Your Privacy for Sale

Roger RuleConsumer

Consumer Reports

October 2006

CR INVESTIGATES: Your privacy for sale.

SECTION: Pg. 41 Vol. 71 No. 10

LENGTH: 3060 words

Until Valentine’s Day weekend 2005, Elizabeth Rosen had never heard of ChoicePoint. But ChoicePoint, it turns out, knew plenty about her.
That’s when Rosen, a nurse, received a letter and found out that the Alpharetta, Ga., company had collected information about her. Among the sensitive items it had: her Social Security number, records of her insurance claims, her current and past addresses, and her employment history. Now ChoicePoint was informing her that it had inadvertently disclosed her information – and that of 165,000 other Americans – to a group of criminals. What galls Rosen more, she says, is that all along, ChoicePoint itself” was profiting by collecting and selling confidential information about me without my knowledge or consent.”
ChoicePoint, which has $1 billion in annual revenues, is only one entity in a vast and secretive data industry that feeds on private information about you and millions of other Americans. Its inhabitants include corporate mastodons with access to millions of public records; swarms of private investigators, some of whom lie to obtain confidential information; and hundreds of companies selling background checks, profiles, and address lists, all to meet the surging demand from business, law enforcement, and, increasingly since 9/11, the federal government.
The data collectors say that they’re not prying but speeding the retrieval of public records for both consumers and law enforcement, allowing businesses to cut their risks for fraud and helping marketers to zero in on customers who really want their products. “More than two-thirds of what we do is regulated by state and/or federal law,” says Chuck Jones, a spokesman for ChoicePoint.
Federal privacy and data-security laws such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act do guard some categories of data, including information used to determine eligibility for credit or insurance. But a 2006 investigation by the U.S. Government Accountability Office (GAO) concluded that such protections are limited and that Congress should require information resellers to safeguard all sensitive personal information.
Indeed, CR’s three-month investigation found that the practices of the data collectors can rob you of your privacy, threaten you with ID theft, and profile you as, say, a deadbeat or a security risk. Worse, there’s no way to find out what they are telling others about you. When our reporters requested their own records, they were told that they could not see everything that was routinely sold to businesses. The meager information they did receive was punctuated with errors.

THE DATA FOOD CHAIN
Data and list brokers of all stripes and sizes have collected information about individuals for decades. In recent years, however, faster computers and cheaper electronic data storage have fueled the growth of giant information aggregators, such as ChoicePoint. They have put the industry on steroids by feeding on public-record databases, acquiring companies with analytic software, and consolidating it all in a centralized online resource where it can be categorized, searched, and sliced into customized slabs for resale.
Among the horde of data brokers, Acxiom, LexisNexis, and ChoicePoint are some of the most prominent. Acxiom, a giant with $1.2 billion in annual revenues, processes a billion records a day. Major clients include American Express, Bank of America, Federated Department Stores – and Consumers Union, the nonprofit publisher of Consumer Reports. Acxiom officials turned down CR’s request for an interview.
LexisNexis, with $2 billion a year in revenues, got its start in Dayton, Ohio, supplying data to the U.S. Air Force. It has long aggregated news, business, and legal documents, but with its acquisition last year of Seisint, which resells public records to law enforcement and private investigators, it is focusing on security.” LexisNexis products and services help to power the consumer economy, fight terrorism, and keep our streets and homes safe,” says David Kurt, a company spokesman.
ChoicePoint, which was spun off by Equifax, the credit bureau, in 1997, allows law enforcement to tap its data over the Internet. As the U.S. Marshals Service said in an internal document, “With as little as a first name or a partial address, you can obtain a comprehensive personal profile in minutes.” ChoicePoint also keeps claims histories on your auto and homeowners policies and provides access to birth certificates and other vital records, a service it manages for many states.

