Search This Blog

Friday, January 30, 2009


Bernie Madoff awoke one morning in his East Side apartment to face two FBI agents. Special Agent Theodore Cacioppi asked him: “We're here to find out if there's an innocent explanation," referring to reports his investment firm had stolen billions from its customers. Madoff replied: “There is no innocent explanation.” And that is one of the comparisons to identity theft; the only reasoning in either case is the greed of an individual that overrides all common sense and decency.

When the tanking economy prompted many of Madoff’s investors—which included big names like real-estate magnate Mortimer Zuckerman, Nobel laureate Elie Wiesel, Sen. Frank Lautenberg, Hollywood director Steven Spielberg and Zsa Zsa Gabor, some, close friends—to pull out their money, the fraud was finally discovered. Employees actually went to his apartment where Madoff admitted the fraud. His two sons, also among the shocked employees, called the Securities and Exchange Commission, which tipped off the FBI, according to a New York Daily News article.

Thus, the second comparison to ID theft. According to Javelin Strategy & Research, almost half of identity fraud is perpetrated by friends, neighbors, employees, family members or relatives.

Bernie Madoff is charged with the biggest Ponzi scheme ever, costing his victims $50 billion that many experts believe is a complete loss. Coincidentally, almost $50 billion was lost to identity theft in the last Javelin survey, this through a network of crooks that come across almost as sophisticated as Madoff. The point here is that it would be near-impossible to protect against an investment conspiracy like Madoff’s, since years of reputation and friendship were used to pull off the scam. Of course, questioning the spectacular results being experienced in such a down economy would have helped.

On the other hand, it is possible to prevent identity theft by giving consumers control over their names and personal data, and compensating them when it is sold to encourage taking over this new responsibility.

In the meantime, I thought we might start a “Buddy System” to help friends, relatives, even strangers if they will listen, to guard their private information from the bad guys. You remember summer camps when you went swimming and everyone was assigned a buddy for both of you to watch each other. Of course, today’s breast cancer buddy system is one of the most prominent and successful.

As a privacy advocate who lives the part every day, I am amazed at the number of people I run into who either do not understand the basics of protecting their sensitive data, or are of the group that thinks it could never happen to them. In other words, it is at the bottom of the priority list, and is likely to stay there until public recognition is aroused. Perhaps those of us who understand the problem can pass the word around of just how important it is to safeguard our private information.

Just tell them if they don’t, and their identity is stolen, it could cost them $5,720 and at least 25 hours to take back their credit. That’s the facts, folks.

Wednesday, January 28, 2009


Remember the old days when we used to think of something on the black market being either jeans, CDs, videos, even body organs? Now there’s a new player on the block and they are interested in your name and personal data. It’s a well organized, calculated business to acquire all the consumer private information that can be had, either easily, or no matter how much effort it takes to get it. The idea is to steal your sensitive data, and, rather than capitalize on what they have themselves, the thieves sell it around the Internet underground to thousands of takers who then proceed to cop your identity.

Newsweek had an article last December, by Benjamin Sutherland, quoting a French security specialist who estimates there are several hundred online marketplaces just bursting with your latest personal data. My take is that number is conservative. It’s the general run of information that is available. Bank accounts that go for 5 to 10 percent of your balance. But credit cards are the most in demand, garnering around $450 for 10 accounts if you are in the U.S. or Western Europe. Like any other commodity, it is quality that determines the final price.

Naturally, I still believe that my concept of giving consumers control over their names and private information would put an end to this black market trade. Let’s set up a scenario where the crooks have stolen your personal data, including your Social Security number, and have sold it extensively to the underground.

The next move by the bad guys who bought your private information would be to open all the new accounts they can before being discovered. Then, either make purchases in your name or go for whatever cash is available in the credit line. Regardless, you’re on the line for the dirty dealings until, and if, you can prove it is ID theft. But wait…resulting from federal legislation, you were given the right to control your sensitive data, and through a process of approval necessary, whenever your private information is used, you have the ability to stop any and all transactions, ultimately spoiling the heist.

If you want to see the mechanics of how this control over your name would work, go here.

Since much of the thievery of our private information originates outside the U.S., it is sometimes near impossible for the American government to identity the bad guys, must less get the country to take action against them. As an example, in a 2006 study of phishing, 4 percent came from Great Britain, 6 percent from China, 8 percent from India, and 14 percent from South Korea. It is a well known fact that a great deal of identity scammers reside in Russia. In case you’re wondering, phishing is sending an e-mail posing as an established company to get the receiver to give up sensitive data.

