How not to address child ID theft

(San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account.

Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (…)

The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if
the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor.

That’s from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken.

Today, the credit agencies don’t get lists from the SSA. This is a good thing. There’s no authorization under law for them to do so. The fact that they’ve created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems.

The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a drivers license, passport or birth certificate.

Here’s how it would work:

  1. Alice turns 18.
  2. Alice applies for credit and discovers she has a credit history
  3. Alice calls the big three credit agencies and gets a runaround explains she’s just turned 18, and apparently has credit from when she was 13.
  4. The credit agency asks for documents, just like they do today (see “when do I need to provide supporting docs”)
  5. The credit agency looks at the birthday they’ve been provided, and substracts 18 years from the year field.
  6. The credit agency removes the record from the report

It’s easy, and doesn’t require anything but a change in process by the credit bureaus. No wonder they haven’t done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam.

Dear England, may we borrow Mr. Cameron for a bit?

Back when I commented on David Cameron apologizing for Bloody Sunday, someone said “It’s important to remember that it’s much easier to make magnanimous apologise about the behaviour of government agents when none of those responsible are still in their jobs.” Which was fine, but now Mr. Cameron is setting up an investigation into torture by UK security services. (“
Britain Pledges Inquiry Into Torture
.”

And yes, it’s certainly more fun to investigate the opposition, but…I’d really like to bring Mr. Cameron over here for a little while. Some investigations would do us, and our fight against al Qaeda, a great deal of good.

Why we need strong oversight & transparency

[The ACLU has a new] report, Policing Free Speech: Police Surveillance and Obstruction of First Amendment-Protected Activity (.pdf), surveys news accounts and studies of questionable snooping and arrests in 33 states and the District of Columbia over the past decade.

The survey provides an outline of, and links to, dozens of examples of Cold War-era snooping in the modern age.

“Our review of these practices has found that Americans have been put under surveillance or harassed by the police just for deciding to organize, march, protest, espouse unusual viewpoints and engage in normal, innocuous behaviors such as writing notes or taking photographs in public,” Michael German, an ACLU attorney and former Federal Bureau of Investigation agent, said in a statement.

Via Wired. Unfortunately, (as Declan McCullagh reports) “Police push to continue warrantless cell tracking,” and a host of other surveillance technologies which we have yet to grapple with.

For example, it seems FourSquare had an interesting failure of threat modeling, where they failed to grok the information disclosure aspects of some of their pages. See “White Hat Uses Foursquare Privacy Hole to Capture 875K Check-Ins.” To the extent that surveillance is opt-in, it is far less worrisome than when it’s built into the infrastructure, or forced on consumers via contract revisions.

Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:”

Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you must do in order to download anything via the iTunes store) you agree to let Apple collect store and share “precise location data, including the real-time geographic location of your Apple computer or device.”

Apple says that the data is “collected anonymously in a form that does not personally identify you,” but for some reason we don’t find this very comforting at all. There appears to be no way to opt-out of this data collection without giving up the ability to download apps.

Now, speaking as someone who was about to buy a new iphone (once the servers stopped crashing), what worries me is that the new terms are going to be in the new license for new versions of iTunes and iPhones.

Today, it’s pretty easy to not click ok. But next week or next month, when Apple ships a security update, they’re going to require customers to make a choice: privacy or security. Apple doesn’t ship patches for the previous rev of anything but their OS. iTunes problem? Click ok to give up your privacy, or don’t, and give up your security.

Not a happy choice, being stuck between an Apple and a hard place.

Where’s the Checks and Balances, Mr. Cameron?

[Update: See Barry’s comments, I seem to misunderstand the proposal.]
The New York Times headlines “
Britain’s New Leaders Aim to Set Parliament Term at 5 Years
.” Unlike the US, where we have an executive branch of government, the UK’s executive is the Prime Minister, selected by and from Parliament.

As I understand things, the primary check on the Prime Minister is that if their choices are sufficiently unpopular, their party defects and votes against them, leading to a new election. This threat of government collapse is a major check on the power of Parliament, as evidenced by how both Cameron and Clegg are repeating that “this government will last 5 years.”

So if Parliament will last 5 years, what are the checks on its power?

[Edit: Steps on scrapping ID cards and ContactPoint are very positive, but to my mind, those are symptoms of the already barely-checked power of the Prime Minister.]

Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer problems.” See “Local computer security expert investigates police practices” in the Seattle PI. Some choice quotes:

…a charge was leveled against him in Seattle Municipal Court for obstructing a public officer. Controversial laws known as obstruction, “stop and frisk” and “stop and identify” statutes have been abused in other cities like New York, studies and news stories show. An obstruction case cited in a 2008 Seattle Post-Intelligencer investigation ended with a federal jury hitting Seattle police with a six-figure penalty.

Rachner’s criminal defense attorney sought dismissal of his gross misdemeanor charge, citing the Washington State Supreme Court decision that says arresting a person for nothing more than withholding identification is unconstitutional. One reason cited by the court: This practice allows police too much discretion to pick targets and punish with arrest. Also, the state constitution is more protective of these rights than the U.S. constitution.

