Choicepoint Spins off 3 Businesses

From their press release:

ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ — ChoicePoint (NYSE: CPS – News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the decision to divest businesses that either do not fit within the new strategic direction or are unlikely to gain critical mass in the marketplace under ChoicePoint’s ownership. This process is ongoing and is expected to continue throughout 2006. Included in the announced divestiture plan are ChoicePoint’s direct marketing, forensic DNA and shareholder services businesses.

I’m glad to discover that amassing a DNA database and selling the contents to the government is something even Choicepoint doesn’t expect will become profitable. I’m also glad that they’re owning up to mistakes. Now let’s see if we can see some fair information practices around the rest of their services.

See other analysis in Direct Marketing News or the Boston Globe.

What Choicepoint Learned

Another new measure: ChoicePoint this month created a security advisory committee comprised of DiBattiste, the company’s CIO, head of internal audit, the chief business officer, chief marketing officer, chief administrative officer and general counsel. The group meets regularly “to ensure we’re hitting every aspect of security and privacy,” says DiBattiste.

“One of the lessons we learned is that security is a moving target,” she says. “The bad guys move too. So we have to constantly be in touch with the things we need to be doing to respond.”

So ends an article “Choicepoint’s Lessons Learned” in Baseline.

They learned that in 2006?

Maybe they should be attending Blackhat, or Defcon. I hear tell Defcon has some ATMs that they could use.

The FBI’s Use of Data Brokers

Although the federal government and local law enforcement agencies nationwide use private data brokers, the FBI said that practices used by these companies to gather private phone records without warrants or subpoenas are illegal, according to an Associated Press article on Chron.com.

A senior FBI lawyer, Elaine N. Lammert, told lawmakers the bureau was still surveying agents around the United States, but so far has found no “systemic” use of data brokers by the FBI.

That’s from the CSO Blog, “Data Brokers May Act Illegally.” In other news, “ChoicePoint-FBI Deal Raises New Privacy Questions.”

So what are we paying for?

How Damaging is a Breach?

Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.

For example, we know of 800 ID thefts from the 167,000 Choicepoint victims, all of which happened before notification. We don’t know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves, here at Emergent Chaos, the Privacy Rights Clearinghouse “Chronology of Data Breaches,” and Attrition.org’s Dataloss list. There are also regular reports through ISN, and Dave Farber’s Interesting People List.

While we’re happy that there are amateur efforts, it’s hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who’s gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.

“Dam Water” photo by Ed Hidden.

Two Minutes Hate: Choicepoint

This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration’s Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI — though it is better described as the creation of a private KGB.

The leader in the field of what is called “data mining,” is a company called, “ChoicePoint, Inc,” which has sucked up over a billion dollars in national security contracts.

Read “The Spies Who Shag Us,” by Greg Palast. Don’t miss the bits about who’s the number one supplier of DNA to the FBI.

Breach Notification, the New Normal, and a New Metaphor

Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not.

Wow. Fifteen months since Choicepoint, and that’s being written? There’s a new set of expectations out there, and it hasn’t taken long to set. Thank you, Choicepoint. The quote leads an article, “Are Banks Required To Give Notice of Database Hacks?” on San Diego Business Lawfirm.

Thanks to the Privacy Law Blog, we know that Arizona and Colorado have passed new breach notice laws. Arizona has taken a broad definition of breach in Senate Bill 1338:

“Security Breach” means “an unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially compromises the security or confidentiality of personal information… and that causes or is reasonably likely to cause substantial economic loss to an individual.”

Colorado, meanwhile, has enacted House Bill 1119, which contains a “fox guards the henhouse, and sits in the alarm booth” clause:

The new law requires businesses to conduct, in good faith, a reasonable and prompt investigation into a security breach, and unless it determines that misuse of the personal information has not occurred and is not reasonably likely to occur…

I think it would be remarkably risky to invoke that clause. Businesses should ask, who owns that liability if someone makes a mistake? The Center For Policy Alternatives has Model Identity Theft Legislation that doesn’t contain this clause. In my non-lawyerly opinion, that speaks to the new norms, and the burden of proof that companies are being asked to develop in a short time, under extreme pressure. Who wants these clauses, anyway?

These questions hold up a national law, according to Computerworld, “Analysis: Data breach notification law unlikely this year.” Such delays are a good thing, because they give the new norm time to set, and for people to become accustomed to breach notices.

The overflowing dam photo is by Firesign, on Flickr. Come to think of it, maybe an overflowing dam is a better metaphor than a breached one: there’s so much data collected that organizations can’t hope to control it?

DHS Spokesman Brian J. Doyle Arrested

The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff’s detective who he thought was a 14-year-old girl, the Polk County Sheriff’s Office said.

Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. and charged with seven counts of using a computer to seduce a child and 16 counts of transmitting harmful materials to a minor, according to a sheriff’s office statement.