In a crooked reseller’s market, the number of times your personal data is sold is unlimited, which means that there are endless possibilities where your identity can be breached and stolen. This is all escalating to a point where current methods of protecting the individual’s identity are proving useless. If someone has a better idea than giving consumers control over it, let them come forward. Pretty soon it will be too late.

Monday, January 26, 2009


A Penton Media junk mail online publication, Chief Marketer, looks at the future of Direct Marketing after the election. Lots of plans, but nary a mention of how the industry would strive to improve sensitive data security. Of course we wouldn’t want it to be top priority, with identity theft running at the head of the consumer fraud class. With the Direct Marketing Assn. trade group downsizing recently, there is even less oversight for junk mailers who push the envelope or even commit outright deception. Hopefully, the age of “let business police itself” went out the door with George W. Bush. Sorry, but it is obvious from the economic mess we are in right now that has affected so my industries that greed at the top has more appeal than doing the right thing. With around 60 million junk mail households in the country, they have the right to expect that this business lives up to the highest standards in handling their names and private information. Therefore, I hope that the new administration will consider some regulation of junk mailers when it addresses the identity crisis…and soon! Wrong conclusion on new Better Business Bureau strategy. First of all, I don’t believe the BBB is consumer oriented enough; it is clearly more in the corner of business. But an article on MSNBC by Eve Tahmincioglu, misses the point completely about the new agency’s approach. The author takes them to task over a revision in rating businesses that sets up a report card system (A thru F) that is much easier to interpret when deciding to deal with a company or group. She even makes a statement in the piece that proves my point. She says: “Before, if you were a business owner all you had to do was get yourself off the unsatisfactory list and you'd be okay with customers.” A few years ago when the qualifications were “satisfactory” or “unsatisfactory,” I questioned the “satisfactory” rating of a “get rich quick” junk mail company for having a large, and I mean large, number of complaints. The BBB’s answer was that, with regard to the number of complaints in relation to the amount of business they did, the formula considered them OK. Having spent over 25 years as a junk mail list/data broker at the time, I knew that their “amount of business” was reported as the number of suckers that responded to an appeal that promised they would get rich overnight. No wonder the proportion worked in their favor. The new system would probably give them as F, at least a D. Here we go again with another anti-identity theft bill. OK, at least it is designed to make it harder for the bad guys to get your Social Security number. Senators Judd Gregg (R-NH) and Dianne Feinstein (D-CA) introduced the bill in January, according to junk mail publication, Direct. Called the Protecting the Privacy of Social Security Numbers Act, it prohibits the sale, purchase or display of a Social Security number by any person without the number holder’s consent. That’s good for legitimate business, but what about the Internet underground that could care less about federal legislation. Why can’t these lawmakers just realize that there is only one way to end the identity crisis? Give consumers control over their names and personal data, and compensate them when it is sold to encourage the acceptance of this new responsibility.

Friday, January 23, 2009


First, let’s all congratulate our new President, and wish him well in the next four years. It has become painfully obvious since the election just how much Barack Obama will need our support, and he has made it clear on several occasions, there is only so much government can do. The rest is up to the people, as once again we can expect that their voices will be heard by a new administration that is telling us it wants our input.

As a matter of fact, the Obama transition team established a website where consumers can ask questions of President Obama, while suggesting what should be done in the next four to eight years. has already taken more than 76,000 questions from over 103,000 people, and you can be next. Naturally, I have asked the President if he would consider federal legislation that would give consumers control over their names and personal data. The top questions so far are would Obama investigate the Bush/Cheney administration for its wrongdoing and would he favor legalizing marijuana?

According to a 2007 article in junk mail industry publication, DM News, a then Senator Obama sent a letter to the Federal Trade Commission in May of 2007, suggesting they increase their efforts to protect elderly citizens from telemarketing scams. It was directed at junk mailers who took advantage of seniors, and was a result of the New York Times article that same month covering the problem. You can see a copy of his letter here. Junk mail data broker, InfoUSA, was singled out as providing lists of older Americans to telemarketing fraudsters. Lists with titles like, "Suffering Seniors" (people with cancer or Alzheimer's disease); and "Oldies but Goodies" (gamblers over 55 years old).

When I worked as a list/data broker, the list business had a nickname for them: the “gullibles.”