The microphone picks up Letizia explaining the arrest to Rachner and a police sergeant, citing only the failure to provide identification as the reason Rachner was in handcuffs. No other provocations before the arrest were documented.

“The explanation is our servers failed,” said Seattle Police spokesman Sgt. Sean Whitcomb. “Data was lost, more than his, and it took some time to recover it.” “There is absolutely nothing in the activity log to support that claim,” said Rachner. “Moreover, if the video was unavailable, it was dishonest of them to claim the video could no longer be obtained because it was past the 90-day retention period. It is completely at odds with what they told me in writing.”

I say these are lies because their story keeps changing.

I hate paying the salaries of people who can’t tell me the truth, and I think I’ll be writing city hall for an explanation. If you live in Seattle, I suggest you do the same.

J.C. Penny knew best

JC Penney, Wet Seal: Gonzalez Mystery Merchants

JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that $17 billion JCPenney chain was one of Gonzalez’s victims, even though JCPenney’s media representatives were denying it.

and

[The judge said] both retailers should have announced their involvement from the start, that consumers had the right to know. He said he would not provide the companies “insulation from transparency.” The judge stressed that the companies were seeking privacy as though they were individual victims, which he said was like “hermaphroditing a business corporation.”

Wired picked up the story and wrote:

It’s a bit jarring to see a lucid pro-transparency, pro-security argument from a federal prosecutor. For years, law enforcement has had an informal policy of protecting companies from the public relations consequences of their poor security — a kind of omerta among intruders, the companies they hack and the feds, where only the public is left in the dark. To be sure, it’s never been set in stone, and not all feds have played ball. But it’s a common practice, and it corrodes accountability.

Dear SSN-publishing crowd

There’s a bunch of folks out there who are advocating for publishing all SSNs, and so wanted to point out (courtesy of Michael Froomkin’s new article on Government Data Breaches ) that it would be illegal to do so.

42 USC § 405(c)(2)(C)(viii) reads:

(viii)(I) Social security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law enacted on or after October 1, 1990, shall be confidential, and no authorized person shall disclose any such social security account number or related record.

Which doesn’t impact on your policy analysis, but since you need to advocate for a law being changed, we might as well advocate for the right law, rather than a change you hope will have certain effects.

In my view, the right law is one that says that reliance on the SSN for authentication or authorization purposes shall be presumed negligent.

Oh, and Froomkin’s article is delightful too. Take a look.

Your credit worthiness in 140 Characters or Less

In “Social networking: Your key to easy credit?,” Eric Sandberg writes:

In their quest to identify creditworthy customers, some are tapping into the information you and your friends reveal in the virtual stratosphere. Before calling the privacy police, though, understand how it’s really being used.


To be clear, creditors aren’t accessing the credit reports or scores of those in your social network, nor do those friends affect your personal credit rating. Jewitt asserts that the graphs aren’t being used to penalize borrowers or to find reasons to reject customers, but quite the opposite: “There is an immediate concern that it’s going to affect the ability to get a financial product. But it makes it more likely” that it will work in their favor,” says Jewitt. [vice president of business development of Rapleaf, a San Francisco, Calif., company specializing in social media monitoring.]

I’ll give Jewitt the benefit of the doubt here, and assume he’s sincere. But the issue isn’t will it make it more or less likely to get a loan. The issue is the rate that people will pay. If you think about it from the perspective of a smart banker, they want to segment their loans into slices of more and less likely to pay. The most profitable loans are the ones where people who are really likely to pay them back, but can be convinced that they must pay a higher rate.

The way the banking industry works this is through the emergent phenomenon of credit scores. If banks colluded to ensure you paid a higher rate, it would raise regulatory eyebrows. But since Fair Issac does that, all the bankers know that as your credit score falls, they can charge you more without violating rules against collusion.

Secretive and obscure criteria for differentiating people are a godsend, because most people don’t believe that it matters even when there’s evidence that it does.

Another way to ask this is, “if it’s really likely it will work in my favor, why is it so hard to find details about how it works? Wouldn’t RapLeaf’s customers be telling people about all the extra loans they’re handing out at great rates?”

I look forward to that story emerging.

Free speech for police

david-bratzer.jpgDavid Bratzer is a police officer in Victoria, British Columbia. He’s a member of “Law Enforcement Against Prohibition,” and was going to address a conference this week. There’s a news video at “VicPD Officer Ordered to Stay Quiet.”

In an article in the Huffington Post, “The Muzzling of a Cop” former Seattle Police Chief Norm Stamper writes:

Officer Bratzer was scheduled to address, on his own time, an important “harm reduction” conference in the city this week. His chief stepped in, said no. Why? He didn’t like the message Bratzer was set to deliver. Of course, this decision by the brass has had the effect of shining an even brighter light on the horrific effects of the U.S.-led drug war. That’s good.

