Wednesday, October 29, 2008


JUNK MAIL TRADE ASSN. DOWNSIZES


The Direct Marketing Association’s (DMA) mission is advocacy for responsible marketing, something they call “The Power of Direct.” The statement goes on to cover a number of benefits offered to its membership like research, education and networking opportunities to improve their junk mail. If they are really looking for improvement, the DMA should be the leader in finding out just how to get rid of the 98 percent which is junk mail and ends up in the trash.

By the way, the vast consumer population who make junk mail purchases—about 60 million households nationwide—does receive attention from the trade group, but not the kind the DMA’s more than 3,600 members get. It is a trade association paid by these some 3,600 junk mailers to keep the market free from regulation of an ultra secretive industry. So where are the advocates for these 60 million households that buy direct? We are out there, like The Dunning Letter, Privacy Rights Clearinghouse, Green Dimes, Junkbusters, and more. So why isn’t this enough?

Because Congress, the states and the media look to the DMA to tell them what, if anything, is wrong with junk mail. In my opinion the DMA has never really leveled with the public about the collecting and selling of consumer names and personal data. The DMA’s mail preference list is a joke since only its small membership is required to use it. There are thousands of junk mailers out there that aren’t members, including some major mailers.

A couple of years ago I challenged the DMA president to allow consumers into the Chicago annual convention to ask list and data brokers just what they were doing with our names and private information. Not even the courtesy of an answer. In checking the DMA’s site, you will find a proliferation of figures including how junk mailers spent $173.2 million plying their trade in 2007, but you won’t find any mention anywhere of the $4 billion that is made annually by the list business from selling your sensitive data.

What this is all leading up to is the fact that the Direct Marketing Assn. has recently announced it will lay off from 18 to 21 workers. And you say…what difference does that make to me? From my 35 years’ experience in junk mail, it sounds like consumer protection, already inadequate, will suffer even more by the release of a key employee, James F. Conway, vice president and counsel for corporate and social responsibility. Conway was responsible for the DMA’s “Commitment to Consumer Choice (CCC)” program, an initiative requiring that members practice new, higher standards of corporate responsibility.

It would appear that junk mail customers will just have to sit back and take the hand they are dealt, that is until they are willing to stand up to this industry and federal regulators and say they’re tired of this treatment and won’t take it anymore.

Monday, October 27, 2008


JUNK MAIL IS ALL ABOUT…JUNK MAIL


What has always bothered me as a past direct marketing consultant and data broker is that junk mail doesn’t have to be…junk mail. There are ways to eliminate at least a large portion of that 98 percent that goes in the trash before it happens.

One way is predictive modeling that identifies small geographical areas that are prone to making purchases through the mail. Another is an opt-in list of households that want mail, even screened further by the type wanted like apparel, food, electronics, etc. There is, of course, the do-not-mail list that could be enacted by the Federal Trade Commission, similar to the do-not-call registry that has been tremendously successful; which, by the way, did not put the telemarketing industry out of business as predicted. And now we have several states that are attempting to pass their own do-not-mail laws.

Newsweek did a recent article, “To Postal Workers, No Mail is ‘Junk,’” predicated on the fact that these workers are afraid any limitations on the sending of junk mail will cost them their jobs. Like telemarketing, I feel sure they will survive, although, perhaps, with a somewhat downsized postal system.

What is going on here is an event similar to the petroleum industry fighting alternative sources of energy, with all the subsets of businesses that would also be affected by a downturn. Junk mailings support a number of thriving suppliers that produce products and services needed to mail an advertising offer. Companies like paper mills, computer facilities, lettershops, and of course the list business, to name a few. They, like oil, telemarketing and the postal workers, look only at their side of the dilemma.

How about the typical junk mail consumers numbering over 60 million households nationwide? It’s their name, their unique address, and their personal data that is being bandied about in the marketplace with little concern over its security. Don’t they have a right to say how that private information is used, and how much junk mail they want to receive? Of course they do.

With emphasis on profits—and list sales are a goldmine for junk mailers amounting to over $4 billion annually—the consumer rarely gets any consideration from the direct marketing industry or our congressional leaders. If “main street,” which seems to be one of the most popular buzz words in the current presidential campaign, doesn’t react in force and with organized efforts, it probably will never happen.

Most junk mailers refuse to spend the money for predictive modeling; some even still think it’s hocus pocus. The opt-in list was tried twice and failed, and the FTC isn’t likely to start a do-not-mail registry with the lobbying efforts of the Direct Marketing Assn. along with its junk mail membership, nor are states likely to get any similar meaningful legislation enacted. So what is the answer?

The public must demand control over its names and personal data that will allow it to decide what mail it wants to receive. At the same time, the junk mail customer should be paid when his or her name is sold to provide incentive to take on this new responsibility. In the long run this could increase the number of people using direct mail, and even satisfy most of the postal service employees.

Thursday, October 02, 2008


FROM TACKY TO BAD TASTE


Some time ago, I responded to something sent to me by Jillian Coleman because I had a gut feeling about her offer. It is another of those get-rich messages that makes you feel that the only thing you have to do to become rich is to buy her program. Of course, I have been bombarded since then with e-mails that attempt to sell self-help programs—a term we used in the junk mail industry to indicate people looking for the “free lunch”—with proposals for everything from real estate to having my own Internet cash machine. After 35 years as a junk mail data broker, methods like this that really work are few and far between. But that is not the point of this post.

On September 13, the day Hurricane Ike hit the Texas coast, Coleman was on the Internet contacting supposed suckers like me with a folksy lead-in of four paragraphs about how her family had suffered in the storm. This preceded her pitch in the next paragraph telling readers how she wanted to help her neighbors get low-cost government loans and grants. All you had to do was buy her self-help program for $597 including a HUGE discount of $300, apparently in honor of Ike. She listed her website not once, but three times.

Coleman did say early-on that “part” of every sale was going to organizations assisting in the Ike aftermath. She didn’t say how much or who. Now that is just what a hurricane victim needs, a pricey system to search for loans or grants when many of them couldn’t even find their house. She makes one last pitch before giving her website for the last time. But this is only the beginning.

On September 15, Coleman is back with more of the down-home approach—it works folks, believe me—with another diatribe about Texas’ “Third Coast” and its “miles of beaches and barrier islands, dunes, and sea grass that curve along the Gulf of Mexico.” The pitch starts in this e-mail saying she is donating money, but she wants to do more. And that can happen if you buy in to yet another offer headlined as an Internet cash machine. No, I don’t have the slightest idea what this has to do with hurricanes either. Billed as the “Hurricane Ike Sale for our Neighbors,” it sells for the discounted price of $1,497. There are four links to make your purchase.

There is yet one more pitch on September 17; you’ll note the separation of two days between each e-mail to let the victims, who probably don’t even have a computer left for Internet access, absorb the gist of this amazing benevolent appeal. I decided to probe further, and came up with some interesting additional information on Coleman and her Austin, Texas company, Live Oak Tree, LLC.

Another of her offers was featured on the Ripoff Report: “Coleman & Associates; GrantMeRich.com.” Samuel of Plantation, Florida complains to the online consumer organization in this headline: “Coleman & Associates; Grant Me Rich.com Stay Away From Coleman & Associates Grantmerich.com Scam Artists! They Have Refused to Refund My Money 1 Year after I returned their USELESS product!!! Austin Texas.” Apparently Samuel purchased Coleman’s “Ike special,” New American Land Rush, and to say the least, he thought it was “useless” and wanted his money back.

Jillian Coleman may be the most legitimate company in Austin, TX, but at the very least, you have to admit this approach is very tacky and reeks of bad taste. There’s more, however, another follow-up on September 27, and a comparison of how these people come out of the woodwork, from Katrina to Ike. Next time.

