
Monday, August 27, 2007


It started out on Aug. 21, when Matt Chapman at announced that hundreds of thousands of recruitment hopefuls on had had their personal details stolen. Symantec discovered the website had been attacked, and advised Monster on Aug. 17. Customers weren’t notified until Aug. 22, one day after Chapman broke the story, according to an article in However, Monster then upped the ante to 1.3 million job seeker records lifted. The information stolen included name, home and work address, e-mail address, mobile and home phone numbers. Now why would the crooks be interested in this private information that doesn’t include at least one of the two main ingredients for ID theft: Social Security number, or date of birth? Because it is probably just as lucrative, and easy, to use the e-mail addresses for phishing scams to prey on unwary job candidates, particularly in the name of And with the sensitive data that was stolen, it is very easy to get your SS# and DOB on the Internet anyway. MSNBC even reported that some Monster users had already received spam asking for financial information. In an Associated Press piece on USA Today, the word is the bad guys hustled passwords from recruiters to do their dirty work. They took resumes and “used information on those documents to craft personalized "phishing" e-mails to job seekers.” This event once again emphasizes why it is so necessary to protect all of your private information, especially now when the phishers have become ultra sophisticated in designing their sites to look identical to the original. However, even in these phishing schemes—as well as several other types—your sensitive data would be safe if you were in control.


I am not really sure where the term, “junk mail” originated, but I do know it was being used when I entered the industry over 35 years ago, and regularly gained momentum over the years. Today when people talk about junk mail, they are mostly referring to spam on the Internet. But the birth of the term was in reference to the fact that junk mailers had to send out 100 pieces of mail to get an average of one to two responses. They still do, and during my tenure as a list/data broker and database consultant, almost every company I worked with was satisfied with this result. The reason is that those 98 or 99 catalogs that go into the city dump, unused, are built into the profit formula used by the junk mailer. To hell with the environment when billions of unread catalogs go in the trash annually, each probably at least 32 pages or larger. The industry tried recyclable paper but that fizzled out because it was time consuming and costly. Predictive modeling—a method of targeting customers who want what you’re selling—evolved some 25 years ago, but the old hard-head, off of the kitchen table entrepreneurs decided they could do it better. I asked one potential client in the late 1970’s how he bought his mailing lists. His answer was, “with my gut feel.” And that would preclude any recommendation I would make to him, based on years of experience. The landscape has changed—junk mailers are able to target better because there are 50,000 lists on the market today with several selection techniques in each to choose from—but the term “junk mail” is still in full force with basically the same definition criteria as 35 years ago.


This is the second in my series of junk mail company reviews that include specifics about their handling of consumer names and personal data, particulars on their list of customers, costs for shipping and handling, and their track record with the Better Business Bureau (BBB), if available. Attention today is on The Sharper Image catalog, a San Francisco based company that sells upscale electronics products from its catalogs and retail stores. I met Richard Thalheimer, the founder of Sharper Image and a visionary in the business, several years ago in San Francisco when I was a list/data broker. I was impressed, as were hundreds of thousands of his customers across the U.S. who bought unique high ticket electronics items. Today there are a total of 4.2 million customers, but Thalheimer left the company in 2006 after a two year sales decline. That’s hard to understand when each catalog purchase is worth an average $170 to Sharper Image, and on top of that you pay shipping and handling based on the dollar amount of your purchase, not the actual cost. I had one client tell me years ago that his shipping department was actually a profit center. As an example, if you order a travel radio costing $100, you pay $17.95 S&H. You can ship the same item any day priority mail for $6.20. Add another couple bucks for handling and you’re still almost $10 under the $17.95. SI also has an unsatisfactory record with the Better Business Bureau; 111 complaints over the last 36 months. Although most complaints were resolved, the “unsatisfactory” label is for failing to resolve or respond to complaints or resolve them in a timely manner, and a pattern of not addressing underlying issues of the complaints. The company is also under siege by 27 state attorneys general in a class-action lawsuit for $900 million financial experts say could bankrupt the company. The legal action is over SI’s Ionic Breeze purifiers that apparently don’t work, and could cause health problems. 
Some say Thalheimer’s rush to open retail stores was the start of their financial problems. We may never know unless Richard comes forward with the answer.