Robert Gellman, a privacy and information policy consultant and DM News columnist voiced concern this kind of publicity would “play negatively” for junk mailers. In response to a spokesman for InfoUSA, Stormy Dean, who was quoted as saying, “When it comes to these telemarketer scams, how a list purchaser uses a list is out of our control," Gellman commented that this position was wrong, that InfoUSA had a problem and should acknowledge it.

My comment: It is Dean’s kind of attitude that sends chills down the spines of privacy advocates, confirming once again that the junk mail industry does not exercise adequate security to protect the identities and sensitive data of its customers.

No matter what direction the Obama administration takes on behalf of privacy, particularly the identity crisis—I am not na├»ve enough to think it ranks up there with the problems of the economy, the Iraq War, or the mideast situation—but if something is not done soon to protect the public’s sensitive data, the entire infrastructure of the American family will be in danger.

The new President asked for our help; let’s give it to him in the form of suggestions you might have on this important issue.

Wednesday, January 21, 2009


Surprised? Probably not. Some of you don’t care, many don’t want to worry about it, a lot think it doesn’t make any difference. You’re all lumped into a category I call the “Apathetics.” Oblivious to what is happening to your private information until you’re hit with identity theft...and then it’s too late. Mailing lists are a big business, bringing in an annual gross figure of around $4 billion. That’s a number I worked on for several months, using my own formulas and sources of data because junk mailers won’t tell anyone how much this profit center is worth. My figures are based on 35 years as a junk mail list/data broker, so you can see they do have credibility.

Naturally, list owners—as they refer to themselves—are quick to protect this revenue stream that produces approximately 60 percent profit. Keep in mind, this is actually a by-product of the purchase you made of a product or service from some junk mailer. Somewhere in the order form, almost hidden at times, you will be told that your name—not mentioned, but including private information in some instances—will be “shared” or “exchanged” with other reputable mailers. Never, will they come right out and say that they sell your name up to 50 times in a year, based on each purchase you make. Some let you opt out of this, yet others, even some large junk mailers, do not.

The way they protect this gold mine is by forcing other junk mailers to sign a “list rental agreement” with terms that restrict the selling of your name and address. That’s good for the consumer since most contracts prevent sending you pornography, or fraudulent offers. But also included in each arrangement is the verbiage stating that your name, address, possibly personal data, being sold to the other junk mailer remains the exclusive property of the list owner. Although, perhaps, a technicality to define who originally collected the names and addresses, most junk mailers take this literally as a mandate of their sole proprietorship of our private information.

As an example I picked one of the largest list/data brokers to prove the point. Worldata, out of Boca Raton, Florida clearly states in their agreement that the List Renter “…agrees that this information is the exclusive property of the List Owner.” “Information,” of course, is your name, address, maybe personal data. In the beginning you can see that this is a current instrument used by the junk mail industry today because of the 2009 dateline.

Don’t get me wrong. I don’t think the individual should own their name and private information either, due to the number of con artists out there that would take advantage of those who are vulnerable. My concept is that your name and personal data should remain as a free spirit, much akin to how the airwaves used to be in delivering broadcast media. Like the radio and TV stations that transmit the programming do, consumers should have control over their sensitive data. And, they should be compensated when it is sold to encourage taking on this new responsibility.

However, it will be impossible to sell this concept as a federal law until American consumers convince their congressional leaders they want control over their names and private information. Only then will we stem the tide of junk mail industry lobbyists that somehow have prevailed upon Congress that they are the rightful owners of America’s individual identity.

Monday, January 19, 2009


It can’t get much worse; I’m talking about George W. Bush’s rein over making sure the business community takes complete preference over the lowly consumer. We were simply pawns to this man and his renegade posse that almost put this country in an economic stupor. But rather than rail over the incompetence and deplorable decision-making by “W,” let’s look at how the Federal Trade Commission can change its tactics back to the agency that is supposed to stick up for U.S. citizens in the marketplace.

Of course, my primary concern is over the individual’s privacy, specifically how this relates to the identity crisis. It won’t be long before Javelin releases its 2008 report on identity fraud, and I expect, with some exceptions, it won’t look nice. As an example, in 2007, although down almost 10 percent from 2006, ID theft victims still numbered 8.4 million, and lost $49.3 billion, also down somewhat from the earlier year. The average fraud amount in 2007 went down to $5,720 from $6,278 in 2006, and on average it took you 25 hours to solve your predicament. Even if it improves in 2008 by proportion, we still have a long way to go in resolving the identity crisis.