Wednesday, September 24, 2008


On September 15, I did a review of Grant Hall's book, Privacy Crisis: Identity Theft Prevention Plan and Guide to Anonymous Living. This post is the second in a series of guest articles in which I feel readers will have interest. Grant's insight into financial institutions will open your eyes, and make you think before your next trip to the bank.


Bank of “Arrogance” and the Privacy Crisis
by Grant Hall

Whose money is it anyway?

Why do Americans have to jump through hoops and provide every conceivable piece of personal information known to computers to pseudo government agents, a.k.a. “bankers,” in order to store their currency? Why is a prospective customer met with an “army” of resistance whenever telephone inquiries are made about the once simple procedure of opening a non-interest bearing checking account? And, why does it take three to five employees of a bank and thirty to sixty minutes to gain the information that was once accomplished through a three minute conversation with an entry level banking clerk?

Recent numbers of U.S. banks on the F.D.I.C. watch list increased to 117 in the second quarter of 2008 from 90 in the first quarter of 2008 (Ellis and Luhby, 2008), and in spite of the catastrophe looming, banks and bankers have not made efforts to boost customer satisfaction through better customer service in the opinion of this author and according to this author’s small-sample, empirical study conducted in August 2008.

The author spoke to twelve “bankers,” employed at various regional, money center and local banks, and spent an average of thirty-seven minutes on each call during the month of August, 2008. An additional six banks were contacted that did not answer their telephones and these calls were routed to voice mail. Messages were not left for return calls by the author and this study is based on the twelve banks and “bankers” who were available for telephone calls during business hours in August, 2008.

Study results revealed that no first responders (clerks, tellers, assistant managers) could answer all questions asked by the author relating to opening a non-interest bearing checking account for a Trust of which the signer would be the Trustee. Note: Trust accounts are considered “personal” accounts by bankers according to the author’s experience.

Once supervisors or bank managers came to the telephone, the conversation continued with questions necessarily repeated from first responder contacts. Three of the twelve were able to answer all questions concerning the opening of the aforementioned “personal” bank account. A third telephone contact was necessary in six of the twelve telephone contacts. Three of the twelve contacts required a fourth or fifth person or advised having someone call the author back.

Based on the study results, it is clear that service has deteriorated to an unacceptable level at banks. And, since banks neither know their business (requirements for opening a basic account) nor offer acceptable customer service - based on this author’s study and his conclusions, an interpretation in part based on his opinion - why should anyone use them for storing their money?

All twelve banks mentioned said “no” when asked if they would cash a customer’s check if he/she did not have an account with the bank.

The conclusion is therefore drawn from this August, 2008 study that banks are not in the business of providing acceptable and good customer service. This is the opinion of this very experienced author and is based on this study and other studies. Further, employees who field questions by telephone (clerical, assistant managers) - from numbers one to three who speak to prospective customers - do not know requirements for a basic “trust” checking account. This conclusion and the fact that bankers - executive and management - do not know the source of their funds and cannot define the Federal Reserve Bank (Hall, 2006) may cause many customers to hesitate about opening a bank account for personal use.

As the author has explained in Privacy Crisis, there are other options besides commercial banks for storing cash.

Check cashing stores combined with the use of an anonymous safe deposit box will enable the privacy advocate to keep money anonymous - without the problems associated with banks and bankers. A useful resource for an anonymous safe deposit box is 24-7 Private Vaults, and their web site is www.24-7PrivateVaults.com

References
Ellis, David and Luhby, Tami, 2008, Problem Bank List Keeps Growing, www.CNNMoney.com
Hall, Grant, 2006, Privacy Crisis: Identity Theft Prevention Plan and Guide to Anonymous Living, eBook, James Clark King, LLC, available at: www.PrivacyCrisis.com
Copyright: James Clark King, LLC, September 8, 2008

Monday, September 15, 2008


DECLARATIONS FOR PRIVACY


I ran into a couple of things recently that deserve mention for readers with an urgent interest in protecting their privacy. The first is Grant Hall’s E-book, Privacy Crisis: Identity Theft Prevention Plan and Guide to Anonymous Living, 390 pages packed with a concept so different than most of today’s privacy advocates that it demands recognition. He asks the basic question of why we should have to give up all of our sensitive data just to survive at the existence level in the present-day financial world. That’s true! In order to conduct any business that requires a payment for merchandise or services, if you don’t have the cash in hand, you must reveal the family history to obtain credit. But Grant says there is a way to solve this problem by using cash, and he shows you how this can be done. I suggest you go to the link above and check out Privacy Crisis to see if this approach is for you. And look for an article soon by Grant Hall on this blog: Bank of “Arrogance” and the Privacy Crisis.

The second is a recent post, The Ultimate Guide to Internet Privacy Law: 100 Must-Read Resources, rich with information broken down into guides and articles designed to protect your online privacy. They are the latest privacy scams and security breaches from the news and blogs, authoritative information on online privacy law from academic and research sources, privacy rights organizations, government resources, and some great information for kids and teens. They were even kind enough to include The Dunning Letter in this group. I know about many of these sites, and can see that the collection was put together with some thought. Check out their site, and you can even leave comments if you have ideas on this subject.

We will probably never have enough available advice for protecting our privacy, since the trend in identity breaches just keeps on rising each year, and shows no real signs of receding. So my advice is to make the best of whatever you can find that is legitimate and authoritative.

Thursday, September 04, 2008

Today marks the first of the guest articles from contributors whose specialties are in keeping with the philosophy of The Dunning Letter. Sergei Lemberg has a history of advocating for consumers, as the following article illustrates.


Driving in Circles: Lemon Law and Extended Warranties


By Sergei Lemberg


For a long time now, Jack has done an enormous public service in the realm of consumer privacy and identity theft. Over at LemonJustice.com, my colleagues and I are working for consumers in a slightly different arena: lemon law.

All too often, consumers are victimized by car manufacturers when the automaker can’t or won’t fix a serious defect in a new car. We’re not talking about annoying problems like speakers that aren’t installed properly, but rather defects that make the vehicle unreliable or unsafe. Every state has what’s called a lemon law, meant to protect new car buyers from just these kinds of defects. Unfortunately, though, most people don’t understand their lemon law rights, or know how to go about preserving them.

Because each state’s lemon law is different, it’s easy for people to become confused. Generally speaking, though, most states cover new passenger vehicles that are intended for personal use. Typically, lemon laws dictate that, in order to be considered a “lemon,” a vehicle must have serious defects that occur within a certain time frame, such as during the first year or the first 12,000 miles – whichever comes first. There’s also a requirement that the vehicle has been taken in for a certain number of repairs (such as four times for the same problem) or has been out of service for a certain length of time (such as a cumulative total of 30 days). Often, there’s a requirement that the manufacturer has to be notified via certified mail and given one last opportunity to make the repairs. If the automaker can’t fix the problem, they’re required to give the consumer a refund or replacement vehicle.

This is the point where consumers need to make a lot of noise. Understandably, manufacturers don’t want to acknowledge that they have a lemon, and have legal teams that are dedicated to fighting lemon law claims. Often, they make people jump through hoops until the time limit for getting compensation expires, then walk away with smiles on their faces. If you think you have a lemon, you should contact a lemon law attorney after the second or third repair attempt. He or she can help guide you through the final steps that will legally establish your vehicle as a lemon. Because most lemon laws say that the manufacturer has to pay your attorney’s fees in a successful claim, representation shouldn’t cost you a dime.

But that’s only one of the ways that people are victimized in relation to their vehicles. The other is through extended warranty scams. The New York Times recently ran a great article on extended warranties, which basically said that about two-thirds of people end up paying more for the warranty than they save in costs associated with repairing their cars. It also pointed out that it’s best to avoid third-party extended warranties, as you’ll be out of luck if the company you purchase from goes out of business.

