
Wednesday, June 27, 2007


Claim forms have been sent to a potential 2,400 victims of the ChoicePoint personal data breach that happened back in February of 2005. They are still looking for more consumers who have experienced ID theft from this incident with actual out-of-pocket losses. You have until August 18 to file your claim. In an article by NetworkWorld, they provide an FTC Web site where you can download a claim form with information. The FTC also has another site with facts and advice on the matter here. The FTC identified another 1000 possible ID theft targets since December of 2006, in addition to the original 1,400 identified in 2005. This proves the point I have been making for the last two years that the identity thieves have become sophisticated enough to hold on to the sensitive data, and strike at a later date when you’ve let your guard down. If you are one of the 163,000 victims of the breach—and you should have been alerted by ChoicePoint—check all of your financial records for any suspicious activity. You’ll be glad today and not sorry tomorrow.


If you somehow detect a bit of sarcasm in the title, you are correct. When the junk mailers come to Chicago’s McCormick Plaza West on October 13, 2007 for the annual Direct Marketing Assn. (DMA) convention, they will learn everything from the basics of their trade to sophisticated data mining programs that can pry into the very depths of your private life. The exhibit hall will house hundreds of vendors who will ply their wares to thousands of industry participants, and many of those hawking their products and services will be list professionals. They’re the ones who sell your names and personal data to the tune of over $4 billion every year. These list pros will shout about the latest private information available on consumers, and how this can be used to target what time you go to bed, and what book you are reading when you do. What they won’t be doing is what I suggested to John Greco, DMA President. That is to set up a session for interested Chicago consumers where list people would answer questions about the sale of your names and personal data. Greco’s action, typical of this secretive business holding your most precious sensitive data, was to ignore me and, thus, the very customers on whom junk mailers depend. And now I just received a copy of the schedule of events. There’s nothing in the six-day agenda that addresses how consumers could and should control their names and private information. In fact, just the opposite with one session titled: “Harnessing Human Behavior.” However, Howie Mandel from the “Deal or No Deal” TV show will be there to give out the “Oscars” of junk mail. Somehow, there must be a hint of parody in this.


After my recent post on Pfizer’s loss of 17,000 employee private records, including names and Social Security numbers, I received an e-mail from Ed Silverman who runs the Pharmalot blog shedding additional light on the subject. His article, “Pfizer: 17,000 Employees Suffer Privacy Breach,” is a must read for the privacy minded. His blog is also good if you want to stay in touch with what’s going on in the pharmaceutical industry. Pharmalot was the first to release the Pfizer story including a letter from Lisa Goldman from the firm’s privacy office. Let me address some of the bizarre statements made by Goldman. Pfizer: “The information was stored on a Pfizer laptop computer that was provided to a Pfizer colleague for use in her home.” Comment: Only the dumbest of companies would still allow sensitive data on a laptop outside the company after the VA incident (26.5 million lost records), and the hundreds of incidents that have followed. Pfizer: Sensitive data “…were exposed to one or more third parties.” Comment: In this case one of the “third parties” was the Pfizer employee’s spouse, which indicates there was either no password protection, or the spouse had the password. Pfizer: “Our investigation revealed that certain files containing your data were accessed and copied.” Comment: Since we know from the Pharmalot article that the information was uploaded to the Internet and copied, obviously no encryption. Pfizer: “Based on our investigation to date, we have no reason to believe that any other personally identifiable information was exposed.” Comment: They haven’t the slightest idea and this is simply CYA. By now the American public should be tiring of all these excuses about the mishandling of their names and personal data, and demanding something be done immediately…like letting the consumer take control and manage one of the most valuable assets of their individuality.


