Schneier on Security
A blog covering security and security technology.
« GAO's Report on Secure Flight |
| ID Theft is Inescapable »
March 29, 2005
More on ChoicePoint
EPIC Executive Director Marc Rotenberg's testimony before the House Subcommittee on Commerce, Trade and Consumer Protection is worth reading.
Posted on March 29, 2005 at 8:32 AM
• 12 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Although I fully approve of appropriate legislation to protect the consumer, my experiance of it so far in the UK has not been good, and can best be described as a "dead and toothless watchdog".
The sad fact of life is that unless you have strong legislation companies will do everything they can to avoide any kind of liability on their actions (after all it's their botom line).
An often quoted example is the "Lemon Laws" to protect car buyers.
Put simply legislation is like a knife, without a keen edge it is more likley to hurt those who try to use it than to produce the desired result.
Excellent find. I thought this paragraph sums things up nicely:
"Mr. Chairman, hindsight may be 20-20, but it is remarkable to us that ChoicePoint had the audacity to write such a letter [regarding their compliance with the FCRA] when it already knew that state investigators had uncovered the fact that the company had sold information on American consumer to an identity theft ring. They were accusing us of inaccuracy at the same time that state and federal prosecutors knew that Choicepoint, a company that offered services for business credentialing, had exposed more than a hundred thousand Americans to a heightened risk of identity theft because it sold data to crooks."
Hindsight, indeed. Senator Boxer and Feinstein were not only correct to fight for their amendments in 2003 to the 1996 Fair Credit Reporting Act (FCRA) but they also were clearly facing an uphill battle against entrenched big-business lobbyists from ChoicePoint.
If you remember the US conservatives and financial industry said they opposed the amendment because it "would devastate the sharing of information that has helped make consumer credit more available and less expensive".
Senator Shelby even claimed, in one of his more famous statements, "from a consumer perspective, there is no difference between a company sharing information internally between departments and sharing between affiliates."
Oh really, my fine Republican friend? What if one of those affiliates is a criminal organization? What if there is no penalty or accountability for selling customer data to organized crime? Your "significant improvement over existing law" was a start, but you sold America a paper tiger that continued to give big business the green light to unjustly ruin US citizens' lives for profit.
In review, Choicepoint's business model was about making money hand over fist with a shrewd manipulation of trust. This was backed by a Republican-led anti-regulation agenda that big identity warehouses used to say fraud and theft were not their problem.
ChoicePoint billed itself as privacy and security champion in such a way that people bought their information because they believed they could *trust* it. They lied to manipulate the market and abuse trust for profit. The result is that ChoicePoint did the exact opposite of its promises and actually contributed to identity theft.
Enron billed itself as an energy efficiency champion and marketed itself in such a way that it was *trusted* to manage state utilities. They lied to manipulate the market and abuse trust for profit.
But Rotenberg captures something that I believe is a key difference in these heinous crimes against the public: ChoicePoint actually believed that they were an arm of the government, helping Ashcroft wage an information war against the people who live in other countries:
"Choicepoint's activities have fueled opposition to the United States overseas and raised the alarming prospect that our country condones the violation of privacy laws of other government."
I second Clive's sentiments on toothless consumer legislation.
Ever file a complaint with the National Do Not Call Registry? They have a nice disclaimer that they don't investigate individual complaints.
Clive, surely his proposals for liquidated damages are stronger than UK practice?
That, backed by contingency-fee lawyers would put the Choicepoints into a world of pain.
Senator Feinstein's "Notification of Risk to Personal Data Act" adds USD$25000 per day in fines for failure to comply.
Note that the state legislation that this national act was based upon is SB1386, which has been largely credited with the ChoicePoint disclosure (even though, as many are quick to note, ChoicePoint technically "sold" its customer data to criminals). SB1386 has been extremely effective with regard to notifying consumers of their risk, as noted recently:
The Google Ads are creeping into the government web domain.
THE CITY OF KETCHIKAN, 334 FRONT STREET
KETCHIKAN AK 99901 http://www.city.ketchikan.ak.us/
They have community links, but no news link with the other community links.
When you type news into the site search box, you end up at their Google government site with an ad for coffeefool.com. Check the coffeefool shopping cart and you find the certificate has a OU for https://services.choicepoint.net That should inspire confidence!
That is how ChoicePoint, Google and Ketchikan all fit together.
Guess what the weak link is?
Here's an example of a Google Ad with a government operated web site. http://compactURL.com/htdo
Here's how it works.
AdWords Spark Debate
Trademark holders are fighting Googles lucrative advertising practice.