This issue of third-party warranties intersects with privacy issues, since extended car warranty companies buy lists of names and snooker them into buying meaningless warranties. Chances are, you’ve received pre-recorded calls, letters, or emails warning you that the warranty on your vehicle is about to run out and that you need to “act now” to protect yourself. Usually, the company bought your name from a list broker and is betting on your naivete to scam you into buying something you don’t need.

From a lemon law perspective, even legitimate extended warranties aren’t so great. They’re simply service contracts, so a manufacturer’s repeated failure to fix a problem is hardly ever actionable.

Sergei Lemberg, Esq., focuses his practice on Lemon Law, Consumer Fraud, Auto Warranty and Auto Injury litigation. He is licensed to practice in New York, Massachusetts, and Connecticut. He can be reached at: 1-877-77-LEMON (1-877-775-3666) or e-mail contact06@lemonjustice.com

Friday, June 20, 2008


THE BASIC CASE REHASHED AGAINST JUNK MAILERS WHO SELL YOUR SENSITIVE DATA



Today is my day to jump on the soapbox, and bombard readers with another warning about how your name and sensitive data are collected in an industry where profits rank far above security. Even though it has been said countless times, it deserves another outing, particularly with identity theft still soaring.

If there is one thing that should be remembered by junk mail shoppers, it is that when you order a product or service from a junk mailer, or request information from a non-junk mail company, your name and private information are the real prize in the transaction. Unbeknownst to many consumers, that sensitive data is rushed at lightning speed to a computer facility where it is prepared to be sold, often within 24 hours. Sure, they will deliver your product, or service, or requested information, but that is almost an afterthought to many companies that survive from the marketing of your names and personal data.

And that is not the purpose for which you gave them your name, address, telephone number, credit card account, etc. You gave it to them to deliver what you asked for, not sell it to 50 other junk mailers that, if you should order something from them, will sell it to another 50 companies, and on and on. I also mention non-junk mailers because they are quickly catching up with the traditional list business in collecting names and private information, also putting it up for sale. The most glaring example of this is pharmaceutical companies who buy your prescription data from your local pharmacy.

And the process does not end with the information you provide the junk mailer. Not satisfied, they go to major data brokers like ChoicePoint, Acxiom, Experian, Equifax and TransUnion to enhance the information they already have on you. Things like your age and income, home value, credit cards you carry, children’s names, where you work, what you drink and read, and whether or not you gamble. The last I checked, there were a minimum of 250 known demographic and lifestyle characteristics that could be added to your name and address.

There are now around 60,000 lists on the market that gross over $4 billion each year for the junk mail list industry. Most of these lists are not regulated by the Direct Marketing Assn. (DMA), so they are free to do what they please with your name and personal data. Most are honest, but it is the group of renegades that will sell your private information to unethical and dishonest companies that ply us with fraudulent offers, then vanish into the night.

Selling mailing lists has created a life of its own, and with the way new technology is evolving, every day there are new ways to suck up every morsel of private information available on each of us. Although I cannot confirm this, I bet that there is a new database filled with consumer sensitive data born every hour. Maybe even more often. Question if you will, but we have entered the age of Orwell’s Big Brother.

Thursday, June 19, 2008


REAL ID ACT GOES DOWN IN FLAMES IN ARIZONA


I am proud of my state for passing a law (AZ House Bill 2677) that basically prevents the enactment of the Real ID Act in Arizona. I am equally proud of Governor Janet Napolitano, a Democrat, for signing it into law on Tuesday, June 17. In case you have forgotten, the Real ID Act mandates a universal driver’s license issued by each state, with personal data on each individual citizen to be compiled in a national database of sorts.

This massive amount of private information on individuals will be controlled by the Dept. of Homeland Security (DHS) and the agency has already said it might add to the state-supplied driver’s license data. I remind you that the government is responsible for 20 percent of all data breaches.

In the beginning, DHS said that non-compliance would prevent a state’s residents from participating in some federal programs, most importantly, not being able to board airline flights through the federally operated Transportation Security Administration (TSA). But in January DHS Secretary Chertoff said that other forms of identification will be acceptable to fly. DHS had originally granted an extension for compliance to all states until December 31, 2009, and then, again in January 2008, further extended it until 2014, 2017 for those over age 50. More info from DHS here, and a detailed explanation from Wikipedia here.

Homeland Security says this is not a national ID card, but what else can you call it? With a shared pool of information containing the most sensitive of personal consumer data available to all the states plus the federal government, and one similar ID card carried by every citizen in the U.S. as their identification, I’ll let you decide what we call it. Any way you label this planned monstrosity, in the end it will still result in a new, ready-made source for identity thieves.

Aside from invading the privacy of every American citizen, the cost that would be borne by states is prohibitive. In a joint report from the National Governors Association, National Conference of State Legislatures, and American Association of Motor Vehicle Administrators, the cost nationwide would be more than $11 billion. When DHS handed down the final regulations on compliance in January of this year, several observers indicated the delayed deadline would do little to ease funding concerns, according to GovTech.com. The delay is thought to reduce that $11 billion to about $4 billion, however.

Jeremy Meadows, senior committee director for the National Conference of State Legislatures confirms that, “despite the concessions, DHS didn’t heed a number of other requests from states. Funding and privacy concerns appear to have gone ignored.”

Homeland Security hasn’t yet made a final decision on just how the central collection of personal data will be organized, as well as how it will be shared. At this point it is very confusing re. what the level of intrusion into individual privacy will be. What we do know is that if the Real ID Act does take effect, that alone will be an invasion of our privacy. See more FAQs on Real ID here.

Wednesday, June 18, 2008


CYBERSPACE PROVEN UNSAFE FOR SOME BY INTERNET CRIME COMPLAINT CENTER


It’s always been going on, but the Internet is “fast becoming the new nexus for fraud, scams, and identity theft—and the losses appear to be mounting.” This is a quote from the April 4, 2008 Internet Crime Complaint Center (IC3), as reported in ConsumerAffairs.com. IC3 is a partnership between the FBI and the National White Collar Crime Center. The report claims that American consumers lost $239 million during 2007 in Internet-based fraud schemes, up from $198 million in 2006.

Investment and retirement scams were highest with a median loss of $3,547 per complaint; check fraud at $3,000 per; and the historic Nigerian scam at $1,922. California leads in fraud perpetrators, followed by Florida and New York; 75 percent of the perps are male. And you will likely be contacted by e-mail by the scammer, followed by Web site visitation, then telephone or instant-messaging chats.

The Nigerian, or 419, scam dates back to the 1980s when the oil-based Nigerian economy declined, and unemployed college students started hustling first businessmen in the west, then spread out to consumers in general. They started with letters, faxes, or Telex, then graduated to e-mail as the preferred way of contact. The number “419” refers to the article of the Nigerian Criminal Code dealing with fraud, according to Wikipedia. The lesson here is the simplicity it takes to create a full-blown, worldwide scam, dreamed up by students with nothing to do, resulting in losses to victims in the millions.

The bad guys are using the same means of contact that are used in the junk mail industry to sell their products and services, thus, a familiarity by the recipient if they also shop by junk mail. I don’t know what customer profile selection the Nigerian used in acquiring 163,000 names from ChoicePoint in February of 2005—the beginning of the ID theft debacle—but as a former data broker, my guess is “opportunity seekers,” called a “mooch” list. So named because of the gullibility of the people on the list who are known for responding to offers that are in fact too good to be true.

The FBI, supported by outside security analysts, says the reported crimes received by IC3 are only a fraction of what is really occurring. This is a result of both business and consumers not reporting incidents for a number of reasons, including the time necessary to do so. Still, the FTC has determined that consumer fraud in 2007 totaled $1.2 billion, averaging $349 per individual.

