which are inconsistent," said Tom Cardwell, an Orlando lawyer and counsel for the Florida Bankers Association.
"Consistency" here means "the weaker Federal standard," where the organization that's been breached, decides....
The Coloradoan reports that Choicepoint is looking to contract for a call center, and includes the picture here. It makes me all warm and fuzzy to know that those call center employees probably use a password, and are, ummm, background checked before they can get a job. And no one could ever walk up to the wrong terminal, or see their terminal getting the wrong data and scripts. (photo V. Richard Haro/The Coloradoan; article via Call Center Digest.)
The groups accuse State Farm of foot-dragging to avoid bad publicity and to prevent lawyers from learning the names of victims and filing big suits. Consumer groups point out that any insurance company can purchase the names of vehicle owners from ChoicePoint, a data collection company with billions of records.
A ChoicePoint spokeswoman says the company had no comment because the State Farm situation was "too sensitive."
The settlement calls for State Farm to use ChoicePoint to identify the motorists....
As for ChoicePoint, [Iowa consumer protection division lead William L.] Brauch said the data company's information is not as accurate as vehicle information the states keep. He said the states plan to use ChoicePoint "as a final check. But that is not the only way to locate these vehicles."
It seems Choicepoint is feeling burnt because they don't understand why the whole thing blew up in their face. This is a perfect opportunity to explain the benefits of their database.
Because of Oluwatosin's efforts coupled with California law that requires disclosure of compromises of user information, Choicepoint is finally receiving the scrutiny that they deserve.
The better solution would be to prohibit companies such as ChoicePoint from warehousing personal information in the first place, since security has proved so problematic. Computerized collections of consumers' Social Security numbers, credit information, driving histories, medical and court records may make commerce more efficient, but they also present appealing targets to crooks.
ChoicePoint's offer, made Wednesday in the California General Assembly, was not accompanied by specifics on how it would work or whether consumers would be charged for access. But consumers should not have to depend on voluntary action by the company. Rules should be written into law modeling federal regulations that already cover the major credit reporting companies: Equifax, Experian and TransUnion.
It's not at all clear that the current rules don't cover Choicepoint, as EPIC points out.
A College Park [Georgia] man was sentenced to more than 15 years in prison Friday for his role in an identity theft scam in which he used data from ChoicePoint, the Alpharetta consumer information firm, to help target victims, prosecutors said.
Robert Stewart, 33, received a 190-month prison term in federal District Court based on a guilty plea entered earlier. According to testimony, he worked with nine others to defraud banks and other companies of about $1.3 million, using stolen identities to cash counterfeit checks.
The U.S. attorney's office, in a news release, said Stewart stole identities through jobs he held at various companies in the Atlanta area, including at a company screening job applicants for the Transportation Security Administration.
Alpharetta, Georgia, April 1 /PRNewsWire/ Alpharetta-based information broker Choicepoint today announced its intent to acquire the blog "EmergentChaos," citing market synergies, cost reductions, and new revenue opportunities.
Financial terms of the deal were not disclosed, but Choicepoint CEO Derek Smith said "We knew just which buttons to push."
Emergent Chaos is a weblog, or "blog," with a focus on security and privacy issues. The lead author has lately been covering Choicepoint, much to his dismay. He said "Our shareholders are excited by the value creation inherent in this event, and we look forward to our better understanding of our readership, and the customization that will now be possible for you, Mr !E_USER_NOT_FOUND!."
Choicepoint spokesperson Chuck Jones stated "We expect some cost reductions, and have advised the employee of this."
Privacy advocate Ian Goldberg said "I suppose, if you can't beat 'em, join 'em!"
The acquisition is subject to customary closing conditions. Choicepoint anticipates that the acquisition will close slightly before Hell freezes over.
Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers.
There's also an interesting post rounding up the SIA Anti-Money Laundering conference.
"You will receive the reports that we have on you," Don McGuffey, the firm's vice president for data acquisition, told the state's Senate's Banking, Finance and Insurance Committee on Wednesday.
It doesn't seem that they'll be moving towards the right of correction. Rather, you need to convince whoever reported bad data to correct it, and they will update Choicepoint. (Based on past evidence.) Compare this to credit reporting agencies, who have to include your corrections or disputes. Michael Zimmer has comments as well.
Sadly, Congress's response has been to increase the penalties for identity theft, rather than to regulate access to, and use of, personal data by merchants, marketers, and data miners. Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner.
For this reason, it's literally impossible for an individual to prevent identity theft and credit card fraud, and it will remain impossible until Congress sees fit to regulate the privacy invasion industry.
Executive Alliance, Inc., the premier provider of leadership-recognition forums, today announced that it has named the Distinguished Panel of Judges for the first annual Information Security Executive of the Year (ISE) Midwest Awards(TM) 2005
The judges panel includes:
Rich Baich, Chief Information Security Officer, Winner of the 2004 ISE in Georgia Award, ChoicePoint
...
Leo Cronin, Senior Director, Information Security, Finalist of the 2004 ISE National Awards, LexisNexis Group
Apparently, UC Berkeley doesn't have a CSO.
... reveal that Choicepoint proposed the sale of detailed personal information to the Bureau for law enforcement purposes. The documents show an extraordinary range of data sources, including e-mail registration, cookies, spyware, employment screening reports, motor vehicle records, drug screening results, professional licensing, Social Security Numbers, wireless phones records, and calling card data. One memo also discussed the availability of information on Europeans, Latin Americans, Asians, and Africans.
(Via McGeek) Choicepoint, meanwhile, denies that this is against the law, but not that the offer was on the table.
"A big part of why I settled the case is it would take three, four, five years to litigate," Asher said. "I don't know how much will be left of them [ChoicePoint]."
One problem that critics point out: Consumers might also limit their own ability to obtain credit. But that's a small price to pay for privacy and a more secure online identity.
Well, actually, there might be some methodological problems. It's hard to tell, since the survey costs $1,500. First, consumers often have mistaken information about security issues. Second, it's not clear if this was a survey of consumers who had suffered ID theft, or if second-hand data was accepted. No comparison to FTC data is provided.
The telephone survey of 4,000 consumers was done by the Better Business Bureau, and funded by eMarketer online. I called Sheila Adkins, CBBB's Associate Director, Public Affairs, but have not heard back., who called back, and gave me other folks to talk to. Not yet sure if I'll track this down for analysis.
Credit bureaus and information brokers will doubtless lobby Congress, saying changes to the rules will hurt their business. But Solove said their voices might not carry as much weight as they used to.
"They had their chance. They weakened the legislation, and, as a result, more than 10 million citizens are victims of identity theft every year," Solove said. "They got what they wanted, and it didn't work."
I must admit, I've considered doing this, but it's such a pain to find a bank that keeps everything on paper these days.
Pundits predict the imminent collapse of civilization, and a doubling of mortgage interest rates as US businesses fail to adapt.
Regardless of if you think this testing is a good idea, the students whose names, addresses, and social security numbers will be sent to Choicepoint have no say in the matter. The bus drivers might quit, but what are the students to do? Drop out of school?
``Let me begin by offering an apology on behalf of our company and my own personal apology to those consumers whose information may have been accessed by the criminals whose fraudulent activity ChoicePoint failed to prevent.'' Smith said.
And what a convoluted apology! How about "to those Americans who are worried about identity theft because we made a mistake?"
...``What we're hearing today is an industry still in denial, still doesn't recognize how many Americans value their privacy and are hoping to ride out this standard without having Congress make the changes necessary,'' said Markey.