A free society requires that all points of view be voiced. Debate requires facts. If the department wants to ban all speech about the laws it enforces, that would be one thing. But I don’t think that’s their position, nor would such a ban be compatible with the Canadian Charter of Rights and Freedoms. But as you can see in the video, Sgt Grant Hamilton is portraying the official position of the Victoria police: that the people it protects are incapable of making distinctions between those in uniform and those in civilian dress. That position isn’t compatible with democratic decision making. What other distinctions do the police worry people can’t make? Isn’t making those choices the job of the legislature?

Please sign the petition to let David Bratzer speak at http://www.leap.cc/freespeech, and consider making a donation in support of their work.

Puerto Rico: Biggest Identity Theft ever?

puerto-rico-birth-certificate.jpgApparently, the government of Puerto Rico has stolen the identities of something between 1.7 and 4.1 million people

Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer.

A law enacted by Puerto Rico in December mainly to combat identity theft invalidates as of July 1 all previously issued Puerto Rican birth certificates. That means more than a third of the 4.1 million people of Puerto Rican descent living in the 50 states must arrange to get new certificates. (“Shock over voided Puerto Rican birth certificates,” Suzanne Gamboa, AP)

If I’m parsing that right, all 4.1 million identities were stolen from their legitimate holders, and 1/3 of those are outside Puerto Rico, leading to an unclear level of actual effort to get the documents replaced.

Now, some people may take umbrage at my claim that this is identity theft. You might reasonably think that fraud by impersonation requires impersonation. But the reason that it’s called identity theft is that the victim loses control of their identity. False claims are tired to their name, ssn, birth certificate, etc. Those claims show up at random. Their sense that they have “a good name” is diminished and assaulted.

You might also claim that I’m exaggerating, but I’m not the one who titled the article “shock.” People are feeling shocked, confused and assaulted by this action.

So despite the not for profit nature of the crime, this is identity theft on the largest scale I’ve heard about in years.

Image from the Oritz family showcase.

I’m not comfortable with that

The language of Facebook’s iPhone app is fascinating:Facebook-iphone.jpg

If you enable this feature, all contacts from your device will be sent to Facebook…Please make sure your friends are comfortable with any use you make of their information.

So first off, I don’t consent to you using that feature and providing my mobile phone number to Facebook. Not giving my cell phone to random web sites (including but not limited to Facebook) was implicit when that number was provided to you. Your continued compliance is appreciated.

What’s really interesting is the way in which this dialog deflects the moral culpability for Facebook’s choices to you. They didn’t have to create a feature that sucked in all the information in your phone book. They could have offered an option to exclude numbers. And why does Facebook even need phone numbers? Their language also implies that such transfers of third party data are not constrained by any law they have to worry about. Perhaps that’s correct in the United States.

But none of that is considered in the brief notice.

I don’t agree.

Screenshot by Dan Biddle.

My Sweet Lord, this is a Melancholy story

There’s an elephant of a story over at the New York Times, “Musician Apologizes for Advertising Track That Upset the White Stripes.” It’s all about this guy who wrote a song that ended up sounding an awful lot like a song that this other guy had written. And how this other guy (that being Mr. White) took offense to the work of Mr. Kraft, a subcontractor to the folks who were producing a soundtrack for an ad being made for the US Air Force.

The whole thing’s a bomb, but the fact pattern keeps irritating something in my brain. It must be something subconscious.

Ignorance of the 4 new laws a day is no excuse

Code-of-Hammurabi.jpgThe lead of this story caught my eye:

(CNN) — Legislatures in all 50 states, the District of Columbia, Guam, the Virgin Islands and Puerto Rico met in 2009, leading to the enactment of 40,697 laws, many of which take effect January 1.

That’s an average of 753 laws passed in each of those jurisdictions. At 200 working days in a year, which is normal for you and me, that’s nearly 4 laws per day.

Now, there’s a longstanding principle of law, which is that ignorance of the law is no excuse. That goes back to the day when laws, like the code of Hammurabi, were inscribed at a rate of about 4 letters per day. The laws were posted in the city center where both of the literate people could read them.

Joking aside, at what point does knowledge of the law become an unreasonable demand on the citizenry? Civil rights lawyer Harvey Silvergate has a new book, “Three Felonies a Day: How the Feds Target the Innocent. I haven’t read it, but as I understand, it’s largely about the proliferation of vague laws, not the sheer numbers.


A few years back, Aleecia McDonald and Lorrie Cranor calculated the cost of reading and understanding the privacy policies of the sites you visit. It was $365 billion. It might be interesting to apply the same approach to the work of legislatures.

What the FBI Was Doing on Beethoven’s Birthday

monkey-cat.jpg

This is unfair, but I can’t resist. Nine days before we found out again that PETN is hard to detonate, the FBI was keeping us safe:

FBI FINALLY MAKES AN ARREST OVER ‘WOLVERINE’ LEAK

The FBI has announced the capture of an individual connected with the leak of 20th Century Fox’s “X-Men Origins: Wolverine.”

“Wolverine” has raked in nearly $375 million in worldwide gross since its release. How much money the leak cost Fox will never be settled for certain.

I’m glad we’re spending money on things to keep us safe.