This is a scam that ranks right up there with the crooks that took advantage of Katrina victims. A supposed, young-sounding American calls a military spouse representing the Red Cross. The caller indicates the spouse’s husband (not using the actual name) was hurt on duty in Iraq, and is currently in the hospital. The slime ball says treatment can’t start until they have the husband’s Social Security number and date of birth. The Red Cross never does this, but in the obvious state of emotions the spouse is in, who thinks of identity theft connected to a wounded husband in Iraq who needs treatment? Read more from the Identity Theft Resource Center Web site. This once again confirms how advanced the crooks are, and how far they will go to steal your life. USA Today reports that the military is the latest target of data thieves, calling them the Achilles’ heel of the system. The reason: the Department of Defense uses their Social Security numbers for “…everything from dog tags to chow-line rosters.” That tops anything I’ve heard in private business and other government agencies as the stupidest trick imaginable. Until the TJ Maxx breach of 45.7 million personal records, the VA’s loss of 26.5 million military records was the highest. In that was included 1.1 active-duty personnel, 430,000 National Guard members, and 645,000 reservists, according to an article in the Washington Post. It has become clear that identity thieves will stop at nothing, nor any group, to accomplish their goals. That means that somehow, someplace, sometime, you could be in the cross-hairs. Think about it and back my movement to give consumers control over their names and private information, and compensate them when it is sold.


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85331. We aren’t tax exempt yet, so donations are not tax deductible. Please contact me by e-mail with any questions.


Most junk mail is unsolicited, but the one that ranks as the Oscar winner around our house is the kind that comes with almost celebrated potential danger for ID theft attached. These mailings range from the millions of credit card solicitations received annually, to your mortgage holder who sends you an accidental death insurance offer with your home loan number clearly stated. While not as decisive as the Social Security number or date of birth to heist your identity, it is a start, particularly considering the recent successes of pre-texting (the thief could pose as you calling the mortgage company and obtain further personal data). Indymac Bank sent me two such mailings, one with envelope copy, “Do Not Discard,” sure to get any crook’s attention. Shell has been bombarding us with mailings for a credit card with “Congratulations You’re pre-approved” on the envelope that is one of the most generous invitations to this kind of criminal mind. And then there are those who dispatch pre-approved credit card offers to the deceased…years following their death. My Mother received one from Visa June 1st: she passed away in 1989 and is on every “death” file available. By the way, the deceased person’s data is by far the most valuable since there is no one to catch the thief at work. There are others, like the Home Depot mailing my wife just received with a guaranteed $7,500 credit line. The envelope is so obviously a credit card solicitation that the most inexperienced identity shark would know. And, I counted seven places on the application with the word “pre-approved,” that would cinch any indecision of whether or not for the bad guys to make their move. Individuals need control over their sensitive data, and they need it now.

Tuesday, June 19, 2007


Even if you are a hermit living in a desolate cabin, you would probably somehow have heard about the fact that data breaches are the biggest news story of the day. You’d think this reasoning would apply to individuals entrusted with our sensitive data, even if they don’t read print articles, hear it on TV or radio, or Google it on the Internet. Not so. The idiots are still out there, and one surfaced recently in Ohio, a 22-year-old intern from a state agency, who left a backup data device in his car with 64,000 state employees’ names and Social Security numbers. All that’s needed by the crooks to heist these identities, ruin their credit, and generally make life miserable. But to make it worse, the state’s Governor issued a statement indicating, because they don’t believe a breach of information has occurred, the victims needn’t be concerned. One, a breach did occur when the idiot intern left the storage device in his car as fair game for thieves. Think about it. Since there is no real value to something like this, why else would they steal it except for the data? Two, even if it were petty thieves, the awareness is high enough that, when they realize what they have, they’ll sell it to the highest bidder. Three, this is such an organized crime event now that the culprits hold the data until the heat is off, then use it when the victim is least suspecting. If the Governor’s comment didn’t stymie most consumer concern—the apathy is already large enough without all these amateur opinions—The Columbus Dispatch printed a story I won’t link to because of obvious reasons titled, “Breaches often don’t lead to ID theft.” From the initial incident which was the ChoicePoint breach of 163,000 names in Feb. 2005, the FTC has identified 1,400 victims. Javelin Survey’s latest figure of an average loss per victim of $5,720 adds up to a potential $8 million in the Ohio case.
This whole scenario of “don’t worry” after data breaches reminds me of the Mayor in the movie Jaws, who didn’t want to scare off the tourists. We’d better start worrying because the bad guys are becoming more adept each day in capturing our personal data, and using it for their own fraudulent purposes.


