Privacy in Peril

I know your name. I know where you live, and everywhere you've ever lived. I know when and where you were born. I know how many credit cards you have--and how good you are about paying them off. And I know all about your insurance claims, your work history, and whether you have a criminal record.

At least, I could uncover all of that, and a broad range of other sensitive personal information about you. All I'd have to do is pay between $10 and $50 to any of a vast number of online information brokers--companies such as Intelius and ZabaSearch, and larger firms like Acxiom and ChoicePoint--and in 15 minutes I'd have as much information about you as I could possibly want.

With a name, an address, and a Social Security number, a person can take out loans, open credit card accounts, lease an apartment, and commit crimes, all in your name. When their actions get confused with yours, you may get stuck with the bills or, in extreme cases, be arrested. That your data is readily available via the Internet only increases your vulnerability.

Information brokers gather incredible amounts of personal data--not just credit details--from many different sources, including private companies and government agencies; then they sell it to businesses, to law enforcement, or to anyone who can demonstrate a need that the brokers consider legitimate. The laws limiting what information can be sold and who can receive it are weak and narrowly focused, so for the most part each broker is free to formulate its own standards.

And not all of them safeguard your data as well as they could, as shown by a number of highly publicized fraudulent purchases from, and hacks into, some of the largest sellers of personal info--firms like Acxiom, ChoicePoint, and LexisNexis. In early 2005, ChoicePoint revealed that it had sold information on 145,000 consumers nationwide. Reportedly, the buyers posed as legitimate business customers but were members of a Nigerian organized-crime group. ChoicePoint says that criminal attempts were made to use the identities of approximately 750 consumers. LexisNexis reported that it had uncovered 59 incidents over a two-year period in which unauthorized persons had gained access to personal data on 310,000 people in the United States.

Mickey Martinez, a Yale University law student who is a plaintiff in a ChoicePoint class-action suit, says that he received a letter the broker sent out to warn people who were exposed to identity theft as a result of its breach. "I was just outraged. No matter how zealously careful you are, carelessness [by] one of these outfits potentially can put you at risk."

He adds that he's been careful to shred personal documents, tell credit agencies not to send him preapproved credit offers, and refrain from conducting financial transactions over his wireless network, and yet he was still exposed. ChoicePoint offered to pay for a year's worth of credit monitoring, which he thinks is insufficient. "At the very least, they should offer a lengthier period of monitoring, and [issue] some sort of statement of responsibility: If something goes wrong, they will take upon themselves the financial burden and the hassle of fixing it," he says.

Information brokers aren't alone. At this writing the Privacy Rights Clearinghouse lists some 80 breaches of data for over 50 million people since February. Among the most serious incidents: CardSystems, a credit card processor, unwittingly coughed up information on 40 million people to a hacker; and a Citigroup subsidiary lost data on 3.9 million people when unencrypted backup tapes it had shipped via United Parcel Service went missing.

Nevertheless, information brokers have been catching the most flak recently. "The thing about a breach like ChoicePoint's is, it's so much more serious--because if organized crime buys the data, you can be pretty sure they're going to use it," says Garnet Steen, president of RelyData, a company that offers identity theft recovery services. "That's a little different from saying that a state university's database got hacked, when it could have been just some computer-science students flexing their muscles."

The real issue is not whether information brokers should have access to personal data--if you want to live, work, and purchase things in this country, such access is probably unavoidable--but whether they, and not you, should have ultimate control over who can see your information.

Who's Minding the Store?

Businesses of almost any type used to be able to buy information from ChoicePoint for ID validation, fraud detection, debt collection, legal investigation, and credentialing. But because of the fraudulent purchases, ChoicePoint says it has stopped selling personally identifiable information--your name, address, Social Security number, and the like--to many customers. Nevertheless, it continues to sell that data to the insurance industry, employers, landlords, certain large corporate customers, and law enforcement agencies. So it still maintains vast troves of sensitive personal information that ID thieves are extremely eager to obtain.

ChoicePoint's chief marketing officer, James Lee, says that since the company's unwitting sale of data to criminals, it has implemented new user-access, password, and account deactivation requirements; strengthened its credentialing procedures; and recredentialed broad segments of its customer base. In addition, it no longer permits Internet access from non-U.S. countries. Other information brokers report their own upgrades in security.

"There's a problem, however," asserts Linda Foley, co-executive director of the Identity Theft Resource Center, a consumer advocacy site. "We don't have four or five data brokers in the United States; there are thousands of them." And just because ChoicePoint says it's beefing up security and being more selective about customers doesn't mean that all of the companies that maintain and have access to personal information databases are improving their security and screening, too.

Security consultant Charles Cresson Wood thinks that the companies purchasing information from brokers need to be held just as responsible for data security. "What happens to the information once it's in the hands of a customer?" he asks. "Are they required to destroy the info, return it, and make a statement that they will use it only for certain purposes?"

A LexisNexis representative says that the broker reviews customers' business licenses and other credentials, and that it checks for forged or tampered application documents. ChoicePoint's contracts, according to Lee, include specific requirements for information use and authorize the company to check up on that use.

That's Not Me!

