Schneier on Security
A blog covering security and security technology.
« The Economist on High-Tech Passports |
| Airport Screeners Cheat to Pass Tests »
February 23, 2005
The ChoicePoint fiasco has been news for over a week now, and there are only a few things I can add. For those who haven't been following along, ChoicePoint mistakenly sold personal credit reports for about 145,000 Americans to criminals.
This story would have never been made public if it were not for SB 1386, a California law requiring companies to notify California residents if any of a specific set of personal information is leaked.
ChoicePoint's behavior is a textbook example of how to be a bad corporate citizen. The information leakage occurred in October, and it didn't tell any victims until February. First, ChoicePoint notified 30,000 Californians and said that it would not notify anyone who lived outside California (since the law didn't require it). Finally, after public outcry, it announced that it would notify everyone affected.
The clear moral here is that first, SB 1386 needs to be a national law, since without it ChoicePoint would have covered up their mistakes forever. And second, the national law needs to force companies to disclose these sorts of privacy breaches immediately, and not allow them to hide for four months behind the "ongoing FBI investigation" shield.
More is required. Compare the difference in ChoicePoint's public marketing slogans with its private reality.
From "Identity Theft Puts Pressure on Data Sellers," by Evan Perez, in the 18 Feb 2005 Wall Street Journal:
The current investigation involving ChoicePoint began in October when the company found the 50 accounts it said were fraudulent. According to the company and police, criminals opened the accounts, posing as businesses seeking information on potential employees and customers. They paid fees of $100 to $200, and provided fake documentation, gaining access to a trove of
personal data including addresses, phone numbers, and social security numbers.
From ChoicePoint Chairman and CEO Derek V. Smith:
ChoicePoint's core competency is verifying and authenticating individuals
and their credentials.
The reason there is a difference is purely economic. Identity theft is the fastest-growing crime in the U.S., and an enormous problem elsewhere in the world. It's expensive -- both in money and time -- to the victims. And there's not much people can do to stop it, as much of their personal identifying information is not under their control: it's in the computers of companies like ChoicePoint.
ChoicePoint protects its data, but only to the extent that it values it. The hundreds of millions of people in ChoicePoint's databases are not ChoicePoint's customers. They have no power to switch credit agencies. They have no economic pressure that they can bring to bear on the problem. Maybe they should rename the company "NoChoicePoint."
The upshot of this is that ChoicePoint doesn't bear the costs of identity theft, so ChoicePoint doesn't take those costs into account when figuring out how much money to spend on data security. In economic terms, it's an "externality."
The point of regulation is to make externalities internal. SB 1386 did that to some extent, since ChoicePoint now must figure the cost of public humiliation when they decide how much money to spend on security. But the actual cost of ChoicePoint's security failure is much, much greater.
Until ChoicePoint feels those costs -- whether through regulation or liability -- it has no economic incentive to reduce them. Capitalism works, not through corporate charity, but through the free market. I see no other way of solving the problem.
Posted on February 23, 2005 at 3:19 PM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
On a tangent nothing is currently stopping any company from offshoring information out of the US into countries that do not uphold the laws we do have in place regarding information privacy or information security. Until then we are going to have to live out one bad dream at a time.
undoubtedly choicepoint will be the defendant in civil suits (perhaps a class action) once damage from the resulting identity thefts accumulates.
Sad but true.
It's all about the information-based economy. Unregulated markets obviously heavily favors giant monopolistic corporations. The bigger they are, the more they stand to make by crushing individual freedom, escaping regulations and corrupting market forces. How else can you explain companies like Enron, who created record-breaking "demand" by fabricating energy blackouts?
As I said at the Secure Software Forum at RSA, regulation is about establishing a reasonable baseline for corporations. This has been shown to encourage market growth. SB1386 and AB1950 not only help stop fraud, which hurts companies and consumers, but they also spur new innovation in security. Few companies realize at first pass that the credit card fraud that directly hurts them might have in fact originated from their own internal security weakness. The laws help put the pieces together for those who do not have visibility into the big picture.
