Two Minutes Hate: Choicepoint

choicepoint-logo.jpg

This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration’s Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI — though it is better described as the creation of a private KGB.

The leader in the field of what is called “data mining,” is a company called, “ChoicePoint, Inc,” which has sucked up over a billion dollars in national security contracts.

Read “The Spies Who Shag Us,” by Greg Palast. Don’t miss the bits about who’s the number one supplier of DNA to the FBI.

Breach Notification, the New Normal, and a New Metaphor

overflowing-dam.jpg

Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not.

Wow. Fifteen months since Choicepoint, and that’s being written? There’s a new set of expectations out there, and it hasn’t taken long to set. Thank you, Choicepoint. The quote leads an article, “Are Banks Required To Give Notice of Database Hacks?” on San Diego Business Lawfirm.

Thanks to the Privacy Law Blog, we know that Arizona and Colorado have passed new breach notice laws. Arizona has taken a broad definition of breach in Senate Bill 1338:

“Security Breach” means “an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information… and that causes or is reasonably likely to cause substantial economic loss to an individual.”

Colorado meanwhile, has enacted House Bill 1119, which contains a “fox guards the henhouse, and sits in the alarm booth” clause:

The new law requires to businesses to conduct, in good faith, a reasonable and prompt investigation into a security breach, and unless it determines that misuse of the personal information has not occurred and is not reasonably likely to occur…

I think it would be remarkably risky to invoke that clause. Business should ask, who owns that liability if someone makes a mistake? The Center For Policy Alternatives has Model Identity Theft Legislation that doesn’t contain this clause. In my non-lawyerly opinion, that speaks to the new norms, and the burden of proof that companies are being asked to develop in a short time, under extreme pressure. Who wants these clauses, anyway?

These questions hold up a national law, according to Computerworld, “Analysis: Data breach notification law unlikely this year.” Such delays are a good thing, because they give the new norm time to set, and for people to become accustomed to breach notices.

The overflowing dam photo is by Firesign, on Flickr. Come to think of it, maybe an overflowing dam is a better metaphor than a breached one: there’s so much data collected that organizations can’t hope to control it?

 

DHS Spokesman Brian J. Doyle Arrested

brian-doyle.jpg

The deputy press secretary for the Department of Homeland Security was
arrested last night on charges that he used the Internet to seduce an
undercover Florida sheriff’s detective who he thought was a
14-year-old girl, the Polk County Sheriff’s Office said.

Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45
p.m. and charged with seven counts of using a computer to seduce a
child and 16 counts of transmitting harmful materials to a minor,
according to a sheriff’s office statement.

See “DHS Spokesman Is Accused of Soliciting Teen Online” at the Washington Post.

While I hate to make light of such a disturbing story, it’s a good thing Choicepoint screened all those TSA employees, to make sure no bad people get through. (Doyle worked for TSA before moving to DHS.)

Google to Acquire Choicepoint

Mountain View, CA., April 1 /PRNewswire/ — Google today announced plans to acquire Alpharetta, GA based Choicepoint. Choicepoint, 2005 winner of the “Lifetime Acheivement” Big Brother award, is a data warehouser which collects information on everyone it possibly can, and re-sells it widely. “Google’s mission is to “organize the world’s information and make it universally accessible and useful.”

Google CEO Eric Schmidt said “We’re always on the look-out for large databases that we can use to better serve our customers. We used to have access to Choicepoint’s data, but the “due diligence” people they kept sending would burst into flames the minute they hit our “no evil” barrier. After seven or eight of those, we couldn’t believe it was coincidence any longer, so we just bought them.”

Choicepoint CEO Derek Smith (according to the merged database, the two are 17th cousins, three times removed) said “Our missions are remarkably similar. We bring in every scrap of data we can, and never throw anything away.”

“I fully support the synergies and customer choice made possible by the merger,’ said Chris Hoofnagle, privacy advocate and newly-appointed director of privacy oversight for the program. ‘The merger will bring value to consumers and shareholders, and it has pre-approval from Truste.’

The move is expected to substantially improve Google’s relationship with governments around the world.

