Choicepoint, March 29-31

  • Alacrablog discusses a Morgan Stanley research report:

    Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers.

    There’s also an interesting post rounding up the SIA Anti-Money Laundering conference.

  • The Atlanta Business Journal reports that the Georgia House has passed a notification law.
  • Choicepoint may be developing an access system, according to a March 31 AP story that’s only been picked up by the Kansas City Star (bugmenot has logins):

    “You will receive the reports that we have on you,” Don McGuffey, the firm’s vice president for data acquisition, told the state’s Senate’s Banking, Finance and Insurance Committee on Wednesday.

    It doesn’t seem that they’ll be moving towards the right of correction. Rather, you need to convince whoever reported bad data to correct it, and they will update Choicepoint. (Based on past evidence.) Compare this to credit reporting agencies, who have to include your corrections or disputes. Michael Zimmer has comments as well.

  • Bruce Schneier quotes a Register article:

    Sadly, Congress’s response has been to increase the penalties for identity theft, rather than to regulate access to, and use of, personal data by merchants, marketers, and data miners. Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner.

    For this reason, it’s literally impossible for an individual to prevent identity theft and credit card fraud, and it will remain impossible until Congress sees fit to regulate the privacy invasion industry.

  • And Mark Earnest makes a similar point.
  • Finally, today’s Two Minutes Hate Irony is brought to you by “Ayn Rand is my Homegirl,” carrying a press release from

    Executive Alliance, Inc., the premier provider of leadership-recognition forums, today announced that it has named the Distinguished Panel of Judges for the first annual Information Security Executive of the Year (ISE) Midwest Awards(TM) 2005

    The judges panel includes:

    Rich Baich, Chief Information Security Officer, Winner of the 2004 ISE in Georgia Award™, ChoicePoint …
    Leo Cronin, Senior Director, Information Security, Finalist of the 2004 ISE National Awards™, LexisNexis Group

    Apparently, UC Berkeley doesn’t have a CSO.

My Choicepoint posts all show up in the Choicepoint category archive.

“Public Availability of Private Information”

Screendiscussion makes a case for criminal records searching as an adjunct to a background check:

One of the biggest downsides is that the records can only be searched by name, an occurrence that is becoming more common even at the lower courts. This might not be a problem if the name being searched is pretty unique, but if someone has been cursed with a common name then look out.

While it makes sense to curb identity theft by not providing a person’s name, date of birth and Social Security Number to the general public, in practice it’s a double-edged sword. Identity theft is limited, but it also means that an employer has to deal with how to use the information in deciding whether or not to make a job offer. There have been plenty of situations where a person wasn’t offered a job because of faulty information retrieved in a background check, and this newer practice doesn’t help things much.

I think the problem with this is that it’s a self-fulfilling prophecy: As national criminal background checks become possible, for liability-avoidance, they become mandatory. As they become mandatory, more and more data is made public. But they’ll never be perfect. So should we be going in that direction, or choosing to keep background checks expensive, so that employers are less tempted to perform them?

Three Times is Enemy Action

With the announcement yesterday of a stolen laptop with 30 years of alumni social security numbers on it, and the October break-in that led to 1.4 million people being exposed, how long until California forbids the University from holding such numbers? Clearly, they’re not to be trusted; students have no choice but to provide that information; government action is called for.

P2P, Filenames

The other day, Samablog and I did some P2P mining, after Michelle Malkin blogged about it. She links to P2P Provides Safe Haven For Pedophiles. There, Rick shows screen captures of extremely disgusting file names (“2 yo getting raped during diaper change”). He doesn’t download any files, but takes this as evidence for his title.

I don’t want to defend such sick behavior, but there are some things worth thinking about. First, are these files what they purport to be? That is, are they child porn, or are they trojan horses carrying spyware or viruses? (They could also be 5 minutes of someone screaming “You sick, sick bastard! Go get help!”) Second, are they being distributed by law enforcement or investigative agencies, who log every search and transfer?