By Jamie Ann Tyo
Have you ever wondered why, when searching a keyword such as news in Google, something as seemingly unrelated as www.coffeefool.com pops up on the right side of the page, under Sponsored Links? After all, The Coffee Fool seems to have little to do with news. In fact, the only parallel is that people who drink coffee might also read the newspaper. Trying to catch the eye of Web surfers, The Coffee Fool purchased the AdWord news from Google.
While this seems to be an innocent practice the links are clearly labeled as advertisements and most terms are generic some trademark owners disagree. Trademark owners are concerned that when a keyword containing their trademarked name is sold to a competing company, it lowers brand awareness and violates their trademark.
Great work Marc & the EPIC team! So, essentially, though "we may never
know!" ChoicePoint could well be and/or became at some point a
privatized front for CIA/FBI counter-intelligence. Latin American data
profiles is one dead give away. Some of what has ""so far"" been
exposed on CP would likely make the KGB, InterPOL & UK-SIS proud!
Unfortunately, with such a deep & vast database of information, and
given CPs lack of checks & balances et al; I can only imagine what
the leave_no_trace Pro*Crackers have managed to "obtain" over the years.
Daemons@Santa Fe ~Faithfully ACKnowledging our SYNs~
Great discussion! So if I am an ill-minded terrorist organization in need of money, why should I bother "phishing" E-bay information from people with SPAM? Why not set up a "legitimate front" organization and just buy information from ChoicePoint wholesale? Then I can set to transferring their credit card balances to my account in the Caymans. One, of course, assumes that members of Congress and the Senate also have information stored at ChoicePoint? Cabinet members perhaps? State Governers, District Judges, etc.? But there's no reason to worry about ChoicePoints practices right? I am sure they have a bona-fide technique to determine which organizations knocking on their door with cash in hand are "legit" and which are not. And besides, no "legitimate" purchaser of this information would consider re-selling that information to someone else would they? Of course not...it wouldn't be proper...unless, of course, there's a profit involved.
Yes I see...thanks for the response; I wasn't aware of your prior delve into the likes of re-branded, post cold-war US/UK "agencies" effort at DigiIntell via corps. such as CP. It's interesting to note, that by and large such painstaking database/info security measures are so highly stressed, for example here at Los Alamos, pertaining to long obsolete Nuc_Research than is imposed or maintained on our citizens & government issues/officials.
So what was once a "McCarthyist" based justifiable total breach of privacy in terms of rooting out Communists is now the same old wine labeled Terrorists. What's even ironicly-funnier is the `ah hum` ad-hoc, inept & archaic screening process implemented by TSA/DHS for "phasing" through potential candidates for employment.
ie; online, unsupervied, fully InterWeb enabled & physically Accessable PCs at a CompUSA used by TSA/DHS for Viet Nam era psych-type & apptitude evals. not to mention the sham of the current contractors that maintain scheduling, background verifications, etc. Lets face it; e-government is for the most part in shambles. Hopefully Mr. Schneier & "the team" can bring some changes about on at least the more obvious concerns.
Daemons@Santa Fe ~Faithfully ACKnowledging our SYNs~
It's out-and-out silly that law enforcement had to employ ChoicePoint to gather data they're not allowed to gather themselves. I don't mean that there's anything wrong with the government outsourcing its routine operations -- I mean that if the information they're gathering is so sensitive that the police shouldn't see it without a warrant, then nobody in the private sector should be allowed to gather or share it either without the written consent of the person it's about for each transfer. Conversely, if the information is non-sensitive and public, then the police should be at least as free to get it as anybody else is.
Choice post traffic ticket a person get within a few days of issuance and weeks before your court date in Farmington Hills MI. and probably every where and your auto insurance rates are raised even if your ticket is thrown out and Adjudicated because you proved your innocence.
I Contacted my Insurance Agent State Farm to have my rate lowered to there previous amount and only time will tell because I got a negative vibe when my Agent told me it was still my obligation to have ChoicePoint National Consumer Disclosure Center who also goes by www.consumerdisclosure.com receive copies of your total legal dismissal and have them remove it from their data base and whoever else they may have shared this information with. The only phone no. I was given is completely automative and couldn't repeat things like my name and address correctly all the time informing me that any wrong information could result in me not getting a copy from them along with a number that would put me in touch with a real person that was suppose to correct any errors on your Auto report
Does any person have any advice what a person can do or contact even if it is a phone no. with one of these people that don't care in the least bit what they are doing to innocent peoples reputation,insurance rates ect.
please e-mail or call 2482271804
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.