DM News is my favorite of the junk mail publications that report on the industry. They are honest and up front, and got their start several years ago by telling it like it is. That’s why I was surprised by a recent article by a list professional, Stacey Girt, who is a senior vice president of a leading list firm by the name of MKTG Services. The title of her piece, “Protecting consumers and our industry,” caught my attention, because I thought someone in this business was finally genuinely concerned over the lowly consumer. What changed my mind was her statement, “Those of us who provide lists share at least some of the responsibility for knowing what promotion will be communicated to those lists…” In my 35 years as a junk mail data broker, I assumed 100 percent of the responsibility of making sure the company purchasing my lists was completely legitimate in all respects. You might want to go to the MKTG Web site and check those lists where your interests could have you recorded as a customer, and then inquire of this List Manager just how they determine who buys these lists. After getting to the site, click on “View Datacards” on the right; a datacard is an explanation of the list in question. Sample mailing pieces are supposed to be scrutinized carefully, but in my experience the list owner was more concerned with the competitiveness of the offer, and it is entirely possible a fraudulent sample could be submitted for approval. This, of course, is not the fault of the list professional, and they do “decoy” the list to check for what is actually mailed. All things considered, most companies do a good job of pre-screening, but some can fall through the crack like the ChoicePoint sale to a foreign criminal ring.

In a recent edition of Reader’s Digest, there is a mail-in form asking readers to identify their kind of pain, and list the medication they are taking for it. You also must provide your name, address, age and gender. Phone and e-mail address are optional. You send it to Pfizer in a fold-over style mailer with minimum security, and it promptly goes into their database of consumer private information. For this data, they offer information about pain and Pfizer products for your ailments. There are two more boxes to check: one, asking you to agree to allow them to share this info around and outside the company; two, they want to call you and ask questions. My advice: if you have pain, call a doctor; don’t tell Pfizer or any other pharmaceutical company about it. As an example, Pfizer just reported the loss of personal information on 17,000—still not sure other data hasn’t been compromised—including name, address, and Social Security number, which was posted on the Internet. It isn’t clear, but the company thinks another less-than-bright employee took a laptop home, and the spouse may have tried to install file-sharing software, after which the private data was made available over a “peer-to-peer” network, according to The As best I can determine, P to P networks are simply multiple computers tied together, like a husband and wife at home, so I am not certain how the sensitive data ended up on the Internet, and Pfizer refuses to answer specific questions re. the incident. A few years back Privacy Rights Clearinghouse filed a lawsuit against Albertsons/OSCO for collecting your prescription data and selling it to pharmaceutical companies. CVS did the same in 1998, resulting in a lawsuit against the outside data company, Elensys, and Eli Lilly “outed” 669 Prozac users through a broadcast e-mail listing all recipients in the “To” line. I believe most of us would agree that the last industry we want in the personal data business is the pharmaceutical companies.

The European Union is questioning the use of insecure biometric ID cards, while at the same time the United Kingdom is using its presidency of the organization to push for adoption of the cards across the entire EU. EU standards on consumer privacy are already much higher than the U.S. requiring many American companies to increase their benchmarks significantly before managing data overseas. Biometrics is a technology used for recognizing humans based on one or more intrinsic physical or behavioral traits like fingerprints or iris scans. The U.S. Department of Defense has used it in military locations around the world, even some in the U.S. From an article in London’s The Register, EU-funded FIDIS (Future of Identity in the Information Society) warned of the risks in implementing this kind of ID for travel because it would decrease security and privacy, and increase the possibility of identity theft. The reason is that this new Machine Readable Travel Document (MRTD) is remotely readable at distances from 6.5 feet to 32.5 feet. This would allow stealing of the data in much the same way the TJ Maxx 47 million credit card numbers were taken from a wireless cash register by thieves navigating a parking lot in St Paul, MN. (See TJ Maxx story) With the continued development of this kind of technology without the accompanying addition of security measures to protect the data, ID thieves of the future will be walking around looking for wireless locations with their directional antennas much like searchers looking for valuables with a metal detector. With the advancement of this science far out-pacing the protective measures for our sensitive data, the only answer is protection by individual control over our names and private information. Please join me in this grassroots movement by letting me know your thoughts on the issue.