See “DHS Spokesman Is Accused of Soliciting Teen Online” at the Washington Post.

While I hate to make light of such a disturbing story, it’s a good thing Choicepoint screened all those TSA employees, to make sure no bad people get through. (Doyle worked for TSA before moving to DHS.)

Google to Acquire Choicepoint

Mountain View, CA., April 1 /PRNewswire/ — Google today announced plans to acquire Alpharetta, GA based Choicepoint. Choicepoint, 2005 winner of the “Lifetime Achievement” Big Brother award, is a data warehouser which collects information on everyone it possibly can, and re-sells it widely. Google’s mission is to “organize the world’s information and make it universally accessible and useful.”

Google CEO Eric Schmidt said “We’re always on the look-out for large databases that we can use to better serve our customers. We used to have access to Choicepoint’s data, but the “due diligence” people they kept sending would burst into flames the minute they hit our “no evil” barrier. After seven or eight of those, we couldn’t believe it was coincidence any longer, so we just bought them.”

Choicepoint CEO Derek Smith (according to the merged database, the two are 17th cousins, three times removed) said “Our missions are remarkably similar. We bring in every scrap of data we can, and never throw anything away.”

“I fully support the synergies and customer choice made possible by the merger,” said Chris Hoofnagle, privacy advocate and newly-appointed director of privacy oversight for the program. “The merger will bring value to consumers and shareholders, and it has pre-approval from Truste.”

The move is expected to substantially improve Google’s relationship with governments around the world.

True.com Sent ‘Race-Customized’ Valentines

How are True.com’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how True.com could know which version of its e-mails to send to which users?

So writes Hannah Rosenbaum in “True.com Uses Adult List to Send Targeted Valentine’s Day E-mail.” I’m going to disagree. It is wrong to track the color of people’s skin and use it as part of your decision making process. It’s wrong at the surface, and it’s wrong in very deep ways. It may even be wrong with explicit consent, which ‘True’ certainly didn’t have.

Speaking of wrong, I’d mentioned the lovely people at ‘true’ before, in “Choicepoint, March 21.” I wonder if their data on race is any better than their criminal background histories? Siteadvisor’s one data point per person is a beautiful way to watch the flow of data behind the scenes, but it fails to capture the rich tapestries of our lives, the poor quality of the data (what we used to call garbage-in, garbage-out), or how companies cope with the chaos.

Thank You, Choicepoint

It’s been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in “Database giant gives access to fake firms,” and managed to presage much of what’s happened in the opening paragraphs of his story:

Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by “unauthorized third parties,” according to ChoicePoint spokesman James Lee.

California law requires firms to disclose such incidents to the state’s consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.

Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.

I raised the question of other states the next day on a panel at the RSA Conference, and have been getting mileage out of Choicepoint and breaches ever since. I’d like to take a moment to look back at what’s happened, what we’ve learned, and yes, to honestly thank Choicepoint for the dramatic changes in international privacy law and norms that they’ve brought about. Derek Smith, Choicepoint’s CEO, had been fond of calling for a national debate. I don’t think he anticipated the answers that debate has produced.

  • The first result of the debate is 20 new laws, as summed up by the National Conference of State Legislatures. These new laws, and the breaches that we learn about because of them are an important window into the true and pathetic state of data security.
  • Remarkably, we have no new law which is explicitly about limits on collection, use, or accuracy of data held by businesses. When I say explicitly about, I mean a law such as Dan Solove and Chris Hoofnagle have laid out in “A Model Regime for Privacy Protection” and I’ve discussed such things much more briefly in “New American Privacy Law: What Could it Say?”
  • Those laws, and the new expectation of disclosure have led to enough data coming out that it can be analyzed. What’s more, analysis, mostly by the Ponemon Institute, has helped define how to disclose these issues.
  • Choicepoint stock has still not recovered, despite a plethora of actions designed to boost it, including stock buybacks. The largest fine ever imposed by the FTC didn’t help. Choicepoint, despite the increased brand recognition, also faces increased scrutiny, as I discussed in “Cost of Breaches,” and the Bode cancellation, mentioned in the November 7th “Choicepoint Roundup.”
  • Speaking of stock, the SEC investigation into insider trading by Choicepoint executives continues.
  • To improve their reputation, Choicepoint has stepped up their internal audit processes, annoying some customers, as discussed in “CounterTerroristm and Bureauracy.”
  • In “Why Choicepoint Resonates,” I analyzed the news story, and am both happy with my analysis, and note that Choicepoint really should have talked to their trademark attorneys when I told them to, in “Cardsystems and Choicepoint.”
  • Finally, due to certain irregularities arising from background checks, “Choicepoint’s acquisition of Emergent Chaos” has been cancelled.

And so, for all these things, a hearty thank you to Choicepoint.