Chris Hoofnagle, senior staff attorney to the Samuelson Law, Technology & Public Policy Clinic and senior fellow with the Berkeley Center for Law & Technology, a known privacy expert, has found in an initial study that “many of the world's largest corporations' customer records were the most frequently pilfered for identity theft and related fraud.” But he adds that this is only a first attempt and that further research is necessary.

This is a point I have been making for three years of blogging, based on 35 years in the junk mail industry observing the negligent handling of consumers’ names and personal data. When you combine this carelessness in the business community, including health care and the government, with the explosion of Internet technology and growing sophistication of the identity thieves, you have a potential disaster in the making.

Tuesday, June 17, 2008


ALTHOUGH NEVER OUT OF THE NEWS, FACEBOOK IS FRONT AND CENTER AGAIN ON PRIVACY


Facebook has been dogged by privacy issues in the past, but the latest could be the one that eventually convinces its users that they are potentially submitting their personal information to anyone in the world who cares to read about it. That is…unless they apply the controls provided by the website that limit where their sensitive data goes. Unfortunately, most Facebook users are in such a hurry to make contact with their friends that security is the last thing on their minds.

Adrienne Felt of the University of Virginia looked at a feature provided by Facebook which allows outside developers to create small programs called applications for its members for things like playing poker, getting daily horoscopes, and sending each other virtual fantasies. According to The Washington Post, since Facebook started this a year ago, “about 24,000 applications have been built by 400,000 developers.” David Dixon, an information technology consultant, recently deleted all his applications after hearing that these developers might have access to his private information.

Felt says that once developers have your personal data, Facebook can’t do anything about it. She also found that 90 out of 150 of Facebook’s most popular applications (that’s 60 percent) have unnecessary access to personal data. One applications provider thinks “leveraging that data would make a lot of sense.” He does add that no plans “are in the works” to do that. That’s the same thing junk mailers said years ago when they began collecting consumer sensitive data.

And then our friends to the north in Canada made their concerns known when the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint in May 2008 asking the country’s Privacy Commissioner to review what CIPPIC felt were “various violations of Canadian privacy law,” by Facebook. Arstechnica.com reports that Facebook’s policies and practices were analyzed by a “team of law students” resulting in the discovery of these violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Although some of the issues are somewhat picky, like making it hard to delete some things, others are substantive, like a user’s inability to cancel their account and all the data with it.

Other violations by Facebook include asking for the member’s date of birth for no obvious reason, which, along with the person’s name and address, is one of the key ingredients for identity theft. CIPPIC says that Facebook fails to get the “express consent” of users to share their personal information by making all information partially public by default, requiring the member to change privacy settings later.

But the granddaddy of complaints is over Beacon, a system that allows partner sites like Blockbuster, Fandango and forty others to share users’ “off-Facebook” activities with the website. Initially you had no choice, but after an outcry, the company changed a number of privacy settings to prevent publishing by default.

Technology is exploding, and it is the younger set (under age 29) that both understands best and makes the most use of cyberspace. They also account for over 25 percent of Internet fraud complaints, a number that is likely to increase if they aren’t taught the potential disaster of the “willingly-without-regard-to-the-consequences” giving out of their sensitive data. By comparison, the 60-plus age group files less than 10 percent of the total complaints. Apparently us old farts aren’t as far out of it as we might have thought.

Friday, June 13, 2008


SENATOR MCCAIN: SHOULD WE BACK A CANDIDATE WHO BACKS UNWARRANTED WIRETAPPING OF INNOCENT AMERICANS?


If you want to reinstate George W. Bush’s tactics of wiretapping the international telephone conversations and e-mails of innocent Americans, then you have a choice in candidate John McCain. According to the New York Times, Douglas Holtz-Eakin, a top McCain adviser, says McCain “believes that President Bush’s program of wiretapping without warrants was lawful.” McCain says it is authorized by Article II of the Constitution, which pertains to those powers vested in the President. Bush did it and McCain supports the National Security Agency wiretapping, despite the Foreign Intelligence Surveillance Act of 1978 which requires court oversight.

How did the public feel about the NSA spying? In an NBC/WSJ poll in January of 2006, “51 percent approve of the administration’s use of these wiretaps — without a court order — to monitor the conversations between al-Qaida suspects and those living in the United States, compared with 46 percent who disapprove. However, 56 percent say they’re concerned that such wiretaps could be misused and could violate a person’s privacy.” McCain also doesn’t think an apology is necessary from the telephone companies to their customers for giving up our private information in support of the illegal wiretapping.

The key to the above statement is “conversations between al-Qaida suspects and those living in the United States,” my emphasis. Unfortunately millions of innocent telephone and Internet customers were spied on to accomplish this ill-planned, emergency action. On the one hand McCain says sometimes the statutes don’t apply to the president, but on the other hand he says, “I don’t think the president has the right to disobey any law.” You can’t have it both ways, but, then, if that’s what he wants, we can be assured of a continuation of the policies of the Bush administration.

A New York University law professor who specializes in executive power issues comments that the latest McCain statement is a contradiction of what he said six months ago to the Boston Globe. At that time the Republican candidate “strongly suggested that if he became the next commander in chief, he would consider himself obligated to obey a statute restricting what he did in national security matters.” Greg Craig, Obama campaign adviser, suggested that anyone reading this would be “totally confused” about John McCain’s position on the issue.

McCain most recently voted for legislation to hold telecommunications companies unaccountable for their action in the NSA spying. The bill also legalizes a form of surveillance without warrants. Salon columnist Glenn Greenwald thinks all this is just another ploy by McCain to bring back support of the right-wing extremists.

And on yet another flip-flop at a conference on computer policy, McCain spokesperson Chuck Fish said the Senator wanted to temper his attitude toward those NSA spying cooperating telecoms saying “they should feel free to disregard communications privacy laws in the future if a president tells them to.” When Wired magazine published the remarks, the McCain campaign said Fish was mistaken. Further, that the Senator’s position—whatever that was—had not changed. Again, my emphasis.

Thursday, June 12, 2008


NEW RESEARCH STUDY FAULTS STATE DATA BREACH NOTIFICATION LAWS


As the data breaches march aggressively on (a grand total since Jan. 2005 of 917, outing 227.3 million personal records), researchers from Carnegie Mellon University say state data breach laws don’t work. There are 43 states plus Puerto Rico that have enacted legislation, and you can check your state’s law here. If other states’ legislation is anything like Arizona where I live, you can understand why it hasn’t worked. The reason is that in many cases it is up to the company doing the breaching to determine if the loss of the individual’s sensitive data is likely to do any harm. That’s like giving the crook your credit card and asking him to let you know when he uses it.

In the TechWorld article, the Carnegie Mellon research team leader, Sasha Romanosky, says, "There doesn't seem to be any evidence that the laws actually reduce identity theft." The data came from the Federal Trade Commission and included identity theft complaints filed between 2002 and 2006 to determine if state laws like California’s SB 1386 were effective. Well, they weren’t, and since the state legislation route was our only hope due to inept U.S. congressional leaders that have yet to come up with a workable identity theft law, where do we go from here? I’ll tell you where.

Form a grass-roots movement—like the one I have been raving about for three years—and force Congress to pass legislation that will give consumers control over their names and personal data, and compensate them when it is sold. It would be up to you to determine who can have access to your private information, and just what kind of junk mail or non-junk mail material you want to receive. My plan is simple and practical, easy to launch and maintain, with the result being secure sensitive data for the first time since technology took its giant leap.

Carnegie Mellon admits the data isn’t perfect, but, as they perhaps beseechingly put it, it’s all we’ve got. And that in itself is a tragedy, since we are dealing here with the number one consumer fraud in America. Maybe the reason we don’t have well organized figures on ID theft is because Washington wants it that way to keep from having to address the issue. You can see the complete Carnegie Mellon study here. It’s due to be presented at a conference on Information Security Economics at Dartmouth College later this month.