True.com Sent ‘Race-Customized’ Valentines

true-targeting.jpg

How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how True.com could know which version of its e-mails to send to which users?

So writes Hannah Rosenbaum in “True.com Uses Adult List to Send Targeted Valentine’s Day E-mail.” I’m going to disagree. It is wrong to track the color of people’s skin and use it as part of your decision making process. It’s wrong at the surface, and it’s wrong in very deep ways. It may even be wrong with explicit consent, which ‘True’ certainly didn’t have.

Speaking of wrong, I’d mentioned the lovely people at ‘true’ before, in “Choicepoint, March 21.” I wonder if their data on race is any better than their criminal background histories? Siteadvisor’s one data point per person is a beautiful way to watch the flow of data behind the scenes, but it fails to capture the rich tapestries of our lives, the poor quality of the data (what we used to call garbage-in, garbage-out), or how companies cope with the chaos.

Thank You, Choicepoint

It’s been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in “Database giant gives access to fake firms,” and managed to presage much of what’s happened in the opening paragraphs of his story:

Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by “unauthorized third parties,” according to ChoicePoint spokesman James Lee.

California law requires firms to disclose such incidents to the state’s consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.

Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.

I raised the question of other states the next day on a panel at the RSA Conference, and have been getting milage out of Choicepoint and breaches ever since. I’d like to take a moment to look back at what’s happened, what we’ve learned, and yes, to honestly thank Choicepoint for the dramatic changes in international privacy law and norms that they’ve brought about. Derek Smith, Choicepoint’s CEO, had been fond of calling for a national debate. I don’t think he anticipated the answers that debate has produced.

  • The first result of the debate is 20 new laws, as summed up by the National Conference of State Legislatures. These new laws, and the breaches that we learn about because of them are an important window into the true and pathetic state of data security.
  • Remarkably, we have no new law which is explicitly about limits on collection, use, or accuracy of data held by businesses. When I say explicitly about, I mean a law such as Dan Solove and Chris Hoofnagle have laid out in “A Model Regime for Privacy Protection” and I’ve discussed such things much more briefly in “New American Privacy Law: What Could it Say?
  • Those laws, and the new expectation of disclosure have lead to enough data coming out that it can be analyzed. What’s more, analysis, mostly by the Ponnemon Institute, has helped define how to disclose these issues.
  • Choicepoint stock has still not recovered, despite a plethora of actions designed to boost it, including stock buybacks. The largest fine ever imposed by the FTC didn’t help. Choicepoint, despite the increased brand recognition, also faces increased scrutiny, as I discussed in “Cost of Breaches,” and the Bode cancellation, mentioned in the November 7th “Choicepoint Roundup.”
  • Speaking of stock, the SEC investigation into insider trading by Choicepoint executives continues.
  • To improve their reputation, Choicepoint has stepped up their internal audit processes, annoying some customers, as discussed in “CounterTerroristm and Bureauracy.”
  • In “Why Choicepoint Resonates,” I analyzed the news story, and am both happy with my analysis, and note that Choicepoint really should have talked to their trademark attorneys when I told them to, in “Cardsystems and Choicepoint.”
  • Finally, due to certain irregularities arising from background checks, “Choicepoint’s acquisition of Emergent Chaos” has been cancelled.

And so, for all these things, a hearty thank you to Choicepoint.

Choicepoint to Pay $15M Fine

Atlanta-based data aggregator ChoicePoint today agreed to pay $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans.

The settlement addresses a pair of lawsuits filed against ChoicePoint by the Federal Trade Commission and represents the largest civil penalty ever obtained by the agency.

Via Brian Krebs at the Security Fix blog.

Insurance Claims and Privacy

One of the biggest issues I have with the gossip industry is how behavior that seems normal and expected is entered into databases and is used to judge us in unexpected ways. As the Tampe Tribune reports in “Insurers’ Road Service Could Prove Costly:”

TAMPA – Andrea Davis can’t understand what two flat tires and leaving the keys in her car have to do with being rejected for auto insurance.
The answer lies in the optional emergency road service coverage the Lutz resident was persuaded to buy from her insurer, Geico, for $12 a year. The bargain rate, one-fifth the cost of emergency road service from AAA, turned out to be no bargain at all.