Incidentally, Californians are now also covered by a "Shine the Light" law (CA Civil Code 1798.83) that says companies must tell with whom they have shared personal information for marketing purposes within the last twelve months. "If the business fails to respond to a disclosure request, the customer may collect a civil penalty of up to $500. If a company willfully or intentionally does not comply with a disclosure request, the customer can recover a civil penalty of up to $3,000."
As Cosmo said in Sneakers:
"It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!"
If they collect sensitive information they have no business having and then sell it to parties who expect to profit from it, then perhaps the federal government should redefine 'espionage'. Federal penitentiaries might provide the missing incentive.
This company has operated "behind the scenes" for years. They have a treasure trove of information about millions of people. I wonder if credit reports are all these criminals had access to. This is the company Jet Blue gave its passenger list to and the company the State of Florida used to cross-reference registered voters with known felons. This is not your father's credit agency...
They're being sued right now. http://www.reuters.com/newsArticle.jhtml?...
ChoicePoint archives all kinds of records, subject to all kinds of regulations. Insurance, financial, property, you name it. They're collecting information from as many sources as they can. Are they upholding every law and regulation, at both federal and state level, for every bit of data they collect? Obviously, no. They're asking for trouble.
Good point. It's amazing that Choicepoint's CEO was recognized as a business leader on the topic of risk. Here's a quote from Mr. Smith that some Americans might like to clarify with him:
"Americans must agree on the best ways to use technology to combat terrorists and criminals, because it is possible to make our nation more secure while protecting civil liberties."
Ironically, Smith "called for a drastic change in the privacy versus security debate in America."
From shining industry star, lauded by Ernst and Young, all the way to "textbook example of how to be a bad corporate citizen".
Does this remind anyone of a certain shining *energy* star, lauded by Arthur Andersen...
I mean, if you are collecting people's identity information without their knowledge or approval, and selling it without their knowledge or approval purely for your own profit...can someone please explain how this protects civil liberties? And what exactly were those E&Y auditors doing there?
Bruce's link (http://atlanta.bizjournals.com/atlanta/stories/2002/12/02/daily7.html), shows that Smith's business model explicity included selling personal information to the Department of Homeland Security.
It should not surprise anyone then that Ashcroft is said to have paid USD$67 million to ChoicePoint for private information on every citizen of half a dozen nations.
Clearly Smith was trying to do his part to help ensure "civil liberties" around the world...to the tune of record ChoicePoint revenues of $796 million with a compounded rate of 19 percent over the past five years.
There's another consideration here: that Choice Point wouldn't even have to disclose anything if it weren't for the California law. They'll probably use their GOP connections to get a federal law passed to override any state laws protecting victims, and you can bet said federal law will be designed to protect the information vendor.
It's not clear to me how this event differs from Choicepoint's normal business. What are the criteria that distinguish "legitimate businesses" (who can buy data from Chioicepoint) from "criminals posing as businessmen" who shouldn't be able to? Anyone is a businessman if they start a business; no-one needs to pose as a businessman.
I would have thought that either ChoicePoint are allowed to sell this data to private customers, or they aren't.
Am I missing something here?
I think ChoicePoint will not be liable for any monetary 'damages'. In federal court you have to have 'standing' to sue and we (the consumer) are not ChoicePoint's customers. In the United States at least, the consumer does not own his/her personal information. So we probably have no 'standing' to start a class action lawsuit. Also federal laws are different from state laws in this regard i.e. standing, and President Bush just signed all Class Action lawsuits to federal courts. Which makes it even harder to have standing. ChoicePoint probably has nothing to lose except some bad PR which will go away shortly. Without some type of regulation concerning personal information, this will happen again.
I'll have to disagree on "Identity theft is [...] an enormous problem elsewhere in the world."
I've specifically inquired our FBI analogon about the role of ID theft. None whatsoever. Of course, we do have the concept of government issued ID cards and mandatory registration with the municipal authorities of the place we live in. This helps a lot as the authenticator and identificator is *not* our Social Security Number but a piece of plastic that is well recognized all through the country. Surveillance is no better or worse than in the US. Funny enough, the system is not being abused by the authorities - so far.
