Schneier on Security
A blog covering security and security technology.
March 9, 2005
ChoicePoint Says "Please Regulate Me"
According to ChoicePoint's most recent 8-K filing:
Based on information currently available, we estimate that approximately 145,000 consumers from 50 states and other territories may have had their personal information improperly accessed as a result of the recent Los Angeles incident and certain other instances of unauthorized access to our information products. Approximately 35,000 of these consumers are California residents, and approximately 110,000 are residents of other states. These numbers were determined by conducting searches of our databases that matched searches conducted by customers who we believe may have had unauthorized access to our information products on or after July 1, 2003, the effective date of the California notification law. Because our databases are constantly updated, our search results will never be identical to the search results of these customers.
Catch that? ChoicePoint actually has no idea if only 145,000 customers were affected by its recent security debacle. But it's not doing any work to determine if more than 145,000 customers were affected -- or if any customers before July 1, 2003 were affected -- because there's no law compelling it to do so.
I have no idea why ChoicePoint has decided to tape a huge "Please Regulate My Industry" sign to its back, but it's increasingly obvious that it has. There's a class-action shareholders' lawsuit, but I don't think that will be enough.
And, by the way, ChoicePoint's database is riddled with errors.
Posted on March 9, 2005 at 2:54 PM
• 34 Comments
"I have no idea why ChoicePoint has decided to tape a huge "Please Regulate My Industry""
Isn't this the best way for them to acknowledge a problem without admitting guilt? This tactic points the finger at somebody else - lack of outside regulation. It also creates the perception of them being the victim, not the offender.
The fact that the data they present is largely wrong is very interesting. I would sure like to see my ChoicePoint version of me. Would be an interesting research topic.
The fact that these wild and crazy companies are brazen enough to call themselves an arm of the US government, yet operate without regulation...wait, let me guess, someone in the White House thinks regulation interferes with "success".
Note the quote "there are no restrictions in the private sector to individuals collecting information across this country, which potentially could be a problem for the citizens of this country."
CEO Derek V. Smith says they are starting to think about what is good for the consumer as well as their own pocketbook:
This guy says things like "his company has focused primarily on making the country a safer place", but we should probably think carefully about his REAL motives when he is busy selling his shares in ChoicePoint after the breach but prior to public disclosure:
I wonder how much it cost taxpayers to have 38 Attorneys General call for more disclosure?
From the links provided it appears that Choicepoint is not only incapable of making sure their information is "secure", but the information they are "securing" doesn't appear worth securing. Perhaps they realize this may lead to many more investigations as to why they even exist.
Surely they are not alone, and that is the real scary part.
ChoicePoint clearly should be regulated. Right now, they can legally sell their data to anyone. Their claim to have been defrauded is a legally interesting one since the "thieves" presumably paid for the data they accessed and I've yet to hear that ChoicePoint has any intention of divesting itself of its ill-gotten gains. In fact, if ChoicePoint can legally sell the data to anyone, one wonders if the act of purchasing the data was even illegal, in and of itself.
Because personal financial data, such as account numbers and SSNs, are often the default log in and password for financial and other accounts, it seems that ChoicePoint should be prosecuted for illegally trafficking in private account passwords and should be held fully responsible for any financial losses caused by their negligence.
In the past, people harmed by the negligence of Data companies have been unable to collect damages because those people were not "customers." That needs to be changed.
If I sold ChoicePoint's bank account log in and password, there is no doubt that I would be prosecuted and held fully financially responsible for any theft that resulted regardless of if ChoicePoint was a customer of mine.
Corporations need to be held to the same standards they hold individuals to.
I hold it both with Occam's and with Hanlon's Razor. I think they just *can't* find out whether there was more data compromised.
Fifty years ago if somebody published damaging lies about you, the government could prosecute them for libel. If they merely spoke these damaging lies, you could sue them for slander. Fines, jail terms, court awards, and punitive damages would go a long way to regulate this 'industry' of commercial espionage. If your good name is worth a few million bucks, then every error these people make would bring them closer to bankruptcy and prison.