In an InformationWeek article, a class-action lawsuit was filed against the U.S. Postal Service for allegedly selling employees’ personal information to marketing companies in violation of the U.S. Privacy Act. The 1974 law prevents federal agencies from sharing employee information. It is the same law that many other government bureaucrats are circumventing when they buy consumers’ private information from data brokers like ChoicePoint and Acxiom to spy on innocent Americans. The action was filed on behalf of all postal employees, and over 100 USPS workers joined the lawsuit four days later. It is almost like all agencies and departments of the federal government have taken the same attitude, joining the “Bush Bunch” in thinking that they can treat the citizens of this country any way they please. The lawyers are attempting to stop the USPS from giving out the private information, and in a surprise move, at least to me, “recover the money USPS received through the co-branding agreements.” Apparently these arrangements are set up with marketing companies that allow them to use the Postal Service logo on the junk mailings, which obviously offers authority and endorsement. The mailings sell everything from cell phones to credit cards, and USPS receives compensation from these sales. Postal Regulations 148 Part 268 even states that the USPS and its employees cannot release any private information to any person or organization without the individual’s consent. Should this happen, a plaintiff has the right to recover damages from the Postal Service. Now if the postal employees have a right to the revenue made from the sale of their personal data in this incident, then it appears that a precedent might be set, and the junk mail customer certainly has their rights of recovery from the sale of their names and private information. I will certainly keep you posted on this case.


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85331. Please contact me by e-mail ( with any questions.


In another Postal Service matter, the Humane Society of the US filed a lawsuit against the USPS for allowing the mailings of animal fighting paraphernalia, including trade magazines advertising fighting animals for illegal dog and cockfights. Bush even signed the federal Animal Fighting Prohibition Enforcement Act in May of 2007 that strengthened the federal law against this horrendous sport. Either the Postal Service’s attorneys are asleep at the switch, or I am right about their new image as another bureaucratic Big Brother. And don’t tell me about the 1st Amendment rights of these people, because this kind of sick individual doesn’t deserve to be protected under any law for the brutality they cause animals just to make a buck. Junk mail industry publication, DM News, quotes Gerry McKiernan, media relations manager at the USPS as saying: "We have given thorough consideration to the material provided by the Humane Society and determined that the magazines in question are still mailable." Pathetic. This case is a companion suit to one filed against for shipping the same kind of literature.

Now here’s a guy who says we might have too much privacy. It’s that dumb statement again that, if you don’t read the whole article, you think it’s time to let down your guard in the identity crisis. His name is Phillip Alexander writing on, a security officer for a major financial institution, who is also trying to sell a book. He has some good points, like private information is needed to catch child molesters, but loses me with his flat statement, “there is such a thing as too much data privacy.” He makes a ridiculous analogy between the Virginia Tech tragedy, and private information being withheld. The reason Seung-Hui Cho’s (the shooter) data didn’t get to the right people is not a protection against anyone’s privacy, but rather a result of the lobbying efforts of organizations like the National Rifle Assn. (NRA). Sharing and making data available to catch crooks is a good idea, but strict oversight is necessary to avoid abuse over a system that could jeopardize the sensitive data of innocent Americans.

Consumers lose confidence in the system. reports that according to the “2007 Consumer Survey on Data Security,” a lot of you folks are modifying your buying habits, even online, because of all the recent data breaches. And rightfully so. The survey conducted by Vontu and Ponemon Institute, two privacy research firms, found that 62 percent of respondents had learned that their private information had been lost. This should even make the other 38 percent very cautious, but it probably won’t. Apathy continues to surround this issue, and it’s not clear today what it will take to change that. Case in point: 84 percent of the 62 percent exhibited increased concern over the loss; should have been 100 percent. And 62 percent would be more upset with incompetence in the loss, than if the data were stolen. Regardless of how your private information gets away from the data handlers, you should be mad enough to not take it anymore.