“They said I had too many claims,” said Davis, a public relations manager with a perfect driving record. “I didn’t meet their eligibility requirements.”

Insurance companies use a centralized database with tens of millions of records on U.S. motorists called Comprehensive Loss Underwriting Exchange. The data are maintained by Atlanta-area-based ChoicePoint, one of the country’s biggest compilers of consumer data.

Costs of Breaches

The Ponemon Institute continues to analyze the cost of breaches. Their latest work is distributed by PGP, Inc. The work that they’re doing is quite challenging and useful, but is unlikely to be a complete accounting of the costs. For example, what’s the real cost of the brand damage done to Choicepoint?

Along with several other data brokers, ChoicePoint has been accused in Florida of violating the federal Drivers Privacy Protection Act by selling motor vehicle records to marketers and other inappropriate buyers. (The act was designed to keep burglars and stalkers from obtaining motorists’ home addresses based on license plates they spotted on the road.) A request for class-action certification is pending in federal court.

The California DMV says it first heard from ChoicePoint in October 2004, when the company requested access to all drivers’ license records. The state rejected the request out of hand, says Armando Botello, a DMV spokesman.

From LA Times, “Big Data Broker Eyes DMV Records.”

Choicepoint’s Custom Products

I appreciate all the notes you’ve been sending me telling me about “FBI, Pentagon pay for access to trove of public records.” I’d love to have something insightful to add to this, but I don’t. Ryan Singel has a bit more:

The article, which relies on heavily redacted documents acquired through an open government request, raises questions about whether the Privacy Act — which largely prevents secret databases on American citizens — means anything if the government can simply outsource that data collection to a company like ChoicePoint.

If you’re surprised that the US has no effective privacy law, I suggest you read more of the archives.

How Much Goodwill is 17,000 Letters Worth?

The Seattle Post Intelligencer reports that “ChoicePoint warns consumers about fraud:”

ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud.

The story comes from the company’s latest 10-Q filing, which also lists an increase in “goodwill” from $824 million to $908 million. (Thus the title, which is courtesy of Rob.) Close watchers of the company might be interested in the “10. Goodwill and Intangible Assets” section, which explains that the newfound goodwill is a result of various acquisitions, and also puts some value on “Purchased data files.” Also of interest in any modern Choicepoint SEC filing is the “legal proceedings” section.

Choicepoint Roundup

Well, I’ve tried going cold turkey, but wasn’t getting positive reinforcement, so I stopped.

  • Let’s start from the positive, shall we? Chris Hoofnagle of EPIC is quoted in a positive light in “ChoicePoint says it’s securing public’s personal data better” in the Atlanta Journal Constitution.

    Now that that’s out of the way.

  • Science Daily tells us that the Illinois State Police have cancelled a contract with Choicepoint subsidiary Bode, citing lack of quality control in their DNA testing, in “Illinois police say lab’s work faulty.” The Washington Post also reports on the story, in “Ill. Police Claim Lab Botched DNA Tests“:

    Illinois authorities conducted quality checks on 51 of 1,200 rape kits Bode had said contained no semen, Brown said. They discovered that 11 of the tests, or nearly 22 percent, had simply failed to detect the semen.

  • The San Jose Mercury news “Man faces more charges in ChoicePoint fraud scheme:”

    A Nigerian man who pleaded no contest earlier this year for his role in a fraud ring that stole data from ChoicePoint Inc. has pleaded not guilty to six new charges, authorities said.

    Olatunji Oluwatosin, 42, was charged last week in Superior Court and has pleaded not guilty to additional counts of identity theft, conspiracy and grand theft. If convicted of all the charges, he could face up to 18 years in prison.

  • The LA Times reports that “Choicepoint Signals Stepped-Up Probe,” that the SEC is now “investigating,” a step-up from its former “informal inquiry.”
  • The Chicago Tribune carries (reg-free!) a story from LA Times reporter Joseph Menn, “Firms Hit by ID Theft Find Way to Cash In on Victims:”

    Elizabeth Rosen was plenty angry when ChoicePoint Inc. sent her a form letter acknowledging that crooks might have perused some of her most sensitive personal and financial data.