In October of 2002, a warning headline in junk mail industry publication, DM News, “List Industry Could Be Next Target for the FTC,” cautioned junk mailers that investigations could be underway soon into some of the questionable techniques used by data brokers to sell your names and personal data. Howard Beales, then, director of the FTC’s bureau of consumer protection, said in an October 24, 2002 meeting, “We’re very interested in pursuing investigations involving lists and list brokers.”

As a former junk mail data broker for 35 years, I filed a request with the FTC in Sept. of 2003 under the Freedom of Information Act for more specifics on this meeting, but received little because there really wasn’t much more than what was covered in the above article. Knowing what I know about the selling of mailing lists, I could have turned the get-together into a consumer rumble for the rights of individuals to their sensitive data.

Beales did say they had caught Eli Lilly releasing e-mail addresses for 600 users of Prozac; Microsoft did not maintain the level of security promised for its Passport System; and American Student List Co., along with National Research Center for College and University Admissions sold students’ names, addresses and dates of birth in the marketplace after promising they wouldn’t. All meaningful consequences to our privacy, but still not addressing the root problem: the fact that thousands of junk mail companies out there have consumers’ names and private information, most of which still think it is their "proprietary" property, to do with as they please. As if the individual name-holder has no rights in this issue, except an opt-out section in most junk mail offers that is, at best, misleading.

As far as I can tell, that was the end of any meaningful investigations into the secret world of selling names and personal data. By the way, Howard Beales resigned from the FTC about two years later and returned to academic life.

Next time: data broker and junk mail company contracts written to maintain ownership of your names and private information.

Friday, January 16, 2009


Most posts in The Dunning Letter result from bringing you current events, with some analysis on how they relate to your privacy. On other occasions, such as today, there is a necessity involved that dictates speaking out. The opportunity that presents itself is one of far-reaching concern over the credit bureau Experian, and its level—or lack of—customer service.

On August 18, 2006, I did a post, “Experian Denies My Right to Dispute Credit Report Problem,” after which I have received a parade of comments (28 to date on just this post), e-mails, and visits to this blog with searches titled “Experian dispute.” Earlier in August of 2006, I had done another post, “Level of Competence at Experian Credit Bureau Found to Be Low,” that documented my personal experience of having my credit report go temporarily missing from the paid service I used, Credit Manager, which normally provided 24/7 access online.

In other words, I had uncovered a rash of complaints against Experian, that did not appear to be anywhere near as prevalent with the other two credit bureaus, Equifax and TransUnion.

Speaking of TransUnion, they had their bout with the government and lost, all the way to the Supreme Court. Back in 1992, the Federal Trade Commission filed suit against TransUnion for selling information that was taken from their consumer credit database. The country’s highest court agreed with the FTC, and the practice was stopped.

But in the last couple of weeks I have received at least five comments, some desperate, accompanied with numerous e-mails, from exasperated victims of Experian’s abominable customer service. I can’t imagine what is taking the FTC so long to take action against this credit bureau; The Dunning Letter, alone, has recommended on numerous occasions that Experian casualties file complaints with the FTC.

I even posed this question with a top privacy advocate who also has no idea how long it will take the agency to wake up. This source does emphasize: always file a complaint because eventually the number will be too large to ignore.

This all brings me to an article I read recently in a junk mail industry publication headlined: “Experian Lays Off 130.” Agreed, this was not the company’s credit bureau operation, but rather the marketing arm for selling their database with well over 200 million consumer names and private information. Things like age, income, whether you drink or gamble, what your ailments are and the medications you take for them. The list goes on numbering hundreds of personal things this company knows about you and sells on a daily basis.

The irony of this is, why couldn’t Experian retrain these people and use them in the credit bureau’s “customer service” department, instead of putting them out of work? Anything would be better than the attention the public is getting now.

Experian’s last reported six month period revenues in 2008 generated $1.04 billion in revenue and $251 million is profit. Total company employees number 15,500, less 130. You’d think out of 15,370 people Experian could find someone to handle you complaint.

Maybe it’s time this action made its way to the Supreme Court.

Wednesday, January 14, 2009


If you have become a victim of identity theft, it’s your local police department that you turn to by filing an identity theft report as required by the Fair Credit Reporting Act. You will no doubt have to give law enforcement your date of birth, which they will enter into the report, which could eventually become available to others. And that is the problem. Connected to your name and address—also in the report—your date of birth is one of the primary elements the crooks need to steal your identity.