I know that this issue is not open to discussion with most US citizens, but it's a fact that ID theft plays no role here.
So far, every time I've asked for a copy of my credit report under the new federal law, I've been denied. But it definately is NoChoicePoint, since the way the laws are currently written (and the court cases have been decided)automatically grant ownership of the information to the keeper of the database, not the person about whom the data is kept.
Israel, Europe has laws that limit the data that may be kept, and prohibit the export of data to get around the restrictions. The US has negotiated some evasions to the laws for US companies, but the NoChoicePoint issue will end up getting those treaties cancelled.
I agree with Andrew McGuinness's comment above. The problem is not that ChoicePoint sold this information to "criminals". ChoicePoint will sell this information to anyone! We have to realize that this kind of so-called sensitive information is publicly available to anyone who wants it. Calls to crack down on ChoicePoint or expand the California law nation-wide will have no effect.
The real problem is with those institutions that facilitate identity theft by relying on public knowledge as supposed proof of identity. Just because someone knows my SSN or credit card numbers, they should not be able to pose as me! We need a system which allows people to verify their identity in a reliable way and which doesn't rely on public information. Obviously any such system is going to break down.
ChoicePoint is not the problem here; it just exposes the illogic of trying to pretend that information is secret when anyone can get access to it. All the fuss and fingerpointing ends up distracting us from the real issue. We can't go on with the current system of basing identity on all-too-easily exposed information.
The other vulnerability of ChoicePoint is that they have very poor/no ingress filters.
Choicepoint also collects data on driving history. I found this out when trying to switch insurance companies. Every time I'd call another provider to get an estimate, they'd "check me out" and give me a totally outrageous quote. Finally, I asked what they were seeing, and they said that I'd had six accidents in the last two years, putting me in the super-high risk category. This was totally bogus, and the data source was from ChoicePoint. Where did they get it? Who knows?
It did make me think: If I was an insurance company or even an individual broker, feeding fake accident data into the system to make it look to other companies like my clients were a very bad risk would be an awfully good way to keep people from switching carriers.
With regard to Andy B's comments, yes europe does have the "safe harbour" rules and regs, however the UK government chose EDS (owner Ross Perot that US readers may remember for his presedential campaign) to look after various of it's databases on UK citizens.
EDS offices where in Vaxhal south london (not to far from the Secret Service Building at Vaxhaul Cross). Stories started emerging from ex employees about the "UK Data" being backed up on US systems that where shared by US Government data.
I have no idea if there was any truth in the stories or not, if they where true so so much for the safe harbour rules...
Responding to Israel Torres' comment at the top:
Maybe if the US adopted EU data protection laws THAT wouldn't be a problem either. Personal data is supposed to be prevented from being sent out of the EU to countries that lack adequate data protection laws.
Of course, whether it is or not is another question. I mean, we had to make an exception for the US...
There is now a Federal law in place that permits everyone in the U.S. to obtain (at no cost) their credit report(s) from each of the "big three" credit reporting firms, Equifax, Trans Union and Experian.
We should demand that this Federal law be extended to ANY and ALL private corporations that compile data on U.S. citizens.
This should be easy to fix: a new federal law preempting any state regulation of data reporting companies, which also automatically transfers any lawsuit against a data reporting company to FISA court. There the lawsuits can all be dismissed based on classified friend-of-court briefs submitted by the FBI (which I believe is one of ChoicePoint's larger customers).
"The clear moral here is that first, SB 1386 needs to be a national law, since without it ChoicePoint would have covered up their mistakes forever."
You may be in luck. Congress has noticed: http://www.cbsnews.com/stories/2005/02/24/...
There was a case in New Hampshire where an individual was tracked down and murdered. The perpetrator had purchased information about the victim (a Social Security number and a work address) from an information broker Web site. The New Hampshire Supreme Court ruled that an information broker can face civil liability when providing a third party's information to a customer. See http://www.techlawjournal.com/topstories/2003/...