Just about every month, the credit card companies want me to subscribe to a credit reporting service. As I see it, the following has happened:
1: The credit industry collected all forms of personal data on me.
2: The credit industry will open credit and conduct transactions with just about anyone who has enough information to construct a version of "my identity", whether they are actually "me" or not.
3: The credit industry has done a pathetic job securing and controlling access to the information they collected. Thus, it is they who have put me (and you) at risk.
So now, they want me to get a service where I have to constantly audit their view of my financial transactions to tell them if they err or are penetrated.
And they want me to pay for the privilege, on credit no doubt.
I think it's time for the people to say "enough is enough" and start bulldozing these server farms. Jailing these "business leaders" who created this debacle would be a nice touch as well.
I think this is the same company that was used to determine who had a criminal record and remove them from the voting register in the last Florida election. Lots of people were not allowed to vote by mistake. Not surprising given the quality of their data. The point though is that their right to vote was suspended without informing them based on bad data. When they tried to get it fixed, there was no provision except to ask for the governor's clemency. Almost Kafkian in a way.
Reviewing the MSNBC link in above article,
I cannot help but contrast the errors here with what the govt's 'no fly' watch list must look like.
This (fictional?) person's horror may iconify what the average Joe would see - " ... But the more closely she looked, the more alarmed she became: The report was littered with mistakes. ... "
So no wonder we were turned down for that last job, or re-fi on the house, or whatever - someone (may) have used the inaccurate info from a ChoicePoint report to assay us, and made decisions based on incorrect info, much like one's credit reports.
I doubt one can review, and ask for corrections in such a database, although I believe you can do that with the big 3 credit folks.
Now, how many other companies function like ChoicePoint, or the TSA, for that matter? Perhaps a bit more of this will create enough public outrage/political grease for some reforms, and regulations. Perhaps the class-action lawsuit will start hitting the pockets of the right folks, and things will begin to change.
The icing on the cake as far as I am concerned is that, after all this, ChoicePoint is hiring "a top official at the Transportation Security Administration to review how the company screens its customers."
Presumably this means that your personal information will be safe from terrorists, and also holders of nail clippers and congressional medals of honor.
The more I hear about this company, the more I am simply amazed. Maybe this answers your question, Bruce. It looks like the CEO is taking the "clueless" defense used in some other recent high-profile cases:
Apparently we are to believe that ChoicePoint, the leading US information safety and intelligence company, was completely unaware of the need for security and accountability. Perhaps they felt so self-righteous and morally superior in their zealous quest to sell identity information to Ashcroft, that they simply thought they were untouchable.
"ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show."
A ChoicePoint news release that Smith and Curling would sell off 737,380 shares "was issued just seven days after a Nigerian man suspected in the fraud scheme was arrested in California in a sting in which ChoicePoint participated."
"Smith told The Atlanta Journal-Constitution, which reported on the stock sales Friday [February 25], that he doesn't believe he did anything wrong, and asserted that he didn't personally learn about the breach until late December or January."
Clearly opt-in is required for these guys to sell ANY individual data. (I was affected by the breach.)
I have to both post anonymously and be a little bit elliptical, because my employer does business with ChoicePoint, does business in California and has a legitimate need for "sensitive" personal information, and there are major NDA issues as a result.
But first, I don't buy any sort of ignorance argument from ChoicePoint, because the requirements they put on their customers are significant and burdensome. Now granted, they do not necessarily enforce these requirements, and many of them are among the sort of fake "security stuff" that's so often derided by our host here and others, but they clearly wish to present themselves to their customers as highly "security-conscious". What I'm saying is they talk a great game.
