Choice Point Screening

Stamford Police said Jevene Wright, 29, created a fictitious company called “Choice Point Screening” and submitted false invoices for background checks that were submitted to Noble Americas Corporation, an energy retailer firm located in Stamford. (Patrick Barnard, “The Stamford (CT) Patch“)

I don’t want to minimize the issue here. Assuming the allegations are correct, the company’s assurance in their trust of their employees is diminished, they may face compliance or contractual issues, and they’re out at least 1.4 million dollars, most of which has likely been spent. A good number of folks are having bad days, and I don’t want to add to that.

At the same time, I do have a number of comments.

First, Those background check services sure are expensive! I wonder how many people that was.

Hmmm, according to their website, “In the past six years Noble has grown from 1,500 employees to over 14,000.” I do wonder how many of the “background checks” came back with false allegations of past misconduct. If there were 14,000 people with no red flags, isn’t that something of a red flag in and of itself? I also wonder (in a law school hypothetical sort of way, and assuming with no evidence that Wright or an accomplice fabricated false reports on some people so that his fraud went undetected) what sorts of claims might be available to those denied employment based on those untrue statements?

Second, there’s something of a natural experiment here that lets us assess the value of background checking. Assuming Noble Americas Corporation runs a second set of background checks, I’m very curious to know how well spent that $2m* will have been: how many employees do they fire, having learned of something so heinous that the employee can’t be kept, and how many do they fire, having been handed a reason to get rid of a poor performer? (Naturally, those 2 numbers will be rolled into one.)

Lastly, there’s an interesting social engineering angle here. There’s a real company “ChoicePoint” now part of LexisNexis. (ChoicePoint was made famous for their awesome handling of a 2003 data breach, which this blog diligently covered.) So when naming a false background check company, Choice Point Screening seems like it might be a new brand for the company. An auditor, seeing all those background checks, is unlikely to focus in on the extra space. It’s a nice touch.

Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail at seemingly random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard.

I call this my law of perversity in computer security.

Today, Kashmir Hill brings a great example in “So which is it?”

Privacy online

Contradiction much? When it comes to the state of online privacy, the media tend to send mixed messages, but this is one of the more extreme examples I’ve seen.

It’s just perverse: it’s hard to be sure when someone wants to rely on the data to protect kids, but it’s easy (for marketing firms) when we prefer to remain private.

Chaos Emerges from Demanding Facebook Passwords

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing.

In “I hereby Resign“, Raganwald discusses the downside to employers of demanding to look through people’s Facebook profiles:

I got her out of the room as quickly as possible. The next few interviews were a blur, I was shaken. And then it happened again. This time, I found myself talking to a young man fresh out of University about a development position. After allowing me to surf his Facebook, he asked me how I felt about parenting. As a parent, it was easy to say I liked the idea. Then he dropped the bombshell.

His partner was expecting, and shortly after being hired he would be taking six months of parental leave as required by Ontario law. I told him that he should not have discussed this matter with me. “Oh normally I wouldn’t, but since you’re looking through my Facebook, you know that already. Now of course, you would never refuse to hire someone because they plan to exercise their legal right to parental leave, would you?”

I think it’s a fascinating bit of chaotic blowback, and one that employers and applicants will be exposed to more and more as “social network background check” services help focus what search engines or marketers can already tell us.

In other words, be careful what you ask for, you might just get it.

For the first time in a long time, I’m tempted to set up a Facebook account.

Best autoresponse message

As Brad Feld says, this is the best auto-responder in a long time:

I am currently out of the office on vacation.

I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me and I can respond if I need to. And I recognize that I’ll probably need to interrupt my vacation from time to time to deal with something urgent.

That said, I promised my wife that I am going to try to disconnect, get away and enjoy our vacation as much as possible. So, I’m going to experiment with something new. I’m going to leave the decision in your hands:

If your email truly is urgent and you need a response while I’m on vacation, please resend it to interruptyourvacation@example.com and I’ll try to respond to it promptly.

If you think someone else at First Round Capital might be able to help you, feel free to email my assistant, Fiona (fiona@firstround.com) and she’ll try to point you in the right direction.

Otherwise, I’ll respond when I return…

Warm regards,
Josh

It avoids any lies, and drives responsibility and choice onto the sender. You can learn a lot about senders this way. It’s probably better than many background checks.

Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants.

Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, BBC)

What’s interesting to me about this story is that it illustrates how part of the cost of using Facebook is the occluded future. If you’d asked me if Facebook impacted on military draft, I’d have said no. Predictions are hard, especially about the future. And the young women in question probably didn’t think that their use of a social networking site would cause them to be drafted.

A second interesting aspect to this is that it indicates that one’s Facebook profile, in aggregate, is a religious identifier. That’s interesting because religious information is categorized specially under the Canadian privacy act (PIPED) and possibly also under European data protection laws. I haven’t seen this aspect covered in the analyses that I’ve read from those regulators. (Admittedly, I have not read all of those analyses.)

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds:

The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed to solve violent crimes and missing persons cases.

Civil libertarians call the database — which increasingly includes everyone convicted of every federal law, legally innocent people awaiting trial and non-citizens detained in the U.S. for any reason — unnecessary and unconstitutional.