So, it’s pretty quick and easy to come up with interpretations of the evidence that aren’t “P2P Provides Safe Haven For Pedophiles.” I have no interest in downloading such files to test the “alternate content” theories. An interesting test would be to run such searches, and dig into the IP addresses sharing such files. Maybe they are law enforcement?

Optimism about the Future

I was talking to someone about a New York Times story “U.S. Is Examining a Plan to Bolster the Rights of Detainees.” The story contains the line:

Those changes include strengthening the rights of defendants, establishing more independent judges to lead the panels and barring confessions obtained by torture, the officials said.

I made a snide comment about just including those confessions in the secret evidence that we won’t show defense attorneys. He commented that it’s actually a step forward, and he’s right. I am deeply saddened that the United States is taking a step forward to exclude torture-derived evidence, but glad that things are heading back towards normal.

The pessimist in me says that there are liberties that we’ll never regain. The banking system is probably permanently tied to “know thy customer” rules. Air travel will never again be as easy as it was. Tourism will never get back to where it was. The psychological intrusiveness of measures chosen for the US Visit program deters visitors from coming to the US. Even if you think the program is useful, it could have been better implemented. Poor choices include fingerprinting vs other biometrics such as hand geometry which aren’t associated with criminality, and the extensive secondary uses of data, so that it continues to track you through your entire life, not just your entry and exit to the US.

We don’t know what great things might have happened with the liberty that we’ve lost. We’ve chosen to accept fear over hope. To allow fear and pessimism to infect our thinking. I’ll try to do better. To laugh at the fearmongers, rather than cry. To pursue happiness.

Choicepoint, March 27-28

  • EPIC has obtained documents which…

    … reveal that Choicepoint proposed the sale of detailed personal information to the Bureau for law enforcement purposes. The documents show an extraordinary range of data sources, including e-mail registration, cookies, spyware, employment screening reports, motor vehicle records, drug screening results, professional licensing, Social Security Numbers, wireless phone records, and calling card data. One memo also discussed the availability of information on Europeans, Latin Americans, Asians, and Africans.

    (Via McGeek)
    Choicepoint, meanwhile, denies that this is against the law, but not that the offer was on the table.

  • Hank Asher, founder of Database Technologies (involved in the Florida voting scandal) and later Seisint, makers of MATRIX, has settled five lawsuits with various companies, including Choicepoint, according to this mysterious press release. Some lists of motions are online. (Thanks N!) South Florida Business Journal has an article:

    “A big part of why I settled the case is it would take three, four, five years to litigate,” Asher said. “I don’t know how much will be left of them [ChoicePoint].”

  • Former Wal-Mart director Thomas Coughlin, who has resigned after improprieties, remains in charge of Choicepoint’s Audit committee, according to the Atlanta Journal Constitution.

The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

Emergent Predictions

  1. By the end of 2005, we will have had a month with at least 30 disclosures of serious security breaches, making private information about people available.
  2. At least 10 of these breaches will involve data which organizations are required by law to store and protect.
  3. This will cause a set of Congressional hearings, in which the current data retention standards will be questioned. No reduction in government-mandated data collection will result.

Watch Lists: Juan Carlos Merida

Juan Carlos Merida is an unusual victim of the watch lists. He knows why he’s on one. As the New York Times reports, while a volunteer at the Airman Flight School, he gave rides to lots of students. The students he gave rides to included Zacarias Moussaoui, who is currently awaiting trial on suspicion of being a part of the Sept 11th attacks.

But even knowing why he’s on the lists isn’t helping him clear his name.

Update: Michael Froomkin caught a detail I skimmed over, and its implications, in “The Insidious Effects of Security State Blacklists.”

I’ve discussed the concept of watch lists before.

RFID Kills

The US Government is pushing a plan to add radios to every passport in the world. These radios will broadcast all the information in your passport to any immigration officer, ID thief, or terrorist who wants it.

Want to see if there are more Americans on the right or left side of the plaza? No problem. Uncle Sam is helping the terrorists. There is no good reason for this. Canada, Germany, the Netherlands and Britain have all opposed this. The technical term for these chips is RFID, but really, they’re just small radios that invite thugs and terrorists to attack you as you travel abroad. If we need electronic chips in passports, they don’t need to include radios. I’ve never even seen anyone make an argument for the radios.

