Mea Maxima Culpa

In posting yesterday about Debix, I should have disclosed that I have
personal and financial relationships with the company.

In addition, I was one of the 54 people in the test, and my fraud
alerts did not set properly. I should have disclosed that as well.

I apologize for the oversight.

My thanks to Mr. X for commenting that I didn’t seem my usual skeptical self in my posting. I had planned to disclose this in the post, as I have in prior mentions of Debix (“Lost Data Matter” and “Introducing Debix”). For clarity, I am no longer on Debix’s Technical Advisory Board. As I said when I announced that I’m Joining Microsoft, “I want to be clear that [the decision to leave advisory boards] is about the tremendously cool opportunity within Microsoft, not a lack of confidence or enthusiasm for the companies I have had the pleasure of working with. I remain enthusiastic, and wish all of them great success.”

An Odd IDology

So over at the “ID Space,” jdancu (who I assume is John) writes some responses to questions I posted to Kim Cameron’s blog. The article is “Knowledge Verification In Practice…” Kim also has a response, “Law of Minimal Disclosure or Norlin’s Maxim?”

Since this is part of a continuing conversation, let me summarize by stating that I don’t think any of my questions have been clearly answered, and I think John’s use of language is substantially divorced from mine, and, I think, from general usage.

I’ll start with consent. I wrote: “[These systems] are non-consensual for the consumer. Companies such as IDology make deals with other companies, such as my bank, and then I’m forced to use the system.”

First, because we (the consumers) have voluntarily submitted our information with the intention of entering into a business transaction, we have given our consent for the business to verify the information we’ve presented.

That’s an odd definition of consent. I’ve submitted information which I hope will be used to fulfill a transaction. I have not consented* to transferring that data to a third party for ‘verification’ or analysis. I’ve consented to the reasonable and predictable uses of that data, which don’t, in my professional and personal opinions, include grubbing through other databases. What if I don’t consent to having the data verified?

Let me tell you, having just moved, my data doesn’t “verify.” The databases are wrong, out of date, and confused. I am forced to feed them a pack of lies in order to get anything done.

More after the break.


40% of Fraud Alerts Don’t Propagate

[Update 3: I should have disclosed affiliations with Debix in this post. See "Mea Maxima Culpa."]

Debix is reporting that 40% of fraud alerts don’t propagate between all three major credit agencies. You remember those fraud alerts? They’re supposed to protect you from identity theft, right? Well, let me let you in on a secret.

Identity theft is the best thing to happen to the credit agencies since the creation of the SSN.

Identity theft helps them sell more products, like identity verification tools, to their customers. It creates a new line of consumer business, people who will often happily pay them $10 a month to tell you what lies they’re spreading about you.

Is it any wonder that the alerts don’t propagate? Is it any wonder that they’ve been sitting on this knowledge?

I’m very excited about the emergence of companies like Debix, who are not responsible for the problem, but are helping us understand and fix it.

[Update: The New York Times covers this, “ID Security Company Finds Snags in Fraud Alert System.”] [Update 2: Bob Sullivan has a story at MSNBC, “Fraud Alert System Broken, Study Says.”]

Nick Szabo is on a Roll

When I started blogging, I wanted to say one interesting and insightful thing per day. I still do, and so say several things in the hopes that one of them is interesting. Nick Szabo, on the other hand, has apparently been storing them up, and is on a roll lately:

“Book consciousness,” on the effects of the rise of the printing press, “Charters and judicial review,” on the history of English law, and “Conservation of rights.”

Breach numbers

I just got a response from North Carolina to my freedom of information request, asking for records pertaining to security breaches resulting in the exposure of personal information. North Carolina requires that such breaches be reported centrally.

The data were sent in printed form, in a table obviously derived from a spreadsheet. I hope to obtain that spreadsheet when I call tomorrow, but for now, here’s what I have:

The date range is December 19, 2005 through July 21, 2006. There are 41 incidents, totaling 231,373 North Carolina records.

By comparison, New York provided me with information on 29 incidents from December 15, 2005 through approximately March 10, 2006, exposing 217,795 New York records.

Let’s have some fun, bearing in mind that this isn’t intended as scholarship, and I didn’t check my figures:

Incidents per day (NY/NC): .34/.19
Exposed records per day (NY/NC): 2562/1081

Now if we normalize that last figure by taking state population into account:

2562/(1081*2.3) = 1.03

Now that is a cool result (even if it is a coincidence!) ;^)

[Updated 8/22 to clarify what kind of info this is. Thanks, Ian!]
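The rate calculation above, written out as an added example (not part of the original post) so the hidden day counts and the meaning of the population normalization are explicit. The incident counts, record totals and date ranges are the post’s figures; the NY/NC population ratio of 2.3 is taken from the post as given, not re-derived.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BreachSeries:
    """Breach disclosures reported centrally to one state over a date range."""
    state: str
    start: date
    end: date
    incidents: int
    records: int

    @property
    def days(self) -> int:
        # Simple end-minus-start day count, which reproduces the post's rough rates.
        return (self.end - self.start).days

    @property
    def incidents_per_day(self) -> float:
        return self.incidents / self.days

    @property
    def records_per_day(self) -> float:
        return self.records / self.days


def per_capita_ratio(a: BreachSeries, b: BreachSeries, pop_ratio: float) -> float:
    """Exposed records/day of `a` relative to `b`, after scaling `b` up by
    pop_ratio = population(a) / population(b).  A value near 1.0 means the two
    states expose records at about the same per-resident rate."""
    return a.records_per_day / (b.records_per_day * pop_ratio)


# Figures as stated in the post (the NY end date is approximate in the original).
NC = BreachSeries("NC", date(2005, 12, 19), date(2006, 7, 21), 41, 231_373)
NY = BreachSeries("NY", date(2005, 12, 15), date(2006, 3, 10), 29, 217_795)
POP_RATIO_NY_NC = 2.3  # the post's number, assumed here rather than recomputed

if __name__ == "__main__":
    for s in (NY, NC):
        print(f"{s.state}: {s.days} days, {s.incidents_per_day:.2f} incidents/day, "
              f"{s.records_per_day:.0f} records/day")
    print(f"NY/NC per-capita exposure ratio: "
          f"{per_capita_ratio(NY, NC, POP_RATIO_NY_NC):.2f}")
```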

AOL data release fallout

AOL’s CTO has “decided to leave” the company, “effective immediately”, according to an email message sent to remaining employees by CEO Jon Miller.
Additionally, CNet news reports that the researcher who posted the data, and the researcher’s supervisor (a direct report of ex-CTO Maureen Govern) have been fired.