"Incidentally, Californians are now also covered by a "Shine the Light" law (CA Civil Code 1798.83) that says companies must tell with whom they have shared personal information for marketing purposes within the last twelve months"
--Actually, this only applies to companies you have a "business relationship" with. While I might think that a company that sells my personal data has a de facto business relationship with me, the law does not agree. Credit agencies are specifically exempt from the disclosure law. This deliberate exemption is just another of the many travesties that let the data companies get away with outrageous liberties.
I think that any and every company that sells data on an individual should have to register with the government and make the data it holds available at no charge to anyone who request their own data. In most cases, the data should be consistently redacted to obfuscate account numbers to help reduce identity theft, and all vendors should have to redact the same digits so thieves can't assemble data from different sources.
A number of people have trademarked their names. I'm wondering if any of them have successfully sued a data company for illegally profiting from their trademark by selling their name and the associated data?
I just wondered what Choicepoint needed the 4 months for.
Maybe to prepare for the forecoming battle?
I just wondered what Choicepoint needed the 4 months for. Why did not they notify the concerned ones immediately?
Maybe to prepare for the forecoming battle? or to collect money?
"The clear moral here is that first, SB 1386 needs to be a national law, since without it ChoicePoint would have covered up their mistakes forever."
On the contrary, the clear message here is that national organizations that collect private data will have to notify consumers nationwide, even if they appear to live in states that don't have similar laws. The way the law is written, ChoicePoint can't get away with notifying only consumers that have a CA address, since someone with a Texas address may also be a resident of CA.
I don't understand how someone can point to an example of the effectiveness of current regulation and claim it is justification for more regulation.
The fact that ChoicePoint was completely irresponsible is clear. While they may not have been "hacked", they certainly allowed fraud to occur to release this information.
The bigger question in my mind is that I can't imagine a reasonable business process that would require a company like ChoicePoint to disclose sensitive information like people's SSN and other sensitive info. That is, what company would need this? So, I sign up with ChoicePoint, get "verified", and ChoicePoint just sends me people's SSNs and other personal and private information from their database?
Doesn't it work the other way around? That is, if someone does a credit check on me, I give the company my SSN and they send that to the credit checking company (aka ChoicePoint) who looks up my SSN in their database. Where, the SSN never needs to leave their database.
Why in the world would ChoicePoint ever provide another entity information, like SSNs, from their database. It just doesn't make sense.
1. These people are collecting information on Americans from many sources and putting it all in one place
2. They are selling the information to companies who claim need it without notifying those who it belong to
3. The information becomes suddenly handy to anybody who has money and wants it (there must be a reason for wanting it) and for hackers
4. Having such information becomes dangerous when it is used in the wrong way (the information can be mistaken or intentionally modified)
5. All this takes away a little Freedom by compromising people's lives and opportunities in a good or bad way
6. Shouldn't Home Land Security do something about it? Our identities are in Nigeria
Can someone give me any legitimate reason why any entity (person or business or government) would need to purchase my social security number in the first place?
ChoicePoint gathers information on millions of people that would make "Big Brother" foam at the mouth.
Heck we don't need the CIA, FBI, Office of Homeland Security, (remember they don't share information well) I don't know why they all just didn't call ChoicePoint.
Take a little stroll through thier website, read the subscriber form! (pretend you want to sign up for
information diving) Especially the last 2 pages of the application, where you can't use the information on prescription drugs physician may provide to their patients! WHAT! They know what prescriptions I take!! And what doctor wrote them!
What I want to know is where Choice Point gets this information, who sells it to them??
In one area under something like an FAQ, it clearly states that they can not make any changes in the information they have, on the people who buy it from them can make the changes! WHAT!
It will also tell you that the information may or may not be correct!
So, what is this, they can just find information erroneous or not, make crap up, slap it into a file and put your name on it, call it official and sell it to companies that pretty much regulate your life!!