I’ve covered this in RFID Passport data won’t be encrypted and The Open Passport, and in small bits have pointed to articles by Ian Grigg and Ryan Singel.

Bill Scannell has set up a web site to make it easy to send your comments to Uncle Sam. Take five minutes and tell them: No RFID chips in passports. They don’t make sense, and RFID Kills.

Framing Effects & Law Reviews

Framing effects is the term academics in a variety of fields use for the contextual effects on perception. For example, six months ago, this laptop went for $4,800, and now it’s just $3,500! Similarly, law reviews, where lawyers write for each other, are usually exceptionally long, from my perspective. And so we get Orin Kerr saying:

Fun, Entertaining, Clever, and Short: Believe it or not, that’s a description of a forthcoming law review article. Yes, a law review article. Check out The Perfect Crime, by law prof Brian C. Kalt, forthcoming in the Georgetown Law Journal. It clocks in at 22 amusing double-spaced pages…

Yes, in law review-world, that’s short. In my world, this is slightly fun, mildly entertaining, clever in a sort of self-referentially post-modern fashion and short, at slightly over 22 words.

Small Bits: Long tunnels, Marburg virus, Cyber Cons

  • Iraqi prisoners have dug a 200m tunnel out of one of the US run prisons in Iraq. The BBC has pictures.
  • The Marburg virus is spreading in Angola. Marburg is an Ebola-like haemorrhagic agent. Some analysis.
  • Charles Cooper has some commentary ranting about the state of the information security industry at cnet:

    It’s tempting to become cynical about so sensitive a subject, but the blunt truth is that Americans care more about the ultimate outcome of “American Idol” than they do about repairing the nation’s IT infrastructure. Outside of the confines of the security nerds who live and breathe this stuff, most folks are bored silly by the subject.

  • If you’re not bored silly by this stuff, Not Bad for a Cubicle has a nice post on The Costs of Keeping Data. If you’re responsible for security programs, you should read what he says about your costs and risks.

Lying to Congress, Murdering Prisoners Now Legal

Ryan Singel reports that lying to Congress is now legal, at least according to TSA spokeswoman Amy Von Walter. “Von Walter also indicated the agency is working to make sure that the public and Congress are better informed about the agency’s actions.”

In other news, the Pentagon will ignore the recommendation of the Army Criminal Investigation Command to try the soldiers responsible for the deaths of detainees. Michael Froomkin has commentary.

Next up, sending prisoners to Egypt, and then seven or eight other things.

Choicepoint, March 24/25

  • The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches.
  • Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart:
    “A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards.”

  • [Choicepoint CEO] Derek Smith has apparently received threats via fax, according to TV station WXIA Atlanta. Here’s a cheat sheet for you:
    • Denying his job application because of a Texas criminal record: Entertaining.
    • Sending him Nigerian spam from a Kinko’s in LA: Self-referentially ironically cool.
    • Sending threats: Not cool.
  • Scott Berinato has a column at CSO Magazine calling this the Waterloo of information security. (Is there a permalink to that column?)
  • The Christian Science Monitor has an editorial entitled “Locking Out Identity Thieves.” The subtitle is “Why are data collectors blocking efforts to require notice of a security breach?”

    One problem that critics point out: Consumers might also limit their own ability to obtain credit. But that’s a small price to pay for privacy and a more secure online identity.

The best way to see all my Choicepoint posts is probably the category archive for Choicepoint. [Update: added Berinato column, 2: Identified Smith]

Security In a Changing Nation

Screendiscussion responds to my comments about “Three Privacy Breaches” in Security In a Changing Nation. He sums up his argument as “Why? The reason is that we, as a nation, have become extremely security conscious in the past few years.” I think this is only partially correct. I suspect that this is part of it. Perhaps that consciousness also entails an understanding that no one is perfect? That the attacker only needs to win once? That a cover-up is a worse sin than a mistake?

I suspect it’s the last bit: We’re coming to see security mistakes as mistakes, that will happen. I think we need to start designing systems with that in mind.