Doc Searls is an expert on topics where technology converges with business, and serves as a senior editor at Linux Journal, one of the leading magazines in its field. He has written extensively on the privacy issue with a recent article, “Why are privacy and advertising strange bedfellows?” You might think by the headline that we have finally reached a balance between corporations collecting our sensitive data, and how they protect and use it. But alas, by the second paragraph of the piece, we learn that Google gets the bottom ranking of “Black” (for “Comprehensive consumer surveillance & entrenched hostility to privacy”) from Privacy International who rated the companies. Not one company gets the best, which is “Green.” This is based on Internet service companies, but it reflects the general attitude of business today toward the handling of our names and personal data. Working backward, the next worst rating, “Red,” goes to companies like AOL, Apple, FaceBook, and Yahoo. Microsoft is blessed with “Orange,” and gets a “Yellow.” This article and the rankings are worth looking at because an explanation of what they are doing wrong is listed by each company. Returning to Google, probably no other company has been in the news recently as much as they have with coverage like, “Are Google’s moves creeping you out?” “Google is watching you,” and “Privacy concerns dog Google-DoubleClick deal,” also worth a read. Doc Searls comments, “Why would these companies suck so badly at respecting privacy?” and then provides the answer. One, because of a revenue-driven model Google supplies business; and two, because consumers have no control over their names and personal data. Sound familiar?

Monday, June 11, 2007


John Greco is president of the Direct Marketing Assn. (DMA), the trade group that represents the junk mail industry. They are holding their fall 2007 annual convention at McCormick Place in the “windy” city from October 13th to the 18th. I e-mailed Greco in April, asking that the DMA provide free access to consumers in the Chicago area who are not connected with the business, and who have an interest in learning just how their names and personal data are being used and sold by junk mailers. I suggested the DMA should add a panel of list professionals to its program who could answer the questions of the public. Since the issues of general privacy and identity theft are foremost in the minds of Americans today, I thought it was a great chance for the industry to be open about what they do with your sensitive data. No answer. Zilch. Greco didn’t even give me the courtesy of a reply, which, as I told him in a recent follow-up e-mail, doesn’t surprise me, considering the veiled approach junk mailers have taken toward the sale of our names and private information. A number of insiders have even commented in recent trade publications that the industry should be more candid and accessible over the sale of this data. My plan is to submit op-ed articles to the Chicago newspapers, contact talk radio and TV consumer reporters to let them know about the DMA convention, and suggest coverage during the October event to pressure junk mailers to be honest and up front with the public. Any Chicagoans out there? Please let me know if you have any suggestions, and let the DMA know what you think.


Orwell’s 1984 had only one Big Brother, but members of the Party of Oceania, the novel’s fictional country, were trained to spout the philosophy from and do the work of the big guy. Just like the followers of GWB who march to only one drummer, Big Brother Bush. Although cloning wasn’t a part of Orwell’s storyline, it is certainly apparent in the imperial authority of the Bush administration. The underlings not only follow orders, they actually act in the image of BBB. The latest case in point is the testimony by Monica Goodling—described as the administration’s enforcer of political purity inside the Justice Department—that the Attorney General might have been trying to “coach” her about what she was about to say before Congress about the firings of federal prosecutors. (Read more in MSNBC article) Gonzales, of course, is one of Dubya’s favorite clones, who also beget his likeness in a guy named John Yoo, a young gung-ho lawyer in Justice. It is Yoo, another follower of Cheney, who wrote the opinions justifying the eavesdropping program on innocent Americans following 9/11. Another Justice lawyer, Jack Goldsmith, put in charge of the Office of Legal Counsel, which offers advice on Constitutional issues, ruled Yoo’s opinions were not legally supportable. Up to this point, we had a relatively obscure Justice employee deciding on the privacy rights of U.S. citizens. And to top it off MSNBC in another article reports that Dick Cheney blocked the promotion of another Justice Department official, Patrick Philbin, who opposed the eavesdropping program. If they won’t join you, beat them out of office.