In the “Abstract” at the beginning of the study, which is basically a summary, the conclusion is drawn that it cannot be decided, based on the data, that state laws have had any effect in curbing identity theft. However, the Carnegie Mellon team does give us a ray of hope in exclaiming that the state laws could be having other benefits such as reducing a victim’s average losses, and forcing business to clean up their security act. We’ll take anything we can get.

Wednesday, June 11, 2008


MYMEDICALRECORDS.COM AND YOUR PERSONAL HEALTH DATA-PART 2


There is no doubt in my mind of the need for having our medical records organized in such a way that they both benefit the individual and are available in an emergency to prevent an accident by a caregiver, or even death. This is not a scare tactic like the cancer insurance of years ago, but rather a need made necessary by today’s lifestyles. Besides, instant answers, thus immediate decisions in medicine, have always been one of the biggest assets to hospitals, doctors and nurses.

But most of us are leery of giving out this most precious of our personal data, and you should be based on the current rate of medical identity theft. As of today there are over 227 million personal records exposed by breachers, over 15 percent of which is health data.

In yesterday’s post, I started a review of a company I feel has all the ingredients for benefits to the consumer in maintaining their health records, plus security protection standards that are above average. In May I had done a series on the inevitability of the latest trend of computerizing medical data (here, here and here), and endorsed the concept with reservations. My concern was finding an organization that would do this in a way that would exceed the security standards of today’s typical data collectors, many of which are guilty of losing or exposing so much sensitive data.

One such company that exceeds today’s security standards is MyMedicalRecords.com, and I want to continue in a review of qualifications that, as a privacy advocate, I find commendable. Some of the highlights from yesterday start with the fact that MMR started by first making sure of consumer data security before proceeding with their business plan. Access to private information is restricted, and a fact I failed to mention in my earlier post was MMR’s low cost of $9.95 monthly, or $99.95 if paid annually.

Getting back to the study conducted by MyMedicalRecords, in a comparison with Microsoft’s HealthVault, there are a number of “haves” and “have nots” between the two providers. MMR accepts secure fax documents; HV does not. MMR has voice mail capability for confidential messages; HV does not. MMR allows the sorting of records by date, family member, etc.; HV does not. MMR gives users a search function; HV does not.

And finally, HV’s information sharing feature within the necessary third party structure is a somewhat complicated process of steps. MMR, on the other hand, has a fully integrated system within the company, no third party providers, and with a procedure designed to effortlessly allow the flow of information between user and health caregivers. MyMedicalRecords’ privacy policy is standard with typical protection required by law.

You have to make the decision if you are ready for this, but, if you are, by all means shop around, but from what I’ve seen, you must consider MyMedicalRecords.com.

Tuesday, June 10, 2008


MAKING SURE YOU PUT YOUR MEDICAL RECORDS WITH SOMEONE YOU CAN TRUST


It isn’t often that I get a chance to talk about a company that collects your name and private information and do it on a purely positive note. If the business I am talking about is assembling your personal medical data, my skepticism and curiosity both rise significantly. The skepticism part wasn’t necessary, but my curiosity got the best of me when I learned about yet another Personal Health Records Provider (PHR).

MyMedicalRecords.com, headquartered in Los Angeles, “seeks to empower health care consumers and medical professionals by facilitating access to consumer medical records and associated vital documents (such as living wills, birth certificates and insurance policies).” Founded in 2005, “Our Mission is to give consumers greater control over their personal health and medical records, as well as other vital information.” It was the “give consumers greater control” phrase on their website that caught my eye, and led me to an intensive inspection of just how the company operated.

I was both surprised and elated by the transparency of their representative, Scott Smith, MMR’s Director of Public Relations. Starting with a comment on this blog’s recent post series, “How Long Before We Accept Inevitability of Personal Health Records Databases? Part 3,” Scott very diplomatically introduced me to MMR, which I had somehow missed in my research of PHRs. It had been my loss because over the period of a couple of weeks, I found a company that started its business by first making sure consumer privacy issues were firmly dealt with, which is unheard of in the junk mail business where I come from. With that in place, they went on to develop a program that deserves your attention if you are searching for a PHR.

To begin, MMR requires all record input via fax or file upload. Fax eliminates the risk of transmitting data over the Internet, but their browser does support 256 bits of encryption. Accounts are secured by a unique combination of user ID and password, and protected from multiple attempts to open an account. MMR employees have no access to any information, and I am assured there is a complete purge of data, including backup storage, when a participant cancels. This kind of company—compared to doctors and hospitals—is not subject to HIPAA, but MMR still conforms to its guidelines.

In a study by MyMedicalRecords comparing its features to Microsoft’s HealthVault, the service offered by MMR is fully integrated with a multiplicity of tools that allow the person to manage their personal health care information, including actual copies of medical records. According to the study, HV is like a centrally located computer server connecting to an array of third party service providers, each requiring individual set up and coordination.

There are other important comparisons. First, the HV sign-up involves 4 steps compared to MMR’s single step. Although HealthVault as a stand alone is free, many of their third party services you might want or require are not. Added together they could total $407 per year, and include CapMed Online, Peakworks fitness management, eSound Health Food Journal, CapMed Ice, which allows Physicians to access emergency information, and the MySelfHelp module dealing with grief and depression.

Also, HealthVault does not accept the faxing of documents from third party providers for things like lab tests, radiology reports, patient charts, but MMR does. None of HV’s third party services offers voice mail or a built-in drug interaction tool which come with a MyMedicalRecords account.

There’s more and we’ll get to it in the next post.

Monday, June 09, 2008


SENATOR OBAMA: THERE IS A WAY FOR AMERICANS TO SUPPLEMENT THEIR SOCIAL SECURITY OR OTHER RETIREMENT INCOME THAT YOU SHOULD CONSIDER


You want change, Senator Obama? Here’s an idea that might take you back to the very roots of the Democratic party of yesteryear when it still believed in individual rights.

Social Security income—or any retirement plan for that matter—could be supplemented using junk mail. This approach would solve the problem of those who hate junk mail, turning some of them into believers, and it could be a boon to the industry. And, those loyalists who choose to sit at home and shop will finally be rewarded for something that already comes natural for them. It would also appease the movement to stop unwanted junk mail. See earlier post. First, let me cover some of your positions on Social Security and retirement.

As our next President, you would want to protect Social Security, and one of the ways you would do this is through using the payroll tax system by increasing the maximum amount of earnings covered by Social Security. You are “forcefully” against the privatization of SS, but want to help Americans save more in some form of automatic savings plan. The latter could be accomplished by re-directing half of the income realized annually by junk mailers ($4 billion) in the sale of consumers’ names and personal data. And, why not?

Without this name-holder and their sensitive data, there is nothing for the list industry to sell, so it is only right that these individuals should be compensated for the sale of their names and private information. At the same time, they take control over their sensitive data, and determine just who may have access. I am not suggesting that they take ownership, just control. I call it the Name & Personal Data Annuity (NPDA), and it works this way.

Junk mailers gross $4 billion annually from selling names and personal data, and this continues to grow each year. It is actually a by-product of the sale of their merchandise or services, and consumers have been kept in the dark for years over the manipulation and sale of this private information. NPDA would not only provide rightful compensation to the name-holder, it would also give them the power to determine just who can use their personal data.

A consortium would be formed with both private (privacy advocates/business) and government oversight. Junk mailers would forward half the income from monthly list sales ($2 billion per year) that would be invested in a national account similar to Social Security at a simple interest rate. As an example, the lucky participant who starts this method of shopping at age 18 (and a great majority do) could supplement their retirement income in an average amount of $607 monthly. The more you shop, the more your name is sold, and the higher that $607 goes.