WHAT THEY FEED ON
The big aggregators (and fleets of smaller ones, including LocatePlus and Intelius) wouldn’t exist if there weren’t data for them to ingest. Fortunately, for them, the richest resources – public records – are increasingly accessible. Some hire researchers to visit courthouses and county clerks’ offices to retrieve information from paper records, but increasingly, state and local governments post records online, making data gathering simpler and less costly for everyone. Open access also increases the potential for misuse of sensitive information. Property deeds, tax liens, and marriage and divorce documents often contain Social Security numbers, dates of birth, and other sensitive information that are golden keys for identity thieves.
A 2004 GAO study found that up to 28 percent of counties in the U.S. posted records with Social Security numbers online. When we checked documents online for Maricopa County, Ariz., an area with the highest per-capita rate of ID theft in 2005, we found individuals’ Social Security numbers on deeds, death certificates, federal tax liens, and divorce filings, one of which also included the couple’s credit-card account numbers.
Consumers supply tons of data themselves, often unwittingly, because information about purchases, donations, and memberships is now widely shared. “People are surprised that their name even exists on lists,” says Greg Branstetter, founder of Hippo Direct, a mailing-list broker in Cleveland. “But most of list creation comes from consumer behavior, whether it is buying from catalogs, ordering magazines, joining associations, or filling out warranty cards.” Branstetter recently completed a project that required him to “track down gay-oriented business publications and Web sites” to provide mailing lists for a client who wanted to market to gay men.

SELLING YOUR INFO
Data brokers provide individual background searches for employers and others. They also take in hefty revenues from slicing and dicing your information with data-mining software to create targeted lists to appeal to marketers.
Remember all those colorful bits of detail about your ailments and hobbies that you supplied on warranty cards? In the data industry, they are combined with information drawn from other sources such as public records and credit transactions to provide what Focus USA, a data broker describes as a “three-dimensional view.” Focus’s own database covers 105 million U.S. households, with labels such as “Christian Donors,” who give twice the portion of their incomes that nonreligious households give to politicians and causes, and a group it calls “Hooked on Plastic,” consisting of 4.2 million American families for whom “using credit cards doesn’t feel like they’re spending money.”
Data brokers are not above selling your most sensitive information. InfoUSA, a database marketer with $400 million in sales, promises on its Web site to “find people who suffer from health conditions such as diabetes” or “search for people taking a certain medication.” Clients can order a mailing list of, say, Prozac users or refine the list to include only those with incomes over $100,000 a year. Rakesh Gupta, InfoUSA’s database president, says that only “legitimate companies,” primarily large pharmaceutical manufacturers, are permitted to buy the lists.

KEEPING YOUR SECRETS
Federal law gives you the right to view data that will be used for certain purposes, such as background screening to determine your eligibility for insurance, a job, or an apartment rental. But there’s a lot that the law doesn’t cover.
Two Consumer Reports staffers requested copies of their own reports. Acxiom’s report for consumers (cost: $5) provided five pages of bar-bones facts such as name, address, phone number, and age. The company included a separate sheet summarizing the range of information that consumers could not view but that the company’s business clients could. Among those tidbits: e-mail address, occupation, political party, categories of retail purchases, estimated net worth, and details on their cars. ChoicePoint’s free basic report was also skimpy. Only LexisNexis’ “Person Report” (cost: $8) provided a little more, listing addresses and birth dates for relatives and neighbors.
The reports also contained several errors, including incorrect addresses, misspellings of names, and an incorrect Social Security number. Data brokers say, however, that they are not in the business of correcting inaccuracies. A letter accompanying the report from LexisNexis, for example, says, “We do not examine or verify our data, nor is it possible for our computers to correct or change data that is incorrect.”
“It’s easy to see how an ordinary consumer could fail to get a job or an apartment,” says Richard Smith, a Boston Internet security consultant,” or even end up on a no-fly list, now that the government is becoming such a big client, too.”
Given the sensitivity of the information that brokers distribute, ensuring its security should be a top priority. The three major data brokers have all suffered major breaches in recent years, although only ChoicePoint’s thus far has led to censure by the Federal Trade Commission. It slapped the company with a $10 million fine, the largest civil penalty in agency history. It also harshly criticized the company’s security and record-handling procedures. Instead of limiting access to legitimate businesses or government agencies, the company released data to crooks whose requests used commercial mail drops as business addresses,” an obvious red flag,” the FTC said. As it turned out, a Nigerian fraud ring was behind the breach.
In February 2005 consumers began to learn about the data breach. To date, says Brian Hoffstadt, an assistant U.S. attorney who co-prosecuted the case against the data thieves, $600,000 worth of fraudulent credit-card charges have been documented involving an estimated 100 individual victims. “For the consumers involved, there could be a ripple effect, and we may not know the true impact for quite a while,” Hoffstadt says.
Elizabeth Rosen, the nurse whose information was stolen in the ChoicePoint breach, encountered no problems initially. But more than a year later, she began to be hounded by calls from various bill collectors asking for other people. ID theft experts say that’s a bad sign, indicating that a thief might have set up accounts using her Social Security number under other names and addresses – a new and growing trend in ID fraud.
In response to the FTC, ChoicePoint has tightened its security procedures, following mandates to verify the identities of businesses seeking to obtain consumer reports, even visiting some and auditing their use of those reports.