Monday, August 20, 2007


Your FICO credit score is used by many insurance companies to determine what you pay for auto and homeowner policies. This is a fact of life, folks, and you’d better get used to it. According to certain studies, there is a correlation between lower credit scores and the filing of more claims. In other words, if your FICO is one of the higher ones, and they didn’t use this method of ratings, you would subsidize the lower score-holders. The Insurance Information Institute has a report worth reading that gives the federal position on the matter, plus input from several state actions. The FTC believes credit scores lead to more accurate underwriting, and the Government Accountability Office (GAO) thinks the feds should educate consumers in their understanding of the abundant ways FICO scores are used. As an example, did you know that if you are a good money manager, you will probably have fewer accidents, or, at least, file fewer claims? It’s a behavioral thing. It does cut down on your junk mail, but that’s not much comfort for the household with bad credit that needs insurance. There’s another good piece on this issue in The Motley Fool that provides some good advice and helpful links. So, if this is a good thing for those who maintain good credit scores—and everyone should strive for this—what is the downside? Right off the bat, the Public Interest Research Group, a non-profit advocacy group, in a 2004 study, found that out of 200 credit reports, 79 percent contained errors of some kind, 25 percent serious enough for denial of credit, thus, affecting what you pay for insurance. So, if 25 percent of the FICO scores used were wrong and resulted in incorrect credit denial, does that also mean that 25 percent of consumers paying higher insurance rates are doing so because of the use of flawed data? 
As a junk mail data broker, I worked with three auto and homeowner insurance companies—one local, one regional, and one national—in their acquisition of new customers at about the time they were changing from traditional mailing lists to those based on credit scores. Credit bureaus like Experian, Equifax and TransUnion weren’t scrutinized in those days like they are today, based on their role in the identity crisis. That was several years ago, but rather than getting better, it has only gotten worse.


Junk mail list company, Worldata, out of Boca Raton, FL, has just released its annual report of how much your name and private information are selling for on the open market. Didn’t know you were a commodity? Well, you are, and a hot one based on yearly mailing list sales of over $4 billion. (See earlier posts) I was a stock broker before becoming a data broker, and the company I worked for sold commodities like pork bellies, corn and soybeans. One thing I do remember for sure…the farmer raising that corn was paid for his crop. However, as the name-holder of your sensitive data that is being sold for an astronomical figure, you receive nothing. Somehow this doesn’t seem right considering your “at risk” factor (ID theft), along with the fact that many of the 640 data breaches since 2005 have originated with companies involved in the junk mail medium. You might call it potential double jeopardy in losses. Some types of lists have gone up, like databases (ChoicePoint, Acxiom), and some have gone down like e-mail names of the AOL variety. According to Worldata, the average merchandise buyer’s name sells for around 10 cents each. That’s hard to believe when lists like Brookstone sell your name for almost 17 cents, Restoration Hardware for just over 19 cents, or Eddie Bauer almost 18 cents. You probably don’t care about any of this because, regardless, nothing goes in your pocket. But I do have a point. Because your name and personal data are such a precious commodity, and because it is you, the individual, not the company who might lose your private information, that suffers the losses, you should be in control over your sensitive data. Think about it.