Even the 78 million baby boomers you have quoted that will be retiring in the next ten to twenty years have a shot at realizing benefits from NPDA. There is another advantage. Through the accounting methods that the consortium would use to screen junk mailers who sell their mailing lists, organizations like the FBI and FTC will have better insight into their activities, and will be able to weed out more of the crooks.

Senator Obama, I sincerely hope that you will take a look at my NPDA concept, and consider its incorporation into the party platform for the November 2008 election.

See additional posts on supplementing Social Security with junk mail here, here and here.

Friday, June 06, 2008


THE 2008 PRESIDENCY AND YOUR PRIVACY: JOHN MCCAIN’S MAILING LIST


Although this might be old news to some, the subject deserves new perspective from an insider that understands just what was going on when John McCain used his mailing list as collateral for a bank loan earlier this year. The insider is me, with 35 years as a junk mail list/data broker selling mailing lists of consumers—and in this case, contributors—along with their personal data to business and political campaigns. Richard Viguerie—you never call him Dick—started the political genre in Virginia, just outside the nation’s capital, with his conservative agenda, and a knack for putting together fundraising mailings.

I was working for a now defunct company in Washington that had several clients in the philanthropic area, including some politicians and political parties. We managed client contributor lists, and collected a 10 percent commission for this function, which included promoting and advertising the lists to the junk mail list/data broker community. In many cases the company also acted as the list/data broker and could collect another 20 percent commission.

That’s right. One building, one person, and literally one transaction could gross the firm a total of 30 cents on every dollar of revenue. If you were greedy you took it. If you had a conscience—which I managed to develop along the way—you negotiated the commission down. Political lists today sell for around 10 cents per name as a base rate, 17.5 to 20 cents base with e-mail address, but the cost just goes up from there.

The candidate would want to select a party, and the fact they have a credit card and made a minimum donation amount. Donor’s age might be important, their income, whether they own their home, and if they respond to junk mail. Telephone number would be a must, and marital status for the family approach. Add it all together and you tack another 10 cents on, which, if you are talking about e-mail lists—and most candidates are—totals 30 cents for each name, or as we say in the business, $300 per thousand names. The industry average is around 15 cents a name or $150 for a thousand names.

Earlier when John McCain’s campaign was in dire financial straits, it borrowed money from its bank using its mailing list as collateral. In a Jan. 9, 2008 article on Politico, McCain campaign manager, Rick Davis, said “The windfall from selling or leasing such a list was sufficient to get them their cash.” Couldn’t have said it better myself. The next day, Politico posted another piece, “McCain loan could violate donor privacy,” because the candidate’s privacy policy clearly stated the donors’ names would not be sold. In all likelihood it won’t be sold or shared until the November election, but after that, the potential is astronomical in future conservative causes.

I don’t know how many donors McCain has collected, but Mike Huckabee, an earlier competitor and now possible running mate, amassed a file of 3.2 million names while he was running. If McCain hasn’t equaled that, there is something wrong with his strategy.

Here’s the math on 3 million donor names selling at 30 cents per name. First of all, we narrow the file down to its best donors which would probably net 1.5 million names. One turn of the list grosses $450,000. But the number of times it could be sold in the period of a year is between 25 and 50 times. Let’s be “conservative” and say it is sold 35 times. The gross revenue for one year could reach as much as $15,750,000.

Now you know why John McCain is still in the race for president.

Thursday, June 05, 2008


DATA BREACHES 2008…STILL AN UGLY MESS


I hesitate to throw statistics at my readers, but, as they say, there is safety in numbers, and the best way to illustrate the identity theft problem is to expose the numbers. Millions of them. Brian Krebs in his Washington Post “Security Fix” column posted this past April 2, reported that 8.3 million personal and financial records had been compromised since January, resulting from 167 data breaches. In all of 2007 there were 448 data breaches recorded. The statistics come from Identity Theft Resource Center.

Now get this: since April 2, 2008, the number of records exposed has grown to 16,683,718, doubling the first quarter in just an additional two months. It took only 131 more breaches to reach the twofold mark, for a total today of 298. That means we are already at 66.5 percent of 2007 in only five months and growing. There was a large breach at Hannaford Bros. supermarkets of 4.2 million, but this sort of thing seems to be happening on an annual basis. Remember TJX (TJ Maxx, Marshalls retail stores) where 94 million credit and debit card numbers were lost to hackers last year?

Krebs confirms figures that we have seen quoted before showing business accounting for around 36 percent of the data breaches; next, schools and universities 25 percent; government and military 18 percent; health care 14 percent; and banking and financial 7 percent. See the industry breakdown here. Additional figures show that 13 percent of breaches are from outside hackers, with the majority of data loss coming from lost or stolen laptops. And insiders still do play a part in this fraud.

It is most interesting to see who the players are, and they cover a broad range, from business to government, military, universities, hospitals, and huge lending institutions. To mention a few: the IRS lost 15,000 records, Pfizer, a repeater, 13,000; the Marine Corps 17,000; University of Miami 2.1 million; Staten Island U. Hospital 88,000; Bank New York Mellon Shareholders Services 4,504,690; GE Money-Americas 650,000. In all cases some type of personal data went missing, ranging from names and addresses to Social Security numbers to medical records.

ITRC says some of the things prompting the increases in breaches are consumer awareness and mandatory laws for reporting where business would prefer releasing the bad news rather than have it come from the media.

I encourage you to go to the ITRC site and click around on the different choices. Under Consumer Resources there are Prevention Tips and Consumer Guide. Victim Resources provides Solutions and Letter Templates. And the State and Local Resources button will lead you directly to your state with complete information on what help you can get at the local level. It is only through education and preparedness that we can eventually eliminate identity theft, and you must do your part.

Wednesday, June 04, 2008


2008 PRESIDENTIAL CANDIDATES ON PRIVACY: BARACK OBAMA


Obama has the Democratic Party’s nod as its presidential candidate in November, something that still has to be confirmed at the August convention, so now is the best time to evaluate his credentials as a supporter of consumer privacy. McCain didn’t take long to appraise, because he has no real positions on this important issue, much less addressing the problem of identity theft. Unfortunately, Obama lends little to the right to privacy movement in the way of specifics.

He, as did McCain, sent his representative, Daniel Weitzner, to the annual Computer Freedom and Privacy Conference recently in New Haven, Conn. In a Los Angeles Times Blog, Weitzner says Obama wants to “preserve and enable the growth of the Internet with its current openness properties.” Further, that the candidate is “committed to strengthening privacy laws…” So far, only generalities. In more of the same, he wants to make government more transparent, and was outraged over his confidential passport files being looked at.

As compared to Hillary Clinton’s introduction of privacy legislation—although nothing has passed so far—Obama has not brought any bills forward for the protection of consumer privacy. Back in February of 2006, on the floor of the Senate, he attacked the PATRIOT ACT as overreacting to law enforcement power at the expense of individual rights. In a campaign blog published in December of 2007, he mentions the “P” word five times in his belief that a person’s privacy must be balanced with the protection of the nation’s security.

Ideas are great, but consumers need to know now, today, how their names and personal data will be protected starting in January 2009. It certainly hasn’t been in the last seven and one-half years.

Turning to health privacy and Pogo Was Right/Chronicles of Dissent re. Obama, the same thing happened here that happened to me when asking the campaign a question, and requesting an interview on the candidate’s positions. A quick response that they would get back to me, then I began to receive unsolicited campaign mailings, but never had my questions answered, nor any additional information. I even contacted the guy in charge in Arizona, but still heard nothing. Not a way to encourage votes. Pogo found no evidence the Senator ever addressed health record privacy, except for his “Plan for a Healthy America,” which you can see here.

Finally, in a presidential announcement speech February of 2007 in his home state of Illinois, one of his major points was to “Safeguard our Right to Privacy.” Again Obama mentions the “P” word seven times, rambles about the need for privacy protection, and says he will strengthen privacy and hold government and business accountable for violations. He just doesn’t say how he’ll do it, or even give us a hint.