More troubling is what we see from California, which is coming out as the "good guy" in this. While I understand that we have to process and maintain personal information, and we certainly need to exercise a great deal of diligence, what the state agency which regulates our line of business requires is the worst sort of mindless "security". I mean the sort of thing along the lines that say "if an 8-character alphanumeric password changed every 60 days is good, then a 16-character mixed-case alphanumeric changed every 30 days is twice as good." Some of the steps they require obviously, to any reader of this site, make our infrastructure less secure, not more. And there's nobody there who even listens, let alone with whom you can negotiate or reason. So our security team laughs at the requirements while implementing them. Who is helped?
Come on now, let's not be too tough on them, I mean JEEZ that's a LOT of information to keep track of, and I'm sure they're doing the best they can. Maybe they have other things on their mind. I'm sure if YOU accidentally leaked the personal info of 145,000 people you'd feel pretty bad, wouldn't you?
..and isn't that punishment enough?
A lawsuit certainly will not do much good "judging" by the new group of Judges Bush wants confirmed ASAP.
Is it just me or does it seem odd that Bush proposed the same 20 judicial nominees that Democrats rejected last term (compared to over 200 they approved)? I mean, why return these 20 to the table and why try so hard to ensure every single one gets confirmed?
If I were to take a guess, I would say it has something to do with the fact that these 20 judges have consistently picked corporate interests over basic rights. For example, they advocate reversing decades of progress in anti-discrimination, women's rights, worker's rights, and (of course) the environment.
If approved, the Judges are given lifetime appointments. This is a way to further remove the little guys from having any chance against the "clueless" leaders of companies like Enron, Worldcom, and ChoicePoint. It locks-in an anti-consumer conservative ideology for decades.
What is even more interesting is that the Bush administration has threatened to use this situation to remove Senate Democrats' ability to review future judges, including Supreme Court nominees.
Take this week's Senate debate, for example, of judicial nominee William Myers III for the 9th Circuit Court of Appeals. This man is an unabashed pro-corporate career lobbyist for the cattle and mining industries. http://www.allianceforjustice.org/judicial/...
Any guesses how he might handle pending ChoicePoint litigation? I suspect he might say something about preserving the welfare of big companies is most important, regardless of their mistakes, when compared to the needs of cows...oops, I mean consumers.
If a company is selling (and leaking) information about me without my consent, I certainly want it to be "riddled with errors". Regulation would be great, but there could be another stick with which we have a chance of beating the likes of ChoicePoint - offer to correct their database in return for control over what is done with the result.
I'm assuming of course that companies peddling accurate data would have a competitive advantage over those peddling bogus information. That depends a lot on what their customers think they're using the data for.
More a question than a comment, but in the US can people request to see what data ChoicePoint (or similar companies) hold on them?
In the UK, you can make that request of a company, and they HAVE to tell you. 'Course they might make a small charge, but it's not normally too bad.
Why is ChoicePoint asking to be regulated? Probably because it's afraid that any voluntary measures it takes will simply erode its position relative to its competitors. Every dominant business sooner or later connives in the regulation of its sector in order to hold down lower-cost competition.
Expect ChoicePoint's preferred regulation to involve lots of costly audits and licenses and certifications -- and possibly a token nod toward security.
If you look at what they do, collect information on anyone that falls through their net, and then resell that info to folks who want to make "business decisions" based on the information they've collected. I think the bigger question is why do businesses like these need to collect information on you and I? If the government is restricted from collecting this kind of data on its citizens, then I think businesses should be restricted as well.
As soon as the judge and jury get finished throwing the book at Bernie Ebbers of Worldcom, Bernie can start collecting royalties for the "Bernie Ebbers Award for Extraordinary Ignorance While Making Money."
Let's see, would the CEO of a major corporation who is totally ignorant of the biggest security breach in his company history, for months, qualify?
It makes me wonder...as the Titanic slipped under the waves, was Captain Smith last heard to say "Iceberg! What Iceberg?"
When information is secret, then when bad news and good news compete, bad news has the edge. If I were a loan officer buying secret reports on applicants, I could kid myself, and my bosses, into believing that I was saving the bank money by denying applications to risky applicants. If the marketers of the news I'm using are so indiscriminate that none of the information is trustworthy, then I am in fact making random decisions, but I will still convince myself I profit from inside information. Rumormongering has existed since language was invented, but now with computers doing the data mining, rumormongering has become a profitable industry with little risk of loss due to mistakes.