A STEADY CUSTOMER
Since 2002, a rule change at the U.S. Department of Justice has allowed unrelated bits of personal data to be pieced together to target American citizens as potential threats who merit surveillance or investigation, even if no reasonable suspicion of criminal activity exists. The federal government has become a steady buyer of this kind of information. In fiscal 2005, the departments of Justice, Homeland Security, and State, and the Social Security Administration spent $30 million on data-broker contracts, according to a 2006 GAO report, which also suggested that the data-broker business was at odds with widely accepted principles for protecting personal data.
Another example: To help sell military careers to young people, the Pentagon has bought data from brokers. According to the Electronic Privacy Information Center (EPIC), they include American Student List, a company that signed a consent agreement in 2002 with the FTC promising not to distribute student data to brokers for noneducational marketing without disclosing it to students.
The Pentagon’s database has accumulated information on the ethnicities, grade-point averages, intended fields of college study, phone numbers, and e-mail addresses of about 30 million Americans between ages 16 and 25. Those in the database can request by letter that the Pentagon not send direct-mail or telemarketing pitches, but they are not permitted to opt out of the database.
Activist groups, such as Leave My Child Alone, based in San Francisco, complain that recruiters repeatedly call students at home or on cell phones. Felicity Crush, the group’s spokeswoman, says, “They have the money to farm this out to a private company, but when we asked the Pentagon to establish a toll-free number for opting out, they claim they didn’t have money in the budget.”
Finding out what the government is buying has proven impossible. When EPIC filed a request under the Freedom of Information Act in 2001 to obtain copies of records relating to federal agencies’ use of data brokers, among the documents it received was a Jan. 13, 2000, PowerPoint slide presentation with the ChoicePoint and Federal Bureau of Investigation logos displayed together above the report’s title: “A Partnership for the New Millennium.” All other text on the slides had been blacked out, and to date, the FBI has failed to deliver 5,000 additional pages of ChoicePoint contracting documents.
“Over the past several years, we’ve learned about huge database of information on law-abiding Americans being assembled by the government directly or purchased by the government from private vendors,” Sen. Ron Wyden, D-Ore., recently told CR. “These reports raise serious concerns about privacy and consumer rights.” In 2003, he introduced legislation to require the FBI and other federal agencies to provide detailed reports to Congress explaining their use of public and private databases. The bill failed to pass, though Wyden hopes to take up the issue again.