Here we go again. The Department of Justice is still at it using junk mail data brokers like ChoicePoint to hunt identity thieves, which would be great if they weren’t prying into your innocent, private information to do it. A Consumer Affairs article says they are building a new database to—what else?—look for terrorists, using—what else?—databases provided by junk mailers like ChoicePoint. After a rash of these government attempts in the last few months, wouldn’t you like to see at least some results…like catching a terrorist on American soil? The new program is called “System To Assess Risk,” or STAR, and Senator Patrick Leahy (D-VT), chairman of the Judiciary Committee, criticized the system for its potential for abuse. Civil rights advocates take it a step further citing the inaccuracy of data being used that could end up labeling innocent Americans as terrorists. In a 2005 study conducted by non-profit, Privacy Activism, error rates of 73 percent were found in the most basic of biographical information like name, Social Security number, address, and phone number, in the background reports from ChoicePoint. Apparently STAR will assign a risk score based on information like this—in the same Privacy Activism study, another data broker, Acxiom had an error rate of 67 percent—to identify potential terrorist suspects. The Washington Post reports that STAR poses the same question again of the feds using consumers’ sensitive data to spy on U.S. citizens “without accountability.” Knowing this administration, STAR’s “risk” profile will be “top secret” and only a select few will be privy to its makeup. The Department of Homeland Security has its own “risk” program called, “Automated Targeting System” that is supposed to indicate “potential suspects.” Is this the one that identified Senator Ted Kennedy as a threat? At best, these procedures are borderline, based on results to date.
STAR also runs questionable names against the Accurint database to track addresses, phone numbers and driver’s licenses. Accurint is a subsidiary of LexisNexis, another junk mail data broker like ChoicePoint. STAR supposedly will be limited to trained users. Haven’t we heard that one before?


For years junk mailers and traditional retailers have employed data mining in their customer relationship management (CRM) to identify their best customers. Now they’ve turned this practice into a system to determine which ones they want to get rid of. The very design of CRM places the borderline group on the back burner, electing to ignore them for the most part, unless they make another purchase. But just out-and-out dumping them seems a bit overzealous. Liz Pulliam Weston in MSN Money covers the current trend of how companies are getting rid of shoppers who “complain too much, return a lot of items or otherwise hurt their profitability.” Complaints are that these people are spending too little, or complaining too much. This bunch, says corporate-profitability expert, Larry Seiden, represents 20 percent of the total. So you just ditch them, and go looking for the more profitable customer. Actually, it could make sense if these people are chronic offenders with little or nothing to base their actions on. Sprint Nextel dropped 1,000 customers for calling its customer-service lines too much. Online bank, ING Direct shuts down 3,000 to 4,000 accounts a month, because these people are “more trouble than they’re worth.” Other banks may even have you assigned as “pests” or “promising” in their system, so when you approach a teller or go online, they know how to treat you. Airlines are even taking it to another level in determining who is the best-of-the-best frequent flyers, with extra perks at the airport and other benefits. Guess us coach potatoes are relegated to little or no service at all. But some retailers are taking it too far by using a company like The Return Exchange to identify and refuse abusive shoppers. Pulliam mentions two: Staples and The Sports Authority. When you return an item there you must give the clerk your driver’s license, who swipes it through The Return Exchange Verify-1 device.
It records your name, address, age, and other particulars of the transaction—no doubt your license number—and sends it to The Return Exchange database where it is kept. As usual, enough data to make it simple for the identity thieves, if somehow a breach occurs. Privacy Rights Clearinghouse has an ALERT on The Return Exchange you should read. Questions immediately arise of how much other personal data does The Return Exchange receive from member retailers? How long do they keep this information, and just who has access to it? As I’ve said many times, the development of personal information databases is a perpetual force in the marketplace, and, despite the state of the current identity crisis, it just keeps on perpetuating.


A White House directive gave government agencies until September 22 to figure out just how to secure Americans’ personal data, according to a story in In typical Bush vagueness, they are to use their “best judgment” to get the job done. But it is the kind of direction we have come to expect from this administration, particularly when it applies to the good of the consumer. It does show the complete incompetence of his advisers, the presidential aides we assume have lived through the same incidents of government laptop losses that we have. Rep. Tom Davis (R-Va) doesn’t want to overreact: “If we allow them to do their job and give them appropriate training, they can do a better job than we can in Congress.” I would certainly go along with that. This White House epistle goes on to recommend certain things that should be done to alleviate the problem: things like encryption and limiting remote access. WOW! Why didn’t anyone else think of that? And then the Federal Trade Commission (FTC) puts in its two cents with a 12 page compliance plan. Startlingly new ideas like: notifying individuals and third parties in a breach, and identity theft risk analysis. The FTC also held some meetings for its employees to take stock of the sensitive data with which each has contact. They plan to hold more, using posters with questions like: "You left your FTC BlackBerry on the Metro--What do you do?" The unsurprising answer at the bottom: "Tell your manager." Pathetic. Tim Grance, manager of systems and network security for the National Institute of Standards and Technology (NIST) did have an observation that is worth mentioning about encryption. No matter what form you use—and right now it is probably the best of security measures available—it won’t be effective without the right keys that actually do the locking. So, much ado about the problem, with a host of criticism on what’s being done. I wouldn’t be doing this if I didn’t think I had a better answer.
Which is…give consumers control over their names and personal data, and compensate them when it is sold. The former solves the bulk of the identity crisis, and the latter makes an age-old wrong in junk mail right.