This industry did not spring up yesterday. The collection of reams of data about individuals has been going on for years. Thus, the need for regulation is nothing new, and could have been initiated some time back. So what have the regulators been doing with themselves as this situation unfolded? I refer to you the recent thread about banning of matches on airplanes. It's good to know our elected are looking out for our interests.
I'd say the linchpin was the Bank of America data. It contained financial data for some actual congress people. It often isn't until congressional members are directly affected that they do anything. This was the case when congress finally passed a law prohibiting the interception of cell phone calls after embarrassing tapes of congressional cell phone calls were released...
What I want to know is... where are all of the lawyers?
If ChoicePoint said I have a criminal history (I don't), and it cost me a job, I sure would sue for slander. If identity thieves got ahold of my personal information through ChoicePoint and destroyed my credit record, I'd hold ChoicePoint accountable.
It's time for the personal injury suit industry to step into the 21st century.
>If ChoicePoint said I have a criminal history (I don't), and it cost me a job, I sure would sue for slander.
A couple of problems with that. First, you'd never know that ChoicePoint cost you the job because the company that didn't hire you doesn't have to say why they didn't hire you, or even that they bought your personal data from ChoicePoint for review.
Second, in order to sue for libel (since the data is written, not spoken, you wouldn't sue for "slander") the information has to be false and *malicious*. ChoicePoint just has to say it wasn't deliberate and case closed--in their favor.
Only new laws making DataFirms accountable will solve this. But such laws are unlikely.
Surely ChoicePoint and other data vendors have to abide by their duty of care and common standards of due care in handling data. Their mistakes may not be deliberate, but that shouldn't be an excuse.
Besides, when it comes to medical data, they may not be a health care provider, but surely they are affected in some way by the Health Insurance Portability and Accountability Act (HIPAA). Likewise, they should be subject to at least some peripheral aspects of FDIC regulations if they manage financial data. Not to mention Sarbanes-Oxley.
Unfortunately, AFAIK these regulations are used and enforced only by auditors and cannot be used by the general public. But certainly they must be bound by some regulations. Unless, of course, they're waving the flag and saying "We're protecting you from terrorists! Bush is great!" Seems like that's the root password to the government and the legal system these days.
In New Hampshire, an individual was tracked down and murdered. The perpetrator had purchased information about the victim (a Social Security number and a work address) from an information broker web site. The New Hampshire Supreme Court ruled that information brokers can face civil liability when providing a third party's information to a customer. See http://www.techlawjournal.com/topstories/2003/...
Yet another article regarding Choicepoint and ilk:
"Bad Data Fouls Background Checks"
"Recent security breaches at ChoicePoint and Seisint have raised awareness about data brokering and the role that these companies play in identity theft.
But the breaches have brought little attention to another problem with data brokering that can cause just as much harm as identity theft -- inaccurate data. "
These companies shouldn't exist if they don't maintain accurate data. As the saying goes "Being Good Enough, Isn't."
Some possible reasons exist as to why ChoicePoint has decided to tape a huge "Please Regulate My Industry" sign to its back.
A question could be framed as “How might Choicepoint potentially benefit from federal regulation?”
-- Any federal regulation would probably end up favoring Choicepoint. Do a Google search for “Individual Reference Services Group” and see how this lobbying group (Choicepoint was a member -- IRSG apparently disbanded in 2002) formed self-regulation in its favor after dealing with the FTC, SEC, Congress, etc. And Choicepoint has all kinds of extremely friendly relationships in the federal government. This will work in their favor.
-- Federal regulation would allow Choicepoint to claim some form of “compliance.” Thus, consumers will feel “safe.”
-- Current regulations -- such as GLB, HIPAA, FCRA -- don’t really offer much privacy or security. Companies rather than citizens own personal data -- the opposite of EU privacy laws.
