
Wednesday, December 28, 2005

Winding Down the Worst Year Ever in ID Theft

I started The Dunning Letter on April 19 of this year and this will be post number 46, probably the last for 2005. It all started with my concept that federal legislation should be passed, giving consumers control over their names and personal data, and they should be paid for its use.

In the nine-month period, many things have happened in the identity crisis arena, but nothing of substance that would solve the problem. If you read my last blog, “Government and Business Want to Convince You 2+2=5,” you know that Congressional leaders have once again dropped the ball by putting ID theft legislation on hold.

And then the Los Angeles Times ran an article recently by Joseph Menn, “Data Brokers Press for U.S. Law,” that clearly shows these data merchants are running scared with the state laws that are popping up, the most recent in New York. You know there is something wrong when the junk mail industry supports laws that will regulate its business. What galls me is the fact that the industry is apparently cock-sure this Congress will pass something weak enough not to hurt them, but strong enough to supersede the more stringent state laws.

The latest major event in the identity crisis fiasco is the plight of Eric Drew, from Seattle, Washington. Eric was fighting leukemia in a cancer center when a technician decided the patient probably wouldn’t make it, surmised he wouldn’t need his identity any longer, and promptly stole it from hospital records, opening several credit accounts in his name. Well, Mr. Drew fooled him on both counts. His health improved and Eric fought back to catch the thief. The technician, Richard Gibson, is being prosecuted under a new law passed to protect patients’ privacy. You can read about it on two sites: “Dateline: The lowest scam,” on MSNBC, and “Cancer Patient Catches ID Thief,” on CBSNews.com.

If you consider the millions of patient records in thousands of doctors’ offices, hospitals and medical centers nationwide—many with minimum security—you begin to understand how the Eric Drew incident occurred. Medical databases are one of the largest storehouses of private information in the country, most with Social Security numbers from the days when we readily gave them up. Now these institutions have created the perfect formula for ID theft.

Finally, I have to mention what I consider to be the most bizarre news from 2005. ChoicePoint, the company that introduced the new wave of identity theft in 2005, with three incidents totaling almost 172 thousand account records lost, wants to "acquire" state DMV motor vehicle registration records for its client, the U.S. Department of Homeland Security. (Actually, ChoicePoint already has them, something that will be covered in a future blog.) In a Los Angeles Times article, “Big Data Broker Eyes DMV Records,” Michael Hiltzik reflects what most of us probably believe: “Given ChoicePoint’s history, should it be allowed anywhere near our motor vehicle records?”

Another piece in LAVoice.com, “The Peter Principle Lives (and then some): ChoicePoint to get DMV Data?” takes us back to the late ’60s and early ’70s when Dr. Lawrence Peter professed his belief that individuals will eventually be pushed to their highest level of incompetence, after which the competent few must deal with this inadequacy. It’s the primary reason I left corporate America years ago and never looked back.

You might also want to check Michael Hiltzik’s Golden State blog post, “Golden State Column: ChoicePoint and the Threat to Privacy,” where he also feels, “The real remedy is Congressional legislation…” He goes on to comment on ChoicePoint’s dual position of being both investigated by California Attorney General Bill Lockyer for the data breach, and at the same time awarded a contract worth over $845,000 to design a law enforcement database, also by Lockyer.

A sad year, 2005, but I am predicting that all this will change in 2006, when a fed-up public decides they won’t take it anymore. Join my grass-roots movement. Write your Congress person. Contact local TV, radio and newspapers. Tell them you want to see federal legislation passed that will give you control over your name and personal data. And, you want to be paid any time it is used.

Talk to you next year!

Thursday, December 22, 2005

Government and Business Want to Convince You 2+2=5

In George Orwell’s 1984, the “Party” had achieved its ultimate goal of transformation when its members confirmed that they believed 2+2=5. Just saying they believed was not enough. And if the Party wasn’t assured of this belief, people had a way of disappearing, as if they had never existed.

Fortunately, we don’t have to be afraid today that government will make us vanish without a trace, but it, along with certain business interests, is still using the same tactics to destroy our right to privacy. Let me explain my reasoning, starting with government.

A recent article on InternetNews.com, “House Tables Data-Breach Law Talk,” by Roy Mark, pretty much says it all. It fizzled, according to Mark, because Democrats opposed the fact that it “lacks enforcement teeth.” They are right, because the law does not include the one factor that will ensure that the legislation is both powerful and lasting, and that is… giving control of their name and personal data to the consumer.

Another article by the Counter Think organization, “Experts predict no data security bill will pass Congress in 2005,” agrees with Mark and makes an interesting comparison. They mention the California legislation responsible for exposing the ChoicePoint, LexisNexis, etc. breaches and the fact this law would be compromised in all currently proposed, weaker federal legislation. And the same applies to a recently passed New York law, the Information Security Breach and Notification Act, requiring consumer notification of data loss.

The Pennsylvania Public Interest Research Group (PIRG) is questioning that state’s Senate Bill 712, similar to California and New York, except, companies have to notify affected customers only if they “reasonably believe” the security breach will cause damage. The article in the Pittsburgh Post Gazette by Patricia Sabatini, “Security breach notification bill won’t protect consumers, group says,” reports that the governor is scheduled to sign it, regardless. Nobody listens to the experts. PIRG has been around since 1983 working at the state level to protect consumer interests.

The federal government and the present Congress and administration will delay any substantive action and/or legislation as long as the consumer remains apathetic and continues to accept the fact that their privacy is not a priority. Further, that they continue to condone the fact that their name and personal data can be sold or used in any way the government or business decides, and without question. In other words, the consumer be damned and the public is willing to live with it.

On the business side, it is not likely to clean up its act until it is forced to do so. I was in the junk mail industry for thirty-five years and I can assure you that the emphasis was always… get as much private information as possible on the individual and sell it to the highest bidder. Not… just how do we make sure the data collected is secure.

Since ChoicePoint started the parade in February of 2005, some other major contributors to the “loose security” brigade are: Bank of America; DSW Retail; LexisNexis; Ralph Lauren Polo/HSBC; Time Warner; Dept. of Justice; Citi Financial; CardSystems (biggest ever at 40 million data files); and TransUnion. According to Privacy Rights Clearinghouse, there have been ninety-six total breaches in 2005, totaling close to 54 million consumer records lost. And then there are the more recent ones.

On December 2, Sam’s Club, a division of Wal-Mart, disclosed that customers purchasing gas had experienced credit card fraud. In a Computerworld article by Jaikumar Vijayan, “Update: Security breach at Sam’s Club exposes credit card data,” he says an unspecified number affected had purchased gas between 9/21 and 10/2/05. Sam’s Club is working with Visa and MasterCard in their investigation.

And then on December 16, ABN AMRO Mortgage Group, a subsidiary of LaSalle Bank Corp., announced that a computer tape with personal data on 2 million customers, including Social Security numbers, was “missing.” Covered in a Detroit News article by Susan Tompor, “ABN AMRO data lost,” the tape was lost in November when DHL delivery service picked it up in transit to the Experian credit bureau. Fortunately, the tape was located by DHL but the question persists: where was it, and why was it lost?

There is only one way to protect the use of consumers’ names and personal data. Pass federal legislation to give the individual control over their name and private information. And, while we’re at it, compensate the name-holder for its use. Why not? The control provides protection against identity theft and the payback for selling this data can be used to supplement your Social Security.

Think about it and join my grass-roots effort to pass this legislation. Write your Congress person. Write letters to the editor of your local paper or call radio and TV stations’ consumer correspondents. Or, send me an e-mail at jack.dundiv@cox.net and I will see that your thoughts are known by Congressional leaders and the media.

Thursday, December 15, 2005

Another "Given" Bites the Dust: PENSIONS

If you are a young to middle-age employee of Verizon, and a manager with the company, you just lost your pension benefits and might be wondering about the future of your retirement. “Verizon to cut managers’ pensions,” is a recent article on C/Net News.com that seems to be predicting the future of corporate pension plans. And, Verizon is in completely sound financial condition.

The second largest telecommunications provider says the move will affect about 50,000 managers out of their 215,000 employees. Verizon’s Chairman and CEO Ivan Seidenberg says the action will enhance their ability to compete. They are also currently in the process of acquiring the long-distance carrier, MCI, so we see where the priority is.

I’m not faulting Verizon, nor am I justifying what they did. Other companies are doing it or are looking at the possibility. An Associated Press article on Newsday.com, “Companies look to freeze pensions,” reports that last year, 71 of the nation’s biggest firms froze or terminated pension plans, a 58 percent increase over 2003. In Verizon’s case, there are also cuts in retiree health care benefits.

The Newsday article states that Verizon tried to make the same move ten years ago, and the recent step has left several workers understandably angry and afraid. Continuing, it states that Sears, NCR, Circuit City and a division of Abbott laboratories have frozen pension plans for some or all employees and Hewlett-Packard said this past July it would do the same for some workers.

Scott Cohn, in his article on MSNBC, “Are pension promises a thing of the past?” is asking a very provocative question. He quotes a Motorola employee who lost a part of his pension as saying, “I got screwed.” Cohn goes on to add the troubled airline industry to the list of companies cutting retirement benefits. Not looking good for those of you who plan to take it easy in your golden years.

Which brings me back to my original premise: the solution is to pass federal legislation that will give consumers control over their names and personal data and pay them for its use. A double-barrel advantage of preventing ID theft and supplementing your retirement by $607 per month.

The junk mail industry alone grosses over $4 billion annually on your name and private information. Folks, this is year after year after year and growing with each new tidbit of information added to your dossier. And this doesn’t even include the non-junk mail companies, like the pharmaceutical industry, who have gotten into the business of selling your data.

The other benefit of having control over your name and personal data is that you can prevent the possibility of identity theft. You have the right to opt-in—not have to opt-out—to all uses of this data in a system of checks and balances that is both simplified and effective. For once, you can be assured that when your name and private information are being used, they are completely secure.

I’ve never done this before but here is my e-mail address: jack.dundiv@cox.net. Just click on it and send me a quick message with your thoughts, suggestions, comments or even criticisms. I will use your input to help convince Congressional leaders to pass this important federal legislation. Any reference to your message will remain completely anonymous and your name and e-mail address will never be sold or shared; you have my word.

Saturday, December 10, 2005

Make Your Holidays ID Theft Free

You don’t want to wake up Christmas morning with an ID thief under your tree. You may have already heard it a hundred times, but I’m going to say it again. Protect your name and personal data at all times, particularly in the rush of holiday purchases. That’s when you’re most likely to be victimized at the traditional retail locations.

Transactions occur so quickly that you can’t follow the trail of your credit card. A dishonest clerk can copy your account number without being caught and sell it to the crook who either uses it or resells the number. It’s a business, and even organized crime has been involved through bribing employees to steal your private information.

In an article on the TechNewsWorld site by Gene Koprowski, “Forecast: ID Theft by Insiders to Grow Dramatically in ’06,” he is predicting this increased activity by store personnel because retailers are not educating employees about the value of protecting consumer data. In my experience, you’re lucky during the holidays to find someone to help you with knowledge of what they are selling, much less being skilled in protecting your personal data.

Greg Simmons has written an article for FoxNews.com you should read: “Holiday Shoppers Vulnerable to ID Theft.” He tells you why you should worry about identity theft; it won’t hurt to review some of these time-tested bits of advice. He covers a range of possibilities where you can fall victim to the fraud and makes one excellent point: You have to be in control because police departments across the country do not have the officers for investigation.

You also need to make sure your on-line purchases are secure, dealing with companies either you know or those that come highly recommended by others. Always look for the “lock.”

According to the Identity Theft Resource Center, about 22 percent of victims reported their identity stolen from charges over the Internet in 2004, which was almost a ten-percent increase over 2003. Privacy Rights Clearinghouse estimates almost 2 million U.S. adult Internet users were victimized in 2004 and many consumers are beginning to weigh the risk against the convenience.

The above isn’t meant to frighten you into a corner where you are afraid to deal with the outside world. The purpose of all this advice is to make aware shoppers out of all of you so that you take command of your personal life. And, hopefully in 2006, we can convince Congress to give all consumers control over their names and personal data and pay them for its use.

Sunday, December 04, 2005

Babes in the ID Theft Woods

I had the opportunity recently to talk to someone who had been the victim of identity theft. When you are around it constantly, doing research and blogging the results, you begin to assume that everyone knows as much as you do. The irony of this situation came crashing home when my wife and I met a young girl who had been victimized.

To make things worse, she was sitting in the emergency room of a local hospital, alone, and very scared about a condition that had come on suddenly, which was quite debilitating. Her mother had dropped her off quickly and then left to take care of her daughter. To top everything off, she told us after relating the above, that someone had just stolen her identity and made charges to an account which had just been opened.

She didn’t have the slightest idea what her next move should be and she said she could not afford an attorney. The confusion we saw in her face said everything. That account someone had scammed was opened to buy her daughter Christmas presents and now the store had shut it down. Since the girl had not yet even received a credit card for the account, it had to be an inside job. We had to move on to take care of my wife’s father—who was also in the ER—but left her with some good advice we hope she remembers.

To emphasize the plight of this young girl and others like her, Gene Koprowski has written an article you can find on TechNewsWorld.com titled “Forecast: ID Theft by Insiders to Grow Dramatically in ’06.” He is a top security analyst and is predicting that, even though companies install more security safeguards, their employees will find ways to breach these obstacles and steal your personal data. Comforting.

Joseph Ansanelli of data security firm, Vontu, says in the piece that retail employees will begin to realize even more so in 2006 just how valuable your name and private information are, and, if not “trained” to protect this valuable asset, they will continue to make off with your data. You don’t “train” someone to be honest; they either are or they aren’t. Even if they are on the fence, the right offer could make them fall on the wrong side.

From another angle, and it isn’t clear yet just what that angle is, 3,623 consumers’ names with data were stolen from one of the big-three credit report companies, TransUnion. The unclear angle is that it wasn’t reported as an inside theft, but it was stolen from one of their regional offices in California, at least from under the noses of their employees. You can read Jonathan Krim’s article in the Washington Post: “Data on 3,000 Consumers Stolen With Computer.”

TU says the computer was probably the reason for the burglary, not the data. Sure. Computer value, probably at most $500. Data value, at least $10,000. This is the same credit reporting agency that sued the Federal Trade Commission in order to sell your name and personal information, including some credit data, which was in violation of the Fair Credit Reporting Act of 1970. They lost, appealed to a circuit court and lost again, and finally filed a petition for certiorari with the Supreme Court—which means, will the court hear their case—which was also denied.

So, I hope you can see where all this is going. Even if the data were secure within the facility where it is housed, you can still be victimized at the last point of contact, the retail clerk where you make your purchase, including the order-taker at the junk mail company from whom you order. But it isn’t safe with the data brokers, as evidenced by the recent theft from TransUnion and all the other ChoicePoint, LexisNexis, etc. events. And, Gene Koprowski in TechNewsWorld.com says it will just get worse in 2006.

The only answer is to pass federal legislation to give you control over your name and personal data. This will stop the identity crisis in its tracks and give consumers the confidence to work with organizations, when necessary, in the use of their private information. By the way, that legislation would also include paying you for its use.

Wednesday, November 23, 2005

Beware the Third-Party (Temporary) Database

They’re out there everywhere, even more so than the humongous, permanent databases like ChoicePoint, Acxiom, Experian, Equifax, TransUnion, etc. They are assembled on a temporary basis for a specific purpose, usually for a mailing to several million households. They can end up in the largest of metropolitan areas or on the rural back roads of any state.

I am talking about third-party databases that are created solely for the purpose of mailing a company’s products or services, and involve a very specific selection technique that often requires the use of personal data. In addition to your name and address, this could include age, income, ethnicity, travel habits, religion and politics, home equity, credit cards carried, reading choices, likelihood of being a drinker or gambler and much, much more. You get the idea.

The most likely places these temporary databases end up are: printing companies, mailing houses, advertising agencies, computer service bureaus, fulfillment operations, list brokers, list managers, and market research firms. And then there are the delivery services: UPS, U.S. Postal Service, Fed Ex, DHL, etc. Earlier this year, UPS lost computer tapes with the private information of 3.9 million CitiFinancial customers. They were in transit to a credit bureau.

I worked for one of the giant database compilers and during my indoctrination period, was sent to the home office for orientation into the company’s various procedures. On the day we visited the data processing department, the thing that stood out was not the impressive amount of computer equipment that was all around us, but it was the massive inventory of computer tapes that were stored in the tape library. Thousands of tapes, row upon row.

My usual curiosity got the best of me and I started asking questions about what was on the tapes. The answer was that many of them contained raw data for input into the master file, but the largest number included transactions of list orders (names and personal data) that had been prepared for junk mail companies. Commenting on a stack of tapes in disarray, the head of the department told me that it was often necessary to ship out hundreds of tapes with the names and private information to themselves (the same company address), just to make room for inventory during those few days of transit.

But the sleeping giants of third-party databases are the computer facilities that perform what is known in junk mail as the “merge/purge.” This is a matching process where millions of names and personal data are fed into the computer simultaneously to eliminate duplicate names. In the process, this procedure also extracts meaningful data that can be used later to draw comparisons and to pry even deeper into the everyday lives of the typical household.

So what happens to these computer tapes after they have fulfilled their job? They are supposed to be returned to the original computer service bureau maintaining the database, or scratched (meaning, erased). In a number of instances they are returned, but in many cases they languish in the third-party locations, mostly forgotten, and eventually just end up on a shelf with minimum or no security.

Third-party use of consumers’ private information by financial institutions is controlled by the Gramm-Leach-Bliley Act, passed in 1999. They are required to notify customers when their data is supplied to third-party vendors. The time has come to expand this approach to all data of a personal nature in order to curb the current identity crisis.

This problem is not just a figment of my imagination. These are either first-hand observations by myself, or they are reported fact from individuals who maintain control over the ordering and shipping of names and personal data, and/or the junk mail companies that receive them.

Your private information continues to remain in perpetual jeopardy, and the only answer is to pass federal legislation that gives you control, and, in the process, pay you for its use. Don't you agree?

Wednesday, November 09, 2005

Microsoft Agrees, Well Almost, With The Dunning Letter

In a Washington Post article, “Microsoft Calls for National Privacy Law”, by Brian Krebs and dated November 3, 2005, he writes that Microsoft has called on Congress to pass federal privacy legislation. He goes on to predict that this move will push lawmakers beyond the current provision of just notifying individuals when their personal data is breached. Nothing really new yet.

And then Krebs hits the target. Well, almost. He writes that “…Microsoft said consumers should have at least some control over how their personal information is used and disclosed.” Beginning to sound familiar? This has been my stand for over ten years, except, I would give individuals complete control over their names and private information and pay them for its use.

As the article indicates, here is an industry giant that seems to be admitting that the information business is simply too large to regulate itself on privacy. Further, that fifty different—and, perhaps, not nationally acceptable—state laws could be a nightmare.

Besides, when it comes to regulation, we aren’t just talking the junk mail companies—whose revenue on selling names and personal data alone accounts for $4 billion annually—we are also talking non-junk mail, such as the pharmaceutical industry and financial institutions. We need federal legislation that will level the playing field between government and business needs, while at the same time protecting consumer privacy and giving back what is rightfully ours.

The big guys posted a statement online, “Microsoft Advocates Comprehensive Federal Privacy Legislation,” also on November 3. Brad Smith, senior vice president and general counsel, delivered a speech to the Congressional Internet Caucus and outlined three key factors: 1) the state and federal patchwork of data privacy laws; 2) growing consumer fears over identity theft; and 3) the increasing desire of individuals for control over their names and private information. All three, staples of The Dunning Letter since its introduction last April.

The irony of the situation is that, if the junk mailers and non-junk mail companies would just give up control of this data and share in the wealth, the average consumer would most likely reciprocate by increasing their habits of shopping or dealing direct, and everyone would be the winner. The idea is original, bold and even outrageous according to present-day standards, but workable.

And then there’s the bad news. While Microsoft puts in its two cents for more substantial federal legislation, Congressional leaders continue to mock the plight of the identity crisis by recently passing a bill (November 4, 2005) that not only does not fully protect individuals, but it will pre-empt the California law that does allow consumers to protect themselves. "Data theft bill a step backward" by David Lazarus in the San Francisco Chronicle, states “The Republican-backed bill was approved in a 13-8 vote along party lines…”

The bill does require the reporting of data breaches, but according to Lazarus, the description of this is vague: “…contains no definition of what constitutes a ‘significant risk.’” Consumers Union agrees in their letter to Congressional leaders, “RE: Oppose H.R. 4127, Data Accountability and Trust Act (DATA),” sent on November 2, 2005.

CU had six key concerns you should read about, but their main point was that the bill’s “…so-called breach trigger for notice to individual consumers is nearly insurmountable.” They go on to note that, had the bill been in effect in early 2005, it would be doubtful if any of the 50 million breaches would have been covered.

Pathetic! This doesn’t even qualify as a band-aid approach to the problem. And I don’t know if you can blame it all on the Republicans, since I haven’t heard any screaming by the Democrats over the inequity of the bill.

Folks, if you don’t join my grass-roots effort soon, you’ll find yourselves out in the cold without your identity. According to the Web site Identity Theft Resource Center, victims of ID theft spend over 600 hours of their time to clear their name, equaling nearly $16,000 in lost potential or realized income. And that doesn't even include attorney fees for credit repair.

Let me hear from you. Tell your friends and family. Write your local paper. Contact your members of Congress. Give me some ammunition to get this movement going, and I promise that I will not disappoint you.

Tuesday, November 01, 2005

Why Does the Junk Mail Industry Refuse to Reveal Name and Personal Data Sales Revenue?

The Direct Marketing Assn. (DMA) has just issued its study, “U.S. Direct Marketing Today: Economic Impact 2005,” with figures on most revenue centers in junk mail. Except, that is…the money that is made from the sale of your name and personal data.

Statistics headlined in Direct, an industry publication, trumpet “DM Sales to Hit $1.85 Trillion.” It does not say how many consumer names, addresses, and private information it will take to achieve this goal. I can. Millions. In my best estimate, the junk mail list industry garnered approximately $4 billion off your namesake and personal data in 2004. They do this annually, and have for several years.

Some other figures in the study include 10.6 million jobs in junk mail. There is no breakdown of list business employment, but I can personally attest to the fact that at the annual conventions, the list people appeared to dominate the gathering. Schmoozing, brown-nosing, trying to prevent their clients from talking to other junk mailers. There’s an old saying about list brokers: they are called prostitutes because they’ll do anything to make the sale.

Here’s another fact that is both surprising and bewildering at the same time. Spending on telemarketing, at $47 billion, topped the list of expenditures by medium. This, when the National Do Not Call Registry has grown to over 100 million telephone numbers, with 675,000 complaints filed in 2004. I’m guessing that with this budget, there will be a lot more complaints in 2005.

But why is the junk mail industry so silent, actually downright secretive, about what is made from the sale of mailing lists? It’s an esoteric thing and for years they have kept it that way. That is, until now, with a maverick, former list broker blowing the whistle. That’s me, of course. The list folk are running scared, terrified that they will eventually have to give up some of the spoils. And this applies not just to junk mailers but also to non-junk mail companies that are capturing your name and private information.

Most companies pride themselves on their revenue and earnings. However, most of these are public corporations, and the list business is almost 100% privately held. They have been getting away with it…until now.

Believe me, I tried by surfing every site that might have this data. When searching for “list sales revenue,” the DMA has 159 sites; Direct Magazine, 538; and DM News, only 5; the latter two being industry publications. When “Googling” “mailing list sales revenue stats,” there were 4.1 million hits. As with the others, nothing. Zilch. I consider that anything past the fifth page will probably not produce anything very relevant.

In case you aren’t familiar with the math of mailing lists, let me enlighten you to a profit center that puts all other profit centers to shame. I am speaking of junk mailers here—catalogs, solo mailings, etc.—not data brokers, who have a completely different cost/profit ratio. The junk mailers realize around 60% in profit on every dollar made from the sale of your name and personal data.

How do they do it? Names are a by-product of the merchandise or services you purchase. It’s a, “Duh, look what we found, so what can we do with it?” mentality. Once the potential, along with this neat profit margin was discovered—over fifty years ago—well, you know the rest of the story. That annual $4 billion thing.

The making of all this money doesn’t bother me; that’s the American way. What does worry me is the fact that you, the name holder, do not share in these profits. Am I crazy, or does it really make sense that the person with the name, the address and the private information should benefit from its sale? As far as I am concerned—and I bet the majority of you as well—it’s a slam dunk.

So what do we do? Again, I have the answer. Pass federal legislation that will give you and other consumers control over your names and personal data and pay you for its use. My plan would put $607 per month in the pocket of each age 65 retiree and you would be virtually free of identity theft.

But I cannot do it alone. Please join my grass-roots effort to put this legislation before Congressional leaders. Talk to your friends and family. Write “letters to the editor.” Contact your Congress person. Together we can make this happen.

Tuesday, October 25, 2005

Did George Orwell's 1984 Predict Today's Personal Data Breaches?

1984 is about a totalitarian state where every aspect of public and private behavior is regulated. We certainly aren’t at that point, but the control over our names and personal data by business and government has set the stage for the next step. As Erich Fromm wrote in the book’s “Afterword,” Orwell warns us that, unless drastic changes are made, people will become “soulless automatons.”

Back in 2001, David Goodman did a “Special Report” in Insight on the News, “Orwell’s 1984: The Future Is Here.” It is an excellent article if you are an Orwell fan but is also far-reaching in the analysis of the writer’s meanings in 1984.

First, he makes a comparison between the book’s totalitarian state and the implementation of the USA Patriot Act of 2001. Next, he wonders about the title…why 1984? There are three theories that make interesting reading.

But my favorite is his focus on the fact that, although the liberals embrace Orwell’s resistance to the loss of civil liberties, they can’t admit their leaning toward the principles of totalitarianism. You have to assume that Goodman is referring to the “more government” belief of some Democrats.

If you look closely at Orwell’s “Party” in 1984, as the representation of the all-powerful force that controls every aspect of the people of the fictional country of Oceania, it is easy to draw a comparison with the situation today, where our private information is under the exclusive control of government agencies and business.

In Chapter four of Part one, Orwell writes of the ease with which real people can be made “unpersons,” which closely parallels the idea that credit bureaus can place incorrect and damaging data in your records and damage your credit, and life, forever.

Rick Perera, writing in a 2000 Computerworld article, was concerned even then over privacy issues and the Internet. In his article, “Security and privacy issues loom large for Internet’s future,” he combines the “explosive” development of the Internet with the warning of privacy legislation if it doesn’t police itself. He remarks, “Citizens around the world are scared about this. A scenario out of George Orwell’s novel 1984, in which companies could know more and more about users of their Web sites, would be a dangerous world.”

Orwell did envision the Internet in the second draft of the book, but in later editing, for some reason, deleted it. His concept of the telescreen even rivals that technology. 1984’s protagonist, Winston Smith, couldn’t speak above a whisper for fear of being heard by the police on this TV-like, customary fixture in most party-members’ homes. Within its field of vision, which was most of his modest living quarters, his every move could be monitored. The author turned the infancy of television, 1948, into a full-scale, scientific phenomenon.

On her BLOG, Your Right To Know, Heather Brooke gives the American consumer credit for rising up against the Patriot Act in her article, “Let Them Read Heat.” (Scroll up to top.) The act was “pushed” through by Bush, but when the American public figured out what was going on, “their protests grew loud and angry,” she reports. A comparison is drawn between this and the British public’s “…lamb-like disposition toward its leaders.”

In all fairness, Heather, the Brits are far ahead of the U.S. in their protection of the consumers’ name and personal data, as evidenced by the United Kingdom’s Data Protection Act of 1998. It at least provides that anyone processing personal information must notify the Information Commissioner’s Office (ICO) that they are doing so, which just falls short of my concept that consumers should have control over their names and personal data. Both articles are available on The Dunning Letter.

Although there were no legislative matters to deal with in 1984—Big Brother did all the legislating—the U.S. Congress had better take note of Orwell’s intentions to warn an apathetic public. Unless, of course, this is all a huge conspiracy between business and Congressional leaders.

Friday, October 07, 2005

Short Hiatus

Well, folks, we’ve been plodding away at this for almost six months (10/19/05). I hope we’ve accomplished some level of awareness on the jeopardy of your name and personal data during this period. There’s lots more to come but we have to take a short break to complete a book project on my concept of giving you control over your name and private information. The hiatus will only be for a couple of weeks.

During this period, any COMMENTS you might have on the material you’ve read so far would be appreciated. See you in two.

Wednesday, October 05, 2005

Drugs, Data and Money

By now, if you have been following my blog, you know that data, particularly personal data, is the Fort Knox of the technological age. If I were a greedy entrepreneur, I would much rather have a database containing several million names with private information, than a row of hotels on Boardwalk. CNN confirms this in their recent article, “Your identity…for sale,” by Jeanne Sahadi.

She covers the regular data breaches by the big companies, banks and data brokers, but her heading, Retailers and manufacturers, is what caught my attention. Under this she says: “From Mom-and-Pop shops to nationwide drug stores and supermarkets to the manufacturer of your coffeemaker, there’s information companies collect on you and may sell to information brokers.” Forget “may.” I can confirm that they do.

Rumors of the sale of consumers’ medical info have been floated for the last few years but Privacy Rights Clearinghouse made it official in 2004, by filing a lawsuit against Albertsons supermarket chain and their drug subsidiaries, OSCO and SAV-ON. PRC makes the claim that, “Albertsons secretly enters into commercial arrangements with pharmaceutical companies willing to pay to participate in Albertsons’ Drug Marketing Program, which is based on the information taken from customer prescriptions.”

And, get this folks, according to PRC: “Albertsons is paid at least $3.00 - $4.50 per letter it sends and between $12-15 for each phone inquiry.” At its best, this is thirty times better than the average 15 cents per name made by the junk mail industry.

According to Food Marketing Institute, the average supermarket has approximately 14,000 customers each week, 700,000 a year. If only one-third of them buy their medication there, that’s a potential annual sale of medical data, per store, of $699,300. Albertsons has 2,300 stores, but let’s say only half have drug departments. The grand total each mailing is over $800 million. And this doesn’t even include the payments for those phone inquiries.

I did a BLOG Bulletin recently on why Albertsons/OSCO wants your personal data. In this particular instance, their check-out clerks were asking for personal information to cash checks and actually inputting it into their database from the cash register. I raised hell—as probably did many other customers—and they stopped it soon after that incident. Who knows how many driver’s license numbers and telephone numbers—all that’s necessary, along with name and address, to initiate ID theft—they collected before they canceled the policy.

The reason all this is so hush-hush is due to the enormous lobbying efforts of the pharmaceutical industry. The Center for Public Integrity published an article on their Web site recently, “Drug Lobby Second to None,” by Asif Ismail. He starts by revealing that, according to the Center, drug lobbyists spent over “…$800 million in federal lobbying and campaign donations at the federal and state levels in the past seven years…” He goes on to point out how even the direction of the FDA has become more “industry-friendly.”

Although somewhat dated (2001), Andrew Brandt’s Privacy Watch article, “A handful of insurance and medical industry companies want to sell your personal data, but you can stop them,” in PC World, was a forecast of things to come. He singles out insurance companies and the medical industry, both of which, he states, want to get in the business of selling your name and personal data. At the time, the Bush administration was trying to delay the stringent new privacy rules in the Health Insurance Portability and Accountability Act (HIPAA).

If you’ve been to the doctor’s office recently, you know that at least we have the HIPAA on our side now. More on this whole issue in a future post.

Sunday, October 02, 2005

National ID Card...Without the Risk

Yes, it can be done, but, before I get to that, there’s an article from the St. Louis Post Dispatch that brings up two very interesting points. “Can you prove who you are? Maybe we need new ID system,” by Pat Gauen, takes up the subject of identity theft again from a personal slant. Both victims were close—one a colleague, the other his daughter—and each ended up losing that most precious part of their individuality…their identity.

The daughter’s situation was most unique in that it also involved ineptness in her state’s bureaucracy. She had two forms of identification—birth certificate and college picture ID—but she had a “devil of a time” replacing her driver’s license. Bureaucratic snafus are another topic, and grist for another post, but suffice it to say, they figure significantly in the ID theft problem.

Gauen’s first point of interest to me is his reference to George Orwell’s “Big Brother” government, that, he says “…will hound us cradle to grave.” An interesting observation, because I have a post planned that draws certain similarities between Orwell’s 1984 and the current trend which seems to be leading toward our complete loss of identity.

The second point, with which I highly agree, is his statement that “…we continue to manage the most basic component of our being, our names, with inferior tools.” This comes from his earlier comment about questionable people in charge of our personal data and the enormous collection of private information by business and government. I could not have said it better myself, even though this is the crux of my concept: that consumers should have control over their names and personal data.

I did a post on this subject on May 17, 2005, titled, “BLOG Bulletin: National ID Card Promises to Expose Largest Amount of Personal Data, Ever, In One Location.” The title’s premise is still valid, based on the content of that blog, which explores the fact that government, and business, want to build these massive databases in order to recklessly access our personal data for any reason they desire, and ultimately offer it for sale at a premium.

The Real ID Card is like most issues with Congressional leaders. Rush to propose legislation that will draw attention and then let it languish in committee until, once again, it is politically correct to revive. This time, Congress tacked the Real ID Act on to the $82 billion Military Spending Bill, apparently for convenience. Several Internet articles have covered the subject. One, “National ID cards on the way?” by Declan McCullagh on News.com, is a good overview from some early maneuvering in Congress to several opinions on how the “card” would function.

eWeek.com’s article by Lisa Vaas, “Analysts: ‘Real ID’ Act Could Help ID Thieves” quotes security experts’ concern over the “card” because of, “…a lack of confidence in the government’s ability to employ the technology in such a way as to prevent citizens from being preyed upon by identity thieves.” Declan McCullagh, in another article, “FAQ: How Real ID will affect you,” will answer most of your questions about the “card,” starting with the fact that it will be required by 2008.

And now, with all these facts before you, let me lay out a plan that is much simpler in construction and execution and far more competent in protecting your name and personal data. I call it the Name and Personal Data ID (NPD-ID) and, as I have written before, it replaces the Social Security card in all transactions relating to your name and private information. I covered this earlier in my blog, “Re-Clarification Of the Basic Issues In the Control Of Your Name and Personal Data,” but the process is expanded here for additional refinement.

The essentials remain: complete control over your name; assignment of the NPD-ID; opting-in to the use of your name and personal data; eliminating ID theft by acting as a watch-dog in fraud incidents; and, sharing in the proceeds of the sale of your name and private information. “But what’s the difference between your NPD-ID and the Real ID?” you ask.

All personal data pertaining to the 295.8 million U.S. consumers would be replaced by two exclusive NPD-ID databases: one, the name and address/identifying characteristics; two, all personal data. The connection between the two is encrypted and only the individual has the code that will connect the two. Only the individual may allow any outside source to access their private information. Simple, but doable. If you’re a “techie” you might want to check Wikipedia’s “Data Encryption Standard” definition.

The technology is already there. Data encryption could have saved thousands of identity thefts from happening, but database companies refuse to invest the extra dollars to install this process. A European company is already selling this procedure, and an American corporation is on the verge of similar technology.

I haven’t worked out the specifics of how to handle emergencies such as terrorist attacks or natural disasters, but the Data Encryption Standard does provide methods that will offer a solution satisfying both government and business.

The consumer’s part in acting as watch-dog to their data and providing authorization for its use would not replace the laws already in place that protect against ID theft. It would just put some of the responsibility on the individual to be concerned over what is one of their most valued possessions. Not too much to ask if you’re also going to be paid when your name and the personal data is sold, right?
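The two-database arrangement described in this post, sketched as an added example (not the author's design and not any vendor's product). It assumes an HMAC-SHA256 link token in place of the Data Encryption Standard the post points to, and the names `SplitRegistry`, `owner_key` and the sample record are hypothetical.

```python
"""Two stores with no shared key; only the owner's secret can join them."""
import hashlib
import hmac
import secrets


class SplitRegistry:
    """identity_store: npd_id     -> name and address
    data_store:     link token -> personal data
    link token = HMAC-SHA256(owner_key, npd_id). The registry never keeps
    owner_key, so holding both stores is not enough to join them.
    Limitation: this hides the linkage only; the data fields themselves
    are not encrypted and must not contain identifying values.
    """

    def __init__(self):
        self.identity_store = {}
        self.data_store = {}
        self.grants = {}  # grant_id -> one-time, field-scoped permission

    @staticmethod
    def link_token(owner_key: bytes, npd_id: str) -> str:
        return hmac.new(owner_key, npd_id.encode(), hashlib.sha256).hexdigest()

    def enroll(self, name, address, personal_data):
        """Create both records; return the ID and the secret to the owner."""
        npd_id = secrets.token_hex(8)
        owner_key = secrets.token_bytes(32)
        self.identity_store[npd_id] = {"name": name, "address": address}
        token = self.link_token(owner_key, npd_id)
        self.data_store[token] = dict(personal_data)
        return npd_id, owner_key

    def lookup(self, npd_id, owner_key):
        """Owner-side join of the two records; None if the key is wrong."""
        identity = self.identity_store.get(npd_id)
        record = self.data_store.get(self.link_token(owner_key, npd_id))
        if identity is None or record is None:
            return None
        return {**identity, **record}

    def authorize(self, npd_id, owner_key, requester, fields):
        """Opt-in: the owner allows one requester to read the named fields once."""
        token = self.link_token(owner_key, npd_id)
        if npd_id not in self.identity_store or token not in self.data_store:
            return None  # wrong key or unknown ID: nothing is granted
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = {
            "token": token, "requester": requester, "fields": list(fields),
        }
        return grant_id

    def fetch(self, grant_id, requester):
        """Requester redeems a grant; it is consumed on first successful use."""
        grant = self.grants.get(grant_id)
        if grant is None or grant["requester"] != requester:
            return None
        del self.grants[grant_id]
        record = self.data_store[grant["token"]]
        return {f: record[f] for f in grant["fields"] if f in record}

    def operator_join_attempt(self):
        """Keys common to both stores, i.e. what an insider could join directly."""
        return set(self.identity_store) & set(self.data_store)


if __name__ == "__main__":
    reg = SplitRegistry()
    # Constructed sample record, not real data.
    npd_id, key = reg.enroll(
        "Pat Example", "1 Main St",
        {"ssn": "000-00-0000", "dob": "1940-01-01"},
    )
    print("insider can join:", reg.operator_join_attempt())
    print("owner sees:", reg.lookup(npd_id, key))
    grant = reg.authorize(npd_id, key, "bank", ["dob"])
    print("bank receives:", reg.fetch(grant, "bank"))
    print("replayed grant:", reg.fetch(grant, "bank"))
```

If the owner loses `owner_key`, the link cannot be rebuilt from the two stores alone, which is the same property that defeats an insider and the reason the emergency-access question in the post needs a separate answer.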

Wednesday, September 28, 2005

ChexSystems: Another Lurking Database

If you buy your checks from Deluxe Corporation, the largest of the check printers, there are some facts you should know about this company. CardReport.com, a site packed with good information for your credit needs and woes, provides insight into ChexSystems, a Deluxe subsidiary that maintains negative information on your checking and savings account habits.

These include accounts closed for reasons of insufficient funds (bounced checks) or ATM overdrafts. Deluxe claims 80 percent of all banks will contact ChexSystems re. new checking and savings accounts, according to CardReport. The database comprises some 19 million old accounts listed as “Closed For Cause” by the bank. And there you have that dirty word again…database.

Personal data incorporated into this database includes your name, address, Social Security number, driver’s license number, and more. Deluxe also owns Shared Check Authorization Network (S.C.A.N.), which verifies checks for over 77,000 retail locations nationwide. And not to be denied the junk mailer’s devious craft of selling your name and private information for a profit, they have another company by the name of Deluxe Data Resources, which sells detailed consumer demographic data on 100 million households.

Bankrate.com, one of the most comprehensive sites for credit info I’ve run across, confirms that 80 percent of U.S. banks do belong to the ChexSystems network. They also recount grass-roots efforts against ChexSystems by Web sites such as PassChecking.com, set up entirely to help consumers fight the system. Later in this post, I will show you other sites that either report on ChexSystems or are activists against the company.

Bankrate questions why a few overdrafts should place you on the blacklist for five years and goes on to note that it is the bank that actually causes that to happen. ChexSystems merely provides the database—there’s that dirty word again—that allows the bank to act. If you end up on its list through error, ChexSystems professes to help correct this both within their company and with the participating banks.

Let me say that I don’t believe most consumers would condone the flakes that regularly write bad checks or hit the ATM for cash that is not in their account. I know I don’t. It is dealing with these individuals, compared with those innocent souls that found their way on to this list erroneously, that bothers me. That and the resulting monstrous database. ChexSystems is regulated by the Fair Credit Reporting Act, so, at least, you do have the right to a free report.

If you Google ChexSystems, you come up with a site named Consumer Debt Resource, which apparently is the company, minus the bad-press name. In all fairness, there is an abundance of consumer credit information available, but you won’t find any details on the personal data that is compiled by ChexSystems, or its parent, Deluxe Corporation.

You won’t see another Deluxe company on the site: Checks Unlimited, formerly known as Current Checks. Checks Unlimited is a junk mail supplier of checks, with 8.3 million customers whose names are sold along with their lifestyles—forty-three, based on their check purchases—from book readers to pet owners to gardeners, environmentally conscious, investors, Republican prospects, to young children and teens. That’s database number four for Deluxe, with individual household, private information.

And now on to the Web sites I promised earlier that attempt to deal with ChexSystems (CS), each in its own way. First, ChexSystems Bites! places the company in its HALL OF SHAME for “developing and profiting from the terribly flawed system known as the ChexSystems Network.” The National Check Fraud Center provides a running commentary about CS, of benefit to anyone on their list. Carreon and Associates’ Better Credit-Better Life site has an in-depth report titled, “Getting Around ChexSystems,” which seems to speak for itself.

Yahoo! has a page listing other sites that deal with CS, one of which is “Fight Back Against ChexSystems.” Consumeraffairs.com has a short blurb called Chex Imbalances that compares CS with ChoicePoint and Bank of America, exposing CS’s freedom from public oversight, although its “practices have spawned a Web-based subculture of horror stories…”

Finally, there’s the “Mother” of all anti-ChexSystems sites: ChexVictims. You have to sign up to get the best information and participate, but it’s FREE and takes only a couple of minutes. From finding the 20 percent of banks that do not cooperate with CS, to joining in on discussions and telling your personal story, this site means business. ChexVictims even gets into general credit problems that can result from being a CS victim.

With all the animosity toward ChexSystems, it makes you wonder where all this momentum comes from, and I think I have the answer. That’s right, the dirty word…database. Just another collection of your names and personal data that is probably ripe for the picking and somewhere on the priority list of ID thieves. Well, consumers are dead-tired of this and they aren’t going to take it much longer!

Saturday, September 24, 2005

Colleges & Universities: Another Break in the Social Security Dike

I found an article on MSNBC recently about a stolen laptop computer with personal information on more than 98,000 California university students and applicants. “Stolen Berkeley laptop recovered; arrest made,” reported by Reuters, states that the university is “uncertain whether the information had been tapped…” Berkeley officials also confirmed a man was arrested and charged with possession of stolen property, which was allegedly bought over the Internet.

There’s more, but my first question would be, what is this sensitive data doing on a laptop? The second question is, why does the California university system require Social Security numbers for identification?

I searched for over a half-hour for Berkeley’s Privacy Policy with no success. I was able to find something from Long Beach, a part of the California university system, stating that CA Code (Section 41201, Title 5) and the Internal Revenue Code (Section 6109) “require you to provide the university with your correct Social Security number.” The Long Beach policy states further, “The university uses your Social Security number to identify your academic records and to collect any debts you may owe to (the school) CSULB.”

I am not familiar with the California Code, but I did check the IRS Code 6109 on the Department of the Treasury site, and in its summary it clearly states that the “regulations affect individual preparers who elect to identify themselves using a number other than their SSN.” It appears to be concerned with tax refunds more than anything else and almost always refers to the “preparer” as the subject of attention.

It’s hard to understand the state of California, one that is probably the most consumer-oriented in the nation, still requiring Social Security numbers in their universities for identification. The state of Arizona, certainly not a leader in consumer rights, enacted a law in 2002 prohibiting universities and colleges from using Social Security numbers to identify students or faculty. This was the result of an earlier data breach at the University of Arizona in Tucson. It also refutes California’s IRS requirement.

There is also another site, “Social Security Numbers and Student Privacy,” that debates the issue of protecting students from the fraudulent use of Social Security numbers. It discusses the increasing number of students that are revolting against using this information for identification, with students knowing full-well that their personal data is already plastered throughout databases all over the country. The feedback is interesting and worth your time if you are a college student or the parent of one.

And, once again, Privacy Rights Clearinghouse provides the best information for students and faculty in protecting their personal data. Their page, “My Social Security Number: How Secure Is It?” is a huge aggregation of pointers about the nine digits and how to keep them safe. It includes a section, “How Can a School Use My Social Security Number,” that explains compliance with the Family Education Rights and Privacy Act, which “requires written consent for the release of educational records or personally identifiable information…”

Another page, “A Chronology of Data Breaches Reported Since the ChoicePoint Incident,” details thirty-nine colleges and universities, and one high school, that have experienced personal data breaches in the amount of 1.7 million individuals. ALL IN THE YEAR 2005. And one, Georgia Southern University, not included in this number, reported “tens of thousands.” Most were the result of hacking, some stolen laptops, and one “dishonest insider.”

Folks, we’re talking about this country’s largest and most prestigious schools of higher learning, and even one high school. Institutions like Berkeley, Boston College, Northwestern, Carnegie Mellon, Michigan State, Oklahoma State, Purdue, Stanford, Duke, U. of Connecticut, Ohio State, USC, U. of Colorado and the U. of Florida, to name only a few.

According to the National Center for Education Statistics, there are approximately 16.7 million students attending college in 2005. Based on the Privacy Rights Clearinghouse figures, above, over ten percent of the students have had a breach of their personal data. The students also represent over three percent of the total data breaches since ChoicePoint. A small figure to some, perhaps, but still yet another tragic statistic that needs immediate attention.

Thursday, September 22, 2005

DMA Protects Deceased Families...At a Price

The Direct Marketing Association (DMA) has just started its new Deceased Do Not Contact List. With the success of the telemarketing Do Not Call list, now almost numbering 100 million households, and the numerous calls from grieving families, the DMA felt it necessary to give another ultimatum to its 5,200 members. According to the DMA, they are “required to eliminate these individuals from their prospecting campaigns.”

You will, however, have to pay $1 for this right, giving the DMA your credit card number, name, relationship to the deceased, and e-mail address; the deceased’s full name and address, all telephone numbers, their e-mail address, and month and year of death. They claim the buck is a verification fee, and I quote here, “to make sure we have a permanent record of the credit card information of those who did the registering; and to help prevent misuse of, or fraud against, this system.”

This is patently ludicrous. How does $1 stop misuse or fraud? Are they going to report violators to the FTC Death Squad or send you harassing e-mails because you were a bad boy or girl? “CTO” from the VoIP Blog has the right idea. He considered using each of his thirteen credit cards to add all members of his family to the list. Stopping their junk mail, he felt, would be the best Christmas gift he could give.

As if the total absurdity of the idea wasn’t enough, the DMA is quietly collecting another database with personal information—including your credit card number—flying in the face of so many recent data breaches from junk mail companies, data brokers and banks. What makes them think they can keep their data secure with the recent announcement that ChoicePoint has had another breach of 5,103 customers, as reported in the Atlanta Journal-Constitution?

The number isn’t as important as the fact that this is yet another trespass on private information, added to the one last February, which was reported only because of a 2003 California law requiring notification. COMPUTERWORLD stated in an April article by Grant Gross that ChoicePoint discovered 45 to 50 more data breaches that hadn’t been reported. But if you are counting, that’s over 150,000 customer records revealed by ChoicePoint.

There are some in the industry that aren’t completely sure of the effectiveness of the Deceased list. Geoffrey W. Peters, Pro Bono General Counsel to American Charities for Reasonable Fundraising Regulation in Vienna, VA, likes the DMA’s effort but harbors some skepticism. In an article by Dan McNamara in The NonProfit Times, Peters recounts an incident a few years ago where he inadvertently mailed a suppression list and got a 6 percent response from supposedly dead people. His point is that all those included in the Deceased list might not be deceased.

I can go one better. I am personally acquainted with the actual mailing—not suppression—of the Direct Marketing Association’s Mail Preference List by a couple of supposed junk mail professionals. That’s the list you get on when you contact the DMA telling them you don’t want any more junk mail.

The two culprits, a junk mail computer facility owner and a catalog entrepreneur, got together on a lark to test how the response to the list would be, and were pleasantly surprised with the results. Yes, folks, they really did mail to the list that is supposed to be used to eliminate people who do not want junk mail.

Although this was several years ago, it shows a certain arrogance, and a clear disregard for rules and ethics, among some in this industry.

Friday, September 16, 2005

Identity Theft, Junk Mail and Your Mailbox

An advertisement ran in major print media last June stating that, “…the majority of identity theft still takes place in low-tech ways—stolen purses, wallets and stolen mail…” There was a large picture of the rural type mailbox, front open, with the word “Database” pointing to the inside. A headline exclaimed: “Most identity thieves don’t gather their data from a computer.” The implication, of course, is that ID thieves rely on this source most often to steal your name and personal data.

In a response to the ad by the U.S. Postal Service, reported by DM News, a leading junk mail industry publication, their position was that the ad was not true. They quoted an FTC report that found that stolen mail accounted for only 4% of identity theft in the U.S. and, further, that 53% of identity theft is from online activities.

The ad in question was run by a group called Your Credit Card Companies, identifying the following financial institutions: Citibank, MasterCard, MBNA, Discover Card and Chase. If you go to their site, YourCreditCardCompanies.com and click on Media Center/Materials, then click on Advertising, and finally, on the ad headline, “Most identity thieves don’t gather their data from a computer,” you’ll find they’ve changed the picture from a mailbox to two garbage cans. The basic ad stays the same. Oh, the power of the U.S. Postal Service.

But when you analyze the total problem, and where the easiest link to your name and personal data is, I think the mailbox, and the garbage can, do rank right up there at the top. Here’s why.

According to Synovate, a research company that is part of the Aegis Group, US households received an estimated 5.23 million credit card offers in 2004, up 22% over 2003. Percentage of homes receiving a credit card offer was 71% with an average per month of 5.7. The financial junk mailers are blanketing almost three-quarters of the country and hitting on these households almost six times per month—which is, in itself, enough to become alarmed over—but they still wonder why ID theft is rampant…?

Tell the truth. How many of you shred the info page of credit card offers, and I don’t mean just tearing it into even small pieces? Our household does, and, knock on wood, we’ve never had an incident. We were getting well over 5.7 mailings a month, enough to stack two feet high in a short period of time when I measured it. So get on the bandwagon and get yourself a shredder and at least you have done all you can.

Let me leave you with some startling facts. Eighteen percent of the population has been victim to identity theft. That’s almost one in five…52 million consumers. Eleven percent, or, almost 32 million senior citizens, those most vulnerable, are in that figure, representing over 61% of the total. You can go to the Experian-Gallup Personal Credit Index and see all the data.

There are two sites and the second, headlined, “21 percent of victims say theft of personal or financial information was done by someone they knew,” is a shocker, but, once again, confirms my belief that identity theft can be stopped only by giving consumers 100% control over their names and personal data.

Wednesday, September 14, 2005

Kids, Guns and Junk Mail

I just read an article from MSNBC titled, “1.7 million kids live in homes with loaded guns” and over 42,000 of those households reported having loaded, unlocked firearms around their children. Alabama had the highest proportion with 7.3%, Alaska next with 6.6%, followed by Arkansas, Montana and Idaho with similar figures. I’m sorry, but this sounds to me like either the parents are morons or unconscious beyond help.

After the assassination of President John F. Kennedy, who was killed by a mail order gun owned by Lee Harvey Oswald, they passed the Gun Control Act of 1968. The major force in this act was the prohibition of mail order sales of rifles and shotguns. In 1999, Senator Charles Schumer of New York introduced the Internet Gun Trafficking Act, which attempted to restrict the sale of firearms on the Internet. As far as I can tell, it is still in the Judiciary committee, or worse…forgotten.

I tried placing an online order for a gun on the Internet and the requirement is that any firearms must be delivered through a licensed dealer, subject to the gun laws of your state. Even if we don’t have an Internet law in place, certain procedures seem to dictate that firearms are not readily available to just anyone on the Internet. Of interest to me was the fact that when I Googled “mail order guns,” 6.6 million sites came up. With “Internet guns,” the number was 12.4 million.

A report was done by the Department of Health Behavior and Health Education from the University of North Carolina to evaluate just how much Internet firearms vendors encourage purchasers to conform to firearms laws. The study, “Ready, aim..click: An exploration of firearms sales practices on the Internet,” concludes that online selling of guns is extremely aggressive and easily accessible but fails in its obligation to encourage buyers to abide by firearms laws. One of the findings was a shock to me: none of the sites posted a warning on its homepage about not selling guns to juveniles. Click on the study, above, for more startling facts.

An excellent site for information on gun laws relating to juveniles is CNN.com, “State by State Look at Gun Laws in the U.S.” You can search by state with documentation of laws relating to children plus general information such as permits, registrations, etc. As we know, Alabama is on the bottom, but my state, Arizona, falls short in its lack of the Child Access Prevention law which requires adults to use a gun-locking device or store guns in a secure location. Washington, DC, and New York seem to rate highest.

There are fifteen mail order lists on the market, according to Standard Rate & Data, the bible of the list industry. They range from magazine subscriptions to hunters to parts & accessories catalogs. I tried Googling “gun parts & accessories catalogs” and came up with 2.5 million sites. One of them, Numrich Gun Parts Corporation, states that they can “…supply everything from pins & springs to barrels and stocks.” Their inventory features over 180 thousand individual items from an inventory of over 650 million parts and accessories. They even supply schematics with the parts layout of firearms.

I don’t know much about guns, but I do know that general parts and accessories are not covered in the normal firearms protection laws. However, the 1968 Gun Control Act does prohibit the sale of parts or “conversion kits” used to make semiautomatic firearms fully automatic. You can get unlimited information on this subject at the Brady Campaign To Prevent Gun Violence site, and I recommend a visit there when you have time to spend.

So, we are left with a lot of facts, some protective measures, but still one major problem: kids with access to firearms. I can’t do anything about those parents who are too numb to keep their guns out of the reach of their children. And, I know it’s far-fetched but they are also likely to be the same households where a kid would order the parts and assemble a rifle or handgun. It’s the inherent mentality that worries me, and I feel we should stop this potential threat before it becomes a reality…again.

Please give me your COMMENTS on this.

Friday, September 09, 2005

The Mysterious Provision in the Highway Bill

They’re at it again. Spending our money needlessly and skirting the real issue of protecting our names and personal data. It’s the new Federal-Aid Highways law that took effect May 17. It was passed, “To authorize funds for Federal-aid highways, highway safety programs, and transit programs, and for other purposes.” It’s the “…and for other purposes” that worries me.

An obscure provision (Section 7139) will force state motor vehicle departments to use the very data brokers that have had recent breaches, and who we now know to have inaccuracies in their records, for the authentication of commercial driver’s licenses. You can read the complete article, “Highway bill has identity check provision” by Shaun Waterman on Monsters and Critics.com. The question arises, are we trying to prop these companies up now after their fall from grace?

Two immediate reasons for Section 7139 come to mind: one, to get the monkey off the back of Congress so if something else does go wrong they can say they tried. Two, another gift to big business by this administration, which, apparently, the Democrats fell in line with.

The provision is very expensive for the states, and all but promises that the imperfections in data being used will produce unlimited problems. Situations like wrongful license denials and abuse by illegal immigrants, possibly terrorists. But, as the article points out, “…a huge windfall for the databrokers…” and further, “…a cost that would have to be borne by state authorities, or passed on to applicants.”

And, of course, the data brokers had their eye on the new information that would be produced as a result of the state queries, which they could re-sell as a new commodity. Anything to add to that $4 billion that the junk mail industry is reaping annually from the sale of our names and personal data. However, a Democrat, Senator Russ Feingold from Wisconsin, stepped in with an amendment to disallow the sale of this new, private information. At least that, and, perhaps, a forecast of more restrictions on the sale of private information in the future.

Waterman points out in his article that the REAL ID Act passed earlier this year supposedly provides the authenticity that Section 7139 requires in the new bill. He goes on to cover another method of confirmation that has existed since 1992, using the applicant’s Social Security number and date of birth. With all these restraints already in place, the mystery of Section 7139 just gets deeper. This is an excellent article and a must read for anyone sick of Congressional incompetence and favoritism.

I did a piece on the REAL ID card back in May: BLOG Bulletin: National ID Card Promises to Expose Largest Amount of Personal Data, Ever, In One Location. There are two major points in that post: one, by linking all state databases, this provides one-stop shopping for identity thieves. And two, in keeping with the latter, skepticism that the Homeland Security Department could keep the data secure, with four scores of “F” in a row from the Federal Information Security Management Act (FISMA). Of course, we now have experienced HSD’s performance in the wake of Katrina.

It’s all very discouraging and just seems to be getting worse, with no improvement in sight. Unless…the American public takes a stand on the issues they feel are important to themselves and this country. This is not a partisan thing, and we just may be in the throes of spawning a new independent political party that will provide those solutions.

Tuesday, September 06, 2005

Katrina and Potential Identity Theft

We stayed quiet this past week in the aftermath of Katrina. I felt it was time to take a backseat to this natural disaster of epic proportions and let the bloggers who could, provide online aid and assistance. We’re back now, and the emphasis is on the numerous ways your personal data can be breached and you could fall victim to identity theft from the storm.

This is directed not only to residents of the New Orleans area, although one might wonder if they are even connected to the Internet, or if they care about cyberspace at this point, but to anyone doing business with a firm located in the disaster area. We’ll start with…what kind of personal information is in their files relating to your household?

As an example, you could have just moved to Arizona, selling your home in New Orleans. Local mortgage offices are one of the largest repositories of personal data in the country with everything from your IRS returns to your complete credit report. There are also records in the realtor’s office that sold your home. Most of these records are on paper and could have been strewn anywhere in the disaster zone. And then you might live in Vermont and have your life insured by a New Orleans company or have your auto insurance with a large firm that has regional offices in the area.

Of course, the banks have a carload of personal information if you bank and do financial investments in one location. Hopefully, most of this data is computerized—although there is always the paper trail used for input—but this isn’t even secure from determined looters and ID thieves.

If one is able to break into the Tucson, AZ, CardSystems Solutions computers and access 40 million debit and credit-card accounts, they are probably qualified to mount an assault on unmanned equipment, possibly unsecured, definitely not protected, and physically steal the data, no matter what form it is in. Folks, this is just how organized identity theft is, and my perception is that the planning phase began about the time Katrina passed over Florida into the Gulf and began to gain strength heading toward the Big Easy.

The last collection facility I can think of right now that could be affected in the disaster area is the smaller, local credit bureaus used regularly by the realtors and mortgage companies. A treasure trove of private information is here just like it is in the big three: Equifax, Experian and TransUnion. If the mortgage company pulls your credit report, it is probably produced at least once on paper.

Just where is all this paper or other structures of data now? The obvious answer is, I do not know, but suspect that at least some of it is in the hands of some pretty sophisticated data thieves. If I am wrong, I apologize for being the alarmist, but doubt if this is an inaccurate assumption. Some may think it is farfetched but so did we, when the bad guys were getting our private information from ChoicePoint, LexisNexis, TimeWarner, Bank of America, and the list goes on.

So what do we do about it? In Louisiana and Texas, you can freeze your credit report so that no transactions can take place without your knowledge. Go to Bankrate.com for instructions on how to follow this procedure, and all the states where it is available. It is not offered in Mississippi or Alabama. Louisiana allows you to do this without any breach of your personal data; Texas requires that you be an identity theft victim already. My gut feeling is there will be some waiving of the latter with the credit reporting agencies in response to Katrina’s havoc.

Otherwise, systematically check your credit report in stages that will thwart the ID thieves, starting with your FREE report. They are available in all states now. Request the first report within the next couple of weeks. Get the second, which you will have to pay for, thirty days later. Wait another thirty days for the third. This is only if you are affected in some way as mentioned above. Go to AnnualCreditReport.com for instructions; each paid report will cost $9.50, regardless of the credit bureau you use.

You can also call a toll-free number: 1-877-322-8228 for the report.

The local, state or federal authorities do not have the time or resources now to help in this matter. You must bear the burden to protect yourself from identity theft. If you haven’t already accessed your free credit report, your investment is only $19.00, an amount well worth spending to prevent thousands in legal fees to get your personal identity back.

Thursday, August 25, 2005

Ethnic Profiling In Junk Mail II

In an October 2001 article titled “Ethnic Profiling: A Rational and Moral Framework,” Robert A. Levy, Senior Fellow in Constitutional Studies for the Cato Institute, reports on a Gallup poll from that time which revealed that 60% of Americans wanted Arabs to be subjected to more intensive screening at airports. Of course, this was less than a month after 9/11. He quickly raises the question of whether any ethnic or racial profiling should ever be justified.

And then in August of this year, Ralph Hostetter’s piece, “Ethnic Profiling,” on CNSNEWS.COM, takes the ACLU to task for attempting to organize the Far Left, ultra liberals, against such targeted, ethnic profiling. The ACLU objects because those behind terrorist acts such as Oklahoma City and the Atlanta Olympics, and even a Taliban insurgent, were all Anglo-Christian Americans. But Hostetter apparently still feels this weakens the U.S. fight against terrorism and puts our citizens in jeopardy.

Levy believes, “…we must defeat without abandoning the liberties that set us apart from every other country in the world.” He goes on to call for “logic, not emotion,” “evidence, not rumor,” and “…a structured approach that weighs the competing interests rationally and morally.”

On the other hand, Hostetter states, “It is politically stupid for Americans who are so easily identified on an ethnic basis not to use ethnic profiling against our sworn enemies in the interests of our own protection.” He goes on, “Ethnic profiling works. If ethnic profiling is but one viable tool in the war against international terrorism, it must be used to the utmost.”

Two somewhat opposing views, but each with a certain degree of substance. We must defend America but we must not take away or infringe upon the civil rights of the people. And, under no circumstances should we be allowed to invade the privacy of any home or individual without confirmed provocation.

Keeping both of these positions in mind, let’s continue where we left off in my last post with the parade of ethnic lists that prevail in the junk mail industry.

Ethnic Lists & Marketing, LLC of Scottsdale, AZ, has a list called “Arab-American/Muslim-American Doctors.” There are 6,431 nationwide. Here’s one from Ethnic Technologies, LLC of South Hackensack, NJ, “Arabic Prime Prospects.” They also have “Turkish Speaking Households.” Three more from ClientLogic: “Ethnic Clubs & Organizations,” “Islamic Households by Occupation,” and “Islamic Lifestyle Index” which identifies Islamic homes with guns and ammunition.

There’s an ethnic database of e-mail addresses from List Services Direct in Leonia, NY, and a huge ethnic masterfile of millions of names with added personal data from Focus USA, Hackensack, NJ. All of the smaller lists have some personal data available. Items include age of adults and children, telephone number, income, occupation, credit card usage, length of residence, language spoken, investments, education, vehicle information, frequent travelers, and, my favorite, “people interested in Middle East politics and the Arab-Israeli conflict.”

Some of the major magazines are also very aggressive in this area. Entrepreneur, U.S. News & World Report, Newsweek, the Time Inc. Group, Hearst Magazines (Cosmopolitan, Esquire, Good Housekeeping, Harper’s Bazaar, Popular Mechanics and Redbook, to name a few), and Meredith Magazines including Better Homes & Gardens and Ladies Home Journal. All have ethnic selections on lists that range in size from 500 thousand to over 30 million, the latter being the Time Inc. Group.

But the “mother” of all ethnic lists comes from Experian, also one of the three credit report providers, covering 43 different ethnic origins, and including 84 million individuals. That’s 28% of the total population. In addition to age, income, occupation, education, etc., here’s what Experian also knows about these households: whether they are business owners; number of children and their gender; wealth rating; and their summarized credit statistics.

As I indicated in my last post on “Ethnic Profiling In Junk Mail,” the real purpose of amassing all this data into lists and databases is to make more money from the sale of the names and personal information. Which is OK, if the name-holders were getting their fair share. Ethnic names range in price from 7 cents to 16 cents, the high side being just over the average of 15 cents.

As a part of the $4 billion made annually from the sale of consumers’ names and personal data, ethnic lists probably don’t represent a major contribution…yet. But considering the federal government’s recent habits of using data brokers as major investigative tools, can that time for typical overspending in this field by the feds, accompanied by humongous privacy abuses, be far away?

Read all about this in Rebecca Carr’s article, “Government employing brokers as data posse,” taken from the Palm Beach Post-Cox News Service. She reports that federal agencies still use companies like ChoicePoint and Seisint Inc. (LexisNexis) despite activist and lawmaker concerns over their recent data breaches and about this potential invasion of our privacy. You can only assume from this that we do not ever learn from our mistakes.

Tuesday, August 23, 2005

Ethnic Profiling In Junk Mail

There are over 1,500 ethnic mailing lists being sold today by the junk mail industry. Compare that with the number of apparel lists being sold: just under 600. What is the fascination of such lists? A recent Web article, Marketers seek Jewish data, by Ted Siefer, points out that junk mailers are becoming more “savvy” in targeting certain groups, and that is “cause for alarm,” considering the surge of identity theft.

As Al Jolson used to say, “You ain’t heard nothin’ yet.” Most every ethnicity is covered in the 1,541 lists, with some religions also identified: Catholic, Protestant, Jewish, Buddhist, Muslim, etc. One list, “Jewish Households By Lifestyle Interest,” available through the ClientLogic company in Fairlawn, NJ, sells Jewish families that gamble, travel overseas and drink. They also sell a similar list for Islamic households, minus the gambling and drinking. Syrian households are available from the TMA List Brokerage & Management company in Reston, VA.

The Christian Science Monitor has an interesting article on their Web site, “Profiling’s Limits,” that states “the ethnic or religious identity of a person may be one factor, preferably not the only one, leading to heightened scrutiny of some passengers, truck drivers, and so forth. But that scrutiny should be handled with care and respect.”

Any ethnic list sold under that category is blatantly designed to separate out a group of people and place them in a neat category. It’s all a part of the junk mail frenzy to create another database that will outperform the one before it. The approach used to be to target households of younger females that buy expensive apparel. Today, the latter applies, but the junk mailer also wants to know her age, income, occupation, education, whether she has children and what age, whether she’s married, her investments, travel plans, and, of course her ethnicity, and the list goes on and on. The question is, exactly what is all this data used for?

Ted Siefer’s article quotes one list professional as mandating that the whole process of selling these names is safe. It is not. Yes, the list owner requires samples of what is to be mailed for approval, but the bad guys have been known to submit fraudulent samples, which were approved. Once in their hands, the crooks can do with the names as they please. Or, computer tapes are lost, as was the case with Bank of America. With the large number of transactions and times these names change hands, there are endless chances for a data breach.

So, once again, what is the real purpose of amassing all this data? The short answer the junk mail industry would have us believe is to best identify households so they can be sold only those products and services they want. This becomes laughable when you understand that 98 out of 100 pieces of mail that go to these households end up in the trash. The honest answer is that the ethnic craze is just the latest excuse to acquire more data on U.S. households and store it in a multitude of junk mailer computers for sale.

The exception is that in today’s hostile environment due to the terrorist threat, it does not bode well for some ethnic groups that may be sitting targets. And, we’ll dig deeper into this problem in my next post.

Wednesday, August 17, 2005

Moving Ahead With Privacy In Junk Mail

In my last post, “A Brief History of Privacy in Junk Mail,” I made some points which I felt established the fact that our rights to privacy concerning our name and personal data prevail over any rights the 1st Amendment gives junk mailers. We progressed through The Privacy Act of 1974 and a 1977 Privacy Protection Study Commission that issued its report: “Personal Privacy In An Information Society.”

This Commission recommended that junk mailers should inform consumers in advance of selling their name and personal data, specifically how it would be sold. Also, that the consumer should have the right to decide “if” it is to be sold. Just short of my concept that we should have 100% control, but a good start. It isn’t clear what it cost to form this Commission, but, obviously, it was at least partially a waste of money.

The most that came out of it was the junk mail industry’s resolve to put a sometimes barely readable message in most catalogs and other offers that said the customer could opt-out of having their name sold. No mention was ever made anywhere of the zillions of bits of private information that were being collected on the individual and compiled in huge databases.

Now, fast-forward to the year 2005, twenty-eight years later. Did we learn anything? Apparently not, considering the period of time that has elapsed with nothing else being done.

So after all the breaches by the data brokers, financial institutions and large companies, Congress has decided to take another shot at privacy. That would be the Personal Data Privacy And Security Act Of 2005, sponsored by Senators Specter and Leahy. It’s the one that requires notification of a breach after it has already happened. The Act is riddled with shortcomings for the consumer, and I am really disappointed with Senator Leahy, a Democrat, for not seeing this.

The first drawback, pointed out above, is notification “after” the fact. Second, setting a minimum (10,000 individuals) on databases that have to comply is ridiculous. What’s the magic of the number 10,000? But this one takes the prize for irony: prohibiting the sale of Social Security numbers. I can see crooked information brokers looking at this section of the Act and scampering off to their computers to steal all the SS #’s they can before the legislation is enacted.

Think, Congress! The only way to curb the problem of breaches of our private information and the resulting identity theft is federal legislation that will give consumers 100% control over their name and personal data. Like I said in an earlier post, “bite the bullet” and do it right this time.

In the meantime, if you want a really happy constituency, pave the way for the junk mail shopper to share in the $4 billion annually from the sale of names and personal data. I have made a case for using this money to supplement our Social Security, and, if acted on soon, this could be in place for the alarm periods of 2018 and 2042.

And to cap it all off, junk mailers recently held something called “List Vision 2005” in New York. They are worried about list-regulation legislation that is being considered by Congress and feel self-regulation is the best defense against extensive legislative restrictions. They’re talking about alleviating consumer fears. Where were these people from 1974 to 2005?

You’d think the industry would wake up and realize that the meat of their existence, the junk mail customer, deserves better treatment. Give them what is rightfully theirs: 100% control over their name and personal data. Share with them the proceeds of that $4 billion each year.

The most-attended discussion panel at List Vision 2005 was “Suicide Prevention: Let’s Not Kill the List Industry.” The 1980’s “Me” generation has taken up residence in 2005. The major concern of the list hucksters is their own well-being, and, as a former broker of mailing list names, I don’t think that will ever change.

Wednesday, August 10, 2005

A Brief History of Privacy in Junk Mail

In the case of our name and personal data, I believe that the laws of privacy prevail. I also believe that individuals have the right to decide whether or not this private information should be sold on the open market, and, if it is, to maintain 100% control. That said, what officially—or even legally—backs my theory, when opponents repeatedly cite the 1st Amendment as their right to send unrestrained junk mail?

Paraphrased, the 1st Amendment states that Congress shall make no law prohibiting free speech. Just click on the highlighted portion and you can research the Amendment at FindLaw. My question is, where does the junk mailer’s right to free speech end and my privacy begin?

The Constitution does not specifically mention a right to privacy, but Supreme Court decisions over the years have established privacy as a basic human right. The 9th Amendment states that, although certain rights are specified by the Constitution, just because something is not specifically designated, it should not mean that it isn’t a right of the people. Again, available on FindLaw.

In the Bill of Rights, 4th Amendment, the people are given the right “to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures…” It’s not likely the architects of the Constitution could have even imagined the era of computers and personal databases. They were busy putting a new country together. However, it seems clear to me that, at least in the spirit of the law, we are supposed to enjoy a certain level of privacy.

Apparently, privacy wasn’t much of a real issue until The Privacy Act of 1974, when government agencies were restricted in what they could do with citizens’ personal data. It was enacted, in part, because the people do not have the same alternatives in dealing with the federal government as they do with private business. The major concern was assuring the public that their private information would not be abused by federal agencies or bureaucrats. Even then, they couldn’t have envisioned The Patriot Act.

Three years after The Privacy Act of 1974, a Privacy Protection Study Commission was formed and it issued its report: “Personal Privacy In An Information Society,” July 1977. Click on the highlighted area and then click on “Mailing Lists.” This report has been in my hands since its original publication, another confirmation of the number of years I have been concerned over the potential problems of selling names and personal data.

One of the recommendations made by the Commission was that organizations selling customer names and personal data “…should adopt a procedure whereby each customer, member, or donor is informed of the organization’s practice in that respect, including a description of the selection criteria that might be used in selling, renting or exchanging lists, such as ZIP codes, interest, buying patterns, and level of activity, and, in addition, is given an opportunity to indicate to the organization that he does not wish to have his address, or name and address, made available for such purposes.”

Interpretation: selling our name and personal data should be an opt-in arrangement, meaning the junk mailers shouldn’t make a move without our prior approval. Folks, this was 28 years ago. The commission had the vision to predict that certain selection criteria like our “buying habits” could be tantamount to a major invasion of our privacy. They were defining “personal data” before we really knew what it meant.

In another important move, the Commission recommended against companies selling or sharing data with their affiliates, a problem that still exists today. If you trust the parent company, why not the subsidiaries? Simply put, loss of control. And, if security is lax at the top, i.e., ChoicePoint, LexisNexis, Bank of America, Time Warner, what’s it like in the companies’ smaller affiliates?

In my next post on this subject, we’ll talk about what’s happening today in personal data privacy and the mounting war against identity theft.