And yet a review by the Department of Justice’s Inspector General released on Monday concludes that the need to analyze and upload some 96,973 or more DNA samples a year into that database is contributing to a backlog of forensic DNA cases that stood at 3,211 in March.

That translates into a delay of about 150 days to over 600 days for law enforcement agencies who need answers right away.

We need to defund the database and use that money for something more useful, like getting that 150 days down to 5 or 10 for active criminal cases.

Via Michael Froomkin, “FBI Prefers Building DNA Database to Solving Crimes

How not to address child ID theft

(San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account.

Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (…)

The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if
the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor.

That’s from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken.

Today, the credit agencies don’t get lists from the SSA. This is a good thing. There’s no authorization under law for them to do so. The fact that they’ve created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems.

The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a drivers license, passport or birth certificate.

Here’s how it would work:

  1. Alice turns 18.
  2. Alice applies for credit and discovers she has a credit history
  3. Alice calls the big three credit agencies and gets a runaround explains she’s just turned 18, and apparently has credit from when she was 13.
  4. The credit agency asks for documents, just like they do today (see “when do I need to provide supporting docs”)
  5. The credit agency looks at the birthday they’ve been provided, and substracts 18 years from the year field.
  6. The credit agency removes the record from the report

It’s easy, and doesn’t require anything but a change in process by the credit bureaus. No wonder they haven’t done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam.

Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores.

I’d like to add one more danger of credit scores: deceptive advertising. The way it works is that a bank advertises a great rate for those with “perfect credit.” What it doesn’t advertise is what the curve of credit scores versus rates looks like. There are two issues here. The first is that the market is inefficient, as figuring out what actual rates are often involves talking to a human, and usually disclosing enough personal information to make a fraudster drool. Inefficient markets favor the side with more information (the loan offerer) and lead to less trade than more transparent markets.

The second issue is that everyone is mislead by the headline rate. I’ve looked for data on what fraction of Americans are listed as having “perfect credit” or data on the distribution of interest rates people are really paying, and I’ve been unable to find it. For publicly traded companies, it’s sometimes possible to reverse engineer some of this, but not very much.

Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer problems.” See “Local computer security expert investigates police practices” in the Seattle PI. Some choice quotes:

…a charge was leveled against him in Seattle Municipal Court for obstructing a public officer. Controversial laws known as obstruction, “stop and frisk” and “stop and identify” statutes have been abused in other cities like New York, studies and news stories show. An obstruction case cited in a 2008 Seattle Post-Intelligencer investigation ended with a federal jury hitting Seattle police with a six-figure penalty.

Rachner’s criminal defense attorney sought dismissal of his gross misdemeanor charge, citing the Washington State Supreme Court decision that says arresting a person for nothing more than withholding identification is unconstitutional. One reason cited by the court: This practice allows police too much discretion to pick targets and punish with arrest. Also, the state constitution is more protective of these rights than the U.S. constitution.

The microphone picks up Letizia explaining the arrest to Rachner and a police sergeant, citing only the failure to provide identification as the reason Rachner was in handcuffs. No other provocations before the arrest were documented.

“The explanation is our servers failed,” said Seattle Police spokesman Sgt. Sean Whitcomb. “Data was lost, more than his, and it took some time to recover it.” “There is absolutely nothing in the activity log to support that claim,” said Rachner. “Moreover, if the video was unavailable, it was dishonest of them to claim the video could no longer be obtained because it was past the 90-day retention period. It is completely at odds with what they told me in writing.”

I say these are lies because their story keeps changing.

I hate paying the salaries of people who can’t tell me the truth, and I think I’ll be writing city hall for an explanation. If you live in Seattle, I suggest you do the same.

Credit Checks are a Best Practice in Hiring

The New York Times reports that “As a Hiring Filter, Credit Checks Draw Questions:”

In defending employers’ use of credit checks as part of the hiring process, Eric Rosenberg of the TransUnion credit bureau paints a sobering picture. [...]

Screening the backgrounds of employees “is critical to protect the safety of Connecticut residents in their homes and offices, in their cars and in all other places they travel,” Mr. Rosenberg testified to Connecticut legislators in February 2009, explaining why TransUnion markets its credit reports to employers.

Trouble is, researchers say there is no evidence showing that people with weak credit are more likely to be bad employees or to steal from their bosses, a fact that Mr. Rosenberg himself later admitted.

“At this point we don’t have any research to show any statistical correlation between what’s in somebody’s credit report and their job performance or their likelihood to commit fraud,” he said in separate testimony to Oregon legislators in January.

But please keep sending Transunion your money, they really like your money, and it makes them happy.

So why do I say it’s a best practice? Because most best practices, like this one, seem to be good ideas, but actually have no evidence that they work. It’s like torture. There are people who think torturing people helps prevent terrorist plots, but there’s no evidence for that, and lots of evidence it undercuts our security. People keep advocating anyway.

Businesses would actually be better off sending their money to TransUnion and not getting the credit report: that way, all those people they reject for the wrong reasons would still be in their hiring pools.

Businesses would be even better off spending their money on something that protects them or their customers.