
Wednesday, October 31, 2007


The figure is frightening. 25.6 percent of total personal data breaches occur in higher education. A recent survey by CDW Government (CDWG) of 151 college and university IT directors and managers called the rise in data loss “alarming,” according to an InformationWeek article. CDW sells computer equipment and technology, and its CDWG subsidiary provides services to colleges and universities. Also from the report, fewer than 50 percent of campus networks are safe from attack, and 58 percent of respondents said they’d had at least one security breach in the past year. And all of this is up 10 percent over last year. Even scarier, only 8 percent of the respondents felt they had “very secure” networks. I went back to our standby, the Privacy Rights Clearinghouse Chronology of Data Breaches, to update the latest in higher education. As of October 30, there have been a total of 714 breaches since the first recorded in January of 2005. Of those, 183 have occurred in colleges or universities, a whopping 25.6 percent of the total. Medical data breaches come in second at around 14 percent. The educational community cites “lack of staff resources” as the biggest obstacle to securing its systems. Ah yes, protecting our names and private information always seems to be the stepchild when it comes to funding programs. CDWG rates the administrations at these schools a “B” for their support of IT security, but the faculty and students get a “C” because of a lack of awareness. As we know, apathy prevails in the public’s mind when it comes to privacy, particularly for something like ID theft, which they feel could never happen to them. But the worst finding of all in the CDWG report was that during the three years they have been conducting the survey, there has been no improvement.
On another front, the Miami Hurricane Web site exposed the university’s administration giving up student personal data, including Social Security numbers, to Sallie Mae, one of the largest providers of student loans in the U.S. In the online article, “the university confirmed that they had sent the personal data of students to private lender Sallie Mae, even though these students had not authorized them to do so.” There is some confusion as to whether the student application for eligibility counts as an actual loan application, which the U. of M. says allows it to provide the data to Sallie Mae. Not so, says John Beckman, director of financial aid for New York University. And according to Jim Bradshaw, a Department of Education spokesperson, the U. of M. may have violated the Family Educational Rights and Privacy Act, which protects students’ private information. OK folks, here’s the big question. Did the University of Miami get paid for the sensitive data it gave to Sallie Mae? If so, it is just one more example of the manipulation of our names and personal data in an attempt to exploit the American public. In this case the victims are young people who could be devastated at this age by the loss of their identity. If not, it still qualifies as reckless handling of our sensitive data.

Tuesday, October 30, 2007


The graphic you are viewing to the left of this post is part of an e-mail blast that was sent out by Southern California junk mail list broker Fasano and Assoc. to promote some of its “hot lists,” as the headline screams. (See article) Patricia Fasano, who founded and still runs the firm, has been around some 25 years and is a respected professional in the industry. During my 35 years as a junk mail list/data broker, I had dealings with the company, and found the personnel reasonably competent in handling their jobs. But the one weak link in an organization—which is all it takes for an incident like this or, worse yet, the loss or misplacement of consumers’ personal data that can end up exposing the private records of thousands—is exactly what I have been blogging about for almost three years. It is judgment of this type that leads to the mishandling of sensitive data in the junk mail business, data that has eventually ended up being sold by the identity theft underworld. Fasano has never misplaced or lost data that I know of, but she has also not said that she is firing this moron for sending the e-mail. To show their commitment to fighting the fires, the firm made a donation three days before the e-mail to the California Firefighters Association to buy various equipment. The overall intentions are good, but on this one dumb occasion nobody was watching the store, and that is precisely the kind of situation where your personal data can easily fall through the cracks. A New York public relations firm said Fasano should have had “checks and balances” in place for this kind of incident. They added that they had “never encountered a company without some approval process for ad and public relations copy.” Unfortunately we are seeing weekly accounts of questionable judgment when it comes to companies managing our names and private information.
The most flagrant are those who allow employees to haul off a laptop with all kinds of individual sensitive data and take it home with them, invariably leaving it in their car while they run errands or just leave the machine completely unprotected. Yes, it is more obvious to a person like me who sold your names and personal data, and witnessed episode after episode of incompetence in the junk mail list industry, including multiple examples of this data being exposed to almost anyone who might want to steal it. Fortunately, most of my 35 years were before the identity crooks discovered just how valuable this private information is, but that has changed significantly today. It does mystify me, however, that if these bad guys can recognize what a gold mine consumers’ sensitive data is, why can’t the consumer whose name and personal data it is figure that out? My new motto is: Hold on to your apathy and lose your identity!

Monday, October 29, 2007


There are two things that the privacy community has been saying for some time now—and that includes this blog—regarding announcements of data breaches. First, the number of personal records lost that is quoted by the company is probably less than it really is. Second, the selling of the stolen information by the ID theft underworld will continue for months to come. And that is exactly what has happened in the TJX (TJ Maxx, Marshalls in the US, Winners and HomeSense in Canada) case, which originally reported 45.7 million credit and debit card numbers stolen, but according to recent court documents in lawsuits against TJX, the new number is officially 94 million. Also, fraud-related cases from the breach involving Visa cards alone already range from $68 to $83 million spread across 13 countries, and, according to Visa USA’s VP of investigations and fraud management, this will continue for who knows how long. (See MSNBC story) One of the reasons the Visa executive, and other privacy activists like myself, are so sure the stealing of victims’ private information will continue is that it has happened before. Another is that the identity crooks were cruising around a Marshalls parking lot in 2005, able to access what they wanted using a directional antenna to download the data. And what they wanted was customer sensitive data to sell. breaks the total down to 29 million MasterCard victims and 65 million Visa victims, these figures also taken right from the same court files in Boston. The breach continued undetected for seventeen months, during which time the hackers had a field day in TJX’s central database. Legal action has also been filed against Fifth Third Bancorp, which processed some of the payment card transactions, and affected banks are seeking class action certification so others can join in the complaint.
From our neighbors up North, all-news radio 680 reports a new survey that says Canadians “are very nervous about their personal information.” That can be attributed to the fact that Canadian privacy law is much stronger than here in the US. (See earlier post on TJX) There’s a good chronology of incidents from the TJX breach, also on, that follows how the bad guys moved 80GB of data and remained undetected for seven months. First of all, TJX was found not to be PCI compliant. The Payment Card Industry (PCI) standard, backed by Visa, MasterCard and the other card brands, requires merchants to protect cardholder information by adhering to a set of security controls. With those controls missing, it was rather simple for the intruder to transfer the data over a high-speed connection to another site on the Internet in California. Even in 2004, before the breach, TJX had several security deficiencies identified that included specific violations. This was confirmed by a company consultant, who added that he had never seen such a void of monitoring in a company this size as he saw at TJX. It’s like the old saying, the gift that keeps on giving. Well, this is the kind of breach that keeps on taking…your money and time.


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85327. Please contact me by e-mail ( with any questions.

Saturday, October 27, 2007


My home state of Arizona has come forward since the escalation of the identity crisis to enact some good legislation to help control the handling of its citizens’ names and private information. My favorites are two statutes that cover the use of Social Security numbers. The first imposes a civil penalty on any government, business or individual that intentionally releases your SS#. They also can’t print the number on anything the individual is required to produce for products or services. The second prevents the use of SS#s by state colleges and universities as student IDs. The assigning of Social Security numbers as a means of identification in higher education has handily played into the hands of the ID thieves; this area represents over 25 percent of total data breaches, according to Privacy Rights Clearinghouse. Under other Arizona legislation it is unlawful to knowingly dispose of personal records or documents that include name, address, Social Security number, credit card numbers, driver’s license number, etc. And any person conducting business in the state that collects unencrypted private information and detects a breach of that information must notify the individual, but only if the breached entity determines there will be harm to the person. The latter, in my mind—and this is shared by a majority of privacy advocates—is a huge weakness in laws of this type. Arizona residents are covered in the confidentiality of their health records, with limitations on disclosure to parties such as physicians and hospitals, and as a matter of law. The Grand Canyon state recently enacted House Bill 2779, which made it against the law to take another person’s identity by purchasing fraudulent records. This was particularly directed toward the hiring of illegal aliens, and had quite an impact on the immigration issue in this state. You can see a listing of the 39 U.S. states with data breach laws by going to the Consumers Union site. Is your state there? If not, it should be.
Since launching this blog in April of 2005, I have felt that the answer to protecting our names and personal data was to enact federal legislation, because it would be a uniform approach to solving the issue. However, with the Congress we have been dealt, even with the Democratic majority, there seems no hope of reaching a consensus on anything resembling a data breach law, much less consumer control over their sensitive data. Therefore, it is my contention now that some state legislator like Senator Debbie McCune Davis—sponsor of Arizona’s Senate Bill 1345 requiring credit reporting agencies to allow residents to place a security freeze on their credit report—must take the bold step of introducing legislation granting Arizonans the right of control over their names and private information. And while we’re at it, let’s compensate them when it is sold. Let me hear from you about what’s going on in your state. E-mail me at:

Friday, October 26, 2007


A major finding was the fact that the ID crooks “are increasingly targeting personal information to make a profit and are threatening to impact people's privacy.” This blog has been making that point over and over since launching back in April of 2005. According to, the Microsoft report found one of the reasons for this condition is that organizations’ security and privacy officers don’t talk to each other. Duh. Why would they want to discuss a problem that could expose millions of their customers’ personal records? But apparently there is disagreement within some companies on how to manage private information, for two simple reasons: (1) security and privacy execs look at customer data as an asset that should be protected; (2) the marketing bunch looks at it as a resource for business objectives. I might add to the latter that during my 35 years in the junk mail industry, the “marketing bunch,” which included the list industry, had only one outlook: collect all the names and private information that is available, as fast as possible, and sell it as many times as the marketplace allows. The coverage of the study has a different take on departments’ cooperating, saying that the ones with the personal data tend to mismanage it, thinking at the same time that the IT department is securing it. The big question is who, and how many, have their finger on that big button that releases your private information? Unfortunately in many companies, the only ones who know this are the ones with the access. Management doesn’t have a clue in some cases. Another finding in the MS report was that the bad guys come up with new technology every day, making it honestly hard for corporations to keep up. From comes the report figure of 31.6 million phishing scams in the first part of 2007, an increase of 150 percent over the same period in 2006.
MS says a major portion of the thievery in the first half of 2007, including backdoors, bots, password stealers and keyloggers, came from just one family of malware, Win32/IRCbot. Another piece quotes the report as confirming the earlier confusion between company departments, saying 78 percent of management thought their marketing department informed security and privacy executives of what it was doing with your sensitive data. However, the marketers themselves reported this was the case only 30 percent of the time. It’s a situation where one hand releases the private information, with the other hand hoping like hell it will be secure. And that is not good enough, particularly when you consider the amount of revenue that comes from collecting and selling your names and personal data. The junk mail industry alone grosses over $4 billion each year. Why weren’t some of these profits invested in data security years ago, when the junk mail industry discovered the gold mine it is now panning so vigorously? I was there hawking lists as early as 1969, and the emphasis was always on collecting and selling, not on how we secure all this precious cargo. The Microsoft study comes out every six months. It will be interesting to see if the next study can report some progress in the identity crisis. I do have guarded optimism.

Thursday, October 25, 2007


The Federal Trade Commission (FTC) has decided to delay the purging of telephone numbers from the Do-Not-Call list until Congress decides whether to make registrations permanent. (See FTC release) A five-year limit had been established, after which numbers would be deleted if participants did not renew their registration. The registry now holds 145 million numbers, and is updated monthly to remove disconnected and reassigned numbers. The FTC feels confident it can still meet its updating standards even if the program is made permanent. The registry started in 2003, so non-renewed numbers were scheduled to be removed starting in 2008. A Harris Interactive survey released in January of 2006 showed that 94 percent of the public was familiar with the registry and 76 percent had placed their numbers on it. This is truly a program for which the FTC can be commended.


We haven’t rented movies from Blockbuster for some time now, and maybe never will again. In Sarasota, Florida, a man looking for boxes in the refuse bin behind one of their stores uncovered Blockbuster trash containing membership forms and employee applications that included names, addresses, credit card numbers and Social Security numbers. According to the Sarasota Herald Tribune, Jonathan Murray told Blockbuster what he had found, but when he returned the next day for more boxes, he found “credit card stuff.” What was available in the receptacle was clearly information that could provide ID thieves all the ingredients necessary to steal the identities of the customers affected. So, should we just write it off as another dumb mistake on the part of a company employee who either has a double-digit IQ or just doesn’t give a damn? It’s pathetic, and what is worse, it seems like this kind of incident will never come to an end. On the other hand, retailers in Connecticut are asking for help in alleviating the liability imposed on them by credit card companies like Visa and MasterCard, which require the stores to hold on to transaction data for one year to 18 months. (See article) This is yet another reason why there should be a standard rule for storing any individual’s sensitive data. And if the data collecting industry—which includes just about every commercial and government entity—won’t police itself, the feds or states should do it for them. To cap things off, a study done by Ponemon Research and commissioned by a Dallas-based law firm shows that, of 700 IT executives and security officers questioned, 85 percent said their business had experienced a data security breach.
Worse yet, “46% of those surveyed said their businesses didn't implement encryption solutions on portable devices even after suffering a data breach.” Larry Ponemon, founder of Ponemon Research, in, says that although organizations have experienced a number of data breaches, the upper and middle echelons of management have been kept out of the loop on this issue. But the top guys have been watching more closely since the TJX (TJ Maxx, Marshalls, etc.) data breach, where over 45 million credit and debit card numbers were stolen, in large part because of the weak encryption protecting TJX’s store wireless networks. Just yesterday, that figure was increased to 94 million account records. So “Who do you Trust?” as Johnny Carson would say on his show of the same name back in the 1950s and 1960s. I don’t want to appear altogether cynical, but it is hard to place our trust in businesses and government agencies that seemingly and everlastingly continue to lose our sensitive data, or knowingly place it in a position for the bad guys to steal. In the Blockbuster Sarasota episode you have this recklessness going on at the smallest level, and when you turn to a TJX the magnitude of the crisis may be colossal, but it still boils down to incompetence. And that is why we must grant consumers control over their names and personal data, and while we're at it, compensate them when it is sold.



Wednesday, October 24, 2007


I signed on to Microsoft’s HealthVault yesterday just to learn what exchange of sensitive data was involved. From what I learned, it is the most aggressive effort yet to profile your medical history. In the first place, security was very good in establishing my “Windows Live ID” account, which HealthVault uses to authenticate that you are who you say you are. I found out that a password I have been using for years is “weak,” so I tweaked it a bit with guidance from MS, and I was in. If you have never tested the strength of your password(s), I suggest you go to this site to see how strong the one you are using is. From there it was necessary to tell HV about myself, which included in the required fields: name, e-mail address, country of residence, zip code, date of birth and gender. Later they ask for your middle name, telephone number, postal address, ethnicity, and what language you speak, although this is not necessary to complete your membership. There is a wide variety of selections that help you through the sign-up process and then through cataloging your personal health data, from “Getting Started” to “Help.” Then there are sections for your “Health Records,” “Health Details,” and “Account Profile.” Under these headings you list your health information, documents, how you want the information shared, health programs in which you are involved, your health history and your personal profile. No requirements that I can see would be unacceptable to the privacy-conscious individual, that is, until you willingly give up your medical history. Or, as Microsoft has indicated is the direction it expects the program to go, let your doctor(s) enter your private medical information. OK. Either I input it or my doctor provides the data. How safe is it really going to be? MS says the medical records will be encrypted, but does not say at what level.
After considerable effort to find a way to pose this question to HealthVault, I finally found the location, but only after searching several links. They promise a reasonably fast reaction, so I will let you know when I know. In the meantime, Kachina Dunn, editor in chief of ITBusinessEdge, questions whether consumers will let their distrust of Microsoft’s security record keep them away from the tool. She does feel that the fact that HealthVault is housed with a provider outside the healthcare industry is a plus, and I agree, based on that industry’s track record with breaches. (See earlier post on MSHV) HV is the brainchild of Microsoft’s CEO, Steve Ballmer, who in 2000 described his grand vision, to which the industry wasn’t particularly receptive, reports the Economist. In the article an MS employee explains the targeted search method, which relies on a “vertical” approach to get at more relevant results. It would outshine the strategies of Google and Yahoo by examining all the records of the HV database, while at the same time keeping tabs on members’ past queries. And therein lies the problem, according to Sean Nolan, the MS employee, since Microsoft is selling the program based on enforcing strict privacy rules. If they do that, says Nolan, this “would preclude such data mining.”

Tuesday, October 23, 2007


California Assemblymember Dave Jones from Sacramento is responsible for two excellent laws affecting the individual’s sensitive data. One, AB 1168, requires eliminating full Social Security numbers of California residents from state records. The second, AB 1298, requires businesses and state agencies holding medical information to notify patients whose data is subject to a breach. What didn’t get done was what Jones considered “my highest profile privacy bill, AB 779.” The reason is that Governor Schwarzenegger vetoed the bill, siding with the business community over the consumer. See the article in the California Progressive Report. The bill would have prohibited the storing of payment verification data taken at the point of purchase when a credit card is used, improved the way breached companies must report an incident, and made those responsible for the breach pay some of the costs of credit card replacements and consumer notification. This is landmark consumer legislation that had a large coalition of supporters. The bill passed the State Assembly by a vote of 73-0, and the State Senate by 30 to 6. If I were Assemblymember Jones, I would have been stunned by the veto. See my Oct. 19 post. So where do we go from here? I would like to see Dave Jones introduce a bill in the California legislature that grants the state’s citizens control over their names and personal data, adding a section that would compensate them when it is sold. I told him this directly in an e-mail, and I look forward to his reply. I had thought some time ago that federal legislation was the answer, but this Congress can’t even agree to pass this kind of law. This was covered in a post back in September. There are now two states that seem serious about controlling the loss to crooks of consumers’ names and private information. They are California and Minnesota, representing 41,624,650 people, or just under 14 percent of the population.
Business and government could not argue with those figures alone, but what if more states jumped in with similar bills, adding more population to the mix? I’ll tell you what. The Bobbsey Twins of data breachers (business and government) would realize the public is serious about protecting its sensitive data, and that state legislatures support it on this issue. It could put in place the foundation for guaranteeing every American the privacy that is their right, and at the same time rejuvenate public confidence in dealing with business and government. If you agree, maybe it’s time for all of us to contact our state legislators and tell them we’re mad as hell, and we’re not going to take this anymore. Too bad we don’t have a Howard Beale around today!
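The Oct. 19 and Oct. 23 posts describe what AB 779 would have prohibited: storing payment verification data captured at the point of sale. The same rule already exists in PCI DSS, the standard the Oct. 29 post notes TJX was found not to comply with: sensitive authentication data (full magnetic-stripe track data, CVV2/CVC2, PIN blocks) must not be retained after authorization, a stored card number (PAN) must be rendered unreadable, and at most the first six and last four digits may be displayed. What follows is an added example of mine, not code from the blog or from any of the bills, showing what a merchant's "what do we keep after authorization" step looks like, plus the detection check a security team would run over POS logs to catch track data that leaked anyway. The record field names, the HMAC secret and the card number (4111 1111 1111 1111 is the standard Visa test number) are constructed sample data.

```python
"""Added example: drop sensitive authentication data from a POS authorization
record before it reaches any log or database, keep only a masked PAN plus a
keyed token for lookups, and scan free text (e.g. a POS log) for stray
track-2 data. Field names and sample values are constructed for illustration."""
import hashlib
import hmac
import re
from typing import Any, Dict, List

# PCI DSS sensitive authentication data: may be used to authorize, never stored after.
SAD_FIELDS = frozenset({"track1", "track2", "cvv2", "pin_block"})

# Track 2 as read from a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, so garbage is not tokenized as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits is the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, secret: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN for duplicate/lookup purposes.
    A plain SHA-256 would be brute-forceable: within one known 6-digit BIN there
    are only about 10^9 Luhn-valid 16-digit PANs. The secret key removes that."""
    return hmac.new(secret, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_for_storage(auth_record: Dict[str, Any], secret: bytes) -> Dict[str, Any]:
    """Return the subset of an authorization record that may be retained."""
    stored = {k: v for k, v in auth_record.items() if k not in SAD_FIELDS}
    pan = str(stored.pop("pan"))
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("refusing to store record: PAN fails format/Luhn check")
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan, secret)
    return stored


def find_track2(text: str) -> List[str]:
    """Detection side: masked PANs of any track-2 strings found in text, e.g. a POS log."""
    return [mask_pan(m.group(1)) for m in TRACK2_RE.finditer(text)]


# Constructed sample data (not a real transaction, key or log line).
SAMPLE_SECRET = b"rotate-me-and-keep-me-in-an-hsm"
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "expiry": "2512",
    "cardholder": "J DOE",
    "cvv2": "123",
    "track2": ";4111111111111111=25121011234567890?",
    "amount_cents": 4999,
    "auth_code": "A1B2C3",
}
SAMPLE_LOG = "2007-10-19 12:00:01 POS7 swipe ;4111111111111111=25121011234567890? approved"

if __name__ == "__main__":
    print(scrub_for_storage(SAMPLE_AUTH, SAMPLE_SECRET))
    print(find_track2(SAMPLE_LOG))
```

The retention period the card brands impose on merchants (the 12 to 18 months the Connecticut retailers complain about in the Oct. 25 post) applies to the scrubbed record; nothing in the original authorization record beyond that subset needs to survive the authorization response, which is the point AB 779 was trying to write into law.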

Monday, October 22, 2007


Microsoft’s new HealthVault would not be such a bad idea if it didn’t portend yet another increase in the collection and selling of your sensitive data. I am not even implying that is what Microsoft has in mind, but the sale of medical-related information is already big business in the junk mail industry. There are 1,403 “medical related” lists on the market representing every ailment from Alzheimer’s to ulcers, and each medication you take from Advil to Zoloft. There’s a new list on the market called MedTrackAlert Ailment eNewsletter, where 500 thousand online consumers signed up for a free newsletter and asked for information on various health subjects, and now their names and e-mail and postal addresses are for sale. A physician does make his case for the HealthVault approach to accessible medical data: for doctors, as a patient, and if you provide health care for a family member. See article. That’s a good thing, but it never seems to stop there. First of all, the loss of your medical records by the institutions that hold them is running at a record pace. The VA breach of 26.5 million records, Ohio U., 60,000 student records, UCLA, over 800,000 records, and the list goes on. When you Google “medical data breaches” you get 234,000 hits. Second, the minute a new piece of consumer information is collected by most organizations, there is that immediate-impulse mentality to get it ready to sell. This is demonstrated by a total of over 50,000 junk mail lists on the market, more specifically the 1,403 devoted to medical data. And there is also the alleged sale by the Albertsons food and drug chain of customer names and prescription data to pharmaceutical companies in 2004, which resulted in a lawsuit filed against the chain by Privacy Rights Clearinghouse. MS says of HealthVault, “The personal information will be stored in a secure encrypted database,” according to a New York Times article. The question is, what level of encryption, and is it secure enough to ward off hackers?
The TJX (TJ Maxx, Marshalls, etc. retail stores) customer card data was also encrypted as it crossed the stores’ wireless networks, but with WEP, a protocol weak enough that the crooks could capture and decrypt it with a directional antenna while cruising a store’s parking lot. MS also says it isn’t expecting much information from the individual, but hopes the individual will grant permission for its release from doctors and hospitals. I haven’t signed up yet, which I plan to do just to find out the parameters of the program, but I did get some specifics from the initial stages of the process. They are: you control your HealthVault; you decide what information goes in or out of your record; MS won’t use your “health information for commercial purposes unless (they) ask and you say clearly that (they) may.” And there lies the problem, in that the complexity of any approval of the use of your name and personal data by an outside source can be confusing. It is hard to understand and digest on the spot, which is the position you are in when signing on, or even eventually when you are contacted for approval. Trust me…data collectors always get what they want, and that is the reason we are in the identity crisis that exists today.

More on this later.



Saturday, October 20, 2007


This is a quick update on the worst data breach ever. In case you were in another galaxy, TJX, parent of TJ Maxx, Marshalls and other US and Canadian retailers, lost 45.7 million customer credit and debit card numbers to hackers, as first announced back in early 2007. Apparently the bad guys had been at work stealing the company’s customer information since 2003, and in 2005 were able to access what they wanted from the parking lot of one of the Marshalls stores, using a directional antenna to capture the data. Say what you want, but that’s very sophisticated planning. Based on the potential cost to TJX for the breach—it has been estimated at $4.5 billion—you’d think these folks would have been watching the store more closely. In a new report issued by the Office of the Privacy Commissioner of Canada—TJX stores in that country are run by Winners Merchant Int’l—the company failed to set adequate standards that could have prevented the break-in. See Wi-Fi Planet story. The article indicates that although other factors contributed to the breach, the actual reason is the fact that TJX relied on a weak wireless encryption protocol (Wired Equivalent Privacy, WEP), which allowed the parking lot bandits to do their number. They should have converted to the stronger standard (Wi-Fi Protected Access, WPA). See definition. Canadian investigators deemed that “The risk of breach was foreseeable…” TJX actually knew something was going on in 2006, according to the report. So why weren’t steps taken to improve the encryption? I cannot answer that question, but I can reply to how we can stop this kind of identity fraud for good. Give consumers control over their names and personal data, and while we’re at it, compensate them when it is sold. While the Congress, and most states, toy with legislation that applies only after the breach has happened, my concept of control prevents the act from ever occurring. Please tell me if there is something wrong with this idea.
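The Canadian report, and the Oct. 22 post above, put the blame on WEP. As an added illustration of mine (not from the blog, and not a reconstruction of what the TJX intruders actually did, which the court and commissioner documents describe only in outline), here is the keystream-reuse weakness that lets a passive listener in a parking lot read WEP traffic: RC4 is keyed with the 24-bit clear-text IV prepended to the shared key, so any two frames that repeat an IV are encrypted under the same keystream, and a listener who knows the contents of one such frame (say, a request he provoked himself) recovers the keystream and reads the other. With only 2^24 IVs, the birthday bound puts a repeat at roughly five thousand frames, a few minutes on a busy store network. The key, IV and frame contents are constructed sample data; the CRC-32 integrity value that real WEP appends is omitted, everything else is standard RC4 and the 802.11 WEP framing.

```python
"""Added example: WEP IV reuse. RC4(IV || key) is the per-frame keystream and the
IV travels in the clear, so a repeated IV means a repeated keystream.
Key, IV and payloads below are constructed sample data; the CRC-32 ICV that
real WEP appends to the payload is left out for brevity."""
import math

IV_LEN = 3  # WEP IVs are 24 bits, transmitted unencrypted in front of each frame


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns the first n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as WEP sends it: clear IV, then payload XOR RC4(IV || shared key)."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IV must be 3 bytes")
    return iv + xor_bytes(payload, rc4_keystream(iv + shared_key, len(payload)))


def recover_with_known_plaintext(known_frame: bytes, known_payload: bytes, target_frame: bytes):
    """Passive attack: if the two frames share an IV, derive the keystream from the
    frame whose plaintext is known and decrypt the other (as far as the known
    plaintext reaches). Returns None when the IVs differ. No key is needed."""
    iv_known, ct_known = known_frame[:IV_LEN], known_frame[IV_LEN:]
    iv_target, ct_target = target_frame[:IV_LEN], target_frame[IV_LEN:]
    if iv_known != iv_target:
        return None
    keystream = xor_bytes(ct_known, known_payload)
    return xor_bytes(ct_target, keystream)


def frames_until_iv_collision_50pct(iv_bits: int = 24) -> int:
    """Birthday bound: about sqrt(2 ln 2 * 2^iv_bits) frames give a 50% chance of a repeat."""
    return int(math.sqrt(2 * math.log(2) * (1 << iv_bits)))


# Constructed sample data: a WEP-40 key, one IV, and two frames that reuse it.
SAMPLE_KEY = bytes.fromhex("0102030405")
SAMPLE_IV = bytes.fromhex("a1b2c3")
SAMPLE_KNOWN_PAYLOAD = b"GET /index.html HTTP/1.0\r\n\r\n"   # traffic the listener provoked
SAMPLE_TARGET_PAYLOAD = b"PAN=4111111111111111;EXP=25"      # what the register sent next
SAMPLE_KNOWN_FRAME = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_KNOWN_PAYLOAD)
SAMPLE_TARGET_FRAME = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_TARGET_PAYLOAD)


def demo() -> bytes:
    """Recover the target payload from the two captured frames without the key."""
    return recover_with_known_plaintext(SAMPLE_KNOWN_FRAME, SAMPLE_KNOWN_PAYLOAD, SAMPLE_TARGET_FRAME)


if __name__ == "__main__":
    print("frames for a 50% IV repeat:", frames_until_iv_collision_50pct())
    print("recovered:", demo())
```

WPA's TKIP and WPA2's CCMP fix exactly this: the per-frame key or nonce is derived from a 48-bit counter that never repeats within a session, and the integrity check is keyed, so neither the keystream-reuse trick above nor the forgery tricks that WEP's plain CRC-32 permits apply.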

Friday, October 19, 2007


The colorful Governor of California, Arnold Schwarzenegger, has apparently now shown us just where he stands on the issue of which is the most important: the consumer or big business? Arnie just vetoed a highly bipartisan bill in the California legislature that was introduced by Assembly member Dave Jones, a Democrat from Sacramento. According to, Assembly Bill 779 would have prohibited the storing of payment verification data taken at the point of purchase in the use of a credit card. California Chronicle reports that the bill would also improve the way data breaching companies would have to report the incident, and make those responsible for the breach pay the costs of credit card replacements and consumer notification. then articulates why the legislation was so important by documenting a “significant amount of fraud” committed following the TJX breach (TJ Maxx and Marshalls in the U.S., Winners and HomeSense stores in Canada) of more than 45 million (largest ever) credit and debit card numbers. Suspects are accused of using these stolen credit card numbers to buy gift cards to purchase big-ticket items like big-screen TVs and computers at Wal-Marts and Sam’s Clubs in Florida. Hackers started lifting personal data as far back as 2003, with costs to the company as of May 2007 at $17 million, and an estimate that it could eventually cost TJX $4.5 billion. Canadian authorities placed much of the blame on a weak data encryption protocol used by TJX, calling this breach a foreseeable event just waiting to happen. In the US, the FTC launched an investigation of TJX in March of 2007; it is now seven months later with no official announcement. Yet another example of how Canadian consumer law is light years ahead of this country. So back to the movie star turned politician—haven’t we been there before—who thinks the California bill would be too costly for business.
How about the average cost to the ID theft victim of $5,720, and the 40 hours necessary to clean up the mess? These people are not important to the GOP—Schwarzenegger, of course, is a Republican—when they can fawn over big business, giving them their way with an innocent consumer that’s taking it in the rear end under the Bush administration. Tom Smith has an excellent article on that questions the Governor’s veto. Here’s an exact quote:

“Gov. Arnold Schwarzenegger's veto of a California bill aimed at increasing the state's data protection standards, in part based on his view that the marketplace is handling consumer data protection, raises a troubling question: What planet is this guy living on?”

Smith goes on to quote more Schwarzenegger comments on the bill that are some of the dumbest and most naïve about the consumer’s plight that have ever come out of a politician, even if he is a Republican. Arnold thinks the marketplace (the ChoicePoints and TJXs) has already established responsible security for the protection of the public. And, this industry (data brokers, junk mailers, retailers, etc.) is in a “superior” position to ensure consumer security. These statements are enough to make privacy advocates throw up. So that leaves Minnesota with the only legislation holding retailers responsible for ignorance in private information handling. And in Minnesota you can file your own lawsuit against the company breaching your sensitive data, which wasn’t in the California bill. Maybe the Golden State is losing its luster and needs another Pat Brown. Think about it.


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA and send your check to Control Your Name Alliance, Inc., at P.O. Box 347, Cave Creek, AZ 85327. Please contact me by e-mail ( with any questions.

Thursday, October 18, 2007


U.S. Representative Michael R. McNulty from New York has introduced the Social Security Number Privacy and Identity Theft Prevention Act of 2007. Its purpose is to amend the Social Security Act to enhance Social Security account number privacy protections, to prevent fraudulent misuse of the Social Security account number, and to otherwise enhance protection against identity theft, and for other purposes. This is good legislation, and even when we accomplish my concept of granting consumer control over their names and personal data, this law would still stand as an important barrier to accessing individual private information. The Care2 group has a petition drive going that is sponsored by Consumers Union, and you should go there to add your name to the list of people who are concerned about the safety of their sensitive data. There are currently 6,535 signers to the petition; that’s 85 more than when I signed on Wednesday morning. The goal is 20,000 signatures. To help you make up your mind on this issue, Consumers Union in their Consumer Reports publication has the results of a poll released on September 6, 2007. It found that “consumers are routinely asked to provide their Social Security numbers and that requests come from a wide variety of businesses, many of which have no clear need to collect these numbers.” Other findings were:

• 87 percent of you were asked last year to provide your SS# in whole or part by business or government; 42 percent on the phone or Internet to access goods or services or to verify identity.
• Others looking for your SS# were employers, insurance companies, colleges, cable TV or cell phone cos., utilities, and retailers.
• 78 percent of you don’t want to give up the number, but are afraid it will affect the transaction you are trying to complete.
• 23 percent of Americans have been victims of identity theft or have a family member who was.
• A whopping 97 percent of you want remedies to help thwart potential fraud. You can have this if you join my grass-roots movement to give consumers control over their names and personal data and compensate them when it is sold.

There is one disturbing statement in the report, at least to me. “Consumers Union recommends that the sale and purchase of Social Security numbers be tightly restricted,” and they go on to suggest prohibition of using them as identification. I cannot imagine an instance where it would be necessary, certainly not advisable, to sell your Social Security number. And, when my concept of control over your names and private information is adopted, arrangements are made for ID confirmation in a procedure that in no way jeopardizes the individuals’ sensitive data. But you have to jump on the bandwagon and let me know of your support. That’s all, but I do need to hear from you.

Wednesday, October 17, 2007


Back in April of 2006, I signed up for the American Assn. of Retired Persons (AARP) prescription plan made available through the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA). By April 12, 2006, I had received a mailing from Walgreens soliciting my business and offering help with my Medicare Prescription Drug Program. The mailing was disguised with an address to “The Dunning Household” but there was no doubt in my mind where Walgreens got my name. It had to be from my signing up with Medicare because nothing else had changed. I contacted AARP in May of 2006 to ask why, without permission, my name had been given to Walgreens. In a series of e-mail replies, I was recommended to a general number at United Health Care who administers the program for AARP. When calling this number, the person answering had no idea what I was talking about, and referred me to another number where I left a message that was never returned. Back to AARP where I asked for a direct contact at United Health Care, which they refused to give me, referring me back to the useless number, eventually blowing me off with “I am sorry but I do not have further information.” I have been an AARP member for over 25 years and, needless to say, I was shocked when this organization refused to provide assistance in my concern over the privacy of my personal data. United Health Care finally sent me their “Notice of Privacy Practices” in November of 2006 which you can read here, and, considering the number of ways they disclose your information, probably explains how Walgreens got my name. By the way, I received another Walgreens mailing still soliciting my prescription business in January of 2006, this time addressed to “The Dunning Family.” And then in June of 2007, AARP automatically signed me up for their “RX Prescription Solutions” program, also administered by United Healthcare, with an opt-out date that was impossible for me to meet. 
It said I could cancel later, which I decided to do, primarily so I could monitor the activity using my private information. I was deluged with mail touting everything from an upgrade in the Medicare prescription program to trying to sell me drugs by junk mail. One particular mailing included six medications I currently take or have taken, indicating how AARP/United Health Care could save me money buying through them. I decided to cancel RX Prescription Solutions. If you are having similar problems, or have an opinion on this issue, contact AARP and tell them how you feel. OK. So what’s all the hullabaloo for if this is only about unwanted junk mail? The problem, of course, isn’t receiving the mail; it is the database that was created with my personal data, including health information, that concerns me. Even when I cancelled the program, they still retained my sensitive data, just moving it to another inactive database they will eventually use to try and sign me up again in the future. And this isn’t over-reaction, because in my 35 years as a junk mail data broker, I have witnessed thousands of databases like this one created, and most of them are still around in the archives, some with minimum security, and could provide the next avenue for attack by the ID crooks.

Tuesday, October 16, 2007


In yesterday’s post I took Albertsons/OSCO to task for starting another program to collect your private medical data, and manipulate it for their benefit. In the company’s mailing to my wife, she wasn’t even given the option to say whether she wanted to join. She was in, and if she wanted out she had to call Albertsons. Privacy Rights Clearinghouse (PRC) is concerned, as you can see by the “Alert” posted on their site. I urge you to read this article from PRC, because it confirms everything I reported on Albertsons/OSCO in Monday’s post, like proceeding with programs (NextStep Prescription Support) that involve prescription information compiled in an easily retrieved database, without the customer’s permission. By the way, your doctor has no idea they are doing this. And now Dominick’s, a food and drug chain in the Midwest owned by Safeway, is mailing out letters similar to those I reported Albertsons was sending in 2005 and early 2007; see here and here. It all sounds so mysterious. Out of the blue you receive this notification from your local pharmacist that your prescription for “X” may be overdue, but you should ignore this communiqué if your doctor has changed your prescription or has given you other instructions. In other words, the sender doesn’t have the slightest idea what your specific situation is, but if at all possible, they want their Rx for “X” renewed. Older folk might be confused by this approach into thinking they may not be taking their medicine properly and make critical mistakes. After all, it comes from their trusted pharmacist, who, for many of us, represents a very important second line of health information and communications. It is just one more example of how our names and personal data are used to sell us something, or be sold for huge profits by the junk mail and non-junk mail industries.
In my concept of control over consumers’ names and private information, the pharmaceutical business would be at the top of the non-junk mail list, along with all the other similar companies who have recently decided that collecting and selling your sensitive data is a new-found treasure of revenue. It is only a matter of time until pharmaceutical corporations start to perform data mining/predictive modeling in a serious fashion to determine who they can coerce into switching medications. That is, if they aren’t already doing it secretly. With all the consumer information out there on ailments suffered and prescriptions taken, then combining this with demographic data like age, income, occupation, etc., compounded further with lifestyle habits like drinking, smoking, gambling and the like…the individual doesn’t have a fighting chance. Especially should these databases be used in the hiring of employees, determining insurance eligibility, and for securing home mortgages or other types of credit. Think they won’t do it? Innocent Americans didn’t think their own President would spy on their phone calls either.

Tomorrow: AARP tries the same negative-option approach as Albertsons and Dominick’s.



Monday, October 15, 2007


Just when you thought you could go back to the Albertsons/OSCO pharmacy without worrying about your personal data, they start yet another program that will document all medical-related activity at your friendly OSCO pharmacist. I called mine, the pharmacy manager, to raise hell, and he didn’t even know about the program called “NextStep Prescription Support.” My wife wasn’t given a choice of joining; she’s in the program unless she takes the time to call them and cancel. It’s called “negative option” in junk mail, and one of the most devious methods used to acquire customers. I did three posts on Albertsons/OSCO starting in October of 2005 (See one, two, three) about requests for my Social Security number, and mine and my wife’s driver’s license numbers for their database, and also mailings we were receiving then with private information about our medications. Privacy Rights Clearinghouse (PRC) filed a lawsuit in September of 2004, charging Albertsons and its drug chain subsidiaries OSCO, SavOn, and Jewel-OSCO, with “violating the privacy rights of thousands of its customers by illegally using their confidential prescription information to conduct targeted marketing campaigns on behalf of drug companies.” In a direct quote from the PRC action, “The complaint alleges that Albertsons’ pharmacy customers receive direct mail and phone solicitations derived from confidential customer medical information provided to the pharmacy solely to fill prescriptions. The solicitations look like they are from the patient’s concerned local pharmacist and remind the customer to renew a prescription or consider an alternative medication. But they are actually generated for pharmaceutical company’s sales purposes by a specially-designed marketing database, sold by Albertsons. The phone calls customers receive are intended to more urgently communicate the same message. 
Written authorization from the customer is not first provided as legally required.” So you ask why we are still dealing with Albertsons/OSCO if they are into so many of these shenanigans. Because someone has to keep an eye on them, and I am also working on another story about the pharmaceutical industry to which I know I can depend on Albertsons for a major contribution, based on their track record. According to the letter we received—displayed at the beginning of this post—the NextStep Prescription Support Program comes with financial support from Procter & Gamble Pharmaceuticals and Sanofi-aventis, neither of which gets to see your “personal information,” Albertsons professes at the end. There have been changes at Albertsons Inc. out of Boise, ID in the past couple of years, in the sale of some 661 Albertsons stores around the country to investor group Cerberus Capital Management, LP, with headquarters in New York. It is from this organization that my wife’s letter was received. The new Albertsons LLC will be headed up by Robert Miller, who exclaims that now that they are smaller, they can better deal with things at the local level and “have a more targeted focus on what is right for the customer and be able to make those decisions much more quickly and closer to them.” In the case of the NextStep Prescription Support Program, he’d better rethink that decision.

Tomorrow: More on "Pharmacies Profiting at Your Expense."

Saturday, October 13, 2007


Planning to switch your auto insurance coverage? List company Focus USA may have you in their database, with other personal data like age, income, whether you have children, invest, travel, carry a credit card and if you are Internet connected. Here’s another data mining/predictive modeling program (See former post) designed to forecast your habits, this time in purchasing auto insurance, and based on marketing research of “consumer behavior and intentions.” The latter is most likely survey mailings that ask questions tied to products or services where the answer is prompted by what product or service the consumer wants to receive from the survey. The downside to a list like this is a ton of mail to recipients who may not want it, plus the fact that once again you are labeled personally with characteristics that may not be true, and could be damaging. Does it bother you that all of a sudden National Intelligence Director Mike McConnell has become more open to sharing the details of government surveillance? It’s beginning to sound like the carrot to sway Congress in the Bush/Cheney plan to shield the likes of AT&T, Verizon, and other telecommunications companies from prosecution. These guys are alleged to have given up private information on innocent Americans in the NSA surveillance activities back in 2005 and should at least be investigated. Based on a May 31 ruling, the government now must get court warrants if any telephone activity travels in a US network. McConnell did say that fewer than 100 people inside the United States are being monitored under FISA warrants. We’ll see who wins this one between Congress and the Bush administration. It’s happened to Pfizer again, but it’s not their fault this time, according to Ed Silverman’s Pharmalot blog. The problem in the latest of four breaches is with Wheels, the company that supplies cars for Pfizer, and it is fortunately limited to only 1,800 employees.
The bad news is the data released—without encryption—is name/address, date of birth, and driver’s license numbers. All that’s necessary for the ID thieves to dig further and open the door to the individuals’ more sensitive data. This one also points the finger again at companies holding consumers’ personal data that are working for other companies responsible for that data. Eventually the hammer has to come down on one side or the other because of the number of incidents, and also because ultimately the victims have to look to one entity as the responsible party for their dilemma. Here’s a great idea! Demand the names of companies who breach consumer data, and publicize them in a “public shaming” as Lisa Vaas suggests in a story. She doesn’t have much hope that this will help in view of the apparent lack of concern consumers and investors showed over the worst ever TJMaxx data loss of over 45 million customer debit and credit card numbers. Clearly both the consumer and the investment community decided to overlook the potential disaster in light of the company’s much “improved” sales results. Not that I want to see TJMaxx parent TJX suffer needlessly, but you would expect an educated public to be somewhat hesitant over this kind of conspicuous incident. At the very least to stand back and question just what security measures the company would take to prevent this from happening again. But no, it’s just another excellent example of the “Apathetics” that populate the marketplace, thinking it could never happen to them.

Friday, October 12, 2007


This must be a big shock to the junk mail industry, when I agree with them on such a sensitive issue as consumers receiving junk mail. But there are good reasons why I don’t think a Do-Not-Mail law is a good idea, whether on a state level or federal. First, junk mail, unlike its counterparts, telephone solicitations and e-mail spam, can be easily discarded if not wanted. Second, if my concept of control over their names and personal data is granted to consumers, the problems of environmental waste and privacy will go away. Why? Because the individual will then determine what they receive, and who has access to their private information. Third, I don’t want to halt all junk mail. Rather, I want to harness its power to rightfully share the wealth with the name-holder in their later years by supplementing the retiree’s Social Security and/or pension by an average of $607 monthly. This would come from the $4 billion collected each year by the list business through selling your names and personal data. Editor & Publisher has an article about the concern of the DMA that do-not-mail proponents will find the same success as the do-not-call list, and it has organized a group, “Mail Moves America,” to fight the trend. John Greco, DMA President, says the environmentalists and privacy advocates “distort the facts in their efforts to eliminate advertising mail to consumers.” C’mon Greco, it’s junk mail until your band of shotgun marketing cowboys can eliminate the need to mail 100 catalogs to get just one or two orders, with the rest going in the trash. On the DMA Web site, they list the states that have do-not-mail legislation in the making. The fifteen states range from Arkansas to Washington state, and include large population areas like New York, New Jersey, and Texas. Curiously missing is California, where it all started with the outing of the ChoicePoint data breach.
Believe me, I want to bridle the junk mailers from the reckless handling of your names and private information, but the way to accomplish this is not to enact state laws that could bring the consumers’ potential golden goose to a standstill. If you want legislation, consider passing a federal law that gives individuals control over their sensitive data, while compensating them when it is sold. I doubt seriously if Greco will bring this idea before his minions when he opens the annual junk mail conference tomorrow in Chicago.



Thursday, October 11, 2007


Although not biblical, the headline does portray the story of how your name is sold once you have made that junk mail purchase. And that process restarts each time you embark on a new shopping venture with another order through catalogs or other junk mail advertising. Depending on your zip code, how much you spend, and a host of other criteria, your name and personal data could be sold from 25 to 50 times each year. Per junk mail purchase. According to, a non-profit organization concerned with junk mail’s effect on the environment, as a result of the sale of your sensitive data, you receive 10.8 pieces of junk mail weekly, which adds up to around 560 each year. You also want to consider that with each of those weekly mailings, your name and private information move through at least five additional transitional events like computer houses, transportation carriers, mail houses, etc., before the junk mail arrives at your address. That adds up to 54 incidents per week, 2,800 for the year. Each providing the opportunity for identity thieves who have escalated their attention now toward the more sophisticated approach of planning the heist, rather than just letting it fall into their lap. Junk mail industry publication, DM News, in an article earlier this year, made the statement: “Studies show that 70 percent of the U.S. population prefers direct mail to e-mail or phone calls.” My gut feeling is that nearly 100 percent of the population prefers anything other than junk e-mail and phone calls. The study also found that additional consumer reaction objected to junk mailers who sent them “way too much mail.” And then there’s the Direct Marketing Assn. (DMA)—who is holding its annual convention in Chicago this weekend—where I posed a recent question to their privacy dept. asking how a junk mailer would handle the selling of a person’s name, if the customer had opted-out with the company selling the name. 
This is an area in which I think junk mail companies might be lax, as far as updating their lists, and one that could produce an enormous amount of unwanted mail. Marsha Goldberger, Director, Corporate Responsibility for the DMA, replied with: “DMA members are required to abide by our Guidelines for Ethical Business Practice, which address your opt-out question.” You can look at the “Guidelines” yourself by clicking on the highlighted area and scrolling to article #31, but I will also provide a capsule version here. The regulations say any opt-out names should be removed from all lists, and consumers who do not want junk mail should not be sold to other junk mailers. The definition of “should” from is: “plan to, intend to, or expect to.” I’ll let you determine DMA member compliance based on the number of pieces of junk mail you receive weekly and annually. I’ve been saying it all week, but it is downright distressing that at the DMA exhibition starting on October 13 at McCormick Place West in Chicago, more time will not be devoted to junk mail’s major contribution to the ID theft crisis. It is becoming more and more obvious each day that the industry will have to be forced into acceptance of the fact that consumers should have control over their names and personal data, and be compensated when it is sold. And that may very well require federal legislation.

Wednesday, October 10, 2007


Not my words; the words of some conventioneers who will arrive at McCormick Place West in Chicago on October 13, to learn more about how to locate, collect, and sell more of your names and personal data. Junk mail industry publication DM News has an article on what attendees want and don’t want at these annual shows. It was the less “sanguine” bunch that considered it a necessary evil. Does that mean that some members of the junk mail business are suddenly less optimistic about its future? Probably a direct result of my constant prodding of junk mailers to grant consumers rightful control over their names and private information, and compensate them when it is sold. Yeah…sure. For 35 years I made my way to these events as a junk mail list/data broker, and all I ever got out of it—as well as many of the participants I talked with—was the socialization factor. Hang around, have a few drinks, and tell other brokers how good your business was. But, admittedly, you had to be there to keep the competition from stealing your clients. It seems John Greco, DMA President, was asked by DM News who wouldn’t be at the convention who should be. His answer: “everyone who isn’t.” What? That statement flies in the face of his reaction to my suggestion six months ago, which recommended to Greco that he invite interested Chicago residents to the exhibition hall to ask list professionals just how their names and personal data are being sold everywhere non-stop. He didn’t even give me the courtesy of an answer. It could have been sort of a forum for consumers to find out what this secretive junk mail business is all about. He didn’t reply then, but now it seems like there might be room, so I suggest if any of you Chicagoans are curious about your sensitive data, hurry down to McCormick Place West during the show dates, Oct. 13-18. Tell Greco I sent you.
As you would expect from an annual convention, there will be meetings and workshops mixed with frivolity on everything from a “Boot Camp” that is supposed to turn civilians into direct marketing professionals, to special guest Howie Mandel, “Deal or No Deal” TV Show host and comedian, who will present DMA awards. (See DMA07 Highlights) Sorely missing will be any mention of who should control the humongous plethora of consumer private information hanging precariously in the marketplace exposed regularly to ID thieves. One of the DMA’s “Special Interest Councils” caught my attention simply because of the headline announcing the gathering. It read: “Customer Relations Management—is it Still Relevant?” Not only is the junk mail industry in denial over who should control individuals’ names and personal data, they aren’t even sure anymore if “relations” with the customer are relevant.

Tuesday, October 09, 2007


If you think of it, junk mailers require a crowd of customers to make their business work. They send out 100 advertisements to get just one or two orders. (But here’s what that does to the environment) When you equate this to the millions of pieces of mail that arrive in mailboxes each year, the junk mail industry is really at the mercy of the crowd mentality. Many of these companies know your buying habits, so they send you catalogs about things you have purchased before. They also know your lifestyle patterns, and direct their advertisements to behavioral conduct like what books or magazines you read, or what music you listen to. Since junk mail and non-junk mail firms are aware of what ailments you suffer from, and what medications you take, you receive offers for self improvement, or blatant attempts to switch you from one kind of prescription medicine to another. Your financial habits are an open book, so credit card companies inundate you with offers for another credit card you do not need. The minute you apply for a new mortgage, fourteen other mortgage companies contact you by mail or telephone to try and convince you that their service is better. You move into your new home and mail pours in for carpeting, draperies, and gardening services. All of this is accomplished by selection techniques that sort out your private information and then blend this together to create the intimate details of your daily habits. (See my recent post) The crowd mentality rules when you do respond and buy, and then something very unique happens that is not prevalent in most other advertising mediums. Your name and personal data are collected, and become an extremely valuable commodity to the world of junk mailers. As a by-product of all those products and services you purchase, your name and private information are marketed for $4 billion each year. In some cases your sensitive data is worth more than the products and services for sale by these organizations.
This would all be a very good thing, if not for one missing link. Throughout the process, you should be in control of your name and personal data, and you should be compensated when it is sold from that annual amount of $4 billion. And, of course, you aren’t. But the time has come to turn this crowd mentality around, and force my concept of control to happen with a grass-roots movement from the American consumer. Whether you are a junk mail shopper or not, your name and private information are compiled and sold. That’s right, all approximately 109 million households are in the cross-hairs of the data collectors, and what’s worse is the fact that all this sensitive data is up for grabs by identity thieves. You could become a victim just to satisfy the greedy profit centers of the list business. Junk mailers will meet at the end of this week in Chicago for the Direct Marketing Assn. (DMA) annual convention. If any of you Chicagoans are around McCormick Place West between October 13 and 18, ask to speak to DMA President John Greco. Ask him why you shouldn’t have control over your name and personal data.

Monday, October 08, 2007


The Direct Marketing Assn. (DMA), the industry representative for junk mail companies, meets in Chicago for its annual convention at the end of this week. For the last six months I have implored John Greco, DMA president, to let interested consumers into the exhibition hall free of charge to question mailing list professionals about how their names and personal data are being sold all over the world. It is a $4 billion annual business, and it grows each year as they uncover, or you give up, more of your private information, which sells at a premium. I have already done three posts on the subject starting last June. You can read them here: One, two, and three. Greco’s answer to my e-mails was…no answer. Not even the courtesy of a side comment like, “Buzz off Dunning, junk mail is too secretive an industry, especially in the selling of names and personal data, to share this with the consumer.” So after being blown off by the head junk mailer, I decided to go to the Chicago media, including newspapers, TV and radio, and tell them the same story. I also sent several op-eds to major newspapers across the country pointing out that apparently junk mailers weren’t interested in leveling with the very customers who paid their bills. I had one reply from a Chicago TV station that was “very interested” but eventually went quiet, and also didn’t return my e-mails. The lone responder to my op-ed efforts was the North Jersey Record, which published my piece, “How junk mail can save the day.” It is one of the larger US newspapers, close to New York City, and they had published my articles before, but why not Chicago? Is it possible that the convention business is more important to the Windy City than the truth about what happens to our names and private information? I would hope not, but wouldn’t at least talk radio jump in to take advantage of such a juicy subject?
The fact that our individual sensitive data is recklessly handled and lost by junk mailers and non-junk mailers alike, in an era of high-risk identity theft, is an issue that should be foremost in the minds of every consumer. And if it isn’t, the national media should at least explore the possibility that there could be a conspiracy, all in the name of protecting the profits of the information collecting and selling industry, to cover up the way in which consumers’ names and personal data are manipulated. I am resolved to convert what I have identified as the “apathetic” public, those who feel “this couldn’t happen to me,” until it does. That is what The Dunning Letter is all about. And if you really believe it won’t happen to you, just think about the 8.4 million 2006 ID theft victims who ended up spending an average of $5,720 each, and 25 hours apiece, to straighten out the mess. Folks, that stolen or lost private information is out there, and it is just a question of time until the crooks get around to using your “goodies.” When it happens, don’t say I didn’t warn you.


Control Your Name Alliance, Inc. (CYNA) is a non-profit organization formed for the purpose of achieving individual control over our names and personal data, and compensating the name-holder when it is sold. It is a grassroots movement conducting research and education on this issue to determine the best approach to accomplish these goals. Please support your right to control your sensitive data by making a contribution to CYNA; send your check to Control Your Name Alliance, Inc., P.O. Box 347, Cave Creek, AZ 85327. Please contact me by e-mail with any questions.

Saturday, October 06, 2007


According to Jennifer Fiddian-Green, forensic partner with Grant Thornton LLP, a leading Canadian accounting and business advisory firm, you have to look no further than Facebook and MySpace for the answer. Fiddian-Green, in a company press release, says that “identity theft, a growing threat whereby criminals use personal information to obtain credit and loans in a person's name without their knowledge, is being facilitated by information posted on these social networking sites: The more personal information the fraudster has, the easier it is to impersonate victims and wreak havoc on their finances and credit record.” My take is that social networking is either a technology revolution in the art of communicating, or a pending disaster in the handling of consumers’ private information. A fellow blogger recently told me that he feels the Canadian government is ahead of the US in its fight to protect its citizens’ privacy. If Ms. Fiddian-Green’s statement is any indication of the attitude of private business in Canada, they too are way ahead of the US. I decided to look at Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) again as a reminder of just how far ahead of US legislation it is. As with the United Kingdom’s Data Protection Act 1998, when looking at Canada’s Act, members of Congress should be ashamed of the identity crisis in which they are leaving the American consumer to wallow. Here are some juicy tidbits from the Canadian privacy law. Right out of the gate, a business in Canada must identify the purpose for which it collects the data, and use it only for that purpose. Second, it must obtain the consumer’s consent to hold their data. And third, the individual has a right to know what information is being compiled on them. These are regulations foreign to both US business and government.
Oh yes, there is also a “grandfather” clause that makes the law apply retroactively to any personal data a company has already collected. I am dumbfounded how either a House member or a Senator can call themselves a representative of their constituency and do nothing about the privacy rights of the people in their districts. But this post is primarily about Facebook and MySpace, where users routinely furnish information like date of birth, relationship status, location (sometimes down to a street address), employer, e-mail address and phone number, right in a profile that often has no access restrictions. And sometimes you don’t really know the person you’re socializing with, Fiddian-Green notes, quoting an outside source. She adds that all of this information is a treasure chest for hackers. My additional thought is that by posing as either Facebook or MySpace, phishers will find a goldmine. I’ll leave you with these statistics from Sophos, a world leader in security technology, which approached 200 random Facebook members to find out how they would react to a “friend” request from a complete stranger.

87% gave details on their education or employment
84% provided date of birth
78% provided an address or locale
72% gave a personal e-mail address
26% divulged their instant-message screen name
23% gave their current phone number

Just so you know who we are dealing with, Facebook, originally open only to college students, now has 49.7 percent of visitors over age 25, 41.1 percent over 35, and 7.6 percent over 55. Household income is over $75,000 for 46.2 percent, and $100,000 or more for 29.6 percent. Note that nearly every field handed over in that test, date of birth, address, employer, e-mail, is also the answer to the kind of verification question a bank or credit issuer asks before resetting a password or opening an account, which is exactly why a stranger’s friend request is worth a fraudster’s time. These people should know better, but this is yet another hard example of the “apathetics” that populate the marketplace.

Friday, October 05, 2007


The ACLU is demanding that the Department of Homeland Security (DHS) shut down the Automated Targeting System (ATS), which it calls illegal because it violates a congressional mandate barring DHS from using data-mining of personal data to assign risk levels to innocent Americans. The program was “approved without public or congressional consideration,” according to an ACLU release. And then a Newsweek article trumpets the fact that computer data-mining technology is replacing human intuition in deciding what you plan to buy, or just what book you will read next. All of this has been going on for years in both the private sector and federal agencies. I can account for over 20 years of tracking consumer whereabouts during my 35 years as a junk mail data broker and database consultant. We wanted to know everything about you, and on a regular basis found new ways to dig up your private information and maneuver it through the system to track your daily habits. But the grind goes on, and there was a distressing report in September by the New York Times that MySpace was outdoing Google in collecting and using your personal data. Blogger Preston Gralla says the NYT reports that MySpace will use 100 employees “to grab every piece of personal information it can about its users, and then use that to finely target ads.” This reeks of the old junk mail entrepreneurs who collected every morsel of your sensitive data, promptly deemed it their property, and then eventually sold it to the tune of what is today $4 billion annually. Gralla says of MySpace, “[Collecting] may be just the beginning. Will sales of that data be far behind?” Returning to government activity, the Washington Post had a good article in 2006 on how the feds were “increasingly turning to data-mining.” First off, they go to the junk mail industry for consumer information: companies like ChoicePoint, Acxiom and LexisNexis.
Other consumer database companies loaded with your private information are Experian, Equifax and TransUnion, all three of which are also credit bureaus. These six companies themselves engage in household-level data-mining at the highest levels, including neural-network predictive modeling, a form of what is now called artificial intelligence. The NSA spying episode brought to light the government’s interest in your telephone activity, using databases provided by the private sector. The Post states it is hard to pinpoint how many such data contracts exist, but points out that 52 government agencies had launched or planned at least 199 data-mining projects as far back as 2004. Data-mining, or predictive modeling as some refer to it, was a blip on the horizon when I became involved in junk mail some 20 years ago. I’ve watched the technology develop over the years into something that, in the right hands, can be used as a surveillance tool that can tell you things about yourself even you don’t know. It’s done by combining personal data from many separate sources into one record, then running algorithms over those merged records to find patterns that support uncanny predictions. There was a great quote in the Federal Times by Tim Grance, manager of the National Institute of Standards and Technology’s computer security division: “Developing policy is easy,” he said. But, he added: “God and the devil both dwell in the implementation.” Think the Bush administration will ever figure this one out?
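As an added illustration, not code from The Dunning Letter or from any of the companies named above, here is the first and least glamorous step of that “blending together”: record linkage, joining a mailing list with fields scraped from an open social-network profile (the kind of profile discussed in the Facebook post above) on the quasi-identifiers that keep coming up on this page, name, date of birth and ZIP code. Every record, name, e-mail address and purchase below is constructed for the example, and the nickname table, the blocking rule (ZIP + DOB + last name must agree) and the initial-only name handling are simplifying assumptions of mine, not anyone’s production matching logic.

```python
"""Record linkage on quasi-identifiers (added example; constructed data only)."""
from collections import defaultdict
import re

# Constructed sample: a retail mailing list with purchase history.
MAILING_LIST = [
    {"name": "Robert J. Smith", "zip": "85327", "dob": "1962-04-17",
     "buys": ["golf catalog", "heart-health supplements"]},
    {"name": "Maria Lopez", "zip": "10001", "dob": "1980-11-02",
     "buys": ["baby furniture"]},
    {"name": "Rob Smith", "zip": "85327", "dob": "1962-04-17",
     "buys": ["mortgage refinance inquiry"]},
]

# Constructed sample: fields copied from unrestricted social-network profiles.
PROFILES = [
    {"name": "rob smith", "zip": "85327", "dob": "1962-04-17",
     "employer": "Acme Mfg", "email": "rsmith@example.com"},
    {"name": "M. Lopez", "zip": "10001", "dob": "1980-11-02",
     "employer": "City Hospital", "email": "mlopez@example.com"},
    {"name": "Jane Doe", "zip": "60601", "dob": "1975-01-09",
     "employer": "Widget Co", "email": "jdoe@example.com"},
]

# Assumed nickname table; real brokers use much larger ones.
NICKNAMES = {"rob": "robert", "bob": "robert", "bill": "william"}


def name_key(name):
    """Normalize a name to (first, last): lower-case, strip punctuation,
    drop middle names, map nicknames, and treat a lone initial as unknown."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    if len(parts) < 2:
        return None
    first, last = parts[0], parts[-1]
    if len(first) == 1:
        first = ""          # "M. Lopez": only the last name is usable
    return (NICKNAMES.get(first, first), last)


def link_key(rec):
    """Blocking key: records merge only when ZIP, DOB and last name agree."""
    nk = name_key(rec["name"])
    return None if nk is None else (rec["zip"], rec["dob"], nk[1])


def link_records(*sources):
    """Merge records from any number of sources that share a link_key.
    Returns {link_key: profile}. A block that collects two different
    first names is discarded as an ambiguous match rather than guessed."""
    merged = defaultdict(lambda: {"first": set(), "buys": [], "fields": {}})
    for src in sources:
        for rec in src:
            key = link_key(rec)
            if key is None:
                continue
            prof = merged[key]
            first = name_key(rec["name"])[0]
            if first:
                prof["first"].add(first)
            prof["buys"].extend(rec.get("buys", []))
            for field in ("employer", "email"):
                if field in rec:
                    prof["fields"][field] = rec[field]
    return {k: v for k, v in merged.items() if len(v["first"]) <= 1}


def kba_answers(key, profile):
    """What the merged record hands a fraudster: the answers to the
    knowledge-based questions a lender or bank typically asks."""
    zip_code, dob, last = key
    return {"date_of_birth": dob, "zip": zip_code, "last_name": last,
            **profile["fields"]}


if __name__ == "__main__":
    linked = link_records(MAILING_LIST, PROFILES)
    for key, prof in linked.items():
        print(key, sorted(prof["first"]), prof["buys"], kba_answers(key, prof))
```

Three mailing-list rows and three profile rows collapse into three people, and the "Smith" record now carries a heart-health purchase, a refinance inquiry, an employer and an e-mail address that no single source held. The deliberate choice to throw away a block with conflicting first names is the kind of caution a broker chasing match rates usually does not make; loosen it and the false-merge rate, and the damage from a wrong profile, goes up.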

Thursday, October 04, 2007


It is my practice to let the personal data breaches pile up, then cull out the most significant of the bunch and report them to you, in case you may have missed these important incidents. This time I go back to June of this year and the theft of a storage device from an Ohio government intern’s car containing the personal information, including Social Security numbers, of 64,000 state employees. (See Story) But according to a story in The Columbus Dispatch, the significance of the incident was downplayed from the beginning. Ohio Republicans called it a “cover-up,” since Gov. Ted Strickland is a Democrat. Next, there were the computers stolen from the Yale College Dean’s office in July, compromising the names and Social Security numbers of 10,000 current and former students, faculty and staff. The Yale Daily News reported that “the lost files had not been maintained for any purpose,” and “were overlooked in the University’s efforts at reducing the amount of personal information it holds.” Just when you thought you’d heard it all. Approximately 25 percent of all data breaches nationwide happen in places of higher learning, which makes this area critical in the identity crisis. And then came Certegy’s breach of 8.5 million customer checking account and credit card records, also in July. I did two posts on this, which you can read here and here. Certegy is a subsidiary of Fidelity National Information Services, a financial processing company that provides solutions supporting financial services companies throughout the world. It is alleged that a senior employee by the name of William G. Sullivan stole the records and sold them, through a company he owned, to junk mailers. This is a case of companies buying consumers’ sensitive data without checking its source, and from my experience as a junk mail data broker, that is irresponsible. But here is the most bizarre case I have heard of in a long time.
The Russian connection targeted wealthy Americans with large home equity lines of credit, stealing $1.5 million from their accounts and attempting to steal another $10.7 million, according to Technology News Daily. The conspiracy’s ringleader is a 24-year-old Russian named Igor Klopov from Moscow, who scammed, among others, the head of a major credit reporting agency. He had four accomplices spread across the country, all of whom were indicted as of August 17. Maybe now we can get the attention of the Experian, Equifax, and TransUnion people, but I won’t hold my breath. It sounds like a James Bond novel, with the likes of the US Secret Service, the NYPD, and the Manhattan District Attorney’s Identity Theft Unit involved. One bright spot in the scam was JPMorgan Chase’s alertness, which stopped one of the transactions before the money was taken. Johns Hopkins Hospital in Maryland had a computer stolen in July with over 5,000 patients’ names, Social Security numbers, birth dates, medical histories, and other personal information, as reported by the Baltimore Sun. It took more than five weeks before the victims were alerted to the theft. The University of Kansas was apparently not very vigilant in disposing of personal records containing Social Security numbers, addresses, insurance details and student grades. The university newspaper, the Kansan, says in its September story that no fewer than four other breaches have occurred. The Gap had 800,000 job applicant records, including Social Security numbers and other private information, taken in the theft of a laptop from a third-party vendor in September. Gap’s other brands include Old Navy, Banana Republic, and Outlet stores in Puerto Rico and Canada. But the prize-winner is the allegation, made by an attorney, that online brokerage Ameritrade lost personally identifying information on some 6.3 million customers to hackers.
The class-action lawsuit, filed last May against the company, also alleges it knew of the breach a year ago (last November) but kept pumping user information into the breached database. The story appeared on September 17, 2007, and quotes security company Sophos as warning Ameritrade users “to be on ‘red alert’ against targeted spam attacks.” The personal data taken was names, e-mail addresses, phone numbers and home addresses. That combination is exactly what a phisher needs to greet a victim by name and cite a real account relationship, so by masquerading as Ameritrade, the phishing underground could have a field day with this one; any message that names your brokerage and asks you to log in through a link it supplies deserves suspicion, however personal it looks.