Thieves aren't the only issue with companies that sell personal information. Just as with credit reporting bureaus, incorrect personal information in data files is a common problem. "It is reasonable to expect these files to contain some errors," LexisNexis notes in its privacy policy.

Information brokers allow you to see some--but not all--of the details they have on you. ChoicePoint shows you the public records it has, plus information covered by the Fair Credit Reporting Act, which governs the collection, use, and communication of credit and other data about consumers. ChoicePoint says you must try to revise incorrect public records at the source (wise advice, but you have to be able to identify where it came from, and hope that the corrections ripple down to the broker). LexisNexis reveals even more--possible relatives, neighbors' names, and voter registration information--but that report (which the company mails) costs $8 and takes up to 45 days to reach you.

Not having the time to wait on LexisNexis, I ordered a background report on myself from Intelius.com, which provides much of the same type of data to anyone for $50. I found that a person living in California with the same first and last name as mine has a small-claims court judgment against him. Worse, my report listed several convicted felons who shared my first and last name, including one person in North Carolina with the same middle initial as mine--and no full middle name. The information isn't incorrect; but proving that those people and I aren't one and the same might be difficult, so I have to hope that whoever orders the background report will read between the lines.

Interestingly, Intelius also offers an ID Watch service to consumers. This service monitors an individual's credit, utility charges, new phone connections, change of address requests, and more for $95 per year.

Legislative Action

ChoicePoint says that most identity theft occurs as a result of offline tactics--someone stealing your mail or copying a credit card number from a receipt. However, the reports of security breaches in the online world have caused some people to rethink how identity thieves operate. "Most people don't know how they were struck," says RelyData's Steen. "But a lot of the stuff that you're never going to find out how it happened was electronic, was breaches, was the Internet."

As a result, lawmakers have hastened the call for more legislation dealing with these issues. A reference point for some of these bills is the landmark California law that requires companies to notify California residents in cases of unencrypted data theft or loss. This law is the reason so many companies have revealed breaches.

The bills wending their way through Congress and many state legislatures incorporate three ideas: restricting access to personal data, especially Social Security numbers; breach notification; and restricting access to credit reports.

Ten years ago the European Union enacted a far-reaching privacy directive. The directive declares that data can be collected only for a specific purpose and cannot be kept longer than necessary to fulfill that purpose. It also requires that data be accurate and up-to-date, and it restricts transfers of personal information to third parties without the permission of the data subject. Additionally, it regulates transfers of data to companies in any country that has insufficient privacy protection--including the United States.

The proposed Specter-Leahy Personal Data Privacy and Security Act of 2005, sponsored by Senators Arlen Specter (R-Pennsylvania) and Patrick Leahy (D-Vermont), incorporates a few of the concepts of the European directive. This bill would restrict companies' use of Social Security numbers. It would require that law enforcement, consumers, and credit reporting agencies be notified of security breaches. And it would require information brokers to create a mechanism for individuals to access and correct data.

Several states have passed laws to let consumers freeze their credit. "I'm a big fan of [the law] in California, where nobody can see your credit report unless you have previously authorized it by providing a very long password," says Wood. However, most of the laws allow credit bureaus to charge fees for implementing a freeze (in California, the fee is $10 for each bureau) and for temporarily lifting the freeze ($10 or $12 per request per bureau).

The Consumer Identity Protection and Security Act, introduced by Senator Mark Pryor (D-Arkansas), would address some of those limitations by establishing the right of consumers to freeze their credit reports at no cost and to authorize the release of credit files to specific parties or for a specific time by contacting a credit agency.

Meanwhile, Senator Dianne Feinstein (D-California) has introduced the Notification of Risk to Personal Data Act, which would require companies to alert consumers nationwide to any unauthorized acquisition of their information.

Privacy advocates have problems with nearly all of the bills under consideration. According to ITRC's Foley, "Congress wants to add a phrase such as 'if there is a 50 percent chance you will become a victim of ID theft.' What the businesses are going to say is, 'Well, we can't confirm that there's going to be a risk of harm until someone becomes a victim'."

Balancing the rights of individuals with those of people who have a legitimate need to know is a tricky issue. As Foley acknowledges, "Don't you want to know if the nanny you hire has a criminal record?" But consumers should be able to exercise far more control than they have now over who accesses their personal information and what they can do with it.

Identity Maintenance

Though nothing can absolutely prevent identity theft, these tips can reduce your exposure--or help you recover should you become a victim.

Inventory your wallet's contents: That way, you'll have a list of whom to call in case it gets stolen. Remove anything with a Social Security number.

Consider a credit-monitoring service: If you get one, make sure it covers all three credit reporting agencies: Equifax, Experian, and TransUnion.

Order a free credit report every four months: The Fair Credit Reporting Act guarantees you one free report per year per credit reporting agency. Order them only at AnnualCreditReport.com.

Minors are at risk: Most don't have a credit report, and a credit agency won't freeze a minor's credit until one exists. If an ID thief requests credit in the kid's name, the agency will create a report (but you may never hear about it). If you suspect that your child's data has been used, you can e-mail TransUnion at childidtheft@transunion.com.

Are you a victim? Renew the 90-day fraud alerts placed on your credit reports. Smart thieves have been known to wait until after the 90-day alert expires to start causing trouble.

Alan Stafford is PC World's senior writer.