In a recent article from the Arizona Republic, in some cases Phoenix Police censor critical personal data, such as your date of birth and Social Security number, and sometimes they don’t. Apparently, in a lot of incidents the DOB is necessary to narrow the search down to the exact person being looked for when additional investigations are conducted. The state of Arizona does have a law that protects residents’ private information, and the Phoenix City Manager says the city “began restricting public documents, at the request of city attorneys, to comply with an Arizona law designed to protect residents’ personal information.”

Other police departments confirm that date of birth is necessary to prevent mistaken identities, and this is supported by private individuals and companies who have to access these records for business purposes. What we have here is one of those situations that can give privacy advocates a bad case of heart burn. This, combined with an active terrorist movement, plus bad guys that seem to find new and better ways to rob us each day, provides a real dilemma. And it doesn’t appear that either side is willing to give in completely, nor should they.

If your state has a law protecting this sort of personal data collection, please share it with us all, and provide any information you might have on what your local law enforcement jurisdictions collect and make available to the public.

Somewhere in the future, either technology will give us the ability to solve the identification process without giving up the family private history. Or, Congress will eventually implement the Real ID Act. You remember this fiasco, the one that requires each state to come up with an ID card that is standard by federal guidelines. The Act was delayed in 2008 with an extension to December 31, 2009. I wouldn’t have bet on anything of this nature backed by the Bush administration, but perhaps Obama’s “heads” can figure out a way to ID each of us without potentially giving away the farm.

What I do know is that with each announcement of this type, we get closer and closer to the time when the data burglars won’t have to spend more than a few seconds to determine from where to steal your private information. The way things are going, it’s only a matter of time before the crooks compile their own “Directory of ID Theft Sources.” And with public apathy toward the identity crisis continuing at a steady pace, those sources will persist and become more valuable each day.

Monday, January 12, 2009


Just before this last Christmas, my wife was shopping in a Target store when she realized she needed a gift for an upcoming party. Since a good California wine is always acceptable, she headed for the liquor section, eventually finding what she wanted. At the checkout stand the clerk asked her for her driver’s license to confirm that she was over 21. My wife looks great and they did card her at restaurants up into her late 30’s, but the fact is she will be 65 this month and anyone with common sense would know she is over 21. Willing to show the ID, she quickly withdrew her license when the clerk indicated she was going to scan it into Target’s database. The purchase was, of course, cancelled.

We had already gone through this earlier with Safeway re. the cashing of a check. Even earlier it had been OfficeMax, who wanted to scan my wife’s driver’s license number to return an ink cartridge just because the purchase date was older than 30 days. Back in October of 2007, I did a post on Albertsons/OSCO when they sold our family’s personal data, including medication information, to the pharmaceutical industry. Their pharmacy, OSCO, also once asked me for my Social Security number for their database, which I refused as did my wife in the other incidents. But back to Target.

Since the store manager was clueless over why they had to scan the date of birth into their database saying over and over—“it’s just store policy”—my wife opted to buy the wine somewhere else, and, of course, it was my decision to tell this story to the President of Target by e-mail. I explained to him how complete the Arizona license is with identifiable info, including a picture, and that checking it should be sufficient. An afterthought, however, was that they might not trust the judgment of their clerks, but that is another complete story.

I had my answer within two hours from Joe, who wouldn’t give me his last name due to security purposes. They are worried about Joe, but not what might happen to my wife’s sensitive data once it is in their database. By the way, all that is necessary to commit identity theft is your name, address and date of birth, and I don’t have remind you how many companies had their customers’ private information raided in 2008. Some big names include: Hannaford Bros. (Eastern) Supermarket Chain, 4.2 million personal records; Countrywide Mortgage, 2 million; Starbucks 97,000. Target gets “A” for response time but “F” for policy.

Agreed, companies have to be careful who they sell booze to, but it borders on the ridiculous when the separation in the components in question—this case age—is 45 years. Rethinking my earlier statement of not trusting the clerk’s judgment, it is obvious they don’t even trust the store manager to make this decision, much less update them on the specifics of the policy.

In closing, Joe did tell me that Target only keeps the birth date after swiping the driver’s license, and that the company has a new policy under consideration in relation to this kind of incident. But added that he couldn’t guarantee quick action. Until that new policy is enacted, our family has decided to stop buying any alcoholic beverages at Target, and only other products there not available at other stores at comparable prices.