I live in Phoenix, Arizona, where drive-by shootings occur on a regular basis. There’s no technology involved except the craftsmanship of the weapons maker. Many of these incidents are deadly, resulting in the deaths, sometimes, of innocent victims. Fortunately, the latest drive-by crime doesn’t include murder, but there are innocent victims. An account says there was considerable technology used by the ID thieves in an incident that started in the parking lot of Marshalls’ discount store in St. Paul MN. Still on the loose today, the hackers eavesdropped on wireless communications originating within the store using a directional antenna to gain data allowing them to breach another TJX company, TJ Maxx. They downloaded 45.7 million credit card numbers, but this figure could reach 200 million, according to the Wall Street Journal. This was a clever, two-part theft where the crooks knew what they were stealing, meaning they had use for the data, like stealing your identity. This all took place in two years as TJ Maxx went merrily about their business. Once again, lax security—they were using weak encryption for the wireless network—which further proves my premise that consumers should control their sensitive data with the right to approve any transaction involving their private information. Had this protection been in effect at the time of the breach, it is likely that not one of the TJ Maxx credit card numbers could have been used without the owner’s consent. Think about it. Are you willing to accept this responsibility? If not, are you willing to accept the possibility of losing your identity to the crooks for a potential personal loss of $5,720 plus $535 to clear it up over as many as 6000 hours, depending on the severity of the crime?


In 1940, President elect Franklin Delano Roosevelt commented that “…the great public is interested more in Government than politics…” Further, that the impact of Independent voters was here to stay, and “…the tendency, frankly, is on the increase.” If he were alive today, he might revise the first statement to say that the American people are still interested in Government, but they are fed up with the current crop of politicians and their futile methods of governing. This excerpt by FDR came from Independent Nation, leading off an article you might want to read. It points out how, with Congress growing more partisan, the voting electorate has moved further to the center. In the 2006 election, a pathetic 70 percent of eligible voters were registered. Democrats accounted for 42.5 percent, Republicans 34.3 percent. That leaves just over 20 percent that could fall within the Independent category. This is up from just under 14 percent twelve years ago. I ran across a blog recently that is packed with information for Independents. The Hankster is a must-read for those of you serious about bolting from today’s run-of-the-mill politics. The blog recently featured an ABC News article, “Independents Rule New Hampshire,” that is also worth reading, and encouraging because it points out that 44 percent of New Hampshire voters are Independent, up 62 percent in the last decade. So FDR was right, and the problem today is how do we unite this group, and build on its strength?


Financial institutions are perhaps one of the most concerned of all businesses when it comes to data breaches. My guess for why this may be true is the fact that the industry does not fully understand the value of your name and personal data. Add to that the possibility of compromising your financial records in a situation that could spell disastrous PR, and you can understand why they are worried. It happened to Bank of America and Citi Bank, and the repercussions were swift and furious in the media. If you aren’t fully familiar with the pitfalls of a potential threat like a major data breach—as their counterparts in the junk mail business should be—you do what comes natural. You buy insurance to offset the loss. ChoicePoint should have known to take more precautions, and look what happened to them. Bank Technology News reports the cost per record when data goes missing is $100, according to ChoicePoint, the guys that started this whole mess; $182, Ponemon Institute; and from $90 to $305, Forrester Research. Do the math if they lose 1 million records. To the rescue, the insurance industry, of course. However, a privacy attorney thinks the coverage isn’t adequate, and “…wouldn’t come close to covering the liability an institution might face in a major breach.” So, the point of this story is, if industries are out of the loop on what collecting and manipulating sensitive data is all about, they may just decide to blow the budget on insurance rather than beef up security. That’s when we all lose.