Monday, August 13, 2007


For months I have been railing over government agencies using junk mail data brokers like ChoicePoint for consumers’ names and personal data to spy on innocent Americans. It all seemed to hit the fan with the NSA surveillance incident, and has gone downhill since. But the Transportation Security Administration (TSA) announced last week their new “Secure Flight” program that will assume responsibility from U.S. airlines in 2008 to identify potential terrorists, and the likes of ChoicePoint will not be asked to play. Right off the bat I’m suspicious, so I did some more research. The TSA has a release on the program that gives more particulars, but still doesn’t explain how it will accomplish better identification without the technology and private information databases of the junk mail industry. One such procedure is called the merge/purge, something they use to eliminate the duplicates from the merging of hundreds of mailing lists and millions of names. Even this isn’t perfect. After 35 years as a data broker in the business, I can confirm that junk mailers do know how to find the people they are looking for. In the new TSA program, airlines will start sending passenger itineraries to the agency 72 hours before flight time including the traveler’s full name, and will be required to ask for, but not demand, date of birth and gender. If an address is also included in airline data, name, address and DOB is all that’s necessary for ID thieves to do their thing. I am also not sure how the government gets the terrorists’ date of birth to use in the matching process. TSA says by taking the Secure Flight matching responsibilities away from the airlines, that will “ensure a higher level of consistency and will help remedy possible misidentification if a traveler’s name is similar to one found on a watch list.” This sounds like the airlines have been using antiquated technology, and the agency is saying it can do a better job. 
Although I am the last to suggest they rely on junk mail data mining technology, I frankly do not see how the government can be successful without it.


From time to time, I plan to review junk mailer profiles that will include specifics about their handling of consumer names and personal data, particulars on their list of customers, costs for shipping and handling, and their track record with the Better Business Bureau (BBB), if available. I am turning first to one of my old favorites, Herrington catalog, about which I have posted before. (See here) This is the company that refuses to give customers an opt-out in their catalog from selling their names and private information—which includes income, what you buy, and the age of your children—a policy that has been in effect for several years. I recently ordered a catalog, and there is still no indication they are a member of the Direct Marketing Assn. (DMA), which means they are not bound by the DMA’s guidelines—weak as they might be—to protect customers’ sensitive data. As an example of their attitude, I contacted them back in November of 2006, and received this reply: “At this time Mr. Herrington has decided not to put this type of option on the order form inserted in the catalog. This is a good recommendation that I will forward to him and will hopefully be put to use in future catalogs.” Nine months later, and we’re still waiting. Herrington maintains a total of 1.2 million customers’ names, but sells a select number of those, around 300,000, for an average of over 20 cents each. And if they are like other junk mailers, they’ll sell this group between 25 and 50 times each year. Those are your names. Using even the lower number of 25 turns, Herrington grosses $1.5 million each year from selling your names, and you don’t get one penny. Plus the fact you don’t even get the option to tell them with your order that you don’t want your name sold. Although they have a satisfactory record with the New Hampshire BBB, there were 8 complaints in the last three years, two of which ended with “dissatisfied” customers.