How could we be entering the general election phase of the 2008 presidential election without one of the contenders talking about how they will stop identity theft, the biggest threat to voters’ privacy that has come along in years? If the candidates don’t care about the privacy of the individual in general, let them at least address the number one consumer fraud today: ID theft. If no one does soon, maybe the slate for president isn’t complete yet.

Tuesday, June 03, 2008


BULLETIN: CALIFORNIA STATE SENATOR WANTS TO TAKE AWAY YOUR PATIENT PRIVACY RIGHTS


California State Senator Ron Calderon, a Democrat, has proposed legislation that will allow your local pharmacy to share and sell your confidential medical information to pharmaceutical companies and third party corporations (data brokers). Included for sale are the medications you take, and it could be done without the patient’s consent if SB 1096 passes into law. The Consumer Federation of California in a release reports that, "Under this bill, an individual’s private medical prescriptions become commodities to be marketed and sold for the purpose of increasing corporate profit, not improving public health."

It has already been done, minus support of a law like this, in certain other states, one of which is where I live in Arizona. Albertsons/OSCO sold our family’s medication records to drug companies, who bombarded us with mailings over several months. Although these mailings stopped, the question still arises of where this private medical information, plus Social Security numbers, name/address, etc., is still warehoused. I can assure you it has not been deleted from the pharmaceutical companies’ databases.

Californians should contact their representatives, and the media, to let them know how you feel. The other 49 states can only wait and see the outcome of this bill. Unfortunately, so goes California, so goes the rest of the country in many cases.

2008 PRESIDENTIAL CANDIDATES ON PRIVACY: HILLARY CLINTON…PART 2


In my last post, Senator Clinton had strongly recommended a Privacy Czar that would serve under Homeland Security, and straighten out the government’s handling of consumer sensitive data to both protect the individual’s privacy, while keeping the U.S. secure. Next we turn to the privacy of health records where Hillary shines in an array of introduced legislation, but still no bills passed.

From Pogo Was Right/Chronicles of Dissent, there was the Patients’ Privacy Protection Act of 2004, S. 2827, designed to close loopholes in Federal Rules of Evidence that would make sure “every American’s medical records remain confidential.” In other words, all that good stuff you lay on the line with your doc stays with the doc. A judge would have to rule otherwise, but at the same time maintaining patient privacy to the best of his or her ability.

Then, the candidate supported the Genetic Information Nondiscrimination Act of 2005, S. 306, to “maximize advancing technology’s benefits while protecting Americans from the use of genetic information as a tool for discrimination.” And there was the SAFE-ID Act, S. 810, mentioned in yesterday’s post, when related to healthcare, provides the same protections for personal health data in the U.S. and overseas. In referring to the Health Insurance Portability and Accountability Act (HIPAA), Clinton says that HIPAA was meant to have teeth, but laments the 35,000 complaints received based on the act with not one monetary penalty having been levied.

In the Senator’s American Health Choices Plan introduced in September 2007, Pogo points out that privacy is mentioned only once, and that is in a heading on page 7, reading, “Ensure That All Providers and Plans Use Privacy-Protected Information Technology.” You can’t blame the candidate after suffering all these defeats in the passage of a series of well-conceived and well-written bills on privacy. She can be faulted, like all the others, for not insisting that this issue be included in the party’s platform.

Hillary believes we can balance privacy rights and national security using the Foreign Intelligence Surveillance Act (FISA) that Bush whined was too slow. This would be done in three ways: 1) giving Congress oversight over the issue, 2) first seeking a warrant for the surveillance, and 3) maintaining effective intelligence gathering according to law.

WIRED did a good piece on the candidate back in January of 2007, entitled “Hillary: The Privacy Candidate?” The time period seems almost ancient based on recent developments in the presidential campaign. According to the article, Obama and Edwards have addressed privacy issues throughout their careers but “Clinton’s approach is notable for its range and detail,” according to privacy advocates. Chris Hoofnagle, a law professor at UC Berkeley's School of Law and privacy expert said: "Sen. Clinton's plan is well-informed and the most sophisticated statement in recent years by a presidential candidate on privacy issues."

Although I haven’t been able to uncover the source for this statement, WIRED says Senator Clinton’s “general policy position is that companies should cede more control to consumers, and that new legislation should be enacted to make it easier for consumers to recover monetary damages from companies that violate their privacy policies.” Jim Harper of libertarian think tank, The Cato Institute, comments: "The reality (of her proposals) is that they would almost turn the information economy inside out -- it's like saying, 'OK, now the water in the stream is going to flow in the other direction.'"

Isn’t that exactly what we need to do?

Monday, June 02, 2008


2008 PRESIDENTIAL CANDIDATES ON PRIVACY: HILLARY CLINTON


I am impressed with Clinton’s proposing of privacy legislation, but, unfortunately, none of it has resulted in law. Her most courageous efforts are S. 3713, the Privacy Rights and Oversight for Electronics and Commercial Transactions Act of 2006 (PROTECT), and S. 810, the SAFE-ID Act, both in the 109th Congress. Much of their failure can probably be blamed on a Republican-controlled Congress when each was introduced. However, when the Democrats took over in January of 2007, they had their chance to shine, but, of course, blew it.

On June 16, 2006, speaking before the American Constitution Society, Hillary laid out her plans for privacy and they are quite impressive. To begin, she says: “At all levels, the privacy protections for ordinary citizens are broken, inadequate and out of date...” Good start. Then comments on how “privacy and national security have gone hand in hand since America’s beginnings.” Followed by how the Framers adopted the Fourth Amendment to provide us this right, she said, “Privacy is not and should not be a liberal value or a conservative value. It is fundamentally an American value. It is a human value.” Sounds like we’re on the way but that was 2006.

That’s when she proposed her privacy Bill of Rights (S. 3713) to be encapsulated in the PROTECT Act, and introduced in Congress on July 21, 2006. Here are the protections proposed that would hold the government and the private sector responsible for the information they gather:

• the right to sue when those rules have been violated

• the right to protect your phone records

• the right to freeze your credit when your identity has been stolen

• the right to know what businesses are doing with your credit and credit reports

• the right to expect the government to use the best privacy practices itself with your information

Next, her Bill of Rights would prevent private cell phone numbers and their call records from being shared or sold. And the Senator feels strongly about notification in the event of a data breach; not in days, weeks, or months, but immediately. Right on.

But her facts are flawed when talking about personal data that is sent overseas. Hillary says, as inadequate as U.S. privacy laws are, they are better than those found “in most of the rest of the world.” Not true. Sure, if you’re talking about India or Pakistan, but the privacy standards set by the European Union are far superior to any law passed or proposed in this country. Her SAFE-ID bill (S. 810) would have made sure that consumers were notified when their private information was going to be sent abroad, and offered the opportunity to opt out.

Clinton wants another Privacy Czar like the one during her husband’s administration. Naturally, George Bush decided it wasn’t necessary in an imperialistic government. The Senator would have the privacy czar as a part of the Office of Management and Budget, with oversight into the workings of all government departments with the power to enforce the law. And when selecting this person, I would hope that the next president would allow the community of privacy advocates to have major input.

More Hillary privacy next post.

Friday, May 30, 2008


ACXIOM PROVIDES BUSINESS NEW AUTHENTICATION OF ONLINE CUSTOMERS. BUT, HOW ACCURATE IS IT?


Junk mail data broker, Acxiom, has just announced that it will introduce a new service, FactCheck-X Authenticate, to business clients based on unique biographically based questions asked of online customers that are designed to qualify them with the company they are contacting. This could be logging into your stock portfolio, accessing your bank statements, or perhaps even looking at your medical records. According to an article on PR-inside.com, “businesses are more secure and customers can experience a better online authentication experience.” I doubt the latter, and here’s the reason why.