-- Regulation would level the playing field as far as investments & costs as all players in the information broker industry will have to spend money in order to establish compliance.
-- Regulation will not affect the PATRIOT Act, etc. Data brokers will still keep doing what they are doing with the government & private industry -- it will just be more “legal.”
-- Regulation won’t deal with the root problem in the Choicepoint debacle -- how does an entity detect misuse by authorized parties? The commercial infosec industry hasn’t adequately dealt with this problem. Current security approaches look for unauthorized intrusion not misuse by authorized parties.
A pertinent quote from Charles Morgan of Acxiom, one of Choicepoint's competitors:
"I think that regular Joes on the street pay little attention to Acxiom. But should we come to their attention, we need to make sure they feel there are appropriate laws in place and that they are comfortable with our published information . . . And the average person probably doesn't care. But for those who do, they need to be able to find the information out that gives them the level comfort that they need." (Robert O'Harrow, _No Place to Hide_, page 73)
My hunch is that any new federal regulation applying to Choicepoint and other data brokers will ultimately be useless if the regulation is anything like existing regulations.
New legal and regulatory approaches are needed.
Although Canada already has privacy legislation (PIPEDA), a member of the Ontario legislature has introduced Bill 174 to force immediate disclosure of privacy breaches by credit bureaus in Ontario. There's an overview in this Toronto Star Article. Bill 174 still needs to gain approval in April. If it is made law, I hope other governments follow this example.
Well next time I need bumbly info that's not very accurate I know where to go and YES this is the same company that purged "felons" from the 2000 election voter rolls.
winston churchill said "the truth must be protected by a bodyguard of lies." almost every day, i protect myself by lying like a dirty rug. when i moved to a new state and it was time to get my phone #, i went to the phone co. office and instead of applying as (bruce) (last name) i applied as (fake first initial) (b) (last name); as a result of this, some four years later, online search sites such as ussearch.com still don't know i exist. dates of birth? the american convention is (month)/(day)/(year), but i frequently use the european convention (day)/(month)/(year). it helps a lot to have been born in the first twelve days of the month :-). social security numbers? for people who have no right to ask, i don't put up an argument, i just switch two of the digits. i can't imagine the garbage in my choicepoint file, but it reassures me to know that it is garbage.
I think the free market approach you take is the correct one. Until individuals OWN their own data, as a matter of federal law, and until the cost of correctly securing data is exceeded by the potential cost (to the data aggregator) of not doing so, nothing will change and the identity theft situation will worsen.
Comment on a comment: Some of your respondents have mentioned that Choicepoint claims to keep data on individual's prescriptions/drugs and other personally identifiable medical information. If true, then clearly it is indeed time for congress to declare the individual's OWNERSHIP of his own data to any who might share it with aggregators or any other organization without the individual's explicit permission or request. The final point in my thoughts on this is that federal law should be enacted that limits the government's activities in collecting information on individuals outside of legitimate criminal investigations - yes, EVEN under the auspices of the USA Nazification Act... oh, sorry - Patriot Act.
All I want to know is just how to get your name wiped from all these databases. Some of them say send your name address phone ss..well call me stupid but how pointless is that!
How about stalkers, did they ever think about that, and maybe their grandparents names should appear online. No one ever cares unless it happens to them.
I think the name address ss# salary every CEO of each data broker company should show up. We should work to make that happen because it sounds like a good idea to me. So..
There are some privacy laws I guess but why is there an argument to get them to obey the laws.
Since when did SS #'s become public info anyway.
Now you are able to have your identity stolen from anywhere in the world. How sick is that! These companies have no morals. Well like I said nothing seems important until it affects them. Why are we victims in our own country. This thing stops people from getting decent jobs, having bank accounts, finding housing. If everything is online, you are taking security away from the children and putting them in danger by putting the parents in danger.
Why isn't this country doing something to just wipe out the names online. Why do we have to get sick worrying about this stuff?