During my last ten years as a junk mail list broker and database consultant, I urged all my clients to engage in data mining—or predictive modeling, as some refer to it—to locate their best customers. The more you target the new prospects, the less junk mail there is. Currently, amounts to an average of around 98 percent that goes in the trash every day. For the old entrepreneurs in the business who thought they knew everything, the answer was “we’ve always done it our way so why should we change?” Or they just didn’t understand the technology, and were afraid to try something new. You probably wonder why I—the reformed privacy activist—would have ever recommended a procedure that could spy on American households with a precision to forecast your daily habits. Well, I didn’t. There are two ways to achieve success in predictive modeling: the first zeroes in on individual households, utilizing all their personal data to pry into the lives of every individual residing there, including young children. I call that the invasive method; the second approach uses small groups of households developed by the postal system (carrier routes numbering around 500, block groups 300) to predict an aggregation that can easily be interpreted to represent a homogeneous group that includes very similar individuals. But in the latter process we have taken the consumer’s distinctive private information out of the mix, thus, protecting their privacy. I did a post on this back in June of 2006 titled, “It's Monday Morning. Do You Know Where Your Name Is?” It describes the mechanics of the procedure, and makes the case of why consumers should have control over their sensitive data. One of the biggest intrusions in junk mail data mining and predictive modeling in recent years is the use of your credit scores to determine how much you pay for auto and homeowner insurance. Most of the insurance companies are doing this now, so check your credit report regularly for your score. 
My opinion of this practice is that it borders on being illegal, at the least unethical. The junk mail industry is holding its annual convention in Chicago in October of 2007, and there will be several workshops that cover the modeling event. However, there won’t be any coverage of why the consumer should control their name and personal information, and be compensated when it is sold. Why don’t you ask the Direct Marketing Assn. (DMA) why?


Government contractor SAIC put the personal data of 580,000 military personnel and their families on the Internet, and it wasn’t encrypted. Naturally, it was out there for all to see and steal. The unsecured server was being used to handle health care processing claims for the Army, Navy, Air Force, and the Department of Homeland Security. SAIC of Shalimar, FL is the fifth largest government contractor, which you would think requires them to maintain a maximum level of security. The company says it will cost between $7 and $10 million to fix the deal, which will end up costing Uncle Sam, ultimately falling on the American taxpayer. This is the same company responsible for the FBI’s “Virtual Case File” technology upgrade that ended up costing us $170 million, eventually aborted as inoperative.

The Certegy Check Services data breach has jumped from 2.3 million consumers’ stolen bank account numbers to 4 million, and is likely to rise as additional information is made available. Certegy is the subsidiary of Fidelity National Information Services, a financial processing company providing solutions supporting financial services companies throughout the world. (See earlier posts, July 7, July 14) The whole thing came down because a Certegy employee stole the data and sold it to a data broker, who sold it to several junk mail companies. But in spite of all this new information and the real potential of ID theft, the Tampa Bay Business Journal’s headline to a story is, “No criminal ID theft yet from Certegy breach.” It reeks of another coverup for private business, implying that there are usually no victims after these massive data breaches. I hope all these naysayers will admit their flawed reasoning when we are drowning in a sea of identity theft victims.

States partner with Google to release public records and Arizona, where I live, is one of them. In case you missed it, Privacy International, in June of 2007, labeled the search engine “the worst thing to happen to personal privacy since the invention of the telescope.” Further, “the absolute worst of the worst when it comes to privacy issues.” California, Utah, and Virginia are the other states in this pilot program the Arizona Republic newspaper reports will include records from real estate agents, contractors, nursing homes, child care facilities, plus “more databases.” I asked Chris Cummiskey, Arizona’s chief information officer, to define the exact data to be released. I asked him twice, by e-mail, and received not a word. Is this mysterious silence an indication that the state might be planning to release something more private in nature, and they just don’t want to talk about it? Arizona was caught recently placing the Social Security numbers of its citizens on the Internet for everyone to see.


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85331. Please contact me by e-mail with any questions.