In 2005—and if anyone finds a later report please let me know—the non-profit Privacy Activism did a study to determine the accuracy of biographical information in two major data brokers, Acxiom and ChoicePoint. Acxiom’s authentication, above, is based on biographical data. It was discovered that even in the most basic information like name, address, phone number, Social Security number, errors were found in 67 percent of Acxiom’s reports. If this has been corrected, I welcome factual substantiation that it has.

NewsEnet.com provides insight into some of those biographical questions inquiring consumer minds might be faced with.

• In what subdivision do you live?

• Where does your brother Mike live?

• Select a state which you were previously licensed to drive.

• How many fireplaces are in your current residence?

OK, what if both Mike and I just moved? Will Acxiom allow for this mistake, and then ask where the former residences were? The fact that they are asking anything about my driver’s license bothers me, but I guess telling them about my fireplace won’t hurt.

Jennifer Barrett, Acxiom’s chief privacy officer, won’t reveal specific sources of your biographical data, but adds that it did come from “public document files and private sources.” She also cites the Patriot Act as a crutch for doing this, which immediately throws up warning flags and reminders of NSA’s warrantless spying. Lee Tien of non-profit Electronic Frontier Foundation sees no advantage to the service. Others can find out many of these facts about you, and her opinion is that a random, newly assigned PIN would be safer.

I did a post in February of this year where it is shown how your name and personal information are eternalized—similar to your name and date of passing on your tombstone—in data broker databanks across this country and throughout the world. The major companies responsible for collecting your private information and archiving it forever are Experian, TransUnion, Equifax, ChoicePoint, and of course Acxiom. The first three are also credit bureaus, holding your most precious credit data as well.

In March of 2007, another post was done on Acxiom’s new connection to May Company stores, which were eventually converted to Macy’s. Acxiom was enhancing the Macy’s list—including Bloomingdale’s, also a part of Federated Stores—with customer personal data, among which is your age, income, plus a number of other demographic characteristics, then purchase and lifestyle behavior like health interests, religion, credit cards held, politics, cell phone owners, investments, reading and vacation habits, and wine drinkers. If you are a Macy’s or Bloomingdale’s card holder—there are over 3.6 million—go to this site to see what all they know about you.

So the next time you shop at Macy’s or Bloomingdale’s online, they might ask you if you have arthritis, or if you like baseball, if you are on a diet, what shape your houseplants are in, or how was your recent skiing trip? If you can’t answer the questions, don’t be surprised if they hesitate to sell you a collar for your cat, which they already know you own.

Thursday, May 29, 2008


2008 PRESIDENTIAL CANDIDATES ON PRIVACY: JOHN MCCAIN


This is the first in a series of posts on the 2008 presidential candidates’ positions on privacy. With identity theft the number one consumer threat to Americans today, you would expect at least the Democrats to be coming out full-bore with promises to secure our sensitive data. The Dems used to be the party of the people, protectors of individual rights, but that has gone by the wayside in favor of just winning elections. I even contacted the Obama campaign at the national and local levels because of his cry for “change.” There was no response. But then this is about John McCain.

Although it seems apparent that this candidate plans to carry out many of the policies of the Bush administration, he did stray recently by stating that he didn’t believe Congress should immunize the phone companies for liability in the NSA warrantless wiretapping. See Electronic Frontier Foundation.

According to Michael Arrington, a blogger and former corporate attorney, McCain’s reply to a question re. the government’s role in preventing identity theft and protecting online privacy was: "I think the best solution is continued consumer education and business innovation to try [to] come up with further safeguards." This is from an interview Arrington had with McCain back in late 2007, and reported by Tech Policy Central.

Along the same lines in the Los Angeles Times blog, a McCain representative speaking on behalf of the candidate at the Computers, Freedom and Privacy conference held earlier this month, indicated that “McCain preferred a more market-oriented approach to technology issues.” Although directed primarily at the Internet, it is further substantiation that the Republican will act like a Republican, favoring big business over the consumer. The latter are my comments.

If you go to McCain’s presidential election site, you won’t find any commitments to protecting your privacy. There is a page of “Issues” that lists fourteen topics, from the economy to the space program, but nothing that says he will address the ID theft problem and individual privacy in general. Earlier in an MSNBC article, the candidate states that he will talk about consumer issues during the course of his campaign.

In another recent blog post, Lindsay Beyerstein of Majikthise feels that McCain could be entertaining an advocacy of executive power even more extreme than the Bush doctrine. This stems from the presidential contender’s comment at Wake Forest University recently that “activist” federal judges were usurping the power of state legislatures. Beyerstein wonders whether McCain is recommending that the Executive branch now assume full responsibility for interpreting the Constitution. She quotes Jeffrey Toobin, attorney and legal expert for The New Yorker and CNN, who compares McCain’s position with Bush who expressed contempt for judges who “legislate from the bench.”

In Toobin’s The New Yorker piece, he observes the candidate’s reference to “penumbras” and “emanations” used by the Supreme Court as a way of skirting “clear and rigorous constitutional reasoning.” Not accidental, the use of the two terms penumbras and emanations, says Toobin; the same words came from William O. Douglas in 1965 in a ruling that a state could not deny married couples access to birth control. That court case, Griswold v. Connecticut, was also the first time the Supreme Court recognized a constitutional right to privacy.

Wednesday, May 28, 2008


IT’S OPEN SEASON ON OPEN ID


If you haven’t already heard of it, OpenID is a shared identity service that lets Internet users log into a number of web sites with only one digital identity. This eliminates the need for a user name and password for each site. In a Washington Post article by Brian Krebs, “The key to your online identity [in OpenID] is the use of a Web or blog address, such as http://myblog.someplace.com.”

An OpenID is obviously no more than a URL, which simplifies things if you already own one. Then you have to pick a provider like Live Journal, Vox, VeriSign or MyOpenID. By using your online identity at a site accepting OpenID, you then have to confirm your identity credentials, and you’re in.

From what I can tell by visiting the four providers mentioned, the most personal data you give up to join is date of birth. You may be asked for additional private information later as a member when participating in company promotions or sweepstakes. And this data could be shared with outsiders. But the only site asking for a full name—almost completing the formula that could trigger identity theft along with date of birth—is Vox, and they also want your gender. MyOpenID and VeriSign offer passwords along with normal industry standards for security. Vox and LiveJournal add to that SSL encryption to protect some data transmissions.

Bill Gates said Microsoft would throw their support behind OpenID, but, then, MS attempted to control online IDs with MSN Passport a few years ago which never caught on outside the company. Yahoo and Google also tried their own versions. Maybe it took a new set of entrepreneurs to get things rolling, because it is reported that there are over 160-million OpenID-enabled URIs (Uniform Resource Identifiers), and nearly ten-thousand sites supporting this kind of login.

There are mixed reviews with advocates feeling OpenID can both prevent and open the floodgates to phishers and scam artists. But I think we have long since accepted the fact that if sensitive information that can lead to ID theft is available out there, the bad guys will find a way to harvest it. Prove me wrong, but I don’t think this is any different. There is another site from the WP article that provides more depth to the technology of OpenID that I am linking to here.

The upside is plainly convenience. The downside—and you’ve heard this many times from me—is that the OpenID is yet another process of creating a community of databases with at least four players already collecting your personal data. Since this new-found brainchild from geekdom will open the way to every portal on the Internet with which you have an association, and potentially could expose your complete world of private information, don’t you think you should demand some major controls over its security?

I’m not crying wolf before he’s in the henhouse, but at the least I would like to hear more from this new industry about what their plans are to protect your sensitive data, and just what safeguards will be put in place to combat a potential disaster of data loss when it happens. And we know it will…eventually.