ON A PRETEXT
The data industry has a shady element that includes private investigators and others who practice so-called pretexting: impersonating relatives, company officials, or even law-enforcement personnel to obtain confidential consumer information.
The results can be deadly. Case in point: Amy Boyer of Nashua, N.H., was fatally gunned down by Liam Youens, a stalker, as she left work. Youens had obtained, for less than $200, all of the information he needed to track her from Docusearch.com, an online data broker that, court papers say, hired a pretexter to find out where she worked. A civil suit filed against the company charged that Youens maintained a Web site describing his plans to kill Boyer. The case was settled out of court. Dan Cohn, president of Docusearch, says, “Our policies and the way we do business has changed as a result.”
The murder occurred in 1999, but Docusearch and similar “backgrounding” services have only grown. Rob Douglas, founder of PrivacyToday.com, information-security consultants, says, “With the advent of the Internet, data brokers learned how much money could be made selling phone and bank records to customers online, and the feeding frenzy was on.”
While some Web sites require that customers complete a “permissible purpose form” stating that they have a legitimate legal reason for requesting someone’s confidential information, Douglas says such requirements are usually nothing more than “legal mumbo jumbo” the brokers use to cover themselves in case something goes awry later. He says faxing a fake letterhead identifying you as a member of a law firm or a potential employer usually can get you what you want.
Customers buying covertly obtained information range from large corporations tracking deadbeat customers to snoops checking up on potential mates. According to statements that some data brokers have provided to congressional investigators, their customers also include local and federal law-enforcement personnel who in this way obtain cell-phone records without subpoenas or warrants. “This illicit marriage between law enforcement and black-market information thieves deserves to be fully investigated,” Douglas says.
David Gandal, a Loveland, Colo., investigator who has used pretexting to track debtors skipping out on car loans, says, “Just about every major financial institution has paid for this kind of work.” He told CR that armed with a few bits of identifying information readily available to most investigators through large commercial databases, a pretexter calls customer-service representatives at a phone company or utility. The person then tricks them into revealing account numbers, passwords, and other sensitive information by pretending to be the customer or another company employee, say, someone in tech support. “I’m a man of many voices,” Gandal says. “Sometimes I would pretend to be a stroke victim having trouble getting my words out and they’d help by volunteering whatever information I needed.”
While pretexting to obtain access to bank records was outlawed in 1999 with the passage of the Gramm-Leach-Bliley Act, no federal law specifically prohibits using such deception to obtain phone, utility, or other customer records. (Viewpoint, lays out CU’s recommendations to lawmakers.)

FIGHTING BACK
A few fledgling efforts to combat the release of personal information have made headway. B.J. Ostergren, a former insurance-claims supervisor, launched an effective one-woman campaign to keep her home county in Virginia from posting its public records on the Internet. To get legislators’ attention, she demonstrated the potential for harm in January 2005 by posting on her own Web site (www.thevirginiawatchdog.com) a few Social Security numbers for people whose records she spotted online. Among them: former CIA Director Porter Goss, former Secretary of State Colin Powell, and Florida Gov. Jeb Bush, whose number was blacked out on Dade County online records after she drew attention to it. “I understand why he’d want to black out his number,” Ostergren says. “But shouldn’t everyone have that right?”

LOAD-DATE: October 2, 2006

LANGUAGE: ENGLISH

GRAPHIC: Photograph, her information sold to crooks. Who. Elizabeth Rosen, nurse, California. What happened. Rosen learned in February 2005 that she was a victim of a large ChoicePoint data breach. Her credit report revealed no problems initially, but she recently has been hounded by calls from bill collectors who ask for other people. ID theft experts say those calls may indicate a thief has been using her Social Security number under a different name and address – a growing trend in ID fraud; Photograph, a murder from $150 of data. Who. Viola Berkeyheiser, Washington Crossing, Pa. What happened. Berkeyheiser’s husband, William, was murdered in 2005 by Stanford Douglas, a mentally ill former co-worker who held a grudge against him for a joke Douglas claimed Berkeyheiser told years earlier. A civil suit filed by Viola Berkeyheiser charges that Douglas located Berkeyheiser through A-Plus Investigations, which bought his address from IRBsearch, another data broker, for a few dollars. Douglas paid A-Plus $150. IRBsearch says, “We have no proof of any of the facts.” A-Plus chief executive officer John Ciaccio says that Douglas said he wanted the data for “a legal purpose”; 2 non-captioned photographs.

PUBLICATION-TYPE: Magazine

Copyright 2006 Consumers Union of U.S., Inc.
All Rights Reserved