Eric Ellman is a lobbyist for the Consumer Data Industry Assn. (CDIA), and according to an article in USA Today, he goes to work every day “prepared to explain why identity theft isn’t as big a threat as people think.” He is the kind of misinformation artist that has turned millions of Americans into “Apathetics.” This is my term for those of you that have quit worrying about the security of your identity because you think it will never happen to you. It may not…but, it just might, and you’re hung up with an average of over $5,000 in losses, plus another $500 to clear it all up, taking 25 hours of your time in the process. There were 8.4 million identity theft victims in 2006, or one in 27, according to Javelin Research, and that’s much better odds than any lottery. So what is Eric Ellman working on today that deserves attention? He is looking for a federal answer to stem the flow of state laws that allow consumers to freeze their credit information. Companies like the big three credit bureaus, Experian, Equifax and TransUnion, paid CDIA $1.4 million in 2006 to take back the personal data that they make billions of dollars on every year. These are the same people that, when you apply for a mortgage loan, sell your name overnight to competing mortgage brokers that hound you forever by telephone and/or mail. CDIA even sent Ellman to Montana to help defeat one of the toughest pro-consumer credit freeze bills in the country. He failed. A credit freeze is a good band-aid for the identity crisis, but won’t solve the problem. The only answer is to give consumers control over their names and private information, and, while we’re at it, compensate them when it is sold. I’d give anything to know what Mr. Ellman thinks of that concept.

Monday, August 06, 2007


We’re already seven months into the 110th Congress controlled by the Democrats—you know, the party of the people—and not only is there no meaningful data breach legislation passed, but there doesn’t seem to be the slightest chance it will happen before 2008…if then. According to Milo Cividanes, privacy attorney writing for SC Magazine, it’s not likely to occur until 2009. So far, the U.S. Congress has left it up to the states to protect consumer rights, and thirty-eight of them have passed data breach laws. However, most are weak in that they allow the breaching company to decide if the breach is serious enough to put the consumer at risk. I think it has become relatively apparent that we cannot trust the kind of company or government agency that allows its employees to take home sensitive consumer data on laptops and storage devices to understand the significance of notification in a data breach. California’s SB 1386, the law that stopped ChoicePoint in their tracks in February of 2005, requiring them to notify 163,000 consumers that their private information had been stolen, is the only state law that does not have the “deemed to be at risk” clause. This breach, of course, started the data rolling, and we are now the proud owners of a record of 640 breaches since 2005, exposing almost 159 million personal records. It is true that the Iraq war is consuming this Congress today, but it is also the Iraq war that prompted the need for more privacy protection from a White House bent on spying on innocent American households. The incompetence of this administration also makes it frightening to those who understand how easy it is to pry into our lives with so little information. If you are interested in what the “independents” are doing right now, go to the Committee for a Unified Independent Party, Inc. (CUIP) site for more information.


While it is completely justified that the U.S. Congress should attack the Department of Homeland Security for 844 cybersecurity mishaps over the past two years, it is also this esteemed body that has refused to bring to the American public user-friendly legislation that will protect the individual’s name and personal data. More on this later. In an InformationWeek article, Jim Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, says these security leaks are “one of the most critical issues confronting the country…” On the other hand, Bush is pushing for additional clout to do more of the same surveillance conducted by the NSA in the past, which ended up spying on Americans’ phone calls. We’ve just learned that the NSA spying was much broader than admitted by the administration, and now Bush wants to bypass FISA again. I plan a post on this recent development by next week. Whether it is the NSA, Homeland Security, the FBI, or whatever agency pops up next looking into the innocent lives of our citizens, it is obvious that the infrastructure of this administration has become obsessed with turning this country into another Big Brother state as depicted in George Orwell’s 1984. Any intelligent human being knows that every country must do its share of spying to protect its security, but in the past it has always been directed toward the bad guys. What is needed is a law that will be the bulwark of human rights in the protection of individual privacy. Congress won’t do it; they are pathetically mired in debate they say is over how to protect their constituents, but it really is about how not to curb business interests.