They don't need your social security number, heck they have your DNA profile! And they will sell it to anyone willing to pay.
Has anyone read the article in the LA times that this happened 5 years ago as well, but the CA law was not in effect so it went unannounced!
Now I don't know much about Nigeria (but I guess I need to learn more about the country, since for all I know, I'm living a double life, and one is in Nigeria) but why is all identity theft being blamed on Nigerians?? Anyone??? Don't they have Identities over there? Why do they need to steal ours? What do they do with it?
Someone needs to answer these questions!
I've never been contacted by anyone from Nigeria wanting to know if I wanted to buy some Identity, have you? Who ever has this information not only has your identity, but heck they have your whole persona! If you think they just have information like you find in your credit report, you are sadly mistaken.
They not only have your credit card number and expiration date, they can tell you everything you ever bought with it! That information is sold to those who see you bought a bottle of Rogaine and then send you junk mail trying to sell you a toupe.
I've gotten email about the Nigerian uncle who needs to move his money to America, yada yada yada. But I have NEVER been asked by a Nigerian if I needed some Identity. I would like to know how much some Identity would cost though.
There might not be a direct connection between consumers and data brokers but what about the employers, insurers, and companies we purchase goods and services from? If these businesses provide and obtain information from a company who has "poor systems" to protect privacy, are they not liable as well. Collectively, consumers have more power than they often think they have.
ok first of all...you report the story half wrong....choiocepoint knew of the activities in october but waited to act b/c autorities requested that choicepoint wait until their investigation was over.
secondly...they notified people of their own free will and have paid for everyone to get their credit for a year and gave the credit protection free for a year"
i am not sure the extent of their liability but come on....
at least report it correctly
The ignorance Posted in this forum truely astounds me! People speak before knowing what they are talking about.
Individuals and groups from other countries have, especially over the past few years, networked scams through the Internet like the famous Nigerian inheritance scam perpetrated by sending an e-mail notice to a potential victim, enticing them with large amounts of money (some letters are as high as $200 million) due to an inheritance. The Nigerians offer large amounts of money to help move the money to a U.S. Bank Account and ask for a large up-front wire transfer fee to cover the expense.
Scams like these are horrible but difficult to control due to the origination of crimes.
For this reason, I am concerned with open policies of data or information vendors to freely provide information services to individuals or companies.... without proper background checks.
The sales person who sold the data to the Nigerian without proper research or background verification......... should be fired. Ignorance should not be a defense for Choicepoint. They hold the keys to a lot of personal data and should be held accountable.
Other firms are in the same picture. When was the last time anyone called TransUnion, the company who holds personal information on millions of Americans. They are outsourcing to India. Call them at 800-916-8800.
I haven't received an American Accent yet.
Has anyone considered a class action suit against ChoicePoint for their incompetent management of the information they have. This may be one way we as no choice victims can have some affect on the way this is managed. The quanity of the information at one sit that can be accessed by one compay is criminal.
"Has anyone considered a class action suit against ChoicePoint for their incompetent management of the information they have."
I know that they were being considered. I don't know if the individuals had any standing.
My name is Greg and I believe I'm a victim of the ChoicePoint fiasco. I,m meligned with a fraudulent and/or erroneous documentation on my background check. I can substantiate and document all true facts to the matter. Are there any class actions suits going on. If so where can I find more information? What my legal recourse?
To whom it may concern,
My name is Stephen Rose and I reside in Forsyth County Ga. I wish to ask of your assistiance. Choicepoint has pinned two felonys on my record that do not exist in two counties here in Georgia resulting in my denial of employment with Home Depot. What assistance I am asking is how to contact Eileen Goldberg about her situation that happened with Choicepoint as well as her sons law firm that represented her in the case she had and I will supply documentation that my public records in both counties are clean and Choicepoint is clearly in the wrong thus giving the US media a story to tell because I am seeking law representation against Choicepoint and wanting to file a class action law suit against the company. My e-mail address is firstname.lastname@example.org if you can help in any way it would be greatly appreciated.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.