    But the Hollywood nurse was flabbergasted when the company, one of the nation’s largest collectors of consumer records, also offered to sell her some of the same information so she could see what might have been compromised.

    He goes on to discuss the petulant manner in which the industry is implementing the FACTA rules:

    “We don’t make use of domain names that are close to, or are misspellings of, ‘annualcreditreport’ to try to create business,” said TrueCredit President John Danaher. Asked about TransUnion’s use of “annualcreditmonitoringreport,” Danaher said: “That doesn’t have the words ‘free, annual’ in it.”

  • I wasn’t going to have a Two Minutes Hate here, but David compels me with his “Nice Identity You Got There. Shame If Anything Happened to It,” at ThoughtCrimes.org. How could I resist?

(Use Bugmenot for the LA Times or Atlanta Journal Constitution.)

CounterTerrorism and Bureaucracy

In “Bureaucracy
Kills
“,
Daveed Gartenstein-Ross writes (quoting
CNN)
:

FEMA halted tractor trailers hauling water to a supply
staging area in Alexandria, Louisiana[.] The New York Times quoted
William Vines, former mayor of Fort Smith, Arkansas, as saying, “FEMA
would not let the trucks unload. . . . The drivers were stuck for
several days on the side of the road” because, he said, they did not
have a “tasker number.” He added, “What in the world is a tasker
number? I have no idea. It’s just paperwork and it’s ridiculous.”

Paperwork should not take precedence over helping those in need in a
time of crisis. And just as we should trim our bureaucracy to allow a
more effective disaster response, so too should we make sure that law
enforcement officers charged with protecting us from terrorists are not
shackled by red tape.

He’s right about that; the officers should not be shackled by red
tape. They should, however, be under close scrutiny: their
actions must be monitored in light of the long history of abuses by American domestic intelligence agencies.
Its not an easy balance to strike.

On a closely related note, The Canadian Privacy Law Blog points
to a story
, “Florida
cop
misused data, ChoicePoint claims
.” That’s actually a
fascinating story of how Choicepoint is improving their internal audit
practices, which is also covered in the AP’s “ChoicePoint Seeks an Anti-Fraud Balance.” That’s another good story on how Choicepoint is actively interacting with their customers to make sure that they’re selling to real businesses. It also contains the wonderfully ironic bit of a private investigator complaining:

Cynthia Hetherington, a private investigator in New Jersey, had to send ChoicePoint a copy of her investigator’s license twice. The company agent also wanted bank account information “and stuff that has nothing to do with my credentials or the nature of my business.”

“It’s absolutely intrusive,” she said.

Small Bits: Silver Linings, Presidential Game Theory, Disclosure, War

  • Privacy Law lists the 16 states that now have notification laws. Thanks, Choicepoint!
  • At Balkin, ‘JB’ has a long discussion of why 2nd term Presidents all seem to be scandal ridden…since the 22nd Amendment took away what game theorists call ‘the long uncertain shadow of the future.’

    I nearly said something about ‘experimental confirmation’ here, because its such a seductive statement, even if its wrong. Good experiments only strengthen a theory when they have the power to disprove it. An increase in 2nd term scandal could be caused by things other than the 22nd Amendment. Campaign finance laws spring to mind.

  • Oracle has taken 693 days to fix “Forms Insecure Temporary File Handling. It is unclear to me why ‘Red Database’ has no CVEs in their advisories.
  • Finally, and most somber, “A Hawk Questions Himself as His Son Goes to War,” is an article by Eliot Cohen, Robert E. Osgood Professor of Strategic Studies at the Paul H. Nitze School of Advanced International Studies, Johns Hopkins University. It’s worth reading:

    So it is not an academic matter when I say that what I took to be the basic rationale for the war still strikes me as sound. Iraq was a policy problem that we could evade in words but not escape in reality. But what I did not know then that I do know now is just how incompetent we would be at carrying out that task. And that’s what prevents me from answering this question with an unhesitating yes.

    (Via P “No longer blogging” C.)