There’s a good article in (subscription only) about how there is always risk prevalent wherever data is stored. Actually, we’ve known this for years, but have been betting against the odds the risk wouldn’t turn into a full-blown disaster like the current identity crisis. I remember questioning people in charge of maintaining data storage about this when I was a junk mail data broker. In the early stages of computers, I witnessed magnetic tapes with sensitive data lying around in the open, unprotected, prey for potential thieves. In those days, the theft was for the purpose of selling the names to some other crook who would use them to mail some questionable offer. And then the thieves became sophisticated and learned the value of the private information stored, which could be sold for much more than just the names themselves. It was this bunch of bad guys that actually ushered in the information revolution, or at least brought this movement to the attention of the general population. There are points in Lee Howard’s article, “Where There’s Data Stored, There’s A Risk,” that are worth covering. Howard quotes from several sources, one a casino VP who says they stopped collecting Social Security numbers several years ago. Another is a privacy officer who explains away the data loss problems in the medical community with the fact it is not yet automated. However, the dilemma just worsens with computerization, if security of data isn’t the top priority. And then there are the “apathetics,” as I call them due to their detachment from the reality of the potential breach of their private information, who refuse to cooperate in their own security. I personally would much rather see a law that gave consumers control over their names and personal data, than one that dictates what data can be collected. One good reason is the fact that the latter would never work.


Nancy Tobi, who writes on voter integrity says “Congress is about to ‘just say yes’ to permanent secret vote counting,” in an article for She quotes Joseph Stalin on centralized control of voting: “Those who cast the votes decide nothing. Those who count the votes decide everything.” With this said, Congress is about to pass an election reform bill, HR811, that turns over vote counting to the White House. I couldn’t fathom giving Bush this control, but it isn’t the kind of authority that should be given to any president. Kenneth Janda, professor of political science at Northwestern U., compares our decentralized structure of government with less-fortunate countries around the world. He said, “The Framers of the U.S. Constitution were extremely wary of the potential dangers of concentrating power in any single political institution, and so deliberately undertook to divide authority among different branches and levels of government.” In 2002, the Help America Vote Act (HAVA) gave total control over voting system standards to four presidential appointees. In keeping with GWB’s already established reputation, these four people are the “deciders,” and they answer to the president. Tobi tells us about VoteTrustUSA, a grassroots organization which is one of the biggest supporters of HR811, and who has ties to ChoicePoint, the guys who helped launch the identity crisis. They were also instrumental in the 2000 Florida election supplying flawed data to Secretary of State Katherine Harris’ office, on potential felons on the voter registration list who weren’t. ChoicePoint already has several government contracts, and the wife of the president of ChoicePoint, Doug Curling, is a big supporter of VoteTrustUSA. Proponents of the bill say it is the best they can get passed by Congress, not that it is the best for the American people. Are these the kind of congressional leaders we want running the greatest country in the world?


As was the intention of the Privacy Act of 1974 to protect consumers’ personal data, the government has taken the lead again to set the standards for security controls to keep the fed’s huge system of databases from being breached. The Privacy Act was eventually circumvented when government agencies started outsourcing their dirty work—with data brokers like ChoicePoint and Acxiom—to collect every morsel of information available on U.S. citizens. You know the result: NSA spying and FBI wiretapping. In the article, “Standards body drafts guide on preventing data breaches,” Heather Greenfield talks about the establishing of these standards, one of which is encryption, to basically neutralize future breaches like the VA’s 26.5 million record loss. There are other aspects to Greenfield’s piece, but I want to concentrate on encryption. Although I do not feel that encrypting data is the solution to preventing data breaches, it could certainly temporarily reduce the risk in thousands of daily transactions of names and private information by the junk mail industry—particularly including the data brokers—where this sensitive data is winging its way to a final destination by storage device on public transportation or by electronic means. This is one of the true time-bombs of the identity crisis, and one the junk mailers have completely ignored so far. William Jackson writes in Government Computer News that “Crypto is no magic bullet for data protection,” explaining that “poor key management makes cryptography vulnerable.” Along with an algorithm, the “key” is used for encrypting and decrypting, and should be a number large enough that it cannot be guessed or determined by exhaustive search. In other words, too expensive for business to consider. Right now they would rather fight the legal battles and pay the fines.
There is only one authentic answer for controlling the identity crisis: Give consumers control over their names and personal data, and while we’re at it, compensate them when it is sold.